Updates from: 03/09/2023 04:05:36
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
f1.keywords:
Previously updated : 03/06/2023 Last updated : 03/07/2023 audience: Admin
Before you can scope a label to just files or emails, you must first remove it i
**Limitation for this preview:** -- If the label is configured as the default label in one or more label policies, and Outlook isn't configured with its own default label in the same policy, you can't remove the scope for **Email**. As a workaround, remove this label as the default label, and then you can remove the email scope.
+- If the label is configured as the default label in one or more label policies, and Outlook isn't configured with its own default label in the same policy, you can't remove the scope for **Email**. As a workaround, first remove this label as the default label. You'll then be able to remove the email scope. Finally, reselect the now modified label as the default label for documents.
## Configure a label to apply S/MIME protection in Outlook
lighthouse M365 Lighthouse Configure Portal Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security.md
f1.keywords: CSH
-+ Last updated 07/09/2021 audience: Admin
lighthouse M365 Lighthouse Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-mitigate-threats.md
f1.keywords: NOCSH
-+ Last updated 11/19/2021 audience: Admin
lighthouse M365 Lighthouse Review Audit Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-review-audit-logs.md
f1.keywords: CSH
-+ Last updated 01/20/2022 audience: Admin
lighthouse M365 Lighthouse Threat Management Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-threat-management-page-overview.md
f1.keywords: NOCSH
-+ Last updated 07/07/2021 audience: Admin
security Add Or Remove Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags.md
Last updated 02/24/2023
**Applies to:** -- [Microsoft Defender for Endpoint Plan 1 ](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2 ](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp.md
The following code was tested with NuGet Microsoft.Identity.Client 3.19.8.
string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
- const string authority = https://login.microsoftonline.com;
- const string audience = https://api.securitycenter.microsoft.com;
+ const string authority = "https://login.microsoftonline.com";
+ const string audience = "https://api.securitycenter.microsoft.com";
IConfidentialClientApplication myApp = ConfidentialClientApplicationBuilder.Create(appId).WithClientSecret(appSecret).WithAuthority($"{authority}/{tenantId}").Build();
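Review bot: the quoting fix is required (a bare `https://...` is not a valid C# string literal, so the removed lines did not compile), but the snippet still feeds `WithClientSecret(appSecret)` from a secret pasted inline on the preceding line. Since that line already warns to "store it in a safe place", suggest the sample read `appSecret` from configuration or an environment variable instead of a string literal, so the example does not model hard-coding a client secret alongside the tenant and app IDs.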
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
Property (ID)|Data type|Description|Example of a returned value
:|:|:|: DeviceId|string|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1 DeviceName|string|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com
-DiskPaths|Array[string]|Disk evidence that the product is installed on the device.|[ "C:\\Program Files (x86)\\Microsoft\\Silverlight\\Application\\silverlight.exe" ]
+DiskPaths|Array[string]|Disk evidence that the product is installed on the device.|["C:\\Program Files (x86)\\Microsoft\\Silverlight\\Application\\silverlight.exe"]
EndOfSupportDate|string|The date in which support for this software has or will end.|2020-12-30 EndOfSupportStatus|string|End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.|Upcoming EOS NumberOfWeaknesses|int|Number of weaknesses on this software on this device|3 OSPlatform|string|Platform of the operating system running on the device. These are specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Microsoft Defender Vulnerability Management supported operating systems and platforms for details.|Windows10 and Windows 11 RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."|Servers
-RegistryPaths|Array[string]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Silverlight" ]
+RegistryPaths|Array[string]|Registry evidence that the product is installed in the device.|["HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Silverlight"]
SoftwareFirstSeenTimestamp|string|The first time this software was seen on the device.|2019-04-07 02:06:47 SoftwareName|string|Name of the software product.|Silverlight SoftwareVendor|string|Name of the software vendor.|microsoft
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
CveId|String|Unique identifier assigned to the security vulnerability under the
CvssScore|String|The CVSS score of the CVE.|6.2 DeviceId|String|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1 DeviceName|String|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com
-DiskPaths|Array\[string\]|Disk evidence that the product is installed on the device.|[ "C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe" ]
+DiskPaths|Array\[string\]|Disk evidence that the product is installed on the device.|["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]
ExploitabilityLevel|String|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)|ExploitIsInKit FirstSeenTimestamp|String|First time the CVE of this product was seen on the device.|2020-11-03 10:13:34.8476880 Id|String|Unique identifier for the record.|123ABG55_573AG&mnp!
RbacGroupName|String|The role-based access control (RBAC) group. If this device
RecommendationReference|String|A reference to the recommendation ID related to this software.|va-_-microsoft-_-silverlight RecommendedSecurityUpdate (optional)|String|Name or description of the security update provided by the software vendor to address the vulnerability.|April 2020 Security Updates RecommendedSecurityUpdateId (optional)|String|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles|4550961
-RegistryPaths|Array\[string\]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftSilverlight" ]
+RegistryPaths|Array\[string\]|Registry evidence that the product is installed in the device.|["HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftSilverlight"]
SecurityUpdateAvailable|Boolean|Indicates whether a security update is available for the software.| Possible values are true or false. SoftwareName|String|Name of the software product.|Chrome SoftwareVendor|String|Name of the software vendor.|Google
RbacGroupName|String|The role-based access control (RBAC) group. If this device
RecommendationReference|string|A reference to the recommendation ID related to this software.|va--microsoft--silverlight RecommendedSecurityUpdate |String|Name or description of the security update provided by the software vendor to address the vulnerability.|April 2020 Security Updates RecommendedSecurityUpdateId |String|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles|4550961
-RegistryPaths |Array[string]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome" ]
+RegistryPaths |Array[string]|Registry evidence that the product is installed in the device.|["HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome"]
SoftwareName|String|Name of the software product.|Chrome SoftwareVendor|String|Name of the software vendor.|Google SoftwareVersion|String|Version number of the software product.|81.0.4044.138
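Review bot: the `DiskPaths` and `RegistryPaths` example values in this table are written as JSON arrays but use single backslashes (`"C:\Program Files (x86)\..."`, `"HKEY_LOCAL_MACHINE\SOFTWARE\..."`), which is not valid JSON; the same rows in the software-inventory table use escaped `\\` separators, and these cells should match now that they are being retouched. While here, also check the registry key shown as `...\Uninstall\MicrosoftSilverlight` against the software-inventory row, which has `Microsoft Silverlight` with a space, and the `RecommendationReference` example `va--microsoft--silverlight` against `va-_-microsoft-_-silverlight` a few rows earlier; only one form of each can be right.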
security Get Security Baselines Assessment Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-configurations.md
If successful, this method returns 200 OK with the list of baseline configuratio
|Property | Type | Description | |:|:|:| |Id | String | Unique identifier for the specific configuration in the baseline benchmark.
+|benchmarkName| String | The name of the benchmark.
|name | String | The configuration name at it appears in the benchmark. |description | String | The configuration description as it appears in the benchmark. |category | String | The configuration category as it appears in the benchmark. |complianceLevel|String|The compliance level of the benchmark where this configuration appears. |`cce`|Int|The CCE for this configuration as it appears in the benchmark. |rationale |String|The rationale for this configuration as it appears in the benchmark. For STIG benchmark this isn't supplied for this configuration.
+|source|String| The registry path or other location used to determine the current device setting.
+|remediation|String| The recommended steps to remediate.
## 1.6 Example
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Cert and File IoC policy handling conflict will follow the below order:
- Else if the file is blocked by ASR rules, CFA, AV, SmartScreen, then **Block** - Else **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it)
->[!NOTE]
+> [!NOTE]
> In situations when Microsoft Defender Antivirus is set to **Block**, but Defender for Endpoint - Indicators - File hash or Certificate is set to **Allow**, the policy will default to **Allow**. If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure (meaning longer) hash will be applied. For example, an SHA-256 file hash IoC policy will win over an MD5 file hash IoC policy if both hash types define the same file.
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier2
Last updated 12/18/2020
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
When you investigate a specific device, you'll see:
- Device details - Response actions - Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs)-- Cards (active alerts, logged on users, security assessment, device health status)
-
+- Cards (active alerts, logged on users, security assessment, device health status)
:::image type="content" source="images/specific-device.png" alt-text="The device view" lightbox="images/specific-device.png":::
The **Discovered vulnerabilities** tab shows the name, severity, and threat insi
:::image type="content" source="images/discovered-vulnerabilities-device.png" alt-text="The Discovered vulnerabilities tab" lightbox="images/discovered-vulnerabilities-device.png"::: ### Missing KBs+ The **Missing KBs** tab lists the missing security updates for the device. :::image type="content" source="images/missing-kbs-device.png" alt-text="The Missing KBs tab" lightbox="images/missing-kbs-device.png":::
The **Device health status** card shows a summarized health report for the speci
- Device is up to date - Status not available for macOS & Linux
-Other information in the card include: the last full scan, last quick scan, security intelligence update version, engine update version, platform update version, and Defender Antivirus mode.
+Other information in the card include: the last full scan, last quick scan, security intelligence update version, engine update version, platform update version, and Defender Antivirus mode.
-Please note that a grey circle indicates that the data is unknown.
+Please note that a grey circle indicates that the data is unknown.
> [!NOTE]
-> The overall status message for macOS and Linux devices currently shows up as 'Status not available for macOS & Linux'. Currently, the status summary is only available for Windows devices. All other information in the table is up to date to show the individual states of each device health signal for all supported platforms.
+> The overall status message for macOS and Linux devices currently shows up as 'Status not available for macOS & Linux'. Currently, the status summary is only available for Windows devices. All other information in the table is up to date to show the individual states of each device health signal for all supported platforms.
-To gain an in-depth view of the device health report, you can go to **Reports > Devices health**. For more information, see [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports).
-
->[!NOTE]
->The date and time for Defender Antivirus mode is currently not available.
+To gain an in-depth view of the device health report, you can go to **Reports > Devices health**. For more information, see [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports).
+> [!NOTE]
+> The date and time for Defender Antivirus mode is currently not available.
:::image type="content" source="images/device-health-status.png" alt-text="The device health status card" lightbox="images/device-health-status.png":::
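Review bot: this re-indentation hunk carries a grammar slip through unchanged: "Other information in the card include:" should read "includes". Since the lines are being rewritten anyway, suggest fixing it in the same change rather than leaving it for a follow-up.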
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
The **User details** pane on left provides information about the user, such as r
The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account. -
->[!NOTE]
->For Linux devices, information about logged in users is not displayed.
-
+> [!NOTE]
+> For Linux devices, information about logged in users is not displayed.
### Overview
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
This configuration is available for both the enrolled (MDM) devices as well as u
Network protection in Microsoft Defender for endpoint is disabled by default. Admins can use the following steps to configure Network Protection. This configurations is available for both enrolled devices through MDM config and unenrolled devices through MAM config.
->[!NOTE]
->Only one policy should be created for Network Protection, either MDM or MAM.
+> [!NOTE]
+> Only one policy should be created for Network Protection, either MDM or MAM.
**For enrolled devices (MDM)**:
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier3
Last updated 12/18/2020
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) -
->[!TIP]
->Looking for advanced guidance on deploying Microsoft Defender for Endpoint on Linux? See [Advanced deployment guide on Defender for Endpoint on Linux](comprehensive-guidance-on-linux-deployment.md).
-
+> [!TIP]
+> Looking for advanced guidance on deploying Microsoft Defender for Endpoint on Linux? See [Advanced deployment guide on Defender for Endpoint on Linux](comprehensive-guidance-on-linux-deployment.md).
This article describes how to deploy Microsoft Defender for Endpoint on Linux manually. A successful deployment requires the completion of all of the following tasks:
Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
> [!WARNING] > Upgrading your operating system to a new major version after the product installation requires the product to be reinstalled. You need to [Uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux) the existing Defender for Endpoint on Linux, upgrade the operating system, and then reconfigure Defender for Endpoint on Linux following the below steps. --- ## Configure the Linux software repository Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
In order to preview new features and provide early feedback, it is recommended t
sudo apt -t bionic install mdatp ```
->[!NOTE]
->Reboots are NOT required after installing or updating Microsoft Defender for Endpoint on Linux except when you're running auditD in immutable mode.
--
+> [!NOTE]
+> Reboots are NOT required after installing or updating Microsoft Defender for Endpoint on Linux except when you're running auditD in immutable mode.
## Download the onboarding package
Download the onboarding package from Microsoft 365 Defender portal.
> [!NOTE] > To run this command, you must have `python` or `python3` installed on the device depending on the distro and version. If needed, see [Step-by-step Instructions for Installing Python on Linux](https://opensource.com/article/20/4/install-python-linux).
-
+ > [!NOTE] > To onboard a device that was previously offboarded you must remove the mdatp_offboard.json file located at /etc/opt/microsoft/mdatp.
Download the onboarding package from Microsoft 365 Defender portal.
The following external package dependencies exist for the mdatp package:
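Review bot: the new offboarding note needs a comma after "previously offboarded", and the file name and directory (`mdatp_offboard.json`, `/etc/opt/microsoft/mdatp`) should be set in backticks as the note above does for `python`/`python3`. It would also help to say at which step the file has to be gone (before the onboarding script is run), since the note sits next to that command.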
+- The mdatp RPM package requires "glibc >= 2.17", "audit", "policycoreutils", "semanage" "selinux-policy-targeted", "mde-netfilter"
+- For RHEL6 the mdatp RPM package requires "audit", "policycoreutils", "libselinux", "mde-netfilter"
+- For DEBIAN the mdatp package requires "libc6 >= 2.23", "uuid-runtime", "auditd", "mde-netfilter"
The mde-netfilter package also has the following package dependencies:
+- For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"
+- for RPM the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"
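Review bot: the RHEL dependency item is missing a comma between "semanage" and "selinux-policy-targeted", and the last item starts with lowercase "for RPM" while its sibling reads "For DEBIAN"; suggest aligning the capitalization and, as elsewhere in these docs, putting the package names in backticks rather than quotation marks so they are not mistaken for prose.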
If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces,
To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).
->[!NOTE]
->In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation.
+> [!NOTE]
+> In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation.
-## Troubleshoot AuditD performance issues
+## Troubleshoot AuditD performance issues
-**Background:**
+**Background:**
-- Microsoft Defender for Endpoint on Linux OS distributions uses AuditD framework to collect certain types of telemetry events.
+- Microsoft Defender for Endpoint on Linux OS distributions uses AuditD framework to collect certain types of telemetry events.
-- System events captured by rules added to `/etc/audit/rules.d/` will add to audit.log(s) and might affect host auditing and upstream collection.
+- System events captured by rules added to `/etc/audit/rules.d/` will add to audit.log(s) and might affect host auditing and upstream collection.
-- Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key.
+- Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key.
- If the AuditD service is misconfigured or offline, then some events might be missing. To troubleshoot such an issue, refer to: [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux.](linux-support-events.md)
-In certain server workloads, two issues might be observed:
+In certain server workloads, two issues might be observed:
-- **High CPU** resource consumption from ***mdatp_audisp_plugin*** process.
+- **High CPU** resource consumption from ***mdatp_audisp_plugin*** process.
-- ***/var/log/audit/audit.log*** becoming large or frequently rotating.
+- ***/var/log/audit/audit.log*** becoming large or frequently rotating.
-These issues may occur on servers with many events flooding AuditD.
+These issues may occur on servers with many events flooding AuditD.
-This can happen if there are multiple consumers for AuditD, or too many rules with the combination of Microsoft Defender for Endpoint and third party consumers, or high workload that generates a lot of events.
+This can happen if there are multiple consumers for AuditD, or too many rules with the combination of Microsoft Defender for Endpoint and third party consumers, or high workload that generates a lot of events.
-To troubleshoot such issues, begin by [collecting MDEClientAnalyzer logs](run-analyzer-macos-linux.md) on the sample affected server.
+To troubleshoot such issues, begin by [collecting MDEClientAnalyzer logs](run-analyzer-macos-linux.md) on the sample affected server.
> [!NOTE] > As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming issue still persists before investigating further.
+>
+> That there are additional configurations that can affect AuditD subsystem CPU strain.
+>
+> Specifically, in [auditd.conf](https://linux.die.net/man/8/auditd.conf), the value for **disp_qos** can be set to "lossy" to reduce the high CPU consumption.
+>
+> However, this means that some events may be dropped during peak CPU consumption.
-> [!NOTE]
-> That there are additional configurations that can affect AuditD subsystem CPU strain. <BR>
-> Specifically, in [auditd.conf](https://linux.die.net/man/8/auditd.conf), the value for **disp_qos** can be set to "lossy" to reduce the high CPU consumption. <BR>
-> However, this means that some events may be dropped during peak CPU consumption. <BR>
-
-### XMDEClientAnalyzer
+### XMDEClientAnalyzer
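Review bot: the merged note inherits a sentence fragment: "That there are additional configurations that can affect AuditD subsystem CPU strain." lost its leading "Note" when it was folded under the `[!NOTE]` header. Suggest "There are additional configurations that can affect..." or "Additional configurations can affect...". The sentence just above it also needs "confirm" rather than "confirming" ("...update the agent ... and confirm the issue still persists before investigating further").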
When you use [XMDEClientAnalyzer](run-analyzer-macos-linux.md), the following files will display output that provides insights to help you troubleshoot issues.+ - auditd_info.txt - auditd_log_analysis.txt - #### auditd_info.txt Contains general AuditD configuration and will display: -- What processes are registered as AuditD consumers.
+- What processes are registered as AuditD consumers.
+
+- **Auditctl -s** output with **enabled=2**
-- **Auditctl -s** output with **enabled=2**
+ - Suggests auditd is in immutable mode (requires restart for any config changes to take effect).
- - Suggests auditd is in immutable mode (requires restart for any config changes to take effect).
+- **Auditctl -l** output
-- **Auditctl -l** output
+ - Will show what rules are currently loaded into the kernel (which may be different that what exists on disk in "/etc/auditd/rules.d/mdatp.rules").
+
+ - Will show which rules are related to Microsoft Defender for Endpoint.
- - Will show what rules are currently loaded into the kernel (which may be different that what exists on disk in "/etc/auditd/rules.d/mdatp.rules").
-
- - Will show which rules are related to Microsoft Defender for Endpoint.
-
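Review bot: the reworked `Auditctl -l` bullet keeps two problems: "different that what exists on disk" should be "different than" (or "from"), and the quoted path `/etc/auditd/rules.d/mdatp.rules` does not match the directory named in the Background bullets, `/etc/audit/rules.d/`. One of the two is a typo; please correct it so a reader comparing loaded rules with the on-disk file can actually find the file.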
#### auditd_log_analysis.txt
-Contains important aggregated information that is useful when investigating AuditD performance issues.
+Contains important aggregated information that is useful when investigating AuditD performance issues.
-- Which component owns the most reported events (Microsoft Defender for Endpoint events will be tagged with `key=mdatp`).
+- Which component owns the most reported events (Microsoft Defender for Endpoint events will be tagged with `key=mdatp`).
-- The top reporting initiators.
+- The top reporting initiators.
-- The most common system calls (network or filesystem events, and others).
+- The most common system calls (network or filesystem events, and others).
-- What file system paths are the noisiest.
+- What file system paths are the noisiest.
-**To mitigate most AuditD performance issues, you can implement AuditD exclusion. **
+**To mitigate most AuditD performance issues, you can implement AuditD exclusion.**
> [!NOTE] > Exclusions should be made only for low threat and high noise initiators or paths. For example, do not exclude /bin/bash which risks creating a large blind spot. > [Common mistakes to avoid when defining exclusions](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus).
+### Exclusion Types
-### Exclusion Types
-
-The XMDEClientAnalyzer support tool contains syntax that can be used to add AuditD exclusion configuration rules:
+The XMDEClientAnalyzer support tool contains syntax that can be used to add AuditD exclusion configuration rules:
AuditD exclusion ΓÇô support tool syntax help: :::image type="content" source="images/auditd-exclusion-support-tool-syntax-help.png" alt-text="syntax that can be used to add AuditD exclusion configuration rules" lightbox="images/auditd-exclusion-support-tool-syntax-help.png":::
-**By initiator**
+**By initiator**
-- **-e/ -exe** full binary path > Removes all events by this initiator
+- **-e/ -exe** full binary path > Removes all events by this initiator
-**By path**
+**By path**
-- **-d / -dir** full path to a directory > Removes filesystem events targeting this directory
+- **-d / -dir** full path to a directory > Removes filesystem events targeting this directory
-Examples:
+Examples:
-If "`/opt/app/bin/app`" writes to "`/opt/app/cfg/logs/1234.log`", then you can use the support tool to exclude with various options:
+If "`/opt/app/bin/app`" writes to "`/opt/app/cfg/logs/1234.log`", then you can use the support tool to exclude with various options:
`-e /opt/app/bin/app` `-d /opt/app/cfg`
-`-x /usr/bin/python /etc/usercfg`
+`-x /usr/bin/python /etc/usercfg`
`-d /usr/app/bin/`
-More examples:
+More examples:
`./mde_support_tool.sh exclude -p <process id>` `./mde_support_tool.sh exclude -e <process name>`
-To exclude more than one item - concatenate the exclusions into one line:
+To exclude more than one item - concatenate the exclusions into one line:
`./mde_support_tool.sh exclude -e <process name> -e <process name 2> -e <process name3>`
-
-The -x flag is used to exclude access to subdirectories by specific initiators for example:
+
+The -x flag is used to exclude access to subdirectories by specific initiators for example:
`./mde_support_tool.sh exclude -x /usr/sbin/mv /tmp`
-The above will exclude monitoring of /tmp subfolder, when accessed by mv process.
+The above will exclude monitoring of /tmp subfolder, when accessed by mv process.
-
> [!NOTE]
-> Please contact Microsoft support if you need assistance with analyzing and mitigating AuditD related performance issues, or with deploying AuditD exclusions at scale.
+> Please contact Microsoft support if you need assistance with analyzing and mitigating AuditD related performance issues, or with deploying AuditD exclusions at scale.
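Review bot: the example block does not match its setup sentence. The scenario is `/opt/app/bin/app` writing to `/opt/app/cfg/logs/1234.log`, yet the listed options include `-x /usr/bin/python /etc/usercfg` and `-d /usr/app/bin/` (note `/usr` versus `/opt`), and the `-x` flag is only explained several lines further down. Suggest moving the `-x` explanation above its first use and replacing the two stray lines with examples drawn from the scenario (for instance `-x /opt/app/bin/app /opt/app/cfg`, following the `-x <initiator> <directory>` form shown with `mv` and `/tmp`). The sentence "to exclude access to subdirectories by specific initiators for example:" also needs a comma before "for example".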
## See also
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.localizationpriority: medium
Last updated 11/03/2022 audience: ITPro-+ - m365-security - tier3
search.appverid: met150
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) -
-This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux.
+This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux.
- [What's new in Defender for Endpoint on macOS](mac-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
This article is updated frequently to let you know what's new in the latest rele
**What's new** -- There are multiple fixes and new changes in this release
- - Skip quarantine of threats in passive mode by default.
- - New config, nonExecMountPolicy, can now be used to specify behavior of RTP on mount point marked as noexec.
- - New config, unmonitoredFilesystems, can be used to unmonitor certain filesystems.
- - Improved performance under high load and in speed test scenarios.
- - Fixes an issue with accessing SMB shares behind Cisco AnyConnect VPN connections.
- - Fixes an issue with Network Protection and SMB.
- - lttng performance tracing support.
- - TVM, eBPF, auditd, telemetry and mdatp cli improvements.
- - mdatp health will now report behavior_monitoring
- - Other fixes.
+- There are multiple fixes and new changes in this release
+ - Skip quarantine of threats in passive mode by default.
+ - New config, nonExecMountPolicy, can now be used to specify behavior of RTP on mount point marked as noexec.
+ - New config, unmonitoredFilesystems, can be used to unmonitor certain filesystems.
+ - Improved performance under high load and in speed test scenarios.
+ - Fixes an issue with accessing SMB shares behind Cisco AnyConnect VPN connections.
+ - Fixes an issue with Network Protection and SMB.
+ - lttng performance tracing support.
+ - TVM, eBPF, auditd, telemetry and mdatp cli improvements.
+ - mdatp health will now report behavior_monitoring
+ - Other fixes.
**Known issues** - - While upgrading mdatp to version 101.94.13, you may notice that health is false, with health_issues as "no active supplementary event provider". This may happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines needs to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Please take backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures. - ```bash echo -c >> /etc/audit/rules.d/audit.rules augenrules --load
augenrules --load
There are two ways to mitigate the problem in upgrading. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.+ Example:+ ```bash sudo apt purge mdatp sudo apt-get install mdatp ```
-
+ As an alternative to the above, you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package.
-In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade.
-Caution: Some customers(<1%) are experiencing issues with this method.
+In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade.
+Caution: Some customers(<1%) are experiencing issues with this method.
```bash sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
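Review bot: `sudo systemctl disable mdatp` only removes the unit from its boot targets and does not stop a running service, so if the intent of "disable rtp and mdatp in sequence before upgrade" is that mdatp is not running while the package is upgraded, the sequence also needs `sudo systemctl stop mdatp`, or the text should say that a reboot is expected before upgrading. In the auditd identification steps, `echo -c >> /etc/audit/rules.d/audit.rules` permanently appends a `-c` (continue loading on error) line to the rules file; since the text says these steps only identify failing rules and asks for a backup first, add the step that restores the backed-up file afterwards. Also the fenced blocks are run together with their commands on one line, and "customers(<1%)" needs a space.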
**What's new** -- There are multiple fixes and new changes in this release
- - V2 engine is default with this release and V1 engine bits are completely removed for enhanced security.
- - V2 engine support configuration path for AV definitions. (mdatp definition set path)
- - Removed external packages dependencies from MDE package. Removed dependencies are libatomic1, libselinux, libseccomp, libfuse, and libuuid
- - In case crash collection is disabled by configuration, crash monitoring process will not be launched.
- - Performance fixes to optimally use system events for AV capabilities.
- - Stability improvement in case of mdatp restart and loading of epsext issues.
- - Other fixes
+- There are multiple fixes and new changes in this release
+ - V2 engine is default with this release and V1 engine bits are completely removed for enhanced security.
+ - V2 engine support configuration path for AV definitions. (mdatp definition set path)
+ - Removed external packages dependencies from MDE package. Removed dependencies are libatomic1, libselinux, libseccomp, libfuse, and libuuid
+ - In case crash collection is disabled by configuration, crash monitoring process will not be launched.
+ - Performance fixes to optimally use system events for AV capabilities.
+ - Stability improvement in case of mdatp restart and loading of epsext issues.
+ - Other fixes
**Known issues**
sudo systemctl disable mdatp
There are two ways to mitigate the problem in upgrading. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.+ Example:+ ```bash sudo apt purge mdatp sudo apt-get install mdatp ```
-
+ As an alternative to the above, you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package.
-In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade.
-Caution: Some customers(<1%) are experiencing issues with this method.
+In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade.
+Caution: Some customers(<1%) are experiencing issues with this method.
```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ```
-
+ </details> <details>
sudo systemctl disable mdatp
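Review bot: the "disable rtp and mdatp in sequence" workaround never says how to undo it; after the upgrade the reader needs to re-enable real-time protection and the service (the inverse of the two commands shown, `sudo mdatp config real-time-protection --value=enabled` and `sudo systemctl enable mdatp`, followed by starting the service), otherwise devices come out of the upgrade unprotected. The fenced block here also has both commands on a single line, so a copy-paste runs them as one command; put each on its own line as the earlier release entry does.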
**What's new** - Fixes a kernel hang observed on select customer workloads running mdatp version 101.75.43. After RCA this was attributed to a race condition while releasing the ownership of a sensor file descriptor. The race condition was exposed due to a recent product change in the shutdown path. Customers on newer Kernel versions (5.1+) are not impacted by this issue. More information about the underlying issue can be found at [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901).
-
+ **Known issues** - When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.80.97. This should prevent the issue from occurring.
sudo systemctl disable mdatp
sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ```
-After executing the above, use your package manager to perform the upgrade.
-
+
+After executing the above, use your package manager to perform the upgrade.
+ As an alternative to the above, you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package. </br>
As an alternative to the above, you can follow the instructions to [uninstall](/
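Review bot: the added "As an alternative to the above" line ends with `</br>`, which is not a valid tag; the article uses `<br/>` elsewhere. The Known issues text should also say that the two commands are needed only when upgrading from 101.75.43 or 101.78.13 (the versions the What's new paragraph attributes the hang to) and that they are to be reverted after the upgrade, since the paragraph notes that kernels 5.1+ are not affected and readers on those kernels may otherwise disable protection needlessly.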
&ensp;Engine version: **1.1.19200.3**<br/> &ensp;Signature version: **1.367.1011.0**<br/> - **What's new** - Added an option to [configure file hash computation](linux-preferences.md#configure-file-hash-computation-feature)
As an alternative to the above, you can follow the instructions to [uninstall](/
&ensp;Build: **101.71.18**<br/> &ensp;Release version: **30.122052.17118.0**<br/> - **What's new** - Fix to support definitions storage in non-standard locations (outside of /var) for v2 definition updates
As an alternative to the above, you can follow the instructions to [uninstall](/
<br/><br/> </details> - <details> <summary>May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)</summary>
As an alternative to the above, you can follow the instructions to [uninstall](/
&ensp;Build: **101.68.80**<br/> &ensp;Release version: **30.122042.16880.0**<br/>
-**What's new**
+**What's new**
- Added support for kernel version `2.6.32-754.47.1.el6.x86_64` when running on RHEL 6 - On RHEL 6, product can now be installed on devices running Unbreakable Enterprise Kernel (UEK)
As an alternative to the above, you can follow the instructions to [uninstall](/
&ensp;Build: **101.65.77**<br/> &ensp;Release version: **30.122032.16577.0**<br/> - **What's new** - Improved the `conflicting_applications` field in `mdatp health` to show only the most recent 10 processes and also to include the process names. This makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Linux. - Bug fixes - <br/><br/> </details><details> <summary>Mar-2022 (Build: 101.62.74 | Release version: 30.122022.16274.0)</summary>
As an alternative to the above, you can follow the instructions to [uninstall](/
&ensp;Build: **101.62.74**<br/> &ensp;Release version: **30.122022.16274.0**<br/> - **What's new** - Addressed an issue where the product would incorrectly block access to files greater than 2GB in size when running on older kernel versions - Bug fixes - <br/><br/> </details><details> <summary>Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)</summary>
As an alternative to the above, you can follow the instructions to [uninstall](/
- This version contains a security update for [CVE-2022-23278](https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoofing-in-microsoft-defender-for-endpoint/) - <br/><br/> </details><details> <summary>Mar-2022 (Build: 101.60.05 | Release version: 30.122012.16005.0)</summary>
As an alternative to the above, you can follow the instructions to [uninstall](/
- Added support for kernel version 2.6.32-754.43.1.el6.x86_64 for RHEL 6.10 - Bug fixes - <br/><br/> </details><details> <summary>Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)</summary>
As an alternative to the above, you can follow the instructions to [uninstall](/
- Starting with this version, network protection for Linux can be evaluated on demand - Bug fixes -- <br/><br/> </details><details> <summary>Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)</summary>
As an alternative to the above, you can follow the instructions to [uninstall](/
- Fixed a product crash introduced in 101.53.02 and that has impacted multiple customers - <br/><br/> </details><details> <summary>Jan-2022 (Build: 101.53.02 | Release version: (30.121112.15302.0)</summary>
As an alternative to the above, you can follow the instructions to [uninstall](/
- Performance improvements & bug fixes -- </details> <details><summary> 2021 releases</summary><blockquote> <details><summary>(Build: 101.52.57 | Release version: 30.121092.15257.0)</summary>
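Review bot: two small defects sit in lines this change leaves untouched and could be fixed while the block is being edited: the summary for Build 101.53.02 reads "Release version: (30.121112.15302.0)" with an unmatched opening parenthesis, and the Feb-2022 (101.58.80) entry ends its list with "Bug fixes --" where a single hyphen is meant.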
-
- <p><b>
+
+ <p><b>
Build: 101.52.57 <br> Release version: 30.121092.15257.0</b></p>
-
+ <p><b> What's new </b></p> - Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.
-
+ </details> <details><summary>(Build: 101.47.76 | Release version: 30.121092.14776.0)</summary>
-
- <p><b>
+
+ <p><b>
Build: 101.47.76 <br> Release version: 30.121092.14776.0</b></p>
-
+ <p><b>What's new</b></p> - Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this is set to enabled.
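Review bot: `mdatp config scan-archives --value [enabled/disabled]` should be in backticks like the other CLI switches in this article (the `maximum-on-demand-scan-threads` entry further down is formatted that way). Since the default is enabled, one clause noting that setting it to disabled means threats packed inside archives are not found during on-demand scans would make the trade-off explicit.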
As an alternative to the above, you can follow the instructions to [uninstall](/
</details> <details><summary>(Build: 101.45.13 | Release version: 30.121082.14513.0)</summary>
-
- <p>
+
+ <p>
Build: <b>101.45.13 </b> <br> Release version:<b> 30.121082.14513.0 </b></p>
-
+ <p><b>What's new</b></p> - Starting with this version, we are bringing Microsoft Defender for Endpoint support to the following distros:
As an alternative to the above, you can follow the instructions to [uninstall](/
</details> - <details><summary>(Build: 101.45.00 | Release version: 30.121072.14500.0)</summary>
-
- <p>
+
+ <p>
Build:<b> 101.45.00</b> <br> Release version: <b>30.121072.14500.0</b></p>
-
+ <p><b>What's new</b></p>
-
- Added new switches to the command-line tool: - Control degree of parallelism for on-demand scans. This can be configured through `mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]`. By default, a degree of parallelism of `2` is used.
As an alternative to the above, you can follow the instructions to [uninstall](/
</details> <details><summary>(Build: 101.39.98 | Release version: 30.121062.13998.0)</summary>
-
- <p>
+
+ <p>
Build: <b>101.39.98 </b><br> Release version: <b>30.121062.13998.0</b></p>
-
+ <p><b>What's new</b></p> - Performance improvements & bug fixes
-
+ </details> <details><summary>(Build: 101.34.27 | Release version: 30.121052.13427.0)</summary>
-
- <p>
+
+ <p>
Build:<b> 101.34.27</b> <br> Release version: <b>30.121052.13427.0</b></p>
-
+ <p><b>What's new</b></p> - Performance improvements & bug fixes
-
+ </details> <details><summary>(Build: 101.29.64 | Release version: 30.121042.12964.0)</summary>
-
- <p>
+
+ <p>
Build:<b> 101.29.64 </b><br> Release version:<b> 30.121042.12964.0</b></p>
-
+ <p><b>What's new</b></p> - Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
As an alternative to the above, you can follow the instructions to [uninstall](/
- `--sort`: sorts the output descending by total number of files scanned - `--top N`: displays the top N results (only works if `--sort` is also specified) - Performance improvements & bug fixes
-
+ </details> <details><summary>(Build: 101.25.72 | Release version: 30.121022.12563.0)</summary>
-
- <p>
+
+ <p>
Build:<b> 101.25.72</b> <br> Release version: <b>30.121022.12563.0</b></p>
-
+ <p><b>What's new</b></p> - Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md). - Fixed an issue where usage of Microsoft Defender for Endpoint on Linux on systems with FUSE filesystems was leading to OS hang - Performance improvements & other bug fixes
-
+ </details>
-
<details><summary>(Build: 101.25.63 | Release version: 30.121022.12563.0)</summary>
-
- <p>
+
+ <p>
Build:<b> 101.25.63</b> <br> Release version: <b>30.121022.12563.0</b></p>
-
+ <p><b>What's new</b></p> - Performance improvements & bug fixes
-
+ </details> <details><summary>(Build: 101.23.64 | Release version: 30.121021.12364.0)</summary>
-
+ <p> Build:<b> 101.23.64 </b><br> Release version: 30.121021.12364.0</b></p>
-
+ <p><b>What's new</b></p> - Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, file activity originating from the mount point was still processed by the product. Starting with this version, file activity for excluded mount points is suppressed, leading to better product performance - Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus` - Other performance improvements & bug fixes
-
+ </details> <details><summary>(Build: 101.18.53)</summary>
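Review bot: the re-indented line `<p> Build:<b> 101.23.64 </b><br> Release version: 30.121021.12364.0</b></p>` in the 101.23.64 entry carries a closing `</b>` with no opening tag before the release version; the neighbouring entries wrap the version as `<b>...</b>`, so add the opening tag rather than re-indenting the imbalance.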
-
- <p>
- Build:<b> 101.18.53 </b><br>
-
- <p>What's new</b></p>
+
+ <p>
+ Build:<b> 101.18.53 </b><br>
+
+ <p>What's new</b></p>
- EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539) - Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`) - Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory
- - Performance improvements & bug fixes
-
- </details>
---
+ - Performance improvements & bug fixes
+ </details>
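Review bot: `<p>What's new</b></p>` in the 101.18.53 entry is reproduced in the re-indented line with its closing `</b>` unopened; since this change touches the line, make it `<p><b>What's new</b></p>` to match the other 2021 entries.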
</blockquote></details>-
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Before you can initiate a session on a device, make sure you fulfill the followi
> [!NOTE] > Only admins and users who have "Manage Portal Settings" permissions can enable live response. - - **Enable live response unsigned script execution** (optional).
- >[!IMPORTANT]
- >Signature verification only applies for PowerShell scripts.
+ > [!IMPORTANT]
+ > Signature verification only applies for PowerShell scripts.
> [!WARNING] > Allowing the use of unsigned scripts may increase your exposure to threats.
To enable your security operations team to continue investigating an impacted de
Here are some examples:
-<br>
-
-****
- |Command|What it does| ||| |`getfile "C:\windows\some_file.exe" &`|Starts downloading a file named *some_file.exe* in the background.|
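Review bot: the IMPORTANT callout says signature verification applies only to PowerShell scripts, but it sits directly under the **Enable live response unsigned script execution** option without saying what that means for the option: with it off, only PowerShell scripts are signature-checked, and the statement should say so plainly so the WARNING that follows is read in that light. In the examples table, the header separator row appears as `|||`; it needs to be `|---|---|` for the table to render.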
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier3
This topic describes how to deploy Microsoft Defender for Endpoint on macOS thro
## Prerequisites and system requirements - Before you get started, see [the main Microsoft Defender for Endpoint on macOS page](microsoft-defender-endpoint-mac.md) for a description of prerequisites and system requirements for the current software version. > [!NOTE]
Before you get started, see [the main Microsoft Defender for Endpoint on macOS p
The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint on Macs, via Microsoft Intune. More detailed steps are available below.
-<br>
-
-****
- |Step|Sample file names|BundleIdentifier| |||| |[Download the onboarding package](#download-the-onboarding-package)|WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml|com.microsoft.wdav.atp|
The following table summarizes the steps you would need to take to deploy and ma
|[Configure Microsoft AutoUpdate (MAU)](mac-updates.md#intune)|MDATP_Microsoft_AutoUpdate.xml|com.microsoft.autoupdate2| |[Microsoft Defender for Endpoint configuration settings](mac-preferences.md#intune-full-profile) <p> **Note:** If you're planning to run a third-party AV for macOS, set `passiveMode` to `true`.|MDATP_WDAV_and_exclusion_settings_Preferences.xml|com.microsoft.wdav| |[Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](mac-updates.md)|MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig|com.microsoft.autoupdate2 or com.microsoft.wdav.tray|
-|
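Review bot: removing the stray `-|` row is right, but the header separator of the same table is `||||`, which does not render as a separator; use `|---|---|---|`. The "set `passiveMode` to `true`" note in the configuration-settings row is the one place this table states a security consequence, so consider moving it out of the table cell into the prose so it is not missed.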
## Download the onboarding package
This profile is needed for macOS 11 (Big Sur) or later. It will be ignored on ol
1. In the **Assignments** tab, assign this profile to **All Users & All devices**. 1. Review and create this configuration profile. -
-### Full Disk Access
+### Full Disk Access
> [!NOTE] > Enabling **TCC** (Transparency, Consent & Control) through an Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminate the risk of Defender for Endpoint losing **Full Disk Access** Authorization to function properly.
->This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
+>
+> This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
Download [**fulldisk.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
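Review bot: the NOTE reads "through an Mobile Device Management solution", which should be "a Mobile Device Management solution" (or "an MDM solution"), and "will eliminate the risk of Defender for Endpoint losing Full Disk Access" overstates; "prevents Defender for Endpoint from losing" is sufficient. The added blank `>` line correctly keeps both paragraphs inside one callout.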
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
This article describes the structure of the configuration profile, includes a re
The configuration profile is a *.plist* file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences. > [!CAUTION]
->The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
+> The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft Defender for Endpoint, which are explained in more detail in the next sections.
The top level of the configuration profile includes product-wide preferences and
The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of Microsoft Defender for Endpoint.
-<br>
-
-****
- |Section|Value| ||| |**Domain**|`com.microsoft.wdav`| |**Key**|antivirusEngine| |**Data type**|Dictionary (nested preference)| |**Comments**|See the following sections for a description of the dictionary contents.|
-|||
#### Enforcement level for antivirus engine
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
This topic provides some general steps that can be used to narrow down performan
Depending on the applications that you're running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender for Endpoint on macOS. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender for Endpoint on macOS.
->[!WARNING]
->Before starting, please make sure that other security products are not currently running on the device. Multiple security products may conflict and impact the host performance.
+> [!WARNING]
+> Before starting, please make sure that other security products are not currently running on the device. Multiple security products may conflict and impact the host performance.
## Troubleshoot performance issues using Real-time Protection Statistics **Applies to:**+ - Only performance issues related to AV Real-time protection (RTP) is a feature of Defender for Endpoint on macOS that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
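Review bot: the added `**Applies to:** - Only performance issues related to AV` runs straight into the sentence "Real-time protection (RTP) is a feature of Defender for Endpoint on macOS..." with no line break, so it renders as one fragment; put the Applies to list on its own lines and make the limitation explicit, i.e. that the RTP statistics method does not diagnose performance issues caused by components other than the antivirus engine.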
security Manage Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-indicators.md
When creating a new indicator (IoC), one or more of the following actions are av
- **Block execution** - the IoC will not be allowed to run. - **Block and remediate** - the IoC will not be allowed to run and a remediation action will be applied to the IoC.
->[!NOTE]
+> [!NOTE]
> Using Warn mode will prompt your users with a warning if they open a risky app or website. The prompt won't block them from allowing the application or website to run, but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if they need. For more information, see Govern apps discovered by Microsoft Defender for Endpoint. You can create an indicator for:
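Review bot: "For more information, see Govern apps discovered by Microsoft Defender for Endpoint." is a bare title with no link, unlike every other cross-reference on the page; add the link. The callout also says users "can still bypass the warning", so the preceding list of actions should make clear that Warn is not an enforcement action.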
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
Title: Microsoft Defender for Endpoint on iOS
+ Title: Microsoft Defender for Endpoint on iOS
description: Describes how to install and use Microsoft Defender for Endpoint on iOS keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, overview, installation, deploy, uninstallation, intune
Last updated 03/22/2021
## Prerequisites
-**For End Users**
+### For End Users
- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements). - **For enrolled devices**:
- - Device(s) are [enrolled](/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
- - Intune Company Portal app can be downloaded from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
-
- >[!NOTE]
- >Apple does not allow redirecting users to download other apps from the app store so this step needs to be done by the user before onboarding to Microsoft Defender for Endpoint app.
+ - Device(s) are [enrolled](/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
+ - Intune Company Portal app can be downloaded from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
+ > [!NOTE]
+ > Apple does not allow redirecting users to download other apps from the app store so this step needs to be done by the user before onboarding to Microsoft Defender for Endpoint app.
- - Device(s) are registered with Azure Active Directory. This requires the end user to be signed in through [Microsoft Authenticator app](https://apps.apple.com/app/microsoft-authenticator/id983156458).
+ - Device(s) are registered with Azure Active Directory. This requires the end user to be signed in through [Microsoft Authenticator app](https://apps.apple.com/app/microsoft-authenticator/id983156458).
- **For unenrolled devices**: Device(s) are registered with Azure Active Directory. This requires the end user to be signed in through [Microsoft Authenticator app](https://apps.apple.com/app/microsoft-authenticator/id983156458). - For more information on how to assign licenses, see [Assign licenses to users](/azure/active-directory/users-groups-roles/licensing-groups-assign).
-**For Administrators**
+### For Administrators
- Access to the Microsoft 365 Defender portal. - Access to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to:
- - Deploy the app to enrolled user groups in your organization.
- - Configure Microsoft Defender for Endpoint risk signals in app protection policy (MAM)
-
+ - Deploy the app to enrolled user groups in your organization.
+ - Configure Microsoft Defender for Endpoint risk signals in app protection policy (MAM)
> [!NOTE] > > - Microsoft Defender for Endpoint now extends protection to an organization's data within a managed application for those who aren't using mobile device management (MDM) but are using Intune to manage mobile applications. It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for [mobile application management (MAM)](/mem/intune/apps/mam-faq).
- > - In addition, Microsoft Defender for Endpoint already supports devices that are enrolled using Intune mobile device management (MDM).
+ > - In addition, Microsoft Defender for Endpoint already supports devices that are enrolled using Intune mobile device management (MDM).
-**System Requirements**
+### System Requirements
-- iOS device running iOS 14.0 and above. iPads are also supported.
+- iOS device running iOS 14.0 and above. iPads are also supported.
- The device is either enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358) or is registered with Azure Active Directory through [Microsoft Authenticator](https://apps.apple.com/app/microsoft-authenticator/id983156458) with the same account.
- > [!NOTE]
+> [!NOTE]
> > - Microsoft Defender for Endpoint on iOS isn't supported on user-less or shared devices. > - Microsoft Defender for Endpoint on iOS isn't supported currently while using iOS User Enrollment.
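Review bot: de-indenting the final NOTE moves it out of the last System Requirements bullet, while the NOTE under "For enrolled devices" stays indented inside its list item; if the intent is a consistent callout style for this article, both should be treated the same way. The promotion of the bold labels to `###` headings is fine, but check that nothing links to the old anchors.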
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier3
This topic describes how to install, configure, update, and use Microsoft Defend
## How to install Microsoft Defender for Endpoint on Linux
-Microsoft Defender for Endpoint for Linux includes antimalware and endpoint detection and response (EDR) capabilities.
-
+Microsoft Defender for Endpoint for Linux includes antimalware and endpoint detection and response (EDR) capabilities.
### Prerequisites - Access to the Microsoft 365 Defender portal - Linux distribution using the [systemd](https://systemd.io/) system manager
- >[!NOTE]
- >Linux distribution using system manager, except for RHEL/CentOS 6.x support both SystemV and Upstart.
+ > [!NOTE]
+ > Linux distribution using system manager, except for RHEL/CentOS 6.x support both SystemV and Upstart.
- Beginner-level experience in Linux and BASH scripting - Administrative privileges on the device (in case of manual deployment)
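Review bot: the NOTE "Linux distribution using system manager, except for RHEL/CentOS 6.x support both SystemV and Upstart." is not a sentence; it should read "Linux distributions using the systemd system manager are supported, except for RHEL/CentOS 6.x, which support both SystemV and Upstart." so that the exception is attached to the right clause.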
Microsoft Defender for Endpoint for Linux includes antimalware and endpoint dete
> [!NOTE] > Microsoft Defender for Endpoint on Linux agent is independent from [OMS agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent). Microsoft Defender for Endpoint relies on its own independent telemetry pipeline. - ### Installation instructions There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux.
In general you need to take the following steps:
If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux](linux-support-install.md). > [!NOTE]
-> It is not supported to install Microsoft Defender for Endpoint in any other location other than the default install path.
-
-> [!NOTE]
+> It is not supported to install Microsoft Defender for Endpoint in any other location other than the default install path.
+>
> Microsoft Defender for Endpoint on Linux creates an "mdatp" user with random UID and GID. If you want to control the UID and GID, create an "mdatp" user prior to installation using the "/usr/sbin/nologin" shell option. > For example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`.
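Review bot: "in any other location other than the default install path" is redundant; "in any location other than the default install path" is enough. Merging the two NOTEs into one callout is fine, but the second paragraph would benefit from saying why the pre-created "mdatp" user must use the "/usr/sbin/nologin" shell: it is a service account and must not allow interactive login.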
If you experience any installation failures, refer to [Troubleshooting installat
> [!NOTE] > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions). --- - List of supported kernel versions > [!NOTE] > Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS - 6.7 to 6.10 is a Kernel based solution. You must verify that the kernel version is supported before updating to a newer kernel version. See the list below for the list of supported kernels.
If you experience any installation failures, refer to [Troubleshooting installat
- For 6.8: 2.6.32-642.* - For 6.9: 2.6.32-696.* (except 2.6.32-696.el6.x86_64) - For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.48.1:
-
- - 2.6.32-754.10.1.el6.x86_64
- - 2.6.32-754.11.1.el6.x86_64
- - 2.6.32-754.12.1.el6.x86_64
- - 2.6.32-754.14.2.el6.x86_64
- - 2.6.32-754.15.3.el6.x86_64
- - 2.6.32-754.17.1.el6.x86_64
- - 2.6.32-754.18.2.el6.x86_64
- - 2.6.32-754.2.1.el6.x86_64
- - 2.6.32-754.22.1.el6.x86_64
- - 2.6.32-754.23.1.el6.x86_64
- - 2.6.32-754.24.2.el6.x86_64
- - 2.6.32-754.24.3.el6.x86_64
- - 2.6.32-754.25.1.el6.x86_64
- - 2.6.32-754.27.1.el6.x86_64
- - 2.6.32-754.28.1.el6.x86_64
- - 2.6.32-754.29.1.el6.x86_64
- - 2.6.32-754.29.2.el6.x86_64
- - 2.6.32-754.3.5.el6.x86_64
- - 2.6.32-754.30.2.el6.x86_64
- - 2.6.32-754.33.1.el6.x86_64
- - 2.6.32-754.35.1.el6.x86_64
- - 2.6.32-754.39.1.el6.x86_64
- - 2.6.32-754.41.2.el6.x86_64
- - 2.6.32-754.43.1.el6.x86_64
- - 2.6.32-754.47.1.el6.x86_64
- - 2.6.32-754.48.1.el6.x86_64
- - 2.6.32-754.6.3.el6.x86_64
- - 2.6.32-754.9.1.el6.x86_64
-
- > [!NOTE]
- > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
-
+ - 2.6.32-754.10.1.el6.x86_64
+ - 2.6.32-754.11.1.el6.x86_64
+ - 2.6.32-754.12.1.el6.x86_64
+ - 2.6.32-754.14.2.el6.x86_64
+ - 2.6.32-754.15.3.el6.x86_64
+ - 2.6.32-754.17.1.el6.x86_64
+ - 2.6.32-754.18.2.el6.x86_64
+ - 2.6.32-754.2.1.el6.x86_64
+ - 2.6.32-754.22.1.el6.x86_64
+ - 2.6.32-754.23.1.el6.x86_64
+ - 2.6.32-754.24.2.el6.x86_64
+ - 2.6.32-754.24.3.el6.x86_64
+ - 2.6.32-754.25.1.el6.x86_64
+ - 2.6.32-754.27.1.el6.x86_64
+ - 2.6.32-754.28.1.el6.x86_64
+ - 2.6.32-754.29.1.el6.x86_64
+ - 2.6.32-754.29.2.el6.x86_64
+ - 2.6.32-754.3.5.el6.x86_64
+ - 2.6.32-754.30.2.el6.x86_64
+ - 2.6.32-754.33.1.el6.x86_64
+ - 2.6.32-754.35.1.el6.x86_64
+ - 2.6.32-754.39.1.el6.x86_64
+ - 2.6.32-754.41.2.el6.x86_64
+ - 2.6.32-754.43.1.el6.x86_64
+ - 2.6.32-754.47.1.el6.x86_64
+ - 2.6.32-754.48.1.el6.x86_64
+ - 2.6.32-754.6.3.el6.x86_64
+ - 2.6.32-754.9.1.el6.x86_64
+
+ > [!NOTE]
+ > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
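Review bot: the range header "For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.48.1:" has a dot where the list below uses a hyphen (2.6.32-754.2.1.el6.x86_64), and the list is in lexicographic rather than numeric order (754.2.1 sits after 754.18.2, 754.3.5 after 754.29.2, 754.6.3 and 754.9.1 at the end), which makes it hard to check whether a given kernel is supported; sort numerically while re-indenting.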
> [!CAUTION] > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. - Disk space: 2 GB
-
- >[!NOTE]
+
+ > [!NOTE]
> An additional 2 GB disk space might be needed if cloud diagnostics are enabled for crash collections. - /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install).
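Review bot: the re-indented kernel list is ordered as strings rather than by version number (2.6.32-754.10.1 and 754.11.1 come before 754.2.1, and 754.3.5 lands after 754.29.2), so a reader checking whether the running kernel is supported has to scan the whole list; sort it numerically while the lines are being touched anyway. The accompanying note, "Versions older than that which are listed in this section are provided for technical upgrade support only", is hard to parse; "Versions older than those listed in this section receive technical upgrade support only" says the same thing.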
When adding exclusions to Microsoft Defender Antivirus, you should be mindful of
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
-<br>
-
-****
- |Spreadsheet of domains list| Description| |||
-|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
-| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)|
+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)|
> [!NOTE] > For a more specific URL list, see [Configure proxy and internet connectivity settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
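Review bot: the Gov/GCC/DoD download link `https://download.microsoft.com/download/6/e-urls-gov.xlsx` is missing the GUID path segment that the commercial link carries and looks truncated; verify it resolves before merging, since a customer following this table will allow-list whatever the spreadsheet contains. The hunk also removes the table's header row (`|Spreadsheet of domains list| Description|`) without a replacement appearing in the diff; confirm the header and separator row survive so the two data rows still render as a table.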
High I/O workloads from certain applications can experience performance issues w
## Resources - For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).
-
+ ## Related articles
-
+ - [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint) - [Connect your non-Azure machines to Microsoft Defender for Cloud](/azure/defender-for-cloud/quickstart-onboard-machines) - [Turn on network protection for Linux](network-protection-linux.md)
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
Access to Defender for Endpoint is done through a browser, supporting the follow
- [Windows 10 Enterprise LTSC 2016 (or later)](/windows/whats-new/ltsc/) - Windows 10 Enterprise IoT
- >[!NOTE]
- >While Windows 10 IoT Enterprise is a supported OS in Microsoft Defender for Endpoint and enables OEMs/ODMs to distribute it as part of their product or solution, customers should follow the OEM/ODM's guidance around host-based installed software and supportability.
+ > [!NOTE]
+ > While Windows 10 IoT Enterprise is a supported OS in Microsoft Defender for Endpoint and enables OEMs/ODMs to distribute it as part of their product or solution, customers should follow the OEM/ODM's guidance around host-based installed software and supportability.
- Windows 10 Education - Windows 10 Pro
The hardware requirements for Defender for Endpoint on devices are the same for
For more information on supported versions of Windows 10, see [Windows 10 release information](/windows/release-health/release-information). > [!NOTE]
+>
> - Endpoints running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) aren't supported. > > - Virtual Machines running Windows 10 Enterprise 2016 LTSB may encounter performance issues if run on non-Microsoft virtualization platforms.
When components are up-to-date on Microsoft Windows operating systems, Microsoft
- [Android](microsoft-defender-endpoint-android.md) - [iOS](microsoft-defender-endpoint-ios.md) - > [!NOTE] > You'll need to confirm the Linux distributions and versions of Android, iOS, and macOS are compatible with Defender for Endpoint for the integration to work.
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier2
Review the following details to verify minimum system requirements:
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
- >[!NOTE]
- >Due to the [deprecation of SHA-1 support by the MMA agent](/azure/azure-monitor/agents/agent-windows#sha-2-code-signing-support-requirement), the MMA agent needs to be version 10.20.18029 or newer.
-
+ > [!NOTE]
+ > Due to the [deprecation of SHA-1 support by the MMA agent](/azure/azure-monitor/agents/agent-windows#sha-2-code-signing-support-requirement), the MMA agent needs to be version 10.20.18029 or newer.
2. Obtain the workspace ID: - In the Defender for Endpoint navigation pane, select **Settings > Device management > Onboarding**
Review the following details to verify minimum system requirements:
Once completed, you should see onboarded endpoints in the portal within an hour. ## Configure proxy and Internet connectivity settings+ If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server: - [Configure the MMA to use a proxy server](/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard)
After completing the onboarding steps, you'll need to [Configure and update Syst
> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. > - This is also required if the server is configured to use an OMS Gateway server as proxy. -- ## Verify onboarding
-Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running.
+Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running.
> [!NOTE]
-> Running Microsoft Defender Antivirus is not required but it is recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is running.
+> Running Microsoft Defender Antivirus is not required but it is recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is running.
> [!NOTE] > As Microsoft Defender Antivirus is only supported for Windows 10 and Windows 11, step 1 does not apply when running Windows Server 2008 R2 SP1. 1. Run the following command to verify that Microsoft Defender Antivirus is installed:
- ```sc.exe query Windefend```
-
-If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender Antivirus. For more information, see [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-windows.md).
+ ```dos
+ sc.exe query Windefend
+ ```
-For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md).
+ If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender Antivirus. For more information, see [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-windows.md).
+ For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md).
2. Run the following command to verify that Microsoft Defender for Endpoint is running:
- ```sc.exe query sense```
-
+ ```dos
+ sc.exe query sense
+ ```
+ The result should show it is running. If you encounter issues with onboarding, see [Troubleshoot onboarding](troubleshoot-onboarding.md). ## Run a detection test
-Follow the steps in [Run a detection test on a newly onboarded device](run-detection-test.md) to verify that the server is reporting to Defender for the Endpoint service.
---
+Follow the steps in [Run a detection test on a newly onboarded device](run-detection-test.md) to verify that the server is reporting to Defender for the Endpoint service.
-## Onboarding endpoints with no management solution
+## Onboarding endpoints with no management solution
### Using Group Policy
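Review bot: two wording problems survive in lines this hunk re-adds. The note before step 1 says Microsoft Defender Antivirus "is only supported for Windows 10 and Windows 11", yet the re-indented paragraph right after it links to managing Microsoft Defender Antivirus on Windows servers; the note should name the server versions it actually excludes (the text only says step 1 does not apply to Windows Server 2008 R2 SP1). And "reporting to Defender for the Endpoint service" should read "reporting to the Defender for Endpoint service".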
Follow the steps in [Run a detection test on a newly onboarded device](run-detec
1. Navigate to c:\windows\sysvol\domain\scripts (Change control could be needed on one of the domain controllers.) 1. Create a folder named MMA. 1. Download the following and place them in the MMA folder:
-
+ - Update for customer experience and diagnostic telemetry: - [For Windows Server 2008 R2 x64](https://www.microsoft.com/download/details.aspx?familyid=1bd1d18d-4631-4d8e-a897-327925765f71)
-
+ For Windows Server 2008 R2 SP1, following updates are also required: February 2018 Monthly Roll up - KB4074598 (Windows Server 2008 R2) [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4074598)<br> Download updates for Windows Server 2008 R2 x64
-
+ .NET Framework 3.5.1 (KB315418)<br> [For Windows Server 2008 R2 x64](/iis/install/installing-iis-7/install-windows-server-2008-and-windows-server-2008-r2)
-
- >[!NOTE]
- > This article assumes you are using x64-based servers (MMA Agent .exe x64 New SHA-2 compliant version).
+ > [!NOTE]
+ > This article assumes you are using x64-based servers (MMA Agent .exe x64 New SHA-2 compliant version).
**Step 2: Create a file name DeployMMA.cmd (using notepad)** Add the following lines to the cmd file. Note that you'll need your WORKSPACE ID and KEY. The following command is an example. Replace the following values:+ - KB - Use the applicable KB relevant to the endpoint you're onboarding - Workspace ID and KEY - Use your ID and key - ```dos
-@echo off
-cd "C:"
-IF EXIST "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" (
-exit
-) ELSE (
-
-wusa.exe C:\Windows\MMA\Windows6.1-KB3080149-x64.msu /quiet /norestart
-wusa.exe C:\Windows\MMA\Windows6.1-KB4074598-x64.msu /quiet /norestart
-wusa.exe C:\Windows\MMA\Windows6.1-KB3154518-x64.msu /quiet /norestart
-wusa.exe C:\Windows\MMA\Windows8.1-KB3080149-x64.msu /quiet /norestart
+@echo off
+cd "C:"
+IF EXIST "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" (
+exit
+) ELSE (
+
+wusa.exe C:\Windows\MMA\Windows6.1-KB3080149-x64.msu /quiet /norestart
+wusa.exe C:\Windows\MMA\Windows6.1-KB4074598-x64.msu /quiet /norestart
+wusa.exe C:\Windows\MMA\Windows6.1-KB3154518-x64.msu /quiet /norestart
+wusa.exe C:\Windows\MMA\Windows8.1-KB3080149-x64.msu /quiet /norestart
"c:\windows\MMA\MMASetup-AMD64.exe" /c /t:"C:\Windows\MMA" c:\windows\MMA\setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID="<your workspace ID>" OPINSIGHTS_WORKSPACE_KEY="<your workspace key>" AcceptEndUserLicenseAgreement=1
-)
+)
``` ---- ### Group Policy Configuration Create a new group policy specifically for onboarding devices such as "Microsoft Defender for Endpoint Onboarding".
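Review bot: the .NET Framework 3.5.1 bullet names KB315418 while the script installs Windows6.1-KB3154518-x64.msu; one of the two numbers is wrong, and a reader who downloads by KB number will fetch the wrong package, so reconcile them. The script also hard-codes OPINSIGHTS_WORKSPACE_KEY in a .cmd placed under c:\windows\sysvol\domain\scripts, a path replicated to every domain controller and read by clients at startup; add a sentence that the workspace key is a credential, who can read that path, and that it should be rotated if the file is exposed.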
Repeat the process but create item level targeting on the COMMON tab, so the fil
:::image type="content" source="images/targeteditor.png" alt-text="The target editor" lightbox="images/targeteditor.png"::: For Windows Server 2008 R2 you'll need (and it will only copy down) the following:+ - Windows6.1-KB3080149-x64.msu - Windows6.1-KB3154518-x64.msu - Windows6.1-KB4075598-x64.msu - Once this is done, you'll need to create a start-up script policy: :::image type="content" source="images/startupprops.png" alt-text="The start up properties" lightbox="images/startupprops.png":::
For Windows Server 2008 R2 SP1, ensure that you fulfill the following requiremen
Please check the KBs are present before onboarding Windows Server 2008 R2. This process allows you to onboard all the servers if you don't have Configuration Manager managing Servers. - ## Offboard endpoints You have two options to offboard Windows endpoints from the service:
You can use either of the following methods:
1. Get your Workspace ID: 1. In the navigation pane, select **Settings** > **Onboarding**.- 1. Select the relevant operating system and get your Workspace ID.
-
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
- ```
+ ```powershell
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg+ # Remove OMS Workspace $AgentCfg.RemoveCloudWorkspace("WorkspaceID")+ # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration()- ```
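Review bot: the lead-in "Use the Workspace ID you obtained and replacing `WorkspaceID`" mixes two constructions; "replacing `WorkspaceID` with the Workspace ID you obtained" reads correctly. Adding the `powershell` fence tag is the right fix for this block.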
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
The following image is an example of an email notification.
- Take all devices last seen in the past 7 days. - For each device:
- - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility.
+ - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes] -> Alert for offboarding possibility.
- If first seen is on the past hour -> Alert for onboarding. In this solution you will not have duplicate alerts:
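Review bot: the spacing fix leaves the interval written as `[-7 days, -7days + 60 minutes]`, with "days" spaced one way at the start and the other at the end; write both the same way. It is also worth stating that the "no duplicate alerts" claim holds only if the query runs exactly once per hour, since both rules key on a one-hour window.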
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
You can access these events in Windows Event viewer:
|Attack surface reduction|Windows Defender (Operational)|1122|Event when rule fires in Audit-mode| |Attack surface reduction|Windows Defender (Operational)|1121|Event when rule fires in Block-mode|
->[!NOTE]
+> [!NOTE]
> From the user's perspective, ASR Warn mode notifications are made as a Windows Toast Notification for attack surface reduction rules. > > In ASR, Network Protection provides only Audit and Block modes.
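Review bot: the note introduces Warn mode, but the table above it lists only event 1122 (Audit) and 1121 (Block); say which event ID, if any, a Warn-mode rule writes, or state that Warn mode has no separate event, so readers building detections on these IDs are not left guessing.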
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
ms.localizationpriority: medium
Last updated 01/06/2023 audience: ITPro-+ - m365-security - tier2
Response actions run along the top of a specific device page and include:
> [!IMPORTANT] > [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) includes only the following manual response actions:
+>
> - Run antivirus scan > - Isolate device > - Stop and quarantine a file > - Add an indicator to block or allow a file.
->
-> [Microsoft Defender for Business](../defender-business/mdb-overview.md) does not include the "Stop and quarantine a file" action at this time.
-> Your subscription must include Defender for Endpoint Plan 2 to have all of the response actions described in this article.
+>
+> [Microsoft Defender for Business](../defender-business/mdb-overview.md) does not include the "Stop and quarantine a file" action at this time.
+>
+> Your subscription must include Defender for Endpoint Plan 2 to have all of the response actions described in this article.
You can find device pages from any of the following views:
Response actions run along the top of a specific device page and include:
- **Search box** - Select Device from the drop-down menu and enter the device name. > [!IMPORTANT]
+>
> - These response actions are only available for devices on Windows 10, version 1703 or later, Windows 11, Windows Server 2019, and Windows Server 2022. > - For non-Windows platforms, response capabilities (such as isolate device) are dependent on the third-party capabilities. > - For Microsoft first party agents, please refer to the "more information" link under each feature for minimum OS requirements.
The package contains the following folders:
|Users and Groups|Provides a list of files that each represent a group and its members.| |WdSupportLogs|Provides the MpCmdRunLog.txt and MPSupportFiles.cab <p> <div class="alert"><b>NOTE:</b> This folder will only be created on Windows 10, version 1709 or later with February 2020 update rollup or more recent installed: <ul><li>Win10 1709 (RS3) Build 16299.1717: [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)</li><li>Win10 1803 (RS4) Build 17134.1345: [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)</li><li>Win10 1809 (RS5) Build 17763.1075: [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)</li><li>Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: [KB4535996](https://support.microsoft.com/help/4535996/windows-10-update-kb4535996)</li></ul> </div>| |CollectionSummaryReport.xls|This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code if there is failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.|
-|
## Run Microsoft Defender Antivirus scan on devices As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. > [!IMPORTANT]
+>
> - This action is not currently supported for macOS and Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md) > - A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Microsoft Defender Antivirus is the active antivirus solution or not. Microsoft Defender Antivirus can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
The Action center will show the scan information and the device timeline will in
In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. > [!IMPORTANT]
-> - This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
+>
+> - This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
> - This feature is available if your organization uses Microsoft Defender Antivirus. > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications)).
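Review bot: the Code integrity policy link in the last bullet ends with a doubled `))`, which leaves a stray parenthesis in the rendered text; drop one.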
When an app is restricted, the following notification is displayed to inform the
:::image type="content" source="images/atp-app-restriction.png" alt-text="The application restriction message" lightbox="images/atp-app-restriction.png":::
->[!NOTE]
->The notification is not available on Windows Server 2016 and Windows Server 2012 R2.
+> [!NOTE]
+> The notification is not available on Windows Server 2016 and Windows Server 2012 R2.
## Isolate devices from the network Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. -- > [!IMPORTANT]
+>
> - Isolating devices from the network is not currently supported for devices running macOS. For macOS, use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md). > - Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, and Windows Server 2016.
->- You can use the device isolation capability **in public preview** on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements).
+> - You can use the device isolation capability **in public preview** on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements).
> - Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11. > - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
->- The feature supports VPN connection.
->- You must have at least one the following role permissions: 'Active remediation actions'. For more information, see [Create and manage roles](user-roles.md).
->- You must have access to the device based on the device group settings. For more information, see [Create and manage device groups](machine-groups.md).
->- Exclusion for Linux isolation is not supported.
+> - The feature supports VPN connection.
+> - You must have at least one the following role permissions: 'Active remediation actions'. For more information, see [Create and manage roles](user-roles.md).
+> - You must have access to the device based on the device group settings. For more information, see [Create and manage device groups](machine-groups.md).
+> - Exclusion for Linux isolation is not supported.
This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. - On Windows 10, version 1709 or later, you'll have more control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation'). - > [!NOTE] > You'll be able to reconnect the device back to the network at any time. The button on the device page will change to say **Release from isolation**, and then you take the same steps as isolating the device. -- Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event. :::image type="content" source="images/isolate-device.png" alt-text="An isolated device details page" lightbox="images/isolate-device.png":::
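Review bot: "You must have at least one the following role permissions: 'Active remediation actions'" is missing "of" and lists only one permission; "You must have the 'Active remediation actions' role permission" is what is meant. Two bullets also pull in opposite directions: one says devices behind a full VPN tunnel cannot reach the Defender for Endpoint cloud once isolated and recommends split tunnelling, the next says "The feature supports VPN connection"; spell out that isolation works over VPN only when the VPN lets the Defender traffic through. Finally, "Exclusion for Linux isolation is not supported" should say what kind of exclusion is meant.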
When a device is being isolated, the following notification is displayed to info
:::image type="content" source="images/atp-notification-isolate.png" alt-text="A no network connection message" lightbox="images/atp-notification-isolate.png"::: -
->[!NOTE]
->The notification is not available on non-Windows platforms.
+> [!NOTE]
+> The notification is not available on non-Windows platforms.
## Contain devices from the network
-
+ > [!NOTE] > Contain capabilities are currently in public preview. To learn about new features in the Microsoft 365 Defender preview release and be among the first to try upcoming features by turning on the preview experience, see [Preview features in Micrsoft 365 Defender](../defender/preview.md).
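Review bot: the added note spells the product "Micrsoft 365 Defender" in the link text; fix to "Microsoft". "To learn about new features ... and be among the first to try upcoming features by turning on the preview experience, see ..." also runs two ideas into one sentence; splitting it would help.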
When you have identified an unmanaged device that is compromised or potentially
> Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices. ### How to contain a device
-
+ 1. Go to the **Device inventory** page and select the device to contain. 2. Select **Contain device** from the actions menu in the device flyout.
+ :::image type="content" alt-text="Screenshot of the contain device popup message." source="../../media/defender-endpoint/contain_device.png" lightbox="../../media/defender-endpoint/contain_device.png":::
3. On the contain device popup, type a comment, and select **Confirm**.
A device can also be contained from the device page by selecting **Contain devic
> It can take up to 5 minutes for the details about a newly contained device to reach Microsoft Defender for Endpoint onboarded devices. > [!IMPORTANT]
-> - If a contained device changes its IP address, then all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address. The original IP address will no longer be blocked (It may take up to 5 mins to see these changes).
+>
+> - If a contained device changes its IP address, then all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address. The original IP address will no longer be blocked (It may take up to 5 mins to see these changes).
> - In cases where the contained device's IP is used by another device on the network, there will be a warning while containing the device, with a link to advanced hunting (with a pre-populated query). This will provide visibility to the other devices using the same IP to help you make a conscious decision if you'd like to continue with containing the device. > - In cases where the contained device is a network device, a warning will appear with a message that this may cause network connectivity issues (for example, containing a router that is acting as a default gateway). At this point, you'll be able to choose whether to contain the device or not.
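Review bot: the re-added first bullet writes "(It may take up to 5 mins to see these changes)" while the note just above says "up to 5 minutes"; use "minutes" and a lowercase "it" inside the parentheses. The bullet also states that the original IP address "will no longer be blocked" once the contained device moves to a new address; it would help responders to say explicitly that the block follows the device, not the address, so a host that later takes over the old IP is not affected.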
All other related details are also shown, for example, submission date/time, sub
:::image type="content" source="images/action-center-details.png" alt-text="The action center with information" lightbox="images/action-center-details.png"::: - ## See also - [Take response actions on a file](respond-file-alerts.md)
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
ms.localizationpriority: medium
Last updated 01/18/2023 audience: ITPro-+ - m365-security - tier2
search.appverid: met150
# Run the client analyzer on macOS and Linux - **Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
search.appverid: met150
The XMDEClientAnalyzer is used for diagnosing Microsoft Defender for Endpoint health or reliability issues on onboarded devices running either Linux, or macOS. There are two ways to run the client analyzer tool:+ 1. Using a binary version (no Python dependency) 2. Using a Python-based solution
There are two ways to run the client analyzer tool:
1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the macOS or Linux machine you need to investigate.\ If using a terminal download using the command:
- ```
+ ```console
wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary ``` 2. Verify the download
- >[!NOTE]
- >The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: '550EAE6FAA26972D49D3013520644E551AFA846E92CD59F5C6A6A72A6B77E9E9'
-
+ > [!NOTE]
+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: '550EAE6FAA26972D49D3013520644E551AFA846E92CD59F5C6A6A72A6B77E9E9'
- ```
+ ```console
echo '550EAE6FAA26972D49D3013520644E551AFA846E92CD59F5C6A6A72A6B77E9E9 XMDEClientAnalyzerBinary.zip' | sha256sum -c ```
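Review bot: the note pins a SHA256 for whatever https://aka.ms/XMDEClientAnalyzerBinary serves today, but the hash will silently go stale the next time the binary is refreshed; state the tool version or release date the hash belongs to so a mismatch can be told apart from a tampered download. The verification command uses `sha256sum -c`, which is a coreutils tool; stock macOS ships `shasum` rather than `sha256sum`, so give `echo '<hash>  XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c` as the macOS variant, since the step is written for both platforms.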
If using a terminal download using the command:
If using a terminal download using the command:
- ```
- unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
+ ```console
+ unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
``` 4. Change to the tool's directory using the following command:
- ```
+ ```console
cd XMDEClientAnalyzerBinary ```
If using a terminal download using the command:
When using a terminal, unzip the file using one of the following commands based on machine type: - Linux
-
- ```
+
+ ```console
unzip -q SupportToolLinuxBinary.zip ``` - Intel based Mac
-
- ```
+
+ ```console
unzip -q SupportToolmacOSBinary.zip ``` - For Arm based Mac devices
-
- ```
+
+ ```console
unzip -q SupportToolmacOS-armBinary.zip ``` 7. Run the tool as <i>root</i> to generate diagnostic package:
- ```
+ ```console
sudo ./MDESupportTool -d ``` > [!NOTE]
- > The binary is currently unsigned. To allow the package run on MacOS, you will need to use the command
+ > The binary is currently unsigned. To allow the package run on MacOS, you will need to use the command
> > `spctl --add /Path/To/MDESupportTool`
- >
---
+ >
## Running the Python-based client analyzer > [!NOTE]
->- The analyzer depends on few extra pip packages(sh, distro, lxml, pandas) to produce the result output. If not installed, the analyzer will try to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).
->
+>
+> - The analyzer depends on few extra pip packages(sh, distro, lxml, pandas) to produce the result output. If not installed, the analyzer will try to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).
+>
> - In addition, the tool currently requires Python version 3 or later to be installed. > > - If your device is behind a proxy, then you can simply pass the proxy server as an environment variable to the mde_support_tool.sh script. For example:
-> `https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh"`
->
-
+.
+> `https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh"`
1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate. If using a terminal, download by running the command:
- ```
+ ```console
wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer ```
-
+ 2. Verify the download
- ```
+ ```console
echo 'E3119C47975A3E50A5144B0751F59BFC42327A151BDA5D8334D1ED64F7898A7F XMDEClientAnalyzer.zip' | sha256sum -c ``` 3. Extract the contents of XMDEClientAnalyzer.zip on the machine.\ If using a terminal unzip using the command:
- ```
+ ```console
unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer ```+ 4. Change directory to the extracted location.
- ```
+ ```console
cd XMDEClientAnalyzer ``` 5. Give the tool executable permission:
- ```
+ ```console
chmod a+x mde_support_tool.sh ```+ 6. Run as a non-root user to install required dependencies:
- ```
+ ```console
./mde_support_tool.sh ```
-5. To collect actual diagnostic package and generate the result archive file run again as root:
+7. To collect actual diagnostic package and generate the result archive file run again as root:
- ```
+ ```console
sudo ./mde_support_tool.sh -d ``` ## Command line options
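Review bot: The proxy example in the NOTE keeps a stray trailing double quote (`https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh"`) and the hunk also inserts a line containing only `.` between the note and the numbered steps; drop both. In the new step 2, `sha256sum -c` only exists on Linux; stock macOS ships `shasum`, so a procedure that targets "the macOS or Linux machine" should also give `shasum -a 256 -c` for macOS. The hash is pinned while the download goes through the `aka.ms` redirect, so the check will fail as soon as the redirect points at a new build; the two steps need to be updated together. Finally, the NOTE says the tool fetches missing pip packages from PyPI when step 6 is run as a non-root user, so the proxy note should say that this pip download is also what the `https_proxy` variable has to reach.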
-
+ ### Primary command lines
- Use this for getting machine diagnostic
+Use this for getting machine diagnostic
- ```
- -h, --help show this help message and exit
- --output OUTPUT, -o OUTPUT
+```console
+-h, --help show this help message and exit
+--output OUTPUT, -o OUTPUT
Output path to export report
- --no-zip, -nz If set a directory will be created instead of an archive file
- --force, -f Will overwrite if output directory exists
- --diagnostic, -d Collect extensive machine diagnostic information
- --bypass-disclaimer Do not display disclaimer banner
- --mdatp-log {info,trace,error,warning,debug,verbose}
+--no-zip, -nz If set a directory will be created instead of an archive file
+--force, -f Will overwrite if output directory exists
+--diagnostic, -d Collect extensive machine diagnostic information
+--bypass-disclaimer Do not display disclaimer banner
+--mdatp-log {info,trace,error,warning,debug,verbose}
Set MDATP log level
- --max-log-size MAX_LOG_SIZE
+--max-log-size MAX_LOG_SIZE
Maximum log file size in MB before rotating(Will restart mdatp)
- ```
-
- Usage example: `sudo ./MDESupportTool -d`
-
+```
+
+Usage example: `sudo ./MDESupportTool -d`
+ ### Positional arguments
-#### Collect performance info
- Collect extensive machine performance tracing for analysis of a performance scenario that can be reproduced on demand
- ```
+#### Collect performance info
+
+Collect extensive machine performance tracing for analysis of a performance scenario that can be reproduced on demand
+
+```console
-h, --help show this help message and exit --frequency FREQUENCY profile at this frequency --length LENGTH length of time to collect (in seconds)
- ```
- Usage example: `sudo ./MDESupportTool performance --frequency 2`
+```
+Usage example: `sudo ./MDESupportTool performance --frequency 2`
#### Use OS trace (for macOS only)+ Use OS tracing facilities to record Defender for Endpoint performance traces.
-
+ > [!NOTE] > This functionality exists in the Python solution only. -
-```
+```console
-h, --help show this help message and exit --length LENGTH Length of time to record the trace (in seconds). --mask MASK Mask to select with event to trace. Defaults to all
Use OS tracing facilities to record Defender for Endpoint performance traces.
On running this command for the first time, it will install a Profile configuration.
-Follow this to approve profile installation: [Apple Support Guide](https://support.apple.com/en-in/guide/mac-help/mh35561/mac#:~:text=Choose%20Apple%20menu%20%3E%20System%20Settings,%2C%20double%2Dclick%20the%20profile.)
+Follow this to approve profile installation: [Apple Support Guide](https://support.apple.com/guide/mac-help/mh35561/mac#:~:text=Choose%20Apple%20menu%20%3E%20System%20Settings,%2C%20double%2Dclick%20the%20profile.)
Usage example `./mde_support_tool.sh trace --length 5` - #### Exclude mode+ Add exclusions for audit-d monitoring.
-
+ > [!NOTE]
-> This functionality exists for Linux only
-
-
-```
+> This functionality exists for Linux only
+
+```console
-h, --help show this help message and exit -e <executable>, --exe <executable> exclude by executable name, i.e: bash
Add exclusions for audit-d monitoring.
-s, --stat get statistics about common executables -l, --list list auditd rules ```
-
+ Usage example `sudo ./MDESupportTool exclude -d /var/foo/bar`
-
+ ## Result package contents on macOS and Linux - report.html
Usage example `sudo ./MDESupportTool exclude -d /var/foo/bar`
- perf_benchmark.tar.gz Description: The performance test reports. You will see this only if you are using the performance parameter.
-
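Review bot: The usage examples under "Command line options" mix two different binaries. This section documents the Python-based `mde_support_tool.sh`, yet `Usage example: sudo ./MDESupportTool -d`, `sudo ./MDESupportTool performance --frequency 2` and `sudo ./MDESupportTool exclude -d /var/foo/bar` invoke the compiled `MDESupportTool` from the previous section, while the trace example correctly uses `./mde_support_tool.sh trace --length 5`. The exclude example also passes `-d /var/foo/bar`, but the option list shown for `exclude` only documents `-e/--exe`, `-s/--stat` and `-l/--list`, so either the list is missing the directory option or the example is wrong; and the exclude usage line appears both before and after the "Result package contents on macOS and Linux" heading.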
security Server Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/server-migration.md
ms.localizationpriority: medium
Last updated 09/19/2022 audience: ITPro-+ - m365-security - tier2
> [!NOTE] > Always ensure the operating system, and Microsoft Defender Antivirus on Windows Server 2016, are fully updated before proceeding with installation or upgrade. To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update [KB5005292](https://go.microsoft.com/fwlink/?linkid=2168277) gets applied or approved after installation. In addition, to keep protection components updated, please reference [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions).
-These instructions apply to the new unified solution and installer (MSI) package of Microsoft Defender for Endpoint for Windows Server 2012 R2 and Windows Server 2016. This article contains high-level instructions for various possible migration scenarios from the previous to the current solution. These high-level steps are intended as guidelines to be adjusted to the deployment and configuration tools available in your environment.
+These instructions apply to the new unified solution and installer (MSI) package of Microsoft Defender for Endpoint for Windows Server 2012 R2 and Windows Server 2016. This article contains high-level instructions for various possible migration scenarios from the previous to the current solution. These high-level steps are intended as guidelines to be adjusted to the deployment and configuration tools available in your environment.
**If you are using Microsoft Defender for Cloud to perform deployment, you can automate installation and upgrade. See [Defender for Servers Plan 2 now integrates with MDE unified solution](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-plan-2-now-integrates-with-mde-unified/ba-p/3527534)**
These instructions apply to the new unified solution and installer (MSI) package
## Installer script
->[!NOTE]
->Make sure the machines you run the script on is not blocking the execution of the script. The recommended execution policy setting for PowerShell is Allsigned. This requires importing the script's signing certificate into the Local Computer Trusted Publishers store if the script is running as SYSTEM on the endpoint.
+> [!NOTE]
+> Make sure the machines you run the script on is not blocking the execution of the script. The recommended execution policy setting for PowerShell is Allsigned. This requires importing the script's signing certificate into the Local Computer Trusted Publishers store if the script is running as SYSTEM on the endpoint.
To facilitate upgrades when Microsoft Endpoint Configuration Manager is not yet available or updated to perform the automated upgrade, you can use this [upgrade script](https://github.com/microsoft/mdefordownlevelserver/archive/refs/heads/main.zip). Download it by selection the "Code" button and downloading the .zip file, then extracting install.ps1. It can help automate the following required steps:
EXAMPLE: .\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\Windo
For more information on how to use the script, use the PowerShell command "get-help .\install.ps1".
-## Microsoft Endpoint Configuration Manager migration scenarios
+## Microsoft Endpoint Configuration Manager migration scenarios
->[!NOTE]
->You'll need Microsoft Endpoint Configuration Manager, version 2107 or later to perform Endpoint Protection policy configuration. From [version 2207 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016) deployment and upgrades can be fully automated.
+> [!NOTE]
+> You'll need Microsoft Endpoint Configuration Manager, version 2107 or later to perform Endpoint Protection policy configuration. From [version 2207 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016) deployment and upgrades can be fully automated.
For instructions on how to migrate using Microsoft Endpoint Configuration Manager older than version 2207 please see [Migrating servers from Microsoft Monitoring Agent to the unified solution.](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm)
appropriate. Make sure to remove passive mode configuration.*
To move a machine out of passive mode, set the following key to 0:
-Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode Type: REG_DWORD Value: 0
Value: 0
1. Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016) ensuring [prerequisites](configure-server-endpoints.md#prerequisites) have been met. 2. Create and apply policies using Group Policy, PowerShell, or a 3rd party management solution. 3. Uninstall System Center Endpoint Protection (Windows Server 2012 R2).
-5. Install Microsoft Defender for Endpoint (see [Configure server endpoints](configure-server-endpoints.md).)
-6. Apply the onboarding script **for use with Group Policy** downloaded from [Microsoft 365 Defender](https://security.microsoft.com).
-7. Apply updates.
+4. Install Microsoft Defender for Endpoint (see [Configure server endpoints](configure-server-endpoints.md).)
+5. Apply the onboarding script **for use with Group Policy** downloaded from [Microsoft 365 Defender](https://security.microsoft.com).
+6. Apply updates.
> [!TIP] > You can use the installer script to automate the above steps.
Value: 0
## Microsoft Defender for Cloud scenarios ### You're using Microsoft Defender for Cloud. The Microsoft Monitoring Agent (MMA) and/or Microsoft Antimalware for Azure (SCEP) are installed and you want to upgrade.+ If you're using Microsoft Defender for Cloud, you can leverage the automated upgrade process. See [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/security-center/security-center-wdatp#enable-the-microsoft-defender-for-endpoint-integration). ## Group Policy configuration+ For configuration using Group Policy, ensure you're using the latest ADMX files in your central store to access the correct Defender for Endpoint policy options. Please reference [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files **for use with Windows 10**.
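Review bot: The installer-script NOTE is reformatted but its grammar is left broken: "Make sure the machines you run the script on is not blocking" should read "are not blocking", and the context line below it still says "Download it by selection the "Code" button" (selecting). The renumbering of the manual steps from 5/6/7 to 4/5/6 is correct, since the list only has items 1 to 3 before them. Because the page recommends the `AllSigned` execution policy and tells readers to import the script's signing certificate into the Trusted Publishers store, it would help to state that this signature check is the only integrity check on the zip pulled from the GitHub `main` branch, so a signature failure should be investigated rather than worked around by relaxing the policy.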
security Supported Capabilities By Platform https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier2
Learn how to [Onboard devices and configure Microsoft Defender for Endpoint capa
The following table gives information about the supported Microsoft Defender for Endpoint capabilities by platform.
-|Operating System |Windows 10 & 11 |Windows Server 2012 R2 <sup>[[1](#fn1)]</sup>, <br> 2016 <sup>[[1](#fn1)]</sup>, <br> 2019 & 2022, <br> 1803+ |macOS |Linux|
-||||||
-|**Prevention** | | | | |
-|[Attack Surface Reduction rules](attack-surface-reduction.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
-|[Controlled folder access](controlled-folders.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
-|Device Control | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) |
-|[Firewall](host-firewall-reporting.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
-|[Exploit Protection](exploit-protection.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
-|[Network Protection](network-protection.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
-|[Next-generation protection](next-generation-protection.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
-|[Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) |
-|[Web Protection](web-protection-overview.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
+|Operating System|Windows 10 & 11|Windows Server 2012 R2 <sup>[[1](#fn1)]</sup>, <br> 2016 <sup>[[1](#fn1)]</sup>, <br> 2019 & 2022, <br> 1803+|macOS|Linux|
+||::|::|::|::|
+|**Prevention**|||||
+|[Attack Surface Reduction rules](attack-surface-reduction.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|[Controlled folder access](controlled-folders.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|Device Control|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|
+|[Firewall](host-firewall-reporting.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|[Exploit Protection](exploit-protection.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|[Network Protection](network-protection.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|
+|[Next-generation protection](next-generation-protection.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
+|[Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|
+|[Web Protection](web-protection-overview.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|
||||||
-|**Detection** | | | | |
-|[Advanced Hunting](../defender/advanced-hunting-overview.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
-|[Custom file indicators](indicator-file.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
-|[Custom network indicators](indicator-ip-domain.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
-|[EDR Block](edr-in-block-mode.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
-|[Passive Mode](microsoft-defender-antivirus-compatibility.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
-|Sense detection sensor | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
-|Endpoint & network device discovery | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
-|[Vulnerability management](../defender-vulnerability-management/defender-vulnerability-management.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
+|**Detection**|||||
+|[Advanced Hunting](../defender/advanced-hunting-overview.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
+|[Custom file indicators](indicator-file.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
+|[Custom network indicators](indicator-ip-domain.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|
+|[EDR Block](edr-in-block-mode.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|[Passive Mode](microsoft-defender-antivirus-compatibility.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
+|Sense detection sensor|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
+|Endpoint & network device discovery|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|[Vulnerability management](../defender-vulnerability-management/defender-vulnerability-management.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
||||||
-|**Response** | | | ||
-|[Automated Investigation & Response (AIR)](automated-investigations.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
-|[Device response capabilities: collect investigation package, run AV scan](respond-machine-alerts.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup> |
-|[Device isolation](respond-machine-alerts.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup> | ![Yes (public preview)](images/svg/check-no.svg) |
-|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) <sup>[[4](#fn4)]</sup> | ![No](images/svg/check-no.svg) <sup>[[4](#fn4)]</sup> |
-|[Live Response](live-response.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
-
+|**Response**|||||
+|[Automated Investigation & Response (AIR)](automated-investigations.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|[Device response capabilities: collect investigation package, run AV scan](respond-machine-alerts.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup>|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup>|
+|[Device isolation](respond-machine-alerts.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup>|![Yes (public preview)](images/svg/check-no.svg)|
+|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) <sup>[[4](#fn4)]</sup>|![No](images/svg/check-no.svg) <sup>[[4](#fn4)]</sup>|
+|[Live Response](live-response.md)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup>|
(<a id="fn1">1</a>) Refers to the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).
-(<a id="fn2">2</a>) Feature is currently in preview ([Microsoft Defender for Endpoint preview features](preview.md))
+(<a id="fn2">2</a>) Feature is currently in preview ([Microsoft Defender for Endpoint preview features](preview.md))
-(<a id="fn3">3</a>) Response capabilities using Live Response [2]
+(<a id="fn3">3</a>) Response capabilities using Live Response [2]
-(<a id="fn4">4</a>) Collect file only, using Live Response [2]
->[!NOTE]
->Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and AV using System Center Endpoint Protection (SCEP).
+(<a id="fn4">4</a>) Collect file only, using Live Response [2]
+> [!NOTE]
+> Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and AV using System Center Endpoint Protection (SCEP).
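Review bot: In the Response block, the Linux cell for Device isolation is internally inconsistent and the hunk carries it over unchanged: the alt text says `Yes (public preview)` but the image is `check-no.svg`, so sighted readers see a "No" while screen-reader users hear "Yes". It should use `check-yes.svg` with the preview footnote `[2]` like the other preview cells, or a "No" alt text, whichever reflects the real state. The new delimiter row `||::|::|::|::|` also leaves the first column with an empty alignment cell and no dashes; `|---|:---:|:---:|:---:|:---:|` is the portable form.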
security Switch To Mde Troubleshooting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting.md
Certain exclusions for Defender for Endpoint must be defined in your existing no
`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection` - ### Set Microsoft Defender Antivirus to passive mode manually On Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, you must set Microsoft Defender Antivirus to passive mode manually. This action helps prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
If Microsoft Defender Antivirus is stuck in passive mode, set it to active mode
## I am having trouble re-enabling Microsoft Defender Antivirus on Windows Server 2016
-If you are using a non-Microsoft antivirus/antimalware solution on Windows Server 2016, your existing solution might have required Microsoft Defender Antivirus to be disabled or uninstalled. You can use the[ Malware Protection Command-Line Utility](command-line-arguments-microsoft-defender-antivirus.md) to re-enable Microsoft Defender Antivirus on Windows Server 2016.
+If you are using a non-Microsoft antivirus/antimalware solution on Windows Server 2016, your existing solution might have required Microsoft Defender Antivirus to be disabled or uninstalled. You can use the [Malware Protection Command-Line Utility](command-line-arguments-microsoft-defender-antivirus.md) to re-enable Microsoft Defender Antivirus on Windows Server 2016.
1. As a local administrator on the server, open Command Prompt.
If you are using a non-Microsoft antivirus/antimalware solution on Windows Serve
- [Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md) -- [Onboarding tools and methods for Windows devices in Defender for Endpoint](configure-endpoints.md)
+- [Onboarding tools and methods for Windows devices in Defender for Endpoint](configure-endpoints.md)
security Troubleshoot Security Config Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md
Last updated 10/19/2021
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)
To successfully register devices to Azure Active Directory, you'll need to ensur
- Computers can authenticate with the domain controller - Computers have access to the following Microsoft resources from inside your organization's network: - /windows/iot/iot-enterprise/commercialization/licensing
- - https://login.microsoftonline.com
- - https://device.login.microsoftonline.com
+ - <https://login.microsoftonline.com>
+ - <https://device.login.microsoftonline.com>
- Azure AD connect is configured to sync the computer objects. By default, computer OUs are in Azure AD connect sync scope. If the computer objects belong to specific organizational units (OUs), configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unitΓÇôbased filtering](/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#organizational-unitbased-filtering). > [!IMPORTANT]
To successfully register devices to Azure Active Directory, you'll need to ensur
> [!NOTE] > To successfully complete the onboarding flow, and independent of a device's Operating System, the Azure Active Directory state of a device can change, based on the devices' initial state: >
-> <br>
>
->|Starting Device State|New Device State|
->|||
->|Already AADJ or HAADJ|Remains as is|
->|Not AADJ or Hybrid Azure Active Directory Join (HAADJ) + Domain joined|Device is HAADJ'd|
->|Not AADJ or HAADJ + Not domain joined|Device is AADJ'd|
+> |Starting Device State|New Device State|
+> |||
+> |Already AADJ or HAADJ|Remains as is|
+> |Not AADJ or Hybrid Azure Active Directory Join (HAADJ) + Domain joined|Device is HAADJ'd|
+> |Not AADJ or HAADJ + Not domain joined|Device is AADJ'd|
> > Where AADJ represents Azure Active Directory Joined and HAADJ represents Hybrid Azure Active Directory Joined.
To see a list of all devices managed by Microsoft Defender for Endpoint, select
In the list, if a device's enrollment status is not "Success", select the device to see troubleshooting details in the side panel, pointing to the root cause of the error, and corresponding documentation. - :::image type="content" source="./images/secconfig-mde-error.png" alt-text="The filter criteria applied on the device inventory page" lightbox="./images/secconfig-mde-error.png":::
-> [!NOTE]
-> We are aware of an issue impacting the accurate detection of third-party MDMs when trying to use the security management feature and are working on a fix.
+> [!NOTE]
+> We are aware of an issue impacting the accurate detection of third-party MDMs when trying to use the security management feature and are working on a fix.
## Run Microsoft Defender for Endpoint Client Analyzer on Windows
In the **Detailed Results** section of the report, the Client Analyzer also prov
For example, as part of the Security Management onboarding flow, it is required for the Azure Active Directory Tenant ID in your Microsoft Defender for Endpoint Tenant to match the SCP Tenant ID that appears in the reports' **Device Configuration Management Details** section. If relevant, the report output will recommend to perform this verification. ## General troubleshooting
From the information in the message, it's possible in most cases to understand w
For Security Management for Microsoft Defender for Endpoint on Windows Server 2012 R2 domain joined computers, an update to Azure AD Connect sync rule "In from AD-Computer Join" is needed. This can be achieved by cloning and modifying the rule, which will disable the original "In from AD - Computer Join" rule. Azure AD Connect by default offers this experience for making changes to built-in rules. > [!NOTE]
->These changes need to be applied on the server where AAD Connect is running. If you have multiple instances of AAD Connect deployed, these changes must be applied to all instances.
+> These changes need to be applied on the server where AAD Connect is running. If you have multiple instances of AAD Connect deployed, these changes must be applied to all instances.
1. Open the Synchronization Rules Editor application from the start menu. In the rule list, locate the rule named **In from AD ΓÇô Computer Join**. **Take note of the value in the 'Precedence' column for this rule.**
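Review bot: The table inside the NOTE is fixed by dropping the `<br>` and adding a space after `>`, but its delimiter row `> |||` still has no dashes, so renderers that follow GFM strictly will not treat it as a table; use `> |---|---|`. Several context lines in this article render en dashes as `ΓÇô` (for example "Organizational unitΓÇôbased filtering" and "In from AD ΓÇô Computer Join"), which points to an encoding mismatch between the source file and whatever produced this view; worth confirming the file is UTF-8, because the second one is a rule name the reader has to match by eye in the Synchronization Rules Editor. The resource list also contains a bare `/windows/iot/iot-enterprise/commercialization/licensing` entry between the `login.microsoftonline.com` URLs, which looks like a leftover link target rather than a network endpoint the computers need to reach.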
security Update Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-alert.md
Classification|String|Specifies the specification of the alert. The property val
Determination|String|Specifies the determination of the alert. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public api accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other).| Comment|String|Comment to be added to the alert.|
->[!NOTE]
->Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.
+> [!NOTE]
+> Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.
## Response
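Review bot: The Determination row still carries what read like internal review remarks, repeated three times: "consider changing the enum name in public api accordingly" after `CompromisedUser`, `ConfirmedUserActivity` and `Clean`; they do not belong in a published parameter table, and the dash before the first one is mojibake (`ΓÇô`). The NOTE being reformatted says "Around August 29, 2022, ... will be deprecated", but that date is already in the past relative to this change set (compare the 09/19/2022 "Last updated" stamp on the server-migration article above), so it should state that `Apt` and `SecurityPersonnel` have been removed and what the API returns if a client still sends them.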
security Upload Library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/upload-library.md
Title: Upload files to the live response library
+ Title: Upload files to the live response library
description: Learn how to upload a file to the live response library. keywords: apis, graph api, supported apis, upload to library search.product: eADQiWindows 10XVcnh
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier2
Last updated 06/03/2021
-# Upload files to the live response library
+# Upload files to the live response library
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Last updated 06/03/2021
[!include[Prerelease information](../../includes/prerelease.md)]
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Upload file to live response library.
## Limitations
-1. File max size limitation is 20MB.
+1. File max size limitation is 20MB.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per
hour. ## Permissions
Upload file to live response library.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md). - | Permission type | Permission | Permission display name | ||-|--| | Application | Library.Manage | Manage live response library |
In the request body, supply a form-data object with the following parameters:
| ParametersDescription | String | (Optional) Parameters required for the script to run. Default value is an empty string. | | OverrideIfExists | Boolean | (Optional) Whether to override the file if it already exists. Default value is an empty string. | -- ## Response -- If successful, this method returns 200 - OK response code and the uploaded
+- If successful, this method returns 200 - OK response code and the uploaded
live response library entity in the response body. -- If not successful: this method returns 400 - Bad Request.
+- If not successful: this method returns 400 - Bad Request.
Bad request usually indicates incorrect body. ## Example
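Review bot: in the parameter table just above this hunk, `OverrideIfExists` is typed as Boolean but its default is described as "an empty string", which looks like a copy of the `ParametersDescription` row; state the real boolean default (for example "Default value is false") if that is the API behaviour. In the response lines themselves, "Bad request usually indicates incorrect body" should read "an incorrect request body", and the status codes are clearer as `200 OK` and `400 Bad Request`.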
Here is an example of the request using curl.
```CURL curl -X POST https://api.securitycenter.microsoft.com/api/libraryfiles -H "Authorization: Bearer \$token" -F "file=\@mdatp1.png" -F
-"ParametersDescription=test"
+"ParametersDescription=test"
-F "HasParameters=true" -F "OverrideIfExists=true" -F "Description=test description" ``` ## Related topic -- [Run live response](run-live-response.md)
+- [Run live response](run-live-response.md)
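Review bot: the curl example in this hunk writes the bearer token and the file argument as `\$token` and `\@mdatp1.png`; inside a fenced code block those backslashes are not markdown escapes but part of the shell command, so a reader who copies it sends the literal string `$token` as the bearer value and `\@mdatp1.png` as a plain form field instead of uploading the file. Drop the backslashes: `-H "Authorization: Bearer $token" -F "file=@mdatp1.png"`. The example also sends `HasParameters` and `Description`, which do not appear in the parameter rows visible above; confirm the table documents every form field the example uses. The fence tag `CURL` is not a recognised highlighter name; `bash` is the usual choice.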
security User Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md
The following steps guide you on how to create roles in Microsoft 365 Defender.
- **Security baselines** - **Threat and vulnerability management ΓÇô Manage security baselines assessment profiles** - Create and manage profiles so you can assess if your devices comply to security industry baselines.
- >[!Note]
+ > [!NOTE]
> For the Defender Vulnerability Management public preview trial this permission is not required. Users with "Threat and vulnerability management - View data" permissions can manage security baselines. However, when the trial ends and a license is purchased, this permission is required. - **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on specific operating sy
- [KB5016690](https://support.microsoft.com/topic/august-23-2022-kb5016690-os-build-17763-3346-preview-b81d1ac5-75c7-42c1-b638-f13aa4242f42) > [!NOTE]
- > This integration doesnΓÇÖt currently support the use of custom scripts to gain visibility into extra signals.
+ > This integration doesn't currently support the use of custom scripts to gain visibility into extra signals.
## October 2022
security Directory Service Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/directory-service-accounts.md
search.appverid: met150
This article explains how to configure the [Microsoft Defender for Identity](/defender-for-identity) Directory Services account in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center).
->[!IMPORTANT]
->As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
+> [!IMPORTANT]
+> As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
## Configure Directory Services account
security Entity Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/entity-tags.md
search.appverid: met150
This article explains how to apply [Microsoft Defender for Identity](/defender-for-identity) entity tags in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center).
->[!IMPORTANT]
->As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
+> [!IMPORTANT]
+> As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
## Entity tags
security Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/exclusions.md
This article explains how to configure [Microsoft Defender for Identity](/defend
For example, a **DNS Reconnaissance** alert could be triggered by a security scanner that uses DNS as a scanning mechanism. Creating an exclusion helps Defender for Identity ignore such scanners and reduce false positives.
->[!NOTE]
->Of the most common domains with [Suspicious communication over DNS](/defender-for-identity/exfiltration-alerts#suspicious-communication-over-dns-external-id-2031) alerts opened on them, we observed the domains that customers most excluded from the alert. These domains are added to the exclusions list by default, but you have the option to easily remove them.
+> [!NOTE]
+> Of the most common domains with [Suspicious communication over DNS](/defender-for-identity/exfiltration-alerts#suspicious-communication-over-dns-external-id-2031) alerts opened on them, we observed the domains that customers most excluded from the alert. These domains are added to the exclusions list by default, but you have the option to easily remove them.
## How to add detection exclusions
security Sensor Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/sensor-health.md
Title: Microsoft Defender for Identity sensor health and settings in Microsoft 365 Defender
-description: Learn how to configure Microsoft Defender for Identity sensors and monitor their health in Microsoft 365 Defender
+ Title: Microsoft Defender for Identity sensor health and settings in Microsoft 365 Defender
+description: Learn how to configure Microsoft Defender for Identity sensors and monitor their health in Microsoft 365 Defender
Last updated 06/07/2021
search.appverid: met150
This article explains how to configure and monitor [Microsoft Defender for Identity](/defender-for-identity) sensors in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center).
->[!IMPORTANT]
->As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
+> [!IMPORTANT]
+> As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
## View Defender for Identity sensor settings and status
This article explains how to configure and monitor [Microsoft Defender for Ident
[![Sensor page.](../../media/defender-identity/sensor-page.png)](../../media/defender-identity/sensor-page.png#lightbox)
- >[!NOTE]
- >In the Defender for Identity portal, the sensor settings and health information were in separate locations. Note that in Microsoft 365 Defender they're now on the same page.
+ > [!NOTE]
+ > In the Defender for Identity portal, the sensor settings and health information were in separate locations. Note that in Microsoft 365 Defender they're now on the same page.
1. If you select **Filters**, you can choose which filters will be available. Then with each filter, you can choose which sensors to display.
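Review bot: "Note that in Microsoft 365 Defender they're now on the same page" sits inside a [!NOTE] callout, so the "Note that" is redundant; suggest "In Microsoft 365 Defender they're now on the same page."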
This article explains how to configure and monitor [Microsoft Defender for Ident
1. If you select any of the health issues, you'll get a pane with more details about them. If you choose a closed issue, you can reopen it from here. :::image type="content" source="../../media/defender-identity/issue-details.png" alt-text="The Issue details" lightbox="../../media/defender-identity/issue-details.png":::
-
1. If you select **Manage sensor**, a pane will open where you can configure the sensor details.
security Vpn Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/vpn-integration.md
search.appverid: met150
This article explains how to integrate a VPN with [Microsoft Defender for Identity](/defender-for-identity) in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center).
->[!IMPORTANT]
->As part of the convergence with <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
+> [!IMPORTANT]
+> As part of the convergence with <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
[!INCLUDE [Product long](includes/product-long.md)] can collect accounting information from VPN solutions. When configured, the user's profile page includes information from the VPN connections, such as the IP addresses and locations where connections originated. This complements the investigation process by providing additional information on user activity as well as a new detection for abnormal VPN connections. The call to resolve an external IP address to a location is anonymous. No personal identifier is sent in this call.
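Review bot: this hunk keeps the raw HTML anchor `<a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>` while the intro sentence just above uses a markdown link for the same product, and the identical IMPORTANT callout in the directory-service-accounts, entity-tags and sensor-health hunks contains no link at all; use the markdown form `[Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139)` (or drop the link to match the sibling callouts) rather than inline HTML.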
security Defender Vulnerability Management Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
For Microsoft Defender for Cloud customers, Defender Vulnerability Management is
Microsoft Defender for Servers Plan 2 includes access to the additional vulnerability management capabilities that are part of the Defender Vulnerability Management add-on. The table below shows the availability of Defender Vulnerability Management capabilities across the Defender for Servers plans.
->[!Note]
+> [!NOTE]
> The Microsoft Defender Vulnerability Management add-on capabilities included in Defender for Servers Plan 2 are only available through the [Microsoft Defender 365 portal](https://security.microsoft.com/homepage). |Capability|Defender For Servers Plan 1|Defender For Servers Plan 2|
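Review bot: the link text in the note reads "Microsoft Defender 365 portal", which inverts the product name used everywhere else in these hunks ("Microsoft 365 Defender portal"); fix the link text. The table header that follows also capitalises "Defender For Servers" where the prose above says "Defender for Servers"; use the lowercase "for" for consistency.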
security Defender Vulnerability Management Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial.md
Your trial will be effective immediately:
It can take up to 6 hours for all vulnerability management features to appear in your left navigation. Sign out and sign back in to see the updates. > [!NOTE]
->Defender Vulnerability Management Standalone trial is in public preview. Details on your purchase options for this new offering will be made available once the offering is generally available.
+> Defender Vulnerability Management Standalone trial is in public preview. Details on your purchase options for this new offering will be made available once the offering is generally available.
## Required roles for starting the trial
security Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management.md
Watch the following video to learn more about Defender Vulnerability Management.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md). > [!TIP]
->For more information on the features and capabilities that are included in each offering, see [Compare Microsoft Defender Vulnerability Management offerings.](defender-vulnerability-management-capabilities.md)
+> For more information on the features and capabilities that are included in each offering, see [Compare Microsoft Defender Vulnerability Management offerings.](defender-vulnerability-management-capabilities.md)
:::image type="content" source="../../medivm-asset.png" alt-text="Microsoft Defender Vulnerability Management features and capabilities.":::
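Review bot: the TIP's link text ends with the full stop inside the brackets ("[Compare Microsoft Defender Vulnerability Management offerings.](...)"), so the period becomes part of the link; move it outside: `[Compare Microsoft Defender Vulnerability Management offerings](defender-vulnerability-management-capabilities.md).` The image directive in the context line after the hunk has source `../../medivm-asset.png`, which does not follow the `../../media/...` path pattern used by the other images in these files and looks truncated; verify the path.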
security Get Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management.md
Microsoft Defender Vulnerability Management is available as a standalone and as
- If you already have Defender for Endpoint Plan 2, sign up to try the [Defender Vulnerability Management Add-on Trial](#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers) > [!NOTE]
-> Trials will be available to customers using the New Commerce Experience (NCE) for a 30 day period. After the 30 day period customers will be able to purchase Microsoft Defender Vulnerability Management through NCE.
+> Trials will be available to customers using the New Commerce Experience (NCE) for a 30 day period. After the 30 day period customers will be able to purchase Microsoft Defender Vulnerability Management through NCE.
## Try Defender Vulnerability Management Standalone
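Review bot: "30 day period" is a compound modifier and should be hyphenated ("a 30-day period") in both sentences of the note, and a comma after "After the 30-day period" would help the second sentence read cleanly.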
security Tvm Block Vuln Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps.md
Last updated 04/12/2022
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
->[!Note]
-> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
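Review bot: the sentence "To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on" is hard to parse because the conditional clause is not set off; suggest "To use this feature, you'll need Microsoft Defender Vulnerability Management Standalone or, if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on." The same note is repeated verbatim in the tvm-browser-extensions, tvm-certificate-inventory, tvm-hardware-and-firmware, tvm-network-share-assessment, tvm-security-baselines and windows-authenticated-scan hunks below, so the fix should be applied to all of them, ideally by moving the text into a shared include so it is maintained once.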
For both actions, you can customize the message the users will see. For example,
6. Pick a **Remediation due date** and select **Next**. 7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it will be immediately applied.
+ :::image type="content" alt-text="Mitigation action" source="../../media/defender-vulnerability-management/mitigation-action.png" lightbox="../../media/defender-vulnerability-management/mitigation-action.png":::
8. Review the selections you made and **Submit request**. On the final page you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.
-> [!Important]
+> [!IMPORTANT]
> Based on the available data, the block action will take effect on endpoints in the organization that have Microsoft Defender Antivirus. Microsoft Defender for Endpoint will make a best attempt effort of blocking the applicable vulnerable application or version from running. If additional vulnerabilities are found on a different version of an application, you'll get a new security recommendation, asking you to update the application, and you can choose to also block this different version.
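Review bot: "will make a best attempt effort of blocking" is redundant; "will make a best-effort attempt to block" reads cleanly. Since this hunk already touches the callout, it is a good moment to tidy the sentence.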
The option to **View details of blocked versions in the Indicator page** brings
> [!NOTE] > If you use the Indicators API with programmatic indicator queries as part of your workflows, be aware that the block action will give additional results.-
-> [!NOTE]
+>
> Currently some detections related to warn policies may show up as active malware in Microsoft 365 Defender and/or Microsoft Intune. This behavior will be fixed in an upcoming release. You can also **Unblock software** or **Open software page**:
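Review bot: replacing the second `> [!NOTE]` with a bare `>` folds two unrelated notes (Indicators API queries returning additional results, and warn-policy detections showing up as active malware) into a single callout; if one callout is intended, keep the blank quote line so the two points render as separate paragraphs, otherwise restore the second `[!NOTE]` heading so each note stands on its own.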
security Tvm Browser Extensions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-browser-extensions.md
Title: Browser extensions assessment
+ Title: Browser extensions assessment
description: Find out about the browsers extensions installed in your environment keywords: Microsoft Defender for Endpoint browser extensions, mdvm, threat & vulnerability management,Microsoft Defender Vulnerability Management
Last updated 04/11/2022
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
->[!Note]
-> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
The **Browser extensions** page displays a list of the browser extensions instal
1. Go to **Vulnerability management** \> **Software inventory** in the [Microsoft 365 Defender portal](https://security.microsoft.com). 2. Select the **Browser extensions** tab.
->[!Note]
+> [!NOTE]
> Browser extension assessment is only available on Windows devices. Only extensions that exist in Edge, Chrome, and Firefox, will appear in browser extension list. The **Browser extensions** page opens with a list of the browser extensions installed across your organization, including details on the extension name, browser, the number of devices the extension is installed on, and the number that have it turned on.
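Review bot: in "Only extensions that exist in Edge, Chrome, and Firefox, will appear in browser extension list" the comma before "will" separates the subject from its verb and the article is missing; suggest "Only extensions that exist in Edge, Chrome, and Firefox will appear in the browser extension list."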
Select the **Permissions** tab, from the browser extension flyout pane, to see i
The permission risk level generated is based on the type of access the permission is requesting. You can use this information to help make an informed decision on whether you want to allow or block this extension.
->[!Note]
->Risk is subjective, and it's up to each organization to determine the types of risk they are willing to take on.
+> [!NOTE]
+> Risk is subjective, and it's up to each organization to determine the types of risk they are willing to take on.
Select a permission to see a further flyout with more information.
security Tvm Certificate Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-certificate-inventory.md
Last updated 04/11/2022
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
->[!Note]
-> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
The **Certificate inventory** lets you view a list of the certificates installed
The **Certificate inventory** page opens with a list of the certificates installed across your organization, including details on the expiration date, key size, who issued the certificate, and the number of instances.
->[!Note]
->Only certificates found on Windows devices (in the local machine certificate store) will be displayed in certificate inventory list.
+> [!NOTE]
+> Only certificates found on Windows devices (in the local machine certificate store) will be displayed in certificate inventory list.
:::image type="content" source="../../media/defender-vulnerability-management/certificate_inventory.png" alt-text="Screenshot of the certificate inventory list" lightbox="../../media/defender-vulnerability-management/certificate_inventory.png":::::::::
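Review bot: the image directive in the context line after this hunk closes with `:::::::::` instead of `:::`; the extra colons will either render literally or break the directive, so trim them to a single `:::`. In the note itself, "in certificate inventory list" is missing "the".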
security Tvm Hardware And Firmware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-hardware-and-firmware.md
Last updated 11/23/2022
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
->[!Note]
-> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
The **Hardware and Firmware** page opens with individual pages available for:
- [Processor inventory](#processor-inventory) - [BIOS inventory](#bios-inventory)
->[!Note]
+> [!NOTE]
> Weaknesses and exposed devices information is based on security advisories from HP, Dell, and Lenovo and relates to processors and BIOS only. Weaknesses for other vendors are not reported. > > Inventory and weaknesses data is collected on Windows, Linux, and MacOS (refer to the [list of supported platforms](tvm-supported-os.md)).
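Review bot: "MacOS" should be "macOS", which is Apple's casing and the form used elsewhere in these docs (for example "apps for macOS and Linux" in the tvm-usage-insights note below). "Weaknesses for other vendors are not reported" could also be tightened to "Weaknesses from other vendors' advisories are not reported" so it is clear the limitation is the advisory source, as the preceding sentence states.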
security Tvm Manage Log4shell Guidance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-manage-Log4shell-guidance.md
Defender Vulnerability Management provides you with the following capabilities t
> > Support on macOS requires Microsoft Defender for Endpoint macOS client version 20.121111.15416.0 or later. >
->For more information on supported versions, see [Supported operating systems platforms and capabilities](tvm-supported-os.md).
+> For more information on supported versions, see [Supported operating systems platforms and capabilities](tvm-supported-os.md).
## Exposed devices discovery
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-microsoft-secure-score-devices.md
Improve your security configuration by remediating issues from the security reco
6. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you've addressed won't be listed there anymore. Your Microsoft Secure Score for Devices should increase. > [!IMPORTANT]
->To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
+> To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
> > - 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) > - RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
security Tvm Network Share Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-network-share-assessment.md
Last updated 04/27/2022
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
->[!Note]
-> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-prerequisites.md
Last updated 03/04/2022
# Prerequisites & permissions for Microsoft Defender Vulnerability Management
->[!NOTE]
->The same minimum requirements as Microsoft Defender for Endpoint apply to Microsoft Defender Vulnerability Management, for more information, see [Minimum requirements](../defender-endpoint/minimum-requirements.md).
+> [!NOTE]
+> The same minimum requirements as Microsoft Defender for Endpoint apply to Microsoft Defender Vulnerability Management, for more information, see [Minimum requirements](../defender-endpoint/minimum-requirements.md).
Ensure that your devices:
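Review bot: the note is a comma splice ("apply to Microsoft Defender Vulnerability Management, for more information, see ..."); split it into two sentences: "The same minimum requirements as Microsoft Defender for Endpoint apply to Microsoft Defender Vulnerability Management. For more information, see [Minimum requirements](../defender-endpoint/minimum-requirements.md)."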
security Tvm Security Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines.md
Last updated 04/12/2022
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
->[!Note]
-> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
Security baselines provide support for Center for Internet Security (**CIS)** be
8. Select **Submit** to create your profile. 9. On the final page, select **View profile page** to see the assessment results.
->[!Note]
->You can create multiple profiles for the same operating system with various customizations.
+> [!NOTE]
+> You can create multiple profiles for the same operating system with various customizations.
When you customize a configuration an icon will appear beside it to indicate that it has been customized and is no longer using the recommended value. Select the **reset** button to revert to the recommended value.
security Tvm Usage Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-usage-insights.md
The Recommendations page opens with the software usage information displayed:
:::image type="content" alt-text="Software usage information in recommendations" source="../../media/defender-vulnerability-management/usage-insights-recommendations.png" lightbox="../../media/defender-vulnerability-management/usage-insights-recommendations.png"::: -
->[!NOTE]
->If you don't see usage insights, it's because that application is currently not supported. Software usage is currently not supported for:
+> [!NOTE]
+> If you don't see usage insights, it's because that application is currently not supported. Software usage is currently not supported for:
> > - Software usage related to operating systems > - Software usage related to apps for macOS and Linux
security Windows Authenticated Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/windows-authenticated-scan.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
->[!Note]
-> To use this feature youΓÇÖll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
This is applicable for devices that don't have the Defender Vulnerability Manage
Similar to [network device](../defender-endpoint/network-devices.md) authenticated scan, you'll need a scanning device with the scanner installed. If you don't already have the scanner installed, see [Install the scanner](../defender-endpoint/network-devices.md#install-the-scanner) for steps on how to download and install it.
->[!NOTE]
+> [!NOTE]
> No changes are required for pre-existing installed scanners. ## Pre-requisites
The following section lists the pre-requisites you need to configure to use Auth
A scanning account is required to remotely access the devices. This must be a [Group Managed Service Account (gMsa)](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/).
->[!NOTE]
+> [!NOTE]
> We recommend the gMSA account is a least privileged account with only the required scanning permissions and is set to cycle the password regularly. To create a gMsa account:
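Review bot: the account type is written "gMsa" in the link text "[Group Managed Service Account (gMsa)]" and in "To create a gMsa account", but "gMSA" in the note this hunk touches; standardise on gMSA throughout. "We recommend the gMSA account is a least privileged account" also reads better as "We recommend that the gMSA account be a least-privileged account with only the required scanning permissions".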
security Activate Defender Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/activate-defender-rbac.md
The following steps guide you on how to activate the Microsoft 365 Defender RBAC
1. [Activate in the permissions and roles page](#activate-from-the-permissions-and-roles-page) 2. [Activate in Microsoft 365 Defender settings](#activate-in-microsoft-365-defender-settings)
->[!Important]
->You must be a Global Administrator or Security Administrator in Azure Active Directory to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).
+> [!IMPORTANT]
+> You must be a Global Administrator or Security Administrator in Azure Active Directory to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).
### Activate from the Permissions and roles page
You can activate your workloads in two ways from the Permissions and roles page:
:::image type="content" source="../../media/defender/m365-defender-rbac-activate-workload-selection.png" alt-text="Screenshot of the choose workloads to activate screen" lightbox="../../media/defender/m365-defender-rbac-activate-workload-selection.png":::
- >[!Note]
+ > [!NOTE]
> The **Activate workloads** button is only available when there are existing roles in the roles list. 2. **Workload settings**
Follow these steps to activate your workloads directly in Microsoft 365 Defender
You have now successfully activated (or deactivated) that workload.
->[!Note]
+> [!NOTE]
> The Microsoft 365 Defender RBAC model only impacts the Microsoft 365 Defender security portal. It does not impact the [Microsoft Purview Compliance center](https://compliance.microsoft.com) or the [Exchange Admin Center](https://admin.exchange.microsoft.com). ## Deactivate Microsoft 365 Defender RBAC
security Advanced Hunting Best Practices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-best-practices.md
There are various functions you can use to efficiently handle strings that need
To learn about all supported parsing functions, [read about Kusto string functions](/azure/data-explorer/kusto/query/scalarfunctions#string-functions).
->[!NOTE]
->Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+> [!NOTE]
+> Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
## Related topics+ - [Kusto query language documentation](/azure/data-explorer/kusto/query/) - [Quotas and usage parameters](advanced-hunting-limits.md) - [Handle advanced hunting errors](advanced-hunting-errors.md)
security Advanced Hunting Deviceevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceevents-table.md
Last updated 02/16/2021
The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Devicefileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefileevents-table.md
Last updated 02/16/2021
The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
For information on other tables in the advanced hunting schema, [see the advance
| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `AdditionalFields` | `string` | Additional information about the entity or event |
->[!NOTE]
+> [!NOTE]
> File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty. ## Related topics
security Advanced Hunting Deviceimageloadevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceimageloadevents-table.md
Last updated 02/16/2021
The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Devicelogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicelogonevents-table.md
Last updated 02/16/2021
The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events on devices. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
For information on other tables in the advanced hunting schema, [see the advance
| `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
->[!NOTE]
->The collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008R2 devices onboarded to Defender for Endpoint. We recommend upgrading to a more recent operating system for optimal visibility into user logon activity.
+> [!NOTE]
+> The collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008R2 devices onboarded to Defender for Endpoint. We recommend upgrading to a more recent operating system for optimal visibility into user logon activity.
## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Use shared queries](advanced-hunting-shared-queries.md)
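Review bot: the rewritten note line is missing a space in the product name: "Windows Server 2008R2" should read "Windows Server 2008 R2", matching the "Windows 7" style used in the same sentence.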
security Advanced Hunting Devicenetworkevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table.md
Last updated 02/16/2021
The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Deviceprocessevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table.md
Last updated 02/16/2021
The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Deviceregistryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table.md
Last updated 02/16/2021
The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Devicetvminfogathering Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvminfogathering-table.md
Last updated 06/22/2022
- Microsoft 365 Defender - Microsoft Defender for Endpoint
->[!IMPORTANT]
+> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The `DeviceTvmInfoGathering` table in the advanced hunting schema contains [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management) assessment events including the status of various configurations and attack surface area states of devices. You can use this table to hunt for assessment events related to mitigation for zero-days, posture assessment for emerging threats supporting threat analytics mitigation status reports, enabled TLS protocol versions on servers, and more. Use this reference to construct queries that return information from the table.
security Advanced Hunting Devicetvmsoftwareinventory Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareinventory-table.md
Last updated 04/14/2021
- Microsoft 365 Defender
->[!IMPORTANT]
+> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The `DeviceTvmSoftwareInventory` table in the advanced hunting schema contains the [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) inventory of software currently installed on devices in your network, including end of support information. You can, for instance, hunt for events involving devices that are installed with a currently vulnerable software version. Use this reference to construct queries that return information from the table.
->[!NOTE]
+> [!NOTE]
> The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerablity management activities or hunt for vulnerable devices. For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
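Review bot: the context line directly below the rewritten `> [!NOTE]` marker still carries the typo "vulnerablity" ("help inform your vulnerablity management activities"); fix it to "vulnerability" while this note is being edited, as the parallel note in the DeviceTvmSoftwareVulnerabilities article below already spells it correctly.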
security Advanced Hunting Devicetvmsoftwarevulnerabilities Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md
Last updated 03/22/2021
- Microsoft 365 Defender
->[!IMPORTANT]
+> [!IMPORTANT]
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The `DeviceTvmSoftwareVulnerabilities` table in the advanced hunting schema contains the [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
->[!NOTE]
+> [!NOTE]
> The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities or hunt for vulnerable devices. For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Emailpostdeliveryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md
Last updated 02/16/2021
The `EmailPostDeliveryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. To get more information about individual email messages, you can also use the [`EmailEvents`](advanced-hunting-emailevents-table.md), [`EmailAttachmentInfo`](advanced-hunting-emailattachmentinfo-table.md), and the [`EmailUrlInfo`](advanced-hunting-emailurlinfo-table.md) tables. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Extend Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-extend-data.md
If you're running Active Directory on premises, you need to install the Microsof
| | | | | | Domain controller | Data from on-premises Active Directory sent to Microsoft Defender for Identity, enriching identity-related information, such as account details, logon activity, and Active Directory queries | Multiple tables, including [IdentityInfo](advanced-hunting-identityinfo-table.md), [IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md), and [IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md) | - [Install the Microsoft Defender for Identity sensor](/azure-advanced-threat-protection/install-atp-step4)<br>- [Turn on relevant Windows Events](/azure-advanced-threat-protection/configure-event-collection) |
->[!NOTE]
->Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+> [!NOTE]
+> Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Understand the schema](advanced-hunting-schema-tables.md)
security Advanced Hunting Fileprofile Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-fileprofile-function.md
invoke FileProfile(x,y)
- **y**—limit to the number of records to enrich, 1-1000; function uses 100 if unspecified

->[!TIP]
+> [!TIP]
> Enrichment functions will show supplemental information only when they are available. Availability of information is varied and depends on a lot of factors. Make sure to consider this when using FileProfile() in your queries or in creating custom detections. For best results, we recommend using the FileProfile() function with SHA1. ## Examples
security Advanced Hunting Go Hunt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-go-hunt.md
Last updated 02/16/2021
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
The *go hunt* action is available in various sections of Microsoft 365 Defender.
:::image type="content" source="../../media/go-hunt-2-entity.png" alt-text="The Go hunt option for a piece of evidence in the Incident page in Microsoft 365 Defender portal" lightbox="../../media/go-hunt-2-entity.png"::: - - When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting. :::image type="content" source="../../media/go-hunt-3-event.png" alt-text="The Hunt for related events option on an event's page in the Timelines tab in Microsoft 365 Defender portal" lightbox="../../media/go-hunt-3-event.png":::
The *go hunt* action is available in various sections of Microsoft 365 Defender.
Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event. ## Query for entity information+ You can use *go hunt* to query for information about a user, device, or any other type of entity; the query checks all relevant schema tables for any events involving that entity to return information. To keep the results manageable, the query is:+ - scoped to around the same time period as the earliest activity in the past 30 days that involves the entity - associated with the incident.
and DeviceName == deviceName
// or DeviceId == deviceId | take 100 ```+ ### Supported entity types+ You can use the *go hunt* option after selecting any of these entity types: - Files
You can use the *go hunt* option after selecting any of these entity types:
- URLs ## Query for event information+ When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device: ```kusto
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEv
``` ## Adjust the query+ With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window: ```kusto
Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
``` In addition to modifying the query to get more relevant results, you can also:+ - [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart) - [Create a custom detection rule](custom-detection-rules.md)
->[!NOTE]
->Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+> [!NOTE]
+> Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Work with query results](advanced-hunting-query-results.md)
security Advanced Hunting Identitydirectoryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table.md
Last updated 02/16/2021
The `IdentityDirectoryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Identityinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityinfo-table.md
Last updated 02/16/2021
The `IdentityInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user accounts obtained from various services, including Azure Active Directory. Use this reference to construct queries that return information from this table.
->[!NOTE]
->This table was renamed from `AccountInfo`. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere.
+> [!NOTE]
+> This table was renamed from `AccountInfo`. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
For information on other tables in the advanced hunting schema, [see the advance
| `IsAccountEnabled` | `boolean` | Indicates whether the account is enabled or not | ## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Use shared queries](advanced-hunting-shared-queries.md)
security Advanced Hunting Identitylogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table.md
Last updated 02/16/2021
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender The `IdentityLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender.
->[!NOTE]
->This table covers Azure Active Directory (Azure AD) logon activities tracked by Defender for Cloud Apps, specifically interactive sign-ins and authentication activities using ActiveSync and other legacy protocols. Non-interactive logons that are not available in this table can be viewed in the Azure AD audit log. [Learn more about connecting Defender for Cloud Apps to Microsoft 365](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security)
+> [!NOTE]
+> This table covers Azure Active Directory (Azure AD) logon activities tracked by Defender for Cloud Apps, specifically interactive sign-ins and authentication activities using ActiveSync and other legacy protocols. Non-interactive logons that are not available in this table can be viewed in the Azure AD audit log. [Learn more about connecting Defender for Cloud Apps to Microsoft 365](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security)
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
For information on other tables in the advanced hunting schema, [see the advance
| `AdditionalFields` | `string` | Additional information about the entity or event | ## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Use shared queries](advanced-hunting-shared-queries.md)
security Advanced Hunting Identityqueryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table.md
Last updated 02/16/2021
The `IdentityQueryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains. Use this reference to construct queries that return information from this table.
->[!TIP]
+> [!TIP]
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-limits.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier3
Last updated 02/16/2021
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
-
- ## Understand advanced hunting quotas and usage parameters
Refer to the following table to understand existing quotas and usage parameters.
| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error. | CPU resources | Based on tenant size | Every 15 minutes | The [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next 15-minute cycle. |
->[!NOTE]
->A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md)
+> [!NOTE]
+> A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md)
## View query resources report to find inefficient queries
This report is useful in identifying the most resource-intensive queries and und
### Access the query resources report The report can be accessed in two ways:+ - In the advanced hunting page, select **Query resources report**:
+ :::image type="content" source="../../media/ah-query-resources/view-query-resources report.png" alt-text="view the query resources report button in the AH portal" lightbox="../../media/ah-query-resources/view-query-resources report.png":::
+ - Within the **Reports** page, find the new report entry in the **General** section
+ :::image type="content" source="../../media/ah-query-resources/reports-general-query-resources.png" alt-text="view the query resources report in the Reports section" lightbox="../../media/ah-query-resources/reports-general-query-resources.png":::
All users can access the reports, however, only the AAD global admin, AAD security admin, and AAD security reader roles can see queries done by all users in all interfaces. Any other user can only see:+ - Queries they ran via the portal - Public API queries they ran themselves and not through the application - Custom detections they created ### Query resource report contents
-By default, the report table displays queries from the last day, and is sorted by Resource usage, to help you easily identify which queries consumed the highest amount of CPU resources.
+
+By default, the report table displays queries from the last day, and is sorted by Resource usage, to help you easily identify which queries consumed the highest amount of CPU resources.
The query resources report contains all queries that ran, including detailed resource information per query:+ - **Time** ΓÇô when the query was run - **Interface** ΓÇô whether the query ran in the portal, in custom detections, or via API query-- **User/App** ΓÇô the user or app that ran the query
+- **User/App** ΓÇô the user or app that ran the query
- **Resource usage** ΓÇô an indicator of the amount of CPU resources a query consumed (can be Low, Medium, or High, where High means the query used a large amount of CPU resources and should be improved to be more efficient) - **State** ΓÇô whether the query was completed, failed, or was throttled-- **Query time** ΓÇô how long it took to run the query
+- **Query time** ΓÇô how long it took to run the query
- **Time range** ΓÇô the time range used in the query > [!TIP]
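Review bot: the first added image reference uses a file name containing a space, `../../media/ah-query-resources/view-query-resources report.png`, in both `source` and `lightbox`, whereas the second added image uses hyphens throughout (`reports-general-query-resources.png`). Confirm the asset really is named with a space; if it was meant to be `view-query-resources-report.png`, the image link will break in the build.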
The query resources report contains all queries that ran, including detailed res
:::image type="content" source="../../media/ah-query-resources/excessive-usage-sample.png" alt-text="view inefficient queries" lightbox="../../media/ah-query-resources/excessive-usage-sample.png"::: ### Find resource-heavy queries
-Queries with high resource usage or a long query time can probably be optimized to prevent throttling via this interface.
-The graph displays resource usage over time per interface. You can easily identify excessive usage and click the spikes in the graph to filter the table accordingly. Once you select an entry in the graph, the table is filtered to that specific date.
+Queries with high resource usage or a long query time can probably be optimized to prevent throttling via this interface.
+
+The graph displays resource usage over time per interface. You can easily identify excessive usage and click the spikes in the graph to filter the table accordingly. Once you select an entry in the graph, the table is filtered to that specific date.
You can identify the queries that used the most resources on that day and take action to improve them ΓÇô by [applying query best practices](advanced-hunting-best-practices.md) or educating the user who ran the query or created the rule to take query efficiency and resources into consideration. For guided mode, the user needs to [switch to advanced mode](advanced-hunting-query-builder-details.md#switch-to-advanced-mode-after-building-a-query) to edit the query.
-
-The graph supports two views:
+The graph supports two views:
+ - Average use per day ΓÇô the average use of resources per day - Highest use per day ΓÇô the highest actual use of resources per day
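Review bot: "can probably be optimized to prevent throttling via this interface" in the re-added first paragraph is hedged and ambiguous: "this interface" can be read as the **Interface** column rather than the report. Suggest "Queries with high resource usage or a long query time are good candidates for optimization; use this report to find them before they are throttled." Also, the added `+ - Average use per day` line starts with a space before the list marker, unlike the other bullets in the file; drop the leading space so the two view bullets indent consistently.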
security Advanced Hunting Migrate From Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-migrate-from-mde.md
Move your advanced hunting workflows from Microsoft Defender for Endpoint to pro
- Microsoft Defender for Cloud Apps - Microsoft Defender for Identity
->[!NOTE]
->Most Microsoft Defender for Endpoint customers can [use Microsoft 365 Defender without additional licenses](prerequisites.md#licensing-requirements). To start transitioning your advanced hunting workflows from Defender for Endpoint, [turn on Microsoft 365 Defender](m365d-enable.md).
+> [!NOTE]
+> Most Microsoft Defender for Endpoint customers can [use Microsoft 365 Defender without additional licenses](prerequisites.md#licensing-requirements). To start transitioning your advanced hunting workflows from Defender for Endpoint, [turn on Microsoft 365 Defender](m365d-enable.md).
You can transition without affecting your existing Defender for Endpoint workflows. Saved queries remain intact, and custom detection rules continue to run and generate alerts. They will, however, be visible in Microsoft 365 Defender.
The [Microsoft 365 Defender advanced hunting schema](advanced-hunting-schema-tab
| [IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md) | Authentication events on Active Directory and Microsoft online services | | [IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md) | Queries for Active Directory objects, such as users, groups, devices, and domains |
->[!IMPORTANT]
+> [!IMPORTANT]
> Queries and custom detections which use schema tables that are only available in Microsoft 365 Defender can only be viewed in Microsoft 365 Defender. ## Map DeviceAlertEvents table
security Advanced Hunting Modes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-modes.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-security - m365initiative-m365-defender - tier2
Last updated 08/04/2022
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
-You can find the **advanced hunting** page by going to the left navigation bar in Microsoft 365 Defender and selecting **Hunting** > **Advanced hunting**. If the navigation bar is collapsed, select the hunting icon ![hunting icon](../../media/guided-hunting/hunting-icon.png).
+You can find the **advanced hunting** page by going to the left navigation bar in Microsoft 365 Defender and selecting **Hunting** > **Advanced hunting**. If the navigation bar is collapsed, select the hunting icon ![hunting icon](../../media/guided-hunting/hunting-icon.png).
In the **advanced hunting** page, two modes are supported:+ - **Guided mode** ΓÇô to query using the query builder - **Advanced mode** ΓÇô to query using the query editor using Kusto Query Language (KQL)
-The main difference between the two modes is that the guided mode *does not* require the hunter to know KQL to query the database, while advanced mode requires KQL knowledge.
+The main difference between the two modes is that the guided mode *does not* require the hunter to know KQL to query the database, while advanced mode requires KQL knowledge.
Guided mode features a query builder that has an easy-to-use, visual, building-block style of constructing queries through dropdown menus containing available filters and conditions. To use guided mode, see [Get started with guided hunting mode](advanced-hunting-modes.md#get-started-with-guided-hunting-mode).
Advanced mode features a query editor area where users can create queries from s
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-When you open the advanced hunting page for the first time after guided hunting is made available to you, you are invited to take the tour to learn more about the different parts of the page like the tabs and query areas.
+When you open the advanced hunting page for the first time after guided hunting is made available to you, you are invited to take the tour to learn more about the different parts of the page like the tabs and query areas.
To take the tour, select **Take tour** when this banner appears: -
-[ ![banner inviting user to take the tour](../../media/guided-hunting/1-guided-hunting-banner-tb.png) ](../../media/guided-hunting/1-guided-hunting-banner.png#lightbox)
+[![banner inviting user to take the tour](../../media/guided-hunting/1-guided-hunting-banner-tb.png)](../../media/guided-hunting/1-guided-hunting-banner.png#lightbox)
Follow the blue teaching bubbles that appear throughout the page and select **Next** to move from one step to the next.
You can take the tour again at any time by going to **Help resources** > **Learn
![Screenshot of help resources](../../media/guided-hunting/help-resources.png) - You can then start building your query to hunt for threats. The following articles can help you get the most out of hunting in guided mode: - | Learning goal | Description | Resource | |--|--|--| | **Craft your first query** | Learn the basics of the query builder like specifying the data domain and adding conditions and filters to help you create a meaningful query. Learn further by running sample queries. | [Build hunting queries using guided mode](advanced-hunting-query-builder.md) |
You can then start building your query to hunt for threats. The following articl
| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](custom-detections-overview.md) <br />- [Custom detection rules](custom-detection-rules.md) | ## Get started with advanced hunting mode
-We recommend going through these steps to quickly get started with advanced hunting:
+
+We recommend going through these steps to quickly get started with advanced hunting:
| Learning goal | Description | Resource | |--|--|--|
We recommend going through these steps to quickly get started with advanced hunt
| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](custom-detections-overview.md) <br />- [Custom detection rules](custom-detection-rules.md)| ## See also+ - [Understand the schema](advanced-hunting-schema-tables.md) - [Build hunting queries using guided mode](advanced-hunting-query-builder.md) - [Learn the query language](advanced-hunting-query-language.md)
security Advanced Hunting Query Builder Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-builder-details.md
Selecting EventType under Registry Events allows you to choose from different re
![Screenshot of EventType RegistryValueDeleted](../../media/guided-hunting/hunt-specific-events-2.png)
->[!NOTE]
+> [!NOTE]
>`EventType` is the equivalent of `ActionType` in the data schema, which users of advanced mode might be more familiar with. ## Test your query with a smaller sample size
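Review bot: The space after `>` is added only on the `[!NOTE]` line; the continuation line `>\`EventType\` is the equivalent…` still has none, so the callout now mixes both styles. Apply the same change there (`> \`EventType\``).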
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
When you save a new rule, it runs and checks for matches from the past 30 days o
- **Every 12 hours**ΓÇöruns every 12 hours, checking data from the past 48 hours - **Every 3 hours**ΓÇöruns every 3 hours, checking data from the past 12 hours - **Every hour**ΓÇöruns hourly, checking data from the past 4 hours
+- **Continuous (NRT)**ΓÇöruns continuously, checking data from events as they are collected and processed in near real-time
+
+>[!NOTE]
+>If you choose the continuous frequency, make sure that the query references one table only and uses an operator from the [list of supported KQL operators](/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features). You cannot use unions or joins. The `externaldata` operator is not supported.
When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set. The rule frequency is based on the event timestamp and not the ingestion time.
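Review bot: `>[!NOTE]` on the new callout lacks the space after `>` that the other hunks in this change set add (`> [!NOTE]`, `> [!IMPORTANT]`); use the same form. The supported-operator link points at the Azure Monitor data collection transformations article (`/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features`); confirm that list is really the one enforced for Continuous (NRT) custom detections, otherwise readers will take Azure Monitor's transformation restrictions as the advanced hunting ones. Finally, the unchanged sentence that follows, "The rule frequency is based on the event timestamp and not the ingestion time", was written for the scheduled frequencies; say whether it also applies to the continuous frequency, which by the new description evaluates events as they are collected and processed.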
When you edit a rule, it will run with the applied changes in the next run time
Select the frequency that matches how closely you want to monitor detections. Consider your organization's capacity to respond to the alerts.
+##### Tables that support Continuous (NRT) frequency
+
+Near real-time detections are supported for the following tables:
+- `AlertEvidence`
+- `DeviceEvents`
+- `DeviceFileCertificateInfo`
+- `DeviceFileEvents`
+- `DeviceImageLoadEvents`
+- `DeviceLogonEvents`
+- `DeviceNetworkEvents`
+- `DeviceNetworkInfo`
+- `DeviceInfo`
+- `DeviceProcessEvents`
+- `DeviceRegistryEvents`
+- `EmailAttachmentInfo`
+- `EmailEvents`
+- `EmailPostDeliveryEvents`
+- `EmailUrlInfo`
+- `UrlClickEvents`
+
+>[!NOTE]
+> Only columns that are generally available can support **Continuous (NRT)** frequency.
+ ### 3. Choose the impacted entities. Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return sender (`SenderFromAddress` or `SenderMailFromAddress`) and recipient (`RecipientEmailAddress`) addresses. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
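Review bot: The table list is alphabetical except that `DeviceNetworkInfo` sits before `DeviceInfo`; move `DeviceInfo` up so readers scanning for a table don't miss it. The closing note "Only columns that are generally available can support **Continuous (NRT)** frequency" is ambiguous about whether it restricts tables or columns; if the intent is that a query referencing preview columns of these tables cannot run at the continuous frequency, say so explicitly. This callout also uses `>[!NOTE]` without the space the rest of the change set standardizes on.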
To view all existing custom detection rules, navigate to **Hunting** > **Custom
### View rule details, modify rule, and run rule
-To view comprehensive information about a custom detection rule, go to **Hunting** > **Custom detection rules** and then select the name of rule. You can then view general information about the rule, including information its run status and scope. The page also provides the list of triggered alerts and actions.
+To view comprehensive information about a custom detection rule, go to **Hunting** > **Custom detection rules** and then select the name of rule. You can then view general information about the rule, including information, its run status, and scope. The page also provides the list of triggered alerts and actions.
:::image type="content" source="../../media/custom-detect-rules-view.png" alt-text="The Custom detection rule details page in the Microsoft 365 Defender portal" lightbox="../../media/custom-detect-rules-view.png":::<br> *Custom detection rule details*
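Review bot: The rewritten sentence now reads "including information, its run status, and scope", which leaves "information" dangling; the intended fix is "including its run status and scope". While the line is being edited, "select the name of rule" should be "select the name of the rule".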
security Microsoft 365 Security Center Defender Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud-apps.md
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This simplifies workflows, and adds the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. SOC analysts will be able to triage, investigate and hunt across all Microsoft 365 Defender workloads, including cloud apps.
-Defender for Cloud Apps alerts will continue to appear in Microsoft 365 Defender's incidents queue and alerts queue, but now with relevant content inside the alert pages available in the Microsoft 365 Defender portal, in a unified format with the proper adaptations to each alerts type.
+
+Defender for Cloud Apps **alerts** will continue to appear in Microsoft 365 Defender's incidents queue and alerts queue, but now with relevant content inside the alert pages available in the Microsoft 365 Defender portal, in a unified format with the proper adaptations to each alerts type. For more information, see [Investigate incidents in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-incidents).
Take a look in Microsoft 365 Defender at <https://security.microsoft.com>.
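Review bot: "with the proper adaptations to each alerts type" in the re-added paragraph should be "each alert type"; since the line is being rewritten anyway, fix it here. In the preceding context, "Microsoft 365 Defender will be the home for monitoring…" sits awkwardly next to "is now part of Microsoft 365 Defender"; consider present tense.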
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
+## March 2023
++
+- (Preview) Near real-time custom detection is now available for public preview in advanced hunting custom detections. There is a new [Continuous (NRT)](custom-detection-rules.md) frequency, which checks data from events as they are collected and processed in near real-time.
+ ## February 2023 - (GA) The [query resources report in advanced hunting](advanced-hunting-limits.md#view-query-resources-report-to-find-inefficient-queries) is now generally available. + ## January 2023 - The new version of Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. For details, see [Understand the Defender Experts for Hunting report in Microsoft 365 Defender](defender-experts-report.md).
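Review bot: The [Continuous (NRT)](custom-detection-rules.md) link lands at the top of the custom detection rules article; point it at the frequency step or the new "Tables that support Continuous (NRT) frequency" heading added in this same change set so readers reach the NRT details directly. "in near real-time" as a noun phrase should be "in near real time" (hyphenate only when it modifies a noun, as in "near-real-time view").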
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
For step by step instructions on how to create a payload for use within a simula
For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](attack-simulation-training-insights.md).
+### Predicted compromise rate
+
+One of the most crucial elements in a phishing simulation is the payload selection. If you're tracking only click-through as a quality metric, there's an incentive to decrease the click rate by selecting easier-to-spot phishing payloads. Eventually, it's less likely that the user will change their behavior when a real phishing messages comes along.
+
+To combat the tendency to use low click rate payloads and to maximize educational returns, we've created a new piece of metadata for every global payload called the predicted compromise rate (PCR).
+
+PCR uses historical data across Microsoft 365 that predicts the percentage of people who will be compromised by the payload. The formula is: users compromised / total number of users who receive the simulation. PCR is an intelligent mechanism that's built on information like payload content, compromise rates (aggregated and anonymized), and payload metadata. PCR predicts a more accurate potential compromise rate when the payload is used within a simulation. The benefit of PCR comes from predicting actual vs. predicted click through for a given simulation and payload.
+
+You can also review the overall performance of your organization by measuring the difference between the predicted compromise rate and the actual compromise rate across simulations using the Training efficacy report.
+ > [!NOTE] > Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the **Track user clicks** setting in Safe Links policies is turned off.
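Review bot: "when a real phishing messages comes along" should be "a real phishing message comes along". The last two sentences of the PCR paragraph work against each other: "PCR predicts a more accurate potential compromise rate" (more accurate than what?) and "The benefit of PCR comes from predicting actual vs. predicted click through" (PCR is the prediction; the benefit is comparing it with the actual result). Suggest "The value of PCR comes from comparing the predicted compromise rate with the actual compromise rate for a given simulation and payload", which also lines up with the Training efficacy report sentence that follows. The paragraph defines PCR in terms of compromise but then speaks of "click through"; use one metric name consistently.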
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
description: Admins can learn how Attack simulation training in the Microsoft 365 Defender portal affects users and can gain insights from simulation and training outcomes. search.appverid: met150 Previously updated : 1/31/2023 Last updated : 3/7/2023 # Insights and reports for Attack simulation training in Defender for Office 365
The **Behavior impact on compromise rate** card on the **Overview** tab shows ho
The chart data itself shows the following information: -- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this simulation (users compromised / total number of users who receive the simulation).
+- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this simulation (users compromised / total number of users who receive the simulation). To learn more about the predicted compromise rate (PCR), see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
+ - **Actual compromise rate**: The actual percentage of people who were compromised by the simulation (actual users compromised / total number of users in your organization who received the simulation). If you hover over a data point in the chart, the actual percentage values are shown.
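Review bot: The two definitions in this list word their denominators differently: predicted is "total number of users who receive the simulation", actual is "total number of users in your organization who received the simulation". If both mean the same population, align the phrasing so readers don't infer a difference; with the new cross-link to the PCR section, the get-started article can hold the single authoritative definition.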
security Reports Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md
To view the report, open the [Microsoft 365 Defender portal](https://security.mi
The available views on the **URL protection** report page are described in the following sections.
-> [!NOTE]
-> This is a *protection trend report*, meaning data represents trends in a larger dataset. As a result, the data in the charts is not available in real time here, but the data in the details table is, so you may see a slight discrepancy between the two. The charts are refreshed once every four hours and contain data for the last 90 days. For detailed real-time information, see [View phishing URL and click verdict data](threat-explorer-about.md#view-phishing-url-and-click-verdict-data).
- ### View data by URL click protection action :::image type="content" source="../../media/url-threat-protection-report-url-click-protection-action-view.png" alt-text="The view namely URL click protection action in the URL protection report" lightbox="../../media/url-threat-protection-report-url-click-protection-action-view.png":::
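Review bot: Removing the protection trend report note drops the only explanation of why the charts and the details table can disagree (charts refreshed every four hours with 90 days of data; details table in real time). If that behaviour hasn't changed, keep the note; if it has (the following hunk moves the details table window from 7 to 30 days), update the note rather than delete it, and make sure the pointer to [View phishing URL and click verdict data](threat-explorer-about.md#view-phishing-url-and-click-verdict-data) survives somewhere on the page.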
If you click **Filters**, you can modify the report and the details table by sel
When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
-The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 7 days:
+The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 30 days:
- **Click time** - **User**
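Review bot: The 7 to 30 day change should be checked against every other statement of the details-table range in this article, including any remaining mention of the chart data window described in the note removed in the previous hunk; a single leftover "7 days" would contradict this line.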