Docs update tracker

Updates from: 03/26/2022 02:38:31

Category	Microsoft Docs article	Related commit history on GitHub	Change details
compliance	Customer Lockbox Requests	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-lockbox-requests.md	search.appverid: - MET150 - MOE150 -description: "Learn about Customer Lockbox requests that allow you to control how a Microsoft support engineer can access your data when you run into an issue." +description: "Learn about Customer Lockbox requests that allow you to control how a Microsoft support engineer can access your data when you encounter an issue." # Customer Lockbox in Office 365 -This article provides deployment and configuration guidance for Customer Lockbox. Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, and OneDrive for Business. To recommend support for other services, submit a request at [Feedback Portal](https://feedbackportal.microsoft.com). +This article provides deployment and configuration guidance for Customer Lockbox. Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. To recommend support for other services, submit a request at [Feedback Portal](https://feedbackportal.microsoft.com). To┬ásee┬áthe┬áoptions┬áfor┬álicensing┬áyour┬áusers┬áto┬ábenefit┬áfrom┬áMicrosoft┬á365┬ácompliance┬áofferings,┬ásee the┬á[Microsoft┬á365┬álicensing┬águidance┬áfor┬ásecurity┬á&┬ácompliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance). -Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox brings you into the approval workflow process that Microsoft uses to ensure only authorized requests allow access to your content. To learn more about MicrosoftΓÇÖs workflow process, see [Privileged access management in Microsoft 365](privileged-access-management-solution-overview.md). +Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox brings you into the approval workflow process that Microsoft uses to ensure only authorized requests allow access to your content. To learn more about Microsoft's workflow process, see [Privileged access management in Microsoft 365](privileged-access-management-solution-overview.md). Occasionally, Microsoft engineers help troubleshoot and fix issues that arise with the service. Usually, engineers fix issues using extensive telemetry and debugging tools Microsoft has in place for its services. However, some cases require a Microsoft engineer to access your content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from you as a final step in the approval workflow. This gives you the option to approve or deny the request for your organization, and provide direct-access control to your content. -### Customer Lockbox overview video +## Customer Lockbox overview video > [!VIDEO https://www.microsoft.com/videoplayer/embed/8fecf10b-1f03-4849-8b67-76d3d2a43f26?autoplay=false] These steps outline the typical workflow when a Microsoft engineer starts a Cust 2. After the user troubleshoots the issue, but can't fix it, they open a support request with Microsoft Support. -3. A Microsoft support engineer reviews the service request and determines a need to access the organization's tenant to repair the issue in Exchange Online. +3. A Microsoft support engineer reviews the service request and determines a need to access the organization's tenant to repair the issue. 4. The Microsoft support engineer logs into the Customer Lockbox request tool and makes a data access request that includes the organization's tenant name, service request number, and the estimated time the engineer needs access to the data. These steps outline the typical workflow when a Microsoft engineer starts a Cust > [!IMPORTANT] > Microsoft does not include any links in Customer Lockbox email notifications requiring you to sign in to Office 365. -7. After the approver from the organization approves the request, the Microsoft engineer receives the approval message, logs into the tenant in Exchange Online, and fixes the customer's issue. Microsoft engineers have the requested duration to fix the issue after which the access is automatically revoked. +7. After the approver from the organization approves the request, the Microsoft engineer receives the approval message, logs into the tenant, and fixes the customer's issue. Microsoft engineers have the requested duration to fix the issue after which the access is automatically revoked. > [!NOTE] > All actions performed by a Microsoft engineer are logged in the audit log. You can search for and review these audit records. You can turn on Customer Lockbox controls in the Microsoft 365 admin center. Whe 1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in. -2. Choose Settings > Org Settings > <a href="https://go.microsoft.com/fwlink/p/?linkid=2072756" target="_blank">Security & Privacy</a>. +2. Choose Settings > Org Settings > Security & Privacy. 3. Select Security & Privacy, then select Customer Lockbox in the left column. Check the Require approval for all data access requests checkbox and save the changes to turn on the feature. An alternative to using the audit search tool in the Microsoft 365 compliance ce After you [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), run one of the following commands. Replace the placeholders with a specific date range. -#### Search for Set-AccessToCustomerDataRequest activities +Search for `Set-AccessToCustomerDataRequest` activities ```powershell Search-UnifiedAuditLog -StartDate xx/xx/xxxx -EndDate xx/xx/xxxx -Operations Set-AccessToCustomerDataRequest ``` -#### Search for activities performed by Microsoft engineers +Search for activities performed by Microsoft engineers ```powershell Search-UnifiedAuditLog -StartDate xx/xx/xxxx -EndDate xx/xx/xxxx -UserIds "Microsoft Operator" When a person in your organization approves or denies a Customer Lockbox request \| Activity \| Set-AccessToCustomerDataRequest; this is the auditing activity that is logged when you approve or deny a Customer Lockbox request. \| \| Item \| The Guid of the Customer Lockbox request \| -The following screenshot shows an example of an audit record that corresponds to an approved Customer Lockbox request. If a Customer Lockbox request was denied, then the value of ApprovalDecision parameter would be Deny. +The following screenshot shows an example of an audit record that corresponds to an approved Customer Lockbox request. If a Customer Lockbox request was denied, then the value of `ApprovalDecision` parameter would be `Deny`. ![Audit record for an approved Customer Lockbox request.](../media/CustomerLockbox9.png) The actions performed by a Microsoft engineer after a Customer Lockbox request i ## Frequently asked questions -#### Which Microsoft 365 services does Customer Lockbox apply to? +### Which Microsoft 365 services does Customer Lockbox apply to? -Customer Lockbox is currently supported in Exchange Online, SharePoint Online, and OneDrive for Business. +Customer Lockbox is currently supported in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. -#### Is Customer Lockbox available to all customers? +### Is Customer Lockbox available to all customers? Customer Lockbox is included with the Microsoft 365 or Office 365 E5 subscriptions and can be added to other plans with an Information Protection and Compliance or an Advanced Compliance add-on subscription. See┬á[Plans and pricing](https://products.office.com/business/office-365-enterprise-e5-business-software)┬áfor more information. -#### What is customer content? +### What is customer content? Customer content is the data created by users of Microsoft 365 services and applications. Examples of customer content include: Customer content is the data created by users of Microsoft 365 services and appl - Instant messages (IM) or voice conversations +- Text entered in Teams chats and Teams channels, for example, 1:1 chats, group chats, shared channels, private channels, and meeting chat + +- Other data pasted into Teams chat threads, such as code snippets, images, audio and video messages, and links + +- App and bot data in Teams chats and Teams channels + +- Teams activity feed + +- Teams meeting recordings and transcripts + +- Voicemail + +- Files posted to Teams chats and Teams channels + - Customer-generated blob or structured storage data (for example, SQL Containers) - Customer-owned security information (for example, certificates, encryption keys, and passwords) Customer content is the data created by users of Microsoft 365 services and appl For more information about customer content in Office 365, see the [Office 365 Trust Center](https://products.office.com/business/office-365-trust-center-privacy/). -#### Who is notified when there is a request to access my content? +### Who is notified when there is a request to access my content? Global administrators and anyone assigned the Customer Lockbox access approver admin role are notified. These are also the same users who can approve for Customer Lockbox requests. -#### Who can approve or reject these requests in my organization? +### Who can approve or reject these requests in my organization? Global administrators and anyone assigned the Customer Lockbox access approver admin role can approve Customer Lockbox requests. Customers control these role assignments in their organizations. -#### How do I opt in to Customer Lockbox? +### How do I opt in to Customer Lockbox? -A global administrator can enable and configure Customer Lockbox in the Microsoft 365 or <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. +A global administrator can enable and configure Customer Lockbox in the Microsoft 365 admin center. -#### If I approve a Customer Lockbox request, what can the engineer do and how will I know what the Microsoft engineer did? +### If I approve a Customer Lockbox request, what can the engineer do and how will I know what the Microsoft engineer did? After you approve a Customer Lockbox request, the Microsoft engineer granted these necessary privileges to access customer content by using pre-approved cmdlets. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible in the audit log in the Security & Compliance Center. -#### How do I know that Microsoft follows the approval process? +### How do I know that Microsoft follows the approval process? You can cross-reference the email approval notifications sent to admins and approvers in your organization with the Customer Lockbox request history in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339). Customer Lockbox is included in the latest [SOC 1 SSAE 16 audit report](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide?command=Download&downloadType=Document&downloadId=91592749-e86a-43ac-801e-121382614681&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_SOC%20%2F%20SSAE%2016%20Reports). For more details, you can find the latest reports in the [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide?command=Download&downloadType=Document&downloadId=91592749-e86a-43ac-801e-121382614681&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_SOC%20%2F%20SSAE%2016%20Reports). -#### Can Microsoft modify the list of approvers for my tenant? If not, how is it prevented? +### Can Microsoft modify the list of approvers for my tenant? If not, how is it prevented? Only a global administrator in your organization can specify who can approve Customer Lockbox requests. That means only the members of the Global administrator group in Azure Active Directory can specify who can approve request. Membership of the Global administrator group in Azure Active Directory is managed only by your organization. -#### What if I need more information about a content access request to approve it? +### What if I need more information about a content access request to approve it? Each Customer Lockbox request contains a Microsoft 365 service request number. You can contact Microsoft Support and reference this service number to get more information about the request. -#### When a Customer Lockbox request is approved, how long are the permissions valid? +### When a Customer Lockbox request is approved, how long are the permissions valid? Currently, the maximum period for the access permissions granted to the Microsoft engineer is 4 hours. The Microsoft engineer can also request a shorter period. -#### How can I get a history of all Customer Lockbox requests? +### How can I get a history of all Customer Lockbox requests? All Customer Lockbox requests are viewed in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339). -#### How do I correlate the content access requests with the related audit logs? +### How do I correlate the content access requests with the related audit logs? The Compliance Center Activity Feed contains log activities of Customer Lockbox. Customers can cross-reference the Customer Lockbox log activities from the activity feed against the email request they receive. -#### What happens when a customer doesn't respond to a Customer Lockbox request? +### What happens when a customer doesn't respond to a Customer Lockbox request? Customer Lockbox requests have a default duration of 12 hours. If you don't respond to a request within 12 hour, the request expires. -#### What does Microsoft do when a customer rejects a Customer Lockbox request? +### What does Microsoft do when a customer rejects a Customer Lockbox request? If a customer rejects a Customer Lockbox request, no access to customer content occurs. If a user in your organization continues to experience a service issue requiring Microsoft to access customer content to resolve the issue, then the service issue might persist and Microsoft will inform the user about this. -#### How do I set up alerts whenever a request has been approved? +### How do I set up alerts whenever a request has been approved? There is no built-in option to alert administrators. However, administrators can set up alerts using [Microsoft Defender for Cloud Apps](/cloud-app-security/getting-started-with-cloud-app-security#to-create-policies). -#### Does Customer Lockbox protect against data requests from law enforcement agencies or other third parties? +### Does Customer Lockbox protect against data requests from law enforcement agencies or other third parties? No. Microsoft takes third-party requests for customer data seriously. As a cloud service provider, Microsoft always advocates for the privacy of customer data. In the event we get a subpoena, Microsoft always attempts to redirect the third party to the customer to obtain the information. (Read Brad Smith's blog: [Protecting customer data from government snooping](https://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/)). We periodically publish [detailed information](https://www.microsoft.com/corporate-responsibility/lerr) about the law enforcement requests that Microsoft receives. See the [Microsoft Trust Center](https://www.microsoft.com/trustcenter/default.aspx) regarding third-party data requests and the "Disclosure of Customer Data" section in the [Online Services Terms](https://www.microsoft.com/Licensing/product-licensing/products.aspx) for more information. -#### How does Microsoft ensure that a member of its staff doesn't have standing access to customer content in Office 365 applications? +### How does Microsoft ensure that a member of its staff doesn't have standing access to customer content in Office 365 applications? -Microsoft implements extensive preventive measures through access control systems, and detective measures to identify and address attempts to circumvent these access control systems. Microsoft 365 operates with the principles of least privilege and just-in-time access. Therefore, no Microsoft personnel have permission to access customer content on an ongoing basis. If permission is granted, it is for a limited duration. +Microsoft implements extensive preventive measures through access control systems, and detective measures to identify and address attempts to circumvent these access control systems. Microsoft 365 operates with the principles of least privilege and just-in-time access. Therefore, no Microsoft personnel have permission to access customer content on an ongoing basis. If permission is granted, it is for a limited duration. Microsoft 365 uses an access control system called Lockbox to process requests for permissions that grant the ability to perform operational and administrative functions within the service. An operator must request access to customer content using Lockbox, which then requires a second person to take action on the request (for example, approve it) before access is granted. That second person can't be the requestor and must be designated to approve access to customer content. Only if the request is approved does the operator acquire temporary access to customer content. After the elevation period expires, Lockbox revokes access. Refer to the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) for more details about Microsoft general security practices. -#### Under what circumstances do Microsoft engineers need access to my content? +### Under what circumstances do Microsoft engineers need access to my content? The most common scenario where Microsoft engineers need access customer content is when the customer makes a support request that requires access for troubleshooting. A foundational principle of Microsoft 365 is that the service operates without Microsoft access to customer content. Nearly all service operations performed by Microsoft are fully automated and human involvement is highly controlled and abstracted away from customer content. The goal for Microsoft 365 is access to customer content to support the service isn't needed until the customer approves a specific request for Microsoft access. -#### I already thought my data was secure with the Microsoft cloud, so why do I need Customer Lockbox? +### I already thought my data was secure with the Microsoft cloud, so why do I need Customer Lockbox? Customer Lockbox provides an extra layer of control by offering customers the ability to give explicit access authorization for service operations. By demonstrating that procedures are in place for explicit data access authorization, Customer Lockbox also helps customers meet certain compliance obligations such as HIPAA and FEDRAMP.
compliance	Dlp Chrome Get Started	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md	For detailed licensing guidance, see [Microsoft 365 licensing guidance for secur - Your org must be licensed for Endpoint DLP - Your devices must be running Windows 10 x64 build 1809 or later.-- The device must have Antimalware Client Version is 4.18.2101.9 or later. Check your current version by opening Windows Security app, select the Settings icon, and then select About. +- The device must have Antimalware Client Version is 4.18.2202.x or later. Check your current version by opening Windows Security app, select the Settings icon, and then select About. ### Permissions If you are rolling out the Microsoft Compliance Extension to all your monitored This is the recommended method. -1. Sign in to the Windows 10 computer on which you want to install the Microsoft Compliance Extension on, and run this PowerShell script as an administrator. +1. Navigate to [Microsoft Compliance Extension - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/microsoft-compliance-exte/echcggldkblhodogklpincgchnpgcdco). - ```powershell - Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" \| New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force - ``` - -2. Navigate to [Microsoft Compliance Extension - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/microsoft-compliance-exte/echcggldkblhodogklpincgchnpgcdco). - -3. Install the extension using the instructions on the Chrome Web Store page. +2. Install the extension using the instructions on the Chrome Web Store page. ### Deploy using Microsoft Endpoint Manager Use this setup method for organization-wide deployments. -##### Enabling Required Registry Value via Microsoft Endpoint Manager - -1. Create a PowerShell script with the following contents: - - ```powershell - Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" \| New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force - ``` - -2. Sign in to the [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com). - -3. Navigate to Devices > Scripts and select Add. - -4. Browse to the location of the script created when prompted. - -5. Select the following settings: - 1. Run this script using the logged-on credentials: NO - 1. Enforce script signature check: NO - 1. Run script in 64-bit PowerShell Host: YES - -6. Select the proper device groups and apply the policy. - #### Microsoft Endpoint Manager Force Install Steps Before adding the Microsoft Compliance Extension to the list of force-installed extensions, it is important to ingest the Chrome ADMX. Steps for this process in Microsoft Endpoint Manager are documented by Google: [Manage Chrome Browser with Microsoft Intune - Google Chrome Enterprise Help](https://support.google.com/chrome/a/answer/9102677?hl=en#zippy=%2Cstep-ingest-the-chrome-admx-file-into-intune). Before adding the Microsoft Compliance Extension to the list of force-installed ### Deploy using Group Policy -If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the Microsoft Compliance Extension across your organization - -1. Your devices must be manageable via Group Policy, and you need to import all Chrome ADMXs into the Group Policy Central Store. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). - -2. Create a PowerShell script using this PowerShell command: - - ```powershell - Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" \| New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force - ``` - -3. Open the Group Policy Management Console and navigate to your organizational unit (OU). - -4. Right-click and select Create a GPO in this domain and Link it here. When prompted, assign a descriptive name to this group policy object (GPO) and finish creating it. - -5. Right-click the GPO and select Edit. - -6. Go to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks. - -7. Create a new immediate task by selecting right-clicking and selecting New > Immediate Task (At least Windows 7). - -8. Give the task a name & description. - -9. Choose the corresponding account to run the immediate task, for example NT Authority - -10. Select Run with highest privileges. - -11. Configure the policy for Windows 10. - -12. In the Actions tab, select the action Start a program. - -13. Enter the path to the Program/Script created in Step 1. - -14. Select Apply. +If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the Microsoft Compliance Extension across your organization. #### Adding the Chrome Extension to the ForceInstall List
compliance	Dlp Teams Default Policy	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-teams-default-policy.md	description: "Learn about the default data loss prevention policy in Microsoft T [Data loss prevention](dlp-learn-about-dlp.md) capabilities have been extended to include Microsoft Teams chat and channel messages, including private channel messages. As a part of this release, we created a default DLP policy for Microsoft Teams for first-time customers to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft 365 compliance center</a>. -## Applies to - -Any tenant who is licensed with one or more of the below licenses and have active Teams users - -- ME5, -- MA5, -- E5/A5 Compliance, -- IP+G, -- OE5, -- O365 Advanced Compliance -- EMS E5 +## Licensing +For complete licensing information for DLP in Microsoft Teams, see [Information Protection: Data Loss Prevention for Teams](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-data-loss-prevention-for-teams). ## What does the default policy do?
contentunderstanding	Adoption Getstarted	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-getstarted.md	Title: "Microsoft SharePoint Syntex adoption: Get started" -description: Learn how to use and implement SharePoint Syntex in your organization to help you solve your business problems. -- + Title: Get started driving adoption of Microsoft SharePoint Syntex +description: Learn how to use and implement SharePoint Syntex in your organization to help you streamline your business processes. ++ Last updated audience: admin search.appverid: ms.localizationpriority: medium -# Microsoft SharePoint Syntex adoption: Get started +# Get started driving adoption of Microsoft SharePoint Syntex Think of the intelligent content services available in SharePoint Syntex as having three parts:
contentunderstanding	Adoption Scenarios	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-scenarios.md	When you automate this scenario, you can ensure that: ## See also -[Microsoft SharePoint Syntex adoption: Get started](adoption-getstarted.md) +[Get started driving adoption of SharePoint Syntex](adoption-getstarted.md)
contentunderstanding	Trial Syntex	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/trial-syntex.md	- admindeeplinkMAC search.appverid: ms.localizationpriority: medium -description: Learn how to plan and run a trial pilot program for SharePoint Syntex in your organization. +description: Learn how to plan, sign up, and run a trial pilot program for SharePoint Syntex in your organization. # Run a trial of Microsoft SharePoint Syntex
enterprise	Manage Skype For Business Online With Microsoft 365 Powershell	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell.md	Skype for Business Online administrators are responsible for managing policies. ## Before you start > [!NOTE] -> Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you're using the latest Teams PowerShell public release, you don't need to install the Skype for Business Online Connector. +> Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you're using the latest Teams PowerShell public release, you don't need to install the Skype for Business Online Connector. + +> [!NOTE] +> Skype for Business Online Admins can manage both Teams and Skype for Business Online app policies through PowerShell. Install the [Teams PowerShell module](/microsoftteams/teams-powershell-install).
security	Microsoft 365 Security For Bdm	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-security-for-bdm.md	This article is organized by priority of work, starting with protecting those ac Microsoft provides you with the Secure Score tool within your tenant to automatically analyze your security posture based on your regular activities, assign a score, and provide security improvement recommendations. Before taking the actions recommended in this article, take note of your current score and recommendations. The actions recommended in this article will increase your score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment in a way that does not negatively affect productivity for your users. See [Microsoft Secure Score](defender/microsoft-secure-score.md). One more thing before we get started . . . be sure to [turn on the audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). You'll need this data later, in the event you need to investigate an incident or a breach. As a first step, we recommend ensuring critical accounts in the environment are \|Configure and use Privileged Access Workstations (PAW) to administer services. Do not use the same workstations for browsing the Internet and checking email not related to your administrative account.\| !![green check mark.](../media/green-check-mark.png)\|![green check mark.](../media/green-check-mark.png)::: \| The following diagram illustrates these capabilities. Additional recommendations: Known threats include malware, compromised accounts, and phishing. Some protecti \|Block connections from countries that you don't do business with. Create an Azure AD conditional access policy to block any connections coming from these countries, effectively creating a geo firewall around your tenant.\| \|![green check mark.](../media/green-check-mark.png)\| The following diagram illustrates these capabilities.+ ## Protect against unknown threats After adding extra protections to your privileged accounts and protecting agains The following diagram illustrates these capabilities. :::image type="content" source="../media/m365-security-bdm-illustrations-unknown-threats.png" alt-text="An example of the capabilities offered by tools to protect against unknown threats" lightbox="../media/m365-security-bdm-illustrations-unknown-threats.png"::: + Additional recommendations: - Secure partner channel communications like Emails using TLS. While Microsoft takes every possible measure to prevent against threats and atta \|Use [AIP Scanner](/azure/information-protection/deploy-aip-scanner) to identify and classify information across servers and file shares. Use the AIP reporting tool to view the results and take appropriate actions.\| \|![green check mark.](../media/green-check-mark.png)\| The following diagram illustrates these capabilities. -![Recommended capabilities for protecting against breach.](../media/m365-security-bdm-illustrations-assume-breach.png) + ## Continuous monitoring and auditing Last but not least, Continuous Monitoring and Auditing of the Microsoft 365 envi \|Use Microsoft Defender for Cloud to monitor for threats across hybrid and cloud workloads. Microsoft Defender for Cloud includes a free tier of capabilities and a standard tier of capabilities that are paid for based on resource hours or transactions.\| \| \| The following diagram illustrates these capabilities.++ Top recommended monitoring actions:
security	Microsoft 365 Zero Trust	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-zero-trust.md	Microsoft 365 is built intentionally with many security and information protecti This illustration represents the work of deploying Zero Trust capabilities. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete. In this illustration: - Zero Trust begins with a foundation of identity and device protection. In this illustration: The first step is to build your Zero Trust foundation by configuring identity and device access protection. Go to [_Zero Trust identity and device access protection_](office-365-securi Start by implementing the starting-point tier. These policies do not require enrolling devices into management. ## Step 2. Manage endpoints with Intune Next, enroll your devices into management and begin protecting these with more sophisticated controls. Go to [_Manage devices with Intune_](../solutions/manage-devices-with-intune-overview.md) for prescriptive guidance to accomplish this. Go to [_Manage devices with Intune_](../solutions/manage-devices-with-intune With devices enrolled into management, you can now implement the full set of recommended Zero Trust identity and device access policies, requiring compliant devices. Return to [_Common identity and device access policies_](office-365-security/identity-access-policies.md) and add the policies in the Enterprise tier. ## Step 4. Evaluate, pilot, and deploy Microsoft 365 Defender Microsoft 365 Defender is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment, including endpoint, email, applications, and identities. Go to [_Evaluate and pilot Microsoft 365 Defender_](defender/eval-overview.md) for a methodical guide to piloting and deploying Microsoft 365 Defender components. Implement Microsoft Information Protection (MIP) to help you discover, classify, MIP capabilities are included with Microsoft 365 Compliance and give you the tools to know your data, protect your data, and prevent data loss. While this work is represented at the top of the deployment stack illustrated earlier in this article, you can begin this work anytime. Microsoft Information Protection provides a framework, process, and capabilities you can use to accomplish your specific business objectives. For more information on how to plan and deploy information protection, see [_Deploy a Microsoft Information Protection solution_](../compliance/information-protection-solution.md).
security	Active Content In Trusted Docs	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/active-content-in-trusted-docs.md	Previously, when users identified documents as trusted documents, their selectio The updated Trust Center logic is described in the following diagram: 1. A user opens an Office document that contains active content. 2. If the document is from a trusted location, the document is opened with the active content enabled. If the document is not from a trusted location, the evaluation continues. -3. This is where the updated behavior takes effect: +3. It is here the updated behavior takes effect: - Previously, the next evaluated setting would have been if the user had identified this document as a trusted document. If they did, the document would open with the active content enabled. - Now, whether or not the user identified the document as a trusted document is not considered here (now at step 8). - This is the fundamental change in behavior: cloud policies (step 4), group policies (step 6) and local settings (step 7) are checked _before_ the user designation of a trusted document is even considered. If any of those steps block access to the active content and none of the steps allow user overrides, then user identification of the document as a trusted document is basically irrelevant. + The fundamental change in behavior is described as follows: cloud policies (step 4), group policies (step 6), and local settings (step 7) are checked _before_ the user designation of a trusted document is even considered. If any of those steps block access to the active content and none of the steps allow user overrides, then user identification of the document as a trusted document is irrelevant. 4. Cloud policies are checked to see if this type of active content is allowed or blocked. If the active content is not blocked, the evaluation continues to step 6. Admins have many ways to configure Office in an organization. For example: ## Admin options for restricting active content -There's a big difference in the level of trust in internally created content vs. content that users download from the internet. Consider allowing active content in internal documents and globally not allowing active content in documents from the internet. +There's a large difference in the level of trust in internally created content vs. content that users download from the internet. Consider allowing active content in internal documents and globally not allowing active content in documents from the internet. If your users don't need specific types of active content, your most secure option is to use policies to turn off user access to that active content, and allow exceptions as needed. The following policies are available: - Turn off Trusted Documents: Exceptions for groups available. - Turn off all active content: Exceptions for individuals. -The tables in the following sections describe the settings that control active content. These policies, if applied to users, will be enforced on trusted documents, and the previous end user experience might not be the same. The tables also include the recommended security baselines setting, and identify other settings where the user prompt to override is available (allowing the user to enable the active content). +The tables in the following sections describe the settings that control active content. These policies, if applied to users, will be enforced on trusted documents, and the previous end-user experience might not be the same. The tables also include the recommended security baselines setting, and identify other settings where the user prompt to override is available (allowing the user to enable the active content). ### HKEY_CURRENT_USER settings The tables in the following sections describe the settings that control active c \|Macros\|Excel\|Scan encrypted macros in Excel Open XML workbooks\|Scan encrypted macros (default)\|No\| \|Macros\|Office\|Allow VBA to load typelib references by path from untrusted intranet locations\|Disabled\|No\| \|Macros\|Office\|Automation Security\|Use application macro security level\|No\| -\|Macros\|Office\|Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine\|Disabled\|No\| +\|Macros\|Office\|Disable other security checks on VBA library references that may refer to unsafe locations on the local machine\|Disabled\|No\| \|Macros\|Office\|Macro Runtime Scan Scope\|Enable for all documents\|No\| \|Macros\|Office\|Only trust VBA macros that use V3 signatures\|Not a security baseline setting.\|No\| \|Macros\|Outlook\|Outlook Security Mode\|Use Outlook Security Group Policy\|Required to enable all Outlook GPO settings. <p> Mentioned as a dependency (this policy doesn't block active content itself).\| The tables in the following sections describe the settings that control active c \|\|\|\|\|\| \|ActiveX\|Office\|Restrict ActiveX Install\|excel.exe = True <p> exprwd.exe = True <p> groove.exe = True <p> msaccess.exe = True <p> mse7.exe = True <p> mspub.exe = True <p> onent.exe = True <p> outlook.exe = True <p> powerpnt.exe = True <p> pptview.exe = True <p> spDesign.exe = True <p> visio.exe = True <p> winproj.exe = True <p> winword.exe = True\|No\| \|Add-ins & Extensibility\|Office\|Add-on Management\|excel.exe = True <p> exprwd.exe = True <p> groove.exe = True <p> msaccess.exe = True <p> mse7.exe = True <p> mspub.exe = True <p> onent.exe = True <p> outlook.exe = True <p> powerpnt.exe = True <p> pptview.exe = True <p> spDesign.exe = True <p> visio.exe = True <p> winproj.exe = True <p> winword.exe = True\|No\| -\|Add-ins & Extensibility\|Office\|Block Flash activation in Office documents\|See the Microsoft Security Guide ADMX/ADML files for a list of COM killbits to block all activation for Flash in Microsoft 365 apps. The ADMX/ADML files for enterprise Security Baselines are available in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319).\|No\| +\|Add-ins & Extensibility\|Office\|Block Flash activation in Office documents\|See the Microsoft Security Guide ADMX/ADML files for a list of COM killbits to block all activation for Flash at Microsoft 365 apps. The ADMX/ADML files for enterprise Security Baselines are available in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319).\|No\| \|Jscript & VBScript\|Office\|Restrict legacy JScript execution for Office\|Enabled: <p> Access: 69632 <p> Excel: 69632 <p> OneNote: 69632 <p> Outlook: 69632 <p> PowerPoint: 69632 <p> Project: 69632 <p> Publisher: 69632 <p> Visio: 69632 <p> Word: 69632\|No\| \|Jscript & VBScript\|Office\|Scripted Window Security Restrictions\|excel.exe = True <p> exprwd.exe = True <p> groove.exe = True <p> msaccess.exe = True <p> mse7.exe = True <p> mspub.exe = True <p> onent.exe = True <p> outlook.exe = True <p> powerpnt.exe = True <p> pptview.exe = True <p> spDesign.exe = True <p> visio.exe = True <p> winproj.exe = True <p> winword.exe = True\|No\| \|
security	Advanced Features	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md	Title: Configure advanced features in Microsoft Defender for Endpoint description: Turn on advanced features such as block file in Microsoft Defender for Endpoint. -keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, microsoft defender for identity, office 365, azure information protection, intune +keywords: advanced features, settings, block file, automated investigation, auto resolve, skype, microsoft defender for identity, office 365, azure information protection, intune ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library Enabling this feature allows you to run unsigned scripts in a live response sess Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software, which might be unexpected or unwanted. -Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This will help protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration. +Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This activation of the feature helps to protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration. ## Restrict correlation to within scoped device groups -This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization. +This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross-device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization. > [!NOTE] > Changing this setting impacts future alert correlations only. Endpoint detection and response (EDR) in block mode provides protection from mal ## Autoresolve remediated alerts -For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. +For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto resolved, you'll need to manually turn off the feature. > [!TIP] > For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://security.microsoft.com//preferences2/integration) page. To turn Allow or block files on: 1. Toggle the setting between On and Off. - :::image type="content" source="../../media/alloworblockfile.png" alt-text="Image of advanced settings for block file feature."::: + :::image type="content" source="../../media/alloworblockfile.png" alt-text="The Endpoints screen" lightbox="../../media/alloworblockfile.png"::: 1. Select Save preferences at the bottom of the page. For more information, see [Investigate a user account](investigate-user.md). ## Skype for Business integration -Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. +Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This activation can be handy when you need to communicate with the user and mitigate risks. > [!NOTE] > When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode. Defender for Endpoint can be integrated with [Microsoft Intune](/intune/what-is- > [!IMPORTANT] > You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). -This feature is only available if you've the following: +This feature is only available if you've the following prerequisites: - A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5) - An active Microsoft Intune environment, with Intune-managed Windows devices [Azure AD-joined](/azure/active-directory/devices/concept-azure-ad-join/).
security	Advanced Hunting Schema Reference	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference.md	While constructing queries, use the built-in schema reference to quickly get the - Tables description: Type of data contained in the table and the source of that data. - Columns: All the columns in the table.-- Action types: Possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information. +- Action types: Possible values in the `ActionType` column representing the event types supported by the table. These values are provided only for tables that contain event information. - Sample query: Example queries that feature how the table can be utilized. ### Access the schema reference To quickly access the schema reference, select the View reference action next to the table name in the schema representation. You can also select Schema reference to search for a table. -![Image showing how to access in-portal schema reference.](images/ah-reference.png) ## Learn the schema tables Table and column names are also listed within the Microsoft 365 Defender portal, \| > [!TIP] -> Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable). +> Use [advanced hunting at Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable). Learn more about how to move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-migrate-from-mde).
security	Alerts Queue	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md	ms.technology: mde > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-alertsq-abovefoldlink) -The Alerts shows a list of alerts that were flagged from devices in your network. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. +The Alerts queue shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are shown at the top of the list helping you see the most recent alerts first. > [!NOTE] > The alerts are significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). On the top navigation you can: - Export the alerts list to excel - Manage Alerts ## Sort and filter alerts You can apply the following filters to limit the list of alerts and get a more f ### Severity -You can filter the alerts based on their Severity. - -\|Alert severity\|Description\| -\|\|\| -\|High <br> (Red)\|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.\| -\|Medium <br> (Orange)\|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.\| -\|Low <br> (Yellow)\|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.\| -\|Informational <br> (Grey)\|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.\| +Alert severity\|Description +\| +High <br> (Red)\|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. +Medium <br> (Orange)\|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). These behaviors include observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack. +Low <br> (Yellow)\|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization. +Informational <br> (Grey)\|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues. #### Understanding alert severity The Defender for Endpoint alert severity represents the severity of the detected So, for example: -- The severity of a Defender for Endpoint alert about a Microsoft Defender Antivirus detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. +- The severity of a Defender for Endpoint alert about a Microsoft Defender Antivirus detected threat that was prevented and did not infect the device is categorized as "Informational" because there was no actual damage. - An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. You can filter the alerts based on Tags assigned to alerts. You can filter the alerts based on the following policies: -- Activity from infrequent country-- Admin Submission Result Completed-- Admin triggered manual investigation of email-- Admin triggered user compromise investigation-- Anomalous Token -- Atypical travel-- Creation of forwarding/redirect rule-- Email messages containing malicious URL removed after delivery-- Email messages containing malicious file removed after delivery-- Email reported by user as malware or phish-- Password Spray-- Remediation action taken by admin on emails or URL or sender-- Suspicious service creation -- Unfamiliar sign-in properties +\|Detection source\|API value\| +\|\|\| +\|Third-party sensors\|ThirdPartySensors\| +\|Antivirus\|WindowsDefenderAv\| +\|Automated investigation\|AutomatedInvestigation\| +\|Custom detection\|CustomDetection\| +\|Custom TI\|CustomerTI\| +\|EDR\|WindowsDefenderAtp\| +\|Microsoft 365 Defender\|MTP\| +\|Microsoft Defender for Office 365\|OfficeATP\| +\|Microsoft Threat Experts\|ThreatExperts\| +\|SmartScreen\|WindowsDefenderSmartScreen\| ### Entities
security	Analyzer Feedback	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-feedback.md	ms.technology: m365d - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) -If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, please use the following link to submit feedback: +If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, use either of these options to submit feedback: -Microsoft 365 Defender portal (security.microsoft.com): +1. Microsoft 365 Defender portal (security.microsoft.com): -![Image of give feedback button.](images/1d5b3c010b4b5c0e9d5eb43f71fa95e3.png) + +2. Microsoft 365 Defender portal (security.microsoft.com): +
security	Analyzer Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-report.md	Use the following example to understand the report. Example output from the analyzer on a machine onboarded to expired Org ID and failing to reach one of the required Microsoft Defender for Endpoint URLs: -![Image of client analyzer result.](images/147cbcf0f7b6f0ff65d200bf3e4674cb.png) - On top, the script version and script runtime are listed for reference - The Device Information section provides basic OS and device identifiers to uniquely identify the device on which the analyzer has run. - The Endpoint Security Details provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected, the color will change to red.- - ![Image of client analyzer detailed result](images/85f56004dc6bd1679c3d2c063e36cb80.png) - + - The Endpoint Security Details provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected, the color will change to red. - ![Image of client analyzer detailed result.](images/85f56004dc6bd1679c3d2c063e36cb80.png) + :::image type="content" source="images/85f56004dc6bd1679c3d2c063e36cb80.png" alt-text="The Check Results Summary page" lightbox="images/85f56004dc6bd1679c3d2c063e36cb80.png"::: -- On Check Results Summary you'll have an aggregated count for error, +- On Check Results Summary, you'll have an aggregated count for error, warning, or informational events detected by the analyzer. -- On Detailed Results you'll see a list (sorted by severity) with +- On Detailed Results, you'll see a list (sorted by severity) with the results and the guidance based on the observations made by the analyzer. ## Open a support ticket to Microsoft and include the Analyzer results Use the following example to understand the report. To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the Attachments section and include the `MDEClientAnalyzerResult.zip` file: -![Image of attachment prompt.](images/508c189656c3deb3b239daf811e33741.png) > [!NOTE] > If the file size is larger than 25 MB, the support engineer assigned to your case will provide a dedicated secure workspace to upload large files for analysis.
security	Android Configure Mam	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md	ms.technology: mde Microsoft Defender for Endpoint on Android, which already protects enterprise users on Mobile Device Management (MDM) scenarios, now extends support to Mobile App Management (MAM), for devices that are not enrolled using Intune mobile device management (MDM). It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for mobile application management (MAM).This capability allows you to manage and protect your organization's data within an application. -Microsoft Defender for Endpoint on Android threat information is leveraged by Intune App Protection Policies to protect these apps. App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A managed application has app protection policies applied to it and can be managed by Intune. +Microsoft Defender for Endpoint on Android threat information is applied by Intune App Protection Policies to protect these apps. App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A managed application has app protection policies applied to it and can be managed by Intune. Microsoft Defender for Endpoint on Android supports both the configurations of MAM - Intune MDM + MAM: IT administrators can only manage apps using App Protection Policies on devices that are enrolled with Intune mobile device management (MDM).-- MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using [App Protection Policies](/mem/intune/app/app-protection-policy) on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers. +- MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using [App Protection Policies](/mem/intune/app/app-protection-policy) on devices not enrolled with Intune MDM. This provision means that apps can be managed by Intune on devices enrolled with third-party EMM providers. To manage apps using in both the above configurations customers should use Intune in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) To enable this capability an administrator needs to configure the connection between Microsoft Defender for Endpoint and Intune, create the app protection policy, and apply the policy on targeted devices and applications. End users also need to take steps to install Microsoft Defender for Endpoint on c. If the connection is not turned on, select the toggle to turn it on and then select Save Preferences. - ![Image of Defender for Endpoint -Intune connector](images/enable-intune-connection.png) + :::image type="content" source="images/enable-intune-connection.png" alt-text="The Advanced features section in the Microsoft 365 Defender portal" lightbox="images/enable-intune-connection.png"::: d. Go to Microsoft Endpoint Manager (Intune) and Validate whether Microsoft Defender for Endpoint-Intune connector is enabled. - ![Image of Defender for Endpoint-Intune connector in Intune](images/validate-intune-connector.png) + :::image type="content" source="images/validate-intune-connector.png" alt-text="The intune-connector status pane in the Microsoft 365 Defender portal" lightbox="images/validate-intune-connector.png"::: - Enable Microsoft Defender for Endpoint on Android Connector for App Protection Policy (APP) End users also need to take steps to install Microsoft Defender for Endpoint on c. Select Save. - ![App settings](images/app-settings.png) + :::image type="content" source="images/app-settings.png" alt-text="The application settings pane in the Microsoft 365 Defender portal" lightbox="images/app-settings.png"::: - Create an app protection policy Microsoft Defender for Endpoint can be configured to send threat signals to be u 1. Create a policy <br> App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. -![Image of policy creation](images/create-policy.png) 2. Add apps <br> a. Choose how you want to apply this policy to apps on different devices. Then add at least one app. <br> - Use this option to specify whether this policy applies to unmanaged devices. In case of Android, you can specify the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state. + Use this option to specify whether this policy applies to unmanaged devices. In Android, you can specify the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state. Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management. Companies can use app protection policies with or without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by app protection policies while the personal device is protected by app protection policies only. b. Select Apps<br> Because mobile app management doesn't require device management, you can protect Example: Outlook as a managed app - ![Image Outlook as managed app](images/managed-app.png) + :::image type="content" source="images/managed-app.png" alt-text="The Public apps pane in the Microsoft 365 Defender portal" lightbox="images/managed-app.png"::: + 3. Set sign-in security requirements for your protection policy. <br> Select Setting > Max allowed device threat level in Device Conditions and enter a value. Then select Action: "Block Access". Microsoft Defender for Endpoint on Android shares this Device Threat Level. - ![Image of conditional launch](images/conditional-launch.png) -- + :::image type="content" source="images/conditional-launch.png" alt-text="The Device conditions pane in the Microsoft 365 Defender portal" lightbox="images/conditional-launch.png"::: + - Assign user groups for whom the policy needs to be applied.<br> Select Included groups. Then add the relevant groups. - ![Image of assigments](images/assignment.png) + :::image type="content" source="images/assignment.png" alt-text="The Included groups pane in the Microsoft 365 Defender portal" lightbox="images/assignment.png"::: -## End user prerequisites -- The broker app needs to be installed +## End-user prerequisites +- The broker app must be installed - Intune Company Portal -- Users have the required licenses for the managed app and has the app installed +- Users have the required licenses for the managed app and have the app installed -### End user onboarding +### End-user onboarding 1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state. Select Setting > Max allowed device threat level in Device Conditions an 4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen. - ![Install MDE and launch back managed app onboarding screen](images/download-mde.png) + :::image type="content" source="images/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen" lightbox="images/download-mde.png"::: + 5. Click Continue > Launch. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You will automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.
security	Android Intune	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md	Learn how to deploy Defender for Endpoint on Android on Intune Company Portal - 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to Apps \> Android Apps \> Add \> Android store app and choose Select. - :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center add android store application." source="images/mda-addandroidstoreapp.png" lightbox="images/mda-addandroidstoreapp.png"::: + :::image type="content" source="images/mda-addandroidstoreapp.png" alt-text="The Add Android store application pane in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/mda-addandroidstoreapp.png"::: 2. On the Add app page and in the App Information section enter: Learn how to deploy Defender for Endpoint on Android on Intune Company Portal - Other fields are optional. Select Next. - :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center add app info." source="images/mda-addappinfo.png" lightbox="images/mda-addappinfo.png"::: + :::image type="content" source="images/mda-addappinfo.png" alt-text=" The Add App page displaying the application's publisher and URL information in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/mda-addappinfo.png"::: 3. In the Assignments section, go to the Required section and select Add group. You can then choose the user group(s) that you would like to target Defender for Endpoint on Android app. Choose Select and then Next. > [!NOTE] > The selected user group should consist of Intune enrolled users. > - > :::image type="content" alt-text="Image of the Microsoft Endpoint Manager Admin Center selected user groups." source="images/363bf30f7d69a94db578e8af0ddd044b.png" lightbox="images/363bf30f7d69a94db578e8af0ddd044b.png"::: + > :::image type="content" source="images/363bf30f7d69a94db578e8af0ddd044b.png" alt-text="The Add group pane in the Add App page in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/363bf30f7d69a94db578e8af0ddd044b.png"::: 4. In the Review+Create section, verify that all the information entered is correct and then select Create. In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page. - :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center notification of Defender for Endpoint app." source="images/86cbe56f88bb6e93e9c63303397fc24f.png" lightbox="images/86cbe56f88bb6e93e9c63303397fc24f.png"::: + :::image type="content" source="images/86cbe56f88bb6e93e9c63303397fc24f.png" alt-text="The application status pane in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/86cbe56f88bb6e93e9c63303397fc24f.png"::: 5. In the app information page that is displayed, in the Monitor section, select Device install status to verify that the device installation has completed successfully. - :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center device install." source="images/513cf5d59eaaef5d2b5bc122715b5844.png" lightbox="images/513cf5d59eaaef5d2b5bc122715b5844.png"::: + :::image type="content" source="images/513cf5d59eaaef5d2b5bc122715b5844.png" alt-text="The Device install status page in the Microsoft Defender 365 portal" lightbox="images/513cf5d59eaaef5d2b5bc122715b5844.png"::: ### Complete onboarding and check status 1. Once Defender for Endpoint on Android has been installed on the device, you'll see the app icon. - ![Icon on mobile device.](images/7cf9311ad676ec5142002a4d0c2323ca.jpg) + :::image type="content" source="images/7cf9311ad676ec5142002a4d0c2323ca.jpg" alt-text="The Microsoft Defender ATP icon listed in the Search pane" lightbox="images/7cf9311ad676ec5142002a4d0c2323ca.jpg"::: 2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen instructions to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint on Android. 3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft 365 Defender portal. - :::image type="content" alt-text="Image of device in Defender for Endpoint portal." source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png"::: + :::image type="content" source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="A device in the Microsoft Defender for Endpoint portal" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png"::: ## Deploy on Android Enterprise enrolled devices Follow the steps below to add Microsoft Defender for Endpoint app into your mana 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to Apps \> Android Apps \> Add and select Managed Google Play app. - :::image type="content" alt-text="Image of Microsoft Endpoint Manager admin center managed google play." source="images/579ff59f31f599414cedf63051628b2e.png" lightbox="images/579ff59f31f599414cedf63051628b2e.png"::: + :::image type="content" source="images/579ff59f31f599414cedf63051628b2e.png" alt-text="The application-adding pane in the Microsoft Endpoint Manager admin center portal" lightbox="images/579ff59f31f599414cedf63051628b2e.png"::: 2. On your managed Google Play page that loads subsequently, go to the search box and enter `Microsoft Defender`. Your search should display the Microsoft Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result. - ![Image of Microsoft Endpoint Manager admin center Apps search.](images/0f79cb37900b57c3e2bb0effad1c19cb.png) + :::image type="content" source="images/0f79cb37900b57c3e2bb0effad1c19cb.png" alt-text="The Managed Google Play page in the Microsoft Endpoint Manager admin center portal" lightbox="images/0f79cb37900b57c3e2bb0effad1c19cb.png"::: 3. In the App description page that comes up next, you should be able to see app details on Defender for Endpoint. Review the information on the page and then select Approve. > [!div class="mx-imgBorder"] - > ![A screenshot of a Managed Google Play.](images/07e6d4119f265037e3b80a20a73b856f.png) + > :::image type="content" source="images/07e6d4119f265037e3b80a20a73b856f.png" alt-text="The page of Managed Google Play in the Microsoft Endpoint Manager admin center portal" lightbox="images/07e6d4119f265037e3b80a20a73b856f.png"::: + 4. You'll be presented with the permissions that Defender for Endpoint obtains for it to work. Review them and then select Approve. - ![A screenshot of Defender for Endpoint preview app approval.](images/206b3d954f06cc58b3466fb7a0bd9f74.png) + :::image type="content" source="images/206b3d954f06cc58b3466fb7a0bd9f74.png" alt-text="The permissions approval page in the Microsoft Defender 365 portal" lightbox="images/206b3d954f06cc58b3466fb7a0bd9f74.png"::: 5. You'll be presented with the Approval settings page. The page confirms your preference to handle new app permissions that Defender for Endpoint on Android might ask. Review the choices and select your preferred option. Select Done. By default, managed Google Play selects Keep approved when app requests new permissions. > [!div class="mx-imgBorder"] - > ![Image of notifications tab.](images/ffecfdda1c4df14148f1526c22cc0236.png) + > :::image type="content" source="images/ffecfdda1c4df14148f1526c22cc0236.png" alt-text=" The approval settings configuration completion page in the in the Microsoft Defender 365 portal" lightbox="images/ffecfdda1c4df14148f1526c22cc0236.png"::: 6. After the permissions handling selection is made, select Sync to sync Microsoft Defender for Endpoint to your apps list. > [!div class="mx-imgBorder"] - > ![Image of sync page.](images/34e6b9a0dae125d085c84593140180ed.png) + > :::image type="content" source="images/34e6b9a0dae125d085c84593140180ed.png" alt-text="The Sync pane in the Microsoft Defender 365 portal" lightbox="images/34e6b9a0dae125d085c84593140180ed.png"::: 7. The sync will complete in a few minutes. - :::image type="content" alt-text="Image of Android app." source="images/9fc07ffc150171f169dc6e57fe6f1c74.png" lightbox="images/9fc07ffc150171f169dc6e57fe6f1c74.png"::: + :::image type="content" source="images/9fc07ffc150171f169dc6e57fe6f1c74.png" alt-text="The application sync status pane in the Android apps page in the Microsoft Defender 365 portal" lightbox="images/9fc07ffc150171f169dc6e57fe6f1c74.png"::: 8. Select the Refresh button in the Android apps screen and Microsoft Defender for Endpoint should be visible in the apps list. - :::image type="content" alt-text="Image of list of Android apps." source="images/fa4ac18a6333335db3775630b8e6b353.png" lightbox="images/fa4ac18a6333335db3775630b8e6b353.png"::: + :::image type="content" source="images/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="images/fa4ac18a6333335db3775630b8e6b353.png"::: 9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). 1. In the Apps page, go to Policy > App configuration policies > Add > Managed devices. - :::image type="content" alt-text="Image of Microsoft Endpoint Manager admin center android managed devices." source="images/android-mem.png"::: + :::image type="content" source="images/android-mem.png" alt-text="The App configuration policies pane in the Microsoft Endpoint Manager admin center portal" lightbox="images/android-mem.png"::: 1. In the Create app configuration policy page, enter the following details: Follow the steps below to add Microsoft Defender for Endpoint app into your mana - Choose Work Profile only as Profile Type. - Click Select App, choose Microsoft Defender ATP, select OK and then Next. - :::image type="content" alt-text="Image of create app configuration policy page." source="images/android-create-app.png" lightbox="images/android-create-app.png"::: + :::image type="content" source="images/android-create-app.png" alt-text=" The Associated app details pane" lightbox="images/android-create-app.png"::: 1. In the Settings page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions: Follow the steps below to add Microsoft Defender for Endpoint app into your mana Then select OK. - :::image type="content" alt-text="Image of android create app configuration policy." source="images/android-create-app-config.png" lightbox="images/android-create-app-config.png"::: + :::image type="content" source="images/android-create-app-config.png" alt-text="The Add permissions pane" lightbox="images/android-create-app-config.png"::: 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the Permission state drop-down and then select Next. - :::image type="content" alt-text="Image of android auto grant create app configuration policy." source="images/android-auto-grant.png" lightbox="images/android-auto-grant.png"::: + :::image type="content" source="images/android-auto-grant.png" alt-text="The Permission state pane" lightbox="images/android-auto-grant.png"::: 1. In the Assignments page, select the user group to which this app config policy would be assigned to. Click Select groups to include and selecting the applicable group and then selecting Next. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. - :::image type="content" alt-text="Image of the create app configuration policy." source="images/android-select-group.png" lightbox="images/android-select-group.png"::: + :::image type="content" source="images/android-select-group.png" alt-text="The Selected groups pane" lightbox="images/android-select-group.png"::: 1. In the Review + Create page that comes up next, review all the information and then select Create. The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group. > [!div class="mx-imgBorder"] - > ![Image of android review create app config policy.](images/android-review-create.png) + > :::image type="content" source="images/android-review-create.png" alt-text="The Review + create tab in the Create app configuration policy page" lightbox="images/android-review-create.png"::: 10. Select Microsoft Defender ATP app in the list \> Properties \> Assignments \> Edit. - :::image type="content" alt-text="Image of list of apps." source="images/mda-properties.png" lightbox="images/mda-properties.png"::: + :::image type="content" source="images/mda-properties.png" alt-text="The Edit option on the Properties page" lightbox="images/mda-properties.png"::: 11. Assign the app as a Required app to a user group. It is automatically installed in the work profile during the next sync of the device via Company Portal app. This assignment can be done by navigating to the Required section \> Add group, selecting the user group and click Select. > [!div class="mx-imgBorder"] - > ![Image of edit application page.](images/ea06643280075f16265a596fb9a96042.png) + > :::image type="content" source="images/ea06643280075f16265a596fb9a96042.png" alt-text="The Edit application page" lightbox="images/ea06643280075f16265a596fb9a96042.png"::: 12. In the Edit Application page, review all the information that was entered above. Then select Review + Save and then Save again to commence assignment. Defender for Endpoint supports Device configuration policies for managed devices Select Create. - :::image type="content" alt-text="Image of devices configuration profile Create." source="images/1autosetupofvpn.png"::: + :::image type="content" source="images/1autosetupofvpn.png" alt-text="The Configuration profiles menu item in the Policy pane" lightbox="images/1autosetupofvpn.png"::: 2. Configuration Settings Provide a Name and a Description to uniquely identify the configuration profile. - :::image type="content" alt-text="Image of devices configuration profile Name and Description." source="images/2autosetupofvpn.png"::: + :::image type="content" source="images/2autosetupofvpn.png" alt-text="The devices configuration profile Name and Description fields in the Basics pane" lightbox="images/2autosetupofvpn.png"::: 3. Select Connectivity and configure VPN: - Enable Always-on VPN - Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. + Set up a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. - Select Custom in VPN client dropdown list Defender for Endpoint supports Device configuration policies for managed devices - Lockdown mode Not configured (Default) - ![Image of devices configuration profile enable Always-on VPN.](images/3autosetupofvpn.png) - :::image type="content" alt-text="Image of devices configuration profile enable Always-on VPN." source="images/3autosetupofvpn.png"::: + :::image type="content" source="images/3autosetupofvpn.png" alt-text="The Connectivity pane under the Configuration settings tab" lightbox="images/3autosetupofvpn.png"::: 4. Assignment In the Assignments page, select the user group to which this app config policy would be assigned to. Choose Select groups to include and selecting the applicable group and then select Next. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. - ![Image of devices configuration profile Assignment.](images/4autosetupofvpn.png) + :::image type="content" source="images/4autosetupofvpn.png" alt-text="The devices configuration profile Assignment pane in the Device restrictions" lightbox="images/4autosetupofvpn.png"::: 5. In the Review + Create page that comes up next, review all the information and then select Create. The device configuration profile is now assigned to the selected user group. - ![Image of devices configuration profile Review and Create.](images/5autosetupofvpn.png) + :::image type="content" source="images/5autosetupofvpn.png" alt-text="A devices configuration profile 's provision for Review + create" lightbox="images/5autosetupofvpn.png"::: ## Check status and complete onboarding 1. Confirm the installation status of Microsoft Defender for Endpoint on Android by clicking on the Device Install Status. Verify that the device is displayed here. > [!div class="mx-imgBorder"] - > ![Image of device installation status.](images/900c0197aa59f9b7abd762ab2b32e80c.png) + > :::image type="content" source="images/900c0197aa59f9b7abd762ab2b32e80c.png" alt-text="The device installation status pane" lightbox="images/900c0197aa59f9b7abd762ab2b32e80c.png"::: 2. On the device, you can validate the onboarding status by going to the work profile. Confirm that Defender for Endpoint is available and that you are enrolled to the Personally owned devices with work profile. If you are enrolled to a Corporate-owned, fully managed user device, you will have a single profile on the device where you can confirm that Defender for Endpoint is available. - ![Image of app in mobile device.](images/c2e647fc8fa31c4f2349c76f2497bc0e.png) + :::image type="content" source="images/c2e647fc8fa31c4f2349c76f2497bc0e.png" alt-text="The application display pane" lightbox="images/c2e647fc8fa31c4f2349c76f2497bc0e.png"::: 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - ![Image of mobile device with Microsoft Defender for Endpoint app](images/MDE_new.png) + :::image type="content" source="images/MDE_new.png" alt-text="Th display of a Microsoft Defender for Endpoint application on a mobile device" lightbox="images/MDE_new.png"::: 4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the [Microsoft 365 Defender portal](https://security.microsoft.com) by navigating to the Device Inventory page. - :::image type="content" alt-text="Image of Microsoft Defender for Endpoint portal." source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png"::: + :::image type="content" source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="The Microsoft Defender for Endpoint portal" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png"::: ## Related topics
security	Android Support Signin	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md	This article provides solutions to help address the sign-on issues. Sign in failed: Unexpected error, try later Message: from Google Play Store and try again. Sign in failed: Invalid license, please contact administrator Message: Invalid license, please contact administrator Phishing websites impersonate trustworthy websites for the purpose of obtaining Phishing and harmful web threats that are detected by Defender for Endpoint for Android are not blocked on some Xiaomi devices. The following functionality doesn't work on these devices. -![Image of site reported unsafe.](images/0c04975c74746a5cdb085e1d9386e713.png) Cause: Xiaomi devices include a new permission model. This prevents Defender for Endpoi Xiaomi devices permission: "Display pop-up windows while running in the background." -![Image of pop up setting.](images/6e48e7b29daf50afddcc6c8c7d59fd64.png) Solution: Users can follow these steps to enable the same permissions from the device sett 2. Search for and select Battery Optimization. - ![Search for and select "Battery Optimisation".](images/search-battery-optimisation.png) + :::image type="content" source="images/search-battery-optimisation.png" alt-text="The page on which you can search and select Battery Optimisation" lightbox="images/search-battery-optimisation.png"::: 3. In Special app access, select Battery Optimization. - ![In Special app access, select "Battery Optimisation".](images/special-app-access.png) + :::image type="content" source="images/special-app-access.png" alt-text="The Special app access pane from which you can select Battery Optimisation" lightbox="images/special-app-access.png"::: 4. Change the Dropdown to show All Apps. - ![Step one to change the dropdown to show "All Apps".](images/show-all-apps-2.png) + :::image type="content" source="images/show-all-apps-2.png" alt-text="The drop-down from which you can change the value to All Apps under the Battery Optimisation pane" lightbox="images/show-all-apps-2.png"::: - ![Step two to change dropdown to show "All Apps".](images/show-all-apps-1.png) + :::image type="content" source="images/show-all-apps-1.png" alt-text="The drop-down that displays the All Apps option under the Battery Optimisation pane" lightbox="images/show-all-apps-1.png"::: 5. Locate ΓÇ£Microsoft Defender for EndpointΓÇ¥ and select DonΓÇÖt Optimize. - ![Locate "Microsoft Defender for Endpoint" and select "Don't Optimize".](images/select-dont-optimise.png) + :::image type="content" source="images/select-dont-optimise.png" alt-text="The page that enables location of the option Microsoft Defender for Endpoint and selection of Don't Optimize" lightbox="images/select-dont-optimise.png"::: Return to the Microsoft Defender for Endpoint onboarding screen, select Allow, and you will be redirected to the dashboard screen. If a user faces an issue which is not already addressed in the above sections or 1. Open the MDE application on your device and click on the profile icon in the top-left corner. - :::image type="content" alt-text="Click on profile icon." source="images/select-profile-icon-1.jpg"::: + :::image type="content" source="images/select-profile-icon-1.jpg" alt-text="The profile icon in the Microsoft Defender for Endpoint portal" lightbox="images/select-profile-icon-1.jpg"::: 2. Select ΓÇ£Help & feedbackΓÇ¥. - :::image type="content" alt-text="Select help and feedback." source="images/selecthelpandfeedback2.png"::: + :::image type="content" source="images/selecthelpandfeedback2.png" alt-text="The Help & feedback option that can be selected in the Microsoft Defender for Endpoint portal" lightbox="images/selecthelpandfeedback2.png"::: 3. Select ΓÇ£Send feedback to MicrosoftΓÇ¥. - :::image type="content" alt-text="Select send feedback to Microsoft." source="images/send-feedback-to-microsoft-3.jpg"::: + :::image type="content" alt-text="Select send feedback to Microsoft" source="images/send-feedback-to-microsoft-3.jpg"::: 4. Choose from the given options. To report an issue, select ΓÇ£I want to report an issueΓÇ¥. - :::image type="content" alt-text="Report an issue." source="images/report-issue-4.jpg"::: + :::image type="content" source="images/report-issue-4.jpg" alt-text="The I want to report an issue option" lightbox="images/report-issue-4.jpg"::: 5. Provide details of the issue that you are facing and check ΓÇ£Send diagnostic dataΓÇ¥. We recommend checking ΓÇ£Include your email addressΓÇ¥ so that the team can reach back to you with a solution or a follow-up. - :::image type="content" alt-text="Add details and attach diagnostic data." source="images/finalsubmit5.png"::: + :::image type="content" source="images/finalsubmit5.png" alt-text="The pane on which you can add details and attach diagnostic data" lightbox="images/finalsubmit5.png"::: 6. Click on ΓÇ£SubmitΓÇ¥ to successfully send the feedback.
security	Api Hello World	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-hello-world.md	For the Application registration stage, you must have a Global administrator 2. Navigate to Azure Active Directory \> App registrations \> New registration. - :::image type="content" alt-text="Image of Microsoft Azure and navigation to application registration." source="images/atp-azure-new-app2.png" lightbox="images/atp-azure-new-app2.png"::: + :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The App registrations option under the Manage pane in the Azure Active Directory portal" lightbox="images/atp-azure-new-app2.png"::: 3. In the registration form, choose a name for your application and then click Register. For the Application registration stage, you must have a Global administrator > [!NOTE] > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. - :::image type="content" alt-text="Image of API access and API selection1." source="images/add-permission.png" lightbox="images/add-permission.png"::: + :::image type="content" source="images/add-permission.png" alt-text="The API permissions option under the Manage pane in the Azure Active Directory portal" lightbox="images/add-permission.png"::: - Choose Application permissions \> Alert.Read.All > Click on Add permissions. - :::image type="content" alt-text="Image of API access and API selection2." source="images/application-permissions.png" lightbox="images/application-permissions.png"::: + :::image type="content" source="images/application-permissions.png" alt-text="The permission type and settings panes in the Request API permissions page" lightbox="images/application-permissions.png"::: > [!IMPORTANT] > You need to select the relevant permissions. 'Read All Alerts' is only an example! For the Application registration stage, you must have a Global administrator > [!NOTE] > Every time you add permission, you must click on Grant consent for the new permission to take effect. - ![Image of Grant permissions.](images/grant-consent.png) + :::image type="content" source="images/grant-consent.png" alt-text="The grant permission consent option in the Azure Active Directory portal" lightbox="images/grant-consent.png"::: 6. Add a secret to the application. For the Application registration stage, you must have a Global administrator > [!IMPORTANT] > After click Add, copy the generated secret value. You won't be able to retrieve after you leave! - ![Image of create app key.](images/webapp-create-key2.png) + :::image type="content" source="images/webapp-create-key2.png" alt-text="The Certificates & secrets menu item in the Manage pane in the Azure Active Directory portal" lightbox="images/webapp-create-key2.png"::: 7. Write down your application ID and your tenant ID. On your application page, go to Overview and copy the following: - ![Image of created app id.](images/app-and-tenant-ids.png) + :::image type="content" source="images/app-and-tenant-ids.png" alt-text="The application details pane under the Overview menu item in the Azure Active Directory portal" lightbox="images/app-and-tenant-ids.png"::: Done! You have successfully registered an application! Done! You have successfully registered an application! - Paste in the top box. - Look for the "roles" section. Find the _Alert.Read.All_ role. - :::image type="content" alt-text="Image jwt.ms." source="images/api-jwt-ms.png" lightbox="images/api-jwt-ms.png"::: + :::image type="content" source="images/api-jwt-ms.png" alt-text="The Decoded Token pane for jwt.ms" lightbox="images/api-jwt-ms.png"::: ### Lets get the Alerts!
security	Api Microsoft Flow	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md	- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) - Automating security procedures is a standard requirement for every modern Security Operations Center (SOC). For SOC teams to operate in the most efficient way, automation is a must. Use Microsoft Power Automate to help you create automated workflows and build an end-to-end procedure automation within a few minutes. Microsoft Power Automate supports different connectors that were built exactly for that. -Use this article to guide you in creating automations that is triggered by an event, such as when an new alert is created in your tenant. Microsoft Defender API has an official Power Automate Connector with many capabilities. - +Use this article to guide you in creating automations that are triggered by an event, such as when a new alert is created in your tenant. Microsoft Defender API has an official Power Automate Connector with many capabilities. - > [!NOTE] > For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](/power-automate/triggers-introduction#licensing-for-premium-connectors). - ## Usage example The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant. You'll be guided on defining what event starts the flow and what next action will be taken when that trigger occurs. The following example demonstrates how to create a Flow that is triggered any ti 2. Go to My flows \> New \> Automated-from blank. - :::image type="content" alt-text="Image of edit credentials2." source="images/api-flow-1.png"::: + :::image type="content" source="images/api-flow-1.png" alt-text="The New flow pane under My flows menu item in the Microsoft Defender 365 portal" lightbox="images/api-flow-1.png"::: 3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger. - :::image type="content" alt-text="Image of edit credentials3." source="images/api-flow-2.png"::: + :::image type="content" source="images/api-flow-2.png" alt-text=" The Choose your flow's trigger section in the Microsoft Defender 365 portal" lightbox="images/api-flow-2.png" ::: Now you have a Flow that is triggered every time a new Alert occurs. All you need to do now is choose your next steps. For example, you can isolate the device if the Severity of the Alert is High and send an email about it. The Alert trigger provides only the Alert ID and the Machine ID. You can use the 3. Set the Alert ID from the last step as Input. - :::image type="content" alt-text="Image of edit credentials5." source="images/api-flow-4.png" lightbox="images/api-flow-4.png"::: + :::image type="content" source="images/api-flow-4.png" alt-text="The Alerts pane" lightbox="images/api-flow-4.png"::: ### Isolate the device if the Alert's severity is High The Alert trigger provides only the Alert ID and the Machine ID. You can use the If yes, add the Microsoft Defender ATP - Isolate machine action with the Machine ID and a comment. - :::image type="content" alt-text="Image of edit credentials6." source="images/api-flow-5.png" lightbox="images/api-flow-5.png"::: + :::image type="content" source="images/api-flow-5.png" alt-text="The Actions pane" lightbox="images/api-flow-5.png"::: 3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
security	Api Power Bi	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-power-bi.md	[!include[Improve request performance](../../includes/improve-request-performance.md)] -In this section you will learn create a Power BI report on top of Defender for Endpoint APIs. +In this section you will learn to create a Power BI report on top of Defender for Endpoint APIs. The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts. ## Connect Power BI to Advanced Hunting API -- Open Microsoft Power BI +- Open Microsoft Power BI. -- Click Get Data \> Blank Query +- Click Get Data \> Blank Query. - ![Image of create blank query.](images/power-bi-create-blank-query.png) + :::image type="content" source="images/power-bi-create-blank-query.png" alt-text="The Blank Query option under the Get Data menu item" lightbox="images/power-bi-create-blank-query.png"::: -- Click Advanced Editor +- Click Advanced Editor. - ![Image of open advanced editor.](images/power-bi-open-advanced-editor.png) + :::image type="content" source="images/power-bi-open-advanced-editor.png" alt-text="The Advanced Editor menu item" lightbox="images/power-bi-open-advanced-editor.png"::: - Copy the below and paste it in the editor: The first example demonstrates how to connect Power BI to Advanced Hunting API a in Table ``` -- Click Done +- Click Done. -- Click Edit Credentials +- Click Edit Credentials. - ![Image of edit credentials0.](images/power-bi-edit-credentials.png) + :::image type="content" source="images/power-bi-edit-credentials.png" alt-text="The Edit Credentials menu item" lightbox="images/power-bi-edit-credentials.png"::: + -- Select Organizational account \> Sign in +- Select Organizational account \> Sign in. - ![Image of set credentials1.](images/power-bi-set-credentials-organizational.png) + :::image type="content" source="images/power-bi-set-credentials-organizational.png" alt-text="The Sign in option in the Organizational account menu item" lightbox="images/power-bi-set-credentials-organizational.png"::: -- Enter your credentials and wait to be signed in +- Enter your credentials and wait to be signed in. -- Click Connect +- Click Connect. - ![Image of set credentials2.](images/power-bi-set-credentials-organizational-cont.png) + :::image type="content" source="images/power-bi-set-credentials-organizational-cont.png" alt-text="The sign-in confirmation message in the Organizational account menu item" lightbox="images/power-bi-set-credentials-organizational-cont.png"::: -- Now the results of your query will appear as table and you can start build visualizations on top of it! +- Now the results of your query will appear as a table and you can start to build visualizations on top of it! - You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like. The first example demonstrates how to connect Power BI to Advanced Hunting API a ``` - You can do the same for Alerts and Machines.-- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md) +- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md). ## Power BI dashboard samples in GitHub
security	Attack Surface Reduction Rules Deployment Implement	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md	Last updated 1/18/2022 Implementing attack surface reduction (ASR) rules moves the first test ring into an enabled, functional state. > [!div class="mx-imgBorder"] -> ![ASR rules implementation steps](images/asr-rules-implementation-steps.png) +> :::image type="content" source="images/asr-rules-implementation-steps.png" alt-text="The procedure to implement ASR rules" lightbox="images/asr-rules-implementation-steps.png"::: + ## Step 1: Transition ASR Rules from Audit to Block
security	Attack Surface Reduction Rules Deployment Operationalize	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md	Consistent, regular review of reports is an essential aspect of maintaining your One of the most powerful features of [Microsoft 365 Defender](https://security.microsoft.com) is advanced hunting. If you're not familiar with advanced hunting, see: [Proactively hunt for threats with advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). > [!div class="mx-imgBorder"] -> ![Microsoft 365 Defender Advanced hunting](images/asr-defender365-advanced-hunting2.png) +> :::image type="content" source="images/asr-defender365-advanced-hunting2.png" alt-text="The Advanced Hunting page in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting2.png"::: Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured (raw) data that Microsoft Defender ATP Endpoint Detection and Response (EDR) collects from all your machines. Through advanced hunting, you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. Through advanced hunting, it is possible to extract ASR rules information, creat ASR events shown in the advancing hunting portal are throttled to unique processes seen every hour. The time of the ASR event is the first time the event is seen within that hour. > [!div class="mx-imgBorder"] -> ![Microsoft 365 Defender Advanced hunting query command line](images/asr-defender365-advanced-hunting3.png) +> :::image type="content" source="images/asr-defender365-advanced-hunting3.png" alt-text="The Advanced hunting query command line in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting3.png"::: > [!div class="mx-imgBorder"] -> ![Microsoft 365 Defender Advanced hunting query results](images/asr-defender365-advanced-hunting4.png) +> :::image type="content" source="images/asr-defender365-advanced-hunting4.png" alt-text="The Advanced hunting query results in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting4.png"::: The above shows that 187 events were registered for AsrLsassCredentialTheft: The above shows that 187 events were registered for AsrLsassCredentialTheft: If you want to focus on the AsrOfficeChildProcess rule and get details on the actual files and processes involved, change the filter for ActionType and replace the summarize line with a projection of the wanted fields (in this case they are DeviceName, FileName, FolderPath, etc.). > [!div class="mx-imgBorder"] -> ![Microsoft 365 Defender Advanced hunting query focused](images/asr-defender365-advanced-hunting4b.png) +> :::image type="content" source="images/asr-defender365-advanced-hunting4b.png" alt-text="The Advanced hunting query focused example in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting4b.png"::: > [!div class="mx-imgBorder"] -> ![Microsoft 365 Defender Advanced hunting query focused results](images/asr-defender365-advanced-hunting5b.png) +> :::image type="content" source="images/asr-defender365-advanced-hunting5b.png" alt-text="The Advanced hunting query focused results in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting5b.png"::: The true benefit of advanced hunting is that you can shape the queries to your liking. By shaping your query you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.
security	Attack Surface Reduction Rules Deployment Plan	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan.md	Last updated 1/18/2022 When testing attack surface reduction (ASR) rules it is important to start with the right business unit. YouΓÇÖll want to start with a small group of people in a specific business unit. You can identify some ASR champions within a particular business unit who can provide real-world impact about the ASR rules, and help you tune your implementation. > [!div class="mx-imgBorder"] -> ![ASR rules planning steps](images/asr-rules-planning-steps.png) +> :::image type="content" source="images/asr-rules-planning-steps.png" alt-text="The ASR rules planning steps" lightbox="images/asr-rules-planning-steps.png"::: ## Start with the right business unit
security	Attack Surface Reduction Rules Deployment Test	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test.md	Testing attack surface reduction (ASR) rules helps you determine if rules will i Begin your attack surface reduction(ASR) rules deployment with ring 1. > [!div class="mx-imgBorder"] -> ![ASR rules testing steps](images/asr-rules-testing-steps.png) +> :::image type="content" source="images/asr-rules-testing-steps.png" alt-text="The ASR rules testing steps" lightbox="images/asr-rules-testing-steps.png"::: + ## Step 1: Test ASR rules using Audit Begin the testing phase by turning on the ASR rules with the rules set to Audit, You can use Microsoft Endpoint Manager (MEM) Endpoint Security to configure custom ASR rules. -1. Open [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#home) +1. Open [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#home). 2. Go to Endpoint Security > Attack surface reduction. 3. Select Create Policy. 4. In Platform, select Windows 10 and later, and in Profile, select Attack surface reduction rules. > [!div class="mx-imgBorder"] - > ![Configure ASR rules profile](images/asr-mem-create-profile.png) + > :::image type="content" source="images/asr-mem-create-profile.png" alt-text="The profile creation page for ASR rules" lightbox="images/asr-mem-create-profile.png"::: 5. Click Create. 6. In the Basics tab of the Create profile pane, in Name add a name for your policy. In Description add a description for your ASR rules policy. 7. In the Configuration settings tab, under Attack Surface Reduction Rules, set all rules to Audit mode. > [!div class="mx-imgBorder"] - > ![Set ASR rules to Audit mode](images/asr-mem-configuration-settings.png) + > :::image type="content" source="images/asr-mem-configuration-settings.png" alt-text="The configuration of ASR rules to Audit mode" lightbox="images/asr-mem-configuration-settings.png"::: >[!Note] >There are variations in some ASR rules mode listings; _Blocked_ and _Enabled_ provide the same functionality. You can use Microsoft Endpoint Manager (MEM) Endpoint Security to configure cust 10. Review your settings in the Review + create pane. Click Create to apply the rules. > [!div class="mx-imgBorder"] - > ![Activate ASR rules policy](images/asr-mem-review-create.png) + > :::image type="content" source="images/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="images/asr-mem-review-create.png"::: Your new attack surface reduction policy for ASR rules is listed in Endpoint security \| Attack surface reduction. > [!div class="mx-imgBorder"] - > ![Listed ASR rule policy](images/asr-mem-my-asr-rules.png) + > :::image type="content" source="images/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="images/asr-mem-my-asr-rules.png"::: ## Step 2: Understand the Attack surface reduction rules reporting page in the Microsoft 365 Defender portal -The ASR rules reporting page is found in Microsoft 365 Defender portal > Reports > Attack surface reduction rules. This page has three tabs: +The ASR rules reporting page is found in Microsoft 365 Defender portal > Reports > Attack surface reduction rules. This page has three tabs: - Detections - Configuration The ASR rules reporting page is found in Microsoft 365 Defender portal > Provides a 30-day timeline of detected audit and blocked events. > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules detections tab](images/asr-defender365-01.png) +> :::image type="content" source="images/asr-defender365-01.png" alt-text="The Attack surface reduction rules detections tab" lightbox="images/asr-defender365-01.png"::: The Attack Surface reduction rules pane provides an overview of detected events on a per-rule basis. The Attack Surface reduction rules pane provides an overview of detected events >There are some variations in ASR rules reports. Microsoft is in the process of updating the behavior of the ASR rules reports to provide a consistent experience. > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules rule detections](images/asr-defender365-01b.png) +> :::image type="content" source="images/asr-defender365-01b.png" alt-text="The Attack surface reduction rules page" lightbox="images/asr-defender365-01b.png"::: Click View detections to open the Detections tab. > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules detections](images/asr-defender365-reports-detections.png) +> :::image type="content" source="images/asr-defender365-reports-detections.png" alt-text="The Attack surface reduction rules detections" lightbox="images/asr-defender365-reports-detections.png"::: The GroupBy and Filter pane provide the following options: The GroupBy returns results set to the following groups: - Publisher > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules detections GroupBy filter](images/asr-defender365-reports-detections.png) +> :::image type="content" source="images/asr-defender365-reports-detections.png" alt-text="The Attack surface reduction rules detections GroupBy filter" lightbox="images/asr-defender365-reports-detections.png"::: Filter opens the Filter on rules page, which enables you to scope the results to only the selected ASR rules: > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules detections filter on rules](images/asr-defender365-filter.png) +> :::image type="content" source="images/asr-defender365-filter.png" alt-text="The Attack surface reduction rules detections filter on rules" lightbox="images/asr-defender365-filter.png"::: >[!Note] >If you have a Microsoft Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365 Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab. ### Configuration tab -Lists ΓÇô on a per-computer basis ΓÇô the aggregate state of ASR rules: Off, Audit, Block. +ListsΓÇöon a per-computer basisΓÇöthe aggregate state of ASR rules: Off, Audit, Block. > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules Configuration tab](images/asr-defender365-configurations.png) +> :::image type="content" source="images/asr-defender365-configurations.png" alt-text="The Attack surface reduction rules Configuration tab and an entry in its page" lightbox="images/asr-defender365-configurations.png"::: -On the Configurations tab, you can check ΓÇô on a per-device basis ΓÇô which ASR rules are enabled, and in which mode, by selecting the device for which you want to review ASR rules. +On the Configurations tab, you can checkΓÇöon a per-device basisΓÇöwhich ASR rules are enabled, and in which mode, by selecting the device for which you want to review ASR rules. > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules enabled and mode](images/asr-defender365-configurations.settings.png) +> :::image type="content" source="images/asr-defender365-configurations.settings.png" alt-text="The Attack surface reduction rules enabled and mode" lightbox="images/asr-defender365-configurations.settings.png"::: The Get started** link opens the Microsoft Endpoint Manager admin center, where you can create or modify an endpoint protection policy for ASR: > [!div class="mx-imgBorder"] -> ![Attack surface reduction rules in MEM](images/asr-defender365-05b-mem1.png) +> :::image type="content" source="images/asr-defender365-05b-mem1.png" alt-text="The Endpoint security menu item on the Overview page" lightbox="images/asr-defender365-05b-mem1.png"::: In Endpoint security \| Overview, select Attack surface reduction*: > [!div class="mx-imgBorder"] -> ![Attack surface reduction in MEM](images/asr-defender365-05b-mem2.png) +> :::image type="content" source="images/asr-defender365-05b-mem2.png" alt-text="The Attack surface reduction in MEM" lightbox="images/asr-defender365-05b-mem2.png"::: The Endpoint Security \| Attack surface reduction pane opens: > [!div class="mx-imgBorder"] -> ![Endpoint security Asr pane](images/asr-defender365-05b-mem3.png) +> :::image type="content" source="images/asr-defender365-05b-mem3.png" alt-text="The Endpoint security Attack surface reduction pane" lightbox="images/asr-defender365-05b-mem3.png"::: >[!Note] >If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Configurations](https://security.microsoft.com/asr?viewid=configuration) tab. This tab provides a method to select detected entities (for example, false posit > Microsoft Defender Antivirus AV exclusions are honored by ASR rules. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). > [!div class="mx-imgBorder"] -> ![Endpoint security Asr tool](Images/asr-defender365-06d.png) +> :::image type="content" source="Images/asr-defender365-06d.png" alt-text="The pane for exclusion of the detected file" lightbox="Images/asr-defender365-06d.png"::: > [!Note] >If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.
security	Attack Surface Reduction Rules Deployment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md	Some rules donΓÇÖt work well if un-signed, internally developed application and As with any new, wide-scale implementation which could potentially impact your line-of-business operations, it is important to be methodical in your planning and implementation. Because of the powerful capabilities of ASR rules in preventing malware, careful planning and deployment of these rules is necessary to ensure they work best for your unique customer workflows. To work in your environment, you need to plan, test, implement, and operationalize ASR rules carefully. > [!div class="mx-imgBorder"] -> ![ASR rules deployment phases](images/asr-rules-deployment-phases.png) +> :::image type="content" source="images/asr-rules-deployment-phases.png" alt-text="The ASR rules deployment phases" lightbox="images/asr-rules-deployment-phases.png"::: >[!Note] >For Customers who are using a non-Microsoft HIPS and are transitioning to Microsoft Defender for Endpoint attack surface reduction rules:
security	Attack Surface Reduction	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md	For more information about configuring attack surface reduction rules, see [Enab You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](/windows/security/threat-protection/#tvm). In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
security	Auto Investigation Action Center	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md	During and after an automated investigation, remediation actions for threat dete We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))! The following table compares the new, unified Action center to the previous Action center. The following table compares the new, unified Action center to the previous Acti \|\|\| \|Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) plus [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp))\|Lists pending and completed actions for devices <br/> ([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) only) \| \|Is located at:<br/>[https://security.microsoft.com/action-center](https://security.microsoft.com/action-center) \|Is located at:<br/>[https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center) \| -\| In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose Action center. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 Defender portal."::: \| In the Microsoft 365 Defender portal, choose Automated investigations > Action center. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft 365 Defender portal."::: \| +\| In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose Action center. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="The navigation pane to the Action Center in the Microsoft 365 Defender portal" lightbox="images/action-center-nav-new.png"::: \| In the Microsoft 365 Defender portal, choose Automated investigations > Action center. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="An older version of the navigation pane to the Action Center in the Microsoft 365 Defender portal" lightbox="images/action-center-nav-old.png"::: \| The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience. When you visit the Action center, you see two tabs: Pending actions and **Hi You can customize, sort, filter, and export data in the Action center. - Select a column heading to sort items in ascending or descending order. - Use the time period filter to view data for the past day, week, 30 days, or 6 months.
security	Behavioral Blocking Containment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md	Title: Behavioral blocking and containment -description: Learn about behavioral blocking and containment capabilities in Microsoft Defender for Endpoint +description: Learn about behavioral blocking and containment capabilities at Microsoft Defender for Endpoint keywords: Microsoft Defender for Endpoint, EDR in block mode, passive mode blocking ms.pagetype: security Today's threat landscape is overrun by [fileless malware](/windows/security/thre Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities. Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing. With these capabilities, more threats can be prevented or blocked, even if they The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities: ## Components of behavioral blocking and containment The following image shows an example of an alert that was triggered by behaviora - [Feedback-loop blocking](feedback-loop-blocking.md) (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus isn't the primary antivirus solution. (EDR in block mode isn't enabled by default; you turn it on in Microsoft 365 Defender.) +- [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus isn't the primary antivirus solution. (EDR in block mode isn't enabled by default; you turn it on at Microsoft 365 Defender.) Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap). Below are two real-life examples of behavioral blocking and containment in actio As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user's device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. -Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker's techniques at two points in the attack chain: +Behavior-based device-learning models in Defender for Endpoint caught and stopped the attacker's techniques at two points in the attack chain: -- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. +- The first protection layer detected the exploit behavior. Device-learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender). -This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running. +This example shows how behavior-based device-learning models in the cloud add new layers of protection against attacks, even after they have started running. ### Example 2: NTLM relay - Juicy Potato malware variant As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called "Possible privilege escalation using NTLM relay" was triggered. The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device. Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image: A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing more attackers or other malware from deploying on the device.
security	Check Sensor Status	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md	Title: Check the health state of the sensor in Microsoft Defender for Endpoint + Title: Check the health state of the sensor at Microsoft Defender for Endpoint description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or aren't reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication ms.prod: m365-security Last updated 04/24/2018 ms.technology: mde -# Check sensor health state in Microsoft Defender for Endpoint +# Check sensor health state at Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] There are two status indicators on the tile that provide information on the numb Clicking any of the groups directs you to Devices list, filtered according to your choice. -![Screenshot of Devices with sensor issues tile.](images/atp-devices-with-sensor-issues-tile.png) On Devices list, you can filter the health state list by the following status: You can also download the entire list in CSV format using the Export feature > [!NOTE] > Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. -![Screenshot of Devices list page.](images/atp-devices-list-page.png) You can view the device details when you click on a misconfigured or inactive device.
security	Client Behavioral Blocking	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md	Title: Client behavioral blocking -description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint +description: Client behavioral blocking is part of behavioral blocking and containment capabilities at Microsoft Defender for Endpoint keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender for Endpoint ms.pagetype: security ms.technology: mde Client behavioral blocking is a component of [behavioral blocking and containment capabilities](behavioral-blocking-containment.md) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. Antivirus protection works best when paired with cloud protection.
security	Cloud Protection Microsoft Antivirus Sample Submission	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md	Title: Cloud protection and sample submission in Microsoft Defender Antivirus + Title: Cloud protection and sample submission at Microsoft Defender Antivirus description: Learn about cloud-delivered protection and Microsoft Defender Antivirus keywords: Microsoft Defender Antivirus, next-generation technologies, antivirus sample submission, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection ms.prod: m365-security Last updated 02/24/2022 -# Cloud protection and sample submission in Microsoft Defender Antivirus +# Cloud protection and sample submission at Microsoft Defender Antivirus Applies to: - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) Microsoft Defender Antivirus uses many intelligent mechanisms for detecting malw If a suspicious or malicious file is detected, a sample is sent to the cloud service for analysis while Microsoft Defender Antivirus blocks the file. As soon as a determination is made, which happens quickly, the file is either released or blocked by Microsoft Defender Antivirus. -This article provides an overview of cloud protection and automatic sample submission in Microsoft Defender Antivirus. To learn more about cloud protection, see [Cloud protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md). +This article provides an overview of cloud protection and automatic sample submission at Microsoft Defender Antivirus. To learn more about cloud protection, see [Cloud protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md). ## How cloud protection and sample submission work together -To understand how cloud protection works together with sample submission, it can be helpful to understand how Defender for Endpoint protects against threats. The Microsoft Intelligent Security Graph monitors threat data from a vast network of sensors. Microsoft layers cloud-based machine learning models that can assess files based on signals from the client and the vast network of sensors and data in the Intelligent Security Graph. This approach gives Defender for Endpoint the ability to block many never-before-seen threats. +To understand how cloud protection works together with sample submission, it can be helpful to understand how Defender for Endpoint protects against threats. The Microsoft Intelligent Security Graph monitors threat data from a vast network of sensors. Microsoft layers cloud-based machine-learning models that can assess files based on signals from the client and the vast network of sensors and data in the Intelligent Security Graph. This approach gives Defender for Endpoint the ability to block many never-before-seen threats. The following image depicts the flow of cloud protection and sample submission with Microsoft Defender Antivirus: Microsoft Defender Antivirus and cloud protection automatically block most new, never-before-seen threats at first sight by using the following methods: -1. Lightweight client-based machine learning models, blocking new and unknown malware. +1. Lightweight client-based machine-learning models, blocking new and unknown malware. 2. Local behavioral analysis, stopping file-based and file-less attacks. Microsoft Defender Antivirus and cloud protection automatically block most new, - "Do not send" is the equivalent to the "Disabled" setting in macOS policy - Metadata is sent for detections even when sample submission is disabled - 3. After metadata and/or files are submitted to cloud protection, you can use samples, detonation, or big data analysis machine learning models to reach a verdict. Turning off cloud-delivered protection will limit analysis to only what the client can provide through local machine learning models, and similar functions. + 3. After metadata and/or files are submitted to cloud protection, you can use samples, detonation, or big data analysis machine-learning models to reach a verdict. Turning off cloud-delivered protection will limit analysis to only what the client can provide through local machine-learning models, and similar functions. > [!IMPORTANT] > [Block at first sight (BAFS)](configure-block-at-first-sight-microsoft-defender-antivirus.md) provides detonation and analysis to determine whether a file or process is safe. BAFS can delay the opening of a file momentarily until a verdict is reached. If you disable sample submission, BAFS is also disabled, and file analysis is limited to metadata only. We recommend keeping sample submission and BAFS enabled. To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight) ## Cloud protection levels -Cloud protection is enabled by default in Microsoft Defender Antivirus. We recommend that you keep cloud protection enabled, although you can configure the protection level for your organization. See [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](specify-cloud-protection-level-microsoft-defender-antivirus.md). +Cloud protection is enabled by default at Microsoft Defender Antivirus. We recommend that you keep cloud protection enabled, although you can configure the protection level for your organization. See [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](specify-cloud-protection-level-microsoft-defender-antivirus.md). ## Sample submission settings In addition to configuring your cloud protection level, you can configure your s - Send all samples automatically - Do not send samples -For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md). +For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud protection at Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md). ## Examples of metadata sent to the cloud protection service The following table lists examples of metadata sent for analysis by cloud protection: In addition, Defender for Endpoint has received multiple compliance certificatio - ISO 27001 - ISO 27018 - SOC I, II, III-- and PCI +- PCI For more information, see the following resources: For more information, see the following resources: ## Other file sample submission scenarios -There are two more scenarios where Defender for Endpoint might request a file sample that is not related to the cloud protection in Microsoft Defender Antivirus. These scenarios are described in the following table: +There are two more scenarios where Defender for Endpoint might request a file sample that is not related to the cloud protection at Microsoft Defender Antivirus. These scenarios are described in the following table: \| Scenario \| Description \| \|:\|:\|
security	Cloud Protection Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md	Next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To identify new threats dynamically, next-generation technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. Cloud protection works together with Microsoft Defender Antivirus to deliver accurate, real-time, and intelligent protection. -[:::image type="content" source="images/mde-cloud-protection.png" alt-text="Diagram showing how cloud protection works together with Microsoft Defender Antivirus":::](enable-cloud-protection-microsoft-defender-antivirus.md) +[:::image type="content" source="images/mde-cloud-protection.png" alt-text="Diagram showing how cloud protection works together with Microsoft Defender Antivirus" lightbox="images/mde-cloud-protection.png":::](enable-cloud-protection-microsoft-defender-antivirus.md) > [!TIP] > We recommend keeping cloud protection turned on. To learn more, see [Why cloud protection should be enabled for Microsoft Defender Antivirus](why-cloud-protection-should-be-on-mdav.md).
security	Collect Diagnostic Data	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md	You can also specify where the diagnostic .cab file will be created using a Grou 2. Select Define the directory path to copy support log files. - ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png) + :::image type="content" source="images/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="images/GPO1-SupportLogLocationDefender.png"::: - ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png) + :::image type="content" source="images/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for log files setting" lightbox="images/GPO2-SupportLogLocationGPPage.png"::: - ![Screenshot of local group policy editor.](images/GPO1-SupportLogLocationDefender.png) + :::image type="content" source="images/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="images/GPO1-SupportLogLocationDefender.png"::: - ![Screenshot of define path for log files setting.](images/GPO2-SupportLogLocationGPPage.png) + :::image type="content" source="images/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for configuring the log files setting" lightbox="images/GPO2-SupportLogLocationGPPage.png"::: + 3. Inside the policy editor, select Enabled. 4. Specify the directory path where you want to copy the support log files in the Options field. - ![Screenshot of Enabled directory path custom setting.](images/GPO3-SupportLogLocationGPPageEnabledExample.png) + :::image type="content" source="images/GPO3-SupportLogLocationGPPageEnabledExample.png" alt-text="The Enabled directory path custom setting" lightbox="images/GPO3-SupportLogLocationGPPageEnabledExample.png"::: 5. Select OK or Apply. ## See also
security	Configure Block At First Sight Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md	When Microsoft Defender Antivirus encounters a suspicious but undetected file, i Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. -![List of Microsoft Defender AV engines.](images/microsoft-defender-atp-next-generation-protection-engines.png) > [!TIP] > To learn more, see [(Blog) Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). Microsoft Defender Antivirus uses multiple detection and prevention technologies - Time extension for file scanning by the cloud: 50 - Prompt users before sample submission: Send all data without prompting - :::image type="content" source="../../media/intune-block-at-first-sight.png" alt-text="Intune config block at first sight."::: + :::image type="content" source="../../media/intune-block-at-first-sight.png" alt-text="Intune config block at first sight" lightbox="../../media/intune-block-at-first-sight.png"::: 4. Save your settings. Microsoft Defender Antivirus uses multiple detection and prevention technologies - Cloud-delivered protection level: High - Microsoft Defender Antivirus Extended Timeout in Seconds: 50 - :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager."::: + :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in the Microsoft Endpoint Manager portal" lightbox="images/endpointmgr-antivirus-cloudprotection.png"::: 4. Apply the Microsoft Defender Antivirus profile to a group, such as All users, All devices, or All users and devices. You can confirm that block at first sight is enabled on individual client device 2. Select Virus & threat protection, and then, under Virus & threat protection settings, select Manage Settings. - :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="Screenshot of the Virus & threat protection settings label in the Windows Security app"::: + :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="The Virus & threat protection settings label in the Windows Security app" lightbox="../../media/wdav-protection-settings-wdsc.png"::: 3. Confirm that Cloud-delivered protection and Automatic sample submission are both turned on.
security	Configure Endpoints Gp	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md	Get the current list of attack surface reduction rules GUIDs from [Attack surfac This will set each up for audit only. - ![Image of attack surface reduction configuration.](images/asr-guid.png) + :::image type="content" source="images/asr-guid.png" alt-text="The Attack surface reduction configuration" lightbox="images/asr-guid.png"::: Policy\|Location\|Setting \|\| Create a new Group Policy or group these settings in with the other policies. Th 2. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection. - :::image type="content" source="images/realtime-protect.png" alt-text="real time protection."::: + :::image type="content" source="images/realtime-protect.png" alt-text="Real-time protection" lightbox="images/realtime-protect.png"::: 1. In the Quarantine folder, configure removal of items from Quarantine folder. - :::image type="content" source="images/removal-items-quarantine1.png" alt-text="removal items quarantine folder."::: + :::image type="content" source="images/removal-items-quarantine1.png" alt-text="Removal items quarantine folder" lightbox="images/removal-items-quarantine1.png"::: - :::image type="content" source="images/config-removal-items-quarantine2.png" alt-text="config-removal quarantine."::: + :::image type="content" source="images/config-removal-items-quarantine2.png" alt-text="config-removal quarantine" lightbox="images/config-removal-items-quarantine2.png"::: 4. In the Scan folder, configure the scan settings. - :::image type="content" source="images/gpo-scans.png" alt-text="gpo scans."::: + :::image type="content" source="images/gpo-scans.png" alt-text="gpo scans" lightbox="images/gpo-scans.png"::: ### Monitor all files in Real time protection Browse to Computer Configuration \> Policies \> Administrative Templates \> Windows Components \> Microsoft Defender Antivirus \> Real-time Protection. - Since the value for "Scan incoming and outgoing files" (default) is 0, the group policy for the "Configure monitoring for incoming and outgoing file and program activity" for "bi-directional (full on-access)" setting changes to disabled. - ### Configure Windows Defender SmartScreen settings 1. Browse to Computer Configuration \> Policies \> Administrative Templates \> Windows Components \> Windows Defender SmartScreen \> Explorer. - :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen explorer."::: + :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="Configure windows defender smart screen explorer" lightbox="images/config-windows-def-smartscr-explorer.png"::: 2. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender SmartScreen > Microsoft Edge. - :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen Edge."::: + :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="Configure windows defender smart screen Edge" lightbox="images/config-windows-def-smartscr-explorer.png"::: ### Configure Potentially Unwanted Applications Browse to Computer Configuration \> Policies \> Administrative Templates \> Windows Components \> Microsoft Defender Antivirus. ### Configure Cloud Deliver Protection and send samples automatically Browse to Computer Configuration \> Policies \> Administrative Templates \> Windows Components \> Microsoft Defender Antivirus \> MAPS. > [!NOTE] > The Send all samples option will provide the most analysis of binaries/scripts/docs which increases security posture. For more information, see [Turn on cloud protection in Microsoft Defender Antivi Browse to Computer Configuration \> Policies \> Administrative Templates \> Windows Components \> Microsoft Defender Antivirus \> Security Intelligence Updates. ### Configure cloud deliver timeout and protection level Browse to Computer Configuration \> Policies \> Administrative Templates \> Windows Components \> Microsoft Defender Antivirus \> MpEngine. When you configure cloud protection level policy to Default Microsoft Defender Antivirus blocking policy this will disable the policy. This is what is required to set the protection level to the windows default. ## Related topics - [Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
security	Configure Endpoints Sccm	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md	If you're using System Center 2012 R2 Configuration Manager, monitoring consists If there are failed deployments (devices with Error, Requirements Not Met, or Failed statuses), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). - ![Configuration Manager showing successful deployment with no errors.](images/sccm-deployment.png) + :::image type="content" source="images/sccm-deployment.png" alt-text="The Configuration Manager showing successful deployment with no errors" lightbox="images/sccm-deployment.png"::: ### Check that the devices are compliant with the Microsoft Defender for Endpoint service
security	Configure Endpoints Script	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md	Check out the [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae- 1. Go to Start and type cmd. 2. Right-click Command prompt and select Run as administrator. - ![Window Start menu pointing to Run as administrator.](images/run-as-admin.png) + :::image type="content" source="images/run-as-admin.png" alt-text="The Window Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png"::: 4. Type the location of the script file. If you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd For security reasons, the package used to Offboard devices will expire 30 days a 1. Go to Start and type cmd. 2. Right-click Command prompt and select Run as administrator. - ![Window Start menu pointing to Run as administrator.](images/run-as-admin.png) + :::image type="content" source="images/run-as-admin.png" alt-text="The Windows Start menu pointing to the Run as administrator option" lightbox="images/run-as-admin.png"::: 4. Type the location of the script file. If you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
security	Configure Endpoints	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints.md	Devices in your organization must be configured so that the Defender for Endpoin In general, you'll identify the Windows device you're onboarding, then follow the corresponding tool appropriate to the device or your environment. -![Image of onboarding tools and methods](images/onboarding-config-tools.png) ## Endpoint onboarding tools
security	Configure Extension File Exclusions Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md	Get-MpPreference In the following example, the items contained in the `ExclusionExtension` list are highlighted: For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/). $WDAVprefs.ExclusionPath In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet: For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/).
security	Configure Machines Asr	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md	ms.technology: mde [Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. <br> Attack surface management card The Attack surface management card is an entry point to tools in <a href="http Select Go to attack surface management \> Reports \> Attack surface reduction rules \> Add exclusions. From there, you can navigate to other sections of Microsoft 365 Defender portal. -![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 Defender portal.](images/secconmgmt_asr_m365exlusions.png)<br> The *Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 Defender portal* > [!NOTE]
security	Configure Machines Onboarding	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md	Before you can track and manage onboarding of devices: The Onboarding card provides a high-level overview of your onboarding rate by comparing the number of Windows devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows devices. -![Device configuration management Onboarding card.](images/secconmgmt_onboarding_card.png) Card showing onboarded devices compared to the total number of Intune-managed Windows device Defender for Endpoint provides several convenient options for [onboarding Window From the Onboarding card, select Onboard more devices to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. -![Microsoft Defender for Endpoint device compliance page on Intune device management.](images/secconmgmt_onboarding_1deviceconfprofile.png) Microsoft Defender for Endpoint device compliance page on Intune device management
security	Configure Machines Security Baseline	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md	Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: The Security baseline card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 and Windows 11 devices that have been assigned the Defender for Endpoint security baseline. -![Security baseline card.](images/secconmgmt_baseline_card.png) Card showing compliance to the Defender for Endpoint security baseline Device configuration management monitors baseline compliance only of Windows 10 2. Create a new profile. - ![Microsoft Defender for Endpoint security baseline overview on Intune.](images/secconmgmt_baseline_intuneprofile1.png)<br> + :::image type="content" source="images/secconmgmt_baseline_intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="images/secconmgmt_baseline_intuneprofile1.png":::<br> Microsoft Defender for Endpoint security baseline overview on Intune 3. During profile creation, you can review and adjust specific settings on the baseline. - ![Security baseline options during profile creation on Intune.](images/secconmgmt_baseline_intuneprofile2.png)<br> + :::image type="content" source="images/secconmgmt_baseline_intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="images/secconmgmt_baseline_intuneprofile2.png":::<br> Security baseline options during profile creation on Intune 4. Assign the profile to the appropriate device group. - ![Security baseline profiles on Intune.](images/secconmgmt_baseline_intuneprofile3.png)<br> + :::image type="content" source="images/secconmgmt_baseline_intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="images/secconmgmt_baseline_intuneprofile3.png":::<br> Assigning the security baseline profile on Intune 5. Create the profile to save it and deploy it to the assigned device group. - ![Assigning the security baseline on Intune.](images/secconmgmt_baseline_intuneprofile4.png)<br> + :::image type="content" source="images/secconmgmt_baseline_intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="images/secconmgmt_baseline_intuneprofile4.png":::<br> Creating the security baseline profile on Intune > [!TIP]
security	Configure Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md	With properly configured devices, you can boost overall resilience against threa Click Configuration management from the navigation menu to open the Device configuration management page. -![Security configuration management page.](images/secconmgmt_main.png) Device configuration management page If you have been assigned other roles, ensure you have the necessary permissions - Read permissions to device compliance policies - Read permissions to the organization -![Required permissions on intune.](images/secconmgmt_intune_permissions.png) Device configuration permissions on Intune
security	Configure Microsoft Threat Experts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md	If you're already a Defender for Endpoint customer, you can apply through the Mi 2. Click Apply. - ![Image of Microsoft Threat Experts settings.](images/mte-collaboratewithmte.png) + :::image type="content" source="images/mte-collaboratewithmte.png" alt-text="The Microsoft Threat Experts settings" lightbox="images/mte-collaboratewithmte.png"::: 3. Enter your name and email address so that Microsoft can get back to you on your application. - ![Image of Microsoft Threat Experts application.](images/mte-apply.png) + :::image type="content" source="images/mte-apply.png" alt-text="The Name field on the Microsoft Threat Experts application page" lightbox="images/mte-apply.png"::: 4. Read the [privacy statement](https://privacy.microsoft.com/privacystatement), then click Submit when you're done. You will receive a welcome email once your application is approved. - ![Image of Microsoft Threat Experts application confirmation.](images/mte-applicationconfirmation.png) + :::image type="content" source="images/mte-applicationconfirmation.png" alt-text="The Microsoft Threat Experts application confirmation message" lightbox="images/mte-applicationconfirmation.png"::: When accepted, you will receive a welcome email and you will see the Apply button change to a toggle that is "on". In case you want to take yourself out of the Targeted Attack Notifications service, slide the toggle "off" and click Save preferences at the bottom of the page. You can partner with Microsoft Threat Experts who can be engaged directly from w 2. From the upper right-hand menu, click the ? icon. Then, select Consult a threat expert. - ![Image of Microsoft Threat Experts Experts on Demand from the menu.](images/mte-eod-menu.png) + :::image type="content" source="images/mte-eod-menu.png" alt-text="The Microsoft Threat Experts Experts on Demand menu item" lightbox="images/mte-eod-menu.png"::: A flyout screen opens. The following screen shows when you are on a trial subscription. - ![Image of Microsoft Threat Experts Experts on Demand screen.](images/mte-eod.png) + :::image type="content" source="images/mte-eod.png" alt-text="The Microsoft Threat Experts Experts on Demand page" lightbox="images/mte-eod.png"::: The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription. - ![Image of Microsoft Threat Experts Experts on Demand full subscription screen.](images/mte-eod-fullsubscription.png) + :::image type="content" source="images/mte-eod-fullsubscription.png" alt-text="The Microsoft Threat Experts Experts on Demand full subscription page" lightbox="images/mte-eod-fullsubscription.png"::: The Inquiry topic field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
security	Configure Network Connections Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md	If you're properly connected, you'll see a warning Microsoft Defender Antivirus If you're using Microsoft Edge, you'll also see a notification message: A similar message occurs if you're using Internet Explorer: #### View the fake malware detection in your Windows Security app
security	Configure Proxy Internet	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md	The static proxy is configurable through group policy (GP), both the settings un Set it to Enabled and select Disable Authenticated Proxy usage. - ![Image of Group Policy setting1.](images/atp-gpo-proxy1.png) + :::image type="content" source="images/atp-gpo-proxy1.png" alt-text="The Group Policy setting1 status pane" lightbox="images/atp-gpo-proxy1.png"::: - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry: Configure the proxy. - ![Image of Group Policy setting2.](images/atp-gpo-proxy2.png) + :::image type="content" source="images/atp-gpo-proxy2.png" alt-text="The Group Policy setting2 status pane" lightbox="images/atp-gpo-proxy2.png"::: \| Group Policy \| Registry key \| Registry entry \| Value \| Configure the static proxy using the Group Policy available in Administrative Te 2. Set it to Enabled and define the proxy server. Note, the URL must have either http:// or https://. For supported versions for https://, see [Manage Microsoft Defender Antivirus updates](manage-updates-baselines-microsoft-defender-antivirus.md). - :::image type="content" source="images/proxy-server-mdav.png" alt-text="Proxy server for Microsoft Defender Antivirus."::: + :::image type="content" source="images/proxy-server-mdav.png" alt-text="The proxy server for Microsoft Defender Antivirus" lightbox="images/proxy-server-mdav.png"::: 3. Under the registry key `HKLM\Software\Policies\Microsoft\Windows Defender`, the policy sets the registry value `ProxyServer` as REG_SZ. The following downloadable spreadsheet lists the services and their associated U **** \|Spreadsheet of domains list\| Description\| \|\|\| -\|Microsoft Defender for Endpoint URL list for commercial customers\| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx) -\| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers \| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx) +\|:::image type="content" source="images/mdatp-urls.png" alt-text="The Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::\|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)\| +\| If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. In your firewall, open all the URLs where the geography column is WW. For rows where the geography column isn't WW, open the URLs to your specific data location. To verify your data location setting, see [Verify data storage location and update data retention settings for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/data-retention-settings). The information in the list of proxy and firewall configuration information is r 4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/e-urls.xlsx)). - ![Image of administrator in Windows PowerShell.](images/admin-powershell.png) + :::image type="content" source="images/admin-powershell.png" alt-text="The administrator in Windows PowerShell" lightbox="images/admin-powershell.png"::: The wildcards (\) used in \.ods.opinsights.azure.com, \.oms.opinsights.azure.com, and \.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace. It can be found in the Onboarding section of your tenant within the Microsoft 365 Defender portal.
security	Configure Real Time Protection Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md	To enable and configure always-on protection: 2. Under Best match, select Edit group policy to launch Local Group Policy Editor. - ![GPEdit taskbar search result.](images/gpedit-search.png) + :::image type="content" source="images/gpedit-search.png" alt-text="The GPEdit taskbar search result in the Control panel" lightbox="images/gpedit-search.png"::: 2. In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration \> Administrative Templates \> Windows Components \> Microsoft Defender Antivirus.
security	Configure Server Endpoints	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md	For guidance on how to download and use Windows Security Baselines for Windows s You'll need to complete the following general steps to successfully onboard servers. -![Illustration of onboarding flow for Windows Servers and Windows 10 devices](images/server-onboarding-tools-methods.png) Windows Server 2012 R2 and Windows Server 2016 (Preview) The following steps are only applicable if you're using a third-party anti-malwa - Type: `REG_DWORD` - Value: `1` -2. Run the following PowerShell command to verify that the passive mode was configured: - - ```powershell - Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} - ``` - -3. Confirm that a recent event containing the passive mode event is found: - - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) - + :::image type="content" source="images/atp-verify-passive-mode.png" alt-text="The passive mode verification result" lightbox="images/atp-verify-passive-mode.png"::: > [!IMPORTANT] > > - When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European users, and in the UK for UK users).
security	Connected Applications	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md	From the left navigation menu, select Partners & APIs (under Endpoints) The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. -![Image of connected apps.](images/connected-apps.png) ## Edit, reconfigure, or delete a connected application
security	Contact Support	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md	Accessing the new support widget can be done in one of two ways: 1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support": - :::image type="content" source="../../media/contactsupport.png" alt-text="Microsoft support."::: + :::image type="content" source="../../media/contactsupport.png" alt-text="The Microsoft support icon in the Microsoft 365 Defender portal" lightbox="../../media/contactsupport.png"::: 2. Clicking on the Need help? button in the bottom right of the Microsoft 365 Defender portal: - ![Image of the need help button.](images/need-help-option.png) + :::image type="content" source="images/need-help-option.png" alt-text="The Need help button" lightbox="images/need-help-option.png"::: In the widget you'll be offered two options: In the widget you'll be offered two options: This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced. In case the suggested articles aren't sufficient, you can open a service request. Learn how to open support tickets by contacting Defender for Endpoint support. ### Contact support - 1. Fill in a title and description for the issue you are facing, the phone number and email address where we may reach you. 2. (Optional) Include up to five attachments that are relevant to the issue to provide additional context for the support case.
security	Corelight Integration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/corelight-integration.md	To enable the Corelight integration, youΓÇÖll need to take the following steps: 1. In the navigation pane of the [https://security.microsoft.com](https://security.microsoft.com/) portal, select Settings \> Device discovery \> Data sources. - ![Image of data sources](images/enable-corelight.png) + :::image type="content" source="images/enable-corelight.png" alt-text="The data sources page in the Microsoft 365 Defender portal" lightbox="images/enable-corelight.png"::: 2. Select Send Corelight data to M365D and select Save. In addition to this, the GUI validation requires that a broker is configured in 1. In the Corelight Sensor GUI configuration section, select Sensor \> Export. 2. From the list, go to EXPORT TO KAFKA and select the switch to turn it on. - ![Image of kafka export](images/exporttokafka.png) + :::image type="content" source="images/exporttokafka.png" alt-text="The kafka export" lightbox="images/exporttokafka.png"::: 3. Next, turn on EXPORT TO AZURE DEFENDER FOR IOT and enter your tenant ID, noted in Step 1, in the TENANT ID field. - ![Image of iot export](images/exporttodiot.png) + :::image type="content" source="images/exporttodiot.png" alt-text="The iot export" lightbox="images/exporttodiot.png"::: 4. Select Apply Changes. - ![Apply image ](images/corelightapply.png) + :::image type="content" source="images/corelightapply.png" alt-text="The Apply changes icon" lightbox="images/corelightapply.png"::: > [!NOTE] > Configuration options in Kafka (excluding Log Exclusion and Filters) should not be changed. Any changes made will be ignored.
security	Customize Controlled Folders	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md	You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil ``` 3. Repeat step 2 for each folder that you want to protect. Folders that are protected are visible in the Windows Security app. - :::image type="content" source="images/cfa-allow-folder-ps.png" alt-text="PowerShell window with cmdlet shown."::: + :::image type="content" source="images/cfa-allow-folder-ps.png" alt-text="The PowerShell window with cmdlet shown" lightbox="images/cfa-allow-folder-ps.png"::: > [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list and not `Set-MpPreference`. Using the `Set-MpPreference` cmdlet will overwrite the existing list. An allowed application or service only has write access to a controlled folder a 4. Select Add an allowed app and follow the prompts to add apps. - :::image type="content" source="images/cfa-allow-app.png" alt-text="Add an allowed app button."::: + :::image type="content" source="images/cfa-allow-app.png" alt-text="The Add an allowed app button" lightbox="images/cfa-allow-app.png"::: ### Use Group Policy to allow specific apps An allowed application or service only has write access to a controlled folder a Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. - :::image type="content" source="images/cfa-allow-app-ps.png" alt-text="PowerShell cmdlet to allow an app."::: + :::image type="content" source="images/cfa-allow-app-ps.png" alt-text="The PowerShell cmdlet to allow an application" lightbox="images/cfa-allow-app-ps.png"::: > [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
security	Data Collection Analyzer	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md	When collaborating with Microsoft support professionals, you may be asked to use Run 'MDEClientAnalyzer.cmd /?' to see the list of available parameters and their description: -![Image of client analyzer parameters in command line.](images/d89a1c04cf8441e4df72005879871bd0.png) > [!NOTE] > When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus) to collect Microsoft Defender Antivirus related support logs. Run 'MDEClientAnalyzer.cmd /?' to see the list of available parameters and t The analyzer and all the above scenario flags can be initiated remotely by running 'RemoteMDEClientAnalyzer.cmd', which is also bundled into the analyzer toolset: -![Image of commandline with analyzer information.](images/57cab9d82d08f672a92bf9e748ac9572.png) > [!NOTE] >
security	Defender Endpoint False Positives Negatives	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md	In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md). -![Definition of false positive and negatives in Defender for Endpoint.](images/false-positives-overview.png) Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender), your security operations can take steps to address them by using the following process: Fortunately, steps can be taken to address and reduce these kinds of issues. If You can get help if you still have issues with false positives/negatives after performing the tasks described in this article. See [Still need help?](#still-need-help) -![Steps to address false positives and negatives.](images/false-positives-step-diagram.png) > [!NOTE] > This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md). When you're done reviewing and undoing actions that were taken as a result of fa ### Remove a file from quarantine across multiple devices > [!div class="mx-imgBorder"] -> ![Quarantine file.](images/autoir-quarantine-file-1.png) +> :::image type="content" source="images/autoir-quarantine-file-1.png" alt-text="The Quarantine file" lightbox="images/autoir-quarantine-file-1.png"::: 1. In the left navigation pane of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, click Action center. To specify entities as exclusions for Microsoft Defender for Endpoint, create "a - [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) - [Application certificates](#indicators-for-application-certificates) -![Indicator types diagram.](images/false-positives-indicators.png) #### Indicators for files
security	Defender Endpoint Plan 1	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1.md	Microsoft Defender for Endpoint is an enterprise endpoint security platform desi The green boxes in the following image depict what's included in Defender for Endpoint Plan 1: Use this guide to:
security	Deployment Phases	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-phases.md	This guide helps you work across stakeholders to prepare your environment and th Each section corresponds to a separate article in this solution. -![Image of deployment phases with details from table.](images/deployment-guide-phases.png) -![Summary of deployment phases: prepare, setup, onboard.](images/phase-diagrams/deployment-phases.png) <br>
security	Deployment Rings	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md	The deployment rings can be applied in the following scenarios: ## New deployments -![Image of deployment rings.](images/deployment-rings.png) A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring. Use the following material to select the appropriate Microsoft Defender for Endp \|Item\|Description\| \|:--\|:--\| -\|[![Thumb image for Microsoft Defender for Endpoint deployment strategy.](images/mde-deployment-strategy.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \\| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) \| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul> +\|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for Microsoft Defender for Endpoint deployment" lightbox="images/mde-deployment-strategy.png":::](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \\| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) \| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul> ## Existing deployments With macOS and Linux, you could take a couple of systems and run in the Beta cha The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current. -![Image of insider rings.](images/insider-rings.png) + In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either Beta or Preview.
security	Deployment Strategy	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md	Plan your Microsoft Defender for Endpoint deployment so that you can maximize th This solution provides guidance on how to identify your environment architecture, select the type of deployment tool that best fits your needs, and guidance on how to configure capabilities. -![Image of deployment flow.](images/deployment-guide-plan.png) ## Step 1: Identify architecture Use the following material to select the appropriate Defender for Endpoint archi \| Item \| Description \| \|:--\|:--\| -\|[![Thumb image for Defender for Endpoint deployment strategy.](images/mde-deployment-strategy.png)](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \\| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) \| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li> +\|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for deployment of Defender for Endpoint" lightbox="images/mde-deployment-strategy.png":::](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \\| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) \| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li> ## Step 2: Select deployment method
security	Device Control Removable Storage Access Control	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md	Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices tha - 4.18.2107 or later: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add AccountName into [advanced hunting](device-control-removable-storage-access-control.md#view-device-control-removable-storage-access-control-data-in-microsoft-defender-for-endpoint) -- 4.18.2111 or later: Add 'Enable or Disable Removable Storage Access Control', 'Default Enforcement', client machine policy update time through PowerShell, file information--- 4.18.2201 or later: Support a copy of file written to allowed storage through OMA-URI- > [!NOTE] > None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status. Before you get started with Removable Storage Access Control, you must confirm y The following image illustrates the example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs). - :::image type="content" source="images/prevent-write-access-allow-usb.png" alt-text="The screen displaying the configuration settings that allow specific approved USBs on devices."::: + :::image type="content" source="images/prevent-write-access-allow-usb.png" alt-text="The configuration settings that allow specific approved USBs on devices" lightbox="images/prevent-write-access-allow-usb.png"::: 2. Combine all rules within `<PolicyRules>` `</PolicyRules>` into one xml file. Before you get started with Removable Storage Access Control, you must confirm y The following image illustrates the usage of SID property, and an example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs). - :::image type="content" source="images/usage-sid-property.png" alt-text="The screen displaying a code that indicates usage of the SID property attribute."::: + :::image type="content" source="images/usage-sid-property.png" alt-text="The code that indicates usage of the SID property attribute" lightbox="images/usage-sid-property.png"::: 3. Save both rule and group XML files on the network share folder and put the network share folder path into the Group Policy setting: Computer Configuration \> Administrative Templates \> Windows Components \> Microsoft Defender Antivirus \> Device Control: 'Define device control policy groups' and 'Define device control policy rules'. Before you get started with Removable Storage Access Control, you must confirm y - The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot. - :::image type="content" source="images/device-control.png" alt-text="The Device Control screen."::: + :::image type="content" source="images/device-control.png" alt-text="The Device Control screen" lightbox="images/device-control.png"::: 4. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> * - Data Type: String (XML file) - :::image type="content" source="images/xml-data-type-string.png" alt-text="The xml file for the STRING data type."::: + :::image type="content" source="images/xml-data-type-string.png" alt-text="The Data type field in the Add Row page" lightbox="images/xml-data-type-string.png"::: 2. For each policy, also create an OMA-URI: DeviceEvents \| order by Timestamp desc ``` -```kusto -//RemovableStorageFileEvent: event triggered by File level enforcement, information of files written to removable storage -DeviceEvents -\| where ActionType contains "RemovableStorageFileEvent" -\| extend parsed=parse_json(AdditionalFields) -\| extend Policy = tostring(parsed.Policy) -\| extend PolicyRuleId = tostring(parsed.PolicyRuleId) -\| extend MediaClassName = tostring(parsed.ClassName) -\| extend MediaInstanceId = tostring(parsed.InstanceId) -\| extend MediaName = tostring(parsed.MediaName) -\| extend MediaProductId = tostring(parsed.ProductId) -\| extend MediaVendorId = tostring(parsed.VendorId) -\| extend MediaSerialNumber = tostring(parsed.SerialNumber) -\| extend DuplicatedOperation = tostring(parsed.DuplicatedOperation) -\| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation) -\| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, - ActionType, Policy, PolicyRuleId, DuplicatedOperation, - MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, - FileName, FolderPath, FileSize, FileEvidenceLocation, - AdditionalFields -\| order by Timestamp desc -``` - ## Frequently asked questions
security	Device Control Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md	The View details button shows more media usage data in the device control The page provides a dashboard with aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID. > [!div class="mx-imgBorder"] -> ![DeviceControlReportDetails](images/Detaileddevicecontrolreport.png) +> :::image type="content" source="images/Detaileddevicecontrolreport.png" alt-text="The Device Control Report Details page in the Microsoft 365 Defender portal" lightbox="images/Detaileddevicecontrolreport.png"::: When you select an event, a flyout appears that shows you more information: When you select an event, a flyout appears that shows you more information: - Location details: Device name, User, and MDATP device ID. > [!div class="mx-imgBorder"] -> ![FilterOnDeviceControlReport](images/devicecontrolreportfilter.png) +> :::image type="content" source="images/devicecontrolreportfilter.png" alt-text="The Filter On Device Control Report page" lightbox="images/devicecontrolreportfilter.png"::: To see real-time activity for this media across the organization, select the Open Advanced hunting button. This includes an embedded, pre-defined query. > [!div class="mx-imgBorder"] -> ![QueryOnDeviceControlReport](images/Devicecontrolreportquery.png) +> :::image type="content" source="images/Devicecontrolreportquery.png" alt-text="The Query On Device Control Report page" lightbox="images/Devicecontrolreportquery.png"::: To see the security of the device, select the Open device page** button on the flyout. This button opens the device entity page. > [!div class="mx-imgBorder"] -> ![DeviceEntityPage](images/Devicesecuritypage.png) +> :::image type="content" source="images/Devicesecuritypage.png" alt-text="The Device Entity Page" lightbox="images/Devicesecuritypage.png"::: ## Reporting delays
security	Device Discovery	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md	To assess these devices, you can use a filter in the device inventory list calle - Unsupported: The endpoint was discovered in the network but is not supported by Microsoft Defender for Endpoint. - Insufficient info: The system could not determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes. -![Image of device inventory dashboard.](images/device-discovery-inventory.png) > [!TIP] > You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices. To address the challenge of gaining enough visibility to locate, identify, and s Vulnerabilities and risks on your devices as well as other discovered unmanaged devices in the network are part of the current TVM flows under "Security Recommendations" and represented in entity pages across the portal. Search for "SSH" related security recommendations to find SSH vulnerabilities that are related for unmanaged and managed devices. -![Image of security recommendations dashboard.](images/1156c82ffadd356ce329d1cf551e806c.png) + ## Use Advanced Hunting on discovered devices You can use Advanced Hunting queries to gain visibility on discovered devices. Find details about discovered Endpoints in the DeviceInfo table, or network-related information about those devices in the DeviceNetworkInfo table. -![Image of advanced hunting use.](images/f48ba1779eddee9872f167453c24e5c9.png) Device discovery leverages Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. This means that if a Microsoft Defender for Endpoint onboarded device communicated with a non-onboarded device, activities on the non-onboarded device can be seen on the timeline and through the Advanced hunting DeviceNetworkEvents table.
security	Device Timeline Event Flag	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md	While navigating the device timeline, you can search and filter for specific eve ## Flag an event 1. Find the event that you want to flag -2. Click the flag icon in the Flag column. - ![Image of device timeline flag.](images/device-flags.png) +2. Click the flag icon in the Flag column. -3. Click the flag icon in the Flag column. - - ![Image of device timeline flag](images/device-flags.png) ## View flagged events 1. In the timeline Filters section, enable Flagged events. 2. Click Apply. Only flagged events are displayed. - You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event. - - ![Image of device timeline flag with filter on.](images/device-flag-filter.png) - -3. Click Apply. Only flagged events are displayed. You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event. +You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event. - ![Image of device timeline flag with filter on](images/device-flag-filter.png)
security	Edr In Block Mode	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md	ms.technology: mde EDR in block mode is integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md). Your organization's security team will get a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled. > [!TIP] > To get the best protection, make sure to [deploy Microsoft Defender for Endpoint baselines](configure-machines-security-baseline.md). When EDR in block mode is turned on, and a malicious artifact is detected, Micro The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: ## Enable EDR in block mode
security	Enable Attack Surface Reduction	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md	You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul 1. Open the Microsoft Endpoint Manager (MEM) admin center. In the Home menu, click Devices, select Configuration profiles, and then click Create profile. > [!div class="mx-imgBorder"] - > ![MEM Create Profile.](images/mem01-create-profile.png) + > :::image type="content" source="images/mem01-create-profile.png" alt-text="The Create profile page in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem01-create-profile.png"::: 2. In Create a profile, in the following two drop-down lists, select the following: You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul Select Custom, and then select Create. > [!div class="mx-imgBorder"] - > ![MEM rule profile attributes.](images/mem02-profile-attributes.png) + > :::image type="content" source="images/mem02-profile-attributes.png" alt-text="The rule profile attributes in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem02-profile-attributes.png"::: 3. The Custom template tool opens to step 1 Basics. In 1 Basics, in Name, type a name for your template, and in Description you can type a description (optional). > [!div class="mx-imgBorder"] - > ![MEM basic attributes.](images/mem03-1-basics.png) + > :::image type="content" source="images/mem03-1-basics.png" alt-text="The basic attributes in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem03-1-basics.png"::: 4. Click Next. Step 2 Configuration settings opens. For OMA-URI Settings, click Add. Two options now appear: Add and Export. > [!div class="mx-imgBorder"] - > ![MEM Configuration settings.](images/mem04-2-configuration-settings.png) + > :::image type="content" source="images/mem04-2-configuration-settings.png" alt-text="The configuration settings in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem04-2-configuration-settings.png"::: 5. Click Add again. The Add Row OMA-URI Settings opens. In Add Row, do the following: You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul - 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block) > [!div class="mx-imgBorder"] - > ![MEM OMA URI configuration.](images/mem05-add-row-oma-uri.png) + > :::image type="content" source="images/mem05-add-row-oma-uri.png" alt-text="The OMA URI configuration in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem05-add-row-oma-uri.png"::: 6. Select Save. Add Row closes. In Custom, select Next. In step 3 Scope tags, scope tags are optional. Do one of the following: You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul - Add all devices > [!div class="mx-imgBorder"] - > ![MEM assignments.](images/mem06-4-assignments.png) + > :::image type="content" source="images/mem06-4-assignments.png" alt-text="The assignments in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem06-4-assignments.png"::: 8. In Excluded groups, select any groups that you want to exclude from this rule, and then select Next. You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul - In Value, enter the applicable value or value range > [!div class="mx-imgBorder"] - > ![MEM Applicability rules.](images/mem07-5-applicability-rules.png) + > :::image type="content" source="images/mem07-5-applicability-rules.png" alt-text="The applicability rules in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem07-5-applicability-rules.png"::: 10. Select Next. In step 6 Review + create, review the settings and information you have selected and entered, and then select Create. > [!div class="mx-imgBorder"] - > ![MEM Review and create.](images/mem08-6-review-create.png) + > :::image type="content" source="images/mem08-6-review-create.png" alt-text="The Review and create option in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem08-6-review-create.png"::: > [!NOTE] > Rules are active and live within minutes. Example: - 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled) - 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block) - :::image type="content" source="images/asr-rules-gp.png" alt-text="ASR rules in Group Policy."::: + :::image type="content" source="images/asr-rules-gp.png" alt-text="ASR rules in Group Policy" lightbox="images/asr-rules-gp.png"::: 5. To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface reduction rules setting and set the option to Enabled. Select Show and enter each file or folder in the Value name column. Enter 0 in the Value column for each item. Example: > The User Defined option setting is shown in the following figure. > [!div class="mx-imgBorder"] -> ![ASR enable "User Defined"](images/asr-user-defined.png) +> :::image type="content" source="images/asr-user-defined.png" alt-text="The Enable option for credential security" lightbox="images/asr-user-defined.png"::: 1. Type powershell in the Start menu, right-click Windows PowerShell and select Run as administrator.
security	Enable Cloud Protection Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md	For more information about allowed parameters, see [Windows Defender WMIv2 APIs] 2. Select the Virus & threat protection tile (or the shield icon on the left menu bar), and then, under Manage settings select Virus & threat protection settings. -3. Confirm that Cloud-based Protection and Automatic sample submission are both switched to On. + :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="The Virus & threat protection settings" lightbox="../../media/wdav-protection-settings-wdsc.png"::: + +3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On. > [!NOTE] > If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
security	Enable Controlled Folders	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md	Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/wi - Block disk modification only - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in Applications and Services Logs \> Microsoft \> Windows \> Windows Defender \> Operational \> ID 1123. - Audit disk modification only - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs \> Microsoft \> Windows \> Windows Defender \> Operational \> ID 1124). Attempts to modify or delete files in protected folders won't be recorded. - ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down.](../../media/cfa-gp-enable.png) + :::image type="content" source="../../media/cfa-gp-enable.png" alt-text="The group policy option Enabled and Audit Mode selected" lightbox="../../media/cfa-gp-enable.png"::: > [!IMPORTANT] > To fully enable controlled folder access, you must set the Group Policy option to Enabled and select Block in the options drop-down menu.
security	Enable Exploit Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md	The result is that DEP is enabled for test.exe. DEP will not be enabled for an 3. Name the profile, choose Windows 10 and later and Endpoint protection. - :::image type="content" source="images/create-endpoint-protection-profile.png" alt-text="Create endpoint protection profile."::: + :::image type="content" source="images/create-endpoint-protection-profile.png" alt-text="The Create endpoint protection profile" lightbox="images/create-endpoint-protection-profile.png"::: 4. Select Configure \> Windows Defender Exploit Guard \> Exploit protection. 5. Upload an [XML file](/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: - :::image type="content" source="images/enable-ep-intune.png" alt-text="Enable network protection in Intune."::: + :::image type="content" source="images/enable-ep-intune.png" alt-text="The Enable network protection setting in Intune" lightbox="images/enable-ep-intune.png"::: 6. Select OK to save each open blade, and then choose Create.
security	Enable Microsoft Defender For Iot Integration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration.md	To enable Microsoft Defender for IoT, the user must have the following roles: 1. In the navigation pane of the [https://security.microsoft.com](https://security.microsoft.com/) portal, select Settings \> Device discovery \> Microsoft Defender for IoT. - ![Image of IoT integration setup.](images/enable-defender-for-iot.png) + :::image type="content" source="images/enable-defender-for-iot.png" alt-text="The IoT integration setup" lightbox="images/enable-defender-for-iot.png"::: 2. Select an Azure subscription from the dropdown list of available subscriptions in your Azure Active Directory tenant and select Save.
security	Enable Network Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md	If the Key is missing, Navigate to SOFTWARE \> Microsoft \> Windows D - 1, or On - 2, or Audit** mode - :::image type="content" alt-text="Network Protection registry key." source="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png" lightbox="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png"::: - - + :::image type="content" source="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png" alt-text="Network Protection registry key" lightbox="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png"::: + ## Enable network protection Enable network protection by using any of these methods:
security	Evaluate Network Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md	Enable network protection in audit mode to see which IP addresses and domains wo The network connection will be allowed and a test message will be displayed. - ![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) + :::image type="content" source="images/np-notif.png" alt-text="The connection blockage notification" lightbox="images/np-notif.png"::: > [!NOTE] > Network connections can be successful even though a site is blocked by network protection. To learn more, see [Network protection and the TCP three-way handshake](network-protection.md#network-protection-and-the-tcp-three-way-handshake).
security	Evaluation Lab	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md	Already have a lab? Make sure to enable the new threat simulators and have activ 1. In the navigation pane, select Evaluation & tutorials \> Evaluation lab, then select Setup lab. - :::image type="content" source="../../media/evaluationtutormenu.png" alt-text="Image of evaluation lab welcome page."::: + :::image type="content" source="../../media/evaluationtutormenu.png" alt-text="The evaluation lab welcome page" lightbox="../../media/evaluationtutormenu.png"::: 2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select Next. - ![Image of lab configuration options.](images/lab-creation-page.png) + :::image type="content" source="images/lab-creation-page.png" alt-text="The lab configuration options" lightbox="images/lab-creation-page.png"::: 3. (Optional) You can choose to install threat simulators in the lab. - ![Image of install simulators agent.](images/install-agent.png) + :::image type="content" source="images/install-agent.png" alt-text="The install simulators agent page" lightbox="images/install-agent.png"::: > [!IMPORTANT] > You'll first need to accept and provide consent to the terms and information sharing statements. 4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add. - ![Image of summary page.](images/lab-setup-summary.png) + :::image type="content" source="images/lab-setup-summary.png" alt-text="The summary page" lightbox="images/lab-setup-summary.png"::: 5. Review the summary and select Setup lab. Automated investigation settings will be dependent on tenant settings. It will b 1. From the dashboard, select Add device. -2. Choose the type of device to add. You can choose to add Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, and Linux (Ubuntu). +2. Choose the type of device to add. You can choose to add Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, and Linux (Ubuntu). + + :::image type="content" source="../../media/add-machine-optionsnew.png" alt-text="The lab setup with device options" lightbox="../../media/add-machine-optionsnew.png"::: > [!NOTE] > If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota. Automated investigation settings will be dependent on tenant settings. It will b > [!NOTE] > The password is only displayed once. Be sure to save it for later use. - :::image type="content" source="../../media/add-machine-eval-lab-new.png" alt-text="Image of device added with connection details."::: + :::image type="content" source="../../media/add-machine-eval-lab-new.png" alt-text="The device added with connection details" lightbox="../../media/add-machine-eval-lab-new.png"::: 4. Device set up begins. This can take up to approximately 30 minutes. 5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the Devices tab. - ![Image of devices tab.](images/machines-tab.png) + :::image type="content" source="images/machines-tab.png" alt-text="The devices tab" lightbox="images/machines-tab.png"::: + > [!TIP] > In the Simulator status column, you can hover over the information icon to know the installation status of an agent. When all existing devices are used and deleted, you can request for more devices 1. From the evaluation lab dashboard, select Request for more devices. - ![Image of request for more devices.](images/request-more-devices.png) + :::image type="content" source="images/request-more-devices.png" alt-text="The request for more devices option" lightbox="images/request-more-devices.png"::: 2. Choose your configuration. 3. Submit the request. If you are looking for a pre-made simulation, you can use our ["Do It Yourself" 1. Connect to your device and run an attack simulation by selecting Connect. - ![Image of the connect button for test devices.](images/test-machine-table.png) + :::image type="content" source="images/test-machine-table.png" alt-text="The Connect button for the test devices" lightbox="images/test-machine-table.png"::: -2. For Windows devices: save the RDP file and launch it by selecting Connect.<br> - ![Image of remote desktop connection.](images/remote-connection.png) + :::image type="content" source="images/remote-connection.png" alt-text="The remote desktop connection screen" lightbox="images/remote-connection.png"::: For Linux devices: you'll need to use a local SSH client and the provided command. If you are looking for a pre-made simulation, you can use our ["Do It Yourself" > [!NOTE] > If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting Reset password from the menu: > - > ![Image of reset password.](images/reset-password-test-machine.png) + > :::image type="content" source="images/reset-password-test-machine.png" alt-text="The Reset password option" lightbox="images/reset-password-test-machine.png"::: > > The device will change it's state to "Executing password reset", then you'll be presented with your new password in a few minutes. 3. Enter the password that was displayed during the device creation step. - ![Image of window to enter credentials.](images/enter-password.png) + :::image type="content" source="images/enter-password.png" alt-text="The screen on which you enter credentials" lightbox="images/enter-password.png"::: 4. Run Do-it-yourself attack simulations on the device. Running threat simulations using third-party platforms is a good way to evaluate 2. Select a threat simulator. - ![Image of threat simulator selection.](images/select-simulator.png) + :::image type="content" source="images/select-simulator.png" alt-text="The threat simulator selection" lightbox="images/select-simulator.png"::: 3. Choose a simulation or look through the simulation gallery to browse through the available simulations. Running threat simulations using third-party platforms is a good way to evaluate 6. View the progress of a simulation by selecting the Simulations tab. View the simulation state, active alerts, and other details. - ![Image of simulations tab.](images/simulations-tab.png) + :::image type="content" source="images/simulations-tab.png" alt-text="Simulations tab" lightbox="images/simulations-tab.png"::: After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender for Endpoint triggered an automated investigation and remediation. Check out the evidence collected and analyzed by the feature. A list of supported third-party threat simulation agents are listed, and specifi You can conveniently run any available simulation right from the catalog. -![Image of simulations catalog.](images/simulations-catalog.png) Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run. Examples: -![Image of simulation description details1.](images/simulation-details-aiq.png) -![Image of simulation description details2.](images/simulation-details-sb.png) ## Evaluation report The lab reports summarize the results of the simulations conducted on the devices. -![Image of the evaluation report.](images/eval-report.png) At a glance, you'll quickly be able to see: Your feedback helps us get better in protecting your environment from advanced a Let us know what you think, by selecting Provide feedback. -![Image of provide feedback.](images/send-us-feedback-eval-lab.png)
security	Exposed Apis Create App Nativeapp	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp.md	This page explains how to create an AAD application, get an access token to Micr 2. Navigate to Azure Active Directory \> App registrations \> New registration. - :::image type="content" alt-text="Image of Microsoft Azure and navigation to application registration." source="images/atp-azure-new-app2.png" lightbox="images/atp-azure-new-app2.png"::: + :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The App registrations page in the Microsoft Azure portal" lightbox="images/atp-azure-new-app2.png"::: 3. When the Register an application page appears, enter your application's registration information: - Name - Enter a meaningful application name that will be displayed to users of the app. This page explains how to create an AAD application, get an access token to Micr - Choose Delegated permissions \> Alert.Read > select Add permissions. - :::image type="content" alt-text="application permissions." source="images/application-permissions-public-client.png" lightbox="images/application-permissions-public-client.png"::: + :::image type="content" source="images/application-permissions-public-client.png" alt-text="The application type and permissions panes" lightbox="images/application-permissions-public-client.png"::: > [!IMPORTANT] > Select the relevant permissions. Read alerts is only an example. This page explains how to create an AAD application, get an access token to Micr > [!NOTE] > Every time you add permission you must select on Grant consent for the new permission to take effect. - ![Image of Grant permissions.](images/grant-consent.png) + :::image type="content" source="images/grant-consent.png" alt-text="The Grand admin consent option" lightbox="images/grant-consent.png"::: 5. Write down your application ID and your tenant ID. On your application page, go to Overview and copy the following information: - :::image type="content" alt-text="Image of created app id." source="images/app-and-tenant-ids.png" lightbox="images/app-and-tenant-ids.png"::: + :::image type="content" source="images/app-and-tenant-ids.png" alt-text="The created app ID" lightbox="images/app-and-tenant-ids.png"::: ## Get an access token Verify to make sure you got a correct token: - Validate you get a 'scp' claim with the desired app permissions. - In the screenshot below you can see a decoded token acquired from the app in the tutorial: - :::image type="content" alt-text="Image of token validation." source="images/nativeapp-decoded-token.png" lightbox="images/nativeapp-decoded-token.png"::: + :::image type="content" source="images/nativeapp-decoded-token.png" alt-text="The token validation page" lightbox="images/nativeapp-decoded-token.png"::: ## Use the token to access Microsoft Defender for Endpoint API
security	Exposed Apis Create App Partners	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners.md	The following steps will guide you how to create an Azure AD application, get an 2. Navigate to Azure Active Directory \> App registrations \> New registration. - ![Image of Microsoft Azure and navigation to application registration.](images/atp-azure-new-app2.png) + :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The navigation to application registration pane" lightbox="images/atp-azure-new-app2.png"::: 3. In the registration form: The following steps will guide you how to create an Azure AD application, get an - Redirect URI - type: Web, URI: https://portal.azure.com - ![Image of Microsoft Azure partner application registration.](images/atp-api-new-app-partner.png) + :::image type="content" source="images/atp-api-new-app-partner.png" alt-text="The Microsoft Azure partner application registration page" lightbox="images/atp-api-new-app-partner.png"::: 4. Allow your Application to access Microsoft Defender for Endpoint and assign it with the minimal set of permissions required to complete the integration. The following steps will guide you how to create an Azure AD application, get an - Note: WindowsDefenderATP does not appear in the original list. Start writing its name in the text box to see it appear. - ![add permission.](images/add-permission.png) + :::image type="content" source="images/add-permission.png" alt-text="The Add a permission option" lightbox="images/add-permission.png"::: ### Request API permissions In the following example we will use 'Read all alerts' permission: 1. Choose Application permissions \> Alert.Read.All > select on Add permissions - ![app permissions.](images/application-permissions.png) + :::image type="content" source="images/application-permissions.png" alt-text="The option that allows to add a permission" lightbox="images/application-permissions.png"::: 2. Select Grant consent - Note: Every time you add permission you must select on Grant consent for the new permission to take effect. - ![Image of Grant permissions.](images/grant-consent.png) + :::image type="content" source="images/grant-consent.png" alt-text="The option that allows consent to be granted" lightbox="images/grant-consent.png"::: 3. Add a secret to the application. In the following example we will use 'Read all alerts' permission: Important: After click Add, copy the generated secret value. You won't be able to retrieve after you leave! - ![Image of create app key.](images/webapp-create-key2.png) + :::image type="content" source="images/webapp-create-key2.png" alt-text="The create app key" lightbox="images/webapp-create-key2.png"::: 4. Write down your application ID: - On your application page, go to Overview and copy the following information: - ![Image of created app id.](images/app-id.png) + :::image type="content" source="images/app-id.png" alt-text="The create application's ID" lightbox="images/app-id.png"::: 5. Add the application to your customer's tenant. In the following example we will use 'Read all alerts' permission: After clicking on the consent link, sign in with the Global Administrator of the customer's tenant and consent the application. - ![Image of consent.](images/app-consent-partner.png) + :::image type="content" source="images/app-consent-partner.png" alt-text="The Accept button" lightbox="images/app-consent-partner.png"::: In addition, you will need to ask your customer for their tenant ID and save it for future use when acquiring the token. Sanity check to make sure you got a correct token: - In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender for Endpoint: - The "tid" claim is the tenant ID the token belongs to. -![Image of token validation.](images/webapp-decoded-token.png) ## Use the token to access Microsoft Defender for Endpoint API
security	Exposed Apis Create App Webapp	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp.md	This article explains how to create an Azure AD application, get an access token 2. Navigate to Azure Active Directory \> App registrations \> New registration. - :::image type="content" alt-text="Image of Microsoft Azure and navigation to application registration." source="images/atp-azure-new-app2.png" lightbox="images/atp-azure-new-app2.png"::: + :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The application registration pane" lightbox="images/atp-azure-new-app2.png"::: 3. In the registration form, choose a name for your application, and then select Register. This article explains how to create an Azure AD application, get an access token > [!NOTE] > WindowsDefenderATP does not appear in the original list. Start writing its name in the text box to see it appear. - :::image type="content" alt-text="add permission." source="images/add-permission.png" lightbox="images/add-permission.png"::: + :::image type="content" source="images/add-permission.png" alt-text="The API permissions pane" lightbox="images/add-permission.png"::: Select Application permissions \> Alert.Read.All, and then select Add permissions. - :::image type="content" alt-text="app permission." source="images/application-permissions.png" lightbox="images/application-permissions.png"::: + :::image type="content" source="images/application-permissions.png" alt-text="The application permission information pane" lightbox="images/application-permissions.png"::: You need to select the relevant permissions. 'Read All Alerts' is only an example. For example: This article explains how to create an Azure AD application, get an access token > [!NOTE] > Every time you add a permission, you must select Grant consent for the new permission to take effect. - ![Grant permissions.](images/grant-consent.png) + :::image type="content" source="images/grant-consent.png" alt-text="The grant permissions page" lightbox="images/grant-consent.png"::: 6. To add a secret to the application, select Certificates & secrets, add a description to the secret, and then select Add. > [!NOTE] > After you select Add, select copy the generated secret value. You won't be able to retrieve this value after you leave. - ![Image of create app key.](images/webapp-create-key2.png) + :::image type="content" source="images/webapp-create-key2.png" alt-text="The create application option" lightbox="images/webapp-create-key2.png"::: 7. Write down your application ID and your tenant ID. On your application page, go to Overview and copy the following. - :::image type="content" alt-text="Image of created app id." source="images/app-and-tenant-ids.png" lightbox="images/app-and-tenant-ids.png"::: + :::image type="content" source="images/app-and-tenant-ids.png" alt-text="The created app and tenant IDs" lightbox="images/app-and-tenant-ids.png"::: 8. For Microsoft Defender for Endpoint Partners only. Set your app to be multi-tenanted (available in all tenants after consent). This is required for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is not required if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted: Ensure that you got the correct token: In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender for Endpoint's roles: - :::image type="content" alt-text="Image of token validation." source="images/webapp-decoded-token.png" lightbox="images/webapp-decoded-token.png"::: + :::image type="content" source="images/webapp-decoded-token.png" alt-text="The token details portion" lightbox="images/webapp-decoded-token.png"::: ## Use the token to access Microsoft Defender for Endpoint API
security	Gov	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md	If a proxy or firewall is blocking all traffic by default and allowing only spec The following downloadable spreadsheet lists the services and their associated URLs your network must be able to connect to. Verify there are no firewall or network-filtering rules that would deny access to these URLs, or create an allow rule specifically for them. -\|Spreadsheet of domains list\| Description\| -\|\|\| -\| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers \| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx) +Spreadsheet of domains list\|Description +:--\|:-- For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
security	Grant Mssp Access	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md	To implement a multi-tenant delegated access solution, take the following steps: To enable RBAC in the customer Microsoft 365 Defender portal, access Settings > Permissions > Roles and "Turn on roles", from a user account with Global Administrator or Security Administrator rights. - ![Image of MSSP access.](images/mssp-access.png) + :::image type="content" source="images/mssp-access.png" alt-text="MSSP access" lightbox="images/mssp-access.png"::: Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via "Assigned user groups". To implement a multi-tenant delegated access solution, take the following steps: To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add New Catalog. In our example, we will call it MSSP Accesses. - ![Image of new catalog.](images/goverance-catalog.png) + :::image type="content" source="images/goverance-catalog.png" alt-text="The new catalog page" lightbox="images/goverance-catalog.png"::: Further more information, see [Create a catalog of resources](/azure/active-directory/governance/entitlement-management-catalog-create). To implement a multi-tenant delegated access solution, take the following steps: - Access auto expires after 365 days > [!div class="mx-imgBorder"] - > ![Image of new access package.](images/new-access-package.png) + > :::image type="content" source="images/new-access-package.png" alt-text="The New access package page" lightbox="images/new-access-package.png"::: For more information, see [Create a new access package](/azure/active-directory/governance/entitlement-management-access-package-create). To implement a multi-tenant delegated access solution, take the following steps: The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the MSSP Analyst Approvers. > [!div class="mx-imgBorder"] - > ![Image of access properties.](images/access-properties.png) + > :::image type="content" source="images/access-properties.png" alt-text="The Properties page" lightbox="images/access-properties.png"::: The link is located on the overview page of each access package.
security	Host Firewall Reporting	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md	The following scenarios are supported during Ring0 Preview. Here is a couple of examples of the firewall report pages. Here you will find a summary of inbound, outbound, and application activity. You can access this page directly by going to <https://security.microsoft.com/firewall>. > [!div class="mx-imgBorder"] -> ![Host firewall reporting page.](\images\host-firewall-reporting-page.png) +> :::image type="content" source="\images\host-firewall-reporting-page.png" alt-text="The Host firewall reporting page" lightbox="\images\host-firewall-reporting-page.png"::: These reports can also be accessed by going to Reports > Security Report > Devices (section) located at the bottom of the Firewall Blocked Inbound Connections card. These reports can also be accessed by going to Reports > Security Report Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch the Microsoft 365 Defender portal in a new tab, and take you directly to the Device Timeline tab. > [!div class="mx-imgBorder"] -> ![Computers with a blocked connection.](\images\firewall-reporting-blocked-connection.png) +> :::image type="content" source="\images\firewall-reporting-blocked-connection.png" alt-text="The Computers with a blocked connection page" lightbox="\images\firewall-reporting-blocked-connection.png"::: You can now select the Timeline tab, which will give you a list of events associated with that device. After clicking on the Filters button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select Firewall events and the pane will be filtered to Firewall events. > [!div class="mx-imgBorder"] -> ![Filters button.](\images\firewall-reporting-filters-button.png) +> :::image type="content" source="\images\firewall-reporting-filters-button.png" alt-text="The Filters button" lightbox="\images\firewall-reporting-filters-button.png"::: ### Drill into advanced hunting (preview refresh) Firewall reports support drilling from the card directly into Advanced Hunting by clicking the Open Advanced hunting button. The query will be pre-populated. > [!div class="mx-imgBorder"] -> ![Open Advanced hunting button.](\images\firewall-reporting-advanced-hunting.png) +> :::image type="content" source="\images\firewall-reporting-advanced-hunting.png" alt-text="The Open Advanced hunting button" lightbox="\images\firewall-reporting-advanced-hunting.png"::: The query can now be executed, and all related Firewall events from the last 30 days can be explored.
security	Import Export Exploit Protection Emet Xml	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md	When you've configured exploit protection to your desired state (including both 2. Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection settings: - ![Highlight of the Exploit protection settings option in the Windows Security app.](../../media/wdsc-exp-prot.png) + :::image type="content" source="../../media/wdsc-exp-prot.png" alt-text="The Exploit protection settings option in the Windows Security app" lightbox="../../media/wdsc-exp-prot.png"::: 3. At the bottom of the Exploit protection section, select Export settings. Choose the location and name of the XML file where you want the configuration to be saved. > [!IMPORTANT] > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file. - ![Highlight of the Export Settings option.](../../media/wdsc-exp-prot-export.png) + :::image type="content" source="../../media/wdsc-exp-prot-export.png" alt-text="The Export Settings option" lightbox="../../media/wdsc-exp-prot-export.png"::: > [!NOTE] > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the System settings and Program settings sections (either section will export all settings). You can use Group Policy to deploy the configuration you've created to multiple 3. Expand the tree to Windows components \> Windows Defender Exploit Guard \> Exploit protection. - ![Screenshot of the group policy setting for exploit protection.](../../media/exp-prot-gp.png) + :::image type="content" source="../../media/exp-prot-gp.png" alt-text="The group policy setting for exploit protection" lightbox="../../media/exp-prot-gp.png"::: 4. Double-click Use a common set of Exploit protection settings and set the option to Enabled.
security	Indicator File	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md	Choose if to Generate an alert on the file block event and define the alerts set - Description - Recommended actions -![Alert settings for file indicators.](images/indicators-generate-alert.png) > [!IMPORTANT] >
security	Information Protection Investigation	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md	Learn how to use data sensitivity labels to prioritize incident investigation. 2. Scroll to the right to see the Data sensitivity column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident. - ![Image of data sensitivity column.](images/data-sensitivity-column.png) + :::image type="content" source="images/data-sensitivity-column.png" alt-text="The Highly confidential option in the data sensitivity column" lightbox="images/data-sensitivity-column.png"::: You can also filter based on Data sensitivity - ![Image of data sensitivity filter.](images/data-sensitivity-filter.png) + :::image type="content" source="images/data-sensitivity-filter.png" alt-text="The data sensitivity filter" lightbox="images/data-sensitivity-filter.png"::: 3. Open the incident page to further investigate. - ![Image of incident page details.](images/incident-page.png) + :::image type="content" source="images/incident-page.png" alt-text="The incident page details" lightbox="images/incident-page.png"::: 4. Select the Devices tab to identify devices storing files with sensitivity labels. - ![Image of device tab.](images/investigate-devices-tab.png) + :::image type="content" source="images/investigate-devices-tab.png" alt-text="The Device tab" lightbox="images/investigate-devices-tab.png"::: 5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected. You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name. - ![Image of device timeline with narrowed down search results based on label.](images/machine-timeline-labels.png) + :::image type="content" source="images/machine-timeline-labels.png" alt-text="The device timeline with narrowed down search results based on label" lightbox="images/machine-timeline-labels.png"::: > [!TIP] > These data points are also exposed through the 'DeviceFileEvents' in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
security	Investigate Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-alerts.md	Expand entities to view details at a glance. Selecting an entity will switch the > [!NOTE] > The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected. -![An example of an alert story with an alert in focus and some expanded cards.](images/alert-story-tree.png) ## Take action from the details pane Once you're done investigating, go back to the alert you started with, mark the If you classify it as a true alert, you can also select a determination, as shown in the image below. -![A snippet of the details pane with a resolved alert and the determination drop-down expanded.](images/alert-details-resolved-true.png) If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future. -![actions and classification in the details pane with the suppression rule highlighted.](images/alert-false-suppression-rule.png) > [!TIP] > If you're experiencing any issues not described above, use the ≡ƒÖé button to provide feedback or open a support ticket.
security	Investigate Behind Proxy	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md	For more information, see [Enable network protection](enable-network-protection. When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up. -![Image of network events on device's timeline.](images/atp-proxy-investigation.png) Other events triggered by the network protection layer are now available to surface the real domain names even behind a proxy. Event's information: -![Image of single network event.](images/atp-proxy-investigation-event.png) ## Hunt for connection events using advanced hunting DeviceNetworkEvents \| take 10 ``` -![Image of advanced hunting query.](images/atp-proxy-investigation-ah.png) You can also filter out events that are related to connection to the proxy itself.
security	Investigate Files	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md	The file prevalence card shows where the file was seen in devices in the organiz > [!NOTE] > Different users may see dissimilar values in the devices in organization section of the file prevalence card. This is because the card displays information based on the RBAC scope that a user has. Meaning, if a user has been granted visibility on a specific set of devices, they will only see the file organizational prevalence on those devices. -![Image of file information.](images/atp-file-information.png) ## Alerts The Alerts tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group, if any, the affected device belongs to. You can choose what kind of information is shown by selecting Customize columns from the toolbar above the column headers. -![Image of alerts related to the file section.](images/atp-alerts-related-to-file.png) ## Observed in organization The Observed in organization tab allows you to specify a date range to see w > [!NOTE] > This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting Export from the action menu above the tab's column headers. -![Image of most recent observed device with the file.](images/atp-observed-machines.png) Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. Use the slider or the range selector to quickly specify a time period that you w The Deep analysis tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank. -![Image of deep analysis tab.](images/submit-file.png) ## File names The File names tab lists all names the file has been observed to use, within your organizations. -![Image of file names tab.](images/atp-file-names.png) ## Related topics
security	Investigate Incidents	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md	When you investigate an incident, you'll see: Click an incident to see the Incident pane. Select Open incident page to see the incident details and related information (alerts, devices, investigations, evidence, graph). -![Image of incident details1.](images/atp-incident-details.png) ### Alerts You can investigate the alerts and see how they were linked together in an incid - Same file - The files associated with the alert are exactly the same - Same URL - The URL that triggered the alert is exactly the same -![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident.](images/atp-incidents-alerts-reason.png) You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md). You can also manage an alert and see alert metadata along with other information You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md). -![Image of devices tab in incident details page.](images/atp-incident-device-tab.png) ### Investigations Select Investigations to see all the automatic investigations launched by the system in response to the incident alerts. -![Image of investigations tab in incident details page.](images/atp-incident-investigations-tab.png) ## Going through the evidence Microsoft Defender for Endpoint automatically investigates all the incidents' su Each of the analyzed entities will be marked as infected, remediated, or suspicious. -![Image of evidence tab in incident details page.](images/atp-incident-evidence-tab.png) ## Visualizing associated cybersecurity threats Microsoft Defender for Endpoint aggregates the threat information into an incide The Graph tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc. -![Image of the incident graph.](images/atp-incident-graph-tab.png) You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it's been observed in your organization, if so, how many instances. -![Image of incident details.](images/atp-incident-graph-details.png) ## Related topics
security	Investigate Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md	When you investigate a specific device, you'll see: - Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs) - Cards (active alerts, logged on users, security assessment) -![Image of device view.](images/specific-device.png) > [!NOTE] > Due to product constrains, the device profile does not consider all cyber evidence when determining the 'Last Seen' timeframe (as seen on the device page as well). The tabs provide relevant security and threat prevention information related to The Overview tab displays the [cards](#cards) for active alerts, logged on users, and security assessment. -![Image of overview tab on the device page.](images/overview-device.png) ### Alerts The Alerts tab provides a list of alerts that are associated with the device. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts. -![Image of alerts related to the device.](images/alerts-device.png) When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related devices. Multiple alerts can be selected at a time. The timeline also enables you to selectively drill down into events that occurre > - [5031](/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network > - [5157](/windows/security/threat-protection/auditing/event-5157) - blocked connection -![Image of device timeline with events.](images/timeline-device.png) Some of the functionality includes: Select an event to view relevant details about that event. A panel displays to s To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting Hunt for related events. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint. -![Image of the event details panel.](images/event-details.png) ### Security recommendations Security recommendations are generated from Microsoft Defender for Endpoint's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details. -![Image of security recommendations tab.](images/security-recommendations-device.png) ### Software inventory The Software inventory tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details -![Image of software inventory tab.](images/software-inventory-device.png) ### Discovered vulnerabilities The Discovered vulnerabilities tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details. -![Image of discovered vulnerabilities tab.](images/discovered-vulnerabilities-device.png) ### Missing KBs The Missing KBs tab lists the missing security updates for the device. -![Image of missing kbs tab.](images/missing-kbs-device.png) ## Cards The Missing KBs tab lists the missing security updates for the device. The Azure Advanced Threat Protection card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Microsoft Defender for Identity feature, and there are any active alerts. More information is available in the "Alerts" drill down. -![Image of active alerts card.](images/risk-level-small.png) > [!NOTE] > You'll need to enable the integration on both Microsoft Defender for Identity and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). The Azure Advanced Threat Protection card will display a high-level overview The Logged on users card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md). -![Image of user details pane.](images/logged-on-users.png) > [!NOTE] > The 'Most frequent' user value is calculated only based on evidence of users who successfully logged on interactively. The Logged on users card shows how many users have logged on in the past 30 The Security assessments card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A device's exposure level is determined by the cumulative impact of its pending security recommendations. -![Image of security assessments card.](images/security-assessments.png) ## Related topics
security	Investigate User	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md	When you investigate a user account entity, you'll see: - Alerts related to this user - Observed in organization (devices logged on to) -![Image of the user account entity details page.](images/atp-user-details-view.png) ### User details
security	Ios Configure Features	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md	While enabled by default, there might be some cases that require you to disable 1. Toggle off Connect On Demand to disable VPN. > [!div class="mx-imgBorder"] - > ![VPN config connect on demand.](images/ios-vpn-config.png) + > :::image type="content" source="images/ios-vpn-config.png" alt-text="The toggle button for the VPN config Connect on demand option" lightbox="images/ios-vpn-config.png"::: > [!NOTE] > Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap Start VPN. Follow the steps below to create a compliance policy against jailbroken devices. 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to Devices -> Compliance policies -> Create Policy. Select "iOS/iPadOS" as platform and click Create. > [!div class="mx-imgBorder"] - > ![Create Policy.](images/ios-jb-policy.png) + > :::image type="content" source="images/ios-jb-policy.png" alt-text="The Create Policy tab" lightbox="images/ios-jb-policy.png"::: 2. Specify a name of the policy, for example "Compliance Policy for Jailbreak". 3. In the compliance settings page, click to expand Device Health section and click Block for Jailbroken devices field. > [!div class="mx-imgBorder"] - > ![Policy Settings.](images/ios-jb-settings.png) + > :::image type="content" source="images/ios-jb-settings.png" alt-text="The Compliance settings tab" lightbox="images/ios-jb-settings.png"::: -4. In the Action for noncompliance section, select the actions as per your requirements and select Next. +4. In the Actions for noncompliance section, select the actions as per your requirements and select Next. > [!div class="mx-imgBorder"] - > ![Policy Actions.](images/ios-jb-actions.png) + > :::image type="content" source="images/ios-jb-actions.png" alt-text="The Actions for noncompliance tab" lightbox="images/ios-jb-actions.png"::: 5. In the Assignments section, select the user groups that you want to include for this policy and then select Next. 6. In the Review+Create section, verify that all the information entered is correct and then select Create.
security	Ios Install Unmanaged	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md	End users also need to take steps to install Microsoft Defender for Endpoint on 1. Verify that the connector is enabled. <br> On the [unified security console](https://security.microsoft.com), go to Settings > Endpoints > Advanced Features and ensure that Microsoft Intune connection is enabled. - ![Image of Defender for Endpoint -Intune connector](images/enable-intune-connection.png) + :::image type="content" source="images/enable-intune-connection.png" alt-text="The Defender for Endpoint - Intune connector" lightbox="images/enable-intune-connection.png"::: + 2. Verify that the connector is enabled on the Intune portal. <br> In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to Endpoint Security > Microsoft Defender for Endpoint and ensure that the Connection status is enabled. - ![App settings](images/app-settings.png) + :::image type="content" source="images/app-settings.png" alt-text="The application settings" lightbox="images/app-settings.png"::: ### Create an app protection policy Microsoft Defender for Endpoint can be configured to send threat signals to be u 1. Create a policy <br> App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. -![Image of policy creation](images/create-policy.png) 2. Add apps <br> a. Choose how you want to apply this policy to apps on different devices. Then add at least one app. <br> Because mobile app management doesn't require device management, you can protect Example: Outlook as a managed app - ![Image Outlook as managed app](images/managed-app.png) + :::image type="content" source="images/managed-app.png" alt-text="The Microsoft Outlook menu item on the left navigation pane" lightbox="images/managed-app.png"::: + 3. Set sign-in security requirements for your protection policy. <br> Select Setting > Max allowed device threat level in Device Conditions and enter a value. Then select Action: "Block Access". Microsoft Defender for Endpoint on iOS shares this Device Threat Level. - ![Image of conditional launch](images/conditional-launch.png) + + :::image type="content" source="images/conditional-launch.png" alt-text="The Device conditions pane" lightbox="images/conditional-launch.png"::: 4. Assign user groups for whom the policy needs to be applied.<br> Select Included groups. Then add the relevant groups.
security	Ios Install	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md	Deploy Defender for Endpoint on iOS via Intune Company Portal. 1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to Apps -> iOS/iPadOS -> Add -> iOS store app and click Select. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager Admin Center1.](images/ios-deploy-1.png) + > :::image type="content" source="images/ios-deploy-1.png" alt-text="The Add applications tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-1.png"::: 1. On the Add app page, click on Search the App Store and type Microsoft Defender for Endpoint in the search bar. In the search results section, click on Microsoft Defender for Endpoint and click Select. Deploy Defender for Endpoint on iOS via Intune Company Portal. > The selected user group should consist of Intune enrolled users. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager Admin Center2.](images/ios-deploy-2.png) + > :::image type="content" source="images/ios-deploy-2.png" alt-text="The Add group tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-2.png"::: 1. In the Review + Create section, verify that all the information entered is correct and then select Create. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page. 1. In the app information page that is displayed, in the Monitor section, select Device install status to verify that the device installation has completed successfully. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager Admin Center3.](images/ios-deploy-3.png) + > :::image type="content" source="images/ios-deploy-3.png" alt-text="The Device install status page" lightbox="images/ios-deploy-3.png"::: ## Complete deployment for supervised devices This step simplifies the onboarding process by setting up the VPN profile. For a - Type of Automatic VPN = On-demand VPN - Click Add for On Demand Rules and select I want to do the following = Establish VPN, I want to restrict to = All domains. - ![A screen shot of VPN profile configuration settings](images/ios-deploy-8.png) + :::image type="content" source="images/ios-deploy-8.png" alt-text="The VPN profile Configuration settings tab" lightbox="images/ios-deploy-8.png"::: 1. Click Next and assign the profile to targeted users. 1. In the Review + Create section, verify that all the information entered is correct and then select Create. Admins can configure Microsoft Defender for Endpoint to deploy and activate sile - Type of Automatic VPN = On-demand VPN - Select Add for On Demand Rules and select I want to do the following = Establish VPN, I want to restrict to = All domains. - ![A screen shot of VPN profile configuration.](images/ios-deploy-9.png) + :::image type="content" source="images/ios-deploy-9.png" alt-text="The VPN profile Configuration page" lightbox="images/ios-deploy-9.png"::: 1. Select Next and assign the profile to targeted users. 1. In the Review + Create section, verify that all the information entered is correct and then select Create. Once the above configuration is done and synced with the device, the following a 1. Once Defender for Endpoint on iOS has been installed on the device, you will see the app icon. - ![A screen shot of a smart phone Description automatically generated.](images/41627a709700c324849bf7e13510c516.png) + :::image type="content" source="images/41627a709700c324849bf7e13510c516.png" alt-text="A smart phone Description automatically generated" lightbox="images/41627a709700c324849bf7e13510c516.png"::: 2. Tap the Defender for Endpoint app icon (MSDefender) and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint on iOS. 3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft 365 Defender portal. > [!div class="mx-imgBorder"] - > ![A screenshot of a cell phone Description automatically generated.](images/device-inventory-screen.png) + > :::image type="content" source="images/device-inventory-screen.png" alt-text="The Device inventory page" lightbox="images/device-inventory-screen.png"::: +## Configure Microsoft Defender for Endpoint for Supervised Mode + +The Microsoft Defender for Endpoint on iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode. + +### Configure Supervised Mode via Intune + +Intune allows you to configure the Defender for iOS app through an App Configuration policy. + + > [!NOTE] + > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice. + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to Apps \> App configuration policies \> Add. Click on Managed devices. + + > [!div class="mx-imgBorder"] + > :::image type="content" source="images/ios-deploy-4.png" alt-text="The Managed devices option" lightbox="images/ios-deploy-4.png"::: + +1. In the Create app configuration policy page, provide the following information: + - Policy Name + - Platform: Select iOS/iPadOS + - Targeted app: Select Microsoft Defender for Endpoint from the list + + > [!div class="mx-imgBorder"] + > :::image type="content" source="images/ios-deploy-5.png" alt-text="The basic fields for the configuration policy for the application" lightbox="images/ios-deploy-5.png"::: + +1. In the next screen, select Use configuration designer as the format. Specify the following property: + - Configuration Key: issupervised + - Value type: String + - Configuration Value: {{issupervised}} + + > [!div class="mx-imgBorder"] + > :::image type="content" source="images/ios-deploy-6.png" alt-text="The page from which to choose the format for the settings of the policy configuration" lightbox="images/ios-deploy-6.png"::: + +1. Click Next to open the Scope tags page. Scope tags are optional. Click Next to continue. + +1. On the Assignments page, select the groups that will receive this profile. For this scenario, it is best practice to target All Devices. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). + + When deploying to user groups, a user must sign in to a device before the policy applies. + + Click Next. + +1. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list of configuration profiles. ## Next Steps
security	Ios Troubleshoot	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md	While enabled by default, there might be some cases that require you to disable 1. Toggle off Connect On Demand to disable VPN. > [!div class="mx-imgBorder"] - > ![VPN config connect on demand.](images/ios-vpn-config.png) + > :::image type="content" source="images/ios-vpn-config.png" alt-text="The Connect on demand option" lightbox="images/ios-vpn-config.png"::: > [!NOTE] > Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and Enable Web Protection. Microsoft Defender for Endpoint protects you against phishing or other web-based In addition, a notification is shown on the iOS device. Tapping on the notification opens the following screen for the user to review the details. > [!div class="mx-imgBorder"] -> ![Image of site reported as unsafe notification.](images/ios-phish-alert.png) +> :::image type="content" source="images/ios-phish-alert.png" alt-text="The site reported as unsafe notification" lightbox="images/ios-phish-alert.png"::: ## Device not seen on the Defender for Endpoint console after onboarding.
security	Limited Periodic Scanning Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md	By default, Microsoft Defender Antivirus will enable itself on a Windows 10 or a If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device: -![Windows Security app showing Microsoft Defender AV options, including scan options, settings, and update options.](images/vtp-wdav.png) If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the Virus & threat protection section to show status about the AV product, and provide a link to the product's configuration options.
security	Linux Install Manually	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md	Download the onboarding package from Microsoft 365 Defender portal. 2. In the first drop-down menu, select Linux Server as the operating system. In the second drop-down menu, select Local Script as the deployment method. 3. Select Download onboarding package. Save the file as WindowsDefenderATPOnboardingPackage.zip. - ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-linux.png) + :::image type="content" source="images/portal-onboarding-linux.png" alt-text="Downloading an onboarding package in the Microsoft 365 Defender portal" lightbox="images/portal-onboarding-linux.png"::: 4. From a command prompt, verify that you have the file, and extract the contents of the archive:
security	Linux Install With Ansible	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md	Download the onboarding package from Microsoft 365 Defender portal: 2. In the first drop-down menu, select Linux Server as the operating system. In the second drop-down menu, select Your preferred Linux configuration management tool as the deployment method. 3. Select Download onboarding package. Save the file as WindowsDefenderATPOnboardingPackage.zip. - ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-linux-2.png) + :::image type="content" source="images/portal-onboarding-linux-2.png" alt-text="The Download onboarding package option" lightbox="images/portal-onboarding-linux-2.png"::: 4. From a command prompt, verify that you have the file. Extract the contents of the archive:
security	Linux Install With Puppet	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md	Download the onboarding package from Microsoft 365 Defender portal: 2. In the first drop-down menu, select Linux Server as the operating system. In the second drop-down menu, select Your preferred Linux configuration management tool as the deployment method. 3. Select Download onboarding package. Save the file as WindowsDefenderATPOnboardingPackage.zip. - ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-linux-2.png) + :::image type="content" source="images/portal-onboarding-linux-2.png" alt-text="The option to download the onboarded package" lightbox="images/portal-onboarding-linux-2.png"::: 4. From a command prompt, verify that you have the file.
security	Linux Schedule Scan Mde	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde.md	Type "`:wq`" without the double quotes. To view your cron jobs, type `sudo crontab -l` #### To inspect cron job runs
security	Live Response	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md	Before you can initiate a session on a device, make sure you fulfill the followi You'll receive the following error: - ![Image of error message.](images/live-response-error.png) + :::image type="content" source="images/live-response-error.png" alt-text="The error message" lightbox="images/live-response-error.png"::: - Enable live response unsigned script execution (optional).
security	Mac Device Control Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md	The device control policy can be used to: When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user. -![Device control notification.](images/mac-device-control-notification.png) When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification. To find the vendor ID, product ID, and serial number of a USB device: 1. Plug in the USB device for which you want to look up the identifiers. 1. In the top-level menu of macOS, select About This Mac. - ![About this Mac.](images/mac-device-control-lookup-1.png) + :::image type="content" source="images/mac-device-control-lookup-1.png" alt-text="The About this Mac page" lightbox="images/mac-device-control-lookup-1.png"::: 1. Select System Report. - ![System Report.](images/mac-device-control-lookup-2.png) + :::image type="content" source="images/mac-device-control-lookup-2.png" alt-text="The system report" lightbox="images/mac-device-control-lookup-2.png"::: 1. From the left column, select USB. - ![View of all USB devices.](images/mac-device-control-lookup-3.png) + :::image type="content" source="images/mac-device-control-lookup-3.png" alt-text="The view of all the USB devices" lightbox="images/mac-device-control-lookup-3.png"::: + 1. Under USB Device Tree, navigate to the USB device that you plugged in. - ![Details of a USB device.](images/mac-device-control-lookup-4.png) + :::image type="content" source="images/mac-device-control-lookup-4.png" alt-text="The details of a USB device" lightbox="images/mac-device-control-lookup-4.png"::: 1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`.
security	Mac Exclusions	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md	For more information on how to configure exclusions from JAMF, Intune, or anothe Open the Defender for Endpoint application and navigate to Manage settings \> Add or Remove Exclusion..., as shown in the following screenshot: -![Manage exclusions screenshot.](images/mdatp-37-exclusions.png) Select the type of exclusion that you wish to add and follow the prompts.
security	Mac Install Jamfpro Login	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md	ms.technology: mde 1. Enter your credentials. - ![Image of Jamf Pro dashboard1.](images/jamf-pro-portal1.png) + :::image type="content" source="images/jamf-pro-portal1.png" alt-text="The Jamf Pro dashboard1" lightbox="images/jamf-pro-portal1.png"::: 2. Select Computers. - ![Image of Jamf Pro dashboard2.](images/jamf-pro-dashboard.png) + :::image type="content" source="images/jamf-pro-dashboard.png" alt-text="The Jamf Pro dashboard2" lightbox="images/jamf-pro-dashboard.png"::: 3. You will see the settings that are available. - ![Image of Jamf Pro dashboard3.](images/jamfpro-settings.png) + :::image type="content" source="images/jamfpro-settings.png" alt-text="The Jamf Pro dashboard3" lightbox="images/jamfpro-settings.png"::: ## Next step
security	Mac Install Manually	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md	Download the installation and onboarding packages from Microsoft 365 Defender po 3. In Section 2 of the page, select Download installation package. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select Download onboarding package. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-macos.png) + :::image type="content" source="images/portal-onboarding-macos.png" alt-text="The options to download the installation and onboarding packages" lightbox="images/portal-onboarding-macos.png"::: 5. From a command prompt, verify that you have the two files. To complete this process, you must have admin privileges on the device. 1. Navigate to the downloaded wdav.pkg in Finder and open it. - ![App install screenshot1.](images/mdatp-28-appinstall.png) + :::image type="content" source="images/mdatp-28-appinstall.png" alt-text="The installation of the application" lightbox="images/mdatp-28-appinstall.png"::: 2. Select Continue, agree with the License terms, and enter the password when prompted. - ![App install screenshot2.](images/mdatp-29-appinstalllogin.png) + :::image type="content" source="images/mdatp-29-appinstalllogin.png" alt-text="The application installation" lightbox="images/mdatp-29-appinstalllogin.png"::: > [!IMPORTANT] > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - ![App install screenshot3.](images/mdatp-30-systemextension.png) + :::image type="content" source="images/mdatp-30-systemextension.png" alt-text="The application's installation" lightbox="images/mdatp-30-systemextension.png"::: 3. Select Open Security Preferences or Open System Preferences > Security & Privacy. Select Allow: - ![Security and privacy window screenshot.](images/mdatp-31-securityprivacysettings.png) + :::image type="content" source="images/mdatp-31-securityprivacysettings.png" alt-text="The Security and privacy window" lightbox="images/mdatp-31-securityprivacysettings.png"::: The installation proceeds. To complete this process, you must have admin privileges on the device. 1. Navigate to the downloaded wdav.pkg in Finder and open it. - ![App install screenshot4.](images/monterey-install-1.png) + :::image type="content" source="images/monterey-install-1.png" alt-text="The installation process for the application" lightbox="images/monterey-install-1.png"::: 2. Select Continue, agree with the License terms, and enter the password when prompted. 3. At the end of the installation process, you'll be promoted to approve the system extensions used by the product. Select Open Security Preferences. - ![System extension approval.](images/monterey-install-2.png) + :::image type="content" source="images/monterey-install-2.png" alt-text="The system extension approval" lightbox="images/monterey-install-2.png"::: 4. From the Security & Privacy window, select Allow. - ![System extension security preferences1.](images/monterey-install-3.png) + :::image type="content" source="images/monterey-install-3.png" alt-text="The system extension security preferences1" lightbox="images/monterey-install-3.png"::: 5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender for Endpoint on Mac. 6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft 365 Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select Allow. - ![System extension security preferences2.](images/monterey-install-4.png) + :::image type="content" source="images/monterey-install-4.png" alt-text="The system extension security preferences2" lightbox="images/monterey-install-4.png"::: 7. Open System Preferences \> Security & Privacy and navigate to the Privacy tab. Grant Full Disk Access permission to Microsoft Defender and Microsoft Defenders Endpoint Security Extension. - ![Full disk access.](images/monterey-install-5.png) + :::image type="content" source="images/monterey-install-5.png" alt-text="The full disk access" lightbox="images/monterey-install-5.png"::: ## Client configuration To complete this process, you must have admin privileges on the device. After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. > [!div class="mx-imgBorder"] - > ![Microsoft Defender icon in status bar screenshot.](images/mdatp-icon-bar.png) + > :::image type="content" source="images/mdatp-icon-bar.png" alt-text="The Microsoft Defender icon in status bar" lightbox="images/mdatp-icon-bar.png"::: ## How to Allow Full Disk Access To complete this process, you must have admin privileges on the device. 12. Go to the Alert Queue. - :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Example of a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions."::: + :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="An macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions" lightbox="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png"::: Look at the alert details and the device timeline, and perform the regular investigation steps.
security	Mac Install With Intune	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md	Download the onboarding packages from Microsoft 365 Defender portal: 2. Set the operating system to macOS and the deployment method to Mobile Device Management / Microsoft Intune. - ![Onboarding settings screenshot.](images/macos-install-with-intune.png) + :::image type="content" source="images/macos-install-with-intune.png" alt-text="The Onboarding settings page" lightbox="images/macos-install-with-intune.png"::: 3. Select Download onboarding package. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. This profile contains license information for Microsoft Defender for Endpoint. W 1. Select Platform=macOS, Profile type=Templates. Template name=Custom. Click Create. > [!div class="mx-imgBorder"] - > ![Custom Configuration Profile creation.](images/mdatp-6-systemconfigurationprofiles-1.png) + > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-1.png" alt-text="The Custom Configuration Profile creation page" lightbox="images/mdatp-6-systemconfigurationprofiles-1.png"::: 1. Choose a name for the profile, e.g., "Defender for Cloud or Endpoint onboarding for macOS". Click Next. > [!div class="mx-imgBorder"] - > ![Custom Configuration Profile - name.](images/mdatp-6-systemconfigurationprofiles-2.png) + > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-2.png" alt-text="The Custom Configuration Profile name field" lightbox="images/mdatp-6-systemconfigurationprofiles-2.png"::: 1. Choose a name for the configuration profile name, e.g., "Defender for Endpoint onboarding for macOS". 1. Choose a [deployment channel](/mem/intune/fundamentals/whats-new#new-deployment-channel-setting-for-custom-device-configuration-profiles-on-macos-devices). 1. Select intune/WindowsDefenderATPOnboarding.xml that you extracted from the onboarding package above as configuration profile file. > [!div class="mx-imgBorder"] - > ![Import a configuration from a file for Custom Configuration Profile.](images/mdatp-6-systemconfigurationprofiles.png) + > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles.png" alt-text="The import of a configuration from a file for Custom Configuration Profile" lightbox="images/mdatp-6-systemconfigurationprofiles.png"::: 1. Click Next. 1. Assign devices on the Assignment tab. Click Next. > [!div class="mx-imgBorder"] - > ![Custom Configuration Profile - assignment.](images/mdatp-6-systemconfigurationprofiles-2.png) + > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-2.png" alt-text="The custom configuration profile - assignment" lightbox="images/mdatp-6-systemconfigurationprofiles-2.png"::: 1. Review and Create. 1. Open Devices \> Configuration profiles, you can see your created profile there. > [!div class="mx-imgBorder"] - > ![Custom Configuration Profile - done.](images/mdatp-6-systemconfigurationprofiles-3.png) + > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-3.png" alt-text="The completion of the custom configuration profile" lightbox="images/mdatp-6-systemconfigurationprofiles-3.png"::: ### Approve System Extensions This profile is needed for macOS 10.15 (Catalina) or newer. It will be ignored o \|com.microsoft.wdav.netext\|UBF8T346G9\| > [!div class="mx-imgBorder"] - > ![System extension settings.](images/mac-system-extension-intune2.png) + > :::image type="content" source="images/mac-system-extension-intune2.png" alt-text="The settings of the system's extension" lightbox="images/mac-system-extension-intune2.png"::: 1. In the Assignments tab, assign this profile to All Users & All devices. 1. Review and create this configuration profile. This profile is needed for macOS 10.15 (Catalina) or older. It will be ignored o 1. Set Team identifier to UBF8T346G9 and click Next. > [!div class="mx-imgBorder"] - > ![Kernel extension settings.](images/mac-kernel-extension-intune2.png) + > :::image type="content" source="images/mac-system-extension-intune2.png" alt-text="The Kernel settings of the system's extension" lightbox="images/mac-system-extension-intune2.png"::: 1. In the Assignments tab, assign this profile to All Users & All devices. 1. Review and create this configuration profile. Follow the instructions for [Onboarding blob](#onboarding-blob) from above, usin Once the Intune changes are propagated to the enrolled devices, you can see them listed under Monitor \> Device status: > [!div class="mx-imgBorder"] -> ![View of Device Status in Monitor.](images/mdatp-7-devicestatusblade.png) +> :::image type="content" source="images/mdatp-7-devicestatusblade.png" alt-text="The view of the device status" lightbox="images/mdatp-7-devicestatusblade.png"::: ## Publish application This step enables deploying Microsoft Defender for Endpoint to enrolled machines 1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), open Apps. > [!div class="mx-imgBorder"] - > ![Ready to create application.](images/mdatp-8-app-before.png) + > :::image type="content" source="images/mdatp-8-app-before.png" alt-text="The application's overview page" lightbox="images/mdatp-8-app-before.png"::: 1. Select By platform > macOS > Add. 1. Choose App type=macOS, click Select. > [!div class="mx-imgBorder"] - > ![Specify application type.](images/mdatp-9-app-type.png) + > :::image type="content" source="images/mdatp-9-app-type.png" alt-text="The specific application type" lightbox="images/mdatp-9-app-type.png"::: 1. Keep default values, click Next. > [!div class="mx-imgBorder"] - > ![Application properties.](images/mdatp-10-properties.png) + > :::image type="content" source="images/mdatp-10-properties.png" alt-text="The application properties page" lightbox="images/mdatp-10-properties.png"::: 1. Add assignments, click Next. > [!div class="mx-imgBorder"] - > ![Intune assignments info screenshot.](images/mdatp-11-assignments.png) + > :::image type="content" source="images/mdatp-11-assignments.png" alt-text="The Intune assignments information page" lightbox="images/mdatp-11-assignments.png"::: 1. Review and Create. 1. You can visit Apps \> By platform \> macOS to see it on the list of all applications. > [!div class="mx-imgBorder"] - > ![Applications list.](images/mdatp-12-applications.png) + > :::image type="content" source="images/mdatp-12-applications.png" alt-text="The application lists page" lightbox="images/mdatp-12-applications.png"::: For more information, see [Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune](/mem/intune/apps/apps-advanced-threat-protection-macos).) You don't need any special provisioning for a Mac device beyond a standard [Comp 1. Confirm device management. > [!div class="mx-imgBorder"] - > ![Confirm device management screenshot.](images/mdatp-3-confirmdevicemgmt.png) + > :::image type="content" source="images/mdatp-3-confirmdevicemgmt.png" alt-text="The Confirm device management page" lightbox="images/mdatp-3-confirmdevicemgmt.png"::: Select Open System Preferences, locate Management Profile on the list, and select Approve.... Your Management Profile would be displayed as Verified: - ![Management profile screenshot.](images/mdatp-4-managementprofile.png) + :::image type="content" source="images/mdatp-4-managementprofile.png" alt-text="The Management profile page" lightbox="images/mdatp-4-managementprofile.png"::: 2. Select Continue and complete the enrollment. You don't need any special provisioning for a Mac device beyond a standard [Comp 3. In Intune, open Manage \> Devices \> All devices. Here you can see your device among those listed: > [!div class="mx-imgBorder"] - > ![Add Devices screenshot.](images/mdatp-5-alldevices.png) + > :::image type="content" source="images/mdatp-5-alldevices.png" alt-text="The All Devices page" lightbox="images/mdatp-5-alldevices.png"::: ## Verify client device state 1. After the configuration profiles are deployed to your devices, open System Preferences \> Profiles on your Mac device. > [!div class="mx-imgBorder"] - > ![System Preferences screenshot.](images/mdatp-13-systempreferences.png) + > :::image type="content" source="images/mdatp-13-systempreferences.png" alt-text="The System preferences page" lightbox="images/mdatp-13-systempreferences.png"::: - ![System Preferences Profiles screenshot.](images/mdatp-14-systempreferencesprofiles.png) + :::image type="content" source="images/mdatp-14-systempreferencesprofiles.png" alt-text="The System Preferences Profiles page" lightbox="images/mdatp-14-systempreferencesprofiles.png"::: 2. Verify that the following configuration profiles are present and installed. The Management Profile should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune: - ![Profiles screenshot.](images/mdatp-15-managementprofileconfig.png) + :::image type="content" source="images/mdatp-15-managementprofileconfig.png" alt-text="The Profiles page" lightbox="images/mdatp-15-managementprofileconfig.png"::: 3. You should also see the Microsoft Defender for Endpoint icon in the top-right corner: > [!div class="mx-imgBorder"] - > ![Microsoft Defender for Endpoint icon in status bar screenshot.](images/mdatp-icon-bar.png) + > :::image type="content" source="images/mdatp-icon-bar.png" alt-text="The icon for Microsoft Defender for Endpoint in the status bar" lightbox="images/mdatp-icon-bar.png"::: ## Troubleshooting
security	Mac Jamfpro Device Groups	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md	Set up the device groups similar to Group policy organizational unite (OUs), Mi 2. Select New. - ![Image of Jamf Pro1.](images/jamf-pro-static-group.png) + :::image type="content" source="images/jamf-pro-static-group.png" alt-text="The Jamf Pro1 page" lightbox="images/jamf-pro-static-group.png"::: 3. Provide a display name and select Save. - ![Image of Jamf Pro2.](images/jamfpro-machine-group.png) + :::image type="content" source="images/jamfpro-machine-group.png" alt-text="The Jamf Pro2 page" lightbox="images/jamfpro-machine-group.png"::: 4. Now you will see the Contoso's Machine Group under Static Computer Groups. - ![Image of Jamf Pro3.](images/contoso-machine-group.png) + :::image type="content" source="images/contoso-machine-group.png" alt-text="The Jamf Pro3 page" lightbox="images/contoso-machine-group.png"::: ## Next step - [Set up Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md)
security	Mac Jamfpro Enroll Devices	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md	For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c 1. In the Jamf Pro dashboard, navigate to Enrollment invitations. - ![Image of configuration settings1.](images/a347307458d6a9bbfa88df7dbe15398f.png) + :::image type="content" source="images/a347307458d6a9bbfa88df7dbe15398f.png" alt-text="The configuration settings1" lightbox="images/a347307458d6a9bbfa88df7dbe15398f.png"::: 2. Select + New. - ![A close up of a logo Description automatically generated.](images/b6c7ad56d50f497c38fc14c1e315456c.png) + :::image type="content" source="images/b6c7ad56d50f497c38fc14c1e315456c.png" alt-text="The close up of a logo description automatically generated" lightbox="images/b6c7ad56d50f497c38fc14c1e315456c.png"::: 3. In Specify Recipients for the Invitation > under Email Addresses enter the e-mail address(es) of the recipients. - ![Image of configuration settings2.](images/718b9d609f9f77c8b13ba88c4c0abe5d.png) + :::image type="content" source="images/718b9d609f9f77c8b13ba88c4c0abe5d.png" alt-text="The configuration settings2" lightbox="images/718b9d609f9f77c8b13ba88c4c0abe5d.png"::: - ![Image of configuration settings3.](images/ae3597247b6bc7c5347cf56ab1e820c0.png) + :::image type="content" source="images/ae3597247b6bc7c5347cf56ab1e820c0.png" alt-text="The configuration settings3" lightbox="images/ae3597247b6bc7c5347cf56ab1e820c0.png"::: For example: janedoe@contoso.com - ![Image of configuration settings4.](images/4922c0fcdde4c7f73242b13bf5e35c19.png) + :::image type="content" source="images/4922c0fcdde4c7f73242b13bf5e35c19.png" alt-text="The configuration settings4" lightbox="images/4922c0fcdde4c7f73242b13bf5e35c19.png"::: 4. Configure the message for the invitation. - ![Image of configuration settings5.](images/ce580aec080512d44a37ff8e82e5c2ac.png) + :::image type="content" source="images/ce580aec080512d44a37ff8e82e5c2ac.png" alt-text="The configuration settings5" lightbox="images/ce580aec080512d44a37ff8e82e5c2ac.png"::: - ![Image of configuration settings6.](images/5856b765a6ce677caacb130ca36b1a62.png) + :::image type="content" source="images/5856b765a6ce677caacb130ca36b1a62.png" alt-text="The configuration settings6" lightbox="images/5856b765a6ce677caacb130ca36b1a62.png"::: - ![Image of configuration settings7.](images/3ced5383a6be788486d89d407d042f28.png) + :::image type="content" source="images/3ced5383a6be788486d89d407d042f28.png" alt-text="The configuration settings7" lightbox="images/3ced5383a6be788486d89d407d042f28.png"::: - ![Image of configuration settings8.](images/54be9c6ed5b24cebe628dc3cd9ca4089.png) + :::image type="content" source="images/54be9c6ed5b24cebe628dc3cd9ca4089.png" alt-text="The configuration settings8" lightbox="images/54be9c6ed5b24cebe628dc3cd9ca4089.png"::: ## Enrollment Method 2: Prestage Enrollments 1. In the Jamf Pro dashboard, navigate to Prestage enrollments. - ![Image of configuration settings9.](images/6fd0cb2bbb0e60a623829c91fd0826ab.png) + :::image type="content" source="images/6fd0cb2bbb0e60a623829c91fd0826ab.png" alt-text="The configuration settings9" lightbox="images/6fd0cb2bbb0e60a623829c91fd0826ab.png"::: 2. Follow the instructions in [Computer PreStage Enrollments](https://docs.jamf.com/9.9/casper-suite/administrator-guide/Computer_PreStage_Enrollments.html). For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c 1. Select Continue and install the CA certificate from a System Preferences window. - ![Image of Jamf Pro enrollment1.](images/jamfpro-ca-certificate.png) + :::image type="content" source="images/jamfpro-ca-certificate.png" alt-text="The Jamf Pro enrollment1" lightbox="images/jamfpro-ca-certificate.png"::: 2. Once CA certificate is installed, return to the browser window and select Continue and install the MDM profile. - ![Image of Jamf Pro enrollment2.](images/jamfpro-install-mdm-profile.png) + :::image type="content" source="images/jamfpro-install-mdm-profile.png" alt-text="The Jamf Pro enrollment2" lightbox="images/jamfpro-install-mdm-profile.png"::: 3. Select Allow to downloads from JAMF. - ![Image of Jamf Pro enrollment3.](images/jamfpro-download.png) + :::image type="content" source="images/jamfpro-download.png" alt-text="The Jamf Pro enrollment3" lightbox="images/jamfpro-download.png"::: 4. Select Continue to proceed with the MDM Profile installation. - ![Image of Jamf Pro enrollment4.](images/jamfpro-install-mdm.png) + :::image type="content" source="images/jamfpro-install-mdm.png" alt-text="The Jamf Pro enrollment4" lightbox="images/jamfpro-install-mdm.png"::: 5. Select Continue to install the MDM Profile. - ![Image of Jamf Pro enrollment5.](images/jamfpro-mdm-unverified.png) + :::image type="content" source="images/jamfpro-mdm-unverified.png" alt-text="The Jamf Pro enrollment5" lightbox="images/jamfpro-mdm-unverified.png"::: 6. Select Continue to complete the configuration. - ![Image of Jamf Pro enrollment6.](images/jamfpro-mdm-profile.png) + :::image type="content" source="images/jamfpro-mdm-profile.png" alt-text="The Jamf Pro enrollment6" lightbox="images/jamfpro-mdm-profile.png":::
security	Mac Jamfpro Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md	You'll need to take the following steps: 2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method. - ![Image of Microsoft 365 Defender portal.](images/onboarding-macos.png) + :::image type="content" source="images/onboarding-macos.png" alt-text="The Settings page of the Microsoft Defender Security Center" lightbox="images/onboarding-macos.png"::: 3. Select Download onboarding package (WindowsDefenderATPOnboardingPackage.zip). You'll need to take the following steps: 1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section. - ![Image of WindowsDefenderATPOnboarding file.](images/plist-onboarding-file.png) + :::image type="content" source="images/plist-onboarding-file.png" alt-text="The Windows Defender ATP Onboarding file" lightbox="images/plist-onboarding-file.png"::: 2. Sign in to Jamf Pro, navigate to Computers > Configuration Profiles, and select New. - ![Image of creating a new Jamf Pro dashboard.](images/jamf-pro-configure-profile.png) + :::image type="content" source="images/jamf-pro-configure-profile.png" alt-text="The page on which you create a new Jamf Pro dashboard" lightbox="images/jamf-pro-configure-profile.png"::: 3. Enter the following details: You'll need to take the following steps: 4. Navigate to the Application & Custom Settings page and select Upload > Add. - ![Image of configurate app and custom settings.](images/jamfpro-mac-profile.png) + :::image type="content" source="images/jamfpro-mac-profile.png" alt-text="The configurate app and custom settings" lightbox="images/jamfpro-mac-profile.png"::: 5. Select Upload File (PLIST file) then in Preference Domain enter: `com.microsoft.wdav.atp`. - ![Image of jamfpro plist upload file.](images/jamfpro-plist-upload.png) + :::image type="content" source="images/jamfpro-plist-upload.png" alt-text="The jamfpro plist upload file" lightbox="images/jamfpro-plist-upload.png"::: - ![Image of upload file property List file.](images/jamfpro-plist-file.png) + :::image type="content" source="images/jamfpro-plist-file.png" alt-text="The upload file property List file" lightbox="images/jamfpro-plist-file.png"::: 6. Select Open and select the onboarding file. - ![Image of onboarding file.](images/jamfpro-plist-file-onboard.png) + :::image type="content" source="images/jamfpro-plist-file-onboard.png" alt-text="The onboarding file" lightbox="images/jamfpro-plist-file-onboard.png"::: 7. Select Upload. - ![Image of uploading plist file.](images/jamfpro-upload-plist.png) + :::image type="content" source="images/jamfpro-upload-plist.png" alt-text="The uploading plist file" lightbox="images/jamfpro-upload-plist.png"::: 8. Select the Scope tab. - ![Image of scope tab.](images/jamfpro-scope-tab.png) + :::image type="content" source="images/jamfpro-scope-tab.png" alt-text="The Scope tab" lightbox="images/jamfpro-scope-tab.png"::: 9. Select the target computers. - ![Image of target computers.](images/jamfpro-target-computer.png) + :::image type="content" source="images/jamfpro-target-computer.png" alt-text="The target computers" lightbox="images/jamfpro-target-computer.png"::: - ![Image of targets.](images/jamfpro-targets.png) + :::image type="content" source="images/jamfpro-targets.png" alt-text="The targets" lightbox="images/jamfpro-targets.png"::: 10. Select Save. - ![Image of deployment target computers.](images/jamfpro-deployment-target.png) + :::image type="content" source="images/jamfpro-deployment-target.png" alt-text="The deployment of target computers" lightbox="images/jamfpro-deployment-target.png"::: - ![Image of target computers selected.](images/jamfpro-target-selected.png) + :::image type="content" source="images/jamfpro-target-selected.png" alt-text="The selection of target computers" lightbox="images/jamfpro-target-selected.png"::: 11. Select Done. - ![Image of target group computers.](images/jamfpro-target-group.png) + :::image type="content" source="images/jamfpro-target-group.png" alt-text="The computers of a target group" lightbox="images/jamfpro-target-group.png"::: - ![List of configuration profiles.](images/jamfpro-configuration-policies.png) + :::image type="content" source="images/jamfpro-configuration-policies.png" alt-text="The list of configuration profiles" lightbox="images/jamfpro-configuration-policies.png"::: ## Step 3: Configure Microsoft Defender for Endpoint settings Note that you must use exact `com.microsoft.wdav` as the Preference Domain, 2. Create a new Configuration Profile under Computers -> Configuration Profiles, enter the following details on the General tab: - ![New profile.](images/644e0f3af40c29e80ca1443535b2fe32.png) + :::image type="content" source="images/644e0f3af40c29e80ca1443535b2fe32.png" alt-text="A new profile" lightbox="images/644e0f3af40c29e80ca1443535b2fe32.png"::: - Name: MDATP MDAV configuration settings - Description:\<blank\> Note that you must use exact `com.microsoft.wdav` as the Preference Domain, 3. Scroll down to the Application & Custom Settings tab, select External Applications, click Add and use Custom Schema as Source to use for the preference domain. - ![Add custom schema.](images/4137189bc3204bb09eed3aabc41afd78.png) + :::image type="content" source="images/4137189bc3204bb09eed3aabc41afd78.png" alt-text="Add custom schema" lightbox="images/4137189bc3204bb09eed3aabc41afd78.png"::: 4. Enter `com.microsoft.wdav` as the Preference Domain, click on Add Schema and Upload the schema.json file downloaded on Step 1. Click Save. - ![Upload schema.](images/a6f9f556037c42fabcfdcb1b697244cf.png) + :::image type="content" source="images/a6f9f556037c42fabcfdcb1b697244cf.png" alt-text="Upload schema" lightbox="images/a6f9f556037c42fabcfdcb1b697244cf.png"::: 5. You can see all supported Microsoft Defender for Endpoint configuration settings below, under Preference Domain Properties. Click Add/Remove properties to select the settings that you want to be managed, and click Ok to save your changes. (Settings left unselected will not be included into the managed configuration, an end user will be able to configure those settings on their machines.) - ![Select managed settings.](images/817b3b760d11467abe9bdd519513f54f.png) + :::image type="content" source="images/817b3b760d11467abe9bdd519513f54f.png" alt-text="The chosen managed settings" lightbox="images/817b3b760d11467abe9bdd519513f54f.png"::: 6. Change values of the settings to desired values. You can click More information to get documentation for a particular setting. (You may click Plist preview to inspect what the configuration plist will look like. Click Form editor to return to the visual editor.) - ![Change settings values.](images/a14a79efd5c041bb8974cb5b12b3a9b6.png) + :::image type="content" source="images/a14a79efd5c041bb8974cb5b12b3a9b6.png" alt-text="The page on which you change the settings values" lightbox="images/a14a79efd5c041bb8974cb5b12b3a9b6.png"::: 7. Select the Scope tab. - ![Configuration profile scope.](images/9fc17529e5577eefd773c658ec576a7d.png) + :::image type="content" source="images/9fc17529e5577eefd773c658ec576a7d.png" alt-text="The Configuration profile scope" lightbox="images/9fc17529e5577eefd773c658ec576a7d.png"::: 8. Select Contoso's Machine Group. 9. Select Add, then select Save. - ![Configuration settings - add.](images/cf30438b5512ac89af1d11cbf35219a6.png) + :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The page on which you can add the Configuration settings" lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png"::: - ![Configuration settings - save.](images/6f093e42856753a3955cab7ee14f12d9.png) + :::image type="content" source="images/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The page on which you can save the Configuration settings" lightbox="images/6f093e42856753a3955cab7ee14f12d9.png"::: 10. Select Done. You'll see the new Configuration profile. - ![Configuration settings - done.](images/dd55405106da0dfc2f50f8d4525b01c8.png) + :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The page on which you complete the Configuration settings" lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png"::: Microsoft Defender for Endpoint adds new settings over time. These new settings will be added to the schema, and a new version will be published to Github. All you need to do to have updates is to download an updated schema, edit existing configuration profile, and Edit schema at the Application & Custom Settings tab. All you need to do to have updates is to download an updated schema, edit existi 3. In the Jamf Pro dashboard, open Computers, and their Configuration Profiles. Click New and switch to the General tab. - ![New profile.](images/644e0f3af40c29e80ca1443535b2fe32.png) + :::image type="content" source="images/644e0f3af40c29e80ca1443535b2fe32.png" alt-text="The page displaying a new profile" lightbox="images/644e0f3af40c29e80ca1443535b2fe32.png"::: 4. Enter the following details: All you need to do to have updates is to download an updated schema, edit existi - Distribution Method: Install Automatically(default) - Level: Computer Level(default) - ![Image of MDATP MDAV configuration settings.](images/3160906404bc5a2edf84d1d015894e3b.png) + :::image type="content" source="images/3160906404bc5a2edf84d1d015894e3b.png" alt-text="The MDATP MDAV configuration settings" lightbox="images/3160906404bc5a2edf84d1d015894e3b.png"::: 5. In Application & Custom Settings select Configure. - ![Image of app and custom settings.](images/e1cc1e48ec9d5d688087b4d771e668d2.png) + :::image type="content" source="images/e1cc1e48ec9d5d688087b4d771e668d2.png" alt-text="The application and custom settings" lightbox="images/e1cc1e48ec9d5d688087b4d771e668d2.png"::: 6. Select Upload File (PLIST file). - ![Image of configuration settings plist file.](images/6f85269276b2278eca4bce84f935f87b.png) + :::image type="content" source="images/6f85269276b2278eca4bce84f935f87b.png" alt-text="The configuration settings plist file" lightbox="images/6f85269276b2278eca4bce84f935f87b.png"::: 7. In Preferences Domain, enter `com.microsoft.wdav`, then select Upload PLIST File. - ![Image of configuration settings preferences domain.](images/db15f147dd959e872a044184711d7d46.png) + :::image type="content" source="images/db15f147dd959e872a044184711d7d46.png" alt-text="The configuration settings preferences domain" lightbox="images/db15f147dd959e872a044184711d7d46.png"::: 8. Select Choose File. - ![Image of configuration settings choose file.](images/526e978761fc571cca06907da7b01fd6.png) + :::image type="content" source="images/526e978761fc571cca06907da7b01fd6.png" alt-text="The prompt to choose the plist file" lightbox="images/526e978761fc571cca06907da7b01fd6.png"::: 9. Select the MDATP_MDAV_configuration_settings.plist, then select Open. - ![Image of mdatpmdav configuration settings.](images/98acea3750113b8dbab334296e833003.png) + :::image type="content" source="images/98acea3750113b8dbab334296e833003.png" alt-text="The mdatpmdav configuration settings" lightbox="images/98acea3750113b8dbab334296e833003.png"::: 10. Select Upload. - ![Image of configuration setting upload.](images/0adb21c13206861ba9b30a879ade93d3.png) + :::image type="content" source="images/0adb21c13206861ba9b30a879ade93d3.png" alt-text="The configuration setting upload" lightbox="images/0adb21c13206861ba9b30a879ade93d3.png"::: - ![Image of configuration settings upload image.](images/f624de59b3cc86e3e2d32ae5de093e02.png) + :::image type="content" source="images/f624de59b3cc86e3e2d32ae5de093e02.png" alt-text="The prompt to upload the image related to the configuration settings" lightbox="images/f624de59b3cc86e3e2d32ae5de093e02.png"::: > [!NOTE] > If you happen to upload the Intune file, you'll get the following error: > - >![Image of configuration settings intune file upload.](images/8e69f867664668796a3b2904896f0436.png) + > :::image type="content" source="images/8e69f867664668796a3b2904896f0436.png" alt-text="The prompt to upload the intune file related to the configuration settings" lightbox="images/8e69f867664668796a3b2904896f0436.png"::: 11. Select Save. - ![Image of configuration settings Save image.](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png) + :::image type="content" source="images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png" alt-text="The option to save the image related to the configuration settings" lightbox="images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png"::: 12. The file is uploaded. - ![Image of configuration settings file uploaded image.](images/33e2b2a1611fdddf6b5b79e54496e3bb.png) + :::image type="content" source="images/33e2b2a1611fdddf6b5b79e54496e3bb.png" alt-text="The uploaded file related to the configuration settings" lightbox="images/33e2b2a1611fdddf6b5b79e54496e3bb.png"::: - ![Image of configuration settings file uploaded.](images/a422e57fe8d45689227e784443e51bd1.png) + :::image type="content" source="images/a422e57fe8d45689227e784443e51bd1.png" alt-text="The configuration settings page" lightbox="images/a422e57fe8d45689227e784443e51bd1.png"::: 13. Select the Scope tab. - ![Image of configuration settings scope.](images/9fc17529e5577eefd773c658ec576a7d.png) + :::image type="content" source="images/9fc17529e5577eefd773c658ec576a7d.png" alt-text="The scope for the configuration settings" lightbox="images/9fc17529e5577eefd773c658ec576a7d.png"::: 14. Select Contoso's Machine Group. 15. Select Add, then select Save. - ![Image of configuration settings addsav.](images/cf30438b5512ac89af1d11cbf35219a6.png) + :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The configuration settings addsav" lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png"::: - ![Image of configuration settings save add.](images/6f093e42856753a3955cab7ee14f12d9.png) + :::image type="content" source="images/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The notification of configuration settings" lightbox="images/6f093e42856753a3955cab7ee14f12d9.png"::: 16. Select Done. You'll see the new Configuration profile. ![Image of configuration settings config profile image.](images/dd55405106da0dfc2f50f8d4525b01c8.png) + :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The config profile's settings" lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png"::: ## Step 4: Configure notifications settings These steps are applicable of macOS 10.15 (Catalina) or newer. - Distribution Method: Install Automatically (default) - Level: Computer Level (default) - ![Image of new macOS configuration profile screen.](images/c9820a5ff84aaf21635c04a23a97ca93.png) + :::image type="content" source="images/c9820a5ff84aaf21635c04a23a97ca93.png" alt-text="The new macOS configuration profile page" lightbox="images/c9820a5ff84aaf21635c04a23a97ca93.png"::: - Tab Notifications, click Add, and enter the following values: - Bundle ID: `com.microsoft.wdav.tray` These steps are applicable of macOS 10.15 (Catalina) or newer. - Notifications in Notification Center: Click Display - Badge app icon: Click Display - ![Image of configuration settings mdatpmdav notifications tray.](images/7f9138053dbcbf928e5182ee7b295ebe.png) + :::image type="content" source="images/7f9138053dbcbf928e5182ee7b295ebe.png" alt-text="The configuration settings mdatpmdav notifications tray" lightbox="images/7f9138053dbcbf928e5182ee7b295ebe.png"::: - Tab Notifications, click Add one more time, scroll down to New Notifications Settings - Bundle ID: `com.microsoft.autoupdate2` - Configure the rest of the settings to the same values as above - ![Image of configuration settings mdatpmdav notifications mau.](images/4bac6ce277aedfb4a674f2d9fcb2599a.png) + :::image type="content" source="images/4bac6ce277aedfb4a674f2d9fcb2599a.png" alt-text="The configuration settings mdatpmdav notifications mau" lightbox="images/4bac6ce277aedfb4a674f2d9fcb2599a.png"::: Note that now you have two 'tables' with notification configurations, one for Bundle ID: com.microsoft.wdav.tray, and another for Bundle ID: com.microsoft.autoupdate2. While you can configure alert settings per your requirements, Bundle IDs must be exactly the same as described before, and Include switch must be On for Notifications. 3. Select the Scope tab, then select Add. - ![Image of configuration settings scope add.](images/441aa2ecd36abadcdd8aed03556080b5.png) + :::image type="content" source="images/441aa2ecd36abadcdd8aed03556080b5.png" alt-text="The page on which you can add values for the configuration settings" lightbox="images/441aa2ecd36abadcdd8aed03556080b5.png"::: 4. Select Contoso's Machine Group. 5. Select Add, then select Save. - ![Image of configuration settings contoso machine grp save.](images/09a275e321268e5e3ac0c0865d3e2db5.png) + :::image type="content" source="images/09a275e321268e5e3ac0c0865d3e2db5.png" alt-text="The page on which you can save values for the configuration settings contoso machine group" lightbox="images/09a275e321268e5e3ac0c0865d3e2db5.png"::: - ![Image of configuration settings add save.](images/4d2d1d4ee13d3f840f425924c3df0d51.png) + :::image type="content" source="images/4d2d1d4ee13d3f840f425924c3df0d51.png" alt-text="The page that displays the completion notification of the configuration settings" lightbox="images/4d2d1d4ee13d3f840f425924c3df0d51.png"::: 6. Select Done. You'll see the new Configuration profile. - ![Image of configuration setting done img.](images/633ad26b8bf24ec683c98b2feb884bdf.png) + :::image type="content" source="images/633ad26b8bf24ec683c98b2feb884bdf.png" alt-text="The completed configuration settings" lightbox="images/633ad26b8bf24ec683c98b2feb884bdf.png"::: ## Step 5: Configure Microsoft AutoUpdate (MAU) These steps are applicable of macOS 10.15 (Catalina) or newer. 3. In the Jamf Pro dashboard, select General. - ![Image of configuration setting general image.](images/eaba2a23dd34f73bf59e826217ba6f15.png) + :::image type="content" source="images/eaba2a23dd34f73bf59e826217ba6f15.png" alt-text="The configuration settings" lightbox="images/eaba2a23dd34f73bf59e826217ba6f15.png"::: 4. Enter the following details: These steps are applicable of macOS 10.15 (Catalina) or newer. 5. In Application & Custom Settings select Configure. - ![Image of configuration setting app and custom settings.](images/1f72e9c15eaafcabf1504397e99be311.png) + :::image type="content" source="images/1f72e9c15eaafcabf1504397e99be311.png" alt-text="The configuration setting application and custom settings" lightbox="images/1f72e9c15eaafcabf1504397e99be311.png"::: 6. Select Upload File (PLIST file). - ![Image of configuration setting plist.](images/1213872db5833aa8be535da57653219f.png) - 7. In Preference Domain enter: `com.microsoft.autoupdate2`, then select Upload PLIST File. - ![Image of configuration setting pref domain.](images/1213872db5833aa8be535da57653219f.png) + :::image type="content" source="images/1213872db5833aa8be535da57653219f.png" alt-text="The configuration setting preference domain" lightbox="images/1213872db5833aa8be535da57653219f.png"::: + 8. Select Choose File. - ![Image of configuration setting choosefile.](images/335aff58950ce62d1dabc289ecdce9ed.png) + :::image type="content" source="images/335aff58950ce62d1dabc289ecdce9ed.png" alt-text="The prompt to choose the file regarding configuration setting" lightbox="images/335aff58950ce62d1dabc289ecdce9ed.png"::: 9. Select MDATP_MDAV_MAU_settings.plist. - ![Image of configuration setting mdatpmdavmau settings.](images/a26bd4967cd54bb113a2c8d32894c3de.png) + :::image type="content" source="images/a26bd4967cd54bb113a2c8d32894c3de.png" alt-text="The mdatpmdavmau settings" lightbox="images/a26bd4967cd54bb113a2c8d32894c3de.png"::: 10. Select Upload. - ![Image of configuration setting uplimage.](images/4239ca0528efb0734e4ca0b490bfb22d.png) + :::image type="content" source="images/4239ca0528efb0734e4ca0b490bfb22d.png" alt-text="The upload of the file regarding configuration setting" lightbox="images/4239ca0528efb0734e4ca0b490bfb22d.png"::: - ![Image of configuration setting uplimg.](images/4ec20e72c8aed9a4c16912e01692436a.png) + :::image type="content" source="images/4ec20e72c8aed9a4c16912e01692436a.png" alt-text="The page displaying the upload option for the file regarding configuration setting" lightbox="images/4ec20e72c8aed9a4c16912e01692436a.png"::: 11. Select Save. - ![Image of configuration setting saveimg.](images/253274b33e74f3f5b8d475cf8692ce4e.png) + :::image type="content" source="images/253274b33e74f3f5b8d475cf8692ce4e.png" alt-text="The page displaying the save option for the file regarding configuration setting" lightbox="images/253274b33e74f3f5b8d475cf8692ce4e.png"::: 12. Select the Scope tab. - ![Image of configuration setting scopetab.](images/10ab98358b2d602f3f67618735fa82fb.png) + :::image type="content" source="images/10ab98358b2d602f3f67618735fa82fb.png" alt-text="The Scope tab for the configuration settings" lightbox="images/10ab98358b2d602f3f67618735fa82fb.png"::: 13. Select Add. - ![Image of configuration setting addimg1.](images/56e6f6259b9ce3c1706ed8d666ae4947.png) + :::image type="content" source="images/56e6f6259b9ce3c1706ed8d666ae4947.png" alt-text="The option to add deployment targets" lightbox="images/56e6f6259b9ce3c1706ed8d666ae4947.png"::: - ![Image of configuration setting addimg2.](images/38c67ee1905c4747c3b26c8eba57726b.png) + :::image type="content" source="images/38c67ee1905c4747c3b26c8eba57726b.png" alt-text="The page on which you add more values to the configuration settings" lightbox="images/38c67ee1905c4747c3b26c8eba57726b.png"::: - ![Image of configuration setting addimg3.](images/321ba245f14743c1d5d51c15e99deecc.png) + :::image type="content" source="images/321ba245f14743c1d5d51c15e99deecc.png" alt-text="The page on which you can add more values to the configuration settings" lightbox="images/321ba245f14743c1d5d51c15e99deecc.png"::: 14. Select Done. - ![Image of configuration setting doneimage.](images/ba44cdb77e4781aa8b940fb83e3c21f7.png) + :::image type="content" source="images/ba44cdb77e4781aa8b940fb83e3c21f7.png" alt-text="The completion notification regarding the configuration settings" lightbox="images/ba44cdb77e4781aa8b940fb83e3c21f7.png"::: ## Step 6: Grant full disk access to Microsoft Defender for Endpoint 1. In the Jamf Pro dashboard, select Configuration Profiles. - ![Image of configuration setting config profile.](images/264493cd01e62c7085659d6fdc26dc91.png) + :::image type="content" source="images/264493cd01e62c7085659d6fdc26dc91.png" alt-text="The profile for which settings are to be configured" lightbox="images/264493cd01e62c7085659d6fdc26dc91.png"::: 2. Select + New. These steps are applicable of macOS 10.15 (Catalina) or newer. - Distribution method: Install Automatically - Level: Computer level - ![Image of configuration setting general.](images/ba3d40399e1a6d09214ecbb2b341923f.png) + :::image type="content" source="images/ba3d40399e1a6d09214ecbb2b341923f.png" alt-text="The configuration setting in general" lightbox="images/ba3d40399e1a6d09214ecbb2b341923f.png"::: + 4. In Configure Privacy Preferences Policy Control select Configure. - ![Image of configuration privacy policy control.](images/715ae7ec8d6a262c489f94d14e1e51bb.png) + :::image type="content" source="images/715ae7ec8d6a262c489f94d14e1e51bb.png" alt-text="The configuration privacy policy control" lightbox="images/715ae7ec8d6a262c489f94d14e1e51bb.png"::: 5. In Privacy Preferences Policy Control, enter the following details: These steps are applicable of macOS 10.15 (Catalina) or newer. - Identifier Type: Bundle ID - Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = UBF8T346G9` - ![Image of configuration setting privacy preference policy control details.](images/22cb439de958101c0a12f3038f905b27.png) + :::image type="content" source="images/22cb439de958101c0a12f3038f905b27.png" alt-text="The configuration setting privacy preference policy control details" lightbox="images/22cb439de958101c0a12f3038f905b27.png"::: 6. Select + Add. - ![Image of configuration setting add system policy all files.](images/bd93e78b74c2660a0541af4690dd9485.png) + :::image type="content" source="images/bd93e78b74c2660a0541af4690dd9485.png" alt-text="The configuration setting add system policy all files option" lightbox="images/bd93e78b74c2660a0541af4690dd9485.png"::: - Under App or service: Set to SystemPolicyAllFiles* These steps are applicable of macOS 10.15 (Catalina) or newer. 7. Select Save (not the one at the bottom right). - ![Image of configuration setting save images.](images/6de50b4a897408ddc6ded56a09c09fe2.png) + :::image type="content" source="images/6de50b4a897408ddc6ded56a09c09fe2.png" alt-text="The save operation for the configuration setting" lightbox="images/6de50b4a897408ddc6ded56a09c09fe2.png"::: 8. Click the `+` sign next to App Access to add a new entry. - ![Image of configuration setting app access.](images/tcc-add-entry.png) + :::image type="content" source="images/tcc-add-entry.png" alt-text="The save operation relating to the configuration setting" lightbox="images/tcc-add-entry.png"::: 9. Enter the following details: These steps are applicable of macOS 10.15 (Catalina) or newer. 10. Select + Add. - ![Image of configuration setting tcc epsext entry.](images/tcc-epsext-entry.png) + :::image type="content" source="images/tcc-epsext-entry.png" alt-text="The configuration setting tcc epsext entry" lightbox="images/tcc-epsext-entry.png"::: - Under App or service: Set to SystemPolicyAllFiles These steps are applicable of macOS 10.15 (Catalina) or newer. 11. Select Save (not the one at the bottom right). - ![Image of configuration setting tcc epsext image2.](images/tcc-epsext-entry2.png) + :::image type="content" source="images/tcc-epsext-entry2.png" alt-text="The other instance of configuration setting tcc epsext" lightbox="images/tcc-epsext-entry2.png"::: 12. Select the Scope tab. - ![Image of configuration setting scope.](images/2c49b16cd112729b3719724f581e6882.png) + :::image type="content" source="images/2c49b16cd112729b3719724f581e6882.png" alt-text="The page depicting the scope for the configuration setting" lightbox="images/2c49b16cd112729b3719724f581e6882.png"::: 13. Select + Add. - ![Image of configuration setting addimage.](images/57cef926d1b9260fb74a5f460cee887a.png) + :::image type="content" source="images/57cef926d1b9260fb74a5f460cee887a.png" alt-text="The page depicting the configuration setting" lightbox="images/57cef926d1b9260fb74a5f460cee887a.png"::: 14. Select Computer Groups > under Group Name > select Contoso's MachineGroup. - ![Image of configuration setting contoso machinegrp.](images/368d35b3d6179af92ffdbfd93b226b69.png) + :::image type="content" source="images/368d35b3d6179af92ffdbfd93b226b69.png" alt-text="The configuration setting contoso machine group" lightbox="images/368d35b3d6179af92ffdbfd93b226b69.png"::: 15. Select Add. These steps are applicable of macOS 10.15 (Catalina) or newer. 17. Select Done. - ![Image of configuration setting donimg.](images/809cef630281b64b8f07f20913b0039b.png) + :::image type="content" source="images/809cef630281b64b8f07f20913b0039b.png" alt-text="The configuration setting contoso machine-group" lightbox="images/809cef630281b64b8f07f20913b0039b.png"::: - ![Image of configuration setting donimg2.](images/6c8b406ee224335a8c65d06953dc756e.png) + :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The configuration setting illustration" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png"::: Alternatively, you can download [fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro\|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro). Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro 1. In the Configuration Profiles, select + New. - ![A screenshot of a social media post Description automatically generated.](images/6c8b406ee224335a8c65d06953dc756e.png) + :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The social media post Description automatically generated" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png"::: 2. Enter the following details: Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro - Distribution Method: Install Automatically - Level: Computer Level - ![Image of configuration settings mdatpmdav kernel.](images/24e290f5fc309932cf41f3a280d22c14.png) + :::image type="content" source="images/24e290f5fc309932cf41f3a280d22c14.png" alt-text="The configuration settings mdatpmdav kernel" lightbox="images/24e290f5fc309932cf41f3a280d22c14.png"::: 3. In Configure Approved Kernel Extensions select Configure. - ![Image of configuration settings approved kernel ext.](images/30be88b63abc5e8dde11b73f1b1ade6a.png) + :::image type="content" source="images/30be88b63abc5e8dde11b73f1b1ade6a.png" alt-text="The page displaying the configuration settings approved kernel extensions" lightbox="images/30be88b63abc5e8dde11b73f1b1ade6a.png"::: 4. In Approved Kernel Extensions Enter the following details: - Display Name: Microsoft Corp. - Team ID: UBF8T346G9 - ![Image of configuration settings appr kernel extension.](images/39cf120d3ac3652292d8d1b6d057bd60.png) + :::image type="content" source="images/39cf120d3ac3652292d8d1b6d057bd60.png" alt-text="The Approved Kernel Extensions pane" lightbox="images/39cf120d3ac3652292d8d1b6d057bd60.png"::: 5. Select the Scope tab. - ![Image of configuration settings scope tab img.](images/0df36fc308ba569db204ee32db3fb40a.png) + :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The Scope tab for the configuration" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png"::: 6. Select + Add. Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro 8. Select + Add. - ![Image of configuration settings add images.](images/0dde8a4c41110dbc398c485433a81359.png) + :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The page on which you define additional values for the configuration settings" lightbox="images/0dde8a4c41110dbc398c485433a81359.png"::: 9. Select Save. - ![Image of configuration settings saveimag.](images/0add8019b85a453b47fa5c402c72761b.png) + :::image type="content" source="images/0add8019b85a453b47fa5c402c72761b.png" alt-text="The MDATP MDAV Kernel extension" lightbox="images/0add8019b85a453b47fa5c402c72761b.png"::: 10. Select Done. - ![Image of configuration settings doneimag.](images/1c9bd3f68db20b80193dac18f33c22d0.png) + :::image type="content" source="images/1c9bd3f68db20b80193dac18f33c22d0.png" alt-text="The Configuration Profiles details page" lightbox="images/1c9bd3f68db20b80193dac18f33c22d0.png"::: Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/kext.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro\|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro). Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft 1. In the Configuration Profiles, select + New. - ![A screenshot of a social media post Description automatically generated.](images/6c8b406ee224335a8c65d06953dc756e.png) + :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The automatically generated social media post's description" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png"::: 2. Enter the following details: Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft - Distribution Method: Install Automatically - Level: Computer Level - ![Image of configuration settings sysext new prof.](images/sysext-new-profile.png) + :::image type="content" source="images/sysext-new-profile.png" alt-text="The configuration settings sysext new profile" lightbox="images/sysext-new-profile.png"::: 3. In System Extensions select Configure. - ![Image of configuration settings sysext config.](images/sysext-configure.png) + :::image type="content" source="images/sysext-configure.png" alt-text="The pane with the Configure option for the system extensions" lightbox="images/sysext-configure.png"::: 4. In System Extensions enter the following details: Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft - com.microsoft.wdav.epsext - com.microsoft.wdav.netext - ![Image of configuration settings sysextconfig2.](images/sysext-configure2.png) + :::image type="content" source="images/sysext-configure2.png" alt-text="The MDATP MDAV system extensions pane" lightbox="images/sysext-configure2.png"::: 5. Select the Scope tab. - ![Image of configuration settings scopeimage.](images/0df36fc308ba569db204ee32db3fb40a.png) + :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The Target Computers selection pane" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png"::: 6. Select + Add. Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft 8. Select + Add. - ![Image of configuration settings addima.](images/0dde8a4c41110dbc398c485433a81359.png) + :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The New macOS Configuration Profile pane" lightbox="images/0dde8a4c41110dbc398c485433a81359.png"::: 9. Select Save. - ![Image of configuration settings sysext scope.](images/sysext-scope.png) + :::image type="content" source="images/sysext-scope.png" alt-text="The display of options regarding MDATP MDAV System Extensions" lightbox="images/sysext-scope.png"::: 10. Select Done. - ![Image of configuration settings sysext-final.](images/sysext-final.png) + :::image type="content" source="images/sysext-final.png" alt-text="The configuration settings sysext - final" lightbox="images/sysext-final.png"::: ## Step 9: Configure Network Extension These steps are applicable of macOS 10.15 (Catalina) or newer. Note that Identifier, Socket Filter and Socket Filter Designated Requirement exact values as specified above. - ![Image of configuration setting mdatpmdav.](images/netext-create-profile.png) - - > [!NOTE] - > Jamf supports built-in content filter settings which can be set directly through the interface. + :::image type="content" source="images/netext-create-profile.png" alt-text="The mdatpmdav configuration setting" lightbox="images/netext-create-profile.png"::: 3. Select the Scope tab. - ![Image of configuration settings sco tab.](images/0df36fc308ba569db204ee32db3fb40a.png) + :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The configuration settings sco tab" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png"::: 4. Select + Add. These steps are applicable of macOS 10.15 (Catalina) or newer. 6. Select + Add. - ![Image of configuration settings adim.](images/0dde8a4c41110dbc398c485433a81359.png) + :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The configuration settings adim" lightbox="images/0dde8a4c41110dbc398c485433a81359.png"::: 7. Select Save. - ![Image of configuration settings savimg netextscop.](images/netext-scope.png) + :::image type="content" source="images/netext-scope.png" alt-text="The Content Filter pane" lightbox="images/netext-scope.png"::: 8. Select Done. - ![Image of configuration settings netextfinal.](images/netext-final.png) + :::image type="content" source="images/netext-final.png" alt-text="The configuration settings netext - final" lightbox="images/netext-final.png"::: Alternatively, you can download [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro\|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro). Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint 1. Navigate to where you saved `wdav.pkg`. - ![Image of file explorer wdav pkg.](images/8dde76b5463047423f8637c86b05c29d.png) + :::image type="content" source="images/8dde76b5463047423f8637c86b05c29d.png" alt-text="The file explorer wdav package" lightbox="images/8dde76b5463047423f8637c86b05c29d.png"::: 2. Rename it to `wdav_MDM_Contoso_200329.pkg`. - ![Image of file explorer1 wdavmdmpkg.](images/fb2220fed3a530f4b3ef36f600da0c27.png) + :::image type="content" source="images/fb2220fed3a530f4b3ef36f600da0c27.png" alt-text="The file explorer1 wdavmdm package" lightbox="images/fb2220fed3a530f4b3ef36f600da0c27.png"::: 3. Open the Jamf Pro dashboard. - ![Image of configuration settings jamfpro.](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) + :::image type="content" source="images/990742cd9a15ca9fdd37c9f695d1b9f4.png" alt-text="The configuration settings for jamfpro" lightbox="images/990742cd9a15ca9fdd37c9f695d1b9f4.png"::: 4. Select your computer and click the gear icon at the top, then select Computer Management. - ![Image of configuration settings compmgmt.](images/b6d671b2f18b89d96c1c8e2ea1991242.png) + :::image type="content" source="images/b6d671b2f18b89d96c1c8e2ea1991242.png" alt-text="The configuration settings - computer management" lightbox="images/b6d671b2f18b89d96c1c8e2ea1991242.png"::: 5. In Packages, select + New. - ![A picture containing bird Description automatically generated package new.](images/57aa4d21e2ccc65466bf284701d4e961.png) + :::image type="content" source="images/57aa4d21e2ccc65466bf284701d4e961.png" alt-text="The bird Description for an automatically generated package" lightbox="images/57aa4d21e2ccc65466bf284701d4e961.png"::: 6. In New Package Enter the following details: Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint - Category: None (default) - Filename: Choose File - ![Image of configuration settings general tab.](images/21de3658bf58b1b767a17358a3f06341.png) + :::image type="content" source="images/21de3658bf58b1b767a17358a3f06341.png" alt-text="The General tab for configuration settings" lightbox="images/21de3658bf58b1b767a17358a3f06341.png"::: Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`. - ![A screenshot of a computer screen Description automatically generated.](images/1aa5aaa0a387f4e16ce55b66facc77d1.png) + :::image type="content" source="images/1aa5aaa0a387f4e16ce55b66facc77d1.png" alt-text="The computer screen displaying the description for an automatically generated package" lightbox="images/1aa5aaa0a387f4e16ce55b66facc77d1.png"::: 7. Select Open. Set the Display Name to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus. Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint Limitations tab: Keep default values. - ![Image of configuration settings limitation tab.](images/56dac54634d13b2d3948ab50e8d3ef21.png) + :::image type="content" source="images/56dac54634d13b2d3948ab50e8d3ef21.png" alt-text="The limitation tab for the configuration settings" lightbox="images/56dac54634d13b2d3948ab50e8d3ef21.png"::: 8. Select Save. The package is uploaded to Jamf Pro. - ![Image of configuration settings pack upl jamf pro.](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) + :::image type="content" source="images/33f1ecdc7d4872555418bbc3efe4b7a3.png" alt-text="The configuration settings pack uploading process for the package related to the configuration settings" lightbox="images/33f1ecdc7d4872555418bbc3efe4b7a3.png"::: It can take a few minutes for the package to be available for deployment. - ![Image of configuration settings pack upl.](images/1626d138e6309c6e87bfaab64f5ccf7b.png) + :::image type="content" source="images/1626d138e6309c6e87bfaab64f5ccf7b.png" alt-text="An instance of uploading the package for configuration settings" lightbox="images/1626d138e6309c6e87bfaab64f5ccf7b.png"::: 9. Navigate to the Policies page. - ![Image of configuration settings polocies.](images/f878f8efa5ebc92d069f4b8f79f62c7f.png) + :::image type="content" source="images/f878f8efa5ebc92d069f4b8f79f62c7f.png" alt-text="The configuration settings policies" lightbox="images/f878f8efa5ebc92d069f4b8f79f62c7f.png"::: 10. Select + New to create a new policy. - ![Image of configuration settings new policy.](images/847b70e54ed04787e415f5180414b310.png) + :::image type="content" source="images/847b70e54ed04787e415f5180414b310.png" alt-text="The configuration settings new policy" lightbox="images/847b70e54ed04787e415f5180414b310.png"::: 11. In General Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later - ![Image of configuration settingsmdatponboard.](images/625ba6d19e8597f05e4907298a454d28.png) + :::image type="content" source="images/625ba6d19e8597f05e4907298a454d28.png" alt-text="The configuration settings - MDATP onboard" lightbox="images/625ba6d19e8597f05e4907298a454d28.png"::: 12. Select Recurring Check-in. - ![Image of configuration settings recur checkin.](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) + :::image type="content" source="images/68bdbc5754dfc80aa1a024dde0fce7b0.png" alt-text="The recurring check-in for the configuration settings" lightbox="images/68bdbc5754dfc80aa1a024dde0fce7b0.png"::: 13. Select Save. 14. Select Packages > Configure. - ![Image of configuration settings pack configure.](images/8fb4cc03721e1efb4a15867d5241ebfb.png) + :::image type="content" source="images/8fb4cc03721e1efb4a15867d5241ebfb.png" alt-text="The option to configure packages" lightbox="images/8fb4cc03721e1efb4a15867d5241ebfb.png"::: 15. Select the Add button next to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus. - ![Image of configuration settings MDATP and MDA add.](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) + :::image type="content" source="images/526b83fbdbb31265b3d0c1e5fbbdc33a.png" alt-text="The option to add more settings to MDATP MDA" lightbox="images/526b83fbdbb31265b3d0c1e5fbbdc33a.png"::: 16. Select Save. - ![Image of configuration settingssavimg.](images/9d6e5386e652e00715ff348af72671c6.png) + :::image type="content" source="images/9d6e5386e652e00715ff348af72671c6.png" alt-text="The save option for the configuration settings" lightbox="images/9d6e5386e652e00715ff348af72671c6.png"::: 17. Select the Scope tab. - ![Image of configuration settings scptab.](images/8d80fe378a31143db9be0bacf7ddc5a3.png) + :::image type="content" source="images/8d80fe378a31143db9be0bacf7ddc5a3.png" alt-text="The Scope tab related to the configuration settings" lightbox="images/8d80fe378a31143db9be0bacf7ddc5a3.png"::: 18. Select the target computers. - ![Image of configuration settings tgtcomp.](images/6eda18a64a660fa149575454e54e7156.png) + :::image type="content" source="images/6eda18a64a660fa149575454e54e7156.png" alt-text="The option to add computer groups" lightbox="images/6eda18a64a660fa149575454e54e7156.png"::: Scope Select Add. - ![Image of configuration settings ad1img.](images/1c08d097829863778d562c10c5f92b67.png) + :::image type="content" source="images/1c08d097829863778d562c10c5f92b67.png" alt-text="The configuration settings - ad1" lightbox="images/1c08d097829863778d562c10c5f92b67.png"::: - ![Image of configuration settings ad2img.](images/216253cbfb6ae738b9f13496b9c799fd.png) + :::image type="content" source="images/216253cbfb6ae738b9f13496b9c799fd.png" alt-text="The configuration settings - ad2" lightbox="images/216253cbfb6ae738b9f13496b9c799fd.png"::: Self-Service - ![Image of configuration settings selfservice.](images/c9f85bba3e96d627fe00fc5a8363b83a.png) + :::image type="content" source="images/c9f85bba3e96d627fe00fc5a8363b83a.png" alt-text="The Self Service tab for configuration settings" lightbox="images/c9f85bba3e96d627fe00fc5a8363b83a.png"::: 19. Select Done. - ![Image of configuration settings do1img.](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) + :::image type="content" source="images/99679a7835b0d27d0a222bc3fdaf7f3b.png" alt-text="The Contoso onboarding status with an option to complete it" lightbox="images/99679a7835b0d27d0a222bc3fdaf7f3b.png"::: - ![Image of configuration settings do2img.](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png) + :::image type="content" source="images/632aaab79ae18d0d2b8e0c16b6ba39e2.png" alt-text="The policies page" lightbox="images/632aaab79ae18d0d2b8e0c16b6ba39e2.png":::
security	Mac Support Kext	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-kext.md	Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to If you didn't approve the kernel extension during the deployment/installation of Microsoft Defender for Endpoint on macOS, the application displays a banner prompting you to enable it: - ![RTP disabled screenshot.](images/mdatp-32-main-app-fix.png) You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension isn't approved to run on your device. If less than 30 minutes have passed since the product was installed, navigate to If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device: -![Security and privacy window after prompt expired screenshot.](images/mdatp-33-securityprivacysettings-noprompt.png) In this case, you need to perform the following steps to trigger the approval flow again.
security	Mac Support License	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md	ms.technology: mde While you are going through [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error: -![Image of license error.](images/no-license-found.png) Message:
security	Mac Support Perf	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md	The following steps can be used to troubleshoot and mitigate these issues: - From the user interface. Open Microsoft Defender for Endpoint on macOS and navigate to Manage settings. - ![Manage real-time protection screenshot.](images/mdatp-36-rtp.png) + :::image type="content" source="images/mdatp-36-rtp.png" alt-text=" The Manage real-time protection page" lightbox="images/mdatp-36-rtp.png"::: + - From the Terminal. For security purposes, this operation requires elevation.
security	Mac Sysext Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md	To approve the system extensions, create the following payload: - com.microsoft.wdav.epsext - com.microsoft.wdav.netext - ![Approved system extensions screenshot.](images/mac-approved-system-extensions.png) + :::image type="content" source="images/mac-approved-system-extensions.png" alt-text=" The Approved system extensions page" lightbox="images/mac-approved-system-extensions.png"::: ### Privacy Preferences Policy Control Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend 3. Set Code Requirement to `identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = UBF8T346G9` 4. Set App or service* to SystemPolicyAllFiles and access to Allow. - ![Privacy Preferences Policy Control.](images/mac-system-extension-privacy.png) + :::image type="content" source="images/mac-system-extension-privacy.png" alt-text=" The Privacy Preferences Policy Control menu item" lightbox="images/mac-system-extension-privacy.png"::: ### Network Extension Policy To approve the system extensions: \|com.microsoft.wdav.netext\|UBF8T346G9\| \|\|\| - ![System configuration profiles screenshot.](images/mac-system-extension-intune2.png) + :::image type="content" source="images/mac-system-extension-intune2.png" alt-text=" The System configuration profiles page" lightbox="images/mac-system-extension-intune2.png"::: 5. In the `Assignments` tab, assign this profile to All Users & All devices. 6. Review and create this configuration profile. To deploy this custom configuration profile: 3. Open the configuration profile and upload sysext.xml. This file was created in the preceding step. 4. Select OK. - ![System extension in Intune screenshot.](images/mac-system-extension-intune.png) + :::image type="content" source="images/mac-system-extension-intune.png" alt-text=" The System extension in Intune page" lightbox="images/mac-system-extension-intune.png"::: 5. In the `Assignments` tab, assign this profile to All Users & All devices. 6. Review and create this configuration profile.
security	Mac Updates	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md	Microsoft regularly publishes software updates to improve performance, security, To update Microsoft Defender for Endpoint on macOS, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. -![MAU screenshot.](images/MDATP-34-MAU.png) If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.
security	Machine Reports	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-reports.md	The devices status report provides high-level information about the devices in y The dashboard is structured into two sections: <br>
security	Machine Tags	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md	To add device tags using API, see [Add or remove device tags API](add-or-remove- 2. Select Manage tags from the row of Response actions. - :::image type="content" alt-text="Image of manage tags button." source="images/manage-tags-option.png"::: + :::image type="content" source="images/manage-tags-option.png" alt-text="Image of manage tags button" lightbox="images/manage-tags-option.png"::: + 3. Type to find or create tags - :::image type="content" alt-text="Image of adding tags on a device1." source="images/create-new-tag.png"::: + :::image type="content" source="images/create-new-tag.png" alt-text="Adding tags on device1" lightbox="images/create-new-tag.png"::: Tags are added to the device view and will also be reflected on the Devices inventory view. You can then use the Tags filter to see the relevant list of devices. Tags are added to the device view and will also be reflected on the **Devices in You can also delete tags from this view. ## Add device tags by setting a registry key value
security	Machines View Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md	ms.technology: mde > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-machinesview-abovefoldlink) -The device inventory helps you discover, explore, and investigate devices in your organization including computers, servers, mobile, network appliances and IoT devices. It can help you discover unknown devices and identify device management gaps in your network. +The Devices list shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. + +At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk. + +There are several options you can choose from to customize the devices list view. On the top navigation you can: + +- Add or remove columns +- Export the entire list in CSV format +- Select the number of items to show per page +- Apply filters + +During the onboarding process, the Devices list is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis. + +> [!NOTE] +> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself. ++ +## Sort and filter the device list + +You can apply the following filters to limit the list of alerts and get a more focused view. + +### Device name During the Microsoft Defender for Endpoint onboarding process, devices onboarded to MDE are gradually populated into the device inventory as they begin to report sensor data. Following this, the device inventory is populated by devices that are discovered in your network through the device discovery process. The device inventory has three tabs that list devices by:
security	Manage Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md	You can manage alerts by selecting an alert in the Alerts queue, or the Al Selecting an alert in either of those places brings up the Alert management pane**. -![Image of alert management pane and alerts queue.](images/atp-alerts-selected.png) ## Link to another incident
security	Manage Incidents	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-incidents.md	Managing incidents is an important part of every cybersecurity operation. You ca Selecting an incident from the Incidents queue brings up the Incident management pane where you can open the incident page for details. - -![Image of the incidents management pane.](images/atp-incidents-mgt-pane-updated.png) You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress. You can assign incidents to yourself, change the status and classification, rena > Incidents that existed prior the rollout of automatic incident naming will retain their names. > - -![Image of incident detail page.](images/atp-incident-details-updated.png) ## Assign incidents If an incident has not been assigned yet, you can select Assign to me to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
security	Manage Protection Updates Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md	The procedures in this article first describe how to set the order, and then how 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer\|MicrosoftUpdateServer\|MMPC`, as shown in the following screenshot. - :::image type="content" source="../../media/wdav-order-update-sources.png" alt-text="group policy setting listing the order of sources."::: + :::image type="content" source="../../media/wdav-order-update-sources.png" alt-text="Group policy setting listing the order of sources" lightbox="../../media/wdav-order-update-sources.png"::: 3. Select OK. This will set the order of protection update sources.
security	Management Apis	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md	The Microsoft Defender for Endpoint solution is built on top of an integration-r Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. -![Image of available API and integration in Microsoft Defender for Endpoint.](images/mdatp-apis.png) The Defender for Endpoint APIs can be grouped into three:
security	Mde Device Control Device Installation	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-device-control-device-installation.md	In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint 1. Configure Prevent installation of devices using drivers that match these device setup classes. - Open Endpoint security > Attack surface reduction > Create Policy > Platform: Windows 10 (and later) & Profile: Device control.- - :::image type="content" source="../../media/devicepolicy-editprofile.png" alt-text="edit profile"::: - + + :::image type="content" source="../../media/devicepolicy-editprofile.png" alt-text="The Edit profile page" lightbox="../../media/devicepolicy-editprofile.png"::: + 2. Plug in a USB, device and you will see following error message: - :::image type="content" source="../../media/devicepolicy-errormsg.png" alt-text="error message"::: + :::image type="content" source="../../media/devicepolicy-errormsg.png" alt-text="The error message" lightbox="../../media/devicepolicy-errormsg.png"::: 3. Enable Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria. - only support OMA-URI for now: Devices > Configuration profiles > Create profile > Platform: Windows 10 (and later) & Profile: Custom- - :::image type="content" source="../../media/devicepolicy-editrow.png" alt-text="edit row"::: + + :::image type="content" source="../../media/devicepolicy-editrow.png" alt-text="The Edit Row page" lightbox="../../media/devicepolicy-editrow.png"::: 4. Enable and add allowed USB Instance ID ΓÇô Allow installation of devices that match any of these device IDs. - Update the step 1 Device control profile- - :::image type="content" source="../../media/devicepolicy-devicecontrol.png" alt-text="devicecontrol"::: + + :::image type="content" source="../../media/devicepolicy-devicecontrol.png" alt-text="An identifier in the Device Control page" lightbox="../../media/devicepolicy-devicecontrol.png"::: + + Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint - ΓÇ£USB Root Hub (USB 3.0)ΓÇ¥ -> USB\ROOT_HUB30 - ΓÇ£Generic USB HubΓÇ¥ -> USB\USB20_HUB - :::image type="content" source="../../media/devicepolicy-devicemgr.png" alt-text="device control"::: + :::image type="content" source="../../media/devicepolicy-devicemgr.png" alt-text="The View menu item in the Device Manager page" lightbox="../../media/devicepolicy-devicemgr.png"::: > [!NOTE] > Some devices in the system have several layers of connectivity to define their installation on the system. USB thumb drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic device IDs that are commonly used in systems and could provide a good start to build an "Allow list" in such cases. The following is one example (it is not always the same for all USBs; you need to understand the PnP tree of the device you want to manage through the Device Manager): In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint 5. Plug in the allowed USB again. YouΓÇÖll see that it's now allowed and available. - :::image type="content" source="../../media/devicepolicy-removedrive.png" alt-text="remove drive"::: + :::image type="content" source="../../media/devicepolicy-removedrive.png" alt-text="The Remove drive details page" lightbox="../../media/devicepolicy-removedrive.png"::: #### Deploying and managing policy via Group Policy DeviceEvents \| order by Timestamp desc ``` ## Frequently asked questions DeviceRegistryEvents It is not enough to enable only a single hardware ID to enable a single USB thumb-drive. Ensure that all the USB devices that precede the target one aren't blocked (allowed) as well. +
security	Mde P1 Maintenance Operations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-maintenance-operations.md	To learn more, see [Manage Defender for Endpoint](manage-mde-post-migration.md). A false positive is an artifact, like a file or a process, that was detected as malicious, even though it isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is. False positives/negatives can occur with any endpoint protection solution, including Defender for Endpoint. However, there are steps you can take to address these kinds of issues and fine-tune your solution, as depicted in the following image: If youΓÇÖre seeing false positives/negatives in Defender for Endpoint, see [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md).
security	Mde P1 Setup Configuration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md	This article describes how to set up and configure Defender for Endpoint Plan 1. ## The setup and configuration process The general setup and configuration process for Defender for Endpoint Plan 1 is as follows: <br/><br/> Then, proceed to configure your next-generation protection and attack surface re We recommend using [Microsoft Endpoint Manager](/mem) to manage your organizationΓÇÖs devices and security settings, as shown in the following image: To configure your next-generation protection in Microsoft Endpoint Manager, follow these steps: Attack surface reduction is all about reducing the places and ways your organiza Attack surface reduction rules are available on devices running Windows. We recommend using Microsoft Endpoint Manager, as shown in the following image: 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. You get ransomware mitigation through [controlled folder access](controlled-fold We recommend using Microsoft Endpoint Manager to configure controlled folder access. 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. We recommend using Microsoft Endpoint Manager to configure controlled folder acc You can configure Defender for Endpoint to block or allow removable devices and files on removable devices. We recommend using Microsoft Endpoint Manager to configure your device control settings. 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. You can configure Defender for Endpoint to block or allow removable devices and With network protection, you can help protect your organization against dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. We recommend using Microsoft Endpoint Manager to turn on network protection. 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. With web protection, you can protect your organization's devices from web threat Network firewall helps reduce the risk of network security threats. Your security team can set rules that determine which traffic is permitted to flow to or from your organization's devices. We recommend using Microsoft Endpoint Manager to configure your network firewall. To configure basic firewall settings, follow these steps:
security	Mde Plan1 Getting Started	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plan1-getting-started.md	The Microsoft 365 Defender portal ([https://security.microsoft.com](https://secu The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is where you'll view alerts, manage devices, and view reports. When you sign into the Microsoft 365 Defender portal, youΓÇÖll start with the Home page, as shown in the following image: The Home page provides your security team with a snapshot aggregate view of alerts, device status, and threats detected. The Defender for Cloud is set up so that your security operations team can find the information they are looking for quickly and easily. The Home page provides your security team with a snapshot aggregate view of aler The Home page includes cards, such as the Active incidents card shown in the following image: The card provides you with information at a glance, along with a link or button that you can select to view more detailed information. Referring to our example Active incidents card, we can select View all incidents to navigate to our list of incidents. ### Navigation bar makes it easy to find alerts, the Action center, and more When you sign into the Microsoft 365 Defender portal, make sure to view and mana Select an incident to view details about the incident. Details include what alerts were triggered, how many devices and users were affected, and other details. The following image shows an example of incident details. Use the Alerts, Devices, and Users tabs to view more information, such as the alerts that were triggered, devices that were affected, and user accounts that were affected. From there, you can take manual response actions, such as isolating a device, stopping and quarantining a file, and so on. Use the Alerts, Devices, and Users tabs to view more information, su To view and manage your organizationΓÇÖs devices, in the navigation bar, under Endpoints, select Device inventory. YouΓÇÖll see a list of devices as shown in the following image: The list includes devices for which alerts were generated. By default, the data shown is for the past 30 days, with the most recent items listed first. Select a device to view more information about it. A flyout pane opens, as shown in the following image: The flyout pane displays details, such as any active alerts for the device, and includes links to take action, such as isolating a device. In Defender for Endpoint Plan 1, several reports are available in the Microsoft To access your Threat protection report, in the Microsoft 365 Defender portal, choose Reports, and then choose Threat protection. The Threat Protection report shows alert trends, status, categories, and more. Views are arranged in two columns: Alert trends and Alert status, as shown in the following image: Scroll down to see all the views in each list. Scroll down to see all the views in each list. To access your Device health report, in the Microsoft 365 Defender portal, choose Reports, and then choose Device health. The Device health report shows health state and antivirus across devices in your organization. Similar to the [Threat protection report](#threat-protection-report), views are arranged in two columns: Device trends and Device summary, as shown in the following image: Scroll down to see all the views in each list. By default, the views in the Device trends column display data for the past 30 days, but you can change a view to display data for the last three months, last six months, or a custom time range (up to 180 days). The Device summary views are snapshots for the previous business day. Scroll down to see all the views in each list. By default, the views in the De To access your Device health report, in the Microsoft 365 Defender portal, choose Reports, and then choose Web protection**. The Web protection report shows detections over time, such as malicious URLs and attempts to access blocked URLs, as shown in the following image: Scroll down to see all the views in the Web protection report. Some views include links that enable you to view more details, configure your threat protection features, and even manage indicators that serve as exceptions in Defender for Endpoint.
security	Microsoft Defender Antivirus On Windows Server	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md	If the GUI isnΓÇÖt installed on your server, and you want to install it, either In Windows Server 2016, the Add Roles and Features Wizard looks like this: - ![Add roles and feature wizard showing the GUI for Windows Defender option.](images/server-add-gui.png) + :::image type="content" source="images/server-add-gui.png" alt-text="The Add roles and feature wizard showing the GUI for Windows Defender option." lightbox="images/server-add-gui.png"::: In Windows Server 2019 and Windows Server 2022, the Add Roles and Feature Wizard is similar.
security	Microsoft Defender Endpoint Linux	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md	If you experience any installation failures, refer to [Troubleshooting installat - 2.6.32-754.6.3.el6.x86_64 - 2.6.32-754.9.1.el6.x86_64 - - > [!NOTE] - > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that that are listed in this section are provided for technical upgrade support only. - - - For rest of the supported distributions, minimum kernel version required is 3.10.0-327 --- Event provider mechanism - - Red Hat Enterprise Linux 6 and CentOS 6: `Talpa` kernel module based solution - - For rest of the supported distributions: `Fanotify` - - The `fanotify` kernel option must be enabled - - > [!CAUTION] - > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. + For Red Hat Enterprise Linux 6 and CentOS 6, the list of supported kernel versions are: + - For 6.7: 2.6.32-573.* + - For 6.8: 2.6.32-642.* + - For 6.9: 2.6.32-696.* + - For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.41.2: + + > [!NOTE] + > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that that are listed in this section are provided for technical upgrade support only. + + List of versions: + + - 2.6.32-754.2.1.el6.x86_64 + - 2.6.32-754.17.1.el6.x86_64 + - 2.6.32-754.29.1.el6.x86_64 + - 2.6.32-754.3.5.el6.x86_64 + - 2.6.32-754.18.2.el6.x86_64 + - 2.6.32-754.29.2.el6.x86_64 + - 2.6.32-754.6.3.el6.x86_64 + - 2.6.32-754.22.1.el6.x86_64 + - 2.6.32-754.30.2.el6.x86_64 + - 2.6.32-754.9.1.el6.x86_64 + - 2.6.32-754.23.1.el6.x86_64 + - 2.6.32-754.33.1.el6.x86_64 + - 2.6.32-754.10.1.el6.x86_64 + - 2.6.32-754.24.2.el6.x86_64 + - 2.6.32-754.35.1.el6.x86_64 + - 2.6.32-754.11.1.el6.x86_64 + - 2.6.32-754.24.3.el6.x86_64 + - 2.6.32-754.39.1.el6.x86_64 + - 2.6.32-754.12.1.el6.x86_64 + - 2.6.32-754.25.1.el6.x86_64 + - 2.6.32-754.41.2.el6.x86_64 + - 2.6.32-754.14.2.el6.x86_64 + - 2.6.32-754.27.1.el6.x86_64 + - 2.6.32-754.15.3.el6.x86_64 + - 2.6.32-754.28.1.el6.x86_64 ++ +- Minimum kernel version 3.10.0-327 + +- The `fanotify` kernel option must be enabled + + > [!CAUTION] + > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. - Disk space: 1 GB The following downloadable spreadsheet lists the services and their associated U \|Spreadsheet of domains list\| Description\| \|\|\| -\|Microsoft Defender for Endpoint URL list for commercial customers \| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx) -\| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers\| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx) -\| - +\|:::image type="content" source="images/mdatp-urls.png" alt-text="Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::\|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> Download the spreadsheet [here](https://download.microsoft.com/download/8/e-urls.xlsx).\| +\|\|\| > [!NOTE] > For a more specific URL list, see [Configure proxy and internet connectivity settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
security	Microsoft Defender Endpoint Mac	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md	The following downloadable spreadsheet lists the services and their associated U \|Spreadsheet of domains list\| Description\| \|\|\| -\|Microsoft Defender for Endpoint URL list for commercial customers \| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx) -\| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers\| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx) -\| --- +\|:::image type="content" source="images/mdatp-urls.png" alt-text="The spreadsheet for the URLs of the Microsoft Defender for Endpoint portal" lightbox="images/mdatp-urls.png":::\|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> Download the spreadsheet here: [mdatp-urls.xlsx](https://download.microsoft.com/download/8/e-urls.xlsx). Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:
security	Microsoft Defender Offline	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md	The need to perform an offline scan will also be revealed in Microsoft Endpoint The prompt can occur via a notification, similar to the following: The user will also be notified within the Windows Defender client. In Configuration Manager, you can identify the status of endpoints by navigating Microsoft Defender Offline scans are indicated under Malware remediation status as Offline scan required. ## Configure notifications
security	Microsoft Defender Security Center Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md	The Windows Security app is a client interface on Windows 10, version 1703 and l ## Review virus and threat protection settings in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Windows Security. The following sections describe how to perform some of the most common tasks whe ## Review the security intelligence update version and download the latest updates in the Windows Security app 1. Open the Windows Security app by searching the start menu for Security, and then selecting Windows Security.
security	Microsoft Threat Experts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md	The option to Consult a threat expert is available in several places in the - *Help and support menu* - ![Screenshot of MTE-EOD menu option.](images/mte-eod-menu.png) + :::image type="content" source="images/mte-eod-menu.png" alt-text="The MTE-EOD menu item" lightbox="images/mte-eod-menu.png"::: - *Device page actions menu* - ![Screenshot of MTE-EOD device page action menu option.](images/mte-eod-machines.png) + :::image type="content" source="images/mte-eod-machines.png" alt-text="The MTE-EOD device page action menu option" lightbox="images/mte-eod-machines.png"::: - *Alerts page actions menu* - ![Screenshot of MTE-EOD alert page action menu option.](images/mte-eod-alerts.png) + :::image type="content" source="images/mte-eod-alerts.png" alt-text="The MTE-EOD alert page action menu option" lightbox="images/mte-eod-alerts.png"::: - *File page actions menu* - ![Screenshot of MTE-EOD file page action menu option.](images/mte-eod-file.png) + :::image type="content" source="images/mte-eod-file.png" alt-text="The MTE-EOD file page action menu option" lightbox="images/mte-eod-file.png"::: > [!NOTE] > If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager.
security	Minimum Requirements	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md	By default, this service is enabled. It's good practice to check to ensure that If the service is enabled, then the result should look like the following screenshot: - ![Result of the sc query command for diagtrack.](images/windefatp-sc-qc-diagtrack.png) + :::image type="content" source="images/windefatp-sc-qc-diagtrack.png" alt-text="Result of the sc query command for diagtrack" lightbox="images/windefatp-sc-qc-diagtrack.png"::: You'll need to set the service to automatically start if the START_TYPE isn't set to AUTO_START.
security	Network Devices	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md	To configure assessment jobs, the following user permission option is required: 2. Download the network scanner and install it on the designated Defender for Endpoint assessment device. > [!div class="mx-imgBorder"] - > ![Download scanner button.](images/assessment-jobs-download-scanner.png) + > :::image type="content" source="images/assessment-jobs-download-scanner.png" alt-text="The Download scanner button" lightbox="images/assessment-jobs-download-scanner.png"::: ## Network scanner installation & registration In the Assessment jobs page in Settings, select Add network assessment job To prevent device duplication in the network device inventory, make sure each IP address is configured only once across multiple assessment devices. > [!div class="mx-imgBorder"] -> ![Add network assessment job button.](images/assessment-jobs-add.png) +> :::image type="content" source="images/assessment-jobs-add.png" alt-text="The Add network assessment job button" lightbox="images/assessment-jobs-add.png"::: Adding a network assessment job steps: Once the results show up, you can choose which devices will be included in the p Newly discovered devices will be shown under the new Network devices tab in the Device inventory** page. It may take up to two hours after adding an assessment job until the devices are updated. > [!div class="mx-imgBorder"] -> ![Network devices section in the Device inventory.](images/assessment-jobs-device-inventory.png) +> :::image type="content" source="images/assessment-jobs-device-inventory.png" alt-text="The Network devices section in the Device inventory" lightbox="images/assessment-jobs-device-inventory.png"::: ## Troubleshooting
security	Onboard Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md	Deploying Microsoft Defender for Endpoint is a two-step process. - Onboard devices to the service - Configure capabilities of the service -![Illustration of onboarding and configuration process](images/deployment-steps.png) ## Onboard devices to the service You'll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
security	Onboard Downlevel	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md	Create a new group policy specifically for onboarding devices such as "Microsoft - Create a Group Policy Folder named "c:\windows\MMA" - :::image type="content" source="images/grppolicyconfig1.png" alt-text="folders"::: + :::image type="content" source="images/grppolicyconfig1.png" alt-text="The folders location" lightbox="images/grppolicyconfig1.png"::: This will add a new folder on every server that gets the GPO applied, called MMA, and will be stored in c:\windows. This will contain the installation files for the MMA, prerequisites, and install script. - Create a Group Policy Files preference for each of the files stored in Net logon. - :::image type="content" source="images/grppolicyconfig2.png" alt-text="group policy image1"::: + :::image type="content" source="images/grppolicyconfig2.png" alt-text="The group policy - 1" lightbox="images/grppolicyconfig2.png"::: It copies the files from DOMAIN\NETLOGON\MMA\filename to C:\windows\MMA\filename - so the installation files are local to the server: Repeat the process but create item level targeting on the COMMON tab, so the file only gets copied to the appropriate platform/Operating system version in scope: For Windows Server 2008 R2 you'll need (and it will only copy down) the following: - Windows6.1-KB3080149-x64.msu For Windows Server 2008 R2 you'll need (and it will only copy down) the followin Once this is done, you'll need to create a start-up script policy: The name of the file to run here is c:\windows\MMA\DeployMMA.cmd. Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMA Agent, while setting the Workspace ID and Key, and the server will be onboarded. This could be done in two phases. First create the files and the folder in G As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present. As mentioned in the onboarding documentation for Server specifically around Server 2008 R2 please see below: For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: You can use either of the following methods: 2. Select the Defender for Endpoint workspace, and click Remove. - ![Image of Microsoft Monitoring Agent Properties](images/atp-mma.png) + :::image type="content" source="images/atp-mma.png" alt-text="The Workspaces pane" lightbox="images/atp-mma.png"::: #### Run a PowerShell command to remove the configuration
security	Onboarding Endpoint Configuration Manager	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md	This article is part of the Deployment guide and acts as an example onboarding m In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the co-management architecture. -![Image of cloud-native architecture.](images/co-management-architecture.png) Diagram of environment architectures While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). Follow the steps below to onboard endpoints using Microsoft Endpoint Configurati 1. In Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance \> Overview \> Device Collections. - ![Image of Microsoft Endpoint Configuration Manager wizard1.](images/configmgr-device-collections.png) + :::image type="content" source="images/configmgr-device-collections.png" alt-text="The Microsoft Endpoint Configuration Manager wizard1" lightbox="images/configmgr-device-collections.png"::: 2. Right Click Device Collection and select Create Device Collection. - ![Image of Microsoft Endpoint Configuration Manager wizard2.](images/configmgr-create-device-collection.png) + :::image type="content" source="images/configmgr-create-device-collection.png" alt-text="The Microsoft Endpoint Configuration Manager wizard2" lightbox="images/configmgr-create-device-collection.png"::: 3. Provide a Name and Limiting Collection, then select Next. - ![Image of Microsoft Endpoint Configuration Manager wizard3.](images/configmgr-limiting-collection.png) + :::image type="content" source="images/configmgr-limiting-collection.png" alt-text="The Microsoft Endpoint Configuration Manager wizard3" lightbox="images/configmgr-limiting-collection.png"::: 4. Select Add Rule and choose Query Rule. - ![Image of Microsoft Endpoint Configuration Manager wizard4.](images/configmgr-query-rule.png) + :::image type="content" source="images/configmgr-query-rule.png" alt-text="The Microsoft Endpoint Configuration Manager wizard4" lightbox="images/configmgr-query-rule.png"::: 5. Click Next on the Direct Membership Wizard and click on Edit Query Statement. - ![Image of Microsoft Endpoint Configuration Manager wizard5.](images/configmgr-direct-membership.png) + :::image type="content" source="images/configmgr-direct-membership.png" alt-text="The Microsoft Endpoint Configuration Manager wizard5" lightbox="images/configmgr-direct-membership.png"::: 6. Select Criteria and then choose the star icon. - ![Image of Microsoft Endpoint Configuration Manager wizard6.](images/configmgr-criteria.png) + :::image type="content" source="images/configmgr-criteria.png" alt-text="The Microsoft Endpoint Configuration Manager wizard6" lightbox="images/configmgr-criteria.png"::: 7. Keep criterion type as simple value, choose where as Operating System - build number, operator as is greater than or equal to and value 14393 and click on OK. - ![Image of Microsoft Endpoint Configuration Manager wizard7.](images/configmgr-simple-value.png) + :::image type="content" source="images/configmgr-simple-value.png" alt-text="The Microsoft Endpoint Configuration Manager wizard7" lightbox="images/configmgr-simple-value.png"::: 8. Select Next and Close. - ![Image of Microsoft Endpoint Configuration Manager wizard8.](images/configmgr-membership-rules.png) + :::image type="content" source="images/configmgr-membership-rules.png" alt-text="The Microsoft Endpoint Configuration Manager wizard8" lightbox="images/configmgr-membership-rules.png"::: 9. Select Next. - ![Image of Microsoft Endpoint Configuration Manager wizard9.](images/configmgr-confirm.png) + :::image type="content" source="images/configmgr-confirm.png" alt-text="The Microsoft Endpoint Configuration Manager wizard9" lightbox="images/configmgr-confirm.png"::: After completing this task, you now have a device collection with all the Windows endpoints in the environment. From within the Microsoft 365 Defender portal it is possible to download the `.o 2. Under Deployment method select the supported version of Microsoft Endpoint Configuration Manager. - ![Image of Microsoft Defender for Endpoint onboarding wizard10.](images/mdatp-onboarding-wizard.png) + :::image type="content" source="images/mdatp-onboarding-wizard.png" alt-text="The Microsoft Endpoint Configuration Manager wizard10" lightbox="images/mdatp-onboarding-wizard.png"::: 3. Select Download package. - ![Image of Microsoft Defender for Endpoint onboarding wizard11.](images/mdatp-download-package.png) + :::image type="content" source="images/mdatp-download-package.png" alt-text="The Microsoft Endpoint Configuration Manager wizard11" lightbox="images/mdatp-download-package.png"::: 4. Save the package to an accessible location. 5. In Microsoft Endpoint Configuration Manager, navigate to: Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies. 6. Right-click Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy. - ![Image of Microsoft Endpoint Configuration Manager wizard12.](images/configmgr-create-policy.png) + :::image type="content" source="images/configmgr-create-policy.png" alt-text="The Microsoft Endpoint Configuration Manager wizard12" lightbox="images/configmgr-create-policy.png"::: 7. Enter the name and description, verify Onboarding is selected, then select Next. - ![Image of Microsoft Endpoint Configuration Manager wizard13.](images/configmgr-policy-name.png) + :::image type="content" source="images/configmgr-policy-name.png" alt-text="The Microsoft Endpoint Configuration Manager wizard13" lightbox="images/configmgr-policy-name.png"::: 8. Click Browse. From within the Microsoft 365 Defender portal it is possible to download the `.o 10. Click Next. 11. Configure the Agent with the appropriate samples (None or All file types). - ![Image of configuration settings1.](images/configmgr-config-settings.png) + :::image type="content" source="images/configmgr-config-settings.png" alt-text="The configuration settings1" lightbox="images/configmgr-config-settings.png"::: 12. Select the appropriate telemetry (Normal or Expedited) then click Next. - ![Image of configuration settings2.](images/configmgr-telemetry.png) + :::image type="content" source="images/configmgr-telemetry.png" alt-text="The configuration settings2" lightbox="images/configmgr-telemetry.png"::: 13. Verify the configuration, then click Next. - ![Image of configuration settings3.](images/configmgr-verify-configuration.png) + :::image type="content" source="images/configmgr-verify-configuration.png" alt-text="The configuration settings3" lightbox="images/configmgr-verify-configuration.png"::: 14. Click Close when the Wizard completes. 15. In the Microsoft Endpoint Configuration Manager console, right-click the Defender for Endpoint policy you just created and select Deploy. - ![Image of configuration settings4.](images/configmgr-deploy.png) + :::image type="content" source="images/configmgr-deploy.png" alt-text="The configuration settings4" lightbox="images/configmgr-deploy.png"::: 16. On the right panel, select the previously created collection and click OK. - ![Image of configuration settings5.](images/configmgr-select-collection.png) + :::image type="content" source="images/configmgr-select-collection.png" alt-text="The configuration settings5" lightbox="images/configmgr-select-collection.png"::: #### Previous versions of Windows Client (Windows 7 and Windows 8.1) Follow the steps below to identify the Defender for Endpoint Workspace ID and Wo 3. Copy the Workspace ID and Workspace Key and save them. They will be used later in the process. - ![Image of onboarding.](images/91b738e4b97c4272fd6d438d8c2d5269.png) + :::image type="content" source="images/91b738e4b97c4272fd6d438d8c2d5269.png" alt-text="The onboarding process" lightbox="images/91b738e4b97c4272fd6d438d8c2d5269.png"::: 4. Install the Microsoft Monitoring Agent (MMA). Microsoft Defender Antivirus is a built-in antimalware solution that provides ne 1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices and choose Create Antimalware Policy. - ![Image of antimalware policy.](images/9736e0358e86bc778ce1bd4c516adb8b.png) + :::image type="content" source="images/9736e0358e86bc778ce1bd4c516adb8b.png" alt-text="The antimalware policy" lightbox="images/9736e0358e86bc778ce1bd4c516adb8b.png"::: 2. Select Scheduled scans, Scan settings, Default actions, Real-time protection, Exclusion settings, Advanced, Threat overrides, Cloud Protection Service and Security intelligence updates and choose OK. - ![Image of next generation protection pane1.](images/1566ad81bae3d714cc9e0d47575a8cbd.png) + :::image type="content" source="images/1566ad81bae3d714cc9e0d47575a8cbd.png" alt-text="The next-generation protection pane1" lightbox="images/1566ad81bae3d714cc9e0d47575a8cbd.png"::: In certain industries or some select enterprise customers might have specific needs on how Antivirus is configured. Microsoft Defender Antivirus is a built-in antimalware solution that provides ne For more details, see [Windows Security configuration framework](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework). - ![Image of next generation protection pane2.](images/cd7daeb392ad5a36f2d3a15d650f1e96.png) + :::image type="content" source="images/cd7daeb392ad5a36f2d3a15d650f1e96.png" alt-text="The next-generation protection pane2" lightbox="images/cd7daeb392ad5a36f2d3a15d650f1e96.png"::: - ![Image of next generation protection pane3.](images/36c7c2ed737f2f4b54918a4f20791d4b.png) + :::image type="content" source="images/36c7c2ed737f2f4b54918a4f20791d4b.png" alt-text="The next-generation protection pane3" lightbox="images/36c7c2ed737f2f4b54918a4f20791d4b.png"::: - ![Image of next generation protection pane4.](images/a28afc02c1940d5220b233640364970c.png) + :::image type="content" source="images/a28afc02c1940d5220b233640364970c.png" alt-text="The next-generation protection pane4" lightbox="images/a28afc02c1940d5220b233640364970c.png"::: - ![Image of next generation protection pane5.](images/5420a8790c550f39f189830775a6d4c9.png) + :::image type="content" source="images/5420a8790c550f39f189830775a6d4c9.png" alt-text="The next-generation protection pane5" lightbox="images/5420a8790c550f39f189830775a6d4c9.png"::: - ![Image of next generation protection pane6.](images/33f08a38f2f4dd12a364f8eac95e8c6b.png) + :::image type="content" source="images/33f08a38f2f4dd12a364f8eac95e8c6b.png" alt-text="The next-generation protection pane6" lightbox="images/33f08a38f2f4dd12a364f8eac95e8c6b.png"::: - ![Image of next generation protection pane7.](images/41b9a023bc96364062c2041a8f5c344e.png) + :::image type="content" source="images/41b9a023bc96364062c2041a8f5c344e.png" alt-text="The next-generation protection pane7" lightbox="images/41b9a023bc96364062c2041a8f5c344e.png"::: - ![Image of next generation protection pane8.](images/945c9c5d66797037c3caeaa5c19f135c.png) + :::image type="content" source="images/945c9c5d66797037c3caeaa5c19f135c.png" alt-text="The next-generation protection pane8" lightbox="images/945c9c5d66797037c3caeaa5c19f135c.png"::: - ![Image of next generation protection pane9.](images/3876ca687391bfc0ce215d221c683970.png) + :::image type="content" source="images/3876ca687391bfc0ce215d221c683970.png" alt-text="The next-generation protection pane9" lightbox="images/3876ca687391bfc0ce215d221c683970.png"::: 3. Right-click on the newly created antimalware policy and select Deploy. - ![Image of next generation protection pane10.](images/f5508317cd8c7870627cb4726acd5f3d.png) + :::image type="content" source="images/f5508317cd8c7870627cb4726acd5f3d.png" alt-text="The next-generation protection pane10" lightbox="images/f5508317cd8c7870627cb4726acd5f3d.png"::: 4. Target the new antimalware policy to your Windows collection and click OK. - ![Image of next generation protection pane11.](images/configmgr-select-collection.png) + :::image type="content" source="images/configmgr-select-collection.png" alt-text="The next-generation protection pane11" lightbox="images/configmgr-select-collection.png"::: After completing this task, you now have successfully configured Windows Defender Antivirus. To set ASR rules in Audit mode: 1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard and choose Create Exploit Guard Policy. - ![Image of Microsoft Endpoint Configuration Manager console0.](images/728c10ef26042bbdbcd270b6343f1a8a.png) + :::image type="content" source="images/728c10ef26042bbdbcd270b6343f1a8a.png" alt-text="The Microsoft Endpoint Configuration Manager console0" lightbox="images/728c10ef26042bbdbcd270b6343f1a8a.png"::: 2. Select Attack Surface Reduction. 3. Set rules to Audit and click Next. - ![Image of Microsoft Endpoint Configuration Manager console1.](images/d18e40c9e60aecf1f9a93065cb7567bd.png) + :::image type="content" source="images/d18e40c9e60aecf1f9a93065cb7567bd.png" alt-text="The Microsoft Endpoint Configuration Manager console1" lightbox="images/d18e40c9e60aecf1f9a93065cb7567bd.png"::: 4. Confirm the new Exploit Guard policy by clicking on Next. - ![Image of Microsoft Endpoint Configuration Manager console2.](images/0a6536f2c4024c08709cac8fcf800060.png) + :::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Microsoft Endpoint Configuration Manager console2" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png"::: 5. Once the policy is created click Close. - ![Image of Microsoft Endpoint Configuration Manager console3.](images/95d23a07c2c8bc79176788f28cef7557.png) + :::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Microsoft Endpoint Configuration Manager console3" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png"::: 6. Right-click on the newly created policy and choose Deploy. - ![Image of Microsoft Endpoint Configuration Manager console4.](images/8999dd697e3b495c04eb911f8b68a1ef.png) + :::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager console4" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png"::: 7. Target the policy to the newly created Windows collection and click OK. - ![Image of Microsoft Endpoint Configuration Manager console5.](images/0ccfe3e803be4b56c668b220b51da7f7.png) + :::image type="content" source="images/0ccfe3e803be4b56c668b220b51da7f7.png" alt-text="The Microsoft Endpoint Configuration Manager console5" lightbox="images/0ccfe3e803be4b56c668b220b51da7f7.png"::: After completing this task, you now have successfully configured ASR rules in audit mode. Below are additional steps to verify whether ASR rules are correctly applied to 3. Click Go to attack surface management in the Attack surface management panel. - ![Image of attack surface management.](images/security-center-attack-surface-mgnt-tile.png) + :::image type="content" source="images/security-center-attack-surface-mgnt-tile.png" alt-text="The attack surface management" lightbox="images/security-center-attack-surface-mgnt-tile.png"::: 4. Click Configuration tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. - ![A screenshot of attack surface reduction rules reports1.](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) + :::image type="content" source="images/f91f406e6e0aae197a947d3b0e8b2d0d.png" alt-text="The attack surface reduction rules reports1" lightbox="images/f91f406e6e0aae197a947d3b0e8b2d0d.png"::: 5. Click each device shows configuration details of ASR rules. - ![A screenshot of attack surface reduction rules reports2.](images/24bfb16ed561cbb468bd8ce51130ca9d.png) + :::image type="content" source="images/24bfb16ed561cbb468bd8ce51130ca9d.png" alt-text="The attack surface reduction rules reports2" lightbox="images/24bfb16ed561cbb468bd8ce51130ca9d.png"::: See [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr) for more details. See [Optimize ASR rule deployment and detections](/microsoft-365/security/defend 1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard and choose Create Exploit Guard Policy. - ![A screenshot System Center Configuration Manager1.](images/728c10ef26042bbdbcd270b6343f1a8a.png) + :::image type="content" source="images/728c10ef26042bbdbcd270b6343f1a8a.png" alt-text="The System Center Configuration Manager1" lightbox="images/728c10ef26042bbdbcd270b6343f1a8a.png"::: 2. Select Network protection. 3. Set the setting to Audit and click Next. - ![A screenshot System Center Configuration Manager2.](images/c039b2e05dba1ade6fb4512456380c9f.png) + :::image type="content" source="images/c039b2e05dba1ade6fb4512456380c9f.png" alt-text="The System Center Configuration Manager2" lightbox="images/c039b2e05dba1ade6fb4512456380c9f.png"::: 4. Confirm the new Exploit Guard Policy by clicking Next. - ![A screenshot Exploit Guard policy1.](images/0a6536f2c4024c08709cac8fcf800060.png) + :::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Exploit Guard policy1" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png"::: 5. Once the policy is created click on Close. - ![A screenshot Exploit Guard policy2.](images/95d23a07c2c8bc79176788f28cef7557.png) + :::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Exploit Guard policy2" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png"::: 6. Right-click on the newly created policy and choose Deploy. - ![A screenshot Microsoft Endpoint Configuration Manager1.](images/8999dd697e3b495c04eb911f8b68a1ef.png) + :::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager-1" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png"::: 7. Select the policy to the newly created Windows collection and choose OK. - ![A screenshot Microsoft Endpoint Configuration Manager2.](images/0ccfe3e803be4b56c668b220b51da7f7.png) + :::image type="content" source="images/0ccfe3e803be4b56c668b220b51da7f7.png" alt-text="The Microsoft Endpoint Configuration Manager-2" lightbox="images/0ccfe3e803be4b56c668b220b51da7f7.png"::: After completing this task, you now have successfully configured Network Protection in audit mode. After completing this task, you now have successfully configured Network Protect 1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Exploit Guard and then choose Create Exploit Guard Policy. - ![A screenshot of Microsoft Endpoint Configuration Manager3.](images/728c10ef26042bbdbcd270b6343f1a8a.png) + :::image type="content" source="images/728c10ef26042bbdbcd270b6343f1a8a.png" alt-text="The Microsoft Endpoint Configuration Manager-3" lightbox="images/728c10ef26042bbdbcd270b6343f1a8a.png"::: 2. Select Controlled folder access. 3. Set the configuration to Audit and click Next. - ![A screenshot of Microsoft Endpoint Configuration Manager4.](images/a8b934dab2dbba289cf64fe30e0e8aa4.png) + :::image type="content" source="images/a8b934dab2dbba289cf64fe30e0e8aa4.png" alt-text="The Microsoft Endpoint Configuration Manager-4" lightbox="images/a8b934dab2dbba289cf64fe30e0e8aa4.png"::: 4. Confirm the new Exploit Guard Policy by clicking on Next. - ![A screenshot of Microsoft Endpoint Configuration Manager5.](images/0a6536f2c4024c08709cac8fcf800060.png) + :::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Microsoft Endpoint Configuration Manager-5" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png"::: 5. Once the policy is created click on Close. - ![A screenshot of Microsoft Endpoint Configuration Manager6.](images/95d23a07c2c8bc79176788f28cef7557.png) + :::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Microsoft Endpoint Configuration Manager-6" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png"::: 6. Right-click on the newly created policy and choose Deploy. - ![A screenshot of Microsoft Endpoint Configuration Manager7.](images/8999dd697e3b495c04eb911f8b68a1ef.png) + :::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager-7" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png"::: 7. Target the policy to the newly created Windows collection and click OK. - ![A screenshot of Microsoft Endpoint Configuration Manager8.](images/0ccfe3e803be4b56c668b220b51da7f7.png) You have now successfully configured Controlled folder access in audit mode.
security	Onboarding Endpoint Manager	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md	This article is part of the Deployment guide and acts as an example onboarding m In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the cloud-native architecture. -![Image of cloud-native architecture.](images/cloud-native-architecture.png) Diagram of environment architectures While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). In this section, we will create a test group to assign your configurations on. 2. Open Groups > New Group. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal1.](images/66f724598d9c3319cba27f79dd4617a4.png) + > :::image type="content" source="images/66f724598d9c3319cba27f79dd4617a4.png" alt-text="The Microsoft Endpoint Manager portal1" lightbox="images/66f724598d9c3319cba27f79dd4617a4.png"::: 3. Enter details and create a new group. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal2.](images/b1e0206d675ad07db218b63cd9b9abc3.png) + > :::image type="content" source="images/b1e0206d675ad07db218b63cd9b9abc3.png" alt-text="The Microsoft Endpoint Manager portal2" lightbox="images/b1e0206d675ad07db218b63cd9b9abc3.png"::: 4. Add your test user or device. In this section, we will create a test group to assign your configurations on. 7. Find your test user or device and select it. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal3.](images/149cbfdf221cdbde8159d0ab72644cd0.png) + > :::image type="content" source="images/149cbfdf221cdbde8159d0ab72644cd0.png" alt-text="The Microsoft Endpoint Manager portal3" lightbox="images/149cbfdf221cdbde8159d0ab72644cd0.png"::: 8. Your testing group now has a member to test. Then you will continue by creating several different types of endpoint security 2. Navigate to Endpoint security > Endpoint detection and response. Click on Create Profile. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal4.](images/58dcd48811147feb4ddc17212b7fe840.png) + > :::image type="content" source="images/58dcd48811147feb4ddc17212b7fe840.png" alt-text="The Microsoft Endpoint Manager portal4" lightbox="images/58dcd48811147feb4ddc17212b7fe840.png"::: 3. Under Platform, select Windows 10 and Later, Profile - Endpoint detection and response > Create. Then you will continue by creating several different types of endpoint security 4. Enter a name and description, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal5.](images/a5b2d23bdd50b160fef4afd25dda28d4.png) + > :::image type="content" source="images/a5b2d23bdd50b160fef4afd25dda28d4.png" alt-text="The Microsoft Endpoint Manager portal5" lightbox="images/a5b2d23bdd50b160fef4afd25dda28d4.png"::: 5. Select settings as required, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal6.](images/cea7e288b5d42a9baf1aef0754ade910.png) + > :::image type="content" source="images/cea7e288b5d42a9baf1aef0754ade910.png" alt-text="The Microsoft Endpoint Manager portal6" lightbox="images/cea7e288b5d42a9baf1aef0754ade910.png"::: > [!NOTE] > In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp). > > The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune: > - > ![Image of Microsoft Endpoint Manager portal7.](images/2466460812371ffae2d19a10c347d6f4.png) + > :::image type="content" source="images/2466460812371ffae2d19a10c347d6f4.png" alt-text="The Microsoft Endpoint Manager portal7" lightbox="images/2466460812371ffae2d19a10c347d6f4.png"::: 6. Add scope tags if necessary, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal8.](images/ef844f52ec2c0d737ce793f68b5e8408.png) + > :::image type="content" source="images/ef844f52ec2c0d737ce793f68b5e8408.png" alt-text="The Microsoft Endpoint Manager portal8" lightbox="images/ef844f52ec2c0d737ce793f68b5e8408.png"::: 7. Add test group by clicking on Select groups to include and choose your group, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal9.](images/fc3525e20752da026ec9f46ab4fec64f.png) + > :::image type="content" source="images/fc3525e20752da026ec9f46ab4fec64f.png" alt-text="The Microsoft Endpoint Manager portal9" lightbox="images/fc3525e20752da026ec9f46ab4fec64f.png"::: 8. Review and accept, then select Create. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal10.](images/289172dbd7bd34d55d24810d9d4d8158.png) + > :::image type="content" source="images/289172dbd7bd34d55d24810d9d4d8158.png" alt-text="The Microsoft Endpoint Manager portal10" lightbox="images/289172dbd7bd34d55d24810d9d4d8158.png"::: 9. You can view your completed policy. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal11.](images/5a568b6878be8243ea2b9d82d41ed297.png) + > :::image type="content" source="images/5a568b6878be8243ea2b9d82d41ed297.png" alt-text="The Microsoft Endpoint Manager portal11" lightbox="images/5a568b6878be8243ea2b9d82d41ed297.png"::: ### Next-generation protection Then you will continue by creating several different types of endpoint security 2. Navigate to Endpoint security > Antivirus > Create Policy. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal12.](images/6b728d6e0d71108d768e368b416ff8ba.png) + > :::image type="content" source="images/6b728d6e0d71108d768e368b416ff8ba.png" alt-text="The Microsoft Endpoint Manager portal12" lightbox="images/6b728d6e0d71108d768e368b416ff8ba.png"::: 3. Select Platform - Windows 10 and Later - Windows and Profile - Microsoft Defender Antivirus > Create. 4. Enter name and description, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal13.](images/a7d738dd4509d65407b7d12beaa3e917.png) + > :::image type="content" source="images/a7d738dd4509d65407b7d12beaa3e917.png" alt-text="The Microsoft Endpoint Manager portal13" lightbox="images/a7d738dd4509d65407b7d12beaa3e917.png"::: 5. In the Configuration settings page: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation). > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal14.](images/3840b1576d6f79a1d72eb14760ef5e8c.png) + > :::image type="content" source="images/3840b1576d6f79a1d72eb14760ef5e8c.png" alt-text="The Microsoft Endpoint Manager portal14" lightbox="images/3840b1576d6f79a1d72eb14760ef5e8c.png"::: 6. Add scope tags if necessary, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal15.](images/2055e4f9b9141525c0eb681e7ba19381.png) + > :::image type="content" source="images/2055e4f9b9141525c0eb681e7ba19381.png" alt-text="The Microsoft Endpoint Manager portal15" lightbox="images/2055e4f9b9141525c0eb681e7ba19381.png"::: 7. Select groups to include, assign to your test group, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal16.](images/48318a51adee06bff3908e8ad4944dc9.png) + > :::image type="content" source="images/48318a51adee06bff3908e8ad4944dc9.png" alt-text="The Microsoft Endpoint Manager portal16" lightbox="images/48318a51adee06bff3908e8ad4944dc9.png"::: 8. Review and create, then select Create. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal17.](images/dfdadab79112d61bd3693d957084b0ec.png) + > :::image type="content" source="images/dfdadab79112d61bd3693d957084b0ec.png" alt-text="The Microsoft Endpoint Manager portal17" lightbox="images/dfdadab79112d61bd3693d957084b0ec.png"::: 9. You'll see the configuration policy you created. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal18.](images/38180219e632d6e4ec7bd25a46398da8.png) + > :::image type="content" source="images/38180219e632d6e4ec7bd25a46398da8.png" alt-text="The Microsoft Endpoint Manager portal18" lightbox="images/38180219e632d6e4ec7bd25a46398da8.png"::: ### Attack Surface Reduction - Attack surface reduction rules Then you will continue by creating several different types of endpoint security rules > Create. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal19.](images/522d9bb4288dc9c1a957392b51384fdd.png) + > :::image type="content" source="images/522d9bb4288dc9c1a957392b51384fdd.png" alt-text="The Microsoft Endpoint Manager portal19" lightbox="images/522d9bb4288dc9c1a957392b51384fdd.png"::: 5. Enter a name and description, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal20.](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png) + > :::image type="content" source="images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png" alt-text="The Microsoft Endpoint Manager portal20" lightbox="images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png"::: 6. In the Configuration settings page: Set the configurations you require for Attack surface reduction rules, then select Next. Then you will continue by creating several different types of endpoint security > For more information, see [Attack surface reduction rules](attack-surface-reduction.md). > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal21.](images/dd0c00efe615a64a4a368f54257777d0.png) + > :::image type="content" source="images/dd0c00efe615a64a4a368f54257777d0.png" alt-text="The Microsoft Endpoint Manager portal21" lightbox="images/dd0c00efe615a64a4a368f54257777d0.png"::: 7. Add Scope Tags as required, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal22.](images/6daa8d347c98fe94a0d9c22797ff6f28.png) + > :::image type="content" source="images/6daa8d347c98fe94a0d9c22797ff6f28.png" alt-text="The Microsoft Endpoint Manager portal22" lightbox="images/6daa8d347c98fe94a0d9c22797ff6f28.png"::: 8. Select groups to include and assign to test group, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal23.](images/45cefc8e4e474321b4d47b4626346597.png) + > :::image type="content" source="images/45cefc8e4e474321b4d47b4626346597.png" alt-text="The Microsoft Endpoint Manager portal23" lightbox="images/45cefc8e4e474321b4d47b4626346597.png"::: 9. Review the details, then select Create. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal24.](images/2c2e87c5fedc87eba17be0cdeffdb17f.png) + > :::image type="content" source="images/2c2e87c5fedc87eba17be0cdeffdb17f.png" alt-text="The Microsoft Endpoint Manager portal24" lightbox="images/2c2e87c5fedc87eba17be0cdeffdb17f.png"::: 10. View the policy. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal25.](images/7a631d17cc42500dacad4e995823ffef.png) + > :::image type="content" source="images/7a631d17cc42500dacad4e995823ffef.png" alt-text="The Microsoft Endpoint Manager portal25" lightbox="images/7a631d17cc42500dacad4e995823ffef.png"::: ### Attack Surface Reduction - Web Protection Then you will continue by creating several different types of endpoint security 4. Select Windows 10 and Later - Web protection > Create. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal26.](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png) + > :::image type="content" source="images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png" alt-text="The Microsoft Endpoint Manager portal26" lightbox="images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png"::: 5. Enter a name and description, then select Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal27.](images/5be573a60cd4fa56a86a6668b62dd808.png) + > :::image type="content" source="images/5be573a60cd4fa56a86a6668b62dd808.png" alt-text="The Microsoft Endpoint Manager portal27" lightbox="images/5be573a60cd4fa56a86a6668b62dd808.png"::: 6. In the Configuration settings page: Set the configurations you require for Web Protection, then select Next. Then you will continue by creating several different types of endpoint security > For more information, see [Web Protection](web-protection-overview.md). > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal28.](images/6104aa33a56fab750cf30ecabef9f5b6.png) + > :::image type="content" source="images/6104aa33a56fab750cf30ecabef9f5b6.png" alt-text="The Microsoft Endpoint Manager portal28" lightbox="images/6104aa33a56fab750cf30ecabef9f5b6.png"::: 7. Add Scope Tags as required > Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal29.](images/6daa8d347c98fe94a0d9c22797ff6f28.png) + > :::image type="content" source="images/6daa8d347c98fe94a0d9c22797ff6f28.png" alt-text="The Microsoft Endpoint Manager portal29" lightbox="images/6daa8d347c98fe94a0d9c22797ff6f28.png"::: 8. Select Assign to test group > Next. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal30.](images/45cefc8e4e474321b4d47b4626346597.png) + > :::image type="content" source="images/45cefc8e4e474321b4d47b4626346597.png" alt-text="The Microsoft Endpoint Manager portal30" lightbox="images/45cefc8e4e474321b4d47b4626346597.png"::: 9. Select Review and Create > Create. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal31.](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png) + > :::image type="content" source="images/8ee0405f1a96c23d2eb6f737f11c1ae5.png" alt-text="The Microsoft Endpoint Manager portal31" lightbox="images/8ee0405f1a96c23d2eb6f737f11c1ae5.png"::: 10. View the policy. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal32.](images/e74f6f6c150d017a286e6ed3dffb7757.png) + > :::image type="content" source="images/e74f6f6c150d017a286e6ed3dffb7757.png" alt-text="The Microsoft Endpoint Manager portal32" lightbox="images/e74f6f6c150d017a286e6ed3dffb7757.png"::: ## Validate configuration settings To confirm that the configuration policy has been applied to your test device, f steps above. The following example shows the next generation protection settings. > [!div class="mx-imgBorder"] - > [![Image of Microsoft Endpoint Manager portal33.](images/43ab6aa74471ee2977e154a4a5ef2d39.png)](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox) + > [![Image of Microsoft Endpoint Manager portal33.](images/43ab6aa74471ee2977e154a4a5ef2d39.png)](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox) 2. Select the Configuration Policy to view the policy status. To confirm that the configuration policy has been applied to your test device, f manage the settings as shown below. > [!div class="mx-imgBorder"] - > ![Image of setting page1.](images/88efb4c3710493a53f2840c3eac3e3d3.png) + > :::image type="content" source="images/88efb4c3710493a53f2840c3eac3e3d3.png" alt-text="The settings page-1" lightbox="images/88efb4c3710493a53f2840c3eac3e3d3.png"::: 2. After the policy has been applied, you should not be able to manually manage the settings. To confirm that the configuration policy has been applied to your test device, f > Turn on real-time protection** are being shown as managed. > [!div class="mx-imgBorder"] - > ![Image of setting page2.](images/9341428b2d3164ca63d7d4eaa5cff642.png) + > :::image type="content" source="images/9341428b2d3164ca63d7d4eaa5cff642.png" alt-text="The settings page-2" lightbox="images/9341428b2d3164ca63d7d4eaa5cff642.png"::: ### Confirm Attack Surface Reduction - Attack surface reduction rules To confirm that the configuration policy has been applied to your test device, f > > AttackSurfaceReductionRules_Ids: - ![Image of command line1.](images/cb0260d4b2636814e37eee427211fe71.png) + :::image type="content" source="images/cb0260d4b2636814e37eee427211fe71.png" alt-text="The command line-1" lightbox="images/cb0260d4b2636814e37eee427211fe71.png"::: 3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`. 4. This should respond with the following lines with content as shown below: - ![Image of command line2.](images/619fb877791b1fc8bc7dfae1a579043d.png) + :::image type="content" source="images/619fb877791b1fc8bc7dfae1a579043d.png" alt-text="The command line-2" lightbox="images/619fb877791b1fc8bc7dfae1a579043d.png"::: ### Confirm Attack Surface Reduction - Web Protection To confirm that the configuration policy has been applied to your test device, f 2. This should respond with a 0 as shown below. - ![Image of command line3.](images/196a8e194ac99d84221f405d0f684f8c.png) + :::image type="content" source="images/196a8e194ac99d84221f405d0f684f8c.png" alt-text="The command line-3" lightbox="images/196a8e194ac99d84221f405d0f684f8c.png"::: 3. After applying the policy, open a PowerShell Windows and type `(Get-MpPreference).EnableNetworkProtection`. 4. This should respond with a 1 as shown below. - ![Image of command line4.](images/c06fa3bbc2f70d59dfe1e106cd9a4683.png) + :::image type="content" source="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png" alt-text="The command line-4" lightbox="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png":::
security	Onboarding Notification	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md	You'll need to have access to: 2. Navigate to My flows > New > Scheduled - from blank. - ![Image of flow.](images/new-flow.png) + :::image type="content" source="images/new-flow.png" alt-text="The flow" lightbox="images/new-flow.png"::: + 3. Build a scheduled flow. 1. Enter a flow name. 2. Specify the start and time. 3. Specify the frequency. For example, every 5 minutes. - ![Image of the notification flow.](images/build-flow.png) + :::image type="content" source="images/build-flow.png" alt-text="The notification flow" lightbox="images/build-flow.png"::: 4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). - ![Image of recurrence and add action.](images/recurrence-add.png) + :::image type="content" source="images/recurrence-add.png" alt-text="The recurrence and add action" lightbox="images/recurrence-add.png"::: 5. Enter the following HTTP fields: You'll need to have access to: - Credential Type: Select "Secret". - Secret: Sign-in to https://portal.azure.com and navigate to Azure Active Directory > App Registrations and get the Tenant ID value. - ![Image of the HTTP conditions.](images/http-conditions.png) + :::image type="content" source="images/http-conditions.png" alt-text="The HTTP conditions" lightbox="images/http-conditions.png"::: 6. Add a new step by selecting Add new action then search for Data Operations and select Parse JSON. - ![Image of data operations.](images/data-operations.png) + :::image type="content" source="images/data-operations.png" alt-text="The data operations entry" lightbox="images/data-operations.png"::: 7. Add Body in the Content field. - ![Image of parse JSON.](images/parse-json.png) + :::image type="content" source="images/parse-json.png" alt-text="The parse JSON section" lightbox="images/parse-json.png"::: 8. Select the Use sample payload to generate schema link. - ![Image of parse json with payload.](images/parse-json-schema.png) + :::image type="content" source="images/parse-json-schema.png" alt-text="The parse JSON with payload" lightbox="images/parse-json-schema.png"::: 9. Copy and paste the following JSON snippet: You'll need to have access to: - If yes, no notification will be triggered - If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Defender for Endpoint admin - ![Image of apply to each.](images/flow-apply.png) + :::image type="content" source="images/flow-apply.png" alt-text="The application of the flow to each element" lightbox="images/flow-apply.png"::: - ![Image of apply to each with get items.](images/apply-to-each.png) + :::image type="content" source="images/apply-to-each.png" alt-text="The application of the flow to the Get items element" lightbox="images/apply-to-each.png"::: 11. Under Condition, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0. - ![Image of apply to each condition.](images/apply-to-each-value.png) - ![Image of condition1.](images/conditions-2.png) - ![Image of condition2.](images/condition3.png) - ![Image of send email.](images/send-email.png) + :::image type="content" source="images/apply-to-each-value.png" alt-text="The application of the flow to each condition" lightbox="images/apply-to-each-value.png"::: + :::image type="content" source="images/conditions-2.png" alt-text="The condition-1" lightbox="images/conditions-2.png"::: + :::image type="content" source="images/condition3.png" alt-text="The condition-2" lightbox="images/condition3.png"::: + :::image type="content" source="images/send-email.png" alt-text="The Send an email section" lightbox="images/send-email.png"::: ## Alert notification The following image is an example of an email notification. -![Image of email notification.](images/alert-notification.png) ## Tips
security	Onboarding	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md	These are the steps you need to take to deploy Defender for Endpoint: - Step 1: Onboard endpoints to the service - Step 2: Configure capabilities -![Illustration of the deployment steps](images/deployment-steps.png) +
security	Prevent Changes To Security Settings With Tamper Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md	For more information about releases, see [Windows 10 release information](/windo ### Turn tamper protection on (or off) in the Microsoft 365 Defender portal 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. If your organization uses Microsoft Endpoint Manager (MEM) you can turn tamper p ### Turn tamper protection on (or off) in Microsoft Endpoint Manager -![Turn tamper protection on with Endpoint Manager.](images/turnontamperprotectinmem.png) 1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to Endpoint security \> Antivirus, and then choose + Create Policy. If you are a home user, or you are not subject to settings managed by a security Here's what you see in the Windows Security app: -![Tamper protection turned on in Windows 10 Home.](images/tamperprotectionturnedon.png) 1. Select Start, and start typing Security. In the search results, select Windows Security. Tampering attempts typically indicate bigger cyberattacks. Bad actors try to cha When a tampering attempt is detected, an alert is raised in the [Microsoft 365 Defender portal](/microsoft-365/security/defender-endpoint/portal-overview) ([https://security.microsoft.com](https://security.microsoft.com)). -![Microsoft 365 Defender.](images/tamperattemptalert.png) Using [endpoint detection and response](overview-endpoint-detection-response.md) and [advanced hunting](advanced-hunting-overview.md) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts. Using [endpoint detection and response](overview-endpoint-detection-response.md) Tamper protection integrates with [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) capabilities. [Security recommendations](tvm-security-recommendation.md) include making sure tamper protection is turned on. For example, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on. -![Turn on tamper protection.](images/tamperprotectsecurityrecos.png) To learn more about Threat & Vulnerability Management, see [Dashboard insights - threat and vulnerability management](tvm-dashboard-insights.md#dashboard-insightsthreat-and-vulnerability-management).
security	Prevent End User Interaction Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md	In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender With the setting set to Enabled: With the setting set to Disabled or not configured: > [!NOTE] > Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." ## Use Group Policy to hide the Microsoft Defender AV interface from users
security	Preview Settings	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md	Turn on the preview experience setting to be among the first to try upcoming fea 1. In the navigation pane, select Settings \> Endpoints \> Advanced features. - :::image type="content" source="../../media/atp-preview-features-new.png" alt-text="settings and preview experience image."::: + :::image type="content" source="../../media/atp-preview-features-new.png" alt-text="The settings and preview experience" lightbox="../../media/atp-preview-features-new.png"::: 2. Toggle the setting between On and Off and select Save preferences.
security	Printer Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md	For Intune, currently Device Control Printer Protection supports OMA-URI only. The CSP support string with `<enabled/>`: ### Scenario 2: Allow specific approved USB printers using Intune The CSP support string with `<enabled/>`: The CSP support string with approved USB printers via 'ApprovedUsbPrintDevices' property, example `<enabled><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>`: ## Deploy policy via Group Policy If the device isn't Intune joined, you can also deploy the policy via Group Poli User Configuration \> Administrative Templates \> Control Panel \> Printers: Enable Device control Printing Restrictions ### Scenario 2: Allow specific approved USB printers using Group Policy If the device isn't Intune joined, you can also deploy the policy via Group Poli User Configuration \> Administrative Templates \> Control Panel \> Printers: List of Approved USB-connected print devices ## View Device Control Printer Protection data in Microsoft Defender for Endpoint portal DeviceEvents \| order by Timestamp desc ``` - :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting."::: + :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting" lightbox="../../media/device-control-advanced-hunting.png"::: You can use the PnP event to find the USB printer used in the organization: DeviceEvents \| order by Timestamp desc ``` - :::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="advanced hunting"::: + :::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="The Advanced Hunting page" lightbox="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png":::
security	Production Deployment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md	ms.technology: mde Deploying Defender for Endpoint is a three-phase process: -\|[![deployment phase - prepare.](images/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) \| ![deployment phase - setup](images/phase-diagrams/setup.png)<br>Phase 2: Setup \| [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md)\| +\|[![deployment phase - prepare.](images/phase-diagrams/prepare.png#lightbox)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) \| ![deployment phase - setup](images/phase-diagrams/setup.png#lightbox)<br>Phase 2: Setup \| [![deployment phase - onboard](images/phase-diagrams/onboard.png#lightbox)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md)\| \|\|\|\| \|\|You are here!\|\| Checking for the license state and whether it got properly provisioned, can be d 1. To view your licenses, go to the Microsoft Azure portal and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). - ![Image of Azure Licensing page.](images/atp-licensing-azure-portal.png) + :::image type="content" source="images/atp-licensing-azure-portal.png" alt-text="The Azure Licensing page" lightbox="images/atp-licensing-azure-portal.png"::: 1. Alternately, in the admin center, navigate to Billing \> Subscriptions. On the screen, you'll see all the provisioned licenses and their current Status. - ![Image of billing licenses.](images/atp-billing-subscriptions.png) + :::image type="content" source="images/atp-billing-subscriptions.png" alt-text="The billing licenses page" lightbox="images/atp-billing-subscriptions.png"::: ## Cloud Service Provider validation To gain access into which licenses are provisioned to your company, and to check 2. Clicking on the Partner portal link will open the Admin on behalf option and will give you access to the customer admin center. - ![Image of O365 admin portal.](images/atp-O365-admin-portal-customer.png) + :::image type="content" source="images/atp-O365-admin-portal-customer.png" alt-text="The Office 365 admin portal" lightbox="images/atp-O365-admin-portal-customer.png"::: ## Tenant Configuration Configure a registry-based static proxy to allow only Microsoft Defender for End 2. Create a policy or edit an existing policy based off the organizational practices. 3. Edit the Group Policy and navigate to Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service. - ![Image of Group Policy configuration.](images/atp-gpo-proxy1.png) + :::image type="content" source="images/atp-gpo-proxy1.png" alt-text="The options related to configuration of the usage policy" lightbox="images/atp-gpo-proxy1.png"::: 4. Select Enabled. 5. Select Disable Authenticated Proxy usage. 6. Navigate to Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry. - ![Image of Group Policy configuration setting.](images/atp-gpo-proxy2.png) + :::image type="content" source="images/atp-gpo-proxy2.png" alt-text="The options related to configuration of the connected user experience and telemetry" lightbox="images/atp-gpo-proxy2.png"::: 7. Select Enabled. 8. Enter the Proxy Server Name. The following downloadable spreadsheet lists the services and their associated U \|Spreadsheet of domains list\| Description\| \|\|\| -\|Microsoft Defender for Endpoint URL list for commercial customers \| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx) -\| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers\| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx) +\|:::image type="content" source="images/mdatp-urls.png" alt-text="The Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::\|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)\| \| ## Next step -![Phase 3: Onboard.](images/onboard.png) <br> [Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them. +[![Phase 3: Onboard.](images/onboard.png#lightbox)] <br> [Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
security	Raw Data Export Event Hub	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md	In order to get your Event Hubs resource ID, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab \> copy the text under Resource ID: - :::image type="content" alt-text="Image of event hub resource Id1." source="images/event-hub-resource-id.png" lightbox="images/event-hub-resource-id.png"::: + :::image type="content" source="images/event-hub-resource-id.png" alt-text="The Event Hubs resource Id-1" lightbox="images/event-hub-resource-id.png"::: 7. Choose the events you want to stream and click Save. To get the data types for event properties do the following: - Here is an example for Device Info event: - ![Image of event hub resource Id2.](images/machine-info-datatype-example.png) + :::image type="content" source="images/machine-info-datatype-example.png" alt-text="The Event Hubs resource Id-2" lightbox="images/machine-info-datatype-example.png"::: ## Related topics
security	Raw Data Export Storage	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md	6. Type your Storage Account Resource ID. In order to get your Storage Account Resource ID, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) \> properties tab \> copy the text under Storage account resource ID: - :::image type="content" alt-text="Image of event hub resource ID1." source="images/storage-account-resource-id.png" lightbox="images/storage-account-resource-id.png"::: + :::image type="content" source="images/storage-account-resource-id.png" alt-text="The Event Hubs with resource ID1" lightbox="images/storage-account-resource-id.png"::: 7. Choose the events you want to stream and click Save. - A blob container will be created for each event type: - :::image type="content" alt-text="Image of event hub resource ID2." source="images/storage-account-event-schema.png" lightbox="images/storage-account-event-schema.png"::: + :::image type="content" source="images/storage-account-event-schema.png" alt-text="The Event Hubs with resource ID2" lightbox="images/storage-account-event-schema.png"::: - The schema of each row in a blob is the following JSON: In order to get the data types for our events properties do the following: - Here is an example for Device Info event: - ![Image of event hub resource ID3.](images/data-types-mapping-query.png) + :::image type="content" source="images/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="images/data-types-mapping-query.png"::: ## Related topics
security	Respond File Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md	You can also submit files for deep analysis, to run the file in a secure cloud s Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files: -<br> - -** - \|Permission\|PE files\|Non-PE files\| \|\|::\|::\| \|View data\|X\|X\| \|Alerts investigation\|☑\|X\| \|Live response basic\|X\|X\| \|Live response advanced\|☑\|☑\| -\| For more information on roles, see [Create and manage roles for role-based access control](user-roles.md). This action takes effect on devices with Windows 10, version 1703 or later, and 2. Go to the top bar and select Stop and Quarantine File. - ![Image of stop and quarantine file action.](images/atp-stop-quarantine-file.png) + :::image type="content" source="images/atp-stop-quarantine-file.png" alt-text="The stop and quarantine file action" lightbox="images/atp-stop-quarantine-file.png"::: 3. Specify a reason, then select Confirm. - ![Image of stop and quarantine file modal window.](images/atp-stop-quarantine.png) + :::image type="content" source="images/atp-stop-quarantine.png" alt-text="The stop and quarantine file page" lightbox="images/atp-stop-quarantine.png"::: The Action center shows the submission information: - ![Image of stop and quarantine file action center.](images/atp-stopnquarantine-file.png) + :::image type="content" source="images/atp-stopnquarantine-file.png" alt-text="The stop and quarantine file action center" lightbox="images/atp-stopnquarantine-file.png"::: - Submission time - Shows when the action was submitted. - Success - Shows the number of devices where the file has been stopped and quarantined. This action takes effect on devices with Windows 10, version 1703 or later, and When the file is being removed from a device, the following notification is shown: -![Image of notification on device user.](images/atp-notification-file.png) In the device timeline, a new event is added for each device where a file was stopped and quarantined. Selecting Download file from the response actions allows you to download a l By default, you should be able to download files that are in quarantine. -![Image of download file action.](images/atp-download-file-action.png) ### Download quarantined files The Action center provides information on actions that were taken on a devic All other related details are also shown, such as submission date/time, submitting user, and if the action succeeded or failed. -![Image of action center with information.](images/action-center-details.png) ## Deep analysis Use the deep analysis feature to investigate the details of any file, usually du > [!NOTE] > Only files from Windows 10 and Windows 11 can be automatically collected. -You can also submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device (or Windows 11), and wait for Submit for deep analysis button to become available. +You can also submit a sample through the [Microsoft 365 Defender Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device (or Windows 11), and wait for Submit for deep analysis button to become available. > [!NOTE] -> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint. +> Due to backend processing flows in the Microsoft 365 Defender Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint. ### Submit files for deep analysis You can also submit a sample through the [Microsoft Security Center Portal](http 2. In the Deep analysis tab of the file view, select Submit. - ![You can only submit PE files in the file details section.](images/submit-file.png) + :::image type="content" source="images/submit-file.png" alt-text="The submit PE files button" lightbox="images/submit-file.png"::: > [!NOTE] > Only PE files are supported, including _.exe_ and _.dll_ files. The details provided can help you investigate if there are indications of a pote 1. Select the file you submitted for deep analysis. 2. Select the Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab. - ![The deep analysis report shows detailed information across a number of categories.](images/analysis-results-nothing500.png) + :::image type="content" source="images/analysis-results-nothing500.png" alt-text="The deep analysis report showing detailed information across a number of categories" lightbox="images/analysis-results-nothing500.png"::: #### Troubleshoot deep analysis
security	Respond Machine Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md	Response actions run along the top of a specific device page and include: [![Image of response actions.](images/response-actions.png)](images/response-actions.png#lightbox) + You can find device pages from any of the following views: - Security operations dashboard - Select a device name from the Devices at risk card. Alternate way: 1. Select Action center from the response actions section of the device page. - ![Image of action center button.](images/action-center-package-collection.png) + :::image type="content" source="images/action-center-package-collection.png" alt-text="The Action center option" lightbox="images/action-center-package-collection.png"::: 2. In the Action center fly-out, select Package collection package available to download the zip file. - ![Image of download package button.](images/collect-package.png) + :::image type="content" source="images/collect-package.png" alt-text="The download package option" lightbox="images/collect-package.png"::: The package contains the following folders: As part of the investigation or response process, you can remotely initiate an a One you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan. -![Image of notification to select quick scan or full scan and add comment.](images/run-antivirus.png) The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan. To restrict an application from running, a code integrity policy is applied that Once you have selected Restrict app execution on the device page, type a comment and select Confirm. The Action center will show the scan information and the device timeline will include a new event. -![Image of app restriction notification.](images/restrict-app-execution.png) ### Notification on device user When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: -![Image of app restriction.](images/atp-app-restriction.png) >[!NOTE] >The notification is not available on Windows Server 2016 and Windows Server 2012 R2. On Windows 10, version 1709 or later, you'll have more control over the network Once you have selected Isolate device on the device page, type a comment and select Confirm. The Action center will show the scan information and the device timeline will include a new event. -![Image of isolate device.](images/isolate-device.png) > [!NOTE] > The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated. Once you have selected Isolate device on the device page, type a comment and When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network: -![Image of no network connection.](images/atp-notification-isolate.png) ## Consult a threat expert The Action center provides information on actions that were taken on a devic All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. -![Image of action center with information.](images/action-center-details.png) + ## See also
security	Review Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-alerts.md	Note the detection status for your alert. - Prevented: The attempted suspicious action was avoided. For example, a file either wasn't written to disk or executed. - ![An alert page showing threat was prevented.](images/detstat-prevented.png) + :::image type="content" source="images/detstat-prevented.png" alt-text="The page showing the prevention of a threat" lightbox="images/detstat-prevented.png"::: - Blocked: Suspicious behavior was executed and then blocked. For example, a process was executed but because it subsequently exhibited suspicious behaviors, the process was terminated. - ![An alert page showing threat was blocked.](images/detstat-blocked.png) + :::image type="content" source="images/detstat-blocked.png" alt-text="The page showing the blockage of a threat" lightbox="images/detstat-blocked.png"::: - Detected: An attack was detected and is possibly still active. - ![An alert page showing threat was detected.](images/detstat-detected.png) + :::image type="content" source="images/detstat-detected.png" alt-text="The page showing the detection of a threat" lightbox="images/detstat-detected.png"::: You can then also review the automated investigation details in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions. -![A snippet of the details pane with the alert description and automatic investigation sections highlighted.](images/alert-air-and-alert-description.png) Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details. Selecting a device or a user card in the affected assets sections will switch to - For devices, the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view. - ![A snippet of the details pane when a device is selected.](images/device-page-details.png) + :::image type="content" source="images/device-page-details.png" alt-text="The details pane when a device is selected" lightbox="images/device-page-details.png"::: - For users, the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select Open user page to continue the investigation from that user's point of view. - ![A snippet of the details pane when a user is selected.](images/user-page-details.png) + :::image type="content" source="images/user-page-details.png" alt-text="The details pane when a user is selected" lightbox="images/user-page-details.png"::: ## Related topics
security	Review Scan Results Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md	The following cmdlet will return each detection on the endpoint. If there are mu Get-MpThreatDetection ``` You can specify `-ThreatID` to limit the output to only show the detections for a specific threat. If you want to list threat detections, but combine detections of the same threat Get-MpThreat ``` See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
security	Run Analyzer Macos Linux	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md	Open a terminal or SSH into the relevant machine and run the following commands: Example: -![Image of command line example.](images/4ca188f6c457e335abe3c9ad3eddda26.png) Additional syntax help:
security	Run Analyzer Windows	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md	In addition to the above, there is also an option to [collect the analyzer suppo All the PowerShell scripts and modules included with the analyzer are Microsoft-signed. If files have been modified in any way, then the analyzer is expected to exit with the following error: -![Image of client analyzer error](images/sigerror.png) If this error is shown, then the issuerInfo.txt output will contain detailed information about why that happened and what file was affected: -![Image of issuer info](images/issuerinfo.png) Example contents after MDEClientAnalyzer.ps1 is modified: -![Image of modified ps1 file](images/modified-ps1.png)
security	Run Detection Test	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md	Run the following PowerShell script on a newly onboarded device to verify that i 1. Right-click Command Prompt and select Run as administrator. - ![Window Start menu pointing to Run as administrator.](images/run-as-admin.png) - + :::image type="content" source="images/run-as-admin.png" alt-text="The Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png"::: + 3. At the prompt, copy and run the following command: ```powershell
security	Security Operations Dashboard	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/security-operations-dashboard.md	The dashboard displays a snapshot of: - Users at risk - Suspicious activities -![Image of Security operations dashboard.](images/atp-sec-ops-dashboard.png) You can explore and investigate alerts and devices to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. It also has clickable tiles that give visual cues on the overall health state of You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are grouped into New and In progress. -![Click on each slice or severity to see a list of alerts from the past 30 days.](images/active-alerts-tile.png) Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (New or In progress). Each row includes an alert severity category and a short description of the aler This tile shows you a list of devices with the highest number of active alerts. The total number of alerts for each device is shown in a circle next to the device name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). -![The Devices at risk tile shows a list of devices with the highest number of alerts, and a breakdown of the severity of the alerts.](images/devices-at-risk-tile.png) Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md). You can also click Devices list at the top of the tile to go directly to the The Devices with sensor issues tile provides information on the individual device's ability to provide sensor data to the Microsoft Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices. -![Devices with sensor issues tile.](images/atp-tile-sensor-health.png) There are two status indicators that provide information on the number of devices that are not reporting properly to the service: When you click any of the groups, you'll be directed to devices list, filtered a The Service health tile informs you if the service is active or if there are issues. -![The Service health tile shows an overall indicator of the service.](images/status-tile.png) For more information on the service health, see [Check the Microsoft Defender for Endpoint service health](service-status.md). For more information on the service health, see [Check the Microsoft Defender fo The Daily devices reporting tile shows a bar graph that represents the number of devices reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of devices reporting in each day. -![Image of daily devices reporting tile.](images/atp-daily-devices-reporting.png) ## Active automated investigations You can view the overall number of automated investigations from the last 30 days in your network from the Active automated investigations tile. Investigations are grouped into Pending action, Waiting for device, and Running. -![Inmage of active automated investigations.](images/atp-active-investigations-tile.png) ## Automated investigations statistics This tile shows statistics related to automated investigations in the last seven days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation. -![Image of automated investigations statistics.](images/atp-automated-investigations-statistics.png) You can click on Automated investigations, Remediated investigations, and Alerts investigated to navigate to the Investigations page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context. You can click on Automated investigations, Remediated investigations, an The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts. -![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts.](images/atp-users-at-risk.png) Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md).
security	Switch To Mde Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md	ms.technology: mde - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) If you are considering switching from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), or you are in the planning phase, use this article as a guide. This article describes the overall process of moving to Defender for Endpoint. When you make the switch to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. Then, you configure Microsoft Defender Antivirus in passive mode, and onboard your devices to Defender for Endpoint. Next, you configure your endpoint protection features, set Microsoft Defender Antivirus to active mode, and verify that everything is working correctly. Finally, you remove the non-Microsoft solution. When you make the switch to Defender for Endpoint, you begin with your non-Micro The process of migrating to Defender for Endpoint can be divided into three phases, as described in the following table: -![MDE migration process.](images/phase-diagrams/migration-phases.png) + <br/><br/>
security	Switch To Mde Phase 1	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1.md	- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -\| ![Phase 1: Prepare.](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare \| [![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) \| [![Phase 3: Onboard](images/phase-diagrams/onboard.png)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md) \| +\| ![Phase 1: Prepare.](images/phase-diagrams/prepare.png#lightbox)<br/>Phase 1: Prepare \| [![Phase 2: Set up](images/phase-diagrams/setup.png#lightbox)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) \| [![Phase 3: Onboard](images/phase-diagrams/onboard.png#lightbox)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md) \| \|--\|--\|--\| \|You are here!\| \| \|
security	Switch To Mde Phase 2	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md	- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -\|[![Phase 1: Prepare.](images/phase-diagrams/prepare.png)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md)\|![Phase 2: Set up.](images/phase-diagrams/setup.png)<br/>Phase 2: Set up\|[![Phase 3: Onboard3.](images/phase-diagrams/onboard.png)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md)\| +\|[![Phase 1: Prepare.](images/phase-diagrams/prepare.png#lightbox)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md)\|![Phase 2: Set up.](images/phase-diagrams/setup.png#lightbox)<br/>Phase 2: Set up\|[![Phase 3: Onboard3.](images/phase-diagrams/onboard.png#lightbox)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md)\| \|\|\|\| \|\|You are here!\|\|
security	Switch To Mde Phase 3	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md	- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -\| [![Phase 1: Prepare3.](images/phase-diagrams/prepare.png)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md) \| [![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) \| ![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard \| +\| [![Phase 1: Prepare3.](images/phase-diagrams/prepare.png#lightbox)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md) \| [![Phase 2: Set up](images/phase-diagrams/setup.png#lightbox)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) \| ![Phase 3: Onboard](images/phase-diagrams/onboard.png#lightbox)<br/>Phase 3: Onboard \| \|--\|--\|--\| \|\| \|You are here! \|
security	Techniques Device Timeline	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md	This feature simplifies the investigation experience by helping analysts underst For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed. -![Techniques in device timeline screenshot.](images/device-timeline-2.png) Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information. Select the specific Attack technique to open the related ATT&CK technique page You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon. -![Copy entity details.](images/techniques-side-pane-clickable.png) You can do the same for command lines. -![Copy command line.](images/techniques-side-pane-command.png) ## Investigate related events To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select Hunt for related events. This leads to the advanced hunting page with a query to find events related to the Technique. -![Hunt for related events.](images/techniques-hunt-for-related-events.png) > [!NOTE] > Querying using the Hunt for related events button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results. You can customize which columns to expose. You can also filter for flagged event You can choose which columns to expose in the timeline by selecting the Choose columns button. -![Customize columns.](images/filter-customize-columns.png) + From there you can select which information set to include. From there you can select which information set to include. To view only either events or techniques, select Filters from the device timeline and choose your preferred Data type to view. -![Filters screenshot.](images/device-timeline-filters.png) ## See also
security	Threat Analytics Analyst Reports	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md	ms.technology: mde Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the Analyst report tab. -![Image of the analyst report section of a threat analytics report.](images/ta-analyst-report-small.png) _Analyst report section of a threat analytics report_
security	Threat Analytics	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md	The threat analytics dashboard is a great jump off point for getting to the repo Select a threat from the dashboard to view the report for that threat. -![Image of a threat analytics dashboard.](images/ta_dashboard.png) ## View a threat analytics report Each threat analytics report provides information in three sections: *Overview The Overview section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices. -![Image of the overview section of a threat analytics report.](images/ta-overview.png) _Overview section of a threat analytics report_ #### Assess the impact to your organization In the Mitigations section, review the list of specific actionable recommend Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report. -![Image of the mitigations section of a threat analytics report.](images/ta-mitigations.png) + _Mitigations section of a threat analytics report_
security	Threat And Vuln Mgt Event Timeline	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-and-vuln-mgt-event-timeline.md	In the threat and vulnerability management dashboard, hover over the Exposure sc If there are no events that affect your devices or your score for devices, then none will be shown. -![Exposure score hover.](images/tvm-event-timeline-exposure-score350.png) -![Microsoft Secure Score for Devices hover.](images/tvm-event-timeline-device-hover360.png) ### Drill down to events from that day Selecting Show all events from this day takes you to the Event timeline page with a custom date range for that day. -![Event timeline selected custom date range.](images/tvm-event-timeline-drilldown.png) Select Custom range to change the date range to another custom one, or a pre-set time range. -![Event timeline date range options.](images/tvm-event-timeline-dates.png) ## Event timeline overview Features: The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events. -![Event timeline page.](images/tvm-event-timeline-overview-mixed-type.png) ### Columns Once you select an event, a flyout will appear with a list of the details and cu The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation. -![Event timeline flyout.](images/tvm-event-timeline-flyout500.png) From there, select Go to related security recommendation view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can submit a remediation request, and track the request in the [remediation page](tvm-remediation.md). To open a software page, select an event > select the hyperlinked software name A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software. -![Software page with an Event timeline graph.](images/tvm-event-timeline-software2.png) Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution. -![Software page with an Event timeline tab.](images/tvm-event-timeline-software-pages.png) ## Related topics
security	Threat Protection Reports	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md	The threat protection report provides high-level information about alerts genera The dashboard is structured into two sections: -![Image of the threat protection report.](images/threat-protection-reports.png) Section\|Description \|
security	Time Settings	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md	ms.technology: mde > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-settings-abovefoldlink) -Use the Time zone menu ![Time zone settings icon1.](images/atp-time-zone.png) to configure the time zone and view license information. +Use the Time zone menu to configure the time zone and view license information. ## Time zone settings Cyberforensic investigations often rely on time stamps to piece together the seq Microsoft Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time. -Your current time zone setting is shown in the Microsoft Defender settings. You can change the displayed time zone in the Time zone menu Under Settings > Security center. +Your current time zone setting is shown in the Microsoft Defender for Endpoint menu. You can change the displayed time zone in the Time zone menu. + ### UTC time zone The Microsoft Defender for Endpoint time zone is set by default to UTC. Setting To set the time zone: -1. Click the Settings menu in the [Microsoft 365 Defender Portal](https://security.microsoft.com/) ![Time zone settings icon3.](images/atp-time-zone.png). -2. Select Security center. -3. Select Timezone and set the time zone to either UTC or your local time zone. +1. Click the Time zone menu. + :::image type="content" source="images/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="images/atp-time-zone.png"::: +1. Select the Timezone UTC indicator. +1. Select Timezone UTC or your local time zone, for example -7:00. ### Regional settings
security	Troubleshoot Asr Rules	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md	The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"> In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, we offer you a complete look at the current ASR rules configuration and events in your estate. Note that your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated. Here's a screenshot from the Microsoft 365 Defender portal (under Reports \> Devices \> Attack surface reduction). At the device level, select Configuration from the Attack surface reduction rules pane. The following screen is displayed, where you can select a specific device and check its individual ASR rule configuration. ## Microsoft Defender for Endpoint - Advanced hunting Through advanced hunting, it's possible to extract ASR rules information, create ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft 365 Defender. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule. With advanced hunting you can shape the queries to your liking, so that you can see what is happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment. An alternative to advanced hunting, but with a narrower scope, is the Microsoft Pictured below is a screenshot of the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline. ## How to troubleshoot ASR rules? One of the easiest ways to determine if ASR rules are already enabled is through Here's an example: There are multiple ASR rules active, with different configured actions. Example: Get-MPPreference \| Select-Object -ExpandPropertyAttackSurfaceReductionRules_Ids ``` The above shows all the IDs for ASR rules that have a setting different from 0 (Not Configured). The next step is then to list the actual actions (Block or Audit) that each rule Get-MPPreference \| Select-Object -ExpandPropertyAttackSurfaceReductionRules_Actions ``` ### Querying blocking and auditing events ASR rule events can be viewed within the Windows Defender log. To access it, open Windows Event Viewer, and browse to Applications and Services Logs \> Microsoft \> Windows \> Windows Defender \> Operational. ## Microsoft Defender Antimalware Protection Logs You can find this utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You To generate the support information, type MpCmdRun.exe -getfiles. After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available in C:\ProgramData\Microsoft\Windows Defender\Support. Extract that archive and you'll have many files available for troubleshooting purposes.
security	Troubleshoot Collect Support Log	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md	If you also require Defender Antivirus support logs (MpSupportFiles.cab), then f 3. Select Upload file to library. - ![Image of upload file.](images/upload-file.png) + :::image type="content" source="images/upload-file.png" alt-text="The upload file" lightbox="images/upload-file.png"::: 4. Select Choose file. - ![Image of choose file button1.](images/choose-file.png) + :::image type="content" source="images/choose-file.png" alt-text="The choose file button-1" lightbox="images/choose-file.png"::: 5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on Confirm - ![Image of choose file button2.](images/analyzer-file.png) + :::image type="content" source="images/analyzer-file.png" alt-text="The choose file button-2" lightbox="images/analyzer-file.png"::: 6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:
security	Troubleshoot Onboarding Error Messages	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md	Potential reasons: For both cases, you should contact Microsoft support at [General Microsoft Defender for Endpoint Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or [Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). -![Image of no subscriptions found.](images/atp-no-subscriptions-found.png) ## Your subscription has expired You can choose to renew or extend the license at any point in time. When accessi > [!NOTE] > For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. -![Image of subscription expired.](images/atp-subscription-expired.png) ## You are not authorized to access the portal If you receive a You are not authorized to access the portal, be aware that Microsoft Defender for Endpoint is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. For more information, see, [Assign user access to the portal](/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). -![Image of not authorized to access portal.](images/atp-not-authorized-to-access-portal.png) ## Data currently isn't available on some sections of the portal If the portal dashboard and other sections show an error message such as "Data currently isn't available": -![Image of data currently isn't available.](images/atp-data-not-available.png) You'll need to allow the `security.windows.com` and all subdomains under it on your web browser. For example, `*.security.windows.com`.
security	Troubleshoot Onboarding	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md	If the deployment tools used does not indicate an error in the onboarding proces 5. On the Filter tab, under Event level: select Critical, Warning, and Error, and click OK. - ![Image of Event Viewer log filter.](images/filter-log.png) + :::image type="content" source="images/filter-log.png" alt-text="The Event Viewer log filter" lightbox="images/filter-log.png"::: 6. Events which can indicate issues will appear in the Operational pane. You can attempt to troubleshoot them based on the solutions in the following table: First, you should check that the service is set to start automatically when Wind If the service is enabled, then the result should look like the following screenshot: - ![Result of the sc query command for diagtrack.](images/windefatp-sc-qc-diagtrack.png) + :::image type="content" source="images/windefatp-sc-qc-diagtrack.png" alt-text="The result of the sc query command for diagtrack" lightbox="images/windefatp-sc-qc-diagtrack.png"::: If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. If the verification fails and your environment is using a proxy to connect to th - You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. - ![Image of registry key for Microsoft Defender Antivirus.](images/atp-disableantispyware-regkey.png) + :::image type="content" source="images/atp-disableantispyware-regkey.png" alt-text="The registry key for Microsoft Defender Antivirus" lightbox="images/atp-disableantispyware-regkey.png"::: > [!NOTE] > All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system. You might also need to check the following: - Check that there is a Microsoft Defender for Endpoint Service running in the Processes tab in Task Manager. For example: - ![Image of process view with Microsoft Defender for Endpoint Service running.](images/atp-task-manager.png) + :::image type="content" source="images/atp-task-manager.png" alt-text="The process view with Microsoft Defender for Endpoint Service running" lightbox="images/atp-task-manager.png"::: - Check Event Viewer \> Applications and Services Logs \> Operation Manager to see if there are any errors. - In Services, check if the Microsoft Monitoring Agent is running on the server. For example, - ![Image of Services.](images/atp-services.png) + :::image type="content" source="images/atp-services.png" alt-text="The services" lightbox="images/atp-services.png"::: - In Microsoft Monitoring Agent \> Azure Log Analytics (OMS), check the Workspaces and verify that the status is running. - ![Image of Microsoft Monitoring Agent Properties.](images/atp-mma-properties.png) + :::image type="content" source="images/atp-mma-properties.png" alt-text="The Microsoft Monitoring Agent Properties" lightbox="images/atp-mma-properties.png"::: - Check to see that devices are reflected in the Devices list in the portal. The steps below provide guidance for the following scenario: 1. Create an application in Microsoft Endpoint Configuration Manager. - ![Image of Microsoft Endpoint Configuration Manager configuration1.](images/mecm-1.png) + :::image type="content" source="images/mecm-1.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-1" lightbox="images/mecm-1.png"::: 2. Select Manually specify the application information. - ![Image of Microsoft Endpoint Configuration Manager configuration2.](images/mecm-2.png) + :::image type="content" source="images/mecm-2.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-2" lightbox="images/mecm-2.png"::: 3. Specify information about the application, then select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration3.](images/mecm-3.png) + :::image type="content" source="images/mecm-3.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-3" lightbox="images/mecm-3.png"::: 4. Specify information about the software center, then select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration4.](images/mecm-4.png) + :::image type="content" source="images/mecm-4.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-4" lightbox="images/mecm-4.png"::: 5. In Deployment types select Add. - ![Image of Microsoft Endpoint Configuration Manager configuration5.](images/mecm-5.png) + :::image type="content" source="images/mecm-5.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-5" lightbox="images/mecm-5.png"::: 6. Select Manually specify the deployment type information, then select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration6.](images/mecm-6.png) + :::image type="content" source="images/mecm-6.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-6" lightbox="images/mecm-6.png"::: 7. Specify information about the deployment type, then select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration7.](images/mecm-7.png) + :::image type="content" source="images/mecm-7.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-7" lightbox="images/mecm-7.png"::: 8. In Content \> Installation program specify the command: `net start sense`. - ![Image of Microsoft Endpoint Configuration Manager configuration8.](images/mecm-8.png) + :::image type="content" source="images/mecm-8.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-8" lightbox="images/mecm-8.png"::: 9. In Detection method, select Configure rules to detect the presence of this deployment type, then select Add Clause. - ![Image of Microsoft Endpoint Configuration Manager configuration9.](images/mecm-9.png) + :::image type="content" source="images/mecm-9.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-9" lightbox="images/mecm-9.png"::: 10. Specify the following detection rule details, then select OK: - ![Image of Microsoft Endpoint Configuration Manager configuration10.](images/mecm-10.png) + :::image type="content" source="images/mecm-10.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-10" lightbox="images/mecm-10.png"::: 11. In Detection method select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration11.](images/mecm-11.png) + :::image type="content" source="images/mecm-11.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-11" lightbox="images/mecm-11.png"::: 12. In User Experience, specify the following information, then select Next: - ![Image of Microsoft Endpoint Configuration Manager configuration12.](images/mecm-12.png) + :::image type="content" source="images/mecm-12.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-12" lightbox="images/mecm-12.png"::: 13. In Requirements, select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration13.](images/mecm-13.png) + :::image type="content" source="images/mecm-13.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-13" lightbox="images/mecm-13.png"::: 14. In Dependencies, select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration14.](images/mecm-14.png) + :::image type="content" source="images/mecm-14.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-14" lightbox="images/mecm-14.png"::: 15. In Summary, select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration15.](images/mecm-15.png) + :::image type="content" source="images/mecm-15.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-15" lightbox="images/mecm-15.png"::: 16. In Completion, select Close. - ![Image of Microsoft Endpoint Configuration Manager configuration16.](images/mecm-16.png) + :::image type="content" source="images/mecm-16.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-16" lightbox="images/mecm-16.png"::: 17. In Deployment types, select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration17.](images/mecm-17.png) + :::image type="content" source="images/mecm-17.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-17" lightbox="images/mecm-17.png"::: 18. In Summary, select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration18.](images/mecm-18.png) + :::image type="content" source="images/mecm-18.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-18" lightbox="images/mecm-18.png"::: The status is then displayed: - ![Image of Microsoft Endpoint Configuration Manager configuration19.](images/mecm-19.png) + :::image type="content" source="images/mecm-19.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-19" lightbox="images/mecm-19.png"::: 19. In Completion, select Close. - ![Image of Microsoft Endpoint Configuration Manager configuration20.](images/mecm-20.png) + :::image type="content" source="images/mecm-20.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-20" lightbox="images/mecm-20.png"::: 20. You can now deploy the application by right-clicking the app and selecting Deploy. - ![Image of Microsoft Endpoint Configuration Manager configuration21.](images/mecm-21.png) + :::image type="content" source="images/mecm-21.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-21" lightbox="images/mecm-21.png"::: 21. In General select Automatically distribute content for dependencies and Browse. - ![Image of Microsoft Endpoint Configuration Manager configuration22.](images/mecm-22.png) + :::image type="content" source="images/mecm-22.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-22" lightbox="images/mecm-22.png"::: 22. In Content select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration23.](images/mecm-23.png) + :::image type="content" source="images/mecm-23.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-23" lightbox="images/mecm-23.png"::: 23. In Deployment settings, select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration24.](images/mecm-24.png) + :::image type="content" source="images/mecm-24.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-24" lightbox="images/mecm-24.png"::: 24. In Scheduling select As soon as possible after the available time, then select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration25.](images/mecm-25.png) + :::image type="content" source="images/mecm-25.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-25" lightbox="images/mecm-25.png"::: 25. In User experience, select Commit changes at deadline or during a maintenance window (requires restarts), then select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration26.](images/mecm-26.png) + :::image type="content" source="images/mecm-26.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-26" lightbox="images/mecm-26.png"::: 26. In Alerts select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration27.](images/mecm-27.png) + :::image type="content" source="images/mecm-27.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-27" lightbox="images/mecm-27.png"::: 27. In Summary, select Next. - ![Image of Microsoft Endpoint Configuration Manager configuration28.](images/mecm-28.png) + :::image type="content" source="images/mecm-28.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-28" lightbox="images/mecm-28.png"::: + The status is then displayed - ![Image of Microsoft Endpoint Configuration Manager configuration29.](images/mecm-29.png) + :::image type="content" source="images/mecm-29.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-29" lightbox="images/mecm-29.png"::: 28. In Completion, select Close. - ![Image of Microsoft Endpoint Configuration Manager configuration30.](images/mecm-30.png) + :::image type="content" source="images/mecm-30.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-30" lightbox="images/mecm-30.png"::: ## Related topics
security	Troubleshoot Performance Issues	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md	Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time 1. Check the box beside Unblock. 1. Select Apply. - ![Remove MOTW.](images/procmon-motw.png) + :::image type="content" source="images/procmon-motw.png" alt-text="The Remove MOTW page" lightbox="images/procmon-motw.png"::: 3. Unzip the file in `C:\temp` so that the folder path will be `C:\temp\ProcessMonitor`. Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time Since logging starts automatically, select the magnifying glass icon to stop the current capture or use the keyboard shortcut Ctrl+E. - ![magnifying glass icon.](images/procmon-magglass.png) + :::image type="content" source="images/procmon-magglass.png" alt-text="The magnifying glass icon" lightbox="images/procmon-magglass.png"::: To verify that you have stopped the capture, check if the magnifying glass icon now appears with a red X. - ![red slash.](images/procmon-magglass-stop.png) + :::image type="content" source="images/procmon-magglass-stop.png" alt-text="The red slash" lightbox="images/procmon-magglass-stop.png"::: Next, to clear the earlier capture, select the eraser icon. - ![clear icon.](images/procmon-eraser-clear.png) + :::image type="content" source="images/procmon-eraser-clear.png" alt-text="The clear icon" lightbox="images/procmon-eraser-clear.png"::: Or use the keyboard shortcut Ctrl+X. 2. The second way is to run the command line as admin, then from the Process Monitor path, run: - ![cmd procmon.](images/cmd-procmon.png) + :::image type="content" source="images/cmd-procmon.png" alt-text="The cmd procmon" lightbox="images/cmd-procmon.png"::: ```console Procmon.exe /AcceptEula /Noconnect /Profiling Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time > [!TIP] > Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace. > - > ![Minimize Procmon.](images/procmon-minimize.png) + > :::image type="content" source="images/procmon-minimize.png" alt-text="The page displaying a minimize Procmon" lightbox="images/procmon-minimize.png"::: 7. After following one of the procedures in step 6, you'll next see an option to set filters. Select OK. You can always filter the results after the capture is completed. - ![Filter out Process Name is System Exclude.](images/procmon-filter-options.png) + :::image type="content" source="images/procmon-filter-options.png" alt-text="The page on which System Exclude is chosen as the Filter out Process Name" lightbox="images/procmon-filter-options.png"::: 8. To start the capture, select the magnifying glass icon again. Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time 11. To save the capture with a unique name and with the .pml format, select File then select Save.... Make sure to select the radio buttons All events and Native Process Monitor Format (PML). - ![save settings.](images/procmon-savesettings1.png) + :::image type="content" source="images/procmon-savesettings1.png" alt-text="The save settings page" lightbox="images/procmon-savesettings1.png"::: 12. For better tracking, change the default path from `C:\temp\ProcessMonitor\LogFile.PML` to `C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` where: - `%ComputerName%` is the device name Alternatively, you can also use the command-line tool wpr.exe, which is availa 2. Under Windows Kits, right-click Windows Performance Recorder. - ![Start menu.](images/wpr-01.png) + :::image type="content" source="images/wpr-01.png" alt-text="The Start menu" lightbox="images/wpr-01.png"::: Select More. Select Run as administrator. 3. When the User Account Control dialog box appears, select Yes. - ![UAC.](images/wpt-yes.png) + :::image type="content" source="images/wpt-yes.png" alt-text="The UAC page" lightbox="images/wpt-yes.png"::: 4. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder like `C:\temp`. 5. On the WPR dialog box, select More options. - ![Select more options.](images/wpr-03.png) + :::image type="content" source="images/wpr-03.png" alt-text="The page on which you can select more options" lightbox="images/wpr-03.png"::: + 6. Select Add Profiles... and browse to the path of the `MDAV.wprp` file. 7. After that, you should see a new profile set under Custom measurements named Microsoft Defender for Endpoint analysis underneath it. - ![in-file.](images/wpr-infile.png) + :::image type="content" source="images/wpr-infile.png" alt-text="The in-file" lightbox="images/wpr-infile.png"::: > [!WARNING] > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability. You can choose which profiles to add by expanding Resource Analysis. Alternatively, you can also use the command-line tool wpr.exe, which is availa 9. Now you're ready to collect data. Exit all the applications that are not relevant to reproducing the performance issue. You can select Hide options to keep the space occupied by the WPR window small. - ![Hide options.](images/wpr-08.png) + :::image type="content" source="images/wpr-08.png" alt-text="The Hide options" lightbox="images/wpr-08.png"::: > [!TIP] > Try starting the trace at whole number seconds. For instance, 01:30:00. This will make it easier to analyze the data. Also try to keep track of the timestamp of exactly when the issue is reproduced. 10. Select Start. - ![Select start of trace.](images/wpr-09.png) + :::image type="content" source="images/wpr-09.png" alt-text="The Record system information page" lightbox="images/wpr-09.png"::: 11. Reproduce the issue. Alternatively, you can also use the command-line tool wpr.exe, which is availa 12. Select Save. - ![Select save.](images/wpr-10.png) + :::image type="content" source="images/wpr-10.png" alt-text="The Save option" lightbox="images/wpr-10.png"::: 13. Fill up Type in a detailed description of the problem: with information about the problem and how you reproduced the issue. - ![Fill up details.](images/wpr-12.png) + :::image type="content" source="images/wpr-12.png" alt-text="The pane in which you fill" lightbox="images/wpr-12.png"::: 1. Select File Name: to determine where your trace file will be saved. By default, it is saved to `%user%\Documents\WPR Files\`. 1. Select Save. 14. Wait while the trace is being merged. - ![WPR gathering general trace.](images/wpr-13.png) + :::image type="content" source="images/wpr-13.png" alt-text="The WPR gathering general trace" lightbox="images/wpr-13.png"::: 15. Once the trace is saved, select Open folder. - ![WPR trace saved.](images/wpr-14.png) + :::image type="content" source="images/wpr-14.png" alt-text="The page displaying the notification that WPR trace has been saved" lightbox="images/wpr-14.png"::: Include both the file and the folder in your submission to Microsoft Support. - ![File and folder.](images/wpr-15.png) + :::image type="content" source="images/wpr-15.png" alt-text="The details of the file and the folder" lightbox="images/wpr-15.png"::: ### Capture performance logs using the WPR CLI
security	Troubleshoot Security Config Mgt	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md	Through the Microsoft Defender for Endpoint portal, security administrators can In Endpoints \> Device inventory, the Managed By column has been added to filter by management channel (for example, MEM). To see a list of all devices that have failed the Security Management for Microsoft Defender for Endpoint onboarding process, filter the table by MDE-Error. In the list, select a specific device to see troubleshooting details in the side panel, pointing to the root cause of the error, and corresponding documentation. + ## Run Microsoft Defender for Endpoint Client Analyzer on Windows The Client Analyzer output file (MDE Client Analyzer Results.htm) can provide ke - Verify that the device OS is in scope for Security Management for Microsoft Defender for Endpoint onboarding flow in General Device Details section - Verify that the device has successfully registered to Azure Active Directory in Device Configuration Management Details - ![Image of client analyzer results](images/client-analyzer-results.png) + :::image type="content" source="images/client-analyzer-results.png" alt-text="The client analyzer results" lightbox="images/client-analyzer-results.png"::: In the Detailed Results section of the report, the Client Analyzer also provides actionable guidance. In the Detailed Results section of the report, the Client Analyzer also prov For example, as part of the Security Management onboarding flow, it is required for the Azure Active Directory Tenant ID in your Microsoft Defender for Endpoint Tenant to match the SCP Tenant ID that appears in the reports' Device Configuration Management Details section. If relevant, the report output will recommend to perform this verification. -![Image of detailed results](images/detailed-results.png) ## General troubleshooting If you weren't able to identify the onboarded device in AAD or MEM, and did not receive an error during the enrollment, checking the registry key `Computer\\HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SenseCM\\EnrollmentStatus` can provide additional troubleshooting information. The following table lists errors and directions on what to try/check in order to address the error. Note that the list of errors is not complete and is based on typical/common errors encountered by customers in the past: The main mechanism to troubleshoot Azure Active Directory Runtime (AADRT) is to See below for a typical error in AADRT log and how to read it: -![Image of event properties](images/event-properties.png) From the information in the message, it's possible in most cases to understand what error was encountered, what Win32 API returned the error (if applicable), what URL (if applicable) was used and what AAD Runtime API error was encountered. For Security Management for Microsoft Defender for Endpoint on Windows Server 20 1. Open the Synchronization Rules Editor application from the start menu. In the rule list, locate the rule named In from AD ΓÇô Computer Join. Take note of the value in the 'Precedence' column for this rule. - ![Image of synchronization rules editor](images/57ea94e2913562abaf93749d306dd6cf.png) + :::image type="content" source="images/57ea94e2913562abaf93749d306dd6cf.png" alt-text="The synchronization rules editor" lightbox="images/57ea94e2913562abaf93749d306dd6cf.png"::: 2. With the In from AD ΓÇô Computer Join rule highlighted, select Edit. In the Edit Reserved Rule Confirmation dialog box, select Yes. - ![Image of edit reserved rule confirmation](images/8854440d6180a5580efda24110551c68.png) + :::image type="content" source="images/8854440d6180a5580efda24110551c68.png" alt-text="The edit reserved rule confirmation page" lightbox="images/8854440d6180a5580efda24110551c68.png"::: 3. The Edit inbound synchronization rule window will be shown. Update the rule description to note that Windows Server 2012R2 will be synchronized using this rule. Leave all other options unchanged except for the Precedence value. Enter a value for Precedence that is higher than the value from the original rule (as seen in the rule list). - ![Image of confirmation](images/ee0f29162bc3f2fbe666c22f14614c45.png) + :::image type="content" source="images/ee0f29162bc3f2fbe666c22f14614c45.png" alt-text="The Edit inbound synchronization rule page in which you enter values" lightbox="images/ee0f29162bc3f2fbe666c22f14614c45.png"::: 4. Select Next three times. This will navigate to the 'Transformations' section of the rule. Do not make any changes to the 'Scoping filter' and 'Join rules' sections of the rule. The 'Transformations' section should now be shown. - ![Image of inbound synchornization rule](images/296f2c2a705e41233631c3784373bc23.png) + :::image type="content" source="images/296f2c2a705e41233631c3784373bc23.png" alt-text="The inbound synchronization rule" lightbox="images/296f2c2a705e41233631c3784373bc23.png"::: 5. Scroll to the bottom of the list of transformations. Find the transformation for the cloudFiltered attribute. In the textbox in the Source column, select all of the text (Control-A) and delete it. The textbox should now be empty.
security	Tune Performance Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md	For more information on command-line parameters and options, see the [New-MpPerf Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and reason for scan. The image below shows sample output for a simple query of the top 10 files for scan impact. ### Additional functionality: exporting and converting to CSV and JSON
security	Tvm Assign Device Value	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-assign-device-value.md	Examples of devices that should be assigned a high value: 2. Select Device value from three dots next to the actions bar at the top of the page. - ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png) + :::image type="content" source="images/tvm-device-value-dropdown.png" alt-text="The Device value option" lightbox="images/tvm-device-value-dropdown.png"::: 3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device. -![Example of the device value flyout.](images/tvm-device-value-flyout.png) + ## How device value impacts your exposure score
security	Tvm Dashboard Insights	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-dashboard-insights.md	Watch this video for a quick overview of what is in the threat and vulnerability ## Threat and vulnerability management dashboard <br>
security	Tvm End Of Support Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-end-of-support-software.md	It's crucial for Security and IT Administrators to work together and ensure that 1. From the threat and vulnerability management menu, navigate to [Security recommendations](tvm-security-recommendation.md). 2. Go to the Filters panel and look for the tags section. Select one or more of the EOS tag options. Then Apply. - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions.](images/tvm-eos-tag.png) + :::image type="content" source="images/tvm-eos-tag.png" alt-text="The EOS software, EOS versions, and Upcoming EOS versions" lightbox="images/tvm-eos-tag.png"::: 3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. - ![Recommendations with EOS tag.](images/tvm-eos-tags-column.png) + :::image type="content" source="images/tvm-eos-tags-column.png" alt-text="The Recommendations with EOS tag" lightbox="images/tvm-eos-tags-column.png"::: ## List of versions and dates To view a list of versions that have reached end of support, or end or support s 1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. - ![Screenshot of version distribution link.](images/eos-upcoming-eos.png) + :::image type="content" source="images/eos-upcoming-eos.png" alt-text="The version distribution link" lightbox="images/eos-upcoming-eos.png"::: 2. Select the version distribution link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. - ![Screenshot of software drilldown page with end of support software.](images/software-drilldown-eos.png) + :::image type="content" source="images/software-drilldown-eos.png" alt-text="The software drilldown page with details of the end of support software" lightbox="images/software-drilldown-eos.png"::: 3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. - ![Screenshot of end of support date.](images/version-eos-date.png) + :::image type="content" source="images/version-eos-date.png" alt-text="The display of the end of support date" lightbox="images/version-eos-date.png"::: Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats.
security	Tvm Exception	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exception.md	When an exception is created for a recommendation, the recommendation will not b Only users with "exceptions handling" permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md). -![View of exception handling permission.](images/tvm-exception-permissions.png) ## Create an exception Select a security recommendation you would like create an exception for, and then select Exception options and fill out the form. -![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) ### Exception by device group Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from "active" to "partial exception." The state will change to "full exception" if you select all the device groups. -![Showing device group dropdown.](images/tvm-exception-device-group-500.png) #### Filtered views If you have filtered by device group on any of the threat and vulnerability mana This is the button to filter by device group on any of the threat and vulnerability management pages: -![Showing selected device groups filter.](images/tvm-selected-device-groups.png) Exception view with filtered device groups: -![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png) #### Large number of device groups If your organization has more than 20 device groups, select Edit next to the filtered device group option. -![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png) A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all. -![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png) ### Global exceptions If you have global administrator permissions, you will be able to create and cancel a global exception. It affects all current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from "active" to "full exception." -![Showing global exception option.](images/tvm-exception-global.png) Some things to keep in mind: Navigate to the Exceptions tab in the Remediation page. You can filter b Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception. -![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-view.png) ## How to cancel an exception To cancel an exception, navigate to the Exceptions tab in the *Remediation To cancel the exception for all device groups or for a global exception, select the Cancel exception for all device groups button. You will only be able to cancel exceptions for device groups you have permissions for. -![The cancel button.](images/tvm-exception-cancel.png) ### Cancel the exception for a specific device group Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select Cancel exception. -![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png) ## View impact after exceptions are applied In the Security Recommendations page, select Customize columns and check the boxes for Exposed devices (after exceptions) and Impact (after exceptions). -![Showing customize columns options.](images/tvm-after-exceptions.png) The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include 'third party control' and 'alternate mitigation'. Other justifications do not reduce the exposure of a device, and they are still considered exposed. The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include 'third party control' and 'alternate mitigation.' Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change. -![Showing the columns in the table.](images/tvm-after-exceptions-table.png) ## Related topics
security	Tvm Exposure Score	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exposure-score.md	Your exposure score is visible in the [Threat and vulnerability management dashb The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a visual indication of a high cybersecurity threat exposure that you can investigate further. -![Exposure score card.](images/tvm_exp_score.png) ## How it works
security	Tvm Microsoft Secure Score Devices	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices.md	Improve your security configuration by remediating issues from the security reco 2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select Remediation options. - :::image type="content" alt-text="Security controls related security recommendations." source="images/security-controls.png"::: + :::image type="content" source="images/security-controls.png" alt-text="The Security controls-related security recommendations" lightbox="images/security-controls.png"::: 3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. 4. Submit request. You'll see a confirmation message that the remediation task has been created. - :::image type="content" alt-text="Remediation task creation confirmation." source="images/remediation-task-created.png"::: + :::image type="content" source="images/remediation-task-created.png" alt-text="The Remediation task creation confirmation" lightbox="images/remediation-task-created.png"::: 5. Save your CSV file. - :::image type="content" alt-text="Save csv file." source="images/tvm_save_csv_file.png"::: + :::image type="content" source="images/tvm_save_csv_file.png" alt-text="The page containing the option to save CSV file" lightbox="images/tvm_save_csv_file.png"::: 6. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system.
security	Tvm Remediation	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-remediation.md	If you chose the "attention required" remediation option, there will be no progr Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. > [!NOTE] > There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion. Track who closed the remediation activity with the "Completed by" column on the - System confirmation: The task was automatically completed (all devices remediated) - N/A: Information is not available because we don't know how this older task was completed ### Top remediation activities in the dashboard View Top remediation activities in the [threat and Vulnerability management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the Remediation page. You can mark the remediation activity as completed after the IT admin team remediates the task. -![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](images/tvm-remediation-activities-card.png) ## Related articles
security	Tvm Security Recommendation	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-security-recommendation.md	Go to the Vulnerability management navigation menu and select Recommendati In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to lower your organization's exposure from vulnerabilities, and increase your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. -![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) + The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details. The color of the Exposed devices graph changes as the trend changes. If the > [!NOTE] > Threat and vulnerability management shows devices that were in use up to 30 days ago. This is different from the rest of Microsoft Defender for Endpoint, where if a device has not been in use for more than 7 days it has in an 'Inactive' status. -![Example of the landing page for security recommendations.](images/tvmsecrec-updated.png) ### Icons Useful icons also quickly call your attention to: Select the security recommendation that you want to investigate or process. From the flyout, you can choose any of the following options: When an exception is created for a recommendation, the recommendation is no long Select a security recommendation you would like create an exception for, and then select Exception options. -![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) Fill out the form and submit. To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the Threat & Vulnerability Management menu and select the Exceptions tab. [Learn more about how to create an exception](tvm-exception.md#create-an-exception) You can report a false positive when you see any vague, inaccurate, incomplete, 2. Select the three dots beside the security recommendation that you want to report, then select Report inaccuracy**. - ![Showing where the "Report inaccuracy" button is in a security recommendation flyout.](images/report-inaccuracy500.png) + :::image type="content" source="images/report-inaccuracy500.png" alt-text="The Report inaccuracy button" lightbox="images/report-inaccuracy500.png"::: 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
security	Tvm Software Inventory	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-software-inventory.md	The Software inventory page opens with a list of software installed in your By default, the view is filtered by Product Code (CPE): Available. You can also filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support. Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select Open software page, or flag any technical inconsistencies by selecting Report inaccuracy. Select the software that you want to investigate. A flyout panel will open with Software that isn't currently supported by threat & vulnerability management may be present in the software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. The following indicates that software is not supported: See evidence of where we detected a specific software on a device from the regis Select a software name to open the flyout, and look for the section called "Software Evidence." ## Software pages You can view software pages a few different ways: - Devices that have the software installed (along with device name, domain, OS, and more). - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices). - :::image type="content" alt-text="Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more." source="images/tvm-software-page-example.png" lightbox="images/tvm-software-page-example.png"::: + :::image type="content" source="images/tvm-software-page-example.png" alt-text="The Visual Studio 2017 with the software details, weaknesses, exposed devices, and more" lightbox="images/tvm-software-page-example.png"::: ## Report inaccuracy
security	Tvm Vulnerable Devices Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-vulnerable-devices-report.md	There are two columns: Each device is counted only once according to the most severe vulnerability found on that device. ## Exploit availability graphs Each device is counted only once based on the highest level of known exploit. ## Vulnerability age graphs Each device is counted only once under the oldest vulnerability publication date. Older vulnerabilities have a higher chance of being exploited. ## Vulnerable devices by operating system platform graphs The number of devices on each operating system that are exposed due to software vulnerabilities. ## Vulnerable devices by Windows version graphs The number of devices on each Windows 10 or Windows 11 version that are exposed due to vulnerable applications or OS. ## Related topics
security	Tvm Weaknesses	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-weaknesses.md	Go to the Vulnerability management navigation menu and select Weaknesses 1. Go to the global search drop-down menu. 2. Select Vulnerability and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The Weaknesses page opens with the CVE information that you're looking for. -![Global search box with the dropdown option "vulnerability" selected and an example CVE.](images/tvm-vuln-globalsearch.png) ++ 3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices. To see the rest of the vulnerabilities in the Weaknesses page, type CVE, then select search. To see the rest of the vulnerabilities in the Weaknesses page, type CVE, the Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the Exposed Devices column shows 0, that means you aren't at risk. -![Weaknesses landing page.](images/tvm-weaknesses-overview.png) ### Breach and threat insights If you select a CVE, a flyout panel will open with more information such as the - The "OS Feature" category is shown in relevant scenarios - You can go to the related security recommendation for every CVE with exposed device - ![Weakness flyout example.](images/tvm-weakness-flyout400.png) + :::image type="content" source="images/tvm-weakness-flyout400.png" alt-text="The Vulnerability description page" lightbox="images/tvm-weakness-flyout400.png"::: ### Software that isn't supported Exposed device information will not be available for CVEs with unsupported softw 1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the Top vulnerable software widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time. - ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png) + :::image type="content" source="images/tvm-top-vulnerable-software500.png" alt-text="The Weaknesses column in the Top vulnerable software page" lightbox="images/tvm-top-vulnerable-software500.png"::: 2. Select the software you want to investigate to go to a drilldown page. Exposed device information will not be available for CVEs with unsupported softw 4. Select the vulnerability you want to investigate for more information on vulnerability details - ![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png) + :::image type="content" source="images/windows-server-drilldown.png" alt-text="The Windows Server 2019 drill down overview" lightbox="images/windows-server-drilldown.png"::: ### Discover vulnerabilities in the device page View related weaknesses information in the device page. 2. In the Device inventory page, select the device name that you want to investigate. - ![Device list with selected device to investigate.](images/tvm_machinetoinvestigate.png) + :::image type="content" source="images/tvm_machinetoinvestigate.png" alt-text="The Device list with a selected device to investigate" lightbox="images/tvm_machinetoinvestigate.png"::: 3. The device page will open with details and response options for the device you want to investigate. 4. Select Discovered vulnerabilities. - :::image type="content" alt-text="Device page with details and response options." source="images/tvm-discovered-vulnerabilities.png" lightbox="images/tvm-discovered-vulnerabilities.png"::: + :::image type="content" source="images/tvm-discovered-vulnerabilities.png" alt-text="The Device page with details and response options." lightbox="images/tvm-discovered-vulnerabilities.png"::: 5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic. Similar to the software evidence, we now show the detection logic we applied on The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 or Windows Server 2022 has vulnerability in its DNS component. With this new capability, we'll only attach this CVE to the Windows Server 2019 and Windows Server 2022 devices with the DNS capability enabled in their OS. ## Report inaccuracy
security	Tvm Zero Day Vulnerabilities	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities.md	Once a zero-day vulnerability has been found, information about it will be conve Look for recommendations with a zero-day tag in the "Top security recommendations" card. -![Top recommendations with a zero-day tag.](images/tvm-zero-day-top-security-recommendations.png) Find top software with the zero-day tag in the "Top vulnerable software" card. -![Top vulnerable software with a zero-day tag.](images/tvm-zero-day-top-software.png) ### Weaknesses page Look for the named zero-day vulnerability along with a description and details. - If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like "TVM-XXXX-XXXX". The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel. ### Software inventory page Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities. ### Software page Look for a zero-day tag for each software that has been affected by the zero-day vulnerability. ### Security recommendations page View clear suggestions about remediation and mitigation options, including worka If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities. ## Addressing zero-day vulnerabilities There will be a link to mitigation options and workarounds if they are available Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose "update." -![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-recommendation-flyout400.png) ## Track zero-day remediation activities
security	View Incidents Queue	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/view-incidents-queue.md	On the top navigation you can: - Navigate between pages - Apply filters -![Image of incidents queue.](images/atp-incident-queue.png) ## Sort and filter the incidents queue You can apply the following filters to limit the list of incidents and get a more focused view.
security	Web Content Filtering	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md	A panel will open where you can select the priority and add more details such as To determine the category of a website, you can use the URL search function available on the Microsoft 365 Defender portal (<https://security.microsoft.com>) under Endpoints \> Search. In the URL search results, the web content filtering category appears under URL/Domain details. Administrators can also dispute the category of the domain directly from this page, as shown in the following image. If the category result is not shown, the URL is not currently assigned to an existing web content filtering category. -![Image of web content filtering category lookup results.](../../media/web-content-filtering-category-lookup.png) ## Web content filtering cards and details This card lists the parent web content categories with the largest increase or d In the first 30 days of using this feature, your organization might not have enough data to display this information. -![Image of web activity by category card.](images/web-activity-by-category600.png) ### Web content filtering summary card This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category. -![Image of web content filtering summary card.](images/web-content-filtering-summary.png) ### Web activity summary card This card displays the total number of requests for web content in all URLs. -![Image of web activity summary card.](images/web-activity-summary.png) ### View card details You can access the Report details for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and device groups. -![Image of web protection report details.](images/web-protection-report-details.png) - Web categories: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
security	Web Protection Monitoring	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md	Web protection lets you monitor your organization's web browsing security throug - Web threat protection detections over time - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months) - :::image type="content" alt-text="Image of the card showing web threats protection detections over time." source="images/wtp-blocks-over-time.png" lightbox="images/wtp-blocks-over-time.png"::: + :::image type="content" source="images/wtp-blocks-over-time.png" alt-text="The card showing web threats protection detections over time" lightbox="images/wtp-blocks-over-time.png"::: - Web threat protection summary - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites. - :::image type="content" alt-text="Image of the card showing web threats protection summary." source="images/wtp-summary.png" lightbox="images/wtp-summary.png"::: + :::image type="content" source="images/wtp-summary.png" alt-text="The card showing web threats protection summary" lightbox="images/wtp-summary.png"::: > [!NOTE] > It can take up to 12 hours before a block is reflected in the cards or the domain list.
security	Web Protection Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md	ms.technology: mde Web protection in Microsoft Defender for Endpoint is a capability made up of [Web threat protection](web-threat-protection.md), [Web content filtering](web-content-filtering.md), and [Custom indicators](manage-indicators.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft 365 Defender portal by going to Reports > Web protection. ### Web threat protection Internal IP addresses are not supported by custom indicators. For a warn policy In all web protection scenarios, SmartScreen and Network Protection can be used together to ensure protection across both first and third-party browsers and processes. SmartScreen is built directly into Microsoft Edge, while Network Protection monitors traffic in third-party browsers and processes. The diagram below illustrates this concept. This diagram of the two clients working together to provide multiple browser/app coverages is accurate for all features of Web Protection (Indicators, Web Threats, Content Filtering). ## Troubleshoot endpoint blocks To list blocks that are due to other features (like Custom Indicators), refer to If a user visits a web page that poses a risk of malware, phishing, or other web threats, Microsoft Edge will trigger a block page that reads ΓÇÿThis site has been reported as unsafeΓÇÖ along with information related to the threat. > [!div class="mx-imgBorder"] -> ![Page blocked by Microsoft Edge.](../../media/web-protection-malicious-block.png) +> :::image type="content" source="../../media/web-protection-malicious-block.png" alt-text="The page blocked by Microsoft Edge" lightbox="../../media/web-protection-malicious-block.png"::: If blocked by WCF or a custom indicator, a block page shows in Microsoft Edge that tells the user this site is blocked by their organization. > [!div class="mx-imgBorder"] -> ![Page blocked by your organization.](../../media/web-protection-indicator-blockpage.png) +> :::image type="content" source="../../media/web-protection-indicator-blockpage.png" alt-text="The page blocked by your organization" lightbox="../../media/web-protection-indicator-blockpage.png"::: In any case, no block pages are shown in third-party browsers, and the user sees a ΓÇÿSecure Connection FailedΓÇÖ page along with a toast notification. Depending on the policy responsible for the block, a user will see a different message in the toast notification. For example, web content filtering will display the message ΓÇÿThis content is blockedΓÇÖ. > [!div class="mx-imgBorder"] -> ![Page blocked by WCF.](../../media/web-protection-np-block.png) +> :::image type="content" source="../../media/web-protection-np-block.png" alt-text="The page blocked by WCF" lightbox="../../media/web-protection-np-block.png"::: ## Report false positives
security	Web Protection Response	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md	Each alert provides the following information: - Malicious URL or URL in the custom indicator list - Recommended actions for responders -![Image of an alert related to web threat protection.](images/wtp-alert.png) > [!NOTE] > To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md). You can dive deeper by selecting the URL or domain of the website in the alert. - Incidents and alerts related to the website - How frequent the website was seen in events in your organization - ![Image of the domain or URL entity details page.](images/wtp-website-details.png) + :::image type="content" source="images/wtp-website-details.png" alt-text="The domain or URL entity details page" lightbox="images/wtp-website-details.png"::: [Learn more about URL or domain entity pages](investigate-domain.md) You can also check the device that attempted to access a blocked URL. Selecting With web protection in Microsoft Defender for Endpoint, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows. -![Image of Microsoft Edge showing a 403 error and the Windows notification.](images/wtp-browser-blocking-page.png) + Web threat blocked on Microsoft Edge -![Image of Chrome web browser showing a secure connection warning and the Windows notification.](images/wtp-chrome-browser-blocking-page.png) Web threat blocked on Chrome ## Related topics
security	Why Cloud Protection Should Be On Mdav	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav.md	Microsoft Defender Antivirus cloud protection helps protect against malware on your endpoints and across your network. We recommend keeping cloud protection turned on, because certain security features and capabilities in Microsoft Defender for Endpoint only work when cloud protection is enabled. -[:::image type="content" source="images/mde-cloud-protection.png" alt-text="Diagram showing things that depend on cloud protection":::](enable-cloud-protection-microsoft-defender-antivirus.md) +[![alt-text="Diagram showing things that depend on cloud protection](images/mde-cloud-protection.png#lightbox)](enable-cloud-protection-microsoft-defender-antivirus.md) The following table summarizes the features and capabilities that depend on cloud protection: <br/><br/>
security	Directory Service Accounts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/directory-service-accounts.md	To connect the [sensor](sensor-health.md#add-a-sensor) with your Active Director 1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Settings and then Identities. - ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) + :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the Settings page" lightbox="../../media/defender-identity/settings-identities.png"::: + 1. Select Directory Service accounts. You'll see which accounts are associated with which domains. - ![Directory Service accounts.](../../media/defender-identity/directory-service-accounts.png) + :::image type="content" source="../../media/defender-identity/directory-service-accounts.png" alt-text="The Directory Service accounts menu item" lightbox="../../media/defender-identity/directory-service-accounts.png"::: 1. If you select an account, a pane will open with the settings for that account. - ![Account settings.](../../media/defender-identity/account-settings.png) + :::image type="content" source="../../media/defender-identity/account-settings.png" alt-text="The Account settings page" lightbox="../../media/defender-identity/account-settings.png"::: 1. To add a new Directory Services account, select Create new account and fill in the Account name, Domain, and Password. You can also choose if it's a Group managed service account (gMSA), and if it belongs to a Single label domain. - ![New Directory Service account.](../../media/defender-identity/new-directory-service-account.png) + :::image type="content" source="../../media/defender-identity/new-directory-service-account.png" alt-text="The Create new account option" lightbox="../../media/defender-identity/new-directory-service-account.png"::: 1. Select Save.
security	Entity Tags	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/entity-tags.md	In Microsoft 365 Defender, you can set three types of Defender for Identity enti To set these tags, in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Settings and then Identities. -![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) The tag settings will appear under Entity tags. -![Tag setting types.](../../media/defender-identity/tag-settings.png) To set each type of tag, follow the instructions below. You can also manually tag users, devices, or groups as sensitive. 1. Select Sensitive. You will then see the existing sensitive Users, Devices, and Groups. - ![Sensitive entities.](../../media/defender-identity/sensitive-entities.png) + :::image type="content" source="../../media/defender-identity/sensitive-entities.png" alt-text="The Devices tab in the Sensitive entities menu item" lightbox="../../media/defender-identity/sensitive-entities.png"::: 1. Under each category, select Tag... to tag that type of entity. For example, under Groups, select Tag groups. A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box. - ![Add groups.](../../media/defender-identity/add-groups.png) + :::image type="content" source="../../media/defender-identity/add-groups.png" alt-text="The option to add a group" lightbox="../../media/defender-identity/add-groups.png"::: 1. Select your group, and click Add selection. - ![Add selection.](../../media/defender-identity/add-selection.png) + :::image type="content" source="../../media/defender-identity/add-selection.png" alt-text="The Add selection option" lightbox="../../media/defender-identity/add-selection.png"::: ## Honeytoken tags You can tag users or devices with the Honeytoken tag in the same way you tag 1. Under each category, select Tag... to tag that type of entity. For example, under Users, select Tag users. A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box. - ![Add users.](../../media/defender-identity/add-users.png) + :::image type="content" source="../../media/defender-identity/add-users.png" alt-text="The option to add users" lightbox="../../media/defender-identity/add-users.png"::: 1. Select your user, and click Add selection. - ![Add selected user.](../../media/defender-identity/add-selected-user.png) + :::image type="content" source="../../media/defender-identity/add-selected-user.png" alt-text="The option to add a selected user" lightbox="../../media/defender-identity/add-selected-user.png"::: ## Exchange server tags Defender for Identity considers Exchange servers as high-value assets and automa 1. Select Exchange server. You'll then see the existing devices labeled with the Exchange server tag. - ![Exchange servers.](../../media/defender-identity/exchange-servers.png) + :::image type="content" source="../../media/defender-identity/exchange-servers.png" alt-text="The Exchange server menu item" lightbox="../../media/defender-identity/exchange-servers.png"::: 1. To tag a device as an Exchange server, select Tag devices. A pane will open with the devices that you can select to tag. To search for a device, enter its name in the search box. - ![Add devices.](../../media/defender-identity/add-devices.png) + :::image type="content" source="../../media/defender-identity/add-devices.png" alt-text="The option to add a device" lightbox="../../media/defender-identity/add-devices.png"::: 1. Select your device, and click Add selection. - ![Select device.](../../media/defender-identity/select-device.png) + :::image type="content" source="../../media/defender-identity/select-device.png" alt-text="The selection of a device" lightbox="../../media/defender-identity/select-device.png"::: ## See also
security	Exclusions	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/exclusions.md	For example, a DNS Reconnaissance alert could be triggered by a security sca 1. In [Microsoft 365 Defender](https://security.microsoft.com/), go to Settings and then Identities. - ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) + :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the Name column" lightbox="../../media/defender-identity/settings-identities.png"::: 1. You'll then see Excluded entities in the left-hand menu. - ![Excluded entities.](../../media/defender-identity/excluded-entities.png) + :::image type="content" source="../../media/defender-identity/excluded-entities.png" alt-text="The Excluded entities pane" lightbox="../../media/defender-identity/excluded-entities.png"::: You can then set exclusions by two methods: Exclusions by detection rule and Global excluded entities. You can then set exclusions by two methods: Exclusions by detection rule and 1. In the left-hand menu, select Exclusions by detection rule. You'll see a list of detection rules. - ![Exclusions by detection rule.](../../media/defender-identity/exclusions-by-detection-rule.png) + :::image type="content" source="../../media/defender-identity/exclusions-by-detection-rule.png" alt-text="The Exclusions by detection rule option in the Excluded entities item in the left pane" lightbox="../../media/defender-identity/exclusions-by-detection-rule.png"::: 1. For each detection you want to configure, do the following steps: 1. Select the rule. You can search for detections using the search bar. Once selected, a pane will open with the detection rule details. - ![Detection rule details.](../../media/defender-identity/detection-rule-details.png) + :::image type="content" source="../../media/defender-identity/detection-rule-details.png" alt-text="The details of a detection rule" lightbox="../../media/defender-identity/detection-rule-details.png"::: 1. To add an exclusion, select the Excluded entities button, and then choose the exclusion type. Different excluded entities are available for each rule. They include users, devices, domains and IP addresses. In this example, the choices are Exclude devices and Exclude IP addresses. - ![Exclude devices or IP addresses.](../../media/defender-identity/exclude-devices-or-ip-addresses.png) + :::image type="content" source="../../media/defender-identity/exclude-devices-or-ip-addresses.png" alt-text="The option to exclude devices or IP addresses" lightbox="../../media/defender-identity/exclude-devices-or-ip-addresses.png"::: 1. After choosing the exclusion type, you can add the exclusion. In the pane that opens, select the + button to add the exclusion. - ![Add an exclusion.](../../media/defender-identity/add-exclusion.png) + :::image type="content" source="../../media/defender-identity/add-exclusion.png" alt-text="The option to add an exclusion" lightbox="../../media/defender-identity/add-exclusion.png"::: 1. Then add the entity to be excluded. Select + Add to add the entity to the list. - ![Add an entity to be excluded.](../../media/defender-identity/add-excluded-entity.png) + :::image type="content" source="../../media/defender-identity/add-excluded-entity.png" alt-text="The option to add entity that is to be excluded" lightbox="../../media/defender-identity/add-excluded-entity.png"::: 1. Then select Exclude IP addresses (in this example) to complete the exclusion. - ![Exclude IP addresses.](../../media/defender-identity/exclude-ip-addresses.png) + :::image type="content" source="../../media/defender-identity/exclude-ip-addresses.png" alt-text="The option to exclude IP addresses" lightbox="../../media/defender-identity/exclude-ip-addresses.png"::: 1. Once you've added exclusions, you can export the list or remove the exclusions by returning to the Excluded entities button. In this example, we've returned to Exclude devices. To export the list, select the down arrow button. - ![Return to Exclude devices.](../../media/defender-identity/return-to-exclude-devices.png) + :::image type="content" source="../../media/defender-identity/return-to-exclude-devices.png" alt-text="The Return to Exclude devices option" lightbox="../../media/defender-identity/return-to-exclude-devices.png"::: 1. To delete an exclusion, select the exclusion and select the trash icon. - ![Delete an exclusion.](../../media/defender-identity/delete-exclusion.png) + :::image type="content" source="../../media/defender-identity/delete-exclusion.png" alt-text="The Delete an exclusion option" lightbox="../../media/defender-identity/delete-exclusion.png"::: ## Global excluded entities You can now also configure exclusions by Global excluded entities. Global ex 1. In the left-hand menu, select Global excluded entities. You'll see the categories of entities that you can exclude. - ![Global excluded entities.](../../media/defender-identity/global-excluded-entities.png) + :::image type="content" source="../../media/defender-identity/global-excluded-entities.png" alt-text="The Global excluded entities submenu item" lightbox="../../media/defender-identity/global-excluded-entities.png"::: 1. Choose an exclusion type. In this example, we selected Exclude domains. - ![Exclude domains.](../../media/defender-identity/exclude-domains.png) + :::image type="content" source="../../media/defender-identity/exclude-domains.png" alt-text="The Domains tab" lightbox="../../media/defender-identity/exclude-domains.png"::: 1. A pane will open where you can add a domain to be excluded. Add the domain you want to exclude. - ![Add a domain to be excluded.](../../media/defender-identity/add-excluded-domain.png) + :::image type="content" source="../../media/defender-identity/add-excluded-domain.png" alt-text="The option to add a domain to be excluded" lightbox="../../media/defender-identity/add-excluded-domain.png"::: 1. The domain will be added to the list. Select Exclude domains to complete the exclusion. - ![Select exclude domains.](../../media/defender-identity/select-exclude-domains.png) + :::image type="content" source="../../media/defender-identity/select-exclude-domains.png" alt-text="The option to Select domains to be excluded" lightbox="../../media/defender-identity/select-exclude-domains.png"::: 1. You'll then see the domain in the list of entities to be excluded from all detection rules. You can export the list, or remove the entities by selecting them and clicking the Remove button. - ![List of global excluded entries.](../../media/defender-identity/global-excluded-entries-list.png) + :::image type="content" source="../../media/defender-identity/global-excluded-entries-list.png" alt-text="The list of global excluded entries" lightbox="../../media/defender-identity/global-excluded-entries-list.png"::: ## See also
security	Manage Security Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/manage-security-alerts.md	Alerts can be accessed from multiple locations, including the Alerts page, t In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Incidents & alerts and then to Alerts. -![Go to Incidents and Alerts, then Alerts.](../../media/defender-identity/incidents-alerts.png) To see alerts from Defender for Identity, on the top-right select Filter, and then under Service sources select Microsoft Defender for Identity, and select Apply: -![Filter for Defender for Identity events.](../../media/defender-identity/filter-defender-for-identity.png) The alerts are displayed with information in the following columns: Alert name, Tags, Severity, Investigation state, Status, Category, Detection source, Impacted assets, First activity, and Last activity. -![Defender for Identity events.](../../media/defender-identity/filtered-alerts.png) ## Manage alerts If you click the Alert name for one of the alerts, you'll go to the page with details about the alert. In the left pane, you'll see a summary of What happened: -![What happened in alert.](../../media/defender-identity/what-happened.png) Above the What happened box are buttons for the Accounts, Destination Host and Source Host of the alert. For other alerts, you might see buttons for details about additional hosts, accounts, IP addresses, domains, and security groups. Select any of them to get more details about the entities involved. On the right pane, you'll see the Alert details. Here you can see more detai - Classify this alert - Here you can designate this alert as a True alert or False alert - ![Classify alert.](../../media/defender-identity/classify-alert.png) + :::image type="content" source="../../media/defender-identity/classify-alert.png" alt-text="The page on which you can classify an alert" lightbox="../../media/defender-identity/classify-alert.png"::: - Alert state - In Set Classification, you can classify the alert as True or False. In Assigned to, you can assign the alert to yourself or unassign it. - ![Alert state.](../../media/defender-identity/alert-state.png) + :::image type="content" source="../../media/defender-identity/alert-state.png" alt-text="The Alert state pane" lightbox="../../media/defender-identity/alert-state.png"::: - Alert details - Under Alert details, you can find more information about the specific alert, follow a link to documentation about the type of alert, see which incident the alert is associated with, review any automated investigations linked to this alert type, and see the impacted devices and users. - ![Alert details.](../../media/defender-identity/alert-details.png) + :::image type="content" source="../../media/defender-identity/alert-details.png" alt-text="The Alert details page" lightbox="../../media/defender-identity/alert-details.png"::: - Comments & history - Here you can add your comments to the alert, and see the history of all actions associated with the alert. - ![Comments and history.](../../media/defender-identity/comments-history.png) + :::image type="content" source="../../media/defender-identity/comments-history.png" alt-text="The Comments & history page" lightbox="../../media/defender-identity/comments-history.png"::: - Manage alert - If you select Manage alert, you'll go to a pane that will allow you to edit the: - Status - You can choose New, Resolved or In progress. On the right pane, you'll see the Alert details. Here you can see more detai If you select the three dots next to Manage alert, you can Consult a threat expert, Export the alert to an Excel file, or Link to another incident. - ![Manage alert.](../../media/defender-identity/manage-alert.png) + :::image type="content" source="../../media/defender-identity/manage-alert.png" alt-text="The Manage alert option" lightbox="../../media/defender-identity/manage-alert.png"::: > [!NOTE] > In the Excel file, you now have two links available: View in Microsoft Defender for Identity and View in Microsoft 365 Defender. Each link will bring you to the relevant portal, and provide information about the alert there.
security	Notifications	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/notifications.md	In Microsoft 365 Defender, you can add recipients for email notifications of hea 1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Settings and then Identities. - ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) + :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the column Name" lightbox="../../media/defender-identity/settings-identities.png"::: + 1. Select Health issues notifications. 1. Enter the recipient's email address. Select Add. - ![Enter email address for health issues.](../../media/defender-identity/health-email-recipient.png) + :::image type="content" source="../../media/defender-identity/health-email-recipient.png" alt-text="The Health issues notifications submenu item" lightbox="../../media/defender-identity/health-email-recipient.png"::: 1. When Defender for Identity detects a health issue, the recipients will receive an email notification with the details. - ![Example of health issue email.](../../media/defender-identity/health-email.png) + :::image type="content" source="../../media/defender-identity/health-email.png" alt-text="The health issue email" lightbox="../../media/defender-identity/health-email.png"::: > [!NOTE] > The email provides two links for further details about the issue. You can either go to the MDI Health Center or the new Health Center in M365D. In Microsoft 365 Defender, you can add recipients for email notifications of det 1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Settings and then Identities. - ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) + :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option" lightbox="../../media/defender-identity/settings-identities.png"::: 1. Select Alert notifications. 1. Enter the recipient's email address. Select Add. - ![Enter email address for detected alerts.](../../media/defender-identity/alert-email-recipient.png) + :::image type="content" source="../../media/defender-identity/alert-email-recipient.png" alt-text="The Alert notifications submenu item" lightbox="../../media/defender-identity/alert-email-recipient.png"::: ## Syslog notifications Defender for Identity can notify you when it detects suspicious activities by se 1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Settings and then Identities. - ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) + :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The option of Identities in the Name column" lightbox="../../media/defender-identity/settings-identities.png"::: 1. Select Syslog notifications. 1. To enable syslog notification, set the Syslog service toggle to the on position. - ![Turn on syslog service.](../../media/defender-identity/syslog-service.png) + :::image type="content" source="../../media/defender-identity/syslog-service.png" alt-text="The Syslog service option that can be turned on" lightbox="../../media/defender-identity/syslog-service.png"::: 1. Select Configure service. A pane will open where you can enter the details for the syslog service. - ![Enter syslog service details.](../../media/defender-identity/syslog-sensor.png) + :::image type="content" source="../../media/defender-identity/syslog-sensor.png" alt-text="The page on which you enter the Syslog service details" lightbox="../../media/defender-identity/syslog-sensor.png"::: 1. Enter the following details: Defender for Identity can notify you when it detects suspicious activities by se 1. Once you've configured the Syslog service, you can choose which types of notifications (alerts or health issues) to send to your Syslog server. - ![Syslog service configured.](../../media/defender-identity/syslog-configured.png) + :::image type="content" source="../../media/defender-identity/syslog-configured.png" alt-text="The Syslog service is configured option checked" lightbox="../../media/defender-identity/syslog-configured.png"::: ## See also
security	Sensor Health	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/sensor-health.md	This article explains how to configure and monitor [Microsoft Defender for Ident 1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Settings and then Identities. - ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) + :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The option of Identities on the Settings page" lightbox="../../media/defender-identity/settings-identities.png"::: 1. Select the Sensors page, which displays all of your Defender for Identity sensors. For each sensor, you'll see its name, its domain membership, the version number, if updates should be delayed, the service status, update status, health status, the number of health issues, and when the sensor was created. This article explains how to configure and monitor [Microsoft Defender for Ident [![Sensor filters.](../../media/defender-identity/sensor-filters.png)](../../media/defender-identity/sensor-filters.png#lightbox) - ![Filtered sensor.](../../media/defender-identity/filtered-sensor.png) + :::image type="content" source="../../media/defender-identity/filtered-sensor.png" alt-text="The Filtered sensor" lightbox="../../media/defender-identity/filtered-sensor.png"::: 1. If you select one of the sensors, a pane will display with information about the sensor and its health status. This article explains how to configure and monitor [Microsoft Defender for Ident 1. If you select any of the health issues, you'll get a pane with more details about them. If you choose a closed issue, you can reopen it from here. - ![Issue details.](../../media/defender-identity/issue-details.png) + :::image type="content" source="../../media/defender-identity/issue-details.png" alt-text="The Issue details" lightbox="../../media/defender-identity/issue-details.png"::: + 1. If you select Manage sensor, a pane will open where you can configure the sensor details. - ![Manage sensor.](../../media/defender-identity/manage-sensor.png) + :::image type="content" source="../../media/defender-identity/manage-sensor.png" alt-text="The Manage sensor option" lightbox="../../media/defender-identity/manage-sensor.png"::: - ![Configure sensor details.](../../media/defender-identity/configure-sensor-details.png) + :::image type="content" source="../../media/defender-identity/configure-sensor-details.png" alt-text="The page on which you configure settings for the sensor" lightbox="../../media/defender-identity/configure-sensor-details.png"::: 1. In the Sensors page, you can export your list of sensors to a .csv file by selecting Export. - ![Export list of sensors.](../../media/defender-identity/export-sensors.png) + :::image type="content" source="../../media/defender-identity/export-sensors.png" alt-text="The Export list of sensors" lightbox="../../media/defender-identity/export-sensors.png"::: ## Add a sensor From the Sensors page, you can add a new sensor. 1. Select Add sensor. - ![Add sensor.](../../media/defender-identity/add-sensor.png) + :::image type="content" source="../../media/defender-identity/add-sensor.png" alt-text="The Add sensor option" lightbox="../../media/defender-identity/add-sensor.png"::: 1. A pane will open, providing you with a button to download the sensor installer and a generated access key. - ![Download installer and access key.](../../media/defender-identity/installer-access-key.png) + :::image type="content" source="../../media/defender-identity/installer-access-key.png" alt-text="The options to download the installer and regenerate the key" lightbox="../../media/defender-identity/installer-access-key.png"::: 1. Select Download installer to save the package locally. The zip file includes the following files:
security	Vpn Integration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/vpn-integration.md	Perform the following steps on your RRAS server. 1. Right-click the server name and select Properties. 1. In the Security tab, under Accounting provider, select RADIUS Accounting and select Configure. - ![RADIUS setup.](../../media/defender-identity/radius-setup.png) + :::image type="content" source="../../media/defender-identity/radius-setup.png" alt-text="The RADIUS setup" lightbox="../../media/defender-identity/radius-setup.png"::: 1. In the Add RADIUS Server window, type the Server name of the closest [!INCLUDE [Product short](includes/product-short.md)] sensor (which has network connectivity). For high availability, you can add additional [!INCLUDE [Product short](includes/product-short.md)] sensors as RADIUS Servers. Under Port, make sure the default of 1813 is configured. Select Change and type a new shared secret string of alphanumeric characters. Take note of the new shared secret string as you'll need to fill it out later during [!INCLUDE [Product short](includes/product-short.md)] Configuration. Check the Send RADIUS Account On and Accounting Off messages box and select OK on all open dialog boxes. - ![VPN setup.](../../media/defender-identity/vpn-set-accounting.png) + :::image type="content" source="../../media/defender-identity/vpn-set-accounting.png" alt-text="The VPN setup" lightbox="../../media/defender-identity/vpn-set-accounting.png"::: ## Configure VPN in Defender for Identity To configure VPN data in [!INCLUDE [Product short](includes/product-short.md)] i 1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to Settings and then Identities. - ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png) + :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option under the settings menu item" lightbox="../../media/defender-identity/settings-identities.png"::: 1. Select VPN. 1. Select Enable radius accounting, and type the Shared Secret you configured previously on your RRAS VPN Server. Then select Save. - ![VPN integration.](../../media/defender-identity/vpn-integration.png) + :::image type="content" source="../../media/defender-identity/vpn-integration.png" alt-text="The VPN integration" lightbox="../../media/defender-identity/vpn-integration.png"::: After this is enabled, all Defender for Identity sensors will listen on port 1813 for RADIUS accounting events, and your VPN setup is complete.
security	About Defender For Office 365 Trial	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md	As part of the trial setup, the Defender for Office 365 licenses are automatical The licensing card for the trial shows the following information: -![The Licensing card in the Microsoft Defender for Office 365 trial.](../../media/mdo-trial-licensing-card.png) - Usage type section: - Trial: The number of trial Defender for Office 365 licenses that are available for you to use. Defender for Office 365 helps organizations secure their enterprise by offering You can also learn more about Defender for Office 365 at this [interactive guide](https://aka.ms/MS365D.InteractiveGuide). -![Microsoft Defender for Office 365 conceptual diagram.](../../media/microsoft-defender-for-office-365.png) ### Prevention
security	Address Compromised Users Quickly	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/address-compromised-users-quickly.md	You have a few options for navigating to a list of restricted users. For example 2. On the Alerts page, filter the results by time period and the policy named User restricted from sending email. - ![The Alerts page in the Microsoft 365 Defender portal filtered for restricted users.](../../media/m365-sc-alerts-page-with-restricted-user.png) + :::image type="content" source="../../media/m365-sc-alerts-page-with-restricted-user.png" alt-text="The Alerts page in the Microsoft 365 Defender portal filtered for restricted users" lightbox="../../media/m365-sc-alerts-page-with-restricted-user.png"::: 3. If you select the entry by clicking on the name, a User restricted from sending email page opens with additional details for you to review. Next to the Manage alert button, you can click ![More options icon.](../../medi). - ![The User restricted from sending email page from the Alerts center.](../../media/m365-sc-alerts-user-restricted-from-sending-email-page.png) + :::image type="content" source="../../media/m365-sc-alerts-user-restricted-from-sending-email-page.png" alt-text="The User restricted from sending email page" lightbox="../../media/m365-sc-alerts-user-restricted-from-sending-email-page.png"::: ### View details about automated investigations
security	Admin Review Reported Message	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md	You will only be able to mark and notify users of review results if the message 3. Select the Mark as and notify drop-down, and then select No threats found, Phishing, or Junk. > [!div class="mx-imgBorder"] - > ![Send messages from portal.](../../media/admin-review-send-message-from-portal.png) + > :::image type="content" source="../../media/admin-review-send-message-from-portal.png" alt-text="The page displaying the user-reported messages" lightbox="../../media/admin-review-send-message-from-portal.png"::: The reported message will be marked as either false positive or false negative, and an email will be automatically sent from within the portal notifying the user who reported the message. The reported message will be marked as either false positive or false negative, - Footer > [!div class="mx-imgBorder"] - > ![Customize messages send to users.](../../media/admin-review-customize-message.png) + > :::image type="content" source="../../media/admin-review-customize-message.png" alt-text="The Customize confirmation message page" lightbox="../../media/admin-review-customize-message.png"::: 4. When you're finished, click Save. To clear these values, click Discard on the User submissions page.
security	Admin Submission	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md	For other ways to submit email messages, URLs, and attachments to Microsoft, see 3. Select the Mark as and notify drop-down, and then select No threats found \> Phishing or Junk. - :::image type="content" alt-text="Send messages from portal." source="../../media/unified-submission-user-reported-message.png" lightbox="../../media/unified-submission-user-reported-message.png"::: + :::image type="content" source="../../media/unified-submission-user-reported-message.png" alt-text="The Submissions page" lightbox="../../media/unified-submission-user-reported-message.png"::: The reported message will be marked as a false positive or a false negative. An email notification is sent automatically from within the portal to the user who reported the message. The reported message will be marked as a false positive or a false negative. An 5. When you're finished, click Submit. > [!div class="mx-imgBorder"] - > ![New URL submission example.](../../media/submission-flyout-email.png) + > :::image type="content" source="../../media/submission-flyout-email.png" alt-text="The New URL submission process" lightbox="../../media/submission-flyout-email.png"::: ### Send a suspect URL to Microsoft The reported message will be marked as a false positive or a false negative. An 4. When you're finished, click Submit. > [!div class="mx-imgBorder"] - > ![New Email submission example.](../../media/submission-url-flyout.png) + > :::image type="content" source="../../media/submission-url-flyout.png" alt-text="The New Email submission process" lightbox="../../media/submission-url-flyout.png"::: ### Submit a suspected email attachment to Microsoft The reported message will be marked as a false positive or a false negative. An 4. When you're finished, click Submit. > [!div class="mx-imgBorder"] - > ![New Attachment submission example.](../../media/submit-email-attachment-for-analysis.png) + > :::image type="content" source="../../media/submission-file-flyout.png" alt-text="The New Attachment submission process" lightbox="../../media/submission-file-flyout.png"::: > [!NOTE] > If malware filtering has replaced the message attachments with the Malware Alert Text.txt file, you need to submit the original message from quarantine that contains the original attachments. For more information on quarantine and how to release messages with malware false positives, see [Manage quarantined messages and files as an admin](manage-quarantined-messages-and-files.md). The reported message will be marked as a false positive or a false negative. An When you're finished, click Apply. > [!div class="mx-imgBorder"] - > ![New Customize column options for admin submissions.](../../media/submit-admin-submissios-customize-columns.png) + > :::image type="content" source="../../media/admin-submission-customize-columns.png" alt-text="The New Customize column options for admin submissions" lightbox="../../media/admin-submission-customize-columns.png"::: - To filter the entries, click Filter. The available filters are: - Date submitted: Start date and End date. The reported message will be marked as a false positive or a false negative. An When you're finished, click Apply. > [!div class="mx-imgBorder"] - > ![New Filter options for admin submissions.](../../media/submit-admin-submissions-view-filters.png) + > :::image type="content" source="../../media/admin-submission-filters.png" alt-text="The New Filter options for admin submissions" lightbox="../../media/admin-submission-filters.png"::: - To group the entries, click Group and select one of the following values from the dropdown list: - None If you've deployed the [Report Message add-in](enable-the-report-message-add-in. When you're finished, click Apply. > [!div class="mx-imgBorder"] - > ![New Filter options for user submissions.](../../media/submit-user-submissions-view-filters.png) + > :::image type="content" source="../../media/admin-submission-reported-messages.png" alt-text="The New Filter options for user submissions" lightbox="../../media/admin-submission-reported-messages.png"::: - To group the entries, click Group and select one of the following values from the dropdown list: - None On the User reported messages tab, select a message in the list, click Sub - Trigger investigation** > [!div class="mx-imgBorder"] -> ![New Options on the Action button.](../../media/admin-submission-main-action-button.png) +> :::image type="content" source="../../media/admin-submission-main-action-button.png" alt-text="The New options on the Action button" lightbox="../../media/admin-submission-main-action-button.png":::
security	Anti Spoofing Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-protection.md	The following anti-spoofing technologies are available in EOP: EOP analyzes and blocks messages that can't be authenticated by the combination of standard email authentication methods and sender reputation techniques. - ![EOP anti-spoofing checks.](../../media/eop-anti-spoofing-protection.png) + :::image type="content" source="../../media/eop-anti-spoofing-protection.png" alt-text="The EOP anti-spoofing checks" lightbox="../../media/eop-anti-spoofing-protection.png"::: - Spoof intelligence insight: Review spoofed messages from senders in internal and external domains during the last 7 days, and allow or block those senders. For more information, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
security	Attack Simulation Training Faq	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-faq.md	While the whole simulation creation and scheduling experience has been designed A URL reputation service might identify one or more of the URLs that are used by Attack simulation training as unsafe. Google Safe Browsing in Google Chrome blocks some of the simulated phishing URLs with a Deceptive site ahead message. While we work with many URL reputation vendors to always allow our simulation URLs, we don't always have full coverage. -![Deceptive site ahead warning in Google Chrome.](../../media/attack-sim-training-faq-chrome-deceptive-site-message.png) Note that this issue does not affect Microsoft Edge. Every simulation campaign has a lifecycle. When first created, the simulation is While a simulation is in the Scheduled state, the simulation reports will be mostly empty. During this stage, the simulation engine is resolving the target user email addresses, expanding distribution groups, removing guest users from the list, etc.: -![Simulation details showing the simulation in the Scheduled state.](../../media/attack-sim-training-faq-scheduled-state.png) Once the simulation enters the In progress stage, you will notice information starting to trickle into the reporting: -![Simulation details showing the simulation in the In progress state.](../../media/attack-sim-training-faq-in-progress-state.png) It can take up to 30 minutes for the individual simulation reports to update after the transition to the In progress state. The report data continues to build until the simulation reaches the Completed state. Reporting updates occur at the following intervals: Note that the configuration change might take up to 30 minutes to synchronize ac A: Yes you can! On the very last Review Simulation page in the wizard to create a new simulation, there's an option to Send a test. This option will send a sample phishing simulation message to the currently logged in user. After you validate the phishing message in your Inbox, you can submit the simulation. -![Send a test button on the Review simulation page.](../../media/attack-sim-training-simulations-review-simulation.png) ### Q: Can I target users that belong to a different tenant as part of the same simulation campaign?
security	Attack Simulation Training Insights	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md	Selecting View all simulations takes you to the Simulations tab. Selecting Launch a simulation starts the simulation creation wizard. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training.md). -![Recent simulations card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-recent-simulations-card.png) ### Behavior impact on compromise rate card The following summary information is also shown on the card: - users less susceptible to phishing: The difference between the actual number of users compromised by the simulated attack and the predicted compromise rate. This number of users is less likely to be compromised by similar attacks in the future. - x% better than predicted rate: Indicates how users did overall in contrast with the predicted compromise rate. -![Behavior impact on compromise rate card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-behavior-impact-card.png) To see a more detailed report, click View simulations and training efficacy report. This report is explained [later in this article](#training-efficacy-tab-for-the-attack-simulation-report). Selecting Launch simulation for non-simulated users starts the simulation cr Selecting View simulation coverage report takes you to the [User coverage tab for the Attack simulation report](#user-coverage-tab-for-the-attack-simulation-report). -![Simulation coverage card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-sim-coverage-card.png) ### Training completion card The Recommendations card on the Overview tab suggests different types of Selecting Launch now starts the simulation creation wizard with the specified simulation type automatically selected on the Select technique page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training.md). -![Recommendations card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-recommendations-card.png) ### Attack simulation report You can open the Attack simulation report from the Overview tab by click On the Attack simulation report page, the Training efficacy tab is selected by default. This tab provides the same information that's available in the Behavior impact on compromise rate card, with additional context from the simulation itself. -![Training efficacy tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-training-efficacy-view.png) The chart shows the Predicted compromise rate and Actual compromised rate. If you hover over a section in the chart, the actual percentage values for are shown. If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) Exp #### User coverage tab for the Attack simulation report -![User coverage tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-user-coverage-view.png) On the User coverage tab, the chart shows the Simulated users and Non-simulated users. If you hover over a data point in the chart, the actual values are shown. If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) Exp #### Training completion tab for the Attack simulation report -![Training completion tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-training-completion-view.png) On the Training completion tab, the chart shows the number of Completed, In progress, and Incomplete simulations. If you hover over a section in the chart, the actual values are shown. If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) Exp #### Repeat offenders tab for the Attack simulation report -![Repeat offenders tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-repeat-offenders-view.png) A _repeat offender_ is a user who was compromised by consecutive simulations. The default number of consecutive simulations is two, but you can change the value on the Settings tab of Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=setting>. The Simulation impact section on the simulation details page shows how many - Links: Entered credentials and Did not enter credentials. - ![Simulation impact section for link-related simulation details.](../../media/attack-sim-training-sim-details-sim-impact-links.png) + :::image type="content" source="../../media/attack-sim-training-sim-details-sim-impact-links.png" alt-text="The Simulation impact section for link-related simulation details" lightbox="../../media/attack-sim-training-sim-details-sim-impact-links.png"::: - Attachments: Opened attachment and Did not open attachment. - ![Simulation impact section for attachment-related simulation details.](../../media/attack-sim-training-sim-details-sim-impact-attachments.png) + :::image type="content" source="../../media/attack-sim-training-sim-details-sim-impact-attachments.png" alt-text="The Simulation impact section for attachment-related simulation details" lightbox="../../media/attack-sim-training-sim-details-sim-impact-attachments.png"::: If you hover over a section in the chart, the actual numbers for each category are shown. The All user activity section on the simulation details page shows numbers f - EmailLinkClicked: How many users clicked on the link in the simulation message. - CredSupplied: After clicking on the link, how many users supplied their credentials. - ![All user activity section for link-related simulation details.](../../media/attack-sim-training-sim-details-all-user-activity-links.png) + :::image type="content" source="../../media/attack-sim-training-sim-details-all-user-activity-links.png" alt-text="The All user activity section for link-related simulation details" lightbox="../../media/attack-sim-training-sim-details-all-user-activity-links.png"::: - Attachments: - AttachmentOpened: How many users opened the attachment in the simulation message. - ![All user activity section for attachment-related simulation details.](../../media/attack-sim-training-sim-details-all-user-activity-attachments.png) + :::image type="content" source="../../media/attack-sim-training-sim-details-all-user-activity-attachments.png" alt-text="The All user activity section for attachment-related simulation details" lightbox="../../media/attack-sim-training-sim-details-all-user-activity-attachments.png"::: ### Training completion section The Training completion section on the simulation details page shows the trainings that are required for the simulation, and how many users have completed the trainings. -![Training completion section for attachment-related simulation details.](../../media/attack-sim-training-sim-details-training-completed.png) ## Recommended actions section The Recommended actions section on the simulation details page shows recommendation actions from [Microsoft Secure Score](../defender/microsoft-secure-score.md) and the effect the action will have on your Secure Score. These recommendations are based on the payload that was used in the simulation, and will help protect your users and your environment. Selecting an Improvement action** from the list takes you to the location to implement the suggested action. -![Recommendation actions section on Attack simulation training.](../../media/attack-sim-training-sim-details-recommended-actions.png) ## Related Links
security	Attack Simulation Training Payload Automations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations.md	To create a payload automation, do the following steps: 2. On the Payload automations tab, select ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) Create automation. - ![Create automation button on the Payload automations tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-payload-automations-create.png) + :::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Payload automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png"::: 3. The creation wizard opens. The rest of this article describes the pages and the settings they contain.
security	Attack Simulation Training Payloads	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md	On the Configure payload page, it's time to build your payload. Many of the - Insert name: The value that's added in the message body is `${userName}`. - Insert email: The value that's added in the message body is `${emailAddress}`. - ![The Email message section on the Configure payload page in the payload creation wizard in Attack simulation training in Microsoft Defender for Office 365.](../../media/attack-sim-training-payloads-configure-payload-email-message.png) + :::image type="content" source="../../media/attack-sim-training-payloads-configure-payload-email-message.png" alt-text="The Email message section on the Configure payload page in the payload creation wizard in Attack simulation training in Microsoft Defender for Office 365" lightbox="../../media/attack-sim-training-payloads-configure-payload-email-message.png"::: Phishing link control: This control is available only if you selected Credential harvest, Link in attachment, or Drive-by URL on the Select technique page. Use this control to insert the URL that you previously selected in the Phishing link section. On the Add indicators page, click Add indicator. On the flyout that appe If you select the email message subject or the message body as the location for the indicator, a Select text button is available. Click this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, click Select. - ![Selected text location in the message body to add to an indicator in the payload creation wizard in Attack simulation training.](../../media/attack-sim-training-payloads-add-indicators-select-location.png) + :::image type="content" source="../../media/attack-sim-training-payloads-add-indicators-select-location.png" alt-text="The Selected text location in the message body to add to an indicator in the payload creation wizard in Attack simulation training" lightbox="../../media/attack-sim-training-payloads-add-indicators-select-location.png"::: - Indicator description: You can accept the default description for the indicator, or you can customize it. On the main Review payload page, you can select Edit in each section to When you're finished, click Submit. On the confirmation page that appears, click Done. -![Review payload page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-payloads-review-payload.png) > [!IMPORTANT] > Payloads that you created will have the value Tenant for the Source property. When you create simulations and select payloads, make sure that you don't filter out the Source value Tenant.
security	Attack Simulation Training Simulation Automations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md	To create a simulation automation, do the following steps: 2. On the Simulation automations tab, select ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) Create automation. - ![Create automation button on the Simulation automations tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-sim-automations-create.png) + :::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Simulation automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png"::: 3. The creation wizard opens. The rest of this article describes the pages and the settings they contain. On the Select social engineering techniques page, select one or more of the If you click the View details link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique. -![Details flyout for the credential harvest technique on the Select social engineering techniques page.](../../media/attack-sim-training-simulations-select-technique-sim-steps.png) When you're finished, click Next. If you select a payload from the list by clicking on the name, details about the - The Overview tab contains an example and other details about the payload. - The Simulations launched tab contains the Simulation name, Click rate, Compromised rate, and Action. -![Payload details flyout in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-select-payload-details.png) When you're finished, click Next. On the Target users page, select who will receive the simulation. Configure - Select All Title - Select existing Title values. - ![User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-target-users-filter-by-category.png) + :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The user filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png"::: After you identify your criteria, the affected users are shown in the User list section that appears, where you can select some or all of the discovered recipients. On the Assign training page, you can assign trainings for the simulation. We - 7 days after simulation ends - No training: If you select this value, the only option on the page is the Next button that takes you to the [Landing page](#landing-page) page. -![Add recommended training on the Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png) ### Training assignment For each training in the list, you need to select who gets the training by selec If you don't want to use a training that's shown, click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) Delete. -![Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-training-assignment.png) When you're finished, click Next.
security	Attack Simulation Training	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md	To launch a simulated phishing attack, do the following steps: 2. On the Simulations tab, select ![Launch a simulation icon.](../../media/m365-cc-sc-create-icon.png) Launch a simulation. - ![Launch a simulation button on the Simulations tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-launch.png) + :::image type="content" source="../../media/attack-sim-training-simulations-launch.png" alt-text="The Launch a simulation button on the Simulations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-launch.png"::: 3. The simulation creation wizard opens. The rest of this article describes the pages and the settings they contain. On the Select technique page, select an available social engineering techniq If you click the View details link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique. -![Details flyout for the credential harvest technique on the Select technique page.](../../media/attack-sim-training-simulations-select-technique-sim-steps.png) When you're finished, click Next. If you click Filter, the following filters are available: When you're finished configuring the filters, click Apply, Cancel, or Clear filters. -![Select payload page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-select-payload.png) If you select a payload from the list, details about the payload are shown in a flyout: - The Overview tab contains an example and other details about the payload. - The Simulations launched tab contains the Simulation name, Click rate, Compromised rate, and Action. -![Payload details flyout in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-select-payload-details.png) If you select a payload from the list by clicking on the name, a ![Send a test payload icon.](../../media/m365-cc-sc-create-icon.png) Send a test button appears on the main page where you can send a copy of the payload email to yourself (the currently logged in user) for inspection. On the Target users page, select who will receive the simulation. Configure - Select All Title - Select existing Title values. - ![User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-target-users-filter-by-category.png) + :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png"::: After you identify your criteria, the affected users are shown in the User list section that appears, where you can select some or all of the discovered recipients. On the Assign training page, you can assign trainings for the simulation. We - 7 days after simulation ends - No training: If you select this value, the only option on the page is the Next button that takes you to the [Landing page](#landing-page) page. -![Add recommended training on the Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png) ### Training assignment For each training in the list, you need to select who gets the training by selec If you don't want to use a training that's shown, click ![Delete training icon.](../../media/m365-cc-sc-delete-icon.png) Delete. -![Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-training-assignment.png) When you're finished, click Next. You can select Edit in each section to modify the settings within the sectio When you're finished, click Submit. -![Review simulation page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-review-simulation.png)
security	Automated Investigation Response Office	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/automated-investigation-response-office.md	In addition to automated investigations that are triggered by an alert, your org For example, suppose that you are using the Malware view in Explorer. Using the tabs below the chart, you select the Email tab. If you select one or more items in the list, the + Actions button activates. -![Explorer with selected messages.](../../media/Explorer-Malware-Email-ActionsInvestigate.png) + Using the Actions menu, you can select Trigger investigation. -![Actions menu for selected messages.](../../media/explorer-malwareview-selectedemails-actions.jpg) Similar to playbooks triggered by an alert, automatic investigations that are triggered from a view in Explorer include a root investigation, steps to identify and correlate threats, and recommended actions to mitigate those threats.
security	Azure Ip Protection Features	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/azure-ip-protection-features.md	Starting July 1, 2018, Microsoft will enable the protection capability in Azure Tenant administrators can check the protection status in the Office 365 administrator portal. -![Screenshot that shows that rights management in Office 365 is activated.](../../media/303453c8-e4a5-4875-b49f-e80c3eb7b91e.png) ## Why are we making this change? To opt out of the upcoming change, complete these steps: Once this is enabled, provided you haven't opted out, you can start using the new version of Office 365 Message Encryption which was announced at [Microsoft Ignite 2017](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Email-Encryption-and-Rights-Protection/ba-p/110801) and leverages the encryption and protection capabilities of Azure Information Protection. -![Screenshot that shows an OME protected message in Outlook on the web.](../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png) For more information about the new enhancements, see [Office 365 Message Encryption](../../compliance/ome.md).
security	Campaigns	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md	A campaign might be short-lived, or could span several days, weeks, or months wi Campaign Views is available in the Microsoft 365 Defender portal at <https://security.microsoft.com> at Email & collaboration \> Campaigns, or directly at <https://security.microsoft.com/campaigns>. -![Campaigns overview in the Microsoft 365 Defender portal.](../../media/campaigns-overview.png) You can also get to Campaign Views from: The Campaign origin tab shows the message sources on a map of the world. At the top of the Campaign page, there are several filter and query settings to help you find and isolate specific campaigns. -![Campaign filters.](../../media/campaign-filters-and-settings.png) The most basic filtering that you can do is the start date/time and the end date/time. At the top of the campaign details view, the following campaign information is a - Start date/time and end data/time filters for the campaign flow as described in the next section. - An interactive timeline of campaign activity: The timeline shows activity over the entire lifetime of the campaign. You can hover over the data points in the graph to see the amount of detected messages. -![Campaign information.](../../media/campaign-details-campaign-info.png) ### Campaign flow In the middle of the campaign details view, important details about the campaign > [!TIP] > The information that's displayed in the flow diagram is controlled by the date range filter in the timeline as described in the previous section. -![Campaign details that don't contain user URL clicks.](../../media/campaign-details-no-recipient-actions.png) If you hover over a horizontal band in the diagram, you'll see the number of related messages (for example, messages from a particular source IP, messages from the source IP using the specified sender domain, etc.).
security	Configuration Analyzer For Security Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md	The Configuration analyzer page has three main tabs: By default, the configuration analyzer opens on the Standard recommendations tab. You can switch to the Strict recommendations tab. The settings, layout, and actions are the same on both tabs. -![Settings and recommendations view in the Configuration analyzer.](../../media/configuration-analyzer-settings-and-recommendations-view.png) The first section of the tab displays the number of settings in each type of policy that need improvement as compared to Standard or Strict protection. The types of policies are: To export the results to a .csv file, click Export. To filter the results by a specific Modified by, Setting name, or Type value, use the Search box. -![Configuration drift analysis and history view in the Configuration analyzer.](../../media/configuration-analyzer-configuration-drift-analysis-view.png)
security	Create Safe Sender Lists In Office 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md	The following example assumes you need email from contoso.com to skip spam filte When a message skips spam filtering due to a mail flow rule, the value `SFV:SKN` value is stamped in the X-Forefront-Antispam-Report header. If the message is from a source that's on the IP Allow List, the value `IPV:CAL` is also added. These values can help you with troubleshooting. -![Mail flow rule settings in the EAC for bypassing spam filtering.](../../media/1-AllowList-SkipFilteringFromContoso.png) + :::image type="content" source="../../media/1-AllowList-SkipFilteringFromContoso.png" alt-text="The Mail flow rule settings in the EAC for bypassing spam filtering" lightbox="../../media/1-AllowList-SkipFilteringFromContoso.png"::: + ## Use Outlook Safe Senders
security	Email Analysis Investigations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-analysis-investigations.md	To ensure investigation actions are up to date, any investigation that has pendi Email-based evidence in the Evidence and Response tab for an incident now displays the following information. From the numbered callouts in the figure: From the numbered callouts in the figure: For email or email clusters in the Entities tab of an incident, Prevented means that there was no malicious emails in the mailbox for this item (mail or cluster). Here is an example. In this example, the email is malicious but not in a mailbox.
security	Email Security In Microsoft Defender	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md	To see malware detected in email sorted by Microsoft 365 technology, use the [ 3. Click Sender, and then choose Basic \> Detection technology in the drop down list. - :::image type="content" source="../../media/exploreremailmalwaredetectiontech-newimg.png" alt-text="malware detection technology."::: + :::image type="content" source="../../media/exploreremailmalwaredetectiontech-newimg.png" alt-text="The malware detection technology" lightbox="../../media/exploreremailmalwaredetectiontech-newimg.png"::: Your detection technologies are now available as filters for the report. 4. Choose an option, and then click Refresh to apply that filter (don't refresh your browser window). - :::image type="content" source="../../media/exploreremailmalwaredetectiontech2-new.png" alt-text="selected detection technology."::: + :::image type="content" source="../../media/exploreremailmalwaredetectiontech2-new.png" alt-text="selected detection technology" lightbox="../../media/exploreremailmalwaredetectiontech2-new.png"::: The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis. You can use the Report clean option in Explorer to report a message as false 4. Scroll down the list of options to go to the Start new submission section, and then select Report clean. A flyout appears. > [!div class="mx-imgBorder"] - > ![Report clean option in Explorer.](../../media/report-clean-option-explorer.png) + > :::image type="content" source="../../media/report-clean-option-explorer.png" alt-text="The Report clean option in the Explorer" lightbox="../../media/report-clean-option-explorer.png"::: 5. Toggle the slider to On. From the drop down list, specify the number of days you want the message to be removed, add a note if needed, and then select Submit. You can view phishing attempts through URLs in email, including a list of URLs t 2. In the View drop down list, choose Email \> Phish. > [!div class="mx-imgBorder"] - > ![View menu for Explorer in phishing context.](../../media/ExplorerViewEmailPhishMenu.png) + > :::image type="content" source="../../media/ExplorerViewEmailPhishMenu.png" alt-text="The View menu for Explorer in phishing context" lightbox="../../media/ExplorerViewEmailPhishMenu.png"::: 3. Click Sender, and then choose URLs \> Click verdict in the drop down list. 4. In options that appear, select one or more options, such as Blocked and Block overridden, and then click Refresh (don't refresh your browser window). - :::image type="content" source="../../media/threatexploreremailphishclickverdict-new.png" alt-text="URLs and click verdicts."::: + :::image type="content" source="../../media/threatexploreremailphishclickverdict-new.png" alt-text="The URLs and click verdicts" lightbox="../../media/threatexploreremailphishclickverdict-new.png"::: The report refreshes to show two different URL tables on the URLs** tab under the report: You can view phishing attempts through URLs in email, including a list of URLs t The two URL tables show top URLs in phishing email messages by delivery action and location. The tables show URL clicks that were blocked or visited despite a warning, so you can see what potential bad links were presented to users and that the users clicked. From here, you can conduct further analysis. For example, below the chart you can see the top URLs in email messages that were blocked in your organization's environment. > [!div class="mx-imgBorder"] - > ![Explorer URLs that were blocked.](../../media/ExplorerPhishClickVerdictURLs.png) + > :::image type="content" source="../../media/ExplorerPhishClickVerdictURLs.png" alt-text="The Explorer URLs that were blocked" lightbox="../../media/ExplorerPhishClickVerdictURLs.png"::: Select a URL to view more detailed information.
security	Enable The Report Message Add In	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/enable-the-report-message-add-in.md	Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ReportJunkEmailEnabled 2. Click GET IT NOW. - ![Report Message - Get It Now.](../../media/ReportMessageGETITNOW.png) + :::image type="content" source="../../media/ReportMessageGETITNOW.png" alt-text="The Get It Now report message" lightbox="../../media/ReportMessageGETITNOW.png"::: 3. In the dialog that appears, review the terms of use and privacy policy, and then click Continue. After the add-in is installed and enabled, you'll see the following icons: - In Outlook, the icon looks like this: > [!div class="mx-imgBorder"] - > ![Report Message add-in icon for Outlook.](../../media/OutlookReportMessageIcon.png) + > :::image type="content" source="../../media/OutlookReportMessageIcon.png" alt-text="The Report Message add-in icon for Outlook" lightbox="../../media/OutlookReportMessageIcon.png"::: - In Outlook on the web, the icon looks like this: After the add-in is installed and enabled, you'll see the following icons: 1. In the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home?#/homepage), go to Settings \> Integrated apps. Click Get apps. > [!div class="mx-imgBorder"] - > ![Microsoft 365 admin center Integrated apps](../../media/microsoft-365-admin-center-integrated-apps.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-integrated-apps.png" alt-text="The Microsoft 365 admin center Integrated apps" lightbox="../../media/microsoft-365-admin-center-integrated-apps.png"::: + 2. In the Microsoft 365 Apps page that appears, click in the Search box, enter Report Message, and then click Search ![Search icon.](../../media/search-icon.png). In the list of results, find and select Report Message. 3. The app details page opens. Select Get It Now. > [!div class="mx-imgBorder"] - > ![Report Message add-in](../../media/microsoft-365-admin-center-report-message.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-report-message.png" alt-text="The Report Message add-in" lightbox="../../media/microsoft-365-admin-center-report-message.png"::: 4. Complete the basic profile information, and then click Continue. > [!div class="mx-imgBorder"] - > ![Report Message add-in profile setup](../../media/microsoft-365-admin-center-profile-info.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-profile-info.png" alt-text="The Report Message add-in profile setup" lightbox="../../media/microsoft-365-admin-center-profile-info.png"::: 5. The Deploy New App flyout opens. Configure the following settings. Click Next to go to the next page to complete setup. After the add-in is installed and enabled, you'll see the following icons: - Accept Permissions requests: Read the app permissions and capabilities carefully before going to the next page. > [!div class="mx-imgBorder"] - > ![App permissions](../../media/microsoft-365-admin-center-deploy-new-app.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-deploy-new-app.png" alt-text="The Accept permissions requests page" lightbox="../../media/microsoft-365-admin-center-deploy-new-app.png"::: - Finish deployment: Review and finish deploying the add-in. - Deployment completed: Select Done to complete the setup. > [!div class="mx-imgBorder"] - > ![Deployment complete](../../media/microsoft-365-admin-center-deployment-complete.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-deployment-complete.png" alt-text="The notification message of the deployment completed" lightbox="../../media/microsoft-365-admin-center-deployment-complete.png"::: ## Edit settings for the Report Message add-in After the add-in is installed and enabled, you'll see the following icons: 2. In the flyout that appears, select Edit users to edit user settings. > [!div class="mx-imgBorder"] - > ![Report Message flyout](../../media/microsoft-365-admin-center-report-message-edit.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-report-message-edit.png" alt-text="The Report Message flyout" lightbox="../../media/microsoft-365-admin-center-report-message-edit.png"::: 3. To remove the add-in, select Remove app under Actions in the same flyout. After the add-in is installed and enabled, you'll see the following icons: 1. In the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home?#/homepage), go to Settings \> Integrated apps. Click Get apps. > [!div class="mx-imgBorder"] - > ![Microsoft 365 admin center Integrated apps](../../media/microsoft-365-admin-center-integrated-apps.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-integrated-apps.png" alt-text="The Microsoft 365 admin center Integrated apps" lightbox="../../media/microsoft-365-admin-center-integrated-apps.png"::: 2. In the Microsoft 365 Apps page that appears, click in the Search box, enter Report Phishing, and then click Search ![Search icon.](../../media/search-icon.png). In the list of results, find and select Report Phishing. After the add-in is installed and enabled, you'll see the following icons: 2. In the flyout that appears, select Edit users to edit user settings. > [!div class="mx-imgBorder"] - > ![Report Phishing flyout](../../media/microsoft-365-admin-center-report-phishing-edit.png) + > :::image type="content" source="../../media/microsoft-365-admin-center-report-phishing-edit.png" alt-text="The Report Phishing flyout" lightbox="../../media/microsoft-365-admin-center-report-phishing-edit.png"::: 3. To remove the add-in, select Remove app under Actions in the same flyout.
security	Exchange Online Protection Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/exchange-online-protection-overview.md	The rest of this article explains how EOP works and the features that are availa To understand how EOP works, it helps to see how it processes incoming email: 1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).
security	External Email Forwarding	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-email-forwarding.md	The following information is required to create the mail flow rule in the Exchan - (Optional) Do the following (action): You can configure an optional action. For example, you can use the action Modify the message properties \> set a message header, with the header name X-Forwarded and the value True. But, configuring an action is not required. - Set Audit this rue with severity level to the value Low, Medium, or High. This setting allows you to use the [Exchange transport rule report](view-email-security-reports.md#exchange-transport-rule-report) to get details of users that are forwarding. -![Mail flow rule properties in the EAC for a rule to identify forwarded messages.](../../media/mail-flow-rule-for-forwarded-messages.png) + ## Blocked email forwarding messages
security	Find And Release Quarantined Messages As A User	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md	After you find a specific quarantined message, select the message to view detail When you select quarantined message from the list, the following information is available in the details flyout that appears. -![The details flyout of a quarantined message.](../../media/quarantine-user-message-details.png) When you select an email message in the list, the following message details appear in the Details flyout pane: To take action on the message, see the next section. > [!NOTE] > To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout. > -> ![The up and down arrows in the details flyout of a quarantined message.](../../media/quarantine-message-details-flyout-up-down-arrows.png) +> :::image type="content" source="../../media/quarantine-message-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of a quarantined message" lightbox="../../media/quarantine-message-details-flyout-up-down-arrows.png"::: ### Take action on quarantined email To take action on the message, see the next section. After you select a quarantined message from the list, the following actions are available in the details flyout: -![Available actions in the details flyout of a quarantined message.](../../media/quarantine-user-message-details-flyout-actions.png) - ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) Release email<sup>\</sup>: Delivers the message to your Inbox. If you don't release or remove the message, it will be deleted after the default > [!NOTE] > On a mobile device, the description text isn't available on the action icons. > -> ![Details of a quarantined message with available actions highlighted.](../../media/quarantine-user-message-details-flyout-mobile-actions.png) +> :::image type="content" source="../../media/quarantine-user-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions highlighted" lightbox="../../media/quarantine-user-message-details-flyout-mobile-actions.png"::: + > > The icons in order and their corresponding descriptions are summarized in the following table: > If you don't release or remove the message, it will be deleted after the default When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the Bulk actions* drop down list appears where you can take the following actions: -![Bulk actions drop down list for messages in quarantine.](../../media/quarantine-user-message-bulk-actions.png) - ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) Release messages: Delivers the messages to your Inbox. - ![Remove from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) Delete messages: After you click Yes in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.
security	Identity Access Policies Guest Access	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md	Providing a path for B2B accounts to authenticate with your Azure AD tenant does This diagram shows which policies to add or update among the common identity and device access policies, for B2B guest and external user access. The following table lists the policies you either need to create and update. The common policies link to the associated configuration instructions in the [Common identity and device access policies](identity-access-policies.md) article. The following table lists the policies you either need to create and update. The To include or exclude guests and external users in Conditional Access policies, for Assignments > Users and groups > Include or Exclude, check All guest and external users. -![screen capture of controls for excluding guests and external users.](../../media/microsoft-365-policies-configurations/identity-access-exclude-guests-ui.png) ## More information Only one organization can manage a device. If you don't exclude guests and exter ## Next step -![Step 4: Policies for Microsoft 365 cloud apps and Microsoft Defender for Cloud Apps.](../../media/microsoft-365-policies-configurations/identity-device-access-steps-next-step-4.png) Configure Conditional Access policies for:
security	Identity Access Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md	This guidance discusses how to deploy the recommended policies in a newly-provis The following diagram illustrates the recommended set of policies. It shows which tier of protections each policy applies to and whether the policies apply to PCs or phones and tablets, or both categories of devices. It also indicates where you configure these policies. <!-- A recommended practice is to create an Azure AD group for Conditional Access exc Here's an example of group assignment and exclusions for requiring MFA. -![Example group assignment and exclusions for MFA policies.](../../media/microsoft-365-policies-configurations/identity-access-policies-assignment.png) Here are the results: Be careful when applying higher levels of protection to groups and users. For ex All Azure AD groups created as part of these recommendations must be created as Microsoft 365 groups. This is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint. -![Example of creating a Microsoft 365 group.](../../media/microsoft-365-policies-configurations/identity-device-AAD-groups.png) ## Require MFA based on sign-in risk To require compliance for all devices: ## Next step -[![Step 3: Policies for guest and external users.](../../medi) +[![Step 3: Policies for guest and external users.](../../medi) [Learn about policy recommendations for guest and external users](identity-access-policies-guest-access.md)
security	Identity Access Prerequisites	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md	Here are some additional recommendations: ## Next step -[![Step 2: Configure the common Zero Trust identity and access Conditional Access policies.](../../medi) +[![Step 2: Configure the common Zero Trust identity and access Conditional Access policies.](../../medi) [Configure the common Zero Trust identity and device access policies](identity-access-policies.md)
security	Impersonation Insight	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/impersonation-insight.md	You can use the impersonation insight in the Microsoft 365 Defender portal to qu 2. On the Anti-phishing page, the impersonation insight looks like this: - ![Impersonation insight and spoof intelligence on the Anti-phishing policy page.](../../media/m365-sc-impersonation-and-spoof-intelligence-insight.png) + :::image type="content" source="../../media/m365-sc-impersonation-and-spoof-intelligence-insight.png" alt-text="The impersonation insight and spoof intelligence on the Anti-phishing policy page" lightbox="../../media/m365-sc-impersonation-and-spoof-intelligence-insight.png"::: The insight has two modes:
security	Install App Guard	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/install-app-guard.md	To learn more about Office update channels, see [Overview of update channels for 2. Select Microsoft Defender Application Guard under Windows Features and select OK. Enabling the Application Guard feature will prompt a system reboot. You can choose to reboot now or after step 3. - ![Windows Features dialog box showing AG.](../../media/ag03-deploy.png) + :::image type="content" source="../../media/ag03-deploy.png" alt-text="The Windows Features dialog box showing AG" lightbox="../../media/ag03-deploy.png"::: The feature can also be enabled by running the following PowerShell command as administrator: To learn more about Office update channels, see [Overview of update channels for 3. Search for Microsoft Defender Application Guard in Managed Mode, a group policy in Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Defender Application Guard. Turn on this policy by setting the value under Options as 2 or 3, and then selecting OK or Apply. - ![Turn on AG in Managed Mode.](../../media/ag04-deploy.png) + :::image type="content" source="../../media/ag04-deploy.png" alt-text="The option to turn on AG in Managed Mode" lightbox="../../media/ag04-deploy.png"::: Instead, you can set the corresponding CSP policy: This step ensures that the data necessary to identify and fix problems is reachi 1. Open Settings from the Start menu. - ![Start menu.](../../media/ag05-diagnostic.png) + :::image type="content" source="../../media/ag05-diagnostic.png" alt-text="The Start menu" lightbox="../../media/ag05-diagnostic.png"::: 2. On Windows Settings, select Privacy. - ![Windows Settings menu.](../../media/ag06-diagnostic.png) + :::image type="content" source="../../media/ag06-diagnostic.png" alt-text="The Windows Settings menu" lightbox="../../media/ag06-diagnostic.png"::: 3. Under Privacy, select Diagnostics & feedback and select Optional diagnostic data. - ![Diagnostics and feedback menu.](../../media/ag07a-diagnostic.png) + :::image type="content" source="../../media/ag07a-diagnostic.png" alt-text="The Diagnostics and feedback menu" lightbox="../../media/ag07a-diagnostic.png"::: For more on configuring Windows diagnostic settings, refer to [Configuring Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enterprise-management). To confirm that Application Guard for Office is enabled, launch Word, Excel, or When you first open an untrusted file, you may see an Office splash screen like the following example. It might be displayed for some time while Application Guard for Office is being activated and the file is being opened. Subsequent openings of untrusted files should be faster. -![Office app splash screen.](../../media/ag08-confirm.png) Upon being opened, the file should display a few visual indicators that the file was opened inside Application Guard for Office: * A callout in the ribbon - ![Doc file showing small App Guard note.](../../media/ag09-confirm.png) + :::image type="content" source="../../media/ag09-confirm.png" alt-text="The Doc file showing small App Guard note" lightbox="../../media/ag09-confirm.png"::: * The application icon with a shield in the taskbar You can also configure Microsoft Defender for Office 365 to work with Defender f * Application Guard for Office is a protected mode that isolates untrusted documents so that they cannot access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such access, such as inserting a picture from a local file on disk, the access fails and produces a prompt that resembles the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document. - ![Dialog box saying To help you keep safe, this feature is not available.](../../media/ag10-limitations.png) + :::image type="content" source="../../media/ag09-confirm.png" alt-text="The Dialog box stating safety message and the feature status" lightbox="../../media/ag09-confirm.png"::: > [!NOTE] > Advise users to only remove protection if they trust the file and its source or where it came from.
security	Integrate Office 365 Ti With Mde	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde.md	Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoi The following image depicts what the Devices tab looks like when you have Microsoft Defender for Endpoint integration enabled: -![When Microsoft Defender for Endpoint is enabled, you can see a list of devices with alerts.](../../media/fec928ea-8f0c-44d7-80b9-a2e0a8cd4e89.PNG) In this example, you can see that the recipients of the detected email message have four devices and one has an alert. Clicking the link for a device opens its page in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender). Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoi 3. In the Microsoft Defender for Endpoint connection flyout that appears, turn on Connect to Microsoft Defender for Endpoint (![Toggle on.](../../media/scc-toggle-on.png)) and then select Close. - :::image type="content" source="../../mediE Connection."::: + :::image type="content" source="../../medieconnection-dialognew.png"::: 4. In the navigation pane, choose Settings. On the Settings page, choose Endpoints
security	Investigate Malicious Email That Was Delivered	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md	Threat Explorer is a powerful report that can serve multiple purposes, such as f 2. In the View menu, choose Email \> All email from the drop down list. - ![Threat explorer View menu, and Email - Malware, Phish, Submissions and All Email options, also Content - Malware.](../../media/tp-InvestigateMalEmail-viewmenu.png) + :::image type="content" source="../../media/tp-InvestigateMalEmail-viewmenu.png" alt-text="The Malware drop-down list" lightbox="../../media/tp-InvestigateMalEmail-viewmenu.png"::: The Malware view is currently the default, and captures emails where a malware threat is detected. The Phish view operates in the same way, for Phish. Threat Explorer is a powerful report that can serve multiple purposes, such as f Advanced filtering is a great addition to search capabilities. A boolean NOT on the Recipient, Sender and Sender domain filters allows admins to investigate by excluding values. This option is the Equals none of selection. This option allows admins to exclude unwanted mailboxes from investigations (for example, alert mailboxes and default reply mailboxes), and is useful for cases where admins search for a specific subject (for example, Attention) where the Recipient can be set to Equals none of: defaultMail@contoso.com. This is an exact value search. - ![The Recipients - 'Contains none of' Advanced filter.](../../media/tp-InvestigateMalEmail-AdvancedFilter.png) + :::image type="content" source="../../media/tp-InvestigateMalEmail-AdvancedFilter.png" alt-text="The Recipients pane" lightbox="../../media/tp-InvestigateMalEmail-AdvancedFilter.png"::: Adding a time filter to the start date and end date helps your security team to drill down quickly. The shortest allowed time duration is 30 minutes. If you can narrow the suspicious action by time-frame (e.g., it happened 3 hours ago), this will limit the context and help pinpoint the problem. - ![The filtering by hours option to narrow the amount of data security teams have to process, and whose shortest duration is 30 minutes.](../../media/tp-InvestigateMalEmail-FilterbyHours.png) + :::image type="content" source="../../media/tp-InvestigateMalEmail-FilterbyHours.png" alt-text="The filtering by hours option" lightbox="../../media/tp-InvestigateMalEmail-FilterbyHours.png"::: 6. Fields in Threat Explorer: Threat Explorer exposes a lot more security-related mail information such as Delivery action, Delivery location, Special action, Directionality, Overrides, and URL threat. It also allows your organization's security team to investigate with a higher certainty.
security	Learn About Spoof Intelligence	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md	The rest of this article explains how to use the spoof intelligence insight in t 2. On the Tenant Allow/Block Lists page, the spoof intelligence insight looks like this: - ![Spoof intelligence insight on the Anti-phishing policy page.](../../media/m365-sc-spoof-intelligence-insight.png) + :::image type="content" source="../../media/m365-sc-spoof-intelligence-insight.png" alt-text="The Spoof intelligence insight on the Anti-phishing policy page" lightbox="../../media/m365-sc-spoof-intelligence-insight.png"::: The insight has two modes:
security	Mail Flow Insights V2	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mail-flow-insights-v2.md	ms.prod: m365-security Admins can use Mail flow dashboard in the Security & Compliance Center to discover trends, insights, and take actions to fix issues related to mail flow in their organization. -![The Mail flow dashboard in the Security & Compliance Center.](../../media/mail-flow-dashboard-v2.png) The available insights are:
security	Manage Quarantined Messages And Files	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md	After you find a specific quarantined message, select the message to view detail When you select quarantined message from the list, the following information is available in the details flyout that appears. -![The details flyout of a quarantined message.](../../media/quarantine-message-details-flyout.png) - Message ID: The globally unique identifier for the message. Available in the Message-ID header field in the message header. - Sender address To take action on the message, see the next section. > [!NOTE] > To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout. > -> ![The up and down arrows in the details flyout of a quarantined message.](../../media/quarantine-message-details-flyout-up-down-arrows.png) +> :::image type="content" source="../../media/quarantine-message-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of a quarantined message" lightbox="../../media/quarantine-message-details-flyout-up-down-arrows.png"::: ### Take action on quarantined email After you select a quarantined message from the list, the following actions are available in the details flyout: -![Available actions in the details flyout of a quarantined message.](../../media/quarantine-message-details-flyout-actions.png) - ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) Release email<sup>\</sup>: In the flyout pane that appears, configure the following options: - Add sender to your organization's allow list: Select this option to prevent messages from the sender from being quarantined. If you don't release or remove the message, it will be deleted after the default > [!NOTE] > On a mobile device, the description text isn't available on the action icons. > -> ![Details of a quarantined message with available actions highlighted.](../../media/quarantine-message-details-flyout-mobile-actions.png) +> :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions being highlighted" lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png"::: > > The icons in order and their corresponding descriptions are summarized in the following table: > If you don't release or remove the message, it will be deleted after the default When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the Bulk actions* drop down list appears where you can take the following actions: -![Bulk actions drop down list for messages in quarantine.](../../media/quarantine-message-bulk-actions.png) - ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) Release messages: Releases messages to all recipients. In the flyout that appears, you can choose the following options, which are the same as when you release a single message: - Add sender to your organization's allow list After you find a specific quarantined file, select the file to view details abou When you select a quarantined file from the list, the following information is available in the details flyout that opens: -![The details flyout of a quarantined file.](../../media/quarantine-file-details-flyout.png) - File Name - File URL: URL that defines the location of the file (for example, in SharePoint Online). To take action on the file, see the next section. > [!NOTE] > To remain in the details flyout, but change the quarantined file that you're looking at, use the up and down arrows at the top of the flyout. > -> ![The up and down arrows in the details flyout of a quarantined file.](../../media/quarantine-file-details-flyout-up-down-arrows.png) +> :::image type="content" source="../../media/quarantine-file-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of quarantined files" lightbox="../../media/quarantine-file-details-flyout-up-down-arrows.png"::: ### Take action on quarantined files After you select a quarantined file from the list, the following actions are available in the details flyout: -![Available actions in the details flyout of a quarantined file.](../../media/quarantine-file-details-flyout-actions.png) - ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) Release file<sup>\</sup>: In the flyout pane that appears, turn on or turn off Report files to Microsoft for analysis, and then click Release. - ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) If you don't release or remove the file, it will be deleted after the default qu When you select multiple quarantined files in the list (up to 100) by clicking in the blank area to the left of the Subject* column, the Bulk actions drop down list appears where you can take the following actions: -![Bulk actions drop down list for files in quarantine.](../../media/quarantine-file-bulk-actions.png) - ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) Release file: In the flyout pane that appears, turn on or turn off Report files to Microsoft for analysis, and then click Release. - ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) Delete from quarantine: After you click Yes in the warning that appears, the file is immediately deleted.
security	Manage Tenant Allows	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allows.md	Allow senders (or domains) on the Submissions page in Microsoft 365 Defender 7. When you're finished, click the Submit button. -> [!div class="mx-imgBorder"] > ![Submit malware to Microsoft for analysis example.](../../media/admin-submission-allow-messages.png)- ## Add URL allows using the Submissions portal Allow URLs on the Submissions page in Microsoft 365 Defender. Allow URLs on the Submissions page in Microsoft 365 Defender. > [!div class="mx-imgBorder"] > ![Submit URL for analysis.](../../media/submit-url-for-analysis.png)- ## Add File allows using the Submissions portal Allow Files on the Submissions page in Microsoft 365 Defender.
security	Mcas Saas Access Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mcas-saas-access-policies.md	Permissions to SaaS apps are typically based on business need for access to the To protect data across your collection of SaaS apps, the following diagram illustrates the necessary Azure AD conditional access policy plus suggested policies you can create in Defender for Cloud Apps. In this example, the policies created in Defender for Cloud Apps apply to all SaaS apps you are managing. These are designed to apply appropriate controls based on whether devices are managed as well as sensitivity labels that are already applied to files. The following table lists the new conditional access policy you must create in Azure AD. Defender for Cloud Apps can be a valuable tool for configuring protection for co The following illustration and table provide several examples of policies that can be configured to help comply with the General Data Protection Regulation (GDPR). In these examples, policies look for specific data. Based on the sensitivity of the data, each policy is configured to take appropriate action. \|Protection level\|Example policies\| \|\|\|
security	Mdo Email Entity Page	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md	The email entity page is available in the Microsoft 365 Defender portal at <http In Explorer, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page, reads 'Try out our new email entity page with enriched data...'. Select to view the new page. > [!NOTE] > The permissions needed to view and use this page are the same as to view Explorer. The admin must be a member of Global admin or global reader, or Security admin or Security Reader. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md). The structure is designed to be easy to read and navigate through at a glance. V 1. The most required fields are on the left side of the fly-out. These details are 'sticky', meaning they're anchored to the left no matter the tab you navigate to in the rest of the fly-out. - :::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="Graphic of the email entity page with the left side highlighted. The title and facts about the mail delivery are over here."::: + :::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="The Graphic of the email entity page with the left side highlighted" lightbox="../../media/email-entities-3-left-panel.png"::: 2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through Explorer will also be available through email entity page. - :::image type="content" source="../../media/email-entities-5-preview.png" alt-text="Graphic of the email entity page with the right side highlighted, this time. Actions like 'Email preview' and 'Go to quarantine' are here."::: + :::image type="content" source="../../media/email-entities-5-preview.png" alt-text="The Graphic of the email entity page with the right side highlighted" lightbox="../../media/email-entities-5-preview.png"::: 3. Deeper analysis can be done by sorting through the rest of the page. Check the email detection details, email authentication status, and header. This area should be looked on a case-by-case basis, but the info in these tabs is available for any email. - :::image type="content" source="../../media/email-entities-4-middle-panel.png" alt-text="The main panel of this page includes the email header and authentication status."::: + :::image type="content" source="../../media/email-entities-4-middle-panel.png" alt-text="The main panel of the page which includes the email header and authentication status" lightbox="../../media/email-entities-4-middle-panel.png"::: ### Use email entity page tabs Users will see enriched detonation details for known malicious attachments or UR 1. Behavior Details are an export that shows behavior details like exact events that took place during detonation, and observables that contain URLs, IPs, domains, and files that were found during detonation (and can either be problematic or benign). Be aware, there may be no behavior details for: - Container files like .zip or .rar that are holding other files. ### Other innovations
security	Mdo For Spo Odb And Teams	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams.md	Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled by When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores. The following image shows an example of a malicious file detected in a library. -![Files in OneDrive for Business with one detected as malicious.](../../media/2bba71cc-7ad1-4799-8b9d-d56f923db3a7.png) Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But they can delete the blocked file. Here's an example of what a blocked file looks like on a mobile device: -![Deleting a blocked file from OneDrive for Business from the OneDrive mobile app.](../../media/cb1c1705-fd0a-45b8-9a26-c22503011d54.png) By default, people can download a blocked file. Here's what downloading a blocked file looks like on a mobile device: -![Downloading a blocked file in OneDrive for Business.](../../media/be288a82-bdd8-4371-93d8-1783db3b61bc.png) SharePoint Online admins can prevent people from downloading malicious files. For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
security	Mfi Auto Forwarded Messages Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report.md	The Auto-forwarded messages insight in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) displays information about messages that are automatically forwarded from your organization to recipients in external domains. -![Auto-forwarded messages widget in the Security & Compliance Center.](../../media/mfi-auto-forwarded-messages.png) ## Auto-forwarded messages details When you click the number of messages in the widget, a flyout pane appears that - New users (last week) - A link to the [Forwarding modifications report](mfi-new-users-forwarding-email.md#forwarding-modifications-report) for more details. -![Details flyout for the Auto-forwarded messages report in the Security & Compliance Center.](../../media/mfi-auto-forwarded-messages-details.png) ## Insights
security	Mfi Domain Mail Flow Status Insight	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight.md	The Top domain mail flow status insight in the [Mail flow dashboard](mail-fl This insight helps you identify and troubleshoot domains that are experiencing *mail flow* issues. For example, the domain is unable to receive external email because the domain has expired or the domain has an incorrect MX record. -![Top domain flow status widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-top-domain-mail-flow-status-widget.png) When you click View details in the widget, a Domain status flyout appears that shows you more details for the status of each domain: When you click View details in the widget, a Domain status flyout appear You can click View more to see the same information for more domains. -![Details flyout in the Top domain mail flow status insight.](../../media/mfi-top-domain-mail-flow-status-view-details.png) ## See also
security	Mfi Mail Flow Map Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-flow-map-report.md	ms.prod: m365-security The Mail flow map in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) gives insight as to how mail flows through your organization. You can use this information to learn patterns, identify anomalies, and fix issues as they occur. -![Mail flow map widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-mail-flow-map-widget.png) By default, the widget shows the mail flow pattern from the previous day in a chart known as a Sankey diagram. You can use the left arrow ![Left arrow.](../../media/scc-left-arrow.png) and right arrow ![Right arrow](../../media/scc-right-arrow.png) to show information from different days. Each different color represents mail flow over a different inbound or outbound connector (or without using connectors). If you hover over a specific color, the number of messages is displayed for that type of connector. The following charts are available in the report view: - Show data for: Overview: This is basically a larger view of the widget. If you hover over a specific color, the number of messages is displayed for that type of connector. - ![Overview view in the Mail flow map report.](../../media/mfi-mail-flow-map-report-overview.png) + :::image type="content" source="../../media/mfi-mail-flow-map-report-overview.png" alt-text="The Overview view in the Mail flow map report" lightbox="../../media/mfi-mail-flow-map-report-overview.png"::: - Show data for: Detail: This view shows details about the connectors and destination domains. The top sender and recipient domains are listed, and the rest are put in Others. If you hover over a specific color and section, the number of messages is displayed. - ![Detail view in the Mail flow map report.](../../media/mfi-mail-flow-map-report-detail.png) + :::image type="content" source="../../media/mfi-mail-flow-map-report-detail.png" alt-text="The Detail view in the Mail flow map report" lightbox="../../media/mfi-mail-flow-map-report-detail.png"::: If you click Filters in a report view, you can specify a date range with Start date and End date. If you click Filters in a details table view, you can specify a date range w If you select a row, similar details are shown in a flyout: -![Details flyout from the details table in the Mail flow map.](../../media/mfi-mail-flow-map-view-details-table-details.png) To email the report for a specific date range to one or more recipients, click Request download.
security	Mfi Mail Loop Insight	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-loop-insight.md	The Fix possible mail loop insight in the Recommended for you area of th This insight appears only after the condition is detected (if you don't have any mail loops, you won't see the insight). -![Fix slow mail flow rules insight in the Recommended for you area of the Mail flow dashboard.](../../media/mfi-fix-possible-mail-loop.png) When you click View details on the widget, a flyout appears with more information: When you click View details on the widget, a flyout appears with more inform - MX record: The host (Mail server) and Priority values of the MX record for the domain. - Loop reason and How to fix: We'll identify the most common mail loop scenarios and provide recommended actions to fix the loop. -![Details flyout that appears after clicking View details on the Fix possible mail loop insight.](../../media/mfi-fix-possible-mail-loop-details.png) ## See also
security	Mfi New Domains Being Forwarded Email	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email.md	The New domains being forwarded email insight in the [Security & Compliance This insight appears only when the issue is detected, and it appears on the [Forwarding report](view-mail-flow-reports.md#forwarding-report) page. -![New domains being forwarded email insight.](../../media/mfi-new-domains-being-forwarded.png) + When you click on the widget, a flyout appears where you can find more details about the forwarded messages, including a link back to the [Forwarding report](view-mail-flow-reports.md#forwarding-report). -![Details flyout that appears after clicking on the New domains being forwarded email insight.](../../media/mfi-new-domains-being-forwarded-details.png) You can also get to this details page when you select the insight after you click View all in the Top insights & recommendations area on (Reports \> Dashboard or <https://protection.office.com/insightdashboard>).
security	Mfi New Users Forwarding Email	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email.md	The New domains being forwarded email insight in the [Security & Compliance This insight appears only when the issue is detected, and it appears on the [Forwarding report](view-mail-flow-reports.md#forwarding-report) page. -![New users forwarding email insight.](../../media/mfi-new-users-forwarding-email.png) When you click on the widget, a flyout appears where you can find more details about the forwarded messages, including a link to the [Forwarding modifications report](#forwarding-modifications-report) as described later in this article. -![Details flyout that appears after clicking on the New users forwarding email insight.](../../media/mfi-new-users-forwarding-email-details.png) You can also get to this details page when you select the insight after you click View all in the Top insights & recommendations area on (Reports \> Dashboard or <https://protection.office.com/insightdashboard>). The following charts are available in the report view: - Show data for: New forwarding users: - ![New forwarding users view in the Forwarding modifications report.](../../media/forwarding-modifications-report-new-forwarding-users.png) + :::image type="content" source="../../media/forwarding-modifications-report-new-forwarding-users.png" alt-text="The New forwarding users view in the Forwarding modifications report" lightbox="../../media/forwarding-modifications-report-new-forwarding-users.png"::: - Show data for: New forwarding domains: - ![New forwarded domains view in the Forwarding modifications report.](../../media/forwarding-modifications-report-new-forwarded-domains.png) + :::image type="content" source="../../media/forwarding-modifications-report-new-forwarded-domains.png" alt-text="The New forwarded domains view in the Forwarding modifications report" lightbox="../../media/forwarding-modifications-report-new-forwarded-domains.png"::: If you click Filters in a report view, you can specify a date range with Start date and End date. If you select a row from the table, a Details flyout appears with the follow - Start date - Recommendation: From here, you can click the link to manage the user in the Microsoft 365 admin center. -![Details flyout from the details table of the New forwarding users view in the Forwarding modifications report.](../../media/mfi-forwarding-modifications-report-new-forwarding-users-view-details-table-details.png) + :::image type="content" source="../../media/mfi-forwarding-modifications-report-new-forwarding-users-view-details-table-details.png" alt-text="The Details flyout from the details table of the New forwarding users view in the Forwarding modifications report" lightbox="../../media/mfi-forwarding-modifications-report-new-forwarding-users-view-details-table-details.png"::: To go back to the reports view, click View report.
security	Mfi Non Accepted Domain Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report.md	The Non-accepted domain report in the [Mail flow dashboard](mail-flow-insigh Microsoft 365 might throttle these messages if we have data to prove that the intent of these messages is malicious. Therefore, it's important for you to understand what's happening and to fix the issue. -![Non-accepted domain widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-non-accepted-domain-report-widget.png) ## Report view for the Non-accepted domain report By default, the activity for all affected connectors is shown. If you click Sh If you hover over a data point (day) in the chart, you'll see the total number of messages for the connector. -![Report view in the Non-accepted domain report.](../../media/mfi-non-accepted-domain-report-overview-view.png) ## Details table view for the Non-accepted domain report When you select a row in the table, a flyout appears with the following informat - Message count - Sample messages: You can click View sample messages to see the [message trace](message-trace-scc.md) results for a sample of the affected messages. -![Details flyout after selecting a row in Details table view in the Non-accepted domain report.](../../media/mfi-non-accepted-domain-report-details-flyout.png) To go back to the reports view, click View report**.
security	Mfi Non Delivery Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-delivery-report.md	ms.prod: m365-security The Non-delivery report in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) shows the most-encountered error codes in non-delivery reports (also known as NDRs or bounce messages) for users in your organization. This report shows the details of NDRs so you can troubleshoot email delivery problems. -![Non-delivery report widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-non-delivery-report-widget.png) ## Report view for the Non-delivery report By default, the activity for all error codes is shown. If you click Show data If you hover over a specific color (error code) on a specific day in the chart, you'll see the total number of messages for the error. -![Report view in the Non-accepted domain report.](../../media/mfi-non-delivery-report-overview-view.png) ## Details table view for the Non-delivery report When you select a row in the table, a flyout appears with the following informat - Count - Sample messages: You can click View sample messages** to see the [message trace](message-trace-scc.md) results for a sample of the affected messages. -![Details flyout after selecting a row in Details table view in the Non-delivery report.](../../media/mfi-non-delivery-report-details-flyout.png) + ## Related topics
security	Mfi Outbound And Inbound Mail Flow	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow.md	The Outbound and inbound mail flow insight in the [Mail flow dashboard](mail The widget displays the TLS encryption that's used for the connection when messages are delivered to and from your organization. The connections that are established with other email services are encrypted by TLS when TLS is offered by both sides. The widget offers a snapshot of the last week of mail flow. -![Outbound and inbound mail flow widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-outbound-and-inbound-mail-flow-report-widget.png) The information in the widget is related to connectors and TLS message protection in Microsoft 365. For more information, see these topics: The information in the widget is related to connectors and TLS message protectio When you click View Details on the widget, the Message protected in transit (by TLS) flyout shows you the TLS protection for messages entering and leaving your organization. -![Messages protected in transit (by TLS) flyout that appears after you click View details on the Outbound and inbound email widget.](../../media/mfi-outbound-and-inbound-mail-flow-report-details.png) Currently, TLS 1.2 is the most secure version of TLS that's offered by Microsoft 365. Often, you'll need to know the TLS encryption that's being used for compliance audits. You probably don't have a direct relationship with most of the source and destination email servers (you don't own them, and neither does Microsoft), so you don't have many options to improve the TLS encryption that's used by those servers.
security	Mfi Queue Alerts And Queues	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues.md	If the queued email volume exceeds the pre-defined threshold (the default value - An alert is displayed in Recent alerts the Alerts dashboard in the [Security & Compliance Center](https://protection.office.com) (Alerts \> Dashboard or <https://protection.office.com/alertsdashboard>). - ![Recent alerts in the Alerts dashboard in the Security & Compliance Center.](../../media/mfi-queued-messages-alert.png) + :::image type="content" source="../../media/mfi-queued-messages-alert.png" alt-text="The Recent alerts in the Alerts dashboard in the Security & Compliance Center" lightbox="../../media/mfi-queued-messages-alert.png"::: + - Admins will receive an email notification based on the configuration of the default alert policy named Messages have been delayed. To configure the notification settings for this alert, see the next section. If the queued email volume exceeds the pre-defined threshold (the default value 3. In the Message have been delayed flyout that opens, you can turn the alert on or off and configure the notification settings. - ![Messages have been delayed alert policy details the Security & Compliance Center.](../../media/mfi-queued-messages-alert-policy.png) + :::image type="content" source="../../media/mfi-queued-messages-alert-policy.png" alt-text="The details of the Messages have been delayed alert" lightbox="../../media/mfi-queued-messages-alert-policy.png"::: - Status: You can toggle the alert on or off. If the queued email volume exceeds the pre-defined threshold (the default value - Daily notification limit: The default value is No limit. - Threshold: The default value is 200. - ![Notification settings in the Messages have been delayed alert policy details the Security & Compliance Center.](../../media/mfi-queued-messages-alert-policy-notification-settings.png) + :::image type="content" source="../../media/mfi-queued-messages-alert-policy-notification-settings.png" alt-text="The Notification settings in the Messages have been delayed alert" lightbox="../../media/mfi-queued-messages-alert-policy-notification-settings.png"::: 5. When you're finished, click Save and Close. If the queued email volume exceeds the pre-defined threshold (the default value Even if the queued message volume hasn't exceeded the threshold and generated an alert, you can still use the Queues insight in the [Mail flow dashboard](mail-flow-insights-v2.md) to see messages that have been queued for more than one hour, and take action before the number of queued messages becomes too large. -![Queues widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-queues-widget.png) If you click the number of messages on the widget, a Messages queued flyout appears with the following information: If you click the number of messages on the widget, a Messages queued flyout - Last error - How to fix: Common issues and solutions are available. If a Fix it now link is available, click it to fix the problem. Otherwise, click on any available links for more information about the error and possible solutions. -![Details after clicking on the Queues insight in the Mail flow dashboard.](../../media/mfi-queues-details.png) The same flyout is displayed after you click View queue in the details of a Messages have been delayed alert. -![Messages have been delayed alert details in the Security & Compliance Center.](../../media/mfi-queued-messages-alert-details.png) ## See also
security	Mfi Slow Mail Flow Rules Insight	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight.md	This insight appears only after the condition is detected (if you don't have any You can use this notification to help you to identify and fine-tune mail flow rules to help reduce mail flow delays. -![Fix slow mail flow rules insight in the Recommended for you area of the Mail flow dashboard.](../../media/mfi-fix-slow-mail-flow-rules.png) When you click View details on the widget, a flyout appears with more information: When you click View details on the widget, a flyout appears with more inform - Average time spent on each message - Median time spent on a message: The middle value that separates the upper half from the lower half of time data. -![Details flyout that appears after clicking View details on the Fix slow mail flow rules insight.](../../media/mfi-fix-slow-mail-flow-rules-details.png) For more information about conditions and exceptions in mail flow rules, see [Mail flow rule conditions and exceptions (predicates) in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions).
security	Mfi Smtp Auth Clients Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report.md	The SMTP Auth clients insight in the [Mail flow dashboard](mail-flow-insight The widget indicates the number of users or service accounts that have used the SMTP Auth protocol in the last 7 days. -![SMTP Auth clients widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-smtp-auth-clients-report-widget.png) If you click the number of messages on the widget, an SMTP Auth clients flyout appears. The flyout provides an aggregated view of the TLS usage and volumes for the last week. -![Details flyout after clicking on the SMTP Auth clients widget in the Mail flow dashboard.](../../media/mfi-smtp-auth-clients-report-details.png) You can click the SMTP Auth clients report link to go to the SMTP Auth clients report as described in the next section. The overview section contains the following charts: - View data by: Sending volume: By default, the chart shows the number of SMTP Auth client messages that were sent from all domains (Show data for: All sender domains is selected by default). You can filter the results to a specific sender domain by clicking Show data for and selecting the sender domain from the dropdown list. If you hover a specific data point (day), the number of messages is shown. - ![Sending volume view in the SMTP Auth clients report in the Security & Compliance Center.](../../media/mfi-smtp-auth-clients-report-sending-volume-view.png) + :::image type="content" source="../../media/mfi-smtp-auth-clients-report-sending-volume-view.png" alt-text="The Sending volume view in the SMTP Auth clients report in the Security & Compliance Center" lightbox="../../media/mfi-smtp-auth-clients-report-sending-volume-view.png"::: - View data by: TLS Usage: The chart shows the percentage of TLS usage for all SMTP Auth client messages during the selected time period. This chart allows you to identify and take action on users and system accounts that are still using older versions of TLS. - ![TLS usage view in the SMTP Auth clients report in the Security & Compliance Center.](../../media/mfi-smtp-auth-clients-report-tls-usage-view.png) + :::image type="content" source="../../media/mfi-smtp-auth-clients-report-tls-usage-view.png" alt-text="The TLS usage view in the SMTP Auth clients report in the Security & Compliance Center" lightbox="../../media/mfi-smtp-auth-clients-report-tls-usage-view.png"::: If you click Filters in a report view, you can specify a date range with Start date and End date. If you click Filters in a details table view, you can specify a date range w If you select a row, similar details are shown in a flyout: -![Details flyout from the details table of the TLS usage view in the SMTP Auth clients report.](../../media/mfi-smtp-auth-clients-report-tls-usage-view-view-details-table-details.png) Click Request report to receive a more detailed version of the report in an email message. You can specify the date range and the recipients to receive the report.
security	Microsoft 365 Policies Configurations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md	Each industry also has their own set of specialized regulations. Rather than pro - Enterprise: Some customers have a subset of data that must be protected at higher levels, or they may require all data to be protected at a higher level. You can apply increased protection to all or specific data sets in your Microsoft 365 environment. We recommend protecting identities and devices that access sensitive data with comparable levels of security. - Specialized security: As needed, a few customers have a small amount of data that is highly classified, constitutes trade secrets, or is regulated. Microsoft provides capabilities to help these customers meet these requirements, including added protection for identities and devices. -![Security cone - All customers > Some customers > A few customers](../../media/microsoft-365-policies-configurations/M365-idquality-threetiers.png) This guidance shows you how to implement Zero Trust protection for identities and devices for each of these levels of protection. Use this guidance as a minimum for your organization and adjust the policies to meet your organization's specific requirements. Additionally, see the [Deploy information protection for data privacy regulation Implementing any security strategy requires trade-offs between security and productivity. It's helpful to evaluate how each decision affects the balance of security, functionality, and ease of use. -![Security triad balancing security, functionality, and ease of use.](../../media/microsoft-365-policies-configurations/security-triad.png) The recommendations provided are based on the following principles: Azure AD provides a full suite of identity management capabilities. We recommend Here are the components of Zero Trust identity and device access, including Intune and Azure AD objects, settings, and subservices. ### Microsoft Intune Microsoft recommends that you do not create policy sets that apply to all apps b ## Steps to configure Zero Trust identity and device access -![Steps to configure Zero Trust identity and device access.](../../media/microsoft-365-policies-configurations/identity-device-access-steps.png) 1. Configure prerequisite identity features and their settings. 2. Configure the common identity and access Conditional Access policies.
security	Migrate To Defender For Office 365 Onboard	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md	ms.prod: m365-security <br> -\|[![Phase 1: Prepare.](../../medi)\|![Phase 3: Onboard.](../../media/phase-diagrams/onboard.png) <br> Phase 3: Onboard\| +\|[![Phase 1: Prepare.](../../medi)\|![Phase 3: Onboard.](../../media/phase-diagrams/onboard.png) <br> Phase 3: Onboard\| \|\|\|\| \|\|\|You are here!\| Congratulations! You have completed your [migration to Microsoft Defender for Of Now you begin the normal operation and maintenance of Defender for Office 365. Monitor and watch for issues that are similar to what you experienced during the pilot, but on a larger scale. The [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [impersonation insight](impersonation-insight.md) will be most helpful, but consider making the following activities a regular occurrence: -- Review user submissions, especially [user-reported phishing messages](https://docs.microsoft.com/microsoft-365/security/office-365-security/automated-investigation-response-office) +- Review user submissions, especially [user-reported phishing messages](automated-investigation-response-office.md) - Review overrides in the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report). - Use [Advanced Hunting](/microsoft-365/security/defender/advanced-hunting-example) queries to look for tuning opportunities and risky messages.
security	Migrate To Defender For Office 365 Prepare	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare.md	ms.prod: m365-security <br> -\|![Phase 1: Prepare.](../../medi)\| +\|![Phase 1: Prepare.](../../medi)\| \|\|\|\| \|You are here!\|\|\|
security	Migrate To Defender For Office 365 Setup	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup.md	ms.prod: m365-security <br> -\|[![Phase 1: Prepare.](../../medi)\| +\|[![Phase 1: Prepare.](../../medi)\| \|\|\|\| \|\|You are here!\|\|
security	Migrate To Defender For Office 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365.md	This guide provides specific and actionable steps for your migration, and assume - You already have Microsoft 365 mailboxes, but you're currently using a third-party service or device for email protection. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization, and Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced). - ![Mail flows from the internet through the third-party protection service or device before delivery into Microsoft 365.](../../media/mdo-migration-before.png) + :::image type="content" source="../../medio-migration-before.png"::: - You're beyond the investigation and consideration phase for protection by Defender for Office 365. If you need to evaluate Defender for Office 365 to decide whether it's right for your organization, we recommend that you consider [Evaluation Mode](office-365-evaluation.md). This guide provides specific and actionable steps for your migration, and assume - You need to retire your existing third-party protection service, which means you'll ultimately need to point the MX records for your email domains to Microsoft 365. When you're done, mail from the internet will flow directly into Microsoft 365 and will be protected exclusively by Exchange Online Protection (EOP) and Defender for Office 365. - ![Your existing protection service or devices is eliminated, so mail flows from the internet into Microsoft 365, with full protection from Microsoft Defender for Office 365.](../../media/mdo-migration-after.png) + :::image type="content" source="../../medio-migration-after.png"::: Eliminating your existing protection service in favor of Defender for Office 365 is a big step that you shouldn't take lightly, nor should you rush to make the change. The guidance in this migration guide will help you transition your protection in an orderly manner with minimal disruption to your users. The very high-level migration steps are illustrated in the following diagram. The actual steps are listed in the section named [The migration process](#the-migration-process) later in this article. -![Migrate from a third-party protection solution or device to Defender for Office 365.](../../media/mdo-migration-overview.png) ## Why use the steps in this guide? This migration guide gives you a plan for gradually "turning the dial" so you ca The process of migrating from a third-party protection service to Defender for Office 365 can be divided into three phases as described in the following table: -![The process for migrating to Defender for Office 365.](../../media/phase-diagrams/migration-phases.png) \|Phase\|Description\| \|\|\|
security	Monitor For Leaks Of Personal Data	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md	ms.prod: m365-security There are many tools that can be used to monitor the use and transport of personal data. This topic describes three tools that work well. -![Tools to monitor the use and transport of personal data.](../../media/Monitor-for-leaks-of-personal-data-image1.png) In the illustration: DLP reports are in the Microsoft 365 compliance center. Go to Reports \> **O For more information, see [View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md). -![Report showing DLP policy matches.](../../media/Monitor-for-leaks-of-personal-data-image2.png) ## Audit log and alert policies To better understand your cloud environment, the Defender for Cloud Apps investi For examples, the following illustration demonstrates two Defender for Cloud Apps policies that can help with GDPR. -![Example Defender for Cloud Apps policies.](../../media/Monitor-for-leaks-of-personal-data-image3.png) The first policy alerts when files with a predefined PII attribute or custom expression that you choose is shared outside the organization from the SaaS apps that you choose. If you haven't yet started to use Defender for Cloud Apps, begin by starting it > [!NOTE] > Be sure to enable 'Automatically scan files for Azure Information Protection classification labels' (in General settings) when getting started with Defender for Cloud Apps or before you assign labels. After setup, Defender for Cloud Apps does not scan existing files again until they are modified. -![Dashboard showing information about alerts.](../../media/Monitor-for-leaks-of-personal-data-image4.png) More information:
security	Office 365 Air	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md	Permissions are granted through certain roles, such as those that are described If you're already using AIR capabilities in Microsoft Defender for Office 365, you're about to see some changes in the [improved Microsoft 365 Defender portal](../defender/microsoft-365-defender.md#the-microsoft-365-defender-portal). The new and improved Microsoft 365 Defender portal <https://security.microsoft.com> brings together AIR capabilities in [Microsoft Defender for Office 365](defender-for-office-365.md) and in [Microsoft Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
security	Office 365 Ti	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md	Threat investigation and response capabilities in the Microsoft 365 Defender por Use [Explorer (and real-time detections)](threat-explorer.md) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Explorer (also referred to as Threat Explorer) is the starting place for any security analyst's investigation workflow. -![Threat explorer.](../../media/7a7cecee-17f0-4134-bcb8-7cee3f3c3890.png) To view and use this report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to Email & collaboration \> Explorer. Or, to go directly to the Explorer page, use <https://security.microsoft.com/threatexplorer>. To receive contextual device integration in Office 365 Threat Intelligence, you' Use the Incidents list (this is also called Investigations) to see a list of in flight security incidents. Incidents are used to track threats such as suspicious email messages, and to conduct further investigation and remediation. -![List of current Threat Incidents in Office 365.](../../media/acadd4c7-d2de-4146-aeb8-90cfad805a9c.png) To view the list of current incidents for your organization in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to Incidents & alerts \> Incidents. Or, to go directly to the Incidents page, use <https://security.microsoft.com/incidents>. -![In the Security & Compliance Center, choose Threat management \> Review.](../../media/e0f46454-fa38-40f0-a120-b595614d1d22.png) ### Attack simulation training Use automated investigation and response (AIR) capabilities to save time and eff As part of the Microsoft Defender for Office 365 Plan 2 offering, security analysts can review details about a known threat. This is useful to determine whether there are additional preventative measures/steps that can be taken to keep users safe. -![Security Trends showing information about recent threats.](../../media/11e7d40d-139b-4c56-8d52-c091c8654151.png) ## How do we get these capabilities?
security	Old Index	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/old-index.md	But in terms of architecture, let's start by thinking of each piece as cumulativ <!--:::image type="content" source="../../media/tp-EOPATPStack.PNG" alt-text="Placeholder graphic.":::--> Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, *all* the services can carry out *any* of the goals of protecting, detecting, investigating, and responding.
security	Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md	You may be accustomed to seeing these three components discussed in this way: But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this: Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, *all* the services can carry out *any* of the goals of protecting, detecting, investigating, and responding.
security	Permissions In The Security And Compliance Center	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md	The Security & Compliance Center lets you grant permissions to people who perfor Permissions in the Security & Compliance Center are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by Exchange, so if you're familiar with Exchange, granting permissions in the Security & Compliance Center will be very similar. It's important to remember, however, that Exchange role groups and Security & Compliance Center role groups don't share membership or permissions. While both have an Organization Management role group, they aren't the same. The permissions they grant, and the members of the role groups, are different. There's a list of Security & Compliance Center role groups below. -![Permissions page in the Security & Compliance Center.](../../media/992c20ca-e82e-497c-9c8d-6fab212deb80.png) ## Relationship of members, roles, and role groups A role group is a set of roles that lets people do their jobs across the Sec The Security & Compliance Center includes default role groups for the most common tasks and functions that you'll need to assign people to. We recommend simply adding individual users as members to the default role groups. -![Diagram showing relationship of role groups to roles and members.](../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png) ## Role groups in the Security & Compliance Center To see how to grant access to the Security & Compliance Center, check out [Give \|\|\|\| \|Attack Simulation Administrators\|Don't use this role group in the Security & Compliance Center. Use the corresponding role in Azure AD.\|Attack Simulator Admin\| \|Attack Simulator Payload Authors\|Don't use this role group in the Security & Compliance Center. Use the corresponding role in Azure AD.\|Attack Simulator Payload Author\| -\|Communication Compliance\|Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.\|Case Management <p><p> Communication Compliance Admin <p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Communication Compliance Viewer <p> Data Classification Feedback Provider <p> Data Connector Admin <p> View-Only Case\| -\|Communication Compliance Administrators\|Administrators of communication compliance that can create/edit policies and define global settings.\|Communication Compliance Admin <p><p> Communication Compliance Case Management <p> Data Connector Admin\| -\|Communication Compliance Analysts\|Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions.\|Communication Compliance Analysis <p><p> Communication Compliance Case Management\| -\|Communication Compliance Investigators\|Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions.\|Case Management <p><p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Data Classification Feedback Provider <p> View-Only Case\| -\|Communication Compliance Viewers\|Viewer of communication compliance that can access the available reports and widgets.\|Communication Compliance Case Management <p><p> Communication Compliance Viewer\| -\|Compliance Administrator<sup>1</sup>\|Members can manage settings for device management, data loss prevention, reports, and preservation.\|Case Management <p><p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Classification Feedback Provider <p> Data Classification Feedback Reviewer <p> Data Connector Admin <p> Data Investigation Management <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> View-Only Audit Logs <p> View-Only Case <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management\| -\|Compliance Data Administrator\|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.\|Compliance Administrator <p><p> Compliance Search <p> Data Connector Admin <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> Sensitivity Label Administrator <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management\| -\|Compliance Manager Administrators\|Manage template creation and modification.\|Compliance Manager Administration <p><p> Compliance Manager Assessment <p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin\| -\|Compliance Manager Assessors\|Create assessments, implement improvement actions, and update test status for improvement actions.\|Compliance Manager Assessment <p><p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin\| -\|Compliance Manager Contributors\|Create assessments and perform work to implement improvement actions.\|Compliance Manager Contribution <p><p> Compliance Manager Reader <p> Data Connector Admin\| +\|Communication Compliance\|Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.\|Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Analysis <br/><br/> Communication Compliance Case Management <br/><br/> Communication Compliance Investigation <br/><br/> Communication Compliance Viewer <br/><br/> Data Classification Feedback Provider <br/><br/> Data Connector Admin <br/><br/> View-Only Case\| +\|Communication Compliance Administrators\|Administrators of communication compliance that can create/edit policies and define global settings.\|Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Data Connector Admin\| +\|Communication Compliance Analysts\|Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions.\|Communication Compliance Analysis <br/><br/> Communication Compliance Case Management\| +\|Communication Compliance Investigators\|Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions.\|Case Management <br/><br/> Communication Compliance Analysis <br/><br/> Communication Compliance Case Management <br/><br/> Communication Compliance Investigation <br/><br/> Data Classification Feedback Provider <br/><br/> View-Only Case\| +\|Communication Compliance Viewers\|Viewer of communication compliance that can access the available reports and widgets.\|Communication Compliance Case Management <br/><br/> Communication Compliance Viewer\| +\|Compliance Administrator<sup>1</sup>\|Members can manage settings for device management, data loss prevention, reports, and preservation.\|Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Compliance Administrator <br/><br/> Compliance Search <br/><br/> Data Classification Feedback Provider <br/><br/> Data Classification Feedback Reviewer <br/><br/> Data Connector Admin <br/><br/> Data Investigation Management <br/><br/> Device Management <br/><br/> Disposition Management <br/><br/> DLP Compliance Management <br/><br/> Hold <br/><br/> IB Compliance Management <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader <br/><br/> Insider Risk Management Admin <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> View-Only Audit Logs <br/><br/> View-Only Case <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management\| +\|Compliance Data Administrator\|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.\|Compliance Administrator <br/><br/> Compliance Search <br/><br/> Data Connector Admin <br/><br/> Device Management <br/><br/> Disposition Management <br/><br/> DLP Compliance Management <br/><br/> IB Compliance Management <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Sensitivity Label Administrator <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management\| +\|Compliance Manager Administrators\|Manage template creation and modification.\|Compliance Manager Administration <br/><br/> Compliance Manager Assessment <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Data Connector Admin\| +\|Compliance Manager Assessors\|Create assessments, implement improvement actions, and update test status for improvement actions.\|Compliance Manager Assessment <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Data Connector Admin\| +\|Compliance Manager Contributors\|Create assessments and perform work to implement improvement actions.\|Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Data Connector Admin\| \|Compliance Manager Readers\|View all Compliance Manager content except for administrator functions.\|Compliance Manager Reader\| \|Content Explorer Content Viewer\|View the contents files in Content explorer.\|Data Classification Content Viewer\| \|Content Explorer List Viewer\|View all items in Content explorer in list format only.\|Data Classification List Viewer\| -\|Data Investigator\|Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.\|Communication <p><p> Compliance Search <p> Custodian <p> Data Investigation Management <p> Export <p> Preview <p> Review <p> RMS Decrypt <p> Search And Purge\| -\|eDiscovery Manager\|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. <p> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <p> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the eDiscovery cases page in the Security & Compliance Center. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the Security & Compliance Center](../../compliance/assign-ediscovery-permissions.md).\|Case Management <p><p> Communication <p> Compliance Search <p> Custodian <p> Export <p> Hold <p> Preview <p> Review <p> RMS Decrypt\| -\|Global Reader\|Members have read-only access to reports, alerts, and can see all the configuration and settings. <p> The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings.\|Security Reader <p><p> Sensitivity Label Reader <p> Service Assurance View <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management\| -\|Information Protection\|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.\|Data Classification Content Viewer <p><p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader\| +\|Data Investigator\|Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.\|Communication <br/><br/> Compliance Search <br/><br/> Custodian <br/><br/> Data Investigation Management <br/><br/> Export <br/><br/> Preview <br/><br/> Review <br/><br/> RMS Decrypt <br/><br/> Search And Purge\| +\|eDiscovery Manager\|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. <br/><br/> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <br/><br/> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the eDiscovery cases page in the Security & Compliance Center. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the Security & Compliance Center](../../compliance/assign-ediscovery-permissions.md).\|Case Management <br/><br/> Communication <br/><br/> Compliance Search <br/><br/> Custodian <br/><br/> Export <br/><br/> Hold <br/><br/> Preview <br/><br/> Review <br/><br/> RMS Decrypt\| +\|Global Reader\|Members have read-only access to reports, alerts, and can see all the configuration and settings. <br/><br/> The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings.\|Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management\| +\|Information Protection\|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.\|Data Classification Content Viewer <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader\| \|Information Protection Admins\|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.\|Information Protection Admin\| -\|Information Protection Analysts\|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Data Classification List Viewer <p><p> Information Protection Analyst\| -\|Information Protection Investigators\|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Data Classification Content Viewer <p><p> Information Protection Analyst <p> Information Protection Investigator\| +\|Information Protection Analysts\|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Data Classification List Viewer <br/><br/> Information Protection Analyst\| +\|Information Protection Investigators\|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Data Classification Content Viewer <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator\| \|Information Protection Readers\|View-only access to reports for DLP polcies and sensitivity labels and their policies.\|Information Protection Reader\| -\|Insider Risk Management\|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.\|Case Management <p><p> Data Connector Admin <p> Insider Risk Management Admin <p> Insider Risk Management Analysis <p> Insider Risk Management Audit <p> Insider Risk Management Investigation <p> Insider Risk Management Sessions <p> View-Only Case\| -\|Insider Risk Management Admins\|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.\|Case Management <p><p> Data Connector Admin <p> Insider Risk Management Admin <p> View-Only Case\| -\|Insider Risk Management Analysts\|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.\|Case Management <p><p> Insider Risk Management Analysis <p> View-Only Case\| +\|Insider Risk Management\|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.\|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> Insider Risk Management Analysis <br/><br/> Insider Risk Management Audit <br/><br/> Insider Risk Management Investigation <br/><br/> Insider Risk Management Sessions <br/><br/> View-Only Case\| +\|Insider Risk Management Admins\|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.\|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> View-Only Case\| +\|Insider Risk Management Analysts\|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.\|Case Management <br/><br/> Insider Risk Management Analysis <br/><br/> View-Only Case\| \|Insider Risk Management Auditors\|Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log.\|Insider Risk Management Audit\| -\|Insider Risk Management Investigators\|Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.\|Case Management <p><p> Insider Risk Management Investigation <p> View-Only Case\| +\|Insider Risk Management Investigators\|Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.\|Case Management <br/><br/> Insider Risk Management Investigation <br/><br/> View-Only Case\| \|Insider Risk Management Session Approvers\|Manage group modification requests for session recording.\|Insider Risk Management Sessions\| -\|IRM Contributors\|This role group is visible, but is used by background services only.\|Insider Risk Management Permanent contribution <p><p> Insider Risk Management Temporary contribution\| +\|IRM Contributors\|This role group is visible, but is used by background services only.\|Insider Risk Management Permanent contribution <br/><br/> Insider Risk Management Temporary contribution\| \|Knowledge Administrators\|Configure knowledge, learning, assign trainings and other intelligent features.\|Knowledge Admin\| \|MailFlow Administrator\|Members can monitor and view mail flow insights and reports in the Security & Compliance Center. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.\|View-Only Recipients\| -\|Organization Management<sup>1</sup>\|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).\|Audit Logs <p><p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management\| -\|Privacy Management\|Manage access control for Priva in the Microsoft 365 compliance center.\|Case Management <p><p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case\| -\|Privacy Management Administrators\|Administrators of privacy management solution that can create/edit policies and define global settings.\|Case Management <p><p> Privacy Management Admin <p> View-Only Case\| -\|Privacy Management Analysts\|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.\|Case Management <p><p> Data Classification List Viewer <p> Privacy Management Analysis <p> View-Only Case\| -\|Privacy Management Contributors\|Manage contributor access for privacy management cases.\|Privacy Management Permanent contribution <p><p> Privacy Management Temporary contribution\| -\|Privacy Management Investigators\|Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.\|Case Management <p><p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Investigation <p> View-Only Case\| -\|Privacy Management Viewers\|Viewer of privacy management solution that can access the available dashboards and widgets.\|Data Classification List Viewer <p><p> Privacy Management Viewer\| +\|Organization Management<sup>1</sup>\|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <br/><br/> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <br/><br/> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).\|Audit Logs <br/><br/> Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Compliance Administrator <br/><br/> Compliance Search <br/><br/> Data Connector Admin <br/><br/> Device Management <br/><br/> DLP Compliance Management <br/><br/> Hold <br/><br/> IB Compliance Management <br/><br/> Insider Risk Management Admin <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> Quarantine <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Role Management <br/><br/> Search And Purge <br/><br/> Security Administrator <br/><br/> Security Reader <br/><br/> Sensitivity Label Administrator <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> Tag Contributor <br/><br/> Tag Manager <br/><br/> Tag Reader <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Case <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management\| +\|Privacy Management\|Manage access control for Priva in the Microsoft 365 compliance center.\|Case Management <br/><br/> Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Admin <br/><br/> Privacy Management Analysis <br/><br/> Privacy Management Investigation <br/><br/> Privacy Management Permanent contribution <br/><br/> Privacy Management Temporary contribution <br/><br/> Privacy Management Viewer <br/><br/> Subject Rights Request Admin <br/><br/> View-Only Case\| +\|Privacy Management Administrators\|Administrators of privacy management solution that can create/edit policies and define global settings.\|Case Management <br/><br/> Privacy Management Admin <br/><br/> View-Only Case\| +\|Privacy Management Analysts\|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.\|Case Management <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Analysis <br/><br/> View-Only Case\| +\|Privacy Management Contributors\|Manage contributor access for privacy management cases.\|Privacy Management Permanent contribution <br/><br/> Privacy Management Temporary contribution\| +\|Privacy Management Investigators\|Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.\|Case Management <br/><br/> Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Investigation <br/><br/> View-Only Case\| +\|Privacy Management Viewers\|Viewer of privacy management solution that can access the available dashboards and widgets.\|Data Classification List Viewer <br/><br/> Privacy Management Viewer\| \|Quarantine Administrator\|Members can access all Quarantine actions. For more information, see [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md)\|Quarantine\| -\|Records Management\|Members can configure all aspects of records management, including retention labels and disposition reviews.\|Disposition Management <p><p> RecordManagement <p> Retention Management\| +\|Records Management\|Members can configure all aspects of records management, including retention labels and disposition reviews.\|Disposition Management <br/><br/> RecordManagement <br/><br/> Retention Management\| \|Reviewer\|Members can access review sets in [Advanced eDiscovery](../../compliance/overview-ediscovery-20.md) cases. Members of this role group can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.\|Review\| -\|Security Administrator\|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. <p> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same -\|Security Operator\|Members can manage security alerts, and also view reports and settings of security features.\|Compliance Search <p><p> Manage Alerts <p> Security Reader <p> Tag Contributor <p> Tag Reader <p> Tenant AllowBlockList Manager <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts\| -\|Security Reader\|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.\|Security Reader <p><p> Sensitivity Label Reader <p> Tag Reader <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts\| +\|Security Administrator\|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <br/><br/> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <br/><br/> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. <br/><br/> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same +\|Security Operator\|Members can manage security alerts, and also view reports and settings of security features.\|Compliance Search <br/><br/> Manage Alerts <br/><br/> Security Reader <br/><br/> Tag Contributor <br/><br/> Tag Reader <br/><br/> Tenant AllowBlockList Manager <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts\| +\|Security Reader\|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <br/><br/> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <br/><br/> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.\|Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Tag Reader <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts\| \|Service Assurance User\|Members can access the Service assurance section in the Security & Compliance Center. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see [Service assurance in the Security & Compliance Center](../../compliance/service-assurance.md).\|Service Assurance View\| -\|Subject Rights Request Administrators\|Create subject rights requests.\|Case Management <p><p> Subject Rights Request Admin <p> View-Only Case\| +\|Subject Rights Request Administrators\|Create subject rights requests.\|Case Management <br/><br/> Subject Rights Request Admin <br/><br/> View-Only Case\| \|Supervisory Review\|Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see [Configure communication compliance policies for your organization](../../compliance/communication-compliance-configure.md).\|Supervisory Review Administrator\| > [!NOTE] Note that the following roles aren't assigned to the Organization Management rol \|\|\|\| \|Attack Simulator Admin\|Don't use this role in the Security & Compliance Center. Use the corresponding role in Azure AD.\|Attack Simulator Administrators\| \|Attack Simulator Payload Author\|Don't use this role in the Security & Compliance Center. Use the corresponding role in Azure AD.\|Attack Simulator Payload Authors\| -\|Audit Logs\|Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file.\|Organization Management <p><p> Security Administrator\| -\|Case Management\|Create, edit, delete, and control access to eDiscovery cases.\|Communication Compliance <p><p> Communication Compliance Investigators <p> Compliance Administrator <p> eDiscovery Manager <p> Insider Risk Management <p> Insider Risk Management Admins <p> Insider Risk Management Analysts <p> Insider Risk Management Investigators <p> Organization Management <p> Privacy Management <p> Privacy Management Administrators <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Subject Rights Request Administrators\| -\|Communication\|Manage all communications with the custodians identified in an Advanced eDiscovery case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian.\|Data Investigator <p><p> eDiscovery Manager\| -\|Communication Compliance Admin\|Used to manage policies in the Communication Compliance feature.\|Communication Compliance <p><p> Communication Compliance Administrators <p> Compliance Administrator <p> Organization Management\| -\|Communication Compliance Analysis\|Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data.\|Communication Compliance <p><p> Communication Compliance Analysts <p> Communication Compliance Investigators\| -\|Communication Compliance Case Management\|Used to access Communication Compliance cases.\|Communication Compliance <p><p> Communication Compliance Administrators <p> Communication Compliance Analysts <p> Communication Compliance Investigators <p> Communication Compliance Viewers <p> Compliance Administrator <p> Organization Management\| -\|Communication Compliance Investigation\|Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message.\|Communication Compliance <p><p> Communication Compliance Investigators\| -\|Communication Compliance Viewer\|Used to access reports and widgets in the Communication Compliance feature.\|Communication Compliance <p><p> Communication Compliance Viewers\| -\|Compliance Administrator\|View and edit settings and reports for compliance features.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management\| +\|Audit Logs\|Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file.\|Organization Management <br/><br/> Security Administrator\| +\|Case Management\|Create, edit, delete, and control access to eDiscovery cases.\|Communication Compliance <br/><br/> Communication Compliance Investigators <br/><br/> Compliance Administrator <br/><br/> eDiscovery Manager <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Admins <br/><br/> Insider Risk Management Analysts <br/><br/> Insider Risk Management Investigators <br/><br/> Organization Management <br/><br/> Privacy Management <br/><br/> Privacy Management Administrators <br/><br/> Privacy Management Analysts <br/><br/> Privacy Management Investigators <br/><br/> Subject Rights Request Administrators\| +\|Communication\|Manage all communications with the custodians identified in an Advanced eDiscovery case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian.\|Data Investigator <br/><br/> eDiscovery Manager\| +\|Communication Compliance Admin\|Used to manage policies in the Communication Compliance feature.\|Communication Compliance <br/><br/> Communication Compliance Administrators <br/><br/> Compliance Administrator <br/><br/> Organization Management\| +\|Communication Compliance Analysis\|Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data.\|Communication Compliance <br/><br/> Communication Compliance Analysts <br/><br/> Communication Compliance Investigators\| +\|Communication Compliance Case Management\|Used to access Communication Compliance cases.\|Communication Compliance <br/><br/> Communication Compliance Administrators <br/><br/> Communication Compliance Analysts <br/><br/> Communication Compliance Investigators <br/><br/> Communication Compliance Viewers <br/><br/> Compliance Administrator <br/><br/> Organization Management\| +\|Communication Compliance Investigation\|Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message.\|Communication Compliance <br/><br/> Communication Compliance Investigators\| +\|Communication Compliance Viewer\|Used to access reports and widgets in the Communication Compliance feature.\|Communication Compliance <br/><br/> Communication Compliance Viewers\| +\|Compliance Administrator\|View and edit settings and reports for compliance features.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management\| \|Compliance Manager Administration\|Manage template creation and modification.\|Compliance Manager Administrators\| -\|Compliance Manager Assessment\|Create assessments, implement improvement actions, and update test status for improvement actions.\|Compliance Manager Administrators <p><p> Compliance Manager Assessors\| -\|Compliance Manager Contribution\|Create assessments and perform work to implement improvement actions.\|Compliance Manager Administrators <p><p> Compliance Manager Assessors <p> Compliance Manager Contributors\| -\|Compliance Manager Reader\|View all Compliance Manager content except for administrator functions.\|Compliance Manager Administrators <p><p> Compliance Manager Assessors <p> Compliance Manager Contributors <p> Compliance Manager Readers\| -\|Compliance Search\|Perform searches across mailboxes and get an estimate of the results.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Data Investigator <p> eDiscovery Manager <p> Organization Management <p> Security Operator\| -\|Custodian\|Identify and manage custodians for Advanced eDiscovery cases and use the information from Azure Active Directory and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case.\|Data Investigator <p><p> eDiscovery Manager\| -\|Data Classification Content Viewer\|View in-place rendering of files in Content explorer.\|Content Explorer Content Viewer <p><p> Information Protection <p> Information Protection Investigators <p> Privacy Management <p> Privacy Management Investigators\| -\|Data Classification Feedback Provider\|Allows providing feedback to classifiers in content explorer.\|Communication Compliance <p><p> Communication Compliance Investigators <p> Compliance Administrator\| +\|Compliance Manager Assessment\|Create assessments, implement improvement actions, and update test status for improvement actions.\|Compliance Manager Administrators <br/><br/> Compliance Manager Assessors\| +\|Compliance Manager Contribution\|Create assessments and perform work to implement improvement actions.\|Compliance Manager Administrators <br/><br/> Compliance Manager Assessors <br/><br/> Compliance Manager Contributors\| +\|Compliance Manager Reader\|View all Compliance Manager content except for administrator functions.\|Compliance Manager Administrators <br/><br/> Compliance Manager Assessors <br/><br/> Compliance Manager Contributors <br/><br/> Compliance Manager Readers\| +\|Compliance Search\|Perform searches across mailboxes and get an estimate of the results.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Data Investigator <br/><br/> eDiscovery Manager <br/><br/> Organization Management <br/><br/> Security Operator\| +\|Custodian\|Identify and manage custodians for Advanced eDiscovery cases and use the information from Azure Active Directory and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case.\|Data Investigator <br/><br/> eDiscovery Manager\| +\|Data Classification Content Viewer\|View in-place rendering of files in Content explorer.\|Content Explorer Content Viewer <br/><br/> Information Protection <br/><br/> Information Protection Investigators <br/><br/> Privacy Management <br/><br/> Privacy Management Investigators\| +\|Data Classification Feedback Provider\|Allows providing feedback to classifiers in content explorer.\|Communication Compliance <br/><br/> Communication Compliance Investigators <br/><br/> Compliance Administrator\| \|Data Classification Feedback Reviewer\|Allows reviewing feedback from classifiers in feedback explorer.\|Compliance Administrator\| -\|Data Classification List Viewer\|View the list of files in content explorer.\|Content Explorer List Viewer <p><p> Information Protection Analysts <p> Privacy Management <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Privacy Management Viewers\| -\|Data Connector Admin\|Create and manage connectors to import and archive non-Microsoft data in Microsoft 365.\|Communication Compliance <p><p> Communication Compliance Administrators <p> Compliance Administrator <p> Compliance Data Administrator <p> Compliance Manager Administrators <p> Compliance Manager Assessors <p> Compliance Manager Contributors <p> Insider Risk Management <p> Insider Risk Management Admins <p> Organization Management\| -\|Data Investigation Management\|Create, edit, delete, and control access to data investigation.\|Compliance Administrator <p><p> Data Investigator\| -\|Device Management\|View and edit settings and reports for device management features.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator\| -\|Disposition Management\|Control permissions for accessing Manual Disposition in the Security & Compliance Center.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Records Management\| -\|DLP Compliance Management\|View and edit settings and reports for data loss prevention (DLP) policies.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator\| -\|Export\|Export mailbox and site content that's returned from searches.\|Data Investigator <p><p> eDiscovery Manager\| -\|Hold\|Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content.\|Compliance Administrator <p><p> eDiscovery Manager <p> Organization Management\| -\|IB Compliance Management\|View, create, remove, modify, and test Information Barrier policies.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator\| -\|Information Protection Admin\|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Admins\| -\|Information Protection Analyst\|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Analysts <p> Information Protection Investigators\| -\|Information Protection Investigator\|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Investigators\| -\|Information Protection Reader\|View-only access to reports for DLP policies and sensitivity labels and their policies.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Readers\| -\|Insider Risk Management Admin\|Create, edit, delete, and control access to Insider Risk Management feature.\|Compliance Administrator <p><p> Insider Risk Management <p> Insider Risk Management Admins <p> Organization Management\| -\|Insider Risk Management Analysis\|Access all insider risk management alerts, cases, and notices templates.\|Insider Risk Management <p><p> Insider Risk Management Analysts\| -\|Insider Risk Management Audit\|Allow viewing Insider Risk audit trails.\|Insider Risk Management <p><p> Insider Risk Management Auditors\| -\|Insider Risk Management Investigation\|Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.\|Insider Risk Management <p><p> Insider Risk Management Investigators\| +\|Data Classification List Viewer\|View the list of files in content explorer.\|Content Explorer List Viewer <br/><br/> Information Protection Analysts <br/><br/> Privacy Management <br/><br/> Privacy Management Analysts <br/><br/> Privacy Management Investigators <br/><br/> Privacy Management Viewers\| +\|Data Connector Admin\|Create and manage connectors to import and archive non-Microsoft data in Microsoft 365.\|Communication Compliance <br/><br/> Communication Compliance Administrators <br/><br/> Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Compliance Manager Administrators <br/><br/> Compliance Manager Assessors <br/><br/> Compliance Manager Contributors <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Admins <br/><br/> Organization Management\| +\|Data Investigation Management\|Create, edit, delete, and control access to data investigation.\|Compliance Administrator <br/><br/> Data Investigator\| +\|Device Management\|View and edit settings and reports for device management features.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Security Administrator\| +\|Disposition Management\|Control permissions for accessing Manual Disposition in the Security & Compliance Center.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Records Management\| +\|DLP Compliance Management\|View and edit settings and reports for data loss prevention (DLP) policies.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Security Administrator\| +\|Export\|Export mailbox and site content that's returned from searches.\|Data Investigator <br/><br/> eDiscovery Manager\| +\|Hold\|Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content.\|Compliance Administrator <br/><br/> eDiscovery Manager <br/><br/> Organization Management\| +\|IB Compliance Management\|View, create, remove, modify, and test Information Barrier policies.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Security Administrator\| +\|Information Protection Admin\|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Information Protection <br/><br/> Information Protection Admins\| +\|Information Protection Analyst\|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Information Protection <br/><br/> Information Protection Analysts <br/><br/> Information Protection Investigators\| +\|Information Protection Investigator\|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Information Protection <br/><br/> Information Protection Investigators\| +\|Information Protection Reader\|View-only access to reports for DLP policies and sensitivity labels and their policies.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Information Protection <br/><br/> Information Protection Readers\| +\|Insider Risk Management Admin\|Create, edit, delete, and control access to Insider Risk Management feature.\|Compliance Administrator <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Admins <br/><br/> Organization Management\| +\|Insider Risk Management Analysis\|Access all insider risk management alerts, cases, and notices templates.\|Insider Risk Management <br/><br/> Insider Risk Management Analysts\| +\|Insider Risk Management Audit\|Allow viewing Insider Risk audit trails.\|Insider Risk Management <br/><br/> Insider Risk Management Auditors\| +\|Insider Risk Management Investigation\|Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.\|Insider Risk Management <br/><br/> Insider Risk Management Investigators\| \|Insider Risk Management Permanent contribution\|This role group is visible, but is used by background services only.\|IRM Contributors\| -\|Insider Risk Management Sessions\|Allow managing group modification requests for session recording.\|Insider Risk Management <p><p> Insider Risk Management Session Approvers\| +\|Insider Risk Management Sessions\|Allow managing group modification requests for session recording.\|Insider Risk Management <br/><br/> Insider Risk Management Session Approvers\| \|Insider Risk Management Temporary contribution\|This role group is visible, but is used by background services only.\|IRM Contributors\| \|Knowledge Admin\|Configure knowledge, learning, assign trainings and other intelligent features.\|Knowledge Administrators\| -\|Manage Alerts\|View and edit settings and reports for alerts.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator <p> Security Operator\| -\|Organization Configuration\|Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management\| -\|Preview\|View a list of items that are returned from content searches, and open each item from the list to view its contents.\|Data Investigator <p><p> eDiscovery Manager\| -\|Privacy Management Admin\|Manage policies in Privacy Management and has access to all functionality of the solution.\|Privacy Management <p><p> Privacy Management Administrators\| -\|Privacy Management Analysis\|Perform investigation and remediation of the message violations in Privacy Management. Can only view messages metadata.\|Privacy Management <p> Privacy Management Analysts\| -\|Privacy Management Investigation\|Perform investigation, remediation, and review message violations in Privacy Management. Can view message metadata and the full message.\|Privacy Management <p><p> Privacy Management Investigators\| -\|Privacy Management Permanent contribution\|Access Privacy Management cases as a permanent contributor.\|Privacy Management <p><p> Privacy Management Contributors\| -\|Privacy Management Temporary contribution\|Access Privacy Management cases as a temporary contributor.\|Privacy Management <p><p> Privacy Management Contributors\| -\|Privacy Management Viewer\|Access dashboards and widgets in Privacy Management.\|Privacy Management <p><p> Privacy Management Viewers\| -\|Quarantine\|Allows viewing and releasing quarantined email.\|Quarantine Administrator <p><p> Security Administrator <p> Organization Management\| -\|RecordManagement\|View and edit the configuration of the records management feature.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Records Management\| -\|Retention Management\|Manage retention policies, retention labels, and retention label policies.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Records Management\| -\|Review\|This role lets users access review sets in Advanced eDiscovery cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.\|Data Investigator <p><p> eDiscovery Manager <p> Reviewer\| -\|RMS Decrypt\|Decrypt RMS-protected content when exporting search results.\|Data Investigator <p><p> eDiscovery Manager\| +\|Manage Alerts\|View and edit settings and reports for alerts.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator\| +\|Organization Configuration\|Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management\| +\|Preview\|View a list of items that are returned from content searches, and open each item from the list to view its contents.\|Data Investigator <br/><br/> eDiscovery Manager\| +\|Privacy Management Admin\|Manage policies in Privacy Management and has access to all functionality of the solution.\|Privacy Management <br/><br/> Privacy Management Administrators\| +\|Privacy Management Analysis\|Perform investigation and remediation of the message violations in Privacy Management. Can only view messages metadata.\|Privacy Management <br/><br/> Privacy Management Analysts\| +\|Privacy Management Investigation\|Perform investigation, remediation, and review message violations in Privacy Management. Can view message metadata and the full message.\|Privacy Management <br/><br/> Privacy Management Investigators\| +\|Privacy Management Permanent contribution\|Access Privacy Management cases as a permanent contributor.\|Privacy Management <br/><br/> Privacy Management Contributors\| +\|Privacy Management Temporary contribution\|Access Privacy Management cases as a temporary contributor.\|Privacy Management <br/><br/> Privacy Management Contributors\| +\|Privacy Management Viewer\|Access dashboards and widgets in Privacy Management.\|Privacy Management <br/><br/> Privacy Management Viewers\| +\|Quarantine\|Allows viewing and releasing quarantined email.\|Quarantine Administrator <br/><br/> Security Administrator <br/><br/> Organization Management\| +\|RecordManagement\|View and edit the configuration of the records management feature.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Records Management\| +\|Retention Management\|Manage retention policies, retention labels, and retention label policies.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Records Management\| +\|Review\|This role lets users access review sets in Advanced eDiscovery cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.\|Data Investigator <br/><br/> eDiscovery Manager <br/><br/> Reviewer\| +\|RMS Decrypt\|Decrypt RMS-protected content when exporting search results.\|Data Investigator <br/><br/> eDiscovery Manager\| \|Role Management\|Manage role group membership and create or delete custom role groups.\|Organization Management\| -\|Search And Purge\|Lets people bulk-remove data that matches the criteria of a content search.\|Data Investigator <p><p> Organization Management\| -\|Security Administrator\|View and edit the configuration and reports for Security features.\|Organization Management <p><p> Security Administrator\| -\|Security Reader\|View the configuration and reports for Security features.\|Global Reader <p><p> Organization Management <p> Security Operator <p> Security Reader\| -\|Sensitivity Label Administrator\|View, create, modify, and remove sensitivity labels.\|Compliance Data Administrator <p><p> Organization Management <p> Security Administrator\| -\|Sensitivity Label Reader\|View the configuration and usage of sensitivity labels.\|Global Reader <p><p> Organization Management <p> Security Reader\| -\|Service Assurance View\|Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks.\|Global Reader <p><p> Organization Management <p> Service Assurance User\| +\|Search And Purge\|Lets people bulk-remove data that matches the criteria of a content search.\|Data Investigator <br/><br/> Organization Management\| +\|Security Administrator\|View and edit the configuration and reports for Security features.\|Organization Management <br/><br/> Security Administrator\| +\|Security Reader\|View the configuration and reports for Security features.\|Global Reader <br/><br/> Organization Management <br/><br/> Security Operator <br/><br/> Security Reader\| +\|Sensitivity Label Administrator\|View, create, modify, and remove sensitivity labels.\|Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Security Administrator\| +\|Sensitivity Label Reader\|View the configuration and usage of sensitivity labels.\|Global Reader <br/><br/> Organization Management <br/><br/> Security Reader\| +\|Service Assurance View\|Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks.\|Global Reader <br/><br/> Organization Management <br/><br/> Service Assurance User\| \|Supervisory Review Administrator\|Manage supervisory review policies, including which communications to review and who should do the review.\|Supervisory Review\| -\|Tag Contributor\|View and update membership of existing user tags.\|Organization Management <p><p> Security Administrator <p> Security Operator\| -\|Tag Manager\|View, update, create, and delete user tags.\|Organization Management <p><p> Security Administrator\| +\|Tag Contributor\|View and update membership of existing user tags.\|Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator\| +\|Tag Manager\|View, update, create, and delete user tags.\|Organization Management <br/><br/> Security Administrator\| \|Tag Reader\|Read-only access to existing user tags.\|Security Reader\| \|Tenant AllowBlockList Manager\|Manage tenant allow block list settings.\|Security Operator\| -\|View-Only Audit Logs\|View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator\| -\|View-Only Case\|\|Communication Compliance <p><p> Communication Compliance Investigators <p> Compliance Administrator <p> Insider Risk Management <p> Insider Risk Management Admins <p> Insider Risk Management Analysts <p> Insider RiskManagement Investigators <p> Organization Management <p> Privacy Management <p> Privacy Management Administrators <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Subject Rights Request Administrators\| -\|View-Only Device Management\|View the configuration and reports for the Device Management feature.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader\| -\|View-Only DLP Compliance Management\|View the settings and reports for data loss prevention (DLP) policies.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader\| -\|View-Only IB Compliance Management\|View the configuration and reports for the Information Barriers feature.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader\| -\|View-Only Manage Alerts\|View the configuration and reports for the Manage Alerts feature.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader\| -\|View-Only Recipients\|View information about users and groups.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> MailFlow Administrator <p> Organization Management\| -\|View-Only Record Management\|View the configuration of the records management feature.\|Compliance Administrator <p><p> Compliance Data Administrator <p> <p> Global Reader <p> Organization Management\| -\|View-Only Retention Management\|View the configuration of retention policies, retention labels, and retention label policies.\|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Administrator <p> Organization Management\| +\|View-Only Audit Logs\|View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator\| +\|View-Only Case\|\|Communication Compliance <br/><br/> Communication Compliance Investigators <br/><br/> Compliance Administrator <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Admins <br/><br/> Insider Risk Management Analysts <br/><br/> Insider RiskManagement Investigators <br/><br/> Organization Management <br/><br/> Privacy Management <br/><br/> Privacy Management Administrators <br/><br/> Privacy Management Analysts <br/><br/> Privacy Management Investigators <br/><br/> Subject Rights Request Administrators\| +\|View-Only Device Management\|View the configuration and reports for the Device Management feature.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator <br/><br/> Security Reader\| +\|View-Only DLP Compliance Management\|View the settings and reports for data loss prevention (DLP) policies.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator <br/><br/> Security Reader\| +\|View-Only IB Compliance Management\|View the configuration and reports for the Information Barriers feature.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator <br/><br/> Security Reader\| +\|View-Only Manage Alerts\|View the configuration and reports for the Manage Alerts feature.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator <br/><br/> Security Reader\| +\|View-Only Recipients\|View information about users and groups.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> MailFlow Administrator <br/><br/> Organization Management\| +\|View-Only Record Management\|View the configuration of the records management feature.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> <br/><br/> Global Reader <br/><br/> Organization Management\| +\|View-Only Retention Management\|View the configuration of retention policies, retention labels, and retention label policies.\|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Administrator <br/><br/> Organization Management\|
security	Permissions Microsoft 365 Security Center	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center.md	A role group is a set of roles that lets people do their jobs in the Microso The Microsoft 365 Defender portal> includes default role groups for the most common tasks and functions that you'll need to assign. Generally, we recommend simply adding individual users as members to the default role groups. -![Diagram showing relationship of role groups to roles and members.](../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png) ## Roles and role groups in the Microsoft 365 Defender portal The following types of roles and role groups are available in on the Permissio - Email & collaboration roles: These are the same role groups that are available in the Security & Compliance Center, but you can manage them directly in the Microsoft 365 Defender portal. The permissions that you assign here are specific to the Microsoft 365 Defender portal, the Microsoft 365 compliance center, and the Security & Compliance Center, and don't cover all of the permissions that are needed in other Microsoft 365 workloads. -![Permissions & roles page in the Microsoft 365 Defender portal.](../../media/m365-sc-permissions-and-roles-page.png) ### Azure AD roles in the Microsoft 365 Defender portal When you open the Microsoft 365 Defender portal at <https://security.microsoft.c When you select a role, a details flyout that contains the description of the role and the user assignments appears. But to manage those assignments, you need to click Manage members in Azure AD** in the details flyout. -![Link to manage permissions in Azure Active Directory.](../../media/permissions-manage-in-azure-ad-link.png) For more information, see [View and assign administrator roles in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-manage-roles-portal).
security	Protection Stack Microsoft Defender For Office365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md	Unfortunately, Edge blocks that were once critical are now relatively simple f Edge blocks are designed to be automatic. In the case of false positive, senders will be notified and told how to address their issue. Connectors from trusted partners with limited reputation can ensure deliverability, or temporary overrides can be put in place, when onboarding new endpoints. 1. Network throttling protects Office 365 infrastructure and customers from Denial of Service (DOS) attacks by limiting the number of messages that can be submitted by a specific set of infrastructure. Edge blocks are designed to be automatic. In the case of false positive, senders Features in sender intelligence are critical for catching spam, bulk, impersonation, and unauthorized spoof messages, and also factor into phish detection. Most of these features are individually configurable. 1. Account compromise detection triggers and alerts are raised when an account has anomalous behavior, consistent with compromise. In some cases, the user account is blocked and prevented from sending any further email messages until the issue is resolved by an organization's security operations team. Features in sender intelligence are critical for catching spam, bulk, impersonat In this phase the filtering stack begins to handle the specific contents of the mail, including its hyperlinks and attachments. 1. Transport rules (also known as mail flow rules or Exchange transport rules) allow an admin to take a wide range of actions when an equally wide range of conditions are met for a message. All messages that flow through your organization are evaluated against the enabled mail flow rules / transport rules. In this phase the filtering stack begins to handle the specific contents of the The last stage takes place after mail or file delivery, acting on mail that is in various mailboxes and files and links that appear in clients like Microsoft Teams. 1. Safe Links is Defender for Office 365's time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it is checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation. The last stage takes place after mail or file delivery, acting on mail that is i The final diagram (as with all parts of the diagram composing it) is subject to change as the product grows and develops. Bookmark this page and use the feedback option you'll find at the bottom if you need to ask after updates. For your records, this is the stack with all the phases in order: ## More information
security	Quarantine Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md	The default quarantine policies, preset permission groups, and permissions are d Note: When you create a new policy, a blank Select quarantine policy value indicates the default quarantine policy for that verdict is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table. - ![Quarantine policy selections in an anti-spam policy.](../../media/quarantine-tags-in-anti-spam-policies.png) + :::image type="content" source="../../media/quarantine-tags-in-anti-spam-policies.png" alt-text="The Quarantine policy selections in an anti-spam policy" lightbox="../../media/quarantine-tags-in-anti-spam-policies.png"::: Full instructions for creating and modifying anti-spam policies are described in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md). Spoof intelligence is available in EOP and Defender for Office 365. User imperso Note: When you create a new policy, a blank Apply quarantine policy value indicates the default quarantine policy for that action is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table. - ![Quarantine policy selections in an anti-phishing policy.](../../media/quarantine-tags-in-anti-phishing-policies.png) + :::image type="content" source="../../media/quarantine-tags-in-anti-phishing-policies.png" alt-text="The Quarantine policy selections in an anti-phishing policy" lightbox="../../media/quarantine-tags-in-anti-phishing-policies.png"::: Full instructions for creating and modifying anti-phishing policies are available in the following topics: The global settings for quarantine policies allow you to customize the quarantin The following screenshot shows the customized display name in a quarantine notification: - ![A customized sender display name in a quarantine notification.](../../media/quarantine-tags-esn-customization-display-name.png) + :::image type="content" source="../../media/quarantine-tags-esn-customization-display-name.png" alt-text="A customized sender display name in a quarantine notification" lightbox="../../media/quarantine-tags-esn-customization-display-name.png"::: - Disclaimer: Add a custom disclaimer to the bottom of quarantine notifications. The localized text, A disclaimer from your organization: is always included first, followed by the text you specify. The global settings for quarantine policies allow you to customize the quarantin The following screenshot shows the customized disclaimer in a quarantine notification: - ![A custom disclaimer at the bottom of a quarantine notification.](../../media/quarantine-tags-esn-customization-disclaimer.png) + :::image type="content" source="../../media/quarantine-tags-esn-customization-disclaimer.png" alt-text="A custom disclaimer at the bottom of a quarantine notification" lightbox="../../media/quarantine-tags-esn-customization-disclaimer.png"::: - Choose language: Quarantine notifications are already localized based on the recipient's language settings. You can specify customized text in different languages for the Display name and Disclaimer values. Select at least one language from the first language box and then click Add. You can select multiple languages by clicking Add after each one. A section language box shows all of the languages that you've selected: - ![Selected languages in the second language box in the global quarantine notification settings of quarantine policies.](../../media/quarantine-tags-esn-customization-selected-languages.png) + :::image type="content" source="../../media/quarantine-tags-esn-customization-selected-languages.png" alt-text="The selected languages in the second language box in the global quarantine notification settings of quarantine policies" lightbox="../../media/quarantine-tags-esn-customization-selected-languages.png"::: - Use my company logo: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo. The following screenshot shows a custom logo in a quarantine notification: - ![A custom logo in a quarantine notification.](../../media/quarantine-tags-esn-customization-logo.png) + :::image type="content" source="../../media/quarantine-tags-esn-customization-logo.png" alt-text="A custom logo in a quarantine notification" lightbox="../../media/quarantine-tags-esn-customization-logo.png"::: - Send end-user spam notification every (days): Select the frequency for quarantine notifications. If the quarantine policy assigns the Limited access permissions, users get t - Remove from quarantine - Block sender - ![Available buttons in the quarantined message details if the quarantine policy gives the user Limited access permissions.](../../media/quarantine-tags-quarantined-message-details-limited-access.png) + :::image type="content" source="../../media/quarantine-tags-quarantined-message-details-limited-access.png" alt-text="The available buttons in the quarantined message details if the quarantine policy gives the user limited access permissions" lightbox="../../media/quarantine-tags-quarantined-message-details-limited-access.png"::: - Quarantine notifications: The following buttons are available: - Block sender - Request release - Review - ![Available buttons in the quarantine notification if the quarantine policy gives the user Limited access permissions.](../../media/quarantine-tags-esn-limited-access.png) + :::image type="content" source="../../media/quarantine-tags-esn-limited-access.png" alt-text="The available buttons in the quarantine notification if the quarantine policy gives the user limited access permissions" lightbox="../../media/quarantine-tags-esn-limited-access.png"::: #### Full access If the quarantine policy assigns the Full access permissions (all available - Remove from quarantine - Block sender - ![Available buttons in the quarantined message details if the quarantine policy gives the user Full access permissions.](../../media/quarantine-tags-quarantined-message-details-full-access.png) + :::image type="content" source="../../media/quarantine-tags-quarantined-message-details-full-access.png" alt-text="The available buttons in the quarantined message details if the quarantine policy gives the user full access permissions" lightbox="../../media/quarantine-tags-quarantined-message-details-full-access.png"::: - Quarantine notifications: The following buttons are available: - Block sender - Release - Review - ![Available buttons in the quarantine notification if the quarantine policy gives the user Full access permissions.](../../media/quarantine-tags-esn-full-access.png) + :::image type="content" source="../../media/quarantine-tags-esn-full-access.png" alt-text="The available buttons in the quarantine notification if the quarantine policy gives the user full access permissions" lightbox="../../media/quarantine-tags-esn-full-access.png"::: ### Individual permissions
security	Report False Positives And False Negatives	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-false-positives-and-false-negatives.md	For messages in the Inbox or any other email folder except Junk Email, use the f 1. Select the More actions ellipses on the top-right corner of the selected message, select Report message from the dropdown menu, and then select Junk or Phishing. - ![Report Message - More actions.](../../media/report-message-more-actions.png) + :::image type="content" source="../../media/report-message-more-actions.png" alt-text="The More actions icon" lightbox="../../media/report-message-more-actions.png"::: - ![Report Message - Junk and Phishing.](../../media/report-message-junk-phishing.png) + :::image type="content" source="../../media/report-message-junk-phishing.png" alt-text="The Junk and Phishing option in the Report Message pane" lightbox="../../media/report-message-junk-phishing.png"::: 2. The selected messages will be sent to Microsoft for analysis and: - Moved to the Junk Email folder if they were reported as spam. For messages in the Inbox or any other email folder except Junk Email, use the f 1. Select the More actions ellipses on the top-right corner of the selected message, select Report message from the dropdown menu, and then select Not Junk. - ![Report Message - More actions.](../../media/report-message-more-actions.png) + :::image type="content" source="../../media/report-message-more-actions.png" alt-text="The icon that provides more actions" lightbox="../../media/report-message-more-actions.png"::: - ![Report Message - Not junk.](../../media/report-message-not-junk.png) + :::image type="content" source="../../media/report-message-not-junk.png" alt-text="The Not Junk option under the Report Message pane" lightbox="../../media/report-message-not-junk.png"::: 2. The selected message will be sent to Microsoft for analysis and moved to Inbox or any other specified folder.
security	Reports And Insights In Security And Compliance	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance.md	If you are part of your organization's Microsoft for 365 for business security t Monitoring capabilities available in the Security & Compliance Center include smart reports and insights that enable your compliance and security admins to focus on high-priority issues, such as security attacks or increased suspicious activity. In a dashboard, smart reports and insights resemble the following image: -![The Reports dashboard in the Security & Compliance Center.](../../media/2a668c3d-3fa3-4e37-8149-46989b33ae8c.png) In addition to highlighting problem areas, smart reports and insights include recommendations and links to view and explore data and also take quick actions. For example, if your organization suddenly has a high number of email messages being marked as spam by end users, you might be advised to revisit your anti-spam policies to ensure the right level of protection is in place.
security	Safe Docs	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-docs.md	Files sent by Safe Documents are not retained in Defender for Endpoint beyond th When you're finished, click Save. - ![Safe Documents settings after selecting Global settings on the Safe Attachments page.](../../media/safe-docs-global-settings.png) + :::image type="content" source="../../media/safe-docs-global-settings.png" alt-text="The Safe Documents settings after selecting Global settings on the Safe Attachments page" lightbox="../../media/safe-docs-global-settings.png"::: ### Use Exchange Online PowerShell to configure Safe Documents
security	Safe Links	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md	After you turn on Safe Links protection for Microsoft Teams, URLs in Teams are c If the user who sent the link isn't included in a Safe Links policy where Teams protection is enabled, the user is free to click through to the original URL on their computer or device. -![A Safe Links for Teams page reporting a malicious link.](../../media/tp-safe-links-for-teams-malicious.png) Clicking the Go Back button on the warning page will return the user to their original context or URL location. However, clicking on the original link again will cause Safe Links to rescan the URL, so the warning page will reappear. Note that several warning pages have been updated. If you're not already seeing The clicked URL is being scanned by Safe Links. You might need to wait a few moments before trying the link again. -!["The link is being scanned" notification](../../media/ee8dd5ed-6b91-4248-b054-12b719e8d0ed.png) The original notification page looked like this: -![Original "The link is being scanned" notification](../../media/04368763-763f-43d6-94a4-a48291d36893.png) ### Suspicious message warning The clicked URL was in an email message that's similar to other suspicious messages. We recommend that you double-check the email message before proceeding to the site. -!["A link was clicked from a suspicious message" warning](../../media/33f57923-23e3-4b0f-838b-6ad589ba897b.png) ### Phishing attempt warning The clicked URL was in an email message that has been identified as a phishing attack. As a result, all URLs in the email message are blocked. We recommend that you do not proceed to the site. -!["The link was clicked from a phishing message" warning](../../media/6e544a28-0604-4821-aba6-d5a57bb917e5.png) ### Malicious website warning The clicked URL points to a site that has been identified as malicious. We recommend that you do not proceed to the site. -!["This website is classified as malicious" warning](../../media/058883c8-23f0-4672-9c1c-66b084796177.png) The original warning page looked like this: -![Original "This website has been classified as malicious" warning](../../media/b9efda09-6dd8-46ef-82cb-56e4d538b8f5.png) ### Blocked URL warning The clicked URL has been manually blocked by an admin in your organization (the There are several reasons why an admin would manually block specific URLs. If you think the site should not be blocked, contact your admin. -!["This website was blocked by your admin" warning](../../media/6b4bda2d-a1e6-419e-8b10-588e83c3af3f.png) The original warning page looked like this: -![Original "This website has been blocked per your organization's URL policy" warning](../../media/3d6ba028-30bf-45fc-958e-d3aad3defc83.png) ### Error warning Some kind of error has occurred, and the URL can't be opened. -!["The page that you are trying to access cannot be loaded" warning](../../media/2f7465a4-1cf4-4c1c-b7d4-3c07e4b795b4.png) The original warning page looked like this: -![Original "This web page could not be loaded" warning](../../media/9aaa4383-2f23-48be-bdaa-8efbcb2acc70.png)
security	Secure Email Recommended Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-email-recommended-policies.md	These recommendations require your users to use modern email clients, including To protect email, the following diagram illustrates which policies to update from the common identity and device access policies. Note the addition of a new policy for Exchange Online to block ActiveSync clients. This forces the use of Outlook mobile. For more information, see [Set up new Office 365 Message Encryption capabilities ## Next steps -![Step 4: Policies for Microsoft 365 cloud apps.](../../media/microsoft-365-policies-configurations/identity-device-access-steps-next-step-4.png) Configure Conditional Access policies for:
security	Security Dashboard	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-dashboard.md	To view the Security Dashboard in the Security & Compliance Center, go to go to The Threat Management Summary widget tells you at a glance how your organization was protected from threats over the past seven (7) days. -![Security Dashboard - Threat Management Summary widget.](../../media/SecDash-ThreatMgmtSummary.png) The information you'll see in the Threat Management Summary depends on what your subscription includes. The following table describes what information is included for Office 365 E3 and Office 365 E5. To view or access the Threat Management Summary widget, you must have permission The Threat Protection Status widget shows threat protection effectiveness with a trending and detailed view of phish and malware. -![Threat protection status widget.](../../media/tpswidget.png) The details depend on whether your Microsoft 365 subscription includes [Exchange Online Protection](exchange-online-protection-overview.md) (EOP) with or without [Microsoft Defender for Office 365](defender-for-office-365.md). To view or access the Threat Protection Status widget, you must have permissions The Global Weekly Threat Detections widget shows how many threats were detected in email messages over the past seven (7) days. -![Global Weekly Threat Detections widget.](../../media/globalweeklythreatdetections.png) The metrics are calculated as described in the following table: The metrics are calculated as described in the following table: Malware widgets show details about malware trends and malware family types over the past seven (7) days. -![Malware trends and family types.](../../media/malwarewidgetatpe5.png) ## Insights Insights not only surface key issues you should review, they also include recommendations and actions to consider. -![Smart insights.](../../media/smartinsights.png) For example, you might see that phishing email messages are being delivered because some users have disabled their junk mail options. To learn more about how insights work, see [Reports and insights in the Security & Compliance Center](reports-and-insights-in-security-and-compliance.md). To learn more, see [Get started using Automated investigation and response (AIR) Near the bottom of the Security Dashboard is a Trends section, which summarizes email flow trends for your organization. Reports provide information about email categorized as spam, malware, phishing attempts, and good email. Click a tile to view more detailed information in the report. -![The Trends section summarizes email flow trends for the organization.](../../media/trends.png) And, if your organization's subscription includes [Defender for Office 365 Plan 2](office-365-ti.md), you will also have a Recent threat management alerts report in this section that enables your security team to view and take action on high-priority security alerts.
security	Security Recommendations For Priority Accounts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts.md	For attackers, ordinary phishing attacks that cast a random net for ordinary or Microsoft 365 and Microsoft Defender for Office 365 contain several key features that provide additional layers of security for your priority accounts. This article describes these capabilities and how to use them. -![Summary of the security recommendations in icon form.](../../media/security-recommendations-for-priority-users.png) \|Task\|All Office 365 Enterprise plans\|Microsoft 365 E3\|Microsoft 365 E5\| \|\|::\|::\|::\|
security	Set Up Anti Phishing Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md	The Show first contact safety tip settings is available in EOP and Defender - The first time they get a message from a sender - They don't often get messages from the sender. -![First contact safety tip for messages with one recipient.](../../media/safety-tip-first-contact-one-recipient.png) -![First contact safety tip for messages with multiple recipients.](../../media/safety-tip-first-contact-multiple-recipients.png) This capability adds an extra layer of security protection against potential impersonation attacks, so we recommend that you turn it on.
security	Sharepoint File Access Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sharepoint-file-access-policies.md	In addition to implementing this guidance, be sure to configure SharePoint sites To protect files in SharePoint and OneDrive, the following diagram illustrates which policies to update from the common identity and device access policies. If you included SharePoint when you created the common policies, you only need to create the new policies. For Conditional Access policies, SharePoint includes OneDrive. It's important to understand that SharePoint site permissions are typically base The following illustration provides an example of how SharePoint device access policies protect access to sites for a user. James has starting point Conditional Access policies assigned, but he can be given access to SharePoint sites with enterprise or specialized security protection. James has starting point Conditional Access policies assigned, but he can be giv ## Next step -![Step 4: Policies for Microsoft 365 cloud apps.](../../media/microsoft-365-policies-configurations/identity-device-access-steps-next-step-4.png) + Configure Conditional Access policies for:
security	Submitting Malware And Non Malware To Microsoft For Analysis	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis.md	Go to the Microsoft Security Intelligence website at <https://www.microsoft.com/ After you've uploaded the file or files, note the Submission ID that's created for your sample submission (for example, `7c6c214b-17d4-4703-860b-7f1e9da03f7f`). -![Submission details in the Windows Defender Security Intelligence website.](../../media/EOP-Malware-Protection-Center.png) After we receive the sample, we'll investigate. If we determine that the sample file is malicious, we'll take corrective action to prevent the malware from going undetected.
security	Teams Access Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-access-policies.md	You don't need to enable dependent services to get started with Microsoft Teams. To protect chat, groups and content in Teams, the following diagram illustrates which policies to update from the common identity and device access policies. For each policy to update, make sure that Teams and dependent services are included in the assignment of cloud apps. These services are the dependent services to include in the assignment of cloud apps for Teams: This table lists the policies that need to be revisited and links to each policy For reference, the following diagram illustrates the services Teams relies on. For more information and illustrations, see [Microsoft Teams and related productivity services in Microsoft 365 for IT architects](../../solutions/productivity-illustrations.md). ## Guest and external access for Teams For more reading about App Permission Policies, check out [Manage app permission ## Next steps -![Step 4: Policies for Microsoft 365 cloud apps.](../../media/microsoft-365-policies-configurations/identity-device-access-steps-next-step-4.png) Configure Conditional Access policies for:
security	Tenant Wide Setup For Increased Security	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md	More information: - [More information about Microsoft Defender for Cloud Apps](https://www.microsoft.com/cloud-platform/cloud-app-security) - [What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security) -![Defender for Cloud Apps dashboard.](../../media/1fb2aa65-54b8-4746-9f5e-c187d339e9f5.png) ## Additional resources
security	Threat Explorer Views	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md	ms.prod: m365-security - [Microsoft 365 Defender](../defender/microsoft-365-defender.md) -![Threat Explorer.](../../media/explorer.png) [Threat Explorer](threat-explorer.md) (and the real-time detections report) is a powerful, near real-time tool to help Security Operations teams investigate and respond to threats in the Microsoft 365 Defender portal. Explorer (and the real-time detections report) displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization. When you first open Explorer (or the real-time detections report), the default v Use the View menu to change what information is displayed. Tooltips help you determine which view to use. -![Threat Explorer View menu.](../../media/all-email.png) Once you have selected a view, you can apply filters and set up queries to conduct further analysis. The following sections provide a brief overview of the various views available in Explorer (or real-time detections). Once you have selected a view, you can apply filters and set up queries to condu To view this report, in Explorer (or real-time detections), choose View \> Email \> Malware. This view shows information about email messages that were identified as containing malware. -![View data about email identified as malware.](../../media/detection-technology.png) Click Sender to open your list of viewing options. Use this list to view data by sender, recipients, sender domain, subject, detection technology, protection status, and more. For example, to see what actions were taken on detected email messages, choose Protection status in the list. Select an option, and then click the Refresh button to apply that filter to your report. -![Threat Protection Status options for Threat Explorer.](../../media/ThreatExplorerProtectionStatusOptions.png) Below the chart, view more details about specific messages. When you select an item in the list, a fly-out pane opens, where you can learn more about the item you selected. -![Threat Explorer with flyout opened.](../../media/ThreatExplorerMalwareItemSelectedFlyout.png) ## Email > Phish To view this report, in Explorer (or real-time detections), choose View \> Email \> Phish. This view shows email messages identified as phishing attempts. -![View data about email identified as phishing attempts.](../../media/phish.png) Click Sender to open your list of viewing options. Use this list to view data by sender, recipients, sender domain, sender IP, URL domain, click verdict, and more. For example, to see what actions were taken when people clicked on URLs that were identified as phishing attempts, choose Click verdict in the list, select one or more options, and then click the Refresh button. -![Click verdict options for the Phish report.](../../media/click-verdict.png) Below the chart, view more details about specific messages, URL clicks, URLs, and email origin. -![URLs detected as phish in email messages.](../../media/ThreatExplorerEmailPhishURLs.png) When you select an item in the list, such as a URL that was detected, a fly-out pane opens, where you can learn more about the item you selected. -![Details about a detected URL.](../../media/ThreatExplorerEmailPhishURLDetails.png) ## Email > Submissions To view this report, in Explorer (or real-time detections), choose View \> Email \> Submissions. This view shows email that users have reported as junk, not junk, or phishing email. -![Email messages reported by users.](../../media/ThreatExplorerEmailUserReportedViewOptions.png) Click Sender to open your list of viewing options. Use this list to view information by sender, recipients, report type (the user's determination that the email was junk, not junk, or phish), and more. For example, to view information about email messages that were reported as phis Below the chart, view more details about specific email messages, such as subject line, the sender's IP address, the user that reported the message as junk, not junk, or phish, and more. -![Messages that were reported as phishing attempts.](../../media/ThreatExplorerEmailPhishUserReportedPhishDetails.png) Select an item in the list to view additional details. To view this report, in Explorer, choose View \> Email \> All mail. To apply a filter, choose Sender, select an item in the list, and then click the Refresh button. In our example, we used Detection technology as a filter (there are several options available). View information by sender, sender's domain, recipients, subject, attachment filename, malware family, protection status (actions taken by your threat protection features and policies in Office 365), detection technology (how the malware was detected), and more. -![View data about detected email by detection technology.](../../media/0c032eb3-6021-4174-9f06-ff8f30c245ca.png) Below the chart, view more details about specific email messages, such as subject line, recipient, sender, status, and so on. To view this report, in Explorer (or real-time detections), choose View \> * View information by malware family, detection technology (how the malware was detected), and workload (OneDrive, SharePoint, or Teams). -![View data about detected malware.](../../media/malware-family.png) Below the chart, view more details about specific files, such as attachment filename, workload, file size, who last modified the file, and more. Below the chart, view more details about specific files, such as attachment file With Explorer (and real-time detections), you can apply a filter in a click. Click an item in the legend, and that item becomes a filter for the report. For example, suppose we are looking at the Malware view in Explorer: -![Go to Threat management \> Explorer.](../../media/cab32fa2-66f1-4ad5-bc1d-2bac4dbeb48c.png) Clicking ATP Detonation in this chart results in a view like this: -![Explorer filtered to display only Defender for Office 365 Detonation results.](../../media/7241d7dd-27bc-467d-9db8-6e806c49df14.png) In this view, we are now looking at data for files that were detonated by [Safe Attachments](safe-attachments.md). Below the chart, we can see details about specific email messages that had attachments that were detected by Safe Attachments. -![Specific details about email messages with detected attachments.](../../media/c91fb05c-d1d4-4085-acc6-f7008a415c2a.png) Selecting one or more items activates the Actions menu, which offers several choices from which to choose for the selected item(s). -![Selecting an item activates the Actions menu.](../../media/95f127a4-1b2a-4a76-88b9-096e3ba27d1b.png) The ability to filter in a click and navigate to specific details can save you a lot of time in investigating threats.
security	Threat Explorer	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md	If your organization has [Microsoft Defender for Office 365](defender-for-office Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. The report resembles the following image: -![Go to Threat management \> Explorer.](../../media/cab32fa2-66f1-4ad5-bc1d-2bac4dbeb48c.png) With this report, you can: We are making this integration more relevant by introducing the alert ID (see an Alert ID is available within the URL when you are viewing an individual alert; an example being `https://protection.office.com/viewalerts?id=372c9b5b-a6c3-5847-fa00-08d8abb04ef1`. > [!div class="mx-imgBorder"] -> ![Filtering for Alert ID.](../../media/AlertID-Filter.png) +> :::image type="content" source="../../media/AlertID-Filter.png" alt-text="The Filtering for Alert ID" lightbox="../../media/AlertID-Filter.png"::: > [!div class="mx-imgBorder"] -> ![Alert ID in details flyout.](../../media/AlertID-DetailsFlyout.png) +> :::image type="content" source="../../media/AlertID-DetailsFlyout.png" alt-text="The Alert ID in details flyout" lightbox="../../media/AlertID-DetailsFlyout.png"::: ### Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 to 30 days In Threat Explorer, you can see information about user tags in the following exp The Tags column in the email grid contains all the tags that have been applied to the sender or recipient mailboxes. By default, system tags like priority accounts are shown first. > [!div class="mx-imgBorder"] -> ![Filter tags in email grid view.](../../media/tags-grid.png) +> :::image type="content" source="../../media/tags-grid.png" alt-text="The Filter tags in email grid view" lightbox="../../media/tags-grid.png"::: #### Filtering You can use tags as a filter. Hunt just across priority accounts or specific use [![Filter tags.](../../media/tags-filter-normal.png)](../../media/tags-filter-normal.png#lightbox) > [!div class="mx-imgBorder"] -> ![Not filter tags.](../../media/tags-filter-not.png) +> :::image type="content" source="../../media/tags-filter-not.png" alt-text="The tags that are not filtered" lightbox="../../media/tags-filter-not.png"::: #### Email detail flyout To view the individual tags for sender and recipient, select the subject to open The information about individual tags for sender and recipient also extends to exported CSV data, where you can see these details in two separate columns. > [!div class="mx-imgBorder"] -> ![Email Details tags.](../../media/tags-flyout.png) +> :::image type="content" source="../../media/tags-flyout.png" alt-text="The Email Details tags" lightbox="../../media/tags-flyout.png"::: Tags information is also shown in the URL clicks flyout. To view it, go to Phish or All Email view and then to the URLs or URL Clicks tab. Select an individual URL flyout to view additional details about clicks for that URL, including tags associated with that click. ### Updated Timeline View > [!div class="mx-imgBorder"] -> ![URL tags.](../../media/tags-urls.png) +> :::image type="content" source="../../media/tags-urls.png" alt-text="The URL tags" lightbox="../../media/tags-urls.png"::: > Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=4). The set of detection technologies now includes new detection methods, as well as You can now see the specific threat for a URL on the email flyout Details tab. The threat can be malware, phish, spam, or none.) > [!div class="mx-imgBorder"] -> ![URL threats.](../../media/URL_Threats.png) +> :::image type="content" source="../../media/URL_Threats.png" alt-text="The URL threats" lightbox="../../media/URL_Threats.png"::: ### Updated timeline view (upcoming) > [!div class="mx-imgBorder"] -> ![Updated Timeline View.](../../media/Email_Timeline.png) +> :::image type="content" source="../../media/Email_Timeline.png" alt-text="The updated Timeline View" lightbox="../../media/Email_Timeline.png"::: Timeline view identifies all delivery and post-delivery events. It includes information about the threat identified at that point of time for a subset of these events. Timeline view also provides information about any additional action taken (such as ZAP or manual remediation), along with the result of that action. Timeline view information includes: Currently, we surface delivery location in the email grid and email flyout. The Original delivery location will give more information about where an email was delivered initially. Latest delivery location will state where an email landed after system actions like ZAP or admin actions like Move to deleted items. Latest delivery location is intended to tell admins the message's last-known location post-delivery or any system/admin actions. It doesn't include any end-user actions on the email. For example, if a user deleted a message or moved the message to archive/pst, the message "delivery" location won't be updated. But if a system action updated the location (for example, ZAP resulting in an email moving to quarantine), Latest delivery location would show as "quarantine." > [!div class="mx-imgBorder"] -> ![Updated delivery locations.](../../media/Updated_Delivery_Location.png) +> :::image type="content" source="../../media/Updated_Delivery_Location.png" alt-text="The updated delivery locations" lightbox="../../media/Updated_Delivery_Location.png"::: > [!NOTE] > There are a few cases where Delivery location and Delivery action may show as "unknown": Currently, we surface delivery location in the email grid and email flyout. The > - Latest delivery location can be unknown if an admin/system action (such as ZAP) was attempted, but the message wasn't found. Typically, the action happens after the user moved or deleted the message. In such cases, verify the Result/Details column in timeline view. Look for the statement "Message moved or deleted by the user." > [!div class="mx-imgBorder"] -> ![Delivery locations for timeline.](../../media/Updated_Timeline_Delivery_Location.png) +> :::image type="content" source="../../media/Updated_Timeline_Delivery_Location.png" alt-text="The delivery locations for timeline" lightbox="../../media/Updated_Timeline_Delivery_Location.png"::: ### Additional actions Currently, we surface delivery location in the email grid and email flyout. The > As part of the pending changes, the "Removed by ZAP" value currently surfaced in the Delivery Action filter is going away. You'll have a way to search for all email with the ZAP attempt through Additional actions. > [!div class="mx-imgBorder"] -> ![Additional Actions in Explorer.](../../media/Additional_Actions.png) +> :::image type="content" source="../../media/Additional_Actions.png" alt-text="The additional actions in Explorer" lightbox="../../media/Additional_Actions.png"::: ### System overrides Currently, we surface delivery location in the email grid and email flyout. The [![System Overrides in Explorer.](../../media/System_Overrides.png)](../../media/System_Overrides.png#lightbox) > [!div class="mx-imgBorder"] -> ![System Overrides Grid in Explorer.](../../media/System_Overrides_Grid.png) +> :::image type="content" source="../../media/System_Overrides_Grid.png" alt-text="The System Overrides Grid in Explorer" lightbox="../../media/System_Overrides_Grid.png"::: ### Improvements for the URL and clicks experience You can now sort and filter on system or custom user tags to quickly grasp the s > Filtering and sorting by user tags is currently in public preview. This functionality may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided about it. > [!div class="mx-imgBorder"] -> ![Tags column in Explorer.](../../media/threat-explorer-tags.png) +> :::image type="content" source="../../media/threat-explorer-tags.png" alt-text="The Tags column in Explorer" lightbox="../../media/threat-explorer-tags.png"::: ### Timezone improvements You'll see the time zone for the email records in the Portal as well as for Exported data. It will be visible across experiences like Email Grid, Details flyout, Email Timeline, and Similar Emails, so the time zone for the result set is clear. > [!div class="mx-imgBorder"] -> ![View time zone in Explorer.](../../media/TimezoneImprovements.png) +> :::image type="content" source="../../media/TimezoneImprovements.png" alt-text="The View time zone in Explorer" lightbox="../../media/TimezoneImprovements.png"::: ### Update in the refresh process Some users have commented about confusion with automatic refresh (for example, a From an experience standpoint, the user can apply and remove the different range of filters (from the filter set and date) and select the refresh button to filter the results after they've defined the query. The refresh button is also now emphasized on the screen. We've also updated the related tooltips and in-product documentation. > [!div class="mx-imgBorder"] -> ![Select Refresh to filter results.](../../media/ManualRefresh.png) +> :::image type="content" source="../../media/ManualRefresh.png" alt-text="The Refresh button to filter results" lightbox="../../media/ManualRefresh.png"::: ### Chart drilldown to add to filters You can now chart legend values to add them as filters. Select the Refresh button to filter the results. > [!div class="mx-imgBorder"] -> ![Drill down through charts to Filter.](../../media/ChartDrilldown.png) +> :::image type="content" source="../../media/ChartDrilldown.png" alt-text="The Drill down through charts to Filter" lightbox="../../media/ChartDrilldown.png"::: ### In-product information updates Additional details are now available within the product, such as the total number of search results within the grid (see below). We've improved labels, error messages, and tooltips to provide more information about the filters, search experience, and result set. > [!div class="mx-imgBorder"] -> ![View in-product information.](../../media/ProductInfo.png) +> :::image type="content" source="../../media/ProductInfo.png" alt-text="The in-product information to be viewed" lightbox="../../media/ProductInfo.png"::: ## Extended capabilities in Threat Explorer Today we expose the list of the top targeted users in the Malware view for email You'll be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts for offline analysis for each email view. In addition, selecting the number of attempts (for example, 13 attempts in the image below) will open a filtered view in Threat Explorer, so you can see more details across emails and threats for that user. > [!div class="mx-imgBorder"] -> ![Top targeted users.](../../media/Top_Targeted_Users.png) +> :::image type="content" source="../../media/Top_Targeted_Users.png" alt-text="The top-targeted users" lightbox="../../media/Top_Targeted_Users.png"::: ### Exchange transport rules You'll be able to see both the GUID and the name of the transport rules that wer > Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with a Name/GUID as shown below. > > > [!div class="mx-imgBorder"] -> > ![Exchange Transport Rules.](../../media/ETR_Details.png) +> > :::image type="content" source="../../media/ETR_Details.png" alt-text="The Exchange transport rules" lightbox="../../media/ETR_Details.png"::: ### Inbound connectors Connectors are a collection of instructions that customize how your email flows The search for connectors is "contains" in nature, which means partial keyword searches should work as well. Within the Main grid view, the Details flyout, and the Exported CSV, the connectors are shown in the Name/GUID format as shown here: > [!div class="mx-imgBorder"] -> ![Connector details.](../../media/Connector_Details.png) +> :::image type="content" source="../../media/Connector_Details.png" alt-text="The Connector details" lightbox="../../media/Connector_Details.png"::: ## New features in Threat Explorer and Real-time detections This example uses Threat Explorer. 5. Select the Subject of any message under Email tab > Details tab to see additional impersonation information about the user or domain, and the Detected location. - :::image type="content" source="../../media/threat-ex-views-impersonated-user-image.png" alt-text="The Threat Explorer details pane for a protected user showing the detection location, and the threat that was detected (here phish impersonation of a user)."::: + :::image type="content" source="../../media/threat-ex-views-impersonated-user-image.png" alt-text="The Threat Explorer details pane for a protected user showing the detection location, and the threat that was detected (here phish impersonation of a user)" lightbox="../../media/threat-ex-views-impersonated-user-image.png"::: > [!NOTE] > In step 3 or 5, if you choose Detection Technology and select Impersonation domain or Impersonation user respectively, the information in the Email tab > Details tab about the user or domain, and the Detected location will be shown only on the messages that are related to the user or domain listed on the Anti-Phishing policy page. Follow this path to get to the same location in the Real-time detections report: > The Network Message ID maps the click back to specific mails when you search on the ID through Explorer or associated third-party tools. Such searches identify the email associated with a click result. Having the correlated Network Message ID makes for quicker and more powerful analysis. > [!div class="mx-imgBorder"] -> ![Clicks tab in Explorer.](../../media/tp_ExportClickResultAndNetworkID.png) +> :::image type="content" source="../../media/tp_ExportClickResultAndNetworkID.png" alt-text="The Clicks tab in Explorer" lightbox="../../media/tp_ExportClickResultAndNetworkID.png"::: ## See malware detected in email by technology Suppose you want to see malware detected in email sorted by Microsoft 365 techno 2. In the View menu, choose Email \> Malware. > [!div class="mx-imgBorder"] - > ![View menu for Explorer.](../../media/ExplorerViewEmailMalwareMenu.png) + > :::image type="content" source="../../media/ExplorerViewEmailMalwareMenu.png" alt-text="The View menu for Explorer" lightbox="../../media/ExplorerViewEmailMalwareMenu.png"::: 3. Click Sender, and then choose Basic \> Detection technology. Your detection technologies are now available as filters for the report. > [!div class="mx-imgBorder"] - > ![Malware detection technologies.](../../media/ExplorerEmailMalwareDetectionTech.png) + > :::image type="content" source="../../media/ExplorerEmailMalwareDetectionTech.png" alt-text="The Malware detection technologies" lightbox="../../media/ExplorerEmailMalwareDetectionTech.png"::: 4. Choose an option. Then select the Refresh button to apply that filter. > [!div class="mx-imgBorder"] - > ![Selected detection technology.](../../media/ExplorerEmailMalwareDetectionTechATP.png) + > :::image type="content" source="../../media/ExplorerEmailMalwareDetectionTechATP.png" alt-text="The selected detection technology" lightbox="../../media/ExplorerEmailMalwareDetectionTechATP.png"::: The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis. To review phish URLs in messages and clicks on URLs in phish messages, use the [ 2. In the View menu, choose Email \> Phish. > [!div class="mx-imgBorder"] - > ![View menu for Explorer in phishing context.](../../media/ExplorerViewEmailPhishMenu.png) + > :::image type="content" source="../../media/ExplorerViewEmailPhishMenu.png" alt-text="The View menu for Explorer in phishing context" lightbox="../../media/ExplorerViewEmailPhishMenu.png"::: 3. Click Sender, and then choose URLs \> Click verdict. 4. Select one or more options, such as Blocked and Block overridden, and then select the Refresh button on the same line as the options to apply that filter. (Don't refresh your browser window.) > [!div class="mx-imgBorder"] - > ![URLs and click verdicts.](../../media/ThreatExplorerEmailPhishClickVerdictOptions.png) + > :::image type="content" source="../../media/ThreatExplorerEmailPhishClickVerdictOptions.png" alt-text="The URLs and click verdicts" lightbox="../../media/ThreatExplorerEmailPhishClickVerdictOptions.png"::: The report refreshes to show two different URL tables on the URL tab under the report: To review phish URLs in messages and clicks on URLs in phish messages, use the [ The two URL tables show top URLs in phishing email messages by delivery action and location. The tables show URL clicks that were blocked or visited despite a warning, so you can see what potential bad links were presented to users and that the user's clicked. From here, you can conduct further analysis. For example, below the chart you can see the top URLs in email messages that were blocked in your organization's environment. > [!div class="mx-imgBorder"] - > ![Explorer URLs that were blocked.](../../media/ExplorerPhishClickVerdictURLs.png) + > :::image type="content" source="../../media/ExplorerPhishClickVerdictURLs.png" alt-text="The Explorer URLs that were blocked" lightbox="../../media/ExplorerPhishClickVerdictURLs.png"::: Select a URL to view more detailed information. Suppose that you want to see email messages that users in your organization repo 2. In the View menu, choose Email \> Submissions. > [!div class="mx-imgBorder"] - > ![View menu for Explorer for emails.](../../media/explorer-view-menu-email-user-reported.png) + > :::image type="content" source="../../media/explorer-view-menu-email-user-reported.png" alt-text="The View menu for Explorer for emails" lightbox="../../media/explorer-view-menu-email-user-reported.png"::: 3. Click Sender, and then choose Basic \> Report type. 4. Select an option, such as Phish, and then select the Refresh button. > [!div class="mx-imgBorder"] - > ![User-reported phish.](../../media/EmailUserReportedReportType.png) + > :::image type="content" source="../../media/EmailUserReportedReportType.png" alt-text="The user-reported phish" lightbox="../../media/EmailUserReportedReportType.png"::: The report refreshes to show data about email messages that people in your organization reported as a phishing attempt. You can use this information to conduct further analysis, and, if necessary, adjust your [anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
security	Threat Hunting In Threat Explorer	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-hunting-in-threat-explorer.md	Defender for Office 365 Plan 1 uses Real-time detections, which is a subset of After you go to Explorer, by default, you'll arrive on the Malware page, but use the View drop down to get familiar with your options. If you're hunting Phish, or digging into a threat campaign, choose those views. > [!div class="mx-imgBorder"] -> ![View drop down in Threat Explorer.](../../media/view-drop-down.png) +> :::image type="content" source="../../media/view-drop-down.png" alt-text="The View drop down in Threat Explorer" lightbox="../../media/view-drop-down.png"::: Once a security operations (Sec Ops) person selects the data they want to see, whether the scope is narrow view like user Submissions, or a wider view, like All email, they can use the Sender button to further filter. Remember to select Refresh to complete your filtering actions. > [!div class="mx-imgBorder"] -> ![Sender button in Threat Explorer.](../../media/sender-drop-down.png) +> :::image type="content" source="../../media/sender-drop-down.png" alt-text="The Sender button in Threat Explorer" lightbox="../../media/sender-drop-down.png"::: + Refining focus in Explorer or Real-time detection can be thought of in layers. The first is View. The second can be thought of as a filtered focus. For example, you can retrace the steps you took in finding a threat by recording your decisions like this: To find the issue in Explorer, I chose the Malware View with a Recipient filter focus. This makes retracing your steps easier. Refining focus in Explorer or Real-time detection can be thought of in layers. T Refinements can be made on date ranges by using the date range controls. Here you can see Explorer in Malware view, with a Detection Technology filter focus. But it's the Advanced filter button that lets Sec Ops teams dig deep. > [!div class="mx-imgBorder"] -> ![Advanced filter in Threat Explorer.](../../media/advanced-filter.png) +> :::image type="content" source="../../media/advanced-filter.png" alt-text="The Advanced filter in Threat Explorer" lightbox="../../media/advanced-filter.png"::: Clicking the Advanced filter pops a panel that will let Sec Ops hunters build queries themselves, letting them include or exclude the information they need to see. Both the chart and table on the Explorer page will reflect their results. > [!div class="mx-imgBorder"] -> ![Results from a query.](../../media/threat-explorer-chart-table.png) +> :::image type="content" source="../../media/threat-explorer-chart-table.png" alt-text="The Results from a query" lightbox="../../media/threat-explorer-chart-table.png"::: Use the Column options button to get the kind of information on the table that would be most helpful: > [!div class="mx-imgBorder"] -> ![Column options button highlighted.](../../media/threat-explorer-column-options.png) +> :::image type="content" source="../../media/threat-explorer-column-options.png" alt-text="The Column options button highlighted" lightbox="../../media/threat-explorer-column-options.png"::: > [!div class="mx-imgBorder"] -> ![Available options in Columns.](../../media/column-options.png) +> :::image type="content" source="../../media/column-options.png" alt-text="The available options in Columns" lightbox="../../media/column-options.png"::: In the same mien, make sure to test your display options. Different audiences will react well to different presentations of the same data. For some viewers, the Email Origins map can show that a threat is widespread or discreet more quickly than the Campaign display option right next to it. Sec Ops can make use of these displays to best make points that underscore the need for security and protection, or for later comparison, to demonstrate the effectiveness of their actions. > [!div class="mx-imgBorder"] -> ![Email Origins map.](../../media/threat-explorer-email-origin-map.png) +> :::image type="content" source="../../media/threat-explorer-email-origin-map.png" alt-text="The Email Origins map" lightbox="../../media/threat-explorer-email-origin-map.png"::: > [!div class="mx-imgBorder"] -> ![Campaign display options.](../../media/threat-explorer-campaign-display.png) +> :::image type="content" source="../../media/threat-explorer-campaign-display.png" alt-text="The Campaign display options" lightbox="../../media/threat-explorer-campaign-display.png"::: ### Email investigation The email entity page pulls together contents that can be found under *Details When you reach this stage, the email entity page will be critical to the final stepΓÇöremediation. > [!div class="mx-imgBorder"] -> ![The email entity page.](../../media/threat-explorer-email-entity-page.png) +> :::image type="content" source="../../media/threat-explorer-email-entity-page.png" alt-text="The email entity page" lightbox="../../media/threat-explorer-email-entity-page.png"::: > [!TIP] > To learn more about the rich email entity page (seen below on the Analysis tab), including the results of detonated Attachments, findings for included URLs, and safe Email preview, click [here](mdo-email-entity-page.md). > [!div class="mx-imgBorder"] -> ![Analysis tab of the email entity page.](../../media/threat-explorer-analysis-tab.png) +> :::image type="content" source="../../media/threat-explorer-analysis-tab.png" alt-text="The Analysis tab of the email entity page" lightbox="../../media/threat-explorer-analysis-tab.png"::: ### Email remediation Once a Sec Ops person determines that an email is a threat, the next Explorer or Real-time detection step is dealing with the threat and remediating it. This can be done by returning to Threat Explorer, selecting the checkbox for the problem email, and using the Actions button. > [!div class="mx-imgBorder"] -> ![Actions button in Threat Explorer.](../../media/threat-explorer-email-actions-button.png) +> :::image type="content" source="../../media/threat-explorer-email-actions-button.png" alt-text="The Actions button in the Threat Explorer" lightbox="../../media/threat-explorer-email-actions-button.png"::: Here, the analyst can take actions like reporting the mail as Spam, Phishing, or Malware, contacting recipients, or further investigations that can include triggering Automated Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the mail can also be reported as clean. > [!div class="mx-imgBorder"] -> ![The Actions drop down.](../../media/threat-explorer-email-actions-drop-down.png) +> :::image type="content" source="../../media/threat-explorer-email-actions-drop-down.png" alt-text="The Actions drop down" lightbox="../../media/threat-explorer-email-actions-drop-down.png"::: ## Improvements to threat hunting experience When navigating from an alert into Threat Explorer, the View will be filtere Finally, alert ID is included in the URL, for example: `https://https://security.microsoft.com/viewalerts` > [!div class="mx-imgBorder"] -> ![Filtering for Alert ID.](../../media/AlertID-Filter.png) +> :::image type="content" source="../../media/AlertID-Filter.png" alt-text="The Filter for Alert ID" lightbox="../../media/AlertID-Filter.png"::: > [!div class="mx-imgBorder"] -> ![Alert ID in details flyout.](../../media/AlertID-DetailsFlyout.png) +> :::image type="content" source="../../media/AlertID-DetailsFlyout.png" alt-text="The Alert ID in details flyout" lightbox="../../media/AlertID-DetailsFlyout.png"::: ### Extending Explorer (and Real-time detections) data retention and search limit for trial tenants In Threat Explorer, you can see information about user tags in the following exp When analysts look at the Tags column the email grid, they are seeing all tags that have been applied to sender or recipient mailboxes. By default, system tags like priority accounts are shown first. > [!div class="mx-imgBorder"] -> ![Filter tags in email grid view.](../../media/tags-grid.png) +> :::image type="content" source="../../media/tags-grid.png" alt-text="The Filter tags in email grid view" lightbox="../../media/tags-grid.png"::: #### Filtering Tags can be used as filters. Hunt among priority accounts only, or use specific [![Filter tags.](../../media/tags-filter-normal.png)](../../media/tags-filter-normal.png#lightbox) > [!div class="mx-imgBorder"] -> ![Not filter tags.](../../media/tags-filter-not.png) +> :::image type="content" source="../../media/tags-filter-not.png" alt-text="The tags that have not been filtered" lightbox="../../media/tags-filter-not.png"::: #### Email detail flyout To view the individual tags for sender and recipient, select an email to open the message details flyout. On the Summary tab, the sender and recipient tags are shown separately. The information about individual tags for sender and recipient can be exported as CSV data. > [!div class="mx-imgBorder"] -> ![Email Details tags.](../../media/tags-flyout.png) +> :::image type="content" source="../../media/tags-flyout.png" alt-text="The Email Details tags" lightbox="../../media/tags-flyout.png"::: Tags information is also shown in the URL clicks flyout. To see it, go to Phish or All Email view > URLs or URL Clicks tab. Select an individual URL flyout to see additional details about clicks for that URL, including any Tags associated with that click. ### Updated Timeline View > [!div class="mx-imgBorder"] -> ![URL tags.](../../media/tags-urls.png) +> :::image type="content" source="../../media/tags-urls.png" alt-text="The URL tags" lightbox="../../media/tags-urls.png"::: > Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=4). Top Malware Families shows the top targeted users in the Malware section. To Security operations people be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts made, for offline analysis for each email view. Also, selecting the number of attempts (for example, 13 attempts in the image below) will open a filtered view in Threat Explorer, so you can see more details across emails, and threats for that user. > [!div class="mx-imgBorder"] -> ![Top targeted users.](../../media/Top_Targeted_Users.png) +> :::image type="content" source="../../media/Top_Targeted_Users.png" alt-text="The users targeted the most" lightbox="../../media/Top_Targeted_Users.png"::: ### Exchange transport rules Names and GUIDs of the transport rules applied to the message appear. Analysts w > Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with a Name/GUID as shown below. > > > [!div class="mx-imgBorder"] -> > ![Exchange Transport Rules.](../../media/ETR_Details.png) +> > :::image type="content" source="../../media/ETR_Details.png" alt-text="The rules in Exchange Transport" lightbox="../../media/ETR_Details.png"::: ### Inbound connectors Connectors are a collection of instructions that customize how your email flows The search for connectors is a CONTAINS query, which means partial keyword searches can work: > [!div class="mx-imgBorder"] -> ![Connector details.](../../media/Connector_Details.png) +> :::image type="content" source="../../media/Connector_Details.png" alt-text="The Connector details" lightbox="../../media/Connector_Details.png"::: ## Required licenses and permissions
security	Threat Trackers	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-trackers.md	ms.prod: m365-security Threat Trackers are informative widgets and views that provide you with intelligence on different cybersecurity issues that might impact your company. For example, you can view information about trending malware campaigns using Threat Trackers. -![Example of Threat Tracker showing malware campaigns.](../../media/a883b5ac-8e2b-469a-90e0-f8ad39bb63b7.png) Most tracker pages include trending numbers that are updated periodically, widgets to help you understand which issues are the biggest or have grown the most, and a quick link in the Actions column that takes you to Explorer, where you can view more detailed information. -![Example of campaign information in Explorer.](../../media/e426f220-fdcb-4dd9-99a2-db97dbcf71d5.png) Trackers are just a few of the many great features you get with [Microsoft Defender for Office 365 Plan 2](office-365-ti.md). Threat Trackers include [Noteworth trackers](#noteworthy-trackers), [Trending trackers](#trending-trackers), [Tracked queries](#tracked-queries), and [Saved queries](#saved-queries). Typically Noteworthy trackers will be posted for just a couple of weeks when we Trending trackers (formerly called Campaigns) highlight new threats received in your organization's email in the past week. -![Example of trending malware campaigns widget.](../../media/d2ccc1a0-2a1d-4e36-99b5-6766c207772f.png) Trending trackers give you an idea of new threats you should review to ensure your broader corporate environment is prepared against attacks. Trending trackers give you an idea of new threats you should review to ensure yo Tracked queries leverage your saved queries to periodically assess Microsoft 365 activity in your organization. This gives you event trending, with more to come in the coming months. Tracked queries run automatically, giving you up-to-date information without having to remember to re-run your queries. -![Example of tracked queries with one selected.](../../media/0c556174-06eb-4ae5-b32a-5ff76b9e4f13.png) ### Saved queries Saved queries are also found in the Trackers section. You can use Saved queries to store the common Explorer searches that you want to get back to quicker and repeatedly, without having to re-create the search every time. -![Example of saved queries with one selected.](../../media/188cf3ff-58f1-41ea-81aa-76158d8f40c3.png) You can always save a Noteworthy tracker query or any of your own Explorer queries using the Save query button at the top of the Explorer page. Anything saved there will show up in the Saved queries list on the Tracker page. Whether you're reviewing email, content, or Office activities (coming soon), Exp And remember that you can always provide us feedback on this or other Microsoft 365 security features by clicking on the Feedback button in the lower-right corner. -![Microsoft 365 Defender portal.](../../media/microsoft-365-defender-portal.png) ## Trackers and Microsoft Defender for Office 365 With our inaugural Noteworthy threat, we're highlighting advanced malware threats detected by [Safe Attachments](safe-attachments.md). If you're an Office 365 Enterprise E5 customer and you're not using [Microsoft Defender for Office 365](defender-for-office-365.md), you should be - it's included in your subscription. Defender for Office 365 provides value even if you have other security tools filtering email flow with your Office 365 services. However, anti-spam and [Safe Links](safe-links.md) features work best when your main email security solution is through Office 365. -![Microsoft Defender for Office 365 in the Microsoft 365 Defender portal.](../../media/policies.png) In today's threat-riddled world, running only traditional anti-malware scans means you are not protected well enough against attacks. Today's more sophisticated attackers use commonly available tools to create new, obfuscated, or delayed attacks that won't be recognized by traditional signature-based anti-malware engines. The Safe Attachments feature takes email attachments and detonates them in a virtual environment to determine whether they're safe or malicious. This detonation process opens each file in a virtual computer environment, then watches what happens after the file is opened. Whether it's a PDF, and compressed file, or an Office document, malicious code can be hidden in a file, activating only once the victim opens it on their computer. By detonating and analyzing the file in the email flow, Defender for Office 365 capabilities finds these threats based on behaviors, file reputation, and a number of heuristic rules.
security	Trial Playbook Defender For Office 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365.md	description: "Microsoft Defender for Office 365 solutions trial playbook." Welcome to the Microsoft Defender for Office 365 trial playbook. This playbook will help you make the most of your 90-day free trial by teaching you how to safeguard your organization with Defender for Office 365. Using Microsoft recommendations, you'll learn how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks. -![A graphical representation of all components of Microsoft Defender for Office 365.](../../medio.png) These actions are recommendations from the Microsoft Defender team on key features to try in your 90-day trial. Use the reporting capabilities in Defender for Office 365 to get more details ab - See where threats are blocked with the [Mailflow status report](view-email-security-reports.md#mailflow-status-report). - [Review links](view-reports-for-mdo.md#url-protection-report) that were viewed by users or blocked by the system. -![Email & collaboration reports in the Microsoft 365 Defender portal.](../../media/mdo-trial-playbook-reporting.png) ## Step 2: Intermediate steps Protect your most targeted and most visible users with Priority Account Protecti Watch this video to learn more: [Protecting priority accounts in Microsoft Defender for Office 365 - YouTube](https://www.youtube.com/watch?v=tqnj0TlzQcI&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=11). -![Alerts in the Microsoft 365 Defender portal.](../../media/mdo-trial-playbook-alerts.png) ### Avoid costly breaches by preventing user compromise Get alerted to potential compromise and automatically limit the impact of these - Review [compromised user alerts](address-compromised-users-quickly.md#compromised-user-alerts). - [Investigate and respond](address-compromised-users-quickly.md) to compromised users. -![Investigate compromised users.](../../media/mdo-trial-playbook-investigation.png) Watch this video to learn more: [Detect and respond to compromise in Microsoft Defender for Office 365 - YouTube](https://www.youtube.com/watch?v=Pc7y3a-wdR0&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=5). See the bigger picture with Campaign Views in Defender for Office 365, which giv - [Visualize the scope](campaigns.md#campaign-views-in-the-microsoft-365-defender-portal) of the attack. - [Track user interaction](campaigns.md#campaign-details) with these messages. -![Campaign details in the Microsoft 365 Defender portal.](../../media/mdo-trial-playbook-campaign-details.png) + :::image type="content" source="../../medio-trial-playbook-campaign-details.png"::: Watch this video to learn more: [Campaign Views in Microsoft Defender for Office 365 - YouTube](https://www.youtube.com/watch?v=DvqzzYKu7cQ&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=14). Respond efficiently using Automated investigation and response (AIR) to review, - [View details and results](email-analysis-investigations.md) of an investigation. - Eliminate threats by [approving remediation actions](air-remediation-actions.md). -![Investigation results.](../../media/mdo-trial-playbook-investigation-results.png) ## Step 3: Advanced content Equip your users with the right knowledge to identify threats and report suspici - [Assign training](attack-simulation-training.md#assign-training) to users based on simulation results. - [Track progress](attack-simulation-training-insights.md) of your organization in simulations and training completion. -![Attack simulation training insights in the Microsoft 365 Defender portal.](../../media/mdo-trial-playbook-attack-simulation-training-results.png) + :::image type="content" source="../../medio-trial-playbook-attack-simulation-training-results.png"::: ## Additional resources
security	Use Dkim To Validate Outbound Email	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md	Once your domain is added, follow the steps as shown below to configure DKIM. Step 1: Click on the domain you wish to configure DKIM on DKIM page (https://security.microsoft.com/dkimv2 or https://protection.office.com/dkimv2). -![DKIM page in the Microsoft 365 Defender portal with a domain selected.](../../media/126996261-2d331ec1-fc83-4a9d-a014-bd7e1854eb07.png) Step 2: Slide the toggle to Enable. You will see a pop-up window stating that you need to add CNAME records. -![Slide the toggle to Enabled to enable DKIM.](../../media/126995186-9b3fdefa-a3a9-4f5a-9304-1099a2ce7cef.png) Step 3: Copy the CNAMES shown in the pop up window + Step 4: Publish the copied CNAME records to your DNS service provider. On your DNS provider's website, add CNAME records for DKIM that you want to enable. Make sure that the fields are set to the following values for each: TTL: 3600 (or your provider default) Step 5: Return to DKIM page to enable DKIM. -![Slide the toggle to Enabled to enable DKIM.](../../media/126995186-9b3fdefa-a3a9-4f5a-9304-1099a2ce7cef.png) If you see CNAME record doesn't exist error, it might be due to: Once you have published the CNAME records in DNS, you are ready to enable DKIM s #### To enable DKIM signing for your custom domain by using PowerShell > [!IMPORTANT] -> :::image type="content" source="../../media/dkim.png" alt-text="The 'No DKIM keys saved for this domain.' error."::: +> :::image type="content" source="../../media/dkim.png" alt-text="The No DKIM keys saved for this domain error" lightbox="../../media/dkim.png"::: > If you are configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain' complete the command in step 2 below (for example, `Set-DkimSigningConfig -Identity contoso.com -Enabled $true`) to see the key. 1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). Next, see [Use DMARC to validate email](use-dmarc-to-validate-email.md). [An Key rotation via PowerShell: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig) -[Use DMARC to validate email](use-dmarc-to-validate-email.md) +[Use DMARC to validate email](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide&preserve-view=true) +
security	Use Dmarc To Validate Email	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dmarc-to-validate-email.md	contoso.com 3600 IN MX 10 contoso-com.mail.protection.outlook.com All, or most, email will first be routed to mail.contoso.com since it's the primary MX, and then mail will get routed to EOP. In some cases, you might not even list EOP as an MX record at all and simply hook up connectors to route your email. EOP does not have to be the first entry for DMARC validation to be done. It just ensures the validation, to be certain that all on-premise/non-O365 servers will do DMARC checks. DMARC is eligible to be enforced for a customer's domain (not server) when you set up the DMARC TXT record, but it is up to the receiving server to actually do the enforcement. If you set up EOP as the receiving server, then EOP does the DMARC enforcement. ## For more information
security	Use Privileged Identity Management In Defender For Office 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365.md	The name of your user (here 'Alex') will appear under Eligible assignments on th > [!NOTE] > For a quick review of Privileged Identity Management see [this video](https://www.youtube.com/watch?v=VQMAg0sa_lE). *Step 2*. Create the required second (elevated) permission group for additional tasks and assign eligibility. In the Microsoft 365 Defender portal, create a custom role group that contains t 3. If you try to purge an email using Threat Explorer, you get an error stating you need additional permissions. 4. PIM a second time into the more elevated role, after a short delay you should now be able to purge emails without issue. - :::image type="content" source="../../medio-add-the-search-and-purge-role-assignment-to-this-pim-role.PNG" alt-text="If the user we added (Alex) through the Security Reader PIM role tries to delete a suspicious email he'll get a message saying 'You need the Search and Purge role to take action on this email. Contact your administrator to get the role assignment or add the email to an incident."::: + :::image type="content" source="../../medio-add-the-search-and-purge-role-assignment-to-this-pim-role.PNG"::: Permanent assignment of administrative roles and permissions such as Search and Purge Role doesn't hold with the Zero Trust security initiative, but as you can see, PIM can be used to grant just-in-time access to the toolset required.
security	Use Spam Notifications To Release And Report Quarantined Messages	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages.md	By default, the following actions are available in the quarantine notification f - Release: You can release the message here without going to Quarantine in the Microsoft 365 Defender portal. - Review: Click this link to go to Quarantine in the Microsoft 365 Defender portal, where you can (depending on why the message was quarantined) view, release, delete or report your quarantined messages. For more information, see [Find and release quarantined messages as a user in EOP](find-and-release-quarantined-messages-as-a-user.md). -![Example quarantine notification.](../../media/end-user-spam-notification.png) > [!NOTE] > A blocked sender can still send you mail. Any messages from this sender that make it to your mailbox will be immediately moved to the Junk Email folder. Future messages from this sender will go to your Junk Email folder or to quarantine. If you would like to delete these messages on arrival instead of quarantining them, use [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to delete the messages on arrival.
security	Use The Delist Portal To Remove Yourself From The Office 365 Blocked Senders Lis	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md	There are good reasons for senders to wind up on the blocked senders list, but m The portal sends an email to the email address that you supply. The email will look something like the following: - ![Screenshot of email received when you submit a request through the delist portal.](../../media/bf13e4f7-f68c-4e46-baa7-b6ab4cfc13f3.png) + :::image type="content" source="../../media/bf13e4f7-f68c-4e46-baa7-b6ab4cfc13f3.png" alt-text="The email received when you submit a request through the delist portal" lightbox="../../media/bf13e4f7-f68c-4e46-baa7-b6ab4cfc13f3.png"::: + 4. Click the confirmation link in the email sent to you by the delisting portal.
security	View Email Security Reports	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md	The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 repor The Compromised users report shows the number of user accounts that were marked as Suspicious or Restricted within the last 7 days. Accounts in either of these states are problematic or even compromised. With frequent use, you can use the report to spot spikes, and even trends, in suspicious or restricted accounts. For more information about compromised users, see [Responding to a compromised email account](responding-to-a-compromised-email-account.md). -![Compromised users widget on the Email & collaboration reports page.](../../media/compromised-users-report-widget.png) The aggregate view shows data for the last 90 days and the detail view shows data for the last 30 days. When you're finished configuring the filters, click Apply, Cancel, or On the Compromised users page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) [Create schedule](#schedule-report), ![Request report icon.](../../media/m365-cc-sc-download-icon.png) [Request report](#request-report), and ![Export icon.](../../media/m365-cc-sc-download-icon.png) [Export](#export-report) buttons are available. -![Report view in the Compromised users report.](../../media/compromised-users-report-activity-view.png) ## Exchange transport rule report +The Exchange transport rule report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization. + +To view the report in the Microsoft 365 Defender portal, go to Reports \> Email & collaboration \> Email & collaboration reports. On the Email & collaboration reports page, find Exchange transport rule and then click View details. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>. ++ +On the Exchange transport rule report page, the available charts and data are described in the following sections. > [!NOTE] > The Exchange transport rule report is now available in the EAC. For more information, see [Exchange transport rule report in the new EAC](/exchange/monitoring/mail-flow-reports/mfr-exchange-transport-rule-report). + ### Chart breakdown by Direction -![Direction view for Exchange Transport rules in the Exchange transport rule report.](../../media/transport-rule-report-etr-direction-view.png) If you select Chart breakdown by Direction, the follow charts are available: On the Exchange transport rule report page, the ![Create schedule icon.](../ ### Chart breakdown by Severity -![Severity view for Exchange Transport rules in the Exchange transport rule report.](../../media/transport-rule-report-etr-severity-view.png) If you select Chart breakdown by Severity, the follow charts are available: The Mailflow status report is a smart report that shows information about in To view the report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to Reports \> Email & collaboration \> Email & collaboration reports. On the Email & collaboration reports page, find Mailflow status summary and then click View details. To go directly to the report, open <https://security.microsoft.com/reports/mailflowStatusReport>. -![Mailflow status summary widget on the Email & collaboration reports page.](../../media/mail-flow-status-report-widget.png) ### Type view for the Mailflow status report -![Type view in the Mailflow status report.](../../media/mail-flow-status-report-type-view.png) On the Mailflow status report page, the Type tab is selected by default. The chart shows the following information for the specified date range: On the Mailflow status report page, the ![Create schedule icon.](../../media ### Direction view for the Mailflow status report -![Direction view in the Mailflow status report.](../../media/mail-flow-status-report-direction-view.png) If you click the Direction tab, the chart shows the following information for the specified date range: On the Mailflow status report page, the ![Create schedule icon.](../../media The Mailflow** view shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a _Sankey_ diagram) to provide details on the total email count, and how the configured threat protection features, including edge protection, anti-malware, anti-phishing, anti-spam, and anti-spoofing affect this count. -![Mailflow view in the Mailflow status report.](../../media/mail-flow-status-report-mailflow-view.png) The aggregate view and details table view allow for 90 days of filtering. If you hover over a horizontal band in the diagram, you'll see the number of rel <sup>\</sup> If you click on this element, the diagram is expanded to show further details. For a description of each element in the expanded nodes, see [Detection technologies](/office/office-365-management-api/office-365-management-activity-api-schema#detection-technologies). -![Phishing block details in Mailflow view in the Mailflow status report.](../../media/mail-flow-status-report-mailflow-view-details.png) The details table below the diagram shows the following information: When you're finished configuring the filters, click Apply, Cancel, or * Back on the Mailflow status report page, you can click Show trends to see trend graphs in the Mailflow trends flyout that appears. -![Mailflow trends flyout in Mailflow view in the Mailflow status report.](../../media/mail-flow-status-report-mailflow-view-show-trends.png) On the Mailflow status report page, the ![Export icon.](../../media/m365-cc-sc-download-icon.png) Export button is available. The aggregate view of the report allows for 90 days of filtering, while the deta To view the report in the Microsoft 365 Defender portal, go to Reports \> Email & collaboration \> Email & collaboration reports. On the Email & collaboration reports page, find Spoof detections and then click View details. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReport>. -![Spoof detections widget on the Email & collaboration reports page.](../../media/spoof-detections-widget.png) The chart shows the following information: You can filter both the chart and the details table by clicking Filter and s - Other - Spoof type: Internal and External -![Spoof mail report page in the Microsoft 365 Defender portal.](../../media/spoof-detections-report-page.png) The details table below the graph shows the following information: The Submissions report shows information about items that admins have report To view the report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to Reports \> Email & collaboration \> Email & collaboration reports. On the Email & collaboration reports page, find Submissions and then click View details. To go directly to the report, open <https://security.microsoft.com/adminSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click Go to Submissions. Admins will be able to view the report for last 30 days. -![Submissions widget on the Email & collaboration reports page.](../../media/submissions-report-widget.png) The chart shows the following information: The details table below the graph shows the same information and has the same On the Submissions page, the [Export](#export-report) button is available. -![Submissions report page in the Microsoft 365 Defender portal.](../../media/submissions-report-page.png) ## Threat protection status report To view the report in the Microsoft 365 Defender portal, go to Reports \> - Defender for Office 365: <https://security.microsoft.com/reports/TPSAggregateReportATP> - EOP: <https://security.microsoft.com/reports/TPSAggregateReport> -![Threat protection status widget on the Email & collaboration reports page.](../../media/threat-protection-status-report-widget.png) By default, the chart shows data for the past 7 days. If you click Filter on the Threat protection status report page, you can select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days. The available views are described in the following sections. ### View data by Overview -![Overview view in the Threat protection status report.](../../media/threat-protection-status-report-overview-view.png) In the View data by Overview view, the following detection information is shown in the chart: When you're finished configuring the filters, click Apply, Cancel, or ### View data by Email \> Phish and Chart breakdown by Detection Technology -![Detection technology view for phishing email in the Threat protection status report.](../../media/threat-protection-status-report-phishing-detection-tech-view.png) > [!NOTE] > Starting in May 2021, phishing detections in email were updated to include message attachments that contain phishing URLs. This change might shift some of the detection volume out of the View data by Email \> Malware view and into the View data by Email \> Phish view. In other words, message attachments with phishing URLs that were traditionally identified as malware now might be identified as phishing instead. On the Threat protection status page, the ![Create schedule icon.](../../med ### View data by Email \> Spam and Chart breakdown by Detection Technology -![Detection technology view for spam in the Threat protection status report.](../../media/threat-protection-status-report-spam-detection-tech-view.png) In the View data by Email \> Spam and Chart breakdown by Detection Technology view, the following information is shown in the chart: On the Threat protection status page, the ![Create schedule icon.](../../med ### View data by Email \> Malware and Chart breakdown by Detection Technology -![Detection technology view for malware in the Threat protection status report.](../../media/threat-protection-status-report-malware-detection-tech-view.png) > [!NOTE] > Starting in May 2021, malware detections in email were updated to include harmful URLs in messages attachments. This change might shift some of the detection volume out of the View data by Email \> Phish view and into the View data by Email \> Malware view. In other words, harmful URLs in message attachments that were traditionally identified as phishing now might be identified as malware instead. On theThreat protection status page, the ![Create schedule icon.](../../medi ### Chart breakdown by Policy type -![Policy type view for phishing email, spam email, or malware email in the Threat protection status report.](../../media/threat-protection-status-report-phishing-policy-type-view.png) In the View data by Email \> Phish, View data by Email \> Spam, or View data by Email \> Malware views, selecting Chart breakdown by Policy type shows the following information in the chart: On the Threat protection status page, the ![Create schedule icon.](../../med ### Chart breakdown by Delivery status -![Delivery status view for phishing email and malware email in the Threat protection status report.](../../media/threat-protection-status-report-phishing-delivery-status-view.png) In the View data by Email \> Phish, View data by Email \> Spam, or View data by Email \> Malware views, selecting Chart breakdown by Delivery status shows the following information in the chart: On the Threat protection status page, the ![Create schedule icon.](../../med ### View data by Content \> Malware -![Content malware view in the Threat protection status report.](../../media/threat-protection-status-report-content-malware-view.png) In the View data by Content \> Malware view, the following information is shown in the chart for Microsoft Defender for Office 365 organizations: On the Threat protection status page, the ![Create schedule icon.](../../med ### View data by System override and Chart breakdown by Reason -![Message override and Chart breakdown by Reason view in the Threat protection status report.](../../media/threat-protection-status-report-system-override-view-breakdown-by-reason.png) In the View data by System override and Chart breakdown by Reason view, the following override reason information is shown in the chart: On the Threat protection status page, the ![Export icon.](../../media/m365-c ### View data by System override and Chart breakdown by Delivery location -![Message override and Chart breakdown by Delivery Location view in the Threat protection status report.](../../media/threat-protection-status-report-system-override-view-breakdown-by-delivery-location.png) In the View data by System override and Chart breakdown by Delivery location view, the following override reason information is shown in the chart: The Top malware report shows the various kinds of malware that was detected To view the report in the Microsoft 365 Defender portal, go to Reports \> Email & collaboration \> Email & collaboration reports. On the Email & collaboration reports page, find Top malware and then click View details. To go directly to the report, open <https://security.microsoft.com/reports/TopMalware>. -![Top malware widget on the Email & collaboration reports page.](../../media/top-malware-report-widget.png) When you hover over a wedge in the pie chart, you can see the name of a kind of malware and how many messages were detected as having that malware. If you click Filter, you can specify a date range with Start date and On the Top malware page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) [Create schedule](#schedule-report) and ![Export icon.](../../media/m365-cc-sc-download-icon.png) [Export](#export-report) buttons are available. -![Top malware report view.](../../media/top-malware-report-view.png) ## Top senders and recipients report To view the report in the Microsoft 365 Defender portal at <https://security.mic - Defender for Office 365: <https://security.microsoft.com/reports/TopSenderRecipientsATP> - EOP: <https://security.microsoft.com/reports/TopSenderRecipient> -![Top senders and recipients widget in the Reports dashboard.](../../media/top-senders-and-recipients-widget.png) When you hover over a wedge in the pie chart, you can see the number of messages for the sender or recipient. When you're finished configuring the filters, click Apply, Cancel, or On the Top senders and recipients page, the ![Export icon.](../../media/m365-cc-sc-download-icon.png) Export button is available. -![Show data for Top mail senders view in the Top senders and recipients report.](../../media/top-senders-and-recipients-report-view.png) ## URL protection report The User reported messages report shows information about email messages tha To view the report in the Microsoft 365 Defender portal, go to Reports \> Email & collaboration \> Email & collaboration reports. On the Email & collaboration reports page, find User reported messages and then click View details. To go directly to the report, open <https://security.microsoft.com/reports/userSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click Go to Submissions. -![User reported messages widget on the Email & collaboration reports page.](../../media/user-reported-messages-widget.png) You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears: To group the entries, click Group and select one of the following values fro - Rescan result - Phish simulation** -![User reported messages report.](../../media/user-reported-messages-report.png) The details table below the graph shows the following information:
security	View Mail Flow Reports	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-mail-flow-reports.md	In addition to the mail flow reports that are available in the [Mail flow dashbo If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view these reports in the Security & Compliance Center at <https://protection.office.com> by going to Reports \> Dashboard. To go directly to the Reports dashboard, open <https://protection.office.com/insightdashboard>. -![Reports dashboard in the Security & Compliance Center.](../../media/6b213d34-adbb-44af-8549-be9a7e2db087.png) ## Connector report If you have the [necessary permissions](#what-permissions-are-needed-to-view-the ## Exchange transport rule report +The Exchange transport rule report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization. + +To view the report, open the Security & Compliance Center at <https://protection.office.com>, go to Reports \> Dashboard and select Exchange Transport rule. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>. ++ > [!NOTE] > The Exchange transport rule report is now available in the EAC. For more information, see [Exchange transport rule report in the new EAC](/exchange/monitoring/mail-flow-reports/mfr-exchange-transport-rule-report). The Mailflow status report is similar to the [Sent and received email report To view the report, open the [Security & Compliance Center](https://protection.office.com), go to Reports \> Dashboard and select Mailflow status report. To go directly to the Mail flow status report, open <https://security.microsoft.com/reports/mailflowStatusReport>. -![Mailflow status report widget in the Reports dashboard.](../../media/scc-mail-flow-status-report-widget.png) > [!NOTE] > Clicking on the widget for this report in the Security & Compliance Center (protection.office.com) now takes you to the full report in the Microsoft 365 Defender portal (security.microsoft.com). For details about the report, see [Mailflow status report](view-email-security-reports.md#mailflow-status-report). To view the report, open the Security & Compliance Center at <https://protection - Defender for Office 365: <https://protection.office.com/TopSenderRecipientsATP> - EOP: <https://protection.office.com/TopSenderRecipients> -![Top senders and recipients widget in the Reports dashboard.](../../media/scc-top-senders-and-recipients-widget.png) > [!NOTE] > Although clicking on the widget for this report in the Security & Compliance Center takes you to a protection.office.com page, the page content is from the Microsoft 365 Defender portal. For details about the report, see [Top senders and recipients report](view-email-security-reports.md#top-senders-and-recipients-report).
security	View Reports For Mdo	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md	Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 s 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to Reports > Email & collaboration \> Reports for download. To go directly to the Reports for download page, use <https://security.microsoft.com/ReportsForDownload?viewid=custom>. -![Email & collaboration reports page in the Microsoft 365 Defender portal.](../../media/email-collaboration-download-reports.png) > [!NOTE] > To view the report, open the Microsoft 365 Defender portal at <https://security. On the Email & collaboration reports page, find Mail latency report and then click View details. To go directly to the report, use <https://security.microsoft.com/mailLatencyReport>. -![Mail latency report widget on the Email & collaboration reports page.](../../media/mail-latency-report-widget.png) + On the Mail latency report page, the following tabs are available on the Mail latency report page: Regardless of the tab you select, the chart shows messages organized into the fo When you hover over a category in the chart, you can see a breakdown of the latency in each category. -![50th percentiles view of the Mail latency report.](../../media/mail-latency-report-50th-percentile-view.png) If you click Filter, you can filter both the chart and the details table by the following values: The URL protection report provides summary and trend views for threats detec To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to Reports \> Email & collaboration \> Email & collaboration reports. On the Email & collaboration reports page, find URL protection page and then click View details. To go directly to the report, open <https://security.microsoft.com/reports/URLProtectionActionReport>. -![URL protection report widget on the Email & collaboration reports page.](../../media/url-protection-report-widget.png) The available views on the URL protection report page are described in the following sections. The available views on the URL protection report page are described in the f ### View data by URL click protection action -![URL click protection action view in the URL protection report.](../../media/url-threat-protection-report-url-click-protection-action-view.png) The View data by URL click protection action view shows the number of URL clicks by users in the organization and the results of the click: On the main report page, the ![Create schedule icon.](../../media/m365-cc-sc-cre ### View data by URL click by application -![URL click by application view in the URL protection report.](../../media/url-threat-protection-report-url-click-by-application-view.png) The View data by URL click by application view shows the number of URL clicks by apps that support Safe Links:
security	Walkthrough Spoof Intelligence Insight	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md	There are two ways to allow and block spoofed senders: 2. On the Anti-spam policies page, select Spoof intelligence policy by clicking on the name. - ![Select the spoof intelligence policy.](../../media/anti-spam-settings-spoof-intelligence-policy.png) + :::image type="content" source="../../media/anti-spam-settings-spoof-intelligence-policy.png" alt-text="The option to select the spoof intelligence policy" lightbox="../../media/anti-spam-settings-spoof-intelligence-policy.png"::: 3. On the Spoof intelligence policy flyout that appears, make one of the following selections: - Show me senders I already reviewed There are two ways to allow and block spoofed senders: - Yes: Allow the spoofed sender. - No: Mark the message as spoofed. The action is controlled by the default anti-phishing policy or custom anti-phishing policies. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings). - ![Screenshot showing the spoofed senders flyout, and whether the sender is allowed to spoof.](../../media/spoof-allow-block-flyout.png) + :::image type="content" source="../../media/spoof-allow-block-flyout.png" alt-text="The spoofed senders flyout, and whether the sender is allowed to spoof" lightbox="../../media/spoof-allow-block-flyout.png"::: The columns and values that you see are explained in the following list: For detailed syntax and parameter information, see [Set-PhishFilterPolicy](/powe 3. The insight on the dashboard shows you information like this: - ![Screenshot of spoof intelligence insight.](../../media/28aeabac-c1a1-4d16-9fbe-14996f742a9a.png) + :::image type="content" source="../../media/28aeabac-c1a1-4d16-9fbe-14996f742a9a.png" alt-text="The spoof intelligence insight" lightbox="../../media/28aeabac-c1a1-4d16-9fbe-14996f742a9a.png"::: This insight has two modes: For detailed syntax and parameter information, see [Set-PhishFilterPolicy](/powe From here, you can also choose to add or remove the domain/sending infrastructure pair from the Allowed to spoof sender allow list. Simply set the toggle accordingly. - ![Screenshot of a domain in the Spoof intelligence insight details pane.](../../media/03ad3e6e-2010-4e8e-b92e-accc8bbebb79.png) + :::image type="content" source="../../media/03ad3e6e-2010-4e8e-b92e-accc8bbebb79.png" alt-text="A domain in the Spoof intelligence insight details pane" lightbox="../../media/03ad3e6e-2010-4e8e-b92e-accc8bbebb79.png"::: ## How do you know these procedures worked?
security	Top Security Tasks For Remote Work	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/top-security-tasks-for-remote-work.md	description: "Protect your business email and data from cyber threats, including If you are like [Microsoft](https://www.microsoft.com/microsoft-365/blog/2020/03/10/staying-productive-while-working-remotely-with-microsoft-teams/) and suddenly find yourself supporting a primarily home-based workforce, we want to help you ensure your organization is working as securely as possible. This article prioritizes tasks to help security teams implement the most important security capabilities as quickly as possible. + If you are a small or medium-size organization using one of Microsoft's business plans, see these resources instead: You'll need to work with your Exchange Online administrator and SharePoint Onlin Now that you have Microsoft Defender for Office 365 and Microsoft Defender for Identity configured, you can view the combined signals from these capabilities in one dashboard. [Microsoft 365 Defender](./defender/microsoft-365-defender.md) brings together alerts, incidents, automated investigation and response, and advanced hunting across workloads (Microsoft Defender for Identity, Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps) into a single pane in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. -<!-- > After you have configured one or more of your Defender for Office 365 services, turn on MTP. New features are added continually to MTP; consider opting in to receive preview features.
solutions	Collaborate Teams Direct Connect	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-teams-direct-connect.md	To configure inbound settings for an organization 1. In [Azure Active Directory](https://aad.portal.azure.com), select External Identities, and then select Cross-tenant access settings (preview). 1. Select the inbound access link for the organization that you want to modify. 1. On the B2B direct connect tab, choose Customize settings. -1. On the External users and groups tab, choose Allow access and All users and groups. +1. On the External users and groups tab, choose Allow access and All users and groups. (You can choose Select external users and groups if you want to limit access to specific users and groups, such as those who have signed a non-disclosure agreement.) 1. On the Applications tab, choose Allow access and Select applications. 1. Select Add Microsoft applications. 1. Select the Office 365 application, and then choose Select.