-<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->

-## Week of February 26, 2024

-| Published On |Topic title | Change |

-|||--|

-| 3/1/2024 | [Microsoft Security Copilot and Microsoft Defender Threat Intelligence](/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence) | modified |

-<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->

-## Week of June 20, 2022

-| Published On |Topic title | Change |

-|||--|

-| 6/23/2022 | [Defender Threat Intelligence](/defender-threat-intelligence/index) | modified |

-

-description: 'In this overview article, learn about the Microsoft Defender Threat Intelligence (Defender TI)ΓÇÖs analyst insights feature.'

-# Analyst insights

-In Microsoft Defender Threat Intelligence (Defender TI), the Analyst Insights section provides quick insights about the artifact that may help determine the next step in an investigation. This section will list any insights that apply to the artifact, as well as those that do not apply for additional visibility. In the below example, we can quickly determine that the IP Address is routable, hosts a web server, and had an open port within the past five days. Furthermore, the system displays rules that were not triggered, which can be equally helpful when kickstarting an investigation.

-

-## Analyst insight types and questions they can address

-| Analyst insight types | Questions they can address |

-|--||

-| Blocklisted | Is/when was the domain, host, or IP address blocklisted? |

-| | How many times has Defender TI blocklisted the domain, host, or IP? |

-| Registered & Updated | How many days, months, years ago was the domain registered? |

-| | When was the domain WHOIS Record updated? |

-| Subdomain IP count | How many different IPs are associated with the subdomains of the domain? |

-| New subdomain observations | When was the last time Microsoft observed a new subdomain for the domain in question? |

-| Registered & Resolving | Does the domain queried exist? |

-| | Does the domain resolve to an IP address? |

-| Number of Domains sharing the WHOIS record | What other domains share the same WHOIS record? |

-| Number of domains sharing the Name Server | What other domains share the same name server record? |

-| Crawled by RiskIQ | When was this host or domain last crawled by Microsoft? |

-| International Domain | Is the domain queried for an international domain name (IDN)? |

-| Blocklisted by Third Party | Is this indicator blocklisted by a third-party? |

-| Tor Exit Node Status | Is the IP address in questions associated with The Onion Router Network (Tor)? |

-| Open Ports Detected | When did Microsoft last port scan this IP address? |

-| Proxy Status | What is the proxy status of this indicator? |

-| Host Last Observed | Is the IP address in question internet accessible? |

-| Hosts a Web Server | Does the IP address have a DNS server that uses its resources to resolve the name into it for the appropriate web server? |

-## Next steps

-For more information, see:

-

-description: 'In this overview article, learn about Microsoft Defender Threat Intelligence (Defender TI)ΓÇÖs data sets feature.'

-# Data sets

-Microsoft centralizes numerous data sets into a single platform, Microsoft Defender Threat Intelligence (Defender TI), making it easier for MicrosoftΓÇÖs community and customers to conduct infrastructure analysis. MicrosoftΓÇÖs primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.

-Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.

-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, Whois, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details.

-

-## Resolutions

-Passive DNS (PDNS) is a system of record that stores DNS resolution data for a given location, record, and timeframe. This historical resolution data set allows users to view which domains resolved to an IP address and vice versa. This data set allows for time-based correlation based on domain or IP overlap.

-PDNS may enable the identification of previously unknown or newly stood-up threat actor infrastructure. Proactive addition of indicators to blocklists can cut off communication paths before campaigns take place. Users will find A record resolution data within the Resolutions data set tab and will find more types of DNS records in the DNS data set tab.

-Our PDNS resolution data includes the following:

-

-## Questions this data set may help answer:

-### Domains

- 

- 

- 

-

-### IP Addresses

- 

- 

-

- 

- 

- 

-## Whois

-Thousands of times a day, domains are bought and/or transferred between individuals and organizations. The process to make all of this happen is easy and only takes a few minutes and roughly $7 depending on the registrar provider. Beyond payment details, you must supply additional information about yourself, some of which gets stored as part of a Whois record once the domain has been set up. This would be considered a public domain registration. However, there are private domain registration services, where you can hide your personal information from your domainΓÇÖs Whois record. In these situations, the domain ownerΓÇÖs information is safe and replaced by their registrarΓÇÖs information. More actor groups are performing private domain registrations to make it more difficult for analysts to find other domains that they own. Defender TI provides a variety of data sets to find actorsΓÇÖ shared infrastructure when Whois records donΓÇÖt provide leads.

-Whois is a protocol that lets anyone query information about a domain, IP address, or subnet. One of the most common functions for Whois in threat infrastructure research is to identify or connect disparate entities based on unique data shared within Whois records. If you were reading carefully or ever purchased a domain yourself, you may have noticed that the content requested from the registrars is never verified. In fact, you could have put anything in the record (and a lot of people do) which would then be displayed to the world.

-Each Whois record has several different sections, all of which could include different information. Commonly found sections include ΓÇ£registrarΓÇ¥, ΓÇ£registrantΓÇ¥, ΓÇ£administratorΓÇ¥, and ΓÇ£technicalΓÇ¥ with each potentially corresponding to a different contact for the record. A lot of the time this data is duplicated across sections, but in some cases, there may be slight discrepancies, especially if an actor made a mistake. When viewing Whois information within Defender TI, you will see a condensed record that de-duplicates any data and notates which part of the record it came from. We have found this process greatly speeds up the analyst workflow and avoids any overlooking of data. The Defender TI's Whois information is powered by the WhoisIQΓäó database.

-Our Whois data includes the following:

-## Current Whois lookups

-

-Defender TIΓÇÖs current Whois repository highlights all domains in MicrosoftΓÇÖs Whois collection that are currently registered and associated with the Whois attribute of interest. This data highlights the domain's registration and expiration date, along with the email address used to register the domain. This data is displayed in the Whois Search tab of the platform.

-## Historical Whois lookups

-

-Defender TIΓÇÖs Whois History repository provides users with access to all known historical domain associations to Whois attributes based on the systemΓÇÖs observations. This data set highlights all domains associated with an attribute that a user pivots from displaying the first time and the last time we observed the association between the domain and attribute queried. This data is displayed in a separate tab next to the current Whois Search tab.

-**Questions this data set may help answer:**

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-## Certificates

-Beyond securing your data, SSL Certificates are a fantastic way for users to connect disparate network infrastructure. Modern scanning techniques allow us to perform data requests against every node on the Internet in a matter of hours, meaning we can easily associate a certificate to an IP address hosting it on a regular basis.

-Much like a Whois record, SSL certificates require information to be supplied by the user to generate the final product. Aside from the domain, the SSL certificate is being created for (unless self-signed), any of the additional information can be made up by the user. Where MicrosoftΓÇÖs users see the most value from SSL certificates is not necessarily the unique data someone may use when generating the certificate, but where it's hosted.

-To access an SSL certificate, it needs to be associated with a web server and exposed through a particular port (most often 443). Using mass Internet scans on a weekly basis, it's possible to scan all IP addresses and obtain any certificate being hosted to build a historic repository of certificate data. Having a database of IP addresses to SSL certificate mappings provides users with a way to identify overlaps in infrastructure.

-To further illustrate this concept, imagine an actor has set up a server with a self-signed SSL certificate. After several days, defenders become wise to their infrastructure and block the webserver hosting malicious content. Instead of destroying all their hard work, the actor merely copies all the contents (including the SSL certificate) and places them on a new server. As a user, a connection can now be made using the unique SHA-1 value of the certificate to say that both web servers (one blocked, one unknown) are connected in some way.

-What makes SSL certificates more valuable is that they are capable of making connections that passive DNS or Whois data may miss. This means more ways of correlating potential malicious infrastructure and identifying potential operational security failures of actors. Defender TI has collected over 30 million certificates from 2013 until the present day and provides users with the tools to make correlations on certificate content and history.

-SSL certificates are files that digitally bind a cryptographic key to a set of user-provided details. Using internet-scanning techniques, Defender TI collects SSL certificate associations from IP addresses on various ports. These certificates are stored inside of a local database and allow us to create a timeline for where a given SSL certificate appeared on the Internet.

-Our certificate data includes the following:

-

-When a user expands on a SHA1 hash, the user will be able to see details about the following, which includes:**

-

-**Questions this data set may help answer:**

- 

- 

- 

- 

- 

-## Subdomains

-A subdomain is an internet domain, which is part of a primary domain. Subdomains are also referred to as "hosts". As an example,`learn.microsoft.com` is a subdomain of `microsoft.com`. For every subdomain, there could be a new set of IP addresses to which the domain resolves to and this can be a great data source for finding related infrastructure.

-Our subdomain data includes the following:

-

-**Questions this data set may help answer:**

- 

- 

-## Trackers

-Trackers are unique codes or values found within web pages and often used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity. Often, actors will copy the source code of a victimΓÇÖs website they are looking to impersonate for a phishing campaign. Seldomly will actors take the time to remove these IDs that allow users to identify these fraudulent sites using MicrosoftΓÇÖs Trackers data set. Actors may also deploy tracker IDs to see how successful their cyber-attack campaigns are. This is similar to marketers when they leverage SEO IDs, such as a Google Analytics Tracker ID, to track the success of their marketing campaign.

-MicrosoftΓÇÖs Tracker data set includes IDs from providers like Google, Yandex, Mixpanel, New Relic, Clicky, and is continuing to grow on a regular basis.

-Our tracker data includes the following:

-

-**Questions this data set may help answer:**

- 

- 

- 

- 

- 

-## Components

-Web components are details describing a web page or server infrastructure gleaned from Microsoft performing a web crawl or scan. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure.

-Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.

-Our component data includes the following:

-

-**Questions this data set may help answer:**

- 

- 

- Magento v1.9 is so dated that Microsoft could not locate reliable documentation for that particular version.

- 

- 

-## Host pairs

-Host pairs are two pieces of infrastructure (a parent and a child) that share a connection observed from a virtual userΓÇÖs web crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference.

-Our host pair data includes the following:

-

-**Questions this data set may help answer:**

- 

- 

- 

-## Cookies

-Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain a state for the application or little bits of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and allows users to dig into everywhere we have observed specific cookie names across its crawling and data collection. Cookies are also used by malicious actors to keep track of infected victims or store data to be used later.

-Our cookie data includes the following:

-

-**Questions this data set may help answer:**

- 

- 

- 

-## Services

-Service names and port numbers are used to distinguish between different services that run over transport protocols such as TCP, UDP, DCCP, and SCTP. Port numbers can suggest what type of application is running on a particular port. But applications or services can be changed to use a different port to obfuscate or hide the service or application on an IP address. Knowing the port and header/banner information can identify the true application/service and the combination of ports being used. Defender TI surfaces 14 days of history within the Services tab, displaying the last banner response associated with a port observed.

-Our Services data includes the following:

- - Open

- - Filtered

- - Closed

-

-**Questions this data set may help answer:**

- 

- 

- 

- 

- 

- 

-## DNS

-Microsoft has been collecting DNS records over the years, providing users insight into mail exchange (MX) records, nameserver (NS) records, text (TXT) records, start of authority (SOA) records, canonical name (CNAME) records, and pointer (PTR) records. Reviewing DNS records can be helpful to identify shared infrastructure used by actors across the domains they own. For example, actor groups tend to use the same nameservers to segment their infrastructure or the same mail exchange servers to administer their command and control.

-Our DNS data includes the following:

-

-**Questions this data set may help answer:**

-## Reverse DNS

-While a forward DNS lookup queries the IP address of a certain hostname, a reverse DNS lookup queries a specific hostname of an IP address. This dataset will show similar results as the DNS dataset. Reviewing DNS records can be helpful to identify shared infrastructure used by actors across the domains they own. For example, actor groups tend to use the same nameservers to segment their infrastructure or the same mail exchange servers to administer their command and control.

-Our Reverse DNS data includes the following:

-

-**Questions This Data Set May Help Answer:**

-## Next steps

-For more information, see:

-

-description: 'In this tutorial, learn how to gather threat intelligence and infrastructure chain together indicators of compromise in Microsoft Defender Threat Intelligence (Defender TI). This article will cover a historical investigation of the MyPillow Magecart breach.'

-# Tutorial: Gathering threat intelligence and infrastructure chaining

-In this tutorial, you will learn how to:

- 

-## Prerequisites

- > [!NOTE]

- > Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.

-## Disclaimer

-Microsoft Defender Threat Intelligence (Defender TI) may include live, real-time observations and threat indicators, including malicious infrastructure and adversary-threat tooling. Any IP and domain searches within our Defender TI platform are safe to search.

-Microsoft will share online resources (e.g., IP addresses, domain names) that should be considered real threats posing a clear and present danger.

-We ask that users use their best judgment and minimize unnecessary risk while interacting with malicious systems when performing the tutorial below. Please note that Microsoft has worked to minimize risk by defanging malicious IP addresses, hosts, and domains.

-## Before You Begin

-As the disclaimer states above, suspicious, and malicious indicators have been defanged for your safety. Please remove any brackets from IPs, domains, and hosts when searching in Defender TI. Do not search these indicators directly in your browser.

-## Perform several types of indicator searches and gather threat and adversary intelligence

-In this tutorial, you will perform a series of steps to [infrastructure chain](infrastructure-chaining.md) together indicators of compromise (IOCs) related to a Magecart breach and gather threat and adversary intelligence along the way. Infrastructure chaining leverages the highly connected nature of the internet to expand one IOC into many based on overlapping details or shared characteristics. Building infrastructure chains enables threat hunters or incident responders to profile an adversary's digital presence, letting them quickly pivot across these data sets to create context around an incident or investigation, allowing for more effective triage of alerting and actioning of incidents within an organization.

-

-**Relevant Personas:** Threat Intelligence Analyst, Threat Hunter, Incident Responder, Security Operations Analyst

-### Magecart Breach

-Microsoft has been profiling and following the activities of Magecart, a syndicate of criminal cybergroups behind hundreds of breaches of online retail platforms by placing digital skimmers on compromised e-commerce sites.

-They do this by injecting a script designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers that websites might depend upon to make their sites function.

-Back in October 2018, they infiltrated MyPillowΓÇÖs online website, mypillow.com, to steal payment information by injecting a script into their web store that was hosted on a typo-squat domain containing the skimmer, mypiltow.com.

-The MyPillow breach was a two-stage attack, with the first skimmer only active for a brief time before being identified as illicit and removed, but the attackers still had access to MyPillowΓÇÖs network and on October 26, 2018, Microsoft observed that they registered a new domain, livechatinc[.]org

-Magecart actors will typically register a domain infringement to make it look as similar as possible to the legitimate domain, so that if youΓÇÖre looking at the JavaScript code, unless you look really carefully, you may not notice they injected their own script thatΓÇÖs capturing the credit card payment information and pushing it to their own infrastructure, as a way to hide essentially.

-But because our virtual users capture the DOM and find all the dynamic links and changes made by JavaScript from the crawls on the backend, we were able to detect that activity and pinpoint that fake domain that was hosting the injected script into the MyPillow webstore.

-1. Access the [Defender Threat Intelligence portal](https://ti.defender.microsoft.com/).

-2. Complete Microsoft authentication to access portal.

-3. Search ΓÇÿmypillow.comΓÇÖ in Defender TIΓÇÖs Threat Intelligence Home Page.

- a. What articles are associated with this domain?

- - Consumers May Lose Sleep Over These Two Magecart Breaches

- 

-4. Select the ΓÇÿConsumers May Lose Sleep Over These Two Magecart BreachesΓÇÖ Article.

- a. What information is available about this related campaign?

- - This article was published on March 20, 2019, and provides insights as to how MyPillow was breached by the Magecart threat actor group in October of 2018. The article details how the attack was executed.

-5. Select the Public Indicators tab.

- a. What IOCs are listed related to this campaign?

- - amerisleep.github[.]io

- - cmytuok[.]top

- - livechatinc[.]org

- - mypiltow[.]com

-6. Select All in the drop down of the search bar and query ΓÇÿmypillow.comΓÇÖ. Then, navigate to the Data tab.

- a. What data set might be useful in finding evidence of a script injection?

- - Host pairs reveal connections between websites traditional data sources wouldnΓÇÖt surface (pDNS, Whois) and enables you to see where your resources are being used and vice-versa.

-7. Select the Host Pairs Data blade, sort by First Seen, and filter by script.src as the Cause. Page over until you find host pair relationships that took place in October of 2018.

- a. Do you notice any typosquat mypillow domains?

- - Notice that mypillow[.]com is pulling content via a script from the typosquat, mypiltow.com (Oct 3-5) as evidence of the script injection breach

- 

-8. Pivot on ΓÇÿmypiltow[.]comΓÇÖ.

- a. At first glance, what appears different about this domain compared to mypillow.comΓÇÖs domain?

- - Reputation: Malicious, while mypillow.comΓÇÖs reputation is unknown

- 

- 

-9. Navigate to the Data tab and from the Resolutions results, pivot off the IP address that mypiltow[.]com resolved to during October of 2018. Repeat this step for mypillow.com as well.

- a. What do you notice about the differences in IP addresses between mypillow.com and mypiltow[.]com during October of 2018?

- - IP address, 195.161.41[.]65, mypiltow[.]com had resolved to, is hosted in Russia.

- - Different ASN used.

- 

- 

-10. Scroll to the Articles section.

- a. What other Articles have been published that relate to mypiltow.com?

- - RiskIQ: Magecart Injected URLs and C2 Domains, June 3-14, 2022

- - RiskIQ: Magecart injected URLs and C2 Domains, May 20-27, 2022

- - Commodity Skimming & Magecart Trends in First Quarter of 2022

- - RiskIQ: Magecart Group 8 Activity in Early 2022

- - Magecart Group 8 Real Estate: Hosting Patterns Associated with the Skimming Group

- - Inter Skimming Kit Used in Homoglyph Attacks

- - Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims

- 

-11. Review each of the additional articles from Step 9.

- a. What additional information can you find about the Magecart threat actor group? (targets, TTPs, additional IOCs, etc.)

-12. Navigate to the Data tab and select the Whois Data blade and compare the Whois information between ΓÇÿmypillow.comΓÇÖ and ΓÇÿmypiltow[.]comΓÇÖ

- a. What Whois values differ?

- - mypillow.com

- 1. If you select the Whois record from October of 2011, you will find that the domain is clearly owned by My Pillow Inc.

- 

- 2. mypiltow[.]com

- 3. If you select the Whois record from October of 2018, you will find that mypiltow[.]com was registered in Hong Kong SAR and is privacy protected by Domain ID Shield Service CO.

- 4. mypiltow[.]comΓÇÖs registrar is OnlineNIC, Inc.

- 

- b. What appears suspicious thus far about mypiltow[.]com given the A records and Whois details we have analyzed?

- - When assessing if mypiltow[.]com may be legitimate company infrastructure, an analyst should find it odd that a Russian IP is primarily guarded by a Chinese privacy service for a US based company.

-13. Search ΓÇÿlivechatinc[.]orgΓÇÖ in Defender TIΓÇÖs Threat Intelligence Home Page.

- a. What new articles are associated with this domain that we did not see when we searched mypillow.com in Part 1?

- - Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims

-14. Select the Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims article.

- a. What information is available about this related campaign?

- - The ΓÇÿMagecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of VictimsΓÇÖ article was published on March 18, 2020. In this article, we find out that Nutribullet, Amerisleep, ABS-CBN were also victims of the Magecart threat actor group.

-15. Select the Public Indicators tab.

- a. What IOCs are listed related to this campaign?

- - URLs

- 1. hxxps://coffemokko[.]com/tr/, hxxps://freshdepor[.]com/tr/, hxxps://prodealscenter[.]com/tr/, hxxps://scriptoscript[.]com/tr/, hxxps://swappastore[.]com/tr/

- 2. Domains

- - 3lift[.]org, abtasty[.]net, adaptivecss[.]org, adorebeauty[.]org, all-about-sneakers[.]org, amerisleep.github[.]io, ar500arnor[.]com, authorizecdn[.]com, bannerbuzz[.]info, battery-force[.]org, batterynart[.]com, blackriverimaging[.]org, braincdn[.]org, btosports[.]net, cdnassels[.]com, cdnmage[.]com, chicksaddlery[.]net, childsplayclothing[.]org, christohperward[.]org, citywlnery[.]org, closetlondon[.]org, cmytuok[.]top, coffemokko[.]com, coffetea[.]org, configsysrc[.]info, dahlie[.]org, davidsfootwear[.]org, dobell[.]su, elegrina[.]com, energycoffe[.]org, energytea[.]org, etradesupply[.]org, exrpesso[.]org, foodandcot[.]com, freshchat[.]info, freshdepor[.]com, greatfurnituretradingco[.]org, info-js[.]link, jewsondirect[.]com, js-cloud[.]com, kandypens[.]net, kikvape[.]org, labbe[.]biz, lamoodbighats[.]net, link js[.]link, livechatinc[.]org, londontea[.]net, mage-checkout[.]org, magejavascripts[.]com, magescripts[.]pw, magesecuritys[.]com, majsurplus[.]com, map-js[.]link, mcloudjs[.]com, mechat[.]info, melbounestorm[.]com, misshaus[.]org, mylrendyphone[.]com, mypiltow[.]com, nililotan[.]org, oakandfort[.]org, ottocap[.]org, parks[.]su, paypaypay[.]org, pmtonline[.]su, prodealscenter[.]com, replacemyremote[.]org, sagecdn[.]org, scriptoscript[.]com, security-payment[.]su, shop-rnib[.]org, slickjs[.]org, slickmin[.]com, smart-js[.]link, swappastore[.]com, teacoffe[.]net, top5value[.]com, track-js[.]link, ukcoffe[.]com, verywellfitnesse[.]com, walletgear[.]org, webanalyzer[.]net, zapaljs[.]com, zoplm[.]com

-16. Search mypillow.com in Defender TIΓÇÖs Threat Intelligence Home Page and select the Data tab. Select the Host Pairs Data blade. Sort by First Seen and locate Host Pair relationships that occurred in October of 2018.

- a. Do you notice a similar script relationship between mypillow.com and secure.livechatinc[.]org that mirrors the same relationship mypillow.com had with mypiltow[.]com?

- - Notice how www.mypillow.com was first observed reaching out to secure.livechatinc[.]org on 10/26/2018, because a script GET request was observed from www.mypillow.com to secure.livechatinc[.]org. That relationship lasted until 11/19/2018.

- 

- ii. In addition, secure.livechatinc[.]org reached out to www.mypillow.com to access www.mypillow.comΓÇÖs server (xmlhttprequest).

-17. Review mypillow.comΓÇÖs Host Pair relationships further.

- a. Does mypillow.com have any host pair relationships with a similar domain name to secure.livechatinc[.]org?

- - Yes. There are multiple types of observed relationships mypillow.com hosts had with the following domains:

- 1. cdn.livechatinc[.]com, secure.livechatinc[.]com, api.livechatinc[.]com

- - The relationship causes include:

- 1. script.src

- 2. iframe.src

- 3. unknown

- 4. topLevelRedirect

- 5. img.src

- 6. xmlhttprequest

- - Livechat is a live support chat service that online retailers can add to their websites, so itΓÇÖs a third-party resource and itΓÇÖs used by a lot of e-commerce platforms, including MyPillow. This fake domain is a little bit more interesting because their official site is actually livechatinc.com. Therefore, in this case, they used a top-level-domain typosquat to hide the fact they placed a second skimmer on the MyPillow website.

-18. Go back and find a host pair relationship with ΓÇÿsecure.livechatinc[.]orgΓÇÖ and pivot off that hostname.

- a. What IP address did this host resolve to during October of 2018?

- - 212.109.222[.]230

- 

- - Notice how this IP address is also hosted in Russia and the ASN Organization is JSC IOT.

- 

-19. Search ΓÇÿsecure.livechatinc[.]orgΓÇÖ in Defender TIΓÇÖs Threat Intelligence Home Page, select the Data tab, and click on the Whois blade. Select the record from 12/25/2018.

- a. What Registrar was used for this record?

- - OnlineNIC Inc.

- 1. This is the same Registrar that was used to register mypiltow[.]com during the same campaign.

- 2. If you select the record from 12/25/2018, you will notice that the domain was also using the same Chinese privacy guarding service, Domain ID Shield Service, that mypiltow[.]com had also used.

- b. What name servers were used for this record?

- - ns1.jino.ru

- - ns2.jino.ru

- - ns3.jino.ru

- - ns4.jino.ru

- 1. These were the same nameservers used in the 10/01/2018 record for mypiltow[.]com. Adversaries will often use the same nameservers to segment their infrastructure.

- 

- 

-20. Select the Host Pairs Data blade.

- a. What host pair relationships do you see from October and November of 2018?

- - secure.livechatinc[.]org redirected users to secure.livechatinc.com on 11/19/2022. This is more than likely an obfuscation technique to evade detection.

- - www.mypillow.com was pulling a script hosted on secure.livechatinc[.]org (the fake LiveChat site) from 10/26/2018 through 11/19/2022. During this timeframe, www.mypillow.comΓÇÖs user purchases were potentially compromised.

- - secure.livechatinc[.]org was requesting data from the server, www.mypillow.com, hosting the real MyPillow website (xmlhttprequest) between 10/27/2018 through 10/29/2018.

- 

- b. What do you believe these relationships mean?

-## Clean up resources

-There are no resources to clean up in this section.

-## Next Steps

-In this tutorial, you learned how to gather threat intelligence and infrastructure chain together indicators of compromise.

-

-description: 'In this tutorial, practice gathering vulnerability intelligence associated with the Darkside threat actor group using Microsoft Defender Threat Intelligence (Defender TI).'

-# Tutorial: Gathering vulnerability intelligence

-## In this tutorial, you will learn how to:

-

-## Prerequisites

- > [!NOTE]

- > Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.

-## Disclaimer

-Microsoft Defender Threat Intelligence (Defender TI) may include live, real-time observations and threat indicators, including malicious infrastructure and adversary-threat tooling. Any IP and domain searches within our Defender TI platform are safe to search.

-Microsoft will share online resources (e.g., IP addresses, domain names) that should be considered real threats posing a clear and present danger.

-We ask that users use their best judgment and minimize unnecessary risk while interacting with malicious systems when performing the tutorial below. Please note that Microsoft has worked to minimize risk by defanging malicious IP addresses, hosts, and domains.

-## Before You Begin

-As the disclaimer states above, suspicious, and malicious indicators have been defanged for your safety. Please remove any brackets from IPs, domains, and hosts when searching in Defender TI. Do not search these indicators directly in your browser.

-## Open Defender TIΓÇÖs Threat Intelligence Home Page

-## Learn about Defender TIΓÇÖs Threat Intelligence Home Page features

-1. Review the Search bar options by selecting the search bar and clicking on the All drop-down option.

- 

-2. Review the featured articles and articles within the Threat Intelligence Home Page.

- 

-## Perform several types of indicator searches to gather vulnerability intelligence

-1. Search ΓÇÿCVE-2020-1472' and review the associated vulnerability article, ΓÇÿCVE-2020-1472'.

- 

-2. The "Related Articles" tab displays the article titled ΓÇÿRiskIQ detections into components and indicators related to FireEyeΓÇÖs breach disclosure and countermeasuresΓÇÖ. Click on the article to investigate.

- 

-3. Review the articleΓÇÖs public indicators.

- 

-4. Search ΓÇÿ173.234.155[.]208ΓÇÖ IP address in the Threat Intelligence Search bar.

- 

-5. Review the Summary tab results that return: reputation, analyst insights, articles, services, resolutions, certificates, and projects.

- 

-6. Navigate to the Data tab and review the data and intelligence data sets: resolutions, Whois, certificates, trackers, components, cookies, services, dns, and articles.

- 

- 

-7. Navigate back to the Resolutions data blade and pivot on ΓÇÿmyaeroplan[.]comΓÇÖ.

- 

-8. Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, cookies, DNS, and reverse DNS data sets.

- 

-9. Take note of the following artifacts from steps 5 and 7:

- |&nbsp;|&nbsp;|

- | | |

- | Whois Address | 1928 E. Highland Ave. Ste F104 PMB# 255 |

- | Whois City | phoenix |

- | Whois State | az |

- | Whois Postal Code | 85016 |

- | Whois Country | United States |

- | Whois Phone | 13478717726 |

- | Whois Nameserver | ns0.1984[.]is |

- | Whois Nameserver | ns1.1984[.]is |

- | Whois Nameserver | ns2.1984[.]is |

- | Whois Nameserver | ns1.1984hosting[.]com |

- | Whois Nameserver | ns2.1984hosting[.]com |

- | Certificate Sha1 | [ead5b033ed4fd342261f389f0930aa7de1fba33d](https://ti.defender.microsoft.com/search/certificates?query=ead5b033ed4fd342261f389f0930aa7de1fba33d&field=sha1) |

- | Certificate Serial Number | 236976486488328334603103229327145294996 |

- | Certificate Issuer Common Name | COMODO RSA Domain Validation Secure Server CA |

- | Certificate Subject Common Name | myaeroplan[.]com |

- | Certificate Subject Alternative Name | [myaeroplan[.]com](https://ti.defender.microsoft.com/search/trackers/hosts?query=www.aeroplan.com&field=MarkOfTheWebSourceHost) |

- | Certificate Subject Alternative Name | www.myaeroplan[.]com |

- | Tracker type | MarkOfTheWebSourceHost |

- | Tracker value | [www.aeroplan.com](https://ti.defender.microsoft.com/search/trackers/hosts?field=MarkOfTheWebSourceHost&query=www.aeroplan.com) |

- | Component Name + Version | [Apache (v2.4.29)](https://ti.defender.microsoft.com/search/components/hosts?category=Server&query=Apache&version=2.4.29) |

- | Cookie Name | [PHPSESSID](https://ti.defender.microsoft.com/search/cookies/hosts?query=PHPSESSID&field=name) |

- | Cookie Domain | [myaeroplan[.]com](https://ti.defender.microsoft.com/search/cookies/hosts?query=myaeroplan.com&field=domain) |

- | Threat Articles | [Points Guys: Aeroplan Frequent Flyer Program Credential Harvesting Campaign](https://ti.defender.microsoft.com/articles/99527909)|

-10. Perform the respective artifact searches from step 8. Note: YouΓÇÖll want to reference the search options you learned from the Learn about Defender TIΓÇÖs Threat Intelligence Home Page features section.

-## Clean up resources

-There are no resources to clean up in this section.

-

-description: 'In this overview article, learn about the main features that come with Microsoft Defender Threat Intelligence (Defender TI). - Backup'

-# What is Microsoft Defender Threat Intelligence (Defender TI)? - Backup

-Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. Analysts spend a significant amount of time on data discovery, collection, and parsing, instead of focusing on what actually helps their organization defend themselves--deriving insights about the actors through analysis and correlation.?

-Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and donΓÇÖt always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure.

-Interacting with these data sets can be cumbersome and pivoting between these repositories is time-consuming, draining the resources of security operations groups that constantly need to re-prioritize their response efforts.

-Cyber Threat Intelligence Analysts struggle with balancing a breadth of threat intelligence ingestion with the analysis of which threat intelligence poses the biggest threats to their organization and/or industry.

-In the same breadth, Vulnerability Intelligence Analysts battle correlating their asset inventory with CVE information to prioritize the investigation and remediation of the most critical vulnerabilities associated with their organization.

-MicrosoftΓÇÖs goal is to re-imagine the analyst workflow by developing a platform, Defender TI, that aggregates and enriches critical data sources and displays data in an innovative, easy to use interface to correlate when indicators are linked to articles and vulnerabilities, infrastructure chain together indicators of compromise (IOCs), and collaborate on investigations with fellow Defender TI licensed users within their tenant. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a Threat Analysis & Intelligence Platform that allows for accurate and timely assessments of alerting is important.

-Below is a screenshot of Defender TIΓÇÖs Threat Intelligence Home Page. Analysts can quickly scan new featured articles as well as begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, artifact or CVE-ID search.

-

-## Defender TI articles

-Articles are narratives by Microsoft that provide insight into threat actors, tooling, attacks, and vulnerabilities. Defender TI featured and articles are not blog posts about threat intelligence; while they summarize different threats, they also link to actionable content and key indicators of compromise to help users take action. By including this technical information in the threat summaries, we enable users to continually track threat actors, tooling, attacks, and vulnerabilities as they change.

-## Featured articles

-The featured article section of the Defender TI Threat Intelligence Home Page (right below the search bar) shows you the featured Microsoft content:

-

-Clicking the article takes you to the underlying article content. The article synopsis gives the user a quick understanding of the article. The Indicators call-out shows how many Public and Defender TI indicators are associated with the article.

-

-## Articles

-All articles (including featured articles) are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by their creation date (descending):

-

-## Article descriptions

-The description section of the article detail screen contains information about the attack or attacker profiled. The content can range from very short (in the case of OSINT bulletins) or quite long (for long-form reporting ΓÇô especially when Microsoft has augmented the report with content). The longer descriptions may contain images, links to the underlying content, links to searches within Defender TI, attacker code snippets, and firewall rules to block the attack:

-

-## Public indicators

-The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources (e.g., VirusTotal for hashes).

-

-## Defender TI indicators

-The Defender TI indicators section covers the indicators that Defender TIΓÇÖs research team has found and added to the articles.

-These links also pivot into the relevant Defender TI data or the corresponding external source.

-

-## Vulnerability articles

-Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.

-Vulnerability Articles provide key context behind CVEs of interest. Each article contains a description of the CVE, a list of affected components, tailored mitigation procedures and strategies, related intelligence articles, references in Deep & Dark Web chatter, and other key observations. These articles provide deeper context and actionable insights behind each CVE, enabling users to more quickly understand these vulnerabilities and quickly mitigate them.

-Vulnerability Articles also include a Defender TI Priority Score and severity indicator. The Defender TI Priority Score is a unique algorithm which reflects the priority of a CVE based on the CVSS score, exploits, chatter, and linkage to malware. Furthermore, the Defender TI Priority Score evaluates the recency of these components so users can understand which CVEs should be remediated first.

-## Reputation scoring

-Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities, such as First and Last Seen timestamps, ASN, country/region, associated infrastructure, and a list of rules that impact the reputation score when applicable.

-

-IP reputation data is important to understanding the trustworthiness of your own attack surface and is also useful when assessing unknown hosts, domains or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity, or other known indicators of compromise that should be considered.

-For more information, see [Reputation scoring](reputation-scoring.md).

-## Analyst insights

-Analyst insights distill MicrosoftΓÇÖs vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels.

-Insights are meant to be small facts or observations about a domain or IP address and provide Defender TI users with the ability to make an assessment about the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.

-For more information, see [Analyst insights](analyst-insights.md).

-

-## Data sets

-Microsoft centralizes numerous data sets into a single platform, Defender TI, making it easier for MicrosoftΓÇÖs community and customers to conduct infrastructure analysis. MicrosoftΓÇÖs primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.

-Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.

-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.

-For more information, see:

-

-## Tags

-Defender TI tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.

-The Defender TI platform offers two types of tags: system tags and custom tags.

-For more information, see [Using tags](using-tags.md).

-

-## Projects

-MicrosoftΓÇÖs Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, and collaborators.

-When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can see a link to the project from the Projects sections in the Summary tab as well as Data tab. From here, the user can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. This helps analysts to avoid reinventing the wheel of an investigation one of their Defender TI tenant users may have already started or add onto that investigation by adding new artifacts (indicators of compromise) related to that project (if they have been added as a collaborator to the project).

-For more information, see [Using projects](using-projects.md).

-

-## Data residency, availability, and privacy

-Microsoft Defender Threat Intelligence contains both global data and customer-specific data. The underlying internet data is global Microsoft data; labels applied by customers are considered customer data. All customer data is stored in the region of the customerΓÇÖs choosing.

-For security purposes, Microsoft collects users' IP addresses when they log in. This data is stored for up to 30 days but may be stored longer if needed to investigate potential fraudulent or malicious use of the product.

-In the case of a region down scenario, customers should see no downtime as Defender TI uses technologies that replicate data to a backup regions.

-Defender TI processes customer data. By default, customer data is replicated to the paired region.

-## Next steps

-For more information, see:

-

-description: 'In this concept article, learn about infrastructure chaining and how you can apply that process to perform threat infrastructure analysis using Microsoft Defender Threat Intelligence (Defender TI).'

-# Infrastructure Chaining

-Infrastructure chaining leverages the relationships between highly connected datasets to build out an investigation. This process is the core of threat infrastructure analysis and allows organizations to surface new connections, group similar attack activity and substantiate assumptions during incident response.

-

-## Prerequisites

-1. Review [Microsoft Defender Threat Intelligence (Defender TI)ΓÇÖs Data sets overview article](data-sets.md)

-2. Review [Microsoft Defender Threat Intelligence (Defender TI)ΓÇÖs Searching and pivoting how-to article](searching-and-pivoting.md)

-## All you need is a starting point...

-We see attack campaigns employ a wide array of obfuscation techniques such as simple geo filtering to complex tactics like passive OS fingerprinting. This can potentially stop a point in time investigation in its tracks. The screenshot above highlights the concept of infrastructure chaining. With our data enrichment capability, we could start with a piece of malware that attempts to connect to an IP address (possibly a C2). That IP address may have hosted an SSL cert that has a common name such as a domain name. That domain may be connected to a page that contains a unique tracker in the code, such as a NewRelicID or some other analytic ID we may have observed elsewhere. Or, perhaps the domain may have historically been connected to other infrastructure that may shed light on our investigation. The main takeaway is that one data point taken out of context may not be especially useful but when we observe the natural connection to all this other technical data, we can start to stitch together a story.

-## An adversaryΓÇÖs outside-In perspective

-An adversaryΓÇÖs outside-in perspective enables them to take advantage of your continually expanding web and mobile presence that operates outside of your firewall.

-Approaching and interacting with the web and mobile properties as a real user enables MicrosoftΓÇÖs crawling, scanning, and machine-learning technology to disarm adversariesΓÇÖ evasion techniques by collecting user session data, detecting phishing, malware, rogue apps, unwanted content, and domain infringement at scale. This helps deliver actionable, event-based threat alerts and workflows in the form of [threat intelligence](index.md), [system tags](using-tags.md), [analyst insights](analyst-insights.md), and [reputation scores](reputation-scoring.md) associated with adversariesΓÇÖ infrastructure.

-As more threat data becomes available, more tools, education, and effort are required for analysts to understand the data sets and their corresponding threats. Microsoft Defender Threat Intelligence (Defender TI) unifies these efforts by providing a single view into multiple data sources.

-## Next steps

-For more information, see [Tutorial: Gathering threat intelligence and infrastructure chaining](gathering-threat-intelligence-and-infrastructure-chaining.md).

-

-description: In this quickstart, learn how to access Microsoft Defender Threat Intelligence (Defender TI) in the Microsoft Defender portal, as well as configure your profile and preferences and access help resources in the Defender portal.

-# Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations

->[!IMPORTANT]

-> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) will be retired and will no longer be accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal)

-This guide walks you through how to access Microsoft Threat Intelligence (Defender TI) from the Microsoft Defender portal, adjust the portalΓÇÖs theme to make it easier on your eyes when using it, and find sources for enrichment so you can see more results when gathering threat intelligence.

- :::image type="content" source="/defender/threat-intelligence/media/quickstart-intel-explorer.png" alt-text="Screenshot of the Microsoft Defender Threat Intelligence Intel explorer in the Microsoft Defender portal." lightbox="/defender/threat-intelligence/media/quickstart-intel-explorer.png":::

-## Prerequisites

- > [!NOTE]

- > Users without a Defender TI premium license can still access our free Defender TI offering.

-## Open Defender TI in the Microsoft Defender portal

-1. Access the [Defender portal](https://security.microsoft.com/) and complete the Microsoft authentication process. [Learn more about the Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal)

-2. Navigate to **Threat intelligence**. You can access Defender TI in the following pages:

- - Intel profiles

- - Intel explorer

- - Intel projects

- :::image type="content" source="/defender/threat-intelligence/media/quickstart-navigation.png" alt-text="Screenshot of the Microsoft Defender portal with the Threat intelligence navigation links highlighted." lightbox="/defender/threat-intelligence/media/quickstart-navigation.png":::

-## Adjust the Defender portalΓÇÖs display theme to dark or light mode

-By default, the Defender portalΓÇÖs display theme is set to light mode. To switch to dark mode, on the Defender portal, navigate to **Home** then select **Dark mode** on the upper right-right corner of the home page.

-

-

-To switch back to light mode, select **Light mode** in the same upper-right hand corner of the home page.

-

-## Get help and learn about Defender TI support resources

-Select the **Help** icon in the upper right-hand corner of the Defender portal. The side panel displays a search bar where you can type your problem or support question.

-You can also review MicrosoftΓÇÖs [licensing resources](https://www.microsoft.com/licensing/docs) and [privacy statement](https://privacy.microsoft.com/privacystatement) by selecting **Legal** and **Privacy & Cookies**, respectively, at the lower right hand of the **Help** side panel.

-## Sign out of the Defender portal

-1. Select the **My account** icon in the upper right-hand corner of the Defender portal.

-2. Select **Sign out**.

-## Clean up resources

-There are no resources to clean up in this section.

-### See also

-

-description: 'In this overview article, learn about the Microsoft Defender Threat Intelligence (Defender TI)ΓÇÖs reputation scoring feature.'

-# Reputation scoring

-Microsoft Defender Threat Intelligence (Defender TI) provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities (e.g. First and Last Seen timestamps, ASN, associated infrastructure) and a list of rules that impact the reputation score when applicable.

-Reputation data is important to understanding the trustworthiness of your own attack surface and is also useful when assessing unknown hosts, domains or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity, or other known indicators of compromise that should be considered.

-

-## Understanding reputation scores

-Reputation Scores are determined by a series of algorithms designed to quickly quantify the risk associated with an entity. We develop Reputation Scores based on our proprietary data by leveraging our crawling infrastructure, as well as IP information collected from external sources.

-

-## Detection methods

-Reputation Scores are determined by a series of factors, including known associations to blocklisted entities and a series of machine learning rules used to assess risk.

-## Scoring brackets

-Reputation Scores are displayed as a numerical score with a range from 0 to 100. An entity with a score of ΓÇ£0ΓÇ¥ has no known associations to suspicious activity or known indicators of compromise; a score of ΓÇ£100ΓÇ¥ indicates that the entity is malicious. Hosts, Domains, and IP Addresses are grouped into the following categories depending on their numerical score:

-| Score | Category | Description |

-|--|||

-| 75+ | Malicious | The entity has confirmed associations to known malicious infrastructure that appears on our blocklist and matches machine learning rules that detect suspicious activity. |

-| 50 ΓÇô 74 | Suspicious | The entity is likely associated to suspicious infrastructure based on matches to three or more machine learning rules. |

-| 25 ΓÇô 49 | Neutral | The entity matches at least two machine learning rules. |

-| 0 ΓÇô 24 | Unknown (Green) | If the score is ΓÇ£UnknownΓÇ¥ and green, the entity has returned at least one matched rule. |

-| 0 ΓÇô 24 | Unknown (Grey) | If the score is ΓÇ£UnknownΓÇ¥ and grey, the entity has not returned any rule matches. |

-## Detection rules

-Reputation scores are based on many factors that an analyst may reference to determine the relative quality of a domain or address. These factors are reflected in the machine learning rules that comprise the reputation scores. For example, ΓÇ£.xyzΓÇ¥ or ΓÇ£.ccΓÇ¥ top-level domains (TLDs) are generally more suspicious than ".comΓÇ¥ or ΓÇ£.orgΓÇ¥ TLDs. An ASN (Autonomous System Number) hosted by a low-cost or free hosting provider is more likely to be associated with malicious activity, as would a self-signed SSL certificate. This reputation model was developed by looking at relative occurrences of these features among both malicious and benign indicators to score the overall reputation of an entity.

-Please refer to the list below for examples of rules used to determine the suspiciousness of a host, domain, or IP address. Please note that this list is not comprehensive and is constantly changing; our detection logic and consequent capabilities are dynamic as they reflect the evolving threat landscape. For this reason, we do not publish a comprehensive list of the machine learning rules used to assess an entityΓÇÖs reputation.

-See the example reputation scoring rules below:

-| Rule Name | Description |

-||--|

-| SSL-Certificate Self-Signed | Self-signed certificates may indicate malicious behavior |

-| Tagged as Malicious | Tagged as malicious by a member within your organization |

-| Web components observed | The number of web components observed may indicate maliciousness |

-| Name server | Domain is using a name server that is more likely to be used by malicious infrastructure |

-| Registrar | Domains registered with this registrar are more likely to be malicious |

-| Registrant email provider | Domain is registered with an email provider that is more likely to register malicious domains |

-It is important to remember that these factors must be assessed holistically to make an accurate assessment on the reputation of an entity. The specific combination of indicators, rather than any individual indicator, can predict whether an entity is likely to be malicious or suspicious.

-## Severity

-When creating rules for the machine learning detection system, a severity rating is applied to it. Each rule is assigned ΓÇ£HighΓÇ¥, ΓÇ£MediumΓÇ¥ or ΓÇ£LowΓÇ¥ severity based on the level of risk associated with the rule.

-## Use cases

-### Incident triage, response and threat hunting

-Defender TIΓÇÖs reputation score, classification, rules, and description of rules can be used to quickly assess if an IP address or domain indicator is good, suspicious, or malicious. Other times, we may not have observed enough infrastructure associated with an IP address or domain to infer if the indicator is good or bad. If an indicator has an unknown or neutral classification, users are encouraged to perform a deeper investigation by reviewing our data sets to infer if the indicator is good or bad. If an indicatorΓÇÖs reputation includes an article association, users are encouraged to review those listed article(s) to learn more about how the indicator is linked to a potential threat actorΓÇÖs campaign, what industries or nations they may be targeting, associated TTPs, and identify other related indicators of compromise to broaden the scope of the incidentΓÇÖs response and hunting efforts.

-### Intelligence gathering

-Any associated articles can be shared with the analystΓÇÖs cyber threat intelligence team, so they have a clearer understanding of who may be targeting their organization.

-## Next steps

-For more information, see [Analyst insights](analyst-insights.md).

-

-description: 'Learn how to search and pivot across internet data sets, threat articles, vulnerability articles, and projects using Microsoft Defender Threat Intelligence (Defender TI).'

-# Searching and pivoting

-Microsoft Defender Threat Intelligence (Defender TI) offers a robust and flexible search engine to streamline the investigation process. The platform is designed to allow users to pivot across a wide variety of indicators from different data sources, making it easier than ever to discover relationships between disparate infrastructure. This article will help users understand how to conduct a search and pivot across different data sets to discover relationships between different artifacts.

-

-## Prerequisites

- > [!Note]

- > Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.

-## Open Defender TIΓÇÖs Threat Intelligence Home Page

-1. Access the [Defender Threat Intelligence Portal](https://ti.defender.microsoft.com/).

-2. Complete Microsoft authentication to access portal.

-## Performing threat intelligence searches and pivots

-Defender TIΓÇÖs Threat Intelligence search is both simple and powerful, designed to surface immediate key insights while also allowing users to directly interact with the datasets that comprise these insights. The search bar supports a wide variety of different inputs; users can search for specific artifacts as well as Article or Project names.

-### Search artifact types

-1. **IP address:** Search ΓÇÿ195.161.141[.]65ΓÇÖ in the Threat Intelligence Search bar. This action results in an IP Address search.

- 

-2. **Domain:** Search `fabrikam.com` in the Threat Intelligence Search bar. This action results in a Domain search.

- 

-3. **Host:** Search `canary.fabrikam.com` in the Threat Intelligence Search bar. This action results in a Host search.

- 

-4. **Keyword:** Search ΓÇÿapt29ΓÇÖ in the Threat Intelligence Search bar. This action results in a Keyword search. Keyword searches cover any type of keyword, which may include a term, email address, etc. Keyword searches result in associations with articles, projects, as well as data sets.

- 

-5. **CVE-ID:** Search ΓÇÿCVE-2021-40444ΓÇÖ in the Threat Intelligence Search bar. This action results in a CVE-ID Keyword search.

-6. **Article:** Search ΓÇÿCommodity Skimming & Magecart Trends in First Quarter of 2022ΓÇÖ in the Threat Intelligence Search bar. This action results in an Article search.

- 

-7. **Tag:** Select ΓÇÿTagΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿmagecartΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Tag search.

- > [!NOTE]

- > This does not return articles that share that tag value.

- 

-8. **Component:** Select ΓÇÿComponentΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿcobalt strikeΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Component search.

- 

-9. **Tracker:** Select ΓÇÿTrackersΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿ07d14d16d21d21d00042d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926ΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Tracker search. Note: In this example, this was a JarmHash Tracker type.

- > [!NOTE]

- > In this example, this was a JarmHash Tracker type.

- 

-10. **WHOIS Email:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿEmailΓÇÖ from the Threat Intelligence Search drop-down and type in domains@microsoft.com in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Email search.

- 

-11. **WHOIS Name:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿNameΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿMSN HostmasterΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Name search.

- 

-12. **WHOIS Organization:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿOrganizationΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿMicrosoft CorporationΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Organization search.

- 

-13. **WHOIS Address:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿAddressΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿOne Microsoft WayΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Address search.

- 

-14. **WHOIS City:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿCityΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿRedmondΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS City search.

- 

-15. **WHOIS State:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿStateΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿWAΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS State search.

- 

-16. **WHOIS Postal Code:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿPostal CodeΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿ98052ΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Postal Code search.

- 

-17. **WHOIS Country:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿCountryΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿUSΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Country/region search.

- 

-18. **WHOIS Phone:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿPhoneΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿ+1.4258828080ΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Phone search.

- 

-19. **WHOIS Nameserver:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿNameserverΓÇÖ from the Threat Intelligence Search drop-down and type in `ns1-03.azure-dns.com` in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Nameserver search.

- 

-20. **Certificate SHA-1:** Select ΓÇÿCertificateΓÇÖ > ΓÇÿSHA-1ΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿ35cd04a03ef86664623581cbd56e45ed07729678ΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Certificate SHA-1 search.

- 

-21. **Certificate Serial Number:** Select ΓÇÿCertificateΓÇÖ > ΓÇÿSerial NumberΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿ1137354899731266880939192213383415094395905558ΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Certificate Serial Number search.

- 

-22. **Certificate Issuer Common Name:** Select ΓÇÿCertificateΓÇÖ > ΓÇÿIssuer Common NameΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿMicrosoft Azure TLS Issuing CA 05ΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Certificate Issuer Common Name search.

- 

-23. **Certificate Issuer Alternative Name:** Select ΓÇÿCertificateΓÇÖ > ΓÇÿIssuer Alternative NameΓÇÖ from the Threat Intelligence Search drop-down and type in a certificate issuer alternative name in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Certificate Issuer Alternative Name search.

-24. **Certificate Subject Common Name:** Select ΓÇÿCertificateΓÇÖ > ΓÇÿSubject Common NameΓÇÖ from the Threat Intelligence Search drop-down and type in `*.oneroute.microsoft.com` in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Certificate Subject Common Name search.

- 

-25. **Certificate Subject Alternative Name:** Select ΓÇÿCertificateΓÇÖ > ΓÇÿSubject Alternative NameΓÇÖ from the Threat Intelligence Search drop-down and type in `oneroute.microsoft.com` in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Certificate Subject Alternative Name search.

- 

-26. **Cookie Name:** Select ΓÇÿCookieΓÇÖ > ΓÇÿNameΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿARRAffinityΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Cookie Name search.

- 

-27. **Cookie Domain:** Select ΓÇÿCookieΓÇÖ > ΓÇÿDomainΓÇÖ from the Threat Intelligence Search drop-down and type in `portal.fabrikam.com` in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a Cookie Domain search.

- 

-28. **Pivots:** For any of the searches performed in the steps above, there are artifacts with hyperlinks that you can pivot off to discover further enriched results associated with those indicators. Feel free to experiment with this on your own.

-## Search results

-### Key insights

-At the top of the page, the platform provides some basic information about the artifact. This information can include the following, depending on the artifact type:

-

-This section also shows any tags applied to the artifact or any projects that include it. Users can also add a tag or add the artifact to a project.

-## Summary tab

-### Overview

-The results of a Threat Intelligence search are grouped into two tabs: ΓÇ£SummaryΓÇ¥ and ΓÇ£Data.ΓÇ¥ The Summary tab provides key insights about an artifact that the platform has derived from our expansive datasets. This section is designed to surface key findings that can help kickstart an investigation.

-### Reputation

-Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. Reputation Scores are displayed as a numerical score with a range from 0 to 100. An entity with a score of ΓÇ£0ΓÇ¥ has no known associations to suspicious activity or known indicators of compromise; a score of ΓÇ£100ΓÇ¥ indicates that the entity is malicious.

-The platform provides a list of rules with a description and severity rating. In the example below, we see four ΓÇ£high severityΓÇ¥ rules that are applicable to this domain.

-For more information, see [Reputation scoring](reputation-scoring.md).

-

-### Analyst insights

-The Analyst Insights section provides quick insights about the artifact that may help determine the next step in an investigation. This section will list any insights that apply to the artifact and those that do not apply for additional visibility. In the below example, we can quickly determine that the IP Address is routable, hosts a web server, and had an open port within the past five days. Furthermore, the system displays rules that were not triggered, which can be equally helpful when kickstarting an investigation.

-For more information, see [Analyst insights](analyst-insights.md).

-

-### Articles

-The Articles section displays any articles that may provide insight on how to best investigate and ultimately disarm the impacted artifact. These articles are written by researchers who study the behavior of known threat actors and their infrastructure, surfacing key findings that can help others mitigate risk to their organization. In this example, the searched IP Address has been identified as an IOC that relates to the findings within the article.

-For more information, see [What is Microsoft Defender Threat Intelligence (Defender TI)?](index.md)

-

-### Services

-This section lists any detected services running on the IP address artifact. This is helpful when trying to understand the intended use of the entity. When investigating malicious infrastructure, this information can help determine the capabilities of an artifact, enabling users to proactively defend their organization based on this information

-

-### Resolutions

-Resolutions are individual DNS records captured using passive sensors distributed throughout the world. These values reveal a history of how a Domain or IP address changes infrastructure over time. They can be used to discover additional infrastructure and measure risk based on levels of connection. For each resolution, we provide ΓÇ£first seenΓÇ¥ and ΓÇ£last seenΓÇ¥ timestamps to showcase the lifecycle of the resolutions.

-

-### Certificates

-Beyond securing your data, SSL Certificates are a fantastic way for users to connect disparate network infrastructure. SSL certificates can make connections that passive DNS or WHOIS data may miss. This means more ways of correlating potential malicious infrastructure and identifying potential operational security failures of actors. For each SSL certificate, we provide the certificate name, expiration date, subject common name, and subject organization name.

-

-### Projects

-The Defender TI platform allows users to create projects for organizing indicators of interest or compromise from an investigation. Projects are also created to monitor connecting artifacts for improved visibility. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, collaborators, and monitoring profiles.

-When a user searches an IP address, domain, or host, if that indicator is listed within a project the user has access to, the user can select the Projects tab and navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information.

-For more information, see [Using projects](using-projects.md).

-

-## Data tab

-### Overview

-The Data tab helps users deep-dive into the tangible connections observed by the Defender TI platform. While the Summary tab surfaces key findings to provide immediate context about an artifact, the Data tab enables analysts to study these connections much more granularly. Users can click on any returned value to pivot across any related metadata.

-

-### Data types

-The following datasets are available in Defender TI:

-These separate datasets will appear in separate tabs after submitting a search. The results are clickable, enabling a user to quickly pivot across related infrastructure to unveil insights that may have been missed with traditional investigative methods.

-### Resolutions

-Passive DNS is a system of record that stores DNS resolution data for a given location, record, and timeframe. This historical resolution data set allows users to view which domains resolved to an IP address and vice versa. This data set allows for time-based correlation based on domain or IP overlap.

-PDNS may enable the identification of previously unknown or newly stood-up threat actor infrastructure. Proactive addition of indicators to blocklists can cut off communication paths before campaigns take place. Users will find A record resolution data within the Resolutions data set tab and will find more types of DNS records in the DNS data set tab.

-Our PDNS resolution data includes the following:

-

-### WHOIS

-WHOIS is a protocol that lets anyone query information about the ownership of a domain, IP address, or subnet. One of the most common functions for WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared within WHOIS records.

-Each WHOIS record has several different sections, all of which could include different information. Commonly found sections include ΓÇ£registrarΓÇ¥, ΓÇ£registrantΓÇ¥, ΓÇ£administratorΓÇ¥, and ΓÇ£technicalΓÇ¥ with each potentially corresponding to a different contact for the record. A lot of the time this data is duplicated across sections, but in some cases, there may be slight discrepancies, especially if an actor made a mistake. When viewing WHOIS information within Defender TI, you will see a condensed record that de-duplicates any data and notates which part of the record it came from.

-Users can also view historic WHOIS records to understand how the registration data has changed over time.

-Our WHOIS data includes the following:

-

-### Certificates

-Beyond securing your data, SSL Certificates are a fantastic way for users to connect disparate network infrastructure. Modern scanning techniques allow us to perform data requests against every node on the Internet in a matter of hours, meaning we can easily associate a certificate to an IP address hosting it on a regular basis.

-Much like a WHOIS record, SSL certificates require information to be supplied by the user to generate the final product. Aside from the domain, the SSL certificate is being created for (unless self-signed), any of the additional information can be made up by the user. Where our users see the most value from SSL certificates is not necessarily the unique data someone may use when generating the certificate, but where it's hosted.

-What makes SSL certificates more valuable is that they can make connections that passive DNS or WHOIS data may miss. This means more ways of correlating potential malicious infrastructure and identifying potential operational security failures of actors. Microsoft has collected over 30 million certificates from 2013 until the present day and provides users with the tools to make correlations on certificate content and history.

-Our certificate data includes the following:

-

-When a user clicks on a Sha1 hash, the user will be able to see details about the certificate in the right-hand pane, which includes:

-

-### Subdomains

-A subdomain is an internet domain, which is part of a primary domain. Subdomains are also referred to as "hosts". As an example, `learn.microsoft.com` is a subdomain of `microsoft.com`. For every subdomain, there could be a new set of IP addresses to which the domain resolves to and this can be a great data source for finding related infrastructure.

-Our subdomain data includes the following:

-

-### Trackers

-Trackers are unique codes or values found within web pages and often used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity. Often, actors will copy the source code of a victimΓÇÖs website they are looking to impersonate for a phishing campaign. Seldomly will actors take the time to remove these IDs that allow users to identify these fraudulent sites using our Trackers data sets.

-MicrosoftΓÇÖs Tracker data set includes IDs from providers like Google, Yandex, Mixpanel, New Relic, Clicky, and is continuing to grow on a regular basis.

-Our tracker data includes the following:

-

-### Components

-Web components are details describing a web page or server infrastructure gleaned from Microsoft performing a web crawl or scan. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure.

-Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.

-Our component data includes the following:

-

-### Host pairs

-Host pairs are two pieces of infrastructure (a parent and a child) that share a connection observed from a MicrosoftΓÇÖs virtual userΓÇÖs web crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference.

-Our host pair data includes the following:

-

-### Cookies

-Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain a state for the application or little bits of tracking data. We highlight and index cookie names observed when crawling a website and allow users to dig into everywhere the system has observed specific cookie names across its crawling and data collection.

-Our cookie data includes the following:

-

-### Services

-Service names and port numbers are used to distinguish between different services that run over transport protocols such as TCP, UDP, DCCP, and SCTP. Port numbers can suggest what type of application is running on a particular port. But applications or services can be changed to use a different port to obfuscate or hide the service or application on an IP address. Knowing the port and header/banner information can identify the true application/service and the combination of ports being used. Defender TI surfaces 14 days of history within the Services tab, displaying the last banner response associated with a port observed.

-Our Services data includes the following:

- - Open

- - Filtered

- - Closed

-

-### DNS

-Microsoft has been collecting DNS records over the years, providing users insight into mail exchange (MX) records, nameserver (NS) records, text (TXT) records, start of authority (SOA) records, canonical name (CNAME) records, and pointer (PTR) records. Reviewing DNS records can be helpful to identify shared infrastructure used by actors across the domains they own. For example, actor groups tend to use the same nameservers to segment their infrastructure or the same mail exchange servers to administer their command and control.

-Our DNS data includes the following:

-

-### Reverse DNS

-While a forward DNS lookup queries the IP address of a certain hostname, a reverse DNS lookup queries a specific hostname of an IP address. This dataset will show comparable results as the DNS dataset. Reviewing DNS records can be helpful to identify shared infrastructure used by actors across the domains they own. For example, actor groups tend to use the same nameservers to segment their infrastructure or the same mail exchange servers to administer their command and control.

-Our reverse DNS data includes the following:

-

-### Intelligence

-The intelligence section highlights any curated insights in the Defender TI platform, whether derived from our Research Team via Articles or your own team via Projects. The Intelligence section helps users understand key additional context behind a queried artifact; analysts can learn from the investigation efforts of the larger security community to jumpstart their own.

-

-### Articles

-The Articles section displays any articles that may provide insight on how to best investigate and ultimately disarm the impacted artifact. These articles are written by researchers who study the behavior of known threat actors and their infrastructure, surfacing key findings that can help others mitigate risk to their organization. In this example, the searched IP Address has been identified as an IOC that relates to the findings within the article.

-For more information, see [What is Microsoft Defender Threat Intelligence (Defender TI)?](index.md)

-

-### Projects

-One of the primary byproducts from infrastructure analysis is almost always a set of indicators that tie back to a threat actor or group of actors. These indicators serve as a way of identifying threat actors when they initiate an attack campaign. Developing insight into adversaryΓÇÖs tactics, techniques, and procedures (TTPs) of how the threat actors operate. Projects provide a method to identify adversaries by their TTPs and to track how the adversaryΓÇÖs infrastructure is changing over time.

-When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can select the Projects blade within the Intelligence section and navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information.

-Visiting a project's details shows a listing of all associated artifacts and a detailed history that retains all the context described above. Users within the same organization no longer need to spend time communicating back and forth. Threat actor profiles can be built within Defender TI and serve as a "living" set of indicators. As new information is discovered or found, it can be added to that project.

-The Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation.

-For more information, see [Using projects](using-projects.md).

-

-## Next steps

-For more information, see:

-description: Learn about Microsoft Defender Threat Intelligence capabilities embedded in Copilot for Security.

-keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins

- - Tier1

- - security-copilot

-# Microsoft Copilot for Security and Microsoft Defender Threat Intelligence

-Microsoft Copilot for Security is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot).

-**Copilot for Security integrates with Microsoft Defender Threat Intelligence**

-Copilot for Security delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Microsoft Defender Threat Intelligence (Defender TI). You can use the prompts and promptbooks to investigate incidents, enrich your hunting flows with threat intelligence information, or gain more knowledge about your organization's or the global threat landscape.

-This article introduces you to Copilot and includes sample prompts that can help Defender TI users.

-## Know before you begin

- - Show me threat intelligence data for Aqua Blizzard.

- - Summarize threat intelligence data for "malicious.com."

-

- 

- > [!NOTE]

- > For a walkthrough on Copilot, including the pin and share feature, read [Navigate Microsoft Copilot for Security](/security-copilot/navigating-security-copilot).

-[Learn more about creating effective prompts](/security-copilot/prompting-tips)

-## Using Copilot for Security standalone portal to get threat intelligence

-1. Go to [Microsoft Copilot for Security](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials.

-2. Make sure that the Defender TI plugin is turned on. In the prompt bar, select the **Sources** icon .

- 

-

-

- In the **Manage sources** pop-up window that appears, under **Plugins**, confirm that the **Microsoft Defender Threat Intelligence** toggle is turned on, then close the window.

- 

- > [!NOTE]

- > Some roles can turn the toggle on or off for plugins like Defender TI. For more information, read [Manage plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins).

-3. Enter your prompt in the prompt bar.

-### Built-in system features

-Copilot for Security has built-in system features that can get data from the different plugins that are turned on.

-To view the list of built-in system capabilities for Defender TI:

-1. In the prompt bar, select the **Prompts** icon .

- 

-2. Select **See all system capabilities**. The *Microsoft Defender Threat Intelligence* section lists all the available capabilities for Defender TI that you can use.

-Copilot also has the following promptbooks that also deliver information from Defender TI:

-To view these promptbooks, in the prompt bar, select the **Prompts** icon then select **See all promptbooks**.

-### Sample prompts for Defender TI

-You can use many prompts to get information from Defender TI. This section lists some ideas and examples.

-#### General information about threat intelligence trends

-Get threat intelligence from threat articles and threat actors.

-**Sample prompts** :

-#### IP address and host contextual information in relation to threat intelligence

-Get information on datasets associated with IP addresses and hosts, such as ports, reputation scores, components, certificates, cookies, services, and host pairs.

-**Sample prompts**:

-#### Threat actor mapping and infrastructure

-Get information on threat actors and the tactics, techniques, and procedures (TTPs), sponsored states, industries, and IOCs associated with them.

-**Sample prompts**:

-#### Vulnerability data by CVE

-Get contextual information and threat intelligence on Common Vulnerabilities and Exposures (CVEs).

-**Sample prompts**:

-### Provide feedback

-Your feedback on the Defender TI integration with Copilot for Security helps with development. To provide feedback, in Copilot, select **HowΓÇÖs this response?** At the bottom of each completed prompt and choose any of the following options:

-For each feedback button, you can provide more information in the next dialog box that appears. Whenever possible, and when the result is **Needs improvement**, write a few words explaining what can be done to improve the outcome. If you entered prompts specific to Defender TI and the results aren't related, then include that information.

-## Using Microsoft Copilot in Defender to get threat intelligence

-Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Microsoft Defender portal. To ensure that you have access to Copilot, see the [Copilot for Security purchase and licensing information](/security-copilot/faq-security-copilot).

-Once you have access to Copilot for Security, the key features discussed in the next section become accessible in the following *Threat intelligence* sections of the Defender portal:

-### Key features

-Copilot in Defender brings Copilot for SecurityΓÇÖs capability to look up threat intelligence into the portal, letting security teams understand, prioritize, and take action on threat intelligence information immediately.

-You can ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, and Copilot generates responses based on threat analytics reports, intel profiles and articles, and other Defender TI content. You can also select any of the available built-in prompts that let you do the following actions:

-[Learn more about using Copilot in Defender for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md)

-## Data processing and privacy

-When you interact with Copilot for Security to get Defender TI data, Copilot pulls that data from Defender TI. The prompts, the data retrieved, and the output shown in the prompt results are processed and stored within the Copilot service. [Learn more about privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security)

-### See also

-

-description: 'Learn how to sort, filter and download data using Microsoft Defender Threat Intelligence (Defender TI).'

-# Sorting, filtering, and downloading data

-The Microsoft Defender Threat Intelligence (Defender TI) platform enables analysts to access our vast collection of crawling data in an indexed and pivot table format. These data sets can be very large, returning expansive amounts of historic and recent data. Thus, allowing analysts to appropriately sort and filter the data provides the ability easily to surface the connections of interest.

-

-In this how-to article, youΓÇÖll learn how to sort and filter data for the following data sets:

-For more information, see [Data sets](data-sets.md).

-In this how-to article, youΓÇÖll also learn how to download indicators/artifacts from the following features:

-## Prerequisites

- > [!NOTE]

- > Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.

-## Open Defender TIΓÇÖs Threat Intelligence Home Page

-1. Access the [Defender Threat Intelligence Portal](https://ti.defender.microsoft.com/).

-2. Complete Microsoft authentication to access portal.

-## Sorting data

-The sorting function on the Data tab enables users to quickly sort our datasets by the column values. By default, most results are sorted by ΓÇ£Last SeenΓÇ¥ (descending) so that the most recently observed results appear at the top of the list; this surfaces the most recent data to immediately provide insight on the current infrastructure of an artifact. Currently, all data sets are sortable by the following ΓÇ£First SeenΓÇ¥ and ΓÇ£Last SeenΓÇ¥ values:

-Data can be sorted across each data set blade within the Data tab for each IP, domain, or host entity that is searched or pivoted on.

-1. Search a domain, IP address, or host in the Defender TI Threat Intelligence search bar and navigate to the Data tab.

-2. Apply sorting preferences to the First Seen and Last Seen columns within the Resolutions Data blade.

-

-## Filtering data

-Data filtering allows analysts to access a select group of data based on a particular metadata value. For instance, an analyst can select to only view IP resolutions discovered from a select source, or components of a particular type (e.g. servers, frameworks). This enables users to narrow the query results to items of particular interest. Since the Threat Intelligence platform provides specific metadata that coincides with particular data types, the filter options will be different for each data set.

-## Resolution filters

-The following filters apply to resolution data:

-1. Search a domain, IP address, or host in the Defender TI Threat Intelligence search bar and navigate to the Data tab.

-2. Apply filters to each of the types of filter options noted above within the Resolutions Data blade.

-

-## Tracker filters

-The following filters apply to tracker data:

-1. Search a domain, IP address, or host in the Defender TI Threat Intelligence search bar and navigate to the Data tab.

-2. Navigate to the Trackers Data blade.

-3. Apply filters to each of the types of filter options noted above within the Trackers Data blade.

-

-## Component filters

-The following filters apply to component data:

-1. Search a domain, IP address, or host in the Defender TI Threat Intelligence search bar and navigate to the Data tab.

-2. Navigate to the Components Data blade.

-3. Apply filters to each of the types of filter options noted above within the Components Data blade.

-

-## Host pair filters

-The following filters apply to host pair data:

-1. Search a domain, IP address, or host in the Defender TI Threat Intelligence search bar and navigate to the Data tab.

-2. Navigate to the Host Pairs Data blade.

-3. Apply filters to each of the types of filter options noted above within the Host Pairs Data blade.

-

-## DNS & Reverse DNS filters

-The following filters apply to DNS and Reverse DNS data:

-1. Search a domain, IP address, or host in the Defender TI Threat Intelligence search bar and navigate to the Data tab.

-2. Navigate to the DNS and later, Reverse DNS Data blades.

-3. Apply filters to each of the types of filter options noted above within the DNS and Reverse DNS Data blades.

-

-## Downloading data

-In Defender TI, there are various sections that a user can download data as a csv export. Users need to look out for the download icon to export data as a csv.

-

-Data can be downloaded within the following sections:

-The following headers are exported as a result of downloading Resolutions, DNS, and reverse DNS data:

-| &nbsp; | &nbsp; |

-|-|-|

-| **Resolve** | A record associated with the domain searched (resolving IP Address) or domain that has resolved to an IP address when an IP address is searched |

-| **Location** | Country/region the IP address is hosted in |

-| **Network** | Netblock or subnet |

-| **autonomousSystemNumber** | Autonomous System Number |

-| **firstSeen** | Date / Time when Microsoft first observed the resolution (format: mm/dd/yyyy hh:mm) |

-| **lastSeen** | Date / Time when Microsoft last observed the resolution (format: mm/dd/yyyy hh:mm) |

-| **Source** | Source that observed this resolution |

-| **Tags** | Custom or system tags associated with the artifact |

-The following headers are exported as a result of downloading Subdomains data:

-| &nbsp; | &nbsp; |

-|-|-|

-| **hostname** | Subdomain of the domain searched |

-| **tags** | Custom or system tags associated with the artifact |

-The following headers are exported as a result of downloading Trackers data:

-| &nbsp; | &nbsp; |

-|-|-|

-| **hostname** | Hostname that observed or is currently observing the tracker |

-| **firstSeen** | Date / Time when Microsoft first observed the hostname was using the tracker (format: mm/dd/yyyy hh:mm) |

-| **lastSeen** | Date / Time when Microsoft first observed the hostname was using the tracker (format: mm/dd/yyyy hh:mm) |

-| **attributeType** | Type of tracker |

-| **attributeValue** | Tracker value |

-| **Tags** | Custom or system tags associated with the artifact |

-The following headers are exported as a result of downloading Components data:

-| &nbsp; | &nbsp; |

-|-|-|

-| **hostname** | Hostname that observed or is currently observing the component |

-| **firstSeen** | Date / Time when Microsoft first observed the hostname was using the tracker (format: mm/dd/yyyy hh:mm |

-| **lastSeen** | Date / Time when Microsoft last observed the hostname was using the component (format: mm/dd/yyyy hh:mm |

-| **category** | Type of component |

-| **name** | Name of the component |

-| **version** | Version of the component |

-| **Tags** | Custom or system tags associated with the artifact |

-The following headers are exported as a result of downloading Host Pairs data:

-| &nbsp; | &nbsp; |

-|-|-|

-| **parentHostname** | The hostname that is reaching out to the child hostname |

-| **childHostname** | The hostname that is feeding assets they host to the parent hostname. |

-| **firstSeen** | Date / Time when Microsoft first observed the relationship between the parent and child hostname (format: mm/dd/yyyy hh:mm) |

-| **lastSeen** | Date / Time when Microsoft last observed the relationship between the parent and child hostname (format: mm/dd/yyyy hh:mm) |

-| **attributeCause** | The cause of the relationship between the parent and child hostname |

-| **Tags** | Custom or system tags associated with the artifact |

-The following headers are exported as a result of downloading Cookies data:

-| &nbsp; | &nbsp; |

-|-|-|

-| **hostname** | Hostname that observed the Cookie name |

-| **firstSeen** | When the Cookie name was first observed to the hostname originating from the Cookie Domain (format: mm/dd/yyyy hh:mm) |

-| **lastSeen** | Date / time when the Cookie name was last observed to the hostname originating from the Cookie Domain (format: mm/dd/yyyy hh:mm) |

-| **cookieName** | Name of the cookie |

-| **cookieDomain** | The domain nameΓÇÖs server the cookie name originated from |

-| **Tags** | Custom or system tags associated with the artifact |

-The following headers are exported as a result of downloading projects lists for my, team, and shared projects:

-| &nbsp; | &nbsp; |

-|-|-|

-| **name** | Name of project |

-| **artifacts (count)** | Count of artifacts within the project |

-| **created by (user)** | User who created the project |

-| **created on** | When the project was created |

-| **tags** | Custom or system tags associated with the artifact |

-| **collaborators** | Who has been added as collaborator(s) to the project. This is only visible for projects that have been downloaded from the My Projects and Shared Projects pages. |

-The following headers are exported as a result of downloading project details (artifacts) from a project:

-| &nbsp; | &nbsp; |

-|-|-|

-| **artifact** | Artifact value (e.g. IP address, domain, host, WHOIS value, certificate SHA-1, etc.) |

-| **type** | Type of artifact (e.g. IP, domain, host, WHOIS Organization, WHOIS Phone, Certificate SHA-1, etc.) |

-| **created** | Date / Time when the artifact was added to the project (format: mm/dd/yyyy hh:mm) |

-| **creator** | Email address of user who added the artifact |

-| **context** | How the artifact was added to the project |

-| **tags** | Custom or system tags associated with the artifact |

-| **collaborators** | Who has been added as collaborator(s) to the project. This is only visible for projects that have been downloaded from the My Projects and Shared Projects pages. |

-The following headers are exported as a result of downloading threat intelligence public or riskiq indicators:

-| &nbsp; | &nbsp; |

-|-|-|

-| **type** | Type of indicator (e.g. ip, certificate, domain, _sha256) |

-| **value** | Value of the indicator (e.g. IP address, domain, hostname) |

-| **source** | Source of indicator (RiskIQ or OSINT) |

-## Next steps

-For more information, see [Data sets](data-sets.md).

-description: Learn about Copilot for Security embedded experience in Microsoft Defender for Microsoft Defender Threat Intelligence.

-keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins

- - Tier1

- - security-copilot

-# Using Microsoft Copilot for Security for threat intelligence

-**Applies to:**

-Microsoft Copilot in Defender applies the capabilities of [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) to deliver Microsoft Defender Threat Intelligence (Defender TI) information about threat actors and tools, as well as contextual threat intelligence, directly into the Microsoft Defender portal. Based on threat analytics reports, intel profiles, and other available Defender TI content, you can use Copilot in Defender to summarize the latest threats affecting your organization, know which threats to prioritize based on your exposure level, or gain more knowledge about your organization's or the global threat landscape.

-> [!NOTE]

-> Defender TI capabilities are also available in Copilot for Security standalone experience through the Microsoft Defender Threat Intelligence plugin. [Learn more about Defender TI integration with Copilot for Security](security-copilot-and-defender-threat-intelligence.md)

-## Technical requirements

-Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal. [Learn how you can get started with Copilot for Security](/security-copilot/get-started-security-copilot)

-## Accessing Copilot in Defender for threat intelligence content

-You can experience Copilot for SecurityΓÇÖs capability to look up threat intelligence in the following pages of the Defender portal:

-## Try your first request

-1. Open any of the pages mentioned previously from the Defender portal navigation bar. The Copilot side pane appears on the right hand side.

- :::image type="content" source="/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png" alt-text="Screenshot of the Microsoft Defender portal Threat analytics page with the open Microsoft Copilot in Defender side pane highlighted." lightbox="/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png":::

- You can also reopen Copilot by selecting the **Copilot icon**  at the top of the page.

-2. In the Copilot prompt bar, ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, then select the **Send message** icon 

-3. Copilot generates a response from your text instruction or question. While Copilot is generating, you can cancel the response by selecting **Stop generating**.

-

- 

-4. Review the generated response. Copilot typically generates responses that include summaries and links to related Defender TI intel profiles and articles.

- 

-5. You can provide feedback about the generated response by selecting the **Provide feedback** icon  and choosing **Confirmed, it looks great**; **Off-target, inaccurate**; or **Potentially harmful, inappropriate**. [Learn more](/microsoft-365/security/defender/security-copilot-in-microsoft-365-defender#data-security-and-feedback-in-copilot)

-6. To start a new chat session with Copilot, select the **New chat** icon .

-> [!NOTE]

-> Copilot saves your sessions from the Defender portal in the [Copilot for Security standalone portal](https://go.microsoft.com/fwlink/?linkid=2247989). To see the previous sessions, from the Copilot [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**. [Learn more about navigating Microsoft Copilot for Security](/security-copilot/navigating-security-copilot)

-> [!IMPORTANT]

-> Copilot in Defender starts a new chat session every time you navigate to a different *Threat intelligence* page (for example, when you go from *Threat analytics* to *Intel profiles*) in the Defender portal. If you wish to go back or continue a previous session, go to the Copilot for Security standalone portal.

-## Use the built-in Defender TI prompts

-Copilot in Defender also has the following built-in prompts when accessing the *Threat intelligence* pages to get you started:

-### Summarize the latest threats related to your organization

-Gathering and digesting threat intelligence data and trends can be a daunting task, especially when they come from multiple data sets and sources. Choose the **Summarize** prompt if you want Copilot to give you an overview of the latest threats in your environment. Copilot lists and summarizes relevant campaigns, activities, and threat actors, and includes links to related threat analytics reports or intel profiles for more information.

-### Prioritize which threats to focus on

-Copilot provides insights on which threats you should prioritize and focus on based on your environment's highest exposure level to these threats. Choose the **Prioritize** prompt if you want to find out which threats are likely to significantly impact your organization. This prompt gives you a starting point and could thus make triaging, investigating, and mitigating incidents less complex.

-### Ask about the threat actors targeting the communications infrastructure

-An important aspect of threat intelligence is keeping up to date with the global threat landscape. Choose the **Ask** prompt if you want Copilot to summarize the latest threat articles about threat actors that target the communications infrastructure so you can gather information on their latest TTPs or campaigns, and promptly assess and apply mitigation or prevention strategies.

-### See also

-

-description: 'Learn how to manage projects using Microsoft Defender Threat Intelligence (MDTI).'

-# Using projects

-The Microsoft Defender Threat Intelligence (Defender TI) platform allows users to develop private personal or team project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, collaborators, and monitoring profiles.

-When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can select the Projects blade within the Intelligence section and navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. Alternatively, users can view their private team projects by selecting the Projects icon on the left-hand menu pane.

-Visiting a project's details shows a listing of all associated artifacts and a detailed history that retains all the context described above. Users within the same organization no longer need to spend time communicating back and forth. Threat actor profiles can be built within Defender TI and serve as a "living" set of indicators. As new information is discovered or found, it can be added to that project.

-The Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation.

-The owner of a project can add collaborators (users listed in their Azure tenant with a Defender TI Premium license). This grants the collaborator(s)ΓÇÖ permissions to make any changes to the project as if they were the owner of the project. The exception being that collaborators cannot delete projects. Collaborators will view projects that have been shared with them in the Shared Projects section of the Projects Home Page.

-Users can also download artifacts within a project by selecting the download icon. This is a great way for threat hunting teams to use their findings from an investigation to block indicators of compromise or build additional detection rules within their SIEM.

-**Questions Projects May Help Answer:**

- - If so, what other related indicators of compromise has this team member captured and what description as well as tags did they include to describe the type of investigation?

- 

-## Prerequisites

- > [!NOTE]

- > Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.

-## Open Defender TIΓÇÖs Threat Intelligence Home Page

-1. Access the [Defender Threat Intelligence Portal](https://ti.defender.microsoft.com/).

-2. Complete Microsoft authentication to access portal.

-## Creating a Project

-Users can create a project in two different ways, through the Projects Home Page or while investigating results.

-When logging into the Defender TI Projects Home Page, users are presented with a dashboard showing projects they own or that have been shared with other Defender TI users in their tenant. Directly from this view, users can decide to create a new project, simply by selecting the "+" icon or visit the project page using the left-hand drawer menu.

-1. To create a project from the Project Home Page, navigate to the ΓÇÿProjectsΓÇÖ icon and select the ΓÇÿAdd New ProjectΓÇÖ icon within the Projects Home Page.

- 

- When conducting searches within Defender TI, users can select ΓÇÿAdd to ProjectΓÇÖ to add the artifact (indicator of compromise) to an existing project or create a new project to add the artifact to.

-2. To create a project through an investigation, perform an indicator search from the Threat Intelligence search bar and click on the ΓÇÿAdd to ProjectΓÇÖ icon.

-3. If creating a new project, select the ΓÇÿAdd New ProjectΓÇÖ link, fill in the required fields and ΓÇÿSaveΓÇÖ your new project. If you already have an existing project you would like to add the artifact to, please select or scroll down and select the project you want.

- 

-## Managing Projects

-Once a user has created projects, they can manage them inside of the Projects portion of the platform. The initial Project Home page highlights all the projects the user can see and provides filtering methods based on project properties. The Project Home page defaults to the Team projects associated with Defender TI users in their tenant. They have the option to select any personal projects they have created as well as projects that have been shared with them to contribute to.

-

-1. Users can view the details of a project simply by clicking on the project name.

-2. Depending on the level of access, users can then make changes to the project directly by clicking the edit button in the top right corner.

-3. Users may also delete a project if they are the owner of the project. They can also choose to manually add artifacts using the "Add Artifacts" button in the top right corner.

-## Best Practices

-When it comes to using Defender TI to investigate potential threats, we recommend executing the following workflows as these steps will enable you to gather strategic and operational intelligence before diving into tactical intelligence.

-Users can perform various types of searches within Defender TI. As such, itΓÇÖs important to approach your intelligence gathering method in a way that presents you with broad results before diving into investigating specific indicators. For example, if you search an IP address against the Defender TI Home Page, what articles have an association with that IP address? What information do these articles present about the IP address that you wouldnΓÇÖt otherwise find navigating directly to the IP addressΓÇÖ Data tab for dataset enrichment. For example, has this IP address been identified as a possible C2, who is the threat actor, what other related indicators of compromise is listed in the article, what TTPs is the threat actor using and who are they targeting?

-In addition to performing various types of searches with Defender TI, users can collaborate on investigations together. That said, users are encouraged to create projects, add indicators related to an investigation to a project and add collaborators to a project if more than one person is working on the same investigation. This helps reduce time spent analyzing the same IOCs and should result in a quicker workflow observed.

-

-Description: 'In this how-to article, learn about the tag types and how to add, modify, delete and search custom tags in Microsoft Defender Threat Intelligence (Defender TI).'

-# Using tags

-Microsoft Defender Threat Intelligence (Defender TI) tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.

-The Defender TI platform offers two types of tags: system and custom tags.

-

-## Prerequisites

- > [!NOTE]

- > Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.

-## System tags

-These tags are automatically generated by the platform for users to guide their analysis and require no input or effort on the user's part.

-System tags can include:

-

-## Custom tags

-Custom Tags inside of Defender TI to bring context to indicators of compromise (IOCs) and make analysis even simpler by identifying those domains that are known bad from public reporting or that have been categorized by your company's analysts. These tags are created manually by users based on their own investigations. These tags enable users to share key insights about an artifact with other Defender TI Premium license users within their tenant.

-

-## Adding, Modifying, and Removing Tags

-Users have the ability to add their custom own tags to the tag cluster by entering them into the tag bar. These tags are viewable to the individual user and the user's team members if their organization is a Defender TI customer. Tags entered into the system are private and not shared with the larger community.

-Just as users can add tags, they can also modify or remove them. Once a tag is added by a user, it can be modified or removed by that same user or by another paid licensed user within their Enterprise organization. This allows for easy collaboration amongst the Security team.

-1. Access the [Defender Threat Intelligence Portal](https://ti.defender.microsoft.com/) .

-2. Complete Microsoft authentication to access portal.

-3. Search an indicator in the Threat Intelligence search bar that you would like to add tag(s) for.

- 

-4. Select the ΓÇÿEdit TagsΓÇÖ drop-down in the upper left-hand corner of the Defender TI portal.

- 

-5. Add any tags you would like to associate with this indicator.

- > [!Note]

- > Press the Tab key to add a new indicator.

- 

-6. Once all your tags have been added, save your changes by selecting the Save button.

- 

-7. To edit tags, repeat step 3. Remove any tags by selecting the ΓÇÿXΓÇÖ at the end of the tag name or add new tags as you did in step 4.

-8. Save your changes.

- 

-## Viewing and Searching Tags

-Users can view tags that were added by themselves or others within their tenant after searching an IP, domain, or host artifact.

-

-1. Access the [Defender Threat Intelligence Portal](https://ti.defender.microsoft.com/).

-2. Complete Microsoft authentication to access portal.

-3. Users can search against custom tags via Defender TIΓÇÖs Threat Intelligence Search by selecting the Tag search type in the Threat Intelligence search bar drop-down and searching against the tag value to identify all other indicators that share that same tag value.

- 

-Common Tag Use Case Workflow

-LetΓÇÖs say a triage analyst investigates an incident and finds that it is related to phishing. That analyst can add ΓÇ£phishΓÇ¥ as a tag to the indicators of compromise related to that incident. Later, the incident response and threat hunting team can further analyze these indicators of compromise and work with their cyber threat intelligence counterparts to identify which actor group was responsible for their phishing incident. They can then add another ΓÇ£[actor name]ΓÇ¥ tag to those indicators of compromise or what infrastructure was used that connected them to other related indicators of compromise, such as a ΓÇ£[SHA-1 hash]ΓÇ¥ custom tag.

-## Next steps

-For more information, see:

-

-description: 'In this overview article, learn about the main features that come with Microsoft Defender Threat Intelligence (Defender TI).'

-# What is Microsoft Defender Threat Intelligence (Defender TI)?

-Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. Analysts spend a significant amount of time on data discovery, collection, and parsing, instead of focusing on what actually helps their organization defend themselves--deriving insights about the actors through analysis and correlation.

-Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and donΓÇÖt always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure.

-Interacting with these data sets can be cumbersome and pivoting between these repositories is time-consuming, draining the resources of security operations groups that constantly need to re-prioritize their response efforts.

-Cyber Threat Intelligence Analysts struggle with balancing a breadth of threat intelligence ingestion with the analysis of which threat intelligence poses the biggest threats to their organization and/or industry.

-In the same breadth, Vulnerability Intelligence Analysts battle correlating their asset inventory with CVE information to prioritize the investigation and remediation of the most critical vulnerabilities associated with their organization.

-MicrosoftΓÇÖs goal is to re-imagine the analyst workflow by developing a platform, Defender TI, that aggregates and enriches critical data sources and displays data in an innovative, easy to use interface to correlate when indicators are linked to articles and vulnerabilities, infrastructure chain together indicators of compromise (IOCs), and collaborate on investigations with fellow Defender TI licensed users within their tenant. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a Threat Analysis & Intelligence Platform that allows for accurate and timely assessments of alerting is important.

-Below is a screenshot of Defender TIΓÇÖs Threat Intelligence Home Page. Analysts can quickly scan new featured articles as well as begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, indicator, or CVE-ID search.

-

-## Defender TI articles

-Articles are narratives by Microsoft that provide insight into threat actors, tooling, attacks, and vulnerabilities. Defender TI featured and articles are not blog posts about threat intelligence; while they summarize different threats, they also link to actionable content and key indicators of compromise to help users take action. By including this technical information in the threat summaries, we enable users to continually track threat actors, tooling, attacks, and vulnerabilities as they change.

-## Featured articles

-The featured article section of the Defender TI Threat Intelligence Home Page (right below the search bar) shows you the featured Microsoft content:

-

-Clicking the article takes you to the underlying article content. The article synopsis gives the user a quick understanding of the article. The Indicators call-out shows how many Public and Defender TI indicators are associated with the article.

-

-## Articles

-All articles (including featured articles) are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by their creation date (descending):

-

-## Article descriptions

-The description section of the article detail screen contains information about the attack or attacker profiled. The content can range from very short (in the case of OSINT bulletins) or quite long (for long-form reporting ΓÇô especially when Microsoft has augmented the report with content). The longer descriptions may contain images, links to the underlying content, links to searches within Defender TI, attacker code snippets, and firewall rules to block the attack:

-

-## Public indicators

-The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources.

-

-## Defender TI indicators

-The Defender TI indicators section covers the indicators that Defender TIΓÇÖs research team has found and added to the articles.

-These links also pivot into the relevant Defender TI data or the corresponding external source.

-

-## Vulnerability articles

-Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.

-Vulnerability Articles provide key context behind CVEs of interest. Each article contains a description of the CVE, a list of affected components, tailored mitigation procedures and strategies, related intelligence articles, references in Deep & Dark Web chatter, and other key observations. These articles provide deeper context and actionable insights behind each CVE, enabling users to more quickly understand these vulnerabilities and quickly mitigate them.

-Vulnerability Articles also include a Defender TI Priority Score and severity indicator. The Defender TI Priority Score is a unique algorithm which reflects the priority of a CVE based on the CVSS score, exploits, chatter, and linkage to malware. Furthermore, the Defender TI Priority Score evaluates the recency of these components so users can understand which CVEs should be remediated first.

-## Reputation scoring

-Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities, such as First and Last Seen timestamps, ASN, country/region, associated infrastructure, and a list of rules that impact the reputation score when applicable.

-

-IP reputation data is important to understanding the trustworthiness of your own attack surface and is also useful when assessing unknown hosts, domains or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity, or other known indicators of compromise that should be considered.

-For more information, see [Reputation scoring](reputation-scoring.md).

-## Analyst insights

-Analyst insights distill MicrosoftΓÇÖs vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels.

-Insights are meant to be small facts or observations about a domain or IP address and provide Defender TI users with the ability to make an assessment about the indicator queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.

-For more information, see [Analyst insights](analyst-insights.md).

-

-## Data sets

-Microsoft centralizes numerous data sets into a single platform, Defender TI, making it easier for MicrosoftΓÇÖs community and customers to conduct infrastructure analysis. MicrosoftΓÇÖs primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.

-Microsoft collects, analyzes, and indexes Internet data via Passive DNS sensors, port scanning, URL and file detonation, and other sources to assist users in detecting threats, prioritizing incidents, and identifying infrastructure associated with threat actor groups. Users' URL searches may be used to automatically initiate detonations if there is no available detonation data for a URL at the time of the request. The data collected from such detonations is used to populate results for any future searches for that URL from the user who submitted the original search or any other users of the platform.

-Supported Internet datasets include Resolutions, WHOIS, SSL Certificates, Subdomains, DNS, Reverse DNS, and Detonation Analysis, as well as derived data sets collected from the Document Object Model (DOM) of detonated URLs, including Trackers, Components, Host Pairs, and Cookies. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific indicator type or time in history.

-For more information, see:

-

-## Tags

-Defender TI tags are used to provide quick insight about an indicator, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.

-The Defender TI platform offers two types of tags: system tags and custom tags.

-For more information, see [Using tags](using-tags.md).

-

-## Projects

-Microsoft Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated indicators and a detailed history that retains the names, descriptions, and collaborators.

-When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can see a link to the project from the Projects sections in the Summary tab as well as Data tab. From here, the user can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. This helps analysts to avoid reinventing the wheel of an investigation one of their Defender TI tenant users may have already started or add onto that investigation by adding new indicators (indicators of compromise) related to that project (if they have been added as a collaborator to the project).

-For more information, see [Using projects](using-projects.md).

-

-## Data residency, availability, and privacy

-Microsoft Defender Threat Intelligence contains both global data and customer-specific data. The underlying internet data is global Microsoft data; labels applied by customers are considered customer data. All customer data is stored in the region of the customerΓÇÖs choosing.

-For security purposes, Microsoft collects users' IP addresses when they log in. This data is stored for up to 30 days but may be stored longer if needed to investigate potential fraudulent or malicious use of the product.

-In the case of a region down scenario, customers should see no downtime as Defender TI uses technologies that replicate data to a backup regions.

-Defender TI processes customer data. By default, customer data is replicated to the paired region.

-## Next steps

-For more information, see:

-<!To set up pay-as-you-go billing, follow the steps in [Configure Microsoft Syntex for pay-as-you-go billing](../syntex-azure-billing.md).>

- :::image type="content" source="../security/defender-business/medib-hangon-provisioning.png" alt-text="Screenshot of the screen that indicates Defender for Business is provisioning.":::

-# Join or leave a multitenant organization in Microsoft 365 (Preview)

-> [!NOTE]

-> Multitenant organizations in Microsoft 365 is available in [targeted release](/microsoft-365/admin/manage/release-options-in-office-365).

-# Plan for multitenant organizations in Microsoft 365 (Preview)

-> Multitenant organizations in Microsoft 365 is available in [targeted release](/microsoft-365/admin/manage/release-options-in-office-365) in Microsoft 365 commercial cloud environments. Multitenant organizations is not available in Microsoft 365 GCC, GCC High, DoD, or Microsoft 365 China (operated by 21Vianet).

-When you configure user synchronization in the Microsoft 365 admin center, the same users and groups are synchronized to all tenants in the multitenant organization. Synchronizing different users to different tenants must be configured in Microsoft Entra ID.

-## Limitations for multitenant organizations in Microsoft 365 preview

-The following are limitations of the multitenant organizations in Microsoft 365 preview:

-If you want to add more than five tenants or 100,000 users per tenant, contact Microsoft support.

-# Set up a multitenant org in Microsoft 365 (Preview)

-> [!NOTE]

-> Multitenant organizations in Microsoft 365 is available in [targeted release](/microsoft-365/admin/manage/release-options-in-office-365).

-# Synchronize users in multitenant organizations in Microsoft 365 (Preview)

-> [!NOTE]

-> Multitenant organizations in Microsoft 365 is available in [targeted release](/microsoft-365/admin/manage/release-options-in-office-365).

-We recommend that you [set up security groups in Microsoft Entra ID](/azure/active-directory/fundamentals/how-to-manage-groups) and add the users that you want to synchronize. Note that users must be members of the security group - owners of the group aren't synchronized.

-If you want to synchronize different users to different tenants, then you must configure cross-tenant synchronization directly in Microsoft Entra ID.

-1. Select **Select users and groups to share**.

-1. Select **Edit shared users and groups**.

-<!-- Watch the following video to learn more about using the healthcare collection to enhance health team collaboration in Teams.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Hqan]-->

-[Overview of Delegated Access in Microsoft 365 Lighthouse](m365-lighthouse-delegated-access-overview.md) (article)

-description: Find out how to get Microsoft Defender for Business, endpoint protection for small and medium sized businesses.

-# Get Microsoft Defender for Business

-[Microsoft Defender for Business](mdb-overview.md) is an endpoint security solution designed especially for small and medium-sized businesses (up to 300 employees). This article describes how to get Defender for Business.

-Sections include:

-> [!IMPORTANT]

-> You should be a global administrator to complete the tasks described in this article. The person who signs your company up for Microsoft 365 is a global administrator. [Learn more about admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md).

-## How to get Microsoft Defender for Business

-To get Defender for Business, you can choose from several options:

-Use the following tabs to learn more about each option.

-## [Get Defender for Business (standalone)](#tab/getmdb)

-Defender for Business provides advanced security protection for your company's devices. For more information, see [What is Microsoft Defender for Business](mdb-overview.md)?

-1. Go to the [Microsoft Defender for Business](https://www.microsoft.com/security/business/threat-protection/microsoft-defender-business) web page, and select an option to try or buy Defender for Business. Fill in the requested information.

- If you're starting a trial, look for your acceptance email, which contains your promo code and a link to sign in. And be sure to see the [Trial user guide for Defender for Business](trial-playbook-defender-business.md).

-2. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and either sign in using your existing work or school account, or follow the prompts to create a new account.

-3. In the [Microsoft Defender portal](https://security.microsoft.com), in the navigation bar, go to **Assets** > **Devices**. This action initiates the provisioning of Defender for Business for your tenant. You know this process has started when you see a message like what's displayed in the following screenshot:

- :::image type="content" source="media/mdb-hangon-provisioning.png" alt-text="Screenshot of provisioning message in Defender for Business.":::

- It might take a few hours for your tenant to finish provisioning before you can onboard devices or complete the setup and configuration process.

-> [!NOTE]

-> If you have Microsoft 365 Business Premium and you haven't set it up yet, see [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/m365bp-overview.md). This guidance walks you through how to set up and configure all of your productivity and security capabilities, including Defender for Business.

-## [Get Microsoft 365 Business Premium](#tab/getpremium)

-Microsoft 365 Business Premium includes Defender for Business, Microsoft Defender for Office 365 Plan 1, and Microsoft 365 Apps (formerly referred to as Office apps). For more information, see [Productivity and security for small and medium-sized businesses](../../business-premium/why-choose-microsoft-365-business-premium.md).

-1. Visit the [Microsoft 365 Business Premium product page](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium?activetab=pivot%3aoverviewtab).

-2. Choose to try or buy your subscription. See [Try or buy a Microsoft 365 for business subscription](../../commerce/try-or-buy-microsoft-365.md). On the [Microsoft 365 Products site](https://www.aka.ms/office365signup), choose **Microsoft 365 Business Premium**.

-3. After you've signed up for Microsoft 365 Business Premium, you'll receive an email with a link to sign in and get started. Proceed to [Set up Microsoft 365 Business Premium](../../business-premium/m365-business-premium-setup.md).

-4. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), where you view and manage security settings and devices for your organization. In the navigation bar, go to **Assets** > **Devices**. This action initiates the provisioning of Defender for Business for your tenant.

-5. Follow the guidance in [Boost your security protection](../../business-premium/m365bp-security-overview.md) to set up your security capabilities.

-> [!IMPORTANT]

-> Make sure to complete all the steps described in [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/m365bp-overview.md).

-## [Work with a Microsoft partner](#tab/findpartner)

-Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium and Microsoft Defender for Business. If you'd prefer to work with a Microsoft partner, you can follow these steps to find a solution provider in your area:

-1. Go to the [Browse Partners](https://appsource.microsoft.com/marketplace/partner-dir).

-2. In the **Filters** pane, specify search criteria, such as:

- - Your location

- - Your organization's size

- - **Focus areas**, such as **Security** and/or **Threat Protection**

- - **Services**, such as **Licensing** or **Managed Services (MSP)**

- As soon as you select one or more criteria, the list of partners updates.

-3. Review the list of results. Select a provider to learn more about their expertise and the services they provide.

-## How to get Microsoft Defender for Business servers

-Microsoft Defender for Business servers is an add-on to Defender for Business that enables you to secure your server operating systems with the same protection that you get for client devices in Defender for Business.

-1. Go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)), and sign in.

-2. In the navigation pane, choose **Billing** > **Purchase services**.

-3. In the list of results, select the **Details** box for **Microsoft Defender for Business servers**.

-4. Review the information, and complete the purchase process. You need one Microsoft Defender for Business servers license for each instance of Windows Server or Linux, and you don't assign that license to users or devices.

-> [!IMPORTANT]

-> - In order to add on Microsoft Defender for Business servers, you'll need at least one paid license for [Defender for Business](mdb-overview.md) (standalone) or [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md).

-> - There's a limit of 60 Microsoft Defender for Business servers licenses per subscription to Microsoft 365 Business Premium or Defender for Business.

-> - If preferred, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) instead to onboard your servers. To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?

-

-## Portals you use for setup and management

-When you use Defender for Business, you work with two main portals:

-If your subscription also includes Microsoft Intune, you use the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) as well. The following table summarizes these portals and how you use them.

-|Portal |Description |

-|||

-| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time. You can also use the Microsoft 365 admin center to: <br/>- Add or remove users.<br/>- Assign user licenses.<br/>- View your products and services.<br/>- Complete setup tasks for your Microsoft 365 subscription.<br/><br/>To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |

-| The Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft Defender portal to set up and configure Defender for Business, and to monitor your devices and threat detections. You use the Microsoft Defender portal to: <br/>- View your devices and device protection policies.<br/>- View detected threats and take action.<br/>- View security recommendations and manage your security settings.<br/><br/>To learn more, see [Get started using the Microsoft Defender portal](mdb-get-started.md). |

-| The Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)) | Use the Intune admin center to set up multifactor authentication (MFA), onboard iOS and Android devices, and configure certain capabilities, such as [attack surface reduction rules](mdb-asr.md).<br/><br/>To learn more about Intune, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune). |

-## Next step

-description: Add users and assign Defender for Business licenses to protect their devices

-# Add users and assign licenses in Microsoft Defender for Business

-As soon as you have signed up for Defender for Business, your first step is to add users and assign licenses. This article describes how to add users and assign licenses, and how to make sure multifactor authentication (MFA) is enabled.

-## Add users and assign licenses

-> [!IMPORTANT]

-> You must be a global administrator to perform this task. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default.

-1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://admin.microsoft.com) and sign in.

-2. Go to **Users** > **Active users**, and then select **Add a user**.

-3. In the **Set up the basics** pane, fill in the basic user information, and then select **Next**.

- - **Name**: Fill in the first and last name, display name, and username.

- - **Domain** Choose the domain for the user's account. For example, if the user's username is `Pat`, and the domain is `contoso.com`, they'll sign in by using `pat@contoso.com`.

- - **Password settings**: Choose whether to use the autogenerated password or to create your own strong password for the user. The user must change their password after 90 days. Or you can choose the option to **Require this user to change their password when they first sign in**. You can also choose whether you want to send the user's password in email when the user is added.

-4. On the **Assign product licenses** page, select Defender for Business (or Microsoft 365 Business Premium). Then choose **Next**.

- If you don't have any licenses available, you can still add a user and buy additional licenses. For more information about adding users, see [Add users and assign licenses at the same time](../../admin/add-users/add-users.md).

-5. On the **Optional settings** page, you can expand **Profile info** and fill in details, such as the user's job title, department, location, and so forth. Then choose **Next**.

-6. On the **Review and finish** page, review the details, and then select **Finish adding** to add the user. If you need to make any changes, choose **Back** to go back to a previous page.

-## Make sure MFA is enabled

-One good way to make sure MFA is enabled for all users is by using [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). If your tenant was created on or after October 22, 2019, security defaults might be enabled automatically in your tenant. Use the following procedure to confirm or enable security defaults.

-> [!IMPORTANT]

-> You must be a security administrator, Conditional Access administrator, or Global Administrator to perform this task.

-1. Go to the Azure portal ([https://portal.azure.com/](https://portal.azure.com/)) and sign in.

-2. Under **Manage Microsoft Entra ID**, select **View**.

- :::image type="content" source="medib-manage-azuread.png":::

-3. In the navigation pane, select **Properties**, and then select **Manage security defaults**.

- :::image type="content" source="medib-azuread-properties.png":::

-4. On the right side of the screen, in the **Security defaults** pane, see whether security defaults are turned on (**Enabled**) or off (**Disabled**). To turn security defaults on, use the drop-down menu to select **Enabled**.

- > [!CAUTION]

- > If your organization is using Conditional Access policies, you won't be able to enable security defaults. You'll see a message that indicates you're using classic policies instead. You can use *either* security defaults *or* Conditional Access, but not both. For most organizations, security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use Conditional Access policies instead. To learn more, see the following articles:

- > - [Multi-factor authentication](../../business-premium/m365bp-turn-on-mfa.md) (in the Microsoft 365 Business Premium documentation)

- > - [Security defaults in Microsoft Entra ID](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)

-5. Save your changes.

-## Next steps

-description: Get an overview of attack surface reduction capabilities, including attack surface reduction rules, in Microsoft Defender for Business

-# Enable your attack surface reduction rules in Microsoft Defender for Business

-Your attack surfaces are all the places and ways that your organization's network and devices are vulnerable to cyberthreats and attacks. Unsecured devices, unrestricted access to any URL on a company device, and allowing any type of app or script to run on company devices are all examples of attack surfaces. They leave your company vulnerable to cyberattacks.

-To help protect your network and devices, Microsoft Defender for Business includes several attack surface reduction capabilities, including attack surface reduction rules. This article describes how to set up your attack surface reduction rules and describes attack surface reduction capabilities.

-> [!NOTE]

-> Intune is not included in the standalone version of Defender for Business, but it can be added on.

-## Standard protection ASR rules

-There are lots of attack surface reduction rules available. You don't have to set them all up at once. And, you can set up some rules in audit mode just to see how they work for your organization, and change them to work in block mode later. That said, we recommend enabling the following standard protection rules as soon as possible:

-These rules help protect your network and devices but shouldn't cause disruption for users. Use Intune to set up your attack surface reduction rules.

-## Set up ASR rules using Intune

-1. As a global administrator, in the Microsoft Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)), go to **Endpoint security** > **Attack surface reduction**.

-2. Choose **Create policy** to create a new policy.

- - For **Platform**, choose **Windows 10, Windows 11, and Windows Server**.

- - For Profile, select **Attack Surface Reduction Rules**, and then choose **Create**.

-3. Set up your policy as follows:

- 1. Specify a name and description, and then choose **Next**.

-

- 2. For at least the following three rules, set each one to **Block**:

- - **Block credential stealing from the Windows local security authority subsystem**

- - **Block persistence through WMI event subscription**

- - **Block abuse of exploited vulnerable signed drivers**

- Then choose **Next**.

- 3. On the **Scope tags** step, choose **Next**.

- 4. On the **Assignments** step, choose the users or devices to receive the rules, and then choose **Next**. (We recommend selecting **Add all devices**.)

- 5. On the **Review + create** step, review the information, and then choose **Create**.

-> [!TIP]

-> If you prefer, you can set up your attack surface reduction rules in audit mode at first to see detections before files or processes are actually blocked. For more detailed information about attack surface reduction rules, see [Attack surface reduction rules deployment overview](../defender-endpoint/attack-surface-reduction-rules-deployment.md).

-## View your attack surface reduction report

-Defender for Business includes an attack surface reduction report that shows how attack surface reduction rules are working for you.

-1. As a global administrator, in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Reports**.

-2. Under **Endpoints**, choose **Attack surface reduction rules**. The report opens and includes three tabs:

- - **Detections**, where you can view detections that occurred as a result of attack surface reduction rules

- - **Configuration**, where you can view data for standard protection rules or other attack surface reduction rules

- - **Add exclusions**, where you can add items to be excluded from attack surface reduction rules (use exclusions sparingly; every exclusion reduces your level of security protection)

-To learn more about attack surface reduction rules, see the following articles:

-## Attack surface reduction capabilities in Defender for Business

-Attack surface reduction rules are available in Defender for Business. The following table summarizes attack surface reduction capabilities in Defender for Business. Notice how other capabilities, such as next-generation protection and web content filtering, work together with your attack surface reduction capabilities.

-| Capability | How to set it up |

-|:|:|

-| **Attack surface reduction rules** <br/> Prevent specific actions that are commonly associated with malicious activity to run on Windows devices. | [Enable your standard protection attack surface reduction rules](#standard-protection-asr-rules) (section in this article). |

-| **Controlled folder access** <br/>Controlled folder access allows only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. | [Set up controlled folder access policy in Microsoft Defender for Business](mdb-controlled-folder-access.md). |

-| **Network protection** <br/>Network protection prevents people from accessing dangerous domains through applications on their Windows and Mac devices. Network protection is also a key component of [Web content filtering in Microsoft Defender for Business](mdb-web-content-filtering.md). | Network protection is already enabled by default when devices are onboarded to Defender for Business and [next-generation protection policies in Defender for Business](mdb-next-generation-protection.md) are applied. Your default policies are configured to use recommended security settings. |

-| **Web protection** <br/>Web protection integrates with web browsers and works with network protection to protect against web threats and unwanted content. Web protection includes web content filtering and web threat reports. | [Set up Web content filtering in Microsoft Defender for Business](mdb-web-content-filtering.md). |

-| **Firewall protection** <br/>Firewall protection determines what network traffic is permitted to flow to or from your organization's devices. | Firewall protection is already enabled by default when devices are onboarded to Defender for Business and [firewall policies in Defender for Business](mdb-firewall.md) are applied. |

-## Next steps

-description: Learn about automatic attack disruption in Microsoft Defender for Business

-# Automatic attack disruption in Microsoft Defender for Business

-A human-operated attack is an active attack by cybercriminals who infiltrate an organization, elevate their privileges, navigate the network, and deploy ransomware or steal information. These types of attacks can be catastrophic to business operations, tend to be difficult to address, and sometimes continue to threaten business operations after the initial encounter. For more information, see [Human-operated ransomware attacks](/security/ransomware/human-operated-ransomware#human-operated-ransomware-attacks).

-To help protect against human-operated or other advanced attacks, Microsoft Defender XDR added [automatic attack disruption](../defender/automatic-attack-disruption.md) in November 2022 for enterprise customers. Now, these capabilities are coming to Defender for Business! This article describes how automatic attack disruption works, how to view details about an attack, and how to get these capabilities.

-## How automatic attack disruption works

-Automatic attack disruption is designed to:

-Automatic attack disruption uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. It limits a threat actor's progress early on and dramatically reduces the overall impact of an attack, from associated costs to loss of productivity. See some examples at the [Microsoft Security Blog](https://aka.ms/ContainUserSecBlog).

-With automatic attack disruption, as soon as a human-operated attack is detected on a device, steps are taken immediately to contain the affected device and user accounts on the device. An incident is created in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). There, your IT/security team can view details about the risk and containment status of compromised assets during and after the process. An **Incident** page provides details about the attack and up-to-date status of affected assets.

-Automated response actions include:

-> [!IMPORTANT]

-> - To view information about a detected advanced attack, you must have the Security Reader, Security Administrator, or Global Administrator role assigned.

-> - To take remediation actions, release a contained device/user, or re-enable a user account, you must have either the Security Administrator or Global Administrator role assigned.

-> - See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).

-<a name='view-details-about-an-attack-in-the-microsoft-365-defender-portal'></a>

-## View details about an attack in the Microsoft Defender portal

-1. In the Microsoft Defender portal, go to **Incidents**.

-2. Select an incident that is tagged with *Attack Disruption*.

-3. Review the incident graph, which enables you to get the entire attack story and assess the attack disruption impact and status.

-4. When you're ready to release a contained device or user account, or re-enable a user account, take one of the following steps:

- - To release a contained device, select the device, and then choose **Release from containment**.

- - To release a contained user, select the user account, and then, in the side pane, select **Undo**.

-Disrupted incidents include a tag for `Attack Disruption` and the specific threat type identified (such as ransomware). If your IT/security team receives [incident email notifications](mdb-email-notifications.md), these tags also appear in the emails.

-When an incident is disrupted, highlighted text appears below the incident title. Contained devices or user accounts are listed with a label that indicates their status.

-## Track attack disruption actions in the Action center

-The [Action center](mdb-review-remediation-actions.md) brings together all remediation and response actions, whether those actions were taken automatically or manually. You can view all automatic attack disruption actions in the Action center. And, after your IT/security team has mitigated the risk and completed the investigation of an incident, they can release contained assets.

-1. In the Microsoft Defender portal, go to **Actions & submissions** > **Action center**.

-2. Select the **History** tab.

-3. Select an action, such as **Contain user** or **Contain device**, and then choose **Undo**.

-For more information, see [Review remediation actions in the Action center](mdb-review-remediation-actions.md).

-## How to get automatic attack disruption

-Automatic attack disruption is built into Defender for Business; you don't have to explicitly turn on these capabilities. It's important to [onboard all your organization's devices](mdb-onboard-devices.md) (computers, phones, and tablets) to Defender for Business so that they're protected as soon as possible.

-Additionally, sign up to receive [preview features](mdb-preview.md) so that you get the latest and greatest capabilities as soon as they're available.

-description: View and edit security policies and settings in Defender for Business

-# Set up, review, and edit your security policies and settings in Microsoft Defender for Business

-This article walks you through how to review, create, or edit your security policies, and how to navigate advanced settings in Defender for Business.

-## Default policies

-When you're setting up (or maintaining) Defender for Business, an important part of the process includes reviewing your default policies, such as:

-## Additional policies

-In addition to your default security policies, you can add other policies, such as:

-## Advanced features and settings

-You can view and edit settings for advanced features, such as:

-## Choose where to manage security policies and devices

-Before you begin setting up your security policies, you'll need to choose which portal you want to use. You can choose to use either the Microsoft Defender portal or the Microsoft Intune admin center to onboard devices and create or edit security policies. The following table explains both options.

-| Option | Description |

-|:|:|

-| **Microsoft Defender portal** | The Microsoft Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) is a one-stop shop for managing your company's devices, security policies, and security settings in Defender for Business. With a simplified configuration process, you can use the Microsoft Defender portal to onboard devices, access your security policies and settings, use the [Microsoft Defender Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) in one place. <br/><br/>Note that currently, controlled folder access and attack surface reduction rules are set up and configured in the Microsoft Intune admin center. |

-| **Microsoft Intune admin center** | The Microsoft Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)) lets you manage your workforce's devices and apps, including how they access your company data. You can onboard devices and access your security policies and settings in Intune. You can also use Intune to set up and configure attack surface reduction rules in Defender for Business. Intune is not included in the standalone version of Defender for Business, but it can be added on. <br/><br/>If your company has been using Intune, you can choose to continue using it to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) |

-If you're using Intune, and you attempt to view or edit security policies in the Microsoft Defender portal by going to **Configuration management** > **Device configuration**, you'll be prompted to choose whether to continue using Intune, or switch to using the Microsoft Defender portal instead, as shown in the following screenshot:

-In the preceding image, **Use Defender for Business configuration instead** refers to using the Microsoft Defender portal, which provides a simplified configuration experience designed for small and medium-sized businesses. If you opt to use the Microsoft Defender portal, you must delete any existing security policies in Intune to avoid policy conflicts. For more details, see [I need to resolve a policy conflict](/microsoft-365/security/defender-business/mdb-troubleshooting#i-need-to-resolve-a-policy-conflict).

-> [!NOTE]

-> If you're managing your security policies in the Microsoft Defender portal, you can view those policies in the Intune admin center, where they're listed as **Antivirus** or **Firewall** policies. When you view your firewall policies in the Intune admin center, you'll see two policies listed: one policy for firewall protection and another for custom rules.

->

-> You can export your list of policies through the [Microsoft Intune admin center](https://intune.microsoft.com/).

-## Next steps

-1. [Review or edit your next-generation protection policies](mdb-next-generation-protection.md) to apply antivirus/antimalware protection, and enable network protection.

-2. [Review or edit your firewall policies](mdb-firewall.md).

-3. [Set up your web content filtering policy](mdb-web-content-filtering.md) and enable web protection automatically.

-4. [Set up your controlled folder access policy](mdb-controlled-folder-access.md) for ransomware protection.

-5. [Enable your attack surface reduction rules](mdb-asr.md).

-6. [Review settings for advanced features and the Microsoft Defender portal](mdb-portal-advanced-feature-settings.md).

-description: Get an overview of attack surface reduction capabilities in Microsoft Defender for Business

-# Set up or edit your controlled folder access policy in Microsoft Defender for Business

-Controlled folder access allows only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. You can set up or edit your controlled folder access policy using Microsoft Intune.

-## Set up controlled folder access

-1. As a global administrator, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Attack surface reduction**.

-2. Select an existing policy, or choose **Create policy** to create a new policy.

- - For **Platform**, choose **Windows 10 and later**.

- - For Profile, select **Attack Surface Reduction Rules**, and then choose **Create**.

-3. Set up your policy as follows:

- 1. Specify a name and description, and then choose **Next**.

-

- 2. Scroll down, and set **Enable Controlled Folder Access** to **Enabled**. Then choose **Next**.

- 3. On the **Scope tags** step, choose **Next**.

- 4. On the **Assignments** step, choose the users or devices to receive the rules, and then choose **Next**. (We recommend selecting **Add all devices**.)

- 5. On the **Review + create** step, review the information, and then choose **Create**.

-To learn more about controlled folder access, see [Protect important folders with controlled folder access](../defender-endpoint/controlled-folders.md).

-## Next steps

-description: Security policies are applied to devices through device groups in Defender for Business.

-# Device groups in Microsoft Defender for Business

-In Defender for Business, policies are applied to devices through certain collections that are called device groups.

-**This article describes**:

-## What is a device group?

-A device group is a collection of devices that are grouped together because of certain specified criteria, such as operating system version. Devices that meet the criteria are included in that device group, unless you exclude them. In Defender for Business, policies are applied to devices by using device groups.

-Defender for Business includes default device groups that you can use. The default device groups include all the devices that are onboarded to Defender for Business. For example, there's a default device group for Windows devices. Whenever you onboard Windows devices, they're added to the default device group automatically.

-You can also create new device groups to assign policies with specific settings to certain devices. For example, you might have a firewall policy assigned to one set of Windows devices, and a different firewall policy assigned to another set of Windows devices. You can define specific device groups to use with your policies.

-> [!NOTE]

-> As you create policies in Defender for Business, an order of priority is assigned. If you apply multiple policies to a given set of devices, those devices will receive the first applied policy only. For more information, see [Understand policy order in Defender for Business](mdb-policy-order.md).

-All device groups, including your default device groups and any custom device groups that you define, are stored in [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) (Microsoft Entra ID).

-## Create a new device group

-Currently, in Defender for Business, you can create a new device group while you are in the process of creating or editing a policy, as described in the following procedure:

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, choose **Configuration management** and select **Device configuration**.

-3. Take one of the following actions:

- 1. Select an existing policy, and then choose **Edit**.

- 2. Choose **+ Add** to create a new policy.

- > [!TIP]

- > To get help creating or editing a policy, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md).

-4. On the **General information** step, review the information, edit if necessary, and then choose **Next**.

-5. Choose **+ Create new group**.

-6. Specify a name and description for the device group, and then choose **Next**.

-7. Select the devices to include in the group, and then choose **Create group**.

-8. On the **Device groups** step, review the list of device groups for the policy. If needed, remove a group from the list. Then choose **Next**.

-9. On the **Configuration settings** page, review and edit settings as needed, and then choose **Next**. For more information about these settings, see [Configuration settings](mdb-next-generation-protection.md).

-10. On the **Review your policy** step, review all the settings, make any needed edits, and then choose **Create policy** or **Update policy**.

-## View an existing device group

-Currently, in Defender for Business, you can view your existing device groups while you are in the process of creating or editing a policy, as described in the following procedure:

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, choose **Device configuration**.

-3. Take one of the following actions:

- 1. Select an existing policy, and then choose **Edit**.

- 2. Choose **+ Add** to create a new policy.

- > [!TIP]

- > To get help creating or editing a policy, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md).

-4. On the **General information** step, review the information, edit if necessary, and then choose **Next**.

-5. Choose **Use existing group**. A flyout opens and displays device groups. If you don't have any device groups yet, you'll be prompted to create a new device group.

-## What does the Add All Devices option do?

-When you are creating or editing a policy, you might see the **Add all devices** option.

-If you select this option, all devices that are enrolled in Microsoft Intune will receive the policy that you are creating or editing by default.

-## Next steps

-Choose one or more of the following tasks:

-description: Set up email notifications to tell your security team about alerts and vulnerabilities in Defender for Business.

-# Set up email notifications

-This article describes how to set up email notifications for your security team.

-When you can set up email notifications for your security team, they can be notified via email whenever any alerts are generated, or new vulnerabilities are discovered.

-## What to do

-1. [Learn about types of email notifications](#types-of-email-notifications).

-2. [View and edit email notification settings](#view-and-edit-email-notifications).

-3. [Proceed to your next steps](#next-steps).

-## Types of email notifications

-When you set up email notifications, you can choose from two types, as described in the following table:

-| Notification type | Description |

-|||

-| Vulnerabilities | Whenever any new exploits or vulnerability events are detected, recipients receive an email. |

-| Alerts & vulnerabilities | When alerts are generated because threats are detected on devices, or when any new exploits or vulnerability events are detected, recipients receive an email. |

-> [!TIP]

-> **Email notifications are not the only way your security team can find out about new alerts or vulnerabilities**.

->

-> Email notifications are a convenient way to help keep your security team informed, in real time. But there are others! For example, whenever your security team signs into the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), they'll see cards highlighting new threats, alerts, and vulnerabilities. Defender for Business is designed to highlight important information that your security team cares about as soon as they sign in.

->

-> Your security team can also choose **Incidents** in the navigation pane to view information. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).

-## View and edit email notifications

-To view or edit email notification settings for your company, follow these steps:

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, select **Settings**, and then select **Endpoints**. Then, under **General**, select **Email notifications**.

-3. Review the information on the **Alerts** and **Vulnerabilities** tabs.

- - If you don't see any items listed on the **Alerts** tab, you can create a rule for people to be notified when alerts are generated. To get help with this task, see [Create rules for alert notifications](../defender-endpoint/configure-email-notifications.md).

- - If you don't see any items listed on the **Vulnerabilities** tab, you can create a rule for people to be notified whenever a new vulnerability is discovered. To get help with this task, see [Create rules for vulnerability events](../defender-endpoint/configure-vulnerability-email-notifications.md).

- - If you do have rules created, select a rule to edit it. You can also delete a rule.

-> [!IMPORTANT]

-> When you set up email notifications in Defender for Business, you must assign the notification rules to specific users. Defender for Business doesn't use [role-based access control like Defender for Endpoint does](../defender-endpoint/rbac.md). Also, email notifications cannot be applied to device groups in Defender for Business.

-## Next steps

-Proceed to:

-description: Learn about Windows Defender Firewall settings in Defender for Business. Firewall can help prevent unwanted network traffic from flowing to your company devices.

-# Firewall in Microsoft Defender for Business

-Defender for Business includes firewall capabilities through [Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). Firewall protection helps secure devices by establishing rules that determine what network traffic is permitted to flow to and from devices.

-You can use firewall protection to specify whether to allow or to block connections on devices in various locations. For example, your firewall settings can allow inbound connections on devices that are connected to your company's internal network but prevent connections when the device is on a network with untrusted devices.

-**This article describes**:

-## View or edit your firewall policies and custom rules

-Depending on whether you're using the Microsoft Defender portal or Intune to manage your firewall protection, use one of the following procedures.

-| Portal | Procedure |

-|:|:|

-| Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.<br/>2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.<br/>3. Select an operating system tab (such as **Windows clients**).<br/>4. Expand **Firewall** to view your list of policies.<br/>5. Select a policy to view the details. <br/><br/>To make changes or to learn more about policy settings, see the following articles:<br/>- [View or edit device policies](mdb-view-edit-policies.md)<br/>- [Firewall settings](mdb-firewall.md)<br/>- [Manage your custom rules for firewall policies](mdb-firewall.md) |

-| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |1. Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.<br/>2. Select **Endpoint security**.<br/>3. Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies. <br/><br/>For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).|

-## Manage your custom rules for firewall policies in Microsoft Defender for Business

-You can use custom rules to define exceptions for your firewall policies. That is, you can use custom rules to block or allow specific connections.

-### Create a custom rule for a firewall policy

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. Go to **Endpoints** > **Device configuration**, and review the list of policies.

-3. In the **Firewall** section, select an existing policy, or add a new policy.

-4. On the **Configuration settings** step, review the settings. Make any needed changes to **Domain network**, **Public network**, and **Private network**.

-5. To create a custom rule, follow these steps:

- 1. Under **Custom rules**, choose **+ Add rule**. (You can have up to 150 custom rules.)

- 2. On the **Create new rule** flyout, specify a name and description for the rule.

- 3. Select a profile. (Your options include **Domain network**, **Public network**, or **Private network**.)

- 4. In the **Remote address type** list, select either **IP** or **Application file path**.

- 5. In the **Value** box, specify an appropriate value. Depending on what you selected in step 6d, you might specify an IP address, an IP address range, or an application file path. (See [Firewall settings](mdb-firewall.md).)

- 6. On the **Create new rule** flyout, select **Create rule**.

-6. On the **Configuration settings** screen, choose **Next**.

-7. On the **Review your policy** screen, review the changes that were made to firewall policy settings. Make any needed changes, and then choose **Create policy**.

-### Edit a custom rule for a firewall policy

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. Go to **Endpoints** > **Device configuration**, and review the list of policies.

-3. In the **Firewall** section, select an existing policy, or add a new policy.

-4. Under **Custom rules**, review the list of rules.

-5. Select a rule, and then choose **Edit**. Its flyout opens.

-6. To edit your custom rule, follow these steps:

- 1. On the **Edit rule** flyout, review and edit the rule's name and description.

- 2. Review and if necessary, edit the rule's profile. (Your options include **Domain network**, **Public network**, or **Private network**.)

- 3. In the **Remote address type** list, select either **IP** or **Application file path**.

- 4. In the **Value** box, specify an appropriate value. Depending on what you selected in step 6c, you might specify an IP address, an IP address range, or an application file path. (See [Firewall settings](mdb-firewall.md).)

- 5. Set **Enable rule** to **On** to make the rule active. Or, to disable the rule, set the switch to **Off**.

- 6. On the **Edit rule** flyout, select **Update rule**.

-7. On the **Configuration settings** screen, choose **Next**.

-8. On the **Review your policy** screen, review the changes that were made to firewall policy settings. Make any needed changes, and then choose **Create policy**.

-### Delete a custom rule

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. Go to **Endpoints** > **Device configuration**, and review the list of policies.

-3. In the **Firewall** section, select an existing policy, or add a new policy.

-4. Under **Custom rules**, review the list of rules.

-5. Select a rule, and then choose **Delete**. Its flyout opens.

-6. On the confirmation screen, choose **Delete**.

-## Default firewall settings in Defender for Business

-Defender for Business includes default firewall policies and settings to help protect your company's devices from day one. As soon as your company's devices are onboarded to Defender for Business, your default firewall policy works as follows:

-In Defender for Business, you can define exceptions to block or allow incoming connections. You define these exceptions by creating [custom rules](#manage-your-custom-rules-for-firewall-policies-in-microsoft-defender-for-business).

-## Firewall settings you can configure in Defender for Business

-Defender for Business includes firewall protection through Windows Defender Firewall. The following table lists settings that can be configured in Defender for Business.

-| Setting | Description |

-|--|--|

-| **Domain network** | The domain network profile applies to your company's network. Firewall settings for your domain network apply to inbound connections that are initiated on other devices on the same network. By default, incoming connections is set to **Block all**. |

-| **Public network** | The public network profile applies to networks that you can use in a public location, such as a coffee shop or airport. Firewall settings for public networks apply to inbound connections that are initiated on other devices on the same network. Because a public network can include devices that you don't know or don't trust, incoming connections is set to **Block all** by default. |

-| **Private network** | The private network profile applies to networks in a private location, such as your home. Firewall settings for private networks apply to inbound connections that are initiated on other devices on the same network. In general, on a private network, it's assumed that all other devices on the same network are trusted devices. However, by default, incoming connections is set to **Block all**. |

-| **Custom rules** | [Custom rules](mdb-firewall.md) let you block or allow specific connections. For example, suppose that you want to block all incoming connections on devices that are connected to a private network except for connections through a specific app on a device. In this case, you'd set **Private network** to block all incoming connections, and then add a custom rule to define the exception. <p>You can use custom rules to define exceptions for specific files or apps, an Internet protocol (IP) address, or a range of IP addresses. Depending on the type of custom rule you're creating, here are some examples of values you could use: <br/>- Application file path: `C:\Windows\System\Notepad.exe or %WINDIR%\Notepad.exe` <br/>- IP: A valid IPv4/IPv6 address, such as `192.168.11.0` or `192.168.1.0/24` <br/>- IP: A valid IPv4/IPv6 address range, formatted like `192.168.1.0-192.168.1.9` (with no spaces included) |

-## Next steps

-description: Your security center in Defender for Business is the Microsoft Defender portal. Learn how to navigate the portal, and see your next steps.

-# Visit the Microsoft Defender portal

-The Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is your one-stop shop for using and managing Microsoft Defender for Business. It includes callouts to help you get started, cards that surface relevant information, and a navigation bar to give you easy access to various features and capabilities.

-## The navigation bar

-Use the navigation bar on the left side of the screen to access your incidents, view reports, and manage your security policies. The following table describes items you'll see in your navigation bar.

-| Item | Description |

-|:|:|

-| **Home** | Takes you to your home page in the Microsoft Defender portal. The home page highlights any active threats that are detected, along with recommendations to help secure your company's data and devices. Recommendations are included in Defender for Business to save your security team time and effort. The recommendations are based on industry best practices. To learn more, see [Security recommendations - Microsoft Defender Vulnerability Management](../defender-endpoint/tvm-security-recommendation.md). |

-| **Incidents & alerts** > **Incidents** | Takes you to your list of recent incidents. As alerts are triggered, incidents are created. An incident can include multiple alerts. Make sure to review your incidents regularly. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).|

-| **Actions & submissions** > **Action center** | Takes you to your list of response actions, including completed and pending actions.<br/>- Select the **Pending** tab to view actions that require approval to proceed.<br/>- Select the **History** tab to see the actions that were taken. Some actions are taken automatically; others are taken manually or complete after they're approved.<br/><br/>To learn more, see [Review remediation actions in the Action center](mdb-review-remediation-actions.md). |

-| **Actions & submissions** > **Submissions** | Takes you to the unified submissions portal, where you can submit files to Microsoft for analysis. To learn more, see [Submit files in Microsoft Defender for Endpoint](../defender-endpoint/admin-submissions-mde.md) (the process is similar for Defender for Business). |

-| **Secure score** | Provides a representation of your company's security position and offers suggestions to improve it. To learn more, see [Microsoft Secure Score for Devices](../defender-endpoint/tvm-microsoft-secure-score-devices.md). |

-| **Learning hub** | Provides access to security training and other resources through learning paths that are included with your subscription. You can filter by product, skill level, role, and more. The Learning hub can help your security team ramp up on security features and capabilities in Defender for Business and more Microsoft offerings, such as [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](../office-365-security/defender-for-office-365.md). |

-| **Trials** | Try additional security and compliance capabilities by adding on a trial subscription. If you do not see **Trials** in your navigation bar, and you want to add on another trial, you can take one of the following steps: <br/>- Visit the [Small Business Solutions page](https://www.microsoft.com/en-us/store/b/business?icid=CNavBusinessStore), and choose **Questions? Talk to an expert** to get some help adding on a trial subscription. <br/>- Go to the [Microsoft 365 admin center](https://admin.microsoft.com/?auth_upn=admin%40M365B614031.onmicrosoft.com&source=applauncher#/catalog), and choose **Billing** > **Purchase services**. If you need help, choose **Help & support**. |

-| **Partner catalog** | Lists Microsoft partners who provide technical and professional services. |

-| **Assets** > **Devices** | Enables you to view devices, such as computers and mobile devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). |

-| **Endpoints** > **Vulnerability management** | Enables you to access your [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md) capabilities. Provides a dashboard, recommendations, remediation activities, a software inventory, and a list of potential weaknesses within your company. |

-| **Endpoints** > **Tutorials** | Provides access to walkthroughs and simulations to help you learn more about how your threat protection features work. Select the **Read the walkthrough** link before attempting to get the simulation file for each tutorial. Some simulations require Office apps, such as Microsoft Word, to read the walkthrough. |

-| **Endpoints** > **Configuration management** > **Device configuration** | Lists your security policies by operating system and by type. To learn more about your security policies, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md). |

-| **Endpoints** > **Configuration management** > **Device management reporting** | Lists devices that are onboarded to Defender for Business, along with their operating system version, sensor health state, and when they were last updated. |

-| **Email & collaboration** > **Policies & rules** | If your subscription includes Exchange Online Protection or Microsoft Defender for Office 365, this section is where you'll manage your security policies and settings for email and collaboration services. [Learn more about Office 365 security](/microsoft-365/security/office-365-security/defender-for-office-365). *The standalone version of Defender for Business does not include email & collaboration policies, but Microsoft 365 Business Premium does include Exchange Online Protection and Defender for Office 365 Plan 1*. |

-| **Cloud apps** > **App governance** | If your subscription includes [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps), you can add on [app governance](/defender-cloud-apps/app-governance-manage-app-governance), and this section is where you'll view and access those capabilities. *Defender for Business and Microsoft 365 Business Premium do not include Defender for Cloud Apps*. |

-| **Reports** | Lists available security reports. These reports enable you to see your security trends, view details about threat detections and alerts, and learn more about your company's vulnerable devices. |

-| **Health** | Enables you to view your service health status and plan for upcoming changes. <br/>- Select **Service health** to view the health status of the Microsoft 365 services that are included in your company's subscription.<br/>- Select **Message center** to learn about planned changes and what to expect. |

-| **Permissions** | Enables you to assign permissions to the people in your company who manage your security and to view incidents and reports in the Microsoft Defender portal. Also enables you to set up and manage device groups to onboard your company's devices and assign threat protection policies. |

-| **Settings** | Enables you to edit settings for the Microsoft Defender portal and Defender for Business. For example, you can onboard (or offboard) your company's devices (also referred to as endpoints). You can also define rules, such as alert-suppression rules, and set up indicators to block or allow certain files or processes. |

-| **More resources** | Navigate to other portals, such as Microsoft Entra ID. But keep in mind that the Microsoft Defender portal should meet your needs without requiring you to navigate to other portals. |

-| **Customize your navigation pane** | Select this option to hide or display options in your navigation bar. |

-## Next steps

-description: See how Microsoft Defender for Business integrates with Microsoft 365 Lighthouse, a security solution for Microsoft partners.

-# Microsoft 365 Lighthouse and Microsoft Defender for Business

-## Microsoft Defender for Business integrates with Microsoft 365 Lighthouse

-If you're a Microsoft Cloud Solution Provider (CSP) or Managed Service Provider (MSP), you can use [Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md) to manage security for your customers. Microsoft Defender for Business and Defender for Endpoint integrate with Microsoft 365 Lighthouse, an admin portal that CSPs and MSPs can use to secure and manage their customers' data and devices.

- You can use the Microsoft 365 Lighthouse portal ([https://lighthouse.microsoft.com](https://lighthouse.microsoft.com)) to:

-## Learn more about Microsoft 365 Lighthouse

-Microsoft 365 Lighthouse enables Microsoft CSPs and MSPs to secure and manage devices, data, and users at scale.

-To learn more, see:

-## See also

-[Microsoft Defender for Business and managed service provider resources](mdb-partners.md) (provides information about RMM and PSA integration for MSPs)

-description: Learn how to add, remove, and manage devices in Defender for Business, endpoint protection for small and medium sized businesses.

-# Manage devices in Microsoft Defender for Business

-In Defender for Business, you can manage devices as follows:

-## View the list of onboarded devices

-> [!IMPORTANT]

-> In order to view the list of onboarded devices, you must have one of the following [roles](mdb-roles-permissions.md) assigned:

->

-> - Global Administrator

-> - Security Administrator

-> - Security Reader

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, go to **Assets** > **Devices**.

-3. Select a device to open its flyout panel, where you can learn more about its status and take action.

- If you don't have any devices listed yet, [Onboard devices to Defender for Business](mdb-onboard-devices.md)

-## Take action on a device that has threat detections

-> [!IMPORTANT]

-> In order to take action on a device with detected threats, you must have one of the following [roles](mdb-roles-permissions.md) assigned:

->

-> - Global Administrator

-> - Security Administrator

-1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.

-2. Select a device to open its flyout panel, and review the information that is displayed.

-3. Select the ellipsis (**...**) to open the actions menu.

-4. Select an action, such as **Run antivirus scan** or **Initiate Automated Investigation**.

-## View the state of Microsoft Defender Antivirus

-Microsoft Defender Antivirus is a key component of next-generation protection in Defender for Business. When devices are onboarded to Defender for Business, Microsoft Defender Antivirus can have one of the following states:

-To view the state of Microsoft Defender Antivirus, you can choose from several options, such as:

-The following table describes each state and what it means.

-| Microsoft Defender Antivirus state | What it means |

-|:|:|

-| **Active mode** <br/>(*recommended*) | Microsoft Defender Antivirus is used as the antivirus app on the machine. Files are scanned, threats are remediated, and detection information is reported in the Microsoft Defender portal and in the Windows Security app on a device running Windows.<br/><br/>We recommend running Microsoft Defender Antivirus in active mode so that devices onboarded to Defender for Business will get all of the following types of protection: <br/>- **Real-time protection**, which locates and stops malware from running on devices. <br/> - **Cloud protection**, which works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected.<br/> - **Network protection**, which helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet.<br/> - **Web content filtering**, which regulates access to websites based on content categories (such as adult content, high bandwidth, and legal liability) across all browsers.<br/> - **Protection from potentially unwanted applications**, such as advertising software, bundling software that offers to install other, unsigned software, and evasion software that attempts to evade security features. |

-| **Passive mode** | A non-Microsoft antivirus/antimalware product is installed on the device, and even though the device has been onboarded to Defender for Business, Microsoft Defender Antivirus can detect threats but doesn't remediate them. Devices with Microsoft Defender Antivirus can still receive security intelligence and platform updates. <br/><br/>You can switch Microsoft Defender Antivirus to active mode automatically by uninstalling the non-Microsoft antivirus/antimalware product. |

-| **Disabled mode** | A non-Microsoft antivirus/antimalware product is installed on the device, and the device hasn't been onboarded to Defender for Business. Whether Microsoft Defender Antivirus went into disabled mode automatically or was set manually, it's not currently running on the device. In this case, Microsoft Defender Antivirus neither detects nor remediates threats on the device.<br/><br/>You can switch Microsoft Defender Antivirus to active mode by uninstalling the non-Microsoft antivirus/antimalware solution and onboarding the device to Defender for Business. |

-## Onboard a device

-See [Onboard devices to Defender for Business](mdb-onboard-devices.md).

-## Offboard a device

-See [Offboarding a device](mdb-offboard-devices.md).

-## Next steps

-description: Learn about your options for managing your Defender for Business or Defender for Endpoint subscription settings. Choose between Defender for Endpoint or Defender for Business.

-# Change your endpoint security subscription

-[Microsoft Defender for Business](mdb-overview.md) and [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) are endpoint security subscriptions that your organization can use to protect devices, such as computers, tablets, and phones. As your organization grows, you might have a mix of subscriptions and licenses. For example, you might have some Defender for Business licenses, and some Defender for Endpoint licenses.

-This article describes how to apply either Defender for Business or Defender for Endpoint Plan 2 features and capabilities across all your organization's devices. (To learn more about mixed-licensing scenarios with Defender for Endpoint Plan 1 and Plan 2, see [Manage Microsoft Defender for Endpoint subscription settings across client devices](../defender-endpoint/defender-endpoint-subscription-settings.md).)

-## Before you begin

-

- - Global Admin

- - Security Admin

-## View and manage your endpoint security subscription settings

-1. As an admin, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. Go to **Settings** > **Endpoints** > **Licenses**. Your usage report opens and displays information about your organization's Defender for Business and Defender for Endpoint licenses.

-3. To change your subscription, under **Subscriptions applied to your devices**, select **Change subscription settings**.

- > [!NOTE]

- > If you don't see **Change subscription settings**, at least one of the following conditions is true:

- > - You have Defender for Business or Defender for Endpoint (but not both)

- > - You don't have enough Defender for Endpoint Plan 2 licenses for all users in your organization

- > - The ability to change your subscription settings hasn't rolled out to your organization yet

-4. On the **Subscription settings** flyout, choose whether to use only Defender for Business or Defender for Endpoint Plan 2 across your organization's devices.

- > [!IMPORTANT]

- > Keep the following important points in mind before you save your changes:

- >

- > - Make sure you have enough licenses for the subscription you're using for all users in your organization.

- > - If you select **Only Microsoft Defender for Endpoint Plan 2**, the simplified configuration experience for Defender for Business is replaced with advanced settings that you can configure in Defender for Endpoint. If this change is applied, you can't undo it.

- > - It can take up to three hours for your changes to be applied.

- > - Make sure to review your security policies and settings. To get help with Defender for Endpoint policies and settings, see [Configure Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md). To get help with Defender for Business policies and settings, see [Review and edit your security policies and settings in Defender for Business](mdb-configure-security-settings.md).

-## Review license usage

-The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are assigned to users, and each user can have up to five concurrent, onboarded devices. To learn more about license terms, see [Microsoft Licensing](https://www.microsoft.com/en-us/licensing/default).

-To reduce management overhead, there's no requirement for device-to-user mapping and assignment. Instead, the license report provides a utilization estimation that is calculated based on device usage seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices.

-> [!IMPORTANT]

-> To access license information, you must have one of the following roles assigned in Microsoft Entra ID:

-> - Security Admin

-> - Global Admin

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. Choose **Settings** > **Endpoints** > **Licenses**.

-3. Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Business (or Defender for Endpoint).

-## More information

-description: Get an overview of mobile threat defense in Defender for Business. Learn about what's included and how to onboard devices.

-# Mobile threat defense capabilities in Microsoft Defender for Business

-Microsoft Defender for Business provides advanced threat protection capabilities for devices, such as Windows and Mac clients. **Defender for Business capabilities now include mobile threat defense**! Mobile threat defense capabilities help protect Android and iOS devices, without requiring you to use Microsoft Intune to onboard mobile devices.

-In addition, mobile threat defense capabilities integrate with [Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md), where Cloud Solution Providers (CSPs) can view information about vulnerable devices and help mitigate detected threats.

-## What's included in mobile threat defense?

-The following table summarizes the capabilities that are included in mobile threat defense in Defender for Business:

-| Capability | Android | iOS |

-|:|:|:|

-| **Web Protection** <br/>Anti-phishing, blocking unsafe network connections, and support for custom indicators. <br/>Web protection is turned on by default with [web content filtering](mdb-web-content-filtering.md). | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |

-| **Malware protection** (Android-only) <br/>Scanning for malicious apps. | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | No |

-| **Jailbreak detection** (iOS-only) <br/>Detection of jailbroken devices. | No | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |

-| **Microsoft Defender Vulnerability Management**<br/>Vulnerability assessment of onboarded mobile devices. Includes vulnerability assessments for operating systems and apps for Android and iOS. <br/>See [Use your vulnerability management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md). | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | See note 1 (below) |

-| **Network Protection** <br/>Protection against rogue Wi-Fi related threats and rogue certificates. <br/>Network protection is turned on by default with [next-generation protection](mdb-next-generation-protection.md). <br/>As part of mobile threat defense, network protection also includes the ability to allow root certification authority and private root certification authority certificates in Intune. It also establishes trust with endpoints. | See note 2 (below) | See note 2 (below) |

-| **Unified alerting** <br/>Alerts from all platforms are listed in the unified Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, choose **Incidents**). <br/>See [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md) | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |

-| **Conditional Access** and **conditional launch** <br/>[Conditional Access](/mem/intune/protect/conditional-access) and [conditional launch](/mem/intune/apps/app-protection-policies-access-actions) block risky devices from accessing corporate resources.<br/>- Conditional Access policies require certain criteria to be met before a user can access company data on their mobile device. <br/>- Conditional launch policies enable your security team to block access or wipe devices that don't meet certain criteria.<br/>Defender for Business risk signals can also be added to app protection policies. | Requires Intune <br/>(see note 3 below) | Requires Intune <br/>(see note 3 below) |

-| **Privacy controls** <br/>Configure privacy in threat reports by controlling the data sent by Defender for Business. Privacy controls are available for admin and end users, and for both enrolled and unenrolled devices. | Requires Intune (see note 3 below) | Requires Intune (see note 3 below) |

-| **Integration with Microsoft Tunnel** <br/>Integration with [Microsoft Tunnel](/mem/intune/protect/microsoft-tunnel-overview), a VPN gateway solution for Intune. | Requires Intune VPN Tunnel <br/>(see note 4 below) | Requires Intune VPN Tunnel <br/>(see note 4 below) |

-> [!NOTE]

-> 1. Intune is required for software/app vulnerabilities to be reported. Operating system vulnerabilities are included by default.

->

-> 2. Intune is required to configure or manage an allow list of root certification authority and private root certification authority certificates.

->

-> 3. Intune is included in [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md). Intune can be added on to Defender for Business.

->

-> 4. See [Prerequisites for the Microsoft Tunnel in Intune](/mem/intune/protect/microsoft-tunnel-prerequisites).

->

-## How to get mobile threat defense capabilities

-Mobile threat defense capabilities are now generally available to [Defender for Business](get-defender-business.md) customers. Here's how to get these capabilities for your organization:

-1. Make sure that Defender for Business has finished provisioning. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.

- - If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," it means that Defender for Business hasn't finished provisioning. This process is happening now, and can take up to 24 hours to complete.

- - If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.

-2. Review, and if necessary, edit your [next-generation protection policies](mdb-next-generation-protection.md).

-3. Review, and if necessary, edit your [firewall policies and custom rules](mdb-firewall.md).

-4. Review, and if necessary, edit your [web content filtering](mdb-web-content-filtering.md) policy.

-5. To onboard mobile devices, see the "Use the Microsoft Defender app" procedures in [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

-## See also

-description: Learn how to view and edit your next-generation protection policies in Defender for Business. These policies pertain to antivirus and anti-malware protection.

-# Review or edit your next-generation protection policies in Microsoft Defender for Business

-In Defender for Business, next-generation protection includes robust antivirus and antimalware protection for computers and mobile devices. Default policies with recommended settings are included in Defender for Business. The default policies are designed to protect your devices and users without hindering productivity. However, you can customize your policies to suit your business needs.

-You can choose from several options for managing your next-generation protection policies:

-<a name='microsoft-365-defender-portal'></a>

-## [**Microsoft Defender portal**](#tab/M365D)

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, go to **Configuration management** > **Device configuration**. Policies are organized by operating system and policy type.

-3. Select an operating system tab (such as **Windows**).

-4. Expand **Next-generation protection** to view your list of policies. At a minimum, a default policy using recommended settings is listed. This default policy is assigned to all onboarded devices running operating system you selected in the previous step (such as **Windows**). You can:

- - Keep your default policy as currently configured.

- - Edit your default policy to make any needed adjustments.

- - Create a new policy.

-5. Use one of the procedures in the following table:

- | Task | Procedure |

- |||

- | Edit your default policy | 1. In the **Next-generation protection** section, select your default policy, and then choose **Edit**.<br/><br/>2. On the **General information** step, review the information. If necessary, edit the description, and then select **Next**.<br/><br/>3. On the **Device groups** step, either use an existing group, or set up a new group. Then choose **Next**.<br/><br/>4. On the **Configuration settings** step, review and if necessary, edit your security settings, and then choose **Next**. For more information about the settings, see [Next-generation protection settings and options](#next-generation-protection-settings-and-options) (in this article).<br/><br/>5. On the **Review your policy** step, review your current settings. Select **Edit** to make any needed changes. Then select **Update policy**. |

- | Create a new policy | 1. In the **Next-generation protection** section, select **Add**.<br/><br/>2. On the **General information** step, specify a name and description for your policy. You can also keep or change a policy order (see [Understand policy order in Microsoft Defender for Business](mdb-policy-order.md)). Then select **Next**.<br/><br/>3. On the **Device groups** step, you can either use an existing group, or create up a new group (see [Device groups in Microsoft Defender for Business](mdb-create-edit-device-groups.md)). Then choose **Next**.<br/><br/>4. On the **Configuration settings** step, review and edit your security settings, and then choose **Next**. For more information about the settings, see [Next-generation protection settings and options](#next-generation-protection-settings-and-options) (in this article).<br/><br/>5. On the **Review your policy** step, review your current settings. Select **Edit** to make any needed changes. Then select **Create policy**. |

-## [**Intune admin center**](#tab/Intune)

-1. Go to the Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) and sign in.

-2. Select **Endpoint security**.

-3. Select **Antivirus** to view your policies in that category.

-4. Select an individual policy to edit it.

- For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).

-## Next-generation protection settings and options

-The following table lists settings and options for next-generation protection in Defender for Business.

-| Setting | Description |

-|:|:|

-| **Real-time protection** | |

-| **Turn on real-time protection** | Enabled by default, real-time protection locates and stops malware from running on devices. *We recommend keeping real-time protection turned on.* When real-time protection is turned on, it configures the following settings: <br/>- Behavior monitoring is turned on ([AllowBehaviorMonitoring](/windows/client-management/mdm/policy-csp-defender#defender-allowbehaviormonitoring)).<br/> - All downloaded files and attachments are scanned ([AllowIOAVProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowioavprotection)).<br/> - Scripts that are used in Microsoft browsers are scanned ([AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowscriptscanning)). |

-| **Block at first sight** | Enabled by default, block at first sight blocks malware within seconds of detection, increases the time (in seconds) allowed to submit sample files for analysis, and sets your detection level to High. *We recommend keeping block at first sight turned on.*<br/><br/>When block at first sight is turned on, it configures the following settings for Microsoft Defender Antivirus: <br/>- Blocking and scanning of suspicious files is set to the High blocking level ([CloudBlockLevel](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)).<br/> - The number of seconds for a file to be blocked and checked is set to 50 seconds ([CloudExtendedTimeout](/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout)). <br/>**Important** If block at first sight is turned off, it affects `CloudBlockLevel` and `CloudExtendedTimeout` for Microsoft Defender Antivirus. |

-| **Turn on network protection** | Enabled in Block mode by default, network protection helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. It also prevents users from turning network protection off.<br/><br/>Network protection can be set to the following modes: <br/>- **Block mode** is the default setting. It prevents users from visiting sites that are considered unsafe. *We recommend keeping network protection set to Block mode.*<br/> - **Audit mode** allows users to visit sites that might be unsafe and tracks network activity to/from such sites.<br/> - **Disabled mode** neither blocks users from visiting sites that might be unsafe nor tracks network activity to/from such sites. |

-| **Remediation** | |

-| **Action to take on potentially unwanted apps (PUA)** | Enabled by default, PUA protection blocks items that are detected as PUA. PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance. You can set PUA protection to the following modes: <br/>- **Enabled** is the default setting. It blocks items detected as PUA on devices. *We recommend keeping PUA protection enabled.*<br/> - **Audit mode** takes no action on items detected as PUA.<br/> - **Disabled** doesn't detect or take action on items that might be PUA. |

-| **Scan** | |

-| **Scheduled scan type** | Enabled in Quickscan mode by default, you can specify a day and time to run weekly antivirus scans. The following scan type options are available: <br/>- **Quickscan** checks locations, such as registry keys and startup folders, where malware could be registered to start along with a device. *We recommend using the quickscan option.* <br/> - **Fullscan** checks all files and folders on a device.<br/> - **Disabled** means no scheduled scans will take place. Users can still run scans on their own devices. (In general, we don't recommend disabling scheduled scans.) <br/> [Learn more about scan types](../defender-endpoint/schedule-antivirus-scans.md). |

-| **Day of week to run a scheduled scan** | Select a day for your regular, weekly antivirus scans to run. |

-| **Time of day to run a scheduled scan** | Select a time to run your regularly scheduled antivirus scans to run. |

-| **Use low performance** | This setting is turned off by default. *We recommend keeping this setting turned off.* However, you can turn on this setting to limit the device memory and resources that are used during scheduled scans. **Important** If you turn on **Use low performance**, it configures the following settings for Microsoft Defender Antivirus: <br/>- Archive files aren't scanned ([AllowArchiveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowarchivescanning)).<br/> - Scans are assigned a low CPU priority ([EnableLowCPUPriority](/windows/client-management/mdm/policy-csp-defender#defender-enablelowcpupriority)).<br/> - If a full antivirus scan is missed, no catch-up scan will run ([DisableCatchupFullScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan)).<br/> - If a quick antivirus scan is missed, no catch-up scan will run ([DisableCatchupQuickScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan)).<br/> - Reduces the average CPU load factor during an antivirus scan from 50 percent to 20 percent ([AvgCPULoadFactor](/windows/client-management/mdm/policy-csp-defender#defender-avgcpuloadfactor)). |

-| **User experience** | |

-| **Allow users to access the Windows Security app** | Turn on this setting to enable users to open the Windows Security app on their devices. Users won't be able to override settings that you configure in Defender for Business, but they'll be able to run a quick scan or view any detected threats. |

-| **Antivirus exclusions** | Exclusions are processes, files, or folders that are skipped by Microsoft Defender Antivirus scans. *In general, you shouldn't need to define exclusions.* Microsoft Defender Antivirus includes many automatic exclusions that are based on known operating system behavior and typical management files. Every exclusion reduces your level of protection, so it's important to consider carefully what exclusions to define. Before you add any exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](../defender-endpoint/defender-endpoint-antivirus-exclusions.md). |

-| **Process exclusions** | Process exclusions prevent files that are opened by specific processes from being scanned by Microsoft Defender Antivirus. When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files that are opened by that process, no matter where the files are located. The process itself is scanned unless it is added to the file exclusion list. See [Configure exclusions for files opened by processes](../defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). |

-| **File extension exclusions** | File extension exclusions prevent files with specific extensions from being scanned by Microsoft Defender Antivirus. See [Configure and validate exclusions based on file extension and folder location](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |

-| **File and folder exclusions** | File and folder exclusions prevent files that are in specific folders from being scanned by Microsoft Defender Antivirus. See [Contextual file and folder exclusions](../defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md). |

-## Other preconfigured settings in Defender for Business

-The following security settings are preconfigured in Defender for Business:

-## How default settings in Defender for Business correspond to settings in Microsoft Intune

-The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Intune. If you're using the [simplified configuration process in Defender for Business](mdb-setup-configuration.md), you don't need to edit these settings.

-| Setting | Description |

-|||

-| [Cloud protection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Sometimes referred to as cloud-delivered protection or Microsoft Advanced Protection Service (MAPS), cloud protection works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected. By default, [AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) is turned on. [Learn more about cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md). |

-| [Monitoring for incoming and outgoing files](/windows/client-management/mdm/policy-csp-defender#defender-realtimescandirection) | To monitor incoming and outgoing files, [RealTimeScanDirection](/windows/client-management/mdm/policy-csp-defender#defender-realtimescandirection) is set to monitor all files. |

-| [Scan network files](/windows/client-management/mdm/policy-csp-defender#defender-allowscanningnetworkfiles) | By default, [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-csp-defender#defender-allowscanningnetworkfiles) isn't enabled, and network files aren't scanned. |

-| [Scan email messages](/windows/client-management/mdm/policy-csp-defender#defender-allowemailscanning) | By default, [AllowEmailScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowemailscanning) isn't enabled, and email messages aren't scanned. |

-| [Number of days (0-90) to keep quarantined malware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) | By default, the [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) setting is set to zero (0) days. Artifacts that are in quarantine aren't removed automatically. |

-| [Submit samples consent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | By default, [SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) is set to send safe samples automatically. Examples of safe samples include `.bat`, `.scr`, `.dll`, and `.exe` files that don't contain personally identifiable information (PII). If a file does contain PII, the user receives a request to allow the sample submission to proceed. [Learn more about cloud protection and sample submission](../defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md). |

-| [Scan removable drives](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) | By default, [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) is configured to scan removable drives, such as USB thumb drives on devices. [Learn more about antimalware policy settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#list-of-antimalware-policy-settings). |

-| [Run daily quick scan time](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) | By default, [ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) is set to 2:00 AM. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings). |

-| [Check for signature updates before running scan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) | By default, [CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) is configured to check for security intelligence updates prior to running antivirus/antimalware scans. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/microsoft-defender-antivirus-updates.md#security-intelligence-updates). |

-| [How often (0-24 hours) to check for security intelligence updates](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) | By default, [SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) is configured to check for security intelligence updates every four hours. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/microsoft-defender-antivirus-updates.md#security-intelligence-updates). |

-## Next steps

-description: Learn about how to remove or offboard a device from Microsoft Defender for Business.

-# Offboard a device from Microsoft Defender for Business

-As devices are replaced or retired, or your business needs change, you can offboard devices from Defender for Business. Offboarding a device causes the device to stop sending data to Defender for Business. However, data received prior to offboarding is retained for up to six (6) months.

-> [!IMPORTANT]

-> The procedures in this article describe how to remove a device from monitoring by Defender for Business. If you're using Microsoft Intune to manage devices, and you prefer to remove the device from Intune, see [Remove devices by using wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe).

-## What to do

-1. Select a tab:

- - **Windows 10 or 11**

- - **Mac**

- - **Servers** (Windows Server or Linux Server)

- - **Mobile** (for iOS/iPadOS or Android devices)

-2. Follow the guidance on the selected tab.

-3. Proceed to your next steps.

-## [**Windows 10 or 11**](#tab/Windows1011)

-## Windows 10 or 11

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, choose **Settings**, and then choose **Endpoints**.

-3. Under **Device management**, choose **Offboarding**.

-4. Select an operating system, such as **Windows 10 and 11**, and then, under **Offboard a device**, in the **Deployment method** section, choose **Local script**.

-5. In the confirmation screen, review the information, and then choose **Download** to proceed.

-6. Select **Download offboarding package**. We recommend saving the offboarding package to a removable drive.

-7. Run the script on each device that you want to offboard.

-## [**Mac**](#tab/mac)

-## Mac

-1. Go to **Finder** > **Applications**.

-2. Right click on **Microsoft Defender for Business**, and then choose **Move to Trash**. <br/> or <br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.

-## [**Servers**](#tab/Servers)

-## Servers

-Choose the operating system for your server:

-### Windows Server

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Offboarding**.

-3. Select an operating system, such as **Windows Server 1803, 2019, and 2022**, and then in the **Deployment method** section, choose **Local script**.

-4. Select **Download package**. We recommend that you save the offboarding package to a removable drive. The zipped folder will be called `WindowsDefenderATPOffboardingPackage_valid_until_YYYY-MM-DD.zip` (where `YYYY-MM-DD` is the expiry date of the package).

-5. On your Windows Server device, extract the contents of the zipped folder to a location such as the Desktop folder.

-6. Open a command prompt as an administrator.

-7. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type `%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_2022-11-11.cmd` (where `YYYY-MM-DD` is the expiry date of the package), and then press Enter (or select **OK**).

-### Linux Server

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Offboarding**.

-3. Select **Linux Server** for the operating system, and then in the **Deployment method** section, choose **Local script**.

-4. Select **Download package**. We recommend that you save the offboarding package to a removable drive. The zipped folder will be called `WindowsDefenderATPOffboardingPackage_valid_until_YYYY-MM-DD.zip` (where `YYYY-MM-DD` is the expiry date of the package).

-5. On your Linux Server device, extract the contents of the zipped folder to a location such as the Desktop folder.

-6. Open a terminal, and navigate to the directory where the `MicrosoftDefenderATPOffboardingLinuxServer_valid_until_YYYY-MM-DD` file (where `YYYY-MM-DD` is the expiry date of the file) is located.

-7. Type `python MicrosoftDefenderATPOffboardingLinuxServer_valid_until_YYYY-MM-DD.py` in the terminal.

-> [!TIP]

-> For more information, see [Uninstall](../defender-endpoint/linux-resources.md) in the Microsoft Defender for Endpoint on Linux guidance.

-## [**Mobile devices**](#tab/mobiles)

-## Mobile devices

-You can use Microsoft Intune to manage mobile devices, such as iOS, iPadOS, and Android devices.

-See [Microsoft Intune device management](/mem/intune/remote-actions/device-management).

-## Next steps

-description: See how to get devices onboarded to Defender for Business to protect your devices from day one.

-# Onboard devices to Microsoft Defender for Business

-This article describes how to onboard devices to Defender for Business.

-Onboard your business devices to protect them right away. You can choose from several options to onboard your company's devices. This article walks you through your options and describes how onboarding works.

-## What to do

-1. Select a tab:

- - **Windows 10 and 11**

- - **Mac**

- - **Mobile** (new capabilities are available for iOS and Android devices!)

- - **Servers** (Windows Server or Linux Server)

-2. View your onboarding options, and follow the guidance on the selected tab.

-3. [View a list of onboarded devices](#view-a-list-of-onboarded-devices).

-4. [Run a phishing test on a device](#run-a-phishing-test-on-a-device).

-5. Proceed to your [next steps](#next-steps).

-## [**Windows 10 and 11**](#tab/Windows10and11)

-## Windows 10 and 11

-> [!NOTE]

-> Windows devices must be running one of the following operating systems:

-> - Windows 10 or 11 Business

-> - Windows 10 or 11 Professional

-> - Windows 10 or 11 Enterprise

->

-> For more information, see [Microsoft Defender for Business requirements](mdb-requirements.md).

->

-Choose one of the following options to onboard Windows client devices to Defender for Business:

-### Local script for Windows 10 and 11

-You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Microsoft Entra ID (if that trust doesn't already exist), enrolls the device in Microsoft Intune (if it isn't already enrolled), and then onboards the device to Defender for Business. If you're not currently using Intune, the local script method is the recommended onboarding method for Defender for Business customers.

-> [!TIP]

-> We recommend that you onboard up to 10 devices at a time when you use the local script method.

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.

-3. Select **Windows 10 and 11**, and then, in the **Deployment method** section, choose **Local script**.

-4. Select **Download onboarding package**. We recommend that you save the onboarding package to a removable drive.

-5. On a Windows device, extract the contents of the configuration package to a location, such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`.

-6. Open a command prompt as an administrator.

-7. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press the Enter key (or select **OK**).

-8. After the script runs, [Run a detection test](#run-a-detection-test-on-a-windows-10-or-11-device).

-### Group Policy for Windows 10 and 11

-If you prefer to use Group Policy to onboard Windows clients, follow the guidance in [Onboard Windows devices using Group Policy](../defender-endpoint/configure-endpoints-gp.md). This article describes the steps for onboarding to Microsoft Defender for Endpoint. The steps for onboarding to Defender for Business are similar.

-### Intune for Windows 10 and 11

-You can onboard Windows clients and other devices in Intune by using the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)). There are several methods available for enrolling devices in Intune. We recommend using one of the following methods:

-#### Enable automatic enrollment for Windows 10 and 11

-When you set up automatic enrollment, users add their work account to the device. In the background, the device registers and joins Microsoft Entra ID and is enrolled in Intune.

-1. Go to the Azure portal ([https://portal.azure.com/](https://portal.azure.com/)) and sign in.

-2. Select **Microsoft Entra ID** > **Mobility (MDM and MAM)** > **Microsoft Intune**.

-3. Configure the **MDM User scope** and the **MAM user scope**.

- :::image type="content" source="mediM user scope and MAM user scope in Intune.":::

- - For MDM User scope, we recommend that you select **All** so that all users can automatically enroll their Windows devices.

- - In the MAM user scope section, we recommend the following default values for the URLs:

- - **MDM Terms of use URL**

- - **MDM Discovery URL**

- - **MDM Compliance URL**

-4. Select **Save**.

-5. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

-> [!TIP]

-> To learn more, see [Enable Windows automatic enrollment](/mem/intune/enrollment/windows-enroll).

-#### Ask users to enroll their Windows 10 and 11 devices

-1. Watch the following video to see how enrollment works:<br/><br/>

- > [!VIDEO https://www.youtube.com/embed/TKQxEckBHiE?rel=0]

-2. Share this article with users in your organization: [Enroll Windows 10/11 devices in Intune](/mem/intune/user-help/enroll-windows-10-device).

-3. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

-### Run a detection test on a Windows 10 or 11 device

-After you've onboarded Windows devices to Defender for Business, you can run a detection test on the device to make sure that everything is working correctly.

-1. On the Windows device, create a folder: `C:\test-MDATP-test`.

-2. Open Command Prompt as an administrator.

-3. In the Command Prompt window, run the following PowerShell command:

- ```powershell

- powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

- ```

-After the command runs, the Command Prompt window closes automatically. If successful, the detection test is marked as completed, and a new alert appears in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device within about 10 minutes.

-## [**Mac**](#tab/mac)

-## Mac

-> [!NOTE]

-> We recommend that you use a [local script to onboard Mac](#local-script-for-mac). Although you can [set up enrollment for Mac using Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding Mac to Defender for Business.

-Choose one of the following options to onboard Mac:

-### Local script for Mac

-When you run the local script on Mac, it creates a trust with Microsoft Entra ID (if that trust doesn't already exist), enrolls the Mac in Microsoft Intune (if it isn't already enrolled), and then onboards the Mac to Defender for Business. We recommend that you onboard up to 10 devices at a time using this method.

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.

-3. Select **macOS**. In the **Deployment method** section, choose **Local script**.

-4. Select **Download onboarding package**, and save it to a removable drive. Also select **Download installation package**, and save it to your removable device.

-5. On Mac, save the installation package as `wdav.pkg` to a local directory.

-6. Save the onboarding package as `WindowsDefenderATPOnboardingPackage.zip` to the same directory you used for the installation package.

-7. Use Finder to navigate to `wdav.pkg` you saved, and then open it.

-8. Select **Continue**, agree with the license terms, and then enter your password when prompted.

-9. You're prompted to allow installation of a driver from Microsoft (either *System Extension Blocked* or *Installation is on hold*, or both). You must allow the driver installation. Select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.

-10. Use the following Bash command to run the onboarding package:

- ```bash

- /usr/bin/unzip WindowsDefenderATPOnboardingPackage.zip \

- && /bin/chmod +x MicrosoftDefenderATPOnboardingMacOs.sh \

- && /bin/bash -c MicrosoftDefenderATPOnboardingMacOs.sh

- ```

-After Mac is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

-### Intune for Mac

-If you already have Intune, you can enroll Mac computers by using the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)). There are several methods available for enrolling Mac in Intune. We recommend one of the following methods:

-#### Options for company-owned Mac

-Choose one of the following options to enroll company-managed Mac devices in Intune:

-| Option | Description |

-|||

-| Apple Automated Device Enrollment | Use this method to automate enrollment on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile "over the air," so you don't need to have physical access to devices. <br/><br/>See [Automatically enroll Mac with the Apple Business Manager or Apple School Manager](/mem/intune/enrollment/device-enrollment-program-enroll-macos). |

-| Device enrollment manager (DEM) | Use this method for large-scale deployments and when there are multiple people in your organization who can help with enrollment setup. Someone with device enrollment manager (DEM) permissions can enroll up to 1,000 devices with a single Microsoft Entra account. This method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account to enroll devices via Automated Device Enrollment.<br/><br/> See [Enroll devices in Intune by using a device enrollment manager account](/mem/intune/enrollment/device-enrollment-manager-enroll). |

-| Direct enrollment | Direct enrollment enrolls devices with no user affinity, so this method is best for devices that aren't associated with a single user. This method requires you to have physical access to the Macs you're enrolling. <br/><br/>See [Use Direct Enrollment for Mac](/mem/intune/enrollment/device-enrollment-direct-enroll-macos). |

-#### Ask users to enroll their own Mac in Intune

-If your business prefers to have people enroll their own devices in Intune, direct users to follow these steps:

-1. Go to the Company Portal website ([https://portal.manage.microsoft.com/](https://portal.manage.microsoft.com/)) and sign in.

-2. Follow the instructions on the Company Portal website to add their device.

-3. Install the Company Portal app at [https://aka.ms/EnrollMyMac](https://aka.ms/EnrollMyMac), and follow the instructions in the app.

-### Confirm that a Mac is onboarded

-1. To confirm that the device is associated with your company, use the following Python command in Bash:

- `mdatp health --field org_id`.

-2. If you're using macOS 10.15 (Catalina) or later, grant Defender for Business consent to protect your device. Go to **System Preferences** > **Security & Privacy** > **Privacy** > **Full Disk Access**. Select the lock icon at the bottom of the dialog to make changes, and then select **Microsoft Defender for Business** (or **Defender for Endpoint**, if that's what you see).

-3. To verify that the device is onboarded, use the following command in Bash:

- `mdatp health --field real_time_protection_enabled`

-After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

-## [**Mobile devices**](#tab/mobiles)

-## Mobile devices

-You can use the following methods to onboard mobile devices, such as Android and iOS devices:

-### Use the Microsoft Defender app

-[Mobile threat defense capabilities](mdb-mtd.md) are now generally available to Defender for Business customers. With these capabilities, you can now onboard mobile devices (such as Android and iOS) by using the Microsoft Defender app. With this method, users download the app from Google Play or the Apple App Store, sign in, and complete onboarding steps.

-> [!IMPORTANT]

-> Make sure that all of the following requirements are met before onboarding mobile devices:

-> 1. Defender for Business has finished provisioning. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.<br/>- If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," then Defender for Business hasn't finished provisioning. This process is happening now, and it can take up to 24 hours to complete. <br/>- If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.

-> 2. Users have downloaded the Microsoft Authenticator app on their device, and have registered their device using their work or school account for Microsoft 365.

-| Device | Procedure |

-|:|:|

-| Android | 1. On the device, go to the Google Play store.<br/><br/>2. If you haven't already done so, download and install the Microsoft Authenticator app. Sign in, and register your device in the Microsoft Authenticator app. <br/><br/>3. In the Google Play store, search for the Microsoft Defender app, and install it. <br/><br/>4. Open the Microsoft Defender app, sign in, and complete the onboarding process. |

-| iOS | 1. On the device, go to the Apple App Store. <br/><br/>2. If you haven't already done so, download and install the Microsoft Authenticator app. Sign in, and register your device in the Microsoft Authenticator app.<br/><br/>3. In the Apple App Store, search for the Microsoft Defender app.<br/><br/>4. Sign in and install the app. <br/><br/>5. Agree to the terms of use to continue. <br/><br/>6. Allow the Microsoft Defender app to set up a VPN connection and add VPN configurations. <br/><br/>7. Choose whether to allow notifications (such as alerts). |

-> [!TIP]

-> After you have onboarded mobile devices using the Microsoft Defender app, proceed to [run a phishing test on a device](#run-a-phishing-test-on-a-device).

-### Use Microsoft Intune

-If your subscription includes Microsoft Intune, you can use it to onboard mobile devices, such as Android and iOS/iPadOS devices. See the following resources to get help enrolling these devices into Intune:

-After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

-## [**Servers**](#tab/Servers)

-## Servers

-> [!NOTE]

-> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?

-Choose the operating system for your server:

-## Windows Server

-> [!IMPORTANT]

-> Make sure that you meet the following requirements before you onboard a Windows Server endpoint:

-> - You have a Microsoft Defender for Business servers license. (See [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).)

-> - The enforcement scope for Windows Server is turned on. Go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**.

-You can onboard an instance of Windows Server to Defender for Business by using a local script.

-### Local script for Windows Server

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.

-3. Select an operating system, such as **Windows Server 1803, 2019, and 2022**, and then in the **Deployment method** section, choose **Local script**.

- If you select **Windows Server 2012 R2 and 2016**, you have two packages to download and run: an installation package and an onboarding package. The installation package contains an MSI file that installs the Defender for Business agent. The onboarding package contains the script to onboard your Windows Server endpoint to Defender for Business.

-4. Select **Download onboarding package**. We recommend that you save the onboarding package to a removable drive.

- If you selected **Windows Server 2012 R2 and 2016**, also select **Download installation package**, and save the package to a removable drive

-5. On your Windows Server endpoint, extract the contents of the installation/onboarding package to a location such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`.

- If you're onboarding Windows Server 2012 R2 or Windows Server 2016, extract the installation package first.

-6. Open a command prompt as an administrator.

-7. If you're onboarding Windows Server 2012R2 or Windows Server 2016, run the following command:

- `Msiexec /i md4ws.msi /quiet`

- If you're onboarding Windows Server 1803, 2019, or 2022, skip this step, and go to step 8.

-8. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press Enter (or select **OK**).

-9. Go to [Run a detection test on Windows Server](#run-a-detection-test-on-windows-server).

-### Run a detection test on Windows Server

-After you onboard your Windows Server endpoint to Defender for Business, you can run a detection test to make sure that everything is working correctly:

-1. On the Windows Server device, create a folder: `C:\test-MDATP-test`.

-2. Open Command Prompt as an administrator.

-3. In the Command Prompt window, run the following PowerShell command:

- ```powershell

- powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

- ```

-After the command runs, the Command Prompt window will close automatically. If successful, the detection test is marked as completed, and a new alert appears in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device within about 10 minutes.

-## Linux Server

-> [!IMPORTANT]

-> Make sure that you meet the following requirements before you onboard a Linux Server endpoint:

-> - You have a Microsoft Defender for Business servers license. (See [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).)

-> - You meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites).

-### Onboard Linux Server endpoints

-You can use the following methods to onboard an instance of Linux Server to Defender for Business:

-> [!NOTE]

-> Onboarding an instance of Linux Server to Defender for Business is the same as onboarding to [Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md).

-## View a list of onboarded devices

-> [!IMPORTANT]

-> You must be assigned an appropriate role, such as Global Administrator, Security Administrator, or Security Reader to perform the following procedure. For more information, see [Roles in Defender for Business](mdb-roles-permissions.md#roles-in-defender-for-business).

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, go to **Assets** > **Devices**. The **Device inventory** view opens.

-## Run a phishing test on a device

-After you've onboarded a device, you can run a quick phishing test to make sure the device is connected and that alerts are generated as expected.

-1. On a device, go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net). Defender for Business should block that URL on the user's device.

-2. As a member of your organization's security team, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-3. In the navigation pane, go to **Incidents**. You should see an informational alert that indicates a device tried to access a phishing site.

-## Next steps

-description: Microsoft Defender for Business is a cybersecurity solution for small and medium sized businesses. Defender for Business protects against threats across your devices.

-# What is Microsoft Defender for Business?

-Defender for Business is an endpoint security solution that was designed especially for the small- and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats. Defender for Business is available as a standalone subscription and is included in [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md).

-This article describes what's included in Defender for Business and provides links to learn more about these features and capabilities.

-> [!TIP]

-> To learn more about Microsoft 365 Business Premium, see [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/m365bp-overview.md).

-## Video: Enterprise-grade protection for small- and medium-sized businesses

-Watch the following video to learn more about Defender for Business: <br/><br/>

-> [!VIDEO https://www.youtube.com/embed/umhUNzMqZto]

-## What's included with Defender for Business?

-Defender for Business includes a full range of device protection capabilities, as shown in the following diagram:

-With Defender for Business, you can help protect the devices and data your business uses with:

-## How does Defender for Business compare to Microsoft 365 Business Premium?

-Defender for Business provides advanced security protection for your devices, with next-generation protection, endpoint detection and response, and threat & vulnerability management. Microsoft 365 Business Premium includes Defender for Business and provides more cybersecurity and productivity capabilities.

-For more detailed information about what's included in each subscription, see the following resources:

-## Next steps

-description: Download our new security guide or integrate your remote monitoring and management (RMM) tools and professional service automation (PSA) software with Defender for Business, Microsoft 365 Business Premium, Defender for Endpoint, and Microsoft 365 Lighthouse.

-# Resources for Microsoft partners working with small and medium-sized businesses

-> [!TIP]

-> **Read all about exciting, new capabilities releasing in July 2023 in the [Tech Community blog: New SMB security innovations from Microsoft Inspire 2023](https://aka.ms/SMBSecurityJulyBlog)**.

-Small and medium-sized businesses recognize that security is important, but they often don't have the capacity or expertise to have a dedicated security operations team. These customers often need help with setup and configuration, managing security for their devices and network, and addressing alerts or detected threats. Microsoft partners can help!

-If you're a Microsoft partner, and you're working with customers who have or need [Microsoft Defender for Business](mdb-overview.md), [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md), [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md), or [Microsoft 365 E3](../../enterprise/microsoft-365-overview.md), this article is for you!

-## Download our security guide and checklist (NEW!)

-The [practical guide to security using Microsoft 365 Business (Basic, Standard, and Premium)](https://aka.ms/smbsecurityguide) guide is intended to start discussion around your customers' security and compliance options with Microsoft 365 for business. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities. This guide can help facilitate those discussions. You can also download a [summary checklist](https://aka.ms/smbsecuritychecklist) to use as a companion to the guide.

-Use this guidance to:

-Use the links in the following table to access the guide and summary checklist:

-| Resource | Description |

-|:|:|

-| [Practical guide to security using Microsoft 365 Business (Basic, Standard, and Premium)](https://aka.ms/smbsecurityguide) | This Word document summarizes Microsoft's recommendations for enabling employees at small and medium-sized businesses to securely work from anywhere- whether from home, in the office or on the go, using the features included in Microsoft 365 Business Premium. |

-| [Checklist for security with Microsoft 365 Business Premium](https://aka.ms/smbsecuritychecklist) | This checklist includes all the planning and configuration steps covered in the guide, from getting started to configuring security and compliance capabilities, and provides general recommendations for each step. |

-## Integrate Microsoft endpoint security with your RMM tools and PSA software

-If you're a Microsoft Managed Service Provider (MSP), you can integrate Microsoft endpoint security with your remote monitoring and management (RMM) tools and your professional service automation (PSA) software so that you can:

-Integration can be done by using the [Defender for Endpoint APIs](../defender-endpoint/management-apis.md). Use the following resources to learn more:

-| Resource | Description |

-|:|:|

-| [Overview of management and APIs](../defender-endpoint/management-apis.md) | Defender for Business is built on Microsoft Defender for Endpoint, and is an integration-ready platform. This article describes how to automate workflows and innovate using the Defender for Endpoint APIs. |

-| [Configure managed security service provider integration](../defender-endpoint/configure-mssp-support.md) | Provides an overview of steps to take to successfully integrate a customer's tenant with your MSP solution. |

-## Use Microsoft 365 Lighthouse to secure and manage your customers' devices and data

-If you're a Microsoft Cloud Solution Provider (CSP) or MSP, you can use Microsoft 365 Lighthouse to help your customers manage their security settings and capabilities, and protect their data and devices. You can use Microsoft 365 Lighthouse to:

-| Resource | Description |

-|:|:|

-| [Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md) | Provides an overview of Microsoft 365 Lighthouse, an admin portal that helps MSPs and CSPs secure and manage devices, data, and users for small and medium-sized businesses. |

-| [Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md) | Describes how Defender for Business integrates with Microsoft 365 Lighthouse and includes links to additional information. |

-## Learn more about Defender for Business and Microsoft 365 Business Premium

-| Resource | Description |

-|:|:|

-| [Microsoft Partner Network](https://partner.microsoft.com) | Visit the Microsoft Partner Network to learn how to become a Microsoft partner and join the Microsoft Partner Network. |

-| [Microsoft 365 Business Premium and Defender for Business partner webinar series](https://aka.ms/M365MDBseries) | This webinar series provides: <br/>- Practical guidance about how to have conversations with your customers about security and drive upsell to Microsoft 365 Business Premium. <br/>- Demos and deep dive walkthroughs for Microsoft 365 Lighthouse and Defender for Business. <br/>- A panel of experts to help answer your questions. |

-| [Microsoft 365 Business Premium partner playbook and readiness series](https://aka.ms/M365BPPartnerPlaybook) | Practical guidance on building a profitable managed services practice, with: <br/>- Examples of successful managed service offerings from industry experts and peers. <br/>- Technical enablement and checklists from Microsoft experts. <br/>- Sales enablement and customer conversation aids to help you market your solution. |

-| [Defender for Business partner kit](https://aka.ms/MDBPartnerKit) | The Defender for Business partner kit provides you with practical guidance, technical information, and customer-ready resources to market and sell Defender for Business to small and medium-sized businesses. |

-description: Learn about order of priority with cybersecurity policies to protect your company devices with Defender for Business.

-# Understand policy order in Microsoft Defender for Business

-Defender for Business includes [predefined policies](mdb-view-edit-create-policies.md#default-policies-in-defender-for-business) to help ensure the devices your employees use are protected. Your security team can [add new policies](mdb-view-edit-create-policies.md#create-a-new-policy) as well.

-For example, suppose that your security team wants to apply certain settings to some devices, and different settings to other devices. You can do that by adding policies, such as additional next-generation protection policies or firewall policies. As policies are added, policy order comes into play.

-## Policy order in Defender for Business

-When policies are added, an order of priority is assigned to all of the policies in the group, as shown in the following screenshot:

-The **Order** column lists the priority for each policy. Predefined policies move down in the order of priority when new policies are added. You can edit the order of priority for the policies that you define (select a policy, and then choose **Change order**). You can't change the order of priority for default policies.

-For example, suppose that for your Windows client devices, you have three next-generation protection policies. In this case, your default policy is number 3 in priority. You can change the order of your policies that are numbered 1 and 2, but the default policy will remain number 3 in your list.

-**The important thing to remember about multiple policies is that devices will receive the first applied policy only.** Referring to our earlier example of three next-generation policies, suppose that you have devices that are targeted by all three policies. In this case, those devices receive policy number 1, but won't receive policies numbered 2 and 3.

-## Key points to remember about policy order

-## See also

-description: View and edit settings for the Microsoft Defender portal and advanced features in Defender for Business

-# Review and edit settings in Microsoft Defender for Business

-You can view and edit settings, such as portal settings and advanced features, in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Use this article to get an overview of the various settings that are available and how to edit your Defender for Business settings.

-## View settings for advanced features

-In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features**.

-The following table describes advanced feature settings.

-| Setting | Description |

-|:|:|

-| **Automated Investigation** <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action and then takes or recommends remediation actions, such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. While an investigation is running, any related alerts that arise are added to the investigation until it's completed. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<br/><br/>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<br/><br/>By default, automated investigation and response capabilities are turned on, tenant wide. **We recommend keeping automated investigation turned on**. If you turn it off, real-time protection in Microsoft Defender Antivirus will be affected, and your overall level of protection will be reduced. <br/><br/>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |

-| **Live Response** | Defender for Business includes the following types of manual response actions: <br/>- Run antivirus scan<br/>- Isolate device<br/>- Stop and quarantine a file<br/>- Add an indicator to block or allow a file <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |

-| **Live Response for Servers** | (This setting is currently not available in Defender for Business.) |

-| **Live Response unsigned script execution** | (This setting is currently not available in Defender for Business.) |

-| **Enable EDR in block mode**<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.<br/><br/>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |

-| **Allow or block a file** <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) turned on.<br/><br/>Blocking a file prevents it from being read, written, or executed on devices in your organization. <br/><br/>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). |

-| **Custom network indicators**<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) turned on.<br/><br/>You can allow or block IPs, URLs, or domains based on your threat intelligence. You can also prompt users if they open a risky app, but the prompt won't stop them from using the app.<br/><br/>[Learn more about network protection](../defender-endpoint/network-protection.md). |

-| **Tamper protection**<br/>(we recommend you turn on this setting) | Tamper protection prevents malicious apps from doing actions such as:<br/>- Disable virus and threat protection<br/>- Disable real-time protection<br/>- Turn off behavior monitoring<br/>- Disable cloud protection<br/>- Remove security intelligence updates<br/>- Disable automatic actions on detected threats<br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |

-| **Show user details**<br/>(turned on by default) | Enables people in your organization to see details, such as employees' pictures, names, titles, and departments. These details are stored in Microsoft Entra ID.<br/><br/>[Learn more about user profiles in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |

-| **Skype for Business integration**<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <br/><br/>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |

-| **Web content filtering**<br/>(turned on by default) | Blocks access to websites that contain unwanted content and tracks web activity across all domains. See [Set up web content filtering](mdb-web-content-filtering.md). |

-| **Microsoft Intune connection**<br/>(we recommend you turn on this setting if you have Intune) | If your organization's subscription includes Microsoft Intune (included in [Microsoft 365 Business Premium resources](../../business-premium/index.yml)), this setting enables Defender for Business to share information about devices with Intune. |

-| **Device discovery**<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network, whether it's an unpatched printer, a network device with a weak security configuration, or a server with no security controls.<br/><br/>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <br/><br/>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |

-| **Preview features** | Microsoft is continually updating services such as Defender for Business to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <br/><br/>[Learn more about preview features](../defender-endpoint/preview.md). |

-<a name='view-and-edit-other-settings-in-the-microsoft-365-defender-portal'></a>

-## View and edit other settings in the Microsoft Defender portal

-In addition to security policies applied to devices, there are other settings you can view and edit in Defender for Business. For example, you specify the time zone to use, and you can onboard (or offboard) devices.

-> [!NOTE]

-> You might see more settings in your tenant than are listed in this article. This article highlights the most important settings that you should review in Defender for Business.

-### Settings to review for Defender for Business

-The following table describes settings you can view and edit in Defender for Business:

-| Category | Setting | Description |

-|:|:|:|

-| **Security center** | **Time zone** | Select the time zone to use for the dates and times displayed in incidents, detected threats, and automated investigation and remediation. You can either use UTC or your local time zone (*recommended*). |

-| **Microsoft Defender XDR** | **Account** | View details such where your data is stored, your tenant ID, and your organization (org) ID. |

-| **Microsoft Defender XDR** | **Preview features** | Turn on preview features to try upcoming features and new capabilities. You can be among the first to preview new features and provide feedback. |

-| **Endpoints** | **Email notifications** | Set up or edit your email notification rules. When vulnerabilities are detected or an alert is created, the recipients specified in your email notification rules will receive an email. [Learn more about email notifications](mdb-email-notifications.md). |

-| **Endpoints** | **Device management** > **Onboarding** | Onboard devices to Defender for Business by using a downloadable script. To learn more, see [Onboard devices to Defender for Business](mdb-onboard-devices.md). |

-| **Endpoints** | **Device management** > **Offboarding** | Offboard (remove) devices from Defender for Business. When you offboard a device, it no longer sends data to Defender for Business, but data received prior to offboarding is retained. To learn more, see [Offboarding a device](mdb-offboard-devices.md). |

-<a name='access-your-settings-in-the-microsoft-365-defender-portal'></a>

-### Access your settings in the Microsoft Defender portal

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), and sign in.

-2. Select **Settings**, and then select a category (such as **Security center**, **Microsoft Defender XDR**, or **Endpoints**).

-3. In the list of settings, select an item to view or edit.

-description: Learn how to access Microsoft Defender for Business preview features.

-keywords: preview, preview experience, Microsoft Defender for Business, features, updates

-ms.sitesec: library

-ms.pagetype: security

-# Microsoft Defender for Business preview features

-**Applies to:**

-Defender for Business is constantly being updated to include new feature enhancements and capabilities.

-Learn about new features in Defender for Business preview releases, and be among the first to try upcoming features by turning on the preview experience.

-## What you need to know

-When working with features in public preview, these features:

-## Turn on preview features

-If you turn on preview features, you'll have access to upcoming features, enabling you to provide feedback and help improve the overall experience before these features are generally available.

-Turn on the preview experience setting to be among the first to try upcoming features.

-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features** \> **Preview features**.

-2. Turn the setting to **On**, and then select **Save preferences**.

-## See also

-description: Get an overview of security reports in Defender for Business. Reports will show detected threats, alerts, vulnerabilities, and device status.

-# Reports in Microsoft Defender for Business

-Several reports are available in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). These reports enable your security team to view information about detected threats, device status, and more.

-This article describes these reports, how you can use them, and how to find them.

-## Monthly security summary (preview)

-The monthly security summary report (currently in preview) shows:

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Monthly Security Summary**.

-## License report

-The license report provides information about licenses your organization has purchased and is using.

-To access this report, in the navigation pane, choose **Settings** > **Endpoints** > **Licenses**.

-## Security report

-The security report provides information about your company's identities, devices, and apps.

-To access this report, in the navigation pane, choose **Reports** > **General** > **Security report**.

-> [!TIP]

-> You can view similar information on the home page of your Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

-## Threat protection report

-The threat protection report provides information about alerts and alert trends.

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Threat protection**.

-## Incidents view

-You can use the **Incidents** list to view information about alerts. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).

-To access this report, in the navigation pane, choose **Incidents** to view and manage current incidents.

-## Device health report

-The device health report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus.

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health**.

-## Device inventory list

-You can use the **Devices** list to view information about your company's devices. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md).

-To access this report, in the navigation pane, go to **Assets** > **Devices**.

-## Vulnerable devices report

-The vulnerable devices report provides information about devices and trends.

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Vulnerable devices**.

-## Web protection report

-The web protection report shows attempts to access phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that are explicitly blocked. Categories of blocked sites include adult content, leisure sites, legal liability sites, and more.

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Web protection**.

-> [!NOTE]

-> If you haven't yet configured web protection for your company, choose the **Settings** button in a report view. Then, under **Rules**, choose **Web content filtering**. To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md).

-## Firewall report

-When firewall protection is configured, the firewall report shows blocked inbound, outbound, and app connections. This report also shows remote IPs connected by multiple devices, and remote IPs with the most connection attempts.

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Firewall**.

-> [!NOTE]

-> If your firewall report has no data, it might be because you haven't configured your firewall protection yet. In the navigation pane, choose **Endpoints** > **Configuration management** > **Device configuration**. To learn more, see [Firewall in Defender for Business](mdb-firewall.md).

-## Device control report

-The device control report shows information about media usage, such as the use of removable storage devices in your organization.

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device control**.

-## Attack surface reduction rules report

-The attack surface reduction rules report has three tabs:

-To learn more, see [Attack surface reduction capabilities in Microsoft Defender for Business](mdb-asr.md).

-To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Attack surface reduction rules**.

-## See also

-description: Microsoft Defender for Business license, hardware, and software requirements

-# Microsoft Defender for Business requirements

-This article describes the requirements for Defender for Business.

-## What to do

-1. [Review the requirements and make sure you meet them](#review-the-requirements).

-2. [Proceed to your next steps](#next-steps).

-## Review the requirements

-The following table lists the basic requirements you need to configure and use Defender for Business.

-| Requirement | Description |

-|:|:|

-| Subscription | Microsoft 365 Business Premium or Defender for Business (standalone). <br/>See [How to get Defender for Business](get-defender-business.md). |

-| Datacenter | One of the following datacenter locations: <br/>- European Union <br/>- United Kingdom <br/>- United States <br/>- Australia |

-| User accounts | - User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)). <br/>- Licenses for Defender for Business (or Microsoft 365 Business Premium) are assigned in the Microsoft 365 admin center.<br/><br/>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). |

-| Permissions | To sign up for Defender for Business, you must be a Global Admin.<br/><br/>To access the Microsoft Defender portal, users must have one of the following [roles in Microsoft Entra ID](mdb-roles-permissions.md) assigned: <br/>- Security Reader <br/>- Security Admin <br/>- Global Admin<br/><br/>To learn more, see [Roles and permissions in Defender for Business](mdb-roles-permissions.md). |

-| Browser | Microsoft Edge or Google Chrome |

-| Client computer operating system | To manage devices in the Microsoft Defender portal, your devices must be running one of the following operating systems: <br/>- Windows 10 or 11 Business <br/>- Windows 10 or 11 Professional <br/>- Windows 10 or 11 Enterprise <br/>- Mac (the three most-current releases are supported) <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. |

-| Mobile devices | To onboard mobile devices, such as iOS or Android OS, you can use [Mobile threat defense capabilities](mdb-mtd.md) or Microsoft Intune (see note 1 below).<br/><br/>For more details about onboarding devices, including requirements for mobile threat defense, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |

-| Server license | To onboard a device running Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) (see note 2 below). |

-| Additional server requirements | Windows Server endpoints must meet the [requirements for Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements#hardware-and-software-requirements), and enforcement scope must be turned on.<br/>1. In the Microsoft Defender portal, go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. <br/>2. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**. <br/>3. Select **Save**.<br/><br/>Linux Server endpoints must meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites). |

-> [!NOTE]

-> 1. Microsoft Intune is not included in the standalone version of Defender for Business, but Intune can be added on. Intune is included in Microsoft 365 Business Premium.

->

-> 2. To onboard servers, we recommend using [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions?](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions) and [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

->

-> 3. [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) is used to manage user permissions and device groups. Microsoft Entra ID is included in your Defender for Business subscription.

-> - If you don't have a Microsoft 365 subscription before you start your trial, Microsoft Entra ID will be provisioned for you during the activation process.

-> - If you do have another Microsoft 365 subscription when you start your Defender for Business trial, you can use your existing Microsoft Entra service.

->

-> 4. Security defaults are included in Defender for Business. If you prefer to use Conditional Access policies instead, you'll need Microsoft Entra ID P1 or P2 Plan 1 (included in [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md)). To learn more, see [Multi-factor authentication](../../business-premium/m365bp-turn-on-mfa.md).

-## Next steps

-description: As threats are detected in Defender for Business, you can take actions to respond to those threats. See how to use the device inventory view.

-# Respond to and mitigate threats in Microsoft Defender for Business

-The Microsoft Defender portal enables your security team to respond to and mitigate detected threats. This article walks you through an example of how you can use Defender for Business.

-## View detected threats

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. Notice cards on the Home page. These cards were designed to tell you at a glance how many threats were detected, how many user accounts, and what endpoints (devices) or other assets were affected. The following image is an example of cards you might see:

- :::image type="content" source="../../medib-examplecards.png" alt-text="Screenshot of cards in the Microsoft Defender portal":::

-3. Select a button or link on the card to view more information and take action. As an example, our **Devices at risk** card includes a **View details** button. Selecting that button takes us to the **Devices** list, as shown in the following image:

- :::image type="content" source="../../medib-device-inventory.png" alt-text="Screenshot of device inventory":::

- The **Devices** page lists company devices, along with their risk level and exposure level.

-4. Select an item, such as a device. A flyout pane opens and displays more information about alerts and incidents generated for that item, as shown in the following image:

- :::image type="content" source="../../medib-deviceinventory-selecteddeviceflyout.png" alt-text="Screenshot of the flyout pane for a selected device":::

-5. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions, as shown in the following image:

- :::image type="content" source="../../medib-deviceinventory-selecteddeviceflyout-menu.png" alt-text="Screenshot of available actions for a selected device":::

-6. Select an available action. For example, you might choose **Run antivirus scan**, which starts a quick scan with Microsoft Defender Antivirus on the device. Or, you could select **Initiate Automated Investigation** to trigger an automated investigation on the device.

-## Next steps

-description: View remediations that were taken on detected threats or suspected attacks with Defender for Business.

-# Review remediation actions in the Action center

-As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval. Examples of remediation actions include stopping a process from running or removing a scheduled task.

-All remediation actions are tracked in the Action center.

-**This article describes**:

-## How to use the Action center

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, choose **Action center**.

-3. Select the **Pending** tab to view and approve (or reject) any pending actions. Actions can arise from antivirus/antimalware protection, automated investigations, manual response activities, or live response sessions.

-4. Select the **History** tab to view a list of completed actions.

-## Remediation actions

-Defender for Business includes several remediation actions. These actions include manual response actions, actions following automated investigation, and live response actions.

-The following table lists remediation actions that are available.

-| Source | Actions |

-|||

-| [Automatic attack disruption](mdb-attack-disruption.md) | - Contain a device <br/>- Contain a user <br/>- Disable a user account |

-| [Automated investigations](../defender-endpoint/automated-investigations.md) |- Quarantine a file<br/> - Remove a registry key<br/> - Kill a process<br/> - Stop a service<br/> - Disable a driver<br/> - Remove a scheduled task |

-| [Manual response actions](../defender-endpoint/respond-machine-alerts.md) |- Run antivirus scan<br/> - Isolate a device<br/> - Add an indicator to block or allow a file |

-| [Live response](../defender-endpoint/live-response.md) |- Collect forensic data<br/> - Analyze a file<br/> - Run a script<br/> - Send a suspicious entity to Microsoft for analysis<br/> - Remediate a file <br/> - Proactively hunt for threats|

-## Next steps

-description: Assign roles to your cybersecurity team. Learn about these roles and permissions in Defender for Business.

-# Assign security roles and permissions in Microsoft Defender for Business

-This article describes how to assign security roles and permissions in Defender for Business.

-Your organization's security team needs certain permissions to perform tasks, such as

-Permissions are granted through certain roles in the [Microsoft Entra ID](/azure/active-directory/roles/manage-roles-portal). These roles can be assigned in the Microsoft 365 admin center or in the Microsoft Entra admin center.

-## What to do

-1. [Learn about roles in Defender for Business](#roles-in-defender-for-business).

-2. [View or edit role assignments for your security team](#view-and-edit-role-assignments).

-3. [Proceed to your next steps](#next-steps).

-## Roles in Defender for Business

-The following table describes the three roles that can be assigned in Defender for Business. [Learn more about admin roles](../../admin/add-users/about-admin-roles.md).

-| Permission level | Description |

-|:|:|

-| **Global administrators** (also referred to as global admins) <br/><br/> *As a best practice, limit the number of global admins. See [Security guidelines for assigning roles](/microsoft-365/admin/add-users/about-admin-roles#security-guidelines-for-assigning-roles).* | Global admins can perform all kinds of tasks. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default. Global admins typically complete the setup and configuration process in Defender for Business, including onboarding devices.<br/><br/> Global admins are able to modify settings across all Microsoft 365 portals, such as: <br/>- The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/>- Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |

-| **Security administrators** (also referred to as security admins) | Security admins can perform the following tasks: <br/>- View and manage security policies<br/>- View, respond to, and manage alerts <br/>- Take response actions on devices with detected threats<br/>- View security information and reports <br/><br/>In general, security admins use the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) to perform security tasks. |

-| **Security reader** | Security readers can perform the following tasks:<br/>- View a list of onboarded devices<br/>- View security policies<br/>- View alerts and detected threats<br/>- View security information and reports <br/><br/>Security readers can't add or edit security policies, nor can they onboard devices. |

-## View and edit role assignments

-> [!IMPORTANT]

-> Microsoft recommends that you grant people access to only what they need to perform their tasks. We call this concept *least privilege* for permissions. To learn more, see [Best practices for least-privileged access for applications](/azure/active-directory/develop/secure-least-privileged-access).

-You can use the Microsoft 365 admin center or the Microsoft Entra admin center to view and edit role assignments.

-## [**Microsoft 365 admin center**](#tab/M365Admin)

-1. Go to the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) and sign in.

-2. In the navigation pane, go to **Users** > **Active users**.

-3. Select a user account to open their flyout pane.

-4. On the **Account** tab, under **Roles**, select **Manage roles**.

-5. To add or remove a role, use one of the following procedures:

- | Task | Procedure |

- |||

- | Add a role to a user account | 1. Select **Admin center access**, scroll down, and then expand **Show all by category**.<br/><br/>2. Select one of the following roles:<br/><br/>- Global Administrator (listed under **Global**)<br/>- Security Administrator (listed under **Security & Compliance**)<br/>- Security Reader (listed under **Read-only**)<br/><br/>3. Select **Save changes**. |

- | Remove a role from a user account | 1. Either select **User (no admin center access)** to remove *all* admin roles, or clear the checkbox next to one or more of the assigned roles. <br/><br/>2. Select **Save changes**. |

-## [**Microsoft Entra admin center**](#tab/Entra)

-1. Go to the Microsoft Entra admin center ([https://entra.microsoft.com](https://entra.microsoft.com/)) and sign in.

-2. In the navigation pane, go to **Users** > **All users**.

-3. Select a user account to open their profile.

-4. To add or remove a role, use one of the following procedures:

- | Task | Procedure |

- |||

- | Add a role to a user account | 1. Under **Manage**, select **Assigned roles**, and then choose **+ Add assignments**.<br/><br/>2. Search for one of the following roles, select it, and then choose **Add** to assign that role to the user account.<br/><br/>- Global Administrator<br/>- Security Administrator<br/>- Security Reader |

- | Remove a role from a user account | 1. Under **Manage**, select **Assigned roles**.<br/><br/>2. Select one or more administrative roles, and then select **X Remove assignments**. |

-## Next steps

-description: See how to set up your Defender for Business cybersecurity solution. Onboard devices, review your policies, and edit your settings as needed.

-# Set up and configure Microsoft Defender for Business

-This article describes the overall setup process for Defender for Business.

-The process includes:

-1. [Getting Defender for Business](get-defender-business.md).

-2. [Adding users and assigning licenses](mdb-add-users.md).

-3. [Assigning security roles and permissions for your security team](mdb-roles-permissions.md).

-4. [Setting up email notifications for your security team](mdb-email-notifications.md).

-5. [Onboarding devices so they're protected as soon as possible](mdb-onboard-devices.md).

-6. [Setting up and reviewing your security policies and settings](mdb-configure-security-settings.md).

-## Setup options

-When you're ready to set up and configure Defender for Business, you can choose from several options:

-> [!NOTE]

-> Using the setup wizard is optional. If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own.

-## [**Setup wizard**](#tab/Wizard)

-> [!IMPORTANT]

-> You must be a global administrator to complete setup tasks, including running the setup wizard. See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).

-1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).

- In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Assets** > **Devices**. If Defender for Business isn't provisioned yet, that process begins now.

-2. **Add users and assign Defender for Business licenses**. You'll want to do this task before you run the setup wizard. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).

- While you're adding users, make sure to create a list of your security team's names and email addresses. This list will come in handy while you are using the setup wizard. To view a list of users, in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)), go to **Users** > **Active users**.

-3. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Assets** > **Devices**. You should see the setup wizard home screen, as shown in the following image:

- :::image type="content" source="medib-wizard-start.png":::

- Select **Get started** to begin using the wizard.

-4. **Assign user permissions**. In this first step of the setup wizard, you grant your security team access to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This portal is where you and your security team will manage your security capabilities, view alerts, and take any needed actions on detected threats. Portal access is granted through roles that imply certain permissions. [Learn more about roles and permissions](mdb-roles-permissions.md).

- In Defender for Business, members of your security team can be assigned one of the following three roles:<br/>

-

- - **Global Admin**: A global admin can view and edit all settings across your Microsoft 365 tenant. The global admin does the initial setup and configuration for your company's Microsoft 365 subscription.

- - **Security Administrator**: A security administrator can view and edit security settings, and take action when threats are detected.

- - **Security Reader**: A security reader can view information in reports, but can't change any security settings.

-5. **Set up email notifications**. In this step of the setup wizard, you can set up email notifications for your security team using the list you created in step 2. Then, when an alert is generated or a new vulnerability is discovered, your security team won't miss it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).

-6. **Onboard and configure Windows devices**. In this step of the setup wizard, you can onboard Windows devices to Defender for Business. Onboarding devices right away helps to protect those devices from day one. Note that this step of the wizard applies to Windows devices only. You can onboard other devices later. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

- > [!NOTE]

- > If your organization is using Microsoft Intune, and devices are already enrolled in Intune, Defender for Business prompts you to either continue using Intune, or switch to using the simplified configuration process in the Microsoft Defender portal. See [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).

- >

- > Defender for Business also offers automatic onboarding for Windows devices enrolled in Intune. Automatic onboarding is a simplified way to onboard Windows devices to Defender for Business. We recommend selecting the "all devices enrolled" option so that as Windows devices are enrolled in Intune, they're onboarded to Defender for Business automatically.

-

-7. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can start with your default policies and add more later. See [Set up, review, and edit your security policies and settings](mdb-configure-security-settings.md).

-8. **Select your next step**. After the setup wizard has completed, you're prompted to choose a next step. For example, you can onboard devices, view your security dashboard, or view your security policies.

-## [**Manual setup**](#tab/Manual)

-> [!IMPORTANT]

-> You must be a global administrator to complete setup tasks. See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).

-1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).

-2. **Add users and assign licenses**. Assign a license for Defender for Business (or Microsoft 365 Business Premium, if that's your subscription) to each member of your organization to protect their devices. You'll also want to make sure multifactor authentication is enabled for all users. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).

-3. **Assign roles and permissions to your security team**. People on your security team need certain permissions to perform tasks such as reviewing detected threats & remediation actions, viewing & editing policies, onboarding devices, and using reports. You can grant these permissions through roles. See [Assign roles and permissions](mdb-roles-permissions.md).

-4. **Set up email notifications for your security team**. As alerts are generated, or new vulnerabilities are discovered, people on your security team can be notified automatically, via email messages. See [Set up email notifications](mdb-email-notifications.md).

-5. **Onboard devices to Defender for Business**. The sooner you get your devices onboarded to Defender for Business, the sooner they're protected. You can onboard devices in the Microsoft Defender portal. Or, if your organization is already using Microsoft Intune, you can use it to enroll devices. See [Onboard devices to Defender for Business](mdb-onboard-devices.md).

-6. **Set up and review your security policies and settings**. Some security policies and settings are preconfigured with default settings in Defender for Business. Other policies, such as web content filtering and attack surface reduction rules, must be set up. See [Configure your security settings and policies](mdb-configure-security-settings.md).

-> [!IMPORTANT]

-> If you have Microsoft 365 Business Premium, you have additional capabilities to set up and configure. See [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/m365bp-overview.md).

-

-## Next steps

-After reading this article, proceed to:

-1. [Get Microsoft Defender for Business](get-defender-business.md) and [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).

-2. [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).

-After you have set up and configured Defender for Business, your next steps are to:

-description: The Defender for Endpoint streaming API is available for Defender for Business and Microsoft 365 Business Premium. Stream of device file, registry, network, sign-in events, and other data to Azure Event Hub, Azure Storage, and Microsoft Sentinel to support advanced hunting and attack detection.

-# Use the streaming API with Microsoft Defender for Business

-If your organization has a Security Operations Center (SOC), the ability to use the [Microsoft Defender for Endpoint streaming API](../defender-endpoint/raw-data-export.md) is available for [Defender for Business](mdb-overview.md) and [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md). The API enables you to stream data, such as device file, registry, network, sign-in events, and more to one of the following

-With the streaming API, you can use [advanced hunting](../defender/advanced-hunting-overview.md) and [attack detection](../defender-endpoint/overview-endpoint-detection-response.md) with Defender for Business and Microsoft 365 Business Premium. The streaming API enables SOCs to view more data about devices, understand better how an attack occurred, and take steps to improve device security.

-## Use the streaming API with Microsoft Sentinel

-> [!NOTE]

-> [Microsoft Sentinel](/azure/sentinel/overview) is a paid service. Several plans and pricing options are available. See [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).

-1. Make sure that Defender for Business is set up and configured, and that devices are already onboarded. See [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md).

-2. Create a Log Analytics workspace that you'll use with Sentinel. See [Create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal).

-3. Onboard to Microsoft Sentinel. See [Quickstart: Onboard Microsoft Sentinel](/azure/sentinel/quickstart-onboard).

-4. Enable the Microsoft Defender XDR connector. See [Connect data from Microsoft Defender XDR to Microsoft Sentinel](/azure/sentinel/connect-microsoft-365-defender?tabs=MDE).

-## Use the streaming API with Event Hubs

-> [!NOTE]

-> [Azure Event Hubs](/azure/event-hubs/event-hubs-about) requires an Azure subscription. Before you begin, make sure to create an [event hub](/azure/event-hubs/) in your tenant. Then, sign in to the [Azure portal](https://ms.portal.azure.com/), go to **Subscriptions** > **Your subscription** > **Resource Providers** > **Register to Microsoft.insights**.

->

-1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in as a ***Global Administrator*** or ***Security Administrator***.

-2. Go to the [Data export settings page](https://security.microsoft.com/interoperability/dataexport).

-3. Select **Add data export settings**.

-4. Choose a name for your new settings.

-5. Choose **Forward events to Azure Event Hubs**.

-6. Type your **Event Hubs name** and your **Event Hubs ID**.

- > [!NOTE]

- > Leaving the Event Hubs name field empty creates an event hub for each category in the selected namespace. If you're not using a Dedicated Event Hubs Cluster, keep in mind that there's a limit of 10 Event Hubs namespaces.

- To get your **Event Hubs ID**, go to your Azure Event Hubs namespace page in the [Azure portal](https://ms.portal.azure.com/). On the **Properties** tab, copy the text under **ID**.

-7. Choose the events you want to stream and then select **Save**.

-### The schema of events in Azure Event Hubs

-Here's what the schema of events in Azure Event Hubs looks like:

-```json

-{

- "records": [

- {

- "time": "<The time WDATP received the event>"

- "tenantId": "<The Id of the tenant that the event belongs to>"

- "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"

- "properties": { <WDATP Advanced Hunting event as Json> }

- }

- ...

- ]

-}

-```

-Each event hub message in Azure Event Hubs contains a list of records. Each record contains the event name, the time Defender for Business received the event, the tenant to which it belongs (you get events from your tenant only), and the event in JSON format in a property called "**properties**". For more information about the schema, see [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](../defender/advanced-hunting-overview.md).

-## Use the streaming API with Azure Storage

-Azure Storage requires an Azure subscription. Before you begin, make sure to create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant. Then, sign in to your [Azure tenant](https://ms.portal.azure.com/), and go to **Subscriptions** > **Your subscription** > **Resource Providers** > **Register to Microsoft.insights**.

-### Enable raw data streaming

-1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in as a ***Global Administrator*** or ***Security Administrator***.

-2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender XDR.

-3. Select **Add data export settings**.

-4. Choose a name for your new settings.

-5. Choose **Forward events to Azure Storage**.

-6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page in the [Azure portal](https://ms.portal.azure.com/). Then, on the **Properties** tab, copy the text under **Storage account resource ID**.

-7. Choose the events you want to stream and then select **Save**.

-### The schema of events in Azure Storage account

-A blob container is created for each event type. The schema of each row in a blob is the following JSON file:

- ```json

- {

- "time": "<The time WDATP received the event>"

- "tenantId": "<Your tenant ID>"

- "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"

- "properties": { <WDATP Advanced Hunting event as Json> }

- }

- ```

-Each blob contains multiple rows. Each row contains the event name, the time Defender for Business received the event, the tenant to which it belongs (you get events from your tenant only), and the event in JSON format properties. For more information about the schema of Microsoft Defender for Endpoint events, see [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](../defender/advanced-hunting-overview.md).

-## See also

-description: Learn about several tutorials to help you get started using Defender for Business.

-# Tutorials and simulations in Microsoft Defender for Business

-This article describes some scenarios to try and several tutorials and simulations that are available for Defender for Business. These resources show how Defender for Business can work for your company.

-## Try these scenarios

-The following table summarizes several scenarios to try with Defender for Business.

-| Scenario | Description |

-|||

-| Onboard devices using a local script | In Defender for Business, you can onboard Windows and Mac devices by using a script that you download and run on each device. The script creates a trust with Microsoft Entra ID, if that trust doesn't already exist; enrolls the device with Microsoft Intune, if you have Intune; and onboards the device to Defender for Business. To learn more, see [Onboard devices to Defender for Business](mdb-onboard-devices.md). |

-| Onboard devices using Intune | If you were already using Intune before getting Defender for Business, you can continue to use Intune admin center to onboard devices. Try onboarding your Windows, Mac, iOS, and Android devices with Microsoft Intune. To learn more, see [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment). |

-| Edit security policies | If you're managing your security policies in Defender for Business, use the **Device configuration** page to view and edit your policies. Defender for Business comes with default policies that use recommended settings to secure your company's devices as soon as they're onboarded. You can keep the default policies, edit them, and define your own policies to suit your business needs. To learn more, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md). |

-| Run a simulated attack | Several tutorials and simulations are available in Defender for Business. These tutorials and simulations show how the threat-protection features of Defender for Business can work for your company. You can also use a simulated attack as a training exercise for your team. To try the tutorials, see [Recommended tutorials for Defender for Business](#recommended-tutorials-for-defender-for-business). |

-| View incidents in Microsoft 365 Lighthouse | If you're a [Microsoft Cloud Solution Provider](/partner-center/enrolling-in-the-csp-program) using Microsoft 365 Lighthouse, you can view incidents across your customers' tenants in your Microsoft 365 Lighthouse portal. To learn more, see [Microsoft 365 Lighthouse and Defender for Business](mdb-lighthouse-integration.md). |

-## Recommended tutorials for Defender for Business

-The following table describes the recommended tutorials for Defender for Business customers.

-| Tutorial | Description |

-|||

-| **Document Drops Backdoor** | Simulate an attack that introduces file-based malware on a test device. The tutorial describes how to use the simulation file and what to watch for in the Microsoft Defender portal. <p>This tutorial requires that Microsoft Word is installed on your test device. |

-| **Live Response** | Learn how to use basic and advanced commands with Live Response. Learn how to locate a suspicious file, remediate the file, and gather information on a device. |

-| **Microsoft Defender Vulnerability Management(core scenarios)** | Learn about Defender Vulnerability Management through three scenarios:<br/>1. Reduce your company's threat and vulnerability exposure.<br/>2. Request a remediation.<br/>3. Create an exception for security recommendations.<br/><br/>Defender Vulnerability Management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. |

-Each tutorial includes a walkthrough document that explains the scenario, how it works, and what to do.

-> [!TIP]

-> You'll see references to Microsoft Defender for Endpoint in the walkthrough documents. The tutorials listed in this article can be used with either Defender for Endpoint or Defender for Business.

-## How to access the tutorials

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, under **Endpoints**, choose **Tutorials**.

-3. Choose one of the following tutorials:

- - **Document Drops Backdoor**

- - **Live Response**

- - **Microsoft Defender Vulnerability Management (core scenarios)**

-## Next steps

-description: Learn how to view, edit, create, and delete cybersecurity policies in Defender for Business. Protect your devices with security policies.

-# View or edit policies in Microsoft Defender for Business

-In Defender for Business, security settings are configured through policies that are applied to devices. To help simplify your setup and configuration experience, Defender for Business includes several preconfigured policies to help protect your company's devices as soon as they are onboarded. There are other types of policies you can create as well (see [Set up, review, and edit your security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md)).

-This article describes how to view, edit, and create security policies in Defender for Business.

-**This article includes**:

-## Default policies in Defender for Business

-In Defender for Business, there are two main types of default policies that are designed to protect your company's devices as soon as they're onboarded:

-[Next-generation protection](mdb-next-generation-protection.md) includes robust antivirus and antimalware protection for computers and mobile devices. The default policies are designed to protect your devices and users without hindering productivity. However, you can customize your policies to suit your business needs. For more details, see [Review or edit your next-generation protection policies](mdb-next-generation-protection.md).

-[Firewall policies](mdb-firewall.md) help secure devices by establishing rules that determine what network traffic is permitted to flow to and from devices. You can use firewall protection to specify whether to allow or to block connections on devices in various locations. For example, your firewall settings can allow inbound connections on devices that are connected to your company's internal network, but prevent connections when the device is on a network with untrusted devices. For more details, see [Firewall](mdb-firewall.md).

-## Policies to set up in Defender for Business

-In addition to next-generation protection and firewall policies, there are three other types of policies to configure for the best protection with Defender for Business:

-[Web content filtering](mdb-web-content-filtering.md), which enables your security team to track and regulate access to websites based on content categories. Examples of categories include adult content, high bandwidth content, and legal liability content. When you set up your web content filtering policy, you enable web protection for your organization. For more information, see [Web content filtering](mdb-web-content-filtering.md).

-[Controlled folder access](mdb-controlled-folder-access.md) allows only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. You can set up or edit your controlled folder access policy in Microsoft Intune. For more information, see [Set up or edit your controlled folder access policy](mdb-controlled-folder-access.md).

-[Attack surface reduction rules](mdb-asr.md) target certain software behaviors that are often considered risky because they're commonly abused by attackers through malware. Examples of such behaviors include launching executable files and scripts that attempt to download or run files. Attack surface reduction rules can constrain software-based risky behaviors, and help keep your organization safe. At a minimum, we recommend configuring standard protection rules to help protect your network without causing disruption for users. For more information, see [Enable your attack surface reduction rules in Microsoft Defender for Business](mdb-asr.md).

-> [!NOTE]

-> Intune is required to configure [controlled folder access](mdb-controlled-folder-access.md) and [attack surface reduction rules](mdb-asr.md). Intune is not included in the standalone version of Defender for Business, but can be added on to your subscription.

-## View your existing policies

-You can view your existing policies in either Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) (if you're using Intune).

-<a name='microsoft-365-defender-portal'></a>

-## [**Microsoft Defender portal**](#tab/M365D)

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Configuration management** > **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

-3. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under each category (such as **Next-generation protection** and **Firewall**).

-4. To view more details about a policy, select its name. A side pane will open that provides more information about that policy, such as which devices are protected by that policy.

-## [**Intune admin center**](#tab/intune)

-1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com)) and sign in.

-2. In the navigation pane, select **Endpoint security**, and then choose a category, such as **Antivirus**, **Firewall**. or **Attack surface reduction**.

-3. Any existing policies are listed for the category you selected. To view more details about a policy, select its name.

-## Edit an existing policy

-You can view your existing policies in either Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) (if you're using Intune).

-<a name='microsoft-365-defender-portal'></a>

-## [**Microsoft Defender portal**](#tab/M365D)

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

-3. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.

-4. To edit a policy, select its name, and then choose **Edit**.

-5. On the **General information** tab, review the information. If necessary, you can edit the description. Then choose **Next**.

-6. On the **Device groups** tab, determine which device groups should receive this policy.

- - To keep the selected device group as it is, choose **Next**.

- - To remove a device group from the policy, select **Remove**.

- - To set up a new device group, select **Create new group**, and then set up your device group. (To get help with this task, see [Device groups](mdb-create-edit-device-groups.md).)

- - To apply the policy to another device group, select **Use existing group**.

- After you have specified which device groups should receive the policy, choose **Next**.

-7. On the **Configuration settings** tab, review the settings. If necessary, you can edit the settings for your policy. To get help with this task, see the following articles:

- - [Understand next-generation configuration settings](mdb-next-generation-protection.md)

- - [Firewall settings](mdb-firewall.md)

- After you have specified your next-generation protection settings, choose **Next**.

-8. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.

- - Make any needed changes by selecting **Edit**.

- - When you're ready to proceed, choose **Update policy**.

-## [**Intune admin center**](#tab/intune)

-1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com)) and sign in.

-2. In the navigation pane, select **Endpoint security**, and then choose a category, such as **Antivirus**, **Firewall**. or **Attack surface reduction**.

-3. Existing policies are listed. Select a policy to view more details about it.

-4. Next to **Configuration settings**, choose **Edit**.

- To get help with this task, see [Edit a policy in Intune](/mem/intune/protect/endpoint-security-policy#to-edit-a-policy).

-## Create a new policy

-<a name='microsoft-365-defender-portal'></a>

-## [**Microsoft Defender portal**](#tab/M365D)

-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

-3. Select an operating system tab (for example, **Windows clients**), and then review the list of **Next-generation protection** policies.

-4. Under **Next-generation protection** or **Firewall**, select **+ Add**.

-5. On the **General information** tab, take the following steps:

- 1. Specify a name and description. This information will help you and your team identify the policy later on.

- 2. Review the policy order, and edit it if necessary. (For more information, see [Policy order](mdb-policy-order.md).)

- 3. Choose **Next**.

-7. On the **Device groups** tab, either create a new device group, or use an existing group. Policies are assigned to devices through device groups. Here are some things to keep in mind:

- - Initially, you might only have your default device group, which includes the devices people in your company are using to access company data and email. You can keep and use your default device group.

- - Create a new device group to apply a policy with specific settings that are different from the default policy.

- - When you set up your device group, you specify certain criteria, such as the operating system version. Devices that meet the criteria are included in that device group, unless you exclude them.

- - All device groups, including the default and custom device groups that you define, are stored in Microsoft Entra ID.

- To learn more about device groups, see [Device groups](mdb-create-edit-device-groups.md).

-8. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Configuration settings for Defender for Business](mdb-next-generation-protection.md).

-9. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.

- - Make any needed changes by selecting **Edit**.

- - When you're ready to proceed, choose **Create policy**.

-## [**Intune admin center**](#tab/intune)

-1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com)) and sign in.

-2. In the navigation pane, select **Endpoint security**, and then choose a category, such as **Antivirus**, **Firewall**. or **Attack surface reduction**.

-3. Select **+ Create Policy**.

- - If your policy is for Windows devices, in the **Platform** list, choose **Windows 10, Windows 11, and Windows Server**.

- - If your policy is for Mac, in the **Platform** list, choose **macOS**.

-4. In the **Profile** list, select a profile, and then choose **Create**.

- The **Profile** list varies depending on what you selected for **Platform**, as summarized in the following table:

- | Platform | Profile | Description |

- ||||

- | Windows 10, Windows 11, and Windows Server | Microsoft Defender Antivirus exclusions | Select this template to define [exclusions for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions#microsoft-defender-antivirus-exclusions). |

- | Windows 10, Windows 11, and Windows Server | Microsoft Defender Antivirus | Select this template to set up your [next-generation protection policy](mdb-next-generation-protection.md). |

- | Windows 10, Windows 11, and Windows Server | Windows Security Experience | Select this template to turn on [tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md) and to configure what users can see or do with the Windows Security app on their computer. |

- | macOS | Antivirus | Select this template to set up your [next-generation protection policy](mdb-next-generation-protection.md) for devices running macOS. |

- | Windows 10, Windows 11, and Windows Server | Microsoft Defender Firewall | Select this template to set up your [firewall protection policy](mdb-firewall.md). |

- | Windows 10, Windows 11, and Windows Server | Microsoft Defender Firewall Rules | Select this template to set up exceptions to your firewall policy. These exceptions are defined through [custom rules](mdb-firewall.md#manage-your-custom-rules-for-firewall-policies-in-microsoft-defender-for-business). |

- | Windows 10, Windows 11, and Windows Server | Attack Surface Reduction Rules | Select this template to set up [attack surface reduction rules](mdb-asr.md) or [controlled folder access](mdb-controlled-folder-access.md). |

-5. Use the wizard to set up your policy. To get help, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy).

-## See also

-description: View and manage alerts, respond to threats, manage devices, and review remediation actions on detected threats in Defender for Business.

-# View and manage incidents in Microsoft Defender for Business

-As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft Defender portal. You must have appropriate permissions assigned to perform the tasks in this article. See [Security roles and permissions in Microsoft Defender for Business](mdb-roles-permissions.md).

-**This article includes**:

-## Monitor your incidents & alerts

-1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Incidents & alerts**, and then select **Incidents**. Any incidents that were created are listed on the page.

- > [!IMPORTANT]

- > If you see an incident tagged with `Attack disruption`, it means an advanced attack has been detected. See [Automatic attack disruption](mdb-attack-disruption.md).

-2. Select an alert to open its flyout pane, where you can learn more about the alert.

- :::image type="content" source="../../medib-incident-flyout.png" alt-text="Screenshot of incident selected with flyout open":::

-3. In the flyout pane, you can see the alert title, view a list of assets (such as devices or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert.

-> [!TIP]

-> Defender for Business is designed to help you address detected threats by recommending actions you can take. When you view an alert, look for these suggestions. Also notice the alert severity, which is determined not only on the basis of the detected threat severity, but also on the level of risk to your company.

-## Alert severity

-When a threat is detected, a severity level is assigned to each alert that is generated.

-The following table lists a few examples of alerts and their severity levels:

-| Scenario | Alert severity and reason |

-|:|:|

-| [Automated attack disruption](mdb-attack-disruption.md) detects an advanced attack, and contains devices or user accounts to help prevent the attack from proceeding. | **High**. Attack disruption capabilities help contain an attack so your IT/security team can address it. |

-| Microsoft Defender Antivirus detects and stops a threat before it does any damage. | **Informational**. The threat was stopped before any damage was done. |

-| Microsoft Defender Antivirus detects malware that was executing within your company. The malware is stopped and remediated. | **Low**. Although some damage might have been done to an individual device, the malware now poses no threat to your company. |

-| Malware that is executing is detected by Defender for Business. The malware is blocked almost immediately. | **Medium** or **High**. The malware poses a threat to individual devices and to your company. |

-| Suspicious behavior is detected but no remediation actions are taken yet. | **Low**, **Medium**, or **High**. The severity depends on the degree to which the behavior poses a threat to your company. |

-## Next steps

-description: Use your Microsoft Defender Vulnerability Management dashboard to see important items to address in Defender for Business.

-# Use your vulnerability management dashboard in Microsoft Defender for Business

-Defender for Business includes a vulnerability management dashboard that is designed to save your security team time and effort. In addition to providing an exposure score, that dashboard enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to:

-## Vulnerability management features and capabilities

-Vulnerability management features and capabilities in Microsoft Defender for Business include:

- :::image type="content" source="medivm-dashboard.png":::

- :::image type="content" source="medivm-remediation.png":::

- :::image type="content" source="medivm-weakness-details.png":::

-[Learn more about Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md).

-## Next steps

-description: Learn how to set up, view, and edit your web content filtering policy in Microsoft Defender for Business.

-# Web content filtering in Microsoft Defender for Business

-Web content filtering enables your security team to track and regulate access to websites based on content categories. When you set up your web content filtering policy, you enable web protection for your organization.

-Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave, and Opera). For more information, see [Prerequisites for web content filtering](../defender-endpoint/web-content-filtering.md#prerequisites).

-In Defender for Business, you can have one web content filtering policy and it's applied to all users.

-## Set up web content filtering

-1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **Rules** > **Web content filtering**, and then select **+ Add policy**.

-2. Specify a name and description for your policy.

-3. Select the [categories](#categories-for-web-content-filtering) to block (do not select **Uncategorized**). Use the expand icon to fully expand each parent category, and then select specific web content categories.

- To set up an audit-only policy that doesn't block any websites, don't select any categories.

-4. Apply the policy to all users. (Scoping to specific devices is not available in Defender for Business.)

-5. Review the summary and save the policy. The policy refresh might take up to two hours to apply to your selected devices.

-> [!TIP]

-> To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md).

-## Categories for web content filtering

-Not all websites in the categories that are listed below are malicious; however, these websites could be problematic for your company because of compliance regulations, bandwidth usage, or other concerns.

-You can start with an audit-only policy to get a better understanding of whether your security team should block any website categories, and edit your policy later.

-The following table describes web content categories you can choose for your web content filtering policy:

-| Category | Description |

-|:|:|

-| **Adult content** | Sites that are related to cults, gambling, nudity, pornography, sexually explicit material, or violence |

-| **High bandwidth** | Download sites, image sharing sites, or peer-to-peer hosts |

-| **Legal liability** | Sites that include child abuse images, promote illegal activities, foster plagiarism or school cheating, or that promote harmful activities |

-| **Leisure** | Sites that provide web-based chat rooms, online gaming, web-based email, or social networking |

-| **Uncategorized** | Sites that have no content or that are newly registered. <br/><br/>*As a best practice, do not select **Uncategorized**.* |

-## Next steps

-description: "Make the most of your Defender for Business trial with this guide. Get set up quickly and get started using your new security capabilities."

-# Trial user guide: Microsoft Defender for Business

-**Welcome to the Defender for Business trial user guide!**

-This guide will help you set up and use key features of your free trial. Using recommendations in this article from the Microsoft Defender team, learn how Defender for Business can help elevate your security from traditional antivirus protection to next-generation protection, endpoint detection and response, and vulnerability management.

-## What is Defender for Business?

-Defender for Business is a new endpoint security solution designed especially for small and medium-sized businesses with up to 300 employees. With this endpoint security solution, your organization's devices are well-protected from ransomware, malware, phishing, and other threats.

-**Let's get started!**

-## Set up your trial

-Here's how to set up your trial subscription:

-1. [Add users and assign licenses](#step-1-add-users-and-assign-licenses).

-2. [Visit the Microsoft Defender portal](#step-2-visit-the-microsoft-365-defender-portal).

-3. [Use the setup wizard](#step-3-use-the-setup-wizard-in-defender-for-business-recommended).

-4. [Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business).

-### Step 1: Add users and assign licenses

-After you sign up for Defender for Business, the first step is to **[add users and assign licenses](mdb-add-users.md)**.

-> [!NOTE]

-> You must be a global administrator to perform this task. The person who signed your company up for Microsoft 365 or Defender for Business is the global administrator by default. [Learn more about roles and permissions](mdb-roles-permissions.md).

-<a name='step-2-visit-the-microsoft-365-defender-portal'></a>

-### Step 2: Visit the Microsoft Defender portal

-The Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is the one-stop shop where you use and manage Defender for Business. It includes callouts to help you get started, cards that surface relevant information, and a navigation bar that provides easy access to the various features and capabilities.

-### Step 3: Use the setup wizard in Defender for Business (recommended)

-Defender for Business was designed to save small and medium-sized businesses time and effort. You can do initial setup and configuration through a setup wizard. The setup wizard helps you grant access to your security team, set up email notifications for your security team, and onboard your company's Windows devices. **[Use the setup wizard](mdb-setup-configuration.md)**.

-> [!NOTE]

-> You can only use the setup wizard once.

-#### Setup wizard flow: what to expect

-> [!TIP]

-> **Using the setup wizard is optional.** If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own. See [Step 4: Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business).

-1. **[Assign user permissions](mdb-roles-permissions.md#view-and-edit-role-assignments)**. Grant your security team access to the Microsoft Defender portal.

-2. **[Set up email notifications](mdb-email-notifications.md#view-and-edit-email-notifications)** for your security team.

-3. **[Onboard and configure Windows devices](mdb-onboard-devices.md)**. Onboarding devices right away helps protect those devices from day one.

- > [!NOTE]

- > When you use the setup wizard, the system detects if you have Windows devices that are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once or select specific devices at first and then add more devices later.

- To onboard other devices, see [Step 4: Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business).

-4. **[View and edit your security policies](mdb-configure-security-settings.md)**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These preconfigured security policies use recommended settings, so you're protected as soon as your devices are onboarded to Defender for Business. And you can edit the policies or create new ones.

-### Step 4: Set up and configure Defender for Business

-If you choose not to use the setup wizard, see the following diagram that depicts the [overall setup and configuration process](mdb-setup-configuration.md) for Defender for Business.

-[:::image type="content" source="medi)

-If you used the setup wizard but you need to onboard more devices, such as non-Windows devices, go directly to [step 4](mdb-onboard-devices.md) in the following procedure:

-1. **[Review the requirements](mdb-requirements.md)** to configure and use Defender for Business.

-2. **[Assign roles and permissions](mdb-roles-permissions.md)** in the Microsoft Defender portal.

- - [Learn about roles in Defender for Business](mdb-roles-permissions.md#roles-in-defender-for-business).

- - [View or edit role assignments for your security team](mdb-roles-permissions.md#view-and-edit-role-assignments).

-3. **[Set up email notifications](mdb-email-notifications.md)** for your security team.

- - [Learn about types of email notifications](mdb-email-notifications.md#types-of-email-notifications).

- - [View and edit email notification settings](mdb-email-notifications.md#view-and-edit-email-notifications).

-4. **[Onboard devices](mdb-onboard-devices.md)**. To onboard Windows and Mac clients, you can use a local script.

-5. **[View and configure your security policies](mdb-configure-security-settings.md)**. After you onboard your company's devices to Defender for Business, the next step is to view and edit your security policies and settings.

-Defender for Business includes pre-configured security policies that use recommended settings. But you can edit the settings to suit your business needs.

-Security policies to review and configure include:

-## Start using Defender for Business

-For the next 30 days, here's guidance from the product team on key features to try:

-1. [Use your Microsoft Defender Vulnerability Management dashboard](#1-use-the-defender-vulnerability-management-dashboard).

-2. [View and respond to detected threats](#2-view-and-respond-to-detected-threats).

-3. [Review security policies](#3-review-security-policies).

-4. [Prepare for ongoing security management](#4-prepare-for-ongoing-security-management).

-5. [Try the Document Drops Backdoor tutorial](#5-try-the-document-drops-backdoor-tutorial).

-### 1. Use the Defender Vulnerability Management dashboard

-Defender for Business includes a Defender Vulnerability Management dashboard that's designed to save your security team time and effort. Learn how to [use your Defender Vulnerability Management dashboard](mdb-view-tvm-dashboard.md).

-### 2. View and respond to detected threats

-As threats are detected and alerts are triggered, incidents are created. Your organization's security team can view and manage incidents in the Microsoft Defender portal. Learn how to [view and respond to detected threats](mdb-view-manage-incidents.md).

-### 3. Review security policies

-In Defender for Business, security settings are configured through policies that are applied to devices. Defender for Business includes pre-configured policies to help protect your company's devices as soon as they are onboarded, safeguarding your organization against identity, device, application, and document security threats.

-Learn how to [review security policies](mdb-view-edit-create-policies.md).

-### 4. Prepare for ongoing security management

-New security events, such as threat detection on a device, adding new devices, and employees joining or leaving the organization, will require you to manage security. In Defender for Business, there are many ways for you to manage device security.

-### 5. Try the Document Drops Backdoor tutorial

-Quickly see how Defender for Business works by trying a tutorial.

-Simulate an attack that introduces file-based malware on a test device. The tutorial describes how to use the simulation file and what to watch for in the Microsoft Defender portal.

-> [!NOTE]

-> This tutorial requires Microsoft Word to be installed on your test device.

-To access the tutorial, do the following:

-1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in.

-2. In the navigation pane, under **Endpoints**, choose **Tutorials**.

-3. Choose **Document Drops Backdoor**.

-## Additional resources

-description: Access the Microsoft Defender XDR MSSP customer portal

-# Access the Microsoft Defender XDR MSSP customer portal

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-mssp-support-abovefoldlink)

-> [!IMPORTANT]

-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-> [!NOTE]

-> These set of steps are directed towards the MSSP.

-By default, MSSP customers access their Microsoft Defender XDR tenant through the following URL: `https://security.microsoft.com/`.

-MSSPs however, will need to use a tenant-specific URL in the following format: `https://security.microsoft.com?tid=customer_tenant_id` to access the MSSP customer portal.

-In general, MSSPs will need to be added to each of the MSSP customer's Microsoft Entra ID that they intend to manage.

-Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:

-1. As an MSSP, log in to Microsoft Entra ID with your credentials.

-2. Switch directory to the MSSP customer's tenant.

-3. Select **Microsoft Entra ID > Properties**. You'll find the tenant ID in the Tenant ID field.

-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://security.microsoft.com/?tid=customer_tenant_id`.

-5. Access a Unified View for MSSP (Preview) in `https://mto.security.microsoft.com/`

-## Related topics

-description: Learn how to use the unified submissions feature in Microsoft Defender XDR to submit suspicious emails, URLs, email attachments, and files to Microsoft for scanning.

-localization_priority: Normal

-# Submit files in Microsoft Defender for Endpoint

-**Applies to**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink).

-In Microsoft Defender for Endpoint, admins can use the unified submissions feature to submit files and file hashes (SHAs) to Microsoft for review. The unified submissions experience is a one-stop shop for submitting emails, URLs, email attachments, and files in one, easy-to-use submission experience. Admins can use the Microsoft Defender portal or the Microsoft Defender for Endpoint Alert page to submit suspicious files.

-## What do you need to know before you begin?

-The new unified submissions experience is available only in subscriptions that include Microsoft Defender for Endpoint Plan 2.

-You need to assign permissions before you can perform the procedures in this article. Use one of the following options:

-**Microsoft Defender for Endpoint** permissions:

-

-**Microsoft Defender XDR** unified RBAC permissions:

-

-For more information about how you can submit spam, phish, URLs, and email attachments to Microsoft, see [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](../office-365-security/submissions-admin.md).

-## Submit a file or file hash to Microsoft from the Defender portal

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-2. On the **Submissions** page, select the **Files** tab.

-3. On the **Files** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add new submission**.

- :::image type="content" source="../../media/unified-admin-submission-new.png" alt-text="Screenshot showing how to add a new submission.":::

-2. In the **Submit items to Microsoft for review** flyout that opens, select **Files** or **File hash** from the **Select the submission type** dropdown list.

- - If you selected **Files**, configure the following options:

- - Select **Browse files**. In the dialog that opens, find and select the file, and then select **Open**. Repeat this step as many times as necessary. To remove an entry from the flyout, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.

- - The maximum total size of all files is 500 MB.

- - Use the password 'infected' to encrypt archive files.

- - **The file should have been categorized as**: Select one of the following values:

- - **Malware** (false negative)

- - **Unwanted software**

- - **Clean** (false positive)

- - **Choose the priority**: Select one of the following values:

- - **Low - bulk file or file hash submission**

- - **Medium - standard submission**

- - **High - needs immediate attention** (max three per day)

- - **Notes for Microsoft (optional)**: Enter an optional note.

- - **Share feedback and relevant content with Microsoft**: Read the privacy statement and then select this option.

- :::image type="content" source="../../media/unified-admin-submission-file.png" alt-text="Screenshot showing how to submit files.":::

- - If you selected **File hash**, configure the following options:

- - In the empty box, enter the file hash value (for example, `2725eb73741e23a254404cc6b5a54d9511b9923be2045056075542ca1bfbf3fe`) and then press the ENTER key. Repeat this step as many times as necessary. To remove an entry from the flyout, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.

- - **The file should have been categorized as**: Select one of the following values:

- - **Malware** (false negative)

- - **Unwanted software**

- - **Clean** (false positive)

- - **Notes for Microsoft (optional)**: Enter an optional note.

- - **Share feedback and relevant content with Microsoft**: Read the privacy statement and then select this option.

- :::image type="content" source="../../media/unified-admin-submission-file-hash.png" alt-text="Screenshot showing how to submit files hashes.":::

- When you're finished in the **Submit items to Microsoft for review** flyout, select **Submit**.

-Back on the **Files** tab of the **Submissions** page, the submission is shown.

-To view the details of the submission, select the submission by clicking anywhere in the row other than the check box next to the **Submission name**. The details of the submission are in the details flyout that opens.

-## Report items to Microsoft from the Alerts page in the Defender portal

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Incidents & alerts** \> **Alerts**. Or, to go directly to the **Alerts** page, use <https://security.microsoft.com/alerts>.

-2. On the **Alerts** page, find the alert that contains the file you want to report. For example, you can select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**, and then select **Service sources** \> **Microsoft Defender for Endpoint**.

-3. Select the alert from the list by clicking anywhere in the row other than the check box next to the **Alert name** value.

-4. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: \> **Submit items to Microsoft for review**.

- :::image type="content" source="../../media/unified-admin-submission-alerts-queue.png" alt-text="Screenshot showing how to submit items from an alerts queue.":::

-5. The options that are available in the **Submit items to Microsoft for review** flyout that opens are basically same as described in the previous section.

- The only difference is an **Include alert story** option that you can select to attach a JSON file that helps Microsoft investigate the submission.

- :::image type="content" source="../../media/unified-admin-submission-alert-queue-flyout.png" alt-text="Screenshot showing how to specify a submission type and fill in required fields.":::

- When you're finished in the **Submit items to Microsoft for review** flyout, select **Submit**.

-The submission is available on the **Files** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=file>.

-## Related information

-description: Microsoft Defender Antivirus engines and advanced technologies

-f1.keyboards: NOSCH

-# Advanced technologies at the core of Microsoft Defender Antivirus

-**Applies to:**

-Microsoft Defender Antivirus and the multiple engines that lead to the advanced detection and prevention technologies under the hood to detect and stop a wide range of threats and attacker techniques at multiple points, as depicted in the following diagram:

-Many of these engines are built into the client and provide advanced protection against most threats in real time.

-These next-generation protection engines provide [industry-best](/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) detection and blocking capabilities and ensure that protection is:

-## Hybrid detection and protection

-Microsoft Defender Antivirus does hybrid detection and protection. What this means is, detection and protection occur on the client device first, and works with the cloud for newly developing threats, which results in faster, more effective detection and protection.

-When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.

-|On the client|In the cloud|

-|||

-|**Machine learning (ML) engine** <br/> A set of light-weight machine learning models make a verdict within milliseconds. These models include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more.|**Metadata-based ML engine** <br/> Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened [monotonic models](https://www.microsoft.com/security/blog/2019/07/25/new-machine-learning-model-sifts-through-the-good-to-unearth-the-bad-in-evasive-malware/), analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution.|

-|**Behavior monitoring engine** <br/> The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules.|**Behavior-based ML engine** <br/> Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration.|

-|**Memory scanning engine** <br/> This engine scans the memory space used by a running process to expose malicious behavior that could be hiding through code obfuscation.|**Antimalware Scan Interface (AMSI)-paired ML engine** <br/> Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include both dynamic content calls and/or behavior instrumentation on the scripting engines.|

-|**AMSI integration engine** <br/> Deep in-app integration engine enables detection of fileless and in-memory attacks through [AMSI](/windows/desktop/AMSI/antimalware-scan-interface-portal), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side.|**File classification ML engine** <br/> Multi-class, deep neural network classifiers examine full file contents, provides an extra layer of defense against attacks that require more analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file.|

-|**Heuristics engine** <br/> Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.|**Detonation-based ML engine** <br/> Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.|

-|**Emulation engine** <br/> The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware.|**Reputation ML engine** <br/> Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Defender for Office 365 for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.|

-|**Network engine** <br/> Network activities are inspected to identify and stop malicious activities from threats.|**Smart rules engine** <br/> Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.|

-For more information, see [Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK&reg; Evaluations: Enterprise](https://www.microsoft.com/security/blog/2023/09/20/microsoft-365-defender-demonstrates-100-percent-protection-coverage-in-the-2023-mitre-engenuity-attck-evaluations-enterprise/).

-## How next-generation protection works with other Defender for Endpoint capabilities

-Together with [attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), which includes advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall, [next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) engines deliver Microsoft Defender for Endpoint's prebreach capabilities, stopping attacks before they can infiltrate devices and compromise networks.

-As part of Microsoft's defense-in-depth solution, the superior performance of these engines accrues to the [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint) unified endpoint protection, where antivirus detections and other next-generation protection capabilities enrich endpoint detection and response, automated investigation and remediation, advanced hunting, threat and vulnerability management, managed threat hunting service, and other capabilities.

-These protections are further amplified through [Microsoft Defender XDR](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-xdr), Microsoft's comprehensive, end-to-end security solution for the modern workplace. Through [signal-sharing and orchestration of remediation across Microsoft's security technologies](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783), Microsoft Defender XDR secures identities, endpoints, email and data, apps, and infrastructure.

-## Memory protection and memory scanning

-Microsoft Defender Antivirus (MDAV) provides memory protection with different engines:

-|Client|Cloud|

-|:|:|

-|Behavior Monitoring|Behavior-based Machine Learning|

-|Antimalware Scan Interface(AMSI) integration|AMSI-paired Machine Learning|

-|Emulation|Detonation-based Machine Learning|

-|Memory scanning|N/A|

-An additional layer to help prevent memory-based attacks is to use the Attack Surface Reduction (ASR) rule ΓÇô **Block Office applications from injecting code into other processes**. For more information see, [Block Office applications from injecting code into other processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes).

-## Frequently asked questions

-### How many malware threats does Microsoft Defender Antivirus block per month?

-[Five billion threats on devices every month](https://www.microsoft.com/en-us/security/blog/2019/05/14/executing-vision-microsoft-threat-protection/).

-### How does Microsoft Defender Antivirus memory protection help?

-See [Detecting reflective DLL loading with Windows Defender for Endpoint](https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/) to learn about one way Microsoft Defender Antivirus memory attack protection helps.

-### Do you all focus your detections/preventions in one specific geographic area?

-No, we are in all the geographical regions (Americas, EMEA, and APAC).

-### Do you all focus on specific industries?

-We focus on every industry.

-### Do your detection/protection require a human analyst?

-When you're pen-testing, you should demand where no human analysts are engaged on detect/protect, to see how the actual antivirus engine (prebreach) efficacy truly is, and a separate one where human analysts are engaged.You can add [Microsoft Defender Experts for XDR](/microsoft-365/security/defender/dex-xdr-overview) a managed extended detection and response service to augment your SOC.

-The ***continuous iterative enhancement*** each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent [top scores in industry tests](/microsoft-365/security/defender/top-scoring-industry-tests), but more importantly, translate to [threats and malware outbreaks](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) stopped and [more customers protected](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/).

-description: Turn on advanced features such as block file in Microsoft Defender for Endpoint.

-# Configure advanced features in Defender for Endpoint

-**Applies to:**

-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-advancedfeats-abovefoldlink)

-Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.

-## Enable advanced features

-1. Log in to [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.

-2. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.

-3. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.

-4. Select **Save preferences**.

-Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations.

-## Live response

-Turn on this feature so that users with the appropriate permissions can start a live response session on devices.

-For more information about role assignments, see [Create and manage roles](user-roles.md).

-## Live response for servers

-Turn on this feature so that users with the appropriate permissions can start a live response session on servers.

-For more information about role assignments, see [Create and manage roles](user-roles.md).

-## Live response unsigned script execution

-Enabling this feature allows you to run unsigned scripts in a live response session.

-## Restrict correlation to within scoped device groups

-This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross-device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization.

-> [!NOTE]

-> - Changing this setting impacts future alert correlations only.

->

-> - Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## Enable EDR in block mode

-Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.

-## Autoresolve remediated alerts

-For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto resolved, you'll need to manually turn off the feature.

-> [!TIP]

-> For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://security.microsoft.com//preferences2/integration) page.

-> [!NOTE]

->

-> - The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.

-> - If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.

-## Allow or block file

-Blocking is only available if your organization fulfills these requirements:

-This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on devices in your organization.

-To turn **Allow or block** files on:

-1. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Advanced features** \> **Allow or block file**.

-1. Toggle the setting between **On** and **Off**.

-

- :::image type="content" source="../../media/alloworblockfile.png" alt-text="The Endpoints screen" lightbox="../../media/alloworblockfile.png":::

-1. Select **Save preferences** at the bottom of the page.

-After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.

-## Hide potential duplicate device records

-By enabling this feature, you can ensure that you're seeing the most accurate information about your devices by hiding potential duplicate device records. There are different reasons duplicate device records might occur, for example, the device discovery capability in Microsoft Defender for Endpoint might scan your network and discover a device that's already onboarded or has recently been offboarded.

-This feature will identify potential duplicate devices based on their hostname and last seen time. The duplicate devices will be hidden from multiple experiences in the portal, such as, the Device Inventory, Microsoft Defender Vulnerability Management pages, and Public APIs for machine data, leaving the most accurate device record visible. However, the duplicates will still be visible in global search, advanced hunting, alerts, and incidents pages.

-This setting is turned on by default and is applied tenant wide. If you don't want to hide potential duplicate device records, you'll need to manually turn off the feature.

-## Custom network indicators

-Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they'll be allowed or blocked based on your custom indicator list.

-To use this feature, devices must be running Windows 10 version 1709 or later, or Windows 11. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).

-For more information, see [Manage indicators](manage-indicators.md).

-> [!NOTE]

-> Network protection leverages reputation services that process requests in locations that might be outside of the location you've selected for your Defender for Endpoint data.

-## Tamper protection

-During some kinds of cyber attacks, bad actors try to disable security features, such as antivirus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods.

-For more information, including how to configure tamper protection, see [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md).

-## Show user details

-Turn on this feature so that you can see user details stored in Microsoft Entra ID. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:

-For more information, see [Investigate a user account](investigate-user.md).

-## Skype for Business integration

-Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This activation can be handy when you need to communicate with the user and mitigate risks.

-> [!NOTE]

-> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.

-## Office 365 Threat Intelligence connection

-> [!IMPORTANT]

-> This setting was used when Microsoft Defender for Office 365 and Microsoft Defender for Endpoint were in different portals previously. After the convergence of security experiences into a unified portal that is now called Microsoft Defender XDR, these settings are irrelevant and don't have any functionality associated with them. You can safely ignore the status of the control until it is removed from the portal.

-This feature is only available if you have an active subscription for Office 365 E5 or the Threat Intelligence add-on. For more information, see the [Office 365 E5 product page](https://www.microsoft.com/microsoft-365/enterprise/office-365-e5?activetab=pivot:overviewtab).

-This feature enables you to incorporate data from Microsoft Defender for Office 365 into Microsoft Defender XDR to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.

-> [!NOTE]

-> You'll need to have the appropriate license to enable this feature.

-To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](/microsoft-365/security/office-365-security/office-365-ti).

-## Endpoint Attack Notifications

-[Endpoint Attack Notifications](/microsoft-365/security/defender-endpoint/endpoint-attack-notifications) enable Microsoft to actively hunt for critical threats to be prioritized based on urgency and impact over your endpoint data.

-For proactive hunting across the full scope of Microsoft Defender XDR, including threats that span email, collaboration, identity, cloud applications, and endpoints, [learn more](https://aka.ms/DefenderExpertsForHuntingGetStarted) about Microsoft Defender Experts.

-## Microsoft Defender for Cloud Apps

-Enabling this setting forwards Defender for Endpoint signals to Microsoft Defender for Cloud Apps to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Defender for Cloud Apps data.

-> [!NOTE]

-> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), later Windows 10 versions, or Windows 11.

-### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal

-To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal.

-1. Sign in to the [Microsoft Defender for Identity portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.

-2. Select **Create your instance**.

-3. Toggle the Integration setting to **On** and select **Save**.

-After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.

-## Web content filtering

-Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a [web content filtering policy](https://security.microsoft.com/preferences2/web_content_filtering_policy). Ensure you've network protection in block mode when deploying the [Microsoft Defender for Endpoint security baseline](https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineSummaryMenu/overview/templateType/2).

-## Share endpoint alerts with Microsoft Purview compliance portal

-Forwards endpoint security alerts and their triage status to Microsoft Purview compliance portal, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.

-After configuring the [Security policy violation indicators](/microsoft-365/compliance/insider-risk-management-settings#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.

-## Authenticated telemetry

-You can **Turn on** Authenticated telemetry to prevent spoofing telemetry into your dashboard.

-## Microsoft Intune connection

-Defender for Endpoint can be integrated with [Microsoft Intune](/intune/what-is-intune) to [enable device risk-based conditional access](/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.

-> [!IMPORTANT]

-> You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md).

-This feature is only available if you've the following prerequisites:

-### Conditional Access policy

-When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It shouldn't be deleted.

-> [!NOTE]

-> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.

-## Device discovery

-Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. For more information, see [Device discovery](device-discovery.md).

-> [!NOTE]

-> You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.

-## Preview features

-Learn about new features in the Defender for Endpoint preview release. Try upcoming features by turning on the preview experience.

-You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.

-## Download quarantined files

-Backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. The **Download file** button will always be available in the file page. This setting is turned on by default. [Learn more about requirements](respond-file-alerts.md#download-quarantined-files)

-## Streamlined connectivity during device onboarding (Preview)

-This setting will set the default onboarding package to 'streamlined' for applicable operating systems.

-You will still have the option to use the standard onboarding package within the onboarding page but you will need to specifically select it in the drop-down.

-## Related topics

-description: View and manage the alerts surfaced in Microsoft Defender XDR

-keywords:

-# Alerts queue in Microsoft Defender XDR

-**Applies to:**

-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.

-## In this section

-Topic|Description

-:|:

-[View and organize the Alerts queue](alerts-queue.md)|Shows a list of alerts that were flagged in your network.

-[Manage alerts](manage-alerts.md)|Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.

-[Investigate alerts](investigate-alerts.md)|Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.

-[Investigate files](investigate-files.md)|Investigate the details of a file associated with a specific alert, behavior, or event.

-[Investigate devices](investigate-machines.md)|Investigate the details of a device associated with a specific alert, behavior, or event.

-[Investigate an IP address](investigate-ip.md)|Examine possible communication between devices in your network and external internet protocol (IP) addresses.

-[Investigate a domain](investigate-domain.md)|Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain.

-[Investigate a user account](investigate-user.md)|Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.

-description: Learn about how the Microsoft Defender for Endpoint alerts queues work, and how to sort and filter lists of alerts.

-# View and organize the Microsoft Defender for Endpoint Alerts queue

-**Applies to:**

-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-alertsq-abovefoldlink)

-The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 7 days in a grouped view. The most recent alerts are shown at the top of the list helping you see the most recent alerts first.

-> [!NOTE]

-> The alerts are significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).

-There are several options you can choose from to customize the alerts view.

-On the top navigation you can:

-## Sort and filter alerts

-You can apply the following filters to limit the list of alerts and get a more focused view of the alerts.

-### Severity

-Alert severity|Description

-|

-High <br> (Red)|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.

-Medium <br> (Orange)|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). These behaviors include observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.

-Low <br> (Yellow)|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.

-Informational <br> (Grey)|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.

-#### Understanding alert severity

-Microsoft Defender Antivirus and Defender for Endpoint alert severities are different because they represent different scopes.

-The Microsoft Defender Antivirus threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected.

-The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization.

-So, for example:

-### Status

-You can choose to filter the list of alerts based on their Status.

-> [!NOTE]

-> If you see an *Unsupported alert type* alert status, it means that automated investigation capabilities cannot pick up that alert to run an automated investigation. However, you can [investigate these alerts manually](../defender/investigate-incidents.md#alerts).

-### Categories

-We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.

-### Service sources

-You can filter the alerts based on the following Service sources:

-Microsoft Endpoint Notification customers can now filter and see detections from the service by filtering by _Microsoft Defender Experts_ nested under the _Microsoft Defender for Endpoint_ service source.

-> [!NOTE]

-> The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.

-### Tags

-You can filter the alerts based on Tags assigned to alerts.

-### Policy

-You can filter the alerts based on the following policies:

-|Detection source|API value|

-|||

-|Third-party sensors|ThirdPartySensors|

-|Antivirus|WindowsDefenderAv|

-|Automated investigation|AutomatedInvestigation|

-|Custom detection|CustomDetection|

-|Custom TI|CustomerTI|

-|EDR|WindowsDefenderAtp|

-|Microsoft Defender XDR|MTP|

-|Microsoft Defender for Office 365|OfficeATP|

-|Microsoft Defender Experts|ThreatExperts|

-|SmartScreen|WindowsDefenderSmartScreen|

-### Entities

-You can filter the alerts based on Entity name or ID.

-### Automated investigation state

-You can choose to filter the alerts based on their Automated investigation state.

-## Related topics

-description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats.

-ai-usage:

-# Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus

-__Applies to:__

-__Platforms:__

-Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security.

-## What is Fileless malware?

-Fileless malware plays a critical role in modern cyberattacks, using stealthy techniques to avoid detection. Several major ransomware outbreaks used fileless methods as part of their kill chains.

-Fileless malware uses existing tools that are already present on a compromised device, such as PowerShell.exe or wmic.exe. Malware can infiltrate a process, executing code within its memory space, and invoking these built-in tools. Attackers significantly reduce their footprint and evade traditional detection mechanisms.

-Because memory is volatile, and fileless malware doesn't place files on disk, establishing persistence by using fileless malware can be tricky. One example of how fileless malware achieved persistence was to create a registry run key that launches a ΓÇ£one-linerΓÇ¥ PowerShell cmdlet. This command launched an obfuscated PowerShell script that was stored in the registry BLOB. The obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry. The script stored in the registry ensured the malware persisted.

-Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:

-> [!NOTE]

-> Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell.

-Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:

-## Why AMSI?

-AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats.

-### Supported Scripting Languages

-If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.

-AMSI doesn't currently support Python or Perl.

-### Enabling AMSI

-To enable AMSI, you need to enable Script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)

-Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender)

-### AMSI resources

-[Anti-malware Scan Interface (AMSI) APIs](/windows/win32/amsi/antimalware-scan-interface-portal) are available for developers and antivirus vendors to implement.

-Other Microsoft products such as [Exchange](https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371) and [Sharepoint](https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/cyberattack-protection-by-default-and-other-enhancements-to/ba-p/3925641) also use AMSI

-integration.

-## More resources to protect against fileless attacks

-description: Provide feedback on the Microsoft Defender for Endpoint client analyzer tool

-# Provide feedback on the Microsoft Defender for Endpoint client analyzer tool

-**Applies to:**

-If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, use either of these options to submit feedback:

-1. Microsoft Defender portal (security.microsoft.com):

-2. Microsoft Defender portal (security.microsoft.com):

-description: Learn how to analyze the Microsoft Defender for Endpoint Client Analyzer HTML report

-# Understand the client analyzer HTML report

-**Applies to:**

-The client analyzer produces a report in HTML format. Learn how to review the report to identify potential sensor issues so that you can troubleshoot them.

-Use the following example to understand the report.

- Example output from the analyzer on a machine onboarded to expired Org ID and failing to reach one of the required Microsoft Defender for Endpoint URLs:

- :::image type="content" source="media/85f56004dc6bd1679c3d2c063e36cb80.png" alt-text="The Check Results Summary page" lightbox="media/85f56004dc6bd1679c3d2c063e36cb80.png":::

- warning, or informational events detected by the analyzer.

- the results and the guidance based on the observations made by the analyzer.

-## Open a support ticket to Microsoft and include the Analyzer results

-To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the **Attachments** section and include the

-`MDEClientAnalyzerResult.zip` file:

-> [!NOTE]

-> If the file size is larger than 25 MB, the support engineer assigned to your case will provide a dedicated secure workspace to upload large files for analysis.

-description: Describes how to configure Microsoft Defender for Endpoint risk signals using App Protection policies

-# Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)

-**Applies to:**

-Microsoft Defender for Endpoint on Android, which already protects enterprise users on Mobile Device Management (MDM) scenarios, now extends support to Mobile App Management (MAM), for devices that aren't enrolled using Intune mobile device management (MDM). It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for mobile application management (MAM). This capability allows you to manage and protect your organization's data within an application.

-Microsoft Defender for Endpoint on Android threat information is applied by Intune App Protection Policies to protect these apps. App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A managed application has app protection policies applied to it and can be managed by Intune.

-Microsoft Defender for Endpoint on Android supports both the configurations of MAM.

-To manage apps in both these configurations customers should use Intune in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).

-To enable this capability an administrator needs to configure the connection between Microsoft Defender for Endpoint and Intune, create the app protection policy, and apply the policy on targeted devices and applications.

-End users also need to take steps to install Microsoft Defender for Endpoint on their device and activate the onboarding flow.

-## Admin prerequisites

- a. Go to security.microsoft.com.

- b. Select **Settings > Endpoints > Advanced Features > Microsoft Intune Connection** is turned on.

- c. If the connection isn't turned on, select the toggle to turn it on and then select **Save Preferences**.

- :::image type="content" source="media/enable-intune-connection.png" alt-text="The Advanced features section in the Microsoft Defender portal." lightbox="media/enable-intune-connection.png":::

- d. Go to the **Microsoft Intune admin center** and Validate whether Microsoft Defender for Endpoint-Intune connector is enabled.

- :::image type="content" source="media/validate-intune-connector.png" alt-text="The intune-connector status pane in the Microsoft Defender portal." lightbox="media/validate-intune-connector.png":::

- Configure the connector on Microsoft Intune for App protection policies:

- a. Go to **Tenant Administration > Connectors and Tokens > Microsoft Defender for Endpoint**.

- b. Turn on the toggle for the app protection policy for Android (as seen in the following screenshot).

- c. Select **Save**.

- :::image type="content" source="media/app-settings.png" alt-text="The application settings pane in the Microsoft Defender portal." lightbox="media/app-settings.png":::

- Block access or wipe data of a managed app based on Microsoft Defender for Endpoint risk signals by creating an app protection policy.

- Microsoft Defender for Endpoint can be configured to send threat signals to be used in app protection policies (APP, also known as MAM). With this capability, you can use Microsoft Defender for Endpoint to protect managed apps.

- 1. Create a policy.

- App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.

- :::image type="content" source="media/create-policy.png" alt-text="The Create policy tab in the App protection policies page in the Microsoft Defender portal." lightbox="media/create-policy.png":::

- 2. Add apps.

- a. Choose how you want to apply this policy to apps on different devices. Then add at least one app.

- Use this option to specify whether this policy applies to unmanaged devices. In Android, you can specify the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state.

- Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management. Companies can use app protection policies with or without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by app protection policies while the personal device is protected by app protection policies only.

- b. Select Apps.

- A managed app is an app that has app protection policies applied to it, and can be managed by Intune. Any app that has been integrated with the [Intune SDK](/mem/intune/developer/app-sdk) or wrapped by the [Intune App Wrapping Tool](/mem/intune/developer/apps-prepare-mobile-application-management) can be managed using Intune app protection Policies. See the official list of [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps) that have been built using these tools and are available for public use.

- *Example: Outlook as a managed app*

- :::image type="content" source="media/managed-app.png" alt-text="The Public apps pane in the Microsoft Defender portal." lightbox="media/managed-app.png":::

- 3. Set sign-in security requirements for your protection policy.

- Select **Setting > Max allowed device threat level** in **Device Conditions** and enter a value. Then select **Action: "Block Access"**. Microsoft Defender for Endpoint on Android shares this Device Threat Level.

- :::image type="content" source="media/conditional-launch.png" alt-text="The Device conditions pane in the Microsoft Defender portal" lightbox="media/conditional-launch.png":::

- Select **Included groups**. Then add the relevant groups.

- :::image type="content" source="media/assignment.png" alt-text="The Included groups pane in the Microsoft Defender portal." lightbox="media/assignment.png":::

->[!NOTE]

->If a config policy is to be targeted at unenrolled devices (MAM), the recommendation is to deploy the general app configuration settings in Managed Apps instead of using Managed Devices.

->When deploying app configuration policies to devices, issues can occur when multiple policies have different values for the same configuration key and are targeted for the same app and user. These issues are due to the lack of a conflict resolution mechanism for resolving the differing values. You can prevent these issues by ensuring that only a single app configuration policy for devices is defined and targeted for the same app and user.

-## End-user prerequisites

- - Intune Company Portal

-### End-user onboarding

-1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state.

-2. Select **Continue**. A screen is presented which recommends downloading and setting up of Microsoft Defender for Endpoint on Android app.

-3. Select **Download**. You'll be redirected to the app store (Google play).

-4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen.

- :::image type="content" source="medie.png":::

-5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You'll automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.

-6. Select **Continue** to log into the managed application.

-## Configure Web protection

-Defender for Endpoint on Android allows IT Administrators to configure web protection. Web protection is available within the [Microsoft Intune admin center](https://endpoint.microsoft.com).

-Web protection helps to secure devices against web threats and protect users from phishing attacks. Note that anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.

-1. In the Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed apps**.

-2. Give the policy a **name**.

-3. Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.

-4. In the **Settings** page, under the **General Configuration Settings**, add the following keys and set their value as required.

- - **antiphishing**

- - **vpn**

- To disable web protection, enter 0 for the antiphishing and VPN values.

- To disable only the use of VPN by web protection, enter these values:

- - 0 for vpn

- - 1 for antiphishing

- Add **DefenderMAMConfigs** key and set the value as 1.

-5. Assign this policy to users. By default, this value is set to false.

-6. Review and create the policy.

-## Configure Network Protection

-1. In Microsoft Intune admin center, navigate to **Apps** \> **App configuration policies**. Create a new App configuration policy. Click Managed Apps.

-2. Provide a name and description to uniquely identify the policy. Target the policy to **'Selected apps'** and search for **'Microsoft Defender Endpoint for Android'**. Click the entry and then click **Select** and then **Next**.

-1. Add the key and value from the following table. Ensure that the **"DefenderMAMConfigs"** key is present in every policy that you create using Managed Apps route. For Managed Devices route, this key shouldn't exist. When you're done, click **Next**.

- | Key | Value Type | Default (true-enable, false-disable) | Description |

- | | | | |

- | `DefenderNetworkProtectionEnable` | Integer | 0 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable the network protection capabilities in the defender app.|

- |`DefenderAllowlistedCACertificates`| String | None | None-Disable; This setting is used by IT admins to establish trust for root CA and self-signed certificates.|

- |`DefenderCertificateDetection`|Integer| 0 |2-Enable, 1 - Audit mode, 0 - Disable; When this feature is enabled with value as 2, end user notifications are sent to the user when Defender detects a bad certificate. Alerts are also sent to SOC Admins. In audit mode (1), notification alerts are sent to SOC admins, but no end user notifications are displayed to the user when Defender detects a bad certificate. Admins can disable this detection with 0 as the value and enable full feature functionality by setting 2 as the value. |

- | `DefenderOpenNetworkDetection` | Integer | 0 |2-Enable, 1 - Audit mode, 0 - Disable; This setting is used by IT Admins to enable or disable open network detection. By default, the open network detection is disabled with value as 0 and defender does not send end user notifications or alerts to SOC admins in security portal. If switched to audit mode with value 1, notification alert is sent to SOC admin, but no end user notification is displayed to the user when defender detects an open network. If it's enabled with value 2, then end user notification is displayed and also alerts to SOC admins is sent.|

- | `DefenderEndUserTrustFlowEnable` | Integer | 0 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks. |

- | `DefenderNetworkProtectionAutoRemediation` | Integer | 1 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer Wi-Fi access points or deleting suspicious certificates detected by Defender. |

- | `DefenderNetworkProtectionPrivacy` | Integer | 1 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable privacy in network protection. If privacy is disabled with value 0, then user consent is shown to share the malicious wifi or certs data. If its in enabled state with value 1, then no user consent is shown and no app data is collected.|

-

-4. Include or exclude the groups you want the policy to apply to. Proceed to review and submit the policy.

-> [!NOTE]

-> Users need to enable location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are WiFi-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect the users from rogue certificates.

-## Configure privacy controls

-Admins can use the following steps to enable privacy and not collect the domain name, app details and network information as part of the alert report for corresponding threats.

-1. In Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed apps**.

-1. Give the policy a **name**.

-1. Under the Select Public Apps, choose **Microsoft Defender for Endpoint** as the target app.

-4. On the Settings page, under General Configuration Settings, add **DefenderExcludeURLInReport** and **DefenderExcludeAppInReport** as the keys and value as 1.

-1. Add **DefenderMAMConfigs** key and set the value as 1.

-5. Assign this policy to users. By default, this value is set to 0.

-1. In Settings page, under the General Configuration Settings add **DefenderExcludeURLInReport**, **DefenderExcludeAppInReport** as the keys and value as true.

-1. Add **DefenderMAMConfigs** key and set the value as 1.

-1. Assign this policy to users. By default, this value is set to false.

-1. Review and create the policy.

-## Optional permissions

-Microsoft Defender for Endpoint on Android enables Optional Permissions in the onboarding flow. Currently the permissions required by MDE are mandatory in the onboarding flow. With this feature, admin can deploy MDE on Android devices with MAM policies without enforcing the mandatory VPN and Accessibility Permissions during onboarding. End Users can onboard the app without the mandatory permissions and can later review these permissions.

-### Configure optional permission

-Use the following steps to enable Optional permissions for devices.

-1. In Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed apps**.

-1. Give the policy a **name**.

-1. Select **Microsoft Defender for Endpoint** in public apps.

-4. On the Settings page, select **Use configuration designer** and **DefenderOptionalVPN** or **DefenderOptionalAccessibility** or **both** as the key.

-1. Add **DefenderMAMConfigs** key and set the value as 1.

-5. To enable Optional permissions, enter the value as **1** and assign this policy to users. By default, this value is set to 0.

-For users with key set as 1, they will be able to onboard the app without giving these permissions.

-1. In Settings page, select **Use configuration designer** and **DefenderOptionalVPN** or **DefenderOptionalAccessibility** or **both** as the key and value type as Boolean.

-1. Add **DefenderMAMConfigs** key and set the value as 1.

-1. To enable Optional permissions, enter value as **true** and assign this policy to users. By default, this value is set to false.

-For users with key set as true, the users are able to onboard the app without giving these permissions.

-1. Select **Next** and assign this profile to targeted devices/users.

-### User flow

-Users can install and open the app to start the onboarding process.

-1. If an admin has setup Optional permissions, then users can choose to skip the VPN or accessibility permission or both and complete onboarding.

-2. Even if the user has skipped these permissions, the device is able to onboard, and a heartbeat will be sent.

-3. Since permissions are disabled, Web protection won't be active. It will be partially active if one of the permissions is given.

-4. Later, users can enable Web protection from within the app. This will install the VPN configuration on the device.

-> [!NOTE]

-> The Optional permissions setting is different from the Disable Web protection setting. Optional permissions only help to skip the permissions during onboarding but it's available for the end user to later review and enable while Disable Web protection allows users to onboard the Microsoft Defender for Endpoint app without the Web Protection. It cannot be enabled later.

-## Disable sign out

-Defender for Endpoint allows you to deploy the app and disabling the sign out button. By hiding the sign out button, users are prevented from signing out of the Defender app. This action helps prevent tampering with the device when Defender for Endpoint isn't running.

-Use the following steps to configure the Disable sign out:

-1. In the Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed apps**.

-2. Provide the policy a **name**.

-3. Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.

-4. In the **Settings** page, under the **General Configuration Settings**, add **DisableSignOut** as the key and set the value as 1.

- - By default, Disable Sign Out = 0.

- - Admin needs to make Disable Sign Out = 1 to disable the sign-out button in the app. Users will not see the sign out button once the policy is pushed to the device.

-5. Select **Next** and assign this profile to targeted devices and users.

-> [!IMPORTANT]

-> This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-## Device Tagging

-Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

-Use the following steps to configure the Device tags:

-1. In the Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed apps**.

-2. Provide the policy a **name**.

-3. Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.

-4. In Settings page, select Use configuration designer and add **DefenderDeviceTag** as the key and value type as **String**.

- - Admin can assign a new tag by adding the key **DefenderDeviceTag** and setting a value for device tag.

- - Admin can edit an existing tag by modifying the value of the key **DefenderDeviceTag**.

- - Admin can delete an existing tag by removing the key **DefenderDeviceTag**.

-5. Click Next and assign this policy to targeted devices and users.

-> [!NOTE]

-> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal.

-## Related topics

-description: Describes how to configure Microsoft Defender for Endpoint on Android

-# Configure Defender for Endpoint on Android features

-**Applies to:**

-## Conditional Access with Defender for Endpoint on Android

-Microsoft Defender for Endpoint on Android, along with Microsoft Intune and Microsoft Entra ID, enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy through Intune.

-For more information about how to set up Defender for Endpoint on Android and Conditional Access, see [Defender for Endpoint and Intune](/mem/intune/protect/advanced-threat-protection).

-## Configure custom indicators

-> [!NOTE]

-> Defender for Endpoint on Android only supports creating custom indicators for IP addresses and URLs/domains.

-Defender for Endpoint on Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).

-## Configure web protection

-Defender for Endpoint on Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Intune admin center.

-[Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.

-> [!NOTE]

-> Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature. This VPN is not a regular VPN. Instead, it's a local/self-looping VPN that does not take traffic outside the device.

->

-> For more information, see [Configure web protection on devices that run Android](/mem/intune/protect/advanced-threat-protection-manage-android).

-## Network Protection

-This feature provides protection against rogue Wi-Fi related threats and rogue certificates, which are the primary attack vector for Wi-Fi networks. Admins can list the root Certificate Authority (CA) and private root CA certificates in Microsoft Intune admin center and establish trust with endpoints. It provides the user a guided experience to connect to secure networks and also notifies them if a related threat is detected.

-It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center and add trusted certificates. Admins can enable [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to configure the data sent to Defender for Endpoint from Android devices.

-Network protection in Microsoft Defender for endpoint is disabled by default. Admins can use the following steps to **configure Network protection in Android devices.**

-1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies. Create a new App configuration policy.

- > [!div class="mx-imgBorder"]

- > 

-1. Provide a name and description to uniquely identify the policy. Select **'Android Enterprise'** as the platform and **'Personally-owned work profile only'** as the profile type and **'Microsoft Defender'** as the Targeted app.

- > [!div class="mx-imgBorder"]

- > 

-1. In Settings page, select **'Use configuration designer'** and add **'Enable Network Protection in Microsoft Defender'** as the key and value as **'1'** to enable Network Protection. (Network protection is disabled by default)

- > [!div class="mx-imgBorder"]

- > 

- > [!div class="mx-imgBorder"]

- > 

-1. If your organization uses root CAs that are private, you must establish explicit trust between Intune (MDM solution) and user devices. Establishing trust helps prevent Defender from flagging root CAs as rogue certificates.

- To establish trust for the root CAs, use **'Trusted CA certificate list for Network Protection'** as the key. In the value, add the **'comma separated list of certificate thumbprints (SHA 1)'**.

- **Example of Thumbprint format to add**: `50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31, 503006091d97d4f5ae39f7cbe7927d7d652d3431`

- > [!IMPORTANT]

- > Certificate SHA-1 Thumbprint characters should be with either white space separated, or non separated.

- >

- > This format is invalid: `50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31`

- Any other separation characters are invalid.

- > 

-1. For other configurations related to Network protection, add the following keys and appropriate corresponding value.

- | Configuration Key| Description|

- |||

- |Trusted CA certificate list for Network Protection|Security admins manage this setting to establish trust for root CA and self-signed certificates.|

- |Enable Network protection in Microsoft Defender|1 - Enable, 0- Disable (default). This setting is used by the IT admin to enable or disable the network protection capabilities in the Defender app.|

- |Enable Network Protection Privacy|1 - Enable (default), 0 - Disable. Security admins manage this setting to enable or disable privacy in network protection.|

- |Enable Users to Trust Networks and Certificates|1 - Enable, 0 - Disable (default). Security admins manage this setting to enable or disable the end user's in-app experience to trust and untrust unsecure and suspicious networks and malicious certificates.|

- |Automatic Remediation of Network Protection Alerts|1 - Enable (default), 0 - Disable. Security admins manage this setting to enable or disable the remediation alerts that are sent when a user performs remediation activities, such as switching to a safer Wi-Fi access point or deleting suspicious certificates detected by Defender.|

- |Manage Network Protection detection for Open Networks|0 - Disable (default), 1 - Audit Mode, 2 - Enable. Security admins manage this setting to disable, audit, or enable open network detection, respectively. In 'Audit' mode, alerts are sent only to the ATP portal with no end user experience. For user experience, set the config to 'Enable' mode.|

- |Manage Network protection Detection for Certificates|0 - Disable, 1 - Audit mode (default), 2 - Enable. When network protection is enabled, Audit mode for certificate detection is enabled by default. In Audit mode, notification alerts are sent to SOC admins, but no end-user notifications are displayed to the user when Defender detects a bad certificate. Admins can, however, disable this detection with 0 as the value and enable full feature functionality by setting 2 as the value. When the feature is enabled with the value of 2, end-user notifications are sent to the user when Defender detects a bad certificate, and alerts are also sent to the SOC Admin.|

-6. Add the required groups to which the policy will have to be applied. Review and create the policy.

- | Configuration Key| Description|

- |||

- |Enable Network protection in Microsoft Defender|1: Enable <br/> 0: Disable (default) <br/><br/> This setting is used by the IT admin to enable or disable the network protection capabilities in the Defender app.|

- |Enable Network Protection Privacy|1: Enable (default) <br/> 0: Disable <br/><br/> Security admins manage this setting to enable or disable privacy in network protection.|

- |Enable Users to Trust Networks and Certificates|1 <br/> Enable <br/> 0:Disable (default) <br/><br/> This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks and malicious certificates.|

- |Automatic Remediation of Network Protection Alerts|1: Enable (default) <br/> 0: Disable <br/><br/> This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user does remediation activities. For example, the user switches to a safer Wi-Fi access point or deletes suspicious certificates that were detected by Defender.|

- |Manage Network Protection detection for Open Networks|0: Disable (default) <br/> 1: Audit Mode <br/><br/> Security admins manage this setting to enable or disable open network detection.|

- |Manage Network protection Detection for Certificates|0: Disable <br/> 1: Audit mode (default) <br/> 2: Enable <br/><br/> When network protection is enabled, Audit mode for certificate detection is enabled by default. In audit mode, notification alerts are sent to SOC admins, but no end user notifications are shown when Defender detects a bad certificate. Admins can disable this detection with the value 0 or enable full feature functionality by setting the value 2. When the value is 2, end user notifications are sent to users and alerts are sent to SOC admins when Defender detects a bad certificate.|

-1. Add the required groups to which the policy has to be applied. Review and create the policy.

-> [!NOTE]

-> Users need to enable location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are WIFI-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect the users from rogue certificates.

-## Privacy Controls

-Following privacy controls are available for configuring the data that is sent by Defender for Endpoint from Android devices:

-|Threat Report |Details |

-|--|-|

-|Malware report |Admins can set up privacy control for malware report. If privacy is enabled, then Defender for Endpoint won't send the malware app name and other app details as part of the malware alert report. |

-|Phish report |Admins can set up privacy control for phishing reports. If privacy is enabled, then Defender for Endpoint won't send the domain name and details of the unsafe website as part of the phishing alert report. |

-|Vulnerability assessment of apps |By default only information about apps installed in the work profile is sent for vulnerability assessment. Admins can disable privacy to include personal apps|

-|Network Protection (preview)| Admins can enable or disable privacy in network protection. If enabled, then Defender won't send network details.|

-### Configure privacy alert report

-Admins can now enable privacy control for the phishing report, malware report, and network report sent by Microsoft Defender for Endpoint on Android. This configuration ensures that the domain name, app details, and network details, respectively, aren't sent as part of the alert whenever a corresponding threat is detected.

-Admin Privacy Controls (MDM) Use the following steps to enable privacy.

-1. In Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed devices**.

-2. Give the policy a **name, Platform > Android enterprise, select the profile type**.

-3. Select **Microsoft Defender for Endpoint** as the target app.

-4. On the Settings page, select **Use configuration designer** and then select **Add**.

-5. Select the required privacy setting -

- - Hide URLs in report

- - Hide URLs in report for personal profile

- - Hide app details in report

- - Hide app details in report for personal profile

- - Enable Network Protection Privacy

-6. To enable privacy, enter integer value as 1 and assign this policy to users. By default, this value is set to 0 for MDE in work profile and 1 for MDE on personal profile.

-7. Review and assign this profile to targeted devices/users.

-### End user privacy controls

-These controls help the end user to configure the information shared to their organization.

-1. For **Android Enterprise work profile**, end user controls won't be visible. Admins control these settings.

-2. For **Android Enterprise personal profile**, the control is displayed under **Settings> Privacy**.

-3. Users see a toggle for Unsafe Site Info, malicious application, and network protection.

-These toggles will only be visible if enabled by the admin. Users can decide if they want to send the information to their organization or not.

-Enabling/disabling the above privacy controls won't impact the device compliance check or conditional access.

-## Configure vulnerability assessment of apps for BYOD devices

-From version 1.0.3425.0303 of Microsoft Defender for Endpoint on Android, you're able to run vulnerability assessments of the OS and apps installed on the onboarded mobile devices.

-> [!NOTE]

-> Vulnerability assessment is part of [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md) in Microsoft Defender for Endpoint.

-**Notes about privacy related to apps from personal devices (BYOD):**

-### Configure privacy for device administrator mode

-Use the following steps to **enable vulnerability assessment of apps** from devices in **device administrator** mode for targeted users.

-> [!NOTE]

-> By default, this is turned off for devices enrolled with device admin mode.

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Devices** > **Configuration profiles** > **Create profile** and enter the following settings:

- - **Platform**: Select Android device administrator

- - **Profile**: Select "Custom" and select Create.

-2. In the **Basics** section, specify a name and description of the profile.

-3. In the **Configuration settings**, select Add **OMA-URI** setting:

- - **Name**: Enter a unique name and description for this OMA-URI setting so you can find it easily later.

- - OMA-URI: **./Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode**

- - Data type: Select Integer in the drop-down list.

- - Value: Enter 0 to disable privacy setting (By default, the value is 1)

-4. Select **Next** and assign this profile to targeted devices/users.

-### Configure privacy for Android Enterprise work profile

-Defender for Endpoint supports vulnerability assessment of apps in the work profile. However, in case you want to turn off this feature for targeted users, you can use the following steps:

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \\> **Add** > **Managed devices**.

-2. Give the policy a name; **Platform \> Android Enterprise**; select the profile type.

-3. Select **Microsoft Defender for Endpoint** as the target app.

-4. In Settings page, select **Use configuration designer** and add **DefenderTVMPrivacyMode** as the key and value type as **Integer**

- - To disable vulnerability of apps in the work profile, enter value as `1` and assign this policy to users. By default, this value is set to `0`.

- - For users with key set as `0`, Defender for Endpoint sends the list of apps from the work profile to the backend service for vulnerability assessment.

-5. Select **Next** and assign this profile to targeted devices/users.

-Turning the above privacy controls on or off won't impact the device compliance check or conditional access.

-## Configure privacy for phishing alert report

-Privacy control for phish report can be used to disable the collection of domain name or website information in the phish threat report. This setting gives organizations the flexibility to choose whether they want to collect the domain name when a malicious or phish website is detected and blocked by Defender for Endpoint.

-### Configure privacy for phishing alert report on Android Device Administrator enrolled devices:

-Use the following steps to turn it on for targeted users:

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Devices** > **Configuration profiles** > **Create profile** and enter the following settings:

- - **Platform**: Select Android device administrator.

- - **Profile**: Select "Custom" and select **Create**.

-2. In the **Basics** section, specify a name and description of the profile.

-3. In the **Configuration settings**, select Add **OMA-URI** setting:

- - **Name**: Enter a unique name and description for this OMA-URI setting so you can find it easily later.

- - OMA-URI: **./Vendor/MSFT/DefenderATP/DefenderExcludeURLInReport**

- - Data type: Select Integer in the drop-down list.

- - Value: Enter 1 to enable privacy setting. The default value is 0.

-4. Select **Next** and assign this profile to targeted devices/users.

-Using this privacy control won't impact the device compliance check or conditional access.

-### Configure privacy for phishing alert report on Android Enterprise work profile

-Use the following steps to turn on privacy for targeted users in the work profile:

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.

-2. Give the policy a name, **Platform > Android Enterprise**, select the profile type.

-3. Select **Microsoft Defender for Endpoint** as the target app.

-4. In Settings page, select **Use configuration designer** and add **DefenderExcludeURLInReport** as the key and value type as **Integer**.

- - Enter **1 to enable privacy**. The default value is 0.

-5. Select **Next** and assign this profile to targeted devices/users.

-Turning the above privacy controls on or off won't impact the device compliance check or conditional access.

-## Configure privacy for malware threat report

-Privacy control for malware threat report can be used to disable the collection of app details (name and package information) from the malware threat report. This setting gives organizations the flexibility to choose whether they want to collect the app name when a malicious app is detected.

-### Configure privacy for malware alert report on Android Device Administrator enrolled devices:

-Use the following steps to turn it on for targeted users:

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Devices** > **Configuration profiles** > **Create profile** and enter the following settings:

- - **Platform**: Select Android device administrator.

- - **Profile**: Select "Custom" and select **Create**.

-2. In the **Basics** section, specify a name and description of the profile.

-3. In the **Configuration settings**, select Add **OMA-URI** setting:

- - **Name**: Enter a unique name and description for this OMA-URI setting so you can find it easily later.

- - OMA-URI: **./Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport**

- - Data type: Select Integer in the drop-down list.

- - Value: Enter 1 to enable privacy setting. The default value is 0.

-4. Select **Next** and assign this profile to targeted devices/users.

-Using this privacy control won't impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".

-### Configure privacy for malware alert report on Android Enterprise work profile

-Use the following steps to turn on privacy for targeted users in the work profile:

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.

-2. Give the policy a name, **Platform > Android Enterprise**, select the profile type.

-3. Select **Microsoft Defender for Endpoint** as the target app.

-4. In Settings page, select **Use configuration designer** and add **DefenderExcludeAppInReport** as the key and value type as **Integer**

- - Enter **1 to enable privacy**. The default value is 0.

-5. Select **Next** and assign this profile to targeted devices/users.

-Using this privacy control won't impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".

-## Disable sign-out

-Defender for Endpoint supports deployment without the sign-out button in the app to prevent users from signing out of the Defender app. This is important to prevent users from tampering with the device.

-Use the following steps to configure Disable sign-out:

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.

-2. Give the policy a name, select **Platform > Android Enterprise**, and select the profile type.

-3. Select **Microsoft Defender for Endpoint** as the target app.

-4. In the Settings page, select **Use configuration designer** and add **Disable Sign Out** as the key and **Integer** as the value type.

- - By default, Disable Sign Out = 1 for Android Enterprise personally owned work profiles, fully managed, company owned personally enabled profiles and 0 for device administrator mode.

- - Admins need to make Disable Sign Out = 0 to enable the sign-out button in the app. Users will be able to see the sign-out button once the policy is pushed.

-5. Select **Next** and assign this profile to targeted devices and users.

-> [!IMPORTANT]

-> This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-## Device Tagging

-Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

-Use the following steps to configure the Device tags:

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.

-2. Give the policy a name, select **Platform > Android Enterprise**, and select the profile type.

-3. Select **Microsoft Defender for Endpoint** as the target app.

-4. In Settings page, select Use configuration designer and add **DefenderDeviceTag** as the key and value type as **String**.

- - Admin can assign a new tag by adding the key **DefenderDeviceTag** and setting a value for device tag.

- - Admin can edit an existing tag by modifying the value of the key **DefenderDeviceTag**.

- - Admin can delete an existing tag by removing the key **DefenderDeviceTag**.

-5. Click Next and assign this policy to targeted devices and users.

-> [!NOTE]

-> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal.

-## Related articles

-description: Describes how to deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

-# Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-Learn how to deploy Defender for Endpoint on Android on Microsoft Intune Company Portal enrolled devices. For more information about Microsoft Intune device enrollment, see [Enroll your device](/mem/intune/user-help/enroll-device-android-company-portal).

-> [!NOTE]

-> **Defender for Endpoint on Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**

->

-> You can connect to Google Play from Microsoft Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise enrollment modes.

->

-> Updates to the app are automatic via Google Play.

-## Deploy on Device Administrator enrolled devices

-Learn how to deploy Defender for Endpoint on Android with Microsoft Intune Company Portal - Device Administrator enrolled devices.

-### Add as Android store app

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>

-**Android Apps** \> **Add** \> **Android store app** and choose **Select**.

- :::image type="content" source="media-addandroidstoreapp.png":::

-2. On the **Add app** page and in the *App Information* section enter:

- - **Name**

- - **Description**

- - **Publisher** as Microsoft.

- - **App store URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL)

- Other fields are optional. Select **Next**.

- :::image type="content" source="media-addappinfo.png":::

-3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint on Android app. Choose **Select** and then **Next**.

- > [!NOTE]

- > The selected user group should consist of Intune enrolled users.

- >

- > :::image type="content" source="media/363bf30f7d69a94db578e8af0ddd044b.png" alt-text="The Add group pane in the Add App page in the Microsoft Intune admin center portal" lightbox="media/363bf30f7d69a94db578e8af0ddd044b.png":::

-4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.

- In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page.

- :::image type="content" source="media/86cbe56f88bb6e93e9c63303397fc24f.png" alt-text="The application status pane in the Microsoft Intune admin center portal" lightbox="media/86cbe56f88bb6e93e9c63303397fc24f.png":::

-5. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.

- :::image type="content" source="media/513cf5d59eaaef5d2b5bc122715b5844.png" alt-text="The Device install status page in the Microsoft Defender 365 portal" lightbox="media/513cf5d59eaaef5d2b5bc122715b5844.png":::

-### Complete onboarding and check status

-1. Once Defender for Endpoint on Android has been installed on the device, you'll see the app icon.

- :::image type="content" source="media/7cf9311ad676ec5142002a4d0c2323ca.jpg" alt-text="The Microsoft Defender ATP icon listed in the Search pane" lightbox="media/7cf9311ad676ec5142002a4d0c2323ca.jpg":::

-2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen instructions to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint on Android.

-3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft Defender portal.

- :::image type="content" source="media/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="A device in the Microsoft Defender for Endpoint portal" lightbox="media/9fe378a1dce0f143005c3aa53d8c4f51.png":::

-## Deploy on Android Enterprise enrolled devices

-Defender for Endpoint on Android supports Android Enterprise enrolled devices.

-For more information on the enrollment options supported by Microsoft Intune, see [Enrollment Options](/mem/intune/enrollment/android-enroll).

-**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**

-## Add Microsoft Defender for Endpoint on Android as a Managed Google Play app

-Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play.

-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> **Android Apps** \> **Add** and select **Managed Google Play app**.

- :::image type="content" source="media/579ff59f31f599414cedf63051628b2e.png" alt-text="The application-adding pane in the Microsoft Intune admin center portal" lightbox="media/579ff59f31f599414cedf63051628b2e.png":::

-2. On your managed Google Play page that loads subsequently, go to the search box and enter `Microsoft Defender`. Your search should display the Microsoft Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.

- :::image type="content" source="media/0f79cb37900b57c3e2bb0effad1c19cb.png" alt-text="The Managed Google Play page in the Microsoft Intune admin center portal" lightbox="media/0f79cb37900b57c3e2bb0effad1c19cb.png":::

-3. In the App description page that comes up next, you should be able to see app details on Defender for Endpoint. Review the information on the page and then select **Approve**.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="media/07e6d4119f265037e3b80a20a73b856f.png" alt-text="The page of Managed Google Play in the Microsoft Intune admin center portal" lightbox="media/07e6d4119f265037e3b80a20a73b856f.png":::

-4. You'll be presented with the permissions that Defender for Endpoint obtains for it to work. Review them and then select **Approve**.

- :::image type="content" source="media/206b3d954f06cc58b3466fb7a0bd9f74.png" alt-text="The permissions approval page in the Microsoft Defender 365 portal" lightbox="media/206b3d954f06cc58b3466fb7a0bd9f74.png":::

-5. You'll be presented with the Approval settings page. The page confirms your preference to handle new app permissions that Defender for Endpoint on Android might ask. Review the choices and select your preferred option. Select **Done**.

- By default, managed Google Play selects **Keep approved when app requests new permissions**.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="media/ffecfdda1c4df14148f1526c22cc0236.png" alt-text=" The approval settings configuration completion page in the in the Microsoft Defender 365 portal" lightbox="media/ffecfdda1c4df14148f1526c22cc0236.png":::

-6. After the permissions handling selection is made, select **Sync** to sync Microsoft Defender for Endpoint to your apps list.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="media/34e6b9a0dae125d085c84593140180ed.png" alt-text="The Sync pane in the Microsoft Defender 365 portal" lightbox="media/34e6b9a0dae125d085c84593140180ed.png":::

-7. The sync will complete in a few minutes.

- :::image type="content" source="media/9fc07ffc150171f169dc6e57fe6f1c74.png" alt-text="The application sync status pane in the Android apps page in the Microsoft Defender 365 portal" lightbox="media/9fc07ffc150171f169dc6e57fe6f1c74.png":::

-8. Select the **Refresh** button in the Android apps screen and Microsoft Defender for Endpoint should be visible in the apps list.

- :::image type="content" source="media/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="media/fa4ac18a6333335db3775630b8e6b353.png":::

-9. Defender for Endpoint supports App configuration policies for managed devices via Microsoft Intune. This capability can be leveraged to select different configurations for Defender.

- 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.

- :::image type="content" source="media/android-mem.png" alt-text="The App configuration policies pane in the Microsoft Intune admin center portal" lightbox="media/android-mem.png":::

- 1. In the **Create app configuration policy** page, enter the following details:

- - Name: Microsoft Defender for Endpoint.

- - Choose **Android Enterprise** as platform.

- - Choose **Personally-owned Work Profile only** or **Fully Managed, Dedicated, and Corporate-owned work profile only** as Profile Type.

- - Click **Select App**, choose **Microsoft Defender**, select **OK** and then **Next**.

- :::image type="content" source="media/android-create-app.png" alt-text=" Screenshot of the Associated app details pane." lightbox="media/android-create-app.png":::

- 1. Select **Permissions** \> **Add**. From the list, select the available app permissions \> **OK**.

- 1. Select an option for each permission to grant with this policy:

- - **Prompt** - Prompts the user to accept or deny.

- - **Auto grant** - Automatically approves without notifying the user.

- - **Auto deny** - Automatically denies without notifying the user.

- 1. Go to the **Configuration settings** section and choose **'Use configuration designer'** in Configuration settings format.

- :::image type="content" alt-text="Image of android create app configuration policy." source="media/configurationformat.png" lightbox="media/configurationformat.png":::

- 1. Click on **Add** to view a list of supported configurations. Select the required configuration and click on **Ok**.

- :::image type="content" alt-text="Image of selecting configuration policies for android." source="media/selectconfigurations.png" lightbox="media/selectconfigurations.png":::

- 1. You should see all the selected configurations listed. You can change the configuration value as required and then select **Next**.

- :::image type="content" alt-text="Image of selected configuration policies." source="media/listedconfigurations.png" lightbox="media/listedconfigurations.png":::

- 1. In the **Assignments** page, select the user group to which this app config policy would be assigned. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.

- :::image type="content" source="media/android-select-group.png" alt-text="The Selected groups pane" lightbox="media/android-select-group.png":::

- 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.

- The app configuration policy for Defender for Endpoint is now assigned to the selected user group.

-10. Select **Microsoft Defender** app in the list \> **Properties** \>

-**Assignments** \> **Edit**.

- :::image type="content" source="media-properties.png":::

-11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group,** selecting the user group and click **Select**.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="media/ea06643280075f16265a596fb9a96042.png" alt-text="The Edit application page" lightbox="media/ea06643280075f16265a596fb9a96042.png":::

-12. In the **Edit Application** page, review all the information that was entered above. Then select **Review + Save** and then **Save** again to commence assignment.

-### Auto Setup of Always-on VPN

-Defender for Endpoint supports Device configuration policies for managed devices via Microsoft Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.

-1. On **Devices**, select **Configuration Profiles** \> **Create Profile** \> **Platform** \> **Android Enterprise**

- Select **Device restrictions** under one of the following, based on your device enrollment type:

- - **Fully Managed, Dedicated, and Corporate-Owned Work Profile**

- - **Personally owned Work Profile**

- Select **Create**.

- :::image type="content" source="media/1autosetupofvpn.png" alt-text="The Configuration profiles menu item in the Policy pane" lightbox="media/1autosetupofvpn.png":::

-2. **Configuration Settings**

- Provide a **Name** and a **Description** to uniquely identify the configuration profile.

- :::image type="content" source="media/2autosetupofvpn.png" alt-text="The devices configuration profile Name and Description fields in the Basics pane" lightbox="media/2autosetupofvpn.png":::

-3. Select **Connectivity** and configure VPN:

- - Enable **Always-on VPN**

- Set up a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device.

- - Select **Custom** in VPN client dropdown list

- Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature.

- > [!NOTE]

- > Microsoft Defender for Endpoint app must be installed on user's device, in order to functioning of auto setup of this VPN.

- - Enter **Package ID** of the Microsoft Defender for Endpoint app in Google Play store. For the Defender app URL <https://play.google.com/store/apps/details?id=com.microsoft.scmx>, Package ID is **com.microsoft.scmx**

- - **Lockdown mode** Not configured (Default)

- :::image type="content" source="media/3autosetupofvpn.png" alt-text="The Connectivity pane under the Configuration settings tab" lightbox="media/3autosetupofvpn.png":::

-4. **Assignment**

- In the **Assignments** page, select the user group to which this app config policy would be assigned. Choose **Select groups** to include and selecting the applicable group and then select **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.

- :::image type="content" source="media/4autosetupofvpn.png" alt-text="Screenshot of the devices configuration profile Assignment pane in the Device restrictions." lightbox="media/4autosetupofvpn.png":::

-5. In the **Review + Create** page that comes up next, review all the information and then select **Create**.

-The device configuration profile is now assigned to the selected user group.

- :::image type="content" source="media/5autosetupofvpn.png" alt-text="A devices configuration profile 's provision for Review + create" lightbox="media/5autosetupofvpn.png":::

-## Check status and complete onboarding

-1. Confirm the installation status of Microsoft Defender for Endpoint on Android by clicking on the **Device Install Status**. Verify that the device is displayed here.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="media/900c0197aa59f9b7abd762ab2b32e80c.png" alt-text="The device installation status pane" lightbox="media/900c0197aa59f9b7abd762ab2b32e80c.png":::

-2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.

- :::image type="content" source="media/c2e647fc8fa31c4f2349c76f2497bc0e.png" alt-text="The application display pane" lightbox="media/c2e647fc8fa31c4f2349c76f2497bc0e.png":::

-3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful.

- :::image type="content" source="mediE-new.png":::

-4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the [Microsoft Defender portal](https://security.microsoft.com) by navigating to the **Device Inventory** page.

- :::image type="content" source="media/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="The Microsoft Defender for Endpoint portal" lightbox="media/9fe378a1dce0f143005c3aa53d8c4f51.png":::

-## Set up Microsoft Defender in Personal Profile on Android Enterprise in BYOD mode

-### Set up Microsoft Defender in Personal Profile

-Admins can go to the [Microsoft Endpoint Management admin center](https://endpoint.microsoft.com) to set up and configure Microsoft Defender support in personal profiles by following these steps:

-1. Go to **Apps> App configuration policies** and click on **Add**. Select **Managed Devices**.

- > [!div class="mx-imgBorder"]

- > 

-1. Enter **Name** and **Description** to uniquely identify the configuration policy. Select platform as **'Android Enterprise'**, Profile type as **'Personally-owned work profile only'** and Targeted app as **'Microsoft Defender'**.

- > [!div class="mx-imgBorder"]

- > 

-1. On the settings page, in **'Configuration settings format'**, select **'Use configuration designer'** and click on **Add**. From the list of configurations that are displayed, select **'Microsoft Defender in Personal profile'**.

- > [!div class="mx-imgBorder"]

- > 

-1. The selected configuration will be listed. Change the **configuration value to 1** to enable Microsoft Defender support personal profiles. A notification will appear informing the admin about the same. Click on **Next**.

- > [!div class="mx-imgBorder"]

- > 

-1. **Assign** the configuration policy to a group of users. **Review and create** the policy.

- > [!div class="mx-imgBorder"]

- > 

-Admins also can set up **privacy controls** from the Microsoft Intune admin center to control what data can be sent by the Defender mobile client to the security portal. For more information, see [configuring privacy controls](android-configure.md).

-Organizations can communicate to their users to protect Personal profile with Microsoft Defender on their enrolled BYOD devices.

-### To complete onboarding a device

-1. Install the Microsoft Defender application in a personal profile with a personal Google Play store account.

-2. Install the Company portal application on personal profile. No sign-in is required.

-3. When a user launches the application, they'll see the sign-in screen. **Login using corporate account only**.

-4. On a successful login, users will see the following screens:

- 1. **EULA screen**: Presented only if the user has not consented already in the Work profile.

- 2. **Notice screen**: Users need to provide consent on this screen to move forward with onboarding the application. This is required only during the first run of the app.

-5. Provide the required permissions to complete onboarding.

-> [!NOTE]

-> **Pre-requisite:**

->

-> 1. The Company portal needs to be enabled on personal profile.

-> 2. Microsoft Defender needs to be already installed and active in work profile.

-## Related topics

-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Android.

-# Microsoft Defender for Endpoint on Android - Privacy information

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-Defender for Endpoint on Android collects information from your configured Android devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for Android secure, up to date, performing as expected, and to support the service.

-For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md).

-Information is collected to help keep Defender for Endpoint for Android secure, up to date, performing as expected and to support the service.

-For more information on most common privacy questions about Microsoft Defender for Endpoint on Android and iOS mobile devices, see [Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-and-your-privacy-on-android-and-ios-mobile-devices-4109bc54-8ec5-4433-9c33-d359b75ac22a).

-## Required Data

-Required data consists of data that is necessary to make Defender for Endpoint for Android work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected:

-### App information

-Information about **malicious** Android application packages (APKs) on the device including

-For Android Enterprise Fully managed devices - Information about Android application packages (APKs) installed on the device including

-For Android Enterprise with a work profile - Information about Android application packages (APKs) installed on the Work profile of the device including

-*Your organization can also choose to configure Defender for Endpoint to send information about all apps installed on the device. By default, this information is not sent to your organization.*

-### Web page / Network information

-### Device and account information

- - Wi-Fi adapter MAC address

- - [Android ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID) (as generated by Android at the time of first boot of the device).

- - Randomly generated globally unique identifier (GUID).

- - Microsoft Entra Device ID and Azure User ID: Uniquely identifies the device, User respectively at Microsoft Entra ID.

- - Azure tenant ID: GUID that identifies your organization within Microsoft Entra ID.

- - Microsoft Defender for Endpoint org ID: Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.

- - User Principal Name: Email ID of the user

-### Product and service usage data

-The following information is collected only for Microsoft Defender for Endpoint app installed on the device.

-## Optional Data

-Optional data includes diagnostic data and feedback data. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. Optional diagnostic data includes:

-**Feedback Data** is collected through in-app feedback provided by the user

-description: Troubleshoot issues for Microsoft Defender for Endpoint on Android

-# Troubleshooting issues on Microsoft Defender for Endpoint on Android

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-When onboarding a device, you might see sign in issues after the app is installed.

-During onboarding, you might encounter sign in issues after the app is installed on your device.

-This article provides solutions to help address the sign-on issues.

-## Sign in failed - unexpected error

-**Sign in failed:** *Unexpected error, try later*

-**Message:**

-Unexpected error, try later

-**Cause:**

-You have an older version of "Microsoft Authenticator" app installed on your device.

-**Solution:**

-Install latest version and of [Microsoft Authenticator](https://play.google.com/store/apps/details?id=com.azure.authenticator)

-from Google Play Store and try again.

-## Sign in failed - invalid license

-**Sign in failed:** *Invalid license, contact administrator*

-**Message:** *Invalid license, contact administrator*

-**Cause:**

-You don't have Microsoft 365 license assigned, or your organization doesn't have a license for Microsoft 365 Enterprise subscription.

-**Solution:**

-Contact your administrator for help.

-## Report unsafe site

-Phishing websites impersonate trustworthy websites for obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.

-## Phishing pages aren't blocked on some OEM devices

-**Applies to:** Specific OEMs only

-Phishing and harmful web threats detected by Defender for Endpoint

-for Android aren't blocked on some Xiaomi devices. The following functionality doesn't work on these devices.

-**Cause:**

-Xiaomi devices include a new permission model. This permission model prevents Defender for Endpoint for Android from displaying pop-up windows while it runs in the background.

-Xiaomi devices permission: "Display pop-up windows while running in the background."

-**Solution:**

-Enable the required permission on Xiaomi devices.

-## Unable to allow permission for 'Permanent protection' during onboarding on some OEM devices

-**Applies to:** Specific OEM devices only.

-Defender App asks for Battery Optimization/Permanent Protection permission on devices as part of app onboarding, and selecting **Allow** returns an error that the permission couldn't be set. It only affects the last permission called "Permanent Protection."

-**Cause:**

-Xiaomi changed the battery optimization permissions in Android 11. Defender for Endpoint isn't allowed to configure this setting to ignore battery optimizations.

-**Solution:**

- 1. Install MDE app in personal profile. (Sign-in isn't required.)

- 2. Open the Company Portal and tap on Settings.

- 3. Go to the Battery Optimization section, tap on the **Turn Off** button, and then select on **Allow** to turn off Battery Optimization for the Company Portal.

- 4. Again, go to the Battery Optimization section and tap on the **Turn On** button. The battery saver section opens.

- 5. Find the Defender app and tap on it.

- 6. Select **No Restriction**. Go back to the Defender app in work profile and tap on **Allow** button.

- 7. The application shouldn't be uninstalled from personal profile for this to work.

->[!NOTE]

->This is a temporary workaround. This can be used to unblock onboarding on Xiaomi devices. The Defender team is working on a permanent fix. As the MDE app is not onboarded in the personal profile, it will not have any visibility there.

-## Unable to use banking applications with MDE app

-**Applies to:** Banking apps like iMobile Pay (ICICI), PNB ONE.

-**Cause:** Android allows apps in the personal profile to check if there's a VPN active on the device, even outside of the personal profile. The banking app checks that and blocks it in VPN work profiles only. The banking app doesn't work with any other VPN product.

-**Solution:**

-Users need to disable MDE VPN from the Settings page. The following steps can be used:

-1. Go to Settings on the mobile device.

-2. Search for VPN or open 'Network and Internet' and select on VPN.

-3. Select on Microsoft Defender and select Disconnect.

-Users should enable VPN when they're no longer using the banking app to ensure that their devices are protected.

->[!NOTE]

-> This a temporary workaround. We are working on other alternatives to provide users more control over the VPN settings from within the app.

-## Send in-app feedback

-If a user faces an issue, which isn't already addressed in the above sections or is unable to resolve using the listed steps, the user can provide **in-app feedback** along with **diagnostic data**. Our team can then investigate the logs to provide the right solution. Users can follow these steps to do the same:

-1. Open the **MDE application** on your device and select on the **profile icon** in the top-left corner.

- :::image type="content" source="media/select-profile-icon-1.jpg" alt-text="The profile icon in the Microsoft Defender for Endpoint portal" lightbox="media/select-profile-icon-1.jpg":::

-2. Select "Help & feedback".

- :::image type="content" source="media/selecthelpandfeedback2.png" alt-text="The Help & feedback option that can be selected in the Microsoft Defender for Endpoint portal" lightbox="media/selecthelpandfeedback2.png":::

-3. Select "Send feedback to Microsoft".

- :::image type="content" alt-text="Select send feedback to Microsoft" source="media/send-feedback-to-microsoft-3.jpg":::

-4. Choose from the given options. To report an issue, select "I want to report an issue".

- :::image type="content" source="media/report-issue-4.jpg" alt-text="The I want to report an issue option" lightbox="media/report-issue-4.jpg":::

-5. Provide details of the issue that you're facing and check "Send diagnostic data". We recommend checking "Include your email address" so that the team can reach back to you with a solution or a follow-up.

- :::image type="content" source="media/finalsubmit5.png" alt-text="The pane on which you can add details and attach diagnostic data" lightbox="media/finalsubmit5.png":::

-6. Select on "Submit" to successfully send the feedback.

-description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Android.

-# What's new in Microsoft Defender for Endpoint on Android

-**Applies to:**

-Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-> [!IMPORTANT]

-> ## Network Protection ΓÇô Update

-> Network protection feature will soon be enabled by default for all users. The update will be rolled out in a phased manner. As a result, users will be able to see Network Protection Card in the Defender app along with App Protection and Web Protection. Users are also required to provide Location permission to complete the set up. For more information, see [Network Protection](/microsoft-365/security/defender-endpoint/android-configure#network-protection).

-## Device Tagging

-Mobile Device Tagging is now generally available. This feature enables bulk tagging the mobile devices by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

-This configuration is available for both the enrolled (MDM) devices and unenrolled (MAM) devices. For more information, see [Device Tagging (MDM)](/microsoft-365/security/defender-endpoint/android-configure#device-tagging) and [Device Tagging (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#device-tagging).

-## Microsoft Defender for Endpoint on Company-owned personally enabled devices

-MDE is now generally available on AE COPE devices. Enterprises can onboard devices on COPE mode and push MDE to user's devices through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). With this support, Android Enterprise COPE devices get the full capabilities of our offering on Android, including:

-Read the announcement [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-is-now-available-on-android/ba-p/3626100).

-## Privacy Controls

-Microsoft Defender for Endpoint on Android enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) and unenrolled (MAM) devices. Admins can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls(MDM)](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) and [privacy controls (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#configure-privacy-controls).

-## Optional Permissions and Disable Web Protection

-Microsoft Defender for Endpoint on Android enables **Optional Permissions** in the onboarding flow. Currently the permissions required by MDE are mandatory in the onboarding flow. With this feature, admin can deploy MDE on devices without enforcing the mandatory **VPN** and **Accessibility** permissions during onboarding. End Users can onboard the app without the mandatory permissions and can later review these permissions. This feature is currently present only for unenrolled devices (MAM). For more information, see [optional permissions](/microsoft-365/security/defender-endpoint/android-configure-mam#optional-permissions).

-## Microsoft Defender on Android enterprise BYOD personal profile

-Microsoft Defender for Endpoint is now supported on Android Enterprise personal profile (BYOD only) with all the key features including malware scanning, protection from phishing links, network protection and vulnerability management. This support is coupled with [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to ensure user privacy on personal profile. For more information, read the [announcement](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-the-public-preview-of-defender-for-endpoint-personal/ba-p/3370979) and the [deployment guide](/microsoft-365/security/defender-endpoint/android-intune#set-up-microsoft-defender-in-personal-profile-on-android-enterprise-in-byod-mode).

-## Network protection

-Network Protection on Microsoft Defender for Endpoint is now available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users also see a guided experience to connect to secure networks and change networks when they're connected to an unsecure connection.

-It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that's sent by Defender for Endpoint from Android devices. For more information, see [network protection](/microsoft-365/security/defender-endpoint/android-configure).

-> [!NOTE]

-> Microsoft Defender is no longer supported for versions 1.0.3011.0302 or earlier. Users are requested to upgrade to latest versions to keep their devices secure.

-To update, users can use the following steps:

-> 1. On your work profile, go to Managed Play Store.

-> 2. Tap on the profile icon on the top right corner and select "Manage apps and device".

-> 3. Locate MDE under updates available and select update.

-> If you encounter any issues, [submit in-app feedback](/microsoft-365/security/defender-endpoint/android-support-signin#send-in-app-feedback).

-## Microsoft Defender for Endpoint is now Microsoft Defender in the Play store

-Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the play store. With this update, the app is available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you have access to features for Microsoft Defender for Endpoint or for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals).

-## Vulnerability Management

-On January 25, 2022, we announced the general availability of Vulnerability management on Android and iOS. For more information, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663).

-## Upcoming permission changes for Microsoft Defender for Endpoint running Android 11 or later (Nov 2021)

-Release Build: 1.0.3501.0301

-Release month: Nov 2021

-Microsoft Defender for Endpoint has released this update required by [Google](https://developer.android.com/distribute/play-policies#APILevel30) to upgrade to Android API 30. This change prompts users seeking access to [new storage permission](https://developer.android.com/training/data-storage/manage-all-files#all-files-access-google-play), for devices running Android 11 or later. Users need to accept this new storage permission once they update Defender app with the release build 1.0.3501.0301 or later. This update ensures that Defender for Endpoint's app security feature to function without any disruption. For more information, review the following sections.

-**How will this affect your organization:** These changes take effect if you're using Microsoft Defender for Endpoint on devices running Android 11 or later and updated Defender for Endpoint to release build 1.0.3501.0301 or later.

-> [!NOTE]

-> The new storage permissions cannot be configured by admin to 'Auto Approve' through Microsoft Intune. User will need to take action to provide access to this permission.

-> [!NOTE]

-> If your organization is previewing 'Tamper protection' feature and if the new storage permissions are not granted by the user within 7 days of updating to the latest version, the user might lose access to corporate resources.

-**What you need to do to prepare:**

-Notify your users and helpdesk (as applicable) that users will need to accept the new permissions when prompted after they have updated Defender for Endpoint to build 1.0.3501.0301 or later version. To accept the permissions, users should:

-1. Tap on the Defender for Endpoint in-app notification or open the Defender for Endpoint app. Users see a screen that lists the permissions needed. A green check mark is missing next to the Storage permission.

-2. Tap **Begin**.

-3. Tap the toggle for **Allow access to manage all files.**

-4. The device is now protected.

- > [!NOTE]

- > This permission allows Microsoft Defender for Endpoint to access storage on user's device, which helps detect and remove malicious and unwanted apps. Microsoft Defender for Endpoint accesses/scans Android app package file (.apk) only. On devices with a Work Profile, Defender for Endpoint only scans work-related files.

-description: Use Microsoft Defender for Endpoint Flow connector to create a flow that will be triggered anytime a new event occurs on your tenant.

-# How to use Power Automate Connector to set up a Flow for events

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-Automating security procedures is a standard requirement for every modern Security Operations Center (SOC). For SOC teams to operate in the most efficient way, automation is a must. Use Microsoft Power Automate to help you create automated workflows and build an end-to-end procedure automation within a few minutes. Microsoft Power Automate supports different connectors that were built exactly for that.

-Use this article to guide you in creating automations that are triggered by an event, such as when a new alert is created in your tenant. Microsoft Defender API has an official Power Automate Connector with many capabilities.

-> [!NOTE]

-> For more information about premium connectors licensing prerequisites, see [Licensing for premium connectors](/power-automate/triggers-introduction#licensing-for-premium-connectors).

-## Usage example

-The following example demonstrates how to create a Flow that is triggered anytime a new Alert occurs on your tenant. You'll be guided on defining what event starts the flow and what next action will be taken when that trigger occurs.

-1. Log in to [Microsoft Power Automate](https://make.powerautomate.com).

-2. Go to **My flows** \> **New** \> **Automated-from blank**.

- :::image type="content" source="media/api-flow-1.png" alt-text="The New flow pane under My flows menu item in the Microsoft Defender 365 portal" lightbox="media/api-flow-1.png":::

-3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.

- :::image type="content" source="media/api-flow-2.png" alt-text=" The Choose your flow's trigger section in the Microsoft Defender 365 portal" lightbox="media/api-flow-2.png" :::

-Now you have a Flow that is triggered every time a new Alert occurs.

-All you need to do now is choose your next steps.

-For example, you can isolate the device if the Severity of the Alert is High and send an email about it.

-The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.

-### Get the Alert entity using the connector

-1. Choose **Microsoft Defender ATP** for the new step.

-2. Choose **Alerts - Get single alert API**.

-3. Set the **Alert ID** from the last step as **Input**.

- :::image type="content" source="media/api-flow-4.png" alt-text="The Alerts pane" lightbox="media/api-flow-4.png":::

-### Isolate the device if the Alert's severity is High

-1. Add **Condition** as a new step.

-2. Check if the Alert severity **is equal to** High.

- If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.

- :::image type="content" source="media/api-flow-5.png" alt-text="The Actions pane" lightbox="media/api-flow-5.png":::

-3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are easy to use, such as Outlook or Gmail.

-4. Save your flow.

-You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!

-## Related topic

-description: Learn how to use the "Get-Agent-Details" api.

-keywords: apis, graph api, supported apis, agent details, definition

-# Get scan agent ID

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-> Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../../defender-vulnerability-management/get-defender-vulnerability-management.md).

-## API description

-Retrieves the details for a specified agent by its ID.

-## Limitations

-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.Read.All| Read all scan information.

-Delegated (work or school account)|Machine.Read.All|Read all scan information.

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](../user-roles.md) for more information)

-## HTTP request

-```http

-GET /api/DeviceAuthenticatedScanAgents

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful, this method returns 200 - OK response code with the details of the specified agent.

-## Example request

-Here's an example of the request.

-```http

-GET https://api.security.microsoft.com/api/DeviceAuthenticatedScanAgents/7f3d76a6976818553e996875dc91f55df6b26625

-```

-## Response example

-```json

-{

-"@odata.context": "https://api.security.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents/$entity",

- "value": [

- {

- "id": "47df41a0c-asad-4fd6d3-bbea-a93dbc0bfcaa_4edd75b2407a5b64d704b4e53d74f15",

- "machineId": "4ejh675b240118fbehiuiy5b64d704b4e53d15",

- "lastSeen": "2022-05-08T12:18:41.538203Z",

- "computerDnsName": "TEST_DOMAIN",

- "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",

- "ScannerSoftwareVersion": "7.1.1",

- "LastCommandExecutionTimestamp": "2022-05-08T12:18:41.538203Z",

- "mdeClientVersion": "10.8295.22621.1195"

- },

- ]

-}

-```

-description: Learn how to use the get scan history by definition api

-# Get scan history by definition

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-> Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../../defender-vulnerability-management/get-defender-vulnerability-management.md).

-## API description

-Retrieves a list of the scan history by definitions.

- - $top with max value of 4096. Returns the number of sessions specified in the request.

- - $skip with a default value of 0. Skips the number of sessions specified in the request.

-

-For an example of OData operation usage, see [example $top request](#example-top-request).

-## Limitations

-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).

-|Permission type|Permission|Permission display name|

-|:|:|:|

-|Application|Machine.Read.All| Read all scan information.|

-|Delegated (work or school account)|Machine.Read.All|Read all scan information.|

-> [!NOTE]

-> When obtaining a token using user credentials:

-> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](../user-roles.md) for more information)

->

-## HTTP request

-```http

-POST api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-Content-Type|string|application/json. **Required**.

-## Request body

-In the request body, supply a JSON object with the following parameters:

-Parameter|Type|Description

-:|:|:

-ScanDefinitionIds |String|The scan Id. **Required**.

-## Response

-If successful, this method returns 200 - OK response code with a list of the scan history by definition.

-## Example request

-Here's an example of the request.

-```http

-POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId

-```

-```json

-{

- "ScanDefinitionIds": ["4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae", "60c4aa57-c573-4488-8d18-230914792a92", "c6220f67-2cad-4ba3-a2fa-7ded6384da56"]

-}

-```

-## Response example

-```json

-{

-"@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId",

- "value": [

- {

- "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",

- "LastScanned": "2022-12-20T11:14:24.5561791Z",

- "ScanStatus": "Partial Success",

- "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"

- },

- {

- "ScanDefinitionIds": "60c4aa57-c573-4488-8d18-230914792a92",

- "LastScanned": "2022-11-17T15:13:24.5561791Z",

- "ScanStatus": "Partial Success",

- "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"

- },

- {

- "ScanDefinitionIds": "c6220f67-2cad-4ba3-a2fa-7ded6384da56",

- "LastScanned": "2022-11-10T18:15:24.5561791Z",

- "ScanStatus": "Partial Success",

- "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"

- },

- ]

-}

-```

-## Example $top request

-Here's an example of a request that returns only 1 session.

-```http

-POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId?$top=1

-```

-## $top Response example

-```json

-{

-"@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId",

- "value": [

- {

- "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",

- "LastScanned": "2022-12-20T11:14:24.5561791Z",

- "ScanStatus": "Partial Success",

- "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"

- },

- ]

-}

-```

-description: Learn how to use the get scan history by session api.

-# Get scan history by session

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../../defender-vulnerability-management/get-defender-vulnerability-management.md).

-## API description

-Retrieves a list of the scan history by session.

-## Limitations

-1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.Read.All| Read all scan information.

-Delegated (work or school account)|Machine.Read.All|Read all scan information.

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - To view data the user needs to have at least the following role permission: `ViewData` or `TvmViewData`. For more information, see [Create and manage roles](../user-roles.md).

-## HTTP request

-```http

-POST /api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|string|Bearer {token}. **Required**.

-Content-Type|string|application/json. **Required**.

-## Request body

-In the request body, supply a JSON object with the following parameters:

-Parameter|Type|Description

-:|:|:

-SessionIds |String|The session Id. **Required**.

-## Response

-If successful, this method returns 200 - OK response code with a list of the scan history for a session.

-## Example request

-Here's an example of the request.

-```http

-POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId

-```

-```json

-{

- "SessionIds": ["01decc497f4b4ec49a5fc4e12597f8c8"]

-}

-```

-## Response example

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId",

- "value": [

- {

- "orgId": "asdf781a0c-792d-46d3-bbea-a93dbc0bfcaa",

- "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",

- "SessionIds": "01decc497f4b4ec49a5fc4e12597f8c8",

- "NumberOfSuccessfullyScannedTargets": 3,

- "NumberOfTargets": 3,

- "ScanStatus": "Success",

- "LastScanned": "2022-12-19T15:14:24.5561791Z",

- "ListScannedTargets": {

- "Ip": "127.0.0.1",

- "Hostname": "DESKTOP-Test",

- "ScannedDeviceDescription": "Network device",

- "ErrorMessage": "",

- "ScanStatus": "Success",

- "ScanDuration": "00:08:30",

- },

- {

- "Ip": "127.0.0.2",

- "Hostname": "DESKTOP-Test2",

- "ScannedDeviceDescription": "Network device 2",

- "ErrorMessage": "",

- "ScanStatus": "Success",

- "ScanDuration": "00:08:00",

- },

-{

- "Ip": "127.0.0.3",

- "Hostname": "DESKTOP-Test3",

- "ScannedDeviceDescription": "Network device 3",

- "ErrorMessage": "",

- "ScanStatus": "Success",

- "ScanDuration": "00:08:50",

- },

- }

- ]

-}

-```

-description: Learn how to use the Add, update, or delete scan definitions.

-# Add, update, or delete a scan definition

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../../defender-vulnerability-management/get-defender-vulnerability-management.md).

-## API description

-API to add, update, or delete an authenticated scan.

-## Limitations

-Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

-You can post on machines last seen according to your configured retention period.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md).

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.ReadWrite.All| Read and write all scan information.

-Delegated (work or school account)|Machine.Read.Write|Read and write all scan information.

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - To view data the user needs to have at least the following role permission: `ViewData` or `TvmViewData` (See [Create and manage roles](../user-roles.md) for more information)

-> - To edit data the user needs to have at least the following role permission: `ManageSecurity` (See [Create and manage roles](../user-roles.md) for more information)

-## HTTP request

-```http

-POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-Content-Type|string|application/json. **Required**.

-## Request body

-In the request body, supply a JSON object with the following parameters:

-Parameter|Type|Description

-:|:|:

-scanType|Enum|The type of scan. Possible values are: "Windows", "Network". **Required**.

-scanName|String|Name of the scan. **Required**.

-isActive|Boolean|Status of whether the scan actively running. **Required**.

-target|String| A comma separated list of targets to scan, either IP addresses or hostnames. **Required**.

-intervalInHours|Int|The interval at which the scan runs. **Required**.

-targetType|String|The target type in the target field. Possible types are "IP Address" or "Hostname". Default value is IP Address. **Required**.

-scannerAgent|Object|machine Id. **Required**.

-scanAuthenticationParams|Object|An object representing the authentication parameters, see [Authentication parameters object properties](./get-authenticated-scan-properties.md#authentication-parameters-object-properties) for expected fields. This property is mandatory when creating a new scan and is optional when updating a scan.

-## Response

-If successful, this method returns 200 - Ok response code and the new or updated scan definition in the response body.

-## Example request to add a new scan

-Here's an example of a request that adds a new scan.

-```http

-POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions

-```

-```json

- {

-"scanType": "Windows",

-"scanName": "Test Windows scan",

-"isActive": true,

-"target": "127.0.0.1",

-"intervalInHours": 1,

-"targetType": "Ip",

-"scannerAgent": {

- "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",

-},

-"scanAuthenticationParams": {

- "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",

- "type": "Kerberos",

- "username": "username",

- "domain": "password",

- "isGmsaUser": true

- }

-}

-```

-## Example response

-Here's an example of the response.

-```json

- {

-"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanDefinitions/$entity",

- "id": "289224fb-1686-472c-9751-5555960854ca",

- "scanType": "Windows",

- "scanName": "Test Windows scan",

- "isActive": true,

- "target": "127.0.0.1",

- "orgId": "0335a792-18d2-424b-aeed-559567054570",

- "intervalInHours": 1,

- "createdBy": "username@test.com",

- "targetType": "Ip",

- "scanAuthenticationParams": null,

- "scannerAgent": {

- "id": "0335a792-18d2-424b-aeed-559567054570_ eb663a27ae9d032f61bc268a79eedf14c4b90f77",

- "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",

- "machineName": "DESKTOP-TEST",

- "lastSeen": "2023-01-04T09:40:03.2787058Z",

- "assignedApplicationId": "ae4a5cde-b4a1-4b76-8635-458b2cf15752",

- "scannerSoftwareVersion": "7.6.0.0",

- "lastCommandExecutionTimestamp": "2023-01-04T09:33:16Z",

- "mdeClientVersion": "10.8295.22621.1010"

- },

- "latestScan": {

- "status": null,

- "failureReason": null,

- "executionDateTime": null

- }

-}

-```

-## Example request to update a scan

-Here's an example of a request that updates a scan.

-```http

-PATCH https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/289224fb-1686-472c-9751-5555960854ca

-```

-```json

-{

-"scanName": "Test Update Windows scan",

-"isActive": false,

-"target": "127.0.0.2,127.0.0.3",

-"intervalInHours": 1,

-"targetType": "Ip",

-"scanAuthenticationParams": {

- "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",

- "type": "Kerberos",

- "username": "username",

- "domain": "password",

- "isGmsaUser": true

- }

- }

-```

-## Response example

-Here's an example of the response.

-```json

-{

- "@odata.context": "https://localhost:1059/api/$metadata#DeviceAuthenticatedScanDefinitions/$entity",

- "id": "289224fb-1686-472c-9751-5555960854ca",

- "scanType": "Windows",

- "scanName": "Test Update Windows scan",

- "isActive": false,

- "target": "127.0.0.2,127.0.0.3",

- "orgId": "0335a792-18d2-424b-aeed-559567054570",

- "intervalInHours": 1,

- "createdBy": "userName@microsoft.com",

- "targetType": "Ip",

- "scanAuthenticationParams": null,

- "scannerAgent": {

- "id": "0335a792-18d2-424b-aeed-559567054570_eb663a27ae9d032f61bc268a79eedf14c4b90f77",

- "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",

- "machineName": "DESKTOP-TEST",

- "lastSeen": "2023-01-04T09:40:03.2787058Z",

- "assignedApplicationId": "ae4a5cde-b4a1-4b76-8635-458b2cf15752",

- "scannerSoftwareVersion": "7.6.0.0",

- "lastCommandExecutionTimestamp": "2023-01-04T09:33:16Z",

- "mdeClientVersion": "10.8295.22621.1010"

- },

- "latestScan": {

- "status": null,

- "failureReason": null,

- "executionDateTime": null

- }

-}

-```

-## Example request to delete scans

-Here's an example of a request that deletes scans.

-```http

-POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete

-```

-```json

-{

- "ScanDefinitionIds": ["td32f17af-5cc2-4e4e-964a-4c4ef7d216e2", "ab32g20af-5dd2-4a5e-954a-4c4ef7d216e2"],

-}

-```

-description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender for Endpoint.

-# Add or remove a tag for a machine

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Adds or removes a tag for a specific [Machine](machine.md).

-## Limitations

-1. You can post on machines last seen according to your configured retention period.

-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md).

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.ReadWrite.All|'Read and write all machine information'

-Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](../user-roles.md) for more information).

-> - The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](../machine-groups.md) for more information).

-## HTTP request

-```http

-POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-Content-Type|string|application/json. **Required**.

-## Request body

-In the request body, supply a JSON object with the following parameters:

-Parameter|Type|Description

-:|:|:

-Value|String|The tag name. **Required**.

-Action|Enum|Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.

-## Response

-If successful, this method returns 200 - Ok response code and the updated Machine in the response body.

-## Example Request

-Here is an example of a request that adds a machine tag.

-```http

-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags

-```

-```json

-{

- "Value" : "test Tag 2",

- "Action": "Add"

-}

-```

-To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

-description: Learn how to use the Add or Remove machine tags API to add or remove a tag for multiple devices in Microsoft Defender for Endpoint.

-# Add or remove a tag for multiple machines

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Adds or removes a tag for the specified set of machines.

-## Limitations

-1. You can post on machines last seen according to your configured retention period.

-2. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

-3. We can add or remove a tag for up to 500 machines per API call.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md).

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.ReadWrite.All|'Read and write all machine information'

-Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'Manage security setting'. For more information, see [Create and manage roles](../user-roles.md).

-> - The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](../machine-groups.md) for more information).

-## HTTP request

-```http

-POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMultipleMachines

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-Content-Type|string|application/json. **Required**.

-## Request body

-In the request body, supply a JSON object with the following parameters:

-Parameter|Type|Description

-:|:|:

-Value|String|The tag name. **Required**.

-Action|Enum|Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.

-MachineIds|List (String)|List of machine IDs to update. Required.|

-## Response

-If successful, this method returns 200 - Ok response code and the updated machines in the response body.

-## Example Request

-Here's an example of a request that adds a tag to multiple machines.

-```http

-POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMultipleMachines

-```

-```json

-{

- "Value" : "Tag",

- "Action": "Add",

- "MachineIds": ["34e83ca3feea4dae2353006ba389262c033a025e",

- "2a398439b4975924e87a65943972bc702469b329",

- "a610c00c65fdf79960cc0077d9d8c569d23f09a5"]

-}

-```

-To remove machine tags, set the Action to 'Remove' instead of 'Add' in the request body.

-description: Learn about the methods and properties of the Alert resource type in Microsoft Defender for Endpoint.

-# Alert resource type

-**Applies to:**

-> [!NOTE]

-> For the full available Alerts API experience across all Microsoft Defenders' products, visit: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## Methods

-|Method|Return Type|Description|

-||||

-|[Get alert](get-alert-info-by-id.md)|[Alert](alerts.md)|Get a single [alert](alerts.md) object|

-|[List alerts](get-alerts.md)|[Alert](alerts.md) collection|List [alert](alerts.md) collection|

-|[Update alert](update-alert.md)|[Alert](alerts.md)|Update specific [alert](alerts.md)|

-|[Batch update alerts](batch-update-alerts.md)||Update a batch of [alerts](alerts.md)|

-|[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md)|

-|[List related domains](get-alert-related-domain-info.md)|Domain collection|List URLs associated with the alert|

-|[List related files](get-alert-related-files-info.md)|[File](files.md) collection|List the [file](files.md) entities that are associated with the [alert](alerts.md)|

-|[List related IPs](get-alert-related-ip-info.md)|IP collection|List IPs that are associated with the alert|

-|[Get related machines](get-alert-related-machine-info.md)|[Machine](machine.md)|The [machine](machine.md) that is associated with the [alert](alerts.md)|

-|[Get related users](get-alert-related-user-info.md)|[User](user.md)|The [user](user.md) that is associated with the [alert](alerts.md)|

-## Properties

-|Property|Type|Description|

-||||

-|ID|String|Alert ID.|

-|title|String|Alert title.|

-|description|String|Alert description.|

-|alertCreationTime|Nullable DateTimeOffset|The date and time (in UTC) the alert was created.|

-|lastEventTime|Nullable DateTimeOffset|The last occurrence of the event that triggered the alert on the same device.|

-|firstEventTime|Nullable DateTimeOffset|The first occurrence of the event that triggered the alert on that device.|

-|lastUpdateTime|Nullable DateTimeOffset|The date and time (in UTC) the alert was last updated.|

-|resolvedTime|Nullable DateTimeOffset|The date and time in which the status of the alert was changed to *Resolved*.|

-|incidentId|Nullable Long|The [Incident](../view-incidents-queue.md) ID of the Alert.|

-|investigationId|Nullable Long|The [Investigation](../automated-investigations.md) ID related to the Alert.|

-|investigationState|Nullable Enum|The current state of the [Investigation](../automated-investigations.md). Possible values are: *Unknown*, *Terminated*, *SuccessfullyRemediated*, *Benign*, *Failed*, *PartiallyRemediated*, *Running*, *PendingApproval*, *PendingResource*, *PartiallyInvestigated*, *TerminatedByUser*, *TerminatedBySystem*, *Queued*, *InnerFailure*, *PreexistingAlert*, *UnsupportedOs*, *UnsupportedAlertType*, *SuppressedAlert*.|

-|assignedTo|String|Owner of the alert.|

-|rbacGroupName|String|Role-based access control device group name.|

-|mitreTechniques|String|Mitre Enterprise technique ID.|

-|relatedUser|String|Details of user related to a specific alert.|

-|severity|Enum|Severity of the alert. Possible values are: *UnSpecified*, *Informational*, *Low*, *Medium*, and *High*.|

-|status|Enum|Specifies the current status of the alert. Possible values are: *Unknown*, *New*, *InProgress* and *Resolved*.|

-|classification|Nullable Enum|Specification of the alert. Possible values are: `TruePositive`, `Informational, expected activity`, and `FalsePositive`.|

-|determination|Nullable Enum|Specifies the determination of the alert. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public API accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public API accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public API accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other).|

-|category|String|Category of the alert.|

-|detectionSource|String|Detection source.|

-|threatFamilyName|String|Threat family.|

-|threatName|String|Threat name.|

-|machineId|String|ID of a [machine](machine.md) entity that is associated with the alert.|

-|computerDnsName|String|[machine](machine.md) fully qualified name.|

-|aadTenantId|String|The Microsoft Entra ID.|

-|detectorId|String|The ID of the detector that triggered the alert.|

-|comments|List of Alert comments|Alert Comment object contains: comment string, createdBy string, and createTime date time.|

-|Evidence|List of Alert evidence|Evidence related to the alert. See the following example.|

-> [!NOTE]

-> Around August 29, 2022, previously supported alert determination values (*Apt* and *SecurityPersonnel*) will be deprecated and no longer available via the API.

-### Response example for getting single alert:

-```http

-GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609

-```

-```json

-{

- "id": "da637472900382838869_1364969609",

- "incidentId": 1126093,

- "investigationId": null,

- "assignedTo": null,

- "severity": "Low",

- "status": "New",

- "classification": null,

- "determination": null,

- "investigationState": "Queued",

- "detectionSource": "WindowsDefenderAtp",

- "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",

- "category": "Execution",

- "threatFamilyName": null,

- "title": "Low-reputation arbitrary code executed by signed executable",

- "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",

- "alertCreationTime": "2021-01-26T20:33:57.7220239Z",

- "firstEventTime": "2021-01-26T20:31:32.9562661Z",

- "lastEventTime": "2021-01-26T20:31:33.0577322Z",

- "lastUpdateTime": "2021-01-26T20:33:59.2Z",

- "resolvedTime": null,

- "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",

- "computerDnsName": "temp123.middleeast.corp.microsoft.com",

- "rbacGroupName": "A",

- "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",

- "threatName": null,

- "mitreTechniques": [

- "T1064",

- "T1085",

- "T1220"

- ],

- "relatedUser": {

- "userName": "temp123",

- "domainName": "DOMAIN"

- },

- "comments": [

- {

- "comment": "test comment for docs",

- "createdBy": "secop123@contoso.com",

- "createdTime": "2021-01-26T01:00:37.8404534Z"

- }

- ],

- "evidence": [

- {

- "entityType": "User",

- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",

- "sha1": null,

- "sha256": null,

- "fileName": null,

- "filePath": null,

- "processId": null,

- "processCommandLine": null,

- "processCreationTime": null,

- "parentProcessId": null,

- "parentProcessCreationTime": null,

- "parentProcessFileName": null,

- "parentProcessFilePath": null,

- "ipAddress": null,

- "url": null,

- "registryKey": null,

- "registryHive": null,

- "registryValueType": null,

- "registryValue": null,

- "accountName": "name",

- "domainName": "DOMAIN",

- "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",

- "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",

- "userPrincipalName": "temp123@microsoft.com",

- "detectionStatus": null

- },

- {

- "entityType": "Process",

- "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",

- "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",

- "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",

- "fileName": "rundll32.exe",

- "filePath": "C:\\Windows\\SysWOW64",

- "processId": 3276,

- "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",

- "processCreationTime": "2021-01-26T20:31:32.9581596Z",

- "parentProcessId": 8420,

- "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",

- "parentProcessFileName": "rundll32.exe",

- "parentProcessFilePath": "C:\\Windows\\System32",

- "ipAddress": null,

- "url": null,

- "registryKey": null,

- "registryHive": null,

- "registryValueType": null,

- "registryValue": null,

- "accountName": null,

- "domainName": null,

- "userSid": null,

- "aadUserId": null,

- "userPrincipalName": null,

- "detectionStatus": "Detected"

- },

- {

- "entityType": "File",

- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",

- "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",

- "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",

- "fileName": "suspicious.dll",

- "filePath": "c:\\temp",

- "processId": null,

- "processCommandLine": null,

- "processCreationTime": null,

- "parentProcessId": null,

- "parentProcessCreationTime": null,

- "parentProcessFileName": null,

- "parentProcessFilePath": null,

- "ipAddress": null,

- "url": null,

- "registryKey": null,

- "registryHive": null,

- "registryValueType": null,

- "registryValue": null,

- "accountName": null,

- "domainName": null,

- "userSid": null,

- "aadUserId": null,

- "userPrincipalName": null,

- "detectionStatus": "Detected"

- }

- ]

-}

-```

-## Related articles

-[Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)

-description: Use the API Explorer to construct and do API queries, test, and send requests for any available API

-# API Explorer

-**Applies to:**

-The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively.

-The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.

-The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.

-You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.

-With the API Explorer, you can:

-## Access API Explorer

-From the left navigation menu, select **Partners & APIs** \> **[API Explorer](https://security.microsoft.com/interoperability/api-explorer)**.

-## Supported APIs

-API Explorer supports all the APIs offered by Defender for Endpoint.

-The list of supported APIs is available in the [APIs documentation](apis-intro.md).

-## Get started with the API Explorer

-1. In the left pane, there's a list of sample requests that you can use.

-2. Follow the links and click **Run query**.

-Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.

-## FAQ

-**Do I need to have an API token to use the API Explorer?** <br>

-Credentials to access an API aren't needed. The API Explorer uses the Defender for Endpoint management portal token whenever it makes a request.

-The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.

-Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.

-description: Create a practice 'Hello world'-style API call to the Microsoft Defender for Endpoint API.

-# Microsoft Defender for Endpoint API - Hello World

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## Get Alerts using a simple PowerShell script

-### How long it takes to go through this example?

-It only takes 5 minutes done in two steps:

-### Do I need a permission to connect?

-For the Application registration stage, you must have a **Global administrator** role in your Microsoft Entra tenant.

-<a name='step-1create-an-app-in-azure-active-directory'></a>

-### Step 1 - Create an App in Microsoft Entra ID

-1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.

-2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.

- :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The App registrations option under the Manage pane in the Microsoft Entra admin center" lightbox="../media/atp-azure-new-app2.png":::

-3. In the registration form, choose a name for your application and then click **Register**.

-4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission:

- - On your application page, click **API Permissions** \> **Add permission** \> **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.

- > [!NOTE]

- > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.

- :::image type="content" source="../media/add-permission.png" alt-text="The API permissions option under the Manage pane in the Microsoft Entra admin center" lightbox="../media/add-permission.png":::

- - Choose **Application permissions** \> **Alert.Read.All** > Click on **Add permissions**.

- :::image type="content" source="../media/application-permissions.png" alt-text="The permission type and settings panes in the Request API permissions page" lightbox="../media/application-permissions.png":::

- > [!IMPORTANT]

- > You need to select the relevant permissions. 'Read All Alerts' is only an example!

- For example:

- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission.

- - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission.

- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.

-5. Click **Grant consent**.

- > [!NOTE]

- > Every time you add permission, you must click on **Grant consent** for the new permission to take effect.

- :::image type="content" source="../media/grant-consent.png" alt-text="The grant permission consent option in the Microsoft Entra admin center" lightbox="../media/grant-consent.png":::

-6. Add a secret to the application.

- Click **Certificates & secrets**, add description to the secret and click **Add**.

- > [!IMPORTANT]

- > After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!

- :::image type="content" source="../media/webapp-create-key2.png" alt-text="The Certificates & secrets menu item in the Manage pane in the Microsoft Entra admin center" lightbox="../media/webapp-create-key2.png":::

-7. Write down your application ID and your tenant ID.

- On your application page, go to **Overview** and copy the following:

- :::image type="content" source="../media/app-and-tenant-ids.png" alt-text="The application details pane under the Overview menu item in the Microsoft Entra admin center" lightbox="../media/app-and-tenant-ids.png":::

-Done! You have successfully registered an application!

-### Step 2 - Get a token using the App and use this token to access the API.

- ```powershell

- # That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory

- # Paste below your Tenant ID, App ID and App Secret (App key).

- $tenantId = '' ### Paste your tenant ID here

- $appId = '' ### Paste your Application ID here

- $appSecret = '' ### Paste your Application secret here

- $resourceAppIdUri = 'https://api.securitycenter.microsoft.com'

- $oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"

- $authBody = [Ordered] @{

- resource = "$resourceAppIdUri"

- client_id = "$appId"

- client_secret = "$appSecret"

- grant_type = 'client_credentials'

- }

- $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop

- $token = $authResponse.access_token

- Out-File -FilePath "./Latest-token.txt" -InputObject $token

- return $token

- ```

- - Run the script.

- - In your browser go to: <https://jwt.ms/>.

- - Copy the token (the content of the Latest-token.txt file).

- - Paste in the top box.

- - Look for the "roles" section. Find the _Alert.Read.All_ role.

- :::image type="content" source="../media/api-jwt-ms.png" alt-text="The Decoded Token pane for jwt.ms" lightbox="../media/api-jwt-ms.png":::

-### Let's get the Alerts!

- ```powershell

- # Returns Alerts created in the past 48 hours.

- $token = ./Get-Token.ps1 #run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-Token.ps1

- # Get Alert from the last 48 hours. Make sure you have alerts in that time frame.

- $dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")

- # The URL contains the type of query and the time filter we create above

- # Read more about [other query options and filters](get-alerts.md).

- $url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime"

- # Set the WebRequest headers

- $headers = @{

- 'Content-Type' = 'application/json'

- Accept = 'application/json'

- Authorization = "Bearer $token"

- }

- # Send the webrequest and get the results.

- $response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop

- # Extract the alerts from the results.

- $alerts = ($response | ConvertFrom-Json).value | ConvertTo-Json

- # Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file

- $dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}

- # Save the result as json and as csv

- $outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"

- $outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"

- Out-File -FilePath $outputJsonPath -InputObject $alerts

- ($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation

- ```

-You're all done! You have just successfully:

-## Related topic

-description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender for Endpoint APIs.

-# Create custom reports using Power BI

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-In this section, you learn to create a Power BI report on top of Defender for Endpoint APIs.

-The first example demonstrates how to connect Power BI to Advanced Hunting API, and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.

-## Connect Power BI to Advanced Hunting API

-1. Open Microsoft Power BI.

-2. Select **Get Data** \> **Blank Query**.

- :::image type="content" source="../media/power-bi-create-blank-query.png" alt-text="The Blank Query option under the Get Data menu item" lightbox="../media/power-bi-create-blank-query.png":::

-3. Select **Advanced Editor**.

- :::image type="content" source="../media/power-bi-open-advanced-editor.png" alt-text="The Advanced Editor menu item" lightbox="../media/power-bi-open-advanced-editor.png":::

-4. Copy the below and paste it in the editor:

- ```

- let

- AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20",

-

- HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries",

-

- Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),

-

- TypeMap = #table(

- { "Type", "PowerBiType" },

- {

- { "Double", Double.Type },

- { "Int64", Int64.Type },

- { "Int32", Int32.Type },

- { "Int16", Int16.Type },

- { "UInt64", Number.Type },

- { "UInt32", Number.Type },

- { "UInt16", Number.Type },

- { "Byte", Byte.Type },

- { "Single", Single.Type },

- { "Decimal", Decimal.Type },

- { "TimeSpan", Duration.Type },

- { "DateTime", DateTimeZone.Type },

- { "String", Text.Type },

- { "Boolean", Logical.Type },

- { "SByte", Logical.Type },

- { "Guid", Text.Type }

- }),

-

- Schema = Table.FromRecords(Response[Schema]),

- TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),

- Results = Response[Results],

- Rows = Table.FromRecords(Results, Schema[Name]),

- Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))

-

- in Table

- ```

-5. Select **Done**.

-6. Select **Edit Credentials**.

- :::image type="content" source="../media/power-bi-edit-credentials.png" alt-text="The Edit Credentials menu item" lightbox="../media/power-bi-edit-credentials.png":::

-7. Select **Organizational account** \> **Sign in**.

- :::image type="content" source="../media/power-bi-set-credentials-organizational.png" alt-text="The Sign in option in the Organizational account menu item" lightbox="../media/power-bi-set-credentials-organizational.png":::

-8. Enter your credentials and wait to be signed in.

-9. Select **Connect**.

- :::image type="content" source="../media/power-bi-set-credentials-organizational-cont.png" alt-text="The sign-in confirmation message in the Organizational account menu item" lightbox="../media/power-bi-set-credentials-organizational-cont.png":::

-Now the results of your query appear as a table and you can start to build visualizations on top of it!

-You can duplicate this table, rename it, and edit the Advanced Hunting query inside to get any data you would like.

-## Connect Power BI to OData APIs

-The only difference from the previous example is the query inside the editor. Follow steps 1-3 above.

-At step 4, instead of the code in that example, copy the following code, and paste it in the editor to pull all **Machine Actions** from your organization:

-```

- let

- Query = "MachineActions",

- Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])

- in

- Source

-```

-You can do the same for **Alerts** and **Machines**.

-You also can use OData queries for queries filters. See [Using OData Queries](exposed-apis-odata-samples.md).

-## Power BI dashboard samples in GitHub

-For more information, see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI).

-## Sample reports

-View the Microsoft Defender for Endpoint Power BI report samples. For more information, see [Browse code samples](/samples/browse/?products=mdatp).

-## Related articles

-description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs.

-# Microsoft Defender for Endpoint API release notes

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made.

-## Release notes - newest to oldest (dd.mm.yyyy)

-### 08.08.2022

-### 06.10.2021

-### 25.05.2021

-### 03.05.2021

-### 10.02.2021

-### 25.01.2021

-### 21.01.2021

-### 03.01.2021

-### 15.12.2020

-### 04.11.2020

-### 01.09.2020

-description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities

-# Access the Microsoft Defender for Endpoint APIs

-**Applies to:**

-> [!IMPORTANT]

-> Advanced hunting capabilities are not included in Defender for Business.

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).

-Watch this video for a quick overview of Defender for Endpoint's APIs.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4d73M]

-In general, you'll need to take the following steps to use the APIs:

-You can access Defender for Endpoint API with **Application Context** or **User Context**.

- Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.

- Steps that need to be taken to access Defender for Endpoint API with application context:

- 1. Create a Microsoft Entra Web-Application.

- 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.

- 3. Create a key for this Application.

- 4. Get token using the application with its key.

- 5. Use the token to access the Microsoft Defender for Endpoint API

- For more information, see [Get access with application context](exposed-apis-create-app-webapp.md).

- Used to perform actions in the API on behalf of a user.

- Steps to take to access Defender for Endpoint API with user context:

- 1. Create Microsoft Entra Native-Application.

- 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.

- 3. Get token using the application with user credentials.

- 4. Use the token to access the Microsoft Defender for Endpoint API

- For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md).

->[!TIP]

->When more than one query request is required to retrieve all the results, Microsoft Graph returns an `@odata.nextLink` property in the response that contains a URL to the next page of results. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).

-## Related topics

-description: Learn how to use the Batch Delete Indicators API to delete indicator entities by ID in Microsoft Defender for Endpoint.

-# Batch Delete Indicators

-**Applies to:**

-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Deletes [Indicator](ti-indicator.md) entities by ID.

-## Limitations

-Rate limitations for this API are 30 calls per minute and 1,500 calls per hour.

-Batch size limit of up to 500 [Indicator](ti-indicator.md) IDs.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md).

-| Permission type | Permission | Permission display name |

-||||

-| Application | Ti.ReadWrite | 'Read and write TI Indicators' |

-| Application | Ti.ReadWrite.All | 'Read and write Indicators' |

-## HTTP request

-```http

-POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete

-```

-## Request headers

-|Name|Type|Description|

-|:|:|:|

-|Authorization | String | Bearer {token}. **Required**.|

-## Request body

-In the request body, supply a JSON object with the following parameters:

-|Parameter|Type|Description|

-|:|:|:|

-|IndicatorIds|List *String* |A list of the IDs of the indicators to be removed. **Required**|

-## Response

-If Indicators all existed and were deleted successfully - 204 OK without content.

-If indicator IDs list is empty or exceeds size limit - 400 Bad Request.

-If any indicator ID is invalid - 400 Bad Request.

-If requestor isn't exposed to any indicator's device groups - 403 Forbidden.

-If any Indicator ID wasn't found - 404 Not Found.

-## Example

-### Request

-Here's an example of the request.

-```http

-POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete

-```

-```json

-{

- "IndicatorIds": [ "1", "2", "5" ]

-}

-```

-description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties.

-# Batch update alerts

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Updates properties of a batch of existing [Alerts](alerts.md).

-Submission of **comment** is available with or without updating properties.

-Updatable properties are: `status`, `determination`, `classification` and `assignedTo`.

-## Limitations

-1. You can update alerts that are available in the API. For more information, see [List Alerts](get-alerts.md).

-2. Rate limitations for this API are 10 calls per minute and 500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type | Permission | Permission display name

-:|:|:

-Application | Alert.ReadWrite.All | 'Read and write all alerts'

-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'Alerts investigation'. For more information, see [Create and manage roles](../user-roles.md).

-> - The user needs to have access to the device associated with the alert, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-POST /api/alerts/batchUpdate

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization | String | Bearer {token}. **Required**.

-Content-Type | String | application/json. **Required**.

-## Request body

-In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts.

-Existing properties that aren't included in the request body will maintain their previous values or be recalculated based on changes to other property values.

-For best performance you shouldn't include existing values that haven't changed.

-Property | Type | Description

-:|:|:

-alertIds | List&lt;String&gt;| A list of the IDs of the alerts to be updated. **Required**

-status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'.

-assignedTo | String | Owner of the specified alerts

-classification | String | Specifies the specification of the specified alerts. The property values are: `TruePositive`, `Informational, expected activity`, and `FalsePositive`.

-determination | String | Specifies the determination of the specified alerts. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public api accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other).

-comment | String | Comment to be added to the specified alerts.

-> [!NOTE]

-> Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.

-## Response

-If successful, this method returns 200 OK, with an empty response body.

-## Example

-### Request

-Here's an example of the request.

-```http

-POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate

-```

-```json

-{

- "alertIds": ["da637399794050273582_760707377", "da637399989469816469_51697947354"],

- "status": "Resolved",

- "assignedTo": "secop2@contoso.com",

- "classification": "FalsePositive",

- "determination": "Malware",

- "comment": "Resolve my alert and assign to secop2"

-}

-```

-description: Learn how to cancel an already launched machine action

-# Cancel machine action API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Cancel an already launched machine action that isn't yet in final state (completed, canceled, failed).

-## Limitations

-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more,

-including how to choose permissions, see [Get started](apis-intro.md).

-|Permission type|Permission|Permission display name|

-||||

-|Application|Machine.CollectForensics <br> Machine.Isolate <br> Machine.RestrictExecution <br> Machine.Scan <br> Machine.Offboard <br> Machine.StopAndQuarantine <br> Machine.LiveResponse|Collect forensics <br>Isolate machine<br>Restrict code execution<br> Scan machine<br> Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine|

-|Delegated (work or school account)|Machine.CollectForensics<br> Machine.Isolate <br>Machine.RestrictExecution<br> Machine.Scan<br> Machine.Offboard<br> Machine.StopAndQuarantineMachine.LiveResponse|Collect forensics<br> Isolate machine<br> Restrict code execution<br> Scan machine<br>Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine|

-## HTTP request

-```http

-POST https://api.securitycenter.microsoft.com/api/machineactions/<machineactionid>/cancel

-```

-## Request headers

-|Name|Type|Description|

-||||

-|Authorization|String|Bearer {token}. Required.|

-|Content-Type|string|application/json. Required.|

-## Request body

-|Parameter|Type|Description|

-||||

-|Comment|String|Comment to associate with the cancellation action.|

-## Response

-If successful, this method returns 200, OK response code with a Machine Action entity. If machine action entity with the specified id wasn't found - 404 Not Found.

-## Example

-### Request

-Here's an example of the request.

-```HTTP

-POST

-https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/cancel

-```

-```JSON

-{

- "Comment": "Machine action was canceled by automation"

-}

-```

-## Related article

-description: Use this API to create calls related to the collecting an investigation package from a device.

-# Collect investigation package API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Collect investigation package from a device.

-## Limitations

-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-> [!IMPORTANT]

->

-> - These response actions are only available for devices on Windows 10, version 1703 or later, and on Windows 11.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.CollectForensics|'Collect forensics'

-Delegated (work or school account)|Machine.CollectForensics|'Collect forensics'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](../user-roles.md) for more information)

-> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information)

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestigationPackage

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-Content-Type|string|application/json. **Required**.

-## Request body

-In the request body, supply a JSON object with the following parameters:

-Parameter|Type|Description

-:|:|:

-Comment|String|Comment to associate with the action. **Required**.

-## Response

-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. If a collection is already running, this returns 400 Bad Request.

-## Example

-### Request

-Here is an example of the request.

-```http

-POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage

-```

-```json

-{

- "Comment": "Collect forensics due to alert 1234"

-}

-```

-description: List of common Microsoft Defender for Endpoint API errors with descriptions.

-# Handling REST API errors

-HTTP error responses are divided into two categories:

-* Client error (400-code level) ΓÇô the client sent an invalid request or the request isn't in accordance with definitions.

-* Server error (500-level) ΓÇô the server temporarily failed to fulfill the request or a server error occurred. Try sending the HTTP request again.

-The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs.

-* In addition to the error code, every error response contains an error message, which can help resolve the problem.

-* The message is a free text that can be changed.

-* At the bottom of the page, you can find response examples.

-**Applies to:**

-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)

-Error code|HTTP status code|Message

-||

-BadRequest|BadRequest (400)|General Bad Request error message.

-ODataError|BadRequest (400)|Invalid OData URI query (the specific error is specified).

-InvalidInput|BadRequest (400)|Invalid input {the invalid input}.

-InvalidRequestBody|BadRequest (400)|Invalid request body.

-InvalidHashValue|BadRequest (400)|Hash value {the invalid hash} is invalid.

-InvalidDomainName|BadRequest (400)|Domain name {the invalid domain} is invalid.

-InvalidIpAddress|BadRequest (400)|IP address {the invalid IP} is invalid.

-InvalidUrl|BadRequest (400)|URL {the invalid URL} is invalid.

-MaximumBatchSizeExceeded|BadRequest (400)|Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.

-MissingRequiredParameter|BadRequest (400)|Parameter {the missing parameter} is missing.

-OsPlatformNotSupported|BadRequest (400)|OS Platform {the client OS Platform} isn't supported for this action.

-ClientVersionNotSupported|BadRequest (400)|{The requested action} is supported on client version {supported client version} and above.

-Unauthorized|Unauthorized (401)|Unauthorized (invalid or expired authorization header).

-Forbidden|Forbidden (403)|Forbidden (valid token but insufficient permission for the action).

-DisabledFeature|Forbidden (403)|Tenant feature isn't enabled.

-DisallowedOperation|Forbidden (403)|{the disallowed operation and the reason}.

-NotFound|Not Found (404)|General Not Found error message.

-ResourceNotFound|Not Found (404)|Resource {the requested resource} wasn't found.

-TooManyRequests|Too Many Requests (429)|Response represents reaching quota limit either by number of requests or by CPU.

-InternalServerError|Internal Server Error (500)|(No error message, retry the operation.)

-## Throttling

-The HTTP client may receive a 'Too Many Requests error (429)' when the number of HTTP requests in a given time frame exceeds the allowed number of calls per API.

-The HTTP client should delay resubmitting further HTTPS requests and then submit them in a way that complies with the rate limitations. A Retry-After in the response header indicating how long to wait (in seconds) before making a new request

-Ignoring the 429 response or trying to resubmit HTTP requests in a shorter time frame gives a return of the 429 error code.

-## Body parameters are case-sensitive

-The submitted body parameters are currently case-sensitive.

-If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.

-Review the API documentation page and check that the submitted parameters match the relevant example.

-## Correlation request ID

-Each error response contains a unique ID parameter for tracking.

-The property name of this parameter is "target".

-When contacting us about an error, attaching this ID helps find the root cause of the problem.

-## Examples

-```json

-{

- "error": {

- "code": "ResourceNotFound",

- "message": "Machine 123123123 was not found",

- "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"

- }

-}

-```

-```json

-{

- "error": {

- "code": "InvalidRequestBody",

- "message": "Request body is incorrect",

- "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0"

- }

-}

-```

-description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender for Endpoint.

-# Create alert API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Creates new [Alert](alerts.md) on top of **Event**.

-## Limitations

-1. Rate limitations for this API are 15 calls per minute.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).

-Permission type | Permission | Permission display name

-:|:|:

-Application | Alert.ReadWrite.All | 'Read and write all alerts'

-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: *Alerts investigation*. For more information, see [Create and manage roles](../user-roles.md).

-> - The user needs to have access to the device associated with the alert, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).

->

-> Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2

-## HTTP request

-```http

-POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization | String | Bearer {token}. **Required**.

-Content-Type | String | application/json. **Required**.

-## Request body

-In the request body, supply the following values (all are required):

-Property | Type | Description

-:|:|:

-eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. For example, ```2018-08-03T16:45:21.7115183Z``` **Required**.

-reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.

-machineId | String | Id of the device on which the event was identified. **Required**.

-severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.

-title | String | Title for the alert. **Required**.

-description | String | Description of the alert. **Required**.

-recommendedAction| String | Security officer needs to take this action when analyzing the alert. **Required**.

-category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.

-## Response

-If successful, this method returns 200 OK, and a new [alert](alerts.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) wasn't found - 404 Not Found.

-## Example

-### Request

-Here's an example of the request.

-```http

-POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference

-```

-```json

-{

- "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",

- "severity": "Low",

- "title": "example",

- "description": "example alert",

- "recommendedAction": "nothing",

- "eventTime": "2018-08-03T16:45:21.7115183Z",

- "reportId": "20776",

- "category": "Exploit"

-}

-```

-description: Learn how to delete a file from the live response library.

-# Delete a file from the live response library

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Delete a file from live response library.

-## Limitations

-1. Rate limitations for this API are 100 calls per minute and 1500 calls per

- hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more,

-including how to choose permissions, see [Get started](apis-intro.md).

-| Permission type | Permission | Permission display name |

-||-|--|

-| Application | Library.Manage | Manage live response library |

-| Delegated (work or school account) | Library.Manage | Manage live response library |

-## HTTP request

-DELETE https://api.security.microsoft.com/api/libraryfiles/{fileName}

-## Request headers

-| Name | Type | Description |

-|--|--||

-| Authorization | String | Bearer\<token>\. Required. |

-## Request body

-Empty

-## Response

-## Example

-Request

-Here is an example of the request.

-```HTTP

-DELETE https://api.security.microsoft.com/api/libraryfiles/script1.ps1

-```

-## Related topic

-description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender for Endpoint.

-# Delete Indicator API

-**Applies to:**

-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Deletes an [Indicator](ti-indicator.md) entity by ID.

-## Limitations

-Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md).

-| Permission type | Permission | Permission display name |

-| :|:|:|

-| Application | Ti.ReadWrite | 'Read and write TI Indicators' |

-| Application | Ti.ReadWrite.All | 'Read and write Indicators' |

-## HTTP request

-```http

-Delete https://api.securitycenter.microsoft.com/api/indicators/{id}

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization | String | Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If Indicator exists and deleted successfully - 204 OK without content.

-If Indicator with the specified ID wasn't found - 404 Not Found.

-## Example

-### Request

-Here's an example of the request.

-```http

-DELETE https://api.securitycenter.microsoft.com/api/indicators/995

-```

-description: "Learn how to export a list of Microsoft Defender Antivirus device health details."

-ms.reviewr: mkaminska

-# Export device antivirus health details API methods and properties

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## Export device antivirus health details API description

-Retrieves a list of Microsoft Defender Antivirus device health details. This API has different API calls (methods) to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:

- - Call the API to get a list of download URLs with all your organization data.

- - Download all the files using the download URLs and process the data as you like.

-Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.

-> [!IMPORTANT]

-> For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution).

->

-> For information about using the **Device health and antivirus compliance** reporting tool in the Microsoft 365 Security dashboard, see: [Device health and antivirus report in Microsoft Defender for Endpoint](../device-health-reports.md).

-### 1.1 Export device antivirus health details API methods

-Method|Data type|Description

-:|:|:

-**(JSON response)**|Microsoft Defender Antivirus health per device collection. See: [1.2 Export device antivirus health details API properties (JSON response)](#13-export-device-antivirus-health-details-api-properties-json-response)|Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. | The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.

-**(via files)**|Microsoft Defender Antivirus health per device collection. See: [1.3 Export device antivirus health details API properties \(via files\)](#14-export-device-antivirus-health-details-api-properties-via-files)|Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. |This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: <ol><li>Call the API to get a list of download URLs with all your organization data.</li><li>Download all the files using the download URLs and process the data as you like.</li></ol>

-### 1.2 Limitations

-### 1.3 Export device antivirus health details API properties (JSON response)

-> [!NOTE]

->

-> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.

-> - Note that **rbacgroupname** and **Id** are not supported filter operators.

-> - Some additional columns might be returned in the response. These columns can be temporary and might be removed; use only the documented columns.

-| Property (ID) | Data type | Description | Example of a returned value |

-|:-|:-|:-|:-|

-| avEngineUpdateTime | DateTimeOffset | Datetime when AV engine was last updated on device | "2022-08-04T12:44:02Z" |

-| avEngineVersion | String | Antivirus engine version | "1.1.19400.3" |

-| avIsEngineUpToDate | String | Up-to-date status of AV engine | "True", "False", "Unknown" |

-| avIsPlatformUpToDate | String | Up-to-date status of AV platform | "True", "False", "Unknown" |

-| avIsSignatureUpToDate | String | Up-to-date status of AV signature | "True", "False", "Unknown" |

-| avMode | String | Antivirus mode. | Each mode will be a string typed integer value ranging from 0 to 5. Refer to the mapping below to see its value's meaning: <ul><li>'' = Other</li><li> '0' = Active</li><li> '1' = Passive</li><li> '2' = Disabled</li><li> '3' = Other</li><li> '4' = EDRBlocked</li><li>'5' = PassiveAudit</li></ul> |

-| avPlatformUpdateTime | DateTimeOffset | Datetime when AV platform was last updated on device | "2022-08-04T12:44:02Z" |

-| avPlatformVersion | String | Antivirus platform version | "4.18.2203.5" |

-| avSignaturePublishTime | DateTimeOffset | Datetime when AV security intelligence build was released | "2022-08-04T12:44:02Z" |

-| avSignatureUpdateTime | DateTimeOffset | Datetime when AV security intelligence was last updated on device | "2022-08-04T12:44:02Z" |

-| avSignatureVersion | String | Antivirus security intelligence version | "1.371.1323.0" |

-| computerDnsName | String | DNS name | "SampleDns" |

-| dataRefreshTimestamp | DateTimeOffset | Datetime when data is refreshed for this report | "2022-08-04T12:44:02Z" |

-| fullScanError | String | Error codes from full scan | "0x80508023" |

-| fullScanResult | String | Full scan result of this device | "Completed" <br> "Canceled" <br>"Failed" |

-| fullScanTime | DateTimeOffset | Datetime when full scan has completed | "2022-08-04T12:44:02Z" |

-| id | String | Machine GUID | "30a8fa2826abf24d24379b23f8a44d471f00feab" |

-| lastSeenTime | DateTimeOffset | Last seen datetime of this machine | "2022-08-04T12:44:02Z" |

-| machineId | String | Machine GUID | "30a8fa2826abf24d24379b23f8a44d471f00feab" |

-| osKind | String | Operating system kind | "windows", "mac", "linux" |

-| osPlatform | String | Operating system major version name | Windows 10, macOs |

-| osVersion | String | Operating system version | 10.0.18363.1440, 12.4.0.0 |

-| quickScanError | String | Error codes from quick scan | "0x80508023" |

-| quickScanResult | String | Quick scan result of this device | "Completed" <br>"Canceled" <br>"Failed" |

-| quickScanTime | DateTimeOffset | Datetime when quick scan has completed | "2022-08-04T12:44:02Z" |

-| rbacGroupId | Long | Device group ID that this machine belongs to | 712 |

-| rbacGroupName | String | Name of device group that this machine belongs to | "SampleGroup" |

-### 1.4 Export device antivirus health details API properties (via files)

-> [!IMPORTANT]

-> Information in this section relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-> [!NOTE]

->

-> - The files are gzip compressed & in multiline Json format.

-> - The download URLs are only valid for 3 hours; otherwise you can use the parameter.

-> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.

-> - Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.

-> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.

-| Property (ID) | Data type | Description | Example of a returned value |

-|:-|:-|:-|:-|

-| Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization. | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"] |

-| GeneratedTime | String | The time that the export was generated. | 2022-05-20T08:00:00Z |

-> [!NOTE]

-> In each of the Export files a property "DeviceGatheredInfo" containing the data about Antivirus information can be found. Each of its attributes can provide you with information on the device's health and its status.

-## See also

-[Export device antivirus health report](../device-health-export-antivirus-health-report-api.md)

-[Device health and compliance reporting](../device-health-reports.md)

-description: Presents methods to retrieve Microsoft Defender Antivirus device health details.

-# Export device antivirus health report

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-This API has two methods to retrieve Microsoft Defender Antivirus device antivirus health details:

- - Call the API to get a list of download URLs with all your organization data.

- - Download all the files using the download URLs and process the data as you like.

-Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages. See [Export device health details API methods and properties](device-health-api-methods-properties.md).

-> [!IMPORTANT]

->

-> Currently, only the **Antivirus Health JSON Response** is generally available. **Antivirus Health API via files** is currently only available in public preview.

->

-> **Advanced Hunting custom query** is currently only available in public preview, even if the queries are still visible.

-> [!IMPORTANT]

->

-> For Windows&nbsp;Server&nbsp;2012&nbsp;R2 and Windows&nbsp;Server&nbsp;2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution).

-> [!NOTE]

->

-> For information about using the **Device health and antivirus compliance** reporting tool in the Microsoft 365 Security dashboard, see: [Device health and antivirus compliance report in Microsoft Defender for Endpoint](../machine-reports.md).

->

-## 1 Export health reporting (JSON response)

-### 1.1 API method description

-This API retrieves a list of Microsoft Defender Antivirus device antivirus health details. Returns a table with an entry for every unique combination of:

-#### 1.1.1 Limitations

-#### OData supported operators

-> [!IMPORTANT]

-> Note that **rbacgroupname** and **Id** are not supported filter operators.

-### 1.2 Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

-| Permission type | Permission | Permission display name |

-|:|:|:|

-| Application | Machine.Read.All | 'Read all machine profiles' |

-|Delegated (work or school account) | Machine.Read | 'Read machine information' |

-### 1.3 URL (HTTP request)

-```http

-URL: GET: /api/deviceavinfo

-```

-#### 1.3.1 Request headers

-| Name | Type | Description |

-|:|:|:|

-| Authorization | String | Bearer {token}. Required. |

-#### 1.3.2 Request body

-Empty

-#### 1.3.3 Response

-If successful, this method returns 200 OK with a list of device health details.

-### 1.4 Parameters

-### 1.5 Properties

-See: [1.3 Export device antivirus health details API properties (JSON response)](device-health-api-methods-properties.md#13-export-device-antivirus-health-details-api-properties-json-response)

-Supports [OData V4 queries](https://www.odata.org/documentation/).

-### 1.6 Example

-#### Request example

-Here's an example request:

-```http

-GET https://api.securitycenter.microsoft.com/api/deviceavinfo

-```

-#### Response example

-Here's an example response:

-```json

-{

- @odata.context: "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAvInfo",

-"value": [{

- "id": "Sample Guid",

- "machineId": "Sample Machine Guid",

- "computerDnsName": "appblockstg1",

- "osKind": "windows",

- "osPlatform": "Windows10",

- "osVersion": "10.0.19044.1865",

- "avMode": "0",

- "avSignatureVersion": "1.371.1279.0",

- "avEngineVersion": "1.1.19428.0",

- "avPlatformVersion": "4.18.2206.108",

- "lastSeenTime": "2022-08-02T19:40:45Z",

- "quickScanResult": "Completed",

- "quickScanError": "",

- "quickScanTime": "2022-08-02T18:40:15.882Z",

- "fullScanResult": "",

- "fullScanError": "",

- "fullScanTime": null,

- "dataRefreshTimestamp": "2022-08-02T21:16:23Z",

- "avEngineUpdateTime": "2022-08-02T00:03:39Z",

- "avSignatureUpdateTime": "2022-08-02T00:03:39Z",

- "avPlatformUpdateTime": "2022-06-20T16:59:35Z",

- "avIsSignatureUpToDate": "True",

- "avIsEngineUpToDate": "True",

- "avIsPlatformUpToDate": "True",

- "avSignaturePublishTime": "2022-08-02T00:03:39Z",

- "rbacGroupName": "TVM1",

- "rbacGroupId": 4415

- },

- ...

- ]

-}

-```

-## 2 Export health reporting (via files)

-> [!IMPORTANT]

-> Information in this section relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-### 2.1 API method description

-This API response contains all the data of Antivirus health and status per device. Returns a table with an entry for every unique combination of:

-#### 2.1.2 Limitations

-### 2.2 Permissions

-One of the following permissions is required to call this API.

-| Permission type | Permission | Permission display name |

-|:|:|:|

-| Application | Vulnerability.Read.All | 'Read "threat and vulnerability management" vulnerability information' |

-| Delegated (work or school account) | Vulnerability.Read | 'Read "threat and vulnerability management" vulnerability information' |

-To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details](apis-intro.md).

-### 2.3 URL

-```http

-GET /api/machines/InfoGatheringExport

-```

-### 2.4 Parameters

-### 2.5 Properties

-See: [1.4 Export device antivirus health details API properties \(via files\)](device-health-api-methods-properties.md#14-export-device-antivirus-health-details-api-properties-via-files).

-### 2.6 Examples

-#### 2.6.1 Request example

-Here's an example request:

-```HTTP

-GET https://api-us.securitycenter.contoso.com/api/machines/InfoGatheringExport

-```

-#### 2.6.2 Response example

-Here's an example response:

-```json

-{

- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",

- "exportFiles": [

- "https://tvmexportexternalprdeus.blob.core.windows.net/temp-../2022-08-02/2201/InfoGatheringExport/json/OrgId=../_RbacGroupId=../part-00055-12fc2fcd-8f56-4e09-934f-e8efe7ce74a0.c000.json.gz?sv=2020-08-04&st=2022-08-02T22%3A47%3A11Z&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=..",

- "https://tvmexportexternalprdeus.blob.core.windows.net/temp-../2022-08-02/2201/InfoGatheringExport/json/OrgId=../_RbacGroupId=../part-00055-12fc2fcd-8f56-4e09-934f-e8efe7ce74a0.c000.json.gz?sv=2020-08-04&st=2022-08-02T22%3A47%3A11Z&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=.."

- ],

- "generatedTime": "2022-08-02T22:01:00Z"

-}

-```

-> [!TIP]

-> **Performance tip** Due to a variety of factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:

->

-> - Top paths that impact scan time

-> - Top files that impact scan time

-> - Top processes that impact scan time

-> - Top file extensions that impact scan time

-> - Combinations ΓÇô for example:

-> - top files per extension

-> - top paths per extension

-> - top processes per path

-> - top scans per file

-> - top scans per file per process

->

-> You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions.

-> See: [Performance analyzer for Microsoft Defender Antivirus](../tune-performance-defender-antivirus.md).

->

-## See also

-[Export device health methods and properties](device-health-api-methods-properties.md)

-[Device health and compliance reporting](../device-health-reports.md)

-description: Provides information about the certificates APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.

-# Export certificate inventory per device

-**Applies to:**

-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../../defender-vulnerability-management/get-defender-vulnerability-management.md).

-There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.

- - Call the API to get a list of download URLs with all your organization data.

- - Download all the files using the download URLs and process the data as you like.

-Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.

-> [!NOTE]

-> Unless indicated otherwise, all export security baseline assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**)

-## 1. Export certificate assessment (JSON response)

-### 1.1 API method description

-Returns all certificate assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, Thumbprint and Path.

-#### 1.1.1 Limitations

-### 1.2 Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management software information'

-Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management software information'

-### 1.3 URL

-```http

-GET /api/machines/certificateAssessmentByMachine

-```

-### 1.4 Parameters

-### 1.5 Properties (JSON response)

-> [!NOTE]

-> Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter.

->

-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

->

-> The properties defined in the following table are listed alphabetically by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.

-Property (ID)|Data type|Description

-:|:|:

-|DeviceId|String|Unique identifier for the device in the service.

-|DeviceName|String|Fully qualified domain name (FQDN) of the device.

-|Thumbprint|Boolean|Unique identifier for the certificate.

-|Path|String|The location of the certificate.

-|SignatureAlgorithm|String|Hashing algorithm and encryption algorithm used.

-|KeySize|String|Size of the key used in the signature algorithm.

-|ExpirationDate|String|The date and time beyond which the certificate is no longer valid.

-|IssueDate|String|The earliest date and time when the certificate became valid.

-|SubjectType|String|Indicates if the holder of the certificate is a CA or end entity.

-|SerialNumber|String|Unique identifier for the certificate within a certificate authority's systems.

-|IssuedTo|Object|Entity that a certificate belongs to; can be a device, an individual, or an organization.

-|IssuedBy|Object|Entity that verified the information and signed the certificate.

-|KeyUsage|String|The valid cryptographic uses of the certificate's public key.

-|ExtendedKeyUsage|String|Other valid uses for the certificate.

-|RbacGroupId|String|The role-based access control (RBAC) group id.

-|RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC groups, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."

-## 1.6 Example

-### 1.6.1 Request example

-```http

-GET https://api.securitycenter.microsoft.com/api/machines/CertificateAssessmentByMachine

-```

-### 1.6.2 Response example

-```json

- {

- "@odata.context":"https://127.0.0.1/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetCertificateAssessment)",

- "value":[

- {

- "deviceId":"49126b9e4a5473b5229c73799e9e55c48668101b",

- "deviceName":"testmachine5",

- "thumbprint":"A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",

- "path":"LocalMachine\\TestSignRoot\\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",

- "signatureAlgorithm":"sha384ECDSA",

- "keyLength":0,"notAfter":"0001-01-01T00:00:00Z",

- "notBefore":"0001-01-01T00:00:00Z",

- "subjectType":"CA",

- "serialNumber":"6086A185EAFA2B9943B4671603F40323",

- "subjectObject":null,

- "issuerObject":null,

- "keyUsageArray":null,

- "extendedKeyUsageArray":null,

- "isSelfSigned":false,

- "rbacGroupId":4226,

- "rbacGroupName":"testO6343398Gq31"}],

- "@odata.nextLink":"https://127.0.0.1/api/machines/CertificateAssessmentByMachine?pagesize=1&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMi0wMy0yMS8wNTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjF9"

- }

-```

-## 2. Export certificate assessment (via files)

-### 2.1 API method description

-Returns all certificate assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, Thumbprint and Path.

-#### 2.1.1 Limitations

-### 2.2 Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management software information'

-Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management software information'

-### 2.3 URL

-```http

-GET /api/machines/certificateAssessmentExport

-```

-### 2.4 Parameters

-### 2.5 Properties (JSON response)

-> [!NOTE]

-> The files are gzip compressed & in multiline Json format.

->

-> The download URLs are only valid for 3 hours; otherwise, you can use the parameter.

->

-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.

->

-> Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.

->

-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

-Property (ID)|Data type|Description

-:|:|:

-|Export files|String[array]|A list of download URLs for files holding the current snapshot of the organization.

-|GeneratedTime|DateTime|The time the export was generated.

-## 2.6 Example

-### 2.6.1 Request example

-```http

-GET https://api.securitycenter.contoso.com/api/machines/certificateAssessmentExport

-```

-### 2.6.2 Response example

-```json

- {

- "@odata.context":"https://127.0.0.1/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",

- "exportFiles":["https://tvmexportexternalstgeus.blob.core.windows.net/temp-5c080622-f613-42bb-9fee-e17ccdff90d3/2022-03-20/1318/CertificateAssessmentExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaPMwaD3G0RJTZkS4R9J8oN8I3tu%2FOcG35c%3D"],

- "generatedTime":"2022-03-20T13:18:00Z"

- }

-```

-description: Provides information about the Firmware and Hardware APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.

-# Export Hardware and firmware assessment inventory per device

-**Applies to:**

-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../../defender-vulnerability-management/get-defender-vulnerability-management.md).

-There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.

- - Call the API to get a list of download URLs with all your organization data.

- - Download all the files using the download URLs and process the data as you like.

-Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.

-> [!NOTE]

-> Unless indicated otherwise, all export hardware and firmware assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**)

-## 1. Export hardware and firmware assessment (JSON response)

-### 1.1 API method description

-Returns all hardware and firmware assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of deviceId and componentType.

-#### 1.1.1 Limitations

-### 1.2 Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Software.Read.All|'Read Threat and Vulnerability Management software information'

-Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management software information'

-### 1.3 URL

-```http

-GET api/machines/HardwareFirmwareInventoryByMachine

-```

-### 1.4 Parameters

-### 1.5 Properties (JSON response)

-> [!NOTE]

-> Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter.

->

-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

->

-> The properties defined in the following table are listed alphabetically by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.

-Property (ID)|Data type|Description

-:|:|:

-deviceId|String|Unique identifier for the device in the service.

-|rbacGroupId|Int|The role-based access control (RBAC) group Id. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."

-|rbacGroupName|String|The role-based access control (RBAC) group. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."

-|deviceName|String|Fully qualified domain name (FQDN) of the device.

-|componentType|String|Type of hardware or firmware component.

-|manufacturer|String|Manufacturer of a specific hardware or firmware component.

-|componentName|String|Name of a specific hardware or firmware component.

-|componentVersion|String|Version of a specific hardware or firmware component.

-|additionalFields|String|Additional information about the components in JSON array format.

-## 1.6 Example

-### 1.6.1 Request example

-```http

-GET https://api.security.microsoft.com/api/machines/HardwareFirmwareInventoryByMachine

-```

-### 1.6.2 Response example

-```json

- {

- "@odata.context": "https://api-df.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetHardwareFirmware)",

- "value":[

- {

- "deviceId": "49126b9e4a5473b5229c73799e9e55c48668101b",

- "rbacGroupId": 39,

- "rbacGroupName": "testO6343398Gq31",

- "deviceName": "testmachine5",

- "componentType": "Hardware",

- "manufacturer": "razer",

- "componentName": "blade_15_advanced_model_(mid_2021)_-_rz09-0409",

- "componentVersion": "7.04",

- "additionalFields": "{\"SystemSKU\":\"RZ09-0409CE53\",\"BaseBoardManufacturer\":\"Razer\",\"BaseBoardProduct\":\"CH570\",\"BaseBoardVersion\":\"4\",\"DeviceFamily\":\"Workstation\"}"

- }

- ]

- },

-

-```

-## 2. Export hardware and firmware assessment (via files)

-### 2.1 API method description

-Returns all hardware and firmware assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, ComponentType and ComponentName.

-#### 2.1.1 Limitations

-### 2.2 Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Software.Read.All|'Read Threat and Vulnerability Management software information'

-Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management software information'

-### 2.3 URL

-```http

-GET /api/machines/HardwareFirmwareInventoryExport

-```

-### 2.4 Parameters

-### 2.5 Properties (JSON response)

-> [!NOTE]

-> The files are gzip compressed & in multiline Json format.

->

-> The download URLs are only valid for 3 hours; otherwise, you can use the parameter.

->

-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.

->

-> Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.

->

-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

-Property (ID)|Data type|Description

-:|:|:

-|Export files|String[array]|A list of download URLs for files holding the current snapshot of the organization.

-|GeneratedTime|DateTime|The time the export was generated.

-## 2.6 Example

-### 2.6.1 Request example

-```http

-GET https://api.security.microsoft.com/api/machines/HardwareFirmwareInventoryExport

-```

-### 2.6.2 Response example

-```json

- {

- "@odata.context":"https://api-df.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",

- "exportFiles": [

- "https://tvmexportstrprdcane.blob.core.windows.net/tvm-firmware-export/2022-07-11/1101/FirmwareHardwareExport/json/OrgId=d7c7c745-195f-4223-9c7a-99fb420fd000/_RbacGroupId=39/part-00999-71eea973-1bb1-4d0a-829d-80cb07aff5d8.c000.json.gz?sv=2020-08-04&st=2022-07-11T13%3A10%3A06Z&se=2022-07-11T16%3A10%3A06Z&sr=b&sp=r&sig=muN8Sq6rVN6bFMtR0u3S5Wzh3D9qNPgN5vpU7lWvULg%3D",

- "https://tvmexportstrprdcane.blob.core.windows.net/tvm-firmware-export/2022-07-11/1101/FirmwareHardwareExport/json/OrgId=d7c7c745-195f-4223-9c7a-99fb420fd000/_RbacGroupId=9/part-00968-71eea973-1bb1-4d0a-829d-80cb07aff5d8.c000.json.gz?sv=2020-08-04&st=2022-07-11T13%3A10%3A06Z&se=2022-07-11T16%3A10%3A06Z&sr=b&sp=r&sig=%2BA0%2B4qOOBCS5E4UenJPbMdLM%2FkbXHnz%2F1pvfSOCq%2F2s%3D",

- "https://tvmexportstrprdcane.blob.core.windows.net/tvm-firmware-export/2022-07-11/1101/FirmwareHardwareExport/json/OrgId=d7c7c745-195f-4223-9c7a-99fb420fd000/_RbacGroupId=9/part-00969-71eea973-1bb1-4d0a-829d-80cb07aff5d8.c000.json.gz?sv=2020-08-04&st=2022-07-11T13%3A10%3A06Z&se=2022-07-11T16%3A10%3A06Z&sr=b&sp=r&sig=sZUgYMwSr5zk6BZvS%2BoYIWlHJWk2oJ7YjiC8R26S1X4%3D"

- ],

- "generatedTime": "2022-07-11T11:01:00Z"

- }

-```

-description: Provides information about the security baselines APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.

-# Export security baselines assessment per device

-**Applies to:**

-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../../defender-vulnerability-management/get-defender-vulnerability-management.md).

-There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.

- - Call the API to get a list of download URLs with all your organization data.

- - Download all the files using the download URLs and process the data as you like.

-Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.

-> [!NOTE]

-> Unless indicated otherwise, all export security baseline assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**)

-## 1. Export security baselines assessment (JSON response)

-### 1.1 API method description

-Returns all security baselines assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, ProfileId, ConfigurationId.

-### 1.2 Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.

-Permission type|Permission|Permission display name

-:|:|:

-Application|SecurityBaselinesAssessment.Read.All |'Read all security baselines assessments information'

-Delegated (work or school account)|SecurityBaselinesAssessment.Read|'Read security baselines assessments information'

-### 1.3 Limitations

-### 1.4 Parameters

-### 1.5 HTTP request

-```http

-GET /api/machines/baselineComplianceAssessmentByMachine

-```

-### 1.6 Properties (JSON response)

-> [!NOTE]

-> Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter.

->

-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

->

-> The properties defined in the following table are listed alphabetically by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.

-Property (ID)|Data type|Description

-:|:|:

-|configurationId|String|Unique identifier for a specific configuration in the baseline benchmark.

-|profileId|String|Unique identifier for the profile assessed.

-|deviceId|String|Unique identifier for the device in the service.

-|deviceName|String|Fully qualified domain name (FQDN) of the device.

-|isApplicable|Boolean|Indicates whether the configuration is applicable to this device.

-|isCompliant|Boolean|Indicates whether the device is compliant with configuration.

-|id|String|Unique identifier for the record, which is a combination of DeviceId, ProfileId, and ConfigurationId.

-|osVersion|String|Specific version of the operating system running on the device.

-|osPlatform|String|Operating system platform running on the device. Specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [MDVM supported operating systems and platforms](../tvm-supported-os.md) for details.

-|rbacGroupId|Int|The role-based access control (RBAC) group Id. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."

-|rbacGroupName|String|The role-based access control (RBAC) group. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."

-|DataCollectionTimeOffset|DateTime|The time the data was collected from the device. This field may not appear if no data was collected.

-|ComplianceCalculationTimeOffset|DateTime|The time the assessment calculation was made.

-|RecommendedValue|String|Set of expected values for the current device setting to be complaint.

-|CurrentValue|String|Set of detected values found on the device.

-|Source|String|The registry path or other location used to determine the current device setting.

-## 1.7 Example

-### 1.7.1 Request example

-```http

-GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentByMachine

-```

-### 1.7.2 Response example

-```json

-{

-"@odata.context": " https://api.securitycenter.microsoft.com /api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetBaselineAssessment)",

-"value": [

-{

- "id": "0000682575d5d473e82ed4d8680425d152411251_9e1b90be-e83e-485b-a5ec-4a429412e734_1.1.1",

- "configurationId": "1.1.1",

- "deviceId": "0000682575d5d473242222425d152411251",

- "deviceName": " ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596 ",

- "profileId": "9e1b90be-e83e-485b-a5ec-4a429412e734",

- "osPlatform": "WindowsServer2019",

- "osVersion": "10.0.17763.2330",

- "rbacGroupId": 86,

- "rbacGroupName": "UnassignedGroup",

- "isApplicable": true,

- "isCompliant": false,

- "dataCollectionTimeOffset": "2021-12-22T00:08:02.478Z",

- "recommendedValue": [

- "Greater than or equal '24'"

- ],

- "currentValue": [

- "24"

- ],

- "source": [

- "password_hist_len"

- ],

-}

-```

-## 2. Export security baselines assessment (via files)

-### 2.1 API method description

-Returns all security baselines assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, ProfileId, ConfigurationId.

-### 2.2 Limitations

-### 2.3 URL

-```http

-GET /api/machines/BaselineComplianceAssessmentExport

-```

-### 2.4 Parameters

-### 2.5 Properties (via files)

-> [!NOTE]

-> The files are gzip compressed & in multiline Json format.

->

-> The download URLs are only valid for 3 hours; otherwise you can use the parameter.

->

-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.

->

-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

-Property (ID)|Data type|Description

-:|:|:

-|Export files|array[string]|A list of download URLs for files holding the current snapshot of the organization.

-|GeneratedTime|String|The time that the export was generated.

-## 2.6 Example

-### 2.6.1 Request example

-```http

-GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentExport

-```

-### 2.6.2 Response example

-```json

-{

- "@odata.context": "https://api.securitycenter. contoso.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",

- "exportFiles":

- [

- "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId= OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00000-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv=ABCD",

- "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00001-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv= ABCD",

- ],

- "generatedTime": "2021-01-11T11:01:00Z"

-}

-```

-## See also

-description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender for Endpoint without a user.

-# Use Microsoft Defender for Endpoint APIs

-**Applies to:**

-> [!IMPORTANT]

-> Advanced hunting capabilities are not included in Defender for Business.

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-This page describes how to create an application to get programmatic access to Defender for Endpoint on behalf of a user.

-If you need programmatic access Microsoft Defender for Endpoint without a user, refer to [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md).

-If you are not sure which access you need, read the [Introduction page](apis-intro.md).

-Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).

-In general, you'll need to take the following steps to use the APIs:

-This page explains how to create a Microsoft Entra application, get an access token to Microsoft Defender for Endpoint and validate the token.

-> [!NOTE]

-> When accessing Microsoft Defender for Endpoint API on behalf of a user, you will need the correct Application permission and user permission.

-> If you are not familiar with user permissions on Microsoft Defender for Endpoint, see [Manage portal access using role-based access control](../rbac.md).

-> [!TIP]

-> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.

-## Create an app

-1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role.

-2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.

- :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The App registrations page in the Microsoft Azure portal" lightbox="../media/atp-azure-new-app2.png":::

-3. When the **Register an application** page appears, enter your application's registration information:

- - **Name** - Enter a meaningful application name that will be displayed to users of the app.

- - **Supported account types** - Select which accounts you would like your application to support.

- <br>

- |Supported account types|Description|

- |||

- |**Accounts in this organizational directory only**|Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory. <p> This option maps to Microsoft Entra-only single-tenant. <p> This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Microsoft Entra multi-tenant and personal Microsoft accounts.|

- |**Accounts in any organizational directory**|Select this option if you would like to target all business and educational customers. <p> This option maps to a Microsoft Entra-only multi-tenant. <p> If you registered the app as Microsoft Entra-only single-tenant, you can update it to be Microsoft Entra multi-tenant and back to single-tenant through the **Authentication** blade.|

- |**Accounts in any organizational directory and personal Microsoft accounts**|Select this option to target the widest set of customers. <p> This option maps to Microsoft Entra multi-tenant and personal Microsoft accounts. <p> If you registered the app as Microsoft Entra multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types.|

- - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application.

- - For web applications, provide the base URL of your app. For example, `http://localhost:31544` might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application.

- - For public client applications, provide the URI used by Microsoft Entra ID to return token responses. Enter a value specific to your application, such as `myapp://auth`.

- To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts).

- When finished, select **Register**.

-4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission:

- - On your application page, select **API Permissions** \> **Add permission** \> **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**.

- > [!NOTE]

- > *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear.

- :::image type="content" alt-text="add permission." source="../media/add-permission.png" lightbox="../media/add-permission.png":::

- - Choose **Delegated permissions** \> **Alert.Read** > select **Add permissions**.

- :::image type="content" source="../media/application-permissions-public-client.png" alt-text="The application type and permissions panes" lightbox="../media/application-permissions-public-client.png":::

- > [!IMPORTANT]

- > Select the relevant permissions. Read alerts is only an example.

- For example:

- - To [run advanced queries](run-advanced-query-api.md), select **Run advanced queries** permission.

- - To [isolate a device](isolate-machine.md), select **Isolate machine** permission.

- - To determine which permission you need, view the **Permissions** section in the API you are interested to call.

- - Select **Grant consent**.

- > [!NOTE]

- > Every time you add permission you must select on **Grant consent** for the new permission to take effect.

- :::image type="content" source="../media/grant-consent.png" alt-text="The Grand admin consent option" lightbox="../media/grant-consent.png":::

-5. Write down your application ID and your tenant ID.

- On your application page, go to **Overview** and copy the following information:

- :::image type="content" source="../media/app-and-tenant-ids.png" alt-text="The created app ID" lightbox="../media/app-and-tenant-ids.png":::

-## Get an access token

-For more information on Microsoft Entra tokens, see [Microsoft Entra tutorial](/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds).

-### Using C\#

- ```csharp

- namespace WindowsDefenderATP

- {

- using System.Net.Http;

- using System.Text;

- using System.Threading.Tasks;

- using Newtonsoft.Json.Linq;

- public static class WindowsDefenderATPUtils

- {

- private const string Authority = "https://login.microsoftonline.com";

- private const string WdatpResourceId = "https://api.securitycenter.microsoft.com";

- public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)

- {

- using (var httpClient = new HttpClient())

- {

- var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";

- var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");

- using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))

- {

- response.EnsureSuccessStatusCode();

- var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

- var jObject = JObject.Parse(json);

- return jObject["access_token"].Value<string>();

- }

- }

- }

- }

- }

- ```

-## Validate the token

-Verify to make sure you got a correct token:

- :::image type="content" source="../media/nativeapp-decoded-token.png" alt-text="The token validation page" lightbox="../media/nativeapp-decoded-token.png":::

-## Use the token to access Microsoft Defender for Endpoint API

- ```csharp

- var httpClient = new HttpClient();

- var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts");

- request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

- var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

- // Do something useful with the response

- ```

-## See also

-description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint on behalf of your users.

-# Partner access through Microsoft Defender for Endpoint APIs

-**Applies to:**

-> [!IMPORTANT]

-> Advanced hunting capabilities are not included in Defender for Business.

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-This page describes how to create a Microsoft Entra application to get programmatic access to Microsoft Defender for Endpoint on behalf of your customers.

-Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs help you automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).

-In general, you need to take the following steps to use the APIs:

-The following steps guide you how to create a Microsoft Entra application, get an access token to Microsoft Defender for Endpoint and validate the token.

-## Create the multitenant app

-1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.

-2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.

- :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The navigation to application registration pane" lightbox="../media/atp-azure-new-app2.png":::

-3. In the registration form:

- - Choose a name for your application.

- - Supported account types - accounts in any organizational directory.

- - Redirect URI - type: Web, URI: https://portal.azure.com

- :::image type="content" source="../media/atp-api-new-app-partner.png" alt-text="The Microsoft Azure partner application registration page" lightbox="../media/atp-api-new-app-partner.png":::

-4. Allow your Application to access Microsoft Defender for Endpoint and assign it with the minimal set of permissions required to complete the integration.

- - On your application page, select **API Permissions** \> **Add permission** \> **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**.

- - Note that *WindowsDefenderATP* doesn't appear in the original list. Start writing its name in the text box to see it appear.

- :::image type="content" source="../media/add-permission.png" alt-text="The Add a permission option" lightbox="../media/add-permission.png":::

-### Request API permissions

-To determine which permission you need, review the **Permissions** section in the API you're interested to call. For instance:

-In the following example we use **'Read all alerts'** permission:

-1. Choose **Application permissions** \> **Alert.Read.All** > select on **Add permissions**

- :::image type="content" source="../media/application-permissions.png" alt-text="The option that allows to add a permission" lightbox="../media/application-permissions.png":::

-2. Select **Grant consent**

- - **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect.

- :::image type="content" source="../media/grant-consent.png" alt-text="The option that allows consent to be granted" lightbox="../media/grant-consent.png":::

-3. Add a secret to the application.

- - Select **Certificates & secrets**, add description to the secret and select **Add**.

- **Important**: After you select **Add**, make sure to copy the generated secret value. You won't be able to retrieve it after you leave!

- :::image type="content" source="../media/webapp-create-key2.png" alt-text="The create app key" lightbox="../media/webapp-create-key2.png":::

-4. Write down your application ID:

- - On your application page, go to **Overview** and copy the following information:

- :::image type="content" source="../media/app-id.png" alt-text="The create application's ID" lightbox="../media/app-id.png":::

-5. Add the application to your customer's tenant.

- You need your application to be approved in each customer tenant where you intend to use it. This approval is necessary because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer.

- A user with **Global Administrator** from your customer's tenant need to select the consent link and approve your application.

- Consent link is of the form:

- ```http

- https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true

- ```

- Where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID

- After clicking on the consent link, sign in with the Global Administrator of the customer's tenant and consent the application.

- :::image type="content" source="../media/app-consent-partner.png" alt-text="The Accept button" lightbox="../media/app-consent-partner.png":::

- In addition, you'll need to ask your customer for their tenant ID and save it for future use when acquiring the token.

-6. **Done!** You successfully registered an application! See the following examples for token acquisition and validation.

-## Get an access token example

-**Note:** To get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions.

-For more information on Microsoft Entra token, see [Microsoft Entra tutorial](/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds).

-### Using PowerShell

-```powershell

-# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory

-# Paste below your Tenant ID, App ID and App Secret (App key).

-$tenantId = '' ### Paste your tenant ID here

-$appId = '' ### Paste your Application ID here

-$appSecret = '' ### Paste your Application key here

-$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'

-$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"

-$authBody = [Ordered] @{

- resource = "$resourceAppIdUri"

- client_id = "$appId"

- client_secret = "$appSecret"

- grant_type = 'client_credentials'

-}

-$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop

-$token = $authResponse.access_token

-Out-File -FilePath "./Latest-token.txt" -InputObject $token

-return $token

-```

-### Using C#

-> The below code was tested with Nuget Microsoft.Identity.Client

-> [!IMPORTANT]

-> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade, see the [migration guide](/azure/active-directory/develop/msal-migration) for more details.

- ```console

- using Microsoft.Identity.Client;

- ```

- ```csharp

- string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here

- string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here

- string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!

- const string authority = https://login.microsoftonline.com;

- const string audience = https://api.securitycenter.microsoft.com;

- IConfidentialClientApplication myApp = ConfidentialClientApplicationBuilder.Create(appId).WithClientSecret(appSecret).WithAuthority($"{authority}/{tenantId}").Build();

- List<string> scopes = new List<string>() { $"{audience}/.default" };

- AuthenticationResult authResult = myApp.AcquireTokenForClient(scopes).ExecuteAsync().GetAwaiter().GetResult();

- string token = authResult.AccessToken;

- ```

-### Using Python

-Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token).

-### Using Curl

-> [!NOTE]

-> The below procedure supposed Curl for Windows is already installed on your computer

-1. Open a command window.

-2. Set CLIENT_ID to your Azure application ID.

-3. Set CLIENT_SECRET to your Azure application secret.

-4. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender for Endpoint application.

-5. Run the following command:

- ```curl

- curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

- ```

- You get an answer of the form:

- ```console

- {"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}

- ```

-## Validate the token

-Confirm you received a correct token.

-1. Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it.

-2. Confirm you get a 'roles' claim with the desired permissions.

- In the following screenshot, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender for Endpoint:

- The "tid" claim is the tenant ID the token belongs to.

- :::image type="content" source="../media/webapp-decoded-token.png" alt-text="The token validation page" lightbox="../media/webapp-decoded-token.png":::

-## Use the token to access Microsoft Defender for Endpoint API

-1. Choose the API you want to use. For more information, see [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md).

-2. Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme). The Expiration time of the token is 1 hour (you can send more than one request with the same token).

- Here's an example of sending a request to get a list of alerts **using C#**

- ```csharp

- var httpClient = new HttpClient();

- var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts");

- request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

- var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

- // Do something useful with the response

- ```

-## See also

-description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user.

-# Create an app to access Microsoft Defender for Endpoint without a user

-**Applies to:**

-> [!IMPORTANT]

-> Advanced hunting capabilities are not included in Defender for Business.

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-This page describes how to create an application to get programmatic access to Defender for Endpoint without a user. If you need programmatic access to Defender for Endpoint on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md).

-Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).

-In general, you'll need to take the following steps to use the APIs:

-This article explains how to create a Microsoft Entra application, get an access token to Microsoft Defender for Endpoint, and validate the token.

-## Create an app

-1. Log on to [Azure](https://portal.azure.com) with a user that has the **Global Administrator** role.

-2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.

- :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The application registration pane" lightbox="../media/atp-azure-new-app2.png":::

-3. In the registration form, choose a name for your application, and then select **Register**.

-4. To enable your app to access Defender for Endpoint and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** \> **Add permission** \> **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**.

- > [!NOTE]

- > *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear.

- :::image type="content" source="../media/add-permission.png" alt-text="The API permissions pane" lightbox="../media/add-permission.png":::

- Select **Application permissions** \> **Alert.Read.All**, and then select **Add permissions**.

- :::image type="content" source="../media/application-permissions.png" alt-text="The application permission information pane" lightbox="../media/application-permissions.png":::

- You need to select the relevant permissions. 'Read All Alerts' is only an example. For example:

- - To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission.

- - To [isolate a device](isolate-machine.md), select the 'Isolate machine' permission.

- - To determine which permission you need, look at the **Permissions** section in the API you are interested to call.

-5. Select **Grant consent**.

- > [!NOTE]

- > Every time you add a permission, you must select **Grant consent** for the new permission to take effect.

- :::image type="content" source="../media/grant-consent.png" alt-text="The grant permissions page" lightbox="../media/grant-consent.png":::

-6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**.

- > [!NOTE]

- > After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave.

- :::image type="content" source="../media/webapp-create-key2.png" alt-text="The create application option" lightbox="../media/webapp-create-key2.png":::

-7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following.

- :::image type="content" source="../media/app-and-tenant-ids.png" alt-text="The created app and tenant IDs" lightbox="../media/app-and-tenant-ids.png":::

-8. **For Microsoft Defender for Endpoint Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted:

- - Go to **Authentication**, and add `https://portal.azure.com` as the **Redirect URI**.

- - On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app.

- You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Defender for Endpoint on behalf of your customer.

- You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.

- The consent link is formed as follows:

- ```https

- https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true

- ```

- Where 00000000-0000-0000-0000-000000000000 is replaced with your application ID.

-**Done!** You have successfully registered an application! See examples below for token acquisition and validation.

-## Get an access token

-For more information on Microsoft Entra tokens, see the [Microsoft Entra tutorial](/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds).

-### Use PowerShell

-```powershell

-# This script acquires the App Context Token and stores it in the variable $token for later use in the script.

-# Paste your Tenant ID, App ID, and App Secret (App key) into the indicated quotes below.

-$tenantId = '' ### Paste your tenant ID here

-$appId = '' ### Paste your Application ID here

-$appSecret = '' ### Paste your Application key here

-$sourceAppIdUri = 'https://api.securitycenter.microsoft.com/.default'

-$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

-$authBody = [Ordered] @{

- scope = "$sourceAppIdUri"

- client_id = "$appId"

- client_secret = "$appSecret"

- grant_type = 'client_credentials'

-}

-$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop

-$token = $authResponse.access_token

-$token

-```

-### Use C#:

-The following code was tested with NuGet Microsoft.Identity.Client 3.19.8.

-> [!IMPORTANT]

-> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade, see the [migration guide](/azure/active-directory/develop/msal-migration) for more details.

-1. Create a new console application.

-1. Install NuGet [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client/).

-1. Add the following:

- ```csharp

- using Microsoft.Identity.Client;

- ```

-1. Copy and paste the following code in your app (don't forget to update the three variables: ```tenantId, appId, appSecret```):

- ```csharp

- string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here

- string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here

- string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!

- const string authority = "https://login.microsoftonline.com";

- const string audience = "https://api.securitycenter.microsoft.com";

- IConfidentialClientApplication myApp = ConfidentialClientApplicationBuilder.Create(appId).WithClientSecret(appSecret).WithAuthority($"{authority}/{tenantId}").Build();

- List<string> scopes = new List<string>() { $"{audience}/.default" };

- AuthenticationResult authResult = myApp.AcquireTokenForClient(scopes).ExecuteAsync().GetAwaiter().GetResult();

- string token = authResult.AccessToken;

- ```

-### Use Python

-See [Get token using Python](run-advanced-query-sample-python.md#get-token).

-### Use Curl

-> [!NOTE]

-> The following procedure assumes that Curl for Windows is already installed on your computer.

-1. Open a command prompt, and set CLIENT_ID to your Azure application ID.

-1. Set CLIENT_SECRET to your Azure application secret.

-1. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Defender for Endpoint.

-1. Run the following command:

- ```console

- curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

- ```

-

- You will get an answer in the following form:

-

- ```console

- {"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}

- ```

-

-## Validate the token

-Ensure that you got the correct token:

-1. Copy and paste the token you got in the previous step into [JWT](https://jwt.ms) in order to decode it.

-1. Validate that you get a 'roles' claim with the desired permissions.

- In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender for Endpoint's roles:

- :::image type="content" source="../media/webapp-decoded-token.png" alt-text="The token details portion" lightbox="../media/webapp-decoded-token.png":::

-## Use the token to access Microsoft Defender for Endpoint API

-1. Choose the API you want to use. For more information, see [Supported Defender for Endpoint APIs](exposed-apis-list.md).

-1. Set the authorization header in the http request you send to "Bearer {token}" (Bearer is the authorization scheme).

-1. The expiration time of the token is one hour. You can send more than one request with the same token.

-The following is an example of sending a request to get a list of alerts **using C#**:

-```csharp

-var httpClient = new HttpClient();

-var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts");

-request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

-var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

-// Do something useful with the response

-```

-## See also

-description: Use these code samples, querying several Microsoft Defender for Endpoint APIs.

-# Microsoft Defender for Endpoint APIs using PowerShell

-**Applies to:**

-> [!IMPORTANT]

-> Advanced hunting capabilities are not included in Defender for Business.

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-enablesiem-abovefoldlink)

-Full scenario using multiple APIs from Microsoft Defender for Endpoint.

-In this section, we share PowerShell samples to

-**Prerequisite**: You first need to [create an app](apis-intro.md).

-## Preparation instructions

- ```

- Set-ExecutionPolicy -ExecutionPolicy Bypass

- ```

-For more information, see [PowerShell documentation](/powershell/module/microsoft.powershell.security/set-executionpolicy)

-## Get token

-Run the below:

-```

-$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here

-$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here

-$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here

-$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here

-$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'

-$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"

-$authBody = [Ordered] @{

- resource = "$resourceAppIdUri"

- client_id = "$appId"

- client_secret = "$appSecret"

- grant_type = 'client_credentials'

-}

-$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop

-$aadToken = $authResponse.access_token

-#Get latest alert

-$alertUrl = "https://api.securitycenter.microsoft.com/api/alerts?`$top=10"

-$headers = @{

- 'Content-Type' = 'application/json'

- Accept = 'application/json'

- Authorization = "Bearer $aadToken"

-}

-$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop

-$alerts = ($alertResponse | ConvertFrom-Json).value

-$machinesToInvestigate = New-Object System.Collections.ArrayList

-Foreach($alert in $alerts)

-{

- #echo $alert.id $alert.machineId $alert.severity $alert.status

- $isSevereAlert = $alert.severity -in 'Medium', 'High'

- $isOpenAlert = $alert.status -in 'InProgress', 'New'

- if($isOpenAlert -and $isSevereAlert)

- {

- if (-not $machinesToInvestigate.Contains($alert.machineId))

- {

- $machinesToInvestigate.Add($alert.machineId) > $null

- }

- }

-}

-$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')

-$query = "NetworkCommunicationEvents

-| where MachineId in ($commaSeparatedMachines)

-| where RemoteUrl == `"$suspiciousUrl`"

-| summarize ConnectionsCount = count() by MachineId"

-$queryUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"

-$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }

-$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop

-$response = ($queryResponse | ConvertFrom-Json).Results

-$response

-```

-## See also

-description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to.

-# Supported Microsoft Defender for Endpoint APIs

-**Applies to:**

-> [!IMPORTANT]

-> Advanced hunting capabilities are not included in Defender for Business.

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## Endpoint URI and versioning

-### Endpoint URI

-> The service base URI is: [https://api.security.microsoft.com](https://api.security.microsoft.com)

->

-> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to [https://api.security.microsoft.com/api/alerts](https://api.security.microsoft.com/api/alerts)

-### Versioning

-> The API supports versioning.

-> > The current version is **V1.0**.

-> > To use a specific version, use this format: `https://api.security.microsoft.com/api/{Version}`. For example: `https://api.security.microsoft.com/api/v1.0/alerts`

->

-> If you don't specify any version (e.g. `https://api.security.microsoft.com/api/alerts`) you will get to the latest version.

-Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.

-## In this section

-Topic | Description

-:|:

-[**Advanced Hunting** methods](run-advanced-query-api.md) | Run queries from API.

-[**Alert** methods and properties](alerts.md) | Run API calls such as \- get alerts, create alert, update alert and more.

-[Export **Assessment** per-device methods and properties](get-assessment-methods-properties.md) | Run API calls to gather vulnerability assessments on a per-device basis, such as: \- export secure configuration assessment, export software inventory assessment, export software vulnerabilities assessment, and delta export software vulnerabilities assessment.

-[**Automated investigation** methods and properties](investigation.md) | Run API calls such as \- get collection of Investigation.

-[Export device health methods and properties](device-health-api-methods-properties.md) | Run API Calls such as \- GET /api/public/avdeviceshealth.

-[**Domain**-related alerts](get-domain-related-alerts.md) | Run API calls such as \- get domain-related devices, domain statistics and more.

-[**File** methods and properties](files.md) | Run API calls such as \- get file information, file related alerts, file related devices, and file statistics.

-[**Indicators** methods and properties](ti-indicator.md) | Run API call such as \- get Indicators, create Indicator, and delete Indicators.

-[**IP**-related alerts](get-ip-related-alerts.md) | Run API calls such as \- get IP-related alerts and get IP statistics.

-[**Machine** methods and properties](machine.md) | Run API calls such as \- get devices, get devices by ID, information about logged on users, edit tags and more.

-[**Machine Action** methods and properties](machineaction.md) | Run API call such as \- Isolation, Run anti-virus scan and more.

-[**Recommendation** methods and properties](recommendation.md) | Run API calls such as \- get recommendation by ID.

-[**Remediation activity** methods and properties](get-remediation-methods-properties.md) | Run API call such as \- get all remediation tasks, get exposed devices remediation task and get one remediation task by id.

-[**Score** methods and properties](score.md) | Run API calls such as \- get exposure score or get device secure score.

-[**Software** methods and properties](software.md) | Run API calls such as \- list vulnerabilities by software.

-[**User** methods and properties](user.md) | Run API calls such as \- get user-related alerts and user-related devices.

-[**Vulnerability** methods and properties](vulnerability.md) | Run API calls such as \- list devices by vulnerability.

-## See also

-description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender for Endpoint.

-# OData queries with Microsoft Defender for Endpoint

-**Applies to:**

-> [!IMPORTANT]

-> Advanced hunting capabilities are not included in Defender for Business.

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-If you aren't familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)

-Not all properties are filterable.

-## Properties that support $filter

-### Example 1

-Get 10 latest Alerts with related Evidence:

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence

-```

-#### Response

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",

- "value": [

- {

- "id": "da637472900382838869_1364969609",

- "incidentId": 1126093,

- "investigationId": null,

- "assignedTo": null,

- "severity": "Low",

- "status": "New",

- "classification": null,

- "determination": null,

- "investigationState": "Queued",

- "detectionSource": "WindowsDefenderAtp",

- "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",

- "category": "Execution",

- "threatFamilyName": null,

- "title": "Low-reputation arbitrary code executed by signed executable",

- "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",

- "alertCreationTime": "2021-01-26T20:33:57.7220239Z",

- "firstEventTime": "2021-01-26T20:31:32.9562661Z",

- "lastEventTime": "2021-01-26T20:31:33.0577322Z",

- "lastUpdateTime": "2021-01-26T20:33:59.2Z",

- "resolvedTime": null,

- "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",

- "computerDnsName": "temp123.middleeast.corp.microsoft.com",

- "rbacGroupName": "A",

- "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",

- "threatName": null,

- "mitreTechniques": [

- "T1064",

- "T1085",

- "T1220"

- ],

- "relatedUser": {

- "userName": "temp123",

- "domainName": "DOMAIN"

- },

- "comments": [

- {

- "comment": "test comment for docs",

- "createdBy": "secop123@contoso.com",

- "createdTime": "2021-01-26T01:00:37.8404534Z"

- }

- ],

- "evidence": [

- {

- "entityType": "User",

- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",

- "sha1": null,

- "sha256": null,

- "fileName": null,

- "filePath": null,

- "processId": null,

- "processCommandLine": null,

- "processCreationTime": null,

- "parentProcessId": null,

- "parentProcessCreationTime": null,

- "parentProcessFileName": null,

- "parentProcessFilePath": null,

- "ipAddress": null,

- "url": null,

- "registryKey": null,

- "registryHive": null,

- "registryValueType": null,

- "registryValue": null,

- "accountName": "name",

- "domainName": "DOMAIN",

- "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",

- "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",

- "userPrincipalName": "temp123@microsoft.com",

- "detectionStatus": null

- },

- {

- "entityType": "Process",

- "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",

- "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",

- "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",

- "fileName": "rundll32.exe",

- "filePath": "C:\\Windows\\SysWOW64",

- "processId": 3276,

- "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",

- "processCreationTime": "2021-01-26T20:31:32.9581596Z",

- "parentProcessId": 8420,

- "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",

- "parentProcessFileName": "rundll32.exe",

- "parentProcessFilePath": "C:\\Windows\\System32",

- "ipAddress": null,

- "url": null,

- "registryKey": null,

- "registryHive": null,

- "registryValueType": null,

- "registryValue": null,

- "accountName": null,

- "domainName": null,

- "userSid": null,

- "aadUserId": null,

- "userPrincipalName": null,

- "detectionStatus": "Detected"

- },

- {

- "entityType": "File",

- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",

- "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",

- "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",

- "fileName": "suspicious.dll",

- "filePath": "c:\\temp",

- "processId": null,

- "processCommandLine": null,

- "processCreationTime": null,

- "parentProcessId": null,

- "parentProcessCreationTime": null,

- "parentProcessFileName": null,

- "parentProcessFilePath": null,

- "ipAddress": null,

- "url": null,

- "registryKey": null,

- "registryHive": null,

- "registryValueType": null,

- "registryValue": null,

- "accountName": null,

- "domainName": null,

- "userSid": null,

- "aadUserId": null,

- "userPrincipalName": null,

- "detectionStatus": "Detected"

- }

- ]

- },

- ...

- ]

-}

-```

-### Example 2

-Get all the alerts last updated after 2019-11-22 00:00:00:

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z

-```

-#### Response

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",

- "value": [

- {

- "id": "da637308392288907382_-880718168",

- "incidentId": 7587,

- "investigationId": 723156,

- "assignedTo": "secop123@contoso.com",

- "severity": "Low",

- "status": "New",

- "classification": "TruePositive",

- "determination": null,

- "investigationState": "Queued",

- "detectionSource": "WindowsDefenderAv",

- "category": "SuspiciousActivity",

- "threatFamilyName": "Meterpreter",

- "title": "Suspicious 'Meterpreter' behavior was detected",

- "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",

- "alertCreationTime": "2020-07-20T10:53:48.7657932Z",

- "firstEventTime": "2020-07-20T10:52:17.6654369Z",

- "lastEventTime": "2020-07-20T10:52:18.1362905Z",

- "lastUpdateTime": "2020-07-20T10:53:50.19Z",

- "resolvedTime": null,

- "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",

- "computerDnsName": "temp123.middleeast.corp.microsoft.com",

- "rbacGroupName": "MiddleEast",

- "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",

- "threatName": null,

- "mitreTechniques": [

- "T1064",

- "T1085",

- "T1220"

- ],

- "relatedUser": {

- "userName": "temp123",

- "domainName": "DOMAIN"

- },

- "comments": [

- {

- "comment": "test comment for docs",

- "createdBy": "secop123@contoso.com",

- "createdTime": "2020-07-21T01:00:37.8404534Z"

- }

- ],

- "evidence": []

- }

- ...

- ]

-}

-```

-### Example 3

-Get all the devices with 'High' 'RiskScore':

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High'

-```

-#### Response

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",

- "value": [

- {

- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",

- "computerDnsName": "mymachine1.contoso.com",

- "firstSeen": "2018-08-02T14:55:03.7791856Z",

- "lastSeen": "2021-01-25T07:27:36.052313Z",

- "osPlatform": "Windows10" "Windows11",

- "osProcessor": "x64",

- "version": "1901",

- "lastIpAddress": "10.166.113.46",

- "lastExternalIpAddress": "167.220.203.175",

- "osBuild": 19042,

- "healthStatus": "Active",

- "deviceValue": "Normal",

- "rbacGroupName": "The-A-Team",

- "riskScore": "High",

- "exposureLevel": "Low",

- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",

- "machineTags": [

- "Tag1",

- "Tag2"

- ],

- "ipAddresses": [

- {

- "ipAddress": "10.166.113.47",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- },

- {

- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- }

- ]

- },

- ...

- ]

-}

-```

-### Example 4

-Get top 100 devices with 'HealthStatus' not equals to 'Active':

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100

-```

-#### Response

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",

- "value": [

- {

- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",

- "computerDnsName": "mymachine1.contoso.com",

- "firstSeen": "2018-08-02T14:55:03.7791856Z",

- "lastSeen": "2021-01-25T07:27:36.052313Z",

- "osPlatform": "Windows10",

- "osProcessor": "x64",

- "version": "1901",

- "lastIpAddress": "10.166.113.46",

- "lastExternalIpAddress": "167.220.203.175",

- "osBuild": 19042,

- "healthStatus": "Active",

- "deviceValue": "Normal",

- "rbacGroupName": "The-A-Team",

- "riskScore": "Low",

- "exposureLevel": "Low",

- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",

- "machineTags": [

- "Tag1",

- "Tag2"

- ],

- "ipAddresses": [

- {

- "ipAddress": "10.166.113.47",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- },

- {

- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- }

- ]

- },

- ...

- ]

-}

-```

-### Example 5

-Get all the devices that last seen after 2018-10-20:

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z

-```

-#### Response

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",

- "value": [

- {

- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",

- "computerDnsName": "mymachine1.contoso.com",

- "firstSeen": "2018-08-02T14:55:03.7791856Z",

- "lastSeen": "2021-01-25T07:27:36.052313Z",

- "osPlatform": "Windows10",

- "osProcessor": "x64",

- "version": "1901",

- "lastIpAddress": "10.166.113.46",

- "lastExternalIpAddress": "167.220.203.175",

- "osBuild": 19042,

- "healthStatus": "Active",

- "deviceValue": "Normal",

- "rbacGroupName": "The-A-Team",

- "riskScore": "Low",

- "exposureLevel": "Low",

- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",

- "machineTags": [

- "Tag1",

- "Tag2"

- ],

- "ipAddresses": [

- {

- "ipAddress": "10.166.113.47",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- },

- {

- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- }

- ]

- },

- ...

- ]

-}

-```

-### Example 6

-Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint:

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'

-```

-#### Response

-```json

-json{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",

- "value": [

- {

- "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",

- "type": "RunAntiVirusScan",

- "scope": "Full",

- "requestor": "Analyst@contoso.com",

- "requestorComment": "Check machine for viruses due to alert 3212",

- "status": "Succeeded",

- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",

- "computerDnsName": "desktop-39g9tgl",

- "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",

- "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",

- "relatedFileInfo": null

- },

- ...

- ]

-}

-```

-### Example 7

-Get the count of open alerts for a specific device:

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'

-```

-#### Response

-```json

-4

-```

-### Example 8

-Get all the devices with 'computerDnsName' starting with 'mymachine':

-```http

-HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=startswith(computerDnsName,'mymachine')

-```

-#### Response

-```json

-json{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",

- "value": [

- {

- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",

- "computerDnsName": "mymachine1.contoso.com",

- "firstSeen": "2018-08-02T14:55:03.7791856Z",

- "lastSeen": "2021-01-25T07:27:36.052313Z",

- "osPlatform": "Windows10",

- "osProcessor": "x64",

- "version": "1901",

- "lastIpAddress": "10.166.113.46",

- "lastExternalIpAddress": "167.220.203.175",

- "osBuild": 19042,

- "healthStatus": "Active",

- "deviceValue": "Normal",

- "rbacGroupName": "The-A-Team",

- "riskScore": "Low",

- "exposureLevel": "Low",

- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",

- "machineTags": [

- "Tag1",

- "Tag2"

- ],

- "ipAddresses": [

- {

- "ipAddress": "10.166.113.47",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- },

- {

- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",

- "macAddress": "8CEC4B897E73",

- "operationalStatus": "Up"

- }

- ]

- },

- ...

- ]

-}

-```

-## See also

-[Microsoft Defender for Endpoint APIs](apis-intro.md)

-description: Learn how to fetch alerts from a customer tenant

-# Fetch alerts from MSSP customer tenant

-**Applies to:**

-> [!NOTE]

-> This action is taken by the MSSP.

-There are two ways you can fetch alerts:

-## Fetch alerts into your SIEM

-To fetch alerts into your SIEM system, you'll need to take the following steps:

-<a name='step-1-create-an-application-in-azure-active-directory-azure-ad'></a>

-### Step 1: Create an application in Microsoft Entra ID

-You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender XDR tenant.

-1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/).

-2. Select **Microsoft Entra ID** \> **App registrations**.

-3. Click **New registration**.

-4. Specify the following values:

- - Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)

- - Supported account types: Account in this organizational directory only

- - Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)

-5. Click **Register**. The application is displayed in the list of applications you own.

-6. Select the application, then click **Overview**.

-7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.

-8. Select **Certificate & secrets** in the new application panel.

-9. Click **New client secret**.

- - Description: Enter a description for the key.

- - Expires: Select **In 1 year**

-10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.

-### Step 2: Get access and refresh tokens from your customer's tenant

-This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.

-After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.

-1. Create a new folder and name it: `MsspTokensAcquisition`.

-2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.

- > [!NOTE]

- > In line 30, replace `authorzationUrl` with `authorizationUrl`.

-3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:

- ```powershell

- param (

- [Parameter(Mandatory=$true)][string]$clientId,

- [Parameter(Mandatory=$true)][string]$secret,

- [Parameter(Mandatory=$true)][string]$tenantId

- )

- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

- # Load our Login Browser Function

- Import-Module .\LoginBrowser.psm1

- # Configuration parameters

- $login = "https://login.microsoftonline.com"

- $redirectUri = "https://SiemMsspConnector"

- $resourceId = "https://graph.windows.net"

- Write-Host 'Prompt the user for his credentials, to get an authorization code'

- $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f

- $login, $tenantId, $clientId, $redirectUri, $resourceId)

- Write-Host "authorzationUrl: $authorizationUrl"

- # Fake a proper endpoint for the Redirect URI

- $code = LoginBrowser $authorizationUrl $redirectUri

- # Acquire token using the authorization code

- $Body = @{

- grant_type = 'authorization_code'

- client_id = $clientId

- code = $code

- redirect_uri = $redirectUri

- resource = $resourceId

- client_secret = $secret

- }

- $tokenEndpoint = "$login/$tenantId/oauth2/token?"

- $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body

- $token = $Response.access_token

- $refreshToken= $Response.refresh_token

- Write-Host " -- TOKEN - "

- Write-Host $token

- Write-Host " -- REFRESH TOKEN - "

- Write-Host $refreshToken

- ```

-4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.

-5. Run the following command:

- `Set-ExecutionPolicy -ExecutionPolicy Bypass`

-6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`

- - Replace \<client_id\> with the **Application (client) ID** you got from the previous step.

- - Replace \<app_key\> with the **Client Secret** you created from the previous step.

- - Replace \<customer_tenant_id\> with your customer's **Tenant ID**.

-7. You'll be asked to provide your credentials and consent. Ignore the page redirect.

-8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.

-<a name='step-3-allow-your-application-on-microsoft-365-defender'></a>

-### Step 3: Allow your application on Microsoft Defender XDR

-You'll need to allow the application you created in Microsoft Defender XDR.

-You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.

-1. Go to `https://security.microsoft.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.

-2. Click **Settings** \> **Endpoints** \> **APIs** \> **SIEM**.

-3. Select the **MSSP** tab.

-4. Enter the **Application ID** from the first step and your **Tenant ID**.

-5. Click **Authorize application**.

-You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender XDR API. For more information, see, [Pull alerts to your SIEM tools](../configure-siem.md).

-## Fetch alerts from MSSP customer's tenant using APIs

-For information on how to fetch alerts using REST API, see [Fetch alerts from MSSP customer tenant](fetch-alerts-mssp.md).

-## See also

-description: Retrieve recent Microsoft Defender for Endpoint alerts related to files.

-# File resource type

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-Represent a file entity in Defender for Endpoint.

-## Methods

-|Method|Return Type |Description|

-|:|:|:|

-|[Get file](get-file-information.md) | [file](files.md) | Get a single file |

-|[List file related alerts](get-file-related-alerts.md) | [alert](alerts.md) collection | Get the [alert](alerts.md) entities that are associated with the file.|

-|[List file related machines](get-file-related-machines.md) | [machine](machine.md) collection | Get the [machine](machine.md) entities associated with the alert.|

-|[file statistics](get-file-statistics.md) | Statistics summary | Retrieves the prevalence for the given file.|

-## Properties

-|Property | Type | Description |

-|:|:|:|

-|sha1 | String | Sha1 hash of the file content |

-|sha256 | String | Sha256 hash of the file content |

-|globalPrevalence | Nullable long | File prevalence across organization |

-|globalFirstObserved | DateTimeOffset | First time the file was observed |

-|globalLastObserved | DateTimeOffset | Last time the file was observed |

-|size | Nullable long | Size of the file |

-|fileType | String | Type of the file |

-|isPeFile | Boolean | true if the file is portable executable (for example `DLL`, `EXE`, etc.) |

-|filePublisher | String | File publisher |

-|fileProductName | String | Product name |

-|signer | String | File signer |

-|issuer | String | File issuer |

-|signerHash | String | Hash of the signing certificate |

-|isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender for Endpoint agent |

-|determinationType | String | The determination type of the file |

-|determinationValue | String | Determination value |

-## Json representation

-```json

-{

- "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",

- "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",

- "globalPrevalence": 180022,

- "globalFirstObserved": "2017-09-19T03:51:27.6785431Z",

- "globalLastObserved": "2020-01-06T03:59:21.3229314Z",

- "size": 22139496,

- "fileType": "APP",

- "isPeFile": true,

- "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",

- "fileProductName": "EaseUS MobiSaver for Android",

- "signer": "CHENGDU YIWO Tech Development Co., Ltd.",

- "issuer": "VeriSign Class 3 Code Signing 2010 CA",

- "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",

- "isValidCertificate": false,

- "determinationType": "Pua",

- "determinationValue": "PUA:Win32/FusionCore"

-}

-```

-description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP.

-# Find device information by internal IP API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-Find a device by internal IP.

-> [!NOTE]

-> The timestamp must be within the last 30 days.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.Read.All|'Read all machine profiles'

-Application|Machine.ReadWrite.All|'Read and write all machine information'

-## HTTP request

-```http

-GET /api/machines/find(timestamp={time},key={IP})

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful and machine exists - 200 OK.

-If no machine found - 404 Not Found.

-## Example

-### Request example

-Here's an example of the request.

-```http

-GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')

-Content-type: application/json

-```

-### Response example

-Here's an example of the response.

-The response will return a list of all devices that reported this IP address within 16 minutes prior and after the timestamp.

-```json

-HTTP/1.1 200 OK

-Content-type: application/json

-{

- "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",

- "value": [

- {

- "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",

- "computerDnsName": "",

- "firstSeen": "2017-07-06T01:25:04.9480498Z",

- "osPlatform": "Windows10",

-...

-}

-```

-description: Find devices seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp

-# Find devices by internal IP API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Find [Machines](machine.md) seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.

-## Limitations

-1. The given timestamp must be in the past 30 days.

-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.Read.All|'Read all machine profiles'

-Application|Machine.ReadWrite.All|'Read and write all machine information'

-Delegated (work or school account)|Machine.Read|'Read machine information'

-Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - Response will include only devices that the user have access to based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md))

-> - The user needs to have at least the following role permission: 'View Data' (For more information, see [Create and manage roles](../user-roles.md))

-> - Response will include only devices that the user have access to based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md))

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful - 200 OK with list of the machines in the response body.

-If the timestamp isn't in the past 30 days - 400 Bad Request.

-## Example

-### Request

-Here's an example of the request.

-```http

-GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)

-```

-description: Find all devices that contain specific tag

-# Find devices by tag API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Find [Machines](machine.md) by [Tag](../machine-tags.md).

-`startswith` query is supported.

-## Limitations

-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.Read.All|'Read all machine profiles'

-Application|Machine.ReadWrite.All|'Read and write all machine information'

-Delegated (work or school account)|Machine.Read|'Read machine information'

-Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - Response will include only devices that the user have access to based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md))

-> - The user needs to have at least the following role permission: 'View Data' (For more information, see [Create and manage roles](../user-roles.md))

-> - Response will include only devices that the user have access to based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md))

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false}

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request URI parameters

-Name|Type|Description

-:|:|:

-tag|String|The tag name. **Required**.

-useStartsWithFilter|Boolean|When set to true, the search finds all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**.

-## Request body

-Empty

-## Response

-If successful - 200 OK with list of the machines in the response body.

-## Example

-### Request

-Here's an example of the request.

-```http

-GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true

-```

-description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender for Endpoint.

-# Get alert information by ID API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Retrieves specific [Alert](alerts.md) by its ID.

-## Limitations

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).

-Permission type|Permission|Permission display name

-:|:|:

-Application|Alert.Read.All|'Read all alerts'

-Application|Alert.ReadWrite.All|'Read and write all alerts'

-Delegated (work or school account)|Alert.Read|'Read alerts'

-Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'View Data' (For more information, see [Create and manage roles](../user-roles.md))

-> - The user needs to have access to the device associated with the alert, based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md))

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-GET /api/alerts/{id}

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If an alert with the specified ID wasn't found - 404 Not Found.

-description: Retrieve all domains related to a specific alert using Microsoft Defender for Endpoint.

-# Get alert related domain information API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Retrieves all domains related to a specific alert.

-## Limitations

-1. You can query on alerts last updated according to your configured retention period.

-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|URL.Read.All|'Read URLs'

-Delegated (work or school account)|URL.Read.All|'Read URLs'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'View Data' (For more information, see [Create and manage roles](../user-roles.md))

-> - The user needs to have access to the device associated with the alert, based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md))

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-GET /api/alerts/{id}/domains

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.

-## Example

-### Request

-Here's an example of the request.

-```http

-GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains

-```

-### Response example

-Here's an example of the response.

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains",

- "value": [

- {

- "host": "www.example.com"

- },

- {

- "host": "www.example2.com"

- }

- ...

- ]

-}

-```

-description: Retrieve all files related to a specific alert using Microsoft Defender for Endpoint.

-# Get alert related files information API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Retrieves all files related to a specific alert.

-## Limitations

-1. You can query on alerts last updated according to your configured retention period.

-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|File.Read.All|'Read file profiles'

-Delegated (work or school account)|File.Read.All|'Read file profiles'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](../user-roles.md) for more information)

-> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information)

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-GET /api/alerts/{id}/files

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.

-## Example

-### Request example

-Here is an example of the request.

-```http

-GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files

-```

-### Response example

-Here is an example of the response.

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files",

- "value": [

- {

- "sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70",

- "sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa",

- "md5": "8d5b7cc9a832e21d22503057e1fec8e9",

- "globalPrevalence": 29,

- "globalFirstObserved": "2019-03-23T23:54:06.0135204Z",

- "globalLastObserved": "2019-04-23T00:43:20.0489831Z",

- "size": 113984,

- "fileType": null,

- "isPeFile": true,

- "filePublisher": "Microsoft Corporation",

- "fileProductName": "Microsoft© Windows© Operating System",

- "signer": "Microsoft Corporation",

- "issuer": "Microsoft Code Signing PCA",

- "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",

- "isValidCertificate": true,

- "determinationType": "Unknown",

- "determinationValue": null

- }

- ...

- ]

-}

-```

-description: Retrieve all IPs related to a specific alert using Microsoft Defender for Endpoint.

-# Get alert-related IPs' information API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Retrieves all IPs related to a specific alert.

-## Limitations

-1. You can query on alerts last updated according to your configured retention period.

-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Ip.Read.All|'Read IP address profiles'

-Delegated (work or school account)|Ip.Read.All|'Read IP address profiles'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'View Data' (For more information, see [Create and manage roles](../user-roles.md)

-> - The user needs to have access to the device associated with the alert, based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md)

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-GET /api/alerts/{id}/ips

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.

-## Example

-### Request example

-Here's an example of the request.

-```http

-GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips

-```

-### Response example

-Here's an example of the response.

-```json

-{

- "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips",

- "value": [

- {

- "id": "104.80.104.128"

- },

- {

- "id": "23.203.232.228

- }

- ...

- ]

-}

-```

-description: Retrieve all devices related to a specific alert using Microsoft Defender for Endpoint.

-# Get alert related machine information API

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-## API description

-Retrieves [Device](machine.md) related to a specific alert.

-## Limitations

-1. You can query on alerts last updated according to your configured retention period.

-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

-## Permissions

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)

-Permission type|Permission|Permission display name

-:|:|:

-Application|Machine.Read.All|'Read all machine information'

-Application|Machine.ReadWrite.All|'Read and write all machine information'

-Delegated (work or school account)|Machine.Read|'Read machine information'

-Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'

-> [!NOTE]

-> When obtaining a token using user credentials:

->

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](../user-roles.md) for more information)

-> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information)

->

-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-## HTTP request

-```http

-GET /api/alerts/{id}/machine

-```

-## Request headers

-Name|Type|Description

-:|:|:

-Authorization|String|Bearer {token}. **Required**.

-## Request body

-Empty

-## Response

-If successful and alert and device exist - 200 OK. If alert not found or device not found - 404 Not Found.

-## Example

-### Request example

-Here is an example of the request.

-```http

-GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine

-```

-### Response example

-Here is an example of the response.

-```json

-{

- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",

- "computerDnsName": "mymachine1.contoso.com",

- "firstSeen": "2018-08-02T14:55:03.7791856Z",

- "lastSeen": "2021-01-25T07:27:36.052313Z",