Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
threat-intelligence | Security Copilot And Defender Threat Intelligence | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md | Title: Microsoft Security Copilot and Microsoft Defender Threat Intelligence -description: Learn about Microsoft Defender Threat Intelligence capabilities embedded in Security Copilot. -keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins + Title: Microsoft Copilot for Security and Microsoft Defender Threat Intelligence +description: Learn about Microsoft Defender Threat Intelligence capabilities embedded in Copilot for Security. +keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins -# Microsoft Security Copilot (preview) and Microsoft Defender Threat Intelligence +# Microsoft Copilot for Security and Microsoft Defender Threat Intelligence -> [!IMPORTANT] -> The information in this article applies to the Microsoft Security Copilot Early Access Program, which is an invite-only paid preview program. Some information in this article relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided in this article. +Microsoft Copilot for Security is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot). 
-Microsoft Security Copilot is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot). +**Copilot for Security integrates with Microsoft Defender Threat Intelligence** -## Security Copilot integrates with Microsoft Defender Threat Intelligence +Copilot for Security delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Microsoft Defender Threat Intelligence (Defender TI). You can use the prompts and promptbooks to investigate incidents, enrich your hunting flows with threat intelligence information, or gain more knowledge about your organization's or the global threat landscape. -Security Copilot delivers from Microsoft Defender Threat Intelligence (Defender TI) information about threat actors, indicators of compromise (IOCs), and tools, as well as contextual threat intelligence. You can use the prompts and promptbooks to investigate incidents, enrich your hunting flows with threat intelligence information, or gain more knowledge about your organization's or the global threat landscape. --This article introduces you to Security Copilot and includes sample prompts that can help Defender TI users. +This article introduces you to Copilot and includes sample prompts that can help Defender TI users. ## Know before you begin-+- You can use Copilot capabilities to surface threat intelligence in either the [Copilot for Security portal](#using-copilot-for-security-standalone-portal-to-get-threat-intelligence) or the [Microsoft Defender portal](#using-microsoft-copilot-in-defender-to-get-threat-intelligence). 
[Learn more about Copilot for Security experiences](/security-copilot/experiences-security-copilot) - Be clear and specific with your prompts. You might get better results if you include specific threat actor names or IOCs in your prompts. It might also help if you add **threat intelligence** to your prompt, like: - Show me threat intelligence data for Aqua Blizzard. - Summarize threat intelligence data for "malicious.com."-- Be specific when referencing an incident (for example, ΓÇ£incident ID 15324ΓÇ¥).+- Be specific when referencing an incident (for example, "incident ID 15324"). - Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive.-- Security Copilot saves your prompt sessions. To see the previous sessions, from the Security Copilot [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**.-- ![Partial screenshot of the Microsoft Security Copilot Home menu with My sessions highlighted.](media/defender-ti-and-copilot/copilot-my-sessions.png) +- Copilot for Security saves your prompt sessions. To see the previous sessions, from the Copilot [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**. + + ![Partial screenshot of the Microsoft Copilot for Security Home menu with My sessions highlighted.](/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-my-sessions.png) > [!NOTE]- > For a walkthrough on Security Copilot, including the pin and share feature, read [Navigate Microsoft Security Copilot](/security-copilot/navigating-security-copilot). + > For a walkthrough on Copilot, including the pin and share feature, read [Navigate Microsoft Copilot for Security](/security-copilot/navigating-security-copilot). [Learn more about creating effective prompts](/security-copilot/prompting-tips) -## Open Security Copilot --1. 
Go to [Microsoft Security Copilot](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials. -2. Make sure that the Defender TI plugin is turned on. Select the **Security Copilot plugin** icon in the lower-left corner of your screen. +## Using Copilot for Security standalone portal to get threat intelligence - ![Screenshot of the Microsoft Security Copilot home page with the plugin icon at the lower-left corner highlighted.](media/defender-ti-and-copilot/copilot-plugin-button.png) +1. Go to [Microsoft Copilot for Security](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials. +2. Make sure that the Defender TI plugin is turned on. In the prompt bar, select the **Sources** icon ![Screenshot of the Sources icon.](/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-sources-icon.png). + ![Screenshot of the prompt bar in Microsoft Copilot for Security with the Sources icon highlighted.](media/defender-ti-and-copilot/copilot-prompts-bar-sources.png) + + In the **Manage plugins** pop-up window that appears, confirm that the **Microsoft Defender Threat Intelligence** toggle is turned on, then close the window. ![Screenshot of the Manage plugins pop-up window with the Microsoft Defender Threat Intelligence plugin highlighted.](media/defender-ti-and-copilot/copilot-manage-plugins.png) > [!NOTE]- > Some roles can turn the toggle on or off for plugins like Defender TI. For more information, read [Manage plugins in Microsoft Security Copilot](/security-copilot/manage-plugins). + > Some roles can turn the toggle on or off for plugins like Defender TI. For more information, read [Manage plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins). 3. Enter your prompt in the prompt bar. -## Built-in system features +### Built-in system features -Security Copilot has built-in system features that can get data from the different plugins that are turned on. 
+Copilot for Security has built-in system features that can get data from the different plugins that are turned on. To view the list of built-in system capabilities for Defender TI: -1. In the prompt bar, enter **/**. -2. Select **See all system capabilities**. The *ThreatIntelligence.DTI* section lists all the available capabilities for Defender TI that you can use. +1. In the prompt bar, select the **Prompts** icon ![Screenshot of the prompts icon.](/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-prompts-icon.png). -Security Copilot also has the following promptbooks that also deliver information from Defender TI: + ![Screenshot of the prompt bar in Microsoft Copilot for Security with the Prompts icon highlighted.](media/defender-ti-and-copilot/copilot-prompts-bar-prompts.png) -- **Vulnerability impact assessment** - Generates a report summarizing the intelligence for a known vulnerability, including steps on how to address it.-- **Threat actor profile** - Generates a report profiling a known threat actor, including suggestions to defend against their common tools and tactics.+2. Select **See all system capabilities**. The *Microsoft Defender Threat Intelligence* section lists all the available capabilities for Defender TI that you can use. -To view these promptbooks, in the prompt bar, enter \*. +Copilot also has the following promptbooks that also deliver information from Defender TI: +- **Threat actor profile** ΓÇô Generates a report profiling a known threat actor, including suggestions to defend against their common tools and tactics. +- **Vulnerability impact assessment** ΓÇô Generates a report summarizing the intelligence for a known vulnerability, including steps on how to address it. -## Sample prompts for Defender TI +To view these promptbooks, in the prompt bar, select the **Prompts** icon then select **See all promptbooks**. ++### Sample prompts for Defender TI You can use many prompts to get information from Defender TI. 
This section lists some ideas and examples. -### General information about threat intelligence trends +#### General information about threat intelligence trends Get threat intelligence from threat articles and threat actors. Get threat intelligence from threat articles and threat actors. - Summarize the recent threat intelligence. - Show me the latest threat articles.-- Get threat articles associated with the finance industry.+- Get threat articles related to ransomware in the last six months. -### IP address and host contextual information in relation to threat intelligence +#### IP address and host contextual information in relation to threat intelligence Get information on datasets associated with IP addresses and hosts, such as ports, reputation scores, components, certificates, cookies, services, and host pairs. **Sample prompts**: -- Give me the reputation score of the host _\<host name\>_.-- Get open ports for IP address _\<IP address\>_.-- Get the SSL certificates for the IP address _\<IP address\>_.--### Threat actor mapping and infrastructure +- Show me the reputation of the host _\<host name\>_. +- Get resolutions for IP address _\<IP address\>_. +#### Threat actor mapping and infrastructure Get information on threat actors and the tactics, techniques, and procedures (TTPs), sponsored states, industries, and IOCs associated with them. **Sample prompts**: Get information on threat actors and the tactics, techniques, and procedures (TT - Share the TTPs associated with Silk Typhoon. - Share threat actors associated with Russia. -### CVE vulnerability data +#### Vulnerability data by CVE Get contextual information and threat intelligence on Common Vulnerabilities and Exposures (CVEs). Get contextual information and threat intelligence on Common Vulnerabilities and - Show me threat actors associated with CVE-2021-44228. - Show me the threat articles associated with CVE-2021-44228. 
-## Provide feedback --Your feedback on the Defender TI integration with Security Copilot helps with development. To provide feedback, in Security Copilot, select any of the following buttons at the bottom of each completed prompt: +### Provide feedback -- **Looks right** - Select this button if the results are accurate, based on your assessment.-- **Needs improvement** - Select this button if any detail in the results is incorrect or incomplete, based on your assessment.+Your feedback on the Defender TI integration with Copilot for Security helps with development. To provide feedback, in Copilot, select **HowΓÇÖs this response?** At the bottom of each completed prompt and choose any of the following options: +- **Looks right** - Select this button if the results are accurate, based on your assessment. +- **Needs improvement** - Select this button if any detail in the results is incorrect or incomplete, based on your assessment. - **Inappropriate** - Select this button if the results contain questionable, ambiguous, or potentially harmful information. For each feedback button, you can provide more information in the next dialog box that appears. Whenever possible, and when the result is **Needs improvement**, write a few words explaining what can be done to improve the outcome. If you entered prompts specific to Defender TI and the results aren't related, then include that information. +## Using Microsoft Copilot in Defender to get threat intelligence ++Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Microsoft Defender portal. To ensure that you have access to Copilot, see the [Copilot for Security purchase and licensing information](/security-copilot/faq-security-copilot). 
++Once you have access to Copilot for Security, the key features discussed in the next section become accessible in the following *Threat intelligence* sections of the Defender portal: +- Threat analytics +- Intel profiles +- Intel explorer +- Intel projects ++### Key features +Copilot in Defender brings Copilot for SecurityΓÇÖs capability to look up threat intelligence into the portal, letting security teams understand, prioritize, and take action on threat intelligence information immediately. ++You can ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, and Copilot generates responses based on threat analytics reports, intel profiles and articles, and other Defender TI content. You can also select any of the available built-in prompts that let you do the following actions: +- [Summarize](using-copilot-threat-intelligence-defender-xdr.md#summarize-the-latest-threats-related-to-your-organization) the latest threats related to your organization +- [Prioritize](using-copilot-threat-intelligence-defender-xdr.md#prioritize-which-threats-to-focus-on) which threats to focus on based on your environment's highest exposure level to these threats +- [Ask](using-copilot-threat-intelligence-defender-xdr.md#ask-about-the-threat-actors-targeting-the-communications-infrastructure) about the threat actors targeting the communications infrastructure ++[Learn more about using Copilot in Defender for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md) + ## Data processing and privacy -When you interact with the Security Copilot to get Defender TI data, Security Copilot pulls that data from Defender TI. The prompts, the data retrieved, and the output shown in the prompt results are processed and stored within the Security Copilot service. 
[Learn more about privacy and data security in Microsoft Security Copilot](/security-copilot/privacy-data-security) +When you interact with Copilot for Security to get Defender TI data, Copilot pulls that data from Defender TI. The prompts, the data retrieved, and the output shown in the prompt results are processed and stored within the Copilot service. [Learn more about privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security) ### See also--- [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot)-- [Privacy and data security in Microsoft Security Copilot](/security-copilot/privacy-data-security)+- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot) +- [Privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security) +- [Using Microsoft Copilot for Security for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md) |
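Review bot: In security-copilot-and-defender-threat-intelligence.md, the new sentence under "Using Microsoft Copilot in Defender to get threat intelligence" has its words out of order: "Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Microsoft Defender portal." Suggest "Each authenticated Copilot for Security user gains access to Defender TI within the Microsoft Defender portal." Two smaller points in the same change: in "Provide feedback", "select **How's this response?** At the bottom of each completed prompt" should lowercase "at", since it continues the sentence; and "Copilot also has the following promptbooks that also deliver information from Defender TI" doubles "also", so drop one.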
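Review bot: The new image references in security-copilot-and-defender-threat-intelligence.md mix absolute and relative paths for files in the same folder: `/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-my-sessions.png`, `.../copilot-sources-icon.png` and `.../copilot-prompts-icon.png` use the absolute form, while `media/defender-ti-and-copilot/copilot-prompts-bar-sources.png`, `.../copilot-manage-plugins.png` and `.../copilot-prompts-bar-prompts.png` use the relative form. Pick one form for the whole file; the relative `media/...` form is what the unchanged references already use.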
threat-intelligence | Using Copilot Threat Intelligence Defender Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr.md | + + Title: Use Microsoft Copilot for Security for threat intelligence +description: Learn about Copilot for Security embedded experience in Microsoft Defender for Microsoft Defender Threat Intelligence. +keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins ++++ms.localizationpriority: medium ++audience: ITPro ++ - Tier1 + Last updated : 03/15/2024+++# Using Microsoft Copilot for Security for threat intelligence ++**Applies to:** +- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) ++Microsoft Copilot in Defender applies the capabilities of [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) to deliver Microsoft Defender Threat Intelligence (Defender TI) information about threat actors and tools, as well as contextual threat intelligence, directly into the Microsoft Defender portal. Based on threat analytics reports, intel profiles, and other available Defender TI content, you can use Copilot in Defender to summarize the latest threats affecting your organization, know which threats to prioritize based on your exposure level, or gain more knowledge about your organization's or the global threat landscape. ++> [!NOTE] +> Defender TI capabilities are also available in Copilot for Security standalone experience through the Microsoft Defender Threat Intelligence plugin. 
[Learn more about Defender TI integration with Copilot for Security](security-copilot-and-defender-threat-intelligence.md) ++## Technical requirements ++Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal. [Learn how you can get started with Copilot for Security](/security-copilot/get-started-security-copilot) ++## Accessing Copilot in Defender for threat intelligence content ++You can experience Copilot for SecurityΓÇÖs capability to look up threat intelligence in the following pages of the Defender portal: +- Threat analytics +- Intel profiles +- Intel explorer +- Intel projects ++## Try your first request +1. Open any of the pages mentioned previously from the Defender portal navigation bar. The Copilot side pane appears on the right hand side. ++ :::image type="content" source="/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png" alt-text="Screenshot of the Microsoft Defender portal Threat analytics page with the open Microsoft Copilot in Defender side pane highlighted." lightbox="/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png"::: ++ You can also reopen Copilot by selecting the **Copilot icon** ![Screenshot of the Copilot icon in the Microsoft Defender portal.](media/defender-ti-and-copilot/copilot-defender-icon.png) at the top of the page. +2. In the Copilot prompt bar, ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, then select the **Send message** icon ![Screenshot of the Send message icon in Copilot in Defender.](medi#sample-prompts-for-defender-ti) ++3. Copilot generates a response from your text instruction or question. While Copilot is generating, you can cancel the response by selecting **Stop generating**. 
+ + ![Screenshot of Copilot in Defender generating a response to the prompt "Give me an overview of the latest threats to my organization".](media/defender-ti-and-copilot/copilot-defender-generate-response.png) ++4. Review the generated response. Copilot typically generates responses that include summaries and links to related Defender TI intel profiles and articles. ++ ![Partial screenshot of a response generated by Copilot in Defender.](media/defender-ti-and-copilot/copilot-defender-response.png) ++5. You can provide feedback about the generated response by selecting the **Provide feedback** icon ![Screenshot of the Provide feedback icon in Copilot in Defender.](media/defender-ti-and-copilot/copilot-defender-feedback.png) and choosing **Confirmed, it looks great**; **Off-target, inaccurate**; or **Potentially harmful, inappropriate**. [Learn more](/microsoft-365/security/defender/security-copilot-in-microsoft-365-defender#data-security-and-feedback-in-copilot) +6. To start a new chat session with Copilot, select the **New chat** icon ![Screenshot of the New chat icon in Copilot in Defender.](media/defender-ti-and-copilot/copilot-defender-new-chat.png). ++> [!NOTE] +> Copilot saves your sessions from the Defender portal in the [Copilot for Security standalone portal](https://go.microsoft.com/fwlink/?linkid=2247989). To see the previous sessions, from the Copilot [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**. [Learn more about navigating Microsoft Copilot for Security](/security-copilot/navigating-security-copilot) ++> [!IMPORTANT] +> Copilot in Defender starts a new chat session every time you navigate to a different *Threat intelligence* page (for example, when you go from *Threat analytics* to *Intel profiles*) in the Defender portal. If you wish to go back or continue a previous session, go to the Copilot for Security standalone site. 
++## Use the built-in Defender TI prompts ++Copilot in Defender also has the following built-in prompts when accessing the *Threat intelligence* pages to get you started: ++- [Summarize](#summarize-the-latest-threats-related-to-your-organization) +- [Prioritize](#prioritize-which-threats-to-focus-on) +- [Ask](#ask-about-the-threat-actors-targeting-the-communications-infrastructure) +++### Summarize the latest threats related to your organization +Gathering and digesting threat intelligence data and trends can be a daunting task, especially when they come from multiple data sets and sources. Choose the **Summarize** prompt if you want Copilot to give you an overview of the latest threats in your environment. Copilot lists and summarizes relevant campaigns, activities, and threat actors, and includes links to related threat analytics reports or intel profiles for more information. ++### Prioritize which threats to focus on +Copilot provides insights on which threats you should prioritize and focus on based on your environment's highest exposure level to these threats. Choose the **Prioritize** prompt if you want to find out which threats are likely to significantly impact your organization. This prompt gives you a starting point and could thus make triaging, investigating, and mitigating incidents less complex. ++### Ask about the threat actors targeting the communications infrastructure ++An important aspect of threat intelligence is keeping up to date with the global threat landscape. Choose the **Ask** prompt if you want Copilot to summarize the latest threat articles about threat actors that target the communications infrastructure so you can gather information on their latest TTPs or campaigns, and promptly assess and apply mitigation or prevention strategies. 
++### See also +- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot) +- [Microsoft Copilot for Security and Microsoft Defender Threat Intelligence](security-copilot-and-defender-threat-intelligence.md) |
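Review bot: In using-copilot-threat-intelligence-defender-xdr.md, the "Technical requirements" sentence repeats the awkward word order from the companion article: "Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal." Suggest "Each authenticated Copilot for Security user gains access to Defender TI within the Defender portal." Also, in "Try your first request" step 1, "right hand side" should be hyphenated as "right-hand side", and the NOTE "available in Copilot for Security standalone experience" is missing the article: "available in the Copilot for Security standalone experience".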
enterprise | Urls And Ip Address Ranges 21Vianet | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet.md | Title: "URLs and IP address ranges for Microsoft 365 operated by 21Vianet" Previously updated : 12/01/2023 Last updated : 03/29/2024 audience: ITPro hideEdit: true **Microsoft 365 endpoints:** [Worldwide (including GCC)](urls-and-ip-address-ranges.md) | *Microsoft 365 operated by 21 Vianet* | [Microsoft 365 U.S. Government DoD](microsoft-365-u-s-government-dod-endpoints.md) | [Microsoft 365 U.S. Government GCC High](microsoft-365-u-s-government-gcc-high-endpoints.md) | -**Last updated:** 12/01/2023 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) +**Last updated:** 03/29/2024 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) **Download:** all required and optional destinations in one [JSON formatted](https://endpoints.office.com/endpoints/China?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) list. |
enterprise | Urls And Ip Address Ranges | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges.md | Title: "Microsoft 365 URLs and IP address ranges" Previously updated : 01/30/2024 Last updated : 03/29/2024 audience: Admin Microsoft 365 requires connectivity to the Internet. The endpoints below should |Notes|Download|Use| ||||-|**Last updated:** 01/30/2024 - ![RSS.](../medi#pacfiles)| +|**Last updated:** 03/29/2024 - ![RSS.](../medi#pacfiles)| | Start with [Managing Microsoft 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don't yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly. |
includes | Microsoft 365 Multi Geo Locations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-multi-geo-locations.md | Previously updated : 05/24/2023 Last updated : 04/01/2024 | Geo location | Code | eDiscovery data location | |:|:-|:| |Macro Region Geography 2 - Asia-Pacific |APC |Southeast or East Asia datacenters| |Australia |AUS |Southeast or East Asia datacenters| |Brazil |BRA |(eDiscovery data location coming soon)| -|Canada |CAN |Canada datacenters | +|Canada |CAN |- eDiscovery (Premium): Canada datacenters <br> - eDiscovery (Standard): US datacenters| |Macro Region Geography 1 - EMEA |EUR |Europe datacenters | |France |FRA |Europe datacenters | |Germany |DEU |Europe datacenters | |
security | Data Storage Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md | |
security | Manage Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-security-policies.md | Title: Manage endpoint security policies in Microsoft Defender for Endpoint description: Learn how to set windows, mac, and linux endpoint security policies such as antivirus, firewall, endpoint detection and response in Microsoft Defender for Endpoint. --++ ms.localizationpriority: medium audience: ITPro |
security | Troubleshoot Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md | If the script fails and the event is an error, you can check the event ID in the > [!NOTE] > The following event IDs are specific to the onboarding script only. -<br> --**** - |Event ID|Error Type|Resolution steps| |::||| |`5`|Offboarding data was found but couldn't be deleted|Check the permissions on the registry, specifically <p> `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.| If the script fails and the event is an error, you can check the event ID in the |`40`|SENSE service onboarding status isn't set to **1**|The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).| |`65`|Insufficient privileges|Run the script again with administrator privileges.| |`70`|Offboarding script is for a different organization|Get an offboarding script for the correct organization that the SENSE service is onboarded to.|-| ### Troubleshoot onboarding issues using Microsoft Intune If none of the event logs and troubleshooting steps work, download the Local scr #### Microsoft Intune error codes and OMA-URIs -<br> --**** - |Error Code Hex|Error Code Dec|Error Description|OMA-URI|Possible cause and troubleshooting steps| |::||||| |0x87D1FDE8|-2016281112|Remediation failed|Onboarding <p> Offboarding|**Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <p> **Troubleshooting steps:** <p> Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section. 
<p> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows](/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10).| If none of the event logs and troubleshooting steps work, download the Local scr ||||SenseIsRunning <p> OnboardingState <p> OrgId|**Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <p> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device). <p> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows](/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10).| ||||All|**Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU. <p> Currently supported platforms: <p> Enterprise, Education, and Professional.<p> Server isn't supported.| |0x87D101A9|-2016345687|SyncML(425): The requested command failed because the sender doesn't have adequate access control permissions (ACL) on the recipient.|All|**Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU.<p> Currently supported platforms: <p> Enterprise, Education, and Professional.|-| #### Known issues with non-compliance The following table provides information on issues with non-compliance and how you can address the issues. -<br> --**** - |Case|Symptoms|Possible cause and troubleshooting steps| |::||| |`1`|Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs.|**Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. 
<p> **Troubleshooting steps:** Wait for OOBE to complete.| |`2`|Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI.|**Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start. <p> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.| |`3`|Device is non-compliant|**Troubleshooting steps:** Ensure that Onboarding and Offboarding policies aren't deployed on the same device at same time.|-| #### Mobile Device Management (MDM) event logs Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider Channel name: Admin -<br> --**** - |ID|Severity|Event description|Troubleshooting steps| ||||| |1819|Error|Microsoft Defender for Endpoint CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3).|Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).|-| ## Troubleshoot onboarding issues on the device If the deployment tools used do not indicate an error in the onboarding process, 6. Events which can indicate issues appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table: - <br> -- **** - |Event ID|Message|Resolution steps| |::||| |`5`|Microsoft Defender for Endpoint service failed to connect to the server at _variable_|[Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).| If the deployment tools used do not indicate an error in the onboarding process, |`64`|Starting stopped external service. Name: %1, exit code: %2|Contact support if the event keeps re-appearing.| |`68`|The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3|Identify what is causing changes in start type. 
Fix mentioned service start type.| |`69`|The service is stopped. Service name: %1|Start the mentioned service. Contact support if the issue persists.|- | There are additional components on the device that the Microsoft Defender for Endpoint agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender for Endpoint agent event log, proceed with the following steps to ensure that the additional components are configured correctly. If the verification fails and your environment is using a proxy to connect to th :::image type="content" source="media/atp-disableantispyware-regkey.png" alt-text="The registry key for Microsoft Defender Antivirus" lightbox="media/atp-disableantispyware-regkey.png"::: > [!NOTE]- > All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system. - > - > Example default configurations for WdBoot and WdFilter: + > All Windows Defender services (`wdboot`, `wdfilter`, `wdnisdrv`, `wdnissvc`, and `windefend`) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system. Example default configurations for `WdBoot` and `WdFilter`: > > - `<Key Path="SYSTEM\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>` > - `<Key Path="SYSTEM\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>`+ > + > If Microsoft Defender Antivirus is in passive mode, these drivers are set to manual (`0`). ## Troubleshoot onboarding issues > [!NOTE]-> The following troubleshooting guidance is only applicable for Windows Server 2016 and lower. +> The following troubleshooting guidance is only applicable for Windows Server 2016 and earlier versions of Windows Server. 
If you encounter issues while onboarding a server, go through the following verification steps to address possible issues. - - [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints.md) - [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints.md) The steps below provide guidance for the following scenario: :::image type="content" source="media/mecm-28.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-28" lightbox="media/mecm-28.png"::: - The status is then displayed :::image type="content" source="media/mecm-29.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-29" lightbox="media/mecm-29.png"::: |
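Review bot: the added sentence "If Microsoft Defender Antivirus is in passive mode, these drivers are set to manual (`0`)" conflicts with the two example lines directly above it, which give `Start` = `0` as the *default* configuration for `WdBoot` and `WdFilter`; in the Windows service `Start` value scheme `0` is boot start and manual (demand start) is `3`, so either the value or the word "manual" is wrong and the sentence cannot be correct as written. Please fix one or the other before merging so the note does not describe passive mode with the same value it just called the default. The rewording of the scope note to "Windows Server 2016 and earlier versions of Windows Server" is fine.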
security | Advanced Hunting Security Copilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-security-copilot.md | Title: Microsoft Security Copilot in advanced hunting -description: Create Microsoft Security Copilot advanced hunting (NL2KQL) plugin generate a KQL query for you. -keywords: advanced hunting, threat hunting, cyber threat hunting, Security Copilot, AI, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down + Title: Microsoft Copilot for Security in advanced hunting +description: Learn how Microsoft Copilot for Security advanced hunting (NL2KQL) plugin can generate a KQL query for you. +keywords: advanced hunting, threat hunting, cyber threat hunting, Security Copilot, AI, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down, copilot for security advanced hunting, Microsoft Copilot for Security search.product: eADQiWindows 10XVcnh search.appverid: met150 -# Microsoft Security Copilot in advanced hunting +# Microsoft Copilot for Security in advanced hunting **Applies to:** +- Microsoft Defender - Microsoft Defender XDR -> [!IMPORTANT] -> The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +## Copilot for Security in advanced hunting -## Security Copilot in advanced hunting +[Microsoft Copilot for Security in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting. 
-[Microsoft Security Copilot in Microsoft Defender XDR](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting. --Threat hunters or security analysts who are not yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Security Copilot then generates a KQL query that corresponds to the request using the advanced hunting data schema. +Threat hunters or security analysts who are not yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Copilot for Security then generates a KQL query that corresponds to the request using the advanced hunting data schema. This feature reduces the time it takes to write a hunting query from scratch so that threat hunters and security analysts can focus on hunting and investigating threats. -Users with access to Security Copilot have access to this capability in advanced hunting. +Users with access to Copilot for Security have access to this capability in advanced hunting. > [!NOTE]-> The advanced hunting capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). +> The advanced hunting capability is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). ## Try your first request-1. Open the **advanced hunting** page from the navigation bar in Microsoft Defender XDR. The Security Copilot side pane for advanced hunting appears at the right hand side. 
- :::image type="content" source="../../media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of Security Copilot pane in advanced hunting." lightbox="../../media/advanced-hunting-security-copilot-pane.png"::: +1. Open the **advanced hunting** page from the navigation bar in Microsoft Defender XDR. The Copilot for Security side pane for advanced hunting appears at the right hand side. ++ :::image type="content" source="../../media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="../../media/advanced-hunting-security-copilot-pane-big.png"::: - You can also reopen Security Copilot by selecting ![Security Copilot button](../../media/security-copilot-ah-button.png) at the top of the query editor. -1. In the Security Copilot prompt bar, ask any threat hunting query that you want to run and press ![Send icon](../../media/Send.png) or **Enter** . + You can also reopen Copilot by selecting **Copilot** at the top of the query editor. +1. In the Copilot prompt bar, ask any threat hunting query that you want to run and press ![Send icon](../../media/Send.png) or **Enter** . - :::image type="content" source="../../media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows Prompt bar in the Security Copilot for advanced hunting." lightbox="../../media/advanced-hunting-security-copilot-query.png"::: + :::image type="content" source="../../media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Copilot for Security for advanced hunting." lightbox="../../media/advanced-hunting-security-copilot-query-big.png"::: -1. Security Copilot generates a KQL query from your text instruction or question. While Security Copilot is generating, you can cancel the query generation by selecting **Cancel**. +1. Copilot generates a KQL query from your text instruction or question. 
While Copilot is generating, you can cancel the query generation by selecting **Stop generating**. - :::image type="content" source="../../media/advanced-hunting-security-copilot-generate.png" alt-text="Screenshot of Security Copilot in advanced hunting generating a response." lightbox="../../media/advanced-hunting-security-copilot-generate.png"::: + ![Screenshot of Copilot for Security in advanced hunting generating a response.](../../media/advanced-hunting-security-copilot-generate.png) 1. Review the generated query. You can then choose to run the query by selecting **Add and run**. - :::image type="content" source="../../media/advanced-hunting-security-copilot-run-query.png" alt-text="Screenshot of Security Copilot button showing Add the query to query editor and run." lightbox="../../media/advanced-hunting-security-copilot-run-query.png"::: + ![Screenshot of Copilot button showing Add the query to query editor and run.](../../media/advanced-hunting-security-copilot-run-query.png) The generated query then appears as the last query in the query editor and runs automatically. If you need to make further tweaks, select **Add to editor**. - :::image type="content" source="../../media/advanced-hunting-security-copilot-add-editor.png" alt-text="Screenshot of Security Copilot in advanced hunting showing the Add to editor option." lightbox="../../media/advanced-hunting-security-copilot-add-editor.png"::: + ![Screenshot of Copilot for Security in advanced hunting showing the Add to editor option.](../../media/advanced-hunting-security-copilot-add-editor.png) The generated query appears in the query editor as the last query, where you can edit it before running using the regular **Run query** above the query editor. -1. You can provide feedback about the generated response by selecting the feedback **smiley icon** and choosing **Confirm**, **Off-target**, or **Report**. +1. 
You can provide feedback about the generated response by selecting the feedback icon ![Screenshot of feedback icon](../../media/advanced-hunting-security-copilot-feedback-icon.png) and choosing **Confirm**, **Off-target**, or **Potentially harmful**. - > [!TIP]-> Providing feedback is an important way to let the Microsoft Security Copilot team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used. +> Providing feedback is an important way to let the Copilot for Security team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used. ## Query sessions -You can start your first session anytime by asking a question in the Security Copilot side pane in advanced hunting. Your session contains the requests you made using your user account. Closing the side pane or refreshing the advanced hunting page does not discard the session. You can still access the generated queries should you need them. +You can start your first session anytime by asking a question in the Copilot side pane in advanced hunting. Your session contains the requests you made using your user account. Closing the side pane or refreshing the advanced hunting page does not discard the session. You can still access the generated queries should you need them. -Select the trash icon (**Clear session**) to discard the current session. +Select the chat bubble icon (**New chat**) to discard the current session. 
+ ![Screenshot of Copilot for Security in advanced hunting showing the new chat icon.](../../media/advanced-hunting-security-copilot-clear-session.png) ## Modify settings -Select the gear icon in the Security Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting. +Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting. + ![Screenshot of Copilot for Security in advanced hunting showing the settings ellipses icon.](../../media/advanced-hunting-security-copilot-settings.png) Deselecting the **Run generated query automatically** setting gives you the option of running the generated query automatically (**Add and run**) or adding the generated query to the query editor for further modification (**Add to editor**). |
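Review bot: product naming is inconsistent within this hunk: the heading and intro are rebranded to "Microsoft Copilot for Security in Microsoft Defender", but step 1 still says "from the navigation bar in Microsoft Defender XDR", and the "Applies to" list now carries both "Microsoft Defender" and "Microsoft Defender XDR" with no indication of how the two differ; pick one form or state the distinction. Two smaller points: the new description line is missing an article ("Learn how the Microsoft Copilot for Security advanced hunting (NL2KQL) plugin can generate a KQL query for you"), and the new alt text "Screenshot that shows prompt bar in the Copilot for Security for advanced hunting" reads awkwardly ("Screenshot of the Copilot for Security prompt bar in advanced hunting"). Also, the three `:::image` directives replaced by plain `![...]()` markdown lose the lightbox view that the remaining directives keep; confirm that is intentional.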
security | Api Advanced Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-advanced-hunting.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 04/01/2024 # Microsoft Defender XDR Advanced hunting API |
security | Copilot In Defender Device Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/copilot-in-defender-device-summary.md | + + Title: Summarize device information with Microsoft Copilot in Microsoft Defender +description: Generate a summary for devices with Microsoft Copilot in Microsoft Defender. ++f1.keywords: + - NOCSH +++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - tier1 ++search.appverid: + - MOE150 + - MET150 Last updated : 04/01/2024+++# Summarize device information with Microsoft Copilot in Microsoft Defender +++**Applies to:** ++- Microsoft Defender XDR +- Microsoft Defender unified security operations center (SOC) platform ++[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal helps security teams in speeding up device inspection through AI-powered investigation capabilities. ++Security operations teams are tasked to sift through device data to find suspicious activities or entities to prevent malicious attacks. These teams need to summarize large amounts of data and simplify complex information to quickly assess, triage, and connect a device's status and activities to potentially malicious attacks. ++The device summary capability of Copilot in Defender enables security teams to get a device's security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device's summary to speed up their investigation of incidents and alerts. ++The device summary capability is available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin. 
++## Summarize device information ++The device summary generated by Copilot contains noteworthy information about the device, including: ++- The status of important Defender XDR protection capabilities, like attack surface reduction and tamper protection +- Any significant user activity observed, like unusual log in attempts +- A list of vulnerable software installed in the device +- The status of other security features, like firewall settings, that contribute to the device's risk +- Other notable insights that signify the device's status, like when the device was last seen active +- Device insights delivered by Microsoft Intune, like information on the device's primary user, device group, or discovered apps ++You can access the device summary capability through the following ways: ++1. From the main menu, open the Device inventory page by selecting **Devices** under Assets. Choose a device to investigate from the list. Upon opening the device page, Copilot automatically summarizes the device information of the chosen device and displays the summary in the Copilot pane. + :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page-small.png" alt-text="Screenshot of the device summary results in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page.png"::: +2. From an incident page, you can choose a device on the incident graph and then select **Device details** (1). On the device pane, select **Summarize** (2) to generate the device summary. The summary is displayed in the Copilot pane. + :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-ΓÇîincident-small.png" alt-text="Screenshot highlighting the steps to access the device summary in an incident page in Copilot in Defender." 
lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-ΓÇîincident.png"::: + You can also access the device summary capability by choosing a device listed in the **Assets** tab of an incident. Select **Copilot** in the device pane to generate the device summary. + :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets.png"::: ++Review the results. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card. ++You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](../../media/copilot-in-defender/copilot-defender-feedback.png). ++## See also ++- [Run script analysis](security-copilot-m365d-script-analysis.md) +- [Analyze files](copilot-in-defender-file-analysis.md) +- [Summarize an incident](security-copilot-m365d-incident-summary.md) +- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md) +- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) +- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) +- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins) + |
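Review bot: the `source` and `lightbox` paths for the incident-page screenshot contain a non-printing or mis-encoded character sequence (`...device-summary-ΓÇîincident-small.png`) between `summary-` and `incident`; a hidden character in a file name is easily dropped on a later edit and will silently break the image reference, so rename the files and references to plain ASCII. Minor wording: "unusual log in attempts" should be "unusual sign-in attempts", and "vulnerable software installed in the device" should be "on the device".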
security | Copilot In Defender File Analysis | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/copilot-in-defender-file-analysis.md | + + Title: Analyze files with Microsoft Copilot in Microsoft Defender +description: Analyze files with Microsoft Copilot in Microsoft Defender. ++f1.keywords: + - NOCSH +++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - tier1 ++search.appverid: + - MOE150 + - MET150 Last updated : 03/28/2024+++# File analysis with Microsoft Copilot in Microsoft Defender +++**Applies to:** ++- Microsoft Defender XDR +- Microsoft Defender unified security operations center (SOC) platform ++[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities. ++Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques. ++The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment. ++The file analysis capability is available in Microsoft Defender through the [Copilot for Security license](/security-copilot/faq-security-copilot). 
Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. ++## Analyze a file ++The file analysis results generated by Copilot usually contains the following information: ++- **Overview** - contains an assessment of the file, including a detection name when the file is malicious/potentially unwanted, important file information like certificates and signer, and a summary of the contents of the file that contributes to the assessment. +- **Details** - highlights *Strings* found in the file, lists *API calls* that the file uses, and lists information of the file's relevant *Certificates*. ++> [!NOTE] +> The analysis results vary depending on the contents of the file. ++You can access the file analysis capability through the following ways: ++1. Open a file page. Copilot automatically generates an analysis upon opening a file page. The results, which shows the overview information by default, are then displayed on the Copilot pane. + :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-small.png" alt-text="Screenshot of the file analysis results in Copilot in Defender with the Show details option highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis.png"::: + Select **Show details** (shown above) to display the full results or **Hide details** (highlighted below) to minimize the results. + :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-hide-small.png" alt-text="Screenshot of the file analysis results in Copilot in Defender with the Hide details option highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-hide.png"::: +2. From an incident page, choose a file to investigate in the [attack story](investigate-incidents.md#attack-story) graph. 
You can also choose a file to investigate in an alert page. + :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-attack-story-small.png" alt-text="Screenshot of the attack story graph with the file entities highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-attack-story.png"::: + Select a file to investigate then select **Analyze** on the side pane to begin analysis. The results are then displayed on the Copilot pane. + :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-file-pane-small.png" alt-text="Screenshot of the incident page with the file analysis button highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-file-pane.png"::: ++You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the file analysis card. ++Always review the results generated by Copilot in Defender. Select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](../../media/copilot-in-defender/copilot-defender-feedback.png) at the bottom of the Copilot pane to provide feedback. ++## See also ++- [Run script analysis](security-copilot-m365d-script-analysis.md) +- [Summarize an incident](security-copilot-m365d-incident-summary.md) +- [Generate device summary](copilot-in-defender-device-summary.md) +- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md) +- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) +- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins) +- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) + |
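Review bot: subject-verb agreement in two added sentences: "The file analysis results generated by Copilot usually contains the following information" should be "contain", and "The results, which shows the overview information by default, are then displayed" should be "which show". In step 2, "Select a file to investigate then select **Analyze**" needs "and then" (or a comma) between the two actions.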
security | Data Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/data-privacy.md | Title: Microsoft Defender XDR data security and privacy description: Describes the privacy and data security of the service. f1.keywords: - NOCSH |
security | Integrate Microsoft 365 Defender Secops Plan | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-plan.md | Title: Step 1. Plan for Microsoft Defender XDR operations readiness description: The basics of planning for Microsoft Defender XDR operations readiness when integrating Microsoft Defender XDR into your security operations. -keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, secops, security operations, soc -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Integrate Microsoft 365 Defender Secops Readiness | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-readiness.md | Title: Step 2. Perform a SOC integration readiness assessment using the Zero Trust Framework description: The basics of performing a SOC integration readiness assessment using the Zero Trust Framework when integrating Microsoft Defender XDR into your security operations. -keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, secops, security operations, soc -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH Last updated 07/15/2021 Once the core functions of the Security Operations Center (SOC) team are defined, the next step for your organization is to prepare for the adoption of Microsoft Defender XDR through a [Zero Trust approach](/security/zero-trust/). Adoption can help you determine the requirements needed for deploying Microsoft Defender XDR using modern industry-leading practices, while evaluating Microsoft Defender XDR's capabilities against your environment. -This approach is based on a strong foundation of protections and includes key areas such as identity, endpoints (devices), data, apps, infrastructure, and networking. The Readiness Assessment team will determine the areas where a foundational requirement for enabling Microsoft Defender XDR has not yet been met and will need remediation. +This approach is based on a strong foundation of protections and includes key areas such as identity, endpoints (devices), data, apps, infrastructure, and networking. The Readiness Assessment team determines the areas where a foundational requirement for enabling Microsoft Defender XDR hasn't yet been met and what needs remediation. 
-The following are some of the items that will need to be remediated in order for the SOC to fully optimize processes in the SOC: +The following list provides some examples of things that must be remediated in order for the SOC to fully optimize processes in the SOC: - **Identity:** Legacy on-premises Active Directory Domain Services (AD DS) domains, no MFA plan, no inventory of privileged accounts, and others. - **Endpoints (devices):** Large number of legacy operating systems, limited device inventory, and others.-- **Data and apps:** Lack of data governance standards, no inventory of custom apps that won't integrate.+- **Data and apps:** Lack of data governance standards, or no inventory of custom apps that won't integrate. - **Infrastructure:** Large number of unsanctioned SaaS licenses, no container security, and others. - **Networking:** Performance issues due to low bandwidth, flat network, wireless security issues, and others. -Organizations should also follow the [turning on Microsoft Defender XDR](m365d-enable.md) article to capture the baseline set of configuration requirements. These steps will in turn determine remediation activities the SOC teams will have to carry out to effectively develop use cases. +Use the guidance in [turning on Microsoft Defender XDR](m365d-enable.md) to capture the baseline set of configuration requirements. These steps will in turn determine remediation activities the SOC teams have to carry out to effectively develop use cases. Adoption procedures and use case creation are described in Steps 3 and 4. |
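Review bot: the rewritten lead sentence "some examples of things that must be remediated in order for the SOC to fully optimize processes in the SOC" repeats "the SOC"; suggest "for the SOC to fully optimize its processes". The link text "turning on Microsoft Defender XDR" is now a gerund inside an imperative sentence ("Use the guidance in ..."); it should match the target article's title as written.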
security | Integrate Microsoft 365 Defender Secops Roles | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-roles.md | Title: Step 4. Define Microsoft Defender XDR roles, responsibilities, and oversight description: The basics of defining roles, responsibilities, and oversight when integrating Microsoft Defender XDR into your security operations. -keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, Microsoft 365, incident response, cyber-attack, secops, security operations, soc -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Integrate Microsoft 365 Defender Secops Tasks | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-tasks.md | Title: Step 6. Identify SOC maintenance tasks description: Identify SOC maintenance tasks when integrating Microsoft Defender XDR into your security operations. -keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, secops, security operations, soc -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Integrate Microsoft 365 Defender Secops Use Cases | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-use-cases.md | Title: Step 5. Develop and test use cases description: The basics of developing and testing use cases when integrating Microsoft Defender XDR into your security operations. -keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, secops, security operations, soc -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Integrate Microsoft 365 Defender Secops | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops.md | Title: Integrating Microsoft Defender XDR into your security operations description: The basics of integrating Microsoft Defender XDR into your security operations. -keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, secops, security operations, soc -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Investigate Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md | Title: Investigate incidents in Microsoft Defender XDR description: Investigate incidents related to devices, users, and mailboxes. -keywords: incident, incidents, attack story, analyze, response, machines, devices, users, identities, mail, email, mailbox, investigation, graph, evidence -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Investigate Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md | Title: Investigate users in Microsoft Defender XDR description: Investigate users for an incident in the Microsoft Defender portal. -keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps, incident, analyze, response ms.localizationpriority: medium f1.keywords: - NOCSH |
security | Manage Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md | Title: Manage incidents in Microsoft Defender XDR + Title: Manage incidents in Microsoft Defender description: Learn how to assign, update the status, f1.keywords: -# Manage incidents in Microsoft Defender XDR +# Manage incidents in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] Last updated 03/28/2024 **Applies to:** - Microsoft Defender XDR+- Microsoft Defender unified security operations center (SOC) platform Incident management is critical to ensuring that incidents are named, assigned, and tagged to optimize time in your incident workflow and more quickly contain and address threats. Here are the ways you can manage your incidents: - [Specify its classification](#specify-the-classification) - [Add comments](#add-comments) - Assess the activity audit and add comments in the [Activity log](#activity-log)+- [Export incident data to PDF](#export-incident-data-to-pdf) You can manage incidents from the **Manage incident** pane for an incident. Here's an example. In cases where you want to move alerts from one incident to another, you can als ## Edit the incident name -Microsoft Defender XDR automatically assigns a name based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. The incident name allows you to quickly understand the scope of the incident. For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* +Microsoft Defender automatically assigns a name based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. The incident name allows you to quickly understand the scope of the incident. 
For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* You can edit the incident name from the **Incident name** field on the **Manage incident** pane. You can also add your own comments using the comment box available within the ac :::image type="content" source="../../media/incidents-queue/fig5-res-manageincidents.png" alt-text="Highlighting the comment box from the incident page in the Microsoft Defender portal" lightbox="../../media/incidents-queue/fig5-manageincidents.png"::: +## Export incident data to PDF ++> [!IMPORTANT] +> Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> +> The export incident data feature is currently available to Microsoft Defender XDR and Microsoft Defender unified security operations center (SOC) platform customers with the Microsoft Copilot for security license. ++You can export an incidentΓÇÖs data to PDF through the **Export incident as PDF** function and save it into PDF format. This function allows security teams to review an incidentΓÇÖs details offline at any given time. 
++The incident data exported includes the following information: ++- An overview containing the incident details +- The [attack story](investigate-incidents.md#attack-story) graph and threat categories +- The impacted [assets](investigate-incidents.md#assets), covering up to 10 assets for each asset type +- The [evidence list](investigate-incidents.md#evidence-and-response) covering up to 100 items +- Supporting data, including all [related alerts](investigate-incidents.md#alerts) and activities recorded in the [activity log](#activity-log) ++Here's an example of the exported PDF: +++If you have the [Copilot for Security](/security-copilot/microsoft-security-copilot) license, the exported PDF contains the following additional incident data: ++- [Incident summary](security-copilot-m365d-incident-summary.md) +- [Incident report](security-copilot-m365d-create-incident-report.md) ++The export to PDF function is also available in the Copilot side panel of a generated incident report. ++![Screenshot of additional actions in the incident report results card.](../../media/incidents-queue/export-incident-more-actions1.png) ++To generate the PDF, perform the following steps: ++1. Open an incident page. Select the **More actions** ellipsis (...) on the upper right corner and choose **Export incident as PDF**. The function becomes grayed out while the PDF is being generated. ++ :::image type="content" source="../../media/incidents-queue/export-incident-main-small.png" alt-text="Screenshot highlighting the export incident to PDF option." lightbox="../../media/incidents-queue/export-incident-main.png"::: ++1. A dialog box appears, indicating that the PDF is being generated. Select **Got it** to close the dialog box. Additionally, a status message indicating the current state of the download appears below the incident title. The export process may take a few minutes depending on the incident's complexity and the amount of data to be exported. 
++ :::image type="content" source="../../media/incidents-queue/export-incident-predownload-small.png" alt-text="Screenshot highlighting export message and status before download." lightbox="../../media/incidents-queue/export-incident-predownload.png"::: ++1. Once the PDF is ready, the status message indicates that the PDF is ready and another dialog box appears. Select **Download** from the dialog box to save the PDF to your device. ++ :::image type="content" source="../../media/incidents-queue/export-incident-download-small.png" alt-text="Screenshot highlighting export message and status when download is available." lightbox="../../media/incidents-queue/export-incident-download.png"::: ++The report is cached for a couple of minutes. The system provides the previously generated PDF if you try to export the same incident again within a short time frame. To generate a newer version of the PDF, wait for the cache to expire. + ## Next steps For new incidents, begin your [investigation](investigate-incidents.md). |
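Review bot: in the added "Export incident data to PDF" section, the sentence "You can export an incidentΓÇÖs data to PDF through the **Export incident as PDF** function and save it into PDF format. This function allows security teams to review an incidentΓÇÖs details offline" carries a mis-encoded apostrophe (ΓÇÖ) twice where a plain apostrophe (incident's) is meant; check the source file's encoding before merging. The same sentence is also redundant ("export ... to PDF ... and save it into PDF format"); "save it as a PDF file" reads better. Further down, "Here's an example of the exported PDF:" is followed by no image or link, so either add the screenshot reference the other steps use or drop that lead-in.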
security | Security Copilot In Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-in-microsoft-365-defender.md | Title: Microsoft Security Copilot in Microsoft Defender XDR -description: Learn about Security Copilot capabilities embedded in Microsoft Defender XDR. -keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response automated, automatic incident response, summarize incidents, summarize incident report, plugins, Microsoft plugins + Title: Microsoft Copilot in Microsoft Defender +description: Learn about Microsoft Copilot for Security capabilities embedded in Microsoft Defender. +keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response automated, automatic incident response, summarize incidents, summarize incident report, plugins, Microsoft plugins, preinstalled plugins, Microsoft Copilot for Security, Copilot for Security, file analysis, file analyzer, summarize device, device summary, summarize device information, device report, file information report, Microsoft Defender, Copilot in Defender ms.mktglfcycl: deploy ms.sitesec: library f1.keywords: ms.localizationpriority: medium-+ audience: ITPro - m365-security-# Microsoft Security Copilot in Microsoft Defender XDR +# Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] **Applies to:** - Microsoft Defender XDR+- Microsoft Defender unified security operations center (SOC) platform -The Microsoft Security Copilot in Microsoft Defender XDR Early Access Program is an invitation-only, paid preview. 
If your organization is interested in this program, work with your Microsoft account manager to learn more about nominations for a potential invite. To learn more about this program, see the [Microsoft Security Copilot Early Access Program FAQ](/security-copilot/faq-security-copilot). +[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot for Security is embedded in the Microsoft Defender portal to enable security teams to efficiently summarize incidents, analyze scripts and codes, analyze files, summarize device information, use guided responses to resolve incidents, generate KQL queries, create incident reports. -[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) is a platform that brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Security Copilot is embedded in Microsoft Defender XDR for security teams to efficiently summarize incidents, analyze scripts and codes, use guided responses to resolve incidents, generate KQL queries, and create incident reports. --This article provides an overview for users of the Security Copilot embedded experience in Microsoft Defender XDR, including steps to access, key capabilities, and links that detail these capabilities. +This article provides an overview for users of the Copilot in Defender, including steps to access, key capabilities, and links to the details of these capabilities. <a name='access-security-copilot-in-microsoft-365-defender'></a> -## Access Security Copilot in Microsoft Defender XDR +## Access Copilot in Defender -To ensure that you have access to Security Copilot, see the [Security Copilot purchase and licensing information](/security-copilot/faq-security-copilot). 
Once you have access to Security Copilot, the key capabilities discussed below become accessible in the Microsoft Defender portal. +To ensure that you have access to Copilot in Defender, see the [Copilot for Security purchase and licensing information](/security-copilot/faq-security-copilot). Once you have access to Copilot for Security, the key capabilities discussed below become accessible in the Microsoft Defender portal. -## Key features +## Investigate and respond to incidents like an expert -Microsoft Defender XDR brings the capabilities of Security Copilot to the portal, enabling security teams to tackle attack investigations in a timely manner with ease and precision. Bringing AI to Microsoft Defender XDR allows teams to understand attacks immediately, promptly assess and apply appropriate mitigation to stop and contain attacks, quickly analyze complex files, and hunt for threats with ease. +Enable security teams to tackle attack investigations in a timely manner with ease and precision. Copilot helps teams to understand attacks immediately, quickly analyze suspicious files and scripts, and promptly assess and apply appropriate mitigation to stop and contain attacks. ### Summarize incidents quickly -Investigating incidents with multiple alerts can be a daunting task. To immediately understand an incident, you can tap Security Copilot in Microsoft Defender XDR to [summarize an incident](security-copilot-m365d-incident-summary.md) for you. Security Copilot creates an overview of the attack containing essential information for you to understand what transpired in the attack, what assets are involved, and the timeline of the attack. Security Copilot automatically creates a summary when you navigate to an incident's page. +Investigating incidents with multiple alerts can be a daunting task. To immediately understand an incident, you can tap Copilot to [summarize an incident](security-copilot-m365d-incident-summary.md) for you. 
Copilot creates an overview of the attack containing essential information for you to understand what transpired in the attack, what assets are involved, and the timeline of the attack. Copilot automatically creates a summary when you navigate to an incident's page. ### Take action on incidents through guided responses -Approaching solutions and mitigation for any incident can oftentimes be complex for several reasons, including understanding where to begin, what solutions are appropriate, and following new investigation flows for security teams. Security Copilot minimizes these complications through [guided responses](security-copilot-m365d-guided-response.md). These responses are recommended actions specific to each incident. +Resolving incidents require analysts to have an understanding of an attack to know what solutions are appropriate. Copilot recommends solutions through [guided responses](security-copilot-m365d-guided-response.md) that are specific to each incident. -### Get results fast when analyzing scripts and codes +### Run script analysis with ease -Most attackers rely on sophisticated malware when launching attacks to avoid detection and analysis. These files are usually obfuscated and arrive as scripts, Powershell, batch, and bash. Security Copilot can quickly analyze these file types, reducing the time for [script or code analysis](security-copilot-m365d-script-analysis.md) and helping security teams decide on the next action steps using information from the analysis. +Most attackers rely on sophisticated malware when launching attacks to avoid detection and analysis. These malware are usually obfuscated, and might be in the form of scripts or command lines in PowerShell. Copilot can quickly [analyze scripts](security-copilot-m365d-script-analysis.md), reducing the time for investigation. -### Generate KQL queries from natural-language input +### Generate device summaries ++Investigating devices involved in incidents can be a tasking job. 
To quickly assess a device, Copilot can [summarize a device's information](copilot-in-defender-device-summary.md), including the device's security posture, any unusual behaviors, a list of vulnerable software, and relevant Microsoft Intune information. +++### Analyze files promptly -Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in [Security Copilot in advanced hunting](advanced-hunting-security-copilot.md). +Copilot helps security teams quickly assess and understand suspicious files with [file analysis](copilot-in-defender-file-analysis.md). Copilot provides a file's summary, including detection information, related file certificates, a list of API calls, and strings found in the file. ### Write incident reports efficiently -Security operations teams usually write reports to record important information, including what response actions were taken and the corresponding results, the team members involved, and other information to aid future security decisions and learning. Oftentimes, documenting incidents can be time-consuming. For incident reports to be effective, it must contain an incident's summary along with the actions taken, including what actions were taken by whom and when. Security Copilot helps security teams consolidate these information pieces through the [create incident report](security-copilot-m365d-create-incident-report.md) feature. +Security operations teams usually write reports to record important information, including what response actions were taken and the corresponding results, the team members involved, and other information to aid future security decisions and learning. 
Oftentimes, documenting incidents can be time-consuming. For incident reports to be effective, it must contain an incident's summary along with the actions taken, including what actions were taken by whom and when. Copilot [generates an incident report](security-copilot-m365d-create-incident-report.md) by quickly consolidating these pieces of information. +++## Hunt like a pro ++Copilot in Defender helps security teams proactively hunt for threats in their network by quickly building appropriate KQL queries. ++### Generate KQL queries from natural-language input -## Providing feedback +Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in [Copilot for Security in advanced hunting](advanced-hunting-security-copilot.md). -Security Copilot and Microsoft Defender XDR uses AI and machine learning to process data and generate responses for each of the key features. However, AI might misinterpret some data, which sometimes cause a mismatch in responses. Providing your feedback about the generated responses enable both Security Copilot and Microsoft Defender XDR to continuously improve delivery of more accurate responses in the future. -All key features have an option for providing feedback. To provide feedback, perform the following steps: +## Protect your organization with relevant threat intelligence -1. Select the down arrow beside the face icon located at the bottom of any response card in the Security Copilot pane. -2. Select **Confirmed, it looks great** if the results are accurate based on your assessment. When results are confirmed, you can provide more information in the next dialog box. 
+Empower your security organization to make informed decisions with the latest threat intelligence. Copilot consolidates and summarizes threat intelligence to help security teams prioritize and respond to threats effectively. ++### Monitor threat intelligence ++Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about [Copilot for Security in threat intelligence](/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence). +++## Data security and feedback in Copilot ++Copilot continuously evolves using [data](/security-copilot/privacy-data-security#customer-data-and-system-generated-logs) that is [stored](/security-copilot/privacy-data-security#customer-data-storage-location), [processed](/security-copilot/privacy-data-security#location-for-prompt-evaluation), and [shared](/security-copilot/privacy-data-security#customer-data-sharing-preferences) depending on the settings defined by your administrator. Microsoft ensures that your data is always protected and secure when using Copilot. To learn more about data security and privacy in Copilot, see [Privacy and data security in Copilot](/security-copilot/privacy-data-security). ++Because of its continuing evolution, Copilot might miss some things. Reviewing and [providing feedback](/security-copilot/rai-faqs-security-copilot#what-are-the-limitations-of-security-copilot-how-can-users-minimize-the-impact-of-security-copilots-limitations-when-using-the-system) about the results helps improve Copilot's future responses. ++All Copilot in Defender capabilities have an option for providing feedback. To provide feedback, perform the following steps: ++1. 
Select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](../../media/copilot-in-defender/copilot-defender-feedback.png) located at the bottom of any results card in the Copilot side panel. +2. Select **Confirmed, it looks great** if the results are accurate based on your assessment. You can provide more information in the next dialog box. 3. Select **Off-target, inaccurate** if any detail is incorrect or incomplete based on your assessment. You can provide more information about your assessment in the next dialog box and submit this assessment to Microsoft. 4. You can also report the results if it contains questionable or ambiguous information by selecting **Potentially harmful, inappropriate**. Provide more information about the results in the next dialog box and select Submit. <a name='microsoft-365-defender-plugin-in-security-copilot'></a> -## Microsoft Defender XDR plugin in Security Copilot --Microsoft Defender XDR is one of the [Microsoft plugins](/security-copilot/manage-plugins#microsoft-plugins) that enable the Security Copilot platform to generate accurate and relevant information. Through the Microsoft Defender XDR plugin, the Security Copilot portal can provide more context to incidents and generate more accurate results. The key features mentioned in this article are capabilities that are also available in the Security Copilot portal. +## Plugins in Copilot for Security -You can learn more about plugins implemented in the Security Copilot portal in [Manage plugins in Security Copilot](/security-copilot/manage-plugins). 
Additionally, you can learn more about the embedded experiences in other Microsoft security products in [Microsoft Security Copilot experiences](/security-copilot/experiences-security-copilot) +Copilot uses [preinstalled Microsoft plugins](/security-copilot/manage-plugins#preinstalled-plugins) like Microsoft Defender XDR, Defender Threat Intelligence, and Natural Language to KQL for Microsoft Sentinel and Defender XDR plugins to generate relevant information, provide more context to incidents, and generate more accurate results. Ensure that [plugins are turned on in Copilot](/security-copilot/manage-plugins#managing-preinstalled-plugins) to allow access to relevant data and to generate requested content from other Microsoft services in your organization. ## Next steps - [Learn how to summarize incidents](security-copilot-m365d-incident-summary.md) - [Use guided responses when responding to incidents](security-copilot-m365d-guided-response.md)-- [Analyze scripts and codes](security-copilot-m365d-script-analysis.md)+- [Run script analysis](security-copilot-m365d-script-analysis.md) +- [Analyze files](copilot-in-defender-file-analysis.md) +- [Generate device summary](copilot-in-defender-device-summary.md) - [Generate KQL queries](advanced-hunting-security-copilot.md) - [Create incident reports](security-copilot-m365d-create-incident-report.md)+- [Use threat intelligence](/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence) ## See also -- [Get started with Security Copilot](/security-copilot/get-started-security-copilot)-- [Privacy and data security in Security Copilot](/security-copilot/privacy-data-security)+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) +- [Privacy and data security in Copilot](/security-copilot/privacy-data-security) - [Responsible AI FAQs](/security-copilot/responsible-ai-overview-security-copilot)+- Other [Copilot for Security embedded 
experiences](/security-copilot/experiences-security-copilot) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
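Review bot: two added sentences have subject-verb agreement errors: "Resolving incidents require analysts to have an understanding of an attack" should read "requires", and "These malware are usually obfuscated" should read "This malware is usually obfuscated". The new intro list "summarize incidents, analyze scripts and codes, analyze files, summarize device information, use guided responses to resolve incidents, generate KQL queries, create incident reports." is missing "and" before the last item, and "analyze scripts and codes" would normally be "scripts and code". The retained sentence "For incident reports to be effective, it must contain an incident's summary" should read "they must contain", and "Investigating devices involved in incidents can be a tasking job" probably means "a taxing job".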
security | Security Copilot M365d Create Incident Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-create-incident-report.md | Title: Create incident reports with Security Copilot in Microsoft Defender XDR -description: Use Security Copilot incident report creation embedded in Microsoft Defender XDR to write incident reports. -keywords: security copilot, Microsoft Defender XDR, embedded experience, incident report, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident report creation, create report, create incident report, write incident report, write report + Title: Create incident reports with Microsoft Copilot in Microsoft Defender +description: Write incident reports with Microsoft Copilot in Microsoft Defender. +keywords: security copilot, Microsoft Defender XDR, embedded experience, incident report, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident report creation, create report, create incident report, write incident report, write report, Microsoft Copilot for Security, Microsoft Defender, Copilot in Defender ms.mktglfcycl: deploy ms.sitesec: library f1.keywords: ms.localizationpriority: medium-+ audience: ITPro - m365-security-# Create an incident report with Microsoft Security Copilot in Microsoft Defender XDR +# Create an incident report with Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] **Applies to:** - Microsoft Defender XDR+- Microsoft Defender unified security operations center (SOC) platform -> [!IMPORTANT] -> The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. 
Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal assists security operations teams with writing incident reports efficiently. Utilizing Copilot for Security's AI-powered data processing, security teams can immediately create incident reports with a click of a button in the Microsoft Defender portal. -[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in Microsoft Defender XDR assists security operations teams with writing incident reports efficiently. Utilizing Security Copilot's AI-powered data processing, security teams can immediately create incident reports with a click of a button in Microsoft Defender XDR. +A comprehensive and clear incident report is an essential reference for security teams and security operations management. However, writing a comprehensive report with the important details present can be a time-consuming task for security operations teams. Collecting, organizing, and summarizing incident information from multiple sources requires focus and detailed analysis to create an information-rich report. With Copilot in Defender, security teams can now instantly create an extensive incident report within the portal. -A comprehensive and clear incident report is an essential reference for security teams and security operations management. However, writing a comprehensive report with the important details present can be a time-consuming task for security operations teams as it involves collecting, organizing, and summarizing incident information from multiple sources. Security teams can now instantly create an extensive incident report within the portal. 
+While an [incident summary](security-copilot-m365d-incident-summary.md) provides an overview of an incident and how it happened, an incident report consolidates incident information from various data sources available in Microsoft Sentinel and Defender XDR. The Copilot-generated incident report also includes all analyst-driven steps and automated actions, the analysts involved in incident response, and the comments from the analysts. Whether security teams are using Microsoft Sentinel, Defender XDR, or both, all relevant incident data are added into the generated incident report. -While an [incident summary](security-copilot-m365d-incident-summary.md) provides an overview of an incident and how it happened, an incident report consolidates incident information from various data sources available in Microsoft Sentinel and Microsoft Defender XDR. The incident report also includes all analyst-driven steps and automated actions, the analysts involved in the response, and the comments from the analysts. Whether security teams are using Microsoft Defender XDR, Microsoft Sentinel, or both, all relevant incident data are added into the generated incident report. +Copilot generates the incident report based on the automatic and manual actions implemented, and the analysts' comments and notes posted in the incident. You can review and follow [recommendations](security-copilot-m365d-create-incident-report.md#recommendations-for-incident-report-creation) to ensure that Copilot creates a comprehensive incident report. -This guide lists the data in incident reports and contains steps on how to access the incident report creation capability within the portal. It also includes information on how to provide feedback about the generated report. +The incident report generation capability in Microsoft Defender is available through the [Copilot for Security license](/security-copilot/faq-security-copilot). 
This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin. -> [!NOTE] -> The incident report generation capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). +This guide lists the data in incident reports and contains steps on how to access the incident report creation capability within the Microsoft Defender portal. It also includes information on how to provide feedback about the generated report. -## Technical requirements +## Incident report content -[Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). --## Create an incident report --Security Copilot creates an incident report containing the following information: +Copilot in Defender creates an incident report containing the following information: - The main incident management actions' timestamps, including: - Incident creation and closure - First and last logs, whether the log was analyst-driven or automated, captured in the incident-- The analysts involved in incident response.-- [Incident classification](manage-incidents.md#specify-the-classification), including analysts' comments on how the incident was evaluated and classified.-- Investigation actions applied by analysts and noted in the incident logs-- Remediation actions done, including:- - Manual actions applied by analysts and noted in the incident logs - - Automated actions applied by the system, including Microsoft Sentinel Playbooks ran and Microsoft Defender XDR actions applied -- Follow up actions like recommendations, open issues, or next steps noted by the analysts in the incident logs.+- The analysts involved in incident response +- [Incident classification](manage-incidents.md#specify-the-classification), including the analyst's reason for 
classification that Copilot summarizes +- Investigation and remediation actions +- Follow up actions like recommendations, open issues, or next steps noted by the analysts in the incident logs ++Actions like device isolation, disabling a user, and soft delete of emails are included in the incident report. For a full list of actions included in the incident report, see the [Action center](m365d-action-center.md). The incident report also includes [Microsoft Sentinel playbooks ran](/azure/sentinel/automate-responses-with-playbooks). [Live response commands](/microsoft-365/security/defender-endpoint/live-response) and response actions coming from public API sources or from custom detections are not yet supported. ++We recommend resolving the incident to view all actions that have been taken. Incidents that are not resolved will partially reflect the actions in the incident report. ++## Create an incident report ++To create an incident report with Copilot in Defender, perform the following steps: ++1. Open an incident page. In the incident page, navigate to the **More actions** ellipsis (...) and then select **Generate incident report**. Alternately, you can select the report icon found in the Copilot side panel. ++ :::image type="content" source="../../media/copilot-in-defender/create-report/incident-report-create-small.png" alt-text="Screenshot highlighting the generated incident report and report icon buttons in the incident page." lightbox="../../media/copilot-in-defender/create-report/incident-report-create.png"::: ++2. Copilot creates the incident report. You can stop the report creation by selecting **Cancel** and restart report creation by selecting **Regenerate**. Additionally, you can restart report creation if you encounter an error. -To create an incident report, perform the following steps: +3. The incident report card appears on the Copilot pane. 
The generated report depends on the incident information available from Microsoft Defender XDR and Microsoft Sentinel. Refer to the [recommendations](security-copilot-m365d-create-incident-report.md#recommendations-for-incident-report-creation) to ensure a comprehensive incident report. -1. Open an incident page. In the incident page, select **Generate incident report** located at the top right corner of the page. Alternately, you can select the report icon found in the Security Copilot pane. + :::image type="content" source="../../media/copilot-in-defender/create-report/incident-report-main1-small.png" alt-text="Screenshot of the incident report card in the incident page showing the top half of the card." lightbox="../../media/copilot-in-defender/create-report/incident-report-main1.png"::: - :::image type="content" source="../../media/copilot-in-defender/incident-report/fig1-new-sec-copilot-m365d-create-report.png" alt-text="Screenshot highlighting the generate incident report and report icon buttons in the incident page." lightbox="../../media/copilot-in-defender/incident-report/fig1-expand-sec-copilot-m365d-create-report.png"::: + :::image type="content" source="../../media/copilot-in-defender/create-report/incident-report-main2-small.png" alt-text="Screenshot of the incident report card in the incident page showing the lower bottom of the card." lightbox="../../media/copilot-in-defender/create-report/incident-report-main2.png"::: -2. Security Copilot creates the incident report. You can stop the report creation by selecting **Cancel** and restart report creation by selecting **Regenerate**. Additionally, you can restart report creation if you encounter an error. -3. The incident report card appears on the Security Copilot pane. The generated report depends on the incident information available from Microsoft Defender XDR and Microsoft Sentinel. 
Refer to the [recommendations](security-copilot-m365d-create-incident-report.md#recommendations-for-incident-report-creation) to ensure a comprehensive incident report. +4. Select the More actions ellipsis (...) located on the upper right of the incident report card. To copy the report, select **Copy to clipboard** and paste the report to your preferred system, **Post to activity log** to add the report to the activity log in the Microsoft Defender portal, or **Export incident as PDF** to [export the incident data to PDF](manage-incidents.md#export-incident-data-to-pdf). Select **Regenerate** to restart report creation. You can also **Open in Copilot for Security** to view the results and continue accessing other plugins available in the Copilot for Security standalone portal. - :::image type="content" source="../../media/copilot-in-defender/incident-report/fig2-new-sec-copilot-m365d-create-report.png" alt-text="Screenshot of the incident report card in the incident page." lightbox="../../media/copilot-in-defender/incident-report/fig2-expand-sec-copilot-m365d-create-report.png"::: + ![Screenshot of additional actions in the incident report results card.](../../media/copilot-in-defender/create-report/incident-report-more-actions1.png) -4. Select the three dots located on the right side of the incident report card. To copy the report, select **copy to clipboard** and paste the report to your preferred system, or **Post to comments and history** to add the report to the comments and history of the incident. -5. Select **Regenerate** to restart report creation. You can also opt to **Open in Security Copilot** to view the results and continue accessing other plugins available in the Security Copilot standalone portal. +5. Review the generated incident report. 
You can provide feedback on the report by selecting the feedback icon found on the bottom of the results ![Screenshot of the feedback icon for Copilot in Defender cards](../../media/copilot-in-defender/create-report/copilot-defender-feedback.png). -## Managing feedback +## Export incident to PDF -You can validate and submit feedback about a generated incident report. Validating the generated report enables Security Copilot to learn further and deliver more accurate answers in the future. +You can export the incident data to PDF to create a report that you can easily share with stakeholders. The exported incident data contains relevant information like the attack story, impacted assets, relevant alerts, and AI-generated content from Copilot, like the incident summary and incident report. With this capability, security teams can quickly export more incident information for post-incident discussions within team members or with other stakeholders. -[Follow these steps when providing feedback about the results](security-copilot-in-microsoft-365-defender.md#providing-feedback). +You can follow the steps in [export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf) to generate the PDF. 
## Recommendations for incident report creation -Here are some recommendations to consider to ensure that Security Copilot generates a comprehensive and complete incident report: +Here are some recommendations to consider to ensure that Copilot generates a comprehensive and complete incident report: - Classify and resolve the incident before generating the incident report.-- Ensure that you write and save comments in the Microsoft Sentinel activity log or in the Microsoft Defender XDR incident comments and history to include the comments in the incident report.+- Ensure that you write and save comments in the Microsoft Sentinel activity log or in the [Microsoft Defender XDR incident activity log](manage-incidents.md#activity-log) to include the comments in the incident report. - Write comments using comprehensive and clear language. In-depth and clear comments provide better context about the response actions. See the following steps to know how to access the comments field:- - [Add comments to incidents in Microsoft Defender XDR](manage-incidents.md#add-comments) - - [Add comments to incidents in Microsoft Sentinel](/azure/sentinel/investigate-cases#comment-on-incidents) + - [Add comments to incidents in the Microsoft Defender portal](manage-incidents.md#add-comments) + - Add comments to incidents in Microsoft Sentinel - For ServiceNow users, [enable the Microsoft Sentinel and ServiceNow bi-directional sync](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-introducing-microsoft-sentinel-solution-for/ba-p/3692840) to get more robust incident data.-- Copy the generated incident report and post it to the comments and history of the incident to ensure that the incident report is saved in the incident page.+- Copy the generated incident report and post it to the activity log in the Microsoft Defender portal to ensure that the incident report is saved in the incident page. 
## See also -- [Security Copilot Early Access Program FAQs](/security-copilot/faq-security-copilot)-- [Get started with Security Copilot](/security-copilot/get-started-security-copilot)-- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot)+- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot) +- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) +- Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins) |
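Review bot: the Microsoft Sentinel comments step in the recommendations list loses its link: `- [Add comments to incidents in Microsoft Sentinel](/azure/sentinel/investigate-cases#comment-on-incidents)` becomes the bare item `- Add comments to incidents in Microsoft Sentinel`, while the sibling Defender portal item keeps its link. Restore the link (or point at the equivalent Sentinel page) so readers can still reach the comments field. Smaller wording points in the new content list: "Microsoft Sentinel playbooks ran" should read "playbooks run", and "Follow up actions" should be hyphenated as "Follow-up actions".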
security | Security Copilot M365d Guided Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-guided-response.md | Title: Use guided responses with Security Copilot in Microsoft Defender XDR -description: Use guided responses with Security Copilot in Microsoft Defender XDR to respond to incidents. -keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident response playbooks, remediate incident, remediation actions, incident solution, resolve incidents, guided responses, security copilot guided response, copilot in security guided response, security copilot guided response in Microsoft Defender XDR + Title: Resolve incidents with guided responses with Microsoft Copilot in Microsoft Defender +description: Resolve incidents using guided responses delivered by Microsoft Copilot in Microsoft Defender. 
+keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident response playbooks, remediate incident, remediation actions, incident solution, resolve incidents, guided responses, security copilot guided response, copilot in security guided response, security copilot guided response in Microsoft Defender XDR, Microsoft Copilot for Security, Microsoft Defender, Copilot in Defender ms.mktglfcycl: deploy ms.sitesec: library f1.keywords: ms.localizationpriority: medium-+ audience: ITPro - m365-security-# Use guided responses with Microsoft Security Copilot in Microsoft Defender XDR +# Resolve incidents with guided responses from Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] **Applies to:** - Microsoft Defender XDR+- Microsoft Defender unified security operations center (SOC) platform -> [!IMPORTANT] -> The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal supports incident response teams in immediately resolving incidents with guided responses. Copilot in Defender uses AI and machine learning capabilities to contextualize an incident and learn from previous investigations to generate appropriate response actions. 
-[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in Microsoft Defender XDR supports incident response teams in immediately resolving incidents with guided responses. Security Copilot and Microsoft Defender XDR use AI and machine learning capabilities to contextualize an incident and learn from previous investigations to generate appropriate response actions. +Responding to incidents in the Microsoft Defender portal often requires familiarity with the portal's available actions to stop attacks. In addition, new incident responders might have different ideas of where and how to start responding to incidents. The guided response capability of Copilot in Defender allows incident response teams at all levels to confidently and quickly apply response actions to resolve incidents with ease. -Responding to incidents in Microsoft Defender XDR often requires familiarity with the portal's available actions to stop attacks. In addition, new incident responders might have different ideas of where and how to start responding to incidents. The guided response capability of Security Copilot in Microsoft Defender XDR allows incident response teams at all levels to confidently and quickly apply response actions to resolve incidents with ease. +Guided responses are available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). Guided responses are also available in the Copilot for Security standalone experience through the Defender XDR plugin. -This guide outlines how to access the guided response capability of Security Copilot in Microsoft Defender XDR, including information on providing feedback about the responses. +This guide outlines how to access the guided response capability, including information on providing feedback about the responses. 
-> [!NOTE] -> The guided response capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). --## Technical requirements --[Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). --## Use guided responses to resolve incidents +## Apply guided responses to resolve incidents Guided responses recommend actions in the following categories: Guided responses recommend actions in the following categories: - Investigation - includes recommended actions for further investigation - Remediation - includes recommended response actions to apply to specific entities involved in an incident -Each card contains information about the recommended action, including the entity where the action will be applied and why the action is recommended. +Each card contains information about the recommended action, including the entity where the action needs to be applied and why the action is recommended. The cards also emphasize when a recommended action was done by automated investigation like [attack disruption](automatic-attack-disruption.md) or [automated investigation response](m365d-autoir.md). ++The guided response cards can be sorted based on the available status for each card. You can select a specific status when viewing the guided responses by clicking on **Status** and selecting the appropriate status you want to view. All guided response cards regardless of status are shown by default. + To use guided responses, perform the following steps: -1. Open an incident page. Once the page loads, Security Copilot automatically generates guided responses. -2. Review the guided response cards generated by Security Copilot. -3. **Classify the incident** by selecting an option from the dropdown menu on the Triage card. 
You can classify the incident as true positive, informational, or false positive. -4. Review and apply each response generated by Security Copilot on the Containment, Investigation, and Remediation cards. You can provide feedback to each recommended action to continually enhance future responses. -5. Actions that are grayed out might mean they are unavailable to you due to insufficient permission. [Refer to the unified role-based access (RBAC) permissions](manage-rbac.md) page for more information. +1. Open an incident page. Copilot automatically generates guided responses upon opening an incident page. The Copilot pane appears on the right side of the incident page, showing the guided response cards. -Security Copilot and Microsoft Defender XDR make it easy for incident response teams to gain more context about actions with additional insights. For remediation responses, incident response teams can view additional information with options like **View similar incidents** or **View similar emails**. + :::image type="content" source="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-small.png" alt-text="Screenshot highlighting the Copilot pane with the guided responses in the Microsoft Defender incident page." lightbox="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response.png"::: -The **View similar incidents** action becomes available when there are other incidents within the organization that are similar to the current incident. The Similar incidents tab lists similar incidents that you can review. Microsoft Defender XDR automatically identifies similar incidents within the organization through machine learning. Incident response teams can use the information from these similar incidents to classify incidents and further review the actions done in those similar incidents. +2. Review each card before applying the recommendations. Select the More actions ellipsis (...) 
on top of a response card to view the options available for each recommendation. Here are some examples. -The **View similar emails** action, which is specific to phishing incidents, takes you to the [advanced hunting](advanced-hunting-overview.md) page, where a KQL query to list similar emails within the organization is automatically generated. This automatic query generation related to an incident helps incident response teams further investigate other emails that might be related to the incident. You can review the query and modify it as needed. + ![Screenshot highlighting the options available to users in a guided response card in the Copilot side panel.](../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions1.png) -## Managing feedback + ![Screenshot highlighting the options available to users in an automation response card in the Copilot pane in Microsoft Defender XDR.](../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions2.png) -You can validate or report the responses provided by Security Copilot. Validating and reporting results improve Security Copilot's delivery of more accurate responses in the future. +3. To apply an action, select the desired action found on each card. The guided response action on each card is tailored to the type of incident and the specific entity involved. -Each response card has an option for providing feedback. [Follow these steps to provide your feedback about the results](security-copilot-in-microsoft-365-defender.md#providing-feedback). + :::image type="content" source="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions-small.png" alt-text="Screenshot of the guided response cards in the Copilot pane in Microsoft Defender." lightbox="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions.png"::: -## Next steps +4. 
You can provide feedback to each response card to continuously enhance future responses from Copilot. To provide feedback, select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](../../media/copilot-in-defender/copilot-defender-feedback.png) found on the bottom right of each card. -- [Summarize an incident](security-copilot-m365d-incident-summary.md)-- [Create an incident report](security-copilot-m365d-create-incident-report.md)-- [Generate KQL queries](advanced-hunting-security-copilot.md)+> [!NOTE] +> Grayed out action buttons mean these actions are limited by your permission. [Refer to the unified role-based access (RBAC) permissions](manage-rbac.md) page for more information. ++Copilot in Defender supports incident response teams by enabling analysts to gain more context about response actions with additional insights. For remediation responses, incident response teams can view additional information with options like **View similar incidents** or **View similar emails**. ++The **View similar incidents** action becomes available when there are other incidents within the organization that are similar to the current incident. The Similar incidents tab lists similar incidents that you can review. Microsoft Defender automatically identifies similar incidents within the organization through machine learning. Incident response teams can use the information from these similar incidents to classify incidents and further review the actions done in those similar incidents. ++The **View similar emails** action, which is specific to phishing incidents, takes you to the [advanced hunting](advanced-hunting-overview.md) page, where a KQL query to list similar emails within the organization is automatically generated. This automatic query generation related to an incident helps incident response teams further investigate other emails that might be related to the incident. You can review the query and modify it as needed. 
## See also -- [Security Copilot Early Access Program FAQs](/security-copilot/faq-security-copilot)-- [Get started with Security Copilot](/security-copilot/get-started-security-copilot)-- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot)+- [Summarize an incident](security-copilot-m365d-incident-summary.md) +- [Analyze files](copilot-in-defender-file-analysis.md) +- [Run script analysis](security-copilot-m365d-script-analysis.md) +- [Create an incident report](security-copilot-m365d-create-incident-report.md) +- [Generate KQL queries](advanced-hunting-security-copilot.md) +- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot) +- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) +- Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
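Review bot: the new status paragraph says the cards "can be sorted based on the available status" but then describes picking a status under **Status** to view only the cards in that state, which is filtering rather than sorting; say "filtered" and list the statuses a reader can choose, since the paragraph does not name them. Also, the sentence "Guided responses recommend actions in the following categories:" appears twice in a row before the Investigation/Remediation list; check that the source does not carry the duplicate. Minor: the alt text of the second more-actions screenshot still says "Microsoft Defender XDR" while the rest of the article has been rebranded to "Microsoft Defender".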
security | Security Copilot M365d Incident Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-incident-summary.md | Title: Summarize incidents with Security Copilot in Microsoft Defender XDR -description: Use Security Copilot incident summary capabilities embedded in Microsoft Defender XDR. -keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, guided response, incident response playbooks, incident response, summary, summarize incident, summarize incidents, incident overview, write incident summary + Title: Summarize incidents with Microsoft Copilot in Microsoft Defender +description: Generate incident summaries with Microsoft Copilot embedded in Microsoft Defender. +keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, guided response, incident response playbooks, incident response, summary, summarize incident, summarize incidents, incident overview, write incident summary, Microsoft Copilot for Security, Copilot in Defender, Microsoft Defender ms.mktglfcycl: deploy ms.sitesec: library f1.keywords: ms.localizationpriority: medium-+ audience: ITPro - m365-security-# Summarize an incident with Microsoft Security Copilot in Microsoft Defender XDR +# Summarize an incident with Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] **Applies to:** - Microsoft Defender XDR+- Microsoft Defender unified security operations center (SOC) platform -> [!IMPORTANT] -> The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. 
Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +Microsoft Defender XDR applies the capabilities of [Copilot for Security](/security-copilot/microsoft-security-copilot) to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can oftentimes be time-consuming as it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack. -Microsoft Defender XDR applies the capabilities of [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can oftentimes be time-consuming since it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack. +Incident responders can easily gain the right context to investigate and remediate incidents through Defender XDR's correlation capabilities and Copilot for Security's AI-powered data processing and contextualization. With an incident summary, responders can quickly get important information to help in their investigation. 
-Incident responders can easily gain the right context to investigate and remediate incidents through Microsoft Defender XDR's correlation capabilities and Security Copilot's AI-powered data processing and contextualization. With an incident summary, responders can quickly get important information to help in their investigation. +The incident summary capability is available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). This capability is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. -This guide outlines what to expect and how to access the summarizing capability of Security Copilot within Microsoft Defender XDR, including information on providing feedback. --> [!NOTE] -> The incident summary capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). --## Technical requirements --[Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). +This guide outlines what to expect and how to access the summarizing capability of Copilot in Defender, including information on providing feedback. ## Summarize an incident Incidents containing up to 100 alerts can be summarized into one incident summar - The entity or asset where the attack started. - A summary of timelines of how the attack unfolded. - The assets involved in the attack.-- Indicators of compromise (IOCs).+- Indicators of compromise (IoCs). - Names of [threat actors](/microsoft-365/security/intelligence/microsoft-threat-actor-naming) involved. To summarize an incident, perform the following steps: -1. Open an incident page. Security Copilot automatically creates an incident summary upon opening the page. 
You can stop the summary creation by selecting **Cancel** or restart creation by selecting **Regenerate**. -2. The incident summary card loads on the Security Copilot pane in the incident page. Review the generated summary on the card. -3. Select the three dots at the top of the incident summary card to copy or regenerate the summary, or view the summary in Security Copilot. Selecting **Open in Security Copilot** opens a new tab to the Security Copilot standalone portal where you can input prompts and access other plugins. --## Managing feedback --You can validate or report the results of the incident summary provided by Security Copilot. Validating and reporting results enable Security Copilot to continuously improve delivery of more accurate responses in the future. +1. Open an incident page. Copilot automatically creates an incident summary upon opening the page. You can stop the summary creation by selecting **Cancel** or restart creation by selecting **Regenerate**. -[Follow these steps to provide your feedback about the results](security-copilot-in-microsoft-365-defender.md#providing-feedback). +2. The incident summary card loads on the Copilot pane. Review the generated summary on the card. + :::image type="content" source="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-small.png" alt-text="Screenshot of the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page." lightbox="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary.png"::: + > [!TIP] + > You can navigate to a file, IP, or URL page from the Copilot results pane by clicking on the evidence in the results. +3. Select the **More actions** ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Copilot for Security portal. 
Selecting **Open in Copilot for Security** opens a new tab to the Copilot for Security standalone portal where you can input prompts and access other plugins. + :::image type="content" source="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png" alt-text="Screenshot highlighting the actions available on the incident summary card." lightbox="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png"::: +4. Review the summary and use the information to guide your investigation and response to the incident. You can provide feedback on the summary by selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](../../media/copilot-in-defender/copilot-defender-feedback.png) found on the bottom of the Copilot pane. -## Next steps +## See also -- [Analyze scripts and codes](security-copilot-m365d-script-analysis.md)+- [Run script analysis](security-copilot-m365d-script-analysis.md) +- [Analyze files](copilot-in-defender-file-analysis.md) +- [Generate device summary](copilot-in-defender-device-summary.md) - [Use guided responses when responding to threats](security-copilot-m365d-guided-response.md) - [Generate KQL queries](advanced-hunting-security-copilot.md) - [Create incident reports](security-copilot-m365d-create-incident-report.md)--## See also --- [Security Copilot Early Access Program FAQs](/security-copilot/faq-security-copilot)+- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot) +- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) +- Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins) - [Investigate incidents in Microsoft Defender XDR](investigate-incidents.md)-- [Get started with Security Copilot](/security-copilot/get-started-security-copilot)-- [Learn about other Security 
Copilot embedded experiences](/security-copilot/experiences-security-copilot) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
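Review bot: In the new "See also" list, the item "Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)" breaks the pattern of the surrounding bullets, which are all bare link titles; suggest `- [Preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)`. In the new step 4, the feedback icon's alt text "Screenshot of the feedback icon for Copilot in Defender cards" lacks the trailing period that the sibling screenshot alt text on the same line ("...on the incident summary card.") uses; match it for consistency.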
security | Security Copilot M365d Script Analysis | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-script-analysis.md | Title: Run script and code analysis with Security Copilot in Microsoft Defender XDR -description: Use Security Copilot script analysis embedded in Microsoft Defender XDR to investigate scripts and codes. -keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, powershell, powershell analysis, bash, batch, bash analysis, batch analysis, code analysis, code analyzer, security copilot script analysis, copilot in security script analysis, security copilot script analysis in Microsoft Defender XDR + Title: Script analysis with Microsoft Copilot in Microsoft Defender +description: Use Microsoft Copilot script analysis in Microsoft Defender to investigate scripts and command lines. 
+keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, powershell, powershell analysis, bash, batch, bash analysis, batch analysis, code analysis, code analyzer, security copilot script analysis, copilot in security script analysis, security copilot script analysis in Microsoft Defender XDR, Microsoft Copilot for Security, Microsoft Defender, Copilot in Defender ms.mktglfcycl: deploy ms.sitesec: library f1.keywords: ms.localizationpriority: medium-+ audience: ITPro - m365-security-# Run script and code analysis with Microsoft Security Copilot in Microsoft Defender XDR +# Script analysis with Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] **Applies to:** - Microsoft Defender XDR+- Microsoft Defender unified security operations center (SOC) platform -> [!IMPORTANT] -> The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +Through AI-powered investigation capabilities from [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal, security teams can speed up their analysis of malicious or suspicious scripts and command lines. -Through AI-powered investigation capabilities from [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) embedded in Microsoft Defender XDR, security teams can speed up their analysis of malicious or suspicious scripts and codes within PowerShell, batch, and bash. 
+Most complex and sophisticated attacks like [ransomware](/security/ransomware) evade detection through numerous ways, including the use of scripts and PowerShell command lines. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. Security operations teams need to quickly analyze scripts to understand capabilities and apply appropriate mitigation, immediately stopping attacks from progressing further within a network. -Most complex and sophisticated attacks like [ransomware](/security/ransomware) evade detection through numerous ways, including the use of scripts and PowerShell. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. Security operations teams need to quickly analyze scripts and codes to understand capabilities and apply appropriate mitigation, immediately stopping attacks from progressing further within a network. --> [!NOTE] -> Script analysis functions are continuously in development. Analysis of scripts in languages other than PowerShell, batch, and bash are being evaluated. --The script analysis capability of Security Copilot in Microsoft Defender XDR provides security teams added capacity to inspect scripts and codes without using external tools. This capability also reduces complexity of analysis, minimizing challenges and allowing security teams to quickly assess and identify a script as malicious or benign. +The script analysis capability provides security teams added capacity to inspect scripts without using external tools. This capability also reduces complexity of analysis, minimizing challenges and allowing security teams to quickly assess and identify a script as malicious or benign. Script analysis is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). 
This guide describes what the script analysis capability is and how it works, including how you can provide feedback on the results generated. -> [!NOTE] -> The script analysis capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). +## Analyze a script -## Technical requirements +You can access the script analysis capability within the attack story below the incident graph on an incident page and in the [device timeline](/microsoft-365/security/defender-endpoint/device-timeline-event-flag). -[Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). +To begin analysis, perform the following steps: -## Analyze a script or code +1. Open an incident page then select an item on the left pane to open the attack story below the incident graph. Within the attack story, select an event with a script or command line that you want to analyze. Click **Analyze** to start the analysis. -You can access the script analysis capability in the alert timeline within an incident and in the [device timeline](/microsoft-365/security/defender-endpoint/device-timeline-event-flag). + :::image type="content" source="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-incident-small.png" alt-text="Screenshot highlighting the script analysis button in the attack story view." lightbox="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-incident.png"::: -To begin analysis, perform the following steps: + Alternately, you can select an event to inspect in the device timeline view. On the file details pane, select **Analyze** to run the script analysis capability. -1. Open an incident page. In the attack story tab, select an alert on the left pane to open the alert timeline. 
Select an event within the timeline and select **Analyze** to start the script analysis. -Alternately, you can select an event to inspect in the device timeline view. In the process tree shown on the file details pane, select **Analyze**. -2. Security Copilot analyzes the script and displays the results in the script analysis card. In the script analysis card, select **Show code** to expand and see specific lines in the code related to the analysis. Select **Hide code** to close. -3. Select the three dots on the upper right of the script analysis card to copy or regenerate the results, or view the results in the Security Copilot standalone experience. Selecting **Open in Security Copilot** opens a new tab to the Security Copilot standalone portal where you can input prompts and access other plugins. + :::image type="content" source="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-device-timeline-small.png" alt-text="Screenshot highlighting the Analyze button in the device timeline." lightbox="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-device-timeline.png"::: + +2. Copilot runs script analysis and displays the results in the Copilot pane. Select **Show code** to expand the script, or **Hide code** to close the expansion. -## Managing feedback + :::image type="content" source="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-results-small.png" alt-text="Screenshot of the Copilot pane with script analysis results in the Microsoft Defender XDR incident page." lightbox="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-results.png"::: -You can validate or report the script analysis results provided by Security Copilot. Validating and reporting results enable Security Copilot to improve and deliver more accurate results in the future. +3. Select the **More actions** ellipsis (...) 
on the upper right of the script analysis card to copy or regenerate the results, or view the results in the Copilot for Security standalone experience. Selecting **Open in Copilot for Security** opens a new tab to the Copilot standalone portal where you can input prompts and access other plugins. + + ![Screenshot highlighting the More actions option in the Copilot script analysis card.](../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-more-actions.png) -[Follow these steps to provide your feedback about the results](security-copilot-in-microsoft-365-defender.md#providing-feedback). +4. Review the results. You can provide feedback on the results by selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards.](../../media/copilot-in-defender/copilot-defender-feedback.png) found at the end of the script analysis card. -## Next steps +## See also +- [Analyze files](copilot-in-defender-file-analysis.md) +- [Generate device summary](copilot-in-defender-device-summary.md) - [Respond to incidents using guided responses](security-copilot-m365d-guided-response.md) - [Generate KQL queries](advanced-hunting-security-copilot.md) - [Create an incident report](security-copilot-m365d-create-incident-report.md)+- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot) +- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -## See also -- [Security Copilot Early Access Program FAQs](/security-copilot/faq-security-copilot)-- [Get started with Security Copilot](/security-copilot/get-started-security-copilot)-- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot)- |
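Review bot: Step 1 of the new "Analyze a script" procedure says "Click **Analyze** to start the analysis." while the following paragraph and step 3 use "select"; change it to "Select **Analyze**" so the procedure uses one verb throughout. In the same added paragraph, "Alternately, you can select an event to inspect in the device timeline view" should be "Alternatively". The added intro sentence "Know more about [preinstalled plugins in Copilot for Security](...)" reads more naturally as "Learn more about".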
security | Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md | For more information on what's new with other Microsoft Defender security produc You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter). +## April 2024 ++- (GA) **[Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md)** is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence. + ## February 2024 - (GA) **Dark mode** is now available in the Microsoft Defender portal. In the Defender portal, on the top right-hand side of the homepage, select **Dark mode**. Select **Light mode** to change the color mode back to the default. |
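Review bot: The verbs in the new April 2024 entry do not agree with the subject "Copilot": "Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence" should read "...provides file and script analyses, and enables you to summarize...".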
security | Defender For Office 365 Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md | search.appverid: met150 f1.keywords: NOCSH Previously updated : 3/12/2024 +ms.localizationpriority: medium Last updated : 4/1/2024 audience: ITPro - m365-security This article lists new features in the latest release of Microsoft Defender for Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=3). +To search the Microsoft 365 Roadmap for Defender for Office 365 features, use [this link](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=Microsoft%2CDefender%2Cfor%2COffice%2C365). + For more information on what's new with other Microsoft Defender security products, see: - [What's new in Microsoft Defender XDR](../defender/whats-new.md) |
security | Detect And Remediate Illicit Consent Grants | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md | Title: Detect and Remediate Illicit Consent Grants f1.keywords: - NOCSH--++ audience: ITPro |
security | Detect And Remediate Outlook Rules Forms Attack | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack.md | Title: Detect and remediate the Outlook rules and custom forms injections attacks. f1.keywords: - NOCSH--++ Last updated 9/7/2023 audience: ITPro |
security | Email Authentication About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-about.md | The following examples focus on the results of email authentication only (the `c To: michelle@fabrikam.com ``` -## How to avoid email authentication failures when sending mail to Microsoft 36 +## How to avoid email authentication failures when sending mail to Microsoft 365 > [!TIP] > Microsoft 365 customers can use the following methods to allow messages from senders that are identified as spoofing or authentication failures: |
security | External Senders Use The Delist Portal To Unblock Yourself | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-senders-use-the-delist-portal-to-unblock-yourself.md | Title: Remove yourself from the blocked senders list and address 5.7.511 Access denied errors f1.keywords: - NOCSH--++ Last updated 6/20/2023 audience: ITPro |
security | Mdo About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-about.md | +search.appverid: - MET150 - MOE150 ms.assetid: e100fe7c-f2a1-4b7d-9e08-622330b83653-+ - m365-security - tier1 - highpri+adobe-target: true Last updated : 4/1/2024 appliesto:+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> # Microsoft Defender for Office 365 overview -> [!IMPORTANT] -> **If Safe Links pages is blocking your access**, go here for info: [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live). -**Microsoft Defender for Office 365 is a seamless integration into your Office 365 subscription** that protects against threats in email, links (URLS), attachments, or collaboration tools. +Microsoft Defender for Office 365 is a seamless integration into Microsoft 365 subscriptions that protects against threats in email, links (URLS), file attachments, and collaboration tools. This article explains the _protection ladder_ in Microsoft 365 organizations. The protection ladder starts with Exchange Online Protection (EOP) and continues through to Defender for Office 365, which includes Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2. -For email threats that are identified after the fact, Zero-hour autopurge (ZAP) can remove those messages from user mailboxes. 
Automated Investigation and Response (AIR) allows you to automate monitoring and remediation, making it more efficient for security operations (SecOps) teams. The deep integration with Office 365 and robust reporting ensures that you're always on top of security operations. +This article is intended for Security Operations (SecOps) personnel, admins in Microsoft 365, or decisions makers who want to learn more about Defender for Office 365. -Defender for Office 365 safeguards organizations against malicious threats by providing admins and SecOps teams a wide range of capabilities. Users, admins, and SecOps personnel benefit from these features from the beginning of the organization. For example: --- **[Preset security policies can configure everything for you](preset-security-policies.md)**: The protection policies included in Standard and Strict preset security policies contain our recommended settings. All you need to do is decide who gets the protection (by user, group, domain, or all recipients) and specify the entries and optional exceptions for user and domain impersonation protection. 
For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).--- **[Threat protection policies](#defender-for-office-365-protection-policies)**: Define threat-protection policies so admins can set the right level of protection for the organization.--- **[Reports](#view-defender-for-office-365-reports)**: SecOps personnel can view real-time reports to monitor Defender for Office 365 performance in the organization.--- **[Threat investigation and response capabilities](#best-of-class-threat-investigation-and-response-capabilities)**: These tools are leading-edge and allow you to investigate, understand, simulate, and prevent threats.--- **[Automated investigation and response capabilities](air-about.md)**: Save time and effort investigating and mitigating threats by automating what you can.--## Interactive guide to Defender for Office 365 --If you need more information, this interactive guide shows why Defender for Office 365 is worth it, and give examples on how to safeguard your organization. --You can also see how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks. --[Check out the interactive guide](https://aka.ms/MSDO-IG) --## What is the difference between Plan 1 and Plan 2 Defender for Office 365? --For more information on what's included in Microsoft 365 Plan 1 and Plan 2, see [this article](mdo-security-comparison.md). Not only does this article quickly spell out what makes up the two products, but it also describes the ***emphasis*** of each part of *Defender for Office 365* using a familiar structure: *Protect*, *Detect*, *Investigate*, and *Respond*. 
--Graphics and short, scannable paragraphs answer questions like: --- What is *Plan 1* optimized to do for you?-- What's the biggest benefit to your company in *Plan 2*?-- Who has *Exchange Online Protection* and what's it optimized to do?--So, don't miss it! --## How do you get started? --There are two methods to enhance the default protection that's provided in Defender for Office 365: --- **Preset security policies**: We **recommended** that you turn on and use the Standard and/or strict [preset security policies](preset-security-policies.md). The Standard and Strict profiles contain anti-malware, anti-spam, anti-phishing, Safe Links, and Safe Attachments policies that are pre-configured with our recommended standard and strict settings based on observations from the Microsoft datacenters.+> [!TIP] +> If you're using **Outlook.com**, **Microsoft 365 Family**, or **Microsoft 365 Personal**, and need information about _Safelinks_ or _advanced attachment scanning_, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2). +> +> If you're new to your Microsoft 365 subscription and would like to know your licenses before you begin, go the **Your products** page in the Microsoft 365 admin center at <https://admin.microsoft.com/Adminportal/Home#/subscriptions>. - For a quick comparison of the differences between Standard and Strict, see the table at [Policy settings in preset security policies](preset-security-policies.md#policy-settings-in-preset-security-policies). For a complete comparison of all policy values, see the tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md). +All Microsoft 365 subscriptions include built-in security and protection features. The goals and available actions of these features vary. 
In Microsoft 365, there are three main security services (or products): - And, we can tune the protection in preset security policies automatically if the security landscape changes (for example, we might change an action from deliver to Junk to quarantine if the threat level increases). For more information and set up instructions, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md#preset-security-policies-in-eop-and-microsoft-defender-for-office-365). +1. **Exchange Online Protection (EOP)**: Included in any subscription that includes Exchange Online mailboxes. Also available as a [standalone subscription](/exchange/standalone-eop/standalone-eop) to protect on-premises email environments. +2. **Defender for Office 365 365 Plan 1**: Included in some Microsoft 365 subscriptions with Exchange Online mailboxes that cater to small to medium-sized businesses (for example, Microsoft 365 Business Premium). +3. **Defender for Office 365 365 Plan 2**: Included in some Microsoft 365 subscriptions with Exchange Online mailboxes that cater to enterprise organizations (for example, Microsoft 365 E5, Microsoft 365 A5, and Microsoft 365 GCC G5). -- **Manual setup**: Most of the policy settings in preset security policies are locked down. If your organization requires security settings that are *different* from or *undefined* in preset security policies, you can go manual. Keep in mind that anti-malware, anti-spam, anti-phishing, outbound spam, and connection filtering have default policies that are always on and apply to all recipients (and you can change any of the settings). The settings and values in the default policies are described in the tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).+Defender for Office 365 always includes EOP. 
Defender for Office 365 is also available as an add-in subscription to many Microsoft 365 subscriptions with Exchange Online mailboxes. - You can also create custom policies to meet your business needs. For a discussion about when or why to use preset vs. custom policies, see [Determine your protection policy strategy](mdo-deployment-guide.md#determine-your-protection-policy-strategy). +Defender for Office 365 Plan 1 contains a subset of the features that are available in Plan 2. Defender for Office 365 Plan 2 contains many features that aren't available in Plan 1. > [!TIP]-> Defender for Office 365 comes in two different licenses: +> For information about subscriptions that contain Defender for Office 365, see the [Microsoft 365 business plan comparison](https://aka.ms/M365BusinessPlans) and the [Microsoft 365 Enterprise plan comparison](https://aka.ms/M365EnterprisePlans). >-> - You have **Plan 1** if you have **Real-time detections** at <https://security.microsoft.com/realtimereports>. -> - You have **Plan 2**, if you have **Threat Explorer** (also called *Explorer*) at <https://security.microsoft.com/threatexplorer> and **Attack simulation training** at <https://security.microsoft.com/attacksimulator>. +> Use the following exhaustive reference to determine if Defender for Office 365 Plan 1 or Plan 2 licenses are included in a Microsoft 365 subscription: [Product names and service plan identifiers for licensing](/entra/identity/users/licensing-service-plan-reference). >-> Your license influences the tools you see, so be sure that you're aware of your license as you learn. --## Defender for Office 365 protection policies --The protection policies that are configured in your organization determine the behavior and protection level from threats. --Policy options are flexible. For example, your organization's security team can set fine-grained threat protection at the user, group, and domain level for both preset security policies and custom policies. 
It's important to use the [configuration analyzer](configuration-analyzer-for-security-policies.md) regularly to *review the settings in the default and any custom policies*, because new threats and challenges emerge regularly. --### Anti-phishing policies --In addition to [anti-spoofing protection](anti-phishing-policies-about.md#spoof-settings) that's available in anti-phishing policies in EOP, anti-phishing policies in Defender for Office 365 also contain [additional impersonation protection features](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) for specified users and domains. Machine learning models and advanced impersonation-detection algorithms are applied to these users and domains to avert phishing attacks. --Anti-phishing policies with spoofing and impersonation protection are included in the Standard and Strict preset security policies. There's also a default anti-phishing policy, and you can create custom policies as needed. You need to configure the entries and optional exceptions for user and domain impersonation protection in any of these policies. +> Use the following interactive guide to see how Defender for Office 365 is able to protect your organization: [Safeguard your organization with Microsoft Defender for Office 365](https://aka.ms/MSDO-IG). +> +> Use [this page](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-office-365#pmg-allup-content) to compare plans and purchase Defender for Office 365. -### Safe Attachments policies +EOP and Defender for Office 365 can be summarized with the following descriptions: -[Safe Attachments](safe-attachments-about.md) provides zero-day protection for email by checking message attachments for malicious content *in addition to* the regular malware scanning in EOP. Safe Attachments opens all attachments in virtual environment to see what happens (a process known as _detonation_). 
If no suspicious activity is detected, the message is delivered to the mailbox. +- **EOP** prevents broad, volume-based, known email attacks. +- **Defender for Office 365 Plan 1** protects email and collaboration features from zero-day malware, phishing, and business email compromise (BEC). +- **Defender for Office 365 Plan 2** adds phishing simulations, post-breach investigation, hunting, and response, and automation. -Safe Attachments protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions. +However, you can also think about the _architecture_ of EOP and Defender for Office 365 as _cumulative layers of security_, where each layer has a different _security emphasis_. This architecture is shown in the following diagram: -Safe Attachments policies are also included in the Standard and Strict preset security policies, and you can create custom policies as needed. -### Safe Attachments for SharePoint, OneDrive, and Microsoft Teams +EOP and Defender for Office 365 are capable of protecting, detecting, investigating, and responding to threats. But as you move up the protection ladder, the _available features_ and _automation_ increase. -[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)**: Protects your organization when users collaborate and share files, by identifying and blocking malicious files in Teams sites and document libraries. To turn it on, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md). +Whether you're using the onmicrosoft.com domain only or custom domains for email in Microsoft 365, it's important to configure email authentication for your used and unused domains. 
SPF, DKIM, and DMARC records in DNS allow Microsoft 365 to more accurately protect against spoofing attacks. For more information, see [Email authentication in Microsoft 365](email-authentication-about.md). -### Safe Links policies +## The Microsoft 365 security ladder from EOP to Defender for Office 365 -[Safe Links](safe-links-about.md) provides time-of-click verification of URLs in email messages, supported Office files, and Microsoft Teams. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click. Benign links remain accessible, but malicious links are dynamically blocked. +It can be difficult to identity the advantages of Defender for Office 365 over EOP. The following subsections describe the capabilities of each product using the following security emphases: -Safe Links protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions. +- Preventing and detecting threats. +- Investigating threats. +- Responding to threats. -Safe Links policies are also included in the Standard and Strict preset security policies, and you can create custom policies as needed. +### EOP capabilities -## View Defender for Office 365 reports +The capabilities of **EOP** are summarized in the following table: -Defender for Office 365 includes [reports](reports-defender-for-office-365.md) to monitor Defender for Office 365. You can access the reports in the Microsoft Defender portal at <https://security.microsoft.com> at **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. You can also go directly to the **Email and collaboration reports** page using <https://security.microsoft.com/securityreports>. 
+|Prevent/Detect|Investigate|Respond| +|||| +|<ul><li>[Anti-malware protection](anti-malware-protection-about.md)<sup>\*</sup></li><li>[Anti-spam protection](anti-spam-protection-about.md)<sup>\*</sup>, including [bulk email protection](anti-spam-spam-vs-bulk-about.md)</li><li>[Anti-phishing (spoofing) protection](anti-phishing-protection-spoofing-about.md)<sup>\*</sup>, including the [Spoof intelligence insight](anti-spoofing-spoof-intelligence.md)</li><li>[Outbound spam filtering](outbound-spam-protection-about.md)</li><li>[Connection filtering](connection-filter-policies-configure.md)</li><li>[Quarantine](quarantine-about.md) and [quarantine policies](quarantine-policies.md)</li><li>False positives and false negative reporting by [admin submissions to Microsoft](submissions-admin.md) and [user reported messages](submissions-user-reported-messages-custom-mailbox.md)</li><li>[Allow and block entries in the Tenant Allow/Block List](tenant-allow-block-list-about.md) for: <ul><li>Domains and email addresses</li><li>Spoof</li><li>URLs</li><li>Files</li></ul></li></ul>|<ul><li>[Audit log search](audit-log-search-defender-portal.md)</li><li>[Message Trace](message-trace-defender-portal.md)</li><li>[Email security reports](reports-email-security.md)</li></ul>|<ul><li>[Zero-hour auto purge (ZAP) for email](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-email-messages)</li><li>Refine and test entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md)</li></ul>| -Reports update in real-time, providing you with the latest insights. These reports also provide recommendations and alert you to imminent threats. Available predefined reports include: +<sup>\*</sup> The associated protection polices are available in default policies, custom policies, and [the Standard and Strict preset security policies](preset-security-policies.md). 
For help with deciding which method to use, see [Determine your protection policy strategy](mdo-deployment-guide.md#determine-your-protection-policy-strategy). -- [Threat Explorer (or real-time detections)](threat-explorer-real-time-detections-about.md)-- [Threat protection status report](reports-defender-for-office-365.md#threat-protection-status-report)-- ... and several more.+For more information about EOP, see [Exchange Online Protection overview](eop-about.md). -## Best of class threat investigation and response capabilities +### Defender for Office 365 Plan 1 capabilities -Defender for Office 365 Plan 2 includes best-of-class [threat investigation and response tools](office-365-ti.md) that enable your organization's security team to anticipate, understand, and prevent malicious attacks. +Defender for Office 365 Plan 1 expands on the _prevention_ and _detection_ capabilities of EOP. -### Threat Trackers on the latest threats +The additional features that you get in **Defender for Office 365 Plan 1** on top of EOP are described in the following table: -**[Threat trackers](threat-trackers.md)** are [saved queries from Threat Explorer](threat-explorer-real-time-detections-about.md#saved-queries-in-threat-explorer) that you run manually or that can be configured to periodically run automatically. The **Trending campaigns** tab automatically highlights new email threats that were recently received by your organization. 
+|Prevent/Detect|Investigate|Respond| +|||| +|<ul><li>The following [additional features in anti-phishing policies](anti-phishing-protection-about.md#additional-anti-phishing-protection-in-microsoft-defender-for-office-365): <ul><li>User and domain impersonation protection</li><li>Mailbox intelligence impersonation protection (contact graph)</li><li>Advanced phishing thresholds</li></ul></li><li>[Safe Attachments in email](safe-attachments-about.md)</li><li>[Safe Attachments for files in SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links in email, Office clients, and Teams](safe-links-about.md)</li><li>Email & collaboration alerts at <https://security.microsoft.com/viewalertsv2><li>SIEM integration API for **alerts**</li></ul>|<ul><li>[Real-time detections](threat-explorer-real-time-detections-about.md)<sup>\*</sup></li><li>[The Email entity page](mdo-email-entity-page.md)</li><li>SIEM integration API for **detections**</li><li>[URL trace](../defender-endpoint/investigate-domain.md)</li><li>[Defender for Office 365 reports](reports-defender-for-office-365.md)</li></ul>|<ul><li>Same</li></ul>| -### Threat Explorer or Real-Time Detections +<sup>\*</sup> The presence of **Email & collaboration** \> **Real-time detections** in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 1 and Plan 2. -- **[Threat Explorer in Plan 2 (or real-time detections in Plan 1)](threat-explorer-real-time-detections-about.md)** (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods. 
-### Attack simulation training for user readiness +### Defender for Office 365 Plan 2 capabilities -- **[Attack simulation training](attack-simulation-training-simulations.md)** in Defender for Office 365 Plan 2 allows you to run realistic simulated attacks in your organization to identify vulnerabilities and offer training.+Defender for Office 365 Plan 2 expands on the _investigation_ and _response_ capabilities of Plan 1 and EOP, including the addition of _automation_. -## Save time with automated investigation and response +The additional features that you get in **Defender for Office 365 Plan 2** on top of Defender for Office 365 Plan 1 and EOP are described in the following table: -When SecOps is investigating a potential cyberattack, time is of the essence. The sooner you can identify and mitigate threats, the better off your organization will be. +|Prevent/Detect|Investigate|Respond| +|||| +|<ul><li>[Attack simulation training](attack-simulation-training-get-started.md)</li>|<li>[Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md) instead of Real-time detections.<sup>\*</sup></li><li>[Threat Trackers](threat-trackers.md)</li><li>[Campaigns](campaigns.md)</li></ul>|<ul><li>[Automated Investigation and Response (AIR)](air-about.md): <ul><li>AIR from Threat Explorer</li><li>AIR for compromised users</li></ul></li><li>SIEM Integration API for **Automated Investigations**</li></ul>| -[Automated investigation and response](air-about.md) (AIR) capabilities include a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually, such as from a view in Explorer. +<sup>\*</sup> The presence of **Email & collaboration** \> **Explorer** in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 2 and Plan 1. -AIR can save your security operations team time and effort in mitigating threats effectively and efficiently. 
To learn more, see [AIR in Office 365](air-about.md). -## Permissions needed to use Defender for Office 365 features +## Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet -To access Defender for Office 365 features, you *must* be assigned an appropriate role. The following table includes some examples: +This quick-reference section summarizes the different capabilities between Defender for Office 365 Plan 1 and Plan 2 that aren't included in EOP. -|Role or role group|Resources to learn more| +|Defender for Office 365 Plan 1|Defender for Office 365 Plan 2| |||-|Global Administrator (or Organization Management)|You can assign this role in Azure Active Directory or in the Microsoft Defender portal. For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md).| -|Security Administrator|You can assign this role in Azure Active Directory or in the Microsoft Defender portal. For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md).| -|Organization Management in Exchange Online|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo) <p> [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)| -|Search and Purge|This role is available only in the Microsoft Defender portal or the Microsoft Purview compliance portal. For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md) and [Permissions in the Microsoft Purview compliance portal](/purview/microsoft-365-compliance-center-permissions).| --## Where can you get MDefender for Office 365? --Defender for Office 365 is included in certain subscriptions. For example, Microsoft 365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium. --### What if your subscription doesn't include Defender for Office 365 --If your subscription doesn't include Defender for Office 365, you can get Defender for Office 365 as an add-on. 
To learn more, take a look at the following resources: --- [Microsoft Defender for Office 365 availability](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#office-365-advanced-threat-protection-atp-availability) for a list of subscriptions that include Defender for Office 365 plans.--- [Feature availability across Microsoft Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans) for a list of features included in Plan 1 and 2.--- [Get the right Microsoft Defender for Office 365](https://products.office.com/exchange/advance-threat-protection#pmg-allup-content) to compare plans and purchase Defender for Office 365.+|Prevent and detect capabilities: <ul><li>[Anti-phishing policies with impersonation protection and Advanced phishing thresholds](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Safe Attachments](safe-attachments-about.md), including [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links](safe-links-about.md)</li></ul> <br/> Investigate and respond capabilities: <ul><li>[Real-time detections](threat-explorer-real-time-detections-about.md)</li><li>[The Email entity page](mdo-email-entity-page.md)</li></ul>|Everything in Defender for Office 365 Plan 1 capabilities <br/><br/> plus <br/><br/> Prevent and detect capabilities: <ul><li>[Attack simulation training](attack-simulation-training-simulations.md)</li></ul> <br/> Investigate and respond capabilities: <ul><li>[Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md)</li><li>[Threat Trackers](threat-trackers.md)</li><li>[AIR](air-about.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft Defender 
XDR](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft Defender XDR](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft Defender XDR](../defender/investigate-alerts.md)</li></ul>| -- [Start a free trial](https://go.microsoft.com/fwlink/p/?LinkID=698279)+- For more information, see [Feature availability across Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability). +- [Safe Documents](safe-documents-in-e5-plus-security-about.md) is available to users with the Microsoft 365 A5 or Microsoft 365 E5 Security licenses (not included in Defender for Office 365 plans). +- If your current subscription doesn't include Defender for Office 365 Plan 2, you can [try Defender for Office 365](try-microsoft-defender-for-office-365.md) free for 90 days. Or, [contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html). +- Defender for Office 365 P2 customers have access to **Microsoft Defender XDR integration** to efficiently detect, review, and respond to incidents and alerts. -## What new features are coming for Defender for Office 365? +## Where to go next -New features are continually added to Defender for Office 365 continually. 
To learn more, see the following resources: +[Get started with Microsoft Defender for Office 365](mdo-deployment-guide.md) -- [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=Microsoft%2CDefender%2Cfor%2COffice%2C365) provides a list of new features in development and rolling out.+[Microsoft Defender for Office 365 Security Operations Guide](mdo-sec-ops-guide.md) -- [Microsoft Defender for Office 365 Service Description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#whats-new-in-office-365-advanced-threat-protection-atp) describes features and availability across Defender for Office 365 plans.+[Migrate from a third-party protection service or device to Microsoft Defender for Office 365](migrate-to-defender-for-office-365.md) -## See also +[What's new in Microsoft Defender for Office 365](defender-for-office-365-whats-new.md) -- [Microsoft Defender XDR](../defender/microsoft-365-defender.md)-- [Automated investigation and response (AIR) in Microsoft Defender XDR](../defender/m365d-autoir.md)+The [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=Microsoft%2CDefender%2Cfor%2COffice%2C365) describes new features that are being added to Defender for Office 365. |
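Review bot: Two typos in the added prose need fixing before merge. In the new "## The Microsoft 365 security ladder from EOP to Defender for Office 365" intro, "It can be difficult to identity the advantages of Defender for Office 365 over EOP" should read "identify", and the footnote under the EOP capabilities table, "The associated protection polices are available in default policies", should read "policies". While touching that section, the two links to Attack simulation training point at different targets (`attack-simulation-training-get-started.md` in the Plan 2 table, `attack-simulation-training-simulations.md` in the cheat sheet); pick one so readers land on the same page from both.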
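Review bot: The Plan 2 capabilities table has unbalanced HTML in its first row: the Prevent/Detect cell opens a list that is never closed before the cell separator, and the Investigate cell starts with a bare `<li>` (`|<ul><li>[Attack simulation training](...)</li>|<li>[Threat Explorer (Explorer)](...) instead of Real-time detections.<sup>\*</sup></li>...<li>[Campaigns](campaigns.md)</li></ul>|`). Add `</ul>` before the `|` and `<ul>` after it, as the Plan 1 table above does, so the Investigate column is not rendered as part of the Prevent/Detect list.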
security | Mdo Security Comparison | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-security-comparison.md | - Title: Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection---- - - MET150 - - MOE150 -- - m365-security - - m365initiative-defender-office365 - - EngageScoreSep2022 - - ContentEngagementFY23 - - tier1 -description: Security in Office 365, from EOP to Defender for Office 365 Plans 1 and 2, Standard vs. Strict security configurations, and more. Understand what you have, and how to secure your properties. ---adobe-target: true Previously updated : 8/7/2023-appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> ---# Microsoft Defender for Office 365 security comparison ---This article introduces you to your new Microsoft Defender for Office 365 security properties in the cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started. --> [!CAUTION] -> If you're using **Outlook.com**, **Microsoft 365 Family**, or **Microsoft 365 Personal**, and need *Safe Links* or *Safe Attachments* information, ***go here***: [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-office-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2). --## What is Defender for Office 365 security --Every Microsoft 365 subscription comes with security capabilities. The goals and available actions depend on the focus of these different subscriptions. 
In Microsoft 365 security, there are three main security services (or products) tied to your subscription type: --1. Exchange Online Protection (EOP). -1. Microsoft Defender for Office 365 365 Plan 1 (Defender for Office 365 P1). -1. Microsoft Defender for Office 365 365 Plan 2 (Defender for Office 365 P2). --> [!TIP] -> If you're new to your subscription and would like to know your license before you begin, go the **Your products** page in the Microsoft 365 admin center at <https://admin.microsoft.com/Adminportal/Home#/subscriptions>. --Microsoft 365 security builds on the core protections offered by EOP. EOP is present in any subscription where Exchange Online mailboxes can be found (remember, all the security products discussed here are cloud-based). --You may be accustomed to seeing these three components discussed in this way: --|EOP|Defender for Office 365 P1|Defender for Office 365 P2| -|||| -|Prevents broad, volume-based, known attacks.|Protects email and collaboration from zero-day malware, phish, and business email compromise.|Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).| --But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this: ---Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, ***all*** the services can carry out ***any*** of the goals of protecting, detecting, investigating, and responding. --The core of Microsoft 365 security is EOP protection. Defender for Office 365 P1 contains EOP. Defender for Office 365 P2 contains P1 and EOP plus more features. The structure is cumulative. That's why, when configuring this product, you should start with EOP and work up to Defender for Office 365 Plan 2. --Though email authentication configuration takes place in public DNS, it's important to configure this feature to help defend against spoofing. 
*If you have EOP,* ***you should [configure email authentication](email-authentication-about.md)***. --If you have a Microsoft 365 E3 or virtually any subscription with Exchange Online mailboxes, you definitely have EOP. You can most likely purchase Defender for Office 365 as an add-on subscription. If you have Microsoft 365 E5, you already have Defender for Office 365 P2. --> [!TIP] -> If your subscription is neither Microsoft 365 E3 or E5, you can use [this page](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection#coreui-contentrichblock-x07wids) to see if you can upgrade to Defender for Office 365 (check the end of the page for the fine-print). --## The Microsoft 365 security ladder from EOP to Defender for Office 365 --> [!IMPORTANT] -> Learn the details on these pages: [Exchange Online Protection](eop-about.md), and [Defender for Office 365](defender-for-office-365.md). --What makes adding Defender for Office 365 plans an advantage to pure EOP threat management can be difficult to tell at first glance. 
To determine if an upgrade path is right for your organization, let's look at the capabilities of each product when it comes to: --- Preventing and detecting threats-- Investigating-- Responding--The capabilities of **Exchange Online Protection** are summarized in the following table: --|Prevent/Detect|Investigate|Respond| -|||| -|Technologies include:<ul><li>Spam</li><li>Phishing</li><li>Malware</li><li>Bulk mail</li><li>Spoof intelligence</li><li>Quarantine</li><li>False positives and false negative reporting by admin submissions and user reported messages</li><li>Allow and block entries in the Tenant Allow/Block List for: <ul><li>Domains and email addresses</li><li>Spoof</li><li>URLs</li><li>Files</li></ul></li></ul>|<ul><li>Audit log search</li><li>Message Trace</li><li>Email security reports</li></ul>|<ul><li>Zero-hour auto purge (ZAP)</li><li>Refinement and testing of entries in the Tenant Allow/Block List</li></ul>| --If you want to dig in to EOP, **[jump to this article](eop-about.md)**. --If you evaluate and ultimately purchase **Defender for Office 365 P1**, you get these additional capabilities over EOP: --|Prevent/Detect|Investigate|Respond| -|||| -|<ul><li>Safe Attachments in email</li><li>Safe Attachments for SharePoint, OneDrive, and Microsoft Teams</li><li>Safe Links in email, Office clients, and Teams</li><li>Advanced anti-phishing thresholds in anti-phishing policies</li><li>User, domain, and mailbox intelligence impersonation protection in anti-phishing policies</li><li>Alerts, and SIEM integration API for alerts</li></ul>|<ul><li>SIEM integration API for detections</li><li>**Real-time detections**</li><li>URL trace</li><li>Specific Defender for Office 365 reports</li></ul>|<li>Same</li></ul> --So, Defender for Office 365 P1 expands on the ***prevention*** side of the house, and adds extra forms of ***detection***. --Defender for Office 365 P1 also adds **Real-time detections** for investigations. 
The presence of **Real-time detections** as a selection in the Microsoft Defender portal means you have Defender for Office 365 P1. --If you evaluate and ultimately purchase **Defender for Office 365 P2**, you get these additional capabilities over EOP and Defender for Office 365 P1: --|Prevent/Detect|Investigate|Respond| -|||| -|<ul><li>Attack simulation training</li>|<li>**Threat Explorer**</li><li>Threat Trackers</li><li>Campaign views</li>|<li>Automated Investigation and Response (AIR)</li><li>AIR from Threat Explorer</li><li>AIR for compromised users</li><li>SIEM Integration API for Automated Investigations</li> --So, Defender for Office 365 P2 expands on the ***investigation and response*** side of the house, and adds a new hunting strength: Automation. --In Defender for Office 365 P2, the primary hunting tool is called **Threat Explorer** rather than Real-time detections. If you see Threat Explorer when you navigate to the Microsoft Defender portal, you're in Defender for Office 365 P2. --To get into the details of Defender for Office 365 P1 and P2, **[jump to this article](defender-for-office-365.md)**. --> [!TIP] -> EOP and Defender for Office 365 are also different when it comes to users. In EOP and Defender for Office 365 P1, the focus is *awareness*. The [Microsoft Report Message and Report Phishing add-ins](submissions-users-report-message-add-in-configure.md) are available for users to report messages that they find suspicious. -> -> In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus shifts to *further training* for end-users. The Security Operations Center has access to a powerful *Threat Simulator* tool, and the end-user metrics it provides. --## Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet --This quick-reference helps you understand what capabilities come with each Defender for Office 365 subscription. 
When combined with your knowledge of EOP features, it can help business decision makers determine what Defender for Office 365 is best for their needs. --|Defender for Office 365 Plan 1|Defender for Office 365 Plan 2| -||| -|Prevent and detect capabilities: <ul><li>[Safe Attachments](safe-attachments-about.md), including [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links](safe-links-about.md)</li><li>[Advanced phishing thresholds and impersonation protection](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer-real-time-detections-about.md)</li></ul>|Everything in Defender for Office 365 Plan 1 capabilities <br/><br/> plus <br/><br/> Prevent and detect capabilities: <ul><li>[Attack simulation training](attack-simulation-training-simulations.md)</li></ul> <br/> Automate, investigate, and respond capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer-real-time-detections-about.md)</li><li>[Automated investigation and response](air-about.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft Defender XDR](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft Defender XDR](../defender/investigate-alerts.md)</li></ul>| --- Defender for Office 365 Plan 2 is included in Microsoft 365 E5, Microsoft 365 A5, and Microsoft 365 E5.-- Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium.-- Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions. 
To learn more, see [Feature availability across Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans).-- [Safe Documents](safe-documents-in-e5-plus-security-about.md) is available to users with the Microsoft 365 A5 or Microsoft 365 E5 Security licenses (not included in Defender for Office 365 plans).-- If your current subscription doesn't include Defender for Office 365 Plan 2, you can [try Defender for Office 365](try-microsoft-defender-for-office-365.md) free for 90 days. Or, [contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).-- Defender for Office 365 P2 customers have access to **Microsoft Defender XDR integration** to efficiently detect, review, and respond to incidents and alerts.--> [!TIP] -> ***Insider tip***. You can use the Microsoft Learn table of contents to learn about EOP and Defender for Office 365. Navigate back to this page, [Microsoft 365 Security overview](index.yml), and you'll notice that table of contents organization in the side-bar. It begins with Deployment (including migration) and then continues into prevention, detection, investigation, and response. -> -> This structure is divided so that **Security Administration** topics are followed by **Security Operations** topics. If you're a new member of either job role, use the link in this tip, and your knowledge of the table of contents, to help learn the space. Remember to use *feedback links* and *rate articles* as you go. Feedback helps us improve what we offer you. --## Where to go next --If you're a Security Admin, you may need to configure DKIM or DMARC for your mail. You may want to roll out 'Strict' security presets for your priority users, or look for what's new in the product. 
Or if you're with Security Ops, you may want to use Real-time detections or Threat Explorer to investigate and respond, or train end-user detection with Attack Simulator. Either way, here are some additional recommendations for what to look at next: --[Email Authentication, including SPF, DKIM, and DMARC (with links to setup of all three)](email-authentication-about.md) --[See the specific recommended 'golden' configs](recommended-settings-for-eop-and-office365.md) and [use their recommended presets to configure security policies quickly](preset-security-policies.md) --Catch up on [what's new in Microsoft Defender for Office 365 (including EOP developments)](defender-for-office-365-whats-new.md) --[Use Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) --Use [Attack simulation training](attack-simulation-training-simulations.md) |
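Review bot: Every line in this diff is a deletion, so mdo-security-comparison.md is removed outright rather than edited; its own front matter references `mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet`, and the cheat-sheet and security-ladder sections now live in the article changed in the preceding diff. The change should ship with a redirect entry for the old path (and, if the redirect mechanism supports it, the cheat-sheet anchor) so existing inbound links and the appliesto reference do not break.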
security | Office 365 Ti | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md | Title: Threat investigation & response capabilities in Microsoft Defender for Office 365 f1.keywords: - NOCSH--++ Last updated 10/10/2023 audience: Admin |
security | Pim In Mdo Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/pim-in-mdo-configure.md | Title: Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools. f1.keywords: - NOCSH--++ Last updated 2/20/2024 audience: ITPro |
security | Protection Stack Microsoft Defender For Office365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md | Title: Step-by-step threat protection stack in Microsoft Defender for Office 365 f1.keywords: - NOCSH--++ Last updated 8/22/2023 |
security | Remediate Malicious Email Delivered Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365.md | Title: Remediate malicious email that was delivered in Office 365--++ |
security | Assess The Impact Of Security Configuration Changes With Explorer | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/assess-the-impact-of-security-configuration-changes-with-explorer.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH-+ ms.localizationpriority: medium |
security | Connect Microsoft Defender For Office 365 To Microsoft Sentinel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Deploy And Configure The Report Message Add In | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH-+ ms.localizationpriority: medium |
security | Ensuring You Always Have The Optimal Security Controls With Preset Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Configure Quarantine Permissions With Quarantine Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-configure-quarantine-permissions-with-quarantine-policies.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Enable Dmarc Reporting For Microsoft Online Email Routing Address Moera And Parked Domains | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Handle False Negatives In Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Handle False Positives In Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Prioritize And Manage Automated Investigations And Response Air | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-and-manage-automated-investigations-and-response-air.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Prioritize Manage Investigate And Respond To Incidents In Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-manage-investigate-and-respond-to-incidents-in-microsoft-365-defender.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Run Attack Simulations For Your Team | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-run-attack-simulations-for-your-team.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | How To Setup Attack Simulation Training For Automated Attacks And Training | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Optimize And Correct Security Policies With Configuration Analyzer | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/optimize-and-correct-security-policies-with-configuration-analyzer.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Protect Your C Suite With Priority Account Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/protect-your-c-suite-with-priority-account-protection.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Reducing Attack Surface In Microsoft Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH-+ ms.localizationpriority: medium |
security | Review Allow Entries | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/review-allow-entries.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH-+ ms.localizationpriority: medium |
security | Search For Emails And Remediate Threats | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/search-for-emails-and-remediate-threats.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Stay Informed With Message Center | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Step By Step Guide Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Track And Respond To Emerging Threats With Campaigns | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/track-and-respond-to-emerging-threats-with-campaigns.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
security | Tune Bulk Mail Filtering Walkthrough | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/tune-bulk-mail-filtering-walkthrough.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH-+ ms.localizationpriority: medium |
security | Understand Detection Technology In Email Entity | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/understand-detection-technology-in-email-entity.md | Title: Understanding detection technology within the email entity page in Microsoft Defender for Office 365 description: Guide to understanding the detection technology shown on the email entity page in Microsoft Defender for Office 365, what the detection technologies mean, how they're triggered, and how to resolve false positives (see the admin submission video).--++ |
security | Utilize Microsoft Defender For Office 365 In Sharepoint Online | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online.md | ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH-+ ms.localizationpriority: medium |
security | Teams Message Entity Panel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-message-entity-panel.md | Title: The Teams Message Entity Panel in Microsoft Defender for Office 365--++ audience: Admin |
security | Zero Trust Continuous Access Evaluation Microsoft 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365.md | Title: Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise description: Describes how conditional access evaluation for Microsoft 365 and Microsoft Entra ID proactively terminates active user sessions and enforces tenant policy changes in near real time.--++ |
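Review bot: the description says "conditional access evaluation" while the title says "Continuous access evaluation"; the feature that terminates active sessions and enforces tenant policy changes in near real time is Continuous Access Evaluation (CAE), so the description should read "continuous access evaluation" rather than conflating it with Conditional Access, which is the policy engine whose decisions CAE enforces.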
security | Zero Trust Identity Device Access Policies Exchange | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-exchange.md | Title: Secure email recommended policies description: Describes the policies for Microsoft recommendations about how to apply email policies and configurations.--++ |
security | Zero Trust Identity Device Access Policies Guest Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-guest-access.md | Title: Identity and device access policies for allowing guest and external user description: Describes the recommended Conditional Access and related policies for protecting access of guests and external users. --++ audience: Admin f1.keywords: |
security | Zero Trust Identity Device Access Policies Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview.md | Title: Zero Trust identity and device access configurations - Microsoft 365 for enterprise description: Describes Microsoft recommendations and core concepts for deploying secure email, docs, and apps policies and configurations for Zero Trust.--++ |
security | Zero Trust Identity Device Access Policies Prereq | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-prereq.md | Title: Prerequisite work for implementing Zero Trust identity and device access policies description: This article describes the prerequisites you need to meet to use Zero Trust identity and device access policies and configurations.--++ |
security | Zero Trust Identity Device Access Policies Sharepoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-sharepoint.md | Title: Recommended secure document policies description: Describes the policies for Microsoft recommendations about how to secure SharePoint file access.--++ |
security | Zero Trust With Microsoft 365 Defender Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-with-microsoft-365-defender-office-365.md | search.appverid: met150 f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro |
solutions | Empower People To Work Remotely Teams Productivity Apps | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely-teams-productivity-apps.md | To be productive, people need to communicate and collaborate with one another. T | IT function | Microsoft 365 components | Description | |:-|:--|:-| | Email services | Exchange Online | Exchange email and manage calendars, contacts, and tasks with the Outlook client. |-| Organizational chat, voice over IP (VOIP), and team-based collaboration | Microsoft Teams | Keep people connected while they work apart with a common hub of communication for meetings, chats, and file storage for the organization, departments, and for small teams and individuals. | | Intranet sites, document collaboration | SharePoint and OneDrive | Store and collaborate on files within a web browser or within Teams. | | Desktop and mobile device Office applications | Microsoft 365 Apps | Create new content or collaborate on existing content with versions of Word, PowerPoint, Excel, and Outlook that are installed on your local computer and receive ongoing feature and security updates. | |||| -![Use Teams, Outlook, SharePoint, OneDrive, and Microsoft 365 Apps to stay productive.](../media/empower-people-to-work-remotely/remote-workers-productivity-grid.png) --## Keep people connected with Microsoft Teams --Teams with Microsoft Teams allows your organization to chat, meet, call, and collaborate all in one place. Millions of people get their work done with teams every day because it brings together everything you need to work on-site or remotely into a hub for teamwork. --For detailed guidance, see [Support remote workers using Microsoft Teams](/microsoftteams/support-remote-work-with-teams). 
--Read [Enabling hybrid work with Microsoft 365 and collaborative apps](https://www.microsoft.com/en-us/microsoft-365/blog/2022/07/19/from-enabling-hybrid-work-to-creating-collaborative-experiences-heres-whats-new-in-microsoft-365/) for guidance and demos on using Teams for hybrid work. --### Chat and conversations --Chat and threaded conversations are at the center of Teams with support for individual 1:1 chats and group chats and conversations. Remote workers can share information, opinions, and personality by using pictures, stickers, and emojis in group chats or one-to-one messages. --### Meetings and conferencing --Teams can certainly help maintain communications and information sharing with hybrid workers, especially with meetings that support up to 250 people. Teams meetings enable interactive, collaborative meetings with people inside and outside your organization. Remote workers can use Teams meetings for day-to-day activities including recurring project checkpoints, catching-up with colleagues, brainstorming sessions, and facilitating conversations with customers. --### Calling --Teams supports direct VoIP calling between users and even other organizations using federation. It uses the same codecs as meetings and provides great audio world-wide without additional PSTN charges. However, some users may need a dedicated phone number to take external calls when working on-site or remotely. Teams can quickly provide cloud phone service for these users to make and receive phone calls. --### Apps and workflows --Teams provides a platform for apps and workflows that can be accessed from the desktop, web, and mobile versions of Teams. Teams provides hundreds of apps published by Microsoft and by third parties to engage users, support productivity, and integrate commonly used business services into Teams. Users and Admins can also create custom apps and automated workflows for Teams using the low-code Power Apps and Power Automate development tools. 
--Apps and workflows let hybrid workers be more productive in Teams, by collecting and sharing critical information, automating repetitive tasks, and allowing them to chat with interactive bot. Pinning apps to a channel or the Teams app bar is a great way for users to make these apps easily accessible in a relevant space, and admins can pin apps to drive awareness and adoption of the apps that everyone should be using. - ## Exchange email and manage calendars, contacts, and tasks with Exchange Online and Outlook With Outlook, hybrid workers can stay connected and organized with email, calendars, contacts, tasks, and moreΓÇötogether in one place. Outlook helps you stay on track and prioritize your day based on whatΓÇÖs relevant to you. Outlook enables you to share attachments right from OneDrive, plan and join Teams meetings, view and share calendars, and provide delegate permissions to others. Knowing whatΓÇÖs coming up next across both work and personal commitments and what needs attention can help hybrid workers focus on what matters. Outlook provides helpful ways for hybrid workers to manage their time and to find what they need easily, including files, people in the organization, and more. |
solutions | Empower People To Work Remotely | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely.md | Microsoft 365 has the capabilities to empower your hybrid workers to work either > [!NOTE] > If you are new to Microsoft 365, see [these resources](https://www.microsoft.com/microsoft-365). -Watch this video for an overview of the deployment process. -<br> -<br> -> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4F1af] - For IT professionals managing onsite and cloud-based infrastructure to enable hybrid worker productivity, this solution provides these key capabilities: - Connected For IT professionals managing onsite and cloud-based infrastructure to enable hy For a seamless sign-in experience, your on-premises Active Directory Domain Services (AD DS) user accounts should be synchronized with Microsoft Entra ID. To protect your Windows 11 or 10 devices, they should be enrolled in Intune. Here is a high-level view of the infrastructure. -![The basic infrastructure for hybrid workers with Microsoft 365.](../media/empower-people-to-work-remotely/remote-workers-basic-infrastructure.png) - To enable the capabilities of Microsoft 365 for your hybrid workers, use these Microsoft 365 features. 
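Review bot: removing the video embed and the `![The basic infrastructure for hybrid workers with Microsoft 365.]` image leaves the sentence "Here is a high-level view of the infrastructure." pointing at nothing; either drop that sentence as well or replace the figure with a short list of the components the surrounding text already names (on-premises AD DS accounts synchronized with Microsoft Entra ID, Windows 11 or 10 devices enrolled in Intune).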
|Capability or feature|Description|Licensing| To enable the capabilities of Microsoft 365 for your hybrid workers, use these M |Configuration Manager|Manage software installations, updates, and settings on your devices|Requires separate Configuration Manager licenses| |Endpoint Analytics|Determine the update readiness of your Windows clients.|Requires separate Configuration Manager licenses| |Windows Autopilot|Set up and pre-configure new Windows 11 or 10 devices for productive use.|Microsoft 365 E3 or E5|-|Microsoft Teams, Exchange Online, SharePoint Online and OneDrive, Microsoft 365 Apps, Microsoft Power Platform, and Viva Engage|Create, communicate, and collaborate.|Microsoft 365 E3 or E5| +|Microsoft Teams, Exchange Online, SharePoint Online and OneDrive, Microsoft 365 Apps, Microsoft Power Platform, and Viva Engage|Create, communicate, and collaborate.|Microsoft 365 E3 or E5 and Microsoft Teams Enterprise | |||| For security and compliance criteria, see [Deploy security and compliance for remote workers](empower-people-to-work-remotely-security-compliance.md). -<a name="poster"></a> -For a 2-page summary of this solution, see the [Empower hybrid workers poster](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pdf). --[![Empower hybrid workers poster.](../media/empower-people-to-work-remotely/empower-remote-workers-poster.png)](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pdf) - ## Provide hybrid working for all of your workers You can enable all of your workers to stay productive from anywhere with these devices: |
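Review bot: the edited licensing row bundles Microsoft Teams with Exchange Online, SharePoint Online and OneDrive, Microsoft 365 Apps, Microsoft Power Platform, and Viva Engage, so appending "and Microsoft Teams Enterprise" to the license column reads as a requirement for every one of those workloads; split Teams into its own row, for example `|Microsoft Teams|Chat, meet, call, and collaborate.|Microsoft 365 E3 or E5 and Microsoft Teams Enterprise|`, and leave the remaining workloads on "Microsoft 365 E3 or E5". The new cell also carries a trailing space before its closing pipe. Separately, deleting `<a name="poster"></a>` removes a named anchor that other pages may link to as `#poster`; confirm there are no inbound links before dropping it, or keep the anchor even though the poster paragraph is gone.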
solutions | Setup Secure Collaboration With Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/setup-secure-collaboration-with-teams.md | To configure secure collaboration, use these Microsoft 365 capabilities and feat |||| |Microsoft Defender for Office 365|Safe Attachments for SharePoint, OneDrive and Microsoft Teams; Safe Documents; Safe Links for Teams|Microsoft 365 E1, E3 and E5| |SharePoint|Site and file sharing policies, Site sharing permissions, Sharing links, Access requests, Site guest sharing settings|Microsoft 365 E1, E3 and E5|-|Microsoft Teams|Guest access, private teams, private channels, shared channels|Microsoft 365 E1, E3 and E5| +|Microsoft Teams|Guest access, private teams, private channels, shared channels|Microsoft 365 E3 and E5 with a Microsoft Teams Enterprise license| |Microsoft Purview|Sensitivity labels|Microsoft 365 E3 and E5| |Microsoft Syntex - SharePoint Advanced Management|Site access restrictions, conditional access policies for sites, default sensitivity labels for libraries|Microsoft Syntex - SharePoint Advanced Management| |
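Review bot: the Microsoft Teams row drops Microsoft 365 E1 without explanation while the Microsoft Defender for Office 365 and SharePoint rows in the same table still list "Microsoft 365 E1, E3 and E5"; if a Microsoft Teams Enterprise license is now the real prerequisite, state whether E1 plus that license also qualifies instead of silently removing E1. The wording also differs from the companion change in empower-people-to-work-remotely.md ("Microsoft 365 E3 or E5 and Microsoft Teams Enterprise" there versus "Microsoft 365 E3 and E5 with a Microsoft Teams Enterprise license" here); use one phrasing in both tables.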