Updates from: 03/31/2022 01:43:23
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Archive Bloomberg Message Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-bloomberg-message-data.md
The last step is to create a Bloomberg Message connector in the Microsoft 365 co
7. After the connection is successfully validated, click **Next**.
-8. On the **Map Bloomberg Message users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
+8. On the **Define user** page, specify the users to import data for.
+
+ - **All users in your organization**. Select this option to import data for all users.
+
+ - **Only users on Litigation hold**. Select this option to import data only for users whose mailboxes are placed on Litigation hold. This option imports data to user mailboxes that have the LitigationHoldEnabled property set to True. For more information, see [Create a Litigation hold](create-a-litigation-hold.md).
+
+9. On the **Map Bloomberg Message users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
> [!NOTE] > The connector imports message items to the mailbox of a specific user. A new folder named **BloombergMessage** is created in the specific user's mailbox and the items will be imported to it. The connector does by using the value of the *CorporateEmailAddress* property. Every chat message contains this property, and the property is populated with the email address of every participant of the chat message. In addition to automatic user mapping using the value of the *CorporateEmailAddress* property, you can also define custom mapping by uploading a CSV mapping file. The mapping file should contain the Bloomberg UUID and corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every message item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's Bloomberg UUID, the connector will use the *CorporateEmailAddress* property of the chat item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *CorporateEmailAddress* property of the message item, the item won't be imported.
-9. Click **Next**, review your settings, and then click **Finish** to create the connector.
+10. Click **Next**, review your settings, and then click **Finish** to create the connector.
-10. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
+11. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
## Set up a connector using private keys
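Review bot: renumbering steps 8 to 10 as 9 to 11 (the new Define user page becomes step 8) needs a check for any other text in this article, or in the Bloomberg Message connector overview, that refers to these steps by number, since a reference to "step 9" now points at the mapping page instead of Finish. While the surrounding steps are being edited, the unchanged note still reads "The connector does by using the value of the *CorporateEmailAddress* property"; the word "this" is missing after "does".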
After your Bloomberg SFTP site is configured, the next step is to create a Bloom
7. After the connection is successfully validated, click **Next**.
-8. On the **Map Bloomberg Message users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
+8. On the **Define user** page, specify the users to import data for
+
+ - **All users in your organization**. Select this option to import data for all users.
+
+ - **Only users on Litigation hold**. Select this option to import data only for users whose mailboxes are placed on Litigation hold. This option imports data to user mailboxes that have the LitigationHoldEnabled property set to True. For more information, see [Create a Litigation hold](create-a-litigation-hold.md).
+
+9. On the **Map Bloomberg Message users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
> [!NOTE] > The connector imports message items to the mailbox of a specific user. A new folder named **BloombergMessage** is created in the specific user's mailbox and the items will be imported to it. The connector does by using the value of the *CorporateEmailAddress* property. Every chat message contains this property, and the property is populated with the email address of every participant of the chat message. In addition to automatic user mapping using the value of the *CorporateEmailAddress* property, you can also define custom mapping by uploading a CSV mapping file. The mapping file should contain the Bloomberg UUID and corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every message item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's Bloomberg UUID, the connector will use the *CorporateEmailAddress* property of the chat item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *CorporateEmailAddress* property of the message item, the item won't be imported.
-9. Click **Next**, review your settings, and then click **Finish** to create the connector.
+10. Click **Next**, review your settings, and then click **Finish** to create the connector.
-10. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
+11. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
## Known issues
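Review bot: the new step "+8. On the **Define user** page, specify the users to import data for" is missing its trailing period, unlike the identical step in the previous procedure of this article; the two procedures should stay word-for-word aligned so that later edits can be applied to both.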
compliance Archive Icechat Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-icechat-data.md
The last step is to create an ICE Chat connector in the Microsoft 365 compliance
7. After the connection is successfully validated, click **Next**.
-8. On the **Map external users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required. You can download a copy of the user-mapping CSV file on this page. You can add the user mappings to the file and then upload it.
+8. On the **Define user** page, specify the users to import data for.
+
+ - **All users in your organization**. Select this option to import data for all users.
+
+ - **Only users on Litigation hold**. Select this option to import data only for users whose mailboxes are placed on Litigation hold. This option imports data to user mailboxes that have the LitigationHoldEnabled property set to True. For more information, see [Create a Litigation hold](create-a-litigation-hold.md).
+
+9. On the **Map external users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required. You can download a copy of the user-mapping CSV file on this page. You can add the user mappings to the file and then upload it.
> [!NOTE] > As previously explained, custom mapping file CSV file contains the ICE Chat imid and corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every chat item, the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's ICE Chat imid, the connector will import the item to the mailboxes for the users specified in the *SenderEmail* and *RecipientEmail* properties of the chat item. If the connector doesn't find a valid Microsoft 365 user by either automatic or custom user mapping, the item won't be imported.
-9. Click **Next**, review your settings, and then click **Finish** to create the connector.
+10. Click **Next**, review your settings, and then click **Finish** to create the connector.
-10. Go to the **Data connectors** page to see the progress of the import process for the new connector.
+11. Go to the **Data connectors** page to see the progress of the import process for the new connector.
## Set up a connector using private keys
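Review bot: the Litigation hold bullet states that data is imported only to mailboxes with LitigationHoldEnabled set to True, but the next step still applies automatic and custom user mapping; the text does not say what happens to a chat whose mapped user is not on Litigation hold (skipped, or imported only to the participants who are on hold). One sentence on that interaction would remove the ambiguity, because it decides which conversations end up in which mailbox.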
After your ICE Chat SFTP site is configured, the next step is to create an ICE C
7. After the connection is successfully validated, click **Next**.
-8. On the **Map ICE Chat users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
+8. On the **Define user** page, specify the users to import data for.
+
+ - **All users in your organization**. Select this option to import data for all users.
+
+ - **Only users on Litigation hold**. Select this option to import data only for users whose mailboxes are placed on Litigation hold. This option imports data to user mailboxes that have the LitigationHoldEnabled property set to True. For more information, see [Create a Litigation hold](create-a-litigation-hold.md).
+
+9. On the **Map ICE Chat users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
> [!NOTE] > As previously explained, custom mapping file CSV file contains the ICE Chat imid and corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every chat item, the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's ICE Chat imid, the connector will import the item to the mailboxes for the users specified in the *SenderEmail* and *RecipientEmail* properties of the chat item. If the connector doesn't find a valid Microsoft 365 user by either automatic or custom user mapping, the item won't be imported.
-9. Click **Next**, review your settings, and then click **Finish** to create the connector.
+10. Click **Next**, review your settings, and then click **Finish** to create the connector.
-10. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
+11. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
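Review bot: step 9 here names the page "**Map ICE Chat users to Microsoft 365 users**", while the same step in the first procedure of this article names it "**Map external users to Microsoft 365 users**"; both procedures configure the same wizard, so one of the two page names is wrong and should be aligned with the UI.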
compliance Archive Instant Bloomberg Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-instant-bloomberg-data.md
The last step is to create an Instant Bloomberg connector in the Microsoft 365 c
- **SFTP port:** The port number for Bloomberg SFTP site. The connector uses this port to connect to the SFTP site.
-5. On the **Select data types to import** page, select the required data types to be imported apart from **Messages**
+5. On the **Define user** page, select one of the following options to specify the users whose data you want to import.
-6. On the **Map Instant Bloomberg users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required
+ - **All users in your organization**. Select this option to import data for all users.
+
+ - **Only users on Litigation hold**. Select this option to import data only for users whose mailboxes are placed on Litigation hold. This option imports data to user mailboxes that have the LitigationHoldEnabled property set to True. For more information, see [Create a Litigation hold](create-a-litigation-hold.md).
+
+6. On the **Select data types to import** page, select the required data types to be imported apart from **Messages**
+
+7. On the **Map Instant Bloomberg users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required
> [!NOTE] > The connector imports the chat message items to the mailbox of a specific user. A new folder named **InstantBloomberg** is created in the specific user's mailbox and the items will be imported to it. The connector does by using the value of the *CorporateEmailAddress* property. Every chat message contains this property, and the property is populated with the email address of every participant of the chat message. In addition to automatic user mapping using the value of the *CorporateEmailAddress* property, you can also define custom mapping by uploading a CSV mapping file. The mapping file should contain the Bloomberg UUID and corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every chat item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's Bloomberg UUID, the connector will use the *CorporateEmailAddress* property of the chat item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *CorporateEmailAddress* property of the chat item, the item won't be imported.
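Review bot: the new Define user step ("select one of the following options to specify the users whose data you want to import") is worded differently from the same page in the Bloomberg Message and ICE Chat articles in this batch ("specify the users to import data for"); pick one wording for all three. Two formatting points in the same hunk: there is no blank "+" line between the step 5 line and the first "- **All users in your organization**" bullet, whereas the other articles insert one, and the renumbered steps 6 and 7 still end without a period.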
After your Bloomberg SFTP site is configured, the next step is to create an Inst
7. After the connection is successfully validated, click **Next**.
-8. On the **Map Instant Bloomberg users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
+8. On the **Define user** page, select one of the following options to specify the users whose data you want to import.
+
+ - **All users in your organization**. Select this option to import data for all users.
+
+ - **Only users on Litigation hold**. Select this option to import data only for users whose mailboxes are placed on Litigation hold. This option imports data to user mailboxes that have the LitigationHoldEnabled property set to True. For more information, see [Create a Litigation hold](create-a-litigation-hold.md).
+
+9. On the **Map Instant Bloomberg users to Microsoft 365 users** page, enable automatic user mapping and provide custom user mapping as required.
> [!NOTE] > The connector imports the chat message items to the mailbox of a specific user. A new folder named **InstantBloomberg** is created in the specific user's mailbox and the items will be imported to it. The connector does by using the value of the *CorporateEmailAddress* property. Every chat message contains this property, and the property is populated with the email address of every participant of the chat message. In addition to automatic user mapping using the value of the *CorporateEmailAddress* property, you can also define custom mapping by uploading a CSV mapping file. The mapping file should contain the Bloomberg UUID and corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every chat item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's Bloomberg UUID, the connector will use the *CorporateEmailAddress* property of the chat item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *CorporateEmailAddress* property of the chat item, the item won't be imported.
-9. Click **Next**, review your settings, and then click **Finish** to create the connector.
+10. Click **Next**, review your settings, and then click **Finish** to create the connector.
-10. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
+11. Go to the **Data connectors** page to see the progress of the import process for the new connector. Click the connector to display the flyout page, which contains information about the connector.
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For the two paths in the diagram:
> [!NOTE] > Messages stored in mailboxes, including the hidden folders, are searchable by eDiscovery tools. Until messages are permanently deleted from the SubstrateHolds folder, they remain searchable by eDiscovery tools.
-When messages are permanently deleted from the SubstrateHolds folder, a delete operation is communicated to the backend Azure chat service, that then relays the same operation to the Teams client app. Delays in this communication or caching can explain why, for a short period of time, users who are assigned the policy might still see these messages in their Teams app, but data from these messages isn't returned in eDiscovery searches.
+When the retention period expires and moves a message to the SubstrateHolds folder, a delete operation is communicated to the backend Azure chat service, that then relays the same operation to the Teams client app. Delays in this communication or caching can explain why, for a short period of time, users continue to see these messages in their Teams app.
In this scenario where the Azure chat service receives a delete command because of a retention policy, the corresponding message in the Teams client app is deleted for all users in the conversation. Some of these users might be from another organization, have a retention policy with a longer retention period, or no retention policy assigned to them. For these users, copies of the messages are still stored in their mailboxes and remain searchable for eDiscovery until the messages are permanently deleted by another retention policy.
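Review bot: the rewritten sentence now makes the move into the SubstrateHolds folder, rather than the later permanent deletion, the event that sends the delete command to the Azure chat service, and it drops the clause about eDiscovery results. That agrees with the unchanged note above it (items in SubstrateHolds stay searchable), but the unchanged paragraph that follows still opens with "In this scenario where the Azure chat service receives a delete command because of a retention policy" and ends with copies remaining searchable "until the messages are permanently deleted by another retention policy"; an explicit sentence that a message hidden from the Teams client at this point is still returned by eDiscovery for as long as it sits in SubstrateHolds would close the gap. Minor: "Azure chat service, that then relays" should be "Azure chat service, which then relays".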
includes Purview Rebrand Banner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/purview-rebrand-banner.md
+<!-- This file is maintained by the Compliance content team. Please connect Robert Mazzoli (robmazz) before making any changes.-->
+
+>[!NOTE]
+>Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see [Title of the Announcement](aka.ms/microsoftpurviewblog).
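Review bot: the link at the end of the note is still a placeholder. The link text "Title of the Announcement" needs the real title, and "aka.ms/microsoftpurviewblog" has no scheme, so the docs build will treat it as a relative path inside the repository rather than an external link; it should be "https://aka.ms/microsoftpurviewblog". In the maintainer comment, "Please connect Robert Mazzoli" should read "Please contact Robert Mazzoli".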
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
DeviceEvents
| order by Timestamp desc ```
+```kusto
+//information of file written to removable storage
+DeviceEvents
+| where ActionType contains "RemovableStorageFileEvent"
+| extend parsed=parse_json(AdditionalFields)
+| extend Policy = tostring(parsed.Policy)
+| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
+| extend MediaClassName = tostring(parsed.ClassName)
+| extend MediaInstanceId = tostring(parsed.InstanceId)
+| extend MediaName = tostring(parsed.MediaName)
+| extend MediaProductId = tostring(parsed.ProductId)
+| extend MediaVendorId = tostring(parsed.VendorId)
+| extend MediaSerialNumber = tostring(parsed.SerialNumber)
+| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
+| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
+| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
+| order by Timestamp desc
+```
+
+ ## Frequently asked questions
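Review bot: the new fenced block starts immediately after the closing fence of the previous query, so the rendered page shows two consecutive code blocks with nothing explaining how they differ; a short sentence before "```kusto" saying that this query lists file-write events on removable storage together with the evidence copy location (FileEvidenceLocation) would fix that. Inside the query, "| where ActionType contains "RemovableStorageFileEvent"" performs a case-insensitive substring scan over the table; if the action type is exactly that string, "| where ActionType == "RemovableStorageFileEvent"" is cheaper and cannot match other action types that happen to contain the text. The leading space before "## Frequently asked questions" is harmless for rendering but inconsistent with the other headings in the file.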
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
$version = undef
case $::osfamily { 'Debian' : { apt::source { 'microsoftpackages' :
- location => "https://packages.microsoft.com/config/${distro}/${version}/prod",
+ location => "https://packages.microsoft.com/${distro}/${version}/prod",
release => $channel, repos => 'main', key => {
$version = undef
} 'RedHat' : { yumrepo { 'microsoftpackages' :
- baseurl => "https://packages.microsoft.com/config/${distro}/${version}/${channel}",
+ baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",
descr => "packages-microsoft-com-prod-${channel}", enabled => 1, gpgcheck => 1,
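Review bot: dropping "/config/" from both URLs is the right fix, since the "/config/<distro>/<version>/" paths on packages.microsoft.com serve repository definition files for manual setup while apt::source and yumrepo need the repository root itself. Because "${distro}" and "${version}" now form part of the repository path directly, the surrounding text should state which values are expected (the directory names used on packages.microsoft.com, not the names used on the config pages), otherwise a value that worked with the old URL may not resolve. In the unchanged RedHat context, "descr => "packages-microsoft-com-prod-${channel}"" hard-codes "prod" in the description even when another channel is selected.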
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
## 101.58.80 (30.122012.15880.0) - The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through `mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`.
+- Starting with this version, network protection for Linux can be evaluated on demand
- Bug fixes ## 101.56.62 (30.121122.15662.0)
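Review bot: the new bullet "Starting with this version, network protection for Linux can be evaluated on demand" lacks a terminal period and, unlike the bullet above it, gives the reader nothing to act on; it should link to the page that explains how to enable network protection for evaluation, or at least name the command or setting involved.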
security Mde P1 Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md
The following table lists the basic requirements for Defender for Endpoint Plan
| Requirement | Description | |:|:|
-| Licensing requirements | Defender for Endpoint Plan 1 (formerly referred to as Microsoft Defender for Endpoint Lite)|
+| Licensing requirements | Defender for Endpoint Plan 1 |
| Browser requirements | Microsoft Edge <br/> Internet Explorer version 11 <br/> Google Chrome | | Operating systems | Windows 10, version 1709 or later <br/>macOS: 11.5 (Big Sur), 10.15.7 (Catalina), or 10.14.6 (Mojave) <br/>iOS <br/>Android OS | | Datacenter | One of the following datacenter locations: <br/>- European Union <br/>- United Kingdom <br/>- United States |
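Review bot: removing "(formerly referred to as Microsoft Defender for Endpoint Lite)" from the licensing row drops the only mention of the earlier name on this page, so readers who know the product under that name have no hook to find it; if the old name is being retired deliberately, consider keeping one mention in the introduction or the licensing page instead.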
security Mssp List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-list.md
Logo |Partner name | Description
![Image of Aujas logo.](images/aujas-logo.png) | [Aujas managed MDE Service](https://go.microsoft.com/fwlink/?linkid=2162429) | Aujas cybersecurity provides 24*7 managed security services across the entire enterprise spectrum, using Microsoft Defender for Endpoint through its Cyber Defense Centers. ![Image of BDO Digital logo.](images/bdo-logo.png)| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense uses best practice tools, AI, and in-house security experts for 24/7/365 identity protection ![Image of BlueVoyant logo.](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender for Endpoint provides support in monitoring, investigating, and mitigating advanced attacks on endpoints ![Image of Cloud Defender for Cloud logo.](images/cloudsecuritycenter-logo.png)| [Cloud Defender for Cloud](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Defender for Cloud is a 24x7 managed service that delivers protect, detect & respond capabilities ![Image of Cloud SOC logo.](images/cloudsoc-logo.png)| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture ![Image of CSIS Managed Detection & Response logo.](images/csis-logo.png)| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place
security Eval Defender Investigate Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond.md
Title: Investigate and respond using Microsoft 365 Defender in a pilot environment
-description: Set up attack simulations at Microsoft 365 Defender trial lab or pilot environment to try out the security solution designed to teach users to protect devices, identity, data, and applications.
+description: Set up attack simulations in Microsoft 365 Defender trial lab or pilot environment to try out the security solution designed to teach users to protect devices, identity, data, and applications.
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
Use the following steps to set up and configure the pilot for Microsoft Defender
- [Step 2. Configure protectionΓÇöConditional Access App Control](#step-2-configure-protectionconditional-access-app-control) - [Step 3. Try out capabilitiesΓÇöWalk through tutorials for protecting your environment](#step-3-try-out-capabilitieswalk-through-tutorials-for-protecting-your-environment) - ## Step 1. Create the pilot groupΓÇöScope your pilot deployment to certain user groups Microsoft Defender for Cloud Apps enables you to scope your deployment. Scoping allows you to select certain user groups to be monitored for apps or excluded from monitoring. You can include or exclude user groups. To scope your pilot deployment, see [Scoped Deployment](/cloud-app-security/scoped-deployment).
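Review bot: the "ΓÇö" sequence in the step titles is a UTF-8 em dash (bytes E2 80 94) that has been decoded with a single-byte code page, so the dashes render as three garbage characters; the source file should be re-saved as UTF-8. The heading anchors in the links ("#step-2-configure-protectionconditional-access-app-control") already assume a real em dash that the anchor generator strips, so they will only resolve once the encoding is fixed.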
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
Title: Review architecture requirements and planning concepts for Microsoft Defender for Office 365
-description: The technical diagram for Microsoft Defender for Office 365 in Microsoft 365 Defender will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment.
+description: The technical diagram for Microsoft Defender for Office 365 in Microsoft 365 Defender will help you understand identity at Microsoft 365 before you build your trial lab or pilot environment.
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
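Review bot: changing "understand identity in Microsoft 365" to "understand identity at Microsoft 365" is a regression; the original preposition was correct. Revert this one word.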
security Eval Defender Office 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-overview.md
Use the following steps to enable and pilot Microsoft Defender for Office 365.
The following table describes the steps in the illustration.
-| Serial Number|Step |Description |
+| Step number | Link |Description |
|||| |1|[Review architecture requirements and key concepts](eval-defender-office-365-architecture.md) | Understand the Defender for Office architecture and be sure your Exchange Online environment meets the architecture prerequisites. | |2|[Enable the evaluation environment](eval-defender-office-365-enable-eval.md) | Follow the steps to setup the evaluation environment. |
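Review bot: the new header "Link" describes the cell format rather than its content; the cells hold the step titles, so "Step" (with "Step number" in the first column) reads better and matches the step tables in the other evaluation articles. The separator row shown as "||||" contains no dashes and will not render as a table header row; it should be "|---|---|---|".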
security First Incident Path Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-path-identity.md
Selecting the **Suspected overpass-the-hash attack** alert goes to a page in Mic
Alternatively, an analyst can use Defender for Endpoint to learn more about the activity on an endpoint. Select the incident from the incident queue, then select the **Alerts** tab. From here, they can identify the detection source as well. A detection source labeled as EDR stands for Endpoint Detection and Response, which is Defender for Endpoint. From here, the analyst selects an alert detected by EDR. The alert page displays various pertinent information such as the impacted device name, username, status of auto-investigation, and the alert details. The alert story depicts a visual representation of the process tree. The process tree is a hierarchical representation of parent and child processes related to the alert.
security First Incident Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-prepare.md
Make time in your schedule to regularly check the [Threat Analytics](threat-anal
## Next step
-[![Step 1: Learn how to triage and analyze incidents.](../../medi)
- Learn how to [triage and analyze incidents](first-incident-analyze.md). ## See also
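Review bot: this hunk removes both the step image and the sentence "Learn how to [triage and analyze incidents](first-incident-analyze.md)", which leaves the "## Next step" heading with no content before "## See also". If only the broken image reference is meant to go, keep the text link to first-incident-analyze.md.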
security First Incident Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-remediate.md
Playbooks can also be created during [post-incident review](first-incident-post.
## Next step
-[![Step 3: Learn how to perform a post-incident review of an incident.](../../medi)
- Learn how to [perform a post-incident review of an incident](first-incident-post.md). ## See also
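Review bot: same problem as in first-incident-prepare.md: removing both the image and the sentence "Learn how to [perform a post-incident review of an incident](first-incident-post.md)" leaves "## Next step" empty. Keep the text link if only the image is being dropped.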
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Microsoft 365 Defender applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility that Microsoft 365 Defender has across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization.
+Microsoft 365 Defender applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility in Microsoft 365 Defender has across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization.
The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision, a process known as incident triage.
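Review bot: "given the end-to-end visibility in Microsoft 365 Defender has across the entire suite of products" is ungrammatical; either keep the original "visibility that Microsoft 365 Defender has across" or write "visibility Microsoft 365 Defender has across".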
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
You can start by selecting the incident from the check mark column. Here's an ex
When you do, a summary pane opens with key information about the incident, such as severity, to whom it is assigned, and the [MITRE ATT&CK&trade;](https://attack.mitre.org/) categories for the incident. Here's an example. From here, you can select **Open incident page**. This opens the main page for the incident where you'll find more summary information and tabs for alerts, devices, users, investigations, and evidence.
security M365d Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md
When you visit the Action center, you see two tabs: **Pending actions** and **Hi
You can customize, sort, filter, and export data in the Action center. - Select a column heading to sort items in ascending or descending order. - Use the time period filter to view data for the past day, week, 30 days, or 6 months.
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
Microsoft Defender for Endpoint in Microsoft 365 Defender supports [granting acc
>- US Department of Defense >- All US government institutions with commercial licenses
-Take a look at Microsoft 365 Defender at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>.
+Take a look in Microsoft 365 Defender at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>.
Learn more about the benefits: [Overview of Microsoft 365 Defender](microsoft-365-defender.md)
security Microsoft Secure Score Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-improvement-actions.md
When you select a specific improvement action, a full page flyout appears.
To complete the action, you have a few options: -- Select **Manage** to go the configuration screen and make the change. You'll then gain the points that the action is worth, visible in the fly out. Points generally take about 24 hours to update.
+- Select **Manage in Microsoft 365 Defender** to go to the configuration screen and make the change. You'll then gain the points that the action is worth, visible in the flyout. Points generally take about 24 hours to update.
- Select **Share** to copy the direct link to the improvement action. You can also choose the platform to share the link, such as email, Microsoft Teams, or Microsoft Planner.
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics-analyst-reports.md
Like the list of antivirus detections, some EDR alerts are designed to generical
Email-related detections and mitigations from Microsoft Defender for Office 365, are included in analyst reports in addition to the endpoint data already available from Microsoft Defender for Endpoint.
-Prevented email attempt information gives you insights on whether your organization were a target of the threat tackled in the analyst report even if the attack has been effectively blocked before delivery or delivered to the junk mail folder.
+Prevented email attempt information gives you insights on whether your organization was a target of the threat tackled in the analyst report even if the attack has been effectively blocked before delivery or delivered to the junk mail folder.
## Find subtle threat artifacts using advanced hunting
While detections allow you to identify and stop the tracked threat automatically
Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://security.microsoft.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches. >[!NOTE]
-> Threat analytics is also available in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/threat-analytics). However, it does not have the data integration between Microsoft Defender for Office and Microsoft Defender for Endpoint that Microsoft 365 Defender threat analytics has.
+> Threat analytics is also available in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/threat-analytics). However, it does not have the data integration between Microsoft Defender for Office and Microsoft Defender for Endpoint.
## Related topics
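Review bot: the `+` line drops the clause "that Microsoft 365 Defender threat analytics has", so the note no longer tells the reader which product does offer the Defender for Office / Defender for Endpoint integration; suggest keeping the comparison, e.g. "...that Microsoft 365 Defender threat analytics provides." In both the old and the new line, "Microsoft Defender for Office" should read "Microsoft Defender for Office 365", the name used earlier in this same article.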
security Automated Investigation Response Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/automated-investigation-response-office.md
Remediation is the final phase of the playbook. During this phase, remediation s
## Example: A security administrator triggers an investigation from Threat Explorer
-In addition to automated investigations that are triggered by an alert, your organization's security operations team can trigger an automated investigation from a view in [Threat Explorer](threat-explorer.md). This investigation also creates an alert, so that Microsoft 365 Defender incidents and external SIEM tools can see that this investigation was triggered.
+In addition to automated investigations that are triggered by an alert, your organization's security operations team can trigger an automated investigation from a view in [Threat Explorer](threat-explorer.md). This investigation also creates an alert, so Microsoft 365 Defender incidents and external SIEM tools can see that this investigation was triggered.
For example, suppose that you are using the **Malware** view in Explorer. Using the tabs below the chart, you select the **Email** tab. If you select one or more items in the list, the **+ Actions** button activates.
security Removing User From Restricted Users Portal After Spam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md
ms.prod: m365-security
If a user exceeds one of the outbound sending limits as specified in [the service limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or in [outbound spam policies](configure-the-outbound-spam-policy.md), the user is restricted from sending email, but they can still receive email.
-The user is added to the **Restricted users** page in the Microsoft 365 Defender portal. When they try to send email, the message is returned in a non-delivery report (also known as an NDR or bounce messages) with the error code [5.1.8](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-1-8-in-exchange-online) and the following text:
+The user is added to the **Restricted users** page in the Microsoft 365 Defender portal. When they try to send email, the message is returned in a non-delivery report (also known as an NDR or bounce message) with the error code [5.1.8](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-1-8-in-exchange-online) and the following text:
> "Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that > your email address is suspected of sending spam and it's no longer allowed to send email. Contact your email admin for > assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender."
-Admins can remove users from the Restricted users page in the Microsoft 365 Defender or in Exchange Online PowerShell.
+Admins can remove users from the **Restricted users** page in the Microsoft 365 Defender or in Exchange Online PowerShell.
## What do you need to know before you begin?
The default alert policy named **User restricted from sending email** will autom
> [!IMPORTANT] > For alerts to work, audit log search must to be turned on. For more information, see [Turn the audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. To go directly to the **Alert policy** page, use <https://security.microsoft.com/alertpolicies>.
-2. On the **Alert policy** page, find and select the alert named **User restricted from sending email**. You can sort the policies by name, or use the **Search box** to find the policy.
+2. On the **Alert policy** page, find and select the alert named **User restricted from sending email**. You can sort the policies by name, or use the **Search** box to find the policy.
3. In the **User restricted from sending email** flyout that appears, verify or configure the following settings: - **Status**: Verify the alert is turned on ![Toggle on.](../../media/scc-toggle-on.png).
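Review bot: the `+` line "Admins can remove users from the **Restricted users** page in the Microsoft 365 Defender or in Exchange Online PowerShell" still lacks "portal" after "Microsoft 365 Defender", which the preceding paragraph spells out as "the Microsoft 365 Defender portal"; suggest "in the Microsoft 365 Defender portal or in Exchange Online PowerShell". The unchanged important note in the same region reads "audit log search must to be turned on"; the stray "to" should be removed while this file is being edited.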
security Sharepoint File Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sharepoint-file-access-policies.md
The following table lists the policies you either need to review and update or c
## Use app-enforced restrictions in SharePoint
-If you implement access controls in SharePoint, you must create this Conditional Access policy in Azure AD to tell Azure AD to enforce the policies you configure in SharePoint. This policy applies to all users, but only affects access to the sites you specify using PowerShell when you create the access controls in SharePoint.
+If you implement access controls in SharePoint, Conditional Access policies are created in Azure AD to tell Azure AD to enforce the policies you configure in SharePoint. By default, this policy applies to all users, but only affects access to the sites you specify using PowerShell when you create the access controls in SharePoint. The policy can also be scoped for specific users, groups, or sites.
To configure this policy see "Block or limit access to specific SharePoint site collections or OneDrive accounts" in [Control access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices).
James has starting point Conditional Access policies assigned, but he can be giv
Configure Conditional Access policies for: - [Microsoft Teams](teams-access-policies.md)-- [Exchange Online](secure-email-recommended-policies.md)
+- [Exchange Online](secure-email-recommended-policies.md)
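Review bot: the `+` line rewrites the first sentence as plural and passive ("Conditional Access policies are created in Azure AD"), which no longer says who creates the policy and conflicts with the singular "this policy" in the next sentence and in the following "To configure this policy" paragraph. Suggest keeping the actor and the number consistent, e.g. "you create a Conditional Access policy in Azure AD that tells Azure AD to enforce the policies you configure in SharePoint", so that "By default, this policy applies to all users" and "To configure this policy" still resolve.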