Updates from: 03/29/2024 02:17:56
Category Microsoft Docs article Related commit history on GitHub Change details
admin M365 Feature Descriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/m365-feature-descriptions.md
Title: "Microsoft 365 feature descriptions" -+ Last updated 06/18/2022 audience: ITPro
For other issues, visit the [Microsoft support center](https://support.microsoft
**Group management:** Security groups are used in SharePoint Online to control access to sites. Security groups can be created in the Microsoft 365 admin center. For more information about security groups, see [Create, edit, or delete a security group](/office365/admin/email/create-edit-or-delete-a-security-group).
-**Microsoft Entra
+**Microsoft Entra
# [**Support, help, and training**](#tab/Support)
admin User Consent https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/user-consent.md
f1.keywords:
Previously updated : 09/15/2023 Last updated : 03/25/2024 audience: Admin
A user can give access only to apps they own that access their Microsoft 365 inf
## Turning user consent on or off
-Here's how to turn User consent to apps on or off.
-
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, go to the **Settings** > **Org settings** > [Services](https://go.microsoft.com/fwlink/p/?linkid=2053743) page, and then select **User consent to apps**.
-
-2. On the **User consent to apps** page, select the option to turn user consent on or off.
+Contact your Global Administrator to edit the user consent policy in the Microsoft Entra portal by following [these steps](https://learn.microsoft.com/entra/identity/enterprise-apps/configure-user-consent).
## Related content
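Review bot: The replacement line under "## Turning user consent on or off" no longer tells the reader how to turn the setting on or off, so the heading now promises a procedure the section does not give; either rename the heading (for example "Where to manage user consent") or keep a one-line statement that the setting is now managed in Microsoft Entra before the pointer. The link also uses an absolute https://learn.microsoft.com/entra/... URL, while the other files in this update link with site-relative paths such as /microsoft-365/security/defender-endpoint/behavior-monitor and /legal/pay/italy; a relative /entra/identity/enterprise-apps/configure-user-consent would be consistent with them.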
commerce Italy Billing Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/italy-billing-info.md
+
+ Title: "Billing information for Microsoft 365 for business in Italy"
+f1.keywords:
+- NOCSH
++++
+audience: Admin
+++
+ms.localizationpriority: medium
+
+- Tier1
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+search.appverid: MET150
+description: "Learn about information specifically for Microsoft 365 for business in Italy."
+
+- commerce_billing
+- admindeeplinkMAC
+monikerRange: 'o365-worldwide'
Last updated : 03/27/2024++
+# Billing information for Microsoft 365 for business in Italy
+
+## 1. Where can I get an invoice for my Microsoft 365 for business purchase?
+
+Your invoice is sent to the registered billing notification email address 24 hours after your purchase is confirmed. To download your invoice in the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
+
+> [!IMPORTANT]
+> If you want the invoice to include your Codice Fiscale/Tax ID, you must add it before the purchase confirmation.
+
+## 2. How can I add my Codice Fiscale/Tax ID to the invoice I get for the purchase of Microsoft 365 for business?
+
+### During the purchase process (Checkout)
+
+During the checkout purchase process, when you get to step **4. Payment and billing**, select the box to enter a Codice Fiscale/Tax ID. This step is necessary so that you can see it reflected in your purchase invoice.
+
+### For your future purchases
+
+You can add or modify your Codice Fiscale/Tax ID so that the information is reflected in future Microsoft 365 for business purchases. To add or modify your Codice Fiscale/Tax ID, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.
+
+> [!NOTE]
+> If you're in a recurrent billing subscription, the addition or modification of the Codice Fiscale/Tax ID is reflected on the invoice of your next charge.
+
+#### Add your Codice Fiscale/Tax ID
+
+If your invoice number begins with "G," to ensure you can still receive invoices, update your Microsoft account to include your Codice Fiscale/Tax ID.
+
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
+2. In the navigation menu, select **Billing**, then select <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">**Billing accounts**</a>.
+3. Select the billing account you want to update.
+4. In the **Tax ID** section, select **Add tax ID**. If you already have a tax ID listed, such as a VAT ID, select **Add another tax ID**.
+5. In the **Codice Fiscale ID** field, add your ID, then select **Save**.
+
+## 3. Can I add or modify my Codice Fiscale/Tax ID to an invoice that was already generated?
+
+It's important that you add or modify your Codice Fiscale/Tax ID before you make your purchase. You can't add or modify the Codice Fiscale/Tax ID information after we generate your Microsoft 365 for business invoice.
+
+## 4. Why wasn't an e-invoice issued by Sistema di Interscambio (SDI)?
+
+If a Codice Fiscale/Tax ID isn't provided, e-invoices aren't issued by SDI per Italian e-invoicing regulations. For such scenarios, invoices issued by Microsoft are still available.
+
+## 5. What's the wire payment information for Italy?
+
+For details about making a payment, see [Payment information for Italy](/legal/pay/italy).
+
+## Related content
+
+[View your invoice in the Microsoft 365 admin center](view-your-bill-or-invoice.md) (article)\
+[Understand your invoice for your Microsoft MCA billing account](understand-your-invoice.md) (article)\
+[Understand your invoice for your Microsoft MOSA billing account](understand-your-invoice2.md) (article)
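Review bot: Under "## 2.", the note "If you're in a recurrent billing subscription" should read "recurring billing subscription", and the sentence "If your invoice number begins with "G," to ensure you can still receive invoices, update your Microsoft account to include your Codice Fiscale/Tax ID." puts the purpose clause in the middle of the instruction; suggest "If your invoice number begins with "G", update your Microsoft account to include your Codice Fiscale/Tax ID so that you can continue to receive invoices." The rest of the new file reads cleanly, and the relative links in "## Related content" match the repo's convention.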
commerce Manage Self Service Purchases Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-users.md
Title: Manage self-service purchases (Users)
+ Title: "Manage self-service purchases and trials (for users)"
f1.keywords: - NOCSH
- admindeeplinkMAC search.appverid: - MET150
-description: "Users can learn how to manage their self-service purchases."
Previously updated : 12/19/2023
+description: "Users can learn how to manage their self-service purchases in the Microsoft 365 admin center."
Last updated : 02/22/2024
-# Manage self-service purchases (Users)
+# Manage self-service purchases and trials (for users)
As a user, you can buy subscriptions to certain products and assign licenses for those subscriptions to people in your team. You're responsible for paying for any self-service purchases you make. You can manage your subscriptions in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
Your admin has a read-only view into any subscriptions that you buy. They can se
You can view a list of all self-service purchased subscriptions that you bought.
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, then go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
2. On the **Products** tab, select the filter icon, then select **Self-service**.
-## How to buy more or reduce licenses
+## Buy more or reduce licenses
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
2. Select the subscription for which you want to buy more license or reduce the number of licenses. 3. Select **Buy licenses** or **Remove licenses**. 4. In the details pane, in the **Total licenses** box, enter the total number of licenses that you want for this subscription, then select **Save**. For example, if you have 100 licenses and you want to add 5 more, enter 105.
You can view a list of all self-service purchased subscriptions that you bought.
### To assign licenses
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
-2. Select the subscription for which you want to assign licenses.
-3. Select **Assign licenses**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+2. Select the product for which you want to assign licenses.
+3. On the product details page, select **Assign licenses**.
4. In the **Assign licenses to users** pane, begin typing a name, and then select it from the results to add it to the list. You can add up to 20 users at a time. > [!NOTE] > You can only assign licenses to people in your organization.
-5. Select **Assign**, then select **Close**.
+5. Select **Assign**, then select close the details pane.
### To unassign licenses
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
2. Select the product for which you want to unassign licenses. 3. Select the users from whom you want to unassign licenses. 4. Select **Unassign licenses**.
You can view a list of all self-service purchased subscriptions that you bought.
## Cancel a subscription
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
2. On the **Products** tab, find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**. 3. In the **Cancel subscription** pane, select a reason why you're canceling. Optionally, provide any feedback you have. 4. Select **Save**. ## Manage your payment details
-1. In the admin center, go to the **Billing** > **Bills & payments** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page.
-2. Select a billing profile from the list.
-3. On the billing profile details page, under **Payment method**, choose one of the following options:
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.
+2. On the **Overview** tab, select a billing account.
+3. On the billing account details page, select the **Billing profile** tab. The tab lists all billing profiles associated with the selected billing account.
+4. Select a billing profile name to view the details page.
+5. In the **Invoice and billing notifications** section, under **Payment method**, choose one of the following options:
- If you want to update an existing payment method, select **Edit**. - If you want to add a new payment method, select **Replace**.
-4. In the right pane, enter the card details, then select **Save**.
+6. In the details pane, enter the card details, then select **Save** or **Replace**.
### Update an existing payment method
You can view a list of all self-service purchased subscriptions that you bought.
### Add a new payment method 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
-2. On the **Payment methods** tab, select **Add a payment method**.
-3. In the **Add a payment method** pane, enter the information for the new payment method, then select **Add**.
+2. On the **Payment methods** page, select **Add a payment method**, then select **Add a payment method** from the drop-down list.
+3. In the **Add a payment method** pane, enter the information for the new payment method, then select **Save*.
## View your invoices
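Review bot: Step 5 of "### To assign licenses" now reads "Select **Assign**, then select close the details pane", which is ungrammatical; it should be "Select **Assign**, then close the details pane." In step 3 of "### Add a new payment method", the markup "**Save*" is unbalanced and will render a stray asterisk; write "**Save**". While here, the unchanged step "Select the subscription for which you want to buy more license or reduce the number of licenses" under "## Buy more or reduce licenses" should say "buy more licenses".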
security Comprehensive Guidance On Linux Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment.md
Use the following steps to check the network connectivity of Microsoft Defender
3. Verify that the traffic isn't being inspected by SSL inspection (TLS inspection). This is the most common network related issue when setting up Microsoft Defender Endpoint, see [Verify SSL inspection isn't being performed on the network traffic](#step-3-verify-ssl-inspection-isnt-being-performed-on-the-network-traffic).
+> [!NOTE]
+> It is generally recommended that traffic for Defender for Endpoint is not inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and MacOS).
+ #### Step 1: Allow URLs for the Microsoft Defender for Endpoint traffic 1. Download the [Microsoft Defender for Endpoint URL list for commercial customers](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
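Review bot: In the added note, "MacOS" should be "macOS", which is how Apple writes it and how the Jamf article in this same update writes it. The note also repeats what step 3 just above it already says ("Verify that the traffic isn't being inspected by SSL inspection (TLS inspection)"); if the point of the note is that the recommendation is not Linux-specific, a shorter sentence such as "This recommendation applies to all supported operating systems (Windows, Linux, and macOS)" avoids stating the same thing twice in a row.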
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
Title: Onboard Windows devices to Defender for Endpoint using Intune
-description: Use Microsoft Intune to deploy the configuration package on devices so that they are onboarded to the Defender for Endpoint service.
+description: Use Microsoft Intune to deploy the configuration package on devices so that they're onboarded to the Defender for Endpoint service.
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 03/28/2024 # Onboard Windows devices to Defender for Endpoint using Intune
Last updated 12/18/2020
You can use mobile device management (MDM) solutions to configure Windows 10 devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices.
-For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
+For more information on using Defender for Endpoint CSP, see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Before you begin
Check out [Identify Defender for Endpoint architecture and deployment method](de
Follow the instructions from [Intune](/mem/intune/protect/advanced-threat-protection-configure#enable-microsoft-defender-for-endpoint-in-intune).
-For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
+For more information on using Defender for Endpoint CSP, see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
> [!NOTE] >
For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThr
## Run a detection test to verify onboarding+ After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
For security reasons, the package used to Offboard devices will expire 30 days a
1. Get the offboarding package from <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
- 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
+ 2. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
- 1. Select Windows 10 or Windows 11 as the operating system.
+ 3. Select Windows 10 or Windows 11 as the operating system.
- 1. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
+ 4. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
- 1. Click **Download package**, and save the .zip file.
+ 5. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.+ - OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding - Date type: String - Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]
For more information on Microsoft Intune policy settings, see [Windows 10 policy
> [!IMPORTANT] > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
-## Related topics
+## Related articles
+ - [Onboard Windows devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
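Review bot: The two rewritten sentences "For more information on using Defender for Endpoint CSP, see, [WindowsAdvancedThreatProtection CSP]..." add a comma before "see" but keep the stray one after it; it should read "CSP, see [WindowsAdvancedThreatProtection CSP]". The same sentence also appears twice in the file (once before "## Before you begin" and again after the Intune link), so one copy could be dropped. In the offboarding procedure, the nested steps under "1. Get the offboarding package" were renumbered 2 through 5, which collides with the outer "2. Extract the contents of the .zip file"; number them 1 through 4 (or use letters) so the sub-list reads as subordinate to step 1. Finally, the unchanged OMA-URI list says "Date type: String"; that should be "Data type: String".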
security Evaluate Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md
- tier2 - mde-asr search.appverid: met150 Previously updated : 02/28/2024 Last updated : 03/28/2024 # Evaluate network protection
This article helps you evaluate network protection by enabling the feature and g
Enable network protection in audit mode to see which IP addresses and domains might be blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
-2. Enter the following cmdlet:
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
+
+2. Run the following cmdlet:
```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode
To review apps that would have been blocked, open Event Viewer and filter for Ev
### Troubleshooting Network Protection
-If network protection fails to detect, make sure that the following pre-requisites are enabled:
+If network protection fails to detect, make sure that the following prerequisites are enabled:
1. Microsoft Defender Antivirus is the primary antivirus app (active mode)
-1. [Behavior Monitoring is enabled](/microsoft-365/security/defender-endpoint/behavior-monitor)
+2. [Behavior Monitoring is enabled](/microsoft-365/security/defender-endpoint/behavior-monitor)
-1. [Cloud Protection is enabled](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus)
+3. [Cloud Protection is enabled](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus)
-1. [Cloud Protection network connectivity is functional](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
+4. [Cloud Protection network connectivity is functional](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
-## See also
+## Related articles
- [Network protection](network-protection.md)
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.localizationpriority: medium Previously updated : 03/27/2024 Last updated : 03/28/2024 audience: ITPro
This article is updated frequently to let you know what's new in the latest rele
There are multiple fixes and new changes in this release: -- Addition of `microsoft_defender_scan_skip.log` file which logs scans that mdatp is unable to complete due to any reason.
+- The addition of a new log file - `microsoft_defender_scan_skip.log`. This will log the filenames that were skipped from various antivirus scans by Microsoft Defender for Endpoint due to any reason.
- Stability and performance improvements. - Bug fixes.
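Review bot: The reworded bullet changes what the log file is said to contain: the previous text said `microsoft_defender_scan_skip.log` "logs scans that mdatp is unable to complete", while the new text says it logs "the filenames that were skipped from various antivirus scans". Those are different things (a whole scan that could not finish versus individual files skipped within a scan), so confirm which is correct and state it once. "due to any reason" adds nothing; if the log records why a file was skipped, say so, otherwise drop the phrase. Also use a colon rather than " - " after "a new log file".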
security Manage Sys Extensions Using Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf.md
Title: Manage system extensions using JamF
-description: Manage system extensions using JamF for Microsoft Defender for Endpoint to work properly on macOS.
+ Title: Manage system extensions using Jamf
+description: Manage system extensions using Jamf for Microsoft Defender for Endpoint to work properly on macOS.
search.appverid: met150
Last updated 02/21/2024
-# Manage system extensions using JamF
+# Manage system extensions using Jamf
This article describes the procedures to implement in the process of managing the system extensions to ensure Microsoft Defender for Endpoint works properly on macOS.
-## JamF
+## Jamf
-### JAMF System Extensions Policy
+### Jamf System Extensions Policy
To approve the system extensions, perform the following steps:
To approve the system extensions, perform the following steps:
- com.microsoft.wdav.epsext - com.microsoft.wdav.netext
- :::image type="content" source="media/jamf-system-extensions-approval.png" alt-text="Approving system extensions in JamF." lightbox="media/jamf-system-extensions-approval.png":::
+ :::image type="content" source="media/jamf-system-extensions-approval.png" alt-text="Approving system extensions in Jamf." lightbox="media/jamf-system-extensions-approval.png":::
### Privacy Preferences Policy Control (also known as Full Disk Access)
-Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for Endpoint Security Extension. This policy is a prerequisite for running the extension on your device.
+Add the following Jamf payload to grant Full Disk Access to the Microsoft Defender for Endpoint Security Extension. This policy is a prerequisite for running the extension on your device.
1. Select **Options > Privacy Preferences Policy Control**.
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender portal. The following policy allows the network extension to perform this functionality: > [!NOTE]
-> JAMF doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.
+> Jamf doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, Jamf sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.
1. Save the following content to your device as **com.microsoft.network-extension.mobileconfig** using a text editor:
$ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig
<PathToFile>/com.microsoft.network-extension.mobileconfig: OK ```
-4. Follow the instructions on [this page](https://learn.jamf.com/bundle/technical-articles/page/Welcome.html) to create a signing certificate using JAMF's built-in certificate authority.
+4. Follow the instructions on [this page](https://learn.jamf.com/bundle/technical-articles/page/Welcome.html) to create a signing certificate using Jamf's built-in certificate authority.
5. After the certificate is created and installed to your device, run the following command from terminal to sign the file:
For example, if the certificate name is *SigningCertificate* and the signed file
$ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig ```
-6. From the JAMF portal, navigate to **Configuration Profiles** and select the **Upload** button. Select **com.microsoft.network-extension.signed.mobileconfig** when prompted for the file.
+6. From the Jamf portal, navigate to **Configuration Profiles** and select the **Upload** button. Select **com.microsoft.network-extension.signed.mobileconfig** when prompted for the file.
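Review bot: Step 4 still links to https://learn.jamf.com/bundle/technical-articles/page/Welcome.html with the link text "this page"; judging by the URL, that is the welcome page of Jamf's technical-articles bundle rather than the certificate-authority article itself, and "this page" tells the reader nothing about the target. Link directly to the relevant article and make the link text descriptive (for example "create a signing certificate using Jamf's built-in certificate authority"). The JamF to Jamf rename itself is applied consistently across the title, description, headings, image alt text, and body.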
security Advanced Hunting Best Practices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-best-practices.md
Title: Advanced hunting query best practices in Microsoft Defender XDR description: Learn how to construct fast, efficient, and error-free threat hunting queries with advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema, kusto, avoid timeout, command lines, process id, optimize, best practice, parse, join, summarize
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-overview.md
Title: Overview - Advanced hunting description: Learn about advanced hunting queries in Microsoft 365 and how to use them to proactively find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto
-
-ms.sitesec: library
ms.pagetype: security f1.keywords: - NOCSH
search.appverid: met150 Previously updated : 02/16/2021 Last updated : 03/28/2024 # Proactively hunt for threats with advanced hunting in Microsoft Defender XDR
security Advanced Hunting Query Language https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-language.md
Title: Learn the advanced hunting query language in Microsoft Defender XDR description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types, powershell download, query example
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
- m365initiative-m365-defender - tier1 Previously updated : 02/16/2021 Last updated : 03/28/2024 # Learn the advanced hunting query language
security Alert Classification Malicious Exchange Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-malicious-exchange-connectors.md
Title: Alert classification for malicious exchange connectors description: Alert grading recipients from malicious exchange connectors activity and protect their network from malicious attack.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Alert Classification Password Spray Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-password-spray-attack.md
Title: Alert classification for password spray attacks description: Alert classification guide for password spray attacks coming to review the alerts and take recommended actions to remediate the attack and protect your network.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, devices, users, 365, microsoft, m365, password, spray, alert classification, alert grading, cloud apps, password spray, password spray attack
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Alert Classification Playbooks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-playbooks.md
Title: Alert classification playbooks description: Review the alerts for well-known attacks and take recommended actions to remediate the attack and protect your network.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Alert Classification Suspicious Ip Password Spray https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-suspicious-ip-password-spray.md
Title: Alert classification for suspicious IP address related to password spraying activity description: Alert classification for suspicious IP address related to password spraying activity to review the alerts and take recommended actions to remediate the attack and protect your network.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, devices, users, 365, microsoft, m365, password, spray, alert classification, alert grading, cloud apps, suspicious IP, classify alert
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Alert Grading Playbook Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-email-forwarding.md
Title: Alert classification for suspicious email forwarding activity description: Alert classification for suspicious email forwarding activity to review the alerts and take recommended actions to remediate the attack and protect your network.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
Last updated 04/05/2023
**Applies to:** - Microsoft Defender XDR
-Threat actors can use compromised user accounts for several malicious purposes, including reading emails in a user's inbox, forwarding emails to external recipients, and sending phishing mails, among others. The targeted user might be unaware that their emails are being forwarded. This is a very common tactic that attackers use when user accounts are compromised.
+Threat actors can use compromised user accounts for several malicious purposes, including reading emails in a user's inbox, forwarding emails to external recipients, and sending phishing mails, among others. The targeted user might be unaware that their emails are being forwarded. This is a common tactic that attackers use when user accounts are compromised.
-Emails can be forwarded either manually or automatically using forwarding rules. Automatic forwarding can be implemented in multiple ways like Inbox Rules, Exchange Transport Rule (ETR), and SMTP Forwarding. While manual forwarding requires direct action from users, they might not be aware of all the auto-forwarded emails. In Microsoft 365, an alert is raised when a user auto-forwards an email to a potentially malicious email address.
+Emails can be forwarded either manually or automatically using forwarding rules. Automatic forwarding can be implemented in multiple ways like Inbox Rules, Exchange Transport Rule (ETR), and SMTP Forwarding. While manual forwarding requires direct action from users, they might not be aware of all the autoforwarded emails. In Microsoft 365, an alert is raised when a user autoforwards an email to a potentially malicious email address.
This playbook helps you investigate Suspicious Email Forwarding Activity alerts and quickly grade them as either a true positive (TP) or a false positive (FP). You can then take recommended actions for the TP alerts to remediate the attack.
For an overview of alert classifications for Microsoft Defender for Office 365 a
The results of using this playbook are: -- You have identified the alerts associated with auto-forwarded emails as malicious (TP) or benign (FP) activities.
+- You identify the alerts associated with autoforwarded emails as malicious (TP) or benign (FP) activities.
- If malicious, you have [stopped email auto-forwarding](../office-365-security/outbound-spam-policies-external-email-forwarding.md) for the affected mailboxes.
+ If malicious, you have [stop email autoforwarding](../office-365-security/outbound-spam-policies-external-email-forwarding.md) for the affected mailboxes.
-- You have taken the necessary action if emails have been forwarded to a malicious email address.
+- You take the necessary action if emails were forwarded to a malicious email address.
## Email forwarding rules
Email forwarding rules allow users to create a rule to forward email messages se
Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder such as an RSS folder, or forward emails to an external account.
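Review bot: the replacement bullet `+ If malicious, you have [stop email autoforwarding](../office-365-security/outbound-spam-policies-external-email-forwarding.md) for the affected mailboxes.` is ungrammatical ("you have stop") and, as rendered here, has also lost the `-` list marker that its neighbours `+- You identify ...` and `+- You take ...` keep, so it will fall out of the bulleted results list. Since the other two bullets were moved to present tense, make this one match and keep the link text intact: `- If malicious, you [stop email autoforwarding](...) for the affected mailboxes.`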
-Some rules might move all the emails to another folder and mark them as "read", while some rules might move only mails which contain specific keywords in the email message or subject. For example, the inbox rule might be set to look for keywords like "invoice", "phish", "do not reply", "suspicious email", or "spam" among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.
+Some rules might move all the emails to another folder and mark them as "read", while some rules might move only mails that contain specific keywords in the email message or subject. For example, the inbox rule might be set to look for keywords like "invoice," "phish," "do not reply," "suspicious email," or "spam," among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.
Microsoft Defender for Office 365 can detect and alert on suspicious email forwarding rules, allowing you to find and delete hidden rules at the source.
While investigating this alert, you must determine:
By looking at sender's past behavior and recent activities, you should be able to determine whether the user's account should be considered compromised or not. You can see the details of alerts raised from the user's page in the Microsoft Defender portal.
-You can also analyze these additional activities for the affected mailbox:
+You can also analyze these other activities for the affected mailbox:
- Use Threat Explorer to understand email related threats
- - Observe how many of the recent email sent by the sender are detected as phish, spam or malware.
+ - Observe how many of the recent email sent by the sender are detected as phish, spam, or malware.
- Observe how many of the sent emails contain sensitive information. - Assess risky sign-in behavior in the Microsoft Azure portal.
Investigate the email forwarding activity. For instance, check the type of email
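Review bot: the changed bullet `+ - Observe how many of the recent email sent by the sender are detected as phish, spam, or malware.` only adds the serial comma and leaves the number disagreement in place ("recent email ... are detected"); while touching the line, make it "how many of the recent emails sent by the sender are detected as phish, spam, or malware."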
For more information, see the following articles: -- [Auto-forwarded messages report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report)
+- [Autoforwarded messages report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report)
- [New users forwarding email insight in the EAC](/exchange/monitoring/mail-flow-insights/mfi-new-users-forwarding-email-insight) - [Responding to a Compromised Email Account](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account) - [Report false positives and false negatives in Outlook](/microsoft-365/security/office-365-security/submissions-outlook-report-messages)
-Here is the workflow to identify suspicious email forwarding activities.
+Here's the workflow to identify suspicious email forwarding activities.
:::image type="content" source="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-workflow.png" alt-text="Alert investigation workflow for email forwarding" lightbox="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-workflow.png":::
Threat Explorer provides an interactive investigation experience for email relat
:::image type="content" source="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-network-message-id.png" alt-text="Example of the Network Message ID" lightbox="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-network-message-id.png":::
- - What additional details are available for this email? For example: subject, return path, and timestamp.
+ - What other details are available for this email? For example: subject, return path, and timestamp.
- What is the origin of this email? Are there any similar emails? - Does this email contain any URLs? Does the URL point to any sensitive data? - Does the email contain any attachments? Do the attachments contain sensitive information?
To use [advanced Hunting](advanced-hunting-overview.md) queries to gather inform
- CloudAppEvents -Contains audit log of user activities. -- IdentityLogonEvents - Contains login information for all users.
+- IdentityLogonEvents - Contains sign-in information for all users.
> [!NOTE] > Certain parameters are unique to your organization or network. Fill in these specific parameters as instructed in each query.
-Run this query to find out who else has forwarded emails to these recipients (SRL/RL).
+Run this query to find out who else forwarded emails to these recipients (SRL/RL).
```kusto let srl=pack_array("{SRL}"); //Put values from SRL here.
CloudAppEvents
| where ActionType in (action_types) ```
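Review bot: the kusto block as shown defines `srl` (`let srl=pack_array("{SRL}"); //Put values from SRL here.`) but never uses it, and filters on `action_types` (`| where ActionType in (action_types)`) with no `let` binding for that name, so the query will not compile as rendered. If the middle of the query was elided in this excerpt, confirm that the full block still declares `action_types` and actually applies `srl` to the recipient filter the preceding sentence promises ("who else forwarded emails to these recipients"); otherwise a reader copying the visible text gets a semantic error before they can fill in the placeholder.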
-Run this query to find out if there were any anomalous login events from this user. For example: unknown IPs, new applications, uncommon countries/regions, multiple LogonFailed events.
+Run this query to find out if there were any anomalous sign-in events from this user. For example: unknown IPs, new applications, uncommon countries/regions, multiple LogonFailed events.
```kusto let sender = "{SENDER}"; //Replace {SENDER} with email of the Forwarder
Once you determine that the activities associated make this alert a True Positiv
- Reset the user account's credentials.
-4. Check for additional activities originated from impacted accounts, IP addresses, and suspicious senders.
+4. Check for other activities originated from impacted accounts, IP addresses, and suspicious senders.
## See also
Once you determine that the activities associated make this alert a True Positiv
- [Suspicious inbox forwarding rules](alert-grading-playbook-inbox-forwarding-rules.md) - [Suspicious inbox manipulation rules](alert-grading-playbook-inbox-manipulation-rules.md) - [Investigate alerts](investigate-alerts.md)+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
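Review bot: step `+4. Check for other activities originated from impacted accounts, IP addresses, and suspicious senders.` still reads "activities originated from"; the edit swapped "additional" for "other" but left the grammar, so make it `4. Check for other activities originating from impacted accounts, IP addresses, and suspicious senders.`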
security Alert Grading Playbook Inbox Forwarding Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-inbox-forwarding-rules.md
Title: Alert classification for suspicious inbox forwarding rules description: Alert classification for suspicious inbox forwarding rules to review the alerts and take recommended actions to remediate the attack and protect your network.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Alert Grading Playbook Inbox Manipulation Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-inbox-manipulation-rules.md
Title: Alert classification for suspicious inbox manipulation rules description: Alert classification for suspicious inbox manipulation rules to review the alerts and take recommended actions to remediate the attack and protect your network.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
Last updated 04/05/2023
**Applies to:** - Microsoft Defender XDR
-Threat actors can use compromised user accounts for many malicious purposes including reading emails in a user's inbox, creating inbox rules to forward emails to external accounts, deleting traces, and sending phishing mails. Malicious inbox rules are common during business email compromise (BEC) and phishing campaigns and it is important to monitor for them consistently.
+Threat actors can use compromised user accounts for many malicious purposes including reading emails in a user's inbox, creating inbox rules to forward emails to external accounts, deleting traces, and sending phishing mails. Malicious inbox rules are common during business email compromise (BEC) and phishing campaigns and it's important to monitor for them consistently.
This playbook helps you investigate any incident related to suspicious inbox manipulation rules configured by attackers and take recommended actions to remediate the attack and protect your network. This playbook is for security teams, including security operations center (SOC) analysts and IT administrators who review, investigate, and grade the alerts. You can quickly grade alerts as either a true positive (TP) or a false positive (TP) and take recommended actions for the TP alerts to remediate the attack. The results of using this playbook are: -- You have identified the alerts associated with inbox manipulation rules as malicious (TP) or benign (FP) activities.
+- You identify the alerts associated with inbox manipulation rules as malicious (TP) or benign (FP) activities.
- If malicious, you have removed malicious inbox manipulation rules.
+ If malicious, you remove malicious inbox manipulation rules.
-- You have taken the necessary action if emails have been forwarded to a malicious email address.
+- You take the necessary action if emails were forwarded to a malicious email address.
## Inbox manipulation rules
Inbox rules are set to automatically manage email messages based on predefined c
### Malicious inbox manipulation rules
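Review bot: the sentence directly above the changed results list, "You can quickly grade alerts as either a true positive (TP) or a false positive (TP)", uses the wrong abbreviation for false positive and this hunk is already rewording that list, so correct it to "(FP)" in the same change. The line `+ If malicious, you remove malicious inbox manipulation rules.` also appears to have dropped its `-` bullet marker, unlike `+- You identify ...` and `+- You take ...`, which would break the list into a bullet, a paragraph, and another bullet.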
-Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder (like RSS), or forward mails to an external account. Some rules might move all the emails to another folder and mark them as "read", while some rules might move only mails which contain specific keywords in the email message or subject.
+Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder (like RSS), or forward mails to an external account. Some rules might move all the emails to another folder and mark them as "read", while some rules might move only mails that contain specific keywords in the email message or subject.
-For example, the inbox rule might be set to look for keywords like "invoice", "phish", "do not reply", "suspicious email", or "spam" among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.
+For example, the inbox rule might be set to look for keywords like "invoice," "phish," "do not reply," "suspicious email," or "spam," among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.
## Workflow
-Here is the workflow to identify suspicious inbox manipulation rule activities.
+Here's the workflow to identify suspicious inbox manipulation rule activities.
:::image type="content" source="../../media/alert-grading-playbook-inbox-manipulation-rules/alert-grading-playbook-inbox-manipulation-rules-workflow.png" alt-text="Alert investigation workflow for inbox manipulation rules" lightbox="../../media/alert-grading-playbook-inbox-manipulation-rules/alert-grading-playbook-inbox-manipulation-rules-workflow.png":::
Determine if the rules look suspicious according to the following rule parameter
- Keywords
- The attacker might apply the manipulation rule only to emails that contains certain words. You can find these keywords under certain attributes such as: "BodyContainsWords", "SubjectContainsWords" or "SubjectOrBodyContainsWords".
+ The attacker might apply the manipulation rule only to emails that contains certain words. You can find these keywords under certain attributes such as: "BodyContainsWords," "SubjectContainsWords," or "SubjectOrBodyContainsWords."
- If there are filtering by keywords, then check whether the keywords seem suspicious to you (common scenarios are to filter emails related to the attacker activities, such as "phish", "spam", "do not reply", among others).
+ If there are filtering by keywords, then check whether the keywords seem suspicious to you (common scenarios are to filter emails related to the attacker activities, such as "phish," "spam," and "do not reply," among others).
If there is no filter at all, it might be suspicious as well.
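Review bot: both changed bullets under Keywords only move commas inside the quotation marks and leave grammar errors untouched: `+ The attacker might apply the manipulation rule only to emails that contains certain words.` should read "emails that contain certain words", and `+ If there are filtering by keywords, then check whether ...` should read "If there is filtering by keywords" (or, more directly, "If the rule filters by keywords"). The following unchanged line "If there is no filter at all, it might be suspicious as well." is the contrast the bullet is setting up, so keep the two phrased in parallel.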
security Api Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-access.md
Title: Access the Microsoft Defender XDR APIs description: Learn how to access the Microsoft Defender XDR APIs
-keywords: access, apis, application context, user context, aad application, access token
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Advanced Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-advanced-hunting.md
Title: Microsoft Defender XDR advanced hunting API description: Learn how to run advanced hunting queries using Microsoft Defender XDR's advanced hunting API
-keywords: Advanced Hunting, APIs, api, M365 Defender, Microsoft Defender XDR
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Articles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-articles.md
Title: Other security and threat protection APIs description: View a list of APIs related to Microsoft security and threat protection products.
-keywords: api, security, threat protection, mde, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, cloud app security
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Create App User Context https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-create-app-user-context.md
Title: Create an app to access Microsoft Defender XDR APIs on behalf of a user description: Learn how to access Microsoft Defender XDR APIs on behalf of a user.
-keywords: access, on behalf of user, api, application, user, access token, token,
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Create App Web https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-create-app-web.md
Title: Create an app to access Microsoft Defender XDR without a user description: Learn how to create an app to access Microsoft Defender XDR without a user.
-keywords: app, access, api, create
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-error-codes.md
Title: Common Microsoft Defender XDR REST API error codes
-description: Learn about the common Microsoft Defender XDR REST API error codes
-keywords: api, error, codes, common errors, Microsoft Defender XDR, api error codes
-search.product: eADQiWindows 10XVcnh
+description: Learn about the common Microsoft Defender XDR REST API error codes.
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
Last updated 02/08/2023
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Error codes may be returned by an operation on any of the Microsoft Defender XDR APIs. Every error response will contain an error message, which can help resolve the problem. The error message column in the table section provides some sample messages. The content of actual messages will vary based on the factors that triggered the response. Variable content is indicated in the table by angle brackets.
+Error codes can be returned by an operation on any of the Microsoft Defender XDR APIs. Every error response contains an error message, which can help resolve the problem. The error message column in the table section provides some sample messages. The content of actual messages varies based on the factors that triggered the response. Variable content is indicated by angle brackets (`< >`) in the following table:
## Error codes
-Error code | HTTP status code | Message
--|-|-
-BadRequest | BadRequest (400) | General Bad Request error message.
-ODataError | BadRequest (400) | Invalid OData URI query \<the specific error is specified\>.
-InvalidInput | BadRequest (400) | Invalid input \<the invalid input\>.
-InvalidRequestBody | BadRequest (400) | Invalid request body.
-InvalidHashValue | BadRequest (400) | Hash value \<the invalid hash\> is invalid.
-InvalidDomainName | BadRequest (400) | Domain name \<the invalid domain\> is invalid.
-InvalidIpAddress | BadRequest (400) | IP address \<the invalid IP\> is invalid.
-InvalidUrl | BadRequest (400) | URL \<the invalid URL\> is invalid.
-MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: \<batch size received\>, allowed: {batch size allowed}.
-MissingRequiredParameter | BadRequest (400) | Parameter \<the missing parameter\> is missing.
-OsPlatformNotSupported | BadRequest (400) | OS Platform \<the client OS Platform\> is not supported for this action.
-ClientVersionNotSupported | BadRequest (400) | \<The requested action\> is supported on client version \<supported client version\> and above.
-Unauthorized | Unauthorized (401) | Unauthorized <br /><br />*Note: Usually caused by an invalid or expired authorization header.*
-Forbidden | Forbidden (403) | Forbidden <br /><br />*Note: Valid token but insufficient permission for the action*.
-DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
-DisallowedOperation | Forbidden (403) | \<the disallowed operation and the reason\>.
-NotFound | Not Found (404) | General Not Found error message.
-ResourceNotFound | Not Found (404) | Resource \<the requested resource\> was not found.
-InternalServerError | Internal Server Error (500) | *Note: No error message, retry the operation or [contact Microsoft](../../admin/get-help-support.md) if it does not get resolved*
+| Error code | HTTP status code | Message |
+|--|--|--|
+| BadRequest | BadRequest (400) | General Bad Request error message. |
+| ODataError | BadRequest (400) | Invalid OData URI query \<the specific error is specified\>. |
+| InvalidInput | BadRequest (400) | Invalid input \<the invalid input\>. |
+| InvalidRequestBody | BadRequest (400) | Invalid request body. |
+| InvalidHashValue | BadRequest (400) | Hash value \<the invalid hash\> is invalid. |
+| InvalidDomainName | BadRequest (400) | Domain name \<the invalid domain\> is invalid. |
+| InvalidIpAddress | BadRequest (400) | IP address \<the invalid IP\> is invalid. |
+| InvalidUrl | BadRequest (400) | URL \<the invalid URL\> is invalid. |
+| MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: \<batch size received\>, allowed: {batch size allowed}. |
+| MissingRequiredParameter | BadRequest (400) | Parameter \<the missing parameter\> is missing. |
+| OsPlatformNotSupported | BadRequest (400) | OS Platform \<the client OS Platform\> isn't supported for this action. |
+| ClientVersionNotSupported | BadRequest (400) | \<The requested action\> is supported on client version \<supported client version\> and later. |
+| Unauthorized | Unauthorized (401) | Unauthorized <br /><br />*This error is usually caused by an invalid or expired authorization header.* |
+| Forbidden | Forbidden (403) | Forbidden <br /><br />*This error can occur with a valid token but insufficient permission for the action*. |
+| DisabledFeature | Forbidden (403) | Tenant feature isn't enabled. |
+| DisallowedOperation | Forbidden (403) | \<the disallowed operation and the reason\>. |
+| NotFound | Not Found (404) | General Not Found error message. |
+| ResourceNotFound | Not Found (404) | Resource \<the requested resource\> wasn't found. |
+| InternalServerError | Internal Server Error (500) | *If there's no error message, retry the operation. [Contact Microsoft](../../admin/get-help-support.md) if it doesn't get resolved*. |
## Examples
If you experience an *InvalidRequestBody* or *MissingRequiredParameter* error, i
## Tracking ID
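Review bot: the rewritten InternalServerError row changes what the original said: `-InternalServerError | Internal Server Error (500) | *Note: No error message, retry the operation or contact Microsoft if it does not get resolved*` states that this error carries no message and should simply be retried, whereas `+| InternalServerError | Internal Server Error (500) | *If there's no error message, retry the operation. ...` makes retrying conditional on the message being absent. Suggest "This error returns no message. Retry the operation, and [contact Microsoft](../../admin/get-help-support.md) if it isn't resolved." Separately, the `MaximumBatchSizeExceeded` row still mixes notations in `Received: \<batch size received\>, allowed: {batch size allowed}.`, while the new intro sentence promises that variable content is indicated by angle brackets (`< >`); change the braces to `\<batch size allowed\>` so the table follows its own convention.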
-Each error response contains a unique ID parameter for tracking. The property name of this parameter is *target*. When contacting us about an error, attaching this ID will help us find the root cause of the problem.
+Each error response contains a unique ID parameter for tracking. The property name of this parameter is *target*. If you contact Microsoft about an error, attaching your tracking ID helps Microsoft find the root cause of the problem.
## Related articles - [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)- - [Microsoft Defender XDR APIs overview](api-overview.md) - [Supported Microsoft Defender XDR APIs](api-supported.md) - [Access the Microsoft Defender XDR APIs](api-access.md) - [Learn about API limits and licensing](api-terms.md)+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
security Api Get Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-get-incident.md
Title: Get incident API description: Learn how to use the Get incidents API to get a single incident in Microsoft Defender XDR.
-keywords: apis, graph api, supported apis, get, file, hash
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
Retrieves a specific incident by its ID
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
## Permissions One of the following permissions is required to call this API.
-Permission type|Permission|Permission display name
-||
-Application|Incident.Read.All|'Read all Incidents'
-Application|Incident.ReadWrite.All|'Read and write all Incidents'
-Delegated (work or school account)|Incident.Read|'Read Incidents'
-Delegated (work or school account)|Incident.ReadWrite|'Read and write Incidents'
+| Permission type|Permission|Permission display name |
+||||
+|Application|Incident.Read.All|`Read all Incidents`|
+|Application|Incident.ReadWrite.All|`Read and write all Incidents`|
+|Delegated (work or school account)|Incident.Read|`Read Incidents`|
+|Delegated (work or school account)|Incident.ReadWrite|`Read and write Incidents`|
> [!NOTE] > > When obtaining a token using user credentials: >
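Review bot: the new delimiter row `+||||` under `+| Permission type|Permission|Permission display name |` contains no dashes, and the same `+||||` appears under `+|Name|Type|Description|` in the Request headers table further down; the CommonMark/GFM table extension requires a header separator made of dashes (optionally with colons), so write both as `|---|---|---|` to be sure the tables render in any Markdown processor rather than collapsing to plain text. The header row here also has stray spaces around its outer cells (`| Permission type|...|Permission display name |`) that none of the body rows have; harmless, but worth making consistent while the table is being rewritten.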
-> - The user needs to have at least the following role permission: 'View Data'
+> - The user needs to have at least the following role permission: `View Data`
> - The response will only include incidents that the user is exposed to ## HTTP request
GET .../api/incidents/{id}
## Request headers
-Name|Type|Description
-||
-Authorization|String|Bearer {token}. **Required**.
+|Name|Type|Description|
+||||
+|Authorization|String|Bearer {token}. **Required**.|
## Request body
Empty
## Response
-If successful, this method returns 200 OK, and the incident entity in the response body.
-If incident with the specified id wasn't found - 404 Not Found.
+If successful, this method returns `200 OK`, and the incident entity in the response body.
+If incident with the specified ID wasn't found - 404 Not Found.
## Example
GET https://api.security.microsoft.com/api/incidents/{id}
## Related articles [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
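Review bot: `+If incident with the specified ID wasn't found - 404 Not Found.` is still a sentence fragment and formats the status code inconsistently with the preceding line, which now wraps `200 OK` in backticks; suggest "If an incident with the specified ID isn't found, this method returns `404 Not Found`." so both response cases read the same way.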
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-hello-world.md
Title: Hello World for Microsoft Defender XDR REST API description: Learn how to create an app and use a token to access the Microsoft Defender XDR APIs
-keywords: app, token, access, aad, app, application registration, powershell, script, global administrator, permission, Microsoft Defender XDR
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-incident.md
Title: Microsoft Defender XDR incidents APIs and the incidents resource type
-description: Learn about the methods and properties of the Incidents resource type in Microsoft Defender XDR
-keywords: incident, incidents, api
-search.product: eADQiWindows 10XVcnh
+description: Learn about the methods and properties of the Incidents resource type in Microsoft Defender XDR.
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
Last updated 02/08/2023
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-An [incident](incidents-overview.md) is a collection of related alerts that help describe an attack. Events from different entities in your organization are automatically aggregated by Microsoft Defender XDR. You can use the incidents API to programmatically access your organization's incidents and related alerts.
+An [incident](incidents-overview.md) is a collection of related alerts that help describe an attack. Events from different entities in your organization are aggregated automatically by Microsoft Defender XDR. You can use the incidents API to programmatically access your organization's incidents and related alerts.
## Quotas and resource allocation
-You can request up to 50 calls per minute or 1500 calls per hour. Each method also has its own quotas. For more information on method-specific quotas, see the respective article for the method you want to use.
+You can request up to 50 calls per minute or 1,500 calls per hour. Each method also has its own quotas. For more information on method-specific quotas, see the respective article for the method you want to use.
-A `429` HTTP response code indicates that you've reached a quota, either by number of requests sent, or by allotted running time. The response body will include the time until the quota you reached will be reset.
+A `429` HTTP response code indicates that you've reached a quota, either by number of requests sent, or by allotted running time. The response body includes the time until the quota you reached is reset.
## Permissions
Refer to the respective method articles for more details on how to construct a r
## Common properties
-Property | Type | Description
--|-|-
-incidentId | long | Incident unique ID.
-redirectIncidentId | nullable long | The Incident ID the current Incident was merged to.
-incidentName | string | The name of the Incident.
-createdTime | DateTimeOffset | The date and time (in UTC) the Incident was created.
-lastUpdateTime | DateTimeOffset | The date and time (in UTC) the Incident was last updated.
-assignedTo | string | Owner of the Incident.
-severity | Enum | Severity of the Incident. Possible values are: `UnSpecified`, `Informational`, `Low`, `Medium`, and `High`.
-status | Enum | Specifies the current status of the incident. Possible values are: `Active`, `InProgress`, `Resolved`, and `Redirected`.
-classification | Enum | Specification of the incident. Possible values are: `TruePositive`, `Informational, expected activity`, and `FalsePositive`.
-determination | Enum | Specifies the determination of the incident. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public api accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other).
-tags | string list | List of Incident tags.
-comments | List of incident comments | Incident Comment object contains: comment string, createdBy string, and createTime date time.
-alerts | alert list | List of related alerts. See examples at [List incidents](api-list-incidents.md) API documentation.
+| Property | Type | Description |
+|-|-|-|
+| incidentId | long | Incident unique ID. |
+| redirectIncidentId | nullable long | The Incident ID the current Incident was merged to. |
+| incidentName | string | The name of the Incident. |
+| createdTime | DateTimeOffset | The date and time (in UTC) the Incident was created. |
+| lastUpdateTime | DateTimeOffset | The date and time (in UTC) the Incident was last updated. |
+| assignedTo | string | Owner of the Incident. |
+| severity | Enum | Severity of the Incident. Possible values are: `UnSpecified`, `Informational`, `Low`, `Medium`, and `High`. |
+| status | Enum | Specifies the current status of the incident. Possible values are: `Active`, `InProgress`, `Resolved`, and `Redirected`. |
+| classification | Enum | Specification of the incident. Possible values are: `TruePositive`, `Informational, expected activity`, and `FalsePositive`. |
+| determination | Enum | Specifies the determination of the incident. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public api accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other). |
+| tags | string list | List of Incident tags. |
+| comments | List of incident comments | Incident Comment object contains: comment string, createdBy string, and createTime date time. |
+| alerts | alert list | List of related alerts. See examples at [List incidents](api-list-incidents.md) API documentation. |
> [!NOTE]
-> Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.
+> Around August 29, 2022, previously supported alert determination values (`Apt` and `SecurityPersonnel`) will be deprecated and no longer available via the API.
## Related articles
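Review bot: The new `determination` row still carries internal editorial remarks that should not ship to readers: the `+` line reproduces `consider changing the enum name in public api accordingly` three times, together with the mis-encoded dash (`ΓÇô`) in front of the first one; drop those remarks so the row lists only the display label and the API value, e.g. `` `Compromised account` (CompromisedUser) ``. While converting the table, also check the `classification` row: `Informational, expected activity` is listed as a value next to `TruePositive` and `FalsePositive`, but it looks like a display label rather than an enum name, so the actual API value should be confirmed before merging.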
alerts | alert list | List of related alerts. See examples at [List incidents](a
- [Incidents overview](incidents-overview.md) - [List incidents API](api-list-incidents.md) - [Update incident API](api-update-incidents.md)+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
security Api List Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-list-incidents.md
Title: List incidents API in Microsoft Defender XDR description: Learn how to list incidents API in Microsoft Defender XDR
-keywords: list, incident, incidents, api
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
resolvedTime|Time when alert was resolved.|2020-09-10T05:22:59Z
firstActivity|Time when alert first reported that activity was updated at the backend.|2020-09-04T05:22:59Z title|Brief identifying string value available for each alert.|Ransomware activity description|String value describing each alert.|The user Test User2 (testUser2@contoso.com) manipulated 99 files with multiple extensions ending with the uncommon extension *herunterladen*. This is an unusual number of file manipulations and is indicative of a potential ransomware attack.
-category|Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the [MITRE ATT&CKΓäó framework](https://attack.mitre.org/).|Impact
+category|Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the [MITRE ATT&CK&trade; framework](https://attack.mitre.org/).|Impact
status|Categorize alerts (as *New*, *Active*, or *Resolved*). It can help you organize and manage your response to alerts.|New severity|Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.<br>One of the following values: *Informational*, *Low*, *Medium*, and *High*.|Medium investigationId|The automated investigation ID triggered by this alert.|1234
determination|Specifies the determination of the incident. The property values a
assignedTo|Owner of the incident, or *null* if no owner is assigned.|secop2@contoso.com actorName|The activity group, if any, the associated with this alert.|BORON threatFamilyName|Threat family associated with this alert.|null
-mitreTechniques|The attack techniques, as aligned with the [MITRE ATT&CK](https://attack.mitre.org/)Γäó framework.|\[\]
+mitreTechniques|The attack techniques, as aligned with the [MITRE ATT&CK](https://attack.mitre.org/)&trade; framework.|\[\]
devices|All devices where alerts related to the incident were sent.|\[\] (see details on entity fields below) ### Device format
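Review bot: The two `&trade;` replacements are placed inconsistently: the `category` row puts the entity inside the link text (`[MITRE ATT&CK&trade; framework](https://attack.mitre.org/)`), while the `mitreTechniques` row puts it after the link (`[MITRE ATT&CK](https://attack.mitre.org/)&trade; framework`). Pick one form for both rows; keeping the trademark outside the link text, as in the second row, keeps the link text identical across the two.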
security Api Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-overview.md
Title: Overview of Microsoft Defender XDR APIs description: Learn about the available APIs in Microsoft Defender XDR
-keywords: api, apis, overview, incident, incidents, threat hunting, Microsoft Defender XDR
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Partner Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-partner-access.md
Title: Partner access through Microsoft Defender XDR APIs description: Learn how to create an app to get programmatic access to Microsoft Defender XDR on behalf of your users.
-keywords: partner, access, api, multi tenant, consent, access token, app
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Supported https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-supported.md
Title: Supported Microsoft Defender XDR APIs description: Supported Microsoft Defender XDR APIs
-keywords: Microsoft Defender XDR, APIs, api
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Api Update Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md
Title: Update incident API description: Learn how to update incidents using Microsoft Defender XDR API
-search.product: eADQiWindows 10XVcnh
f1.keywords: - NOCSH
security Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/auditing.md
Title: How to search the audit logs for actions performed by Defender Experts description: As a tenant administrator, you can use Microsoft Purview to search the audit logs for the actions Microsoft Defender Experts did in your tenant to perform their investigations
-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, real-time visibility with XDR experts, threat hunting and analysis
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Autoad Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/autoad-results.md
Title: Details and results of an automatic attack disruption action description: View the results and key findings of automatic attack disruption in Microsoft Defender XDR
-keywords: automated, attack, disruption, investigation, results, analyze, details
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Automatic Attack Disruption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/automatic-attack-disruption.md
Title: Automatic attack disruption in Microsoft Defender XDR description: Automatically contain assets controlled by attackers by using automatic attack disruption in Microsoft Defender XDR.
-keywords: attack, disruption, automatic, analyze, response, machines, devices, users, identities, mail, email, mailbox, investigation, graph, evidence
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Before You Begin Defender Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-defender-experts.md
Title: Key infrastructure requirements before enrolling in the Microsoft Defender Experts for Hunting service description: This section outlines the key infrastructure requirements you must meet and important information on data access and compliance
-keywords: managed threat hunting service, defender experts eligibility, managed detection and response (MDR) service, defender experts notifications, apply for defender experts service, dex, defender experts notification, Microsoft Defender Experts for hunting, threat hunting and analysis, managed response
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Before You Begin Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-xdr.md
Title: Before you begin using Defender Experts for XDR description: To enable us to get started with this managed service, we require the following licensing prerequisites
-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Microsoft Defender Experts for hunting, threat hunting and analysis, Microsoft XDR service
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Communicate Defender Experts Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/communicate-defender-experts-xdr.md
Title: Communicating with Microsoft Defender Experts description: Defender Experts for XDR has multiple channels to discuss incidents, managed response, and service support
-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, ask defender experts, in-portal chat in teams
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
The **Chat** tab within the Microsoft Defender XDR portal provides you with a sp
Apart from using the in-portal chat, you can also engage in real-time chat conversations with Defender Experts directly within Microsoft Teams. This capability provides you and your security operations center (SOC) team more flexibility when responding to incidents that require managed response. [Learn more about turning on notifications and chat on Teams](get-started-xdr.md#receive-managed-response-notifications-and-updates-in-microsoft-teams)
-Once you turn on chat on Teams, a new team named **Defender Experts team** is created and the Defender Experts Teams app is installed in it. Each incident that requires your attention is posted on this teamΓÇÖs **Managed response** channel as a new post. To engage with our experts (for example, ask follow-up questions about the investigation summary or actions published by Defender Experts), use the **Reply** text bar to mention or tag *@Defender Experts* and type your message.
+Once you turn on chat on Teams, a new team named **Defender Experts team** is created and the Defender Experts Teams app is installed in it. Each incident that requires your attention is posted on this team's **Managed response** channel as a new post. To engage with our experts (for example, ask follow-up questions about the investigation summary or actions published by Defender Experts), use the **Reply** text bar to mention or tag *@Defender Experts* and type your message.
:::image type="content" source="../../media/xdr/teams-chat-managed-response-01.png" alt-text="Screenshot of managed response teams channel." lightbox="../../media/xdr/teams-chat-managed-response-01.png":::
Once you turn on chat on Teams, a new team named **Defender Experts team** is cr
- Our experts have access to messages in **Defender Experts team** through the Defender Experts Teams app so you don't have to explicitly them to this team. - Our experts only see replies to existing posts created by Defender Experts regarding a managed response. If you create a new post, our experts won't be able to see it. - While Defender Experts might have access to all messages in any channel in **Defender Experts team**, tag or mention our experts by typing *@Defender Experts* in your replies, so they're notified to join the chat conversation.-- DonΓÇÖt attach any attachments (for example, files for analysis) in the chat. For security reasons, Defender Experts won't be able to view the attachments. Instead, send them to appropriate submissions channels or provide links where they can be found in Microsoft Defender XDR portal.-- Conversations in the Teams chat about an incident are also synchronized with the incidentΓÇÖs **Chat** tab in the Microsoft Defender XDR portal so that you can see messages and updates about an investigation wherever you go.
+- Don't attach any attachments (for example, files for analysis) in the chat. For security reasons, Defender Experts won't be able to view the attachments. Instead, send them to appropriate submissions channels or provide links where they can be found in Microsoft Defender XDR portal.
+- Conversations in the Teams chat about an incident are also synchronized with the incident's **Chat** tab in the Microsoft Defender XDR portal so that you can see messages and updates about an investigation wherever you go.
### Email
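Review bot: The unchanged first bullet in this hunk is missing a verb: `so you don't have to explicitly them to this team` should read `so you don't have to explicitly add them to this team`. Since the hunk already touches the neighbouring bullets for the apostrophe fixes, it is worth correcting that line in the same change.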
security Configure Asset Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-asset-rules.md
Title: Asset rule management - Dynamic rules description: You can use Microsoft Defender for Endpoint to configure dynamic tagging
-keywords: asset rule management, dynamic tagging, Microsoft Defender for Endpoint, devices, Microsoft Defender XDR, Defender
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Configure Deception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-deception.md
Title: Configure the deception capability in Microsoft Defender XDR description: Learn how to create, edit, and delete deception rules in Microsoft Defender XDR.
-keywords: deception, defender for endpoint, Microsoft Defender XDR, Microsoft defender for endpoint, lures, fake hosts, fake users, fake network, honeypot, honeytoken, decoy, fake host, fake user, deception technology, create deception rule, modify deception rule, edit deception rule, delete deception rule
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Configure Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-email-notifications.md
Title: Configure alert notifications in Microsoft Defender XDR description: You can use Microsoft Defender for Endpoint to configure email notification settings for security alerts, based on severity and other criteria.
-keywords: email notifications, configure alert notifications, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint notifications, Microsoft Defender for Endpoint alerts, windows enterprise, windows education, Microsoft Defender XDR, Defender
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Configure Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-event-hub.md
Title: Configure your Event Hubs description: Learn how to configure your Event Hubs
-keywords: event hub, configure, insights
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Configure Siem Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-siem-defender.md
Title: Integrate your SIEM tools with Microsoft Defender XDR description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections.
-keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Criteria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/criteria.md
Title: How Microsoft identifies malware and potentially unwanted applications description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application.
-keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
-ms.sitesec: library
ms.localizationpriority: medium
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
Title: Create and manage custom detection rules in Microsoft Defender XDR
-description: Learn how to create and manage custom detections rules based on advanced hunting queries
-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, rules, schema, kusto, RBAC, permissions, Microsoft Defender for Endpoint
-search.product: eADQiWindows 10XVcnh
+description: Learn how to create and manage custom detections rules based on advanced hunting queries.
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
- m365initiative-m365-defender - tier2 Previously updated : 02/16/2021 Last updated : 03/28/2024 # Create and manage custom detections rules
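Review bot: The rewritten `+description` keeps the grammatical slip `custom detections rules`, which disagrees with the page title `Create and manage custom detection rules` on the line above; suggest `description: Learn how to create and manage custom detection rules based on advanced hunting queries.` The H1 at the end of this hunk (`# Create and manage custom detections rules`) has the same slip and should match the title.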
DeviceEvents
With the query in the query editor, select **Create detection rule** and specify the following alert details: - **Detection name**ΓÇöname of the detection rule; should be unique-- **Frequency**ΓÇöinterval for running the query and taking action. [See additional guidance below](#rule-frequency)
+- **Frequency**ΓÇöinterval for running the query and taking action. [See more guidance in the rule frequency section](#rule-frequency)
- **Alert title**ΓÇötitle displayed with alerts triggered by the rule; should be unique - **Severity**ΓÇöpotential risk of the component or activity identified by the rule - **Category**ΓÇöthreat component or activity identified by the rule
When you save a new rule, it runs and checks for matches from the past 30 days o
- **Every 12 hours**ΓÇöruns every 12 hours, checking data from the past 48 hours - **Every 3 hours**ΓÇöruns every 3 hours, checking data from the past 12 hours - **Every hour**ΓÇöruns hourly, checking data from the past 4 hours-- **Continuous (NRT)**ΓÇöruns continuously, checking data from events as they are collected and processed in near real-time (NRT), see [Continuous (NRT) frequency](custom-detection-rules.md#continuous-nrt-frequency)
+- **Continuous (NRT)**ΓÇöruns continuously, checking data from events as they're collected and processed in near real-time (NRT), see [Continuous (NRT) frequency](custom-detection-rules.md#continuous-nrt-frequency)
> [!TIP] > Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
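Review bot: The rewritten Continuous (NRT) bullet keeps the comma splice from the old line: `...in near real-time (NRT), see [Continuous (NRT) frequency](...)`. Since the line is being edited anyway, suggest `...in near real-time (NRT). See [Continuous (NRT) frequency](custom-detection-rules.md#continuous-nrt-frequency).` to match the other bullets, which each end in a full clause.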
Setting a custom detection to run in Continuous (NRT) frequency allows you to in
You can run a query continuously as long as: - The query references one table only. - The query uses an operator from the list of supported KQL operators. **[Supported KQL features](/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features)**-- The query does not use joins, unions, or the `externaldata` operator.
+- The query doesn't use joins, unions, or the `externaldata` operator.
###### Tables that support Continuous (NRT) frequency
Near real-time detections are supported for the following tables:
Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return sender (`SenderFromAddress` or `SenderMailFromAddress`) and recipient (`RecipientEmailAddress`) addresses. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
-You can select only one column for each entity type (mailbox, user, or device). Columns that are not returned by your query can't be selected.
+You can select only one column for each entity type (mailbox, user, or device). Columns that aren't returned by your query can't be selected.
### 4. Specify actions
These actions are applied to devices in the `DeviceId` column of the query resul
#### Actions on files -- When selected, the **Allow/Block** action can be applied to the file. Blocking files are only allowed if you have *Remediate* permissions for files and if the query results have identified a file ID, such as a SHA1. Once a file is blocked, other instances of the same file in all devices are also blocked. You can control which device group the blocking is applied to, but not specific devices.
+- When selected, the **Allow/Block** action can be applied to the file. Blocking files are only allowed if you have *Remediate* permissions for files and if the query results have identified a file ID, such as an SHA1. Once a file is blocked, other instances of the same file in all devices are also blocked. You can control which device group the blocking is applied to, but not specific devices.
- When selected, the **Quarantine file** action can be applied to files in the `SHA1`, `InitiatingProcessSHA1`, `SHA256`, or `InitiatingProcessSHA256` column of the query results. This action deletes the file from its current location and places a copy in quarantine.
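Review bot: Subject-verb agreement in the rewritten Allow/Block bullet: `Blocking files are only allowed if...` should be `Blocking files is only allowed if...` (the subject is the gerund `Blocking`, not `files`). The change only swapped `a SHA1` for `an SHA1` and left this error in place.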
These actions are applied to devices in the `DeviceId` column of the query resul
- Select **Disable user** to temporarily prevent a user from logging in. - Select **Force password reset** to prompt the user to change their password on the next sign in session.
-Both the Disable user and Force password reset options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`.
+Both the `Disable user` and `Force password reset` options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`.
For more details on user actions, read [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
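Review bot: The `+` line switches the UI labels to code font (`` `Disable user` `` and `` `Force password reset` ``), but the bullets two lines above present the same options in bold (**Disable user**, **Force password reset**), which is the convention for UI elements elsewhere in this file; keep bold here and reserve backticks for column names such as `AccountSid`. In the same sentence, `the user SID, which are in the columns` should be `which is in the columns`, since `SID` is singular.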
When setting the scope, you can select:
- All devices - Specific device groups
-Only data from devices in the scope will be queried. Also, actions will be taken only on those devices.
+Only data from devices in the scope will be queried. Also, actions are taken only on those devices.
> [!NOTE] > Users are able to create or edit a custom detection rule only if they have the corresponding permissions for the devices included in the scope of the rule. For instance, admins can only create or edit rules that are scoped to all device groups if they have permissions for all device groups.
After reviewing the rule, select **Create** to save it. The custom detection rul
## Manage existing custom detection rules
-You can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+You can view the list of existing custom detection rules, check their previous runs, and review the alerts that were triggered. You can also run a rule on demand and modify it.
> [!TIP] > Alerts raised by custom detections are available over alerts and incident APIs. For more information, see [Supported Microsoft Defender XDR APIs](api-supported.md).
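Review bot: The rewrite drops information: `review the alerts they have triggered` became `review the alerts that were triggered`, which no longer says that the alerts are the ones raised by the listed rules. Suggest `review the alerts they triggered`, which keeps the meaning and avoids the perfect tense the edit was presumably removing.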
security Custom Detections Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detections-overview.md
Title: Overview of custom detections in Microsoft Defender XDR description: Understand how you can use advanced hunting to create custom detections and generate alerts
-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Custom Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-roles.md
Title: Custom roles for role-based access control description: Learn how to manage custom roles in the Microsoft Defender portal
-keywords: access, permissions, Microsoft Defender XDR, M365, security, Defender for Cloud Apps, Microsoft Defender for Endpoint, scope, scoping, RBAC, roles-based access, custom roles-based access, roles-based auth, RBAC in MDO, roles, rolegroups, permissions inheritance, fine-grained permissions
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Data Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/data-privacy.md
Title: Microsoft Defender XDR data security and privacy description: Describes the privacy and data security of the service.
-keywords: privacy, data, security, trust center, information collection
-search.product: eADQiWindows 10XVcnh
ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Deception Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deception-overview.md
Title: Manage the deception capability in Microsoft Defender XDR description: Detect human-operated attacks with lateral movement in the early stages using high confidence signals from the deception feature in Microsoft Defender XDR.
-keywords: deception, defender for endpoint, Microsoft Defender XDR, Microsoft defender for endpoint, lures, fake hosts, fake users, fake network, honeypot, honeytoken, decoy, fake host, fake user, deception technology
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-for-hunting.md
Title: What is Microsoft Defender Experts for Hunting offering description: Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints
-keywords: defender experts notifications, managed threat hunting, managed detection and response (MDR) service, DEX, Microsoft Defender Experts, Defender experts service, Microsoft Defender Experts for hunting, threat hunting and analysis, microsoft incident response, experts on demand, EOD, Defender experts reports
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Defender Experts Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-report.md
Title: Understand the Defender Experts for Hunting report in Microsoft Defender XDR description: The Defender Experts for Hunting service publishes reports to help you understand all the threats the hunting service surfaced in your environment
-keywords: analyst report, DEX report, DEX hunting report, defender experts for hunting report, detections, defender experts notification, hunting, notifications, threat categories, hunting reports, suspicious activities report, security weak spots, identify threats
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Defender Threat Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-threat-intelligence.md
Title: Microsoft Defender Threat Intelligence in Microsoft Defender XDR description: Learn what steps you need to take to get started with Defender Threat Intelligence in Microsoft Defender XDR
-keywords: defender threat intelligence, Microsoft Defender XDR
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Defender Xdr Custom Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-xdr-custom-reports.md
Title: Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI description: How to create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI.
-keywords: reports, Microsoft Defender XDR, Microsoft Graph security API, Power BI
ms.sitesec: library ms.pagetype: security
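Review bot: Inconsistent metadata cleanup in this file: every other file in this change removes `ms.sitesec: library` and `ms.pagetype: security` together with the `keywords` line, but here only `keywords` is removed and the unchanged context line still carries `ms.sitesec: library ms.pagetype: security`. If the intent is to retire those two keys across the docset, remove them here as well.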
security Deploy Configure M365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deploy-configure-m365-defender.md
Title: Setup guides for Microsoft Defender XDR description: Learn how to deploy and configure Microsoft Defender XDR by using online setup guides
-keywords: deploy, licenses, supported services, provisioning, configuration Microsoft Defender XDR, M365, license eligibility, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Deploy Supported Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deploy-supported-services.md
Title: Deploy services supported by Microsoft Defender XDR description: Learn about the Microsoft security services that can be integrated by Microsoft Defender XDR, their licensing requirements, and deployment procedures
-keywords: deploy, licenses, supported services, provisioning, configuration Microsoft Defender XDR, M365, license eligibility, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, MCAS, E5, A5, EMS
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Device Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/device-profile.md
Title: Device profile in Microsoft 365 security portal description: View risk and exposure levels for a device in your organization. Analyze past and present threats, and protect the device with the latest updates.
-keywords: security, malware, Microsoft 365, M365, Microsoft Defender XDR, security center, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, device page, device profile, machine page, machine profile
ms.localizationpriority: medium
security Dex Xdr Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dex-xdr-overview.md
Title: What is Microsoft Defender Experts for XDR offering description: Defender Experts for XDR augments your SOC with a combination of automation and human expertise
-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Microsoft Defender Experts for hunting, threat hunting and analysis.
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Dex Xdr Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dex-xdr-permissions.md
Title: How Microsoft Defender Experts for XDR permissions work description: Configuring permissions in customer's XDR tenants
-keywords: XDR, Xtended detection and response, defender experts for xdr, configuring permissions in xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, real-time visibility with XDR experts
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Dlp Investigate Alerts Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dlp-investigate-alerts-defender.md
Title: Investigate data loss alerts with Microsoft Defender XDR description: Investigate data loss in Microsoft Defender XDR.
-keywords: Data Loss Prevention, incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
f1.keywords: - NOCSH
security Dlp Investigate Alerts Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dlp-investigate-alerts-sentinel.md
Title: Investigate data loss prevention alerts with Microsoft Sentinel description: Investigate data loss prevention alerts in Microsoft Sentinel.
-keywords: Data Loss Prevention, incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
f1.keywords: - NOCSH
security Eval Create Eval Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-create-eval-environment.md
Title: Create the Microsoft Defender XDR Evaluation Environment for greater cyber security and XDR
-description: Learn what's included in the Microsoft Defender XDR XDR you will evaluate, and se up your Microsoft Defender XDR trial lab or pilot environment by activating trial licenses. Start your XDR cyber security journey here and learn how to take that test to production.
-search.product: eADQiWindows 10XVcnh
+description: Learn what's included in the Microsoft Defender XDR you evaluate, and se up your Microsoft Defender XDR trial lab or pilot environment by activating trial licenses. Start your XDR cyber security journey here and learn how to take that test to production.
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
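Review bot: the replacement `+description:` line keeps the typo "se up" from the removed line; it should read "set up your Microsoft Defender XDR trial lab or pilot environment". The duplicated "XDR XDR" is fixed, but the new description is still shipped with a misspelling on a page that is indexed by search.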
You can learn about and build out this Microsoft Defender XDR solution in steps
- [Promote the trial environment to production](eval-defender-promote-to-production.md) - [Back to the Overview](eval-overview.md)
-The steps in this series run end-to-end, from learning the concepts behind the Microsoft Defender XDR XDR to building it, and into taking the evaluation environment live to production.
+The steps in this series run end-to-end, from learning the concepts behind the Microsoft Defender XDR to building it, and into taking the evaluation environment live to production.
-There are two common ways to do this next step in evaluation. This series assumes you already have a production Microsoft 365 tenant and will activate E5 trial licenses to evaluate Microsoft Defender XDR in *the current environment*. An in-place evaluation will let you keep any security methods with the purchase of licenses after the evaluation period.
+There are two common ways to do this next step in evaluation. This series assumes you already have a production Microsoft 365 tenant and are activating Microsoft 365 E5 trial licenses to evaluate Microsoft Defender XDR in *the current environment*. An in-place evaluation will let you keep any security methods with the purchase of licenses after the evaluation period.
-The second is to [Set up your Microsoft Defender XDR trial lab environment](setup-m365deval.md) for the purpose of evaluation. Note that it may not have many real signals from the business while in testing.
+The second is to [Set up your Microsoft Defender XDR trial lab environment](setup-m365deval.md) for evaluation. It might not have many real signals from the business while in testing.
<a name='you-will-need-to-activate-e5-trial-licenses-to-evaluate-microsoft-365-defender'></a>
-## You will need to activate E5 trial licenses to evaluate Microsoft Defender XDR
+## You need to activate Microsoft 365 E5 trial licenses to evaluate Microsoft Defender XDR
-1. Log on to your existing Microsoft 365 tenant administration portal.
+1. Sign in your existing Microsoft 365 tenant administration portal.
2. Select **Purchase Services** from the navigation menu. 3. Scroll down to the Office 365 section and select **Details** button under Office 365 E5 license.
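Review bot: the rewritten step 1 drops the preposition: "+1. Sign in your existing Microsoft 365 tenant administration portal." should be "Sign in to your existing Microsoft 365 tenant administration portal." The change from "Log on" to "Sign in" is fine; the sentence just needs "to" to be grammatical.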
The second is to [Set up your Microsoft Defender XDR trial lab environment](set
:::image type="content" source="../../medio-eval/3-m365-purchase-button.png":::
-5. Confirm your request and click **Try now** button.
+5. Confirm your request and select **Try now** button.
:::image type="content" source="../../medio-trial-order.png":::
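Review bot: step 5 is missing an article both before and after the change: "+5. Confirm your request and select **Try now** button." reads better as "Confirm your request and select the **Try now** button." Swapping "click" for "select" is the right style fix; the article should be added in the same pass.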
security Eval Defender Endpoint Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-architecture.md
Title: Review Microsoft Defender for Endpoint architecture requirements and key concepts description: The technical diagram for Microsoft Defender for Endpoint in Microsoft Defender XDR will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Endpoint Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-enable-eval.md
Title: Enable Microsoft Defender for Endpoint evaluation description: Enable your Microsoft Defender XDR trial lab or pilot environment, including checking license state, and onboarding endpoints
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Endpoint Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-overview.md
Title: Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture description: Steps for the setup of a Microsoft Defender XDR trial lab or pilot environment. Test and experience how the security solution is designed to protect devices, identity, data, and apps in your organization.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Endpoint Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-pilot.md
Title: Pilot Microsoft Defender for Endpoint description: Learn how to run a pilot for Microsoft Defender for Endpoint, including verifying the pilot group and trying out capabilities.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Identity Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-architecture.md
Title: Review architecture requirements and the technical framework for Microsoft Defender for Identity description: The technical diagram for Microsoft Defender for Identity in Microsoft Defender XDR will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Identity Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-enable-eval.md
Title: Enable the evaluation environment for Microsoft Defender for Identity description: Set up Microsoft Defender for Identity in Microsoft Defender XDR trial lab or pilot environment by installing & configuring the sensor, and discovering local admins on other computers.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Identity Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-overview.md
Title: Step 2. An Overview of Microsoft Defender XDR for Identity evaluation description: Use Microsoft Defender XDR for Identity in your Microsoft Defender XDR XDR solution. Steps for the evaluation of Microsoft Defender XDR for Identity including requirements, enabling or activating the eval, and set up of the pilot or test.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
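Review bot: the description on the Title line still says "your Microsoft Defender XDR XDR solution" (duplicated "XDR"), the same defect that this commit series fixes in eval-create-eval-environment.md and eval-overview.md; since this hunk only removes metadata, the duplicated word remains in the published description. Suggest fixing it here too.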
security Eval Defender Identity Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-pilot.md
Title: Pilot Microsoft Defender for Identity description: Pilot Microsoft Defender for Identity, set benchmarks, take tutorials on reconnaissance, compromised credential, lateral movement, domain dominance, and exfiltration alerts, among others.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Investigate Respond Additional https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-additional.md
Title: Try Microsoft Defender XDR incident response capabilities in a pilot environment description: Try incident response capabilities in Microsoft Defender XDR to prioritize and manage incidents, automate investigations, and use advanced hunting in threat detection.
-keywords: Microsoft Defender XDR trial, try Microsoft Defender XDR, evaluate Microsoft Defender XDR, Microsoft Defender XDR evaluation lab, Microsoft Defender XDR pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH ms.localizationpriority: medium
security Eval Defender Investigate Respond Simulate Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md
Title: Run an attack simulation in a Microsoft Defender XDR pilot environment description: Run attack simulations for Microsoft Defender XDR to see how alerts and incidents are presented, insights are gained, and threats are quickly remediated.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Investigate Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond.md
Title: Investigate and respond using Microsoft Defender XDR in a pilot environment description: Set up attack simulations in Microsoft Defender XDR trial lab or pilot environment to try out the security solution designed to teach users to protect devices, identity, data, and applications.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH ms.localizationpriority: medium
security Eval Defender Mcas Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-architecture.md
Title: Review architecture requirements and the structure for Microsoft Defender for Cloud Apps description: Microsoft Defender for Cloud Apps technical diagrams explain the architecture in Microsoft Defender XDR, which will help you build a pilot environment.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Mcas Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-enable-eval.md
Title: Enable the evaluation environment for Microsoft Defender for Cloud Apps description: Learn the architecture of Defender for Cloud Apps within Microsoft Defender for Office 365 and understand interactions between the Microsoft Defender XDR products.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Mcas Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-overview.md
Title: Step 5. Evaluate Microsoft Defender for Cloud Apps overview description: Steps to set up your Microsoft Defender XDR trial lab or pilot environment to try out and experience the security solution designed to protect devices, identity, data, and applications in your organization.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
Title: Pilot Microsoft Defender for Cloud Apps with Microsoft Defender XDR description: Set up your Microsoft Defender XDR trial lab or pilot environment to test and experience the security solution designed to protect devices, identity, data, and applications.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
Title: Review architecture requirements and planning concepts for Microsoft Defender for Office 365 description: The technical diagram for Microsoft Defender for Office 365 in Microsoft Defender XDR will help you understand identity at Microsoft 365 before you build your trial lab or pilot environment.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
Title: Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment description: Steps to activate Microsoft Defender for Office 365 evaluation, with trial licenses, MX record handling, & auditing of accepted domains and inbound connections.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Office 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-overview.md
Title: Step 3. Evaluate Microsoft Defender for Office 365 overview description: Use this overview to learn the steps to set up an MDO pilot, including requirements, enabling or activating the eval, and setting up the pilot.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
Title: Pilot Microsoft Defender for Office 365, use the evaluation in your production environment description: Steps to pilot your Evaluation with groups of active and existing users in order to properly test the features of Microsoft Defender for Office 365.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Eval Defender Promote To Production https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-promote-to-production.md
Title: Step 7. Promote your Microsoft Defender XDR evaluation environment to Production
-description: Use this article to promote your evals of MDI, MDO, MDE, and Defender for Cloud Apps to your live environment in Microsoft Defender XDR or M365D.
-search.product: eADQiWindows 10XVcnh
+description: Use this article to promote your trial subscriptions of Defender for Identity, Defender for Office 365, Defender for Endpoint, and Defender for Cloud Apps to your live environment in Microsoft Defender XDR.
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords:
Last updated 05/13/2021
To promote your Microsoft Defender XDR evaluation environment to production, first purchase the necessary license. Follow the steps in [Create the eval environment](eval-create-eval-environment.md) and purchase the Office 365 E5 license (instead of selecting Start free trial).
-Next, complete any other configuration and expand your pilot groups until these have reached full production.
+Next, complete any other configuration and expand your pilot groups until these reach full production.
## Microsoft Defender for Identity
-Defender for Identity doesn't require any other configuration. Just make sure you've purchased the necessary licenses and installed the sensor on all of your Active Directory domain controllers and Active Directory Federation Services (AD FS) servers.
+Defender for Identity doesn't require any other configuration. Just make sure to purchase the necessary licenses and install the sensor on all of your Active Directory domain controllers and Active Directory Federation Services (AD FS) servers.
## Microsoft Defender for Office 365
-After successfully evaluating or piloting MDO, it can be promoted to your entire production environment.
+After successfully evaluating or piloting Defender for Office 365, it can be promoted to your entire production environment.
1. Purchase and provision the necessary licenses and assign them to your production users.
-2. Re-run recommended baseline policy configurations (either Standard or Strict) against your production email domain or specific groups of users.
-3. Optionally create and configure any custom MDO policies against your production email domain or groups of users. However, remember that any assigned baseline policies will always take precedence over custom policies.
+2. Rerun recommended baseline policy configurations (either Standard or Strict) against your production email domain or specific groups of users.
+3. Optionally create and configure any custom Defender for Office 365 policies against your production email domain or groups of users. However, remember that any assigned baseline policies will always take precedence over custom policies.
4. Update the public MX record for your production email domain to resolve directly to EOP. 5. Decommission any third-party SMTP gateways and disable or delete any EXO connectors associated with this relay.
Use the following general guidelines to onboard more devices to Microsoft Defend
## Microsoft Defender for Cloud Apps
-Microsoft Defender for Cloud Apps doesn't require any other configuration. Just make sure you've purchased the necessary licenses. If you've scoped the deployment to certain user groups, increase the scope of these groups until you reach production scale.
+Microsoft Defender for Cloud Apps doesn't require any other configuration. Just make sure to purchase the necessary licenses. If you've scoped the deployment to certain user groups, increase the scope of these groups until you reach production scale.
+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
security Eval Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-overview.md
Title: Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action. description: What is XDR security? How can you evaluate a Microsoft XDR in Microsoft Defender XDR? Use this blog series to plan your Microsoft Defender XDR trial lab or pilot environment and test and pilot a security solution designed to protect devices, identity, data, and applications. Take that XDR seccurity test to production.
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
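Review bot: the description on the Title line contains the misspelling "seccurity" ("Take that XDR seccurity test to production"), which this hunk leaves untouched while removing the surrounding metadata. Suggest correcting it to "security" in the same change.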
security Export Incidents Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/export-incidents-queue.md
Title: Export incidents queue to CSV files description: Learn about the newly introduced Export button to migrate incidents queue-related data to CSV files
-keywords: incident, queue, export, csv
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Faq Incident Notifications Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/faq-incident-notifications-xdr.md
Title: FAQs related to Microsoft Defender Experts for XDR incident notifications description: Frequently asked questions related to Defender Experts for XDR incident notifications
-keywords: XDR, XDR incidents, Xtended detection and response, FAQ's related to XDR, defender experts for xdr, XDR incident notifications, defender experts analyst, managed threat hunting, managed detection and response (MDR) service, real-time visibility with XDR experts, DEX-XDR FAQ's
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Faq Managed Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/faq-managed-response.md
Title: FAQs related to Microsoft Defender Experts for XDR managed response
+ Title: FAQs related to Microsoft Defender Experts for XDR Managed response
description: Frequently asked questions related to managed response notifications
-keywords: managed response, xdr, extended detection and response, defender experts for xdr, managed response faq xdr, managed detection and response (MDR) service, app execution, app restriction, real-time visibility with XDR experts, FAQ's related to XDR, isolate device, exclusions, high-value devices
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
search.appverid: met150
Last updated 01/30/2024
-# Understanding managed response
+# Understanding Managed response
**Applies to:** - [Microsoft Defender XDR](microsoft-365-defender.md)
-The following section lists down questions you or your SOC team might have regarding [managed response](managed-detection-and-response-xdr.md).
+The following section lists down questions you or your SOC team might have regarding [Managed response](managed-detection-and-response-xdr.md).
| Questions | Answers | |||
-| **What is managed response?** | Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|
-| **What actions are in scope for managed response?** | All actions found below are in scope for managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Run antivirus scan<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Soft delete emails </ul><br> |
-| **Can I customize the extent of managed response?** | You can configure the extent to which our experts do managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device groups](../defender/get-started-xdr.md#exclude-devices-from-remediation) |
-| **What support do Defender Experts offer for excluded assets?** | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal, and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |
-| **How am I going to be informed about the response actions?** | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Microsoft Defender XDR portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the managed response in the portal. Moreover if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for DEX statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md).|
-| **Can I customize managed response based on actions?** | No. If you have devices or users that are considered high-value or sensitive, you can add them to your exclusion list. Our experts will NOT take any action on them and will only provide guidance if they're impacted by an incident.|
+|**What is Managed response?** | Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|
+|**What actions are in scope for Managed response?** | All actions found below are in scope for Managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Soft delete emails </ul> |
+|**Can I customize the extent of Managed response?** | You can configure the extent to which our experts do Managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device groups](../defender/get-started-xdr.md#exclude-devices-from-remediation) |
+|**What support do Defender Experts offer for excluded assets?** | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |
+|**How am I going to be informed about the response actions?** | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Defender portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the Managed response in the portal. Moreover, if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for Defender Experts statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md).|
+|**Can I customize Managed response based on actions?** | No. If you have devices or users that are considered high-value or sensitive, you can add them to your exclusion list. Our experts will NOT take any action on them and will only provide guidance if they're impacted by an incident.|
### See also
-[Managed detection and response](managed-detection-and-response-xdr.md)
+- [Managed detection and response](managed-detection-and-response-xdr.md)
+- [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md)
[!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
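Review bot: the rewritten "What actions are in scope for Managed response?" row drops "Run antivirus scan" from the *For devices* list; the removed row listed six device actions and the new one lists five, and nothing in the commit says the action left scope. If it was removed intentionally, the change should say so; otherwise re-add `<li>Run antivirus scan`. Separately, the new rows start with `|**` while the header row and the rest of the document's tables use `| **`; keep one spacing style for the whole table.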
security Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/feedback.md
Title: Provide feedback on Microsoft Defender XDR
-description: Provide product feedback on Microsoft Defender XDR
-keywords: feedback, m365 security, security, 365, capabilities
-search.product: eADQiWindows 10XVcnh
+description: Provide product feedback on Microsoft Defender XDR.
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
Last updated 02/16/2021
**Applies to:** - Microsoft Defender XDR
-Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience, impressions, and requests by providing feedback.
+Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience, impressions, and requests by providing feedback.
-Check out this video to see how easy it is to provide feedback.
+Check out this video to see how to provide feedback.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4LWeP]
-1. From any part of the portal, select **Give feedback**.
+1. From any part of the Microsoft Defender portal, select **Give feedback**.
:::image type="content" source="../../media/feedback.png" alt-text="The incidents in the Microsoft 365 security portal" lightbox="../../media/feedback.png"::: 2. Rate your experience and provide details on what you liked or where improvement can be made. You can also choose to be contacted about the feedback. 3. Select **Submit**.+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
security Fetch Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/fetch-incidents.md
Title: Fetch Microsoft Defender XDR incidents description: Learn how to fetch Microsoft Defender XDR incidents from a customer tenant
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security First Incident Path Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-path-identity.md
Title: Example of an identity-based attack description: Step through an example analysis of an identity-based attack.
-keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security First Incident Path Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-path-phishing.md
Title: Example of a phishing email attack description: Step through an example analysis of a phishing attack.
-keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Frequently Asked Questions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/frequently-asked-questions.md
Title: FAQs related to Microsoft Defender Experts for XDR description: Frequently asked questions related to Defender Experts for XDR
-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, real-time visibility with XDR experts, FAQ's related to XDR
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Get Started Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md
Title: Get started with Microsoft Defender Experts for XDR description: Defender Experts for XDR lets you determine the individuals or groups within your organization that need to be notified if there's a critical incident
-keywords: XDR, protected assets, defender experts for xdr, set up microsoft xdr, set up permissions in xdr, managed detection and response (MDR) service, service delivery manager, managed response in Teams, readiness, threat hunting and analysis, actions needed xdr
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
The readiness assessment has two parts:
After you complete all the required tasks and met the onboarding targets in your readiness assessment, your service delivery manager (SDM) initiates the monitoring phase of the Defender Experts for XDR service, where, for a few days, our experts start monitoring your environment closely to identify latent threats, sources of risk, and normal activity. As we get better understanding of your critical assets, we can streamline the service and fine-tune our responses.
-Once our experts begin to perform comprehensive response work on your behalf, youΓÇÖll start receiving [notifications about incidents](managed-detection-and-response-xdr.md#incident-updates) that require remediation steps and targeted recommendations on critical incidents. You can also [chat with our experts](communicate-defender-experts-xdr.md) or your SDMs regarding important queries and regular business and security posture reviews, and [view real-time reports](reports-xdr.md) on the number of incidents weΓÇÖve investigated and resolved on your behalf.
+Once our experts begin to perform comprehensive response work on your behalf, you'll start receiving [notifications about incidents](managed-detection-and-response-xdr.md#incident-updates) that require remediation steps and targeted recommendations on critical incidents. You can also [chat with our experts](communicate-defender-experts-xdr.md) or your SDMs regarding important queries and regular business and security posture reviews, and [view real-time reports](reports-xdr.md) on the number of incidents we've investigated and resolved on your behalf.
### Next step
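Review bot: The unchanged line just before the rewritten paragraph has a tense mismatch, "After you complete all the required tasks and met the onboarding targets"; since this hunk already edits wording in the same passage, change "met" to "meet" (or use "After you have completed ... and met"). The mojibake apostrophes (ΓÇÖ) are corrected only in this one paragraph; it is worth searching the rest of the file for the same byte sequence before merging.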
security Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started.md
Title: Get started with Microsoft Defender XDR description: Learn what steps you need to take to get started with Microsoft Defender XDR
-keywords: get started, Microsoft Defender XDR, turn on, onboard, deploy
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Incident Response Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-response-overview.md
Title: Investigate and respond with Microsoft Defender XDR description: Investigate and respond to incidents with the capabilities of Microsoft Defender XDR.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyberattack
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md
Title: Go to the Action center to view and approve your automated investigation and remediation tasks description: Use the Action center to view details about automated investigation and approve pending actions
-keywords: Action center, threat protection, investigation, alert, pending, automated, detection
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Autoir Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-actions.md
Title: View and manage actions in the Action center description: Use the Action center to view and manage remediation actions
-keywords: action, center, autoair, automated, investigation, response, remediation
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Autoir Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-report-false-positives-negatives.md
Title: Address false positives or false negatives in Microsoft Defender XDR description: Was something missed or wrongly detected by AIR in Microsoft Defender XDR? Learn how to submit false positives or false negatives to Microsoft for analysis.
-keywords: automated, investigation, alert, remediation, false positive, false negative
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Autoir Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-results.md
Title: Details and results of an automated investigation description: View the results and key findings of automated investigation in Microsoft Defender XDR
-keywords: automated, investigation, results, analyze, details, remediation, autoair
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Autoir https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir.md
Title: Automated investigation and response in Microsoft Defender XDR description: Get an overview of automated investigation and response capabilities, also called self-healing, in Microsoft Defender XDR
-keywords: automated, investigation, alert, trigger, action, remediation, self-healing
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Enable Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable-faq.md
Title: Frequently asked questions when turning on Microsoft Defender XDR description: Get answers to the most commonly asked questions about licensing, permissions, initial settings, and other products and services related to enabling Microsoft Defender XDR
-keywords: frequently asked questions, FAQ, GCC, get started, enable Microsoft Defender XDR, Microsoft Defender XDR, M365, security, data location, required permissions, license eligibility, settings page
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable.md
Title: Turn on Microsoft Defender XDR description: Learn how to enable Microsoft Defender XDR and start integrating your security incident and response.
-keywords: get started, enable Microsoft Defender XDR, Microsoft Defender XDR, M365, security, data location, required permissions, license eligibility, settings page
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Notifications Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-notifications-incidents.md
Title: Get incident notifications by email in Microsoft Defender XDR description: Set up email notifications to get notified of new incidents or updates to incidents in Microsoft Defender XDR.
-keywords: email, notifications, incident response, incident response notifications, incident notifications, email notifications, Microsoft Defender XDR notifications
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-permissions.md
Title: Manage access to Microsoft Defender XDR data in the Microsoft Defender portal description: Learn how to manage permissions to data in Microsoft Defender XDR
-keywords: access, permissions, Microsoft Defender XDR, M365, security, Defender for Cloud Apps, Microsoft Defender for Endpoint, scope, scoping, RBAC
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-remediation-actions.md
Title: Remediation actions in Microsoft Defender XDR description: Get an overview of remediation actions that follow automated investigations in Microsoft Defender XDR
-keywords: automated, investigation, alert, trigger, action, remediation
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security M365d Response Actions Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-response-actions-notifications.md
Title: Get email notifications for response actions in Microsoft Defender XDR description: Set up email notifications to get notified of manual and automated response actions in Microsoft Defender XDR.
-keywords: email, notifications, automatic attack disruption, manual response, incident response, response actions, email notifications, response action notifications, Microsoft Defender XDR notifications
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: - MOE150 - MET150 Previously updated : 09/18/2023 Last updated : 03/28/2024 # Get email notifications for response actions in Microsoft Defender XDR
security M365d Threat Analytics Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-threat-analytics-notifications.md
Title: Get email notifications for Threat analytics updates in Microsoft Defender XDR description: Set up email notifications to get notified of new Threat analytics reports in Microsoft Defender XDR.
-keywords: threat analytics, risk evaluation, Microsoft Defender XDR, M365D, mitigation status, secure configuration, Microsoft Defender for Office 365, Microsoft Defender for Office 365 threat analytics, MDO threat analytics, integrated MDE and MDO threat analytics data, threat analytics data integration, integrated Microsoft Defender XDR threat analytics, notifications, email notifications
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150 Previously updated : 09/18/2023 Last updated : 03/28/2024 # Get email notifications for Threat analytics updates in Microsoft Defender XDR
security M365d Time Zone https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-time-zone.md
Title: Set the time zone for Microsoft Defender XDR features description: Learn how to choose the time zone for date and time information associated with incidents, automated investigation and remediation, and advanced hunting
-keywords: time zone, date, time, Microsoft Defender XDR, M365, security, incidents, automated investigation and response, AIR, advanced hunting
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: - MOE150 - MET150 Previously updated : 02/17/2021 Last updated : 03/28/2024 # Set the time zone for Microsoft Defender XDR
security Malware Naming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/malware-naming.md
Title: How Microsoft names malware description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware.
-keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name
-ms.sitesec: library
ms.localizationpriority: medium
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
Title: Manage incidents in Microsoft Defender XDR description: Learn how to assign, update the status,
-keywords: incident, incidents, attack story, analyze, response, alerts, correlated alerts, assign, update, status, manage, classification, microsoft, 365, m365
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: - MOE150 - MET150 Previously updated : 01/22/2024 Last updated : 03/28/2024 # Manage incidents in Microsoft Defender XDR
security Manage Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-rbac.md
Title: Microsoft Defender XDR Unified role-based access control (RBAC)
-description: Manage permissions and access to Microsoft Defender XDR Security portal experiences using unified role-based access control (RBAC)
+description: Manage permissions and access to Microsoft Defender XDR Security portal experiences using unified role-based access control (RBAC).
ms.localizationpriority: medium-+ audience: ITPro - m365-security - tier3 Previously updated : 1/16/2024 Last updated : 03/28/2024 search.appverid: met150
Centralized permissions management is supported for the following solutions:
|Microsoft Defender XDR|Centralized permissions management for Microsoft Defender XDR experiences.| |Microsoft Defender for Endpoint|Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page.| |Microsoft Defender Vulnerability Management|Centralized permissions management for all Defender Vulnerability Management capabilities.|
-|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by experiences that were previously under Exchange Online RBAC.</li></ul>|
-|Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).|
+|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) aren't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by experiences that were previously under Exchange Online RBAC.</li></ul>|
+|Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).|
|Microsoft Defender for Cloud|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.| |Microsoft Secure Score|Full support for all Secure Score data from the [Products included in Secure Score](../defender/microsoft-secure-score.md#products-included-in-secure-score).|
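Review bot: The Defender for Office 365 note that "Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models" is a permissions gap that is easy to miss inside a bulleted table cell: a role assigned or revoked in Unified RBAC changes nothing about what the same user can do through those PowerShell modules, so access has to be reviewed in both places. Consider promoting that sentence to a callout below the table and stating the consequence explicitly, for example "Removing a user's Unified RBAC role doesn't remove permissions they hold through Exchange Online or Security & Compliance role groups."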
This section provides useful information on what you need to know before you sta
- Manage roles and permissions in Microsoft Defender XDR Unified RBAC.
- - Create a custom role that can grant access to security groups or individual users to manage roles and permissions in Microsoft Defender XDR unified RBAC. This will remove the need for Microsoft Entra global roles to manage permissions. To do this you need assign the **Authorization** permission in Microsoft Defender XDR Unified RBAC. For details on how to assign the Authorization permission, see [Create a role to access and manage roles and permissions](../defender/create-custom-rbac-roles.md#create-a-role-to-access-and-manage-roles-and-permissions).
+ - Create a custom role that can grant access to security groups or individual users to manage roles and permissions in Microsoft Defender XDR unified RBAC. This removes the need for Microsoft Entra global roles to manage permissions. To do this, you need to assign the **Authorization** permission in Microsoft Defender XDR Unified RBAC. For details on how to assign the Authorization permission, see [Create a role to access and manage roles and permissions](../defender/create-custom-rbac-roles.md#create-a-role-to-access-and-manage-roles-and-permissions).
-- The Microsoft Defender XDR security solution will continue to respect existing Microsoft Entra global roles when you activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads i.e. Global Admins will retain assigned admin privileges.
+- The Microsoft Defender XDR security solution continues to respect existing Microsoft Entra global roles when you activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads, that is, Global Admins retain assigned admin privileges.
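Review bot: The bullet recommending a custom role with the **Authorization** permission should say that this permission is itself a high-privilege grant (a holder can change any user's roles and permissions in Unified RBAC, which is equivalent to administering access) and should go to a small, reviewed set of accounts or groups; otherwise the stated goal of reducing reliance on Microsoft Entra global roles only relocates the same privilege. Separately, the rewritten sentence "for some or all of your workloads, that is, Global Admins retain assigned admin privileges" is hard to parse; split it: "... for some or all of your workloads. For example, Global Admins retain their assigned admin privileges."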
### Migration of existing roles and permissions
All permissions listed within the Microsoft Defender XDR Unified RBAC model alig
### Activation of the Microsoft Defender XDR Unified RBAC model
-You must activate the workloads in Microsoft Defender XDR to use the Microsoft Defender XDR Unified RBAC model. Until activated, Microsoft Defender XDR will continue to respect the existing RBAC models. For more information, see [Activate Microsoft Defender XDR Unified RBAC](activate-defender-rbac.md).
+You must activate the workloads in Microsoft Defender XDR to use the Microsoft Defender XDR Unified RBAC model. Until activated, Microsoft Defender XDR continues to respect the existing RBAC models. For more information, see [Activate Microsoft Defender XDR Unified RBAC](activate-defender-rbac.md).
-When you activate some or all of your workloads to use the new permission model, the roles and permissions for these workloads will be fully controlled by the Microsoft Defender XDR Unified RBAC model in the Microsoft Defender portal.
+When you activate some or all of your workloads to use the new permission model, the roles and permissions for these workloads are fully controlled by the Microsoft Defender XDR Unified RBAC model in the Microsoft Defender portal.
<a name='start-using-microsoft-365-defender-unified-rbac-model'></a>
Use the following steps as a guide to start using the Microsoft Defender XDR Uni
1. **Get started with creating custom roles and importing roles from existing RBAC role models** - [Create custom roles](create-custom-rbac-roles.md) - [Import existing RBAC roles](import-rbac-roles.md)
- - [View, edit and delete RBAC roles](edit-delete-rbac-roles.md)
+ - [View, edit, and delete RBAC roles](edit-delete-rbac-roles.md)
2. **Activate and manage your roles with the Microsoft Defender XDR Unified RBAC model** - [Activate Microsoft Defender XDR Unified RBAC](activate-defender-rbac.md)
Use the following steps as a guide to start using the Microsoft Defender XDR Uni
- [Microsoft Defender XDR Unified RBAC permissions](custom-permissions-details.md) - [Map existing RBAC roles to Microsoft Defender XDR Unified RBAC roles](compare-rbac-roles.md)
-Watch the following video to see the steps above in action:
+Watch the following video to see the preceding steps in action:
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RW12hyh]
security Managed Detection And Response Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/managed-detection-and-response-xdr.md
Title: Managed detection and response description: Defender Experts for XDR provides actionable managed response to your security operations center (SOC) teams.
-keywords: XDR, extended detection and response, managed detection and response in defender experts for XDR, experts for xdr, managed response faq, managed threat hunting, managed detection and response (MDR) service, Managed response in Teams, guided response
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Microsoft 365 Defender Integration With Azure Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-integration-with-azure-sentinel.md
Title: Microsoft Defender XDR integration with Microsoft Sentinel description: Use Microsoft Sentinel as the SIEM for Microsoft Defender XDR incident and events.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Microsoft 365 Defender Train Security Staff https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-train-security-staff.md
Title: Train your security staff for Microsoft Defender XDR description: Get to the key training resources for quick ramp-up of your security staff.
-keywords: videos, self-help, self-study, ramp-up, instruction, courses, learning path, Microsoft Learn, course, courses, SecOps, security analyst
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
Title: What is Microsoft Defender XDR?
-description: Microsoft Defender XDR is a coordinated threat protection solution designed to protect devices, identity, data and applications
-keywords: introduction to MMicrosoft Defender XDR, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+description: Microsoft Defender XDR is a coordinated threat protection solution designed to protect devices, identity, data, and applications.
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
- intro-overview adobe-target: true Previously updated : 03/08/2024 Last updated : 03/28/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>-+ # What is Microsoft Defender XDR?
With the integrated Microsoft Defender XDR solution, security professionals can
Microsoft Defender XDR services protect: - **Endpoints with Defender for Endpoint** - Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.+ - **Assets with Defender Vulnerability Management** - Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.+ - **Email and collaboration with Defender for Office 365** - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.-- **Identities with Defender for Identity and Microsoft Entra ID Protection** - Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Entra ID Protection uses the learnings Microsoft has acquired from their position in organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users.+
+- **Identities with Defender for Identity and Microsoft Entra ID Protection** - Microsoft Defender for Identity is a cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Entra ID Protection uses the learnings Microsoft acquired from their position in organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users.
+ - **Applications with Microsoft Defender for Cloud Apps** - Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps. Microsoft Defender XDR's unique cross-product layer augments the individual service components to: - Help protect against attacks and coordinate defensive responses across the services through signal sharing and automated actions.-- Narrate the full story of the attack across product alerts, behaviors, and context for security teams by joining data on alerts, suspicious events and impacted assets to 'incidents'.+
+- Narrate the full story of the attack across product alerts, behaviors, and context for security teams by joining data on alerts, suspicious events and impacted assets to incidents.
+ - Automate response to compromise by triggering self-healing for impacted assets through automated remediation.+ - Enable security teams to perform detailed and effective threat hunting across endpoint and Office data. Microsoft Defender XDR cross-product features include: - **Cross-product single pane of glass in the Microsoft Defender portal** - A central view for all information on detections, impacted assets, automated actions taken, and related evidence in a single queue and a single pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>. + - **Combined incidents queue** - To help security professionals focus on what is critical by ensuring the full attack scope, impacted assets and automated remediation actions are grouped together and surfaced in a timely manner. + - **Automatic response to threats** - Critical threat information is shared in real time between the Microsoft Defender XDR products to help stop the progression of an attack.
- For example, if a malicious file is detected on an endpoint protected by Defender for Endpoint, it will instruct Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.
+ For example, if a malicious file is detected on an endpoint protected by Defender for Endpoint, it instructs Defender for Office 365 to scan and remove the file from all e-mail messages. The file is blocked on sight by the entire Microsoft 365 security suite.
- **Self-healing for compromised devices, user identities, and mailboxes** - Microsoft Defender XDR uses AI-powered automatic actions and playbooks to remediate impacted assets back to a secure state. Microsoft Defender XDR leverages automatic remediation capabilities of the suite products to ensure all impacted assets related to an incident are automatically remediated where possible.+ - **Cross-product threat hunting** - Security teams can leverage their unique organizational knowledge to hunt for signs of compromise by creating their own custom queries over the raw data collected by the various protection products. Microsoft Defender XDR provides query-based access to 30 days of historic raw signals and alert data across endpoint and Defender for Office 365 data. ## Get started
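Review bot: The hunk replaces "leverages" with "uses" in the Defender for Identity bullet, but the unchanged cross-product features text that follows still reads "Microsoft Defender XDR leverages automatic remediation capabilities" and "Security teams can leverage their unique organizational knowledge"; apply the same replacement there so the file is consistent. Likewise, "e-mail messages" in the rewritten Defender for Endpoint example should be "email messages" to match "Email and collaboration with Defender for Office 365" in the same list.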
security Microsoft 365 Security Center Defender Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud-apps.md
Title: Microsoft Defender for Cloud Apps in Microsoft Defender XDR description: Learn about changes from the Microsoft Defender for Cloud Apps to Microsoft Defender XDR
-keywords: Getting started with Microsoft Defender XDR, Microsoft Defender for Cloud Apps
ms.localizationpriority: medium f1.keywords: - NOCSH
security Microsoft Sentinel Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-sentinel-onboard.md
search.appverid:
- MOE150 - MET150 Last updated 11/10/2023
-appliesto: Microsoft Sentinel in the Microsoft Defender portal
+appliesto:
+ - Microsoft Sentinel in the Microsoft Defender portal
# Connect Microsoft Sentinel to Microsoft Defender XDR (preview)
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics-analyst-reports.md
Title: Understand the analyst report section in threat analytics in Microsoft Defender XDR description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more.
-keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations,
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics.md
Title: Threat analytics in Microsoft Defender XDR description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
-keywords: threat analytics, risk evaluation, Microsoft Defender XDR, M365D, mitigation status, secure configuration, Microsoft Defender for Office 365, Microsoft Defender for Office 365 threat analytics, MDO threat analytics, integrated MDE and MDO threat analytics data, threat analytics data integration, integrated Microsoft Defender XDR threat analytics
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Tickets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/tickets.md
Title: Integrate ServiceNow tickets into the Microsoft Defender portal and compliance center description: Learn how to create and track tickets in ServiceNow from the Microsoft Defender portal and compliance center.
-keywords: security, Microsoft 365, M365, compliance, compliance center, security center, ServiceNow, tickets, tasks, SNOW, connection
ms.localizationpriority: medium f1.keywords: - NOCSH
security Top Scoring Industry Tests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/top-scoring-industry-tests.md
Title: Top scoring in industry tests - Microsoft Defender XDR description: View the latest scores and analysis of Microsoft Defender XDR. It consistently achieves high scores in independent tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK). View the latest scores and analysis.
-keywords: Microsoft Defender Antivirus, Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Windows 11 Microsoft Defender Antivirus, WDAV, Microsoft Defender for Endpoint, Microsoft Defender XDR, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success
-ms.sitesec: library
ms.localizationpriority: high
Microsoft Defender XDR combines the capabilities of [Microsoft Defender for Endp
Core to MITRE's testing approach is emulating real-world attacks to understand whether solutions can adequately detect and respond to them. While the test focused on endpoint detection and response, MITRE's simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded visibility beyond the endpoint with Microsoft Defender XDR. -- ATT&CK-based evaluation of Microsoft Defender XDR - April 2022: [Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations]([Microsoft Security Blog: Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations](https://www.microsoft.com/en-us/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/))
+- ATT&CK-based evaluation of Microsoft Defender XDR - April 2022: [Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK&reg; Evaluations]([Microsoft Security Blog: Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK&reg; Evaluations](https://www.microsoft.com/en-us/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/))
- ATT&CK-based evaluation of Microsoft Defender XDR - April 2021: [Evaluation proves Microsoft Defender for Endpoint stops advanced attacks across platforms](https://www.microsoft.com/security/blog/2021/04/21/)
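Review bot: the April 2022 bullet's link is still malformed after the `&reg;` substitution: its destination is itself a markdown link (`[Microsoft Defender XDR demonstrates ...]([Microsoft Security Blog: ...](https://www.microsoft.com/...))`), so it will not render as a working link. Replace the destination with the bare URL: `[Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK&reg; Evaluations](https://www.microsoft.com/en-us/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/)`. Separately, the April 2021 bullet's URL ends at the date path `/2021/04/21/` with no article slug; verify that it resolves to the intended post.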
security Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/troubleshoot.md
Title: Troubleshoot Microsoft Defender XDR service issues
-description: Find solutions and workarounds to known Microsoft Defender XDR issues
-keywords: troubleshoot Microsoft Defender XDR, troubleshoot, Microsoft Defender for Identity, issues, add-on, settings page
-search.product: eADQiWindows 10XVcnh
+description: Find solutions and workarounds to known Microsoft Defender XDR issues.
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
search.appverid: - MOE150 - MET150 Previously updated : 02/16/2021 Last updated : 03/28/2024 # Troubleshoot Microsoft Defender XDR service issues
This section addresses issues that might arise as you use the Microsoft Defender
## I don't see Microsoft Defender XDR content
-If you don't see capabilities on the navigation pane such as the Incidents, Action center, or Hunting in your portal, you'll need to verify that your tenant has the appropriate licenses.
+If you don't see capabilities on the navigation pane such as the Incidents, Action center, or Hunting in your portal, you need to verify that your tenant has the appropriate licenses.
For more information, see [Prerequisites](prerequisites.md).
For more information, see [Prerequisites](prerequisites.md).
## Microsoft Defender for Identity alerts are not showing up in the Microsoft Defender XDR incidents
-If you have Microsoft Defender for Identity deployed in your environment but you're not seeing Defender for Identity alerts as part of Microsoft Defender XDR incidents, you'll need to ensure that the Microsoft Defender for Cloud Apps and Defender for Identity integration is enabled.
+If you have Microsoft Defender for Identity deployed in your environment but you're not seeing Defender for Identity alerts as part of Microsoft Defender XDR incidents, you need to ensure that the Microsoft Defender for Cloud Apps and Defender for Identity integration is enabled.
For more information, see [Microsoft Defender for Identity integration](/cloud-app-security/mdi-integration).
To turn on Microsoft Defender XDR, access **Settings** from the navigation pane
## How do I create an exception for my file/URL?
-A false positive is a file or URL that is detected as malicious but is not a threat. You can create indicators and define exclusions to unblock and allow certain files/URLs. See [Address false positives/negatives in Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives).
+A false positive is a file or URL that is detected as malicious but isn't a threat. You can create indicators and define exclusions to unblock and allow certain files/URLs. See [Address false positives/negatives in Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives).
[!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
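Review bot: in the "I don't see Microsoft Defender XDR content" section, the sentence "For more information, see [Prerequisites](prerequisites.md)." appears twice in a row directly after the rewritten paragraph; if that reflects the source file rather than the rendering of this change, drop one copy. The "you'll need" to "you need" edits in this file are fine.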
security Usgov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/usgov.md
Title: Microsoft Defender XDR for US Government customers description: Learn about the Microsoft Defender XDR for US Government customers requirements and capabilities available
-keywords: government, gcc, high, requirements, capabilities, defender, Microsoft Defender XDR, xdr, dod
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
security Whats New In Microsoft Defender Urbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new-in-microsoft-defender-urbac.md
ms.localizationpriority: medium-+ audience: ITPro - m365-security-compliance
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
Title: What's new in Microsoft Defender XDR description: Lists the new features and functionality in Microsoft Defender XDR
-keywords: what's new in Microsoft Defender XDR, ga, generally available, capabilities, available, new
search.appverid: met150
This change introduces a new navigation menu within the Microsoft Defender porta
- (GA) Live Response is now generally available for macOS and Linux. -- (GA) Identity timeline is now generally available as part of the new Identity page in Microsoft Defender XDR. The updated User page has a new look, an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days. It unifies a userΓÇÖs identity entries across all available workloads: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. Using the timeline helps you easily focus on a user's activities (or activities performed on them) in specific timeframes.
+- (GA) Identity timeline is now generally available as part of the new Identity page in Microsoft Defender XDR. The updated User page has a new look, an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days. It unifies a user's identity entries across all available workloads: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. Using the timeline helps you easily focus on a user's activities (or activities performed on them) in specific timeframes.
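Review bot: the rewritten bullet appears to refer to the same page as both "the new Identity page" and "The updated User page" in consecutive sentences; pick one name, or say "the Identity page (formerly the User page)", so readers do not look for two different pages. The apostrophe repair in "user's" is correct.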
## December 2022
security Zero Trust With Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/zero-trust-with-microsoft-365-defender.md
Title: Zero Trust with Microsoft Defender XDR description: Microsoft Defender XDR contributes to a strong Zero Trust strategy and architecture
-keywords: Zero Trust, Microsoft Defender XDR, security architecture, security strategy, cyber security, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Anti Phishing From Email Address Validation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-from-email-address-validation.md
description: Admins can learn how Exchange Online Protection (EOP) and Outlook.c
Previously updated : 06/09/2023 Last updated : 3/28/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
Phishing attacks are a constant threat to any email organization. In addition to
A standard SMTP email message consists of a *message envelope* and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the *message header*) and the message body. The message envelope is described in [RFC 5321](https://tools.ietf.org/html/rfc5321), and the message header is described in [RFC 5322](https://tools.ietf.org/html/rfc5322). Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message. -- The `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header (although it's possible for the sender to designate a different **Return-Path** email address).
+- The MAIL FROM address (also known as the `5321.MailFrom` address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header (although it's possible for the sender to designate a different **Return-Path** email address).
-- The `5322.From` address (also known as the From address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients. The From address is the focus of the requirements in this article.
+- The From address (also known as the `5322.From` address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients. The From address is the focus of the requirements in this article.
The From address is defined in detail across several RFCs (for example, RFC 5322 sections 3.2.3, 3.4, and 3.4.1, and [RFC 3696](https://tools.ietf.org/html/rfc3696)). There are many variations on addressing and what's considered valid or invalid. To keep it simple, we recommend the following format and definitions: `From: "Display Name" <EmailAddress>` - **Display Name**: An optional phrase that describes the owner of the email address.- - We recommend that you always enclose the display name in double quotation marks (") as shown. If the display name contains a comma, you *must* enclose the string in double quotation marks per RFC 5322. - If the From address includes a display name, the EmailAddress value must be enclosed in angle brackets (< >) as shown. - Microsoft strongly recommends that you insert a space between the display name and the email address. - **EmailAddress**: An email address uses the format `local-part@domain`:- - **local-part**: A string that identifies the mailbox associated with the address. This value is unique within the domain. Often, the mailbox owner's username or GUID is used. - **domain**: The fully qualified domain name (FQDN) of the email server that hosts the mailbox identified by the local-part of the email address.
The following table contains examples of From addresses that aren't valid:
|Address|Comments| |||
-|**No From address**|In the past, when Microsoft 365 or Outlook.com received a message without a From address, the service added `From: <>` to make the message deliverable. As of November 2017, messages with blank From addresses aren't accepted.|
+|**No From address**|When a message arrives at Microsoft 365 or Outlook.com without a From address, we try to assign the MAIL FROM address to the From address to ensure the message is deliverable. Currently, these messages are accepted by the service, even if the original From address is `From: <>`.|
|`From: <firstname lastname@contoso.com>`|The email address contains a space.| |`From: Microsoft 365 sender@contoso.com`|The display name is present, but the email address isn't enclosed in angle brackets.| |`From: "Microsoft 365" <sender@contoso.com> (Sent by a process)`|Text after the email address.|
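Review bot: the rewritten "No From address" row now says such messages are accepted and receive the MAIL FROM address, yet it sits in a table introduced as "examples of From addresses that aren't valid"; either state in the comment that a blank From address is still invalid under this article's format but the service repairs the message, or move the row out of the invalid-examples table. Two smaller points on the same line: "assign the MAIL FROM address to the From address" is ambiguous about direction (say "use the MAIL FROM address as the From address"), and "Currently" with no date replaces the dated "As of November 2017" statement, so the claim will go stale silently; keep a date or a pointer to where the behavior is documented.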
security Email Authentication Spf Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-spf-configure.md
v=spf1 ip4:192.168.0.10 ip4:192.168.0.12 include:spf.protection.outlook.com -all
Most Microsoft 365 organizations require `include:spf.protection.outlook.com` in the SPF TXT record for the domain. Other third-party email services often require an additional `include:` value to identify the service as a valid source of email from the original domain. - **IP addresses**: An IP address value includes both of the following elements:
- - The value `ipv4:` or `ipv6:` to identify the type of IP address.
+ - The value `ip4:` or `ip6:` to identify the type of IP address.
- The publicly resolvable IP address of the source email system. For example: - An individual IP address (for example, 192.168.0.10). - An IP address range using Classless Inter-Domain Routing (CIDR) notation (for example 192.168.0.1/26). Be sure that the range isn't too big or too small.
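Review bot: the `ipv4:` to `ip4:` correction is right (those are the SPF mechanism names, and it matches the full record shown at the top of this change), but the examples in the surrounding bullet contradict the requirement stated just above them: 192.168.0.10 and 192.168.0.1/26 are RFC 1918 private addresses, never "publicly resolvable" sending sources, and 192.168.0.1/26 is not on a /26 boundary (the block is 192.168.0.0/26). Use RFC 5737 documentation addresses, for example 192.0.2.10 and 192.0.2.0/26, so the sample cannot be mistaken for a usable record.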
Important points to remember:
**SPF TXT record for contoso.com**: ```text
- v=spf1 ipv4:192.168.0.10 include:spf.protection.outlook.com -all
+ v=spf1 ip4:192.168.0.10 include:spf.protection.outlook.com -all
``` **SPF TXT record for marketing.contoso.com**:
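Review bot: the corrected contoso.com record still lists 192.168.0.10, an RFC 1918 private address that cannot be a public mail source; use an RFC 5737 documentation address such as 192.0.2.10 in the sample record. The mechanism name change itself (`ip4:`) is right and now agrees with the full record shown at the top of this change.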
security Threat Explorer Real Time Detections About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about.md
The rest of this article explains the views and features that are available in T
To use Explorer or Real-time detections, you need to be assigned permissions. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell):
- - _Read access for email and Teams message headers_: **Security operations/Raw data (email & collaboration)/Email message headers (read)**.
- - _Preview and download email messages_: **Security operations/Raw data (email & collaboration)/Email content (read)**.
- - _Remediate malicious email_: **Security operations/Security data/Email advanced actions (manage)**.
+ - _Read access for email and Teams message headers_: **Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read)**.
+ - _Preview and download email messages_: **Security operations/Raw data (email & collaboration)/Email & collaboration content (read)**.
+ - _Remediate malicious email_: **Security operations/Security data/Email & collaboration advanced actions (manage)**.
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Full access_: Membership in the **Organization Management** or **Security Administrator** role groups. More permissions are required to do all available actions: - _Preview and download messages_: Membership in the **Data Investigator** or **eDiscovery Manager** role groups. Or, [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Organization Management** or **Security Administrator**, and then add the **Preview** role.