Updates from: 03/02/2023 02:32:28
Category Microsoft Docs article Related commit history on GitHub Change details
admin Active Users Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/active-users-ww.md
description: "Learn how to get an Active Users report using the Microsoft 365 Re
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
-For example, you can use the **Active Users** report to find out how many product licenses are being used by individuals in your organization, and drill down for information about which users are using what products. This report can help administrators identify underutilized products or users that might need additional training or information.
+For example, you can use the **Active Users** report to find out how many product licenses are being used by individuals in your organization, and drill down for information about which users are using what products. This report can help administrators identify underutilized products or users that might need additional training or information.
+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the Active Users report
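Review bot: The added NOTE describes the Microsoft 365 Experience insights dashboard but does not say how it relates to the Active Users report, so a reader of this article has no reason to follow the link. Add a clause tying it to this report. Since the same two lines are added to the other activity-report articles in this update, consider moving them into a shared include so the wording stays in sync. The removed and re-added paragraph above the note reads identically here; if that is a whitespace-only change, confirm it is intended.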
admin Browser Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/browser-usage-report.md
description: "Learn how to get a Microsoft browser usage report using the Micros
# Microsoft 365 Reports in the admin center - Microsoft browser usage
-The Microsoft 365 Reports dashboard shows you an activity overview across the products in your organization. It enables you to drill into individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
+The Microsoft 365 Reports dashboard shows you an activity overview across the products in your organization. It enables you to drill into individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
The **Microsoft Browser Usage report** in the Microsoft 365 Admin Center lets you see if users access Microsoft 365 online services via Microsoft Edge. This report insight can help you migrate your organization to Microsoft Edge. Usage reporting is based on an aggregate count of users in your organization that sign in to their Microsoft 365 account and use the Microsoft Edge browser to access Microsoft 365 services.
admin Email Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/email-activity-ww.md
description: "Learn how to get an email activity report and understand user emai
# Microsoft 365 Reports in the admin center - Email activity The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard will help you better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
For example, you can get a high level view of email traffic within your organization from the Reports page, and then you can drill into the Email activity widget to understand the trends and per user level details of the email activity within your organization.
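Review bot: The NOTE in this file says the dashboard "will help you better understand", while the same note in the other activity-report articles in this update says "helps you to better understand". Use one wording across all of them.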
admin Email Apps Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/email-apps-usage-ww.md
description: "Learn how to get an email apps usage report to find out how many e
# Microsoft 365 Reports in the admin center - Email apps usage The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the email apps usage report, you can see how many email apps are connecting to Exchange Online. You can also see the version information of Outlook apps that users are using, which will allow you to follow up with those who are using unsupported versions to install supported versions of Outlook.+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the email apps report
admin Forms Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/forms-activity-ww.md
description: "Learn how to get a Microsoft Forms activity report using the Micro
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It lets you drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). For example, you can understand the activity of every user licensed to use Microsoft Forms by looking at their interaction with forms. It also helps you to understand the level of collaboration going on by looking at the number of forms created and forms the user responded to.+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the Forms activity report
admin Forms Pro Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/forms-pro-activity-ww.md
description: "Learn how to get a Microsoft Dynamics 365 Customer Voice activity
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It lets you drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
-For example, you can understand the activity of every user licensed to use Microsoft Dynamics 365 Customer Voice by looking at their interactions with Dynamics 365 Customer Voice. It also helps you to understand the level of collaboration going on by looking at the number of Pro Surveys created and Pro Surveys to which the users responded to.
+For example, you can understand the activity of every user licensed to use Microsoft Dynamics 365 Customer Voice by looking at their interactions with Dynamics 365 Customer Voice. It also helps you to understand the level of collaboration going on by looking at the number of Pro Surveys created and Pro Surveys to which the users responded to.
+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the Dynamics 365 Customer Voice activity report
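Review bot: The re-added paragraph still ends with "Pro Surveys to which the users responded to", which doubles the preposition. Since the line is being touched anyway, change it to "Pro Surveys to which users responded".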
admin Mailbox Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/mailbox-usage.md
description: "Learn how to get the Mailbox usage report to find out about activi
# Microsoft 365 Reports in the admin center - Mailbox usage The **Mailbox usage report** provides information about users with a user mailbox and the level of activity by each based on the email send, read, create appointment, send meeting, accept meeting, decline meeting and cancel meeting activity. It also provides information about how much storage has been consumed by each user mailbox, and how many of them are approaching storage quotas. The mailbox usage report also contains information on mailboxes shared amongst users, providing storage and quota data on shared mailboxes.+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the mailbox usage report
admin Microsoft Office Activations Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-office-activations-ww.md
description: "Learn how to get an Office Activation report to know which users h
# Microsoft 365 Reports in the admin center - Microsoft Office activations The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
The Office Activation report gives you a view of which users have activated their Office subscription on at least one device. It provides a breakdown of the Microsoft 365 Apps for enterprise, Project, and Visio Pro for Office 365 subscription activations, as well as the breakdown of activations across desktop and devices. This report could be useful in helping you identify users that might need additional help and support to activate their Office subscription.
admin Microsoft Teams Device Usage Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-device-usage-preview.md
description: "Gain insights into the devices on which Microsoft Teams apps are b
# Microsoft 365 Reports in the admin center - Microsoft Teams device usage The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft Teams device usage report, you can gain insights into the types of devices on which the Microsoft Teams apps is being used in your organization.+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the Microsoft Teams device usage report
admin Microsoft Teams Usage Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-usage-activity.md
description: "The Teams usage report shows you how users are communicating and c
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ The brand-new **Teams usage report** gives you an overview of the usage activity in Teams, including the number of active users, channels and messages so you can quickly see how many users across your organization are using Teams to communicate and collaborate. It also includes other Teams specific activities, such as the number of active guests, meetings, and messages. ![Microsoft 365 reports - Microsoft Teams activity report.](../../media/teams-usage.png)
admin Microsoft Teams User Activity Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-user-activity-preview.md
description: "Learn how to get the Microsoft Teams user activity report and gain
# Microsoft 365 Reports in the admin center - Microsoft Teams user activity The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft Teams user activity report, you can gain insights into the Microsoft Teams activity in your organization.+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the Microsoft Teams user activity report
admin Microsoft365 Apps Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft365-apps-usage-ww.md
For example, you can understand the activity of each user licensed to use Micros
> [!NOTE] > Shared computer activations are not included in this report.
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ ## How to get to the Microsoft 365 Apps usage report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
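Review bot: The new NOTE lands directly after the existing NOTE "Shared computer activations are not included in this report", leaving two note blocks back to back. The existing one is a caveat about the report's data and the new one is a pointer to another dashboard, so stacking them makes the caveat easier to miss. Place the new note after the introduction instead, or fold the pointer into a "See also" line.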
admin Office 365 Groups Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/office-365-groups-ww.md
description: "Get a Microsoft 365 Groups report to gain insights into the activi
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft 365 groups report, you can gain insights into the activity of groups in your organization and see how many groups are being created and used.
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ ## How to get to the groups report 1. In the admin center, select **Reports**, and then select **Usage**.
admin Onedrive For Business Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/onedrive-for-business-activity-ww.md
The Microsoft 365 Reports dashboard shows you the activity overview across the p
For example, you can understand the activity of every user licensed to use OneDrive by looking at their interaction with files on OneDrive. It also helps you to understand the level of collaboration going on by looking at the number of files shared.
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ ## How do I get to the OneDrive Activity report? 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
admin Onedrive For Business Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww.md
The Microsoft 365 Reports dashboard shows you the activity overview across the p
For example, the OneDrive card on the dashboard gives you a high-level view of the value you are getting from OneDrive for Business in terms of the total number of files and storage used across your organization. You can then drill into it to understand the trends of active OneDrive accounts, how many files are users interacting with as well as the storage used. It also gives you details for each user's OneDrive.
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ ## How do I get to the OneDrive usage report? 1. In the admin center, go to the **Reports**, and then select **Usage**.
admin Project Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/project-activity.md
description: "Learn how to get the Project activity report and gain insights int
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ In the **Project activity report**, you can understand the activity of every user licensed to use Microsoft Project by looking at their interaction with Project. It also helps you to understand the level of collaboration going on by looking at the number of projects visited and tasks created or edited. ## How to get to the Project activity report
admin Sharepoint Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/sharepoint-activity-ww.md
description: "Get the SharePoint activity usage report to learn about SharePoint
As a Microsoft 365 admin, the Reports dashboard shows you the activity overview across various products in your organization. It enables you to drill in to get more granular insight about the activities specific to each product. Check out the [activity reports in the Microsoft 365 admin center](activity-reports.md). For example, you can understand the activity of every user licensed to use SharePoint by looking at their interaction with files. It also helps you to understand the level of collaboration going on by looking at the number of files shared.+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How do I get to the SharePoint activity report?
admin Sharepoint Site Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/sharepoint-site-usage-ww.md
description: "Get the SharePoint site usage report to know how many files users
# Microsoft 365 Reports in the admin center - SharePoint site usage
-As a Microsoft 365 admin, the Reports dashboard shows you the activity overview across various products in your organization. It enables you to drill in to get more granular insight about the activities specific to each product. For example, you can get a high-level view of the value you are getting from SharePoint in terms of the total number of files that users store in SharePoint sites, how many files are actively being used, and the storage consumed across all these sites. Then, you can drill into the SharePoint site usage report to understand the trends and per site level details for all sites.
+As a Microsoft 365 admin, the Reports dashboard shows you the activity overview across various products in your organization. It enables you to drill in to get more granular insight about the activities specific to each product. For example, you can get a high-level view of the value you are getting from SharePoint in terms of the total number of files that users store in SharePoint sites, how many files are actively being used, and the storage consumed across all these sites. Then, you can drill into the SharePoint site usage report to understand the trends and per site level details for all sites.
+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How to get to the SharePoint site usage report
admin Viva Insights Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/viva-insights-activity.md
As a Microsoft 365 admin, the Reports dashboard shows you the activity overview
For example, you can understand the adoption of Viva Insights by looking at the active users. Additionally, you can find a deployment guide to further boost adoption in your organization.
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ ## How do I get to the to the Viva Insights activity report? 1. In the admin center, go to the **Reports**, and then select **Usage**.
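Review bot: The heading right after the added NOTE reads "How do I get to the to the Viva Insights activity report?", with "to the" doubled. Fix it in this change, and in the step below it, "go to the **Reports**, and then select **Usage**" has a stray "the".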
admin Viva Learning Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/viva-learning-activity.md
As an Microsoft 365 admin, the Reports dashboard shows you the activity overview
For example, you can understand the activity of your licensed Viva Learning users by looking at their interactions. It also helps you to understand the type of features being used within the Learning App.
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ ## How do I get to the to the Viva Learning activity report? 1. In the admin center, go to the **Reports** > **Usage** page.
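Review bot: The context line above the NOTE opens with "As an Microsoft 365 admin", which should be "As a Microsoft 365 admin", and the heading after the NOTE doubles "to the" ("How do I get to the to the Viva Learning activity report?"). The step also writes the path as "**Reports** > **Usage**" with an unescaped ">", while other articles in this update use "\>"; pick one form.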
admin Yammer Activity Report Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/yammer-activity-report-ww.md
description: "Get the Yammer Activity report and know more about the number of u
# Microsoft 365 Reports in the admin center - Yammer activity report
-As Microsoft 365 admin, the Reports dashboard shows you data on the usage of the products within your organization. Check out [activity reports in the admin center](activity-reports.md). With the **Yammer Activity report**, you can understand the level of engagement of your organization with Yammer by looking at the number of unique users using Yammer to post, like or read a message and the amount of activity generated across the organization.
+As Microsoft 365 admin, the Reports dashboard shows you data on the usage of the products within your organization. Check out [activity reports in the admin center](activity-reports.md). With the **Yammer Activity report**, you can understand the level of engagement of your organization with Yammer by looking at the number of unique users using Yammer to post, like or read a message and the amount of activity generated across the organization.
+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How do I get to the Yammer activity report?
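Review bot: The re-added opening sentence still begins "As Microsoft 365 admin", missing the article. Change it to "As a Microsoft 365 admin" while the line is being rewritten. The removed and added versions of the paragraph otherwise read identically, so confirm the change is more than whitespace.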
admin Yammer Device Usage Report Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/yammer-device-usage-report-ww.md
description: "Get the Yammer device usage report to learn more about which devic
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out the [Reports overview topic](activity-reports.md).
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
+ The Yammer device usage reports give you information about which devices your users are using Yammer on. You can view the number of daily users by device type, and number of users by device type. You can view both over a selected time period. You can also view details per user. ## How do I get to the Yammer device usage report?
admin Yammer Groups Activity Report Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/yammer-groups-activity-report-ww.md
description: "Get the Yammer groups activity report to learn more about the numb
# Microsoft 365 Reports in the admin center - Yammer groups activity report The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Yammer groups activity report, you can gain insights into the activity of Yammer groups in your organization and see how many Yammer groups are being created and used.+
+> [!NOTE]
+> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).
## How do I get to the Yammer groups activity report?
compliance Communication Compliance Alerts Best Practices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-alerts-best-practices.md
+
+ Title: "Best practices for managing your alerts queue"
+description: "Learn best practices for managing the volume of alerts in Microsoft Purview Communication Compliance."
+keywords: Microsoft 365, Microsoft Purview, compliance, communication compliance
+f1.keywords:
+- NOCSH
+++ Last updated : 02/28/2023
+audience: Admin
+
+f1_keywords:
+- 'ms.o365.cc.SupervisoryReview'
+
+ms.localizationpriority: medium
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+
+search.appverid:
+- MET150
+- MOE150
++
+# Best practices for managing the volume of alerts in communication compliance
+
+After configuring Microsoft Purview Communication Compliance, you may want to make adjustments to manage the volume of alerts that you receive. Use the list of best practices in this article to help you create policies that cover as many users as possible while reducing the number of non-actionable alerts.
+
+## Understand keyword list volumes
+
+Many customers use custom keyword lists for compliance scenarios. Understanding the volume of policy matches for each keyword can help you tune your policies. Use the [Sensitive information type per location report](communication-compliance-reports-audits.md#detailed-reports) to analyze keyword lists to see which keywords trigger most matches. You can then investigate further to see if those keywords have high false-positive rates. You can also use the [Message details reports](communication-compliance-reports-audits.md#message-details-report) to get data on keyword matches for a specific policy.
+
+## Use the data classification dashboard
+
+ItΓÇÖs important to understand the volume of items classified by trainable classifiers and sensitive information types. You can use the [Content explorer](data-classification-content-explorer.md) in the data classification dashboard to help you understand the volume that you can expect for your organization.
+
+When you first start using trainable classifiers, you might not get enough matches, or you might get too many matches. The following table shows the volume level to expect for different types of trainable classifiers.
+
+|Trainable classifier|Volume|
+|-||
+|Discrimination |Low|
+|Targeted harassment|Low|
+|Threat|Low|
+|Adult images|Low|
+|Customer complaints|Medium|
+|Profanity|Medium|
+|Racy images|Medium|
+|Gory images|Medium|
+|Gifts & entertainment|Medium|
+|Money laundering (preview)|Medium|
+|Regulatory collusion (preview)|Medium|
+|Stock manipulation (preview)|Medium|
+|Unauthorized disclosure (preview)|High|
+
+Consider using the Adult images classifier instead of the Racy images classifier since the Adult images classifier detects a more explicit image. You can use the Content explorer page to help you understand the volume that you can expect for your organization for each of the trainable classifiers.
+
+## Filter email blasts
+
+You can [filter out email messages](communication-compliance-configure.md#step-5-required-create-a-communication-compliance-policy) that are generic and intended for mass communication. For example, filter out spam, newsletters, and so on.
+
+## Filter out email signatures/disclaimers
+
+Sensitive information types can be triggered from footers in emails, such as disclaimers. If many of your non-actionable alerts come from a specific set of sentences or phrases in an email signature or disclaimer, you can [filter out the email signature or disclaimer](sit-common-scenarios.md#ignore-a-disclaimer-notice).
+
+## Use sentiment evaluation
+
+Messages in alerts include [sentiment evaluation](communication-compliance-investigate-remediate.md#step-2-examine-the-message-details) to help you quickly prioritize potentially riskier messages to address first. Using sentiment evaluation won't reduce your detection volumes but will make it easier to prioritize detections. Messages are flagged as Positive, Negative, or Neutral sentiment. For some organizations, messages with Positive sentiment may be determined to be a lower priority, allowing you to spend more time on other message alerts.
+
+## Report messages as misclassified
+
+[Reporting false positives as misclassified](communication-compliance-investigate-remediate.md#remediate-alerts) will help to improve MicrosoftΓÇÖs models and reduce the number of false positives that you see in the future.
+
+## Filter out specific senders by using a condition
+
+If you have senders that consistently trigger detections (for example, through newsletters, automated mails, and so on), you can filter out these particular senders using the following conditional setting: [Message is not received from any of these domains](communication-compliance-policies.md#conditional-settings).
+
+## Use communication direction to target a particular set of users
+
+If youΓÇÖre detecting standards of business conduct scenarios and only care about communications from your employees (not from external users), consider using a policy that detects only [outbound communications](communication-compliance-policies.md#direction). If you make the entire organization in scope, you can ensure that all of the users in your organization are covered but exclude users from outside your organization.
+
+## Combine trainable classifiers
+
+Consider combining two or more [trainable classifiers](classifier-learn-about.md#classifiers) together. For example, combine the [Threat](classifier-tc-definitions.md#threat) and [Profanity](classifier-tc-definitions.md#profanity) classifiers or the [Targeted harassment](classifier-tc-definitions.md#harassment) and [Profanity](classifier-tc-definitions.md#profanity) classifiers to raise the threshold for messages captured.
+
+## Lower the percentage of reviewed communications
+
+If you just want to sample a subset of all the messages that trigger alerts, [specify a percentage of communications to review](communication-compliance-policies.md#review-percentage).
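Review bot: In the added "Use communication direction to target a particular set of users" section, the second sentence ("If you make the entire organization in scope, you can ensure that all of the users in your organization are covered but exclude users from outside your organization") is hard to parse and does not say which setting produces the exclusion. Suggest spelling out how the two settings combine, for example that the policy is scoped to the whole organization and limited to the outbound direction. That section and "Report messages as misclassified" also use typographic apostrophes (shown here as "youΓÇÖre" and "MicrosoftΓÇÖs") where the rest of the added text uses a plain "'". "Combine trainable classifiers" says combining will "raise the threshold" without saying that a message has to match both classifiers; state that explicitly.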
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
For more information about configuring Yammer in Native Mode, see:
7. The **Your policy was created** page is displayed with guidelines on when policy will be activated and which communications will be captured.
+> [!TIP]
+> After configuring your policy, [learn about best practices for managing the volume of alerts](communication-compliance-alerts-best-practices.md).
+ ## Step 6 (optional): Update compliance boundaries for communication compliance policies [Compliance boundaries](/microsoft-365/compliance/set-up-compliance-boundaries) create logical boundaries within an organization that control the user content locations (such as mailboxes, OneDrive accounts, and SharePoint sites) that eDiscovery managers can search.
compliance Create A Custom Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type.md
audience: Admin Previously updated : 09/17/2019 Last updated : 02/28/2023 ms.localizationpriority: medium - tier1
search.appverid:
description: "Learn how to create, modify, remove, and test custom sensitive information types in the Compliance Center."
-# Create custom sensitive information types in the Compliance center
+# Create custom sensitive information types in the compliance portal
-If the pre-configured sensitive information types don't meet your needs, you can create your own custom sensitive information types that you fully define or you can copy one of the pre-configured ones and modify it.
+If the pre-configured sensitive information types (SIT) don't meet your needs, you can create your own custom SITs that you fully define. You can also copy one of the pre-configured SITs and modify it.
-The custom sensitive information types that you create by using this method are added to the rule package named `Microsoft.SCCManaged.CustomRulePack`.
+The custom sensitive information types that you create by using these methods are added to the rule package named `Microsoft.SCCManaged.CustomRulePack`.
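Review bot: The H1 is renamed to "compliance portal", but the `description:` line in the same hunk still ends with "in the Compliance Center."; update it so the two agree. The new intro also introduces the abbreviation as "sensitive information types (SIT)" and then uses "SITs"; "(SITs)" would match the plural it follows.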
There are two ways to create a new sensitive information type:
There are two ways to create a new sensitive information type:
## Before you begin -- You should be familiar with sensitive information types and what they are composed of. See, [Learn about sensitive information types](sensitive-information-type-learn-about.md). It is critical to understand the roles of:
+- You should be familiar with sensitive information types and what they're composed of. To get this understanding, see, [Learn about sensitive information types](sensitive-information-type-learn-about.md). It's critical to understand the roles of:
- [regular expressions](https://www.boost.org/doc/libs/1_68_0/libs/regex/doc/html/) - Microsoft 365 sensitive information types uses the Boost.RegEx 5.1.3 engine - keyword lists - you can create your own as you define your sensitive information type or choose from existing keyword lists - [keyword dictionary](create-a-keyword-dictionary.md)
There are two ways to create a new sensitive information type:
- Your organization must have a subscription, such as Office 365 Enterprise, that includes Microsoft Purview Data Loss Prevention (DLP). See [Messaging Policy and Compliance ServiceDescription](/office365/servicedescriptions/exchange-online-protection-service-description/messaging-policy-and-compliance-servicedesc). > [!IMPORTANT]
-> Microsoft Customer Service & Support can't assist with creating custom classifications or regular expression patterns. Support engineers can provide limited support for the feature, such as, providing sample regular expression patterns for testing purposes, or assisting with troubleshooting an existing regular expression pattern that's not triggering as expected, but can't provide assurances that any custom content-matching development will fulfill your requirements or obligations.
+> Microsoft Customer Service & Support can't assist with creating custom classifications or regular expression patterns. Support engineers can provide limited support for the feature, such as, providing sample regular expression patterns for testing purposes, or helping to troubleshoot an existing regular expression pattern that's not triggering as expected. However, they can't provide assurances that any custom content-matching development will fulfill your requirements or obligations.
## Create a custom sensitive information type Use this procedure to create a new sensitive information type that you fully define.
-1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose **Create sensitive info type**.
+1. In the Compliance Center, go to **Data classification** \> **Classifiers** \> **Sensitive info types** and choose **Create sensitive info type**.
2. Fill in values for **Name** and **Description** and choose **Next**.
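Review bot: The updated step 1 adds **Classifiers** to the path but keeps "In the Compliance Center", while this same change renames the article title to "compliance portal" and the updated Test procedure says "In the compliance portal". Use one name throughout; step 1 of the copy procedure has the same leftover.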
Use this procedure to create a new sensitive information type that you fully def
11. Choose the **recommended confidence level** for this sensitive information type.
-12. Check your setting and choose **Submit**.
+12. Check your settings and choose **Save**.
> [!IMPORTANT] > Microsoft 365 uses the search crawler to identify and classify sensitive information in SharePoint Online and OneDrive for Business sites. To identify your new custom sensitive information type in existing content, the content must be re-crawled. Content is crawled based on a schedule, but you can manually re-crawl content for a site collection, list, or library. For more information, see [Manually request crawling and re-indexing of a site, a library or a list](/sharepoint/crawl-site-content).
-13. On the **Data classification** page, you'll see all the sensitive information types listed. Choose **Refresh** and then browse for or use the search tool to find the sensitive information type you created.
+13. The **Sensitive info types** tab of the **Classifiers** page, lists all of the sensitive information types. Choose **Refresh** and then browse for or use the search tool to find the sensitive information type you created.
### Copy and modify a sensitive information type
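Review bot: In the new step 13, the comma after "page" separates the subject from its verb ("The **Sensitive info types** tab of the **Classifiers** page, lists all of the sensitive information types"); drop the comma.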
Use this procedure to create a new sensitive information type that is based on a
> - International classification of diseases (ICD-9-CM) > - U.S. driver's license number
-You can also create custom sensitive information types by using PowerShell and Exact Data Match capabilities. To learn more about those methods, see:
+You can also create custom sensitive information types by using PowerShell and Exact Data Match (EDM) capabilities. To learn more about those methods, see:
- [Create a custom sensitive information type in Microsoft Purview PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md) - [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types)
-1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type that you want to copy.
+1. In the Compliance Center, go to **Data classification** \> **Classifiers** \> **Sensitive info types** and select the sensitive information type that you want to copy.
-2. In the flyout, choose **Copy**.
+2. The overview page for the sensitive information type opens. Choose **Copy**. When the copy is ready, a message stating that the copy was created appears with an option to edit it. Choose **Yes**.
-3. Choose **Refresh** in the list of sensitive information types and either browse or search for the copy you just made. Partial sting searches work, so you could just search for `copy` and search would return all the sensitive information types with the word `copy` in the name.
+3. Give your new sensitive information type a new **Name** and **Description**.
-4. Fill in values for **Name** and **Description** and choose **Next**.
+4. You can choose to create a new pattern, or edit or remove some or all of the existing patterns.
+ 1. To create a new pattern, choose **Create**.
+ 1. To edit an existing pattern, choose the **Edit** (pencil) icon next to the pattern you want to change.
+ 1. To remove a pattern, choose the **Delete** icon next to the pattern you want to remove.
-5. Choose your sensitive information type copy and choose **Edit**.
+5. When creating or editing a pattern, choose the default confidence level for the pattern. The values are **Low confidence**, **Medium confidence**, and **High confidence**.
-6. Give your new sensitive information type a new **Name** and **Description**.
+6. Choose and define **Primary element**. The primary element can be a **Regular expression**, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. See, [Sensitive information type functions](sit-functions.md).
-7. You can choose to edit or remove the existing patterns and add new ones. Choose the default confidence level for the new pattern. The values are **Low confidence**, **Medium confidence**, and **High confidence**.
+7. Fill in a value for **Character proximity**.
-8. Choose and define **Primary element**. The primary element can be a **Regular expression**, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. See, [Sensitive information type functions](sit-functions.md).
+8. (Optional) If you have **Supporting elements** or any [additional checks](sit-regex-validators-additional-checks.md#sensitive-information-type-additional-checks) add them. If needed, you can group your **Supporting elements**.
-9. Fill in a value for **Character proximity**.
+9. If you're creating a new pattern, choose **Create**. If you are editing an existing pattern, choose **Update**.
-10. (Optional) If you have **Supporting elements** or any [**additional checks**](sit-regex-validators-additional-checks.md#sensitive-information-type-additional-checks) add them. If needed you can group your **Supporting elements**.
-
-11. Choose **Create**.
+10. Choose **Next**.
-12. Choose **Next**.
+11. Confirm your confidence level selection for this sensitive information type and then choose **Next**.
-13. Choose the **recommended confidence level** for this sensitive information type.
+12. Review your settings and then choose **Save**.
-14. Check your setting and choose **Submit**.
+13. Your sensitive information type is created. At the confirmation message, choose **Done*
## Test a sensitive information type You can test any sensitive information type in the list. We suggest that you test every sensitive information type that you create before using it in a policy.
-1. Prepare two files, like a Word document. One with content that matches the elements you specified in your sensitive information type and one that doesn't match.
+1. Prepare two files, for example, two Word documents. One should have content that matches the elements you specified in your sensitive information type. The other should have content that doesn't match.
-2. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type from the list to open the details pane and choose **Test**.
+2. In the compliance portal, go to **Data classification** \> **Classifiers** \> **Sensitive info types** and choose the sensitive information type from the list to open the details pane. Choose **Test**.
-3. Upload a file and choose **Test**.
+3. Upload a file and choose **Test**. (You can only upload and test one file at a time.)
-4. On the **Matches results** page, review the results and choose **Finish**.
+4. On the **Match results** page, review the results and choose **Finish**.
> [!NOTE] > Microsoft Purview information protection supports double byte character set languages for:
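Review bot: New step 13 of the copy procedure ends with "choose **Done*", so the bold markup is not closed and the sentence has no final period; it should read "choose **Done**." The rewritten flow also depends on choosing **Yes** at the prompt in step 2, and the removed step that explained how to find the copy in the list (Refresh, then search for `copy`) has no replacement, so a reader who dismisses the prompt has no route to the copy. Step 9 mixes "you're creating" and "you are editing"; pick one form.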
You can test any sensitive information type in the list. We suggest that you tes
> This support is available for sensitive information types. See, [Information protection support for double byte character sets release notes (preview)](mip-dbcs-relnotes.md) for more information. > [!TIP]
-> To detect patterns containing Chinese/Japanese characters and single byte characters or to detect patterns containing Chinese/Japanese and English, define two variants of the keyword or regex.
+> To detect patterns containing Chinese/Japanese characters and single byte characters, or to detect patterns containing Chinese/Japanese and English, define two variants of the keyword or regex.
> > - For example, to detect a keyword like "机密的document", use two variants of the keyword; one with a space between the Japanese and English text and another without a space between the Japanese and English text. So, the keywords to be added in the SIT should be "机密的 document" and "机密的document". Similarly, to detect a phrase "東京オリンピック2020", two variants should be used; "東京オリンピック 2020" and "東京オリンピック2020". >
-> Along with Chinese/Japanese/double byte characters, if the list of keywords/phrases also contain non Chinese/Japanese words also (like English only), it is recommended to create two dictionaries/keyword lists. One for keywords containing Chinese/Japanese/double byte characters and another one for English only.
+> Along with Chinese/Japanese/double byte characters, if the list of keywords/phrases also contain non Chinese/Japanese words also (for instance, English only), creating two dictionaries/keyword lists is recommended. Create one for keywords containing Chinese/Japanese/double byte characters and another for English-only.
>
-> - For example, if you want to create a keyword dictionary/list with three phrases "Highly confidential", "機密性が高い" and "机密的document", the it you should create two keyword lists.
+> - For example, if you want to create a keyword dictionary/list with three phrases "Highly confidential", "機密性が高い", and "机密的document", you should create two keyword lists.
> 1. Highly confidential > 2. 機密性が高い, 机密的document and 机密的 document >
-> While creating a regex using a double byte hyphen or a double byte period, make sure to escape both the characters like one would escape a hyphen or period in a regex. Here is a sample regex for reference:
+> While creating a regex using a double byte hyphen or a double byte period, make sure to escape both the characters in the same way that you would escape a hyphen or period in a regex. Here is a sample regex for reference:
> > `(?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4})` >
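Review bot: The sample regex that the reworded sentence introduces at the end of this hunk does not, as shown here, contain a double-byte hyphen or period: its character class reads `[\-?\-\t]`, so the example does not illustrate the escaping the sentence describes. Confirm that the double-byte characters are present in the source file. In the added paragraph above it, "if the list of keywords/phrases also contain non Chinese/Japanese words also" repeats "also" and should use "contains".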
compliance Create A Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-keyword-dictionary.md
description: "Learn the basic steps to creating a keyword dictionary in the Micr
# Create a keyword dictionary
-Microsoft Purview Data Loss Prevention (DLP) can identify, monitor, and protect your sensitive items. Identifying sensitive items sometimes requires looking for keywords, particularly when identifying generic content (such as healthcare-related communication), or inappropriate or explicit language. Although you can create keyword lists in sensitive information types, keyword lists are limited in size and require modifying XML to create or edit them. Keyword dictionaries provide simpler management of keywords and at a much larger scale, supporting up to 1 MB of terms (post compression) in the dictionary and support any language. The tenant limit is also 1 MB after compression. 1 MB of post compression limit means that all dictionaries combined across a tenant can have close to 1 million characters.
+Microsoft Purview Data Loss Prevention (DLP) can identify, monitor, and protect your sensitive items. Identifying sensitive items sometimes requires looking for keywords, particularly when identifying generic content (such as healthcare-related communication), or inappropriate or explicit language. Although you can create keyword lists in sensitive information types, keyword lists are limited in size and require modifying XML to create or edit them. In contrast, keyword dictionaries provide simpler management of keywords and at a much larger scale, supporting up to 1 MB of terms (post-compression) in the dictionary. Additionally, keyword dictionaries can support any language. The tenant limit is also 1 MB after compression. A post-compression limit of 1 MB means that all dictionaries combined across a tenant can have close to one million characters.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Keyword dictionary limits
-There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant. To find out how many keyword dictionaries you have in your tenant, connect using the procedures in [Connect to the Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to connect to your tenant and run this PowerShell script.
+There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant. To find out how many keyword dictionaries you have in your tenant, connect follow the procedures in [Connect to the Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to connect to your tenant and then run this PowerShell script:
```powershell $rawFile = $env:TEMP + "\rule.xml"
Remove-Item $rawFile
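Review bot: The reworded sentence under "Keyword dictionary limits" now reads "connect follow the procedures in ... to connect to your tenant", which leaves a stray "connect" from the old wording. Suggest "follow the procedures in [Connect to the Security & Compliance PowerShell] to connect to your tenant, and then run this PowerShell script:".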
## Basic steps to creating a keyword dictionary
-The keywords for your dictionary could come from various sources, most commonly from a file (such as a .csv or .txt list) imported in the service or by PowerShell cmdlet, from a list you enter directly in the PowerShell cmdlet, or from an existing dictionary. When you create a keyword dictionary, you follow the same core steps:
+The keywords for your dictionary can come from various sources, most commonly from a file (such as a .csv or .txt list) imported in the service or via a PowerShell cmdlet, from a list you enter directly in the PowerShell cmdlet, or from an existing dictionary. When you create a keyword dictionary, you follow the same core steps:
1. Use the *<a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> or connect to **Microsoft Purview compliance portal PowerShell**.
Use the following steps to create and import keywords for a custom dictionary:
1. Connect to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.
-2. Navigate to **Data Classification > Sensitive info types**.
+2. Navigate to **Data Classifications > Classifiers > Sensitive info types**.
-3. Select **Create** and enter a **Name** and **Description** for your sensitive info type, then select **Next**
+3. Select **Create** and enter a **Name** and **Description** for your sensitive info type, then select **Next**.
-4. Select **Add an element**, then select **Dictionary (Large keywords)** in the **Detect content containing** drop-down list.
+4. You can use your keyword dictionary as either the primary element or a secondary element. To use a keyword dictionary as the primary element, in the **Primary Element** field, select **Add Primary Element** and then select **Keyword dictionary** in the dropdown list.
-5. Select **Add a dictionary**
+5. On the **Add keyword dictionary** page, you can choose from existing dictionaries, upload a dictionary, or create a dictionary.
+ 1. To use an existing dictionary,choose **Choose from existing dictionaries**.
+ 1. To upload a keyword dictionary, choose **Upload a dictionary** and follow the prompts to upload either a TXT or CSV file.
+ 1. To create a dictionary:
+ 1. Enter a **Name** for your custom dictionary.
+ 1. In the **Keywords** field, enter each keyword in your dictionary on a separate line.
+ 1. When you are finished, choose **Done**.
-6. Under the Search control, select **You can create new keyword dictionaries here**.
+6. On the next page, choose **Create**.
-7. Enter a **Name** for your custom dictionary.
+7. If you want to add additional patterns to your sensitive information type, you can do so on the next page. When finished, choose **Next**.
-8. Select **Import**, and select either **From text** or **From csv** depending on your keyword file type.
+8. Confirm the confidence level for your sensitive information type and choose **Next**.
-9. In the file dialog, select the keyword file from your local PC or network file share, then select **Open**.
-
-10. Select **Save**, then select your custom dictionary from the **Keyword dictionaries** list.
-
-11. Select **Add**, then select **Next**.
-
-12. Review and finalize your sensitive info type selections, then select **Finish**.
+9. Review and finalize your sensitive info type selections, then select **Create** and then **Done**.
## Create a keyword dictionary from a file using PowerShell
-Often when you need to create a large dictionary, it's to use keywords from a file or a list exported from some other source. In this case, you'll create a keyword dictionary containing a list of inappropriate language to screen in external email. You must first [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
+Often when you need to create a large dictionary, it's so you can use keywords from a file or a list exported from some other source. In the example that follows, you'll create a keyword dictionary containing a list of diseases to screen in external email. To begin, you'll need to [connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
-1. Copy the keywords into a text file and make sure that each keyword is on a separate line.
+1. Copy your keywords into a text file and make sure that each keyword is on a separate line.
-2. Save the text file with Unicode encoding. In Notepad \> **Save As** \> **Encoding** \> **Unicode**.
+2. Save the text file with Unicode encoding. In Notepad, navigate to \> **Save As** \> **Encoding** \> **Unicode**.
3. Read the file into a variable by running this cmdlet:
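Review bot: New step 4 says the keyword dictionary can be "either the primary element or a secondary element" but then gives the clicks only for the primary-element case; add the equivalent instruction for the other case or drop the mention. The custom sensitive information type article in this same update calls these "Supporting elements", so "secondary element" should be aligned with that term. The first sub-item of step 5 is missing a space ("dictionary,choose"), step 2 writes "Data Classifications" where the other article uses "Data classification", and the Notepad step now reads "navigate to \> **Save As**" with a leading separator that has nothing before it.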
Often when you need to create a large dictionary, it's to use keywords from a fi
## Using keyword dictionaries in custom sensitive information types and DLP policies
-Keyword dictionaries can be used as part of the match requirements for a custom sensitive information type, or as a sensitive information type themselves. Both require you to create a [custom sensitive information type](create-a-custom-sensitive-information-type-in-scc-powershell.md). Follow the instructions in the linked article to create a sensitive information type. Once you have the XML, you'll need the GUID identifier for the dictionary to use it.
+Keyword dictionaries can be used as part of the match requirements for a custom sensitive information type, or as a sensitive information type themselves. Both require you to create a [custom sensitive information type](create-a-custom-sensitive-information-type-in-scc-powershell.md). Follow the instructions in the linked article to create a sensitive information type. Once you have the XML, you'll need the GUID identifier from the XML in order to use the dictionary.
```xml <Entity id="9e5382d0-1b6a-42fd-820e-44e0d3b15b6e" patternsProximity="300" recommendedConfidence="75">
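Review bot: The reworded last sentence now says you need "the GUID identifier from the XML", but the text that follows takes the GUID from the `Identity` field of the `Get-DlpKeywordDictionary` output and pastes it into the XML. The removed wording ("the GUID identifier for the dictionary") matched that flow; suggest "you'll need the dictionary's GUID to reference it from the XML".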
Get-DlpKeywordDictionary -Name "Diseases"
The output of the command looks like this:
-`RunspaceId : 138e55e7-ea1e-4f7a-b824-79f2c4252255`
-`Identity : 8d2d44b0-91f4-41f2-94e0-21c1c5b5fc9f`
-`Name : Diseases`
-`Description : Names of diseases and injuries from ICD-10-CM lexicon`
+`RunspaceId : 138e55e7-ea1e-4f7a-b824-79f2c4252255` <br>
+`Identity : 8d2d44b0-91f4-41f2-94e0-21c1c5b5fc9f` <br>
+`Name : Diseases` <br>
+`Description : Names of diseases and injuries from ICD-10-CM lexicon`<br>
`KeywordDictionary : aarskog's syndrome, abandonment, abasia, abderhalden-kaufmann-lignac, abdominalgia, abduction contracture, abetalipo`
- `proteinemia, abiotrophy, ablatio, ablation, ablepharia, abocclusion, abolition, aborter, abortion, abortus, aboulomania,`
- `abrami's disease, abramo`
-`IsValid : True`
-`ObjectState : Unchanged`
+ `proteinemia, abiotrophy, ablatio, ablation, ablepharia,abocclusion, abolition, aborter, abortion, abortus, aboulomania,`
+ `abrami's disease, abramo` <br>
+`IsValid : True` <br>
+`ObjectState : Unchanged` <br>
-Paste the identity into your custom sensitive information type's XML and upload it. Now your dictionary will appear in your list of sensitive information types and you can use it right in your policy, specifying how many keywords are required to match.
+Paste the **identity** value into the XML for your custom sensitive information type as the **idRef**. Next, upload the XML file. Your dictionary will now appear in your list of sensitive information types and you can use it right in your policy, specifying how many keywords are required to match.
```xml <Entity id="d333c6c2-5f4c-4131-9433-db3ef72a89e8" patternsProximity="300" recommendedConfidence="85">
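Review bot: The re-added `KeywordDictionary` continuation line drops the space after a comma ("ablepharia,abocclusion"), which alters quoted command output; restore "ablepharia, abocclusion". The `<br>` tags are also applied unevenly: the first `KeywordDictionary` line and its first continuation have none, and the `Description` line has no space before the tag. A single fenced block for the whole output would make the tags unnecessary. In the final paragraph, "**identity**" should match the output field name `Identity`.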
compliance Customize A Built In Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customize-a-built-in-sensitive-information-type.md
description: Learn how to create a custom sensitive information type that will a
# Customize a built-in sensitive information type
-When looking for sensitive information in content, you need to describe that information in what's called a *rule*. Microsoft Purview Data Loss Prevention (DLP) includes rules for the most-common sensitive information types that you can use right away. To use these rules, you have to include them in a policy. You might find that you want to adjust these built-in rules to meet your organization's specific needs, and you can do that by creating a custom sensitive information type. This topic shows you how to customize the XML file that contains the existing rule collection to detect a wider range of potential credit-card information.
+When looking for sensitive information in content, you need to describe that information in what's called a *rule*. Microsoft Purview Data Loss Prevention (DLP) includes rules for the most common sensitive information types. You can use these rules right away. To use them, you must include them in a policy. You might find that you want to adjust these built-in rules to meet your organization's specific needs. You can do that by creating a custom sensitive information type. This topic shows you how to customize the XML file that contains the existing rule collection so you can detect a wider range of potential credit card information.
You can take this example and apply it to other built-in sensitive information types. For a list of default sensitive information types and XML definitions, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
To export the XML, you need to [connect to Security & Compliance PowerShell](/po
## Find the rule that you want to modify in the XML
-The cmdlets above exported the entire *rule collection*, which includes the default rules we provide. Next you'll need to look specifically for the Credit Card Number rule that you want to modify.
+The cmdlets above exported the entire *rule collection*, which includes the default rules that Microsoft provides. Next, you'll need to look specifically for the Credit Card Number rule that you want to modify.
1. Use a text editor to open the XML file that you exported in the previous section.
To upload your rule, you need to do the following.
4. To confirm, type Y, and then press **Enter**.
-5. Verify that your new rule was uploaded and its display name by typing:
+5. Verify the display name of your new rule and that it was uploaded, by entering:
```powershell Get-DlpSensitiveInformationType
These are the definitions for the terms you encountered during this procedure.
|Term|Definition| |||
-|Entity|Entities are what we call sensitive information types, such as credit card numbers. Each entity has a unique GUID as its ID. If you copy a GUID and search for it in the XML, you'll find the XML rule definition and all the localized translations of that XML rule. You can also find this definition by locating the GUID for the translation and then searching for that GUID.|
+|Entity|*Entities* are what we call sensitive information types, such as credit card numbers. Each entity has a unique GUID as its ID. If you copy a GUID and search for it in the XML, you'll find the XML rule definition and all the localized translations of that XML rule. You can also find this definition by locating the GUID for the translation and then searching for that GUID.|
|Functions|The XML file references `Func_credit_card`, which is a function in compiled code. Functions are used to run complex regexes and verify that checksums match for our built-in rules.) Because this happens in the code, some of the variables don't appear in the XML file.| |IdMatch|This is the identifier that the pattern is to trying to matchΓÇöfor example, a credit card number.| |Keyword lists|The XML file also references `keyword_cc_verification` and `keyword_cc_name`, which are lists of keywords from which we are looking for matches within the `patternsProximity` for the entity. These aren't currently displayed in the XML.|
-|Pattern|The pattern contains the list of what the sensitive type is looking for. This includes keywords, regexes, and internal functions, which perform tasks like verifying checksums. Sensitive information types can have multiple patterns with unique confidences. This is useful when creating a sensitive information type that returns a high confidence if corroborative evidence is found and a lower confidence if little or no corroborative evidence is found.|
+|Pattern|The *pattern* contains the list of what the sensitive type is looking for. This includes keywords, regexes, and internal functions, which perform tasks like verifying checksums. Sensitive information types can have multiple patterns with unique confidence levels. This is useful when creating a sensitive information type that returns a high confidence if corroborative evidence is found and a lower confidence if little or no corroborative evidence is found.|
|Pattern confidenceLevel|This is the level of confidence that the DLP engine found a match. This level of confidence is associated with a match for the pattern if the pattern's requirements are met. This is the confidence measure you should consider when using Exchange mail flow rules (also known as transport rules).|
-|patternsProximity|When we find what looks like a credit card number pattern, `patternsProximity` is the proximity around that number where we'll look for corroborative evidence.|
-|recommendedConfidence|This is the confidence level we recommend for this rule. The recommended confidence applies to entities and affinities. For entities, this number is never evaluated against the `confidenceLevel` for the pattern. It's merely a suggestion to help you choose a confidence level if you want to apply one. For affinities, the `confidenceLevel` of the pattern must be higher than the `recommendedConfidence` number for a mail flow rule action to be invoked. The `recommendedConfidence` is the default confidence level used in mail flow rules that invokes an action. If you want, you can manually change the mail flow rule to be invoked based off the pattern's confidence level, instead.|
+|patternsProximity|When we find what looks like a credit card number pattern, `patternsProximity` is the distance around that number where we'll look for corroborative evidence.|
+|recommendedConfidence|This is the confidence level we recommend for this rule. The recommended confidence level applies to entities and affinities. For entities, this number is never evaluated against the `confidenceLevel` for the pattern. It's merely a suggestion to help you choose a confidence level if you want to apply one. For affinities, the `confidenceLevel` of the pattern must be higher than the `recommendedConfidence` number for a mail flow rule action to be invoked. The `recommendedConfidence` is the default confidence level used in mail flow rules that invokes an action. If you want, you can manually change the mail flow rule to be invoked based off the pattern's confidence level, instead.|
| ## For more information
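Review bot: The rewritten recommendedConfidence row still reads "mail flow rules that invokes an action"; the verb should agree ("rules that invoke an action"). Since this change already edits the neighbouring rows, fix the untouched ones in the same pass: the Functions row has an unmatched ")" after "built-in rules", and the IdMatch row says "is to trying to match". The same row says the pattern's `confidenceLevel` "must be higher than" `recommendedConfidence` for an action to be invoked; please confirm whether an equal value triggers the action, because that boundary decides whether a mail flow rule fires.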
compliance Document Fingerprinting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-fingerprinting.md
description: "Document Fingerprinting makes it easier for you to protect informa
# Document Fingerprinting
-Information workers in your organization handle many kinds of sensitive information during a typical day. In the Microsoft Purview compliance portal, Document Fingerprinting makes it easier for you to protect this information by identifying standard forms that are used throughout your organization. This topic describes the concepts behind Document Fingerprinting and how to create one by using PowerShell.
+Information workers in your organization handle many kinds of sensitive information during a typical day. In the Microsoft Purview compliance portal, Document Fingerprinting makes it easier for you to protect this information by identifying standard forms that are used throughout your organization. This topic describes the concepts behind Document Fingerprinting and how to create a document fingerprint using PowerShell.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Basic scenario for Document Fingerprinting
-Document Fingerprinting is a Microsoft Purview Data Loss Prevention (DLP) feature that converts a standard form into a sensitive information type, which you can use in the rules of your DLP policies. For example, you can create a document fingerprint based on a blank patent template and then create a DLP policy that detects and blocks all outgoing patent templates with sensitive content filled in. Optionally, you can set up [policy tips](use-notifications-and-policy-tips.md) to notify senders that they might be sending sensitive information, and the sender should verify that the recipients are qualified to receive the patents. This process works with any text-based forms used in your organization. Additional examples of forms that you can upload include:
+Document Fingerprinting is a Microsoft Purview Data Loss Prevention (DLP) feature that converts a standard form into a sensitive information type, which you can use in the rules of your DLP policies. For example, you can create a document fingerprint based on a blank patent template and then create a DLP policy that detects and blocks all outgoing patent templates with sensitive content filled in. Optionally, you can set up [policy tips](use-notifications-and-policy-tips.md) to notify senders that they might be sending sensitive information, and that the sender should verify that the recipients are qualified to receive the patents. This process works with any text-based forms used in your organization. Additional examples of forms that you can upload include:
- Government forms - Health Insurance Portability and Accountability Act (HIPAA) compliance forms
Ideally, your organization already has an established business practice of using
## How Document Fingerprinting works
-You've probably already guessed that documents don't have actual fingerprints, but the name helps explain the feature. In the same way that a person's fingerprints have unique patterns, documents have unique word patterns. When you upload a file, DLP identifies the unique word pattern in the document, creates a document fingerprint based on that pattern, and uses that document fingerprint to detect outbound documents containing the same pattern. That's why uploading a form or template creates the most effective type of document fingerprint. Everyone who fills out a form uses the same original set of words and then adds his or her own words to the document. As long as the outbound document isn't password protected and contains all the text from the original form, DLP can determine if the document matches the document fingerprint.
+You've probably already guessed that documents don't have actual fingerprints, but the name helps explain the feature. In the same way that a person's fingerprints have unique patterns, documents have unique word patterns. When you upload a file, DLP identifies the unique word pattern in the document, creates a document fingerprint based on that pattern, and uses that document fingerprint to detect outbound documents containing the same pattern. That's why uploading a form or template creates the most effective type of document fingerprint. Everyone who fills out a form uses the same original set of words and then adds his or her own words to the document. As long as the outbound document isn't password protected and contains all the text from the original form, DLP can determine whether the document matches the document fingerprint.
> [!IMPORTANT] > For now, DLP can use document fingerprinting as a detection method in Exchange online only.
The following example shows what happens if you create a document fingerprint ba
![Diagram of document fingerprinting.](../media/Document-Fingerprinting-diagram.png)
-The patent template contains the blank fields "Patent title," "Inventors," and "Description" and descriptions for each of those fieldsΓÇöthat's the word pattern. When you upload the original patent template, it's in one of the supported file types and in plain text. DLP converts this word pattern into a document fingerprint, which is a small Unicode XML file containing a unique hash value representing the original text, and the fingerprint is saved as a data classification in Active Directory. (As a security measure, the original document itself isn't stored on the service; only the hash value is stored, and the original document can't be reconstructed from the hash value.) The patent fingerprint then becomes a sensitive information type that you can associate with a DLP policy. After you associate the fingerprint with a DLP policy, DLP detects any outbound emails containing documents that match the patent fingerprint and deals with them according to your organization's policy.
+The patent template contains the blank fields "Patent title," "Inventors," and "Description", along with descriptions for each of those fields--that's the word pattern. When you upload the original patent template, it's in one of the supported file types and in plain text. DLP converts this word pattern into a document fingerprint, which is a small Unicode XML file containing a unique hash value representing the original text, and the fingerprint is saved as a data classification in Active Directory. (As a security measure, the original document itself isn't stored on the service; only the hash value is stored, and the original document can't be reconstructed from the hash value.) The patent fingerprint then becomes a sensitive information type that you can associate with a DLP policy. After you associate the fingerprint with a DLP policy, DLP detects any outbound emails containing documents that match the patent fingerprint and deals with them according to your organization's policy.
-For example, you might want to set up a DLP policy that prevents regular employees from sending outgoing messages containing patents. DLP will use the patent fingerprint to detect patents and block those emails. Alternatively, you might want to let your legal department to be able to send patents to other organizations because it has a business need for doing so. You can allow specific departments to send sensitive information by creating exceptions for those departments in your DLP policy, or you can allow them to override a policy tip with a business justification.
+For example, you might want to set up a DLP policy that prevents regular employees from sending outgoing messages containing patents. DLP will use the patent fingerprint to detect patents and block those emails. Alternatively, you might want to let your legal department be able to send patents to other organizations because it has a business need for doing so. You can allow specific departments to send sensitive information by creating exceptions for those departments in your DLP policy, or you can allow them to override a policy tip with a business justification.
> [!IMPORTANT] > Text in embedded documents is not considered for fingerprint creation. You should provide sample template files that don't contain embedded documents.
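Review bot: In the rewritten patent-template paragraph the comma now sits outside the closing quote in `"Description",` while `"Patent title,"` and `"Inventors,"` keep it inside; pick one convention. The dash before "that's the word pattern" was replaced with "--", which may render literally as two hyphens; use a proper dash or split the sentence. In the next paragraph, "let your legal department be able to send patents" is still awkward; "allow your legal department to send patents" says the same thing.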
compliance Information Barriers Multi Segment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-multi-segment.md
If the value of the `InformationBarrierMode` property is *Legacy*, enabling mult
To enable multi-segment support for organizations in *SingleSegment* mode, run the following cmdlet from an [Exchange Online PowerShell session](/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps). ```powershell
-Enable-ExoInformationBarrierMultiSegment
+Enable-ExoInformationBarriersMultiSegment [-Organization] <tenantIdentity>
``` > [!IMPORTANT]
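Review bot: The corrected cmdlet line adds `[-Organization] <tenantIdentity>`, but nothing in the visible text says what to supply for `<tenantIdentity>` or whether the parameter is required. Because the line sits in a powershell code block, readers will paste it as is. Either show a concrete invocation and explain the placeholder in the sentence above, or move the syntax notation out of the code block and document the parameter.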
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
New reports typically take up to 10 hours before they're ready for review. When
![Insider risk management user activity report](../media/insider-risk-user-activity-report.png)
-The **User activity report** for the selected user contains the **User activity**, **Activity explorer**, and **Forensic evidence (preview)** tabs:
+The **User activity report** for the selected user contains the **User activity**, **Activity explorer**, and **Forensic evidence** tabs:
- **User activity**: Use this chart view to investigate potentially risky activities and view potentially related activities that occur in sequences. This tab is structured to enable quick review of a case, including a historical timeline of all activities, activity details, the current risk score for the user in the case, the sequence of risk events, and filtering controls to help with investigative efforts. - **Activity explorer**: This tab provides risk investigators with a comprehensive analytics tool that provides detailed information about activities. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all potentially risky activities associated with alerts. To learn more about using the Activity explorer, see the *Activity explorer* section later in this article.
compliance Insider Risk Management Browser Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-browser-support.md
# Learn about and configure insider risk management browser signal detection
->[!IMPORTANT]
->Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+In Microsoft Purview Insider Risk Management, browser signal detection is used for:
+
+- The [Risky browser usage template](/microsoft-365/compliance/insider-risk-management-policy-templates#risky-browser-usage-preview)
+- [Forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence#capturing-options)
+
+## Risky browser usage template
Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in [Microsoft Edge](https://www.microsoft.com/edge) and [Google Chrome](https://www.google.com/chrome) browsers. With these signals, analysts and investigators can quickly act when any of the following risk activities are performed by in-scope policy users when using these browsers:
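Review bot: The new link to the Risky browser usage template points at the fragment `#risky-browser-usage-preview`, while the heading added here is "Risky browser usage template" with no preview label. Please confirm the target heading in the policy templates article still carries "(preview)"; if it was renamed, the fragment no longer resolves and the link lands at the top of that page.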
The following table summarizes identified risk activities and extension support
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## Forensic evidence
+
+For forensic evidence, all types of browsing activities can be captured; you're not limited to the browsing indicators of the [Risky browser usage template](/microsoft-365/compliance/insider-risk-management-policy-templates#risky-browser-usage-preview). You can specify the desktop apps and websites that you want to include or exclude. To capture browsing activity for forensic evidence, you must install the extensions as described in this topic, and you must also turn on at least one risky browsing indicator in the insider risk settings.
+ ## Common requirements
-Before installing the Microsoft Edge add-on or Google Chrome extension, customers need to ensure that devices for in-scope policy users meet the following requirements:
+Before installing the Microsoft Edge add-on or Google Chrome extension, ensure that devices for in-scope policy users meet the following requirements:
- Latest Windows 10 x64 build is recommended, minimum Windows 10 x64 build 1809 for signal detection support. Browser signal detection isn't currently supported on non-Windows devices. - Current [Microsoft 365 subscription](/microsoft-365/compliance/insider-risk-management-configure#subscriptions-and-licensing) with insider risk management support.
For the basic setup option, complete the following steps:
### Option 2: Intune setup for Edge
-User this option to configure the extension and requirements for your organization using Intune.
+Use this option to configure the extension and requirements for your organization using Intune.
For the Intune setup option, complete the following steps:
compliance Insider Risk Management Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
The **Activity explorer** tab allows risk analysts and investigators to review c
For more information about the Activity explorer, see the [Insider risk management activities](insider-risk-management-activities.md#activity-explorer) article.
-## Forensic evidence (preview)
+## Forensic evidence
-The **Forensic evidence (preview)** tab allows risk investigators to review visual captures associated with risk activities included in cases. For example, as part of the case management actions, investigators may need to help clarify the context of the user activity under review. Viewing the actual clips of the activity can help the investigator determine if the user activity is potentially risky and may lead to a security incident.
+The **Forensic evidence ** tab allows risk investigators to review visual captures associated with risk activities included in cases. For example, as part of the case management actions, investigators may need to help clarify the context of the user activity under review. Viewing the actual clips of the activity can help the investigator determine if the user activity is potentially risky and may lead to a security incident.
For more information about forensic evidence, see the [Learn about insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence) article.
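Review bot: Removing "(preview)" left a trailing space inside the bold markers, `**Forensic evidence **`. Markdown does not treat a closing `**` that follows whitespace as a delimiter, so the asterisks will render literally; change it to `**Forensic evidence**`.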
compliance Insider Risk Management Forensic Evidence Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure.md
Title: Get started with insider risk management forensic evidence (preview)
+ Title: Get started with insider risk management forensic evidence
description: Get started with insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured security-related user activity to help determine whether the user's actions pose a risk and may lead to a security incident. keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance ms.localizationpriority: medium
f1.keywords:
Previously updated : 02/07/2023 Last updated : 03/01/2023 audience: itpro
-# Get started with insider risk management forensic evidence (preview)
+# Get started with insider risk management forensic evidence
+
+> [!IMPORTANT]
+> Forensic evidence is an opt-in add-on feature in Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in. Forensic evidence includes customizable event triggers and built-in user privacy protection controls, enabling security teams to better investigate, understand and respond to potential insider data risks like unauthorized data exfiltration of sensitive data.
+>
+> Organizations set the right policies for themselves, including what risky events are highest priority for capturing forensic evidence and what data is most sensitive. Forensic evidence is off by default, policy creation requires dual authorization and usernames can be masked with pseudonymization (which is on by default for Insider Risk Management). Setting up policies and reviewing security alerts within Insider Risk Management leverages strong role-based access controls (RBAC), ensuring that the designated individuals in the organization are taking the right actions with additional auditing capabilities.
>[!IMPORTANT] >Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. ## Configure forensic evidence
-Configuring forensic evidence in your organization is similar to configuring other policies from insider risk management policy templates. In general, you'll follow the same basic configuration steps to set up forensic evidence, but there are a few areas that need feature-specific configuration actions before your get started with the basic configuration steps.
+Configuring forensic evidence in your organization is similar to configuring other policies from insider risk management policy templates. In general, you'll follow the same basic configuration steps to set up forensic evidence, but there are a few areas that need feature-specific configuration actions before you get started with the basic configuration steps.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
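Review bot: The added [!IMPORTANT] block is placed directly above the existing [!IMPORTANT] block, and the two repeat the same points (pseudonymization on by default, role-based access controls, auditing). Two stacked callouts dilute both; merge them or demote one to body text. In the new text, "unauthorized data exfiltration of sensitive data" says "data" twice, and "policy creation requires dual authorization" names a control that nothing in this hunk explains; add a sentence or a link saying who the two approvers are.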
Additionally, you'll need to add the following domain to your firewall allowlist
Captures and capture data are stored at this domain and is assigned only to your organization. No other Microsoft 365 organization has access to forensic evidence captures for your organization.
+> [!NOTE]
+> Forensic evidence data is stored in one region where your Exchange Online Protection (EOP) or exchange region is set.
+ ### Step 2: Configure supported devices User devices eligible for forensic evidence capturing must be onboarded to the [Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center) and must have the Microsoft Purview Client installed.
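Review bot: The new note "stored in one region where your Exchange Online Protection (EOP) or exchange region is set" is too loose for a data-residency statement: "exchange region" is lowercase and undefined, and the sentence does not say which of the two settings applies when they differ. State which setting determines the storage region and capitalize the product name. The unchanged line above also has an agreement error, "Captures and capture data are stored at this domain and is assigned".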
User devices eligible for forensic evidence capturing must be onboarded to the [
>[!IMPORTANT] >The Microsoft Purview Client automatically collects general diagnostic data related to device configuration and performance metrics. This includes data on critical errors, RAM consumption, process failures, and other data. This data helps us assess the client's health and identify any issues. For more details about how diagnostic data may be used, see the Use of Software with Online Services on the [Microsoft Product Terms](https://www.microsoft.com/licensing/product-licensing/products).
-For a list of device and configuration requirements, see [Learn about forensic evidence (preview)](insider-risk-management-forensic-evidence.md#device-and-configuration-requirements). To onboard supported devices, complete the steps outlined in the [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview) article.
+For a list of device and configuration requirements, see [Learn about forensic evidence](insider-risk-management-forensic-evidence.md#device-and-configuration-requirements). To onboard supported devices, complete the steps outlined in the [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview) article.
To install the Microsoft Purview Client, complete the following steps:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Client installation**.
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **Client installation**.
2. Select **Download installer package (x64 version)** to download the installation package for Windows. 3. After downloading the installation package, use your preferred method to install the client on users' devices. These options may include manually installing the client on devices or tools to help automate the client installation:
Forensic evidence has several configuration settings that provide flexibility fo
To configure forensic evidence settings, complete the following steps:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Forensic evidence settings**.
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **Forensic evidence settings**.
2. Select **Forensic evidence capturing** to enable capturing support in your forensic evidence policies. If this is turned off later, this will remove all previously added users for forensic evidence policies. >[!IMPORTANT] >The Microsoft Purview Client used to capture activity on users' devices is licensed under the Use of Software with the Online Services on the [Microsoft Product Terms](https://www.microsoft.com/licensing/product-licensing/products). Note that customers are solely responsible for using the insider risk management solution, including the Microsoft Purview Client, in compliance with all applicable laws.
-1. In the **Capturing window** section, define when to start and stop activity capturing. Available values are *10 seconds*, *30 seconds*, *1 minute*, *3 minutes*, or *5 minutes*.
+1. In the **Capturing window** section, define when to start and stop activity capturing. Available values are *10 seconds*, *30 seconds*, *1 minute*, *3 minutes*, or *5 minutes*.
1. In the **Upload bandwidth limit** section, define the amount of capture data to upload into your data storage account per user, per day. Available values are *100 MB*, *250 MB*, *500 MB*, *1 GB*, or *2 GB*.
-1. In the **Offline capturing** section, enable offline capturing if needed. When enabled, users' offline activity is captured and uploaded to your data storage account the next time they're online.
1. In the **Offline capturing cache limit** section, define the maximum cache size to store on users' devices when offline capturing is enabled. Available values are *100 MB*, *250 MB*, *500 MB*, *1 GB*, or *2 GB*. 1. Select **Save**. ### Step 4: Create a policy
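Review bot: The step that enables **Offline capturing** is removed, but the following step still configures **Offline capturing cache limit** "when offline capturing is enabled". If the toggle no longer exists, say how offline capturing gets turned on, or reword the cache-limit step so it does not depend on a removed setting. The **Capturing window** line changes only whitespace and could be dropped from the diff.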
-Forensic evidence policies define the scope of security-related user activity to capture on configured devices. You can have one policy that captures all activities approved users perform on their devices and additional policies that capture only specific activities (such as printing or exfiltrating files). Once created, you'll include these policies in forensic evidence requests to control what activity to capture for users whose requests are approved.
+Forensic evidence policies define the scope of security-related user activity to capture for configured devices. There are two options for capturing forensic evidence:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Forensic evidence policies**.
-2. Select **Create forensic evidence policy**.
-3. On the **Scope** page, you'll choose the scope of security-related user activity to capture. Select one of the following options:
+- **Capture only specific activities (such as printing or exfiltrating files).** With this option, you can choose the device activities that you want to capture and only the selected activities will be captured by the policy. You can also choose to capture activity for specific desktop apps and/or websites. This way you can focus on just the activities, apps, and websites that present risk.
+- **Capture all activities that approved users perform on their devices.** This option is typically used for a specific period of time, for example, when a particular user is potentially involved in risky activity that may lead to a security incident. To preserve capacity and user privacy, you can choose to exclude specific desktop apps and/or websites from the capture.
+
+After you create a policy, you'll include it in forensic evidence requests to control what activity to capture for users whose requests are approved.
+
+> [!NOTE]
+> Continuous forensic policies (capturing all activities) take precedence over selective forensic evidence policies (capturing only specific activities).
- - **Specific activities**: This option only captures activities detected by policies that users are included in. These activities are defined by the indicators selected in forensic evidence policies. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **Alerts** or **Cases** dashboard.
- - **All activities**: This option captures any activity performed by users. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
+#### Capture only specific activities
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **Forensic evidence policies**.
+2. Select **Create forensic evidence policy**.
+3. On the **Scope** page, select **Specific activities**. This option only captures activities detected by policies that users are included in. These activities are defined by the indicators selected in forensic evidence policies. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **Alerts** or **Cases** dashboard.
4. Select **Next**. 5. On the **Name and description** page, complete the following fields: - **Name (required)**: Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created. - **Description (optional)**: Enter a description for the forensic evidence policy. 6. Select **Next**.
-7. If you've selected the **All Activities** option in Step 3, the **Device activities** page directs you the final step in the policy wizard. There aren't any device activities to configure when the **All activities** option is selected.
+7. On the **Choose device activities to capture** page:
+ 1. Select any device activities that you want to capture. Only the selected activities will be captured by the policy.
+ > [!NOTE]
+ > If the indicators aren't selectable, you'll be prompted to turn them on.
+ 2. You can also choose to capture activity for particular desktop apps and/or websites in your policy by selecting the **Opening a specific app or website** check box under **App and web browsing activities to capture**.
+
+ > [!IMPORTANT]
+ > If you want to capture browsing activities (to include or exclude specific URLs in your forensic evidence policies), make sure to [install the necessary browser extensions](insider-risk-management-browser-support.md). You also need to turn on at least one browsing indicator. If you haven't already turned on one or more browsing indicators, you'll be prompted to do so if you choose to include or exclude desktop apps or websites. The triggering event for capturing browsing activities is a URL update in the URL bar that contains the specified URL.
+
+ 3. Select **Next**.
+8. (Optional) If you chose to capture activity for particular desktop apps and websites, in the **Add apps and websites you want to capture activity for** page:
+ 1. To add a desktop app, select **Add desktop apps**, enter the name of an executable file (for example, teams.exe), and then select **Add**. Repeat this process for each desktop app that you want to add (up to 25 apps). To find the name of an executable file for the app, open the Task Manager, and then view the properties for the app. Here's a list of exe names for some of the common applications: Microsoft Edge (msedge.exe), Microsoft Excel (Excel.exe), the Snipping tool (SnippingTool.exe), Microsoft Teams (Teams.exe), Microsoft Word (WinWord.exe), and Microsoft Remote Desktop Connection (mstsc.exe).
+
+ > [!NOTE]
+ > Sometimes, the exe names for an app might differ based on the device and the permissions with which the app was opened. For example, on a Windows 11 enterprise device, when Windows PowerShell is opened without administrator permissions, the exe name is WindowsTerminal.exe but when opened with administrator permissions, the exe name changes to powershell.exe. Make sure to include/exclude both exe names in such scenarios.
+
+ 2. To add a web app or website, select **Add web apps and websites**, enter a URL (for example, https://teams.microsoft.com), and then select **Add**. Repeat this process for each web app or website that you want to add. You can add up to 25 URLs with a character length of 100 for each URL.
- If you've selected the **Specific activities** option in Step 3, you'll select device activities to capture on the **Device activities** page. Only the activities selected will be captured by the policy. If the indicators aren't selectable, you'll need to turn on these indicators for your organization before you can select these indicators in the forensic evidence policy.
+ > [!TIP]
+ > If an app has a desktop and web version, be sure to add both the desktop executable and the web URL to make sure you capture activity for both.
- After you've selected indicators, select **Next**.
-8. On the **Finish** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
+ 3. Select **Next**.
+9. On the **Review settings and finish** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Edit any of the policy values or select **Submit** to create and activate the policy.
+10. After you've completed the policy configuration steps, continue to Step 5.
-After you've completed the policy configuration steps, continue to Step 5.
+#### Capture all activities
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Forensic evidence policies**.
+2. Select **Create forensic evidence policy**.
+3. On the **Scope** page, select **All activities**. This option captures any activity performed by users. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
+4. Select **Next**.
+5. On the **Name and description** page, complete the following fields:
+ - **Name (required)**: Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created.
+ - **Description (optional)**: Enter a description for the forensic evidence policy.
+6. Select **Next**.
+7. On the **Choose device activities to capture** page, if you want to exclude certain desktop apps and/or web apps or websites from the capture, under **App and web browsing activities to capture**, select the **Exclude specific apps or websites** check box.
+9. Select **Next**.
+10. If you chose to exclude particular desktop apps and websites from the capture, in the **Exclude applications/URLs** page:
+ - To exclude a desktop app from the capture, select **Exclude desktop apps**, enter the name of an executable file (for example, teams.exe), and then select **Add**. Repeat this process for each desktop app that you want to exclude (up to 25 apps). To find the name of an executable file for an app, open the Task Manager, and then view the properties for the app.
+ - To exclude a web app or website, select **Exclude web apps and websites**, enter a URL (for example, https://teams.microsoft.com), and then select **Add**. Repeat this process for each web app or website that you want to exclude. You can exclude up to 25 URLs with a character length of 100 for each URL.
+
+ > [!TIP]
+ > If an app has a desktop and web version, be sure to add both the desktop executable and the web URL to make sure you exclude both.
+
+11. On the **Review settings and finish** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Edit any of the policy values or select **Submit** to create and activate the policy.
+12. After you've completed the policy configuration steps, continue to Step 5.
### Step 5: Define and approve users for capturing Before security-related user activities can be captured, admins must follow the dual authorization process in forensic evidence. This process mandates that enabling visual capturing for specific users is both defined and approved by applicable people in your organization.
->[!IMPORTANT]
->For the preview release, a maximum of 5 concurrent users are eligible for forensic evidence capturing. Capturing for groups isn't supported in the preview release.
- You must request that forensic evidence capturing is enabled for specific users. When a request is submitted, approvers in your organization are notified in email and can approve or reject the request. If approved, the user will appear on the **Approved users** tab and will be eligible for capturing. - To request approval for forensic evidence capturing for users, complete [these configuration steps](/microsoft-365/compliance/insider-risk-management-forensic-evidence-manage#request-capturing-approvals).
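Review bot: The numbered steps under "Capture all activities" skip from 7 to 9 (`+7. On the **Choose device activities to capture** page` is followed directly by `+9. Select **Next**.`), so the source numbering no longer matches the step count; renumber 9 through 12 as 8 through 11. The exclude sub-steps are also bullets where the matching include sub-steps in the specific-activities procedure are numbered. The exclude procedure also omits the note that an app's exe name can differ with the permissions it was opened with (WindowsTerminal.exe versus powershell.exe); the include-side note itself says to "include/exclude both exe names", so repeat it or link to it from the exclude steps.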
compliance Insider Risk Management Forensic Evidence Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence-manage.md
Title: Manage insider risk management forensic evidence (preview)
+ Title: Manage insider risk management forensic evidence
description: Manage insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured security-related user activity to help determine whether the user's actions pose a risk and may lead to a security incident. keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance ms.localizationpriority: medium
f1.keywords:
Previously updated : 02/21/2023 Last updated : 03/01/2023 audience: itpro
-# Manage insider risk management forensic evidence (preview)
+# Manage insider risk management forensic evidence
+
+> [!IMPORTANT]
+> Forensic evidence is an opt-in add-on feature in Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in. Forensic evidence includes customizable event triggers and built-in user privacy protection controls, enabling security teams to better investigate, understand and respond to potential insider data risks like unauthorized data exfiltration of sensitive data.
+>
+> Organizations set the right policies for themselves, including what risky events are highest priority for capturing forensic evidence and what data is most sensitive. Forensic evidence is off by default, policy creation requires dual authorization and usernames can be masked with pseudonymization (which is on by default for Insider Risk Management). Setting up policies and reviewing security alerts within Insider Risk Management leverages strong role-based access controls (RBAC), ensuring that the designated individuals in the organization are taking the right actions with additional auditing capabilities.
>[!IMPORTANT] >Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
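Review bot: The added callout sits directly above an existing IMPORTANT callout that already says users are pseudonymized by default and that role-based access controls and audit logs are in place, so the page now opens with two consecutive IMPORTANT blocks making overlapping statements. Consider merging them into one callout that keeps the new facts (opt-in add-on, off by default, dual authorization for policy creation). The phrase "unauthorized data exfiltration of sensitive data" can also be shortened to "unauthorized exfiltration of sensitive data".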
You must request that forensic evidence capturing be turned on for specific user
To configure approved users for forensic evidence capturing, complete the following steps:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **User management**.
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **User management**.
2. Select the **Manage forensic evidence requests** tab. 3. Select **Create request**. 4. On the **Users** page, select **Add users**.
To configure approved users for forensic evidence capturing, complete the follow
8. On the **Justification** page, let the reviewer know why you're requesting that capturing be enabled for the users you added in the **Justification for turning on forensic evidence capturing** text box. This is a required field. When complete, select **Next**. 9. On the **Email notifications** page, you can use a notification template to send an email to users letting them know that forensic evidence capturing will be turned on for their device in accordance with your organization's policies. The email will be sent to users only if their request is approved.
- Select the **Send an email notification to approved users** checkbox. Choose an existing template o create a new one. To create a new template, select **Create a notification template** and complete the following required fields in the **New email notification template** pane.
+ Select the **Send an email notification to approved users** check box. Choose an existing template or create a new one. To create a new template, select **Create a notification template** and complete the following required fields in the **New email notification template** pane.
10. Select **Next**. 11. On the **Finish** page, review your settings before submitting the request. Select **Edit users** or **Edit justification** to change any of the request values or select **Submit** to create and send the request to reviewers.
-To view pending approval requests, navigate to **Insider risk management** > **Forensic evidence (preview)** > **Pending requests**. Here you'll see the users with pending requests, their email address, the request submission date, and who submitted the approval request. If no users are displayed, there aren't any pending approval requests for any users.
+To view pending approval requests, navigate to **Insider risk management** > **Forensic evidence** > **Pending requests**. Here you'll see the users with pending requests, their email address, the request submission date, and who submitted the approval request. If no users are displayed, there aren't any pending approval requests for any users.
-Users assigned to the *Insider Risk Management Approvers* role group can select a user on the **Forensic evidence request (preview)** tab and review the request. After reviewing the request, these users can approve or reject the forensic evidence capturing request. Approving or rejecting the capturing request removes the pending request for users from this view.
+Users assigned to the *Insider Risk Management Approvers* role group can select a user on the **Forensic evidence request** tab and review the request. After reviewing the request, these users can approve or reject the forensic evidence capturing request. Approving or rejecting the capturing request removes the pending request for users from this view.
### Approve or reject capturing requests After requests are complete, users assigned to the *Insider Risk Management Approvers* role group will receive an email notification for the approval request. To approve or reject requests, reviewers must complete the following steps:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Pending requests**.
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **Pending requests**.
2. Select a user to review. 3. On the **Review forensic evidence request (preview)** pane, review the justification submitted by the requestor. Select **Approve** or **Reject** as applicable. 4. On the **Request approved** or **Request rejected** page, select **Close**.
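Review bot: The navigation path on the changed line drops "(preview)", but the unchanged step 3 just below still names the pane **Review forensic evidence request (preview)**. If the pane label changed in the product along with the navigation, update step 3 in the same commit; if it did not, confirm that so the steps match what approvers see.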
If needed, you can revoke approval for specific users and exclude them from fore
To revoke approvals for users, users assigned to the *Insider Risk Management Approvers* role group must complete the following steps:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **User management**.
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **User management**.
2. Select the **Approved users** tab. 3. Select a user, then select **Remove**. 4. On the removal confirmation page, select **Remove** to revoke capturing approval or select **Cancel** to close the confirmation page.
You can create and use a notification template to send an email to users letting
To create a new notification template, complete the following steps:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Notification templates**.
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **Notification templates**.
2. Select **Create notification template**. 3. On the **New email notification template** pane, complete the following required fields: - Template name - Send from - Subject - Message body
-4. Select **Save**
+4. Select **Save**.
To delete an existing notification template, select a template and select **Delete**.
-## Viewing capture clips
-
-If you've selected the option to only capture activities defined by the indicators selected in forensic evidence policies, capture clips are available as part of the alert and are accessible on the **Forensic evidence (preview)** tab on the **Alerts dashboard**. If alerts are later escalated to cases, the associated clips are accessible on the **Forensic evidence (preview)** tab on the **Cases** dashboard.
+## Viewing captured clips
-If you've selected the option to capture any security-related activity performed by users included in forensic evidence policies, you'll view the clips for individual users on the **User activity report** dashboard.
+You can view and explore captured clips by selecting the **Forensics evidence** tab when you open Microsoft Purview Insider Risk Management. You can also select the **Forensics evidence** tab from other areas in the solution to view a list of captured clips in context:
->[!IMPORTANT]
->Forensic evidence clips are deleted 120 days after they're captured or at the end of the preview period, whichever is sooner. You can download or transfer forensic evidence clips before they're deleted.
+- **Alerts dashboard.** Clips accessible from the **Alerts** dashboard correspond to the option to capture **specific user activities** when the forensic evidence policy is created. The captured clips are defined by indicators selected in the forensic evidence policy.
+- **User activity reports.** Clips accessible from **User activity** reports correspond to the option to capture **any security-related activity** performed by users included in forensic evidence policies.
+- **Cases dashboard.** Clips accessible from the **Cases** dashboard are alerts that have been escalated to cases.
-### Reviewing capture clips included with alerts
+> [!NOTE]
+> If you're a member of both the *Insider Risk Management Investigators* role group and the *Insider Risk Management Admins* role group, you'll see a **Review captured clips** button when you open Microsoft Purview Insider Risk Management. If you select the **Review captured clips** button, it changes to the **Open forensic evidence settings** button. The purpose of this button is to go back and forth between the list of captured clips and settings if you have both roles. [Learn more about role groups](insider-risk-management-configure.md#step-1-required-enable-permissions-for-insider-risk-management)
-For alerts generated by policies, forensic evidence captures for users are available for review on the **Forensic evidence (preview)** tab on the **Alerts** dashboard. If one or more captures are available for the alert, you'll also see a **View forensic evidence** notification in the Activity that generated this alert header section. You can select the notification link or the **Forensic evidence (preview)** tab to review the activity captures.
+When you select the **Forensics evidence** tab, captured clips and associated information are displayed in a list. If you select a captured clip in the list, a video player appears in the center of the screen, and a transcript of activities and events from the clip are displayed to the right of the video player.
-![Insider risk management forensic evidence user activity.](../media/insider-risk-forensic-evidence-user-activity.png)
+![Insider risk management forensic evidence captured clips list.](../media/insider-risk-management-capture-explore.png)
-Overall, reviewing an alert for potentially risky activity that may contain forensic evidence captures is essentially the same as reviewing an alert without forensic evidence captures. The significant difference is the inclusion of any applicable captures. The **Forensic evidence (preview)** tab provides access to all available captures associated with the alert. Each capture is displayed and includes the following information:
+Each captured clip includes the following information:
- **Date/time (UTC)**: The date, time (UTC), and duration of the capture. - **Device**: The name of the device in Windows 10/11.-- **Activity type**: The insider risk management activity type included in the capture. These activities are based on global and policy indicators assigned to the associated policy.-- **Capture events**: Each capture contains events within the capture to help focus your review on specific activities for the capturing session.
+- **Activities**: The insider risk management activity type included in the capture. These activities are based on global and policy indicators assigned to the associated policy.
+- **User**: The name of the user.
+- **URL** (if applicable): The URL that the user was accessing when the activity took place.
+- **Application** (if applicable): The application that the user was accessing when the activity took place.
+- **Active window title**: The title of the window that the user was accessing when the activity took place.
+
+To view a captured clip:
+
+1. If needed, configure the filters at the top of the list.
+2. Select a clip from the list.
+3. Using the video player controls, select the *Play control* to review the entire clip from beginning to end.
+4. To scope the review to a specific activity or event in the clip, select the activity or event in the transcript. You can also use the search box above the transcript to search for specific activities or events.
+
+ > [!NOTE]
+ > A red triangle in the transcript denotes an activity.
+
+#### Filtering the captured clips list
+
+You can use the filters above the captured clips list to filter for specific activities and information.
+
+- Each filter supports up to 10 unique IDs so, for example, you can filter on up to 10 users at one time.
+- Use the **URL name** filter to match a domain name or to search for any keyword after matching a domain. For example, entering "SharePoint" as a keyword returns any URL that includes "SharePoint" anywhere in the URL.
+- With the **App name** filter, you can filter by **Contains any of** or **Contains all of**. For example, if you select **Contains any of** and enter "Contoso.com,Contoso2.com", you could have one clip that captures Contoso.com and another that captures Contoso2.com. If you select **Contains all of** and enter "Contoso.com,Contoso2.com", any captures would have to contain both domains.
+- The **Active window title** filter behaves the same way as the **App name** filter.
+
+#### Deleting clips
-To view a capture clip, complete the following steps:
+Users assigned to the *Insider Risk Management Investigators* role group can delete individual clips from the captured clips list. To do this:
-1. If needed, configure the filters for the available captures. You can filter by the **Dates (UTC)** or by **Activity**.
-2. Select a clip to review.
-3. Select the device monitor to review. Each monitor connected to the device (up to 4) is eligible for forensic evidence capturing and are listed as *Display 1*, *Display 2*, etc.
-4. Using the video player controls, select the *Play control* to review the entire clip from beginning to end.
-5. If you want to scope the review to a specific event in the clip, select the event from the **Capture events** lists to the right of the video player.
+1. Select the check box next to the capture.
+2. Select the **Delete** (Trash can) button.
-### Reviewing capture clips included with cases
+Users assigned to the *Insider Risk Management Admins* role group can do bulk deletions through settings. To do this:
-If alerts are escalated to cases, all associated forensic evidence captures are included as part of the case. Reviewing forensic evidence captures for cases follows the same process as when you review captures as part of examining alerts.
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **Forensic evidence settings**.
+2. Make sure that the **Allow deletion of forensic user data by an Administrator or Investigator** option is set to **On**.
+3. Under **Delete a user's** data, click **Select a user**, and then select the user that you want to delete clips for.
-### Reviewing capture clips without alerts
+> [!IMPORTANT]
+> Forensic evidence clips are deleted 120 days after they're captured. You can export or transfer forensic evidence clips before they're deleted.
-To view clips for activity not associated with alerts, you'll use [User activity reports](/microsoft-365/compliance/insider-risk-management-activities#user-activity-reports). User activity reports allow you to examine activities for specific users for a defined time period without having to assign them temporarily or explicitly to an insider risk management policy. If these user activities include activities supported by forensic evidence capturing, clips are included with the user activity.
+### Alerts dashboard
-If you've configured forensic evidence to capture all security-related user activity, regardless of whether they're included in a forensic evidence policy, you'll review these captures by selecting **Insider risk management** > **User activity reports** and then selecting a specific user and selecting the **Forensic evidence (preview)** tab.
+For alerts generated by policies, you can review forensic evidence captures on the **Forensic evidence** tab on the **Alerts** dashboard. If one or more captures are available for the alert, you'll also see a **View forensic evidence** notification link in the activity that generates an alert header section. You can select the notification link or the **Forensic evidence** tab to review a list of activity captures.
+
+![Insider risk management forensic evidence user activity.](../media/insider-risk-forensic-evidence-user-activity.png)
+
+Reviewing an alert for potentially risky activity that may contain forensic evidence captures is essentially the same as reviewing an alert without forensic evidence captures. The significant difference is the inclusion of any applicable captures. The **Forensic evidence** tab provides access to all available captures associated with the alert.
+
+### Cases dashboard
+
+If alerts are escalated to cases, all associated forensic evidence captures are included as part of the case. Reviewing forensic evidence captures for cases follows the same process as reviewing captures for alerts.
+
+### User activity reports
+
+User activity reports allow you to examine activities for specific users for a defined time period without having to assign them temporarily or explicitly to an insider risk management policy. If these user activities include activities supported by forensic evidence capturing, clips are included with the user activity.
+
+If you've configured forensic evidence to capture all security-related user activity, regardless of whether they're included in a forensic evidence policy, to review these captures:
+
+1. Select **Insider risk management** > **Overview**.
+2. At the bottom of the **Overview** screen, under **Investigate user activity**, select **Manage reports**.
+3. Select a specific user, and then select the **Forensic evidence** tab.
+4. Refer to the instructions above.
## Device health report (preview)
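Review bot: The tab is named **Forensics evidence** in the new "Viewing captured clips" text (`select the **Forensics evidence** tab`) but **Forensic evidence** in the new "Alerts dashboard" and "User activity reports" sections and in the navigation paths in this file; use one label, matching the UI. In the same hunk, the Cases bullet says clips "are alerts that have been escalated to cases" where it presumably means clips from such alerts. `Under **Delete a user's** data` has the bold span ending before "data", and the final step "Refer to the instructions above" should name or link the "To view a captured clip" steps.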
-After devices are configured to support forensic evidence, you can review the Microsoft Purview Client health status for all devices in your organization by navigating to **Insider risk management** > **Forensic evidence (preview)** > **Device health**.
+After devices are configured to support forensic evidence, you can review the Microsoft Purview Client health status for all devices in your organization by navigating to **Insider risk management** > **Forensic evidence** > **Device health**.
![Insider risk management forensic evidence device health.](../media/insider-risk-forensic-evidence-device-health.png)
-For a list of minimum device and configuration requirements, see [Learn about forensic evidence (preview)](insider-risk-management-forensic-evidence.md#device-and-configuration-requirements). To onboard supported devices, complete the steps outlined in the [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview) article.
+For a list of minimum device and configuration requirements, see [Learn about forensic evidence](insider-risk-management-forensic-evidence.md#device-and-configuration-requirements). To onboard supported devices, complete the steps outlined in the [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview) article.
The Device health report allows you to view the status and health of all devices that have the forensic evidence agent installed. Each report widget on the report displays information for last 24 hours.
The device health status gives you insights into potential issues with your devi
| Encoder initialization failed. | Error | Reinstall the client on this device. | Contact Microsoft Support if the recommended actions don't resolve issues with the client.+
+## Capacity and billing
+
+When forensic evidence is configured, you can opt in to purchase the forensic evidence add-on for Insider Risk Management for your captured clips. The add-on is available for organizations with any of the following licenses: Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 Insider Risk Management.
+
+You can purchase the add-on in units of 100 GB per month. The purchased capacity is metered based on forensic evidence ingested at the tenant level for users included in forensic evidence policies. 100 GB is roughly equal to around 1,100 hours of forensic evidence captures per tenant, at a video resolution of 1080p. You can [download the capacity calculator](https://aka.ms/ForensicEvidenceCapacityCalculator) to help estimate the number of GBs needed per month.
+
+Each add-on license is valid for one month (30 days) from the date of purchase. You can purchase multiple licenses at the same time, but each forensic evidence add-on license is valid for just one month from the date of purchase. The unused capacity is forfeited when the license expires.
+
+The 100 GB is calculated based on the volume of forensic evidence ingested from endpoints. Once the forensic evidence is ingested, it will be retained for 120 days. You can export forensic evidence if needed after the 120-day retention period.
+
+### Payment plans
+
+There are two payment plans available when purchasing the add-on through the Microsoft 365 admin center:
+
+- **Pay yearly (available in all channels).** The annual commitment option allows you to buy the number of licenses you specify each month for 12 months. ItΓÇÖs suitable for customers who want to ensure they have capacity available each month to ingest forensic evidence without interruption. This payment plan will automatically replenish the number of licenses purchased each month. The license is still valid for one month from the date of purchase, and the unused capacity will be forfeited when the license expires. Customers can choose to be billed one time or split the bill into 12 monthly payments.
+- **Pay monthly (only available in web direct).** If you don't want to make an annual commitment, you can buy the number of licenses needed each month. The license is valid for one month from the date of purchase and the unused capacity will be forfeited when the license expires.
+
+### Can I try the forensic capability before purchasing it?
+
+Each tenant that has a Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 Insider Risk Management license can sign up for a 20-GB trial license to try out the forensic evidence capability.
+
+> [!NOTE]
+> The 20-GB trial license is only available for customers on the legacy commerce platform. 
+
+The 20 GB of capacity available through the trial license doesn't have any time limit and is available until you use up the full 20 GB. If you don't use up the full 20 GB in one year, you can reactivate it. If you purchase a forensic evidence add-on license prior to using the trial capacity, you will be able to use the remaining trial capacity until itΓÇÖs used up before the system starts metering the purchased capacity.
+
+If you use up the 20 GB of trial capacity and don't subsequently purchase the forensic add-on for Insider Risk Management, you'll be able to view any clips that you've already ingested but won't be able to ingest any new clips.
+
+#### Sign up for the 20-GB trial license
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence** > **Capacity and billing**.
+
+ > [!NOTE]
+ > You can also sign up for the trial license from the **Insider risk management** > **Forensic evidence** > **Dashboard** tab.
+
+2. Select **Claim 20 GB of capacity**.
+3. Follow the prompts in the Microsoft 365 admin center.
+
+### Purchase the forensic add-on for Insider Risk Management
+
+1. Go to **Microsoft 365 admin center** > **Marketplace** > **All products**.
+2. Search for "forensic evidence".
+
+### Analyze your capacity
+
+After purchasing capacity (or signing up for the 20-GB trial license), you can use the **Capacity** page to analyze how much capacity that you have used and the amount of capacity remaining. You can also analyze the amount of capacity you're using each month by selecting from the **Capacity usage in GB** list or by selecting **View all capacity usage**.
+
+![Insider risk management forensic evidence Capacity page.](../media/insider-risk-management-capacity-billing.png)
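Review bot: The retention sentence in "Capacity and billing" says evidence "will be retained for 120 days. You can export forensic evidence if needed after the 120-day retention period", while the IMPORTANT note added earlier in this file says clips "are deleted 120 days after they're captured" and can be exported "before they're deleted". The two read as contradictory; state one rule in both places. The "Purchase the forensic add-on" steps also stop at searching for "forensic evidence" with no step for selecting and buying the product, "roughly equal to around" doubles the hedge, and "ItΓÇÖs" on the pay-yearly and trial-capacity lines looks like a mis-encoded apostrophe to check in the source file.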
compliance Insider Risk Management Forensic Evidence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence.md
Title: Learn about insider risk management forensic evidence (preview)
+ Title: Learn about insider risk management forensic evidence
description: Learn about insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured user activity to help determine whether the user's actions pose a risk and may lead to a security incident. keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance ms.localizationpriority: medium
f1.keywords:
Previously updated : 02/21/2023 Last updated : 03/01/2023 audience: itpro
-# Learn about insider risk management forensic evidence (preview)
+# Learn about insider risk management forensic evidence
+
+> [!IMPORTANT]
+> Forensic evidence is an opt-in add-on feature in Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in. Forensic evidence includes customizable event triggers and built-in user privacy protection controls, enabling security teams to better investigate, understand and respond to potential insider data risks like unauthorized data exfiltration of sensitive data.
+>
+> Organizations set the right policies for themselves, including what risky events are highest priority for capturing forensic evidence and what data is most sensitive. Forensic evidence is off by default, policy creation requires dual authorization and usernames can be masked with pseudonymization (which is on by default for Insider Risk Management). Setting up policies and reviewing security alerts within Insider Risk Management leverages strong role-based access controls (RBAC), ensuring that the designated individuals in the organization are taking the right actions with additional auditing capabilities.
>[!IMPORTANT] >Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
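Review bot: The added `[!IMPORTANT]` callout under the H1 now sits directly above the existing `[!IMPORTANT]` callout, and both state that users are pseudonymized by default and that role-based access controls and auditing apply. Merge the two into one callout or move the new text into body copy. In the first added sentence, "unauthorized data exfiltration of sensitive data" repeats "data"; "unauthorized exfiltration of sensitive data" is enough.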
Having visual context is crucial for security teams during forensic investigatio
## Feature capabilities - **Visual capturing** allows organizations to capture clips of key security-related user activities, allowing for more secure or compliant visibility and meeting organizational needs.
+- **Include or exclude desktop applications and/or websites** to configure a recording policy that focuses on the applications and websites that present the most risk. This preserves storage space and user privacy. For example, exclude personal email and social media accounts.
- **Protected user privacy** through multiple levels of approval for the activation of the capturing feature. - **Customizable triggers and capturing options** mean that security teams can set up forensic evidence to meet their needs, whether it be based on incidents (for example, *Capture 5 min before and 10 min after a user has downloaded 'SecretResearchPlans.docx'*), or based on continuous capturing needs. - **User-centric policy targeting** means that security and compliance teams can focus on activity by user, not device, for better contextual insights. - **Strong role-based access controls (RBAC)** mean that the ability to set up and review forensic clips is tightly controlled and only available to individuals in the organization with the right permissions. - **Deep integration with current insider risk management features**, making for easier onboarding and more familiar workflows for insider risk management administrators and a trusted single-platform approach.
+- **Trial capacity (up to 20 GB)** for captured clips, with quick access to capacity utilization and the ability to purchase additional capacity.
## Device and configuration requirements
The following tables include the supported minimum requirements for utilizing in
| Display | Minimum screen resolution of 1920 x 1080 | > [!IMPORTANT]
-> If the minimum requirements aren't met, users are likely to run into Microsoft Purview client issues and the quality of forensic recordings may not be reliable.
+> If the minimum requirements aren't met, users are likely to run into Microsoft Purview client issues and the quality of forensic captures may not be reliable.
## Capturing options
The following tables include the supported minimum requirements for utilizing in
Depending how your organization decides to configure forensic evidence, there are two capturing options: -- **Specific activities**: This policy option captures activity only when a triggering event has brought an approved user into scope for the forensic evidence policy and when the conditions for a policy indicator are detected for the user. For example, a user approved for forensic evidence capturing is brought in-scope to the forensic evidence policy and the user copies data to personal cloud storage services or portable storage devices. Capturing is scoped only to the configured time frame when the user is copying the data to the personal cloud storage service or portable storage device. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **Alerts** dashboard.-- **All activities**: This policy option captures any activity performed by users. For example, your organization has a time-sensitive need for capturing activities for an approved user that is actively involved in potentially risky activities that may lead to a security incident. Policy indicators may not have reached the threshold for an alert to be generated by the policy and the potentially risky activity may not be documented. Continuous capturing help prevents the potentially risky activity from being missed or going undetected. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
+- **Specific activities**: This policy option captures activity only when a triggering event has brought an approved user into scope for the forensic evidence policy and when the conditions for a policy indicator are detected for the user. For example, a user approved for forensic evidence capturing is brought in-scope to the forensic evidence policy and the user copies data to personal cloud storage services or portable storage devices. Capturing is scoped only to the configured time frame when the user is copying the data to the personal cloud storage service or portable storage device. Captures for this option will be available for review on the **Forensic evidence** tab on the **Alerts** dashboard.
+- **All activities**: This policy option captures any activity performed by users. For example, your organization has a time-sensitive need for capturing activities for an approved user that is actively involved in potentially risky activities that may lead to a security incident. Policy indicators may not have reached the threshold for an alert to be generated by the policy and the potentially risky activity may not be documented. Continuous capturing help prevents the potentially risky activity from being missed or going undetected. Captures for this option will be available for review on the **Forensic evidence** tab on the **User activity reports (preview)** dashboard.
>[!IMPORTANT] >Forensic evidence clips are deleted 120 days after they're captured or at the end of the preview period, whichever is sooner. You can download or transfer forensic evidence clips before they're deleted.
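Review bot: The unchanged callout below the two rewritten bullets still says clips are deleted "at the end of the preview period", which conflicts with this commit dropping "(preview)" from the article title and from the **Forensic evidence** tab name; state the retention rule that applies now. The **All activities** bullet also carries over "Continuous capturing help prevents", which should be "Continuous capturing helps prevent", and it still names the dashboard "User activity reports (preview)", so confirm that label is intended.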
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
Employment stressor events can impact user behavior in several ways that relate
- [Data leaks by risky users (preview)](insider-risk-management-policy-templates.md#data-leaks-by-risky-users-preview) - [Security policy violations by risky users (preview)](insider-risk-management-policy-templates.md#security-policy-violations-by-risky-users-preview)
-### Visual context for potentially risky user activities with forensic evidence (preview)
+### Visual context for potentially risky user activities with forensic evidence
Having visual context is crucial for security teams during forensic investigations to get better insights into potentially risky user activities that may lead to a security incident. This may include visual capturing of these activities to help evaluate if they are indeed risky or taken out of context and not potentially risky. For activities that are determined to be risky, having forensic evidence captures can help investigators and your organization better mitigate, understand, and respond to these activities. To help with this scenario, [enable forensic evidence capturing](insider-risk-management-forensic-evidence.md) for online and offline devices in your organization.
compliance Sensitivity Labels Meetings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-meetings.md
audience: Admin Previously updated : 12/03/2022 Last updated : 03/01/2023 ms.localizationpriority: high
description: "Configure sensitivity labels to protect calendar items, and Teams
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).* > [!NOTE]
-> For this scenario, Outlook calendar events remain in preview and subject to change.
+> For this scenario, Outlook calendar events remain in preview for Windows, and rolling out in general availability for macOS.
> > You won't be able to configure all the options referenced on this page if a [Teams Premium license](/MicrosoftTeams/enhanced-teams-experience) isn't found for your tenant. For those settings, you'll see an information bar in the Microsoft Purview compliance portal that your organization doesn't have this license.
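Review bot: The new note sentence is not parallel: "remain in preview for Windows, and rolling out in general availability for macOS" has no finite verb in its second half. Suggest "Outlook calendar events remain in preview for Windows and are rolling out in general availability for macOS."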
Example showing a Teams meeting invite that has the label **Highly confidential*
To apply a sensitivity label to meeting invites and appointments using Outlook, users must use Outlook on the web from a desktop computer, or use built-in labeling from Microsoft 365 Apps for enterprise: - **Outlook for Windows**: Rolling out to Current Channel (Preview)-- **Outlook for Mac**: Rolling out to Current Channel (Preview)
+- **Outlook for Mac**: Rolling out to version 16.70+
The AIP add-in for Outlook doesn't support applying labels to meeting invites.
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
f1.keywords:
Previously updated : 02/22/2023 Last updated : 03/01/2023 audience: Admin
To use the Office built-in labeling client with Office on the web for documents
When you label a document or email, the label is stored as metadata that includes your tenant and a label GUID. When a labeled document or email is opened by an Office app that supports sensitivity labels, this metadata is read and only if the user belongs to the same tenant, the label displays in their app. For example, for built-in labeling for Word, PowerPoint, and Excel, the label name displays on the status bar.
-This means that if you share documents with another organization that uses different label names, each organization can apply and see their own label applied to the document. However, the following elements from an applied label are visible to users outside your organization:
+This implementation means that if you share documents with another organization that uses different label names, each organization can apply and see their own label applied to the document.
+
+The same is true for email (and labeled calendar events) sent by Outlook. However, email clients other than Outlook might not retain the label metadata in the email headers. For example, users replying or forwarding from another organization that doesn't use Outlook will likely result in the original email label no longer visible to the original organization because the label metadata hasn't been retained. If that label applied encryption, the encryption persists to protect the contents.
+
+The following elements from an applied label are visible to users outside your organization:
- Content markings. When a label applies a header, footer, or watermark, these are added directly to the content and remain visible until somebody modifies or deletes them. -- The name and description of the underlying protection template from a label that applied encryption. This information displays in a message bar at the top of the document, to provide information about who is authorized to open the document, and their usage rights for that document.
+- The name and description of the underlying protection template from a label that applied encryption. This information displays in a message bar at the top of the content, to provide information about who is authorized to view the content, and their usage rights for that content.
### Sharing encrypted documents with external users
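Review bot: In the added email paragraph, "users replying or forwarding from another organization that doesn't use Outlook will likely result in the original email label no longer visible" is ungrammatical and makes the users, rather than the reply, the thing that "results in" the loss. Suggest "a reply or forward from an organization that doesn't use Outlook will likely arrive without the label metadata, so the label is no longer visible to the original organization." Because the next sentence says encryption persists, it would help to say explicitly that only the label display is lost and not the protection.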
compliance Sensitivity Labels Versions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-versions.md
Previously updated : 02/27/2023 Last updated : 03/01/2023 audience: Admin
The numbers listed are the minimum Office application versions required for each
|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Current Channel: 2107+ <br /><br> Monthly Enterprise Channel: 2107+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ | 2.58+ | 16.0.14931+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[PDF support](sensitivity-labels-office-apps.md#pdf-support)| Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2209+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | Under review | Under review | Under review | Under review | |[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) | Preview: [Current Channel (Preview)](https://office.com/insider) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review |
-|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |
+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |
## Sensitivity label capabilities in Outlook
The numbers listed are the minimum Office application versions required for each
|--|-:|-||-|-| |[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)| Preview: [Current Channel (Preview)](https://office.com/insider) | Not relevant | Not relevant | Not relevant| Not relevant | |Manually apply, change, or remove label <br /> - [Files and emails](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> | Under review | Under review | Yes |
+|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Rolling out: 16.70+ <sup>\*</sup> | Under review | Under review | Yes |
|[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
The numbers listed are the minimum Office application versions required for each
|[PDF support](sensitivity-labels-office-apps.md#pdf-support) | Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review | Under review | Under review | Under review | |[Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) | Current Channel: 2211+ <br /><br> Monthly Enterprise Channel: 2211+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | 16.61+ <sup>\*</sup> | 4.2226+ | 4.2203+ | Under review | |[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |
-|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |
+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |
**Footnotes:**
compliance Sit Common Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-common-scenarios.md
audience: Admin Previously updated : 12/30/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
Contoso Bank needs to classify the credit card numbers that they issue as sensit
1. Create a copy of the credit card SIT. Use the steps to [copy and modify a sensitive information type](create-a-custom-sensitive-information-type.md#copy-and-modify-a-sensitive-information-type) to copy the credit card SIT. 1. Edit the high confidence pattern. Follow the steps in [edit or delete the sensitive information type pattern](sit-get-started-exact-data-match-create-rule-package.md#edit-or-delete-the-sensitive-information-type-pattern).
-1. Add 'starts with' check and add the list of bin digit (formatted & unformatted). For example to ensure that only credit cards starting with 411111 & 433512 should be considered valid, add the following to the list 4111 11, 4111-11, 411111, 4335 12, 4335-12, 433512.
+1. Add 'starts with' check and add the list of bin digit (formatted & unformatted). For example to ensure that the SIT only considers credit cards starting with 411111 & 433512 should be considered valid, add the following to the list 4111 11, 4111-11, 411111, 4335 12, 4335-12, 433512.
1. Repeat step 2 & 3 for the low confidence pattern. ## Test numbers similar to Social Security numbers
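Review bot: The rewritten step 3 keeps the tail of the old sentence: "to ensure that the SIT only considers credit cards starting with 411111 & 433512 should be considered valid" has two verbs for one subject. Drop "should be considered valid". In the same step, "list of bin digit" should be "list of BIN digits", and "For example" needs a comma after it.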
Contoso has identified a few nine-digit test numbers that trigger false positive
1. Create a copy of the SSN SIT. Use the steps to [copy and modify a sensitive information type](create-a-custom-sensitive-information-type.md#copy-and-modify-a-sensitive-information-type) to copy the SSN SIT. 1. Edit the high confidence pattern. Follow the steps in [edit or delete the sensitive information type pattern](sit-get-started-exact-data-match-create-rule-package.md#edit-or-delete-the-sensitive-information-type-pattern).
-1. Add the numbers to be excluded in the 'exclude specific values' additional check. For example, to exclude 239-23-532 & 23923532, just adding 23923532 will suffice
+1. Add the numbers you want to exclude in the 'exclude specific values' additional check. For example, to exclude 239-23-532 & 23923532, just adding 23923532 is sufficient.
1. Repeat step 2 & 3 for other confidence patterns as well ## Phone numbers in signature trigger match
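Review bot: The example in step 3 uses "239-23-532" and "23923532", which have eight digits, while this section is about nine-digit test numbers that resemble Social Security numbers; use a nine-digit value in both the formatted and unformatted form so the example matches the scenario. The step that follows, "Repeat step 2 & 3 for other confidence patterns as well", is also missing its closing period.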
Add a 'not' group in supporting elements using a keyword list containing commonl
## Unable to trigger ABA routing policy
-DLP policy is unable to trigger ABA routing number policy in large excel files because the required keyword isn't found within 300 characters.
+DLP policy is unable to trigger ABA routing number policy in large excel files because the required keyword isn't within 300 characters.
**Suggested solution**
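Review bot: After the edit, "the required keyword isn't within 300 characters" no longer says within 300 characters of what; name the reference point, presumably the detected routing number. In the same sentence "excel" should be capitalized as "Excel", and "DLP policy is unable to trigger ABA routing number policy" would read more clearly as "The ABA routing number policy doesn't trigger".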
Create a copy of the built-in SIT and edit it to change the proximity of the key
## Unable to detect credit card numbers with unusual delimiters
-Contoso Bank has noticed some of their employees share Credit card numbers with ΓÇÿ/ΓÇÖ as a delimiter, for example 4111/1111/1111/1111, which isn't detected by the out of the box credit card definition. Contoso would like to define their own regex and validate it using LuhnCheck.
+Contoso Bank has noticed some of their employees share credit card numbers with ΓÇÿ/ΓÇÖ as a delimiter, for example 4111/1111/1111/1111, which the out-of-the-box credit card definition doesn't detect. Contoso would like to define their own regex and validate it using LuhnCheck.
**Suggested solution**
Contoso Bank has noticed some of their employees share Credit card numbers with
## Ignore a disclaimer notice
-Many organizations add legal disclaimers, disclosure statements, signatures, or other information to the top or bottom of email messages that enter or leave their organizations and in some cases even within the organizations. The employees themselves put signatures including ΓÇô motivational quotes, social messages, and so on. A disclaimer or signature can contain the terms that are present in the lexicon of a CC and and may generate a lot of false positives.
+Many organizations add legal disclaimers, disclosure statements, signatures, etc., or other information to the top or bottom of email messages that enter or leave their organizations. In some cases, emails sent within an organization itself can contain such text. For example, employees may add signatures with motivational quotes, social messages, and so on. A disclaimer or signature can contain the terms that are present in the lexicon of a CC and may generate many false positives.
-For example, a typical disclaimer might contain words like sensitive, or confidential and a policy looking for sensitive info will detect it as an incident, leading to lot of false positives. Thus providing customers with an option to ignore disclaimer can reduce false positives and increase the efficiency of compliance team.
+For example, a typical disclaimer might contain words like *sensitive*, or *confidential* and a policy looking for sensitive info will detect it as an incident, leading to lot of false positives. Thus providing customers with an option to ignore disclaimers can reduce the number of false positives and increase the efficiency of the compliance team.
### Example of disclaimer
Consider the following disclaimer:
IMPORTANT NOTICE: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Contoso may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system.
-If the SIT has been configured to detect a keyword confidential, then the pattern will invoke a match every time a disclaimer is used in the email, leading to a lot of false positives.
+If the SIT is configured to detect *confidential* as a keyword, the pattern will invoke a match every time an email includes the disclaimer, leading to considerable number of false positives.
### Ignore disclaimer using prefix and suffix in SIT
-One way to ignore the instances of keywords in the disclaimer is by excluding the instances of keywords which are preceded by a prefix and followed by a suffix.
+One way to ignore the instances of keywords in the disclaimer is by excluding the instances of keywords that are preceded by a prefix and followed by a suffix.
Consider this disclaimer: IMPORTANT NOTICE: This e-mail message is intended to be received only by persons *entitled to receive the* confidential **information it may contain**. E-mail messages to clients of Contoso may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system.
-We have two instances of the keyword ΓÇ£confidentialΓÇ¥ and if we configure the SIT to ignore instances of this keyword preceded by prefixes (italicized in the example) and followed by suffixes (bolded in the example), then we can achieve ignoring disclaimers in most of the cases.
+Say we have two instances of the keyword *confidential*. If we configure the SIT to ignore instances of this keyword that are preceded by prefixes (italicized in the example) and followed by suffixes (bolded in the example), then we can successfully ignore disclaimers in most cases.
To ignore the disclaimer using prefix and suffix:
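Review bot: In the first paragraph under "Ignore a disclaimer notice", "signatures, etc., or other information" stacks two catch-alls; drop "etc.,". The same paragraph keeps "the lexicon of a CC", an abbreviation that is not expanded anywhere in the visible text, so spell it out. Two added lines are also missing an article: "leading to lot of false positives" and "leading to considerable number of false positives".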
To ignore the disclaimer using prefix and suffix:
### Ignore disclaimer by excluding secondary elements
-Another way to add a list of supporting elements (instances in disclaimer) which needs to be excluded is to exclude secondary elements.
+Another way to add a list of supporting elements (instances in disclaimer) that need to be excluded is to exclude secondary elements.
Consider this disclaimer:
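Review bot: The rewritten opening sentence is circular: "Another way to add a list of supporting elements ... that need to be excluded is to exclude secondary elements" explains exclusion by exclusion. Suggest "Another way to ignore the disclaimer is to add its keyword instances as supporting elements in an exclusion group."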
We have two instances of the keyword ΓÇ£confidentialΓÇ¥ in this example. If we c
To ignore the disclaimer using secondary elements: 1. Select **Not any of these** group in the supporting elements.
-1. Add the instances of disclaimer which we want to ignore as a keyword list/dictionary.
-1. Add the keywords as a new line which we want to ignore. Remember that the length of each text can't be more than 50 characters.
+1. Add the instances of disclaimer that we want to ignore as a keyword list/dictionary.
+1. Add the keywords as a new line that we want to ignore. Remember that the length of each text can't be more than 50 characters.
1. Set the proximity of this element to be within 50-60 characters of the primary element.
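Review bot: In the second added step, "Add the keywords as a new line that we want to ignore" attaches "that we want to ignore" to "new line" rather than to the keywords; suggest "Add each keyword that we want to ignore on a new line." The first added step would also read better as "Add the instances of the disclaimer that we want to ignore as a keyword list/dictionary."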
compliance Sit Create Edm Sit Classic Ux Workflow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-create-edm-sit-classic-ux-workflow.md
audience: Admin Previously updated : 09/14/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
# Create exact data match sensitive information type workflow classic experience
-Creating and making an exact data match (EDM) based sensitive information type (SIT) available is a multi-phase process. They can be used in Microsoft Purview data loss prevention policies, auto-labeling, eDiscovery and certain content governance tasks. This article outlines the workflow and links to the procedures for each phase using the classic experience.
+Creating and making an exact data match (EDM)-based sensitive information type (SIT) available is a multi-phase process. These SITs can be used in Microsoft Purview data loss prevention policies, auto-labeling, eDiscovery, and certain content governance tasks. This article outlines the workflow and links to the procedures for each phase using the classic experience.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
compliance Sit Create Edm Sit Unified Ux Sample File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-create-edm-sit-unified-ux-sample-file.md
audience: Admin Previously updated : 06/14/2022 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
compliance Sit Create Edm Sit Unified Ux Schema Rule Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-create-edm-sit-unified-ux-schema-rule-package.md
audience: Admin Previously updated : 09/14/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
Make sure you have completed the steps in these articles before you start the pr
1. [Export source data for exact data match based sensitive information type](sit-get-started-exact-data-match-export-data.md) 1. [Create EDM SIT sample file for the new experience](sit-create-edm-sit-unified-ux-sample-file.md)
-If you are not familiar with EDM based SITS or their implementation, it is essential that you familiarize yourself with the concepts in:
+If you are not familiar with EDM based SITS or their implementation, it is essential that you familiarize yourself with the concepts in these topics:
- [Learn about sensitive information types](sensitive-information-type-learn-about.md#learn-about-sensitive-information-types) - [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types)
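Review bot: The added sentence writes "EDM based SITS"; the plural of the abbreviation is "SITs" and the compound modifier should be hyphenated as "EDM-based". Since the line is being touched anyway, fix both here.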
If you are not familiar with EDM based SITS or their implementation, it is essen
> The system will suggest a mapping between an existing SIT and your primary element. You should review the [existing SITs](sensitive-information-type-entity-definitions.md) to get an idea of which ones will meet your needs. Make sure the existing SIT will detect exactly the strings you want to select, and not include any surrounding characters or exclude any valid part of the string as stored in your sensitive information table. > [!NOTE]
-> All data are retained as you navigate forward and backward through the UI. Backward navigation (selecting **Back**) only supports moving from top level page to top level page and sub page to sub page. You can't backward navigate from top level page to the preceding sub page or from a sub page to a preceding top level page.
+> All data are retained as you navigate forward and backward through the UI. Backward navigation (selecting **Back**) only supports moving from top level page to top level page and sub page to sub page. You can't backward navigate from a top-level page to the preceding sub page or from a sub page to a preceding top level page.
1. In the Microsoft Purview compliance portal for your tenant go to **Data classification** > **Exact data matches**.
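Review bot: The note now mixes "top-level page" and "top level page" because only one of the four occurrences was hyphenated; hyphenate all of them so the sentence is consistent. "sub page" should be given the same treatment in whichever form the style guide prefers.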
If you are not familiar with EDM based SITS or their implementation, it is essen
1. Name the SIT and add a description. The name that the system generates for the schema will be the SIT name you enter here concatenated with *schema*. It will be displayed at the end of the flow. Select **Next**.
-1. Select the method you want to use to define your schema, either **Upload a file containing sample data**, or **Manually define your data structure**. We recommend the upload sample data file option and the rest of this procedure assumes you have chosen to upload your sample file. Select **Next**.
+1. Select the method you want to use to define your schema, either **Upload a file containing sample data**, or **Manually define your data structure**. We recommend the upload sample data file option. The rest of this procedure assumes you have chosen to upload your sample file. Select **Next**.
> [!NOTE] > No matter which option you select, you'll be using the information in the sample file you created in [Create EDM SIT sample file for the new experience](sit-create-edm-sit-unified-ux-sample-file.md).
If you are not familiar with EDM based SITS or their implementation, it is essen
8. Select your primary elements based on the recommendations presented. Look at the values in the **Match validation** column for guidance and choose **Next**. > [!TIP]
-> - Select primary elements whose values make that row unique in the table. For example, don't pick fields like *FirstName* or *DateOfBirth* as there will most likely be many duplications of first names or dates of birth in your actual sensitive data file. Instead pick things like *Social Security Number* and *BankAccountNumber* whose value will be unique in your table and therefore make the row unique in the table.
-> - You must pick one primary element but no more than ten primary elements. If you have a multi-token corroborative data field, you should map that to a base SIT as well. The more you can pick that have values that are unique in your actual sensitive data table, the better the accuracy of your EDM SIT will be. It will also improve performance and avoid timeouts caused by process overloading.
+> - Select primary elements whose values make that row unique in the table. For example, don't pick fields like *FirstName* or *DateOfBirth* as there will most likely be many duplications of first names or dates of birth in your actual sensitive data file. Instead pick things like *Social Security Number* and *BankAccountNumber* whose values will be unique in your table and therefore make the row unique in the table.
+> - You must pick one primary element but no more than ten primary elements. If you have a multi-token corroborative data field, you should map that to a base SIT as well. The more data fields you select that have values that are unique in your actual sensitive data table, the more accurate your EDM SIT will be. It will also improve performance and avoid timeouts caused by process overloading.
> - Select a sensitive information type that closely matches the format of the content you want to find. Selecting a SIT that matches unnecessary content, like one that matches all text strings, or all numbers can cause excessive load in the system which could result in sensitive information being missed.
-9. On the **Configure settings for data fields** you can tell set how EDM treats case and which delimiters to ignore. You can set this for the values for all elements values or specify the settings for each element individually. Choose **Next**.
+9. On the **Configure settings for data fields**, you can set how EDM treats case and which delimiters to ignore. You can set this for the values for all elements' values or specify the settings for each element individually. Choose **Next**.
> [!IMPORTANT]
-If you selected the Ignored Delimiters option for the primary element column in your schema, make sure the SIT you map to will match data with and without the selected delimiters.
+> If you selected the Ignored Delimiters option for the primary element column in your schema, make sure the SIT you map to will match data with and without the selected delimiters.
-10. EDM will automatically generate one detection rule for each of the primary elements you identified. EDM will create a high confidence rule and a medium confidence rule. High confidence rules have more requirements that must be met than medium rules. Likewise, medium confidence rules have more requirements than low confidence rules should you choose to create a low confidence rule. You can review and edit those rules on the **Configure detection rules for primary elements** page. Choose **Submit**.
+10. EDM will automatically generate one detection rule for each of the primary elements you identified. EDM will create a high confidence rule and a medium confidence rule. High confidence rules have more requirements that must be met than medium rules. Likewise, medium confidence rules have more requirements than low confidence rules, should you choose to create a low confidence rule. You can review and edit those rules on the **Configure detection rules for primary elements** page. Choose **Submit**.
> [!TIP] > All elements that are not selected as primary elements can still be used as corroborative or supporting evidence. The more supporting elements found that are in a defined proximity to primary elements, the higher the confidence that the item is a true positive. > [!NOTE]
-When you select **Submit**, EDM will create the schema and rule package. The name of the schema can be found on the final page of the creation flow.
+> When you select **Submit**, EDM will create the schema and rule package. The name of the schema can be found on the final page of the creation flow.
## Next step
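Review bot: in the rewritten step 9, "You can set this for the values for all elements' values" repeats "values" and is hard to parse, and "On the **Configure settings for data fields**" is missing its noun. Suggest "On the **Configure settings for data fields** page, ..." followed by "You can apply these settings to all elements or specify them for each element individually."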
compliance Sit Create Edm Sit Unified Ux Workflow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-create-edm-sit-unified-ux-workflow.md
audience: Admin Previously updated : 09/14/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
# Create exact data match sensitive information type workflow new experience
-Creating and making an exact data match (EDM) based sensitive information type (SIT) available is a multi-phase process. They can be used in Microsoft Purview data loss prevention policies, eDiscovery and certain content governance tasks This article outlines the workflow and links to the procedures for each of the phases
+Creating and making an exact data match (EDM) based sensitive information type (SIT) available is a multi-phase process. They can be used in Microsoft Purview data loss prevention policies, eDiscovery and certain content governance tasks. This article outlines the workflow and links to the procedures for each of the phases
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
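Review bot: the added paragraph gains the period after "content governance tasks" but still ends without one ("for each of the phases"). "They can be used" also has no plural antecedent, because the preceding sentence talks about a single SIT and a process; "EDM SITs can be used in ..." would fix that.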
compliance Sit Custom Sit Filters https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-custom-sit-filters.md
description: "This article presents a list of the filters that can be encoded in
# Custom sensitive information type filters reference
-In Microsoft you can define filters or other checks while creating a custom sensitive information types (SIT).
+In Microsoft Purview, you can define filters or other checks while creating a custom sensitive information type (SIT).
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
In Microsoft you can define filters or other checks while creating a custom sens
### AllDigitsSame Exclude
-Description: Allows you to exclude matches that have all digits as duplicate digits, like 111111111 or 111-111-111
+Description: Allows you to exclude matches that have all digits as duplicate digits, such as 111111111 or 111-111-111
-Defining filters
+Defining filters:
```xml <Filters id="ssn_filters"> <Filter type="AllDigitsSameFilter"></Filter> </Filters> ```
-Using it in rule package at the entity level
+Using it in rule package at the entity level:
```xml <Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85" filters="ssn_filters"> <Pattern confidenceLevel="85">
Using it in rule package at the entity level
</Entity> ```
-Using it in rule package at the pattern level
+Using it in rule package at the pattern level:
```xml <Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85"> <Pattern confidenceLevel="85" filters="ssn_filters">
Using it in rule package at the pattern level
### TextMatchFilter StartsWith
-Description: Allows you to define the starting characters for the entity. It has two variants, include and exclude.
+Description: Allows you to define the starting characters for the entity. It has two variants, *exclude* and *include*.
-For example to exclude the numbers starting with 0500, 91, 091, 010 in a list like this:
+For example, to *exclude* the numbers starting with 0500, 91, 091, 010 in a list like this:
- 0500-4500-027 - 91564721450
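Review bot: the *exclude* sentence lists the prefixes as "0500, 91, 091, 010", while the parallel *include* sentence further down lists "0500, 91, 091, 0100" and the sample list contains 0100-7892-3012. If both examples are meant to use the same prefixes, correct "010" to "0100" here; if the difference is intentional, say so, because the two examples are otherwise presented as mirror images.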
For example to exclude the numbers starting with 0500, 91, 091, 010 in a list li
- 1000-3265-9874 - 0100-7892-3012
-You can use the following xml
+you can use the following XML:
```xml <Filters id="phone_number_filters_exc">
You can use the following xml
</Group> </Keyword> ```
-For example, to include the numbers starting with 0500, 91, 091, 0100 in a list like this:
+Similarly, to *include* the numbers starting with 0500, 91, 091, 0100 in a list like this:
- 0500-4500-027 - 91564721450
For example, to include the numbers starting with 0500, 91, 091, 0100 in a list
- 1000-3265-9874 - 0100-7892-3012
-You can use the following xml
+you can use the following XML:
```xml <Filters id="phone_filters_inc">
You can use the following xml
</Filter> ```
-### TextMatchFilter EndsWith
+### TextMatchFilter EndsWith
-Description: Allows you to define the ending characters for the entity.
+Description: Allows you to define the ending characters for the entity.
-For example, to exclude the numbers ending with 0500,91,091, 0100 in a list like this:
+For example, to *exclude* the numbers ending with 0500,91,091, 0100 in a list like this:
- 1234567891 - 1234-5678-0091 - 1234.4567.7091 - 1234-8091-4564
-You can use the following xml
+you can use the following XML:
```xml <Filters id="phone_number_filters_exc">
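Review bot: in the added *exclude* sentence the suffix list is spaced unevenly ("0500,91,091, 0100"), while the *include* sentence in the same section writes "0500, 91, 091, 0100". Normalize the spacing while this line is being touched. The heading and description lines changed directly above it appear to differ only in whitespace, which is worth confirming as intended.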
You can use the following xml
</Keyword> ```
-For example, to include the numbers ending with 0500, 91, 091, 0100, in a list like this:
+For example, to *include* the numbers ending with 0500, 91, 091, 0100, in a list like this:
- 1234567891 - 1234-5678-0091 - 1234.4567.7091 - 1234-8091-4564
-You can use the following xml
+You can use the following XML:
```xml <Filters id="phone_filters_inc">
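Review bot: the added "You can use the following XML:" is capitalized, but it completes the sentence that starts at "For example, to *include* the numbers ending with ...", and every other section in this change lowercases it ("you can use the following XML:"). Lowercase it here too. The lead-in also keeps a stray comma in "0100, in a list like this:".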
You can use the following xml
### TextMatchFilter Full
-Description: Allows you to prohibit certain matches to prevent them from triggering the rule. For example, exclude 4111111111111111 from the list of valid credit card matches.
+Description: Allows you to prohibit certain matches to prevent them from triggering the rule, such as excluding 4111111111111111 from the list of valid credit card matches.
-For example, to exclude credit card numbers like 4111111111111111 and 3241891031113111 in a list like this:
+For example, to *exclude* credit card numbers like 4111111111111111 and 3241891031113111 in a list like this:
- 4485 3647 3952 7352 - 4111111111111111 - 3241891031113111
-You can use the following xml
+you can use the following XML:
```xml <Filters id="cc_number_filters_exc">
You can use the following xml
</Keyword> ```
-For example, to include credit card numbers like 4111111111111111 and 3241891031113111 in a list like this:
+Likewise, to *include* credit card numbers like 4111111111111111 and 3241891031113111 in a list like this:
- 4485 3647 3952 7352 - 4111111111111111 - 3241891031113111
-You can use the following xml
+you can use the following XML:
```xml <Filters id="cc_filters_inc">
You can use the following xml
### TextMatchFilter Prefix
-Description: Allows you to define the preceding characters that should be always included or excluded. For example, if Credit card number is preceded by ΓÇÿOrder ID:ΓÇÖ then remove the match from the valid matches.
+Description: Allows you to define the preceding characters that should be always excluded or included. For example, if **Credit card number** is preceded by ΓÇÿOrder ID:ΓÇÖ, then remove the match from the valid matches.
For example, to exclude occurrences of phone numbers that have **Phone number** and **call me at** strings before the phone number, in a list like this:
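Review bot: the new description bolds **Credit card number**, but the parallel sentence in the TextMatchFilter Suffix description leaves "Credit card number" plain. Pick one treatment for both descriptions. The unchanged lead-in that follows also keeps "to exclude" without the italics this change adds to *exclude* and *include* in the other sections.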
For example, to exclude occurrences of phone numbers that have **Phone number**
- Phone 45-124576532-123 - 45-124576532-123
-You can use the following xml
+you can use the following XML:
```xml <Filters id="cc_number_filters_exc">
You can use the following xml
</Keyword> ```
-For example, to include occurrences that have **credit card** and **card #** strings before the credit card number, in a list like this:
+Similarly, to include occurrences that have **credit card** and **card #** strings before the credit card number, in a list like this:
- Credit card 45-124576532-123 - 45-124576532-123 (which could be phone number)
-You can use the following xml
+you can use the following XML:
```xml <Filters id="cc_filters_inc">
You can use the following xml
### TextMatchFilter Suffix
-Description: Allows you to define the following characters that should be always included or excluded. For example, if Credit card number is followed by ΓÇÿ/xuidΓÇÖ then remove the match from the valid matches.
+Description: Allows you to define the following characters that should be always excluded or included. For example, if Credit card number is followed by ΓÇÿ/xuidΓÇÖ then remove the match from the valid matches.
For example, top exclude occurrences if there are five more instances of four digits as suffix in a list like this: - 1234-5678-9321 4500 9870 6321 48925566 - 1234-5678-9321
-You can use the following xml
+you can use the following XML:
```xml <Filters id="cc_number_filters_exc">
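Review bot: the unchanged sentence between the two edits still reads "For example, top exclude occurrences", and it now sits directly above a line rewritten to continue it ("you can use the following XML:"). Fix "top" to "to" in the same change, and consider moving the sample values out of that sentence into a list so the lowercase continuation follows a list as it does in the other sections.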
You can use the following xml
<Regexid="Regex_false_positives_suffix">(\d{4}){5,}</Regex> ```
-For example, to exclude occurrences if they are followed by **/xuidsuffix**, like one in this list:
+You can also exclude occurrences if they are followed by **/xuidsuffix**, like the one in this list:
- 1234-5678-9321 /xuid - 1234-5678-9321
-You can use this xml
+you can use this XML:
```xml <Filters id="cc_number_filters_exc">
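Review bot: rewording the lead-in to "You can also exclude occurrences if they are followed by **/xuidsuffix**, like the one in this list:" makes it a complete sentence, so the lowercased "you can use this XML:" after the list no longer continues anything. Either keep the "to exclude ..., you can use" construction or capitalize the second line. The bolded string "/xuidsuffix" also does not match the sample, which shows "/xuid".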
You can use this xml
</Keyword> ```
-For example, to include an occurrence only if it is followed by **cvv** or **expires**, like two in this list:
+Similarly, to include an occurrence only if it is followed by **cvv** or **expires**, such as the two in this list:
- 45-124576532-123 - 45-124576532-123 cvv 966 - 45-124576532-123 expires 03/23
-You can use this xml
+you can use this XML:
```xml <Filters id="cc_filters_inc">
You can use this xml
## Using filters in rule packages
-Filters can be defined on the entire SIT or on a pattern. Here are some code snippets examples.
+Filters can be defined on the entire SIT or on a pattern. Here are some examples.
-### At sensitive information type level
+### At the sensitive information type level
Filters at Entity - will cover all child patterns
-The filters will be applied on **all** the instances classified by any of the patterns in that entity / sensitive type
+The filters will be applied to **all** the instances classified by any of the patterns in that entity / sensitive information type.
```xml <Entity id="6443b88f-2808-482a-8e1a-3ae5026645e1" patternsProximity="300" recommendedConfidence="85" filters="CompositeFiltersAtEntityLevel">
The filters will be applied on **all** the instances classified by any of the pa
Filters only at the pattern level.
-The filter will be applied on the instances matched by the pattern.
+The filter will be applied to only the instances matched by the pattern.
```xml <Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
The filter will be applied on the instances matched by the pattern.
```
-### At sensitive information type level and an additional filter on some of the patterns of that entity
+### At the sensitive information type level with an additional filter on some of the patterns of that entity
Filters at Entity + pattern
-The filters will be applied on **all** the instances classified by any of the patterns in that entity / sensitive type. The pattern level filter will filter the instances matched by that pattern.
+The filters will be applied to **all** the instances classified by any of the patterns in that entity / sensitive information type. The pattern level filter will filter the instances matched by that pattern.
```xml <Entity id="6443b88f-2808-482a-8e1a-3ae5026645e1" patternsProximity="300" recommendedConfidence="85" filters="CompositeFiltersAtEntityLevel">
The filters will be applied on **all** the instances classified by any of the pa
<IdMatch idRef="Regex_denmark_id" /> </Pattern> </Entity>
-```
-
-
+```
## More information
compliance Sit Edm Notifications Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-edm-notifications-activities.md
audience: Admin Previously updated : 01/28/2021 Last updated : 03/01/2023 ms.localizationpriority: high - tier1
When you [create custom sensitive information types with exact data match (EDM)]
- `UploadDataCompleted` > [!NOTE]
- The ability to create notifications for EDM activities is available for the World Wide and GCC clouds only.
+> The ability to create notifications for EDM activities is available for the World Wide and GCC clouds only.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
-## Pre-requisites
+## Prerequisites
-The account you use must be one of the following:
+The account you have one of the following roles:
-- A global admin
+- Global administrator
- Compliance administrator - Exchange Online administrator
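Review bot: "The account you have one of the following roles:" is not a sentence; the rewrite dropped the verb along with "must be". Suggest "The account you use must have one of the following roles:".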
compliance Sit Functions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-functions.md
f1.keywords:
Previously updated : 09/17/2019 Last updated : 03/01/2023 audience: Admin
description: Learn what the sensitive information type functions look for.
# Sensitive information type functions
-Sensitive information types (SIT) can use functions as primary elements to identify sensitive items. For example, the Credit Card Number sensitive information type uses the Func_credit_card function to detect credit card number.
+Sensitive information types (SIT) can use functions as primary elements for identifying sensitive items. For example, the Credit Card Number SIT uses the Func_credit_card function to detect credit card number.
-This article explains what these functions look for, to help you understand how the predefined sensitive information types work. For more information, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
+This article explains what these functions look for, so you can better understand how the predefined sensitive information types work. For more information, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
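Review bot: "uses the Func_credit_card function to detect credit card number" still needs a plural ("credit card numbers"), and the second changed paragraph ends at the link with no closing period. Both lines are already being edited, so fix them here. "Sensitive information types (SIT)" also pairs a plural term with a singular abbreviation; "(SITs)" would match.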
compliance Sit Get Started Exact Data Match Based Sits Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-based-sits-overview.md
audience: Admin Previously updated : 09/14/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
- [New experience](sit-create-edm-sit-unified-ux-workflow.md) - [Classic experience](sit-create-edm-sit-classic-ux-workflow.md)
-Creating and making an exact data match (EDM) based sensitive information type (SIT) available is a multi-phase process. You can use the *new experience* the existing *classic experience* or PowerShell. This article helps you understand the differences between the new and classic experiences and helps you pick the right one for your needs.
+Creating and making an exact data match (EDM) based sensitive information type (SIT) available is a multi-phase process. You can use the *new experience* the existing *classic experience* or via PowerShell. This article helps you understand the differences between the two experiences and helps you pick the right one for your needs.
EDM SITs can be used in:
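Review bot: the list in "You can use the *new experience* the existing *classic experience* or via PowerShell" has no commas, and the added "via" breaks the parallel structure. Suggest "You can use the *new experience*, the existing *classic experience*, or PowerShell."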
The new EDM experience combines the functionality of the EDM schema and EDM sens
### Simplified workflow
-With the new experience, the schema and SIT are created via one user experience. This means fewer clicks, better guidance on mapping primary elements to default SITs and default confidence levels for the rules.
+With the new experience, the schema and SIT are created via one user experience. This means there are fewer clicks, better guidance on mapping primary elements to default SITs, and default confidence levels for the rules.
When you need to see the status of an EDM SIT in the creation process, the new experience reports on this in the UI.
In the new experience you can provide a sample data file that has the same heade
> [!IMPORTANT] > Be sure to use sample data values that aren't sensitive, but are in the same format as your actual sensitive data. Using non-sensitive data is essential because the sample data file doesn't get encrypted and hashed when you upload it like the actual sensitive information table does. The data from the sample data file is not retained or accessible once the EDM SIT is created.
-The system generates the EDM SIT detection rules, one for each primary field. Based on detection of the primary fields the system creates high and medium confidence rules using all the other fields as corroborative evidence. You can add low confidence rules if you want.
+The system generates the EDM SIT detection rules, one for each primary field. Based on detection of the primary fields, the system creates high and medium confidence rules using all the other fields as corroborative evidence. You can add low confidence rules if you want.
### Additional guardrails to ensure better performance
-<!--As the Azure-based EDM cloud service leverages a shared infrastructure, a misconfigured EDM SIT that triggers excessive EDM lookups could impact EDM performance for other customers if it wasn't controlled. This is prevented by throttling instances where EDM is misconfigured in a way that would cause excessive lookups.-->
-
-The system warns you if it finds a primary field mapped to a SIT that detects a broad range of values, called a *loosely defined SIT*. This can cause the system to perform lookups on large numbers of strings that aren't related to the kind of content that you're looking for. Mapping between these types of SITs and primary fields can result in false negatives and decrease performance.
+The system warns you if it finds a primary field mapped to a SIT that detects a broad range of values, called a *loosely-defined SIT*. This can cause the system to perform lookups on large numbers of strings that aren't related to the kind of content that you're looking for. Mapping between these types of SITs and primary fields can result in false negatives and decrease performance.
> [!NOTE]
-> A *loosely defined SIT*, like a custom one that looks for all personal identification numbers, has detection rules that allow for greater variability in the items detected. A *strongly defined SIT*, like U.S. Social Security Number, has detection rules that only allow a narrow, well defined set of items to be detected.
+> A *loosely-defined SIT*, such as a custom SIT that looks for all personal identification numbers, has detection rules that allow for greater variability in the items detected. A *strongly-defined SIT*, such as a U.S. Social Security Number, has detection rules that only allow a narrow, well-defined set of items to be detected.
-The system will also warn you if the values in the primary field you select occurs multiple times in a large number of rows. This can cause large numbers of result sets to be returned and processed, which could cause a time out. Time outs can result in missed detections and poor performance.
+The system will also warn you if the values in the primary field you select occur multiple times in a large number of rows. This can cause large numbers of result sets to be returned and processed, which could cause a time out. Time outs can result in missed detections and poor performance.
## Choosing the right EDM SIT creation experience for you
-You can toggle back and forth between the new and classic experiences, but we recommend using the new experience unless your needs fall into one or more of these four use cases.
+You can toggle back and forth between the new and classic experiences, but we recommend using the new experience unless your needs fall into one or more of these four use cases, as described below.
+
+To choose the best method of creating EDM SITs for your needs:
1. Read through this section 1. Choose the experience that you want to use
-1. Select the link for the [Next step](#next-steps) for the experience you want.
+1. Select the link for the [next step](#next-steps) for the experience you want.
### You want to map multiple EDM SITS to the same schema
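Review bot: the new hyphens in "loosely-defined SIT" and "strongly-defined SIT" should be dropped; compounds that begin with an adverb ending in -ly are written open, as the old text had them, whereas "well-defined" is correctly hyphenated. In the same note, "such as a U.S. Social Security Number" now reads as a number rather than as the name of the SIT, so drop the added "a". Further down, "these four use cases, as described below" says the same thing twice.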
compliance Sit Get Started Exact Data Match Create Rule Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-create-rule-package.md
audience: Admin Previously updated : 09/14/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
Perform the steps in these articles:
3. [Hash and upload the sensitive information source table for exact data match sensitive information types](sit-get-started-exact-data-match-hash-upload.md#hash-and-upload-the-sensitive-information-source-table-for-exact-data-match-sensitive-information-types) - Whether you will be creating an EDM sensitive information type using the wizard or the rule package XML file via PowerShell, you must have Global admin or Compliance admin permissions to create, test, and deploy a custom sensitive information type through the UI. See [About admin roles in Office 365](/office365/admin/add-users/about-admin-roles).-- Identify one of the built in SITs to use as the Primary elements sensitive information type.
+- Identify one of the built-in SITs to use as the Primary elements sensitive information type.
- If none of the built-in sensitive info types will match the data in the column you selected you will have to create a custom sensitive info type that does. - If you selected the Ignored Delimiters option for the primary element column in your schema, make sure the custom SIT you create will match data with and without the selected delimiters.
- - If you use a built in SIT, make sure it will detect exactly the strings you want to select, and not include any surrounding characters or exclude any valid part of the string as stored in your sensitive information table.
+ - If you use a built-in SIT, make sure it will detect exactly the strings you want to select, and not include any surrounding characters or exclude any valid part of the string as stored in your sensitive information table.
See [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md#sensitive-information-type-entity-definitions) and [Create custom sensitive information types in Compliance center](create-a-custom-sensitive-information-type.md).
compliance Sit Get Started Exact Data Match Export Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-export-data.md
audience: Admin Previously updated : 09/15/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
compliance Sit Get Started Exact Data Match Hash Upload https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-hash-upload.md
audience: Admin Previously updated : 09/14/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
In this phase, you:
2. Set up the EDM Upload Agent tool. 3. Use the EDM Upload Agent tool to hash, with a salt value, the sensitive information source table, and upload it.
-The hashing and uploading can be done using one computer or you can separate the hashing step from the upload step for greater security.
+The hashing and uploading can be done using one computer or you can separate the hash step from the upload step for greater security.
-If you want to hash and upload from one computer, you need to do it from a computer that can directly connect to your Microsoft 365 tenant. This requires that your clear text sensitive information source table file is on that computer for hashing.
+If you want to hash and upload from one computer, you need to do it from a computer that can directly connect to your Microsoft 365 tenant. This requires that your clear-text sensitive information source table file is on that computer for hashing.
-If you don't want to expose your clear-text sensitive information source table file on the direct access computer, you can hash it on a computer in a secure location. Then you can copy the hash file and the salt file to a computer that can directly connect to your Microsoft 365 tenant for upload. In the separated hash and upload scenario, you need the EDMUploadAgent on both computers.
+If you don't want to expose your clear-text sensitive information source table file on the direct access computer, you can hash it on a computer that's in a secure location. Then, you can copy the hash file and the salt file to a computer that can connect directly to your Microsoft 365 tenant for upload. In the separated hash and upload scenario, you'll need the EDMUploadAgent on both computers.
> [!IMPORTANT] > If you used the Exact Data Match schema and sensitive information type wizard to create your schema file, you ***must*** download the schema for this procedure if you haven't already done so. See, [Export of the EDM schema file in XML format](sit-get-started-exact-data-match-create-schema.md#export-of-the-edm-schema-file-in-xml-format). > [!NOTE]
-> If your organization has set up [Customer Key for Microsoft 365 at the tenant level](customer-key-overview.md), Exact data match will make use of its encryption functionality automatically. This is available only to E5 licensed tenants in the Commercial cloud.
+> If your organization has set up [Customer Key for Microsoft 365 at the tenant level](customer-key-overview.md), an exact data match will use the encryption functionality automatically. This is available only to E5 licensed tenants in the Commercial cloud.
### Best practices
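Review bot: "an exact data match will use the encryption functionality automatically" changes the subject of the note from the feature to a single match. The old text referred to the Exact data match feature making use of Customer Key's encryption; suggest "exact data match (EDM) automatically uses its encryption functionality".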
If the tool indicates a mismatch in number of columns, it might be due to the pr
**If you find single quote characters or commas inside a value**: for example the person's name *Tom O'Neil* or the city *'s-Gravenhage*, which starts with an apostrophe character, you need to modify the data export process used to generate the sensitive information table and surround such columns with double quotes.
-**If double quote characters are found inside values**, it might be preferable to use the Tab-delimited format for the table that is less susceptible to such issues.
+**If double quote characters are found inside values**, it might be preferable to use the Tab-delimited format for the table, which is less susceptible to such issues.
### Prerequisites - a work or school account for Microsoft 365 to add to the **EDM\_DataUploaders** security group - a Windows 10, Windows Server 2016 with .NET version 4.6.2, or a Windows Server 2019 machine<!--4.7.2 un comment this around 9/29--> for running the EDMUploadAgent-- a directory on your upload machine for the:
+- a directory on your upload machine for the following:
- [EDM Upload Agent](#links-to-edm-upload-agent-by-subscription-type) - your sensitive item file in .csv, .tsv or pipe (|) format, **PatientRecords.csv** in our examples - the output hash and salt files created in this procedure - the datastore name from the **edm.xml** file, for this example its `PatientRecords` > [!IMPORTANT]
-Install the [EDM Upload Agent](#links-to-edm-upload-agent-by-subscription-type) in a custom folder so you don't need administrator permissions. If you install it into the default (*Program Files*), administrator permissions are required.
+> Install the [EDM Upload Agent](#links-to-edm-upload-agent-by-subscription-type) in a custom folder so you don't need administrator permissions. If you install it into the default (*Program Files*), administrator permissions are required.
#### Set up the security group and user account
This computer must have direct access to your Microsoft 365 tenant.
> > You can upload data with the EDMUploadAgent to any given data store only twice per day.
-3. Authorize the EDM Upload Agent, open Command Prompt window as an administrator, switch to the **C:\EDM\Data** directory and then run the following command:
+3. Authorize the EDM Upload Agent, open Command Prompt window as an administrator, switch to the **C:\EDM\Data** directory, and then run the following command:
`EdmUploadAgent.exe /Authorize`
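Review bot: Step 3 tells the reader to open the Command Prompt window as an administrator, which conflicts with the prerequisites callout in this same article, where installing the agent in a custom folder is recommended precisely "so you don't need administrator permissions". Since the step runs from **C:\EDM\Data**, say explicitly whether elevation is required for `/Authorize`, and if it isn't, drop "as an administrator" so the upload account isn't run elevated by habit. The same wording recurs in step 3 of the second procedure.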
This computer must have direct access to your Microsoft 365 tenant.
If your sensitive information table has some incorrectly formatted values, but you still want to import the remaining data while ignoring invalid rows, you can use the */AllowedBadLinesPercentage* parameter in the command. The example above specifies a five percent threshold. This means that the tool hashes and uploads the sensitive information table, even if up to five percent of the rows are invalid.
- This command automatically adds a randomly generated salt value to the hash for greater security. Optionally, if you want to use your own salt value, add the **/Salt \<saltvalue\>** to the command. This value must be 64 characters in length and can only contain the a-z characters and 0-9 characters.
+ This command automatically adds a randomly-generated salt value to the hash for greater security. Optionally, if you want to use your own salt value, add the **/Salt \<saltvalue\>** to the command. This value must be 64 characters in length and can only contain the a-z characters and 0-9 characters.
6. Check the upload status by running this command:
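Review bot: "randomly-generated" on the added line is a regression: compounds formed with an -ly adverb aren't hyphenated, and the date validator text in this same batch writes "randomly generated numbers". Revert to "randomly generated salt value". While this sentence is open, "can only contain the a-z characters and 0-9 characters" would be clearer as "can contain only lowercase letters a-z and digits 0-9", so that nobody supplies an uppercase or mixed-case salt and finds out at upload time.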
OPTIONAL: If you used the Exact Data Match schema and sensitive information type
EdmUploadAgent.exe /SaveSchema /DataStoreName <schema name> /OutputDir <path to output folder> ````
-1. On the computer in the secure environment, run the following command in Command Prompt windows:
+1. On the computer in the secure environment, run the following command in a Command Prompt window:
```dos EdmUploadAgent.exe /CreateHash /DataFile [data file] /HashLocation [hash file location] /Schema [Schema file] /AllowedBadLinesPercentage [value]
EdmUploadAgent.exe /SaveSchema /DataStoreName <schema name> /OutputDir <path to
2. Copy these files in a secure fashion to the computer you use to upload your sensitive information source table file (PatientRecords) to your tenant.
-3. Authorize the EDM Upload Agent, open Command Prompt window as an administrator, switch to the **C:\EDM\Data** directory and then run the following command:
+3. Authorize the EDM Upload Agent, open Command Prompt window as an administrator, switch to the **C:\EDM\Data** directory, and then run the following command:
```dos EdmUploadAgent.exe /Authorize
EdmUploadAgent.exe /SaveSchema /DataStoreName <schema name> /OutputDir <path to
EdmUploadAgent.exe /UploadHash /DataStoreName PatientRecords /HashFile C:\\Edm\\Hash\\**PatientRecords.EdmHash** ```
-6. To verify that your sensitive data has been uploaded, run the following command in Command Prompt window:
+6. To verify that your sensitive data has been uploaded, run the following command in a Command Prompt window:
```dos EdmUploadAgent.exe /GetDataStore
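Review bot: The `/UploadHash` command in the context line just before step 6 sits in a dos code fence but still contains Markdown escapes: the path is written `C:\\Edm\\Hash\\**PatientRecords.EdmHash**`, so the doubled backslashes and the bold asterisks render literally and end up in a copied command. Since this change already touches the neighbouring step, correct the path to C:\Edm\Hash\PatientRecords.EdmHash in the same pass.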
EdmUploadAgent.exe /SaveSchema /DataStoreName <schema name> /OutputDir <path to
You see a list of data stores and when they were last updated.
-7. If you want to see all the data uploads to a particular store, run the following command in a Windows command prompt to see a list of all the data stores and when they were updated:
+7. If you want to see all the data uploads to a particular store, run the following command in a Command Prompt window to see a list of all the data stores and when they were updated:
```dos EdmUploadAgent.exe /GetSession /DataStoreName <DataStoreName>
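Review bot: The rewritten step 7 still contradicts itself: it opens with "all the data uploads to a particular store" but ends with "to see a list of all the data stores and when they were updated", which is the description of `/GetDataStore` in step 6. For `/GetSession /DataStoreName <DataStoreName>` the tail of the sentence should describe the uploads to that one store, or be dropped.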
compliance Sit Regex Validators Additional Checks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-regex-validators-additional-checks.md
audience: Admin Previously updated : 02/14/2022 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
# Sensitive information type REGEX validators and additional check > [!IMPORTANT]
-> Microsoft Customer Service & Support can't assist with creating custom classifications or regular expression patterns. Support engineers can provide limited support for the feature, such as, providing sample regular expression patterns for testing purposes, or assisting with troubleshooting an existing regular expression pattern that's not triggering as expected, but can't provide assurances that any custom content-matching development will fulfill your requirements or obligations.
+> Microsoft Customer Service & Support can't assist with creating custom classifications or regular expression patterns. Support engineers can provide limited support for the feature, such as providing sample regular expression patterns for testing the feature, or assisting with troubleshooting an existing regular expression pattern that's not triggering as expected. However, support engineers can't assure you that any custom content-matching development fulfills your requirements or obligations.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
### Checksum validator
-If you need to run a checksum on a digit in a regular expression, you can use the *checksum validator*. For example, say you need to create a SIT for an eight digit license number where the last digit is a checksum digit that is validated using a mod 9 calculation. You've set up the checksum algorithm like this:
+To run a checksum on a digit in a regular expression, you can use the *checksum validator*. For example, if you need to create a SIT for an eight-digit license number where the last digit is a checksum digit validated using a mod 9 calculation, set up the checksum algorithm like this:
```console Sum = digit 1 * Weight 1 + digit 2 * weight 2 + digit 3 * weight 3 + digit 4 * weight 4 + digit 5 * weight 5 + digit 6 * weight 6 + digit 7 * weight 7 + digit 8 * weight 8
If Mod value != digit 8
\d{8} ```
-2. Then add the checksum validator.
+2. Add the checksum validator.
-3. Add the weight values separated by commas, the position of the check digit and the Mod value. For more information on the Modulo operation, see [Modulo operation](https://en.wikipedia.org/wiki/Modulo_operation).
+3. Add the weight values separated by commas, the position of the check digit, and the mod value. For more information on the Modulo operation, see [Modulo operation](https://en.wikipedia.org/wiki/Modulo_operation).
> [!NOTE]
- > If the check digit is not part of the checksum calculation then use 0 as the weight for the check digit. For example, in the above case weight 8 will be equal to 0 if the check digit is not to be used for calculating the check digit.
+ > If the check digit isn't part of the checksum calculation, use 0 as the weight for the check digit. For example, in the previous case, weight 8 will be equal to 0 if the check digit won't be used for calculating the check digit.
:::image type="content" alt-text="screenshot of configured checksum validator." source="../media/checksum-validator.png" lightbox="../media/checksum-validator.png"::: ### Date validator
-If a date value that is embedded in regular expression is part of a new pattern you are creating, you can use the *date validator* to test that it meets your criteria. For example, say you want to create a SIT for a nine digit employee identification number. The first six digits are the date of hire in DDMMYY format and the last three are randomly generated numbers. To validate that the first six digits are in the correct format.
+If a date value that's embedded in a regular expression is part of a new pattern you're creating, you can use the *date validator* to test whether that date value meets your criteria. For example, you want to create a SIT for a nine-digit employee identification number. The first six digits are the date of hire in DDMMYY format and the last three are randomly generated numbers. Take the following steps to validate that the first six digits are in the correct format:
1. Define the primary element with this regular expression:
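Review bot: In the added note under step 3 of the checksum validator, "weight 8 will be equal to 0 if the check digit won't be used for calculating the check digit" is circular; the second "check digit" should be "checksum", matching the first sentence of the note. The formula block compares the mod value against "digit 8", so step 3 would also benefit from saying that the check digit position is 8 in this example. Separately, the new date validator intro "For example, you want to create a SIT" reads better as "For example, suppose you want to create a SIT".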
If a date value that is embedded in regular expression is part of a new pattern
\d{9} ```
-2. Then add the date validator.
+2. Add the date validator.
3. Select the date format and the start offset. Since the date string is the first six digits, the offset is `0`.
If a date value that is embedded in regular expression is part of a new pattern
### Functional processors as validators
-You can use function processors for some of the most commonly used SITs as validators. This allows you to define your own regular expression while ensuring they pass the additional checks required by the SIT. For example, Func_India_Aadhar will ensure that the custom regular expression defined by you passes the validation logic required for Indian Aadhar card. For more information on DLP functions that can be used as validators, see [Sensitive information type functions](sit-functions.md).
+You can use function processors for some of the most commonly used SITs as validators. Using function processors allows you to define your own regular expressions while ensuring that they pass the additional checks required by the SIT. For example, Func_India_Aadhar ensures that the custom regular expression you defined passes the validation logic required for the Indian Aadhar card. For more information on the DLP functions that you can use as validators, see [Sensitive information type functions](sit-functions.md).
### Luhn check validator
-You can use the Luhn check validator if you have a custom Sensitive information type that includes a regular expression which should pass the [Luhn algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm).
+You can use the Luhn check validator if you have a custom sensitive information type that includes a regular expression, which should pass the [Luhn algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm).
## Sensitive information type additional checks Here are the definitions and some examples for the available additional checks.
-**Exclude specific matches**: This check lets you define keywords to exclude when detecting matches for the pattern you are editing. For example, you might exclude test credit card numbers like '4111111111111111' so that they're not matched as a valid number.
+**Exclude specific matches**: This check lets you define keywords to exclude when detecting matches for the pattern you're editing. For example, you might exclude test credit card numbers like '4111111111111111' so that they're not matched as a valid number.
**Starts or doesn't start with characters**: This check lets you define the characters that the matched items must or must not start with. For example, if you want the pattern to detect only credit card numbers that start with 41, 42, or 43, select **Starts with** and add 41, 42, and 43 to the list, separated by commas.
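Review bot: The comma added before "which" in the Luhn check validator sentence changes the meaning: "a regular expression, which should pass the Luhn algorithm" now reads as a remark about regular expressions in general instead of restricting the case to patterns that need the check. Use a restrictive clause, for example "a regular expression whose matches must pass the Luhn algorithm". In the functional processors paragraph, `Func_India_Aadhar` is an identifier and should be in code formatting.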
Here are the definitions and some examples for the available additional checks.
**Exclude duplicate characters**: This check lets you ignore matches in which all the digits are the same. For example, if the six digit employee ID number cannot have all the digits be the same, you can select **Exclude duplicate characters** to exclude 111111, 222222, 333333, 444444, 555555, 666666, 777777, 888888, 999999, and 000000 from the list of valid matches for the employee ID.
-**Include or exclude prefixes**: This check lets you define the keywords that must or must not be found immediately before the matching entity. Depending on your selection, entities will be matched or not matched if they're preceded by the prefixes you include here. For example, if you **Exclude** the prefix **GUID:**, any entity that's preceded by **GUID:** won't be considered a match.
+**Include or exclude prefixes**: This check lets you define the keywords that must or must not be found immediately before the matching entity. Depending on your selection, entities will be matched or not matched if they're preceded by the prefixes you include here. For example, if you **Exclude** the prefix **GUID:**, any entity that's preceded by **GUID:** won't match.
-**Include or exclude suffixes** This check lets you define the keywords that must or must not be found immediately after the matching entity. Depending on your selection, entities will be matched or not matched if they're followed by the suffixes you include here. For example, if you **Exclude** the suffix **:GUID**, any text that's followed by **:GUID** won't be matched.
+**Include or exclude suffixes** This check lets you define the keywords that must or must not be found immediately after the matching entity. Depending on your selection, entities will match or not match if they're followed by the suffixes you include here. For example, if you **Exclude** the suffix **:GUID**, any text that's followed by **:GUID** won't match.
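Review bot: The added "Include or exclude suffixes" line is missing the colon after the bold label that every sibling check has (compare "**Include or exclude prefixes**:"). The two entries also diverge after this edit: the prefixes line keeps "entities will be matched or not matched" while the suffixes line now says "entities will match or not match", and the suffixes example says "any text" where the prefixes example says "any entity". Pick one wording and apply it to both.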
compliance Sit Remove A Custom Sensitive Information Type In Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-remove-a-custom-sensitive-information-type-in-powershell.md
description: "Learn how to remove a custom sensitive information type using Powe
In Security & Compliance PowerShell, there are two methods to remove custom sensitive information types: -- **Remove individual custom sensitive information types**: Use the method documented in [Modify a custom sensitive information type using PowerShell](sit-modify-a-custom-sensitive-information-type-in-powershell.md#modify-a-custom-sensitive-information-type-using-powershell). You export the custom rule package that contains the custom sensitive information type, remove the sensitive information type from the XML file, and import the updated XML file back into the existing custom rule package.
+- **Remove individual custom sensitive information types**: Use the method documented in [Modify a custom sensitive information type using PowerShell](sit-modify-a-custom-sensitive-information-type-in-powershell.md#modify-a-custom-sensitive-information-type-using-powershell). Export the custom rule package containing the custom sensitive information type. Remove the sensitive information type from the XML file, and then import the updated XML file back into the existing custom rule package.
- **Remove a custom rule package and all custom sensitive information types that it contains**: This method is documented in this section.
In Security & Compliance PowerShell, there are two methods to remove custom sens
Get-DlpSensitiveInformationType ```
- For custom sensitive information types, the Publisher property value will be something other than Microsoft Corporation.
+ For custom sensitive information types, the Publisher property value will be something other than "Microsoft Corporation".
- Replace \<Name\> with the Name value of the sensitive information type (for example, Employee ID) and run the [Get-DlpSensitiveInformationType](/powershell/module/exchange/get-dlpsensitiveinformationtype) cmdlet to verify the sensitive information type is no longer listed:
compliance Sit Use Exact Data Manage Schema https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-use-exact-data-manage-schema.md
audience: Admin Previously updated : 09/14/2021 Last updated : 03/01/2023 ms.localizationpriority: medium - tier1
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 02/28/2023 Last updated : 03/01/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## March 2023
+
+### Insider risk management
+
+- **Forensic Evidence GA**: With the GA release of Forensic Evidence, you can now:
+ - [Specify websites or desktop apps to include or exclude when you create a policy](insider-risk-management-forensic-evidence-configure.md#step-4-create-a-policy)
+ - [View and explore a list of captured clips and filter the list to find just the information you need](insider-risk-management-forensic-evidence-manage.md#viewing-captured-clips)
+ - [Purchase/analyze capacity for captured clips and/or sign up for 20 GB of trial capacity](insider-risk-management-forensic-evidence-manage.md#capacity-and-billing)
+
+### Sensitivity labels
+
+- **General availability (GA)**: Outlook for Mac is now rolling out in general availability for [protected meetings](sensitivity-labels-meetings.md).
+ ## February 2023 ### Audit
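Review bot: The two new March 2023 entries label the same release state differently: "**Forensic Evidence GA**" under Insider risk management versus "**General availability (GA)**:" under Sensitivity labels, which is also the form the February entries use. Use the established label and name the feature in the sentence. The third Forensic Evidence bullet, "Purchase/analyze capacity for captured clips and/or sign up for 20 GB of trial capacity", should be rewritten with plain verbs instead of slashes.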
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Insider risk management - **In preview**: New [Adaptive Protection guidance](/microsoft-365/compliance/insider-risk-management-adaptive-protection). Adaptive Protection in Microsoft Purview uses machine learning to identify and mitigate the most critical risks with the most effective [data loss prevention (DLP)](/microsoft-365/compliance/dlp-adaptive-protection-learn) protection controls dynamically, saving security teams valuable time while ensuring better data security.
+- **New sequences**: [Added sequence detection for third-party cloud services and unallowed domains](insider-risk-management-policies.md#sequence-detection-preview)
+- **New cumulative exfiltration button**: [The new cumulative exfiltration button on the user activity chart provides a visual chart of how activity is building over time for a user](insider-risk-management-activities.md#user-activity)
+- **Filter out activity that has already been reviewed**: [Use the Review status filter to filter out any activity that was part of a dismissed or resolved alert](insider-risk-management-activities.md#activity-explorer-1).
+- [Clarification for why user activity data outside the selected calendar control range might be included](insider-risk-management-activities.md#user-activity-reports)
+- [Clarification that scoped admins cannot select the quick setup option for Adaptive Protection](insider-risk-management-adaptive-protection.md#quick-setup)
+ ### On-premises scanner
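Review bot: The "Filter out activity that has already been reviewed" bullet links to `insider-risk-management-activities.md#activity-explorer-1`; a numeric suffix like that is normally an auto-generated anchor for a duplicated heading and silently retargets when headings are added or reordered, so give the target heading a unique anchor and link to that. That bullet is also the only one of the five added lines that ends with a period, and the last one uses "cannot" where the rest of this batch uses contractions.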
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Sensitivity labels -- **General availability (GA)**: Protected meetings by [labeling calendar invites and responses, Teams meetings, and chat](sensitivity-labels-meetings.md). Outlook remains in preview for this scenario.
+- **General availability (GA)**: Protected meetings by [labeling calendar invites and responses, Teams meetings, and chat](sensitivity-labels-meetings.md). Although Outlook for Mac is now rolling out in general availability, Outlook for Windows remains in preview for this scenario.
- **General availability (GA)**: For Windows, built-in labeling supports [organization-wide custom permissions](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions) as a parity feature for the AIP add-in. - **In preview**: [Support for Azure Active Directory administrative units](get-started-with-sensitivity-labels.md#support-for-administrative-units). - **In preview**: Previously available in preview for Word, Excel, and PowerPoint, the [sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) with support for [label colors](sensitivity-labels-office-apps.md#label-colors) is now also in preview for Outlook on Windows.
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- Updates to [conditional settings](/microsoft-365/compliance/communication-compliance-policies#conditional-settings) and the required formatting for multi-value conditions. - New section that outlines [limitations](/microsoft-365/compliance/communication-compliance-channels#channel-limits) for supported channels.
+### Compliance Manager
+- Compliance Manager now has [improvement actions related to Microsoft Priva](/microsoft-365/compliance/compliance-manager-setup#testing-source-for-automated-testing) (**in preview**).
+ ### eDiscovery - Updated with a clarification for searches for [inactive mailboxes](/microsoft-365/compliance/create-and-manage-inactive-mailboxes).
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- Updated *obfuscation* examples for [insider risk management policies](/microsoft-365/compliance/insider-risk-management-policies). - Restructured documentation and moved [policy template guidance](/microsoft-365/compliance/insider-risk-management-policy-templates) into a new article.
+### Microsoft Priva
+
+- Two additional roles are now permitted to start a [Priva trial](/privacy/priva/priva-trial): Compliance Admin and Info Protection Admin.
+- There are new recommended alert settings (**in preview**) in [Privacy Risk Management policies](/privacy/priva/risk-management-policies) that allow users to choose more actionable and relevant alerts to reduce noise and alert fatigue.
+- There are new Compliance Manager improvement actions related to Priva (in preview); see [these instructions](/privacy/priva/priva-overview#microsoft-purview-compliance-manager) for how to access Compliance Manager and how to see the actions.
+- When [creating a subject rights request](/privacy/priva/subject-rights-requests-create), it's now optional to enter the data subject's name. A new flyout pane lets you add more identifiers. A new "Conditions" flyout pane appears during search refinement that lets users set multiple search conditions at once.
+- Update to clarify that a subject rights request will automatically pause at the [data estimate stage](/privacy/priva/subject-rights-requests-data-retrieval) if over 10K items or 100 GB of data are likekly to be retrieved.
+- Updates for [reviewing data and collaborating on subject rights requests](/privacy/priva/subject-rights-requests-data-review):
+ - There are new filtering options when reviewing data, including keywords supporting multiple words and wildcard.
+ - The "Plain text" view in the content review area now highlights all the data subject identifiers provided.
+ - Clarifications that the search function in the annotate view can jump to search results within the view.
+ - Individual collaborators can now be removed from dedicated Teams channel
+ ### Sensitivity labels - **Rolling out in preview**: As a parity feature for the AIP add-in, built-in labeling for Windows supports the configuration of a [default sublabel for a parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label).
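Review bot: "likekly" in the added data estimate bullet is a typo for "likely". The last added sub-bullet, "Individual collaborators can now be removed from dedicated Teams channel", is missing its article and closing period, and the first sub-bullet ends with "wildcard" where "wildcards" is meant. The Compliance Manager bullet writes "(in preview)" unbolded while the alert settings bullet above it bolds the same phrase.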
frontline Shifts Connector Ukg Sso https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/includes/shifts-connector-ukg-sso.md
After UKG enables SSO for your organization, you'll need to configure the connec
1. From the left menu, go to **Administration**, then **Application Setup**. 1. Then, go to **System Configuration** and choose **System Settings**. 1. Select **Global Values**.
-1. In the **global.oAuth.authCode.redirection.uris** field, enter the value: "https://flw.teams.microsoft.com/shifts-web-app/connectorauthenticationdone".
-1. In the **global.oAuthToken.redirection.domain.whiteList** field, enter the value: "flw.teams.microsoft.com".
+1. In the **global.oAuth.authCode.redirection.uris** field, enter the value: "https://aka.ms/shifts/connector/ukgdimensions/auth".
+1. In the **global.oAuthToken.redirection.domain.whiteList** field, enter the value: "aka.ms".
1. Select **Save**.
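Review bot: This change widens the OAuth redirect allow-list from the product host `flw.teams.microsoft.com` to `aka.ms`, a general-purpose short-link domain, and the step gives the admin no reason for it. A redirect allow-list should be as narrow as the flow permits, so state why the short-link host is needed in **global.oAuthToken.redirection.domain.whiteList**, and whether the host that `https://aka.ms/shifts/connector/ukgdimensions/auth` ultimately resolves to has to be listed as well. The previous redirect URI is removed without a migration note; add a line telling tenants that already configured the old values what to change.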
frontline Shifts Connector Wizard Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/includes/shifts-connector-wizard-intro.md
-- Previously updated : 08/04/2022++ Last updated : 03/01/2023 audience: admin
The Shifts connector wizard in the Microsoft 365 admin center enables you to int
The wizard creates a connection to your WFM system and a connection instance, which apply the sync settings and team mappings that you choose. Sync settings determine the schedule information that's synced between your WFM system and Shifts. Team mappings define the sync relationship between your WFM instances and teams in Teams.
-You can create one or more connection instances, each with different sync settings. For example, if your organization has multiple locations with different schedule requirements, create a connection instance with unique sync settings for each location. Keep in mind that a WFM instance can only be mapped to one team at any given time. If a WFM instance is already mapped to a team, it can't be mapped to another team.
+You can create one or more connection instances, each with different sync settings. For example, if your organization has multiple locations with different schedule requirements, create a connection instance with unique sync settings for each location. Keep in mind that a WFM instance should only be mapped once to a Microsoft team at any given time. However, it's possible in the wizard to have different connection instances with the same mappings. This means that you can create connection instances with duplicated mappings.
With your WFM system as the system of record, your frontline workers can efficiently manage their schedules and availability in Shifts on their devices. Frontline managers can continue to use your WFM system to set up schedules.
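Review bot: The replacement text downgrades "can only be mapped to one team" to "should only be mapped once" and then says twice, in consecutive sentences, that the wizard allows duplicated mappings, without telling the reader what to do about it. Merge the last two sentences and state the consequence and the recommendation, for example by linking to the known-issues articles in this batch, which warn that mapping an instance to multiple teams "can result in syncing issues and unexpected behavior".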
frontline Shifts Connector Blue Yonder Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-admin-center-manage.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 2/27/2023 Last updated : 3/01/2023 # Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management (Preview)
You can use the [Shifts connector wizard](shifts-connector-wizard.md) (Preview)
1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then under **Featured collections**, select **Frontline workers**. 2. Select **Connector Management Console**.
- Here, you'll see a list of all the connections and connection instances you've set up through the wizard or PowerShell, along with information about each one.
+ Here, you'll see a list of all the connections and connection instances if you've already set them up through the wizard or PowerShell, along with information about each one.
:::image type="content" source="media/shifts-connector-blue-yonder-manage.png" alt-text="Screenshot of the Connector Management page in the Microsoft 365 admin center, showing a list of connections." lightbox="media/shifts-connector-blue-yonder-manage.png":::
You can use the [Shifts connector wizard](shifts-connector-wizard.md) (Preview)
### Manage your connection instances -- To create a new connection instance, select **Create instance**.-- To make changes to an existing connection instance, choose **Edit** next to the instance name. You'll be taken to the wizard, where you can update the settings and mappings.
+> [!IMPORTANT]
+> Before mapping a Blue Yonder WFM instance to a Microsoft team, check if the team has schedule entities such as shifts or time off. If the team has an existing schedule with schedule entities, [remove the schedule entities from the team](shifts-connector-wizard.md#remove-schedule-entities-from-teams-you-want-to-map) before you map a Blue Yonder WFM instance to it. If you don't remove schedule entities before mapping, you'll see duplicate shifts.
+
+- To create a new connection instance, select **Create instance**. You'll be taken to the wizard, where you can [choose your settings and create mappings](shifts-connector-wizard.md#create-a-connection-instance).
+- To make changes to an existing connection instance, choose **Edit** next to the instance name. You'll be taken to the wizard, where you can [update the settings and mappings](shifts-connector-wizard.md#create-a-connection-instance).
- To view more details about an existing connection instance, select its name. On the details page, you'll see health information, including ongoing errors (if any), and mappings. You can also choose **Edit** to update settings in the wizard or **Back** to return to the Connector Management Console. :::image type="content" source="media/shifts-connector-blue-yonder-manage-details.png" alt-text="Screenshot of the details page for a connection, showing connector health and mappings information." lightbox="media/shifts-connector-blue-yonder-manage-details.png":::
frontline Shifts Connector Blue Yonder Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-known-issues.md
Last updated 10/28/2022
This article lists known issues for the [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder).
-## You can map an instance to more than one team using PowerShell or Microsoft Graph
+## You can map an instance to more than one team using PowerShell or your Microsoft 365 admin center
A Blue Yonder Workforce Management instance should only be mapped to one team at any given time in a connection.
-However, when you use PowerShell or Microsoft Graph to set up a connection, itΓÇÖs possible to map an instance to more than one team. We recommend that you avoid mapping an instance to multiple teams as it can result in syncing issues and unexpected behavior.
+However, when you use PowerShell or Microsoft 365 admin center to set up a connection, itΓÇÖs possible to map an instance to more than one team. We recommend that you avoid mapping an instance to multiple teams as it can result in syncing issues and unexpected behavior.
## Related articles
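Review bot: The new heading says "your Microsoft 365 admin center" but the changed body sentence says "PowerShell or Microsoft 365 admin center" with no article; use "the Microsoft 365 admin center" in both places. The same sentence keeps a typographic apostrophe in "it's" that shows up as stray bytes in this rendering; replace it with a plain ASCII apostrophe while the line is being edited.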
frontline Shifts Connector Ukg Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 2/27/2023 Last updated : 3/01/2023 # Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions (Preview)
You can use the [Shifts connector wizard](shifts-connector-wizard-ukg.md) (Previ
1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then under **Featured collections**, select **Frontline workers**. 2. Select **Connector Management Console**.
- Here, you'll see a list of all the connections and connection instances you've set up through the wizard or PowerShell, along with information about each one.
+ Here, you'll see a list of all the connections and connection instances if you've already set them up through the wizard or PowerShell, along with information about each one.
:::image type="content" source="media/shifts-connector-ukg-manage.png" alt-text="Screenshot of the Connector Management page in the Microsoft 365 admin center, showing a list of connections." lightbox="media/shifts-connector-ukg-manage.png":::
You can use the [Shifts connector wizard](shifts-connector-wizard-ukg.md) (Previ
### Manage your connection instances -- To create a new connection instance, select **Create instance**.-- To make changes to an existing connection instance, choose **Edit** next to the instance name. You'll be taken to the wizard, where you can update the settings and mappings.
+> [!IMPORTANT]
+> Before mapping a UKG Dimensions instance to a Microsoft team, check if the team has schedule entities such as shifts or time off. If the team has an existing schedule with schedule entities, [remove the schedule entities from the team](shifts-connector-wizard-ukg.md#remove-schedule-entities-from-teams-you-want-to-map) before you map a UKG Dimensions instance to it. If you don't remove schedule entities before mapping, you'll see duplicate shifts.
+
+- To create a new connection instance, select **Create instance**. You'll be taken to the wizard, where you can [choose your settings and create mappings](shifts-connector-wizard-ukg.md#create-a-connection-instance).
+- To make changes to an existing connection instance, choose **Edit** next to the instance name. You'll be taken to the wizard, where you can [update the settings and mappings](shifts-connector-wizard-ukg.md#create-a-connection-instance).
- To view more details about an existing connection instance, select its name. On the details page, you'll see health information, including ongoing errors (if any), and mappings. You can also choose **Edit** to update settings in the wizard or **Back** to return to the Connector Management Console. :::image type="content" source="media/shifts-connector-ukg-manage-details.png" alt-text="Screenshot of the details page for a connection, showing connector health and mappings information." lightbox="media/shifts-connector-ukg-manage-details.png":::
frontline Shifts Connector Ukg Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-known-issues.md
Last updated 10/28/2022
This article lists known issues for the [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions).
-## You can map an instance to more than one team using PowerShell or Microsoft Graph
+## You can map an instance to more than one team using PowerShell or your Microsoft 365 admin center
A UKG Dimensions instance should only be mapped to one team at any given time in a connection.
-However, when you use PowerShell or Microsoft Graph to set up a connection, itΓÇÖs possible to map an instance to more than one team. We recommend that you avoid mapping an instance to multiple teams as it can result in syncing issues and unexpected behavior.
+However, when you use PowerShell or Microsoft 365 admin center to set up a connection, itΓÇÖs possible to map an instance to more than one team. We recommend that you avoid mapping an instance to multiple teams as it can result in syncing issues and unexpected behavior.
## Frontline managers can select a time zone for a schedule in Shifts that's different from the time zone that's set in UKG Dimensions
To work around this issue, do one of the following actions:
- Clear cookies and site data for the mykronos.com site in the browser. To learn more, see [Delete cookies in Microsoft Edge](https://support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09) or [Clear, enable, and manage cookies in Chrome](https://support.google.com/chrome/answer/95647). - Use the Teams web app in an InPrivate window in Microsoft Edge or in Incognito mode in Google Chrome.
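Review bot: The new heading and sentence in the "map an instance to more than one team" issue replace "Microsoft Graph" with the admin center instead of adding to it, so the known issue no longer says whether a connection set up through Graph can still map one instance to several teams. If that path still allows it, list all three. The two added lines also differ in wording ("your Microsoft 365 admin center" in the heading, "Microsoft 365 admin center" with no article in the body); "the Microsoft 365 admin center" in both would read consistently.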
+## Availability can only be set for one Microsoft team
+
+When a user in Shifts belongs to multiple teams and one of those teams has availability syncing enabled, they won't be able to set their availability and will receive an error message. A user can therefore only set availability in one team even if they belong to multiple teams within Shifts.
+ ## Related articles - [Shifts connectors](shifts-connectors.md)
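Review bot: The two sentences in the added availability paragraph disagree. The first says a user who belongs to multiple teams, one of which has availability syncing enabled, "won't be able to set their availability" at all; the second concludes that they can set it in one team. State which team accepts availability, where the error appears, and whether there is a workaround, as the time zone issue above does with "To work around this issue".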
frontline Shifts Connector Wizard Ukg https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard-ukg.md
Last updated 2/27/2023
[!INCLUDE [shifts-connector-wizard-intro](includes/shifts-connector-wizard-intro.md)]
+### Terms used in this article
+
+|Term |Definition |
+|--|--|
+|Connection |This is where you configure your UKG Dimensions details by providing your service account name, password, and service URLs. This enables access to all your WFM (workforce management) instances created in your UKG Dimensions WFM system. |
+|Connection instance |This is where you configure: <br> - The synchronization settings that determine how and which schedule information syncs between UKG Dimensions and Shifts <br> - Team mappings to define the relationship between your WFM instances and teams in Microsoft Teams |
+|WFM instance | This term refers to a team within your UKG Dimensions WFM system, which is different than a team in Microsoft Teams. |
+ ## Integrate Shifts with UKG Dimensions The [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) enables you to integrate Shifts with UKG Dimensions to manage your schedules and keep them up to date. In this article, we walk you through how to run the wizard to set up a connection and a connection instance to UKG Dimensions through the connector.
You must be a Microsoft 365 global admin to run the wizard.
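Review bot: The Connection row of the new terms table says the service account name and password enable "access to all your WFM (workforce management) instances", but it does not say what rights that account needs or point to the prerequisites include. Since this is the credential entered in the wizard, link the row to the prerequisite that describes the account. The table also leaves out "schedule entities", a term this same change introduces in the prerequisites and the removal section, and "different than" in the WFM instance row should be "different from".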
### Prerequisites [!INCLUDE [shifts-connector-ukg-prerequisites](includes/shifts-connector-ukg-prerequisites.md)] -- The teams you want to map don't have any schedules. If a team has an existing schedule, [remove the schedule from the team](#remove-schedules-from-teams-you-want-to-map) before you map a UKG Dimensions instance to it. Otherwise, you'll see duplicate shifts.
+- The teams you want to map don't have any schedules. If a team has an existing schedule, [remove the schedule entities from the team](#remove-schedule-entities-from-teams-you-want-to-map) before you map a UKG Dimensions instance to it. Otherwise, you'll see duplicate shifts.
### Configure single sign-on [!INCLUDE [shifts-connector-ukg-sso](includes/shifts-connector-ukg-sso.md)] <a name="remove_schedules"> </a>
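Review bot: The updated prerequisite bullet still opens with "don't have any schedules" and "has an existing schedule" while the action is now "remove the schedule entities", so the condition and the remedy use different terms. Reword the condition to match, for example with "schedule entities such as shifts or time off", which is how the IMPORTANT note added to the connector management article in this same update puts it.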
-## Remove schedules from teams you want to map
+## Remove schedule entities from teams you want to map
> [!NOTE]
-> Complete this step if you're mapping UKG Dimensions instances to existing teams that have schedules. If you're mapping to teams that don't have any schedules or if you've already created new teams to map to, you can skip this step.
+> Complete this step if you're mapping UKG Dimensions instances to existing teams that have schedule entities. If you're mapping to teams that don't have any schedules or if you've already created new teams to map to, you can skip this step.
-Use PowerShell to remove schedules from teams.
+Use PowerShell to remove schedule entities from teams.
1. First, you'll need to install the PowerShell modules and get set up. Follow the steps to [set up your environment](shifts-connector-ukg-powershell-manage.md#set-up-your-environment)
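Review bot: Renaming the heading changes its generated anchor from `#remove-schedules-from-teams-you-want-to-map` to `#remove-schedule-entities-from-teams-you-want-to-map`, while the explicit `<a name="remove_schedules">` above it keeps the old wording. Check for inbound links to the old slug beyond the ones updated in this batch. In the NOTE, only the first sentence was changed; the second still says "teams that don't have any schedules".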
On the Settings page, you choose the information to sync from UKG Dimensions to
1. Enter a name for your connection instance. It can't be longer than 100 characters or have any special characters.
-1. Enter your Microsoft 365 system account. This is the [account that you created as a prerequisite](#before-you-begin) that is a team owner of all the teams you want to map.
-
-<a name="email"> </a>
-
-1. Under **Email notification recipients**, choose who receives email notifications about this connection instance. You can add individual users and groups. The email notifications contain information about setup status and any issues or errors that may occur after the connection instance is set up.
- > [!TIP] > You'll be given the following options for the next group of settings: <br> > **Shifts users will not see provider data**: Data won't sync between UKG Dimensions and Shifts. <br> > **Shifts users can see provider data**: Data syncing is unidirectional from UKG Dimensions to Shifts. <br> > **Shifts users can see and change provider data**: Data syncing is bidirectional between UKG Dimensions and Shifts.
-4. Choose your basic, **Time card**, and **Request** settings from the options listed above.
+2. Choose your basic, **Time card**, and **Request** settings from the options listed above.
+
+3. Then, choose your sync frequency.
+
+4. Enter your Microsoft 365 system account. This is the [account that you created as a prerequisite](#before-you-begin) that is a team owner of all the teams you want to map.
+
+<a name="email"> </a>
-5. Then, choose your sync frequency.
+5. Under **Email notification recipients**, choose who receives email notifications about this connection instance. You can add individual users and groups. The email notifications contain information about setup status and any issues or errors that may occur after the connection instance is set up.
> [!IMPORTANT] > Before you disable a feature by selecting the option **Shifts users will not see provider data**, be aware that:
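Review bot: Step 4 carries over the link `#before-you-begin`, but the prerequisites section visible in this file is headed "### Prerequisites"; confirm that anchor still resolves after the reorder. The `<a name="email">` line now sits between steps 4 and 5 at column zero, outside the list indentation, which can split the numbered list in some renderers. Indenting it under step 4 or moving it above the list keeps the steps in one sequence.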
frontline Shifts Connector Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard.md
Last updated 2/27/2023
[!INCLUDE [shifts-connector-wizard-intro](includes/shifts-connector-wizard-intro.md)]
+### Terms used in this article
+
+|Term |Definition |
+|--|--|
+|Connection |This is where you configure your Blue Yonder WFM details by providing your service account name, password, and service URLs. This enables access to all your WFM (workforce management) instances created in your Blue Yonder WFM system. |
+|Connection instance |This is where you configure: <br> - The synchronization settings that determine how and which schedule information syncs between Blue Yonder WFM and Shifts <br> - Team mappings to define the relationship between your WFM instances and teams in Microsoft Teams |
+|WFM instance | This term refers to a team within your Blue Yonder WFM system, which is different than a team in Microsoft Teams. |
+ ## Integrate Shifts with Blue Yonder Workforce Management The [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) enables you to integrate Shifts with Blue Yonder Workforce Management (Blue Yonder WFM) to manage your schedules and keep them up to date. In this article, we walk you through how to run the wizard to set up a connection and connection instance to Blue Yonder WFM through the connector.
You must be a Microsoft 365 global admin to run the wizard.
<a name="prerequisites"> </a> [!INCLUDE [shifts-connector-prerequisites](includes/shifts-connector-prerequisites.md)] -- The teams you want to map don't have any schedules. If a team has an existing schedule, [remove the schedule from the team](#remove-schedules-from-teams-you-want-to-map) before you map a Blue Yonder WFM instance to it. Otherwise, you'll see duplicate shifts.
+- The teams you want to map don't have any schedules. If a team has an existing schedule, [remove the schedule entities from the team](#remove-schedule-entities-from-teams-you-want-to-map) before you map a Blue Yonder WFM instance to it. Otherwise, you'll see duplicate shifts.
-## Remove schedules from teams you want to map
+## Remove schedule entities from teams you want to map
<a name="remove_schedules"> </a> > [!NOTE]
-> Complete this step if you're mapping Blue Yonder WFM instances to existing teams that have schedules. If you're mapping to teams that don't have any schedules or if you're creating new teams to map to, you can skip this step.
+> Complete this step if you're mapping Blue Yonder WFM instances to existing teams that have schedule entities. If you're mapping to teams that don't have any schedules or if you're creating new teams to map to, you can skip this step.
-Use PowerShell to remove schedules from teams.
+Use PowerShell to remove schedule entities from teams.
1. First, you'll need to install the PowerShell modules and get set up. Follow the steps to [set up your environment](shifts-connector-powershell-manage.md#set-up-your-environment) 1. Run the following command:
frontline Shifts Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connectors.md
Managed Shifts connectors are connectors developed in collaboration with our par
|Connector|Description|Requirements| ||||
-|[Microsoft Teams Shifts connector for Blue Yonder](#microsoft-teams-shifts-connector-for-blue-yonder)|Use this connector to integrate Shifts with Blue Yonder Workforce Management. This connector is hosted and managed by Microsoft.|Prerequisites for setting up a connection: <ul><li>Using the [Shifts connector wizard](shifts-connector-wizard.md#prerequisites) in the Microsoft 365 admin center<br>Before you run the wizard, [remove schedules from existing teams that you want to map](shifts-connector-wizard.md#remove-schedules-from-teams-you-want-to-map).</li><li>Using [PowerShell](shifts-connector-blue-yonder-powershell-setup.md#prerequisites)</li></ul>|
-|[Microsoft Teams Shifts connector for UKG Dimensions](#microsoft-teams-shifts-connector-for-ukg-dimensions)|Use this connector to integrate Shifts with UKG Dimensions. This connector is hosted and managed by Microsoft.|Prerequisites for setting up a connection: <ul><li>Using the [Shifts connector wizard](shifts-connector-wizard-ukg.md#prerequisites) in the Microsoft 365 admin center<br>Before you run the wizard, [remove schedules from existing teams that you want to map](shifts-connector-wizard-ukg.md#remove-schedules-from-teams-you-want-to-map)</li><li>Using [PowerShell](shifts-connector-ukg-powershell-setup.md#prerequisites)</li></ul>|
+|[Microsoft Teams Shifts connector for Blue Yonder](#microsoft-teams-shifts-connector-for-blue-yonder)|Use this connector to integrate Shifts with Blue Yonder Workforce Management. This connector is hosted and managed by Microsoft.|Prerequisites for setting up a connection: <ul><li>Using the [Shifts connector wizard](shifts-connector-wizard.md#prerequisites) in the Microsoft 365 admin center<br>Before you run the wizard, [remove schedules from existing teams that you want to map](shifts-connector-wizard.md#remove-schedule-entities-from-teams-you-want-to-map).</li><li>Using [PowerShell](shifts-connector-blue-yonder-powershell-setup.md#prerequisites)</li></ul>|
+|[Microsoft Teams Shifts connector for UKG Dimensions](#microsoft-teams-shifts-connector-for-ukg-dimensions)|Use this connector to integrate Shifts with UKG Dimensions. This connector is hosted and managed by Microsoft.|Prerequisites for setting up a connection: <ul><li>Using the [Shifts connector wizard](shifts-connector-wizard-ukg.md#prerequisites) in the Microsoft 365 admin center<br>Before you run the wizard, [remove schedules from existing teams that you want to map](shifts-connector-wizard-ukg.md#remove-schedule-entities-from-teams-you-want-to-map)</li><li>Using [PowerShell](shifts-connector-ukg-powershell-setup.md#prerequisites)</li></ul>|
|[Reflexis Shifts connector for Microsoft Teams](#reflexis-shifts-connector-for-microsoft-teams)|Use this connector to integrate Shifts with Reflexis Workforce Management. This connector is hosted and managed by Zebra. |To learn more, go to <https://connect.zebra.com/microsoft-connectors>.| <a name="blue_yonder"> </a>
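Review bot: Both changed rows update the link target to `#remove-schedule-entities-from-teams-you-want-to-map` but keep the link text "remove schedules from existing teams that you want to map", so the text no longer matches the renamed section. Change it to "remove schedule entities from existing teams that you want to map". The Blue Yonder row ends that sentence with a period and the UKG Dimensions row does not; make them match.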
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
- Previously updated : 08/10/2020- <!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--China endpoints version 2023010300-->
-<!--File generated 2023-01-03 08:00:07.4128-->
+<!--China endpoints version 2023030100-->
+<!--File generated 2023-03-01 08:00:07.5376-->
## Exchange Online
ID | Category | ER | Addresses | Ports
9 | Allow<BR>Required | No | `*.partner.microsoftonline-p.cn`<BR>`42.159.4.68/32, 42.159.4.200/32, 42.159.7.156/32, 42.159.132.138/32, 42.159.133.17/32, 42.159.135.78/32, 182.50.87.0/24` | **TCP:** 443, 80 10 | Allow<BR>Required | No | `*.partner.microsoftonline.cn`<BR>`42.159.4.68/32, 42.159.4.200/32, 42.159.7.156/32, 42.159.132.138/32, 42.159.133.17/32, 42.159.135.78/32, 103.9.8.0/22` | **TCP:** 443, 80 11 | Allow<BR>Required | No | `activation.sls.microsoft.com, bjb-odcsm.officeapps.partner.office365.cn, bjb-ols.officeapps.partner.office365.cn, bjb-roaming.officeapps.partner.office365.cn, crl.microsoft.com, odc.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, ols.officeapps.partner.office365.cn, osi-prod-bjb01-odcsm.chinacloudapp.cn, osiprod-scus01-odcsm.cloudapp.net, osi-prod-sha01-odcsm.chinacloudapp.cn, roaming.officeapps.partner.office365.cn, sha-odcsm.officeapps.partner.office365.cn, sha-ols.officeapps.partner.office365.cn, sha-roaming.officeapps.partner.office365.cn`<BR>`40.73.248.0/21, 42.159.4.45/32, 42.159.4.50/32, 42.159.4.225/32, 42.159.7.13/32, 42.159.132.73/32, 42.159.132.74/32, 42.159.132.75/32, 65.52.98.231/32, 65.55.69.140/32, 65.55.227.140/32, 70.37.81.47/32, 168.63.252.62/32` | **TCP:** 443, 80
-13 | Default<BR>Required | No | `*.msauth.cn, *.msauthimages.cn, *.msftauth.cn, *.msftauthimages.cn` | **TCP:** 443, 80
+13 | Default<BR>Required | No | `*.msauth.cn, *.msauthimages.cn, *.msftauth.cn, *.msftauthimages.cn, login.microsoftonline.com` | **TCP:** 443, 80
15 | Default<BR>Required | No | `loki.office365.cn` | **TCP:** 443 16 | Default<BR>Required | No | `*.cdn.office.net, shellprod.msocdn.com` | **TCP:** 443 17 | Allow<BR>Required | No | `*.auth.microsoft.cn, login.partner.microsoftonline.cn, microsoftgraph.chinacloudapi.cn`<BR>`40.72.70.0/23, 42.159.87.106/32, 42.159.92.96/32, 52.130.2.32/27, 52.130.3.64/27, 52.130.17.192/27, 52.130.18.32/27, 139.217.115.121/32, 139.217.118.25/32, 139.217.118.46/32, 139.217.118.54/32, 139.217.228.95/32, 139.217.231.198/32, 139.217.231.208/32, 139.217.231.219/32, 139.219.132.56/32, 139.219.133.182/32, 2406:e500:5500::/48` | **TCP:** 443, 80
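Review bot: Row 13 adds `login.microsoftonline.com` to the 21Vianet list, while row 17 already lists `login.partner.microsoftonline.cn` for sign-in. An admin who maintains an allow list for this environment will want to know why the worldwide host is now required, so add a **Notes:** entry on row 13 in the way the Worldwide table annotates its rows. Because the file header says it is automatically generated, that note has to come from the endpoint data source, not from a manual edit here.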
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
- Previously updated : 08/10/2020- <!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--USGovDoD endpoints version 2023010300-->
-<!--File generated 2023-01-03 08:00:04.1075-->
+<!--USGovDoD endpoints version 2023030100-->
+<!--File generated 2023-03-01 08:00:04.6482-->
## Exchange Online
ID | Category | ER | Addresses | Ports
15 | Allow<BR>Required | Yes | `portal.apps.mil, reports.apps.mil, webshell.dodsuite.office365.us, www.ohome.apps.mil`<BR>`52.127.72.42/32, 52.127.76.42/32, 52.180.251.166/32, 52.181.24.112/32, 52.181.160.19/32, 52.181.160.113/32, 52.181.160.236/32, 52.182.24.200/32, 52.182.54.237/32, 52.182.92.132/32` | **TCP:** 443 16 | Allow<BR>Required | Yes | `*.osi.apps.mil, dod.loki.office365.us`<BR>`52.127.72.0/21, 2001:489a:2206::/48` | **TCP:** 443 17 | Default<BR>Required | No | `activation.sls.microsoft.com, crl.microsoft.com, go.microsoft.com, insertmedia.bing.office.net, ocsa.officeapps.live.com, ocsredir.officeapps.live.com, ocws.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officepreviewredir.microsoft.com, officeredir.microsoft.com, ols.officeapps.live.com, r.office.microsoft.com` | **TCP:** 443, 80
-18 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, odc.officeapps.live.com, officeclient.microsoft.com` | **TCP:** 443, 80
+18 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, mrodevicemgr.officeapps.live.com, odc.officeapps.live.com, officeclient.microsoft.com` | **TCP:** 443, 80
24 | Default<BR>Required | No | `lpcres.delve.office.com` | **TCP:** 443 25 | Default<BR>Required | No | `*.cdn.office.net` | **TCP:** 443 26 | Allow<BR>Required | Yes | `*.compliance.apps.mil, *.security.apps.mil, compliance.apps.mil, security.apps.mil`<BR>`23.103.191.0/24, 23.103.199.0/25, 23.103.204.0/22, 52.181.167.52/32, 52.181.167.91/32, 52.182.95.219/32, 2001:489a:2202::/62, 2001:489a:2202:8::/62, 2001:489a:2202:2000::/63` | **TCP:** 443, 80
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
- Previously updated : 08/10/2020- <!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--USGovGCCHigh endpoints version 2023010300-->
-<!--File generated 2023-01-03 08:00:06.0752-->
+<!--USGovGCCHigh endpoints version 2023030100-->
+<!--File generated 2023-03-01 08:00:06.0052-->
## Exchange Online
ID | Category | ER | Addresses | Ports
## Microsoft 365 Common and Office Online ID | Category | ER | Addresses | Ports | - | | -- | -
+-- | - | | -- | -
11 | Allow<BR>Required | Yes | `*.gov.online.office365.us`<BR>`52.127.37.0/24, 52.127.82.0/23` | **TCP:** 443 12 | Default<BR>Required | Yes | `*.cdn.office365.us` | **TCP:** 443 13 | Allow<BR>Required | Yes | `*.auth.microsoft.us, *.gov.us.microsoftonline.com, graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us`<BR>`20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50` | **TCP:** 443
ID | Category | ER | Addresses | Ports
15 | Default<BR>Required | No | `officehome.msocdn.us, prod.msocdn.us` | **TCP:** 443, 80 16 | Allow<BR>Required | Yes | `portal.office365.us, www.office365.us`<BR>`13.72.179.48/32, 52.227.167.206/32, 52.227.170.242/32` | **TCP:** 443, 80 17 | Allow<BR>Required | Yes | `*.osi.office365.us, gcchigh.loki.office365.us, tasks.office365.us`<BR>`52.127.240.0/20, 2001:489a:2206::/48` | **TCP:** 443
-18 | Default<BR>Required | No | `activation.sls.microsoft.com, crl.microsoft.com, go.microsoft.com, insertmedia.bing.office.net, ocsa.officeapps.live.com, ocsredir.officeapps.live.com, ocws.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officepreviewredir.microsoft.com, officeredir.microsoft.com, ols.officeapps.live.com, r.office.microsoft.com` | **TCP:** 443, 80
+18 | Default<BR>Required | No | `*.office.delivery.microsoft.com, activation.sls.microsoft.com, crl.microsoft.com, go.microsoft.com, insertmedia.bing.office.net, mrodevicemgr.officeapps.live.com, ocsa.officeapps.live.com, ocsredir.officeapps.live.com, ocws.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officepreviewredir.microsoft.com, officeredir.microsoft.com, ols.officeapps.live.com, r.office.microsoft.com` | **TCP:** 443, 80
19 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, odc.officeapps.live.com, officeclient.microsoft.com` | **TCP:** 443, 80 23 | Default<BR>Required | No | `*.office365.us` | **TCP:** 443, 80 24 | Default<BR>Required | No | `lpcres.delve.office.com` | **TCP:** 443
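Review bot: `mrodevicemgr.officeapps.live.com` is added to row 18 here, which is the activation and `officecdn` group, while the DoD file in this same update adds it to the `cdn.odc.officeapps.live.com` group (DoD row 18, the counterpart of row 19 here). Row 19 in this file is unchanged. Confirm which grouping is intended so that the two government tables agree. `*.office.delivery.microsoft.com` is also added only to GCC High; if DoD needs it as well, it is missing there.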
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
- Previously updated : 08/10/2020- <!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--Worldwide endpoints version 2023013100-->
-<!--File generated 2023-01-31 08:00:04.3621-->
+<!--Worldwide endpoints version 2023030100-->
+<!--File generated 2023-03-01 08:00:02.9265-->
## Exchange Online
ID | Category | ER | Addresses | Ports
## Microsoft 365 Common and Office Online ID | Category | ER | Addresses | Ports
- | -- | | | -
+ | -- | | -- | -
41 | Default<BR>Optional<BR>**Notes:** Microsoft Stream | No | `*.microsoftstream.com` | **TCP:** 443 43 | Default<BR>Optional<BR>**Notes:** Microsoft Stream 3rd party integration (including CDNs) | No | `nps.onyx.azure.net` | **TCP:** 443 44 | Default<BR>Optional<BR>**Notes:** Microsoft Stream - unauthenticated | No | `*.azureedge.net, *.media.azure.net, *.streaming.mediaservices.windows.net` | **TCP:** 443
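Review bot: The rewritten separator row ` | -- | | -- | -` still has an empty first and third cell, and the new `-- | - | | -- | -` row in the GCC High file has an empty third cell as well. A Markdown table separator needs at least one hyphen in every column, otherwise the table falls back to plain text. Since the file is generated, fix the generator to emit a hyphen run for each of the five columns.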
ID | Category | ER | Addresses | Ports
50 | Default<BR>Optional<BR>**Notes:** OneNote notebooks (wildcards) | No | `*.microsoft.com` | **TCP:** 443 51 | Default<BR>Required | No | `*cdn.onenote.net` | **TCP:** 443 53 | Default<BR>Required | No | `ajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.com` | **TCP:** 443
-56 | Allow<BR>Required | Yes | `*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com`<BR>`20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48` | **TCP:** 443, 80
+56 | Allow<BR>Required | Yes | `*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com`<BR>`20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48` | **TCP:** 443, 80
59 | Default<BR>Required | No | `*.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net` | **TCP:** 443, 80
-64 | Allow<BR>Required | Yes | `*.compliance.microsoft.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, security.microsoft.com`<BR>`52.108.0.0/14, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64` | **TCP:** 443
+64 | Allow<BR>Required | Yes | `*.compliance.microsoft.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, security.microsoft.com`<BR>`13.107.6.192/32, 13.107.9.192/32, 52.108.0.0/14, 2620:1ec:4::192/128, 2620:1ec:a92::192/128` | **TCP:** 443
65 | Allow<BR>Required | Yes | `account.office.net`<BR>`52.108.0.0/14, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64` | **TCP:** 443, 80 66 | Default<BR>Required | No | `*.portal.cloudappsecurity.com` | **TCP:** 443 67 | Default<BR>Optional<BR>**Notes:** Security and Compliance Center eDiscovery export | No | `*.blob.core.windows.net` | **TCP:** 443
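Review bot: Row 64 drops every `2603:` and `2a01:111:` IPv6 prefix and replaces them with two `/128` addresses, while row 65 just below keeps the identical IPv6 set that it previously shared with row 64. Confirm the removal is intended for the compliance and security portals only. Anyone who builds firewall rules from this table should treat this as a rule change, not only an addition: the new `/32` and `/128` entries need to be allowed before the old prefixes are pruned.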
lighthouse M365 Lighthouse Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md
We're continuously adding new features to [Microsoft 365 Lighthouse](m365-lighth
## February 2023
-### New GDAP management capabilities
-
-Managed Service Provider (MSP) technicians responsible for managing granular delegated admin privileges (GDAP) can now get at-a-glance details of all their customers' delegated relationships in Microsoft 365 Lighthouse. This new feature helps ensure GDAP is set up correctly for all of your customers.
-
-To view the status of your customers' delegated relationships, including delegated access type, whether a GDAP template has been assigned, number of active and pending relationships, nearest expiration date, and security groups with access to manage the customer tenant, go to **Permissions** > **Delegated access**.
- ### App insights from Endpoint analyticsΓÇ» We've added insights from Endpoint analytics to Microsoft 365 Lighthouse to help you proactively take measures to improve the health of user devices and apps within managed tenants. The insights from Endpoint analytics inform a deployment sub-task called **Enable Device Health Monitoring** within the default baseline under the **Set up device enrollment** task. Once the new sub-task is enabled and the deployment task is deployed, select **Apps** > **App performance** in the left navigation pane in Microsoft 365 Lighthouse to see the Endpoint analytics insights.ΓÇ»
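Review bot: This removes the whole "New GDAP management capabilities" entry from the February 2023 section, and the visible change does not move it anywhere else. If the feature was rescheduled, say so or move the entry under the correct month; if it shipped, the entry should stay so that admins can find the **Permissions** > **Delegated access** path.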
security Attack Surface Reduction Rules Deployment Implement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md
- m365solution-asr-rules - highpri - tier1 Previously updated : 09/19/2022 Last updated : 12/19/2022 search.appverid: met150
security Attack Surface Reduction Rules Deployment Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan.md
ms.localizationpriority: medium audience: ITPro -+
- m365solution-asr-rules - highpri - tier1 Previously updated : 1/18/2022 Last updated : 12/18/2022 search.appverid: met150
security Attack Surface Reduction Rules Deployment Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test.md
- m365solution-asr-rules - highpri - tier1 Previously updated : 09/18/2022 Last updated : 12/18/2022 search.appverid: met150
security Attack Surface Reduction Rules Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md
- m365solution-asr-rules - highpri - tier1 Previously updated : 09/18/2022 Last updated : 12/18/2022 search.appverid: met150
security Attack Surface Reduction Rules Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report.md
- m365-security - tier2 Previously updated : 08/25/2022 Last updated : 01/05/2023 search.appverid: met150
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
The following table summarizes what's included in Microsoft endpoint security pl
|:|:| | [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) | - [Next-generation protection](defender-endpoint-plan-1.md#next-generation-protection) (includes antimalware and antivirus)<br/>- [Attack surface reduction](defender-endpoint-plan-1.md#attack-surface-reduction)<br/>- [Manual response actions](defender-endpoint-plan-1.md#manual-response-actions)<br/>- [Centralized management](defender-endpoint-plan-1.md#centralized-management)<br/>- [Security reports](defender-endpoint-plan-1.md#reporting)<br/>- [APIs](defender-endpoint-plan-1.md#apis)<br/>- [Support for Windows 10, iOS, Android OS, and macOS devices](defender-endpoint-plan-1.md#cross-platform-support)| | [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | All of the Defender for Endpoint Plan 1 capabilities, plus:<br/>- [Device discovery](device-discovery.md)<br/>- [Device inventory](machines-view-overview.md)<br/>- [Core Defender Vulnerability Management capabilities](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md)<br/>- [Threat Analytics](threat-analytics.md)<br/>- [Automated investigation and response](automated-investigations.md)<br/>- [Advanced hunting](advanced-hunting-overview.md)<br/>- [Endpoint detection and response](overview-endpoint-detection-response.md)<br/>- [Endpoint Attack Notifications](endpoint-attack-notifications.md)<br/>- Support for [Windows](configure-endpoints.md) (client only) and [non-Windows platforms](configure-endpoints-non-windows.md) (macOS, iOS, Android, and Linux) |
-| [Defender Vulnerability Management add-on](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md) | More Defender Vulnerability Management capabilities for Defender for Endpoint Plan 2: <br/>- [Security baselines assessment](../defender-vulnerability-management/tvm-security-baselines.md)<br/>- [Block vulnerable applications](../defender-vulnerability-management/tvm-block-vuln-apps.md)<br/>- [Browser extensions](../defender-vulnerability-management/tvm-browser-extensions.md)<br/>- [Digital certificate assessment](../defender-vulnerability-management/tvm-certificate-inventory.md)<br/>- [Network share analysis](../defender-vulnerability-management/tvm-network-share-assessment.md)<br/>- Support for [Windows](configure-endpoints.md) (client and server) and [non-Windows platforms](configure-endpoints-non-windows.md) (macOS, iOS, Android, and Linux) |
+| [Defender Vulnerability Management add-on](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md) | More Defender Vulnerability Management capabilities for Defender for Endpoint Plan 2: <br/>- [Security baselines assessment](../defender-vulnerability-management/tvm-security-baselines.md)<br/>- [Block vulnerable applications](../defender-vulnerability-management/tvm-block-vuln-apps.md)<br/>- [Browser extensions](../defender-vulnerability-management/tvm-browser-extensions.md)<br/>- [Digital certificate assessment](../defender-vulnerability-management/tvm-certificate-inventory.md)<br/>- [Network share analysis](../defender-vulnerability-management/tvm-network-share-assessment.md)<br/> - [Hardware and firmware assessment](../defender-vulnerability-management/tvm-hardware-and-firmware.md) <br/> - [Authenticated scan for Windows](../defender-vulnerability-management/windows-authenticated-scan.md) <br/> - Support for [Windows](configure-endpoints.md) (client and server) and [non-Windows platforms](configure-endpoints-non-windows.md) (macOS, iOS, Android, and Linux) |
| [Defender for Business](../defender-business/mdb-overview.md) <sup>[[1](#fn1)]</sup> | [Services optimized for small and medium-sized businesses](../defender-business/compare-mdb-m365-plans.md) include: <br/>- Email protection<br/>- Antispam protection<br/>- Antimalware protection<br/>- Next-generation protection<br/>- Attack surface reduction<br/>- Endpoint detection and response<br/>- Automated investigation and response <br/>- Vulnerability management<br/>- Centralized reporting<br/>- APIs (for integration with custom apps or reporting solutions)<br/>- [Integration with Microsoft 365 Lighthouse](../defender-business/mdb-lighthouse-integration.md) | (<a id="fn1">1</a>) Microsoft Defender for Business is available as a standalone subscription for small and medium-sized businesses. It's also included as part of [Microsoft 365 Business Premium](/microsoft-365/business-premium). These plans feature advanced security capabilities with a simplified setup and configuration experience. See [Compare Microsoft Defender for Business to Microsoft 365 Business Premium](/microsoft-365/security/defender-business/compare-mdb-m365-plans#compare-microsoft-defender-for-business-to-microsoft-365-business-premium).
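Review bot: the two bullets added to the Defender Vulnerability Management add-on row are written as `<br/> - [Hardware and firmware assessment](...) <br/> - [Authenticated scan for Windows](...) <br/> - Support for`, with a space on each side of the dash, while every other bullet in this table uses `<br/>- ` with no surrounding spaces. Suggest matching the existing form so the cell stays consistent with the Plan 1 and Plan 2 rows above it.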
security Export Firmware Hardware Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-firmware-hardware-assessment.md
GET https://api.security.microsoft.com/api/machines/HardwareFirmwareInventoryPro
```
-## 2. Export certificate assessment (via files)
+## 2. Export hardware and firmware assessment (via files)
### 2.1 API method description
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
It's possible to disable automatic updates of the scanner by going to the **MDAT
6. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file will override any manually added addresses. 7. Select the **Scan interval:** By default, the scan will run every four hours, you can change the scan interval or have it only run once, by selecting 'Do not repeat'. 8. Choose your **Authentication method**.
- - You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials.
+ - You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials. The secret value is dependent on the Authenticated Method you choose:
+
+ |Authentication Method|Azure KeyVault secret value|
+ |:-|:-:|
+ |AuthPriv|Username;AuthPassword;PrivPassword|
+ |AuthNoPriv|Username;AuthPassword|
+ |CommunityString |CommunityString|
+ 9. Select **Next** to run or skip the test scan. 10. Select **Next** to review the settings and the select **Submit** to create your new network device authenticated scan.
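Review bot: the new secret-value table defines `Username;AuthPassword;PrivPassword` and `Username;AuthPassword` as semicolon-delimited strings but does not say what to do when a username or password itself contains a `;`. Suggest stating whether such values are unsupported or how they must be escaped, since a mis-split secret would make the scanner authenticate with the wrong credentials. Two wording points in the same hunk: "dependent on the Authenticated Method you choose" should read "Authentication method" to match step 8 and the table header, and step 10 reads "review the settings and the select **Submit**" where "then select" is meant.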
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
- m365-security - tier2 Previously updated : 05/16/2022 Last updated : 01/16/2023 search.appverid: met150
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium Previously updated : 02/28/2023 Last updated : 03/01/2023 audience: ITPro
If your organization has [exclusions defined for Microsoft Defender Antivirus](c
- `DisableLocalAdminMerge` is enabled. (See [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp).) - Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. (See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)-- Tamper protection is deployed and managed by using Intune, and devices are managed by Intune. (See [Manage tamper protection for your organization using Microsoft Intune](manage-tamper-protection-microsoft-endpoint-manager.md).)
+- Tamper protection is deployed and managed by using Intune, and devices are managed by Intune. (See [How to tell if a Windows device is managed by Intune](manage-tamper-protection-microsoft-endpoint-manager.md#how-to-tell-if-a-windows-device-is-managed-by-intune).)
- Devices are running Windows Defender platform `4.18.2211.5` or later. (See [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions).) - Functionality to protect exclusions is enabled on devices. (See [How to determine whether the functionality is enabled on a Windows device](#how-to-determine-whether-the-functionality-to-protect-exclusions-is-enabled-on-a-windows-device).)
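Review bot: the replaced link on the "Tamper protection is deployed and managed by using Intune" condition now points only to `#how-to-tell-if-a-windows-device-is-managed-by-intune`, so the bullet no longer links to anything that explains how to deploy tamper protection through Intune. Suggest keeping the original "Manage tamper protection for your organization using Microsoft Intune" link and adding the new anchor as a second reference, so both halves of the condition (deployed by Intune, device managed by Intune) have a pointer.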
You can use a registry key to determine whether the functionality to protect Mic
1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)
-2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for the `REG_DWORD` entries that are listed in the following table:
+2. To confirm that the device is managed by Intune only, go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender` (or `HKLM\SOFTWARE\Microsoft\Windows Defender`), and look for a `REG_DWORD` entry called **ManagedDefenderProductType**.
+
+ - If **ManagedDefenderProductType** has a value of `6`, then the device is managed by Intune only (*this value is required for exclusions to be tamper protected*).
+ - If **ManagedDefenderProductType** has a value of `7`, then the device is co-managed, such as by Intune and Configuration Manager.
+
+3. To confirm that tamper protection is deployed and that exclusions are tamper protected, go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for the `REG_DWORD` entries that are listed in the following table:
| REG_DWORD | Value | What it means | |:|:|:|
- | **TamperProtection** | 5 | Tamper protection is deployed. |
+ | **TamperProtection** | 5 | Tamper protection is deployed to the device. |
| **TamperProtectionSource** | 64 | Tamper protection is managed by Intune. | | **TPExclusions** | 1 | Required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected. | | **TPExclusions** | 0 | Tamper protection isn't currently protecting exclusions on the device. |
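Review bot: the new step 2 documents **ManagedDefenderProductType** only for the values `6` and `7` and does not say what to conclude when the entry is absent or holds any other value. Suggest adding a line that states exclusions are not tamper protected in those cases (if that is the intended reading), because the step is the only check given for the "managed by Intune only" condition. Also worth confirming that the table under the new step 3 is indented to sit inside the list item, since the step was renumbered from 2 to 3 and the table header line is unchanged.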
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
- m365-security - tier3 search.appverid: met150 Previously updated : 04/21/2021 Last updated : 12/05/2022 # Report and troubleshoot Microsoft Defender for Endpoint ASR Rules
security Defender Vulnerability Management Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
Title: Compare Microsoft Defender Vulnerability Management offerings
+ Title: Compare Microsoft Defender Vulnerability Management plans and capabilities
description: Compare Defender Vulnerability Management Offerings. Learn about the differences between the plans and select the plan that suits your organization's needs. keywords: Defender for Endpoint, advanced threat protection, endpoint protection search.appverid: MET150
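Review bot: the title and the H1 are both changed to "Compare Microsoft Defender Vulnerability Management plans and capabilities", but the unchanged `description:` line still opens with "Compare Defender Vulnerability Management Offerings." Suggest updating the description in the same change so the metadata and the heading use the same wording.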
- tier1
-# Compare Microsoft Defender Vulnerability Management offerings
+# Compare Microsoft Defender Vulnerability Management plans and capabilities
> [!IMPORTANT] > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
-**Applies to**
+This article helps clarify the Defender Vulnerability Management capabilities included in:
-- [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender Vulnerability Management add-on](../defender-vulnerability-management/index.yml)
+- [Microsoft Defender Vulnerability Management Standalone](../defender-vulnerability-management/index.yml)
+- [Microsoft Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
-> [!NOTE]
-> Microsoft Defender Vulnerability Management, a new standalone offering will provide the complete set of vulnerability tools and capabilities discussed in this article. To learn more, go to [What is Microsoft Defender Vulnerability Management.](defender-vulnerability-management.md)
+> [!IMPORTANT]
+> This article provides a summary of vulnerability management capabilities available across different Microsoft Defender product plans; however, it's not intended to be a service description or licensing contract document. For more detailed information, see the following resources:
+>
+> - [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
+> - [Microsoft 365 Education](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-education)
-> [!NOTE]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+## Vulnerability Management capabilities for endpoints
-This article helps clarify what Defender Vulnerability Management capabilities are included in the following plans:
+The table below shows the availability of Defender Vulnerability Management capabilities for endpoints:
-| Defender Vulnerability Management <p> _Core capabilities part of Defender for Endpoint Plan 2_| Defender Vulnerability Management add-on <p> _Additional capabilities for Defender for Endpoint Plan 2_| Defender Vulnerability Management Standalone <p> _Full vulnerability Management capabilities_|
-|:|:|:|
- [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Software usages insights](tvm-usage-insights.md) <p> | [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md) | [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Software usages insights](tvm-usage-insights.md) <p> [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md)|
+|Capability| Defender for Endpoint Plan 2| Defender Vulnerability Management Add-on </br> for Defender for Endpoint Plan 2 and E5 |Defender Vulnerability Management Standalone </br> (Public Preview) |
+|:-|:-:|:-:|:-:|
+|[Device discovery](../defender-endpoint/device-discovery.md)|Γ£ö|-|Γ£ö|
+|[Device inventory](../defender-endpoint/machines-view-overview.md)|Γ£ö|-|Γ£ö|
+|[Vulnerability assessment](tvm-weaknesses.md)|Γ£ö|-|Γ£ö|
+|[Configuration assessment](tvm-microsoft-secure-score-devices.md)|Γ£ö|-|Γ£ö|
+|[Risk based prioritization](tvm-security-recommendation.md)|Γ£ö|-|Γ£ö|
+|[Remediation tracking](tvm-remediation.md)|Γ£ö|-|Γ£ö|
+|[Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md)|Γ£ö|-|Γ£ö|
+|[Software inventory](tvm-software-inventory.md)|Γ£ö|-|Γ£ö|
+|[Software usages insights](tvm-usage-insights.md)|Γ£ö|-|Γ£ö|
+|[Security baselines assessment](tvm-security-baselines.md)|-|Γ£ö|Γ£ö|
+|[Block vulnerable applications](tvm-block-vuln-apps.md)|-|Γ£ö|Γ£ö|
+|[Browser extensions assessment](tvm-browser-extensions.md)|-|Γ£ö|Γ£ö|
+|[Digital certificate assessment](tvm-certificate-inventory.md)|-|Γ£ö|Γ£ö|
+|[Network share analysis](tvm-network-share-assessment.md)|-|Γ£ö|Γ£ö|
+|[Hardware and firmware assessment](tvm-hardware-and-firmware.md)|-|Γ£ö|Γ£ö|
+|[Authenticated scan for Windows](windows-authenticated-scan.md)|-|Γ£ö|Γ£ö|
> [!NOTE]
-> Microsoft 365 Business Premium and the standalone version of Microsoft Defender for Business include the capabilities that are listed under **Core capabilities part of Defender for Endpoint Plan 2** in the preceding table.
+> Microsoft 365 Business Premium and the standalone version of Microsoft Defender for Business include the capabilities that are listed under **Defender for Endpoint Plan 2** in the preceding table.
+
+## Start a trial
+
+- The Defender Vulnerability Management add-on for Defender for Endpoint Plan 2 is now generally available. To try it, go to [Try Defender Vulnerability Management Add-on trial for Defender for Endpoint Plan 2 customers](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).
+- Defender Vulnerability Management Standalone is in public preview trial. To try it, go to [Try Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).
+
+## Vulnerability Management capabilities for servers
+
+For Microsoft Defender for Cloud customers, Defender Vulnerability Management is natively integrated within Defender for Cloud to perform vulnerability assessments for cloud based virtual machines and recommendations will automatically populate in the Defender for Cloud portal.
+
+Microsoft Defender for Servers Plan 2 includes access to the additional vulnerability management capabilities that are part of the Defender Vulnerability Management add-on. The table below shows the availability of Defender Vulnerability Management capabilities across the Defender for Servers plans.
+
+>[!Note]
+> The Microsoft Defender Vulnerability Management add-on capabilities included in Defender for Servers Plan 2 are only available through the [Microsoft Defender 365 portal](https://security.microsoft.com/homepage).
+
+|Capability|Defender For Servers Plan 1|Defender For Servers Plan 2|
+|:-|:-:|:-:|
+|[Vulnerability assessment](tvm-weaknesses.md)|Γ£ö|Γ£ö|
+|[Configuration assessment](tvm-microsoft-secure-score-devices.md)|Γ£ö|Γ£ö|
+|[Risk based prioritization](tvm-security-recommendation.md)|Γ£ö|Γ£ö|
+|[Remediation tracking](tvm-remediation.md)|Γ£ö|Γ£ö|
+|[Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md)|Γ£ö|Γ£ö|
+|[Software inventory](tvm-software-inventory.md)|Γ£ö|Γ£ö|
+|[Software usages insights](tvm-usage-insights.md)|Γ£ö|Γ£ö|
+|[Security baselines assessment](tvm-security-baselines.md)|-|Γ£ö|
+|[Block vulnerable applications](tvm-block-vuln-apps.md)|-|Γ£ö|
+|[Digital certificate assessment](tvm-certificate-inventory.md)|-|Γ£ö|
+|[Network share analysis](tvm-network-share-assessment.md)|-|Γ£ö|
+|[Hardware and firmware assessment](tvm-hardware-and-firmware.md)|-|Γ£ö|
+|[Authenticated scan for Windows](windows-authenticated-scan.md)|-|Γ£ö|
## Next steps
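Review bot: the new servers table has no "Browser extensions assessment" row, although the paragraph above it says Defender for Servers Plan 2 "includes access to the additional vulnerability management capabilities that are part of the Defender Vulnerability Management add-on" and the endpoints table lists that capability under the add-on. Suggest either adding the row with `-` for both plans or stating in the text that browser extensions assessment is excluded for servers. Smaller points in the same change: the endpoints table header uses `</br>` where the rest of these docs use `<br/>`; the servers note is written `>[!Note]` while the other callouts use `> [!NOTE]`; the first two bullets of the intro list ("add-on" and "Standalone") link to the same `index.yml`; and the portal is named "Microsoft Defender 365 portal" here.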
security Defender Vulnerability Management Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-faq.md
Last updated 06/02/2022
# Microsoft Defender Vulnerability Management frequently asked questions -
-**Applies to:**
--- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)- [!include[Prerelease information](../../includes/prerelease.md)] Find answers to frequently asked questions (FAQs) about Microsoft Defender Vulnerability Management. Use the following links to help find answer to your questions:
Find answers to frequently asked questions (FAQs) about Microsoft Defender Vulne
### What license does the user need to benefit from Defender Vulnerability Management capabilities?
-Microsoft Defender Vulnerability Management is available for public preview via two
+Microsoft Defender Vulnerability Management is available via two
-1. Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Microsoft Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 120-day public preview trial, see [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers).
+1. Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Microsoft Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 90-day trial, see [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).
-2. For non-Defender for Endpoint Plan 1 or Plan 2 customers, or non-Microsoft 365 E3 customers looking for a risk-based vulnerability management solution, Microsoft Defender Vulnerability Management standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. To sign up for the free 120-day public preview trial, see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).
-
-If you have any questions related to the trial sign-up and onboarding process, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+2. For non-Defender for Endpoint Plan 1 or Plan 2 customers, or non-Microsoft 365 E3 customers looking for a risk-based vulnerability management solution, Microsoft Defender Vulnerability Management standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. To sign up for the free 180-day public preview trial, see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).
### Is Defender Vulnerability Management available as part of Defender for Endpoint Plan 2? If the customer has Defender for Endpoint Plan 2 they have the core vulnerability management capabilities. Defender Vulnerability Management is a separate solution from Defender for Endpoint (not included in Defender for Endpoint Plan 2) and is available as an add-on.
-### What will the purchase options be when Defender Vulnerability Management is generally available (GA)?
+### What will the purchase options be when Defender Vulnerability Management Standalone is generally available (GA)?
-Details on your purchase options for Defender Vulnerability Management will be made available once the offering is GA.
+Details on your purchase options for Defender Vulnerability Management Standalone will be made available once the offering is GA.
## Defender Vulnerability Management trial FAQs ### How do customers sign up for a trial?
-For existing Defender for Endpoint Plan 2 customers who want to evaluate the experience first-hand, we encourage directly onboarding onto the Microsoft Defender Vulnerability Management add-on free 120-day public preview trial. For more information, see [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers).
+For existing Defender for Endpoint Plan 2 customers who want to evaluate the experience first-hand, we encourage directly onboarding onto the Microsoft Defender Vulnerability Management add-on free 90-day trial. For more information, see [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).
-For new customers (non-Defender for Endpoint Plan 1 or Plan 2 customers, or non-Microsoft 365 E3 customers), see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone) to sign up for the free 120-day public preview trial.
+For new customers (non-Defender for Endpoint Plan 1 or Plan 2 customers, or non-Microsoft 365 E3 customers), see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone) to sign up for the free 180-day public preview trial.
> [!NOTE] > Customers need to have the global admin role defined in Azure AD to onboard the trial.
->
-> We're happy to assist with initial trial onboarding and to meet with customers to provide an overview of the product capabilities. To do this or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com) and we will get in touch!
### How is the service provisioned/deployed?
Once a customer is onboarded on to the free-trial experience, Defender Vulnerabi
Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free public preview trial.
-### If a customer is in private preview, what will happen to their premium capabilities if I don't sign up for a free public preview trial?
+### If a customer is in private preview, what will happen to their premium capabilities if I don't sign up for a free trial?
-The new capabilities will be available only to customers who onboard the public preview trial. Customers who haven't onboarded will lose access to these capabilities. Blocked applications will be immediately unblocked. Security baseline profiles may be stored for a short additional time before being deleted.
+The new capabilities will be available only to customers who onboard a trial. Customers who haven't onboarded will lose access to these capabilities. Blocked applications will be immediately unblocked. Security baseline profiles may be stored for a short additional time before being deleted.
-### How long does the public preview trial last and what happens at the end of my trial?
+### How long does the trial last and what happens at the end of my trial?
-The public preview trial lasts for 120 days.
+- The Defender Vulnerability Management add-on trial lasts for 90 days.
+- The Defender Vulnerability Management Standalone public preview trial lasts for 180 days.
After your trial ends, you'll have a 30 day grace period of active trial before the license becomes suspended. When the trial is suspended, you'll retain your security baselines, but you may lose access to your portal and your blocked applications may become unblocked.
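Review bot: the reworded question "If a customer is in private preview, what will happen to their premium capabilities if I don't sign up for a free trial?" still mixes third person ("a customer", "their") with first person ("I"); suggest one voice throughout while the line is being touched. The change also drops "public preview" from the add-on trial wording, but the unchanged licensing answer just above still says licenses are applied "after a customer signs up for the free public preview trial", which now only describes the Standalone trial. Suggest updating that sentence as well, and saying whether the 30 day grace period in the unchanged paragraph applies to both the 90-day and the 180-day trial.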
Currently Windows is supported, but coverage will be expanded to cover more oper
## Defender Vulnerability Management general FAQs
-### Can I set up a customer meeting to learn more about Defender Vulnerability Management?
-
-Yes, to do this or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com) and we will get in touch!
- ### Where can I find the full list of capabilities across different plans? For details on the full list of capabilities across Microsoft Defender Vulnerability Management and Defender for Endpoint, see [Defender Vulnerability Management Capabilities](defender-vulnerability-management-capabilities.md).
security Defender Vulnerability Management Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial.md
search.appverid: met150
Last updated 07/13/2022
-# About the Microsoft Defender Vulnerability Management public preview trial
+# About the Microsoft Defender Vulnerability Management trial
+Microsoft Defender Vulnerability Management provides advanced vulnerability management capabilities to minimize your organization's cyber risk. Get real-time asset discovery, continuous risk-based assessment and prioritization, and built in remediation tools.
-**Applies to:**
+It includes capabilities so your teams can intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.
-- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)--
-Microsoft Defender Vulnerability Management is a new service that provides advanced vulnerability management capabilities to minimize your organization's cyber risk. Get real-time asset discovery, continuous risk-based assessment and prioritization, and built in remediation tools.
-
-It includes the existing vulnerability management capabilities in Microsoft Defender for Endpoint and new capabilities to further provide enhanced tools so your teams can intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.
-
-## How to sign up for the Defender Vulnerability Management public preview trial
+## How to sign up for the Defender Vulnerability Management trial
> [!NOTE] > The sign up process outlined below is only relevant to customers who have access to the [Microsoft Defender 365 portal](https://security.microsoft.com/homepage).
Once you've reached the [Microsoft 365 trials hub](https://security.microsoft.co
:::image type="content" source="../../medivm-trialshub.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management trial hub landing page."::: 2. Review the information about what's included in the trial, then select **Begin trial**.
-Your trial will be effective immediately for 120 days. It can take up to 6 hours for all vulnerability management features to appear in your left navigation. Sign out and sign back in to see the updates.
+Your trial will be effective immediately:
+
+- The Defender Vulnerability Management add-on trial lasts for 90 days.
+- The Defender Vulnerability Management Standalone public preview trial lasts for 180 days.
+
+It can take up to 6 hours for all vulnerability management features to appear in your left navigation. Sign out and sign back in to see the updates.
> [!NOTE]
-> This is a public preview trial. Details on your purchase options for this new offering will be made available once the offering is generally available.
+>Defender Vulnerability Management Standalone trial is in public preview. Details on your purchase options for this new offering will be made available once the offering is generally available.
## Required roles for starting the trial
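Review bot: the rewritten note line starts `>Defender Vulnerability Management Standalone trial is in public preview.` with no space after `>` and no leading article, unlike the `> [!NOTE]` line directly above it and the other callouts in this file. Suggest `> The Defender Vulnerability Management Standalone trial is in public preview.` In the earlier part of the same change, "Your trial will be effective immediately:" introduces a list of trial durations rather than anything about when the trial starts; ending that sentence with a period and introducing the two durations separately would read more clearly.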
It can take a few hours for the changes to take effect. Once it does, return to
## Licensing
-As part of the trial setup, the new Defender Vulnerability Management trial licenses will be applied to users automatically. Therefore, no assignment is needed (_The trial can automatically apply up to 1,000,000 licenses_). The licenses are active for 120 days.
+As part of the trial setup, the new Defender Vulnerability Management trial licenses will be applied to users automatically. Therefore, no assignment is needed (_The trial can automatically apply up to 1,000,000 licenses_). The licenses are active for the duration of the trial.
## Getting started, extending, and ending the trial
Wondering what you can experience in your free trial? The Defender Vulnerability
- **[Browser extensions assessment](tvm-browser-extensions.md)** - **[Digital certificates assessment](tvm-certificate-inventory.md)** - **[Network shares analysis](tvm-network-share-assessment.md)**
+- **[Hardware and firmware assessment](tvm-hardware-and-firmware.md)**
+- **[Authenticated scan for Windows](windows-authenticated-scan.md)**
security Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management.md
Last updated 05/09/2022
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:**
--- [Microsoft Defender Vulnerability Management](defender-vulnerability-management-capabilities.md)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)- Reducing cyber risk requires comprehensive risk-based vulnerability management to identify, assess, remediate, and track all your biggest vulnerabilities across your most critical assets, all in a single solution. Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.
Watch the following video to learn more about Defender Vulnerability Management.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Y1FX]
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
> [!TIP] >For more information on the features and capabilities that are included in each offering, see [Compare Microsoft Defender Vulnerability Management offerings.](defender-vulnerability-management-capabilities.md)
Watch the following video to learn more about Defender Vulnerability Management.
With Defender Vulnerability Management, you can empower your security and IT teams to bridge workflow gaps and prioritize and address critical vulnerabilities and misconfigurations across your organization. Reduce cyber security risk with:
-## Asset discovery & inventory
+## Continuous asset discovery and monitoring
Defender Vulnerability Management built-in and agentless scanners continuously monitor and detect risk in your organization even when devices aren't connected to the corporate network.
-A single inventory with a real-time consolidated view of your organization's software applications, digital certificates, network shares, and browser extensions helps you discover and assess all your organization's assets.
-
-View information on extension permissions and associated risk levels, identify certificates before they expire, detect potential vulnerabilities due to weak signature algorithms, and assess misconfigurations in internal network shares.
-
-## Vulnerability & configuration assessment
+Consolidated inventories provide a real-time view of your organization's software applications, digital certificates, hardware and firmware, and browser extensions to help you monitor and assess all your organization's assets.
-Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools.
+Advanced vulnerability and configuration assessment tools help you understand and assess your cyber exposure, including:
- **Security baselines assessment** - Create customizable baseline profiles to measure risk compliance against established benchmarks, such as, Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG). - **Visibility into software and vulnerabilities** - Get a view of the organization's software inventory, and software changes like installations, uninstalls, and patches.-- **Network share assessment** - See actionable security recommendations, in the security recommendations page, for network share configurations identified as vulnerable.
+- **Network share assessment** - Assess vulnerable internal network shares configuration with actionable security recommendations.
+- **Authenticated scan for Windows** - Scan unmanaged Windows devices regularly for software vulnerabilities by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices.
- **Threat analytics & event timelines** - Use event timelines, and entity-level vulnerability assessments to understand and prioritize vulnerabilities.-- **Browser extensions** - View a list of the browser extensions installed across different browsers in your organization.-- **Digital certificates** - View a list of certificates installed across your organization in a single central certificate inventory page.
+- **Browser extensions assessment** - View a list of the browser extensions installed across different browsers in your organization. View information on an extension's permissions and associated risk levels.
+- **Digital certificates assessment** - View a list of certificates installed across your organization in a single central certificate inventory page. Identify certificates before they expire and detect potential vulnerabilities due to weak signature algorithms.
+- **Hardware and firmware assessment** - View a list of known hardware and firmware in your organization organized by system models, processors, and BIOS. Each view includes details such as the name of the vendor, number of weaknesses, threats insights, and the number of exposed devices.
## Risk-based intelligent prioritization
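Review bot: Removing `## Vulnerability & configuration assessment` leaves the whole assessment list (security baselines, network share, authenticated scan, browser extensions, certificates, hardware and firmware) under `## Continuous asset discovery and monitoring`, so the section that introduces scanners and inventories now also carries every assessment tool. If the merge is intended, the new heading should mention assessment; otherwise keep a separate heading above "Advanced vulnerability and configuration assessment tools help you understand and assess your cyber exposure, including:". The new bullet text "Assess vulnerable internal network shares configuration" also reads awkwardly; "Assess vulnerable internal network share configurations" would be clearer.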
Enable security administrators and IT administrators to collaborate and seamless
|Area|Description| |||
-|[Dashboard](tvm-dashboard-insights.md)|Get a high-level view of the organization exposure score, threat awareness, Microsoft Secure Score for Devices, expiring certificates, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.|
+|[**Dashboard**](tvm-dashboard-insights.md)|Get a high-level view of the organization exposure score, threat awareness, Microsoft Secure Score for Devices, expiring certificates, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.|
|[**Recommendations**](tvm-security-recommendation.md)|See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint.| |[**Remediation**](tvm-remediation.md)|See remediation activities you've created and recommendation exceptions.| |[**Inventories**](tvm-software-inventory.md)|Discover and assess all your organization's assets in a single view.|
Enable security administrators and IT administrators to collaborate and seamless
## APIs
-Run vulnerability management related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+Run vulnerability management related API calls to automate vulnerability management workflows. To get started, see [Supported Microsoft Defender for Endpoint APIs](../defender-endpoint/exposed-apis-list.md).
-See the following articles for related APIs:
+See the following articles for related Defender for Endpoint APIs:
-- [Supported Microsoft Defender for Endpoint APIs](../defender-endpoint/exposed-apis-list.md) - [Machine APIs](../defender-endpoint/machine.md) - [Recommendation APIs](../defender-endpoint/vulnerability.md) - [Score APIs](../defender-endpoint/score.md)
security Get Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management.md
Title: Microsoft Defender Vulnerability Management public preview
+ Title: Sign up for Microsoft Defender Vulnerability Management
description: Get Microsoft Defender Vulnerability Management search.appverid: MET150
-# Sign up for Microsoft Defender Vulnerability Management public preview
-
-**Applies to:**
--- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management](index.yml)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> [!IMPORTANT]
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+# Sign up for Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management is available as a standalone and as an add-on for Microsoft Defender for Endpoint Plan 2 customers. How you sign up for the Defender Vulnerability Management trial depends on whether you already have Microsoft Defender for Endpoint Plan 2. > [!NOTE] > This offering isn't currently available to: >
-> - Customers using the **New Commerce Experience (NCE)**
> - US Government customers using GCC, GCC High, and DoD > - Microsoft Defender for Business customers -- If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, sign up to try the [Defender Vulnerability Management Standalone trial.](#try-defender-vulnerability-management-standalone)-- If you already have Defender for Endpoint Plan 2, sign up to try the [Defender Vulnerability Management Add-on trial.](#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers)
+- If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, sign up to try the [Defender Vulnerability Management Standalone Trial](#try-defender-vulnerability-management-standalone)
+- If you already have Defender for Endpoint Plan 2, sign up to try the [Defender Vulnerability Management Add-on Trial](#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers)
-> If you have any questions related to the trial sign up and onboarding process, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+> [!NOTE]
+> Trials will be available to customers using the New Commerce Experience (NCE) for a 30 day period. After the 30 day period customers will be able to purchase Microsoft Defender Vulnerability Management through NCE.
## Try Defender Vulnerability Management Standalone
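Review bot: The new NCE note is ambiguous: "Trials will be available to customers using the New Commerce Experience (NCE) for a 30 day period" can mean either that the trial itself lasts 30 days for NCE customers or that the trial can only be started during a 30-day window. The sign-up steps further down still quote 180 days (Standalone) and 90 days (Add-on) with no NCE exception, so state explicitly which one applies and hyphenate "30-day". The hunk also drops the mdvmtrial@microsoft.com contact line without naming a replacement support path.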
To sign up:
1. Log in as a global admin to the tenant where the Defender Vulnerability Management public preview trial service will be added. 2. Visit [Microsoft Defender Vulnerability Management Public Preview Trial](https://aka.ms/MdvmStandaloneStartTrial). 3. Follow the prompts to sign in. This will differ depending on whether you already have a Microsoft 365 subscription or not.
-4. Once you have signed in, select the **Try now** button to confirm your order of the 120 day subscription of the Microsoft Defender Vulnerability Management Public Preview Trial.
+4. Once you have signed in, select the **Try now** button to confirm your order of the 180 day subscription of the Microsoft Defender Vulnerability Management Public Preview trial.
5. Select **Continue**. You'll now be directed to the Microsoft 365 Defender portal. > [!NOTE] > Once you activate the trial it can take up to 4 hours for Defender Vulnerability Management to be fully available in your tenant.
-## Try the Defender Vulnerability Management Add-on Public Preview Trial for Defender for Endpoint Plan 2 customers
+## Try Defender Vulnerability Management Add-on trial for Defender for Endpoint Plan 2 customers
-If you already have Defender for Endpoint Plan 2, sign up to trial the **Defender Vulnerability Management Add-on trial** to get access to the additional capabilities. To sign up:
+If you already have Defender for Endpoint Plan 2, sign up to the **Defender Vulnerability Management Add-on trial** to get access to the additional capabilities. To sign up:
-1. Visit [Microsoft Defender Vulnerability Management Add-on Public Preview Trial](https://aka.ms/MdvmAddonStartTrial).
+1. Visit [Microsoft Defender Vulnerability Management Add-on Trial](https://aka.ms/MdvmAddonStartTrial).
2. Follow the prompts to sign in. This will differ depending on whether you already have a Microsoft 365 subscription or not.
-3. Once you have signed in, select the **Try now** button to confirm your order of the 120 day subscription of the Microsoft Defender Vulnerability Add-on Public Preview Trial.
+3. Once you have signed in, select the **Try now** button to confirm your order of the 90 day subscription of the Microsoft Defender Vulnerability Add-on trial.
4. Select **Continue**. You'll now be directed to the Microsoft 365 Defender portal. > [!NOTE]
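Review bot: The product name in the rewritten step 3 is incomplete: "the 90 day subscription of the Microsoft Defender Vulnerability Add-on trial" is missing "Management", while step 1 of the same list links to "Microsoft Defender Vulnerability Management Add-on Trial". The omission was carried over from the removed line; fix it while the line is being touched, and settle on one capitalization of "trial" between steps 1 and 3.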
security Threat And Vuln Mgt Event Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/threat-and-vuln-mgt-event-timeline.md
search.appverid: met150
Last updated 03/04/2022
-# Event timeline
+# Event timeline
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Last updated 03/04/2022
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more.
security Trial User Guide Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management.md
Title: Trial user guide - Microsoft Defender Vulnerability Management (public preview)
+ Title: Trial user guide - Microsoft Defender Vulnerability Management
description: Learn how Microsoft Defender Vulnerability Management can help you protect all your users and data. keywords: vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint TVM, Microsoft Defender for Endpoint-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management, endpoint vulnerabilities, next generation
Last updated 11/02/2022
## Welcome to the Microsoft Defender Vulnerability Management trial user guide
-This user guide is a simple guide to help you make the most of your free trial. Using the suggested steps in this user guide from the Microsoft Security team, you'll learn how vulnerability management can help you protect all your users and data.
+This user guide is a simple tool to help you make the most of your free trial. Using the suggested steps in this guide from the Microsoft Security team, you'll learn how vulnerability management can help you protect your users and data.
## What is Microsoft Defender Vulnerability Management? Reducing cyber risk requires a comprehensive risk-based vulnerability management program to identify, assess, remediate, and track important vulnerabilities across your most critical assets.
-Microsoft Defender Vulnerability Management is a new service that proactively provides continuous real-time discovery and assessment of vulnerabilities, context-aware threat & business prioritization, and built-in remediation processes. It includes all Defender Vulnerability Management capabilities in Microsoft Defender for Endpoint and new enhanced capabilities so your teams can further intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.
+Microsoft Defender Vulnerability Management delivers asset visibility, continuous real-time discovery and assessment of vulnerabilities, context-aware threat & business prioritization, and built-in remediation processes. It includes capabilities so your teams can intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.
:::image type="content" source="../../medivm-asset.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management features and capabilities.":::
Watch the following video to learn more about Defender Vulnerability Management:
> Users need to have the global admin role defined in Azure AD to onboard the trial. 1. Check [permissions and pre-requisites.](tvm-prerequisites.md)
-2. The Microsoft Defender Vulnerability Management preview trial can be accessed in several ways:
+2. The Microsoft Defender Vulnerability Management trial can be accessed in several ways:
Via the [Microsoft 365 Defender portal](https://security.microsoft.com) under Trials.
Watch the following video to learn more about Defender Vulnerability Management:
3. Sign up for the trial depends on whether you already have Microsoft Defender for Endpoint Plan 2 or not. - If you have Defender for Endpoint Plan 2, choose [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers). - If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, choose [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).
-4. When you're ready to get started, visit the [Microsoft 365 Defender portal](https://security.microsoft.com) to start using the Defender Vulnerability Management trial.
+4. When you're ready to get started, visit the [Microsoft 365 Defender portal](https://security.microsoft.com) and select **Vulnerability management** in the left navigation bar to start using the Defender Vulnerability Management trial.
> [!NOTE]
-> This is a public preview trial. Details on your purchase options for this new offering will be made available once the offering is generally available.
+> Defender Vulnerability Management Standalone trial is in public preview. Details on your purchase options for this new offering will be made available once the offering is generally available.
> [!NOTE] > Once you activate the trial it can take up to 6 hours for the new features to become available in the portal.
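Review bot: The unchanged step 3 in this hunk still links the Add-on option to `#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers`, but the same update renames that heading in get-defender-vulnerability-management.md to "Try Defender Vulnerability Management Add-on trial for Defender for Endpoint Plan 2 customers" and switches that article's own link to `#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers`. Update the fragment here as well, otherwise the link will no longer resolve to the Add-on section.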
Now that you have set up your trial, it's time to try key capabilities.
### Step 2: Know what to protect in a single view
-Built-in and agentless scanners continuously monitor and detect risk even when devices aren't connected to the corporate network. Expanded asset coverage consolidates software applications, digital certificates, network shares, and browser extensions into a single inventory view.
+Built-in and agentless scanners continuously monitor and detect risk even when devices aren't connected to the corporate network. Expanded asset coverage consolidates software applications, digital certificates, browser extensions, and hardware and firmware into a single inventory view.
1. [**Device inventory**](../defender-endpoint/machines-view-overview.md) - The device inventory shows a list of the devices in your network. By default, the list displays devices seen in the last 30 days. At a glance, you'll see information such as domains, risk levels, OS platform, associated CVEs, and other details for easy identification of devices most at risk.
Built-in and agentless scanners continuously monitor and detect risk even when d
- Identify certificates that are about to expire so you can update them and prevent service disruption. - Detect potential vulnerabilities due to the use of weak signature algorithm (for example, SHA-1-RSA), short key size (for example, RSA 512 bit), or weak signature hash algorithm (for example, MD5). - Ensure compliance with regulatory guidelines and organizational policy.
+ - [**Hardware and firmware**](tvm-certificate-inventory.md) - the hardware and firmware inventory provides a list of known hardware and firmware in your organization. It provides individual inventories for system models, processors, and BIOS. Each view includes details such as the name of the vendor, number of weaknesses, threats insights, and the number of exposed devices.
-3. [Assign device value](tvm-assign-device-value.md) - defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight. Device value options:
+3. [**Authenticated scan for Windows**](windows-authenticated-scan.md) - with Authenticated scan for Windows you can remotely target by IP ranges or hostnames and scan Windows services by providing Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities.
+
+4. [Assign device value](tvm-assign-device-value.md) - defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight. Device value options:
- Low - Normal (Default) - High
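Review bot: The new **Hardware and firmware** bullet links to `tvm-certificate-inventory.md`, which is the certificate inventory article linked a few lines earlier for certificates. The trial hub page in this same update points the hardware and firmware feature at `tvm-hardware-and-firmware.md`, so this looks like a copy-paste slip; change the target to that file. Separately, inserting "Authenticated scan for Windows" as step 3 under "Know what to protect in a single view" places a credentialed scanning setup step between two inventory and classification steps; a sentence on why it belongs here would help readers.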
security Tvm Assign Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-assign-device-value.md
Last updated 03/04/2022
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight.
security Tvm Block Vuln Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps.md
Last updated 04/12/2022
# Block vulnerable applications - **Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
>[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+ Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security admins can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application, until the remediation request is completed. The block option gives IT teams time to patch the application without security admins worrying that the vulnerabilities will be exploited in the meantime.
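Review bot: The added note contains a mis-encoded apostrophe: "To use this feature youΓÇÖll require" should read "you'll", and the same sentence already uses a straight apostrophe in "you're". Replace the typographic quote with a plain ASCII apostrophe; the identical string is added in tvm-browser-extensions.md and tvm-certificate-inventory.md in this update and needs the same fix. The sentence would also read better with a comma after "Standalone" and "or, if you're already".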
security Tvm Browser Extensions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-browser-extensions.md
Last updated 04/11/2022
# Browser extensions assessment - **Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
>[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+ A browser extension is a small software application that adds functionality to a web browser. Visibility into the browser extensions installed can help you ensure the safe usage of extensions in your organization.
The **Browser extensions** page displays a list of the browser extensions instal
1. Go to **Vulnerability management** \> **Software inventory** in the [Microsoft 365 Defender portal](https://security.microsoft.com). 2. Select the **Browser extensions** tab.
+>[!Note]
+> Browser extension assessment is only available on Windows devices. Only extensions that exist in Edge, Chrome, and Firefox, will appear in browser extension list.
+ The **Browser extensions** page opens with a list of the browser extensions installed across your organization, including details on the extension name, browser, the number of devices the extension is installed on, and the number that have it turned on. :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions.png" alt-text="Screenshot of the Browser extensions page" lightbox="../../media/defender-vulnerability-management/browser_extensions.png":::
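Review bot: The relocated note has a stray comma and a missing article in "Only extensions that exist in Edge, Chrome, and Firefox, will appear in browser extension list"; suggest "Only extensions that exist in Edge, Chrome, and Firefox appear in the browser extensions list." Placing the note between step 2 and the sentence "The **Browser extensions** page opens with a list" also interrupts the procedure; consider putting the platform limitation before step 1 so readers on other platforms see it before navigating.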
You can use the Browser filter to view the relevant list of extensions for a par
The **Requested permissions** and **Permissions risk** columns provide more specific information on the number of permissions requested by the extension, and the permissions risk level based on the type of access to devices or sites it requested.
-> [!Note]
-> Only extensions that exist in Edge, Chrome, and Firefox on Windows devices, will appear in browser extension list.
- Select a browser extension to open its flyout pane, where you can learn more about the extension: :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions_details.png" alt-text="Screenshot of the Browser extensions details pane" lightbox="../../media/defender-vulnerability-management/browser_extensions_details.png":::
Select the **Permissions** tab, from the browser extension flyout pane, to see i
The permission risk level generated is based on the type of access the permission is requesting. You can use this information to help make an informed decision on whether you want to allow or block this extension.
-> [!Note]
+>[!Note]
>Risk is subjective, and it's up to each organization to determine the types of risk they are willing to take on. Select a permission to see a further flyout with more information.
security Tvm Certificate Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-certificate-inventory.md
Last updated 04/11/2022
# Certificate inventory - **Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
>[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+ Certificates can be used in multiple ways, this includes:
security Tvm Dashboard Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights.md
Last updated 03/04/2022
# Dashboard insights - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Defender vulnerability management provides both security administrators and security operations teams with unique value, including:
security Tvm End Of Support Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-end-of-support-software.md
Last updated 03/04/2022
# Plan for end-of-support software and software versions - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
End-of-support (EOS), otherwise known as end-of-life (EOL), for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
security Tvm Exception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-exception.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
Last updated 03/04/2022
# Create and view exceptions for security recommendations - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.
security Tvm Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score.md
Last updated 03/04/2022
# Exposure score in Defender Vulnerability Management - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Your exposure score is visible in the [Defender Vulnerability Management dashboard](tvm-dashboard-insights.md) in the Microsoft 365 Defender portal. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable to exploitation.
security Tvm Hardware And Firmware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-hardware-and-firmware.md
Last updated 11/23/2022
# Hardware and firmware assessment - **Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
>[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+ Firmware and hardware attacks are on the rise. Attackers are increasingly targeting firmware and device drivers of hardware components to gain high privilege and persistence. Visibility into the threat posture of your firmware and hardware, and timely remediation of identified vulnerabilities is a vital part of keeping your organization secure.
security Tvm Hunt Exposed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-hunt-exposed-devices.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
Last updated 03/04/2022
# Hunt for exposed devices - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
## Use advanced hunting to find devices with vulnerabilities
security Tvm Manage Log4shell Guidance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-manage-Log4shell-guidance.md
Last updated 06/29/2022
# Learn how to manage the Log4Shell vulnerability in Microsoft Defender for Endpoint
-**Applies to:**
--- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management](defender-vulnerability-management.md)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)- The Log4Shell vulnerability is a remote code execution (RCE) vulnerability found in the Apache Log4j 2 logging library. As Apache Log4j 2 is commonly used by many software applications and online services, it represents a complex and high-risk situation for companies across the globe. Referred to as "Log4Shell" ([CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)) it introduces a new attack vector that attackers can exploit to extract data and deploy ransomware in an organization. > [!NOTE]
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-microsoft-secure-score-devices.md
Last updated 03/04/2022
# Microsoft Secure Score for Devices - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
> [!NOTE] > Configuration score is now part of vulnerability management as Microsoft Secure Score for Devices.
security Tvm Network Share Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-network-share-assessment.md
Last updated 04/27/2022
# Network share configuration assessment - **Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
>[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+ The ability to share files and folders over a network allows users to provide access to resources like files, documents, and media to other people on the network. As network shares can be easily accessed by network users, some common weaknesses exist that can cause network shares to be vulnerable.
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-prerequisites.md
Last updated 03/04/2022
# Prerequisites & permissions for Microsoft Defender Vulnerability Management -
-**Applies to:**
--- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management](index.yml)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
- >[!NOTE] >The same minimum requirements as Microsoft Defender for Endpoint apply to Microsoft Defender Vulnerability Management, for more information, see [Minimum requirements](../defender-endpoint/minimum-requirements.md).
For more information, see [Create and manage roles for role-based access control
**Threat and vulnerability management ΓÇô Manage security baselines assessment profiles** - Create and manage profiles so you can assess if your devices comply to security industry baselines.
->[!Note]
-> For the Defender Vulnerability Management public preview trial this permission is not required. Users with "Threat and vulnerability management - View data" permissions can manage security baselines. However, when the trial ends and a license is purchased, this permission is required.
- ## Related articles - [Supported operating systems and platforms](tvm-supported-os.md)
security Tvm Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-remediation.md
Last updated 03/04/2022
# Remediate vulnerabilities - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Watch this short video to learn how Microsoft Defender Vulnerability Management discovers vulnerabilities and misconfigurations on your endpoints and provides actionable insights that help you quickly remediate threats and vulnerabilities in your environment.
security Tvm Security Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines.md
Last updated 04/12/2022
# Security baselines assessment - **Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
>[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+ Instead of running never-ending compliance scans, security baselines assessment helps you to continuously and effortlessly monitor your organization's security baselines compliance and identify changes in real time.
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation.md
Last updated 03/04/2022
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
security Tvm Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory.md
Title: Software inventory in Defender Vulnerability Management
+ Title: Software inventory
description: The software inventory page for Microsoft Defender for Endpoint's Vulnerability Management shows how many weaknesses and vulnerabilities have been detected in software. keywords: threat and vulnerability management, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint software inventory, Microsoft Defender for Endpoint threat & vulnerability management, Microsoft Defender for Endpoint threat & vulnerability management software inventory, Microsoft Defender for Endpoint tvm software inventory, tvm software inventory, Microsoft Defender Vulnerability Management
search.appverid: met150
Last updated 03/04/2022
-# Software inventory in Defender Vulnerability Management
-
+# Software inventory
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
The software inventory in Defender Vulnerability Management is a list of known software in your organization. The default filter on the software inventory page displays all software with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). The view includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
security Tvm Supported Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-supported-os.md
Last updated 03/04/2022
# Supported operating systems, platforms and capabilities -
-**Applies to:**
--- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
- Before you begin, ensure that you meet the following operating system or platform requisites for vulnerability management so the activities in your devices are properly accounted for. > [!NOTE]
security Tvm Usage Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-usage-insights.md
Last updated 10/06/2022
# Software usage insights - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Defender Vulnerability Management software usage information gives you insights into the total number of devices using an application in your organization and the median usage (in days) for that application over the past 30 days.
security Tvm Vulnerable Devices Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-vulnerable-devices-report.md
Last updated 03/04/2022
# Vulnerable devices report - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses.md
Last updated 03/04/2022
# Vulnerabilities in my organization - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
> [!IMPORTANT] > Defender Vulnerability Management can help identify Log4j vulnerabilities in applications and components. [Learn more](../defender-endpoint/tvm-manage-Log4shell-guidance.md).
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-zero-day-vulnerabilities.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium audience: ITPro
Last updated 03/04/2022
# Mitigate zero-day vulnerabilities - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
->[!Note]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available. Zero-day vulnerabilities often have high severity levels and are actively exploited.
security Whats New In Microsoft Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md
Last updated 07/25/2022
# What's new in Microsoft Defender Vulnerability Management Public Preview -
-**Applies to:**
--- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management](index.yml)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+This article provides information about new features and important product updates for the latest release of Microsoft Defender Vulnerability Management public preview.
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
-> [!NOTE]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+## March 2023
-This article provides information about new features and important product updates for the latest release of Microsoft Defender Vulnerability Management public preview.
+Microsoft Defender Vulnerability Management add-on is now Generally Available. This includes consolidated inventories, new assessments, and mitigation tools to further enhance your vulnerability management program. To learn more about what's included in Microsoft Defender Vulnerability Management plans, see [Compare Microsoft Defender Vulnerability Management plans and capabilities](defender-vulnerability-management-capabilities.md).
## December 2022
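Review bot: The unchanged title still reads "What's new in Microsoft Defender Vulnerability Management Public Preview" and the relocated intro sentence still ends with "public preview", while the new March 2023 entry says the add-on is now Generally Available. Either drop "Public Preview" from the title and intro, or state which parts remain in preview, so readers are not left guessing about the support status of the features listed below.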
security Windows Authenticated Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/windows-authenticated-scan.md
# Authenticated scan for Windows - **Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender Vulnerability Management](index.yml) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+>[!Note]
+> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
-> [!NOTE]
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+ Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities.
To configure a new authenticated scan:
8. Enter the credentials Microsoft Defender Vulnerability Management will use to remotely access the devices: - **Use azure KeyVault:** If you manage your credentials in Azure KeyVault you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials
- - **Enter [gMSA account details](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/):** Input the Domain and Username
+ - For the Azure KeyVault secret value use [gMSA account details](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/) in the format **Domain;Username**
9. Select **Next** to run or skip the test scan. For more information on test scans, see [Scan and add network devices](../defender-endpoint/network-devices.md#scan-and-add-network-devices). 10. Select **Next** to review the settings and then select **Submit** to create your new authenticated scan.
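Review bot: With the separate "Enter gMSA account details" option removed in step 8, "Use azure KeyVault" is the only remaining bullet, but its wording ("If you manage your credentials in Azure KeyVault you can enter ...") still reads as one choice among several. If Key Vault is now the only supported way to supply credentials, say so directly; if not, the removed option should stay. The added line about the secret value would be clearer with a placeholder showing the **Domain;Username** format, and the product name should be written consistently as "Azure Key Vault" rather than "azure KeyVault".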
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
- intro-overview adobe-target: true Previously updated : 02/17/2021 Last updated : 03/01/2023 # What is Microsoft 365 Defender?
Last updated 02/17/2021
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
-Here's a list of the different Microsoft 365 Defender products and solutions:
+Here's a list of the different Microsoft 365 Defender products and solutions that Microsoft 365 Defender coordinates with:
- [**Microsoft Defender for Endpoint**](../defender-endpoint/microsoft-defender-endpoint.md) - [**Microsoft Defender for Office 365**](../office-365-security/microsoft-defender-for-office-365-product-overview.md)
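Review bot: The added sentence names the product twice and reads circularly: "the different Microsoft 365 Defender products and solutions that Microsoft 365 Defender coordinates with". Suggest "Here's a list of the products and solutions that Microsoft 365 Defender coordinates with:", which also makes it clear that the items below are coordinated services rather than components of Microsoft 365 Defender itself.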
Here's a list of the different Microsoft 365 Defender products and solutions:
- [**Microsoft Data Loss Prevention**](/microsoft-365/compliance/dlp-learn-about-dlp) - [**App Governance**](/defender-cloud-apps/app-governance-manage-app-governance)
-Note that Azure Active Directory Identity Protection (AAD IP) is in public preview and may be substantially modified before it's commercially released. AAD IP is available to customers only if they already have Microsoft 365 Defender.
+Note that the coordination of alerts from Azure Active Directory Identity Protection (AAD IP) to Microsoft 365 Defender is in public preview and may be substantially modified before it's commercially released. AAD IP is available to customers only if they already have Microsoft 365 Defender.
With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.
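Review bot: The added line narrows the preview statement to the coordination of alerts, but the sentence that follows it in the same line is unchanged and still says "AAD IP is available to customers only if they already have Microsoft 365 Defender", which now reads as a statement about the product itself rather than about the alert coordination. Suggest making the subject of the second sentence match the first, for example by referring to the alert coordination there as well, so readers can tell which capability is gated and which is in preview.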
security Attack Simulation Training Login Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-login-pages.md
Last updated 1/31/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, login pages are displayed to users in simulations that use the **Credential harvest** and **Link in attachment** [social engineering techniques](attack-simulation-training-simulations.md#select-a-social-engineering-technique).
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, login pages are shown to users in simulations that use **Credential harvest** and **Link in attachment** [social engineering techniques](attack-simulation-training-simulations.md#select-a-social-engineering-technique).
To see the available login pages, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Login pages**. To go directly to the **Simulation content library** tab where you can select **Login pages**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
Last updated 1/31/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training, a _payload_ is the phishing email message and links or attachment content that's are presented to users in simulations. Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that will work better for your organization.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, a _payload_ is the phishing email message and links or attachment content that's are presented to users in simulations. Attack simulation training offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that will work better for your organization.
To see the available payloads, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Payloads**. To go directly to the **Simulation content library** tab where you can select **Payloads**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.
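Review bot: The added line carries over the grammar error "content that's are presented to users" from the removed line. Since the sentence is being rewritten anyway, change it to "content that are presented to users" (or "that's presented" if the subject is meant to be singular).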
security Attack Simulation Training Simulation Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md
Last updated 1/31/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, simulation automations allow you to run multiple benign cyberattack simulations in your organization. Simulation automations can contain multiple payloads and start on an automated schedule. Creating a simulation automation is very similar to [creating an individual simulation](attack-simulation-training-simulations.md), except you also select the payloads and the automation schedule.
+ For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md). To create a simulation automation, do the following steps:
security Attack Simulation Training Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulations.md
Last updated 12/01/2022
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 lets you run benign cyberattack simulations in your organization. These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using Attack simulation training.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, simulations allow you run benign cyberattack simulations in your organization. These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using Attack simulation training.
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
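Review bot: The added line drops a word in "simulations allow you run benign cyberattack simulations"; it should read "allow you to run". The sentence also uses "simulations" as both subject and object, so consider "simulations let you run benign cyberattacks in your organization" or keeping the removed line's structure with only the licensing order changed.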
security Attack Simulation Training Training Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns.md
Last updated 01/13/2023
> [!NOTE] > This article describes features that are in Public Preview, aren't available in all organizations, and are subject to change.
-In Attack simulation training in Microsoft Defender for Office 365 Plan 2, Training campaigns are a faster, more direct way to provide security training to users. Instead of creating and launching [simulated phishing attacks](attack-simulation-training-simulations.md) that eventually lead to training, you can create and assign Training campaigns directly to users.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, Training campaigns are a faster, more direct way to provide security training to users. Instead of creating and launching [simulated phishing attacks](attack-simulation-training-simulations.md) that eventually lead to training, you can create and assign Training campaigns directly to users.
A Training campaign contains one or more built-in Training modules that you select. Currently, there are over 70 Training modules to select from. For more information about Training modules, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).
security Attack Simulation Training Training Modules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-modules.md
Last updated 01/13/2023
> [!NOTE] > This article describes features that are in Public Preview, aren't available in all organizations, and are subject to change.
-In Attack simulation training in Microsoft Defender for Office 365 Plan 2, you select one or more Training modules to include in Training campaigns that you create and assign to users. For more information about Training campaigns, see [Training campaigns in Attack simulation training](attack-simulation-training-training-campaigns.md).
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, you select one or more Training modules to include in Training campaigns that you create and assign to users. For more information about Training campaigns, see [Training campaigns in Attack simulation training](attack-simulation-training-training-campaigns.md).
To see the available Training modules, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Training modules**. To go directly to the **Content library** tab where you can select **Training modules**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.
security Safe Links About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md
Watch this short video on how to protect against malicious links with Safe Links
Safe Links protection is available in the following locations: -- **Email messages**: Safe Links protections for links in email messages is controlled by Safe Links policies.
+- **Email messages**: Safe Links protections for links in email messages are controlled by Safe Links policies.
For more information about Safe Links protection for email messages, see the [Safe Links settings for email messages](#safe-links-settings-for-email-messages) section later in this article.
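Review bot: The added bullet fixes the subject-verb agreement by making the verb plural ("protections ... are controlled"), but the surrounding unchanged lines use the singular "Safe Links protection is available" and "Safe Links protection for email messages". For consistency, consider the singular form in the bullet instead: "Safe Links protection for links in email messages is controlled by Safe Links policies."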
solutions Data Privacy Protection Assess https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/data-privacy-protection-assess.md
f1.keywords: - NOCSH Previously updated : 06/22/2020 Last updated : 02/06/2023 audience: ITPro
solutions Data Privacy Protection Protect Govern https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/data-privacy-protection-protect-govern.md
f1.keywords: - NOCSH Previously updated : 06/22/2020 Last updated : 02/06/2023 audience: ITPro
solutions Data Privacy Protection Regulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/data-privacy-protection-regulations.md
f1.keywords: - NOCSH Previously updated : 06/22/2020 Last updated : 02/06/2023 audience: ITPro
solutions Data Privacy Protection Respond Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/data-privacy-protection-respond-requests.md
f1.keywords: - NOCSH Previously updated : 06/22/2020 Last updated : 02/06/2023 audience: ITPro
solutions Data Privacy Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/data-privacy-protection.md
f1.keywords: - NOCSH Previously updated : 06/22/2020 Last updated : 02/06/2023 audience: ITPro
syntex Use Content Center Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/use-content-center-site.md
In this site, models can be trained and evaluated using your own content. Howeve
## Provision the site
+> [!NOTE]
+> The content center site template is provided in the SharePoint look book service, which is no longer being updated. Some of the information in the template might not reflect the current Syntex features.
+ The content center site can be provisioned from the [SharePoint look book service](https://lookbook.microsoft.com/). ![Screenshot of the content center site template provisioning page.](../media/content-understanding/content-center-site-provisioning-page.png)
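Review bot: The added note says the template comes from a service that is no longer being updated and might not reflect current Syntex features, yet the next line still directs readers to provision the site from that service without saying what to do about the gap. Suggest the note point to where current feature guidance lives, or state which parts of the template to verify after provisioning. The added line with only a leading space before "The content center site can be provisioned" also looks like an unintended whitespace change.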