Updates from: 03/20/2024 09:37:29
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
People who have the following permissions:
- Global reader (with no user details) -- Usage Summary Reports reader (with no user details)
+- Usage Summary Reports reader (with no user details): By design, this role has read access to user, groups, and other settings by default in the Microsoft 365 admin center, as the role is based on Microsoft Entra.
- Reports reader
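Review bot: the added Usage Summary Reports reader bullet reads as self-contradictory: the label keeps "(with no user details)" while the same sentence says the role "has read access to user, groups, and other settings". State which statement applies to what (the reports hide identifiable user data, while the directory read access comes from the underlying Microsoft Entra role) so an admin assigning the role knows exactly what it can see, and fix "user, groups" to "users, groups".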
admin Email Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/email-activity-ww.md
Title: "Microsoft 365 admin center email activity reports"--++ Previously updated : 09/26/2023 Last updated : 03/14/2024 audience: Admin
For example, you can get a high level view of email traffic within your organiza
## How to get to the email activity report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. Select **View More** under **Email activity**.
-3. From the **Email activity** drop-down list, select **Exchange** \> **Email activity**.
+2. From the **Overview** page, select **Exchange** \> **Email activity**.
## Interpret the email activity report
-You can get a view into your user's email activity by looking at the **Activity** and **Users** charts.
+You can get a view into your user's email activity by looking at the **Activity** and **Users** charts.
![Email activity report.](../../media/5eb1d9e9-8106-4843-acb7-c0238c0da816.png) The **Email activity** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated). The data in each report usually covers up to the last 24 to 48 hours.
-The **Activity** chart enables you to understand the trend of the amount of email activity going on in your organization. You can understand the split of email send, email read, email received, meeting created, or meeting interacted activities.
+The **Activity** chart enables you to understand the trend of the amount of email activity going on in your organization. You can understand the split of email send, email read, email received, meeting created, or meeting interacted activities.
-The **User** chart enables you to understand the trend of the number of unique users who are generating the email activities. You can look at the trend of users performing email sending, email reading, email receiving, meeting creating, or meeting interacting activities.
+The **User** chart enables you to understand the trend of the number of unique users who are generating the email activities. You can look at the trend of users performing email sending, email reading, email receiving, meeting creating, or meeting interacting activities.
-On the Activity chart, the Y axis is the count of activity of the type email sent, email received, email read, meeting created, and meeting interacted.
+On the Activity chart, the Y axis is the count of activity of the type email sent, email received, email read, meeting created, and meeting interacted.
-On the Users activity chart, the Y axis is the user's performing activity of the type email sent, email received, email read, meeting created, or meeting interacted.
+On the Users activity chart, the Y axis is the user's performing activity of the type email sent, email received, email read, meeting created, or meeting interacted.
-The X axis on both charts is the selected date range for this specific report.
+The X axis on both charts is the selected date range for this specific report.
You can filter the series you see on the chart by selecting an item in the legend. The table shows you a breakdown of the email activities at the per-user level. This shows all users that have an Exchange product assigned to them and their email activities.
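Review bot: the removed and added pairs from "You can get a view into your user's email activity" down to "The X axis on both charts" are textually identical, so the change is invisible here (presumably whitespace only). While these lines are being touched, "your user's email activity" should be "your users' email activity", since the charts aggregate across all users, and "the Y axis is the user's performing activity of the type" on the Users chart line should read "the number of users performing an activity of the type", matching the wording of the paragraph that introduces that chart.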
-
|Item|Description| |:--|:--| |Username |The email address of the user. |
You can filter the series you see on the chart by selecting an item in the legen
|Meeting interacted actions |The number of times a meeting request accept, tentative, decline, or cancel action was recorded for the user. | |Product assigned |The products that are assigned to this user. | - If your organization's policies prevents you from viewing reports where user information is identifiable, you can change the privacy setting for all these reports. Check out the **How do I hide user level details?** section in the [Activity Reports in the Microsoft 365 admin center](activity-reports.md). Select **Choose columns** to add or remove columns from the report. ![Email activity report - choose columns.](../../media/80ffa0ad-61c5-4a6f-8a1d-5f6730ff7da9.png)
-You can also export the report data into an Excel .csv file, by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis.
-
+You can also export the report data into an Excel .csv file, by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis.
+ > [!NOTE] > The Email activity report is only available for mailboxes that are associated with users who have licenses.
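Review bot: the new callout is written on a single line ("> [!NOTE] > The Email activity report ..."); the alert marker and its body need to be on separate quoted lines for the note to render. The export paragraph above it says the .csv "exports data of all users", and the section earlier explains a privacy setting for hiding identifiable user information; say whether the export honors that setting, because an export that still carries user names would surprise admins who turned it on.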
admin Microsoft 365 Copilot Organizational Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-organizational-messages.md
There are certain policies, if not configured properly, that can block the deliv
## Getting started
-In the Microsoft 365 admin center, go to **Reports** > **Usage > Microsoft 365 Copilot**.
+In the Microsoft 365 admin center, go to **Reports** > **Usage > Copilot for Microsoft 365**.
:::image type="content" source="../../media/copilot-usage-adoption-page.png" alt-text="Screenshot showing the Microsoft 365 Copilot usage dashboard with information about organization adoption." lightbox="../../media/copilot-usage-adoption-page.png":::
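Review bot: the navigation step now says **Copilot for Microsoft 365**, but the article's section title above and the screenshot alt-text directly below still say "Microsoft 365 Copilot"; pick one product name and use it throughout, otherwise readers following the path will look for a menu entry under a different name than the one shown.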
admin Organizational Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/organizational-messages.md
description: "Learn how to send messages to your organization in Microsoft 365 u
# Adoption Score Organizational Messages
-Organizational messages enable IT admins to deliver clear, actionable messages in-product and in a targeted way, while maintaining user-level privacy. Organizational messages in Adoption Score use targeted in-product notifications to advise on Microsoft 365 recommended practices based on Adoption Score insights. Users can be reminded to use products that have recently been deployed, encouraged to try a product on a different surface, or to recommend new ways of working, such as using @mentions to improve response rates in communications. Templated messages are delivered to users in their flow of work through surfaces including Outlook, Excel, PowerPoint, and Word. Authorized professionals can use the organizational messages wizard in Adoption Score to choose from up to three templated message types, define when and how often a message can be displayed, and exclude groups or priority accounts from receiving the message.
+Organizational messages enable IT admins to deliver clear, actionable messages in-product and in a targeted way, while maintaining user-level privacy. Organizational messages in Adoption Score use targeted in-product notifications to advise on Microsoft 365 recommended practices based on Adoption Score insights. Users can be reminded to use products that have recently been deployed, encouraged to try a product on a different surface, or to recommend new ways of working, such as using @mentions to improve response rates in communications. Templated messages are delivered to users in their flow of work through surfaces including Outlook, Excel, PowerPoint, Word, and new Teams. Authorized professionals can use the organizational messages wizard in Adoption Score to choose from up to three templated message types, define when and how often a message can be displayed, and exclude groups or priority accounts from receiving the message.
Organizational messages for Adoption Score will initially roll out to Communication, Content Collaboration, Mobility, and more to follow to support all People Experience categories. Check out the [2022 Ignite session](https://ignite.microsoft.com/en-US/sessions/ff17a80f-2fa6-4e52-b92c-745f0ca8d574?source=sessions) for a detailed demonstration and feature description.
Visit [privacy controls for Adoption Score](privacy.md) to understand how to ena
:::image type="content" source="../../media/org-message-adoption-score.png" alt-text="Screenshot: How to enable Organizational Messages in Adoption Score." lightbox="../../media/org-message-adoption-score-expanded.jpg":::
-## Getting Started
+## Getting started
In the Microsoft 365 admin center, go to **Reports** \> **Adoption Score.**
admin Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/message-center.md
f1.keywords:
Previously updated : 09/18/2023 Last updated : 03/14/2024 audience: Admin
To unsubscribe from Message center emails, see [Unsubscribe from Message center
|Is this the only way Microsoft communicates changes about Microsoft 365?|No, but Message center is the primary way we communicate the timing of individual changes in Microsoft 365. See [Stay on top of Microsoft 365 changes](stay-on-top-of-updates.md) for more information.| |How can I see posts in my language?|Message center posts are written in English. You can control whether, by default, posts are shown in English or are automatically machine-translated to your preferred language. You can also select to machine-translate posts to any language we support. See [Language translation for Message center posts](language-translation-for-message-center-posts.md) for more details.| |Can I preview changes or features before they are rolled-out to my organization?|Some changes and new features can be previewed by opting in to the Targeted release program. To opt in, in the admin center, go to **Settings** > **Org settings** > **Organization profile** > **Release preferences**. (In the admin center, you may need to select **Show all** at the bottom of the left navigation pane to see **Settings**.) You can choose Targeted release for your entire organization, or just for selected users. See [Standard or Targeted release options in Microsoft 365](release-options-in-office-365.md) for more information about the program.|
-|Can I find out the exact date a change is available in my organization?|Unfortunately, we can't tell you the exact date a change is made to your organization. In our Message center post, we will give as much information as we can on the timing of the release, based on our confidence level. We're working on improvements to get better with that level of detail.|
+|Can I find out the exact date a change is available in my organization?|Unfortunately, we can't tell you the exact date a change is made to your organization. In our Message center post, we give as much information as we can on the timing of the release, based on our confidence level. We're working on improvements to get better with that level of detail.|
|Are these messages specific to my organization?|We do our best to make sure that you only see Message center posts that affect your organization. The Microsoft 365 Roadmap includes all of the features we are currently working on and rolling out, but not all of these features apply to every organization.| |Can I get message center posts emailed instead?|Yes! You can select to have a weekly digest emailed to you and up to two other email addresses. The emailed weekly digest is turned on by default. If you aren't getting your weekly digests, check your spam folder. See the [Preferences](#preferences) section of this article for more information on how to set up the weekly digest.| |How do I stop getting the Message center digest?|Go to Message center in the admin center and select **Preferences**. In the **Email** tab, turn off the option to **Send me email notifications from message center**.|
-|How can I ensure data privacy notifications are received by the right contacts in my organization?|As a global admin you'll receive data privacy messages for your organization. Additionally, you can assign the Message Center Privacy reader role to people who should see data privacy messages. Other admin roles with access to Message Center cannot view data privacy messages. <br/><br/>For more info, see [Preferences](#preferences) in this article.|
+|How can I ensure data privacy notifications are received by the right contacts in my organization?|As a global admin you receive data privacy messages for your organization. Additionally, you can assign the Message Center Privacy reader role to people who should see data privacy messages. Other admin roles with access to Message Center cannot view data privacy messages. <br/><br/>For more info, see [Preferences](#preferences) in this article.|
|Why canΓÇÖt I see a message that was previously there?|To manage the number of messages within Message center, each message will expire and be removed after a period of time. Generally, messages expire 30 days post the time period outlined in the message body.| ## Feature release status for your organization in Message Center
- For each new and updated feature announcement in Message center, ΓÇ£Status for your org.ΓÇ¥ field provides a release status to help you track when a feature is available in your tenant.
+ For each new and updated feature announcement in Message center, the **Status for your org** field provides a release status to help you track when a feature is available in your tenant.
These three release statuses are updated on each applicable message over the lifecycle of the feature release
The release status is **ONLY** available for new and updated features that are a
For each new Message center post, we provide a recommendation for how relevant the change is for your organization. This recommendation is based on multiple factors such as: -- Apps and service usage
+- Apps and service usage.
- Changes meant to prevent or fix issues for subscription. - Changes meant to help you plan ahead or stay informed. - Impact changes, such as data privacy and app and service retirements.
There are three levels of relevance:
- **High** - These are posts about changes in your organization, which need immediate action to avoid service disruption. These can also include feature releases with high potential impact to your organization, for example, an app or service being heavily used by people in your organization. -- **Medium** - These are posts about changes in your organization, which don't need immediate action. . Examples are non-breaking changes or new features for a service which is being used by your organization, an early announcement for an upcoming breaking feature change, retirement
+- **Medium** - These are posts about changes in your organization, which don't need immediate action. Examples are nonbreaking changes or new features for a service, which is being used by your organization, an early announcement for an upcoming breaking feature change, retirement
-- **Low** - These are posts about changes which just need monitoring. They are related to low impact apps and services in your organization. Examples would be a feature update for an app or service, which isn't actively used in your organization.
+- **Low** - These are posts about changes that need monitoring. They are related to low impact apps and services in your organization. Examples would be a feature update for an app or service, which isn't actively used in your organization.
The relevance recommendations are **ONLY** be available for the newer MC posts. This means the MC posts you already received will see a "blank" for relevance recommendation.
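Review bot: in the rewritten **Medium** bullet, the added comma in "new features for a service, which is being used by your organization" turns a restrictive clause into a non-restrictive one, so it now reads as if every service is in use; drop the comma or write "a service that your organization uses". The same bullet still ends mid-list on "retirement" with nothing after it, and the sentence that follows the list, "The relevance recommendations are **ONLY** be available", has a stray "be".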
-If you see ΓÇ£**Processing**ΓÇ¥ for a MC post, it means that the score is being computed for this post and should be available soon. You should try to refresh after a few minutes.
+If you see **Processing** for a Message center post, it means that the score is being computed for this post and should be available soon. You should try to refresh after a few minutes.
-Once you start receiving this, please tell us if a MC post is **not relevant** to you through the [**extended feedback.**](#give-feedback-on-a-post) This feedback is very important for us to improve the accuracy of the relevance recommendations.
+Once you start receiving this, please tell us if a Message center post is **not relevant** to you through the [**extended feedback.**](#give-feedback-on-a-post) This feedback is important for us to improve the accuracy of the relevance recommendations.
## Filter messages
The Archive tab shows the messages you have archived. To archive a message, in t
::: moniker range="o365-worldwide"
-Use the **Service**, **Tag**, and **Message state** drop-down menus to select a filtered view of messages. For example, in this diagram,the messages are tagged with the **Admin impact** tag.
+Use the **Service**, **Tag**, and **Message state** drop-down menus to select a filtered view of messages. For example, in this diagram, the messages are tagged with the **Admin impact** tag.
You can select any column heading, except **Service** and **Tag**, to sort messages in ascending or descending order.
You can select any column heading, except **Service** and **Tag**, to sort mess
::: moniker range="o365-21vianet"
-Use the **Service**, **Tag**, and **Message state** drop-down menus to select a filtered view of messages. For example, in this diagram the messages are tagged with the **Admin impact**.
+Use the **Service**, **Tag**, and **Message state** drop-down menus to select a filtered view of messages. For example, in this diagram, the messages are tagged with the **Admin impact**.
You can select any column heading, except **Service** and **Tags**, to sort messages in ascending or descending order.
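Review bot: the o365-21vianet variant still ends with "tagged with the **Admin impact**." with no noun after the tag name, while the o365-worldwide variant says "the **Admin impact** tag"; align the two. The two variants also disagree on the column name in the sort sentence (**Tag** vs **Tags**), and only one of them can match the UI.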
Major updates are communicated at least 30 days in advance when an action is req
If administration is distributed across your organization, you may not want or need to see posts about all Microsoft 365 services. Each admin can: - Set preferences that control which messages are displayed in Message center.-- Filter messages
+- Filter messages.
- Set email preferences to receive a weekly digest of all messages, emails for major updates only, and emails for data privacy messages. ::: moniker range="o365-worldwide"
If administration is distributed across your organization, you may not want or n
You can also enter up to two email addresses, separated by a semicolon.
- You can also choose the emails you want to get, as well as a weekly digest of services you select.
+ You can also choose the emails you want to get, and a weekly digest of services you select.
4. Select **Save** to keep your changes.
The number of monthly users applies to all users who've used that Microsoft 365
To choose columns, on the **Message center** page, on the far right, select **Choose columns**, and in the **Choose columns** pane, select the ones you want displayed.
-Here's a quick overview of the information you'll see in each column.
+Here's a quick overview of the information in each column.
### Column information |Column|Description| |||
-|Check mark|Selecting the check mark in the column heading row will select all messages currently displayed. Selecting the check mark next to one or more messages lets you take action on those messages.|
+|Check mark|Selecting the check mark in the column heading row selects all messages currently displayed. Selecting the check mark next to one or more messages lets you take action on those messages.|
|Message title|Message titles are brief descriptions of upcoming changes. If the full title doesn't display, hover your cursor over it and the entire title will appear in a pop-up box.| |Service|Icons indicate the application to which the message applies.| |More options|More options lets you dismiss a message, mark it as read or unread, or share it with another admin. To restore an archived message, select the **Archive** tab, select the check mark next to the message, and select **Restore**.| |Tags| You can choose tags from the Tag drop-down to filter messages. <br> <p> **Data Privacy**: Data privacy notification (limited to global administrator and Message center Privacy reader roles). <p> **Major update**: Changes communicated at least 30 days in advance ([Major updates](#major-updates)). <p> **Retirement**: Retirement of a service or feature. <p> **New feature**: New feature or service. <p> **Feature update**: Update to an existing feature. <p> **Admin impact**: When the change clearly impacts the admin in the following ways - UI change, workflow change, control available and Specific/Potential Action. <p> **User impact**: When the change to the service clearly impacts the user - UI Change and workflow change. <p> **Updated message**: When a message is updated.|
-|Category| This is not shown by default, but can be specified in the **Choose columns** panel. Messages are identified by one of the following three categories: <p> **Prevent or fix issues**: Informs you of known issues affecting your organization and may require that you take action to avoid disruptions in service. Prevent or fix issues are different than Service health messages because they prompt you to be proactive to avoid issues. <p> **Plan for change**: Informs you of changes to Microsoft 365 that may require you to act to avoid disruptions in service. For example, we'll let you know about changes to system requirements or about features that are being removed. We try to provide at least 30 days' notice of any change that requires an admin to act to keep the service running normally. <p> **Stay informed**: Tells you about new or updated features we are turning on in your organization. The features are usually announced first in the [Microsoft 365 Roadmap](https://go.microsoft.com/fwlink/?linkid=2070821). <p> May also let you know about planned maintenance in accordance with our Service Level Agreement. Planned maintenance may result in down time, where you or your users can't access Microsoft 365, a specific feature, or a service such as email or OneDrive for Business.|
+|Category| This is not shown by default, but can be specified in the **Choose columns** panel. Messages are identified by one of the following three categories: <p> **Prevent or fix issues**: Informs you of known issues affecting your organization and may require that you take action to avoid disruptions in service. Prevent or fix issues are different than Service health messages because they prompt you to be proactive to avoid issues. <p> **Plan for change**: Informs you of changes to Microsoft 365 that may require you to act to avoid disruptions in service. For example, we let you know about changes to system requirements or about features that are being removed. We try to provide at least 30 days' notice of any change that requires an admin to act to keep the service running normally. <p> **Stay informed**: Tells you about new or updated features we are turning on in your organization. announced first in the [Microsoft 365 Roadmap](https://go.microsoft.com/fwlink/?linkid=2070821). <p> May also let you know about planned maintenance in accordance with our Service Level Agreement. Planned maintenance may result in down time, where you or your users can't access Microsoft 365, a specific feature, or a service such as email or OneDrive for Business.|
|Act by|We'll only have dates here if we're making a change that requires you to take an action by a certain deadline. Since we rarely use the **Act by** column, if you see something here, you should pay extra attention to it.| |Last updated|Date that the message was published or last updated.| |Message ID|Microsoft tracks our Message center posts by message ID. You can refer to this ID if you want to give feedback or if you call Support about a particular message.|
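Review bot: the rewritten **Category** row drops the words "The features are usually" from the **Stay informed** entry, leaving the fragment "in your organization. announced first in the [Microsoft 365 Roadmap]"; restore the subject so it reads "The features are usually announced first in the Microsoft 365 Roadmap".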
See a message that someone else needs to act on? You can share the contents of t
1. Select the message to open it, and then select **Share**.
-2. To share the message, enter up to two email addresses separated by a colon. You can send to individual and to group email addresses. Optionally, you can choose to receive a copy of the message in email (the message will go to your primary email address) or add a personal message to provide recipients with more context.
+2. To share the message, enter up to two email addresses separated by a colon. You can send to individual and to group email addresses. Optionally, you can choose to receive a copy of the message in email (the message goes to your primary email address) or add a personal message to provide recipients with more context.
3. Select **Share** to send the email. ## Get a link
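Review bot: step 2 of sharing says the addresses are "separated by a colon", while the Preferences section above says "separated by a semicolon" for the same kind of list; confirm which separator the form accepts and use the same word in both places.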
-Need to follow up with another admin to make sure they're aware of a change and taking action? You can generate a link to share in email or instant messaging, for example, that will connect the user directly to that message. The person you share the link with has to have access to Message center. See [admin roles that don't have access to the Message center](message-center.md#admin-roles-that-dont-have-access-to-the-message-center) for more information.
+Need to follow up with another admin to make sure they're aware of a change and taking action? You can generate a link to share in email or instant messaging. The person you share the link with has to have access to Message center. See [admin roles that don't have access to the Message center](message-center.md#admin-roles-that-dont-have-access-to-the-message-center) for more information.
-1. Select the message to open it.
+1. Select the message center post.
2. Select **Copy link**.
You can also open a message and mark it as unread in the details panel.
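Review bot: the rewritten step 1, "Select the message center post.", drops "to open it", so it is no longer clear whether **Copy link** in step 2 is available from the list or only inside the opened message; say which. The sentence removed from the intro was also the only place that explained what the link does (connects the recipient directly to that message), so a short version of it is worth keeping.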
## Archive and restore
-If you see a message that doesn't pertain to you, or maybe you've already acted on it, you can archive the message to remove it from Inbox. The view that you see in the Message center is specific to your user account, so archiving it from your view doesn't affect other admins. There are two ways to archive a message.
+If you see a message that doesn't pertain to you, or maybe you've already acted on it, you can archive the message. Archiving a message removes it from the Inbox. The view that you see in the Message center is specific to your user account, so archiving it from your view doesn't affect other admins. There are two ways to archive a message.
- On the main page of the Message center, select a message, and then select **Archive** above the list of messages. - Open the message, and then select **Archive** on the top of the message pane.
Need to get an archived message back? No problem.
## Favorite messages
-To mark a message as a favorite, hover over the message title and you will see a **Favorite** :::image type="icon" source="../../media/favorite-star.png" border="false"::: star you can select right after the **More options** ellipses. Once you have marked messages as favorite you can also sort and filter them.
+To mark a message as a favorite, hover over the message title and you will see a **Favorite** :::image type="icon" source="../../media/favorite-star.png" border="false"::: star you can select right after the **More options** ellipses. Once you have marked messages as favorite, you can also sort and filter them.
## Scroll messages in the message pane
bookings Bookings Sms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-sms.md
Title: "Configure SMS text notifications and reminders in Microsoft Bookings"
Previously updated : 09/15/2021 Last updated : 02/28/2024 audience: Admin
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp.md
ms.localizationpriority: medium Previously updated : 01/25/2023 Last updated : 03/19/2024 audience: ITPro
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application key here $sourceAppIdUri = 'https://api.securitycenter.microsoft.com/.default'
-$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
+$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$authBody = [Ordered] @{ scope = "$sourceAppIdUri" client_id = "$appId"
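Review bot: switching `$oAuthUri` to the `/oauth2/v2.0/token` endpoint is consistent with the request body on the following lines, where `scope = "$sourceAppIdUri"` and `$sourceAppIdUri` ends in `/.default`; state in the surrounding text that the endpoint and this scope form go together, so readers updating an older copy of the script do not keep the old endpoint with the new body. Separately, the snippet has readers paste `$appSecret` in clear text into the script; the article should point them to a secure store or certificate-based credentials rather than leaving the application key in a script file.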
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
The following ASR rules DO NOT honor Microsoft Defender for Endpoint Indicators
||| | Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Doesn't honor indicators of compromise for files or certificates. | | Block Office applications from injecting code into other processes |Doesn't honor indicators of compromise for files or certificates. |
-| Block Win32 API calls from Office mac |Doesn't honor indicators of compromise for certificates. |
+| Block Win32 API calls from Office macros |Doesn't honor indicators of compromise for certificates. |
## ASR rules supported operating systems
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
Last updated 02/29/2024
You can also manually onboard individual devices to Defender for Endpoint. You might want to onboard some devices when you're testing the service before you commit to onboarding all devices in your network. > [!IMPORTANT]
-> The script described in this article is recommended for manually onbooarding devices to Defender for Endpoint. It should only be used on a limited number of devices. If you're deploying to a production environment, see [other deployment options](configure-endpoints.md), such as Intune, Group Policy, or Configuration Manager.
+> The script described in this article is recommended for manually onboarding devices to Defender for Endpoint. It should only be used on a limited number of devices. If you're deploying to a production environment, see [other deployment options](configure-endpoints.md), such as Intune, Group Policy, or Configuration Manager.
Check out [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md) to see the various paths in deploying Defender for Endpoint.
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
- tier2 - mde-ngp search.appverid: met150 Previously updated : 07/18/2023 Last updated : 03/19/2024
-# Configure exclusions for files opened by processes
+# Configure exclusions for files opened by processes
+ **Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
See [Important points about exclusions](configure-exclusions-microsoft-defender-
This article describes how to configure exclusion lists.
-## Examples of exclusions
+## Examples of process exclusions
|Exclusion|Example| |||
You can [configure how locally and globally defined exclusions lists are merged]
> [!NOTE] > **Network Protection** and **Attack surface reduction rules** are directly impacted by process exclusions on all platforms, meaning that a process exclusion on any OS (Windows, MacOS, Linux) will result in Network Protection or ASR being unable to inspect traffic or enforce rules for that specific process.
+### Image name vs full path for process exclusions
+
+Two different types of process exclusions may be set. A process may be excluded by image name, or by full path. The image name is simply the file name of the process, without the path.
+
+For example, given the process `MyProcess.exe` running from `C:\MyFolder\` the full path to this process would be `C:\MyFolder\MyProcess.exe` and the image name is `MyProcess.exe`.
+
+Image name exclusions are much more broad - an exclusion on `MyProcess.exe` will exclude any processes with this image name, regardless of the path they are run from. So for example, if the process `MyProcess.exe` is excluded by image name, it will also be excluded if it is run from `C:\MyOtherFolder`, from removable media, et cetera. As such it is recommended that whenever possible, the full path is used.
+
+### Use wildcards in the process exclusion list
+
+The use of wildcards in the process exclusion list is different from their use in other exclusion lists. When the process exclusion is defined as an image name only, wildcard usage is not allowed. However when a full path is used, wildcards are supported and the wildcard behavior behaves as described in [File and Folder Exclusions](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+
+The use of environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list is also supported. Details and a full list of supported environment variables are described in [File and Folder Exclusions](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
+
+The following table describes how the wildcards can be used in the process exclusion list, when a path is supplied:
+
+|Wildcard|Example use|Example matches|
+||||
+|`*` (asterisk) <p> Replaces any number of characters.|`C:\MyFolder\*`|Any file opened by `C:\MyFolder\MyProcess.exe` or `C:\MyFolder\AnotherProcess.exe`|
+| |`C:\*\*\MyProcess.exe`|Any file opened by `C:\MyFolder1\MyFolder2\MyProcess.exe` or `C:\MyFolder3\MyFolder4\MyProcess.exe`|
+| |`C:\*\MyFolder\My*.exe`|Any file opened by `C:\MyOtherFolder\MyFolder\MyProcess.exe` or `C:\AnotherFolder\MyFolder\MyOtherProcess.exe`|
+|'?' (question mark) <p> Replaces one character. |`C:\MyFolder\MyProcess??.exe`|Any file opened by `C:\MyFolder\MyProcess42.exe` or `C:\MyFolder\MyProcessAA.exe` or `C:\MyFolder\MyProcessF5.exe`|
+| Envionment Variables |`%ALLUSERSPROFILE%\MyFolder\MyProcess.exe`|Any file opened by `C:\ProgramData\MyFolder\MyProcess.exe`|
+
+### Contextual Process Exclusions
+
+Note that a process exclusion may also be defined via a [Contextual exclusion](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md) allowing for example a specific file to be excluded only if it is opened by a specific process.
+ ## Configure the list of exclusions for files opened by specified processes ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](/powershell/module/defender).
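Review bot: the new wildcard table has a typo and inconsistent formatting: the last row reads `Envionment Variables` (should be `Environment variables`), and the `?` row wraps the wildcard in single quotes (`'?' (question mark)`) where the `*` row uses backticks; use backticks in both rows. The sentence ending `...behaves as described in [File and Folder Exclusions](configure-extension-file-exclusions-microsoft-defender-antivirus.md)` is missing its terminal period, and in the image-name paragraph `much more broad` should be `much broader` and `et cetera` should be `and so on`. Also `Note that a process exclusion may also be defined via a [Contextual exclusion]...` opens with `Note that`, which the docs style avoids outside `[!NOTE]` callouts; start at `A process exclusion may also be defined...`.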
-### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
+## Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts i
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
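Review bot: `Windows Management Instruction (WMI)` in this heading should read `Windows Management Instrumentation (WMI)`, and promoting the heading from `###` to `##` moves the WMI method out of the `## Configure the list of exclusions for files opened by specified processes` section that the Intune and PowerShell subsections sit under; keep it at `###` so all configuration methods stay at the same level.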
-### Use the Windows Security app to exclude files that have been opened by specified processes from scans
-
-See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md) for instructions.
-
-## Use wildcards in the process exclusion list
+## Use the Windows Security app to exclude files that have been opened by specified processes from scans
-The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
-
-In particular, you can't use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list.
-
-The following table describes how the wildcards can be used in the process exclusion list:
-
-|Wildcard|Example use|Example matches|
-||||
-|`*` (asterisk) <p> Replaces any number of characters|`C:\MyData\*`|Any file opened by `C:\MyData\file.exe`|
-|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated|`%ALLUSERSPROFILE%\CustomLogFiles\file.exe`|Any file opened by `C:\ProgramData\CustomLogFiles\file.exe`|
+Follow the instructions in [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md).
## Review the list of exclusions
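Review bot: same heading-level issue for `## Use the Windows Security app to exclude files that have been opened by specified processes from scans`: it should stay `###` alongside the Intune, PowerShell and WMI methods. Removing the old `## Use wildcards in the process exclusion list` section is fine now that the wildcard guidance lives under the examples, but the guidance changes substantively: the removed text said the `?` wildcard can't be used and `*` may only appear at the end of a complete path, while the new section says full-path exclusions support wildcards as in file and folder exclusions (with `?` and mid-path `*` examples in the new table). Confirm this reflects current engine behavior on every platform before merging, because a broader-than-intended process exclusion means every file that process opens is skipped by scanning and, per the `[!NOTE]` above, is also invisible to Network Protection and ASR rules.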
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
Last updated 02/27/2024
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-enablesiem-abovefoldlink)
+ > [!IMPORTANT]
+ > As Microsoft continues to evaluate the value of the features and services to provide, Microsoft has made the decision to retire the Defender Evaluation Lab.
+ > This change will rollout in mid-January 2024 and expect to complete by late January 2024.
+ Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
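Review bot: the added IMPORTANT callout needs grammar and tense fixes: `This change will rollout in mid-January 2024 and expect to complete by late January 2024` should be `This change rolled out in mid-January 2024 and was expected to complete by late January 2024` (or similar), since the article's `Last updated 02/27/2024` is already past that window, and `rollout` as a verb is `roll out`. The paragraph that follows still presents the evaluation lab as currently available (`is designed to eliminate the complexities...`), which contradicts the retirement notice; reword it in the past tense or trim it so readers don't look for a feature that no longer exists.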
security Fix Unhealthy Sensors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md
search.appverid: met150
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-fixsensor-abovefoldlink)
-Devices can be categorized as misconfigured or inactive are flagged for varying causes. This section provides some explanations as to what might have caused a device to be categorized as inactive or misconfigured.
+Devices can be categorized as misconfigured or inactive are flagged for different reasons. This article provides information about why a device might be categorized as inactive or misconfigured.
## Inactive devices
An inactive device isn't necessarily flagged because of an issue. The following
- Device isn't in use - Device was reinstalled or renamed-- Device was offboarded
+- Device was off-boarded
- Device isn't sending signals
Any device that isn't in use for more than seven days retains 'Inactive' status
### Device was reinstalled or renamed A new device entity is generated in Microsoft Defender XDR for reinstalled or renamed devices. The previous device entity remains, with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.
-### Device was offboarded
-If the device was offboarded, it still appears in devices list. After seven days, the device health state should change to inactive.
+### Device was off-boarded
+If the device was off-boarded, it still appears in devices list. After seven days, the device health state should change to inactive.
### Device isn't sending signals If the device isn't sending any signals to any Microsoft Defender for Endpoint channels for more than seven days for any reason, a device can be considered inactive; this includes conditions that fall under misconfigured devices classification.
Follow theses actions to correct known issues related to a misconfigured device
If the devices aren't reporting correctly, you should verify that the Windows diagnostic data service is set to automatically start. Also verify that the Windows diagnostic data service is running on the endpoint. - [Ensure that Microsoft Defender Antivirus isn't disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)</br>
-If your devices are running a third-party antimalware client, Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled.
+If your devices are running a third-party anti-malware client, Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch anti-malware (ELAM) driver is enabled.
+
+- For macOS devices that 'sleep' for more than approximately 48 hours (a weekend), Microsoft Defender for Endpoint on macOS still sends Command and Control (CnC) channel data, but doesn't send any Cyber channel data. After the devices are turned on and used on the first business day, the devices will show up as active.
If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
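Review bot: the rewritten opening sentence is still ungrammatical: `Devices can be categorized as misconfigured or inactive are flagged for different reasons` should read `Devices that are categorized as misconfigured or inactive are flagged for different reasons`. The spelling change to `off-boarded` (heading and body) is inconsistent with the rest of this docs set, which uses `offboarded`/`offboarding` (see the Mac license article further down: `offboarded and reonboarded`, `offboarding script`), and `Early Launch anti-malware (ELAM)` renames a Windows feature whose name is `Early Launch Antimalware`; revert both spellings. `it still appears in devices list` is missing `the`. The new bullet about macOS devices that sleep for more than 48 hours describes a cause of inactivity (the device reports as active again on the next business day), not a misconfiguration, so it belongs under `## Inactive devices` / `### Device isn't sending signals`, not appended after the ELAM paragraph in the misconfigured-device list.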
security Linux Support Ebpf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-ebpf.md
You can also update the mdatp_managed.json file:
Refer to the link for detailed sample json file - [Set preferences for Microsoft Defender for Endpoint on Linux.](linux-preferences.md) > [!IMPORTANT] > If you disable eBPF, the supplementary event provider switches back to auditd.
-> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules.
+> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. You can also check the status of eBPF (enabled/disabled) on your linux endpoints using the advanced hunting query on the Security Portal. Steps are as follows-
+
+1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in.
+
+2. In the navigation pane, go to **Hunting** > **Advanced hunting**.
+
+3. Under **Advanced hunting**, go to **Defender Vulnerability Management**.
+
+4. Run the following query: `DeviceTvmInfoGathering`.
+
+5. In the output, in the **Additional fields** column, select **Show more**, and then look for **EBPF STATUS: true**.
## Immutable mode of Auditd
The output of above command should show no rules or any user added rules. In cas
### Troubleshooting and Diagnostics
-You can check the agent health status by running the **mdatp** health command. Make sure that the eBPF sensor for Defender for Endpoint on Linux is supported by checking the current kernel version by using the following command line:
+You can check the agent health status by running the `mdatp` health command. Make sure that the eBPF sensor for Defender for Endpoint on Linux is supported by checking the current kernel version by using the following command line:
```bash uname -a
uname -a
#### Known Issues
-1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue you can take one of the following steps:
+1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue, you can take one of the following steps:
- Use a distro version higher than RHEL 8.1.
- - Switch to auditd mode if you need to use RHEL 8.1 version
+ - Switch to auditd mode if you need to use RHEL 8.1 version.
-2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue you can take one of the following steps:
+2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue, you can take one of the following steps:
- - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. Note that the minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4
+ - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. Note that the minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
- Switch to auditd mode if you need to use the same kernel version ```bash
If you see a hike in resource consumption by Microsoft Defender on your endpoint
```Bash sudo mdatp diagnostic ebpf-statistics ```+ ```Output Output Monitor 20 seconds
Top syscall ids:
90 : 10 87 : 3 ```
-In the above output, you can see that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you'll have more control to apply such exclusions at your end.
+
+In the above output, you can see that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you have more control to apply such exclusions at your end.
Exclusions applied to auditd can't be migrated or copied to eBPF. Common concerns such as noisy logs, kernel panic, noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied.
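Review bot: the advanced hunting steps were appended inside the `> [!IMPORTANT]` blockquote (the sentence `You can also check the status of eBPF ... Steps are as follows-` sits on the `>` line) while the numbered list that follows is not quoted, so the steps render detached from the sentence introducing them; move the sentence out of the callout into its own paragraph, end it with a colon instead of `as follows-`, and capitalize `Linux`. The troubleshooting paragraph's tense change is wrong: `In future as part of upcoming enhancements, you have more control` should stay `you'll have more control` because it is a forward-looking statement; `generating large number of events` needs `a`, and `result into performance issues` should be `result in`. Separately, that paragraph says stress-ng is `generating the system call with ID 82`, but the sample `Top syscall ids` output above lists ids 90 and 87, so either the sample output or the ID in the prose needs correcting.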
security Linux Support Offline Security Intelligence Update https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-offline-security-intelligence-update.md
Last updated 03/12/2024
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-This document describes the *Offline Security Intelligence Update* feature of Microsoft Defender for Endpoint on Linux.
+This document describes the Offline Security Intelligence Update feature of Microsoft Defender for Endpoint on Linux.
-This feature enables organizations to download *security intelligence* (also referred to as definitions or signatures in this document) on Linux endpoints that aren't exposed to the internet via a local hosting server (termed as *Mirror Server* in this document).
+This feature enables an organization to update the security intelligence (also referred to as definitions or signatures in this document) on Linux endpoints with limited or no exposure to the internet using a local hosting server (termed as *Mirror Server* in this document).
-The Mirror Server is any server in the customer's environment that can connect to the Microsoft cloud to download the signatures. Other Linux endpoints pull the signatures from the Mirror Server at a predefined interval.
+Mirror Server is any server in the customer's environment that can connect to the Microsoft cloud to download the signatures. Other Linux endpoints pull the signatures from the Mirror Server at a predefined interval.
Key benefits include: -- Customers who have server environments that aren't exposed to the internet can now benefit by being able to download and enable the latest security intelligence updates in a controlled manner.--- Control and manage the frequency of signature downloads on the local server.--- Control and manage the frequency at which endpoints pull the signatures from the local server.--- Test the downloaded signatures on a test device before propagating it to the entire fleet, providing greater security and control.--- Now, on behalf of your entire fleet, only one local server polls the Microsoft cloud to get the latest signatures. This action helps reduce network bandwidth.-
+- Ability to control and manage the frequency of signature downloads on the local server & the frequency at which endpoints pull the signatures from the local server.
+- Adds an extra layer of protection & control as the downloaded signatures can be tested on a test device before being propagated to the entire fleet.
+- Reduces network bandwidth as now only one local server will poll MS cloud to get the latest signatures on behalf of your entire fleet.
- Local server can run any of the three OS - Windows, Mac, Linux, and isn't required to install Defender for Endpoint.--- Signatures are always downloaded along with the latest compatible AV engine. Thus, keeping AV engine + signatures updated after every cycle.-
+- Provides the most up to date antivirus protection as signatures are always downloaded along with the latest compatible AV engine.
- In each iteration, signature with n-1 version is moved to a backup folder on the local server. If there's any issue with the latest signature, you can pull the n-1 signature version from the backup folder to your endpoints.--- If the offline update fails, you can also choose to fall back to online update directly from the Microsoft cloud.
+- On the rare occasion the offline update fails, you can also choose to fallback to online updates from Microsoft cloud(traditional method).
## How Offline Security Intelligence Update works -- Organizations need to set up a Mirror Server, which is a local Web/NFS server that is reachable to the Microsoft cloud. Your organization is responsible for the management and maintenance of the Mirror Server.
+- Organizations need to set up a Mirror Server, which is a local Web/NFS server that is reachable by the Microsoft cloud.
- Signatures are downloaded from Microsoft Cloud on this Mirror Server by executing a script using cron job/task scheduler on the local server. - Linux endpoints running Defender for Endpoint pull the downloaded signatures from this Mirror Server at a user-defined time interval. - Signatures pulled on the Linux endpoints from the local server are first verified before loading it into the AV engine. - To trigger and configure the update process, update the managed config json file on the Linux endpoints. - The status of the update can be seen on the mdatp CLI.-- + :::image type="content" source="./media/offline-update-diag-1.png" alt-text="Process flow diagram on the Mirror Server for downloading the security intelligence updates" lightbox="./media/offline-update-diag-2.png"::: Fig. 1: Process flow diagram on the Mirror Server for downloading the security intelligence updates
Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd
- The Mirror Server needs to have access to the following URLs: - https://github.com/microsoft/mdatp-xplat.git - https://go.microsoft.com/fwlink/?linkid=2144709 -- The following operating systems are supported for the Mirror Server:
+- The following operating systems are supported on the Mirror Server:
- Linux (Any Flavor) - Windows (Any Version) - Mac (Any version)
Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd
- The Linux endpoint must be running any of the Defender for Endpoint supported distributions. - ## Configuring the Mirror Server > [!NOTE]
-> The management and ownership of the Mirror Server lies solely with the customer as it resides in the customer's private environment. The Mirror Server's management and maintenance ownership lies with the customers since the Mirror Server resides in the customer's private environment and Microsoft will have no visibility into it.
+> The management and ownership of the Mirror Server lies solely with the customer as it resides in the customer's private environment.
> [!NOTE] > The Mirror Server does not need to have Defender for Endpoint installed.
Follow these steps to get the downloader script:
- Extract the zip. > [!NOTE]
-> Schedule a [cron job](#scheduling-a-cron-job) to keep the repo / the downloaded zip file updated to the latest version at regular intervals.
+> Schedule a [cron job](#scheduling-a-cron-job) to keep the repo/downloaded zip file updated to the latest version at regular intervals.
-After cloning the repo / downloading the zip file, the local directory structure should be as follows:
+After cloning the repo/downloaded zip file, the local directory structure should be as follows:
``` user@vm:~/mdatp-xplat$ tree linux/definition_downloader/
Once the Mirror Server is set up, we need to propagate this URL to the Linux end
### Verify the configuration
-Once the Mirror Server and the Linux endpoints are configured, to test if the settings are applied correctly on the Linux endpoints, run the following command:
+ To test if the settings are applied correctly on the Linux endpoints, run the following command:
``` mdatp health --details definitions ```
-and verify the updated fields according to the managed json. For example, a sample output would look like:
+For example, a sample output would look like:
``` user@vm:~$ mdatp health --details definitions
definitions_update_source_uri : "https://go.microsoft.com/fwlink/?
definitions_update_fail_reason : "" offline_definition_url_configured : "http://172.22.199.67:8000/linux/production/" [managed] offline_definition_update : "enabled" [managed]
-offline_definition_update_verify_sig : "disabled"
-offline_definition_update_fallback_to_cloud : false
+offline_definition_update_verify_sig : "enabled"
+offline_definition_update_fallback_to_cloud : false[managed]
``` ## Triggering the Offline Security Intelligence Updates ### Automatic update-- If the `automaticDefinitionUpdateEnabled` field is set to true in the managed json, then the offline security intelligence updates are triggered automatically at periodic intervals.-- By default, this periodic interval is every 8 hours. But it can be configured by setting the `definitionUpdatesInterval` in the managed json to the desired interval.
+- If the fields `automaticDefinitionUpdateEnabled` and 'offline_definition_update' in the managed json are set to true, then the offline security intelligence updates are triggered automatically at periodic intervals.
+- By default, this periodic interval is 8 hours. But it can be configured by setting the `definitionUpdatesInterval` in the managed json.
### Manual update - In order to trigger the offline security intelligence update manually to download the signatures from the Mirror Server on the Linux endpoints, run the command:
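Review bot: `a local Web/NFS server that is reachable by the Microsoft cloud` reverses the connection direction: per the Mirror Server definition above (`can connect to the Microsoft cloud to download the signatures`) and the URL list, the server makes outbound requests to Microsoft and needs no inbound reachability from the cloud; write `that can reach the Microsoft cloud` so readers don't open inbound access. In the benefits list, `choose to fallback to online updates from Microsoft cloud(traditional method)` needs `fall back` as a verb and a space before the parenthesis, `MS cloud` should be `Microsoft cloud`, and the `&` in two bullets should be `and`. `After cloning the repo/downloaded zip file` should be `After cloning the repo or extracting the zip file`. In the sample `mdatp health --details definitions` output, `offline_definition_update_fallback_to_cloud : false[managed]` is missing the space before `[managed]`. In the automatic-update bullet, `'offline_definition_update'` is in single quotes rather than backticks and looks like the `mdatp health` field name rather than a managed json key (the neighbouring key `automaticDefinitionUpdateEnabled` is camelCase); confirm the actual key and its value, since the health output reports this setting as `"enabled"`, not `true`.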
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
Here are the properties you can use when you create the group and policy.
> > You can also use the scripts at [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy/scripts at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/scripts) to translate Windows Device Control policy to macOS Device Control policy or translate macOS Device Control V1 policy to this V2 policy.
+>[!WARNING]
+>In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.
+ ### Settings | Property name | Description | Options |
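Review bot: `Defender for Endpoint device controls ability` needs the possessive, `device control's ability`. The mitigation `use a version of macOS less than 14.3.1` pins users to an older OS, which also means forgoing the OS security updates shipped in 14.3.1 and later; the warning should state whether releases after 14.3.1 are affected too and acknowledge the trade-off (or point to the expected fix), so admins can weigh Bluetooth device control against OS patch currency rather than reading this as an unconditional recommendation.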
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
search.appverid: met150 Previously updated : 12/07/2023 Last updated : 03/19/2024 # Troubleshoot license issues for Microsoft Defender for Endpoint on macOS
Select the **x** symbol.
### Message
-When you select the **x** symbol, you'll see options as shown in the following screenshot:
+When you select the **x** symbol, you see options as shown in the following screenshot:
-When you select **Action needed**, you'll get the error message as shown in the following screenshot:
+When you select **Action needed**, you get the error message as shown in the following screenshot:
:::image type="content" source="images/license-not-found-message.png" alt-text="Screenshot of the page displaying the No license found message and its description.":::
-You'll encounter this message in a different way: If you're using the terminal to enter **mdatp health** without the double quotes, the message as shown in the following screenshot is displayed:
+You encounter this message in a different way: If you're using the terminal to enter **mdatp health** without the double quotes, the message as shown in the following screenshot is displayed:
:::image type="content" source="images/no-license-found-warning.png" alt-text="Screenshot of the product page on which the No license found warning message is displayed."::: ### Cause
-1. You've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#step-14-download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [For not running the configuration script](#for-not-running-the-configuration-script).
+- You can encounter an error if you've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but you might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#step-14-download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [If you didn't run the configuration script](#if-you-did-not-run-the-configuration-script).
-1. You can also encounter this error message when the Microsoft Defender for Endpoint on macOS agent isn't up to date. For information on troubleshooting in this scenario, see [For Microsoft Defender for Endpoint on macOS not being up to date](#for-microsoft-defender-for-endpoint-on-macos-not-being-up-to-date).
+- You can encounter an error message when the Microsoft Defender for Endpoint on macOS agent isn't up to date. For information on troubleshooting in this scenario, see [If Microsoft Defender for Endpoint on macOS isn't up to date](#if-microsoft-defender-for-endpoint-on-macos-is-not-up-to-date).
-1. You can also encounter this error message if you haven't assigned a license to the user. For information on troubleshooting in this scenario, see [For not assigning a license to the user](#for-not-assigning-a-license-to-the-user).
+- You can encounter an error message if you offboarded and reonboarded Mac from Microsoft Defender for Endpoint on macOS.
+
+- You can encounter an error message if a license isn't assigned to a user. For information on troubleshooting in this scenario, see [If a license isn't assigned to a user](#if-a-license-is-not-assigned-to-a-user).
### Solutions
-#### For not running the configuration script
+#### If you did not run the configuration script
-This section describes the troubleshooting measures when the error/warning message is caused by non-execution of the configuration script that contains the license settings after you have deployed and/or installed the Microsoft Defender for Endpoint on macOS package.
+This section describes the troubleshooting measures when the error/warning message is caused by nonexecution of the configuration script. The script contains the license settings when the Microsoft Defender for Endpoint on macOS package is installed and deployed.
Depending on the deployment management tool used, follow the tool-specific instructions to onboard the package (register the license) as described in the following table:
Depending on the deployment management tool used, follow the tool-specific instr
> [!NOTE] > If the onboarding package runs correctly, the licensing information will be located in `/Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist`.
-#### For Microsoft Defender for Endpoint on macOS not being up to date
+#### If Microsoft Defender for Endpoint on macOS is not up to date
-For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, you'll need to [update](mac-updates.md) the agent.
+For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, you need to [update](mac-updates.md) the agent.
-#### For not assigning a license to the user
+#### If Microsoft Defender for Endpoint on macOS has been offboarded
-1. In the Microsoft Defender portal (security.microsoft.com):
- 1. Select **Settings**. The **Settings** screen appears.
- 1. Select **Endpoints**.
-
- :::image type="content" source="media/endpoints-option-on-settings-screen.png" alt-text="Screenshot of the Settings screen on which the Endpoints option is listed." lightbox="media/endpoints-option-on-settings-screen.png":::
+When the offboarding script is executed on the macOS, it saves a file in `/Library/Application Support/Microsoft/Defender/` and it's named `com.microsoft.wdav.atp.offboarding.plist`.
+
+If the file exists, it will prevent the macOS from being onboarded again. Delete the **com.microsoft.wdav.atp.offboarding.plist** running the onboarding script again.
+
+#### If a license is not assigned to a user
+
+1. In the Microsoft Defender portal (security.microsoft.com), select **Settings**, and then select **Endpoints**.
+
+ :::image type="content" source="media/endpoints-option-on-settings-screen.png" alt-text="Screenshot of the Settings screen on which the Endpoints option is listed." lightbox="media/endpoints-option-on-settings-screen.png":::
- The **Endpoints** screen appears.
-
- :::image type="content" source="media/endpoints-screen.png" alt-text="Screenshot of the Endpoints page." lightbox="media/endpoints-screen.png":::
+2. Select **Licenses**.
- 1. Select **Licenses**.
-
- :::image type="content" source="images/selecting-licenses-option-from-endpoints-screen.png" alt-text="Screenshot of the Endpoints page from which the Licenses options can be selected." lightbox="images/selecting-licenses-option-from-endpoints-screen.png":::
+ :::image type="content" source="images/selecting-licenses-option-from-endpoints-screen.png" alt-text="Screenshot of the Endpoints page from which the Licenses options can be selected." lightbox="images/selecting-licenses-option-from-endpoints-screen.png":::
- 1. Select **View and purchase licenses in the Microsoft 365 admin center**. The following screen in the Microsoft 365 admin center portal appears:
+3. Select **View and purchase licenses in the Microsoft 365 admin center**. The following screen in the Microsoft 365 admin center portal appears:
+
+ :::image type="content" source="images/m365-admin-center-purchase-assign-licenses.png" alt-text="Screenshot of the Microsoft 365 admin center portal page from which licenses can be purchased and assigned." lightbox="images/m365-admin-center-purchase-assign-licenses.png":::
- :::image type="content" source="images/m365-admin-center-purchase-assign-licenses.png" alt-text="Screenshot of the Microsoft 365 admin center portal page from which licenses can be purchased and assigned." lightbox="images/m365-admin-center-purchase-assign-licenses.png":::
+4. Check the checkbox of the license you want to purchase from Microsoft, and select it. The screen displaying detail of the chosen license appears:
- 1. Check the checkbox of the license you want to purchase from Microsoft, and select it. The screen displaying detail of the chosen license appears:
-
- :::image type="content" source="images/resultant-screen-of-selecting-preferred-license.png" alt-text="Screenshot of the product page from which you can select the option of assigning the purchased license.":::
+ :::image type="content" source="images/resultant-screen-of-selecting-preferred-license.png" alt-text="Screenshot of the product page from which you can select the option of assigning the purchased license.":::
- 1. Select the **Assign licenses** link.
+5. Select the **Assign licenses** link.
- :::image type="content" source="media/assign-licenses-link.png" alt-text="Screenshot of the product page from which you can select the Assign licenses link.":::
+ :::image type="content" source="media/assign-licenses-link.png" alt-text="Screenshot of the product page from which you can select the Assign licenses link.":::
- The following screen appears:
+ The following screen appears:
- :::image type="content" source="images/screen-containing-option-to-assign-licenses.png" alt-text="Screenshot of the page containing the + Assign licenses option." lightbox="images/screen-containing-option-to-assign-licenses.png":::
+ :::image type="content" source="images/screen-containing-option-to-assign-licenses.png" alt-text="Screenshot of the page containing the + Assign licenses option." lightbox="images/screen-containing-option-to-assign-licenses.png":::
- 1. Select **+ Assign licenses**.
- 1. Enter the name or email address of the person to whom you want to assign this license.
-
- The following screen appears, displaying the details of the chosen license assignee and a list of options.
+6. Select **+ Assign licenses**.
- :::image type="content" source="media/assignee-details-and-options.png" alt-text="Screenshot of the page displaying the assignee's details and a list of options.":::
+7. Enter the name or email address of the person to whom you want to assign this license. The following screen appears, displaying the details of the chosen license assignee and a list of options.
+
+ :::image type="content" source="media/assignee-details-and-options.png" alt-text="Screenshot of the page displaying the assignee's details and a list of options.":::
- 1. Check the checkboxes for **Microsoft 365 Advanced Auditing**, **Microsoft Defender XDR**, and **Microsoft Defender for Endpoint**.
- 1. Select **Save**.
+8. Check the checkboxes for **Microsoft 365 Advanced Auditing**, **Microsoft Defender XDR**, and **Microsoft Defender for Endpoint**. Then select **Save**.
On implementing these solution-options (either of them), if the licensing issues have been resolved, and then you run **mdatp health**, you should see the following results:
You can also suppress switching to experience for Individuals on MDM-enrolled ma
- [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md): Learn how to set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro. - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md): Learn how to install, configure, update, and use Microsoft Defender for Endpoint on Mac. - [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](mac-install-with-jamf.md): Learn how to deploy Microsoft Defender for Endpoint on macOS with Jamf Pro.+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
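Review bot: The second sentence under the new "If Microsoft Defender for Endpoint on macOS has been offboarded" heading is missing the word that makes it an order of operations: "Delete the **com.microsoft.wdav.atp.offboarding.plist** running the onboarding script again." Suggest "Delete the **com.microsoft.wdav.atp.offboarding.plist** file before running the onboarding script again." The sentence before it also reads more naturally as "When the offboarding script is run on the Mac, it saves a file named `com.microsoft.wdav.atp.offboarding.plist` in `/Library/Application Support/Microsoft/Defender/`." In the renumbered licensing steps, step 4 ("Check the checkbox of the license you want to purchase from Microsoft, and select it") says the same thing twice; "Select the checkbox of the license you want to purchase" is enough, and step 8 would match if it read "Select the checkboxes for ...". Step 1 shows the portal as bare text "(security.microsoft.com)" where the other articles in this batch link it.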
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
Network protection for macOS is now available for all Mac devices onboarded to D
Apple fixed an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), which is fixed with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.
+In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.
+ **Sonoma support** Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.
Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.
**macOS Deprecation** Microsoft Defender for Endpoint no longer supports Big Sur (11)
+### Mar-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0)
+
+| Build: | **101.24012.0010** |
+|--|--|
+| Release version: | **20.124012.10.0** |
+| Engine version: | **1.1.24020.3** |
+| Signature version: | **1.405.788.0** |
+
+##### What's new
+
+- Bug and performance fixes
+ ### Jan-2024 (Build: 101.23122.0005 | Release version: 20.123122.5.0) | Build: | **101.23122.0005** |
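Review bot: The added "**Sonoma support**" line duplicates the unchanged line directly after it, so "Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release." now appears twice; keep one copy. In the Sonoma 14.3.1 paragraph, "Defender for Endpoint device controls ability" needs the possessive ("device control's ability"), and "use a version of macOS less than 14.3.1" is clearer as "stay on a macOS version earlier than 14.3.1", since the mitigation being recommended is to defer the upgrade rather than to downgrade. The new Mar-2024 entry puts a level-5 heading ("##### What's new") directly under a level-3 heading; check that this matches the depth used by the other release entries.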
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
Title: Report and troubleshoot Microsoft Defender for Endpoint attack surface reduction rules
-description: This article describes how to report and troubleshoot Microsoft Defender for Endpoint attack surface reduction ules
+description: This article describes how to report and troubleshoot Microsoft Defender for Endpoint attack surface reduction rules
ms.localizationpriority: medium audience: ITPro
security Troubleshoot Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-settings.md
+
+ Title: Troubleshoot Microsoft Defender Antivirus settings
+description: Find out where settings for Microsoft Defender Antivirus are coming from.
++++++ Last updated : 03/19/2024+
+ms.localizationpriority: medium
++
+search.appverid: MET150
+f1.keywords: NOCSH
+audience: ITPro
++
+# Troubleshoot Microsoft Defender Antivirus settings
+
+**Applies to:**
+
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint Plan 1 and 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
+- Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus provides numerous ways to manage the product, which provides small and medium-sized businesses and enterprise organizations with flexibility by working with the management tools that they already have.
+
+- Microsoft Defender for Endpoint security settings management
+- Microsoft Intune (MDM)
+- Microsoft Configuration Manager with Tenant Attach
+- Microsoft Configuration Manager co-management
+- Microsoft Configuration Manager (standalone)
+- Group Policy (GPO)
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Registry
+
+> [!TIP]
+> For best results, use one method of managing Microsoft Defender Antivirus.
+
+## Troubleshooting Microsoft Defender Antivirus settings
+
+Suppose that migrating from a non-Microsoft antivirus product, and when you try enabling Microsoft Defender Antivirus, it won't start. Most likely, you're experiencing a policy conflict. You can narrow down the issue by checking this registry key: `DisableAntispyware` (dword) 1 (hex) is set.
+
+To remove policy conflicts, here's our current, recommended process:
+
+1. Understand the order of precedence.
+2. Determine where Microsoft Defender Antivirus settings are configured.
+3. Identify policies and settings.
+4. Work with your security team to remove or revise conflicting policies.
+
+## Step 1: Understand the order of precedence
+
+When policies and settings are configured in multiple tools, in general, here's the order of precedence:
+
+1. Group Policy (GPO)
+2. Microsoft Configuration Manager co-management
+3. Microsoft Configuration Manager (standalone)
+4. Microsoft Intune (MDM)
+5. Microsoft Configuration Manager with Tenant Attach
+6. PowerShell ([Set-MpPreference](/powershell/module/defender/set-mppreference)), [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md), or [Windows Management Instrumentation](use-wmi-microsoft-defender-antivirus.md) (WMI).
+
+> [!WARNING]
+> [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) is a Policy CSP setting that does not apply for all settings, such as [attack surface reduction rules](attack-surface-reduction-rules-reference.md) (ASR rules) in Windows 10.
+ 
+## Step 2: Determine where Microsoft Defender Antivirus settings are configured
+
+Find out whether Microsoft Defender Antivirus settings are coming through a policy, MDM, or a local setting. The following table describes policies, settings, and relevant tools.
+
+|Policy or setting| Registry location | Tools|
+| -- | -- | -- |
+|Policy| `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`|- Microsoft Configuration Manager co-management<br/>- Microsoft Configuration Manager<br/>- GPO|
+|MDM|`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager` |- Microsoft Intune (MDM)<br/>- Microsoft Configuration Manager with Tenant Attach|
+|Local setting|`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender`|- MpCmdRun.exe<br/>- PowerShell (Set-MpPreference)<br/>- Windows Management Instrumentation (WMI)|
+
+## Step 3: Identify policies or settings
+
+The following table describes how to identify policies and settings.
+
+|Method used | What to check |
+| -- | -- |
+|Policy| - If you're using GPO: Select **Start**, open Command Prompt as an administrator, and then run the command `GpResult.exe /h C:\temp\GpResult_output.html`. <br/>- If you're using Microsoft Configuration Manager co-management or Microsoft Configuration Manager (standalone), go to `C:\Windows\CCM\Logs`.|
+|MDM | If you're using Intune, on your device, select Start, open Command Prompt as an administrator, and then run the command `mdmdiagnosticstool.exe -zip "c:\temp\MDMDiagReport.zip"`. For more details, see [Collect MDM logs - Windows Client Management](/windows/client-management/mdm-collect-logs). |
+|Local setting | Determine whether the policy or setting was deployed during the imaging (sysprep), via PowerShell (for example, Set-MpPreference), Windows Management Instrumentation (WMI), or through a direct modification to the registry.|
+
+## Step 4: Remove or revise conflicting policies
+
+Once you have identified the conflicting policy, work with your security administrators to change device targeting so that devices receive the correct Microsoft Defender Antivirus settings.
++
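Review bot: The first sentence of "Troubleshooting Microsoft Defender Antivirus settings" is ungrammatical and the registry check that follows it is incomplete. "Suppose that migrating from a non-Microsoft antivirus product, and when you try enabling Microsoft Defender Antivirus, it won't start" should read "Suppose you're migrating from a non-Microsoft antivirus product, and when you try to enable Microsoft Defender Antivirus, it won't start." "You can narrow down the issue by checking this registry key: `DisableAntispyware` (dword) 1 (hex) is set" names a value but not the key it lives under; state the full path (presumably the policy location from the Step 2 table, `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, since a value there is what signals a policy conflict) and phrase it as "check whether the `DisableAntispyware` DWORD value under that key is set to 1". The Step 1 warning uses "does not apply" where the rest of the article uses contractions, and the line after it contains only a non-breaking space where a blank line is intended. In the Step 3 table, the Policy row has "Select **Start**" in bold while the MDM row has "select Start" unbolded; pick one.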
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
You can find identity information in the following views:
- Advanced hunting queries - Action center
-A clickable identity link is available in these views that will take you to the **User** page where more details about the user are shown. For example, you can see the details of user accounts identified in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts** \> ***incident*** \> **Users**.
+A clickable identity link is available in these views that will take you to the **User** page where more details about the user are shown. For example, you can see the details of user accounts identified in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts** \> ***incident*** \> **Assets** > **Users**.
When you investigate a specific identity, you'll see the: - [Overview](#overview), including identity details, incident and alerts visual view, investigation priority, and scored timeline-- [Active Alerts](#alerts) tab
+- [Incidents and alerts](#incidents-and-alerts) tab
- [Observed in organization](#observed-in-organization) tab - [Identity timeline](#timeline) tab - [Remediation actions](#remediation-actions) > [!NOTE] > The user page shows the Microsoft Entra organization as well as groups, helping you understand the groups and permissions associated with a user.
For more information, see [Defender for Identity entity tags in Microsoft Defend
> [!NOTE] > The organization tree section and the account tags are available when a Microsoft Defender for Identity license is available.
-## Alerts
+## Incidents and alerts
-You can see all active alerts involving the user from the last 180 days in this tab. Information like alert severity and the time the alert was generated is available in this tab. Clicking on the alert row shows you additional information about the alert.
+You can see all active incidents and alerts involving the user from the last 180 days in this tab. Information like alert severity and the time the alert was generated is available in this tab. Select the alert row to view more details about the alert.
## Observed in organization
The map provides a list of other devices or users an attacker can take advantage
The lateral movement path report, which can be viewed by date, is always available to provide information about the potential lateral movement paths discovered and can be customized by time. Select a different date using **View a different date** to view previous lateral movement paths found for an entity. The graph only displays if a potential lateral movement path has been found for an entity in the past two days. ## Timeline
From the Overview page, you can do these additional actions:
- Reset investigation priority score for the user - View Microsoft Entra account settings, related governance, the user's owned files, or the user's shared files For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
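Review bot: In the updated navigation path "**Incidents & alerts** \> ***incident*** \> **Assets** > **Users**", the last separator is a bare ">" while the others are escaped as "\>"; escape it too so the path renders consistently. In the renamed "Incidents and alerts" section, the first sentence now promises "active incidents and alerts" but the rest of the paragraph still describes only alert fields (severity, time generated, alert row); either mention what incident information the tab shows or keep the lead sentence scoped to alerts.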
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
adobe-target: true Last updated 03/08/2024
-appliesto: ✅ Microsoft Defender XDR
+appliesto:
+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
security Microsoft Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score.md
Secure Score helps organizations:
Watch this video for a quick overview of Secure score. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWUPrP]
-Organizations gain access to robust visualizations of metrics and trends, integration with other Microsoft products, score comparison with similar organizations, and much more. The score can also reflect when third-party solutions have addressed recommended actions.
+Organizations gain access to robust visualizations of metrics and trends, integration with other Microsoft products, score comparison with similar organizations, and much more. The score can also reflect when non-Microsoft solutions addressed recommended actions.
-
-> [!NOTE]
-> Currently, the Microsoft Entra related Microsoft Secure Score recommendations are not available for customer tenants registered in the following Microsoft Entra regions:
-Japan, Australia, New Zealand, Fiji, Canada, United Kingdom, South Korea, France, United Arab Emirates, South America, Switzerland, Liechtenstein, Norway, Germany, Brazil, Sweden, and Qatar.
## How it works
You're given points for the following actions:
- Configuring recommended security features - Doing security-related tasks-- Addressing the recommended action with a third-party application or software, or an alternate mitigation
+- Addressing the recommended action with a non-Microsoft application or software, or an alternate mitigation
Some recommended actions only give points when fully completed. Some give partial points if they're completed for some devices or users. If you can't or don't want to enact one of the recommended actions, you can choose to accept the risk or remaining risk.
Your score is updated in real time to reflect the information presented in the v
Each recommended action is worth 10 points or less, and most are scored in a binary fashion. If you implement the recommended action, like create a new policy or turn on a specific setting, you get 100% of the points. For other recommended actions, points are given as a percentage of the total configuration.
-For example, a recommended action states you get 10 points by protecting all your users with multi-factor authentication. You only have 50 of 100 total users protected, so you'd get a partial score of 5 points (50 protected / 100 total * 10 max pts = 5 pts).
+For example, a recommended action states you get 10 points by protecting all your users with multi-factor authentication. You only have 50 of 100 total users protected, so you'd get a partial score of five points (50 protected / 100 total * 10 max pts = 5 pts).
### Products included in Secure Score
Currently there are recommendations for the following products:
- Microsoft Defender for Office - Docusign - Exchange Online-- Github
+- GitHub
- Microsoft Defender for Cloud Apps - Microsoft Information Protection - Microsoft Teams
If you turn on security defaults, you'll be awarded full points for the followin
### Manage permissions with Microsoft Defender XDR Unified role-based access control(RBAC)
-With [Microsoft Defender XDR Unified role-based access control(RBAC)](manage-rbac.md), you can create custom roles with specific permissions for Secure Score. This allows you to control which users have access to Secure Score data, the products for which they will see Secure Score data (for example, Microsoft Defender for Endpoint) and their permission level to the data.
+With [Microsoft Defender XDR Unified role-based access control(RBAC)](manage-rbac.md), you can create custom roles with specific permissions for Secure Score. This allows you to control which users have access to Secure Score data, the products for which they'll see Secure Score data (for example, Microsoft Defender for Endpoint) and their permission level to the data.
You can also manage user permissions to access Secure Score data from additional data sources, such as the other products supported by Secure Score, for more information, see [Products included in Secure Score](#products-included-in-secure-score). You can view the Secure Score data from the additional data sources either alone or alongside the other data sources.
To start using Microsoft Defender XDR Unified RBAC to manage your Secure Score p
### Microsoft Entra global roles permissions
-Microsoft Entra global roles (for example, Global Administrator) can still be used to access Secure Score. Users who have the supported Microsoft Entra global roles, but are not assigned to a custom role in Microsoft Defender XDR Unified RBAC, will continue to have access to view (and manage where permitted) Secure Score data as outlined below:
+Microsoft Entra global roles (for example, Global Administrator) can still be used to access Secure Score. Users who have the supported Microsoft Entra global roles, but aren't assigned to a custom role in Microsoft Defender XDR Unified RBAC, will continue to have access to view (and manage where permitted) Secure Score data as outlined:
The following roles have read and write access and can make changes, directly interact with Secure Score, and can assign read-only access to other users:
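Review bot: The removed NOTE listing Microsoft Entra regions where Entra-related Secure Score recommendations aren't available has no replacement text; the commit should confirm that the limitation has been lifted, otherwise the note should stay. In the RBAC section, "access control(RBAC)" in the heading and in the first sentence of the `+` line is still missing the space before the parenthesis. "as outlined:" at the end of the Microsoft Entra global roles sentence reads as truncated once "below" is dropped; "as follows:" works. The partial-score example now mixes words and figures ("five points (50 protected / 100 total * 10 max pts = 5 pts)"); keeping the numeral "5 points" matches the calculation it sits beside.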
security Mto Tenant Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-tenant-devices.md
Title: Devices in multi-tenant management
-description: Learn about multitenant device view in multitenant management of the Microsoft Defender XDR
+ Title: Devices in multitenant management
+description: Learn about multitenant device view in multitenant management of the Microsoft Defender XDR.
search.appverid: met150
- highpri - tier1 Previously updated : 09/01/2023 Last updated : 03/15/2024
-# Multi-tenant devices
+# Devices
**Applies to:** - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+The **Devices** page in multitenant management enables you to quickly manage tenants and devices.
+ ## Tenant device list
-The Tenants page in multi-tenant management lists each tenant you have access to. Each tenant page includes details such as the number of devices and device types, the number of high value and high exposure devices, and the number of devices available to onboard:
+The Tenants page in multitenant management lists each tenant you have access to. Each tenant page includes details such as the number of devices and device types, the number of high value and high exposure devices, and the number of devices available to onboard:
- :::image type="content" source="../../media/defender/mto-tenant-page.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant device list" lightbox="../../media/defender/mto-tenant-page.png":::
+ :::image type="content" source="../../media/multi-tenant/devices/devices-tenant-view.png" alt-text="Screenshot of the Microsoft Defender XDR tenants list in the Devices page" lightbox="../../media/multi-tenant/devices/devices-tenant-view.png":::
At the top of the page, you can view the number of tenants and the number of devices onboarded or discovered, across all tenants. You can also see the aggregate number of devices identified as:
At the top of the page, you can view the number of tenants and the number of dev
Select a tenant name to navigate to the device inventory for that tenant in the [Microsoft Defender XDR](https://security.microsoft.com/machines) portal where all data and inventory-related actions are available.
-For more information, see [Device inventory](../defender-endpoint/machines-view-overview.md).
+## Device inventory
+
+The Device inventory page lists all the devices in each tenant that you have access to. The page is like the [Defender for Endpoint device inventory](../defender-endpoint/machines-view-overview.md) with the addition of the **Tenant name** column. Moreover, the device inventory page doesn't have the network, IOT, and uncategorized devices tabs.
+
+You can navigate to the device inventory page by selecting **Assets > Devices** in Microsoft Defender XDR's navigation menu.
+
+ :::image type="content" source="../../media/multi-tenant/devices/devices-device-inventory.png" alt-text="Screenshot of the Microsoft Defender XDR Devices page for multitenant management" lightbox="../../media/multi-tenant/devices/devices-device-inventory.png":::
+
+The total number of devices, critical assets, high risk devices, and internet-facing devices for all tenants are shown at the top of the page.
+
+You can search a specific device with the search function. You can sort and filter the device list according to the following fields to customize your view:
+
+- Tenant name
+- Risk level
+- Criticality level
+- Mitigation status
+- Cloud platforms
+- Operating system (OS) platforms
+- Windows OS version
+- Sensor health state
+- Antivirus status
+- Tags
+- First seen
+- Internet facing
+- Group
+- Exclusion state
+- Managed by
+
+To manage a device, select a specific device from the list. Device management tasks like managing tags, device exclusion, and reporting inaccuracy becomes available at the top of the device list.
+
+ :::image type="content" source="../../media/multi-tenant/devices/devices-choose-device.png" alt-text="Screenshot of choosing a device from the device inventory list" lightbox="../../media/multi-tenant/devices/devices-choose-device.png":::
+
+Selecting a device by clicking on the device name opens the device page in a new tab. You can further apply other actions on the device in the new tab.
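Review bot: "Device management tasks like managing tags, device exclusion, and reporting inaccuracy becomes available" has a subject-verb mismatch; "become available". In the "Device inventory" paragraph, "IOT" should be "IoT", "You can search a specific device" should be "search for a specific device", and "**Assets > Devices**" uses a bare ">" inside bold where the rest of these docs escape it as "\>". The closing sentence "Selecting a device by clicking on the device name opens the device page in a new tab" can follow the surrounding style: "Select the device name to open the device page in a new tab."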
security Anti Malware Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md
Select a policy by clicking anywhere in the row other than the check box next to
In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
-2. On the **Anti-malware** page, select the anti-malware policy by using either of the following methods:
+On the **Anti-malware** page, select the anti-malware policy by using either of the following methods:
- - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** dropdown list that appears:
- - **Enable selected policies**.
- - **Disable selected policies**.
- - **Delete selected policies**.
+- Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** dropdown list that appears:
+ - **Enable selected policies**.
+ - **Disable selected policies**.
+ - **Delete selected policies**.
- :::image type="content" source="../../media/anti-malware-policies-main-page.png" alt-text="The Anti-malware page with a policy selected and the More actions control expanded." lightbox="../../media/anti-malware-policies-main-page.png":::
+ :::image type="content" source="../../media/anti-malware-policies-main-page.png" alt-text="The Anti-malware page with a policy selected and the More actions control expanded." lightbox="../../media/anti-malware-policies-main-page.png":::
- - Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:
- - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)
- - :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only)
- - :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only)
- - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)
+- Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:
+ - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)
+ - :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only)
+ - :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only)
+ - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)
- :::image type="content" source="../../media/anti-malware-policies-details-flyout.png" alt-text="The details flyout of a custom anti-malware policy." lightbox="../../media/anti-malware-policies-details-flyout.png":::
+ :::image type="content" source="../../media/anti-malware-policies-details-flyout.png" alt-text="The details flyout of a custom anti-malware policy." lightbox="../../media/anti-malware-policies-details-flyout.png":::
The actions are described in the following subsections.
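Review bot: Dropping the "2." prefix and the leading indentation turns the second step of a numbered procedure into a standalone paragraph with top-level bullets; check that the preceding step shown in context ("In the Microsoft Defender portal ...") gets the same treatment, otherwise the page is left with a one-item numbered list followed by an orphaned paragraph. If the intent is to keep a procedure, restore the numbers on both steps instead.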
security Detect And Remediate Outlook Rules Forms Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack.md
The simplest way to verify a rules or custom forms attack is to run the [Get-All
#### Prerequisites
-You need to be a member of the Global Administrator role in [Microsoft Entra ID](/microsoft-365/admin/add-users/about-admin-roles) or the Organization Management role group in [Exchange Online](/exchange/permissions-exo/permissions-exo), because the script connects to every mailbox in the organization to read rules and forms.
+You need to be a member of the Global Administrator role in [Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal) or the Organization Management role group in [Exchange Online](/exchange/permissions-exo/permissions-exo), because the script connects to every mailbox in the organization to read rules and forms.
1. Use an account with local administrator rights to sign in to the computer where you intend to run the script.
security Mdo About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-about.md
Defender for Office 365 Plan 2 includes best-of-class [threat investigation and
### Threat Trackers on the latest threats -- **[Threat trackers](threat-trackers.md)** provide the latest intelligence on prevailing cybersecurity issues. For example, you can view information about the latest malware, and take countermeasures before it becomes an actual threat to your organization. Available trackers include [Noteworthy trackers](threat-trackers.md#noteworthy-trackers), [Trending trackers](threat-trackers.md#trending-trackers), [Tracked queries](threat-trackers.md#tracked-queries), and [Saved queries](threat-trackers.md#saved-queries).
+**[Threat trackers](threat-trackers.md)** are [saved queries from Threat Explorer](threat-explorer-real-time-detections-about.md#saved-queries-in-threat-explorer) that you run manually or that can be configured to periodically run automatically. The **Trending campaigns** tab automatically highlights new email threats that were recently received by your organization.
### Threat Explorer or Real-Time Detections
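Review bot: The `+` line replaces the bullet with a paragraph that describes Threat trackers as saved queries from Threat Explorer, but the section heading it sits under ("Threat Trackers on the latest threats") still reflects the removed description; update the heading to match, and confirm that the "Trending campaigns" tab and the "saved-queries-in-threat-explorer" anchor exist in the linked article, since the removed line linked to four different tracker anchors.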
security Mdo Deployment Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-deployment-guide.md
To configure EOP and Defender for Office 365 features, you need permissions. The
|Role or role group|Learn more| |||
-|Global Administrator in Azure AD|[About Microsoft 365 admin roles](/microsoft-365/admin/add-users/about-admin-roles)|
+|Global Administrator in Microsoft Entra|[Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference#global-administrator)|
|Organization Management in Email & collaboration role groups|[Role groups in Microsoft Defender for Office 365](scc-permissions.md#role-groups-in-microsoft-defender-for-office-365-and-microsoft-purview)|
-|Security Administrator in Azure AD|[Azure AD built-in roles](/entra/identity/role-based-access-control/permissions-reference#security-administrator)
-|Security Administrator in Email & collaboration role groups|[Role groups in Microsoft Defender for Office 365](scc-permissions.md#role-groups-in-microsoft-defender-for-office-365-and-microsoft-purview)|
+|Security Administrator in Microsoft Entra|[Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference#security-administrator)
+|Security Administrator in Email & collaboration role groups|[Email & collaboration permissions in Microsoft Defender for Office 365](scc-permissions.md#role-groups-in-microsoft-defender-for-office-365-and-microsoft-purview)|
|Exchange Online Organization Management|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo)| ## Step 1: Configure email authentication for your Microsoft 365 domains
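Review bot: the Security Administrator in Microsoft Entra row is missing its trailing `|` (the removed row had the same defect), so it is the only row in the table without one; add it. The unchanged Organization Management row still uses the link text "Role groups in Microsoft Defender for Office 365" for the same anchor that the updated Security Administrator row now calls "Email & collaboration permissions in Microsoft Defender for Office 365"; align the two.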
security Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md
Microsoft Defender for Office 365 uses role-based access control. Permissions ar
## Next steps -- [Learn about Threat Trackers - New and Noteworthy](threat-trackers.md)
+- [Threat trackers in Microsoft Defender for Office 365 Plan 2](threat-trackers.md)
- [Find and investigate malicious email that was delivered (Office 365 Threat Investigation and Response)](threat-explorer-investigate-delivered-malicious-email.md) - [Simulate a phishing attack](attack-simulation-training-simulations.md)
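Review bot: the updated link text drops the legacy name, but the next item in the same list still carries "(Office 365 Threat Investigation and Response)" in its title; consider updating it in the same pass for consistent product naming.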
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
description: What are best practices for Exchange Online Protection (EOP) and Defender for Office 365 security settings? What's the current recommendations for standard protection? What should be used if you want to be more strict? And what extras do you get if you also use Defender for Office 365? Previously updated : 11/2/2023 Last updated : 3/19/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
Admins can create or use quarantine policies with more restrictive or less restr
|**If the message is detected as spoof and DMARC Policy is set as p=reject** (_DmarcRejectAction_)|**Reject the message** (`Reject`)|**Reject the message** (`Reject`)|**Reject the message** (`Reject`)|This action is meaningful only when **Honor DMARC record policy when the message is detected as spoof** is turned on.| |**If the message is detected as spoof by spoof intelligence** (_AuthenticationFailAction_)|**Move the message to the recipients' Junk Email folders** (`MoveToJmf`)|**Move the message to the recipients' Junk Email folders** (`MoveToJmf`)|**Quarantine the message** (`Quarantine`)|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders). <br><br> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available.| |**Quarantine policy** for **Spoof** (_SpoofQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spoof detections are quarantined.|
-|**Show first contact safety tip** (_EnableFirstContactSafetyTips_)|Not selected (`$false`)|Selected (`$true`)|Not selected (`$false`)|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).|
+|**Show first contact safety tip** (_EnableFirstContactSafetyTips_)|Not selected (`$false`)|Selected (`$true`)|Selected (`$true`)|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).|
|**Show (?) for unauthenticated senders for spoof** (_EnableUnauthenticatedSender_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).| |**Show "via" tag** (_EnableViaTag_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br><br> For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|
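Review bot: flipping the Strict value of _EnableFirstContactSafetyTips_ from `$false` to `$true` makes Strict match Standard, but the Default column remains `$false` and the comment column only links elsewhere; add a short note in the comment column that the tip is off in the default policy and on in both preset policies, so readers who do not use presets see they must enable it themselves.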
security Submissions Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md
description: "Admins can configure whether users can report malicious message in Microsoft Teams." Previously updated : 8/7/2023 Last updated : 3/19/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 2</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
The value of this setting is meaningful only if message reporting is turned on i
2. On the **User reported settings** page, go to the **Microsoft Teams** section for the **Monitor reported messages in Microsoft Teams** setting.
- As previously described, this setting is turned on by default for new tenants, and existing tenants need to enable it. You typically leave it turned on if message reporting is also turned on in Teams admin center.
+ As previously described, this setting is turned on by default for new tenants, and existing tenants need to enable it. Typically, you leave it turned on if message reporting is also turned on in Teams admin center. [Learn more about reported message destinations](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft).
:::image type="content" source="../../media/submissions-teams-turn-on-off-defender-portal.png" alt-text="Screenshot of the 'Monitor reported messages in Microsoft Teams' setting in the Microsoft Defender portal." lightbox="../../media/submissions-teams-turn-on-off-defender-portal.png":::
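Review bot: the link added to the Teams setting points at the anchor "#report-suspicious-email-messages-to-microsoft", which names an email-specific section, while this paragraph is about reported Teams messages; verify that anchor is the intended destination or point to the Teams part of that article instead. In the page description, "report malicious message" should read "messages".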
security Submissions User Reported Messages Custom Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md
description: "Admins can configure where user reported messages go for analysis: to an internal reporting mailbox, to Microsoft, or both. Other settings complete the reporting experience for users when they report good messages, spam, or phishing messages from Outlook." Previously updated : 10/19/2023 Last updated : 3/19/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
The difference between these two elements isn't obvious when you manage the user
Only after you specify a reporting mailbox (used by Microsoft or third-party reporting tools) and save the changes on the **User reported settings page** is the report submission rule named DefaultReportSubmissionRule created. It might take several seconds before the rule is visible in PowerShell. > [!NOTE]
- > The default settings on the **User reported settings** page include **Send reported messages to** \> **Microsoft and my reporting mailbox** with a blank value for the reporting mailbox. In PowerShell, there's no report submission rule. This default configuration means the reporting mailbox is the global admin's Exchange Online mailbox. The global admin isn't _shown_ as the reporting mailbox in the output of the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets or on the **User reported settings** page until _after_ the first user in the organization reports a message from Outlook.
+ > The default settings on the **User reported settings** page include **Send reported messages to** \> **Microsoft and my reporting mailbox** with a blank value for the reporting mailbox. In PowerShell, there's no report submission rule. This default configuration means the reporting mailbox is the global admin's Exchange Online mailbox. The global admin isn't _shown_ as the reporting mailbox in the output of the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets or on the **User reported settings** page until _after_ the first user in the organization reports a message from Outlook. [Learn more about reported message destinations](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft).
- You can delete the report submission rule and recreate it with a different name, but the rule is always associated with the report submission policy, and you can't select or change the name of the policy. So, we recommend naming the rule DefaultReportSubmissionRule if you create or recreate the rule.
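Review bot: the note states that with the default settings reports go to the global admin's Exchange Online mailbox and that this is not visible in Get-ReportSubmissionPolicy, Get-ReportSubmissionRule or the portal until the first report; since user reports can contain live phishing and malware samples, the note should recommend explicitly configuring a dedicated reporting mailbox rather than only describing the hidden default. Minor: "the **User reported settings page**" includes "page" in the bold span, unlike the other references in this hunk.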
security Threat Explorer Real Time Detections About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about.md
audience: ITPro Previously updated : 3/13/2024 Last updated : 3/19/2024 ms.localizationpriority: medium - m365-security
To use Explorer or Real-time detections, you need to be assigned permissions. Yo
- _Preview and download messages_: Membership in the **Data Investigator** or **eDiscovery Manager** role groups. Or, [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Organization Management** or **Security Administrator**, and then add the **Preview** role. - _Move messages in and delete messages from mailboxes_: Membership in the **Data Investigator** or **Organization Management** role groups. Or, [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Security Administrator**, and then add the **Search and Purge** role. - _Read-only access_: Membership in the **Security Reader** role group.-- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
- _Full access_: Membership in the **Global Administrator** or **Security Administrator** roles. - _Search for Exchange mail flow rules (transport rules) by name in Threat Explorer_: Membership in the **Security Admin** or **Security Reader** roles. - _Read-only access_: Membership in the **Global Reader** or **Security Reader** roles.
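Review bot: the `+` line keeps the grammatical error "Membership these roles" from the removed line; it should read "Membership in these roles". In the following unchanged line, the mail flow rule item uses "Security Admin" where the other items use "Security Administrator"; use the full role name throughout.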
The filterable properties that are available in the **Delivery action** box in t
|Data loss prevention rule|Text. Separate multiple values by commas.| |Context|Select one or more values: <ul><li>**Evaluation**</li><li>**Priority account protection**</li></ul>| |Connector|Text. Separate multiple values by commas.|
-|Delivery action|Select one or more values: <ul><li>**Blocked**: Email messages that were quarantined, that failed delivery, or were dropped.</li><li>**Delivered**: Email delivered to the user's Inbox or other folder where the user can access the message.</li><li>**Delivered to junk**: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message.</li><li>**Replaced**: This value is no longer relevant. [Anti-malware policies](anti-malware-protection-about.md) in Exchange Online Protection (EOP) used to have an option to deliver the message with all attachments replaced by TXT files. This action is no longer available in Microsoft 365, but is still available in anti-malware policies in Exchange Server.</li></ul>|
+|Delivery action|Select one or more values: <ul><li>**Blocked**: Email messages that were quarantined, that failed delivery, or were dropped.</li><li>**Delivered**: Email delivered to the user's Inbox or other folder where the user can access the message.</li><li>**Delivered to junk**: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message.</li><li>**Replaced**: Message attachments that were replaced by [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li></ul>|
|Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**: The message was retroactively identified as good.</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>| |Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>| |Detection technology|Select one or more values: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing 
policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li><li>**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.</li></ul>|
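Review bot: the `+` line redefines Replaced from a legacy EOP anti-malware action to the Dynamic Delivery placeholder, but the Additional action row directly below also lists Dynamic Delivery with the same link; consider clarifying in one of the two rows how the Replaced delivery action and the Dynamic Delivery additional action relate so readers do not take them for two separate events. In the unchanged rows: "Intra-irg" should be "Intra-org", "a previous detected malicious message" should be "a previously detected malicious message", and "spoof DMARC" is the only value not capitalized.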
The filterable properties that are available in the **Delivery action** box in t
|Latest delivery location┬╣|Same values as **Original delivery location**</li></ul>| |Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>| |Primary override|Select one or more values: <ul><li>**Allowed by organization policy**</li><li>**Allowed by user policy**</li><li>**Blocked by organization policy**</li><li>**Blocked by user policy**</li><li>**None**</li></ul>|
-|Primary override source|Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|
+|Primary override source|Messages can have multiple allow or block overrides as identified in **Override source**. The override that ultimately allowed or blocked the message is identified in **Primary override source**. <br/> Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|
|Override source|Same values as **Primary override source**</li></ul>| |Policy type|Select one or more values: <ul><li>**Anti-malware policy**</li><li>**Anti-phishing policy**</li><li>**Exchange transport rule** (mail flow rule), **Hosted content filter policy** (anti-spam policy), **Hosted outbound spam filter policy** (outbound spam policy), **Safe Attachments policy**</li><li>**Unknown**</li></ul>| |Policy action|Select one or more values: <ul><li>**Add x-header**</li><li>**Bcc message**</li><li>**Delete message**</li><li>**Modify subject**</li><li>**Move to Junk Email folder**</li><li>**No action taken**</li><li>**Redirect message**</li><li>**Send to quarantine**</li></ul>|
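Review bot: the explanation added to the Primary override source row describes the relationship between Override source and Primary override source, but the Override source row immediately below only says "Same values as **Primary override source**", so readers starting from that row miss it; a one-line cross-reference there would help. Both "Same values as" rows also end with a stray `</li></ul>` that has no opening `<ul><li>`; remove it.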
When you select an entry by clicking anywhere in the row other than the check bo
- :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Report clean** - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Report phishing** - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Report malware**
- <! The target URL is constructed such that it should open a new submission with the details filled out. But it takes me to the Email tab on the main Submissions page. Perhaps another permissions issue?>
+ <! The target URL is constructed such that it should open a new submission with the details filled out. But it takes me to the Email tab on the main Submissions page.>
- :::image type="icon" source="../../media/m365-cc-sc-manage-indicator-icon.png" border="false"::: **Manage indicator**: - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add indicator** - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Manage in tenant block list**
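Review bot: the `+` line keeps the comment as `<! ... >`, which is not valid HTML comment syntax (`<!-- ... -->`) and risks rendering on the published page. Either fix the delimiters or, since the remaining text is an unresolved authoring question rather than content, drop the comment entirely.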
The filterable properties that are available in the **Sender address** box in th
|Data loss prevention rule|Text. Separate multiple values by commas.|Γ£ö|| |Context|Select one or more values: <ul><li>**Evaluation**</li><li>**Priority account protection**</li></ul>|Γ£ö|| |Connector|Text. Separate multiple values by commas.|Γ£ö||
-|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**</li></ul>|Γ£ö|Γ£ö|
+|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**: Message attachments that were replaced by [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li></ul>|Γ£ö|Γ£ö|
|Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>|Γ£ö|Γ£ö| |Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>|Γ£ö|Γ£ö| |Detection technology|Select one or more values: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing 
policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis.</li><li>**URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li><li>**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.</li></ul>|Γ£ö|Γ£ö| |Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|Γ£ö|Γ£ö| |Latest delivery location|Same values as **Original delivery location**</li></ul>|Γ£ö|Γ£ö| |Primary override|Select one or more values: <ul><li>**Allowed by organization policy**</li><li>**Allowed by user policy**</li><li>**Blocked by organization policy**</li><li>**Blocked by user policy**</li><li>**None**</li></ul>|Γ£ö|Γ£ö|
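Review bot: after this change Replaced is the only Delivery action value in this table with a description, whereas the table above describes all four values; either describe all four here too or keep this list bare and rely on the earlier table. "Intra-irg" in the unchanged Directionality row should be "Intra-org".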
-|Primary override source|Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel**</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|Γ£ö|Γ£ö|
+|Primary override source|Messages can have multiple allow or block overrides as identified in **Override source**. The override that ultimately allowed or blocked the message is identified in **Primary override source**. <br/> Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|Γ£ö|Γ£ö|
|Override source|Same values as **Primary override source**</li></ul>|Γ£ö|Γ£ö| |Policy type|Select one or more values: <ul><li>**Anti-malware policy**</li><li>**Anti-phishing policy**</li><li>**Exchange transport rule** (mail flow rule), **Hosted content filter policy** (anti-spam policy), **Hosted outbound spam filter policy** (outbound spam policy), **Safe Attachments policy**</li><li>**Unknown**</li></ul>|Γ£ö|Γ£ö| |Policy action|Select one or more values: <ul><li>**Add x-header**</li><li>**Bcc message**</li><li>**Delete message**</li><li>**Modify subject**</li><li>**Move to Junk Email folder**</li><li>**No action taken**</li><li>**Redirect message**</li><li>**Send to quarantine**</li></ul>|Γ£ö|Γ£ö|
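Review bot: the Override source row below still ends with a stray `</li></ul>` with no opening tag, as in the first table; remove it. The "(ZAP)" suffix added to "Admin initiated time travel" here now matches the first table.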
The filterable properties that are available in the **Sender address** box in th
|Data loss prevention rule|Text. Separate multiple values by commas.|Γ£ö|| |Context|Select one or more values: <ul><li>**Evaluation**</li><li>**Priority account protection**</li></ul>|Γ£ö|| |Connector|Text. Separate multiple values by commas.|Γ£ö||
-|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**</li></ul>|Γ£ö|Γ£ö|
+|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**: Message attachments that were replaced by [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li></ul>|Γ£ö|Γ£ö|
|Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**</li></ul>|Γ£ö|Γ£ö| |Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>|Γ£ö|Γ£ö| |Detection technology|Select one or more values: <ul><li>**Advanced filter**</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**</li><li>**File detonation reputation**</li><li>**File reputation**</li><li>**Fingerprint matching**</li><li>**General filter**</li><li>**Impersonation brand**</li><li>**Impersonation domain**</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**</li><li>**Mixed analysis detection**</li><li>**spoof DMARC**</li><li>**Spoof external domain**</li><li>**Spoof intra-org**</li><li>**URL detonation**</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**</li></ul>|Γ£ö|Γ£ö|
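Review bot: the Additional action row below lists Dynamic Delivery without the link to the Safe Attachments article that the corresponding row in the previous table carries, while the updated Replaced value in this hunk does link to it; add the link here for consistency.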
The filterable properties that are available in the **Sender address** box in th
|Latest delivery location|Same values as **Original delivery location**</li></ul>|Γ£ö|Γ£ö| |Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>|Γ£ö|| |Primary override|Select one or more values: <ul><li>**Allowed by organization policy**</li><li>**Allowed by user policy**</li><li>**Blocked by organization policy**</li><li>**Blocked by user policy**</li><li>**None**</li></ul>|Γ£ö|Γ£ö|
-|Primary override source|Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel**</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|Γ£ö|Γ£ö|
+|Primary override source|Messages can have multiple allow or block overrides as identified in **Override source**. The override that ultimately allowed or blocked the message is identified in **Primary override source**. <br/> Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|Γ£ö|Γ£ö|
|Override source|Same values as **Primary override source**</li></ul>|Γ£ö|Γ£ö| |Policy type|Select one or more values: <ul><li>**Anti-malware policy**</li><li>**Anti-phishing policy**</li><li>**Exchange transport rule** (mail flow rule), **Hosted content filter policy** (anti-spam policy), **Hosted outbound spam filter policy** (outbound spam policy), **Safe Attachments policy**</li><li>**Unknown**</li></ul>|Γ£ö|Γ£ö| |Policy action|Select one or more values: <ul><li>**Add x-header**</li><li>**Bcc message**</li><li>**Delete message**</li><li>**Modify subject**</li><li>**Move to Junk Email folder**</li><li>**No action taken**</li><li>**Redirect message**</li><li>**Send to quarantine**</li></ul>|Γ£ö|Γ£ö|
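Review bot: the Latest delivery location and Override source rows carry a stray `</li></ul>` after "Same values as **Original delivery location**" and "Same values as **Primary override source**" with no opening `<ul><li>`, so the closing tags render literally; drop them. The added explanation of how **Primary override source** differs from **Override source** is useful; consider putting the same one-sentence distinction (or a pointer to it) in the Override source row, which currently only says "Same values as".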
The same chart pivots are available and described for the **All email** view in
:::image type="content" source="../../media/te-rtd-all-email-view-details-area-url-clicks-tab-default-view.png" alt-text="Screenshot of the details area of the Phish view in Threat Explorer with the URL clicks tab selected and showing the available pivots with no pivot selected." lightbox="../../media/te-rtd-all-email-view-details-area-url-clicks-tab-default-view.png"::: > [!TIP]
-> In Threat Explorer, each pivot in **URL clicks** view has a :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** action that opens the [URL clicks view in Threat Explorer](#url-clicks-view-in-threat-explorer) in a new tab. This action isn't available in Real-time detections, because the **URL clicks** view isn't avaialble in Real-time detections.
+> In Threat Explorer, each pivot in **URL clicks** view has a :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** action that opens the [URL clicks view in Threat Explorer](#url-clicks-view-in-threat-explorer) in a new tab. This action isn't available in Real-time detections, because the **URL clicks** view isn't available in Real-time detections.
#### Top URLs view for the details area of the Phish view in Threat Explorer and Real-time detections
The **Top clicks** view shows a details table. You can sort the entries by click
> - Narrow the width of appropriate columns. > - Zoom out in your web browser.
-Select an entry by selecting the check box next to the first column in the row, and then select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** to open Threat Explorer in a new tab in **URL clicks** view. <! Doesn't work? No filters >
+Select an entry by selecting the check box next to the first column in the row, and then select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** to open Threat Explorer in a new tab in **URL clicks** view.
When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in [Top URLs details for the All email view](#top-urls-details-for-the-all-email-view).
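Review bot: the heading says "Top URLs view" while the first sentence says "The **Top clicks** view shows a details table"; pick one name so the heading, the body and the "Top URLs details" link agree. Removing the `<! Doesn't work? No filters >` author comment is fine, but if the behaviour it questioned was confirmed (the **View all clicks** action opening Threat Explorer without carrying the selected URL as a filter), the article should say so rather than silently dropping the note.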
The steps to create property filter/query conditions are the same in all views i
### Saved queries in Threat Explorer > [!TIP]
-> **Save query** isn't available in Real-time detections. It's available only in Threat Explorer.
+> **Save query** is part of [Threat trackers](threat-trackers.md) and isn't available in Real-time detections. Saved queries and Threat trackers are available only in Defender for Office 365 Plan 2.
> > **Save query** isn't available in the [Content malware view](#content-malware-view-in-threat-explorer-and-real-time-detections).
-Most views in Threat Explorer allow you to save filters (queries) for later use. Saved queries are available on the **Threat tracker** page in the Defender portal at <https://security.microsoft.com/threattrackerv2>. For more information about Threat trackers, see [About Threat trackers](threat-trackers.md).
+Most views in Threat Explorer allow you to save filters (queries) for later use. Saved queries are available on the **Threat tracker** page in the Defender portal at <https://security.microsoft.com/threattrackerv2>. For more information about Threat trackers, see [Threat trackers in Microsoft Defender for Office 365 Plan 2](threat-trackers.md).
To save queries in Threat Explorer, do the following steps:
To save queries in Threat Explorer, do the following steps:
- **Exact dates**: Select a start date and end date in the boxes. The oldest start date that you can select is 30 days before today. The newest end date that you can select is today. - **Relative dates**: Select the number of days in the **Show last nn days when search is run**. The default value is 7, but you can select 1 to 30. - **Track query**: By default, this option isn't selected. This option affects whether the query runs automatically:
- - **Track query** not selected: The query is available for you to run manually in Threat Explorer. The query is saved on the **Saved queries** tab on the **Threat tracker** page.
- - **Track query** selected: The query periodically runs in the background. The results and the query are saved on the **Tracked queries** tab on the **Threat tracker** page.
+ - **Track query** not selected: The query is available for you to run manually in Threat Explorer. The query is saved on the **Saved queries** tab on the **Threat tracker** page with the **Tracked query** property value **No**.
+ - **Track query** selected: The query periodically runs in the background. The query is available on the **Saved queries** tab on the **Threat tracker** page with the **Tracked query** property value **Yes**. The periodic results of the query are shown on the **Tracked queries** tab on the **Threat tracker** page.
When you're finished in the **Save query** flyout, select **Save**, and then select **OK** in the confirmation dialog.
To save queries in Threat Explorer, do the following steps:
On the **Saved query** or **Tracked query** tabs on the **Threat tracker** page in the Defender portal at <https://security.microsoft.com/threattrackerv2>, you can select **Explore** in the **Actions** column to open and use the query in Threat Explorer.
-When you open the query from the **Threat tracker** page, :::image type="icon" source="../../media/m365-cc-sc-save-icon.png" border="false"::: **Save query as** and :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Saved query settings** are now available in **Save query** on the **Explorer** page:
+When you open the query by selecting **Explore** from the **Threat tracker** page, :::image type="icon" source="../../media/m365-cc-sc-save-icon.png" border="false"::: **Save query as** and :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Saved query settings** are now available in **Save query** on the **Explorer** page:
- If you select :::image type="icon" source="../../media/m365-cc-sc-save-icon.png" border="false"::: **Save query as**, the **Save query** flyout opens with all previously selected settings. If you make changes, select **Save**, and then select **OK** in the **Success** dialog, the updated query is saved as a new query on the **Threat tracker** page (you might need to select :::image type="icon" source="../../media/m365-cc-sc-refresh-icon.png" border="false":::**Refresh** to see it).
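Review bot: tab names are inconsistent within this procedure: the **Track query** bullets refer to the **Saved queries** and **Tracked queries** tabs, while the paragraph that follows says "On the **Saved query** or **Tracked query** tabs"; standardise on the plural names used on the Threat tracker page. The date bullets (Exact dates, Relative dates, Track query) are also run together on one line and should each be their own list item.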
security Threat Trackers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-trackers.md
Title: Threat Trackers - New and Noteworthy
+ Title: Threat trackers in Microsoft Defender for Office 365 Plan 2
f1.keywords: - NOCSH---+++ audience: ITPro ms.localizationpriority: medium
description: Learn about Threat Trackers, including new Noteworthy Trackers, to help your organization stay on top of security concerns. Previously updated : 6/20/2023 Last updated : 3/19/2024 appliesto:
- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
- ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
-# Threat Trackers - New and Noteworthy
+# Threat trackers in Microsoft Defender for Office 365 Plan 2
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-[Office 365 Threat Investigation and Response](office-365-ti.md) capabilities enable your organization's security team to discover and take action against cybersecurity threats. Office 365 Threat Investigation and Response capabilities include Threat Tracker features, including Noteworthy trackers. Read this article to get an overview of these new features and next steps.
+Microsoft 365 organizations that have [Microsoft Defender for Office 365 Plan 2](mdo-security-comparison.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet) included in their subscription or purchased as an add-on have _Threat trackers_. Threat trackers are queries that you create and save in [Threat Explorer (also known as Explorer)](threat-explorer-real-time-detections-about.md). You use these queries to automatically or manually discover cybersecurity threats in your organization.
-> [!IMPORTANT]
-> Office 365 Threat Intelligence is now Microsoft Defender for Office 365 Plan 2, along with additional threat protection capabilities. To learn more, see [Microsoft Defender for Office 365 plans and pricing](https://products.office.com/exchange/advance-threat-protection) and the [Microsoft Defender for Office 365 Service Description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
+For information about creating and saving queries in Threat Explorer, see [Saved queries in Threat Explorer](threat-explorer-real-time-detections-about.md#saved-queries-in-threat-explorer).
-## What are Threat Trackers?
+## Permissions and licensing for Threat trackers
-Threat Trackers are informative widgets and views that provide you with intelligence on different cybersecurity issues that might impact your company. For example, you can view information about trending malware campaigns using Threat Trackers.
+To use Threat trackers, you need to be assigned permissions. You have the following options:
-Trackers are just a few of the many great features you get with [Microsoft Defender for Office 365 Plan 2](office-365-ti.md). Threat Trackers include [Noteworthy trackers](#noteworthy-trackers), [Trending trackers](#trending-trackers), [Tracked queries](#tracked-queries), and [Saved queries](#saved-queries).
+- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md):
+ - _Create, save, and modify Threat Explorer queries_: Membership in the **Organization Management** or **Security Administrator** role groups.
+ - _Read-only access to Threat Explorer queries on the Threat tracker page_: Membership in the **Security Reader** or **Global Reader** role groups.
+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
+ - _Create, save, and modify Threat Explorer queries_: Membership in the **Global Administrator** or **Security Administrator** roles.
+ - _Read-only access to Threat Explorer queries on the Threat tracker page_: Membership in the **Security Reader** or **Global Reader** roles.
-To view and use your Threat Trackers for your organization, open the Microsoft Defender portal at <https://security.microsoft.com>, and go to **Email & collaboration** \> **Threat tracker**. To go directly to the **Threat tracker** page, use <https://security.microsoft.com/threattrackerv2>.
+To remediate messages in Threat Explorer, you need additional permissions. For more information, see [Permissions and licensing for Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#permissions-and-licensing-for-threat-explorer-and-real-time-detections).
-> [!NOTE]
-> To use Threat Trackers, you must be a global administrator, security administrator, or security reader. See [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md).
+To use Threat Explorer or Threat trackers, you need to be assigned a license for Defender for Office 365 (included in your subscription or an add-on license).
-### Noteworthy trackers
+Threat Explorer and Threat trackers contain data for users with Defender for Office 365 licenses assigned to them.
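Review bot: "Membership these roles gives users the required permissions" is missing "in" ("Membership in these roles"). Since that same line notes that the Entra roles also grant permissions for other features in Microsoft 365, the section should state the least-privilege recommendation outright rather than leave it implied, for example: "We recommend the Email & collaboration role groups in the Defender portal unless the user also needs the wider permissions that the Microsoft Entra roles grant."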
-Noteworthy trackers are where you'll find big and smaller threats and risks that we think you should know about. Noteworthy trackers help you find whether these issues exist in your Microsoft 365 environment, plus link to articles (like this one) that give you more details on what is happening, and how they'll impact your organization's use of Office 365. Whether it's a big new threat (e.g. Wannacry, Petya) or an existing threat that might create some new challenges (like our other inaugural Noteworthy item - Nemucod), this is where you'll find important new items you and your security team should review and examine periodically.
+## Threat trackers
-Typically Noteworthy trackers will be posted for just a couple of weeks when we identify new threats and think you might need the extra visibility that this feature provides. Once the biggest risk for a threat has passed, we'll remove that Noteworthy item. This way, we can keep the list fresh and up to date with other relevant new items.
+The **Threat tracker** page is available in the Microsoft Defender portal at <https://security.microsoft.com> at **Email & collaboration** \> **Threat tracker**. Or, to go directly to the **Threat tracker** page, use <https://security.microsoft.com/threattrackerv2>.
-### Trending trackers
+The **Threat tracker** page contains three tabs:
-Trending trackers (formerly called Campaigns) highlight new threats received in your organization's email in the past week. The Trending trackers view provides dynamic assessments of email threats impacting your organization's Office 365 environment. This view shows tenant level malware trends, identifying malware families on the rise, flat, or declining, giving admins greater insight into which threats require further attention.
+- **Saved queries**: Contains all queries that you saved in Threat Explorer.
+- **Tracked queries**: Contains the results of queries that you saved in Threat Explorer where you selected **Track query**. The query automatically runs periodically, and the results are shown on this tab.
+- **Trending campaigns**: We populate the information on this tab to highlight new threats received in your organization.
+These tabs are described in the following subsections.
-Trending trackers give you an idea of new threats you should review to ensure your broader corporate environment is prepared against attacks.
+### Saved queries tab
-### Tracked queries
-
-Tracked queries leverage your saved queries to periodically assess Microsoft 365 activity in your organization. This gives you event trending, with more to come in the coming months. Tracked queries run automatically, giving you up-to-date information without having to remember to re-run your queries.
--
-### Saved queries
-
-Saved queries are also found in the Trackers section. You can use Saved queries to store the common Explorer searches that you want to get back to quicker and repeatedly, without having to re-create the search every time.
+The **Save queries** tab on the **Threat tracker** page at <https://security.microsoft.com/threattrackerv2> contains all of your saved queries from Threat Explorer. You can use these queries without having to re-create the search filters.
+The following information is shown on the **Save queries** tab. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
-You can always save a Noteworthy tracker query or any of your own Explorer queries using the **Save query** button at the top of the Explorer page. Anything saved there will show up in the **Saved queries** list on the Tracker page.
+- **Date created**
+- **Name**
+- **Type**
+- **Author**
+- **Last executed**
+- **Tracked query**: This value is controlled by whether you selected **Track this query** when you created the query in Threat Explorer:
+ - **No**: You need to run the query manually.
+ - **Yes**: The query automatically runs periodically. The query and the results are also available on the **Tracked queries** page.
+- **Actions**: Select **Explore** to open and run the query in Threat Explorer, or to update or save a modified or unmodified copy of the query in Threat Explorer.
-## Trackers and Explorer
+If you select a query, the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** and :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** actions that appear.
-Whether you're reviewing email, content, or Office activities (coming soon), Explorer and Trackers work together to help you investigate and track security risks and threats. All together, Trackers provide you with information to protect your users by highlighting new, notable, and frequently searched issues - ensuring your business is better protected as it moves to the cloud.
+If you select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**, you can update the date and **Track query** settings of the existing query in the details flyout that opens.
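Review bot: the first two paragraphs of this subsection say "**Save queries** tab" while the tab list above, the heading, and the Threat Explorer article all say **Saved queries**; fix both occurrences. In the same subsection, "**Track this query**" does not match the **Track query** option named in the save-query procedure, and "also available on the **Tracked queries** page" should be "tab". "the **Edit** and **Delete** actions that appear" should read "actions appear", and "to update or save a modified or unmodified copy of the query" is hard to parse; suggest "to update the query, or to save a copy of it (modified or not)".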
-And remember that you can always provide us with feedback on this or other Microsoft 365 security features by clicking on the **Feedback** button in the lower-right corner.
--
-## Trackers and Microsoft Defender for Office 365
-
-With our inaugural Noteworthy threat, we're highlighting advanced malware threats detected by [Safe Attachments](safe-attachments-about.md). If you're an Office 365 Enterprise E5 customer and you're not using [Microsoft Defender for Office 365](defender-for-office-365.md), you should be - it's included in your subscription. Defender for Office 365 provides value even if you have other security tools filtering email flow with your Office 365 services. However, anti-spam and [Safe Links](safe-links-about.md) features work best when your main email security solution is through Office 365.
+### Tracked queries
+The **Tracked queries** tab on the **Threat tracker** page at <https://security.microsoft.com/threattrackerv2> contains the results of queries that you created in Threat Explorer where you selected **Track this query**. Tracked queries run automatically, giving you up-to-date information without having to remember to run the queries.
-In today's threat-riddled world, running only traditional anti-malware scans means you are not protected well enough against attacks. Today's more sophisticated attackers use commonly available tools to create new, obfuscated, or delayed attacks that won't be recognized by traditional signature-based anti-malware engines. The Safe Attachments feature takes email attachments and detonates them in a virtual environment to determine whether they're safe or malicious. This detonation process opens each file in a virtual computer environment, then watches what happens after the file is opened. Whether it's a PDF, and compressed file, or an Office document, malicious code can be hidden in a file, activating only once the victim opens it on their computer. By detonating and analyzing the file in the email flow, Defender for Office 365 capabilities finds these threats based on behaviors, file reputation, and a number of heuristic rules.
+The following information is shown on the **Tracked queries** tab. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
-The new Noteworthy threat filter highlights items that were recently detected through Safe Attachments. These detections represent items that are new malicious files, not previously found by Microsoft 365 in either your email flow or other customers' email. Pay attention to the items in the Noteworthy Threat Tracker, see who was targeted by them, and review the detonation details shown on the Advanced Analysis tab (found by clicking on the subject of the email in Explorer). Note you'll only find this tab on emails detected by the Safe Attachments capability - this Noteworthy tracker includes that filter, but you can also use that filter for other searches in Explorer.
+- **Date created**
+- **Name**
+- **Today's message count**
+- **Prior day message count**
+- **Trend: today vs. prior week**
+- **Actions**: Select **Explore** to open and run the query in Threat Explorer.
-## Next steps
+If you select a query, the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action appears. If you select this action, you can update the date and **Track query** settings of the existing query in the details flyout that opens.
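Review bot: the heading "### Tracked queries" should be "### Tracked queries tab" to match "### Saved queries tab" and "### Trending campaigns tab" in the same article, and "where you selected **Track this query**" should name the option as it appears in the save-query procedure, **Track query**.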
-- If your organization doesn't already have these Office 365 Threat Investigation and Response capabilities, see [How do we get Office 365 Threat Investigation and Response capabilities?](office-365-ti.md).
+### Trending campaigns tab
-- Make sure that your security team has the correct roles and permissions assigned. You must be a global administrator, or have the Security Administrator, Security Reader, or Search and Purge role assigned in the Microsoft Defender portal. See [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md).
+The **Trending campaigns** tab on the **Threat tracker** page at <https://security.microsoft.com/threattrackerv2> automatically highlights new email threats that were recently received by your organization.
-- Watch for the new Trackers to show up in your Microsoft 365 environment. When available, you'll find your Trackers on the **Threat tracker** page in the Microsoft Defender portal at <https://security.microsoft.com/threattracker>.
+The following information is shown on the **Trending campaigns** tab. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
-- If you haven't already done so, learn more about and configure [Microsoft Defender for Office 365](defender-for-office-365.md) for your organization, including [Safe links](safe-links-about.md) and [Safe Attachments](safe-attachments-about.md).
+- **Malware family**
+- **Prior day message count**
+- **Trend: today vs. prior week**
+- **Targeting: your company vs. global**
+- **Actions**: Select **Explore** to open and run the query in Threat Explorer.
security Try Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md
In **audit mode**, you're looking for reports that show detections by the evalua
## Required permissions
-The following permissions are required in [Microsoft Entra ID](/microsoft-365/admin/add-users/about-admin-roles) to set up an evaluation or trial of Defender for Microsoft 365:
+The following permissions are required in [Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal) to set up an evaluation or trial of Defender for Microsoft 365:
- *Create, modify or delete an evaluation or trial*: Membership in the **Security Administrator** or **Global Administrator** roles. - *View evaluation policies and reports in audit mode*: Membership in the **Security Administrator** or **Security Reader** roles.
security Zero Trust Identity Device Access Policies Prereq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-prereq.md
Here are some additional recommendations:
- Use [Microsoft Entra Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-getting-started) to reduce the number of persistent administrative accounts. - [Use privileged access management](/purview/privileged-access-management) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.-- Create and use separate accounts that are assigned [Microsoft 365 administrator roles](/microsoft-365/admin/add-users/about-admin-roles) *only for administration*. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function.
+- Create and use separate accounts that are assigned [Microsoft 365 administrator roles](/entra/identity/role-based-access-control/manage-roles-portal) *only for administration*. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function.
- Follow [best practices](/entra/identity/role-based-access-control/best-practices) for securing privileged accounts in Microsoft Entra ID. ## Next step
syntex Esignature Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-overview.md
With SharePoint eSignature, you can quickly and securely send documents for sign
## Before you begin
-Before you can use SharePoint eSignature, an admin must [set up SharePoint eSignature](esignature-setup.md) in the Microsoft 365 admin center.
+Before you can enable SharePoint eSignature, an admin must [set up SharePoint eSignature](esignature-setup.md) in the Microsoft 365 admin center. SharePoint eSignature enables binding agreements between parties by allowing guests access to SharePoint to electronically sign documents. Certain external sharing must be enabled at a tenant or site level to allow this access - see Admin section for more details. Consider whether this meets your compliance and security requirements when enabling eSignature.
-You must be signed in to SharePoint Online by using your work email address.
+When requesting eSignatures, you must be signed in to SharePoint Online by using your work email address.
## Release notes
You must be signed in to SharePoint Online by using your work email address.
<br> > [!div class="nextstepaction"]
-> [Create a signature request](esignature-send-requests.md)
+> [Create a signature request](esignature-send-requests.md)
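Review bot: "see Admin section for more details" in the added paragraph is a dangling pointer with no link; since the same sentence already links [set up SharePoint eSignature](esignature-setup.md), point the reader at that article (or its External recipients section) explicitly. Because the paragraph now tells admins that external sharing must be enabled for guests to sign, it would help to name the setting being enabled (guest sharing at the tenant or site level) so the compliance consideration that follows is concrete.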
syntex Esignature Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-setup.md
You must have Global admin or SharePoint admin permissions to be able to access
### External recipients
- If you will be requesting signatures from external recipients, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration). External recipients are people outside your organization and would be onboarded as guests into your tenant. Microsoft Entra B2B provides authentication and management of guests.
+ If you will be requesting signatures from external recipients, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration) and [guest sharing](/microsoft-365/solutions/collaborate-in-site). External recipients are people outside your organization and would be onboarded as guests into your tenant. Microsoft Entra B2B provides authentication and management of guests.
## Set up SharePoint eSignature
Microsoft Entra B2B provides authentication and management of guests. External s
### Authentication
-External recipients might need to authenticate before they're able to access a document for signing. The type of authentication required by the external recipients depends on the configuration for guest users at the SharePoint level or at the tenant level. Additionally, if the external user belongs to an organization with a Microsoft 365 tenant, it's possible for their organization's setup to affect their authentication experience when attempting to sign the document.
+External recipients might need to authenticate before they're able to access a document for signing. The type of authentication required by the external recipients depends on the configuration for guest users at the SharePoint level or at the tenant level. Additionally, if the external user belongs to an organization with a Microsoft 365 tenant, it's possible for their organization's setup to affect their authentication experience when attempting to sign the document. For more information, see [Collaboration with guests in a site](/microsoft-365/solutions/collaborate-in-site).
## Document storage and retention
syntex Esignature Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-troubleshoot.md
SharePoint eSignature is an extension of SharePoint document storage and managem
- Microsoft Entra collaboration settings restrict document sharing to specific individuals. This event limits who the requests can be sent to.
+To check whether all SharePoint Online external sharing settings, following powershell script can be used:
+
+`</> Shell
+Connect-SPOService -Url "https://yourtenant.sharepoint.com"
+Get-SPOSite -Limit All | Select-Object Url, SharingCapability`
++ ### Conditional access policies Certain [conditional access](/entra/identity/conditional-access/overview) policies might determine whether an external recipient (signers outside of your organization or Microsoft 365 tenant) is able sign a document. When this happens, the external signers might not be able to access the document for signing. In some other cases, they might be able to access the document for signing but the signing operation is unsuccessful. One common way to resolve this is to contact your IT admin who will be able to add the eSignature app to the list of approved apps via the Microsoft Entra admin center.
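Review bot: `Connect-SPOService -Url` expects the SharePoint admin center URL, so the example should use `https://yourtenant-admin.sharepoint.com` rather than `https://yourtenant.sharepoint.com`, which fails to connect. The script is wrapped in single backticks with a stray `</> Shell` marker; put it in a fenced ```powershell block. The lead sentence is missing its verb and should read something like "To check the external sharing settings of all SharePoint Online sites, use the following PowerShell script." `Get-SPOSite -Limit All | Select-Object Url, SharingCapability` reports only per-site values; since the text above says tenant-level settings also restrict sharing, consider adding `Get-SPOTenant | Select-Object SharingCapability` so an admin sees both levels. In the Conditional access paragraph that follows, "is able sign a document" should be "is able to sign a document".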