Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
commerce | Manage Third Party App Licenses | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md | |
enterprise | Why You Need To Use Microsoft 365 Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/why-you-need-to-use-microsoft-365-powershell.md | f1.keywords: - admindeeplinkEXCHANGE - has-azure-ad-ps-ref- - azure-ad-ref-level-one-done ms.assetid: b3209b1a-40c7-4ede-8e78-8a88bb2adc8a description: "Summary: Understand why you must use PowerShell to manage Microsoft 365, in some cases more efficiently and in other cases by necessity." |
includes | Unified Soc Preview No Alert | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/unified-soc-preview-no-alert.md | + + Title: "include file" +description: "include file" Last updated : 03/27/2024+++++++++Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). |
includes | Unified Soc Preview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/unified-soc-preview.md | + + Title: "include file" +description: "include file" Last updated : 03/27/2024+++++++++> [!IMPORTANT] +> Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). |
security | Android Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md | Network protection in Microsoft Defender for endpoint is disabled by default. Ad 1. In Settings page, select **'Use configuration designer'** and add **'Enable Network Protection in Microsoft Defender'** as the key and value as **'1'** to enable Network Protection. (Network protection is disabled by default) > [!div class="mx-imgBorder"]- > ![Image of how to select enable network protection policy](images/selectnp.png) + > ![Image of how to select enable network protection policy](media/selectnp.png) > [!div class="mx-imgBorder"] > ![Image of add configuration policy.](media/npvalue.png) |
security | Android Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md | Follow the steps below to add Microsoft Defender for Endpoint app into your mana 1. Click on **Add** to view a list of supported configurations. Select the required configuration and click on **Ok**. - :::image type="content" alt-text="Image of selecting configuration policies for android." source="images/selectconfigurations.png" lightbox="images/selectconfigurations.png"::: + :::image type="content" alt-text="Image of selecting configuration policies for android." source="media/selectconfigurations.png" lightbox="media/selectconfigurations.png"::: 1. You should see all the selected configurations listed. You can change the configuration value as required and then select **Next**. Admins can go to the [Microsoft Endpoint Management admin center](https://endpoi 1. Enter **Name** and **Description** to uniquely identify the configuration policy. Select platform as **'Android Enterprise'**, Profile type as **'Personally-owned work profile only'** and Targeted app as **'Microsoft Defender'**. > [!div class="mx-imgBorder"]- > ![Image of naming configuration policy.](images/selectapp.png) + > ![Image of naming configuration policy.](media/selectapp.png) 1. On the settings page, in **'Configuration settings format'**, select **'Use configuration designer'** and click on **Add**. From the list of configurations that are displayed, select **'Microsoft Defender in Personal profile'**. Admins can go to the [Microsoft Endpoint Management admin center](https://endpoi 1. **Assign** the configuration policy to a group of users. **Review and create** the policy. > [!div class="mx-imgBorder"]- > ![Image of reviewing and creating policy.](images/savepolicy.png) + > ![Image of reviewing and creating policy.](media/savepolicy.png) Admins also can set up **privacy controls** from the Microsoft Intune admin center to control what data can be sent by the Defender mobile client to the security portal. For more information, see [configuring privacy controls](android-configure.md). |
security | Android Support Signin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md | If a user faces an issue, which isn't already addressed in the above sections or 1. Open the **MDE application** on your device and select on the **profile icon** in the top-left corner. - :::image type="content" source="images/select-profile-icon-1.jpg" alt-text="The profile icon in the Microsoft Defender for Endpoint portal" lightbox="images/select-profile-icon-1.jpg"::: + :::image type="content" source="media/select-profile-icon-1.jpg" alt-text="The profile icon in the Microsoft Defender for Endpoint portal" lightbox="media/select-profile-icon-1.jpg"::: 2. Select "Help & feedback". - :::image type="content" source="images/selecthelpandfeedback2.png" alt-text="The Help & feedback option that can be selected in the Microsoft Defender for Endpoint portal" lightbox="images/selecthelpandfeedback2.png"::: + :::image type="content" source="media/selecthelpandfeedback2.png" alt-text="The Help & feedback option that can be selected in the Microsoft Defender for Endpoint portal" lightbox="media/selecthelpandfeedback2.png"::: 3. Select "Send feedback to Microsoft". - :::image type="content" alt-text="Select send feedback to Microsoft" source="images/send-feedback-to-microsoft-3.jpg"::: + :::image type="content" alt-text="Select send feedback to Microsoft" source="media/send-feedback-to-microsoft-3.jpg"::: 4. Choose from the given options. To report an issue, select "I want to report an issue". |
security | Exposed Apis Create App Nativeapp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp.md | Verify to make sure you got a correct token: - Validate you get a 'scp' claim with the desired app permissions. - In the screenshot below you can see a decoded token acquired from the app in the tutorial: - :::image type="content" source="../images/nativeapp-decoded-token.png" alt-text="The token validation page" lightbox="../images/nativeapp-decoded-token.png"::: + :::image type="content" source="../media/nativeapp-decoded-token.png" alt-text="The token validation page" lightbox="../media/nativeapp-decoded-token.png"::: ## Use the token to access Microsoft Defender for Endpoint API |
security | Configure Endpoints Gp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md | Browse to **Computer Configuration** \> **Policies** \> **Administrative Templat :::image type="content" source="media/gpo-maps-join-ms-maps.png" alt-text="Join microsoft maps" lightbox="media/gpo-maps-join-ms-maps.png"::: > [!NOTE] > The **Send all samples** option will provide the most analysis of binaries/scripts/docs which increases security posture. For more information, see [Turn on cloud protection in Microsoft Defender Antivi Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**. :::image type="content" source="images/signature-update-2.png" alt-text="Signature definition update" lightbox="images/signature-update-2.png"::: |
security | Configure Endpoints Sccm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md | If you're using System Center 2012 R2 Configuration Manager, monitoring consists If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). - :::image type="content" source="images/sccm-deployment.png" alt-text="The Configuration Manager showing successful deployment with no errors" lightbox="images/sccm-deployment.png"::: + :::image type="content" source="media/sccm-deployment.png" alt-text="The Configuration Manager showing successful deployment with no errors" lightbox="media/sccm-deployment.png"::: ### Check that the devices are compliant with the Microsoft Defender for Endpoint service |
security | Configure Endpoints Script | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md | Check out [Identify Defender for Endpoint architecture and deployment method](de 2. Right-click **Command prompt** and select **Run as administrator**. - :::image type="content" source="images/run-as-admin.png" alt-text="The Window Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png"::: + :::image type="content" source="media/run-as-admin.png" alt-text="The Window Start menu pointing to Run as administrator" lightbox="media/run-as-admin.png"::: 4. Type the location of the script file. If you copied the file to the desktop, type: `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd` For security reasons, the package used to offboard devices expires three days af 2. Right-click **Command prompt** and select **Run as administrator**. - :::image type="content" source="images/run-as-admin.png" alt-text="The Windows Start menu pointing to the Run as administrator option" lightbox="images/run-as-admin.png"::: + :::image type="content" source="media/run-as-admin.png" alt-text="The Windows Start menu pointing to the Run as administrator option" lightbox="media/run-as-admin.png"::: 4. Type the location of the script file. If you copied the file to the desktop, type: `%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd` |
security | Configure Extension File Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md | description: Exclude files from Microsoft Defender Antivirus scans based on thei ms.localizationpriority: medium Previously updated : 06/06/2023 Last updated : 04/03/2024 The following table lists some examples of exclusions based on file extension an |Exclusion|Examples|Exclusion list| ||||-|Any file with a specific extension|All files with the specified extension, anywhere on the machine. <p> Valid syntax: `.test` and `test`|Extension exclusions| +|Any file with a specific extension|All files with the specified extension, anywhere on the machine. <br/><br/> Valid syntax: `.test` and `test`|Extension exclusions| |Any file under a specific folder|All files under the `c:\test\sample` folder|File and folder exclusions| |A specific file in a specific folder|The file `c:\sample\sample.test` only|File and folder exclusions| |A specific process|The executable file `c:\test\process.exe`|File and folder exclusions| The following table lists some examples of exclusions based on file extension an ## Characteristics of exclusion lists - Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.-- File extensions apply to any file name with the defined extension if a path or folder is not defined.+- File extensions apply to any file name with the defined extension if a path or folder isn't defined. ## Important notes about exclusions based on file extensions and folder locations -- Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.+- Using wildcards such as the asterisk (\*) alters how exclusion rules are interpreted. See the section, [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for important information about how wildcards work. - Don't exclude mapped network drives. Specify the actual network path. -- Folders that are reparse points are created after the Microsoft Defender Antivirus service starts, and those that have been added to the exclusion list will not be included. Restart the service by restarting Windows for new reparse points to be recognized as a valid exclusion target.+- Folders that are reparse points are created after the Microsoft Defender Antivirus service starts, and those that were added to the exclusion list aren't included. Restart the service by restarting Windows for new reparse points to be recognized as a valid exclusion target. - Exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), but not across all Defender for Endpoint capabilities. To define exclusions across Defender for Endpoint, use [custom indicators](manage-indicators.md). -- By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. In addition, exclusion list changes made with Group Policy are visible in the [Windows Security app](microsoft-defender-security-center-antivirus.md).+- By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) are merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. In addition, exclusion list changes made with Group Policy are visible in the [Windows Security app](microsoft-defender-security-center-antivirus.md). - To allow local changes to override managed deployment settings, [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists). The following table lists values that you can use in the `<exclusion list>` port |All files under a folder (including files in sub-directories), or a specific file|`-ExclusionPath`| > [!IMPORTANT]-> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. +> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again overwrites the existing list. For example, the following code snippet would cause Microsoft Defender Antivirus scans to exclude any file with the `.test` file extension: The following table describes how the wildcards can be used and provides some ex |Wildcard|Examples| |||-|`*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders, and `C:\Serv\Secondary\Allowed\Backup` and its subfolders| -|`?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders| -|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated.|`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`| +|`*` (asterisk) <br/><br/> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\*.txt` includes `C:\MyData\notes.txt` <br/><br/> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <br/><br/> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders, and `C:\Serv\Secondary\Allowed\Backup` and its subfolders| +|`?` (question mark) <br/><br/> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <br/><br/> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <br/><br/> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders| +|Environment variables <br/><br/> The defined variable is populated as a path when the exclusion is evaluated.|`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`| > [!IMPORTANT]-> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> If you mix a file exclusion argument with a folder exclusion argument, the rules stop at the file argument match in the matched folder, and don't look for file matches in any subfolders. > For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.-> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. +> This argument doesn't match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. <a id="review"></a> MpCmdRun.exe -CheckExclusion -path <path> ``` > [!NOTE]-> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.2111-5.0 (released in December 2021) or later. +> Checking exclusions with `MpCmdRun` requires Microsoft Defender Antivirus [version 4.18.2111-5.0 (released in December 2021)](/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support#november-2021-platform-41821115--engine-11188004) or later. ### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell For more information, see [Use PowerShell cmdlets to configure and run Microsoft You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. -In the following PowerShell snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path. +In the following PowerShell snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you're testing a path, make sure that you run the cmdlet within that path. ```PowerShell Invoke-WebRequest "https://secure.eicar.org/eicar.com.txt" -OutFile "test.txt" |
security | Configure Machines Asr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md | The *Attack surface management card* is an entry point to tools in <a href="http Select **Go to attack surface management** \> **Reports** \> **Attack surface reduction rules** \> **Add exclusions**. From there, you can navigate to other sections of Microsoft Defender portal. > *The **Add exclusions** tab in the Attack surface reduction rules page in Microsoft Defender portal* |
security | Configure Machines Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md | Watch this video to learn how to easily onboard clients with Microsoft Defender The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows devices. *Card showing onboarded devices compared to the total number of Intune-managed Windows devices* Defender for Endpoint provides several convenient options for [onboarding Window From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. *Microsoft Defender for Endpoint device compliance page on Intune device management* |
security | Configure Machines Security Baseline | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md | Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 and Windows 11 devices that have been assigned the Defender for Endpoint security baseline. *Card showing compliance to the Defender for Endpoint security baseline* Device configuration management monitors baseline compliance only of Windows 10 2. Create a new profile. - :::image type="content" source="images/secconmgmt_baseline_intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="images/secconmgmt_baseline_intuneprofile1.png":::<br> + :::image type="content" source="media/secconmgmt_baseline_intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="media/secconmgmt_baseline_intuneprofile1.png":::<br> *Microsoft Defender for Endpoint security baseline overview on Intune* 3. During profile creation, you can review and adjust specific settings on the baseline. - :::image type="content" source="images/secconmgmt_baseline_intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="images/secconmgmt_baseline_intuneprofile2.png":::<br> + :::image type="content" source="media/secconmgmt_baseline_intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="media/secconmgmt_baseline_intuneprofile2.png":::<br> *Security baseline options during profile creation on Intune* 4. Assign the profile to the appropriate device group. - :::image type="content" source="images/secconmgmt_baseline_intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="images/secconmgmt_baseline_intuneprofile3.png":::<br> + :::image type="content" source="media/secconmgmt_baseline_intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="media/secconmgmt_baseline_intuneprofile3.png":::<br> *Assigning the security baseline profile on Intune* 5. Create the profile to save it and deploy it to the assigned device group. - :::image type="content" source="images/secconmgmt_baseline_intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="images/secconmgmt_baseline_intuneprofile4.png":::<br> + :::image type="content" source="media/secconmgmt_baseline_intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="media/secconmgmt_baseline_intuneprofile4.png":::<br> *Creating the security baseline profile on Intune* > [!TIP] |
security | Configure Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md | With properly configured devices, you can boost overall resilience against threa Click **Configuration management** from the navigation menu to open the Device configuration management page. *Device configuration management page* If you have been assigned other roles, ensure you have the necessary permissions - Read permissions to device compliance policies - Read permissions to the organization *Device configuration permissions on Intune* |
security | Configure Microsoft Threat Experts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md | If you're already a Defender for Endpoint customer, you can apply through the Mi 2. Click **Apply**. - :::image type="content" source="images/mte-collaboratewithmte.png" alt-text="The Microsoft Defender Experts settings" lightbox="images/mte-collaboratewithmte.png"::: + :::image type="content" source="media/mte-collaboratewithmte.png" alt-text="The Microsoft Defender Experts settings" lightbox="media/mte-collaboratewithmte.png"::: 3. Enter your name and email address so that Microsoft can get back to you on your application. - :::image type="content" source="images/mte-apply.png" alt-text="The Name field on the Microsoft Defender Experts application page" lightbox="images/mte-apply.png"::: + :::image type="content" source="media/mte-apply.png" alt-text="The Name field on the Microsoft Defender Experts application page" lightbox="media/mte-apply.png"::: 4. Read the [privacy statement](https://privacy.microsoft.com/privacystatement), then click **Submit** when you're done. You'll receive a welcome email once your application is approved. - :::image type="content" source="images/mte-applicationconfirmation.png" alt-text="The Microsoft Defender Experts application confirmation message" lightbox="images/mte-applicationconfirmation.png"::: + :::image type="content" source="media/mte-applicationconfirmation.png" alt-text="The Microsoft Defender Experts application confirmation message" lightbox="media/mte-applicationconfirmation.png"::: When accepted, you'll receive a welcome email and you'll see the **Apply** button change to a toggle that is "on". In case you want to take yourself out of the Endpoint Attack Notifications service, slide the toggle "off" and click **Save preferences** at the bottom of the page. |
security | Configure Real Time Protection Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md | Title: Enable and configure Microsoft Defender Antivirus always-on protection -description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine learning +description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine learning. ms.localizationpriority: medium Previously updated : 05/24/2023 Last updated : 04/03/2024 You can use Intune to configure antivirus policies, and then apply those policie > [!IMPORTANT] > We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage Microsoft Defender Antivirus settings for your organization. With Intune, you can control where tamper protection is enabled (or disabled) through policies. You can also protect Microsoft Defender Antivirus exclusions. For more information, see [Protect Microsoft Defender Antivirus exclusions from tampering](prevent-changes-to-security-settings-with-tamper-protection.md#protect-microsoft-defender-antivirus-exclusions). -You can use Group Policy to manage some Microsoft Defender Antivirus settings. Note that if [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled in your organization, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. You can't turn off tamper protection by using Group Policy. +You can use Group Policy to manage some Microsoft Defender Antivirus settings. If [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled in your organization, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. You can't turn off tamper protection by using Group Policy. -If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state. +If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. After troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state. You can use **Local Group Policy Editor** to enable and configure Microsoft Defender Antivirus always-on protection settings. For the most current settings, get the latest ADMX files in your central store. 1. Open **Local Group Policy Editor**. - 1. In your Windows 10 or Windows 11 taskbar search box, type **gpedit**. + 1. In your Windows 10 or Windows 11 taskbar search box, type `gpedit`. + 2. Under **Best match**, select **Edit group policy** to launch **Local Group Policy Editor**. 2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Real-time Protection**. If you're looking for antivirus-related information for other platforms, see: - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [Configure Defender for Endpoint on Android features](android-configure.md) - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Configure Server Endpoints | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md | For guidance on how to download and use Windows Security Baselines for Windows s You'll need to complete the following general steps to successfully onboard servers. > [!NOTE] > Windows Hyper-V Server editions are not supported. |
security | Contact Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md | Accessing the new support widget can be done in one of two ways: 2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender portal: - :::image type="content" source="images/need-help-option.png" alt-text="The Need help button" lightbox="images/need-help-option.png"::: + :::image type="content" source="media/need-help-option.png" alt-text="The Need help button" lightbox="media/need-help-option.png"::: In the widget you'll be offered two options: |
security | Defender Endpoint Trial User Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-trial-user-guide.md | This playbook is a simple guide to help you make the most of your free trial. Us <td><center><a href="microsoft-defender-endpoint.md#ngp"><img src="media/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td> <td><center><a href="microsoft-defender-endpoint.md#edr"><img src="media/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> <td><center><a href="microsoft-defender-endpoint.md#ai"><img src="media/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td>-<td><center><a href="microsoft-defender-endpoint.md#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td> +<td><center><a href="microsoft-defender-endpoint.md#mte"><img src="media/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td> </tr> <tr> <td colspan="7"> |
security | Deployment Strategy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md | Title: Identify Defender for Endpoint architecture and deployment method -description: Select the best Microsoft Defender for Endpoint deployment strategy for your environment +description: Select the best Microsoft Defender for Endpoint deployment strategy for your environment. Last updated 12/18/2020 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-secopsdashboard-abovefoldlink) -You've already completed steps to set up your Microsoft Defender for Endpoint deployment and assigned roles and permissions for Defender for Endpoint. Next, plan for onboarding your devices by identifying your architecture and choosing your deployment method. +If you're already completed the steps to set up your Microsoft Defender for Endpoint deployment, and you have assigned roles and permissions for Defender for Endpoint, your next step is to create a plan for onboarding. Your plan begins with identifying your architecture and choosing your deployment method. We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service. Deciding how to onboard endpoints to the Defender for Endpoint service comes down to two important steps: We understand that every enterprise environment is unique, so we've provided sev ## Step 1: Identify your architecture -Depending on your environment, some tools are better suited for certain architectures. Use the table below to decide which Defender for Endpoint architecture best suits your organization. +Depending on your environment, some tools are better suited for certain architectures. 
Use the following table to decide which Defender for Endpoint architecture best suits your organization. |Architecture |Description | |||-|**Cloud-native**| We recommend using Microsoft Intune to onboard, configure, and remediate endpoints from the cloud for enterprises that don't have an on-premises configuration management solution or are looking to reduce their on-premises infrastructure. | -|**Co-management**| For organizations that host both on-premises and cloud-based workloads we recommend using Microsoft's ConfigMgr and Intune for their management needs. These tools provide a comprehensive suite of cloud-powered management features, as well as unique co-management options to provision, deploy, manage, and secure endpoints and applications across an organization. | -|**On-premises**|For enterprises that want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.| -|**Evaluation and local onboarding**|We recommend this architecture for SOCs (Security Operations Centers) that are looking to evaluate or run a Microsoft Defender for Endpoint pilot, but don't have existing management or deployment tools. This architecture can also be used to onboard devices in small environments without management infrastructure, such as a DMZ (Demilitarized Zone).| +|**Cloud-native**| We recommend using Microsoft Intune to onboard, configure, and remediate endpoints from the cloud for enterprises who don't have an on-premises configuration management solution or are looking to reduce their on-premises infrastructure. | +|**Co-management**| For organizations who host both on-premises and cloud-based workloads we recommend using Microsoft's ConfigMgr and Intune for their management needs. 
These tools provide a comprehensive suite of cloud-powered management features, and unique co-management options to provision, deploy, manage, and secure endpoints and applications across an organization. | +|**On-premises**|For enterprises who want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.| +|**Evaluation and local onboarding**|We recommend this architecture for SOCs (Security Operations Centers) who are looking to evaluate or run a Microsoft Defender for Endpoint pilot, but don't have existing management or deployment tools. This architecture can also be used to onboard devices in small environments without management infrastructure, such as a DMZ (Demilitarized Zone).| ## Step 2: Select deployment method |
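Review bot: the rewritten opening sentence in this hunk introduces a grammatical error: "If you're already completed the steps to set up" should read "If you've already completed the steps to set up". In the same hunk the architecture table changes "enterprises that", "organizations that" and "SOCs ... that" to "enterprises who", "organizations who" and "SOCs ... who"; "that" is the correct relative pronoun for organizations and teams, so the original wording should be kept in those three rows.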
security | Device Control Deploy Manage Gpo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo.md | If you're using Group Policy to manage Defender for Endpoint settings, you can u You can set default access such as, `Deny` or `Allow` for all device control features, such as `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, and `PrinterDevices`. For example, you can have either a `Deny` or an `Allow` policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. If you set `Default Deny` through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` is blocked. If you only want to manage storage, make sure to create `Allow` policy for printers. Otherwise, default enforcement (Deny) is applied to printers, too. |
security | Device Discovery | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md | Title: Device discovery overview -description: Learn how to leverage endpoint discovery in Microsoft Defender XDR to find unmanaged devices in your network +description: Learn how to use endpoint discovery in Microsoft Defender XDR to find unmanaged devices in your network. f1.keywords: - NOCSH Protecting your environment requires taking inventory of the devices that are in Microsoft Defender for Endpoint provides a device discovery capability that helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Device discovery uses onboarded endpoints, in your network to collect, probe, or scan your network to discover unmanaged devices. The device discovery capability allows you to discover: -- Enterprise endpoints (workstations, servers and mobile devices) that aren't yet onboarded to Microsoft Defender for Endpoint+- Enterprise endpoints (workstations, servers, and mobile devices) that aren't yet onboarded to Defender for Endpoint - Network devices like routers and switches - IoT devices like printers and cameras Unknown and unmanaged devices introduce significant risks to your network - whet - Onboard unmanaged endpoints to the service, increasing the security visibility on them. - Reduce the attack surface by identifying and assessing vulnerabilities, and detecting configuration gaps. -Watch this video for a quick overview of how to assess and onboard unmanaged devices that Microsoft Defender for Endpoint discovered. +Watch this video for a quick overview of how to assess and onboard unmanaged devices that Defender for Endpoint discovered. 
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4RwQz] -In conjunction with this capability, a security recommendation to onboard devices to Microsoft Defender for Endpoint is available as part of the existing Microsoft Defender Vulnerability Management experience. +With this capability, a security recommendation to onboard devices to Defender for Endpoint is available as part of the existing Microsoft Defender Vulnerability Management experience. ## Discovery methods You can choose the discovery mode to be used by your onboarded devices. The mode There are two modes of discovery available: -- **Basic discovery**: In this mode, endpoints passively collect events in your network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection and no network traffic is initiated. Endpoints extract data from every network traffic that is seen by an onboarded device. With basic discovery, you'll only gain limited visibility of unmanaged endpoints in your network.+- **Basic discovery**: In this mode, endpoints passively collect events in your network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection and no network traffic is initiated. Endpoints extract data from all network traffic seen by an onboarded device. With basic discovery, you only gain limited visibility of unmanaged endpoints in your network. -- **Standard discovery** (recommended): This mode allows endpoints to actively find devices in your network to enrich collected data and discover more devices - helping you build a reliable and coherent device inventory. In addition to devices that were observed using the passive method, standard mode also leverages common discovery protocols that use multicast queries in the network to find even more devices. 
Standard mode uses smart, active probing to discover additional information about observed devices to enrich existing device information. When Standard mode is enabled, minimal, and negligible network activity generated by the discovery sensor might be observed by network monitoring tools in your organization.+- **Standard discovery** (recommended): This mode allows endpoints to actively find devices in your network to enrich collected data and discover more devices - helping you build a reliable and coherent device inventory. In addition to devices that were observed using the passive method, standard mode also uses common discovery protocols that use multicast queries in the network to find even more devices. Standard mode uses smart, active probing to discover additional information about observed devices to enrich existing device information. When Standard mode is enabled, minimal and negligible network activity generated by the discovery sensor might be observed by network monitoring tools in your organization. You can change and customize your discovery settings, for more information, see [Configure device discovery](configure-device-discovery.md). > [!IMPORTANT] > Standard discovery is the default mode for all customers starting July 19, 2021. You can choose to change this configuration to basic through the settings page. If you choose basic mode, you'll only gain limited visibility of unmanaged endpoints in your network. -> [!NOTE] -> The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. Devices that are not connected to corporate networks will not be discovered or listed in the device inventory. +The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. Devices that aren't connected to corporate networks won't be discovered or listed in the device inventory. 
## Device inventory -Devices that have been discovered but haven't yet been onboarded and secured by Microsoft Defender for Endpoint are listed in the device inventory within the Computers and Mobile tab. +Devices that were discovered but aren't onboarded to and secured by Defender for Endpoint are listed in the device inventory. -To assess these devices, you can use a filter in the device inventory list called Onboarding status, which can have any of the following values: +To assess these devices, you can use a filter in the device inventory list called **Onboarding status**, which can have any of the following values: -- Onboarded: The endpoint is onboarded to Microsoft Defender for Endpoint.-- Can be onboarded: The endpoint was discovered in the network and the Operating System was identified as one that is supported by Microsoft Defender for Endpoint, but it isn't currently onboarded. We highly recommend onboarding these devices.-- Unsupported: The endpoint was discovered in the network but isn't supported by Microsoft Defender for Endpoint.-- Insufficient info: The system couldn't determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes.+- **Onboarded**: The endpoint is onboarded to Defender for Endpoint. +- **Can be onboarded**: The endpoint was discovered in the network and the Operating System was identified as one that is supported by Defender for Endpoint, but it isn't currently onboarded. We highly recommend onboarding these devices. +- **Unsupported**: The endpoint was discovered in the network but isn't supported by Defender for Endpoint. +- **Insufficient info**: The system couldn't determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes. 
:::image type="content" source="media/2b62255cd3a9dd42f3219e437b956fb9.png" alt-text="The device inventory dashboard" lightbox="media/2b62255cd3a9dd42f3219e437b956fb9.png"::: For more information, see [Device inventory](machines-view-overview.md). ## Network device discovery -The large number of unmanaged network devices deployed in an organization creates a large surface area of attack, and represents a significant risk to the entire enterprise. Microsoft Defender for Endpoint network discovery capabilities helps you ensure network devices are discovered, accurately classified, and added to the asset inventory. +The large number of unmanaged network devices deployed in an organization creates a large surface area of attack, and represents a significant risk to the entire enterprise. Defender for Endpoint network discovery capabilities helps you ensure network devices are discovered, accurately classified, and added to the asset inventory. -Network devices aren't managed as standard endpoints, as Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan obtains the necessary information from the devices. To do this, a designated Microsoft Defender for Endpoint device is used on each network segment to perform periodic authenticated scans of preconfigured network devices. Defender for Endpoint's vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways. +Network devices aren't managed as standard endpoints, as Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan obtains the necessary information from the devices. 
To do this, a designated Defender for Endpoint device is used on each network segment to perform periodic authenticated scans of preconfigured network devices. Defender for Endpoint's vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways. For more information, see [Network devices](network-devices.md). ## Device discovery Integration -To address the challenge of gaining enough visibility to locate, identify, and secure your complete OT/IOT asset inventory Microsoft Defender for Endpoint now supports the following integration: +To address the challenge of gaining enough visibility to locate, identify, and secure your complete OT/IOT asset inventory Defender for Endpoint now supports the following integration: -- **Microsoft Defender for IoT**: This integration combines Microsoft Defender for Endpoint's device discovery capabilities, with the agentless monitoring capabilities of Microsoft Defender for IoT, to secure enterprise IoT devices connected to an IT network (for example, Voice over Internet Protocol (VoIP), printers, and smart TVs). For more information, see [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).+- **Microsoft Defender for IoT**: This integration combines Defender for Endpoint's device discovery capabilities, with the agentless monitoring capabilities of Microsoft Defender for IoT, to secure enterprise IoT devices connected to an IT network (for example, Voice over Internet Protocol (VoIP), printers, and smart TVs). For more information, see [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/). 
## Vulnerability assessment on discovered devices For more information, see the [SeenBy()](/microsoft-365/security/defender/advanc ### Query network related information -Device discovery leverages Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. The network sensor on the Microsoft Defender for Endpoint onboarded device identifies two new connection types: +Device discovery leverages Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. The network sensor on the Defender for Endpoint onboarded device identifies two new connection types: - ConnectionAttempt - An attempt to establish a TCP connection (syn) - ConnectionAcknowledged - An acknowledgment that a TCP connection was accepted (syn\ack) -This means that when a non-onboarded device attempts to communicate with an onboarded Microsoft Defender for Endpoint device, the attempt generates a DeviceNetworkEvent and the non-onboarded device activities can be seen on the onboarded device timeline, and through the Advanced hunting DeviceNetworkEvents table. +This means that when a non-onboarded device attempts to communicate with an onboarded Defender for Endpoint device, the attempt generates a DeviceNetworkEvent and the non-onboarded device activities can be seen on the onboarded device timeline, and through the Advanced hunting DeviceNetworkEvents table. You can try this example query: DeviceNetworkEvents - [Configure device discovery](configure-device-discovery.md) - [Device discovery FAQs](device-discovery-faq.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
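Review bot: the `+` line under "Query network related information" ("Device discovery leverages Defender for Endpoint onboarded devices as a network data source") keeps "leverages" while this same commit replaces "leverage" with "use" in the description and in the Standard discovery bullet; change it to "uses" so the page is consistent. Also, the `+` line "Defender for Endpoint network discovery capabilities helps you ensure network devices are discovered" carries over a subject-verb mismatch from the old text; with the plural subject it should read "capabilities help you ensure".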
security | Device Timeline Event Flag | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md | You can copy an entity's details when you see a blue icon on the right. For inst You can do the same for command lines. ### Investigate related events To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique. > [!NOTE] > Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results. |
security | Enable Cloud Protection Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md | ms.localizationpriority: medium Previously updated : 05/24/2023- Last updated : 04/03/2024+ The following table summarizes the features and capabilities that depend on clou | **Checking against metadata in the cloud**. The Microsoft Defender Antivirus cloud service uses machine learning models as an extra layer of defense. These machine learning models include metadata, so when a suspicious or malicious file is detected, its metadata is checked. <br/><br/>To learn more, see [Blog: Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | | **[Cloud protection and sample submission](cloud-protection-microsoft-antivirus-sample-submission.md)**. Files and executables can be sent to the Microsoft Defender Antivirus cloud service for detonation and analysis. Automatic sample submission relies on cloud protection, although it can also be configured as a standalone setting.<br/><br/>To learn more, see [Cloud protection and sample submission in Microsoft Defender Antivirus](cloud-protection-microsoft-antivirus-sample-submission.md). | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | | **[Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)**. Tamper protection helps protect against unwanted changes to your organization's security settings. 
<br/><br/>To learn more, see [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md). | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | -| **[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)** <br/>Block at first sight detects new malware and blocks it within seconds. When a suspicious or malicious file is detected, block at first sight capabilities queries the cloud protection backend and applies heuristics, machine learning, and automated analysis of the file to determine whether it is a threat.<br/><br/>To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight) | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | +| **[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)** <br/>Block at first sight detects new malware and blocks it within seconds. When a suspicious or malicious file is detected, block at first sight capabilities queries the cloud protection backend and applies heuristics, machine learning, and automated analysis of the file to determine whether it's a threat.<br/><br/>To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight) | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | | **[Emergency signature updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates)**. When malicious content is detected, emergency signature updates and fixes are deployed. Rather than wait for the next regular update, you can receive these fixes and updates within minutes. 
<br/><br/>To learn more about updates, see [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md). | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | | **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. EDR in block mode provides extra protection when Microsoft Defender Antivirus isn't the primary antivirus product on a device. EDR in block mode remediates artifacts found during EDR-generated scans that the non-Microsoft, primary antivirus solution might have missed. When enabled for devices with Microsoft Defender Antivirus as the primary antivirus solution, EDR in block mode provides the added benefit of automatically remediating artifacts identified during EDR-generated scans. <br/><br/>To learn more, see [EDR in block mode](edr-in-block-mode.md). | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | | **[Attack surface reduction rules](attack-surface-reduction.md)**. ASR rules are intelligent rules that you can configure to help stop malware. Certain rules require cloud protection to be turned on in order to function fully. These rules include: <br/>- Block executable files from running unless they meet a prevalence, age, or trusted list criteria <br/>- Use advanced protection against ransomware <br/>- Block untrusted programs from running from removable drives <br/><br/>To learn more, see [Use attack surface reduction rules to prevent malware infection](attack-surface-reduction.md). 
| Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | MAPSReporting SubmitSamplesConsent ``` -For more information about allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) +For more information about allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal). ## Turn on cloud protection on individual clients with the Windows Security app For more information about allowed parameters, see [Windows Defender WMIv2 APIs] > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
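Review bot: the `+` line for the "Block at first sight" table row keeps "block at first sight capabilities queries the cloud protection backend and applies heuristics", a subject-verb mismatch from the old text; since only the "it is" to "it's" change was made, fix the verbs too ("capabilities query the cloud protection backend and apply heuristics").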
security | Enable Network Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md | Title: Turn on network protection description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. ms.localizationpriority: medium Previously updated : 10/18/2022 Last updated : 04/03/2024 -+ search.appverid: met150 > [!TIP] > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink) -[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before enabling network protection. +[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before enabling network protection. [Learn more about network filtering configuration options.](/mem/intune/protect/endpoint-protection-windows-10#network-filtering) ## Check if network protection is enabled -Check if network protection has been enabled on a local device by using Registry editor. +Check to see if network protection is enabled on a local device by using Registry editor. 1. Select the **Start** button in the task bar and type **regedit** to open Registry editor. 
Enable network protection by using any of these methods: Set-MpPreference -EnableNetworkProtection AuditMode ``` - Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature. + To turn off the feature, use `Disabled` instead of `AuditMode` or `Enabled`. ### Mobile device management (MDM) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](/windows/ #### Microsoft Defender for Endpoint Baseline method -1. Sign into the Microsoft Intune admin center (https://endpoint.microsoft.com). +1. Sign into the [Microsoft Intune admin center](https://endpoint.microsoft.com). + 2. Go to **Endpoint security** > **Security baselines** > **Microsoft Defender for Endpoint Baseline**.+ 3. Select **Create a profile**, then provide a name for your profile, and then select **Next**.-4. In the **Configuration settings** section, go to **Attack Surface Reduction Rules** > set **Block**, **Enable** or **Audit** for **Enable network protection**. Select **Next**. ++4. In the **Configuration settings** section, go to **Attack Surface Reduction Rules** > set **Block**, **Enable**, or **Audit** for **Enable network protection**. Select **Next**. + 5. Select the appropriate **Scope tags** and **Assignments** as required by your organization.+ 7. Review all the information, and then select **Create**. #### Antivirus policy method-1. Sign into the Microsoft Intune admin center (https://endpoint.microsoft.com). -2. Go to **Endpoint security** > **Antivirus** -3. Select **Create a policy** ++1. Sign into the [Microsoft Intune admin center](https://endpoint.microsoft.com). ++2. Go to **Endpoint security** > **Antivirus**. ++3. Select **Create a policy**. + 4. In the **Create a policy** flyout, choose **Windows 10, Windows 11, and Windows Server** from the **Platform** list.-5. Choose **Microsoft Defender Antivirus** from the **Profile** list then choose **Create** ++5. Choose **Microsoft Defender Antivirus** from the **Profile** list then choose **Create**. + 6. 
Provide a name for your profile, and then select **Next**.+ 7. In the **Configuration settings** section, select **Disabled**, **Enabled (block mode)** or **Enabled (audit mode)** for **Enable Network Protection**, then select **Next**.+ 8. Select the appropriate **Assignments** and **Scope tags** as required by your organization.+ 9. Review all the information, and then select **Create**. #### Configuration profile method Use the following procedure to enable network protection on domain-joined comput > On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus." 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:+ - **Block** - Users can't access malicious IP addresses and domains.- - **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains. + - **Disable (Default)** - The Network protection feature won't work. Users aren't blocked from accessing malicious domains. - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log. However, the user won't be blocked from visiting the address. > [!IMPORTANT] Use the following procedure to enable network protection on domain-joined comput 4. On the **General** page, specify a name for the new policy and verify the **Network protection** option is enabled. 5. 
On the **Network protection** page, select one of the following settings for the **Configure network protection** option:+ - **Block** - **Audit** - **Disabled** Use the following procedure to enable network protection on domain-joined comput - [Evaluate network protection](evaluate-network-protection.md) - [Troubleshoot network protection](troubleshoot-np.md)++ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
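Review bot: in the Microsoft Defender for Endpoint Baseline method the step numbers jump from 5 to 7 (`5. Select the appropriate **Scope tags** and **Assignments** as required by your organization.` is followed directly by `7. Review all the information, and then select **Create**.`); since this hunk already reflows every step in that list, renumber the last step to 6 or restore the missing step. The same list calls the setting **Enable network protection** while the Antivirus policy method calls it **Enable Network Protection**; pick the casing the Intune UI actually shows and use it in both procedures.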
security | Evaluation Lab | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md | When all existing devices are used and deleted, you can request for more devices 1. From the evaluation lab dashboard, select **Request for more devices**. - :::image type="content" source="images/request-more-devices.png" alt-text="The request for more devices option" lightbox="images/request-more-devices.png"::: + :::image type="content" source="media/request-more-devices.png" alt-text="The request for more devices option" lightbox="media/request-more-devices.png"::: 2. Choose your configuration. 3. Submit the request. If you are looking for a pre-made simulation, you can use our ["Do It Yourself" 1. Connect to your device and run an attack simulation by selecting **Connect**. - :::image type="content" source="images/test-machine-table.png" alt-text="The Connect button for the test devices" lightbox="images/test-machine-table.png"::: + :::image type="content" source="media/test-machine-table.png" alt-text="The Connect button for the test devices" lightbox="media/test-machine-table.png"::: :::image type="content" source="media/remote-connection.png" alt-text="The remote desktop connection screen" lightbox="media/remote-connection.png"::: If you are looking for a pre-made simulation, you can use our ["Do It Yourself" > [!NOTE] > If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu: >- > :::image type="content" source="images/reset-password-test-machine.png" alt-text="The Reset password option" lightbox="images/reset-password-test-machine.png"::: + > :::image type="content" source="media/reset-password-test-machine.png" alt-text="The Reset password option" lightbox="media/reset-password-test-machine.png"::: > > The device will change it's state to "Executing password reset", then you'll be presented with your new password 
in a few minutes. Running threat simulations using third-party platforms is a good way to evaluate 2. Select a threat simulator. - :::image type="content" source="images/select-simulator.png" alt-text="The threat simulator selection" lightbox="images/select-simulator.png"::: + :::image type="content" source="media/select-simulator.png" alt-text="The threat simulator selection" lightbox="media/select-simulator.png"::: 3. Choose a simulation or look through the simulation gallery to browse through the available simulations. Your feedback helps us get better in protecting your environment from advanced a Let us know what you think, by selecting **Provide feedback**. [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Fix Unhealthy Sensors | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md | An inactive device isn't necessarily flagged because of an issue. The following Any device that isn't in use for more than seven days retains 'Inactive' status in the portal. ### Device was reinstalled or renamed+ A new device entity is generated in Microsoft Defender XDR for reinstalled or renamed devices. The previous device entity remains, with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally. ### Device was off-boarded+ If the device was off-boarded, it still appears in devices list. After seven days, the device health state should change to inactive. ### Device isn't sending signals-If the device isn't sending any signals to any Microsoft Defender for Endpoint channels for more than seven days for any reason, a device can be considered inactive; this includes conditions that fall under misconfigured devices classification. -Do you expect a device to be in 'Active' status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +If the device isn't sending any signals to any Microsoft Defender for Endpoint channels for more than seven days for any reason, a device can be considered inactive. Misconfigured devices can also be considered inactive. ## Misconfigured devices+ Misconfigured devices can further be classified to:+ - Impaired communications - No sensor data ### Impaired communications+ This status indicates that there's limited communication between the device and the service. 
The following suggested actions can help fix issues related to a misconfigured device with impaired communications: -- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)</br>- The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. +- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device). The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. -- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md)</br>- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs. +- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md). Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs. If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). ### No sensor data+ A misconfigured device with status 'No sensor data' has communication with the service but can only report partial sensor data. 
Follow theses actions to correct known issues related to a misconfigured device with status 'No sensor data': -- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)</br>- The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. +- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device). The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. -- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md)</br>- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs. +- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md). Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs. -- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)</br>-If the devices aren't reporting correctly, you should verify that the Windows diagnostic data service is set to automatically start. Also verify that the Windows diagnostic data service is running on the endpoint. +- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled). If the devices aren't reporting correctly, you should verify that the Windows diagnostic data service is set to automatically start. 
Also verify that the Windows diagnostic data service is running on the endpoint. -- [Ensure that Microsoft Defender Antivirus isn't disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)</br>-If your devices are running a third-party anti-malware client, Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch anti-malware (ELAM) driver is enabled. +- [Ensure that Microsoft Defender Antivirus isn't disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). If your devices are running a third-party anti-malware client, Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch anti-malware (ELAM) driver is enabled. -- For macOS devices that 'sleep' for more than approximately 48 hours (a weekend), Microsoft Defender for Endpoint on macOS still sends Command and Control (CnC) channel data, but doesn't send any Cyber channel data. After the devices are turned on and used on the first business day, the devices will show up as active.+- For macOS devices that sleep for more than approximately 48 hours (a weekend), Microsoft Defender for Endpoint on macOS still sends Command and Control (CnC) channel data, but doesn't send any Cyber channel data. After the devices are turned on and used on the first business day, the devices will show up as active. If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). ## See also+ - [Check sensor health state in Microsoft Defender for Endpoint](check-sensor-status.md) - [Client analyzer overview](overview-client-analyzer.md) - [Download and run the client analyzer](download-client-analyzer.md) |
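Review bot: the rewritten "Device isn't sending signals" paragraph drops the call to action `Do you expect a device to be in 'Active' status? [Open a support ticket](...)` without a replacement, so a reader whose device is unexpectedly inactive no longer has a next step in that section; either keep a short pointer there or state that the support links under "Impaired communications" and "No sensor data" also apply. While this section is being edited, the unchanged context line "Follow theses actions to correct known issues" has a typo ("theses" for "these").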
security | Investigate Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md | The timeline also enables you to selectively drill down into events that occurre > - [5031](/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network > - [5157](/windows/security/threat-protection/auditing/event-5157) - blocked connection Some of the functionality includes: To further inspect the event and related events, you can quickly run an [advance The **Security policies** tab shows the endpoint security policies that are applied on the device. You see a list of policies, type, status, and last check-in time. Selecting the name of a policy takes you to the policy details page where you can see the policy settings status, applied devices, and assigned groups. ### Software inventory The **Missing KBs** tab lists the missing security updates for the device. The **Azure Advanced Threat Protection** card displays a high-level overview of alerts related to the device and their risk level, if you're using the Microsoft Defender for Identity feature, and there are any active alerts. More information is available in the **Alerts** drill down. > [!NOTE] > You'll need to enable the integration on both Microsoft Defender for Identity and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). The **Logged on users** card shows how many users logged on in the past 30 days, The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A device's exposure level is determined by the cumulative impact of its pending security recommendations. ### Device health status |
security | Ios Configure Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md | Follow the below steps for setting up MAM config for unenrolled devices for Netw 2. Provide a name and description to uniquely identify the policy. Then select **Select Public apps**, and choose **Microsoft Defender for Platform iOS/iPadOS**. - :::image type="content" source="images/nameiosconfig.png" alt-text="Name the configuration." lightbox="images/nameiosconfig.png"::: + :::image type="content" source="media/nameiosconfig.png" alt-text="Name the configuration." lightbox="media/nameiosconfig.png"::: 3. On the Settings page, add **DefenderNetworkProtectionEnable** as the key and the value as `true` to enable network protection. (Network protection is disabled by default.) |
security | Linux Support Offline Security Intelligence Update | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-offline-security-intelligence-update.md | Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd ## Prerequisites -- Defender for Endpoint version "101.24022.0001" or higher in InsiderSlow ring needs to be installed on the Linux endpoints. +- Defender for Endpoint version "101.24022.0001" or higher needs to be installed on the Linux endpoints. > [!NOTE] > This version of Defender for Endpoint on Linux will be rolled out to the Production ring soon. - The Linux endpoints need to have connectivity to the Mirror Server. definitions_version : "1.407.417.0" definitions_status : "up_to_date" definitions_update_source_uri : "https://go.microsoft.com/fwlink/?linkid=2144709" definitions_update_fail_reason : ""-offline_definition_url_configured : "http://172.22.199.67:8000/linux/production/" [managed] +offline_definition_url_configured : "http://172.XX.XXX.XX:8000/linux/production/" [managed] offline_definition_update : "enabled" [managed] offline_definition_update_verify_sig : "enabled" offline_definition_update_fallback_to_cloud : false[managed] |
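Review bot: the prerequisite no longer restricts the build to the InsiderSlow ring, but the unchanged note right below it (`> This version of Defender for Endpoint on Linux will be rolled out to the Production ring soon.`) still describes the version as not yet in Production, so the two statements now disagree; drop the note or keep the ring requirement. Masking the internal address in `offline_definition_url_configured` is the right hygiene fix; using an RFC 5737 documentation address (for example `192.0.2.10`) instead of `172.XX.XXX.XX` would keep the sample a syntactically valid URL. The adjacent context line `offline_definition_update_fallback_to_cloud : false[managed]` is also missing the space before `[managed]` that the other lines have.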
security | Live Response Command Examples | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md | Last updated 04/24/2023 **Applies to:**+ - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) run get-process-by-name.ps1 -parameters "-processName Registry" > > For long running commands such as '**run**' or '**getfile**', you may want to use the '**&**' symbol at the end of the command to perform that action in the background. > This will allow you to continue investigating the machine and return to the background command when done using '**fg**' [basic command](live-response.md#basic-commands).--> [!NOTE] -> +> > When passing parameters to a live response script, do not include the following forbidden characters: **';'**, **'&'**, **'|'**, **'!'**, and **'$'**. ## `scheduledtask` undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition # Restore remediated file undo file c:\Users\user\Desktop\malware.exe ```++ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Live Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md | Last updated 05/02/2023 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) -Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. +Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. Live response gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. Before you can initiate a session on a device, make sure you fulfill the followi - **Enable live response from the advanced settings page**. - You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. + You need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. > [!NOTE] > Only admins and users who have "Manage Portal Settings" permissions can enable live response. Before you can initiate a session on a device, make sure you fulfill the followi > [!WARNING] > Allowing the use of unsigned scripts may increase your exposure to threats. - Running unsigned scripts is not recommended as it can increase your exposure to threats. 
If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. + Running unsigned scripts isn't recommended as it can increase your exposure to threats. If you must use them however, you need to enable the setting in the [Advanced features settings](advanced-features.md) page. - **Ensure that you have the appropriate permissions**. - Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md). + Only users who are provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md). > [!IMPORTANT] > The option to upload a file to the library is only available to users with "Manage Security Settings" permission. The following commands are available for user roles that are granted the ability | Command | Description | Windows and Windows Server | macOS | Linux | ||||||-| cd | Changes the current directory. | Y | Y | Y | -| cls | Clears the console screen. | Y | Y | Y | -| connect | Initiates a live response session to the device. | Y | Y | Y | -| connections | Shows all the active connections. | Y | N | N | -| dir | Shows a list of files and subdirectories in a directory. | Y | Y | Y | -| drivers | Shows all drivers installed on the device. | Y | N | N | -| fg `<command ID>` | Place the specified job in the foreground, making it the current job. NOTE: fg takes a 'command ID` available from jobs, not a PID. | Y | Y | Y | -| fileinfo | Get information about a file. | Y | Y | Y | -| findfile | Locates files by a given name on the device. | Y | Y | Y | -| getfile <file_path> | Downloads a file. | Y | Y | Y | -| help | Provides help information for live response commands. | Y | Y | Y | -| jobs | Shows currently running jobs, their ID and status. 
| Y | Y | Y | -| persistence | Shows all known persistence methods on the device. | Y | N | N | -| processes | Shows all processes running on the device. | Y | Y | Y | -| registry | Shows registry values. | Y | N | N | -| scheduledtasks | Shows all scheduled tasks on the device. | Y | N | N | -| services | Shows all services on the device. | Y | N | N | -| startupfolders | Shows all known files in startup folders on the device. | Y | N | N | -| status | Shows the status and output of specific command. | Y | Y | Y | -| trace | Sets the terminal's logging mode to debug. | Y | Y | Y | +| `cd` | Changes the current directory. | Y | Y | Y | +| `cls` | Clears the console screen. | Y | Y | Y | +| `connect` | Initiates a live response session to the device. | Y | Y | Y | +| `connections` | Shows all the active connections. | Y | N | N | +| `dir` | Shows a list of files and subdirectories in a directory. | Y | Y | Y | +| `drivers` | Shows all drivers installed on the device. | Y | N | N | +| `fg <command ID>` | Place the specified job in the foreground, making it the current job. Note that `fg` takes a `command ID` available from jobs, not a PID. | Y | Y | Y | +| `fileinfo` | Get information about a file. | Y | Y | Y | +| `findfile` | Locates files by a given name on the device. | Y | Y | Y | +| `getfile <file_path>` | Downloads a file. | Y | Y | Y | +| `help` | Provides help information for live response commands. | Y | Y | Y | +| `jobs` | Shows currently running jobs, their ID and status. | Y | Y | Y | +| `persistence` | Shows all known persistence methods on the device. | Y | N | N | +| `processes` | Shows all processes running on the device. | Y | Y | Y | +| `registry` | Shows registry values. | Y | N | N | +| `scheduledtasks` | Shows all scheduled tasks on the device. | Y | N | N | +| `services` | Shows all services on the device. | Y | N | N | +| `startupfolders` | Shows all known files in startup folders on the device. 
| Y | N | N | +| `status` | Shows the status and output of specific command. | Y | Y | Y | +| `trace` | Sets the terminal's logging mode to debug. | Y | Y | Y | ### Advanced commands The following commands are available for user roles that are granted the ability | Command | Description | Windows and Windows Server | macOS | Linux | ||||||-| analyze | Analyses the entity with various incrimination engines to reach a verdict. | Y | N | N | -| collect | Collects forensics package from device. | N | Y | Y | -| isolate | Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service. | N | Y | N | -| release | Releases a device from network isolation. | N | Y | N | -| run | Runs a PowerShell script from the library on the device. | Y | Y | Y | -| library | Lists files that were uploaded to the live response library. | Y | Y | Y | -| putfile | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. | Y | Y | Y | -| remediate | Remediates an entity on the device. The remediation action will vary depending on the entity type: File: delete Process: stop, delete image file Service: stop, delete image file Registry entry: delete Scheduled task: remove Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y | -| scan | Runs a Quick antivirus scan to help identify and remediate malware. | N | Y | Y | -| undo | Restores an entity that was remediated. | Y | N | N | +| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. | Y | N | N | +| `collect` | Collects forensics package from device. | N | Y | Y | +| `isolate` | Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service. 
| N | Y | N | +| `release` | Releases a device from network isolation. | N | Y | N | +| `run` | Runs a PowerShell script from the library on the device. | Y | Y | Y | +| `library` | Lists files that were uploaded to the live response library. | Y | Y | Y | +| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. | Y | Y | Y | +| `remediate` | Remediates an entity on the device. The remediation action varies, depending on the entity type: <br/>- File: delete<br/>- Process: stop, delete image file<br/>- Service: stop, delete image file<br/>- Registry entry: delete<br/>- Scheduled task: remove<br/>- Startup folder item: delete file<br/><br/>This command has a prerequisite command. You can use the `-auto` command in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y | +| `scan` | Runs a quick antivirus scan to help identify and remediate malware. | N | Y | Y | +| `undo` | Restores an entity that was remediated. | Y | N | N | ## Use live response commands Select the **Command log** tab to see the commands used on the device during a s ## Related article - [Live response command examples](live-response-command-examples.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Mac Install Manually | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md | Download the installation and onboarding packages from Microsoft Defender portal 5. From a command prompt, verify that you have the two files. - Type *cd Downloads* and press **Enter**. - Type *ls* and press **Enter**.- :::image type="content" source="images/Terminal-image-step5.png" alt-text="Screenshot that displays the two download files."::: + :::image type="content" source="media/Terminal-image-step5.png" alt-text="Screenshot that displays the two download files."::: 6. Copy the *wdav.pkg* and *MicrosoftDefenderATPOnboardingMacOs.sh* to the device where you want to deploy the Microsoft Defender for Endpoint on macOS. ## Application installation (macOS 11 and newer versions) To complete this process, you must have admin privileges on the device. sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target / ``` - :::image type="content" source="images/monterey-install-1.png" alt-text="Screenshot that shows the installation process for the application"::: + :::image type="content" source="media/monterey-install-1.png" alt-text="Screenshot that shows the installation process for the application"::: 2. Select **Continue**. To complete this process, you must have admin privileges on the device. 10. At the end of the installation process, for macOS Big Sur (11.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**. - :::image type="content" source="images/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval"::: + :::image type="content" source="media/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval"::: 11. To enable system extention, select **Details**. 
- :::image type="content" source="images/system-extention-image.png" alt-text="Screenshot that shows the system extention."::: + :::image type="content" source="media/system-extention-image.png" alt-text="Screenshot that shows the system extention."::: 12. From the **Security & Privacy** window, select the checkboxes next to **Microsoft Defender** and select **OK**. - :::image type="content" source="images/security-privacy-window-updated.png" alt-text="Screenshot that shows the security and privacy window."::: + :::image type="content" source="media/security-privacy-window-updated.png" alt-text="Screenshot that shows the security and privacy window."::: 13. Repeat steps 11 and 12 for all system extensions distributed with Microsoft Defender for Endpoint on Mac. 14. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**. - :::image type="content" source="images/monterey-install-4.png" alt-text="Screenshot that shows the system extension security preferences2"::: + :::image type="content" source="media/monterey-install-4.png" alt-text="Screenshot that shows the system extension security preferences2"::: To troubleshoot System Extension issues, refer [Troubleshoot System Extension](mac-support-sys-ext.md). To grant full disk access: 1. Select **General** \> **Restart** for the new system extensions to take effect. - :::image type="content" source="images/restart-fulldisk.png" alt-text="Screenshot that allows you to restart the system for new system extensions to be enabled."::: + :::image type="content" source="media/restart-fulldisk.png" alt-text="Screenshot that allows you to restart the system for new system extensions to be enabled."::: 1. Enable *Potentially Unwanted Application* (PUA) in block mode. |
security | Mac Jamfpro Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md | These steps are applicable on macOS 11 (Big Sur) or later. 8. Click the `+` sign next to **App Access** to add a new entry. - :::image type="content" source="images/tcc-add-entry.png" alt-text="The save operation relating to the configuration setting." lightbox="images/tcc-add-entry.png"::: + :::image type="content" source="media/tcc-add-entry.png" alt-text="The save operation relating to the configuration setting." lightbox="media/tcc-add-entry.png"::: 9. Enter the following details: These steps are applicable on macOS 11 (Big Sur) or later. 10. Select **+ Add**. - :::image type="content" source="images/tcc-epsext-entry.png" alt-text="The configuration setting tcc epsext entry." lightbox="images/tcc-epsext-entry.png"::: + :::image type="content" source="media/tcc-epsext-entry.png" alt-text="The configuration setting tcc epsext entry." lightbox="media/tcc-epsext-entry.png"::: - Under App or service: Set to **SystemPolicyAllFiles** These steps are applicable on macOS 11 (Big Sur) or later. 11. Select **Save** (not the one at the bottom right). - :::image type="content" source="images/tcc-epsext-entry2.png" alt-text="The other instance of configuration setting tcc epsext." lightbox="images/tcc-epsext-entry2.png"::: + :::image type="content" source="media/tcc-epsext-entry2.png" alt-text="The other instance of configuration setting tcc epsext." lightbox="media/tcc-epsext-entry2.png"::: 12. Select the **Scope** tab. |
security | Mac Schedule Scan | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md | search.appverid: met150 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -> [!IMPORTANT] -> Some information relates to a pre-released product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. --> [!NOTE] ->The built-in Scheduled Scan is currently in public preview. Review the prerequisites carefully. - ## Schedule a scan *built-in to* Microsoft Defender for Endpoint on macOS While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. |
security | Mac Support License | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md | If the file exists, it will prevent the macOS from being onboarded again. Delet 2. Select **Licenses**. - :::image type="content" source="images/selecting-licenses-option-from-endpoints-screen.png" alt-text="Screenshot of the Endpoints page from which the Licenses options can be selected." lightbox="images/selecting-licenses-option-from-endpoints-screen.png"::: + :::image type="content" source="media/selecting-licenses-option-from-endpoints-screen.png" alt-text="Screenshot of the Endpoints page from which the Licenses options can be selected." lightbox="media/selecting-licenses-option-from-endpoints-screen.png"::: 3. Select **View and purchase licenses in the Microsoft 365 admin center**. The following screen in the Microsoft 365 admin center portal appears: If the file exists, it will prevent the macOS from being onboarded again. Delet 4. Check the checkbox of the license you want to purchase from Microsoft, and select it. The screen displaying detail of the chosen license appears: - :::image type="content" source="images/resultant-screen-of-selecting-preferred-license.png" alt-text="Screenshot of the product page from which you can select the option of assigning the purchased license."::: + :::image type="content" source="media/resultant-screen-of-selecting-preferred-license.png" alt-text="Screenshot of the product page from which you can select the option of assigning the purchased license."::: 5. Select the **Assign licenses** link. If the file exists, it will prevent the macOS from being onboarded again. Delet The following screen appears: - :::image type="content" source="images/screen-containing-option-to-assign-licenses.png" alt-text="Screenshot of the page containing the + Assign licenses option." lightbox="images/screen-containing-option-to-assign-licenses.png"::: + :::image type="content" source="media/screen-containing-option-to-assign-licenses.png" alt-text="Screenshot of the page containing the + Assign licenses option." lightbox="media/screen-containing-option-to-assign-licenses.png"::: 6. Select **+ Assign licenses**. If the file exists, it will prevent the macOS from being onboarded again. Delet On implementing these solution-options (either of them), if the licensing issues have been resolved, and then you run **mdatp health**, you should see the following results: ## Sign in with your Microsoft account |
security | Mac Support Sys Ext | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-sys-ext.md | Click **Action needed**. The screen as shown in the following screenshot appears: You can also run **mdatp health**: It reports if real-time protection is enabled but not available. This report indicates that the system extension isn't approved to run on your device. full_disk_access_enabled : false ``` The output report displayed on running **mdatp health** is shown in the following screenshot: ## Cause If you're using Intune, see [Manage macOS software update policies in Intune](/m 1. Click the ellipses (three dots). 1. Select **Refresh devices**. The screen as shown in the following screenshot appears: - :::image type="content" source="images/screen-on-clicking-refresh-devices.png" alt-text="The screen that appears on clicking Refresh devices." lightbox="images/screen-on-clicking-refresh-devices.png"::: + :::image type="content" source="media/screen-on-clicking-refresh-devices.png" alt-text="The screen that appears on clicking Refresh devices." lightbox="media/screen-on-clicking-refresh-devices.png"::: 1. In Launchpad, type **System Preferences**. 1. Double-click **Profiles**. |
security | Mac Troubleshoot Mode | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode.md | Last updated 02/06/2024 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -> [!IMPORTANT] -> Some information relates to a pre-released product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - This article describes how to enable the troubleshooting mode in Microsoft Defender for Endpoint on macOS so admins can troubleshoot various Microsoft Defender Antivirus features temporarily, even if organizational policies manage the devices. For example, if the tamper protection is enabled, certain settings can't be modified or turned off, but you can use troubleshooting mode on the device to edit those settings temporarily. During troubleshooting mode, you can't: ### Prerequisites -> [!NOTE] -> Troubleshooting mode on macOS is currently in public preview. Review the prerequisites carefully. - - Supported version of macOS for Microsoft Defender for Endpoint. - Microsoft Defender for Endpoint must be tenant-enrolled and active on the device. - Permissions for "Manage security settings in Security Center" in Microsoft Defender for Endpoint. - Platform Update version: [101.23122.0005]( mac-whatsnew.md#jan-2024-build-101231220005release-version-2012312250) or newer. -- [Beta Channel (formerly Insiders-Fast), or Current Channel (Preview) (formerly Insiders-Slow)](/microsoft-365/security/defender-endpoint/mac-updates) ## Enable troubleshooting mode on macOS 1. Go to the [Microsoft Defender XDR portal](https://security.microsoft.com/), and sign in. 2. Navigate to the device page you would like to turn on troubleshooting mode. Then, select the ellipses(...) and select **Turn on troubleshooting mode**. - :::image type="content" source="images/troubleshooting-mode-on-mac.png" alt-text="Screenshot displaying the screenshot of the troubleshooting mode on mac."::: + :::image type="content" source="media/troubleshooting-mode-on-mac.png" alt-text="Screenshot displaying the screenshot of the troubleshooting mode on mac."::: > [!NOTE] > The **Turn on troubleshooting mode** option is available on all devices, even if the device does not meet the prerequisites for troubleshooting mode. |
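Review bot: the image line moved from images/ to media/ keeps the redundant alt-text "Screenshot displaying the screenshot of the troubleshooting mode on mac"; while the line is being touched, replace it with a description of what the image shows, for example "Screenshot of the Turn on troubleshooting mode option on a Mac device page".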
security | Mac Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md | -**Built-in Scheduled Scan for macOS** (preview) --Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS is now available in Public Preview. To learn more, see [How to schedule scans with Microsoft Defender for Endpoint on macOS](mac-schedule-scan.md). -**Troubleshooting mode for macOS** (preview) +**Troubleshooting mode for macOS** -Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. Troubleshooting mode for macOS is now available in Public Preview. To learn more, see [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](mac-troubleshoot-mode.md). +Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. To learn more, see [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](mac-troubleshoot-mode.md). **Mac devices receive built-in protection** Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **macOS Deprecation** Microsoft Defender for Endpoint no longer supports Big Sur (11) -### Mar-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0) +### Apr-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0) | Build: | **101.24012.0010** | |--|--| Microsoft Defender for Endpoint no longer supports Big Sur (11) ##### What's new - Bug and performance fixes+- **(GA) Built-in Scheduled Scan for macOS**: For information on Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS, see [How to schedule scans with Microsoft Defender for Endpoint on macOS](mac-schedule-scan.md). ### Jan-2024 (Build: 101.23122.0005 | Release version: 20.123122.5.0) |
security | Manage Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-security-policies.md | The policy page displays details that summarize the status of the policy. You ca During an investigation, you can also view the **Security policies** tab in the device page to view the list of policies that are being applied to a particular device. For more information, see [Investigating devices](investigate-machines.md#security-policies). |
security | Manage Sys Extensions Manual Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md | This article describes the procedures involved when deploying Microsoft Defender You might see the prompt that's shown in the following screenshot: 1. Select **OK**. You might get a second prompt as shown in the following screenshot: - :::image type="content" source="images/system-extension-blocked-second-prompt.png" alt-text="The second prompt regarding system extensions being blocked." lightbox="images/system-extension-blocked-second-prompt.png"::: + :::image type="content" source="media/system-extension-blocked-second-prompt.png" alt-text="The second prompt regarding system extensions being blocked." lightbox="media/system-extension-blocked-second-prompt.png"::: 1. From this second-prompt screen, select **OK**. You'll receive a notification message that reads **Installation succeeded**, as shown in the following screenshot: You might see the prompt that's shown in the following screenshot: 1. Enter your password and select **OK**. 1. Click - :::image type="content" source="images/system-preferences-icon.png" alt-text="The System Preferences icon." lightbox="images/system-preferences-icon.png"::: + :::image type="content" source="media/system-preferences-icon.png" alt-text="The System Preferences icon." lightbox="media/system-preferences-icon.png"::: The **System Preferences** screen appears. - :::image type="content" source="images/system-preferences-screen.png" alt-text="The System Preferences screen." lightbox="images/system-preferences-screen.png"::: + :::image type="content" source="media/system-preferences-screen.png" alt-text="The System Preferences screen." lightbox="media/system-preferences-screen.png"::: 1. Click **Security & Privacy**. The **Security & Privacy** screen appears. - :::image type="content" source="images/security-and-privacy-screen.png" alt-text="The Security & Privacy screen." lightbox="images/security-and-privacy-screen.png"::: + :::image type="content" source="media/security-and-privacy-screen.png" alt-text="The Security & Privacy screen." lightbox="media/security-and-privacy-screen.png"::: 1. Select **Click the lock to make changes**. You'll get a prompt as shown in the following screenshot: You might see the prompt that's shown in the following screenshot: 1. Enter your password and click **Unlock**. The following screen appears: - :::image type="content" source="images/screen-on-clicking-unlock.png" alt-text="The screen that is displayed on clicking Unlock." lightbox="images/screen-on-clicking-unlock.png"::: + :::image type="content" source="media/screen-on-clicking-unlock.png" alt-text="The screen that is displayed on clicking Unlock." lightbox="media/screen-on-clicking-unlock.png"::: 1. Select **Details**, next to **Some software system requires your attention before it can be used**. - :::image type="content" source="images/screen-on-clicking-details.png" alt-text="The screen that is displayed on clicking Details." lightbox="images/screen-on-clicking-details.png"::: + :::image type="content" source="media/screen-on-clicking-details.png" alt-text="The screen that is displayed on clicking Details." lightbox="media/screen-on-clicking-details.png"::: 1. Check both the **Microsoft Defender** checkboxes, and select **OK**. You'll get two pop-up screens, as shown in the following screenshot: You might see the prompt that's shown in the following screenshot: If you run systemextensionsctl list, the following screen appears: ### Accessibility |
security | Manage Tamper Protection Individual Device | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device.md | If you're a home user, or you aren't subject to settings managed by a security t Here's what you see in the Windows Security app: > [!NOTE] |
security | Mde Sec Ops Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-sec-ops-guide.md | The Microsoft Defender Endpoint should be set up to support your regular securit - Device management - Configure Microsoft Defender Security Center time zone settings -- **Set up Microsoft Defender XDR incident notifications** <p> To get email notifications on defined Microsoft Defender XDR incidents, it's recommended that you configure email notifications. See [Get incident notifications by email](../defender/incidents-overview.md#get-incident-notifications-by-email).+- **Set up Microsoft Defender XDR incident notifications** <p> To get email notifications on defined Microsoft Defender XDR incidents, it's recommended that you configure email notifications. See [Incident notifications by email](../defender/incidents-overview.md#incident-notifications-by-email). - **Connect to SIEM (Sentinel)** <p> If you have existing security information and event management (SIEM) tools, you can integrate them with Microsoft Defender XDR. See [Integrate your SIEM tools with Microsoft Defender XDR](../defender/configure-siem-defender.md) and [Microsoft Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration). The Microsoft Defender Endpoint should be set up to support your regular securit When Microsoft Defender for Endpoint identifies Indicators of compromise (IOCs) or Indicators of attack (IOAs) and generates an alert, the alert is included in an incident and displayed in the **Incidents** queue in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). - Review these incidents to respond to any Microsoft Defender for Endpoint alerts and resolve once the incident has been remediated. See [Get incident notifications by email](../defender/incidents-overview.md#get-incident-notifications-by-email) and [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md). + Review these incidents to respond to any Microsoft Defender for Endpoint alerts and resolve once the incident has been remediated. See [Incident notifications by email](../defender/incidents-overview.md#incident-notifications-by-email) and [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md). - **Manage false positive and false negative detections** |
security | Microsoft Defender Antivirus On Windows Server | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md | The following table lists the services for Microsoft Defender Antivirus and the |||| | Windows Defender Service (WinDefend) | `C:\Program Files\Windows Defender\MsMpEng.exe` | This service is the main Microsoft Defender Antivirus service that needs to be running always.| | Windows Error Reporting Service (Wersvc) | `C:\WINDOWS\System32\svchost.exe -k WerSvcGroup` | This service sends error reports back to Microsoft. |-| Windows Defender Firewall (MpsSvc) | `C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork` | We recommend keeping the Windows Defender Firewall service enabled. | +| Windows Firewall (MpsSvc) | `C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork` | We recommend keeping the Windows Firewall service enabled. | | Windows Update (Wuauserv) | `C:\WINDOWS\system32\svchost.exe -k netsvcs`| Windows Update is needed to get Security intelligence updates and antimalware engine updates | ## Submit samples To enable automatic sample submission, start a Windows PowerShell console as an |Setting|Description| |||-| **0** - **Always prompt** | The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but isn't recommended for installations on Windows Server 2016 or 2019, or Windows Server 2022 without a GUI. | +| **0** - **Always prompt** | The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This setting is the default for Microsoft Defender Antivirus, but isn't recommended for installations on Windows Server 2016 or 2019, or Windows Server 2022 without a GUI. | | **1** - **Send safe samples automatically** | The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | | **2** - **Never send** | The Microsoft Defender Antivirus service doesn't prompt and doesn't send any files. | | **3** - **Send all samples automatically** | The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | The following table describes methods to set Microsoft Defender Antivirus to pas ||| | Set Microsoft Defender Antivirus to passive mode by using a registry key | Set the `ForceDefenderPassiveMode` registry key as follows: <br/>- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` <br/>- Name: `ForceDefenderPassiveMode` <br/>- Type: `REG_DWORD` <br/>- Value: `1` | | Turn off the Microsoft Defender Antivirus user interface using PowerShell | Open Windows PowerShell as an administrator, and run the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender-GUI`-| Disable Microsoft Defender Antivirus Realtime Protection using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` | +| Disable Microsoft Defender Antivirus real-time protection using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` | | Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard | See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. <br/><br/>When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option. <br/><br/> If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you're prompted to remove the interface option **GUI for Windows Defender**.<br/><br/>Microsoft Defender Antivirus runs normally without the user interface, but the user interface can't be enabled if you disable the core **Windows Defender** feature. | | Uninstall Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender` | | Disable Microsoft Defender Antivirus using Group Policy | In your Local Group Policy Editor, navigate to **Administrative Template** > **Windows Component** > **Endpoint Protection** > **Disable Endpoint Protection**, and then select **Enabled** > **OK**. | If a non-Microsoft antivirus product was installed on Windows Server, Microsoft - [Microsoft Defender Antivirus in Windows](microsoft-defender-antivirus-windows.md) - [Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md) - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Microsoft Defender Antivirus Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md | Title: Microsoft Defender Antivirus security intelligence and product updates description: Manage how Microsoft Defender Antivirus receives protection and product updates. ms.localizationpriority: high Previously updated : 03/20/2024 Last updated : 04/03/2024 audience: ITPro All our updates contain - Serviceability improvements - Integration improvements (Cloud, [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender)) +### March-2024 (Engine: 1.1.24030.4 | Platform: Coming soon) ++- Security intelligence update version: **1.409.1.0** +- Release date: **April 2, 2024** (Engine) / **Coming soon** (Platform) +- Engine: **1.1.24030.4** +- Platform: **Coming soon** +- Support phase: **Security and Critical Updates** ++#### What's new ++- Added manageability settings to opt-out for One Collector telemetry channel and Experimentation and Configuration Service (ECS). +- Microsoft Defender Core Service will be disabled when 3rd party Antivirus is installed (except when Defender for Endpoint is running in Passive mode). +- The known issue in [4.18.24020.7](#february-2024-engine-11240209--platform-418240207) where enforcement of device level access policies wasn't working as expected no longer occurs. +- Fixed high CPU issue caused by redetection done during Sense originating scans. +- Fixed an issue with Security Intelligence Update disk cleanup. +- Fixed an issue where the Signature date information on the Security Health report wasn't accurate. +- Introducted performance improvements when processing paths for exclusions. +- Added improvements to allow recovering from erroneously added [Indicators of compromise (IoC)](manage-indicators.md). +- Improved resilience in processing [attack surface reduction](attack-surface-reduction.md) exclusions for Anti Malware Scan Interface (AMSI) scans. +- Fixed a high memory issue related to the [Behavior Monitoring](behavior-monitor.md) queue that occured when MAPS is disabled. +- A possible deadlock when receiving a [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) configuration change from the [Microsoft Defender portal](https://security.microsoft.com) no longer occurs. + ### February-2024 (Engine: 1.1.24020.9 | Platform: 4.18.24020.7) - Security intelligence update version: **1.407.46.0** All our updates contain - Fixed an onboarding issue in the Unified Agent installation script [install.ps1](https://github.com/microsoft/mdefordownlevelserver). - Fixed a memory leak that impacted some devices that received platform update `4.18.24010.7` -### November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2) --- Security intelligence update version: **1.403.7.0**-- Release date:ΓÇ»**December 5, 2023 (Platform)** / **December 6, 2023 (Engine)**-- Platform: **4.18.23110.3**-- Engine: **1.1.23110.2**-- Support phase: **Security and Critical Updates**--#### What's new --- Fixed PowerShell cmdlet [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) to show the correct date/time for `AntivirusSignatureLastUpdated`-- Resolved deadlock issue that occurred on systems with multiple filter drivers reading a file when the file is copied -- Added the `InitializationProgress` field to [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) output -- Fixed installation failure on Windows Server 2016 due to existing Defender EventLog registry key -- Added the ability to have [quick scans](schedule-antivirus-scans.md) ignore Microsoft Defender Antivirus exclusions -- Fixed remediation for long running [on-demand scans](run-scan-microsoft-defender-antivirus.md) where the service may have been restarted -- Fixed an issue with Microsoft Defender Vulnerability Management to allow the execution of a [blocked application](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps) when the [warn option](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps#block-or-warn-mitigation-action) is selected -- Added support for managing schedule day/time for [signature updates in Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#updates) and [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration) -- Fixed non-standard signature path loading across platforms ([Windows](microsoft-defender-antivirus-windows.md), [Mac](microsoft-defender-endpoint-mac.md), [Linux](microsoft-defender-endpoint-linux.md), [Android](microsoft-defender-endpoint-android.md), and [iOS](microsoft-defender-endpoint-ios.md))-- Improved handling of cached detections in [attack surface reduction](overview-attack-surface-reduction.md) capabilities-- Improved performance for enumerating virtual memory ranges--#### Known issues --- None- ### Previous version updates: Technical upgrade support only After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md). |
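Review bot: the added March-2024 section carries "Platform: Coming soon" in its heading, so the heading anchor (the pattern later entries link to, as in #february-2024-engine-11240209--platform-418240207) will change once the platform version is filled in and any link written against it now will break; consider a stable anchor or hold the heading until the version is known. Also fix the typos in the added bullets while the section is open: "Introducted" should be "Introduced", "occured" should be "occurred", and "Anti Malware Scan Interface" is the Antimalware Scan Interface (AMSI).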
security | Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md | Defender for Endpoint uses the following combination of technology built into Wi <td><center><a href="#ngp"><img src="media/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td> <td><center><a href="#edr"><img src="media/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> <td><center><a href="#ai"><img src="media/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td>-<td><center><a href="#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td> +<td><center><a href="#mte"><img src="media/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td> </tr> <tr> <td colspan="7"> |
security | Microsoft Defender Offline | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md | Title: Microsoft Defender Offline scan in Windows description: You can use Microsoft Defender Offline Scan straight from the Microsoft Defender Antivirus app. You can also manage how it's deployed in your network. ms.localizationpriority: medium Previously updated : 08/30/2022 Last updated : 04/03/2024 search.appverid: met150 ||| |**Platform**| Windows| |**Protection type** | Hardware|-|**Firmware/ Rootkit**| <li> Operating system <li> Driver <li> Memory (Heap) <li> Application <li> Identity <li> Cloud| +|**Firmware/ Rootkit**| Operating system <br/> Driver <br/> Memory (Heap) <br/> Application <br/> Identity <br/> Cloud| ->[!NOTE] +> [NOTE] > The protection for this feature focuses on the Firmware/Rootkit. Microsoft Defender Offline is an anti-malware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). The following are the hardware requirements for Microsoft Defender Offline Scan > - ARM Windows 10 > - Windows Server Stock Keeping Units (SKU's) -For more information about Windows 10 and Windows 11 requirements, see the following topics: +For more information about Windows 10 and Windows 11 requirements, see the following articles: - [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - [Hardware component guidelines](/windows-hardware/design/component-guidelines/components) For more information about Windows 10 and Windows 11 requirements, see the follo To receive Microsoft Defender Offline Scan updates: -- Microsoft Defender Antivirus must be primary AV (not in passive mode).-- Update MDAV, with however you normally deploy updates to endpoints, a supported version of the: +- Microsoft Defender Antivirus must be your primary antivirus software (not in passive mode). ++- Update Microsoft Defender Antivirus how you normally deploy updates to endpoints. Use a supported version of the: + - [Platform Update](https://www.microsoft.com/security/portal/definitions/adl.aspx)+ - [Engine Update](microsoft-defender-antivirus-updates.md)- - Security Intelligence Update ++ - Security Intelligence Updates - You can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx) - - See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information. -- User must be logged in with local administrator privileges.+ - See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) article for more information. ++- Users must be signed in with local administrator privileges. + - Windows Recovery Environment (WinRE) needs to be enabled. ->[!NOTE] -> If WinRE is disabled, the WDO scan won't run and no error message is displayed. -Nothing happens even if the machine is restarted manually. -> To fix this, you only have to enable WinRE. +> [!NOTE] +> If WinRE is disabled, the Windows Defender Offline scan doesn't run and no error messages are displayed. Nothing happens even if the machine is restarted manually. To fix this, you only have to enable WinRE. > > - To check the WinRE status, you can execute this command-line: `reagentc /info`. > - If the status is Disabled, you can enable it by executing this command-line: `reagentc /enable`. Nothing happens even if the machine is restarted manually. The need to run Microsoft Defender Offline Scan: -If Microsoft Defender Antivirus determines that need to run: --- It prompts the user on the endpoint. The prompt can occur via a notification, similar to the following:+If Microsoft Defender Antivirus determines that you need to run Microsoft Defender Offline, it prompts the user on the device. The prompt can occur via a notification, similar to the following: - :::image type="content" source="../../media/notification.png" alt-text="Notification to run Microsoft Defender Offline" lightbox="../../media/notification.png"::: + :::image type="content" source="../../media/notification.png" alt-text="Notification to run Microsoft Defender Offline" lightbox="../../media/notification.png"::: - The user will also be notified within the Microsoft Defender Antivirus client or it can be revealed in Microsoft Intune, if you're using it to manage your Windows endpoints. + The user is also notified within the Microsoft Defender Antivirus client. If you're using Intune to manage devices, you can see the notification in Intune. -- You can manually force an offline scan which is built-in Windows 10, version 1607 or newer, and Windows 11. Or, you can scan through a bootable media for the older Windows OS'es as described [here](#use-the-windows-defender-security-app-to-run-an-offline-scan).+- You can manually force an offline scan that is built-in Windows 10, version 1607 or newer, and Windows 11. Or, you can scan through a bootable media for the older Windows OS'es as described [here](#use-the-windows-defender-security-app-to-run-an-offline-scan). In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. For more information about notifications in Windows Defender, see [Configure the > [!IMPORTANT] > Before you use Microsoft Defender Offline Scan, **make sure you save any files** and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. -You can run a Microsoft Defender Offline scan with the following: +You can run a Microsoft Defender Offline scan with the following methods: - The Windows Security app - PowerShell Starting with Windows 10, version 1607 or newer, and Windows 11, Microsoft Defen > [!NOTE] > In Windows 10, version 1607, the offline scan can be run from **Windows Settings > Update & security > Windows Defender** or from the Windows Defender client. -1. Open the Windows Security app: - - In the Start menu, select **App apps**, then select **Windows Security**, or - - In the Start menu, select **Settings**, then select **Privacy & security**, and then select **Windows Security**, or - - In the Search, search for **Windows Security**, or - - In the task bar, select the hidden icons (chevron icon pointing up), click the Microsoft Defender Antivirus Shield icon. -2. Select **Scan options**. -3. Select the radio button **Microsoft Defender Offline scan** and click **Scan now**. - > [!NOTE] - > The process starts from C:\ProgramData\Microsoft\Windows Defender\Offline Scanner. -4. You'll get a prompt to save your work before continuing, similar to the following image: +1. On your Windows device, open the Windows Security app, and then **Scan options**. ++2. Select the radio button **Microsoft Defender Offline scan** and select **Scan now**. ++ The process starts from `C:\ProgramData\Microsoft\Windows Defender\Offline Scanner`. ++3. You get a prompt to save your work before continuing, similar to the following image: :::image type="content" source="../../media/defender-offline-save-work.png" alt-text="Screenshot of screen prompt to save all work before continuing."::: After you saved your work, select **Scan**.-5. Once you clicked on **Scan**, you'll get another prompt requesting your permission to make changes to your device, similar to the following image: ++4. After you select **Scan**, you get another prompt requesting your permission to make changes to your device, similar to the following image: :::image type="content" source="../../media/defender-offline-apply-change.png" alt-text="Screenshot of a screen prompt requesting permission to apply."::: Select **Yes**.-6. Another prompt will appear informing you that you'll be signed out and windows will shut down in less than a minute, similar to the following image: ++5. 
Another prompt appears and informs you that you'll be signed out and Windows will shut down in less than a minute, similar to the following image: :::image type="content" source="../../media/defender-offline-sign-out-notification.png" alt-text="Screenshot of a screen prompt informing about the sign out."::: -7. You'll see that the Microsoft Defender Antivirus scan (offline scan) is in progress. +6. You see that the Microsoft Defender Antivirus scan (offline scan) is in progress. :::image type="content" source="../../media/defender-offline-antivirus-run.png" alt-text="Screenshot of the Microsoft Defender Antivirus scan."::: For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windo - [Download the 32-bit version (msstool32.exe)](https://go.microsoft.com/fwlink/?LinkID=234123) If you're not sure which version to download, see [Is my PC running the 32-bit or 64-bit version of Windows?](https://support.microsoft.com/windows/32-bit-and-64-bit-windows-frequently-asked-questions-c6ca9541-8dce-4d48-0415-94a3faa2e13d).-2. To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space, and then run the tool. You'll be guided through the steps to create the removable media. ++2. To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space, and then run the tool. You are guided through the steps to create the removable media. > [!TIP] > We recommend you to do the following when downloading Windows Defender Offline: For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windo 3. Scan your PC for viruses and other malware. - 1. Once you've created the USB drive, CD, or DVD, you'll need to remove it from your current computer and take it to the computer you want to scan. Insert the USB drive or disc into the other computer and restart the computer. + 1. 
Once you've created the USB drive, CD, or DVD, remove it from your current computer and take it to the computer you want to scan. Insert the USB drive or disc into the other computer and restart the computer. + 2. Boot from the USB drive, CD, or DVD to run the scan. Depending on the computer's settings, it may automatically boot from the media after you restart it, or you may have to press a key to enter a "boot devices" menu or modify the boot order in the computer's UEFI firmware or BIOS.- 3. Once you've booted from the device, you'll see a Microsoft Defender tool that will automatically scan your computer and remove malware. ++ 3. After you boot the device, you see a Microsoft Defender tool that will automatically scan your computer and remove malware. + 4. After the scan is complete and you're done with the tool, you can reboot your computer and remove the Microsoft Defender Offline media to boot back into Windows.+ 4. Remove any malware that's found from your PC. - 1. If you experience a Stop error on a blue screen when you run the offline scan, restart your device and try running a Microsoft Defender Offline scan again. If the blue-screen error happens again, contact [Microsoft Support](https://support.microsoft.com/). + If you experience a Stop error on a blue screen when you run the offline scan, restart your device and try running a Microsoft Defender Offline scan again. If the blue-screen error happens again, contact [Microsoft Support](https://support.microsoft.com/). ### Where can I find the scan results? On older versions than Windows 10, 2004, you'll see: Windows Defender Antivirus downloaded and configured Windows Defender Offline to run on the next reboot. -- Log Name: Microsoft-Windows-Windows Defender/Operational-- Source: Microsoft-Windows-Windows Defender-- Event ID: 5007-- Level: Information-- Description: Microsoft Defender Antivirus Configuration has changed. 
If this is an unexpected event, you should review the settings as this may be the result of malware.-- Old value: N/A\Scan\OfflineScanRun =-- New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0+- Log Name: `Microsoft-Windows-Windows Defender/Operational` +- Source: `Microsoft-Windows-Windows Defender` +- Event ID: `5007` +- Level: `Information` +- Description: `Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.` +- Old value: `N/A\Scan\OfflineScanRun =` +- New value: `HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0` ## Related articles |
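Review bot: two of the rewritten lines still need wording fixes. "Update Microsoft Defender Antivirus how you normally deploy updates to endpoints" reads as if a word is missing (suggest "the way you normally deploy updates to endpoints"), and "an offline scan that is built-in Windows 10, version 1607 or newer" should be "built into Windows 10, version 1607 or newer"; "Windows OS'es" in the same line would be cleaner as "older Windows versions". In the WinRE note, `reagentc /info` and `reagentc /enable` both need an elevated command prompt; since the list already requires local administrator privileges and the note's whole point is that a disabled WinRE fails silently, say "from an elevated command prompt" so a reader does not mistake a permissions failure for the silent no-op being described.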
security | Migrating Mde Server To Cloud | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud.md | Once all prerequisites are met, [connect](/azure/defender-for-cloud/quickstart-o 3. Enable autoprovisioning on the multicloud connector for the Azure Arc agent, Microsoft Defender for Endpoint extension, Vulnerability Assessment and, optionally, Log Analytics extension. - :::image type="content" source="images/select-plans-aws-gcp.png" alt-text="Screenshot that shows how to enable autoprovisioning for Azure Arc agent." lightbox="images/select-plans-aws-gcp.png"::: + :::image type="content" source="media/select-plans-aws-gcp.png" alt-text="Screenshot that shows how to enable autoprovisioning for Azure Arc agent." lightbox="media/select-plans-aws-gcp.png"::: For more information, see [Defender for Cloud's multicloud capabilities](https://aka.ms/mdcmc). |
security | Msda Updates Previous Versions Technical Upgrade Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md | search.appverid: met150 Microsoft regularly releases [security intelligence updates and product updates for Microsoft Defender Antivirus](microsoft-defender-antivirus-updates.md). It's important to keep Microsoft Defender Antivirus up to date. When a new package version is released, support for the previous two versions is reduced to technical support only. Versions that are older than the previous two versions are listed in this article and are provided for technical upgrade support only. +## November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2) ++- Security intelligence update version: **1.403.7.0** +- Release date:ΓÇ»**December 5, 2023 (Platform)** / **December 6, 2023 (Engine)** +- Platform: **4.18.23110.3** +- Engine: **1.1.23110.2** +- Support phase: **Technical upgrade support (only)** ++### What's new ++- Fixed PowerShell cmdlet [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) to show the correct date/time for `AntivirusSignatureLastUpdated` +- Resolved deadlock issue that occurred on systems with multiple filter drivers reading a file when the file is copied +- Added the `InitializationProgress` field to [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) output +- Fixed installation failure on Windows Server 2016 due to existing Defender EventLog registry key +- Added the ability to have [quick scans](schedule-antivirus-scans.md) ignore Microsoft Defender Antivirus exclusions +- Fixed remediation for long running [on-demand scans](run-scan-microsoft-defender-antivirus.md) where the service may have been restarted +- Fixed an issue with Microsoft Defender Vulnerability Management to allow the execution of a [blocked 
application](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps) when the [warn option](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps#block-or-warn-mitigation-action) is selected +- Added support for managing schedule day/time for [signature updates in Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#updates) and [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration) +- Fixed non-standard signature path loading across platforms ([Windows](microsoft-defender-antivirus-windows.md), [Mac](microsoft-defender-endpoint-mac.md), [Linux](microsoft-defender-endpoint-linux.md), [Android](microsoft-defender-endpoint-android.md), and [iOS](microsoft-defender-endpoint-ios.md)) +- Improved handling of cached detections in [attack surface reduction](overview-attack-surface-reduction.md) capabilities +- Improved performance for enumerating virtual memory ranges ++### Known issues ++- None + ## October-2023 (Platform: 4.18.23100.2009 | Engine: 1.1.23100.2009) - Security intelligence update version: **1.401.3.0** - Release date: **November 3, 2023 (Engine) / November 6, 2023 (Platform)** - Platform: **4.18.23100.2009** - Engine: **1.1.23100.2009**-- Support phase: **Security and Critical Updates**+- Support phase: **Technical upgrade support (only)** ### What's new |
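Review bot: the added line "Release date:ΓÇ»**December 5, 2023 (Platform)**" carries a mis-encoded non-breaking space (the `ΓÇ»` sequence) between "Release date:" and the bold value; replace it with a plain space so it matches the "Release date: **November 3, 2023 (Engine) / November 6, 2023 (Platform)**" line in the October section. Changing the October entry's support phase to "Technical upgrade support (only)" is consistent with the article's intro, which states that only versions older than the previous two are listed here.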
security | Network Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md | Last updated 03/30/2021 Network discovery capabilities are available in the **Device inventory** section of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> and Microsoft Defender XDR consoles. -A designated Microsoft Defender for Endpoint device is used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint's Vulnerability Management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways. +A designated Microsoft Defender for Endpoint device is used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, vulnerability management capabilities in Defender for Endpoint provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways. Once the network devices are discovered and classified, security administrators are able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations. Your first step is to select a device that performs the authenticated network sc 2. SNMP traffic between the Defender for Endpoint scanning device and the targeted network devices must be allowed (for example, by the Firewall). -3. Decide which network devices will be assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall). +3. Decide which network devices are assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall). 4. 
Make sure SNMP read-only is enabled on all configured network devices to allow the Defender for Endpoint scanning device to query the configured network devices. 'SNMP write' isn't needed for the proper functionality of this feature. To complete the scanner registration process: The scanner has a scheduled task that, by default, is configured to look for updates regularly. When the task runs, it compares the version of the scanner on the client device to the version of the agent on the update location. The update location is where Windows looks for updates, such as on a network share or from the internet. -If there's a difference between the two versions, the update process determines which files are different and need to be updated on the local computer. Once the required updates are determined, the downloading of the updates will start. --It's possible to disable automatic updates of the scanner by going to the **MDATP Network Scanner Updater** inside the Windows Task Scheduler. To do this: --- In Windows, go to **Computer Management** \> **Task Scheduler** \> **Task Scheduler Library**.-- Select **MDATP Network Scanner Updater** \> right-click \> and select **Disable**.-- To re-enable, right-click on **MDATP Network Scanner Updater** and select **Enable**.+If there's a difference between the two versions, the update process determines which files are different and need to be updated on the local computer. Once the required updates are determined, the downloading of the updates start. ## Configure a new network device authenticated scan 1. Go to **Settings** \> **Device discovery** \> **Authenticated scans** in the [Microsoft Defender portal](https://security.microsoft.com).+ 2. Select **Add new scan** and choose **Network device authenticated scan** and select **Next**. 
:::image type="content" source="../../media/defender-endpoint/network-authenticated-scan.png" alt-text="Screenshot of the add new network device authenticated scan screen" lightbox="../../media/defender-endpoint/network-authenticated-scan.png"::: 3. Choose whether to **Activate scan**.+ 4. Enter a **Scan name**.+ 5. Select the **Scanning device:** The onboarded device you use to scan the network devices.+ 6. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file overrides any manually added addresses.-7. Select the **Scan interval:** By default, the scan runs every four hours, you can change the scan interval or have it only run once, by selecting 'Don't repeat'. ++7. Select the **Scan interval:** By default, the scan runs every four hours, you can change the scan interval or have it only run once, by selecting **Don't repeat**. + 8. Choose your **Authentication method**.- - You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault, you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials. The secret value is dependent on the Authenticated Method you choose: - |Authentication Method|Azure KeyVault secret value| - |:-|:-:| - |AuthPriv|Username;AuthPassword;PrivPassword| - |AuthNoPriv|Username;AuthPassword| - |CommunityString |CommunityString| + You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault, you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials. 
The secret value is dependent on the Authenticated Method you choose, as described in the following table: ++ |Authentication Method|Azure KeyVault secret value| + |:-|:-:| + |AuthPriv|Username;AuthPassword;PrivPassword| + |AuthNoPriv|Username;AuthPassword| + |CommunityString |CommunityString| 9. Select **Next** to run or skip the test scan.+ 10. Select **Next** to review the settings and the select **Submit** to create your new network device authenticated scan. > [!NOTE] Change command-line settings on your device to allow copying and change text siz - [Device inventory](machines-view-overview.md) - [Windows authenticated scan](../defender-vulnerability-management/windows-authenticated-scan.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
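Review bot: the rewritten sentence "Once the required updates are determined, the downloading of the updates start" has a subject/verb disagreement; "the download of the updates starts" reads better. The same hunk removes the paragraph and steps for disabling automatic scanner updates through the **MDATP Network Scanner Updater** scheduled task without replacing them; if that task still exists, this was the only documented way for administrators to pause scanner updates, so either keep the steps or state explicitly that updates can no longer be disabled. In the authentication step, "Use azure KeyVault" should be "Azure Key Vault" (two words, capitalised), and it would help to restate next to the new secret-value table that, per step 4, only SNMP read-only access is required, so the stored community string or AuthPriv credentials should be read-only ones.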
security | Offboard Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md | Last updated 12/18/2020 Follow the corresponding instructions depending on your preferred deployment method. -> [!NOTE] -> The status of a device will be switched to [Inactive](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding. -> -> Offboarded devices' data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) expires. -> -> The device's profile (without data) will remain in the [Devices List](machines-view-overview.md) for no longer than 180 days. -> -> In addition, devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Defender Vulnerability Management [exposure score](tvm-exposure-score.md) and Microsoft Secure Score for Devices. -> -> To view only active devices, you can filter by [sensor health state](machines-view-overview.md#use-filters-to-customize-the-device-inventory-views), [device tags](machine-tags.md) or [machine groups](machine-groups.md). +The status of a device switches to [Inactive](fix-unhealthy-sensors.md#inactive-devices) seven (7) days after offboarding. ++Data, such as Timeline, Alerts, Vulnerabilities, etc., from devices that were offboarded remains in the Microsoft Defender portal until the configured [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) expires. ++The device's profile (without data) remains in the [Device inventory](machines-view-overview.md) for no longer than 180 days. 
++Devices that weren't active in the last 30 days aren't factored in on the data that reflects your organization's Defender Vulnerability Management [exposure score](tvm-exposure-score.md) and Microsoft Secure Score for Devices. ++To view only active devices, you can filter by [sensor health state](machines-view-overview.md#use-filters-to-customize-the-device-inventory-views), [device tags](machine-tags.md), or [machine groups](machine-groups.md). ## Offboard Windows devices |
security | Onboard Downlevel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md | C:\windows\MMA\filename - **so the installation files are local to the server**: Repeat the process but create item level targeting on the COMMON tab, so the file only gets copied to the appropriate platform/Operating system version in scope: For Windows Server 2008 R2 you'll need (and it will only copy down) the following: This could be done in two phases. First create **the files and the folder in** G As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present. :::image type="content" source="media/newtaskprops.png" alt-text="The new task properties" lightbox="media/newtaskprops.png"::: :::image type="content" source="media/deploymmadowmload.png" alt-text="The deploy mma download properties" lightbox="media/deploymmadowmload.png"::: As mentioned in the onboarding documentation for Server specifically around Server 2008 R2 please see below: For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: |
security | Onboard Windows Client | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-client.md | Title: Defender for Endpoint onboarding Windows Client -description: Onboard Windows Client. +description: Onboard Windows Client devices to Microsoft Defender for Endpoint. -# Defender for Endpoint onboarding Windows Client +# Defender for Endpoint onboarding Windows client devices [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] Last updated 05/19/2022 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https:%2F%2Faka.ms%2FMDEp2OpenTrial) -You'll need to go through onboarding steps of the [Microsoft Defender portal](https://security.microsoft.com) (Go to **Settings** > **Endpoints** > **Onboarding**) to onboard any of the supported devices. Depending on the device, you're guided with appropriate steps and provided management and deployment tool options suitable for the device. +To onboard Windows client devices, follow the onboarding steps in the [Microsoft Defender portal](https://security.microsoft.com) (Go to **Settings** > **Endpoints** > **Onboarding**). You can onboard any of the supported devices. Depending on the particular device, you're guided ny appropriate steps and are provided with management and deployment tool options suitable for the device. -Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. --In general, you identify the client you're onboarding, then follow the corresponding tool appropriate to the device or your environment. 
+Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. In general, you identify the client you're onboarding, then follow the corresponding tool appropriate to the device or your environment. :::image type="content" source="media/onboarddevices.png" alt-text="Onboard devices" lightbox="media/onboarddevices.png"::: [!INCLUDE [Defender for Endpoint repackaging warning](../../includes/repackaging-warning.md)] -## Related topics +## Related articles - [Onboard Windows devices using Microsoft Intune](configure-endpoints-mdm.md) - [Onboard Windows devices using Group Policy](configure-endpoints-gp.md) |
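Review bot: the added sentence "you're guided ny appropriate steps" has a typo and should read "you're guided by appropriate steps". Merging the two paragraphs into one and renaming the heading to "Related articles" are fine as written.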
security | Onboard Windows Server | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-server.md | For guidance on how to download and use Windows Security Baselines for Windows s You'll need to complete the following general steps to successfully onboard servers 2008 R2, 2012 R2, 2016, 2019, 2022. ### Windows Server 2012 R2 and Windows Server 2016 - Download installation and onboarding packages. |
security | Onboarding Endpoint Configuration Manager | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md | Below are more steps to verify whether attack surface reduction rules are correc 3. Select **Go to attack surface management** in the Attack surface management panel. - :::image type="content" source="images/security-center-attack-surface-mgnt-tile.png" alt-text="The attack surface management" lightbox="images/security-center-attack-surface-mgnt-tile.png"::: + :::image type="content" source="media/security-center-attack-surface-mgnt-tile.png" alt-text="The attack surface management" lightbox="media/security-center-attack-surface-mgnt-tile.png"::: 4. Select **Configuration** tab in Attack surface reduction rules reports. It shows attack surface reduction rules configuration overview and attack surface reduction rules status on each device. |
security | Onboarding Notification | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md | You need to have access to: :::image type="content" source="media/apply-to-each-value.png" alt-text="The application of the flow to each condition" lightbox="media/apply-to-each-value.png"::: :::image type="content" source="media/conditions-2.png" alt-text="The condition-1" lightbox="media/conditions-2.png"::: :::image type="content" source="media/condition3.png" alt-text="The condition-2" lightbox="media/condition3.png":::- :::image type="content" source="images/send-email.png" alt-text="The Send an email section" lightbox="images/send-email.png"::: + :::image type="content" source="media/send-email.png" alt-text="The Send an email section" lightbox="media/send-email.png"::: ## Alert notification |
security | Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md | Title: Onboard to Microsoft Defender for Endpoint -description: Learn how to onboard endpoints to Microsoft Defender for Endpoint service +description: Learn how to onboard endpoints to Microsoft Defender for Endpoint service. In order to preview new features and provide early feedback, it's recommended th ## Example deployments -To provide some guidance on your deployments, in this section we'll guide you through using two deployment tools to onboard endpoints. +To provide some guidance on your deployments, in this section we guide you through using two deployment tools to onboard endpoints. The tools in the example deployments are: The example deployments will guide you on configuring some of the Defender for E After onboarding the endpoints move on to the next step where you'll configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. - [Step 5 - Configure capabilities](onboard-configure.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Overview Attack Surface Reduction | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md | As part of your organization's security team, you can configure attack surface r - Controlled folder access - Device control -Audit mode lets you see a record of what *would* have happened if you had enabled the feature. +Audit mode lets you see a record of what *would* have happened if the feature were enabled. You can enable audit mode when testing how the features work. Enabling audit mode only for testing helps to prevent audit mode from affecting your line-of-business apps. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time. You can enable audit mode using Group Policy, PowerShell, and configuration serv | Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | | Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer) | -For example, you can test attack surface reduction rules in audit mode prior to enabling (block mode) them. Attack surface reduction rules are predefined to harden common, known attack surfaces. There are several methods you can use to implement attack surface reduction rules. The preferred method is documented in the following attack surface reduction rules deployment articles: +For example, you can test attack surface reduction rules in audit mode before you enable them in block mode. Attack surface reduction rules are predefined to harden common, known attack surfaces. There are several methods you can use to implement attack surface reduction rules. 
The preferred method is documented in the following attack surface reduction rules deployment articles: - [Attack surface reduction rules deployment overview](attack-surface-reduction-rules-deployment.md) - [Plan attack surface reduction rules deployment](attack-surface-reduction-rules-deployment-plan.md) As mentioned in the video, Defender for Endpoint includes several attack surface | [Network protection](network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus). | | [Test attack surface reduction rules](attack-surface-reduction-rules-deployment-test.md) | Provides steps to use audit mode to test attack surface reduction rules. | | [Web protection](web-protection-overview.md) | Web protection lets you secure your devices against web threats and helps you regulate unwanted content. |+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Partner Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md | Microsoft Defender for Endpoint seamlessly integrates with existing security sol Logo|Partner name|Description :|:|: ![Logo for AttackIQ.](media/attackiq-logo.png)|[AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502)|AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets-![Logo for Microsoft Sentinel.](images/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel +![Logo for Microsoft Sentinel.](media/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel ![Logo for Cymulate.](media/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions ![Logo for Elastic security.](media/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats ![Logo for IBM QRadar.](media/ibm-qradar-logo.png)|[IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903)|Configure IBM QRadar to collect detections from Defender for Endpoint ![Logo for Micro Focus ArcSight.](media/arcsight-logo.png)|[Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548)|Use Micro Focus ArcSight to pull Defender for Endpoint detections-![Logo for RSA NetWitness.](images/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API -![Logo for SafeBreach.](images/safebreach-logo.png)|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations +![Logo for RSA NetWitness.](media/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API +![Logo for SafeBreach.](media/safebreach-logo.png)|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations ![Logo for Skybox Vulnerability Control.](images/skybox-logo.png)|[Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467)|Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities ![Logo for Splunk.](images/splunk-logo.png)|[Splunk](https://go.microsoft.com/fwlink/?linkid=2129805)|The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk ![Logo for XM Cyber.](images/xmcyber-logo.png)|[XM Cyber](/microsoft-365/compliance/insider-risk-management-configure)|Prioritize your response to an alert based on risk factors and high value assets Logo|Partner name|Description ![Logo for Fortinet.](media/fortinet-logo.jpg)|[Fortinet FortiSOAR](https://www.fortinet.com/products/fortisoar)|Fortinet FortiSOAR is a holistic Security Orchestration, Automation and Response (SOAR) workbench, designed for SOC teams to efficiently respond to the ever-increasing influx of alerts, repetitive manual processes, and shortage of resources. It pulls together all of organization's tools, helps unify operations and reduces alert fatigue, context switching, and the mean time to respond to incidents. ![Logo for Delta Risk ActiveEye.](media/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye. ![Logo for Demisto, a Palo Alto Networks Company.](media/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response-![Logo for Microsoft Flow & Azure Functions.](images/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures +![Logo for Microsoft Flow & Azure Functions.](media/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures ![Logo for Rapid7 InsightConnect.](media/rapid7-logo.png)|[Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040)|InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes-![Logo for ServiceNow.](images/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration +![Logo for ServiceNow.](media/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration ![Logo for Swimlane.](images/swimlane-logo.png)|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together ### Threat intelligence Logo|Partner name|Description :|:|: ![Logo for MISP Malware Information Sharing Platform)logo.](media/misp-logo.png)|[MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543)|Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment ![Logo for Palo Alto Networks.](media/paloalto-logo.png)|[Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582)|Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld-![Logo for ThreatConnect.](images/threatconnect-logo.png)|[ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115)|Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators +![Logo for ThreatConnect.](media/threatconnect-logo.png)|[ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115)|Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators ### Network security Logo|Partner name|Description Logo|Partner name|Description :|:|: ![Logo for Cyren Web Filter.](media/cyren-logo.png)|[Cyren Web Filter](https://www.cyren.com/security-center/url-category-check)|Enhance your Defender for Endpoint with advanced Web Filtering-![Logo for Morphisec.](images/morphisec-logo.png)|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)|Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information +![Logo for Morphisec.](media/morphisec-logo.png)|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)|Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information ![Logo for THOR Cloud.](media/nextron-thor-logo.png)|[THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)|Provides on-demand live forensics scans using a signature base with focus on persistent threats ## SIEM integration |
security | Rbac | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/rbac.md | Large geo-distributed security operations teams typically adopt a tier-based mod |Tier|Description| |||-|Tier 1|**Local security operations team / IT team** <br> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.| -|Tier 2|**Regional security operations team** <br> This team can see all the devices for their region and perform remediation actions.| -|Tier 3|**Global security operations team** <br> This team consists of security experts and are authorized to see and perform all actions from the portal.| +|Tier 1|**Local security operations team / IT team** <br/> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.| +|Tier 2|**Regional security operations team** <br/>This team can see all the devices for their region and perform remediation actions.| +|Tier 3|**Global security operations team** <br/>This team consists of security experts and are authorized to see and perform all actions from the portal.| > [!NOTE] > For Tier 0 assets, refer to [Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-configure) for security admins to provide more granular control of Microsoft Defender for Endpoint and Microsoft Defender XDR. Someone with a Defender for Endpoint Global administrator role has unrestricted - [RBAC roles](../office-365-security/migrate-to-defender-for-office-365-onboard.md#rbac-roles) - [Create and manage device groups in Microsoft Defender for Endpoint](machine-groups.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Respond Machine Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md | Response actions run along the top of a specific device page and include: - Consult a threat expert - Action center -[![Image of response actions.](images/response-actions.png)](images/response-actions.png#lightbox) +[![Image of response actions.](media/response-actions.png)](media/response-actions.png#lightbox) > [!IMPORTANT] > [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) includes only the following manual response actions: As part of the investigation or response process, you can remotely initiate an a One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan. The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender Antivirus alerts will reflect any detections that surfaced during the scan. To restrict an application from running, a code integrity policy is applied that Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event. ### Notification on device user |
security | Run Analyzer Macos Linux | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md | If you're using a terminal, download the tool by entering the following command: 2. Verify the download. > [!NOTE]- > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863' + > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '00E314DD1C1F90F0DF177189E67D0BCBF03CAF7515D4F10BD509A4BFD1889253' ++ + - Linux ```console- echo '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863 XMDEClientAnalyzerBinary.zip' | sha256sum -c + echo '00E314DD1C1F90F0DF177189E67D0BCBF03CAF7515D4F10BD509A4BFD1889253 XMDEClientAnalyzerBinary.zip' | sha256sum -c ``` + - macOS ++ ```console + echo '00E314DD1C1F90F0DF177189E67D0BCBF03CAF7515D4F10BD509A4BFD1889253 XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c + ``` ++ 3. Extract the contents of _XMDEClientAnalyzerBinary.zip_ on the machine. If you're using a terminal, extract the files by entering the following command: When using a terminal, unzip the file by entering one of the following commands 2. Verify the download + - Linux ++ ```console + echo '2F33B35ABA3B5B9161E7CCD88CDC0ADACD7D27173768DD68632651950ADF77B8 XMDEClientAnalyzer.zip' | sha256sum -c + ``` ++ - macOS + ```console- echo '926DEF4C6857641E205E7978126F7C2CE541D52AEA1C0E194DDB85F7BCFDE3D9 XMDEClientAnalyzer.zip' | sha256sum -c + echo '2F33B35ABA3B5B9161E7CCD88CDC0ADACD7D27173768DD68632651950ADF77B8 XMDEClientAnalyzer.zip' | shasum -a 256 -c ``` 3. Extract the contents of XMDEClientAnalyzer.zip on the machine.\ |
security | Run Analyzer Windows | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md | In addition to the previous procedure, you can also [collect the analyzer suppor All the PowerShell scripts and modules included with the analyzer are Microsoft-signed. If files were modified in any way, then the analyzer is expected to exit with the following error: If you see this error, the issuerInfo.txt output contains detailed information about why this happened and the affected file: If you see this error, the issuerInfo.txt output contains detailed information a Example contents after MDEClientAnalyzer.ps1 is modified: ## Result package contents on Windows |
security | Run Detection Test | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md | Verifying that a device is added to the service successfully is a critical step Run the following PowerShell script on a newly onboarded device to verify that it's properly reporting to the Defender for Endpoint service. -1. Open an elevated command-line prompt on the device and run the script: +1. On the device, open Command Prompt as an administrator. - 1. Go to **Start** and type **cmd**. -- 1. Right-click **Command Prompt** and select **Run as administrator**. -- :::image type="content" source="images/run-as-admin.png" alt-text="The Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png"::: - 2. At the prompt, copy and run the following command: ```powershell The Command Prompt window closes automatically. If successful, a new alert appea - [Onboard Windows devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Tamperprotection Macos | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamperprotection-macos.md | Check the tamper protection status by running the following command: The result shows "block" if tamper protection is on: -![Image of tamper protection in block mode](images/tp-block-mode.png) +![Image of tamper protection in block mode](media/tp-block-mode.png) You can also run full `mdatp health` and look for the "tamper_protection" in the output. You can verify that tamper protection is on through various ways. Tampering alert is raised in the Microsoft Defender portal ### Verify block mode and audit modes - Using Advanced hunting, you see tampering alerts appear - Tampering events can be found in the local device logs: `sudo grep -F '[{tamperProtection}]' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log` -![Screenshot of tamper protection log.](images/tamper-protection-log.png) +![Screenshot of tamper protection log.](media/tamper-protection-log.png) ### DIY scenarios |
security | Techniques Device Timeline | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md | Select the specific *Attack technique* to open the related ATT&CK technique page You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon. You can do the same for command lines. ## Investigate related events To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique. > [!NOTE] > Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results. |
security | Threat Analytics Analyst Reports | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md | Last updated 12/18/2020 Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab. _Analyst report section of a threat analytics report_ |
security | Threat Analytics | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md | The threat analytics dashboard is a great jump off point for getting to the repo Select a threat from the dashboard to view the report for that threat. ## View a threat analytics report Each threat analytics report provides information in three sections: **Overview* The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices. _Overview section of a threat analytics report_ #### Assess the impact to your organization In the **Mitigations** section, review the list of specific actionable recommend Mitigation information in this section incorporates data from [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report. _Mitigations section of a threat analytics report_ |
security | Use Group Policy Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md | ms.localizationpriority: medium Previously updated : 05/24/2023 Last updated : 04/03/2024 We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) t In general, you can use the following procedure to configure or change some settings for Microsoft Defender Antivirus. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object (GPO) you want to configure and select **Edit**. 2. Using the **Group Policy Management Editor** go to **Computer configuration**. -3. Click **Administrative templates**. +3. Select **Administrative templates**. 4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus**. -5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes. +5. Expand the section (referred to as **Location** in the table in this article) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes. 6. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). The following table lists commonly used Group Policy settings that are available |Location|Setting|Article| |||| |Client interface|Enable headless UI mode|[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)|-|Client interface|Display additional text to clients when they need to perform an action|[Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)| +|Client interface|Display more text to clients when they need to perform an action|[Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)| |Client interface|Suppress all notifications|[Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)| |Client interface|Suppresses reboot notifications|[Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)| |Exclusions|Extension Exclusions|[Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)| The following table lists commonly used Group Policy settings that are available |MAPS|Configure local setting override for reporting to Microsoft MAPS|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)| |MpEngine|Configure extended cloud check|[Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)| |MpEngine|Select cloud protection level|[Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)|-|Network inspection system|Specify additional definition sets for network traffic inspection| Not used (deprecated) | +|Network inspection system|Specify more definition sets for network traffic inspection| Not used (deprecated) | |Network inspection system|Turn on definition retirement| Not used (deprecated)| |Network inspection system|Turn on protocol recognition| Not used (deprecated)| |Quarantine|Configure local setting override for the removal of items from Quarantine folder|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)| The following table lists commonly used Group Policy settings that are available |Real-time protection|Configure local setting override for monitoring file and program activity on your computer|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)| |Real-time protection|Configure local setting override for monitoring for incoming and outgoing file activity|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)| |Real-time protection|Configure local setting override for scanning all downloaded files and attachments|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)|-|Real-time protection|Configure local setting override for turn on behavior monitoring|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)| +|Real-time protection|Configure local setting override to turn on behavior monitoring|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)| |Real-time protection|Configure local setting override to turn on real-time protection|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)| |Real-time protection|Define the maximum size of downloaded files and attachments to be scanned|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)| |Real-time protection|Monitor file and program activity on your computer|[Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)| The following table lists commonly used Group Policy settings that are available - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md) - [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Web Protection Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md | Title: Web protection -description: Learn about the web protection in Microsoft Defender for Endpoint and how it can protect your organization +description: Learn about the web protection in Microsoft Defender for Endpoint and how it can protect your organization. search.appverid: met150 ms.localizationpriority: medium Previously updated : 12/16/2022 Last updated : 04/03/2024 audience: ITPro - m365-security - tier2 - mde-asr+ Web content filtering includes **Web activity by category**, **Web content filte Web content filtering includes: -- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away.+- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away. - You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender for Endpoint role-based access control settings](/microsoft-365/security/defender-endpoint/rbac). > [!NOTE] > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. Web protection is made up of the following components, listed in order of preced The order of precedence relates to the order of operations by which a URL or IP is evaluated. For example, if you have a web content filtering policy you can create exclusions through custom IP/URL indicators. Custom Indicators of compromise (IoC) are higher in the order of precedence than WCF blocks. -Similarly, during a conflict between indicators, allows always take precedence over blocks (override logic). That means that an allow indicator will win over any block indicator that is present. +Similarly, during a conflict between indicators, allows always take precedence over blocks (override logic). That means that an allow indicator takes precedence over any block indicator that is present. -The table below summarizes some common configurations that would present conflicts within the web protection stack. It also identifies the resulting determinations based on the precedence listed above. --<br> --**** +The following table summarizes some common configurations that would present conflicts within the web protection stack. It also identifies the resulting determinations based on the precedence described earlier in this article. |Custom Indicator policy|Web threat policy|WCF policy|Defender for Cloud Apps policy|Result| |||||| |Allow|Block|Block|Block|Allow (Web protection override)| |Allow|Allow|Block|Block|Allow (WCF exception)| |Warn|Block|Block|Block|Warn (override)|-| -Internal IP addresses are not supported by custom indicators. For a warn policy when bypassed by the end user, the site will be unblocked for 24 hours for that user by default. This time frame can be modified by the Admin and is passed down by the SmartScreen cloud service. The ability to bypass a warning can also be disabled in Microsoft Edge using CSP for web threat blocks (malware/phishing). For more information, see [Microsoft Edge SmartScreen Settings](/DeployEdge/microsoft-edge-policies#smartscreen-settings-policies). +Internal IP addresses aren't supported by custom indicators. For a warn policy when bypassed by the end user, the site is unblocked for 24 hours for that user by default. This time frame can be modified by the Admin and is passed down by the SmartScreen cloud service. The ability to bypass a warning can also be disabled in Microsoft Edge using CSP for web threat blocks (malware/phishing). For more information, see [Microsoft Edge SmartScreen Settings](/DeployEdge/microsoft-edge-policies#smartscreen-settings-policies). ## Protect browsers -In all web protection scenarios, SmartScreen and Network Protection can be used together to ensure protection across both first and third-party browsers and processes. SmartScreen is built directly into Microsoft Edge, while Network Protection monitors traffic in third-party browsers and processes. The diagram below illustrates this concept. This diagram of the two clients working together to provide multiple browser/app coverages is accurate for all features of Web Protection (Indicators, Web Threats, Content Filtering). +In all web protection scenarios, SmartScreen and Network Protection can be used together to ensure protection across both Microsoft and non-Microsoft browsers and processes. SmartScreen is built directly into Microsoft Edge, while Network Protection monitors traffic in non-Microsoft browsers and processes. The following diagram illustrates this concept. This diagram of the two clients working together to provide multiple browser/app coverages is accurate for all features of Web Protection (Indicators, Web Threats, Content Filtering). :::image type="content" source="../../media/web-protection-protect-browsers.png" alt-text="The usage of smartScreen and Network Protection together" lightbox="../../media/web-protection-protect-browsers.png"::: ## Troubleshoot endpoint blocks -Responses from the SmartScreen cloud are standardized. Tools like Fiddler can be used to inspect the response from the cloud service, which will help determine the source of the block. +Responses from the SmartScreen cloud are standardized. Tools like Fiddler can be used to inspect the response from the cloud service, which helps determine the source of the block. When the SmartScreen cloud service responds with an allow, block, or warn response, a response category and server context is relayed back to the client. In Microsoft Edge, the response category is what is used to determine the appropriate block page to show (malicious, phishing, organizational policy). -The table below shows the responses and their correlated features. --<br> --**** +The following table shows the responses and their correlated features. |ResponseCategory|Feature responsible for the block| ||| The table below shows the responses and their correlated features. |CasbPolicy|Defender for Cloud Apps| |Malicious|Web threats| |Phishing|Web threats|-||| ## Advanced hunting for web protection -Kusto queries in advanced hunting can be used to summarize web protection blocks in your organization for up to 30 days. These queries use the information listed above to distinguish between the various sources of blocks and summarize them in a user-friendly manner. For example, the query below lists all WCF blocks originating from Microsoft Edge. +Kusto queries in advanced hunting can be used to summarize web protection blocks in your organization for up to 30 days. These queries use the information listed above to distinguish between the various sources of blocks and summarize them in a user-friendly manner. For example, the following query lists all WCF blocks originating from Microsoft Edge. ```kusto DeviceEvents DeviceEvents | where Experience == "CustomPolicy" ``` -Similarly, you can use the query below to list all WCF blocks originating from Network Protection (for example, a WCF block in a third-party browser). Note that the ActionType has been updated and 'Experience' has been changed to 'ResponseCategory'. +Similarly, you can use the following query to list all WCF blocks originating from Network Protection (for example, a WCF block in a non-Microsoft browser). The `ActionType` is updated and `Experience` changed to `ResponseCategory`. ```kusto DeviceEvents DeviceEvents | where ResponseCategory == "CustomPolicy" ``` -To list blocks that are due to other features (like Custom Indicators), refer to the table above outlining each feature and their respective response category. These queries may also be modified to search for telemetry related to specific machines in your organization. Note that the ActionType shown in each query above will show only those connections that were blocked by a Web Protection feature, and not all network traffic. +To list blocks that are due to other features (like Custom Indicators), refer to the table listed earlier in this article. The table outlines each feature and their respective response category. These queries can be modified to search for telemetry related to specific machines in your organization. The ActionType shown in each query shows only those connections that were blocked by a Web Protection feature, and not all network traffic. ## User experience -If a user visits a web page that poses a risk of malware, phishing, or other web threats, Microsoft Edge will trigger a block page that reads 'This site has been reported as unsafe' along with information related to the threat. +If a user visits a web page that poses a risk of malware, phishing, or other web threats, Microsoft Edge triggers a block page that resembles the following image: -> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/web-protection-malicious-block.png" alt-text="The page blocked by Microsoft Edge" lightbox="../../media/web-protection-malicious-block.png"::: -If blocked by WCF or a custom indicator, a block page shows in Microsoft Edge that tells the user this site is blocked by their organization. +Beginning with Microsoft Edge 124, the following block page is shown for all Web Content Filtering category blocks. -> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/web-protection-indicator-blockpage.png" alt-text="The page blocked by your organization" lightbox="../../media/web-protection-indicator-blockpage.png"::: -In any case, no block pages are shown in third-party browsers, and the user sees a "Secure Connection Failed' page along with a toast notification. Depending on the policy responsible for the block, a user will see a different message in the toast notification. For example, web content filtering will display the message 'This content is blocked'. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/web-protection-np-block.png" alt-text="The page blocked by WCF" lightbox="../../media/web-protection-np-block.png"::: +In any case, no block pages are shown in non-Microsoft browsers, and the user sees a "Secure Connection Failed" page along with a toast notification. Depending on the policy responsible for the block, a user sees a different message in the toast notification. For example, web content filtering displays the message, "This content is blocked." ## Report false positives -To report a false positive for sites that have been deemed dangerous by SmartScreen, use the link that appears on the block page in Microsoft Edge (as shown above). +To report a false positive for sites that have been deemed dangerous by SmartScreen, use the link that appears on the block page in Microsoft Edge (as shown earlier in this article). -For WCF, you can dispute the category of a domain. Navigate to the **Domains** tab of the WCF reports. You will see an ellipsis beside each of the domains. Hover over this ellipsis and select **Dispute Category**. A flyout will open. Set the priority of the incident and provide some additional details, such as the suggested category. For more information on how to turn on WCF and how to dispute categories, see [Web content filtering](web-content-filtering.md). +For WCF, you can dispute the category of a domain. Navigate to the **Domains** tab of the WCF reports. You see an ellipsis beside each of the domains. Hover over this ellipsis and select **Dispute Category**. A flyout opens. Set the priority of the incident and provide some other details, such as the suggested category. For more information on how to turn on WCF and how to dispute categories, see [Web content filtering](web-content-filtering.md). For more information on how to submit false positives/negatives, see [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md). ## Related information -<br> --**** --|Topic|Description| +|Article|Description| |||-|[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you have blocked.| +|[Web threat protection](web-threat-protection.md) | Prevent access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that are blocked.| |[Web content filtering](web-content-filtering.md) | Track and regulate access to websites based on their content categories.|-| + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Whats New In Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md | For more information on Microsoft Defender for Endpoint on specific operating sy > > (/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=) +## April 2024 ++**Microsoft Defender for Endpoint on macOS** feature now in GA: ++- **Troubleshooting mode for macOS** : Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. To learn more, see [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](mac-troubleshoot-mode.md). ++## (GA) March 2024 ++**Built-in Scheduled scan for macOS**: For information on Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS, see [How to schedule scans with Microsoft Defender for Endpoint on macOS](mac-schedule-scan.md) + ## February 2024 **Attack Surface Reduction (ASR) Rules** |
security | Defender Vulnerability Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management.md | -Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk. +Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Using Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk. Watch the following video to learn more about Defender Vulnerability Management. Advanced vulnerability and configuration assessment tools help you understand an ## Risk-based intelligent prioritization -Defender Vulnerability Management leverage Microsoft's threat intelligence, breach likelihood predictions, business contexts, and device assessments to quickly prioritize the biggest vulnerabilities in your organization. A single view of prioritized recommendations from multiple security feeds, along with critical details including related CVEs and exposed devices, helps you quickly remediate the biggest vulnerabilities on your most critical assets. 
Risk-based intelligent prioritization: +Defender Vulnerability Management uses Microsoft's threat intelligence, breach likelihood predictions, business contexts, and device assessments to quickly prioritize the biggest vulnerabilities in your organization. A single view of prioritized recommendations from multiple security feeds, along with critical details including related CVEs and exposed devices, helps you quickly remediate the biggest vulnerabilities on your most critical assets. Risk-based intelligent prioritization: - **Focuses on emerging threats** - Dynamically aligns the prioritization of security recommendations with vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk. - **Pinpoints active breaches** - Correlates vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization. |
security | Advanced Hunting Aadsignineventsbeta Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadsignineventsbeta-table.md | Title: AADSignInEventsBeta table in the advanced hunting schema description: Learn about the Microsoft Entra sign-in events table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, file, IP address, device, machine, user, account, identity, AAD -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Aadspnsignineventsbeta Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md | Title: AADSpnSignInEventsBeta table in the advanced hunting schema description: Learn about information associated with Microsoft Entra service principal and managed identity sign-in events table. -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Alertevidence Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-alertevidence-table.md | Title: AlertEvidence table in the advanced hunting schema description: Learn about information associated with alerts in the AlertEvidence table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Alertinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-alertinfo-table.md | Title: AlertInfo table in the advanced hunting schema description: Learn about alert generation events in the AlertInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Assignedipaddresses Function | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-assignedipaddresses-function.md | Title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender XDR description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Behaviorentities Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-behaviorentities-table.md | Title: BehaviorEntities table in the advanced hunting schema description: Learn about behaviors in the BehaviorEntities table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Behaviorinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-behaviorinfo-table.md | Title: BehaviorInfo table in the advanced hunting schema description: Learn about alert generation events in the BehaviorInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Best Practices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-best-practices.md | description: Learn how to construct fast, efficient, and error-free threat hunti search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Cloudappevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-cloudappevents-table.md | Title: CloudAppEvents table in the advanced hunting schema description: Learn about events from cloud apps and services in the CloudAppEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, CloudAppEvents, Defender for Cloud Apps -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Custom Functions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-custom-functions.md | Title: Custom functions in the advanced hunting schema description: Learn about writing your own custom functions for hunting -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, functions -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Deviceevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceevents-table.md | Title: DeviceEvents table in the advanced hunting schema description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, DeviceEvents -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicefilecertificateinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefilecertificateinfo-table.md | Title: DeviceFileCertificateInfo table in the advanced hunting schema description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, digital signature, certificate, file signing, DeviceFileCertificateInfo -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicefileevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefileevents-table.md | Title: DeviceFileEvents table in the advanced hunting schema description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, DeviceFileEvents, files, path, hash, sha1, sha256, md5 -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicefromip Function | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefromip-function.md | Title: DeviceFromIP() function in advanced hunting for Microsoft Defender XDR description: Learn how to use the DeviceFromIP() function to get the devices that have been assigned a specific IP address -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, device, devicefromIP, function, enrichment -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Deviceimageloadevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceimageloadevents-table.md | Title: DeviceImageLoadEvents table in the advanced hunting schema description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DeviceImageLoadEvents, DLL loading, library, file image -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Deviceinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceinfo-table.md | Title: DeviceInfo table in the advanced hunting schema description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, DeviceInfo, device, machine, OS, platform, users -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicelogonevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicelogonevents-table.md | Title: DeviceLogonEvents table in the advanced hunting schema description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, DeviceLogonEvents, authentication, logon, sign in -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicenetworkevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table.md | Title: DeviceNetworkEvents table in the advanced hunting schema description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, NetworkCommunicationEvents, network connection, remote ip, local ip -search.product: eADQiWindows 10XVcnh search.appverid: met150 --ms.sitesec: library ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicenetworkinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkinfo-table.md | Title: DeviceNetworkInfo table in the advanced hunting schema description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, DeviceNetworkInfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Deviceprocessevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table.md | Title: DeviceProcessEvents table in the advanced hunting schema description: Learn about the process spawning or creation events in the DeviceProcessEventstable of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, DeviceProcessEvents, process id, command line, DeviceProcessEvents -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Deviceregistryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table.md | Title: DeviceRegistryEvents table in the advanced hunting schema description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, DeviceRegistryEvents, key, subkey, value -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvmhardwarefirmware Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmhardwarefirmware-table.md | Title: DeviceTvmHardwareFirmware table in the advanced hunting schema description: Learn about the DeviceTvmHardwareFirmware table in the advanced hunting schema, which includes information on devices like processor, BIOS, and others, as checked in threat and vulnerability management in Microsoft Defender XDR. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmHardwareFirmware -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvminfogathering Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvminfogathering-table.md | Title: DeviceTvmInfoGathering table in the advanced hunting schema description: Learn about the assessment events including the status of various configurations and attack surface area states of devices in the DeviceTvmInfoGathering table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities, Microsoft Defender Vulnerability Management -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvminfogatheringkb Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvminfogatheringkb-table.md | Title: DeviceTvmInfoGatheringKB table in the advanced hunting schema description: Learn about the metadata for assessment events in the DeviceTvmInfoGathering table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities, MDVM -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvmsecureconfigurationassessment Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessment-table.md | Title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema description: Learn about security assessment events in the DeviceTvmSecureConfigurationAssessment table of the advanced hunting schema. These events provide device information, security configuration details, impact, and compliance information. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvmsecureconfigurationassessmentkb Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md | Title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema description: Learn about the various secure configurations assessed by Microsoft Defender Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB, MDVM, Microsoft Defender Vulnerability Management -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvmsoftwareevidencebeta Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareevidencebeta-table.md | Title: DeviceTvmSoftwareEvidenceBeta table in the advanced hunting schema description: Learn how to use the DeviceTvmSoftwareEvidenceBeta table in the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, evidence, software evidence, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareEvidenceBeta -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvmsoftwareinventory Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareinventory-table.md | Title: DeviceTvmSoftwareInventory table in the advanced hunting schema description: Learn about the inventory of software in your devices in the DeviceTvmSoftwareInventory table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvmsoftwarevulnerabilities Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md | Title: DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema description: Learn about the software vulnerabilities found on devices and the list of available security updates that address each vulnerability in the DeviceTvmSoftwareVulnerabilities table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Devicetvmsoftwarevulnerabilitieskb Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md | Title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema description: Learn about the software vulnerabilities tracked by Microsoft Defender Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema, reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Emailattachmentinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table.md | Title: EmailAttachmentInfo table in the advanced hunting schema description: Learn about email attachment information in the EmailAttachmentInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailAttachmentInfo, network message id, sender, recipient, attachment id, attachment name, malware verdict -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Emailevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailevents-table.md | Title: EmailEvents table in the advanced hunting schema description: Learn about events associated with Microsoft 365 emails in the EmailEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Emailpostdeliveryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md | Title: EmailPostDeliveryEvents table in the advanced hunting schema description: Learn about post-delivery actions taken on Microsoft 365 emails in the EmailPostDeliveryEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailPostDeliveryEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Emailurlinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table.md | Title: EmailUrlInfo table in the advanced hunting schema description: Learn about URL or link information in the EmailUrlInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailUrlInfo, network message id, url, link -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Errors | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-errors.md | Title: Handle errors in advanced hunting for Microsoft Defender XDR description: Understand errors displayed when using advanced hunting -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error, limits, quota, parameter, allocation -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Example | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-example.md | Title: Advanced hunting example for Microsoft Defender for Office 365 description: Get started searching for email threats using advanced hunting -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security + f1.keywords: - NOCSH |
security | Advanced Hunting Expert Training | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md | Title: Get expert training on advanced hunting description: Free training and guidance from advanced hunting experts -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, language, training, scenarios, basic to advanced, videos, step-by-step -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Exposuregraphedges Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-exposuregraphedges-table.md | Title: ExposureGraphEdges table in the advanced hunting schema description: Learn about the ExposureGraphEdges table of the advanced hunting schema, which provides attack surface information, to help you understand how potential threats might reach, and compromise, valuable assets. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, ExposureGraphEdges, EdgeId, EdgeLabel, SourceNodeName, SourceNodeLabel, TargetNodeName, TargetNodeLabel, SourceNodeCategories, TargetNodeCategories, EdgeProperties -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH Last updated 03/13/2024 - Microsoft Defender XDR - Microsoft Security Exposure Management (public preview) ++> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The `ExposureGraphEdges` table in the [advanced hunting](advanced-hunting-overview.md) schema provides visibility into relationships between entities and assets in the enterprise exposure graph. This visibility can help uncover critical organizational assets and explore entity relationships and attack paths. Use this reference to construct queries that return information from this table. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md). 
For information on other tables in the advanced hunting schema, [see the advance | `SourceNodeId` | `string` | Node ID of the edge's source | | `SourceNodeName` | `string` | Source node display name | | `SourceNodeLabel` | `string` | Source node label |-| `SourceNodeCategories` | `Dynamic` | Categories list of the source node in JSON format | +| `SourceNodeCategories` | `dynamic` | Categories list of the source node in JSON format | | `TargetNodeId` | `string` | Node ID of the edge's target | | `TargetNodeName` | `string` | Display name of the target node | | `TargetNodeLabel` | `string` | Target node label |-| `TargetNodeCategories` | `Dynamic` | The categories list of the target node in JSON format | -| `EdgeProperties` | `Dynamic` | Optional data relevant for the relationship between the nodes in JSON format | +| `TargetNodeCategories` | `dynamic` | The categories list of the target node in JSON format | +| `EdgeProperties` | `dynamic` | Optional data relevant for the relationship between the nodes in JSON format | ## Related articles |
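Review bot: the `Dynamic` to `dynamic` change in the type column is correct (KQL scalar type names are lowercase, matching the `string` rows in the same table), but while the table is open, make the source and target descriptions parallel. `SourceNodeName` reads "Source node display name" while `TargetNodeName` reads "Display name of the target node", and `SourceNodeCategories` reads "Categories list of the source node in JSON format" while `TargetNodeCategories` reads "The categories list of the target node in JSON format". Pick one phrasing per pair so a reader scanning for a column does not wonder whether the two differ in content.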
security | Advanced Hunting Exposuregraphnodes Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-exposuregraphnodes-table.md | Title: ExposureGraphNodes table in the advanced hunting schema description: Learn about the ExposureGraphNodes table of the advanced hunting schema, which provides attack surface information, to help you understand how potential threats might reach, and compromise, valuable assets. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, ExposureGraphNodes, NodeId, NodeLabel, NodeName, NodeProperties, EntityIds -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH Last updated 03/12/2024 - Microsoft Defender XDR - Microsoft Security Exposure Management (public preview) +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The `ExposureGraphNodes` table in the [advanced hunting](advanced-hunting-overview.md) schema contains organizational entities and their properties. These include entities like devices, identities, user groups, and cloud assets such as virtual machines (VMs), storage, and containers. Each node corresponds to an individual entity and encapsulates information about its characteristics, attributes, and security related insights within the organizational structure. Use this reference to construct queries that return information from this table. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md). 
For information on other tables in the advanced hunting schema, [see the advance | `NodeId` | `string` | Unique node identifier | | `NodeLabel` | `string` | Node label | | `NodeName` |`string` | Node display name |-| `Categories` |`Dynamic` | Categories of the node in JSON format | -| `NodeProperties` |`Dynamic` | Properties of the node, including insights related to the resource, such as whether the resource is exposed to the internet, or vulnerable to remote code execution. Values are JSON formatted raw data (unstructured). | -| `EntityIds` | `Dynamic` | All known node identifiers in JSON format | +| `Categories` |`dynamic` | Categories of the node in JSON format | +| `NodeProperties` |`dynamic` | Properties of the node, including insights related to the resource, such as whether the resource is exposed to the internet, or vulnerable to remote code execution. Values are JSON formatted raw data (unstructured). | +| `EntityIds` | `dynamic` | All known node identifiers in JSON format | ## Related articles |
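Review bot: same `dynamic` fix as in the ExposureGraphEdges table, and it is right. The three `dynamic` columns describe their contents three different ways ("in JSON format" for `Categories` and `EntityIds`, "JSON formatted raw data (unstructured)" for `NodeProperties`); say once, for all three, that they are KQL dynamic values read with property access or `mv-expand` rather than parsed as JSON strings, and keep the "(unstructured)" caveat only on `NodeProperties`, which is the column whose shape the text says carries per-resource insights.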
security | Advanced Hunting Extend Data | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-extend-data.md | Title: Extend advanced hunting coverage with the right settings description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting -keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Fileprofile Function | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-fileprofile-function.md | Title: FileProfile() function in advanced hunting for Microsoft Defender XDR description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Find Ransomware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-find-ransomware.md | Title: Find ransomware with advanced hunting description: Use advanced hunting to locate devices potentially affected by ransomware. -keywords: advanced hunting, ransomware, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH Last updated 02/16/2021 **Applies to:** - Microsoft Defender XDR -Ransomware has rapidly evolved from being simple commodity malware affecting individual computer users to an enterprise threat that is severely impacting industries and government institutions. While [Microsoft Defender XDR](microsoft-365-defender.md) provides many capabilities that detect and block ransomware and associated intrusion activities, performing proactive checks for signs of compromise can help keep your network protected. +Ransomware evolved rapidly from being simple commodity malware affecting individual computer users to an enterprise threat that is severely impacting industries and government institutions. While [Microsoft Defender XDR](microsoft-365-defender.md) provides many capabilities that detect and block ransomware and associated intrusion activities, performing proactive checks for signs of compromise can help keep your network protected. > [Read about human-operated ransomware](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) With [advanced hunting](advanced-hunting-overview.md) in Microsoft Defender XDR, you can create queries that locate individual artifacts associated with ransomware activity. 
You can also run more sophisticated queries that can look for signs of activity and weigh those signs to find devices that require immediate attention. ## Signs of ransomware activity+ Microsoft security researchers have observed various common yet subtle artifacts in many ransomware campaigns launched by sophisticated intruders. These signs mostly involve use of system tools to prepare for encryption, prevent detection, and clear forensic evidence. | Ransomware activity | Common tools | Intent | |--|--|--|-| Stop processes | _taskkill.exe_, _net stop_ | Ensure files targeted for encryption are not locked by various applications. | -| Turn off services | _sc.exe_ | - Ensure files targeted for encryption are not locked by various applications.<br>- Prevent security software from disrupting encryption and other ransomware activity.<br>- Stop backup software from creating recoverable copies. | +| Stop processes | _taskkill.exe_, _net stop_ | Ensure files targeted for encryption aren't locked by various applications. | +| Turn off services | _sc.exe_ | - Ensure files targeted for encryption aren't locked by various applications.<br>- Prevent security software from disrupting encryption and other ransomware activity.<br>- Stop backup software from creating recoverable copies. | | Delete logs and files | _cipher.exe_, _wevtutil_, _fsutil.exe_ | Remove forensic evidence. | | Delete shadow copies | _vsadmin.exe_, _wmic.exe_ | Remove drive shadow copies that can be used to recover encrypted files. | | Delete and stop backups | _wbadmin.exe_ | Delete existing backups and stop scheduled backup tasks, preventing recovery after encryption. | Microsoft security researchers have observed various common yet subtle artifacts | Turn off recovery tools | _schtasks.exe_, _regedit.exe_, | Turn off System Restore and other system recovery options. 
| ## Check for individual signs of ransomware activity+ Many activities that constitute ransomware behavior, including the activities described in the preceding section, can be benign. When using the following queries to locate ransomware, run more than one query to check whether the same devices are exhibiting various signs of possible ransomware activity. ### Stopping multiple processes using _taskkill.exe_+ This query checks for attempts to stop at least 10 separate processes using the _taskkill.exe_ utility. [Run query](https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAI2RS2vCUBCFz7rgfwiuIkit3eumVSgtpYvuS9SLDTY2eLUvxN_eb8YHKlFkyNzJzDkn505aailRX7mmGlFlmhNBhUrOSGeuT3L0s6QqNaMagolEcMyCbApjx2e8TYhcH8Q1mB-emq50z_lF39gvBzo9-gEF-6Yhlyh9653ejCfRK6zCsaZfuJOu-x2jkqqN-0Yls-8-gp6dZ52OVuT6Sad1plulyN0KIkMt15_zt7zHDe8OBwv3btoJToa7Tnp0T8Ou9WzfT761gPOm3_FQ16Zxp2qcCdg33_rlyokG-iXv7_4BRNMnhkortmvTW6rqnZ7bgP2Vtm70D3d9wcFaAgAA&runQuery=true&timeRangeId=week) ```kusto DeviceProcessEvents ``` ### Stopping processes using _net stop_+ This query checks for attempts to stop at least 10 separate processes using the _net stop_ command. [Run query](https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAI2RQUvDUBCE5yz0P4ScUijWereXVkGQIti7aA1pqakhL7VVxN_ebzc1NBChPLJv2Z2ZN5sdaqhId1ppozeyF1WcVLkK7kCl0gcx-F2QFSrJFmACJ3XMlmgKGfmGWnXC6OlCU2qfIIz12OLfUk_h2FuG_IG505JayRdpDit3bIW33B2M3WeGSqIRrvudTJvpnWzmPKvc6JcYHx1eEvd8savV07e9TchzTt198AlNZ0kluNLfjHHjIPAvak4J_tvx9XtPR6ypbn1icxShvGgqyVkO-hrAm7VUrRcaTWOs6T_7hs7XjfSqL-Lpvu5BDLxjqKRjI9a9Juvew__T2x5HutIB3T1qt4QCAAA&runQuery=true&timeRangeId=week) ```kusto CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) ``` ### Clearing of forensic evidence from event logs using _wevtutil_+ This query checks for attempts to clear at least 10 log entries from event logs using _wevtutil_. 
[Run query](https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRTU_CQBCG37OJ_2HDqSQkwMGjXgoHEg4cUI-m2hUaqGu6BaPxx_vsEFCTxmA225nOvB_tzFBDOc0VOBuyZ2JD3CnKEwMVpzfyPbVWlba8t9Sdnsi9CsPXdLfWf7Wq4xm0QuVSF5oYv4LhtQAfLIucKXWvF5gH5Ke5rak1prKEVRu2xalG3emGW6AdlGmsUv1O5m-fnLzmFHiV_G9FTKg1lUjs6Z5vucPvljsD0TOXhP6_Vm7841dFZnPAN2A_DDu36eSnCSbNnc3B6Zpb4nasZGf59zWA963orZdcEiKelBNvQ_fBNny-utOj3nn-3OUMxMA6CZV1bCt1r8i6d_TXFNKWxxrpC48hm8miAgAA&runQuery=true&timeRangeId=week) ```kusto DeviceProcessEvents ``` ### Turning off services using _sc.exe_+ This query checks for attempts to turn off at least 10 existing services using _sc.exe_. [Run query](https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWST2vCQBDF31nodwg5RZCqhx7bi3ooeCjovaQxraIxxfU_fvj-ZoiiEIqlhM3Ozrz3ZnZm22or0lAl3xzrk33FHpTpUbn2rEgTzfCk-tACa6kvR-Qgt5wzrKAHNdTHOnveiJZVLGiAP4e5rpAnFHaauoZlGMMqHLsmT6FvfC-slFylEnWpoVnLvM3Twy74UnJNuJdVa6gpnsAe-81iVzbE3_kZiCV9mlHZf3Sue5pzii-3C9pU3BWYo_NGKPdvGJZh4x2N9Owzyi6e5K5qmmrVKg_9dNY11hzvu0_8fu0ItQP_6zfxCqLlEUMlNVO36BNW_ax_74K9l646-gFts39I1AIAAA&runQuery=true&timeRangeId=week) ```kusto DeviceProcessEvents ``` ### Turning off System Restore+ This query identifies attempts to stop System Restore and prevent the system from creating restore points, which can be used to recover data encrypted by ransomware. [Run query](https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAK2S3UrDQBCFz7XgO6y9id4o6HWvrIVCkaJPENOYFNumZGO1ID673w4xJA1isbJMZnZ-zpzM7EiptlooQc9UqjDLc-7wp1qrwj7Via44MzK35FTotTI5PXMr0aVe8cy15NzoGo-zqg_0m3KQSsRpQtbC6uMGpdt3jHeJfU_GymqG-uQb9XpcEn1HIuvmGpZT0Aq99Dim4G3ousNO8K04sSE6EEN22kL6jvzO-LaDNW2QzqxLmGBsPo9vUMt_oA8Na3DQv3vwcmPiifpmds48jkhut8T2FLikxm_T4bI_m_6uQt-wrXO28lPPSBcdziOqPFlP9RYy47tDKtuZM07hVtSvaJ_HYRPL63-NyMgtmtWv5684jy2WDx2O0ZEM562ZBLQvURxur6gDAAA&runQuery=true&timeRangeId=week) ```kusto and ProcessCommandLine has 'disable' ``` ### Backup deletion+ This query identifies use of _wmic.exe_ to delete shadow copy snapshots prior to encryption. 
[Run query](https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWS2wqCQBCG_-ugd5CupTfoqgMIEV70AqFLGp5QyYLo2fsavEjxwlhWZ7-df2Z2dndyuitVxD9UrdKshrGHOxVqsZda6CVPnRJYzfR0QJVhnXRRbmSjN98VXrlFXEMfzNWkfphti50zLmSMdURfmFcCaSxqY3aMX4eqVKUn1OsV_8eLWX_rbwcVVhblBovY8bT76U-AxoedWeeWp7WzV0YDMqSQFNZavuuopnHH_Iku-lbJnLPMyxnYDTp4bZ5P9M5uNpsZIWSn7l_CuNoPSggb4z4CAAA&runQuery=true&timeRangeId=week) ```kusto ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFile ``` ## Check for multiple signs of ransomware activity+ Instead of running several queries separately, you can also use a comprehensive query that checks for multiple signs of ransomware activity to identify affected devices. The following consolidated query: - Looks for both relatively concrete and subtle signs of ransomware activity - Weighs the presence of these signs ScDisable = iff(make_set(ScDisableUse) contains "1", 1, 0), TotalEvidenceCount = | where UniqueEvidenceCount > 2 ``` ### Understand and tweak the query results+ The consolidated query returns the following results: - **DeviceId**ΓÇöidentifies the affected device By default, the query result lists only devices that have more than two types of | where UniqueEvidenceCount > 2 ``` -## Related topics -- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Work with query results](advanced-hunting-query-results.md)-- [Use shared queries](advanced-hunting-shared-queries.md)-- [Understand the schema](advanced-hunting-schema-tables.md)-- [Apply query best practices](advanced-hunting-best-practices.md)- ## More ransomware resources Key information from Microsoft: Microsoft Security team blog posts: - [Ransomware responseΓÇöto pay or not to pay? 
(December 2019)](https://www.microsoft.com/security/blog/2019/12/16/ransomware-response-to-pay-or-not-to-pay/) - [Norsk Hydro responds to ransomware attack with transparency (December 2019)](https://www.microsoft.com/security/blog/2019/12/17/norsk-hydro-ransomware-attack-transparency/)++ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]+++## Related articles ++- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Use shared queries](advanced-hunting-shared-queries.md) +- [Understand the schema](advanced-hunting-schema-tables.md) +- [Apply query best practices](advanced-hunting-best-practices.md) |
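Review bot: the unchanged context row `| Delete shadow copies | _vsadmin.exe_, _wmic.exe_ |` names the tool as `vsadmin.exe`; the Volume Shadow Copy administration utility is `vssadmin.exe` (two s's), and a hunter who copies the name from this table into a `FileName` filter on `DeviceProcessEvents` matches nothing. Since this change already edits the same table to rewrite "are not" as "aren't", fix the binary name in the same commit. Two smaller points in the same region: the "Turn off recovery tools" row has a dangling comma after `_regedit.exe_,`, and `Last updated 02/16/2021` is left untouched although the body text and the section layout (Related topics moved to the end as Related articles) changed.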
security | Advanced Hunting Go Hunt | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-go-hunt.md | Title: Get relevant info about an entity with go hunt description: Learn how to use the go hunt tool on to quickly query for relevant information about an entity or event using advanced hunting. -keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Identitydirectoryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table.md | Title: IdentityDirectoryEvents table in the advanced hunting schema description: Learn about domain controller and Active Directory events in the IdentityDirectoryEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityDirectoryEvents, domain controller, Active Directory, Microsoft Defender for Identity, identities -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Identityinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityinfo-table.md | Title: IdentityInfo table in the advanced hunting schema description: Learn about user account information in the IdentityInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AccountInfo, IdentityInfo, account -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH +- usx-security - tier3 Previously updated : 01/16/2024 Last updated : 03/29/2024+appliesto: +- Microsoft Defender XDR +- Microsoft Sentinel in the Microsoft Defender portal # IdentityInfo ---**Applies to:** -- Microsoft Defender XDR- The `IdentityInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user accounts obtained from various services, including Microsoft Entra ID. Use this reference to construct queries that return information from this table. -> [!NOTE] -> This table was renamed from `AccountInfo`. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere. +This table was renamed from `AccountInfo`. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere. ++Microsoft Sentinel uses a slightly expanded version of this table in Log Analytics. For more information, see [Microsoft Sentinel UEBA reference | IdentityInfo table](/azure/sentinel/ueba-reference) For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md). |
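Review bot: dropping the `> [!NOTE]` callout and leaving the `AccountInfo` rename as a plain paragraph buries the only actionable warning on the page ("Check queries you have saved elsewhere"); keep the callout, because saved queries and custom detections that still reference `AccountInfo` are exactly what readers need to notice. The new Microsoft Sentinel sentence is useful but is missing its final period, and it should say what "slightly expanded" means in practice: a query written against the Log Analytics `IdentityInfo` schema can reference columns the advanced hunting table does not have, so readers should compare the column lists in the linked UEBA reference before reusing queries across the two.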
security | Advanced Hunting Identitylogonevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table.md | Title: IdentityLogonEvents table in the advanced hunting schema description: Learn about authentication events recorded by Active Directory in the IdentityLogonEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityLogonEvents, Azure AD, Active Directory, Microsoft Defender for Identity, identities -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Identityqueryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table.md | Title: IdentityQueryEvents table in the advanced hunting schema description: Learn about Active Directory query events in the IdentityQueryEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityQueryEvents, Azure AD, Active Directory, Microsoft Defender for Identity, identities, LDAP queries -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Limits | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-limits.md | Title: Use the advanced hunting query resource report description: Understand various quotas and usage parameters (service limits) that keep the advanced hunting service responsive -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results, quota, parameters, allocation -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH Refer to the following table to understand existing quotas and usage parameters. | Quota or parameter | Size | Refresh cycle | Description | |--|--|--|--| | Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |-| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. | +| Result set | 30,000 rows | Every query | Each query can return up to 30,000 records. | | Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error. | CPU resources | Based on tenant size | Every 15 minutes | The [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next 15-minute cycle. | |
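Review bot: the result-set quota changes from 10,000 to 30,000 rows in this table only; search the rest of the advanced-hunting set (the errors and best-practices articles in particular) for the old 10,000 figure so the limit is stated consistently. The Description cell should also say what happens when a query exceeds the cap, since the Timeout row tells readers an error is displayed but the Result set row does not say whether the result is truncated or the query fails. Separately, the Data range row states 30 days as a fixed limit, while the new unified-portal article in this same batch says Defender XDR tables streamed to Microsoft Sentinel can be queried for their longer retention period; add a pointer to that article so the two pages do not contradict each other.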
security | Advanced Hunting Link To Incident | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-link-to-incident.md | Title: Link query results to an incident description: Link query results to an incident -keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Microsoft Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-microsoft-defender.md | + + Title: Advanced hunting in Microsoft Defender +description: Advanced hunting in the portal unifying Defender XDR and Sentinel data +search.appverid: met150 +++f1.keywords: + - NOCSH +++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - m365initiative-m365-defender + - tier1 + - usx-security ++appliesto: + - Microsoft Defender XDR + - Microsoft Sentinel in the Microsoft Defender portal Last updated : 03/27/2024+++# Advanced hunting in the Microsoft Defender portal ++Advanced hunting in the unified portal allows you to view and query all data from Microsoft Defender XDR. This includes data from various Microsoft security services and Microsoft Sentinel, which includes data from non-Microsoft products, in a single platform. You can also access and use all your existing Microsoft Sentinel workspace content, including queries and functions. ++Querying from a single portal across different data sets makes hunting more efficient and removes the need for context-switching. +++## How to access ++### Required roles and permissions +To query across Microsoft Sentinel and Microsoft Defender XDR data in the unified advanced hunting page, you must have access to Microsoft Defender XDR advanced hunting (see [Required roles and permissions](custom-roles.md#required-roles-and-permissions)) and at least Microsoft Sentinel Reader (see [Microsoft Sentinel-specific roles](/azure/sentinel/roles#microsoft-sentinel-specific-roles)). ++In the unified portal, you can query any data in any workload that you can currently access based on the roles and permissions you have. ++### Connect a workspace ++In Microsoft Defender, you can connect workspaces by selecting **Connect a workspace** in the top banner. 
This button appears if you're eligible to onboard a Microsoft Sentinel workspace onto the unified Microsoft Defender portal. Follow the steps in: **[Onboarding a workspace](https://aka.ms/onboard-microsoft-sentinel)**. ++## Unified advanced hunting ++After connecting your Microsoft Sentinel workspace and Microsoft Defender XDR advanced hunting data, you can start querying Microsoft Sentinel data from the advanced hunting page. For an overview of advanced hunting features, read [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). ++### What to expect for Defender XDR tables streamed to Microsoft Sentinel +- **Use tables with longer data retention period in queries** ΓÇô Advanced hunting follows the maximum data retention period configured for the Defender XDR tables. If you stream Defender XDR tables to Microsoft Sentinel and have a data retention period longer than 30 days for said tables, you can query for the longer period in advanced hunting. +- **Use Kusto operators you've used in Microsoft Sentinel** ΓÇô In general, queries from Microsoft Sentinel work in advanced hunting, including queries that use the `adx()` operator. There might be cases where IntelliSense warns you that the operators in your query don't match the schema, however, you can still run the query and it should still be executed successfully. +- **Use the time filter dropdown instead of *Set in query*** ΓÇô If you're filtering ingestion of Defender XDR tables to Microsoft Sentinel instead of streaming the tables as is, don't use the **Set in query** option for filtering time as doing this might result in incomplete results. If the **Set in query** option is used, the streamed, filtered data from Microsoft Sentinel is the one queried because it usually has the longer data retention period. If you would like to make sure you're querying all Defender XDR data for up to 30 days, use the time filter dropdown provided in the query editor instead. 
+- **View `SourceSystem` and `MachineGroup` columns for Defender XDR data that have been streamed from Microsoft Sentinel** ΓÇô Since the columns `SourceSystem` and `MachineGroup` are added to Defender XDR tables once they're streamed to Microsoft Sentinel, they also appear in results in advanced hunting in Defender. However, they remain blank for Defender XDR tables that weren't streamed (tables that follow the default 30-day data retention period). ++++### Where to find your Microsoft Sentinel data +You can use advanced hunting KQL (Kusto Query Language) queries to hunt through Microsoft Defender XDR and Microsoft Sentinel data. ++When you open the advanced hunting page for the first time after connecting a workspace, you can find many of that workspace's tables organized by solution after the Microsoft Defender XDR tables under the **Schema** tab. +++++Likewise, you can find the functions from Microsoft Sentinel in the **Functions** tab, and your shared and sample queries from Microsoft Sentinel can be found in the **Queries** tab inside folders marked **Sentinel**. ++### View schema information +To learn more about a schema table, select the vertical ellipses ( ![kebab icon](../../media/ah-kebab.png) ) to the right of any schema table name under the **Schema** tab, then select **View schema**. ++In the unified portal, in addition to viewing the schema column names and descriptions, you can also view: ++- Sample data ΓÇô select **See preview data**, which loads a simple query like `TableName | take 5` +- **Schema type** ΓÇô whether the table supports full query capabilities (advanced table) or not (basic logs table) +- **Data retention period** ΓÇô how long the data is set to be kept +- **Tags** ΓÇô available for Sentinel data tables +++### Use functions ++To use a function from Microsoft Sentinel, go to the **Functions** tab and scroll until you find the function that you want. Double-click the function name to insert the function in the query editor. 
++You can also select the vertical ellipses ( ![kebab icon](../../media/ah-kebab.png) ) to the right of the function and select **Insert to query** to insert the function into a query in the query editor. ++Other options include: +- **View details** ΓÇô opens the function side pane containing its details +- **Load function code** ΓÇô opens a new tab containing the function code ++For editable functions, more options are available when you select the vertical ellipses: +- **Edit details** ΓÇô opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions) +- **Delete** ΓÇô deletes the function +++### Use saved queries ++To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses ( ![kebab icon](../../media/ah-kebab.png) ) to the right of the query. From here, you can perform the following actions: ++- **Run query** ΓÇô loads the query in the query editor and runs it automatically +- **Open in query editor** ΓÇô loads the query in the query editor +- **View details** ΓÇô opens the query details side pane where you can inspect the query, run the query, or open the query in the editor ++ :::image type="content" source="../../media/advanced-hunting-unified-view-details.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="../../media/advanced-hunting-unified-view-details.png"::: +++For editable queries, more options are available: ++- **Edit details** ΓÇô opens the query details side pane with the option to edit the details like description (if applicable) and the query itself; only the folder names (location) of Microsoft Sentinel queries can't be edited +- **Delete** ΓÇô deletes the query +- **Rename** ΓÇô allows you to modify the query name ++## Create custom analytics and 
detection rules ++To help discover threats and anomalous behaviors in your environment, you can create custom detection policies. ++For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**. +++The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizardΓÇöGeneral tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab). ++For custom detection rules that apply to Microsoft Defender XDR data, select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. ++## Explore results ++Results of queries that were run appear in the **Results** tab. You can export the results to a CSV file by selecting **Export**. +++You can also explore the results in-line with the following features: ++- Expand a result by selecting the dropdown arrow at the left of each result +- Where applicable, expand details for results that are in JSON or array format by selecting the dropdown arrow at the left of applicable result row for added readability +- Open the side pane to see a record's details (concurrent with expanded rows) ++You can also right-click on any result value in a row so that you can use it to: +- Add more filters to the existing query +- Copy the value for use in further investigation +- Update the query to extend a JSON field to a new column ++For Microsoft Defender XDR data, you can take further action by selecting the checkboxes to the left of each result row. Select **Link to incident** to link the selected results to an incident (read [Link query results to an incident](advanced-hunting-link-to-incident.md)) or **Take actions** to open the Take actions wizard (read [Take action on advanced hunting query results](advanced-hunting-take-action.md)). 
++## Known issues ++- The `IdentityInfo table` from [Microsoft Sentinel](/azure/sentinel/ueba-reference#identityinfo-table) isn't available, as the `IdentityInfo` table remains as is in Defender XDR. Microsoft Sentinel features like analytics rules that query this table aren't impacted as they're querying the Log Analytics workspace directly. +- The Microsoft Sentinel `SecurityAlert` table is replaced by `AlertInfo` and `AlertEvidence` tables, which both contain all the data on alerts. While SecurityAlert isn't available in the schema tab, you can still use it in queries using the advanced hunting editor. This provision is made so as not to break existing queries from Microsoft Sentinel that use this table. +- Guided hunting mode is supported for Defender XDR data only. +- Custom detections, links to incidents, and take actions capabilities are supported for Defender XDR data only. +- Bookmarks aren't supported in the advanced hunting experience. They are supported in the **Microsoft Sentinel > Threat management > Hunting** feature. +- If you're streaming Defender XDR tables to Log Analytics, there might be a difference between the`Timestamp` and `TimeGenerated` columns. In case the data arrives to Log Analytics after 48 hours, it's being overridden upon ingestion to `now()`. Therefore, to get the actual time the event happened, we recommend relying on the `Timestamp` column. +- The Microsoft Graph API for running an advanced hunting query does not support querying data from Microsoft Sentinel yet. +++ |
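Review bot: In the Known issues list, the code span `IdentityInfo table` puts the word "table" inside the backticks while the second mention in the same bullet is `IdentityInfo`; use `IdentityInfo` for both, and wrap the bare SecurityAlert in the next bullet's second sentence in backticks to match `SecurityAlert`, `AlertInfo` and `AlertEvidence`. The Timestamp bullet also has a missing space in "between the`Timestamp`", and "it's being overridden upon ingestion to `now()`" reads better as "`TimeGenerated` is overwritten with `now()` at ingestion"; since the bullet's own advice is to rely on `Timestamp`, stating plainly that the overwrite applies only to data arriving more than 48 hours late would make clear which time-filtered queries are affected.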
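Review bot: The "Create custom analytics and detection rules" section opens with "you can create custom detection policies" while its heading and closing paragraph say "custom detection rules"; use "rules" throughout, and change "Fill up the required details" to "Fill in the required details". In the "View schema information" list, every item is bold except the first ("Sample data ΓÇô select **See preview data**"); bold "Sample data" to match its siblings.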
security | Advanced Hunting Migrate From Mde | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-migrate-from-mde.md | Title: Migrate advanced hunting queries from Microsoft Defender for Endpoint description: Learn how to adjust your Microsoft Defender for Endpoint queries so you can use them in Microsoft Defender XDR -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, Microsoft Defender for Endpoint, search, query, telemetry, custom detections, schema, kusto, mapping -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Modes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-modes.md | Title: Choose between guided and advanced modes for hunting in Microsoft Defender XDR description: Guided hunting in Microsoft Defender XDR does not require KQL knowledge while advanced hunting allows you to write a query from scratch. -keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Query Builder Details | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-builder-details.md | Title: Supported data types and filters in guided mode for hunting in Microsoft Defender XDR description: Refine your query by using the different guided mode capabilities in advanced hunting in Microsoft Defender XDR. -keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Query Builder Results | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-builder-results.md | Title: Work with query results in guided mode for hunting in Microsoft Defender XDR description: Use and customize query results in guided mode for advanced hunting in Microsoft Defender XDR -keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Query Builder | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-builder.md | Title: Build queries using guided mode in Microsoft Defender XDR advanced hunting description: Learn how to build queries in guided mode by combining different available filters and conditions. -keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Query Emails Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-emails-devices.md | Title: Hunt for threats across devices, emails, apps, and identities with advanced hunting description: Study common hunting scenarios and sample queries that cover devices, emails, apps, and identities. -keywords: advanced hunting, Office365 data, Windows devices, Office365 emails normalize, emails, apps, identities, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Query History | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-history.md | Title: Rerun queries in query history description: Learn about the query history tab in advanced hunting -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, query history, features -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Query Results | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-results.md | Title: Work with advanced hunting query results in Microsoft Defender XDR description: Make the most of the query results returned by advanced hunting in Microsoft Defender XDR -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH After running a query, select **Export** to save the results to local file. Your You can also explore the results in-line with the following features: - Expand a result by selecting the dropdown arrow at the left of each result - Where applicable, expand details for results that are in JSON and array formats by selecting the dropdown arrow at the left of applicable column names for added readability-- Open the side pane to see a recordΓÇÖs details (concurrent with expanded rows)+- Open the side pane to see a record's details (concurrent with expanded rows) + :::image type="content" source="../../media/advanced-hunting-query-results-expand.png" alt-text="Screenshot of expanding results to drill down" lightbox="../../media/advanced-hunting-query-results-expand.png"::: -You can also right-click on any result value in a row so that you can use it to add more filters to the existing query or copy the value for use in further investigation. +You can also right-click on any result value in a row so that you can use it to add more filters to the existing query or copy the value for use in further investigation. 
:::image type="content" source="../../media/advanced-hunting-query-results-rightclick.png" alt-text="Screenshot of options upon right-clicking an option" lightbox="../../media/advanced-hunting-query-results-rightclick.png"::: +Furthermore, for JSON and array fields, you can right-click and update the existing query to include or exclude the field, or to extend the field to a new column. + To quickly inspect a record in your query results, select the corresponding row to open the **Inspect record** panel. The panel provides the following information based on the selected record: |
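Review bot: The unchanged context just before the first changed line reads "save the results to local file. Your You can also explore", which has a stray "Your" and is missing "a" before "local file"; since this hunk already edits the neighbouring lines, fix it here. The removed and re-added "You can also right-click on any result value in a row..." lines are identical, so that part of the change appears to be a trailing-whitespace edit only; confirm it is intended, as whitespace-only churn makes the commit history harder to read.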
security | Advanced Hunting Schema Changes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-schema-changes.md | Title: Naming changes in the Microsoft Defender XDR advanced hunting schema description: Track and review naming changes tables and columns in the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, data, naming changes, rename -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Schema Tables | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-schema-tables.md | Title: Data tables in the Microsoft Defender XDR advanced hunting schema description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, data -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Security Copilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-security-copilot.md | Title: Microsoft Copilot for Security in advanced hunting description: Learn how Microsoft Copilot for Security advanced hunting (NL2KQL) plugin can generate a KQL query for you. -keywords: advanced hunting, threat hunting, cyber threat hunting, Security Copilot, AI, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down, copilot for security advanced hunting, Microsoft Copilot for Security -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Seenby Function | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-seenby-function.md | Title: SeenBy() function in advanced hunting for Microsoft Defender XDR description: Learn how to use the SeenBy() function to look for which onboarded devices discovered a certain device -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, SeenBy, device discovery, function, enrichment -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Shared Queries | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-shared-queries.md | Title: Use shared queries in Microsoft Defender XDR advanced hunting description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Take Action | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-take-action.md | Title: Take action on advanced hunting query results in Microsoft Defender XDR description: Quickly address threats and affected assets in your advanced hunting query results -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, take action -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Advanced Hunting Urlclickevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-urlclickevents-table.md | Title: UrlClickEvents table in the advanced hunting schema description: Learn how to hunt for phishing campaigns and suspicious clicks using the UrlClickEvents table in the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, UrlClickEvents, SafeLinks, phishing, malware, malicious clicks, outlook, teams, email, office365 -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Alert Classification Malicious Exchange Connectors | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-malicious-exchange-connectors.md | |
security | Alert Classification Password Spray Attack | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-password-spray-attack.md | |
security | Alert Classification Playbooks | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-playbooks.md | |
security | Alert Classification Suspicious Ip Password Spray | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-classification-suspicious-ip-password-spray.md | |
security | Alert Grading Playbook Email Forwarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-email-forwarding.md | |
security | Alert Grading Playbook Inbox Forwarding Rules | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-inbox-forwarding-rules.md | |
security | Api Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-access.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # Access the Microsoft Defender XDR APIs |
security | Api Articles | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-articles.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # Other security and threat protection APIs |
security | Api Create App User Context | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-create-app-user-context.md | search.appverid: - MOE150 - MET150 Previously updated : 02/16/2021 Last updated : 02/16/2024 # Create an app to access Microsoft Defender XDR APIs on behalf of a user |
security | Api Create App Web | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-create-app-web.md | search.appverid: - MOE150 - MET150 Previously updated : 02/16/2021 Last updated : 02/16/2024 # Create an app to access Microsoft Defender XDR without a user |
security | Api Error Codes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-error-codes.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # Common Microsoft Defender XDR REST API error codes |
security | Api Get Incident | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-get-incident.md | |
security | Api Hello World | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-hello-world.md | search.appverid: - MOE150 - MET150 Previously updated : 02/16/2021 Last updated : 02/16/2024 # Hello World for Microsoft Defender XDR REST API |
security | Api Incident | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-incident.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # Microsoft Defender XDR incidents API and the incidents resource type |
security | Api List Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-list-incidents.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # List incidents API in Microsoft Defender XDR |
security | Api Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-overview.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # Overview of Microsoft Defender XDR APIs |
security | Api Partner Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-partner-access.md | search.appverid: - MOE150 - MET150 Previously updated : 02/16/2021 Last updated : 02/16/2024 # Create an app with partner access to Microsoft Defender XDR APIs |
security | Api Supported | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-supported.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # Supported Microsoft Defender XDR APIs |
security | Api Update Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md | search.appverid: - MOE150 - MET150 Previously updated : 02/08/2023 Last updated : 02/08/2024 # Update incidents API |
security | Device Profile | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/device-profile.md | - Title: Device profile in Microsoft 365 security portal -description: View risk and exposure levels for a device in your organization. Analyze past and present threats, and protect the device with the latest updates. ------- m365-security-- tier3- Previously updated : 02/16/2021---# Device profile page ----The Microsoft 365 security portal provides you with device profile pages, so you can quickly assess the health and status of devices on your network. --> [!IMPORTANT] -> The device profile page may appear slightly different, depending on whether the device is enrolled in Microsoft Defender for Endpoint, Microsoft Defender for Identity, or both. --If the device is enrolled in Microsoft Defender for Endpoint, you can also use the device profile page to perform some common security tasks. --## Navigating the device profile page --The profile page is broken up into several broad sections. ---The sidebar (1) lists basic details about the device. --The main content area (2) contains tabs that you can toggle through to view different kinds of information about the device. --If the device is enrolled in Microsoft Defender for Endpoint, you'll also see a list of response actions (3). Response actions allow you to perform common security-related tasks. --## Sidebar --Beside the main content area of the device profile page is the sidebar. ---The sidebar lists the device's full name and exposure level. It also provides some important basic information in small subsections, which can be toggled open or closed, such as: --* **Tags** - Any Microsoft Defender for Endpoint, Microsoft Defender for Identity, or custom tags associated with the device. Tags from Microsoft Defender for Identity aren't editable. -* **Security info** - Open incidents and active alerts. 
Devices enrolled in Microsoft Defender for Endpoint display exposure level and risk level. --> [!TIP] -> Exposure level relates to how much the device is complying with security recommendations, while risk level is calculated based on a number of factors, including the types and severity of active alerts. --* **Device details** - Domain, OS, timestamp for when the device was first seen, IP addresses, resources. Devices enrolled in Microsoft Defender for Endpoint also display health state. Devices enrolled in Microsoft Defender for Identity display SAM name and a timestamp for when the device was first created. -* **Network activity** - Timestamps for the first time and last time the device was seen on the network. -* **Directory data** (*only for devices enrolled in Microsoft Defender for Identity*) - [UAC](/windows/security/identity-protection/user-account-control/user-account-control-overview) flags, [SPNs](/windows/win32/ad/service-principal-names), and group memberships. --## Response actions --Response actions offer a quick way to defend against and analyze threats. ---> [!IMPORTANT] -> * [Response actions](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts) are only available if the device is enrolled in Microsoft Defender for Endpoint. -> * Devices that are enrolled in Microsoft Defender for Endpoint may display different numbers of response actions, based on the device's OS and version number. --Actions available on the device profile page include: --* **Manage tags** - Updates custom tags you've applied to this device. -* **Isolate device** - Isolates the device from your organization's network while keeping it connected to Microsoft Defender for Endpoint. You can choose to allow Outlook, Teams, and Skype for Business to run while the device is isolated, for communication purposes. -* **Action center** - View the status of submitted actions. Only available if another action has already been selected. 
-* **Restrict app execution** - Prevents applications that aren't signed by Microsoft from running. -* **Run antivirus scan** - Updates Microsoft Defender Antivirus definitions and immediately runs an antivirus scan. Choose between Quick scan or Full scan. -* **Collect investigation package** - Gathers information about the device. When the investigation is completed, you can download it. -* **Initiate Live Response Session** - Loads a remote shell on the device for [in-depth security investigations](/microsoft-365/security/defender-endpoint/live-response). -* **Initiate automated investigation** - Automatically [investigates and remediates threats](../office-365-security/air-about.md). Although you can manually trigger automated investigations to run from this page, [certain alert policies](../../compliance/alert-policies.md#default-alert-policies) trigger automatic investigations on their own. -* **Action center** - Displays information about any response actions that are currently running. --## Tabs section --The device profile tabs allow you to toggle through an overview of security details about the device, and tables containing a list of alerts. --Devices enrolled in Microsoft Defender for Endpoint display tabs that feature a timeline, a list of security recommendations, a software inventory, a list of discovered vulnerabilities, and missing KBs (security updates). --### Overview tab --The default tab is **Overview**. It provides a quick look at the most important security fact about the device. ---Here, you can get a quick look at the device's active alerts, and any currently logged on users. --If the device is enrolled in Microsoft Defender for Endpoint, you'll also see the device's risk level and any available data on security assessments. The security assessments describe the device's exposure level, provide security recommendations, and list affected software and discovered vulnerabilities. 
--### Alerts tab --The **Alerts** tab contains a list of alerts that have been raised on the device, from both Microsoft Defender for Identity and Microsoft Defender for Endpoint. ---You can customize the number of items displayed and which columns are displayed for each item. The default behavior is to list 30 items per page. --The columns in this tab include information on the severity of the threat that triggered the alert and status, investigation state, and who the alert has been assigned to. --The *impacted entities* column refers to the device (entity) whose profile you're currently viewing, plus any other devices in your network that are affected. --Selecting an item from this list opens a flyout containing even more information about the selected alert. --This list can be filtered by severity, status, or who the alert has been assigned to. --### Timeline tab --The **Timeline** tab includes an interactive, chronological chart of all events raised on the device. By moving the highlighted area of the chart left or right, you can view events over different periods of time. You can also choose a custom range of dates from the dropdown menu in between the interactive chart and the list of events. --Below the chart is a list of events for the selected range of dates. ---The number of items displayed and the columns on the list can both be customized. The default columns list the event time, active user, action type, entities (processes), and additional information about the event. --Selecting an item from this list opens a flyout displaying an Event entities graph, showing the parent and child processes involved in the event. --The list can be filtered by the specific event; for example, Registry events or Smart Screen Events. --The list can also be exported to a CSV file, for download. Although the file isn't limited by number of events, the maximum time range you can choose to export is seven days. 
--### Security recommendations tab --The **Security recommendations** tab lists actions you can take to protect the device. Selecting an item on this list opens a flyout where you can get instructions on how to apply the recommendation. ---As with the previous tabs, the number of items displayed per page and which columns are visible, can be customized. --The default view includes columns that detail the security weaknesses addressed, the associated threat, the related component or software affected by the threat, and more. Items can be filtered by the recommendation's status. --### Software inventory --The **Software inventory** tab lists software installed on the device. ---The default view displays the software vendor, installed version number, number of known software weaknesses, threat insights, product code, and tags. The number of items displayed and which columns are displayed can both be customized. --Selecting an item from this list opens a flyout containing more details about the selected software, and the path and timestamp for the last time the software was found. --This list can be filtered by product code. --### Discovered vulnerabilities tab --The **Discovered vulnerabilities** tab lists any Common Vulnerabilities and Exploits (CVEs) that may affect the device. ---The default view lists the severity of the CVE, the Common Vulnerability Score (CVS), the software related to the CVE, when the CVE was published, when the CVE was last updated, and threats associated with the CVE. --As with the previous tabs, the number of items displayed and which columns are visible can be customized. --Selecting an item from this list opens a flyout that describes the CVE. --### Missing KBs --The **Missing KBs** tab lists any Microsoft Updates that have yet to be applied to the device. 
The "KBs" in question are [Knowledge Base articles](https://support.microsoft.com/help/242450/how-to-query-the-microsoft-knowledge-base-by-using-keywords-and-query), which describe these updates; for example, [KB4551762](https://support.microsoft.com/help/4551762/windows-10-update-kb4551762). ---The default view lists the bulletin containing the updates, OS version, products affected, CVEs addressed, the KB number, and tags. --The number of items displayed per page and which columns are displayed can be customized. --Selecting an item opens a flyout that links to the update. --## Related topics --* [Microsoft Defender XDR overview](microsoft-365-defender.md) -* [Turn on Microsoft Defender XDR](m365d-enable.md) -* [Investigate entities on devices, using live response](../defender-endpoint/live-response.md) -* [Automated investigation and response (AIR) in Office 365](../office-365-security/air-about.md) |
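Review bot: this hunk deletes the entire body of the old device-profile article, including its Related topics links to `../defender-endpoint/live-response.md` and `../office-365-security/air-about.md`, rather than editing it in place; since the replacement file entity-page-device.md carries the comment `<!-- redirected from device-profile.md -->`, confirm that the redirect mapping for device-profile.md is part of the same change so that external links and any remaining in-repo links to the old page resolve to the new article instead of breaking.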
security | Entity Page Device | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/entity-page-device.md | + + Title: Device entity page in Microsoft Defender +description: The device entity page in the Microsoft Defender portal helps you in your investigation of device entities. The page has all the important information about each entity. If an alert or incident indicates that a device might be compromised or is behaving suspiciously, check and investigate the device entity. ++ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier3 +- usx-security ++search.appverid: met150 Last updated : 03/27/2024+appliesto: + - Microsoft Defender XDR + - Microsoft Sentinel in the Microsoft Defender portal +++<!-- redirected from device-profile.md --> ++# Device entity page in Microsoft Defender +++The device entity page in the Microsoft Defender portal helps you in your investigation of device entities. The page contains all the important information about a given device entity. If an alert or incident indicates that a device is behaving suspiciously or might be compromised, investigate the details of the device to identify other behaviors or events that might be related to the alert or incident, and discover the potential scope of the breach. You can also use the device entity page to perform some common security tasks, as well as some response actions to mitigate or remediate security threats. ++> [!IMPORTANT] +> The content set displayed on the device entity page may differ slightly, depending on the device's enrollment in Microsoft Defender for Endpoint and Microsoft Defender for Identity. +> +> If your organization onboarded Microsoft Sentinel to the Defender portal, additional information will appear. +> +> In Microsoft Sentinel, device entities are also known as **host** entities. [Learn more](/azure/sentinel/entities-reference). 
+> +> [!INCLUDE [unified-soc-preview-no-alert](../../includes/unified-soc-preview-no-alert.md)] ++Device entities can be found in the following areas: ++- Devices list, under **Assets** +- Alerts queue +- Any individual alert/incident +- Any individual user entity page +- Any individual file details view +- Any IP address or domain details view +- Activity log +- Advanced hunting queries +- Action center ++You can select devices whenever you see them in the portal to open the device's entity page, which displays more details about the device. For example, you can see the details of devices listed in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts > Incidents > *incident* > Assets > Devices**. +++The device entity page presents its information in a tabbed format. This article lays out the types of information available in each tab, and also the actions you can take on a given device. ++The following tabs are displayed on the device entity page: ++- [Overview](#overview-tab) +- [Incidents and alerts](#incidents-and-alerts-tab) +- [Timeline](#timeline-tab) +- [Security recommendations](#security-recommendations-tab) +- [Inventories](#inventories-tab) +- [Discovered vulnerabilities](#discovered-vulnerabilities-tab) +- [Missing KBs](#missing-kbs-tab) +- [Security baselines](#missing-kbs-tab) +- [Security policies](#missing-kbs-tab) +- [Sentinel events](#sentinel-events-tab) ++## Entity page header ++The topmost section of the entity page includes the following details: ++- **Entity name** +- **Risk severity**, **criticality**, and **device value** indicators +- **Tags** by which the device can be classified. Can be added by Defender for Endpoint, Defender for Identity, or by users. Tags from Microsoft Defender for Identity aren't editable. +- **[Response actions](#response-actions)** are also located here. Read more about them below. ++## *Overview* tab ++The default tab is **Overview**. 
It provides a quick look at the most important security facts about the device. +The **Overview** tab contains the [device details](#device-details) sidebar and a [dashboard](#dashboard) with some cards displaying high-level information. ++### Device details ++The sidebar lists the device's full name and exposure level. It also provides some important basic information in small subsections, which can be expanded or collapsed, such as: ++| Section | Included information | +| - | -- | +| **VM details** | Machine and domain names and IDs, health and onboarding statuses, timestamps for first and last seen, IP addresses, and more | +| **DLP policy sync details** | If relevant | +| **Configuration status** | Details regarding Microsoft Defender for Endpoint configuration | +| **Cloud resource details** | Cloud platform, resource ID, subscription information, and more | +| **Hardware and firmware** | VM, processor, and BIOS information, and more | +| **Device management** | Microsoft Defender for Endpoint enrollment status and management info | +| **Directory data** | [UAC](/windows/security/identity-protection/user-account-control/user-account-control-overview) flags, [SPNs](/windows/win32/ad/service-principal-names), and group memberships. | ++### Dashboard ++The main part of the **Overview** tab shows several dashboard-type display cards: ++- **Active alerts** and risk level involving the device over the last six months, grouped by severity +- **Security assessments** and exposure level of the device +- **Logged on users** on the device over the last 30 days +- **Device health status** and other information on the most recent scans of the device. ++ > [!TIP] + > Exposure level relates to how much the device is complying with security recommendations, while risk level is calculated based on a number of factors, including the types and severity of active alerts. 
+++## *Incidents and alerts* tab ++The **Incidents and alerts** tab contains a list of incidents that contain alerts that have been raised on the device, from any of a number of Microsoft Defender detection sources, including, if onboarded, Microsoft Sentinel. This list is a filtered version of the [incidents queue](incidents-overview.md), and shows a short description of the incident or alert, its severity (high, medium, low, informational), its status in the queue (new, in progress, resolved), its classification (not set, false alert, true alert), investigation state, category, who is assigned to address it, and last activity observed. ++You can customize which columns are displayed for each item. You can also filter the alerts by severity, status, or any other column in the display. ++The *impacted entities* column refers to all the device and user entities referenced in the incident or alert. ++When an incident or alert is selected, a fly-out appears. From this panel you can manage the incident or alert and view more details such as incident/alert number and related devices. Multiple alerts can be selected at a time. ++To see a full page view of an incident or alert, select its title. +++## *Timeline* tab ++The **Timeline** tab displays a chronological view of all events that have been observed on the device. This can help you correlate any events, files, and IP addresses in relation to the device. ++The choice of columns displayed on the list can both be customized. The default columns list the event time, active user, action type, associated entities (processes, files, IP addresses), and additional information about the event. ++You can govern the time period for which events are displayed by sliding the borders of the time period along the overall timeline graph at the top of the page. You can also pick a time period from the drop-down at the top of the list (the default is 30 days). 
To further control your view, you can filter by event groups or customize the columns. ++You can export up to seven days' worth of events to a CSV file, for download. ++Drill down into the details of individual events by selecting and event and viewing its details in the resulting flyout panel. See [Event details](#event-details) below. ++> [!NOTE] +> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](/windows/security/threat-protection/auditing/audit-filtering-platform-connection). +> +> Firewall covers the following events: +> +> - [5025](/windows/security/threat-protection/auditing/event-5025) - firewall service stopped +> - [5031](/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network +> - [5157](/windows/security/threat-protection/auditing/event-5157) - blocked connection +++#### Event details ++Select an event to view relevant details about that event. A flyout panel displays to show much more information about the event. The types of information displayed depends on the type of event. When applicable and data is available, you might see a graph showing related entities and their relationships, like a chain of files or processes. You might also see a summary description of the MITRE ATT&CK tactics and techniques applicable to the event. ++To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query returns the selected event and the list of other events that occurred around the same time on the same endpoint. +++### *Security recommendations* tab ++The **Security recommendations** tab lists actions you can take to protect the device. Selecting an item on this list opens a flyout where you can get instructions on how to apply the recommendation. 
++As with the previous tabs, the choice of displayed columns can be customized. ++The default view includes columns that detail the security weaknesses addressed, the associated threat, the related component or software affected by the threat, and more. Items can be filtered by the recommendation's status. ++Learn more about [security recommendations](../defender-vulnerability-management/tvm-security-recommendation.md). +++### *Inventories* tab ++This tab displays inventories of four types of components: Software, vulnerable components, browser extensions, and certificates. ++#### Software inventory ++This card lists software installed on the device. ++The default view displays the software vendor, installed version number, number of known software weaknesses, threat insights, product code, and tags. The number of items displayed and which columns are displayed can both be customized. ++Selecting an item from this list opens a flyout containing more details about the selected software, and the path and timestamp for the last time the software was found. ++This list can be filtered by product code, weaknesses, and the presence of threats. +++#### Vulnerable components ++This card lists software components that contain vulnerabilities. ++The default view and filtering options are the same as for software. ++Select an item to display more information in a flyout. ++#### Browser extensions ++This card shows the browser extensions installed on the device. The default fields displayed are the extension name, the browser for which it's installed, the version, the permission risk (based on the type of access to devices or sites requested by the extension), and the status. Optionally, the vendor can also be displayed. ++Select an item to display more information in a flyout. ++#### Certificates ++This card displays all the certificates installed on the device. 
++The fields displayed by default are the certificate name, issue date, expiration date, key size, issuer, signature algorithm, key usage, and number of instances. ++The list can be filtered by status, self-signed or not, key size, signature hash, and key usage. ++Select a certificate to display more information in a flyout. ++### *Discovered vulnerabilities* tab ++This tab lists any Common Vulnerabilities and Exploits (CVEs) that may affect the device. ++The default view lists the severity of the CVE, the Common Vulnerability Score (CVSS), the software related to the CVE, when the CVE was published, when the CVE was first detected and last updated, and threats associated with the CVE. ++As with the previous tabs, the choice of columns to be displayed can be customized. The list can be filtered by severity, threat status, device exposure, and tags. ++Selecting an item from this list opens a flyout that describes the CVE. +++### *Missing KBs* tab ++The **Missing KBs** tab lists any Microsoft Updates that have yet to be applied to the device. The "KBs" in question are [Knowledge Base articles](https://support.microsoft.com/help/242450/how-to-query-the-microsoft-knowledge-base-by-using-keywords-and-query), which describe these updates; for example, [KB4551762](https://support.microsoft.com/help/4551762/windows-10-update-kb4551762). ++The default view lists the bulletin containing the updates, OS version, the KB ID number, products affected, CVEs addressed, and tags. ++The choice of columns to be displayed can be customized. ++Selecting an item opens a flyout that links to the update. ++### *Sentinel events* tab ++If your organization onboarded Microsoft Sentinel to the Defender portal, this additional tab is on the device entity page. This tab imports the [Host entity page from Microsoft Sentinel](/azure/sentinel/entity-pages). ++### Sentinel timeline ++This timeline shows alerts associated with the device entity, known in Microsoft Sentinel as the *host* entity. 
These alerts include those seen on the **Incidents and alerts** tab and those created by Microsoft Sentinel from third-party, non-Microsoft data sources. ++This timeline also shows [bookmarked hunts](/azure/sentinel/bookmarks) from other investigations that reference this user entity, user activity events from external data sources, and unusual behaviors detected by Microsoft Sentinel's [anomaly rules](/azure/sentinel/soc-ml-anomalies). ++### Insights ++Entity insights are queries defined by Microsoft security researchers to help you investigate more efficiently and effectively. These insights automatically ask the big questions about your device entity, providing valuable security information in the form of tabular data and charts. The insights include data regarding sign-ins, group additions, process executions, anomalous events and more, and include advanced machine learning algorithms to detect anomalous behavior. ++The following are some of the insights shown: ++- Screenshot taken on the host. +- Processes unsigned by Microsoft detected. +- Windows process execution info. +- Windows sign-in activity. +- Actions on accounts. +- Event logs cleared on host. +- Group additions. +- Enumeration of hosts, users, groups on host. +- Microsoft Defender Application Control. +- Process rarity via entropy calculation. +- Anomalously high number of a security event. +- Watchlist insights (Preview). +- Windows Defender Antivirus events. ++The insights are based on the following data sources: ++- Syslog (Linux) +- SecurityEvent (Windows) +- AuditLogs (Microsoft Entra ID) +- SigninLogs (Microsoft Entra ID) +- OfficeActivity (Office 365) +- BehaviorAnalytics (Microsoft Sentinel UEBA) +- Heartbeat (Azure Monitor Agent) +- CommonSecurityLog (Microsoft Sentinel) +++If you want to further explore any of the insights in this panel, select the link accompanying the insight. 
The link takes you to the **Advanced hunting** page, where it displays the query underlying the insight, along with its raw results. You can modify the query or drill down into the results to expand your investigation or just satisfy your curiosity. +++## Response actions ++Response actions offer shortcuts to analyze, investigate, and defend against threats. +++> [!IMPORTANT] +> - [Response actions](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts) are only available if the device is enrolled in Microsoft Defender for Endpoint. +> - Devices that are enrolled in Microsoft Defender for Endpoint may display different numbers of response actions, based on the device's OS and version number. ++Response actions run along the top of a specific device page and include: ++| Action | Description | +| | -- | +| **Device value** | | +| **Set criticality** | | +| **Manage tags** | Updates custom tags you've applied to this device. | +| **Report device inaccuracy** | | +| **Run Antivirus Scan** | Updates Microsoft Defender Antivirus definitions and immediately runs an antivirus scan. Choose between Quick scan or Full scan. | +| **Collect Investigation Package** | Gathers information about the device. When the investigation is completed, you can download it. | +| **Restrict app execution** | Prevents applications that aren't signed by Microsoft from running. | +| **Initiate automated investigation** | Automatically [investigates and remediates threats](../office-365-security/air-about.md). Although you can manually trigger automated investigations to run from this page, [certain alert policies](../../compliance/alert-policies.md#default-alert-policies) trigger automatic investigations on their own. | +| **Initiate Live Response Session** | Loads a remote shell on the device for [in-depth security investigations](/microsoft-365/security/defender-endpoint/live-response). 
| +| **Isolate device** | Isolates the device from your organization's network while keeping it connected to Microsoft Defender. You can choose to allow Outlook, Teams, and Skype for Business to run while the device is isolated, for communication purposes. | +| **Ask Defender Experts** | | +| **Action Center** | Displays information about any response actions that are currently running. Only available if another action has already been selected. | +| **Download force release from isolation script** | | +| **Exclude** | | +| **Go hunt** | | +| **Turn on troubleshooting mode** | | +| **Policy sync** | | ++## Related topics ++- [Microsoft Defender XDR overview](microsoft-365-defender.md) +- [Turn on Microsoft Defender XDR](m365d-enable.md) +- [User entity page in Microsoft Defender](investigate-users.md) +- [IP address entity page in Microsoft Defender](entity-page-ip.md) +- [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-integration-with-azure-sentinel.md) +- [Connect Microsoft Sentinel to Microsoft Defender XDR (preview)](microsoft-sentinel-onboard.md) + |
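Review bot: the tab list near the top of the new file links `[Security baselines](#missing-kbs-tab)` and `[Security policies](#missing-kbs-tab)` to the Missing KBs anchor, and no "Security baselines" or "Security policies" section exists anywhere in the article; either add those two sections with their own anchors or drop the entries. Heading levels are also inconsistent: the tabs start at `##` (`## *Overview* tab`, `## *Incidents and alerts* tab`, `## *Timeline* tab`) but from `### *Security recommendations* tab` onward they drop to `###`, and `### Sentinel timeline` and `### Insights` sit at the same level as their parent `### *Sentinel events* tab`; make every tab heading `##` and its subsections `###`/`####`. The Response actions table leaves nine actions with empty descriptions (Device value, Set criticality, Report device inaccuracy, Ask Defender Experts, Download force release from isolation script, Exclude, Go hunt, Turn on troubleshooting mode, Policy sync), and its delimiter row `| | -- |` has no dash in the first cell, which many Markdown renderers reject; fill in the descriptions or mark them as pending, and use `| - | -- |`. Under Sentinel timeline, "bookmarked hunts from other investigations that reference this user entity, user activity events from external data sources" was carried over from the user entity page and should read device (host) entity and device activity events. Terminology: "Common Vulnerabilities and Exploits (CVEs)" should be "Common Vulnerabilities and Exposures", and "Common Vulnerability Score (CVSS)" should be "Common Vulnerability Scoring System (CVSS) score". Minor wording: "selecting and event" should be "selecting an event", and "The choice of columns displayed on the list can both be customized" keeps a stray "both" from the old sentence that also mentioned item count.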
security | Entity Page Ip | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/entity-page-ip.md | + + Title: IP address entity page in Microsoft Defender +description: The IP address entity page in the Microsoft Defender portal helps you in your investigation of IP address entities that appear in incidents and alerts. The page has all the important information about each entity. If an alert or incident indicates that an IP address is the source or target of suspicious behavior, check and investigate the IP address. ++++ms.localizationpriority: medium ++audience: ITPro ++- m365-security +- tier2 +- usx-security + Last updated : 03/27/2024+search.appverid: met150 +appliesto: + - Microsoft Defender XDR + - Microsoft Sentinel in the Microsoft Defender portal +++# IP address entity page in Microsoft Defender +++The IP address entity page in the Microsoft Defender portal helps you examine possible communication between your devices and external internet protocol (IP) addresses. ++Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected devices. ++You can find information from the following sections in the IP address entity page: ++- [Overview](#overview) +- [Incidents and alerts](#incidents-and-alerts) +- [Observed in organization](#observed-in-organization) +- [Sentinel events](#sentinel-events) ++++## Overview ++In the left pane, the **Overview** page provides a summary of IP details (if available). 
++| Section | Details | +| - | - | +| Security info | <li>Open incidents<li>Active alerts | +| IP details | <li>Organization (ISP)<li>ASN<li>Country/Region, State, City<li>Carrier<li>Latitude and longitude<li>Postal code | ++The left side also has a panel showing Log activity (time first seen/last seen, data source) collected from several log sources, and another panel showing a list of logged hosts collected from Azure Monitoring Agent heartbeat tables. ++The main body of the **Overview** page contains dashboard cards showing a count of incidents and alerts (grouped by severity) containing the IP address, and a chart of the prevalence of the IP address in the organization over the indicated time period. ++## Incidents and alerts ++The **Incidents and alerts** page shows a list of incidents and alerts that include the IP address as part of their story. These incidents and alerts come from any of a number of Microsoft Defender detection sources, including, if onboarded, Microsoft Sentinel. This list is a filtered version of the [incidents queue](incidents-overview.md), and shows a short description of the incident or alert, its severity (high, medium, low, informational), its status in the queue (new, in progress, resolved), its classification (not set, false alert, true alert), investigation state, category, who is assigned to address it, and last activity observed. ++You can customize which columns are displayed for each item. You can also filter the alerts by severity, status, or any other column in the display. ++The *impacted assets* column refers to all the user, application, and other entities referenced in the incident or alert. ++When an incident or alert is selected, a fly-out appears. From this panel you can manage the incident or alert and view more details such as incident/alert number and related devices. Multiple alerts can be selected at a time. ++To see a full page view of an incident or alert, select its title. 
++## Observed in organization ++The **Observed in organization** section provides a list of devices that have a connection with this IP and the last event details for each device (the list is limited to 100 devices). ++## Sentinel events ++If your organization onboarded Microsoft Sentinel to the Defender portal, this additional tab is on the IP address entity page. This tab imports the [IP entity page from Microsoft Sentinel](/azure/sentinel/entity-pages). ++### Sentinel timeline ++This timeline shows alerts associated with the IP address entity. These alerts include those seen on the **Incidents and alerts** tab and those created by Microsoft Sentinel from third-party, non-Microsoft data sources. ++This timeline also shows [bookmarked hunts](/azure/sentinel/bookmarks) from other investigations that reference this IP entity, IP activity events from external data sources, and unusual behaviors detected by Microsoft Sentinel's [anomaly rules](/azure/sentinel/soc-ml-anomalies). ++### Insights ++Entity insights are queries defined by Microsoft security researchers to help you investigate more efficiently and effectively. These insights automatically ask the big questions about your IP entity, providing valuable security information in the form of tabular data and charts. The insights include data from various IP threat intelligence sources, network traffic inspection, and more, and include advanced machine learning algorithms to detect anomalous behavior. ++The following are some of the insights shown: ++- Microsoft Defender Threat Intelligence reputation. +- Virus Total IP Address. +- Recorded Future IP Address. +- Anomali IP Address +- AbuseIPDB. +- Anomalies count by IP address. +- Network traffic inspection. +- IP address remote connections with TI match. +- IP address remote connections. +- This IP has a TI match. +- Watchlist insights (Preview). 
++The insights are based on the following data sources: ++- Syslog (Linux) +- SecurityEvent (Windows) +- AuditLogs (Microsoft Entra ID) +- SigninLogs (Microsoft Entra ID) +- OfficeActivity (Office 365) +- BehaviorAnalytics (Microsoft Sentinel UEBA) +- Heartbeat (Azure Monitor Agent) +- CommonSecurityLog (Microsoft Sentinel) ++If you want to further explore any of the insights in this panel, select the link accompanying the insight. The link takes you to the **Advanced hunting** page, where it displays the query underlying the insight, along with its raw results. You can modify the query or drill down into the results to expand your investigation or just satisfy your curiosity. ++## Response actions ++Response actions offer shortcuts to analyze, investigate, and defend against threats. ++Response actions run along the top of a specific IP entity page and include: ++| Action | Description | +| | -- | +| **Add indicator** | Opens a wizard for you to add this IP address as an Indicator of Compromise (IoC) to your Threat Intelligence knowledgebase. | +| **Open cloud app IP settings** | Opens the IP address ranges configuration screen for you to add the IP address to it. | +| **Investigate in Activity log** | Opens the Microsoft 365 Activity log screen for you to look for the IP address in other logs. | +| **Go hunt** | Opens the **Advanced hunting** page, with a built-in hunting query to find instances of this IP address. | ++## Related topics ++- [Microsoft Defender XDR overview](microsoft-365-defender.md) +- [Turn on Microsoft Defender XDR](m365d-enable.md) +- [Device entity page in Microsoft Defender](entity-page-device.md) +- [User entity page in Microsoft Defender](investigate-users.md) +- [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-integration-with-azure-sentinel.md) +- [Connect Microsoft Sentinel to Microsoft Defender XDR (preview)](microsoft-sentinel-onboard.md) |
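Review bot: the Overview section says the logged-hosts panel is "collected from Azure Monitoring Agent heartbeat tables", but the data-source list later in the same hunk correctly names it "Heartbeat (Azure Monitor Agent)"; use Azure Monitor Agent in both places. The Response actions table delimiter row `| | -- |` has no dash in its first cell, so the table may not render; use `| - | -- |`. Style points in the insights list: "Virus Total IP Address" should be "VirusTotal IP Address", and "Anomali IP Address" is the only item without a trailing period, so make the punctuation consistent across the list.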
security | Incident Queue | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md | Title: Prioritize incidents in Microsoft Defender XDR -description: Learn how to filter incidents from the incident queue in Microsoft Defender XDR + Title: Prioritize incidents in the Microsoft Defender portal +description: Learn how to filter incidents from the incident queue in the unified security operations platform in the Microsoft Defender portal. f1.keywords: - NOCSH+ - usx-security - tier1 search.appverid: - MOE150 - MET150 Previously updated : 01/22/2024 Last updated : 03/29/2024+appliesto: +- Microsoft Defender XDR +- Microsoft Sentinel in the Microsoft Defender portal -# Prioritize incidents in Microsoft Defender XDR +# Prioritize incidents in the Microsoft Defender portal +The unified security operations platform in the Microsoft Defender portal applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft Sentinel and Defender XDR also trigger unique alerts on activities that can only be identified as malicious given the end-to-end visibility in the unified platform across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization. -**Applies to:** -- Microsoft Defender XDR+## Incident queue -Microsoft Defender XDR applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft Defender XDR also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility in Microsoft Defender XDR has across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization. 
--The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision, a process known as incident triage. +The **Incident queue** shows a collection of incidents that were created across devices, users, mailboxes, and other resources. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision, a process known as incident triage. > [!TIP] > For a limited time during January 2024, when you visit the **Incidents** page, Defender Boxed appears. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. To reopen Defender Boxed, in the Microsoft Defender portal, go to **Incidents**, and then select **Your Defender Boxed**. You can get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>. Here's an example. ++Select **Most recent incidents and alerts** to toggle the expansion of the top section, which shows a timeline graph of the number of alerts received and incidents created in the last 24 hours. + -The **Most recent incidents and alerts** section shows a graph of the number of alerts received and incidents created in the last 24 hours. +Below that, the incident queue in the Microsoft Defender portal displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first. You can choose a different time frame by selecting it from the drop-down at the top. -By default, the incident queue in the Microsoft Defender portal displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first. 
+The incident queue has customizable columns (select **Customize columns**) that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis. -The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis. -For more visibility at a glance, automatic incident naming generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident. +### Incident names ++For more visibility at a glance, Microsoft Defender XDR generates incident names automatically, based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This specific naming allows you to quickly understand the scope of the incident. For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* -> [!NOTE] -> Incidents that existed prior to the rollout of automatic incident naming will not have their name changed. +If you onboarded Microsoft Sentinel to the unified security operations platform, then any alerts and incidents coming from Microsoft Sentinel are likely to have their names changed (regardless of whether they were created before or since the onboarding). ++We recommend that you avoid using the incident name as a condition for triggering [automation rules](/azure/sentinel/automate-incident-handling-with-automation-rules). If the incident name is a condition, and the incident name changes, the rule will not be triggered. 
-The incident queue also provides multiple filtering options, that when applied, enable you to perform a broad sweep of all existing incidents in your environment, or decide to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incident requires immediate attention. +## Filters <a name="available-filters"></a> ++The incident queue also provides multiple filtering options, that when applied, enable you to perform a broad sweep of all existing incidents in your environment, or decide to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incident requires immediate attention. The **Filters** list above the list of incidents shows the currently applied filters. -## Available filters +From the default incident queue, you can select **Add filter** to see the **Add filter** drop-down, from which you specify filters to apply to the incidents queue to limit the set of incidents shown. Here's an example. + -From the default incident queue, you can select **Filter** to see a **Filter** pane, from which you specify a filtered set of incidents. Here's an example. +Select the filters you want to use, then select **Add** at the bottom of the list to make them available. +Now the filters you selected are shown along with the existing applied filters. Select the new filter to specify its conditions. For example, if you chose the "Service/detection sources" filter, select it to choose the sources by which to filter the list. You can also see the **Filter** pane by selecting any of the filters in the **Filters** list above the list of incidents. This table lists the filter names that are available. -| Filter name | Description | +| Filter name | Description/Conditions | |:-|:--|-| Status | Select **New**, **In progress**, or **Resolved**. | -| Severity | The severity of an incident is indicative of the impact it can have on your assets. 
The higher the severity, the bigger the impact and typically requires the most immediate attention. Select **High**, **Medium**, **Low**, or **Informational**. | -| Incident assignment | Select the assigned user or users. | -| Multiple service sources | Specify whether the filter is for more than one service source. | -| Service sources | Specify incidents that contain alerts from: App Governance, Microsoft Defender XDR, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps. | -| Tags | Select one or multiple tag names from the list. | -| Multiple categories | Specify whether the filter is for more than one category. | -| Categories | Choose categories to focus on specific tactics, techniques, or attack components seen. | -| Entities | Specify the name of an asset such as a user, device, mailbox, or application name. | -| Data sensitivity | Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter for specific sensitivity labels, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents. <br><br> This filter displays information only when you've applied [sensitivity labels from Microsoft Purview Information Protection](../../compliance/sensitivity-labels.md). | -| Device groups | Specify a [device group](/windows/security/threat-protection/microsoft-defender-atp/machine-groups) name. | -| OS platform | Specify device operating systems. | -| Classification | Specify the set of classifications of the related alerts. | -| Automated investigation state | Specify the status of automated investigation. | -| Associated threat | Specify a named threat. | -| Alert policies | Specify an alert policy title. | ---The default filter is to show all alerts and incidents with a status of **New** and **In progress** and with a severity of **Low**, **Medium**, or **High**. 
+| **Status** | Select **New**, **In progress**, or **Resolved**. | +| **Alert severity<br>Incident severity** | The severity of an alert or incident is indicative of the impact it can have on your assets. The higher the severity, the bigger the impact and typically requires the most immediate attention. Select **High**, **Medium**, **Low**, or **Informational**. | +| **Incident assignment** | Select the assigned user or users. | +| **Multiple service sources** | Specify whether the filter is for more than one service source. | +| **Service/detection sources** | Specify incidents that contain alerts from one or more of the following:<li>Microsoft Defender for Identity<li>Microsoft Defender for Cloud Apps<li>Microsoft Defender for Endpoint<li>Microsoft Defender XDR<li>Microsoft Defender for Office 365<li>App Governance<li>Microsoft Entra ID Protection<li>Microsoft Data Loss Prevention<li>Microsoft Defender for Cloud<li>Microsoft Sentinel<br><br>Many of these services can be expanded in the menu to reveal further choices of detection sources within a given service. | +| **Tags** | Select one or multiple tag names from the list. | +| **Multiple category** | Specify whether the filter is for more than one category. | +| **Categories** | Choose categories to focus on specific tactics, techniques, or attack components seen. | +| **Entities** | Specify the name of an asset such as a user, device, mailbox, or application name. | +| **Data sensitivity** | Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter for specific sensitivity labels, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents. <br><br> This filter displays information only when you've applied [sensitivity labels from Microsoft Purview Information Protection](../../compliance/sensitivity-labels.md). 
| +| **Device groups** | Specify a [device group](/windows/security/threat-protection/microsoft-defender-atp/machine-groups) name. | +| **OS platform** | Specify device operating systems. | +| **Classification** | Specify the set of classifications of the related alerts. | +| **Automated investigation state** | Specify the status of automated investigation. | +| **Associated threat** | Specify a named threat. | +| **Alert policies** | Specify an alert policy title. | ++The default filter is to show all alerts and incidents with a status of **New** and **In progress** and with a severity of **High**, **Medium**, or **Low**. You can quickly remove a filter by selecting the **X** in the name of a filter in the **Filters** list. -You can also create filter sets within the incidents page by selecting the **create filter sets**. +You can also create filter sets within the incidents page by selecting **Saved filter queries > Create filter set**. If no filter sets have been created, select **Save** to create one. :::image type="content" source="../../media/incidents-queue/fig2-newfilters.png" alt-text="The create filter sets option for the incident queue in the Microsoft Defender portal." lightbox="../../media/incidents-queue/fig2-newfilters.png"::: -## Save custom filters as URLs +### Save custom filters as URLs Once you've configured a useful filter in the incidents queue, you can bookmark the URL of the browser tab or otherwise save it as a link on a Web page, a Word document, or a place of your choice. Bookmarking gives you single-click access to key views of the incident queue, such as: Once you've configured a useful filter in the incidents queue, you can bookmark Once you have compiled and stored your list of useful filter views as URLs, use it to quickly process and prioritize the incidents in your queue and [manage](manage-incidents.md) them for subsequent assignment and analysis. 
-## Search for incidents +## Search ++From the **Search for name or ID** box above the list of incidents, you can search for incidents in a number of ways, to quickly find what you're looking for. -From the **Search for name or ID** box above the list of incidents, you can type the incident ID or the incident name. When you select an incident from the list of search results, the Microsoft Defender portal opens a new tab with the properties of the incident, from which you can start your [investigation](investigate-incidents.md). +### Search by incident name or ID -## Search for impacted assets +Search directly for an incident by typing the incident ID or the incident name. When you select an incident from the list of search results, the Microsoft Defender portal opens a new tab with the properties of the incident, from which you can start your [investigation](investigate-incidents.md). -You can name an asset—such as a user, device, mailbox, or application name—and find all the related incidents. +### Search by impacted assets ++You can name an asset—such as a user, device, mailbox, application name, or cloud resource—and find all the incidents related to that asset. ## Specify a time range The default list of incidents is for those that occurred in the last six months. You can specify a new time range from the drop-down box next to the calendar icon by selecting: +- One day +- Three days +- One week +- 30 days +- 30 days +- Six months +- A custom range in which you can specify both dates and times ## Next steps After you've determined which incident requires the highest priority, select it - Begin your [investigations](investigate-incidents.md). ## See also+ - [Incidents overview](incidents-overview.md) - [Manage incidents](manage-incidents.md) - [Investigate incidents](investigate-incidents.md) |
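Review bot: the rewritten time-range list under "Specify a time range" adds "- 30 days" twice in consecutive `+` lines; drop the duplicate so the options read One day, Three days, One week, 30 days, Six months, and the custom range. In the same patch the filter row "Multiple categories" is renamed to "Multiple category" while the neighbouring "Multiple service sources" row stays plural; if the rename is not deliberate, keep "Multiple categories" for consistency.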
security | Incidents Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md | Title: Incident response with Microsoft Defender XDR -description: Investigate incidents seen across devices, users, and mailboxes in the Microsoft Defender portal. + Title: Incident response in the Microsoft Defender portal +description: Investigate incidents seen across devices, users, and mailboxes in the unified security operations platform in the Microsoft Defender portal. f1.keywords: - NOCSH audience: ITPro - m365-security - tier1+ - usx-security search.appverid: - MOE150 - MET150 Previously updated : 09/18/2023 Last updated : 03/29/2024+appliesto: +- Microsoft Defender XDR +- Microsoft Sentinel in the Microsoft Defender portal -# Incident response with Microsoft Defender XDR --+# Incident response in the Microsoft Defender portal -**Applies to:** -- Microsoft Defender XDR--An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. +An *incident* in the Microsoft Defender portal is a collection of related alerts and associated data that make up the story of an attack. It's also a case file that your SOC can use to investigate that attack and manage, implement, and document the response to it. -Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. +The Microsoft Sentinel and Microsoft Defender services create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable evidence of a completed or ongoing attack. 
However, increasingly prevalent and sophisticated attacks typically employ a variety of techniques and vectors against different types of asset entities, such as devices, users, and mailboxes. The result is multiple alerts, from multiple sources, for multiple asset entities in your digital estate. -Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. +Because individual alerts each tell only part of the story, and because manually grouping individual alerts together to gain insight into an attack can be challenging and time-consuming, the unified security operations platform automatically identifies alerts that are related—from both Microsoft Sentinel and Microsoft Defender XDR—and aggregates them and their associated information into an incident. :::image type="content" source="../../media/incidents-overview/incidents.png" alt-text="How Microsoft Defender XDR correlates events from entities into an incident." lightbox="../../media/incidents-overview/incidents.png"::: Grouping related alerts into an incident gives you a comprehensive view of an at - Where the attack started. - What tactics were used.-- How far the attack has gone into your tenant.+- How far the attack has gone into your digital estate. - The scope of the attack, such as how many devices, users, and mailboxes were impacted. - All of the data associated with the attack. -If [enabled](m365d-enable.md), Microsoft Defender XDR can [automatically investigate and resolve](m365d-autoir.md) alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack. +The unified security operations platform in the Microsoft Defender portal includes methods to automate and assist in the triage, investigation, and resolution of incidents. 
++- [Microsoft Copilot in Defender](security-copilot-in-microsoft-365-defender.md) harnesses AI to support analysts with complex and time-consuming daily workflows, including end-to-end incident investigation and response with clearly described attack stories, step-by-step actionable remediation guidance and incident activity summarized reports, natural language KQL hunting, and expert code analysis—optimizing on SOC efficiency across Microsoft Sentinel and Defender XDR data. ++ This capability is in addition to the other AI-based functionality that Microsoft Sentinel brings to the unified platform, in the areas of user and entity behavior analytics, anomaly detection, multi-stage threat detection, and more. ++- Automated attack disruption uses high-confidence signals collected from Microsoft Defender XDR and Microsoft Sentinel to automatically disrupt active attacks at machine speed, containing the threat and limiting the impact. ++- If [enabled](m365d-enable.md), Microsoft Defender XDR can [automatically investigate and resolve](m365d-autoir.md) alerts from Microsoft 365 and Entra ID sources through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack. ++- Microsoft Sentinel [automation rules](/azure/sentinel/automate-incident-handling-with-automation-rules) can automate triage, assignment, and management of incidents, regardless of their source. They can apply tags to incidents based on their content, suppress noisy (false positive) incidents, and close resolved incidents that meet the appropriate criteria, specifying a reason and adding comments. <a name='incidents-and-alerts-in-the-microsoft-365-defender-portal'></a> + ## Incidents and alerts in the Microsoft Defender portal > [!TIP] > For a limited time during January 2024, when you visit the **Incidents** page, Defender Boxed appears. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. 
To reopen Defender Boxed, in the Microsoft Defender portal, go to **Incidents**, and then select **Your Defender Boxed**. -You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target=" blank">Microsoft Defender portal</a>. Here's an example. +You manage incidents from **Investigation & response > Incidents & alerts > Incidents** on the quick launch of the [Microsoft Defender portal](https://security.microsoft.com). Here's an example: + +Selecting an incident name displays the incident page, starting with the entire **attack story** of the incident, including: -Selecting an incident name displays the entire attack story of the incident, including: +- **Alert page within incident**: The scope of alerts related to the incident and their information on the same tab. -- Alert page within incident: The scope of alerts related to the incident and their information on the same tab.-- Graph: A visual representation of the attack that connects the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes. +- **Graph**: A visual representation of the attack that connects the different suspicious entities that are part of the attack with the asset entities that make up the attack's targets, such as users, devices, apps, and mailboxes. -You can view the entity details directly from the graph and act on them with response options like file delete or device isolation. +You can view the asset and other entity details directly from the graph and act on them with response options such as like disabling an account, deleting a file, or isolating a device. -The additional tabs for an incident are: +The incident page consists of the following tabs: -- Attack story+- **Attack story** - The full story of the attack, including all the alerts, assets, and remediation actions taken. 
+ Mentioned above, this tab includes the timeline of the attack, including all the alerts, asset entities, and remediation actions taken. -- Alerts+- **Alerts** - All the alerts related to the incident and their information. + All the alerts related to the incident, their sources, and information. -- Assets+- **Assets** - All the assets (devices, users, mailboxes, and apps) that have been identified to be part of or related to the incident. + All the assets (protected entities such as devices, users, mailboxes, apps, and cloud resources) that have been identified to be part of or related to the incident. -- Investigations+- **Investigations** - All the [automated investigations](m365d-autoir.md) triggered by alerts in the incident. + All the [automated investigations](m365d-autoir.md) triggered by alerts in the incident, including the status of the investigations and their results. -- Evidence and Response+- **Evidence and Response** - All the supported events and suspicious entities in the alerts of the incident. + All the suspicious entities in the alerts of the incident, which constitute evidence supporting the attack story. These entities can include IP addresses, files, processes, URLs, registry keys and values, and more. -- Summary+- **Summary** A quick overview of the impacted assets associated with alerts. The additional tabs for an incident are: <a name='example-incident-response-workflow-for-microsoft-365-defender'></a> -## Example incident response workflow for Microsoft Defender XDR +## Incident response workflow example in the Microsoft Defender portal -Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft Defender portal. +Here's a workflow example for responding to incidents in Microsoft 365 with the Microsoft Defender portal. :::image type="content" source="../../media/incidents-overview/incidents-example-workflow.png" alt-text="An example of an incident response workflow for the Microsoft Defender portal." 
lightbox="../../media/incidents-overview/incidents-example-workflow.png"::: On an ongoing basis, identify the highest priority incidents for analysis and re - [Triaging](incident-queue.md) to determining the highest priority incidents through filtering and sorting of the incident queue. - [Managing](manage-incidents.md) incidents by modifying their title, assigning them to an analyst, and adding tags and comments. -Consider these steps for your own incident response workflow: --1. For each incident, begin an [attack and alert investigation and analysis](investigate-incidents.md): -- 1. View the attack story of the incident to understand its scope, severity, detection source, and what entities are affected. -- 1. Begin analyzing the alerts to understand their origin, scope, and severity with the alert story within the incident. -- 1. As needed, gather information on impacted devices, users, and mailboxes with the graph. Right click on any entity to open a flyout with all the details. -- 1. See how Microsoft Defender XDR has [automatically resolved some alerts](m365d-autoir.md) with the **Investigations** tab. +You can use Microsoft Sentinel automation rules to automatically triage and manage (and even respond to) some incidents as they're created, removing the easiest-to-handle incidents from taking up space in your queue. - 1. As needed, use information in the data set for the incident for more information with the **Evidence and Response** tab. --2. After or during your analysis, perform containment to reduce any additional impact of the attack and eradication of the security threat. --3. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident. --4. [Resolve](manage-incidents.md#resolve-an-incident) the incident and take time for post-incident learning to: +Consider these steps for your own incident response workflow: - - Understand the type of the attack and its impact. 
- - Research the attack in [Threat Analytics](threat-analytics.md) and the security community for a security attack trend. - - Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed. - - Determine whether changes in your security configuration are needed and implement them. +| Stage | Steps | +| -- | -- | +| For each incident, begin an [attack and alert investigation and analysis](investigate-incidents.md). | <ol><li> View the attack story of the incident to understand its scope, severity, detection source, and which asset entities are affected.<li>Begin analyzing the alerts to understand their origin, scope, and severity with the alert story within the incident.<li>As needed, gather information on impacted devices, users, and mailboxes with the graph. Select any entity to open a flyout with all the details. Follow through to the entity page for more insights.<li>See how Microsoft Defender XDR has [automatically resolved some alerts](m365d-autoir.md) with the **Investigations** tab.<li>As needed, use information in the data set for the incident for more information with the **Evidence and Response** tab. | +| After or during your analysis, perform containment to reduce any additional impact of the attack and eradication of the security threat. | For example,<li>Disable compromised users<li>Isolate impacted devices<li>Block hostile IP addresses. | +| As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.|| +| [Resolve](manage-incidents.md#resolve-an-incident) the incident and document your findings. 
| Take time for post-incident learning to: <li>Understand the type of the attack and its impact.<li>Research the attack in [Threat Analytics](threat-analytics.md) and the security community for a security attack trend.<li>Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed.<li>Determine whether changes in your security configuration are needed and implement them. | If you're new to security analysis, see the [introduction to responding to your first incident](incidents-overview.md) for additional information and to step through an example incident. For more information about incident response across Microsoft products, see [thi <a name='example-security-operations-for-microsoft-365-defender'></a> -## Example security operations for Microsoft Defender XDR +## Integrating security operations in the Microsoft Defender portal -Here's an example of security operations (SecOps) for Microsoft Defender XDR. +Here's an example of integrating security operations (SecOps) processes in the Microsoft Defender portal. :::image type="content" source="../../media/incidents-overview/incidents-example-operations.png" alt-text="An example of security operations for Microsoft Defender XDR" lightbox="../../media/incidents-overview/incidents-example-operations.png"::: For more information about SecOps across Microsoft's products, see these resourc - [Best practices](/azure/cloud-adoption-framework/secure/security-operations) - [Videos and slides](/security/operations/security-operations-videos-and-decks) -## Get incident notifications by email +## Incident notifications by email -You can set up Microsoft Defender XDR to notify your staff with an email about new incidents or updates to existing incidents. You can choose to get notifications based on: +You can set up the Microsoft Defender portal to notify your staff with an email about new incidents or updates to existing incidents. 
You can choose to get notifications based on: - Alert severity-- Alert sources +- Alert sources - Device group To set up email notifications for incidents, see [get email notifications on incidents](m365d-notifications-incidents.md). Follow this table based on your security team role. | Security investigator or analyst (Tier 2) | <ol><li> Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> See these [incident response playbooks](/security/operations/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. </li></ol> | | Advanced security analyst or threat hunter (Tier 3) | <ol><li>Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> Track and respond to emerging threats with [threat analytics](threat-analytics.md). </li><li> Proactively hunt for threats with [advanced threat hunting](advanced-hunting-overview.md). </li><li> See these [incident response playbooks](/security/operations/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. | | SOC manager | See how to [integrate Microsoft Defender XDR into your Security Operations Center (SOC)](integrate-microsoft-365-defender-secops.md). |+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
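Review bot: the rewritten Graph bullet reads "response options such as like disabling an account, deleting a file, or isolating a device"; "such as like" is a doubled connective, use "response options such as disabling an account, deleting a file, or isolating a device". In the automated-investigation bullet of the same patch, "alerts from Microsoft 365 and Entra ID sources" uses the short form while the rest of the page writes the full product name "Microsoft Entra ID"; align the naming.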
security | Investigate Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md | Title: Investigate users in Microsoft Defender XDR description: Investigate users for an incident in the Microsoft Defender portal. ms.localizationpriority: medium+f1.keywords: - NOCSH audience: ITPro - m365-security - tier2+ - usx-security search.appverid: met150 Previously updated : 08/04/2023 Last updated : 03/29/2024+appliesto: + - Microsoft Defender XDR + - Microsoft Sentinel in the Microsoft Defender portal -# Investigate users in Microsoft Defender XDR +# User entity page in Microsoft Defender +The user entity page in the Microsoft Defender portal helps you in your investigation of user entities. The page contains all the important information about a given user entity. If an alert or incident indicates that a user might be compromised or is suspicious, check and investigate the user entity. -**Applies to:** +You can find user entity information in the following views: -- Microsoft Defender XDR--The user entity page in Microsoft Defender XDR helps you in your investigation of user identities. The page has all the important information about each identity. If an alert or incident indicates that a user might be compromised or is suspicious, check and investigate the user profile. --You can find identity information in the following views: --- Identities page+- Identities page, under **Assets** - Alerts queue - Any individual alert/incident-- Device page+- Devices page +- Any individual device entity page - Activity log - Advanced hunting queries - Action center -A clickable identity link is available in these views that will take you to the **User** page where more details about the user are shown. For example, you can see the details of user accounts identified in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts** \> ***incident*** \> **Assets** > **Users**. 
+Wherever user entities appear in these views, select the entity to view the **User** page, which displays more details about the user. For example, you can see the details of user accounts identified in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts > Incidents > *incident* > Assets > Users**. -When you investigate a specific identity, you'll see the: +When you investigate a specific user entity, you see the following tabs on its entity page: -- [Overview](#overview), including identity details, incident and alerts visual view, investigation priority, and scored timeline+- [Overview](#overview), including entity details, incidents and alerts visual view, investigation priority, and scored timeline - [Incidents and alerts](#incidents-and-alerts) tab - [Observed in organization](#observed-in-organization) tab-- [Identity timeline](#timeline) tab-- [Remediation actions](#remediation-actions)-+- [Timeline](#timeline) tab +- [Sentinel events](#sentinel-events) tab -> [!NOTE] -> The user page shows the Microsoft Entra organization as well as groups, helping you understand the groups and permissions associated with a user. +The user page shows the Microsoft Entra organization as well as groups, helping you understand the groups and permissions associated with a user. ## Overview ### Entity details -The **Entity details** on the left of the page provide information about the user, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You'll see other details depending on the integration features you've enabled. 
+The **Entity details** panel on the left side of the page provides information about the user, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You see other details depending on the integration features you enabled. ### Visual view of incidents and alerts -This card includes all incidents and alerts, grouped into severities, associated with an identity. +This card includes all incidents and alerts associated with the user entity, grouped by severity. ### Investigation priority -This card includes the calculated investigation priority score breakdown and a two-week trend for an identity, including whether the identity score is on the high percentile for that tenant. +This card includes the user entity's calculated investigation priority score breakdown, and a two-week trend for that score, including the percentile of the score in relation to the tenant. -### Active directory account control +### Active directory account controls -In this card, Defender for Identity surfaces security settings that may need your attentions. You can see important flags about the user, such as if the user can press enter to bypass the password, and if the user has a password that never expires, etc. +This card surfaces Microsoft Defender for Identity security settings that may need your attention. You can see important flags about the user's account settings, such as if the user can press enter to bypass the password, and if the user has a password that never expires, etc. For more information, see [User Account Control flags](/windows/win32/adschema/a-useraccountcontrol). ### Scored activities -This card includes all activities and alerts contributing to the overall Investigation priority score over the last seven days. 
+This card includes all activities and alerts contributing to the entity's investigation priority score over the last seven days. ### Organization tree -This section shows the hierarchy for the identity as reported by Microsoft Defender for Identity. +This section shows the user entity's place in the organizational hierarchy as reported by Microsoft Defender for Identity. ### Account tags -Defender for Identity pulls tags out of Active Directory to give you a single interface for monitoring your Active Directory users and entities. Tags provide you with details from Active Directory about the entity, and include: +Microsoft Defender for Identity pulls tags out of Active Directory to give you a single interface for monitoring your Active Directory users and entities. Tags provide you with details from Active Directory about the entity, and include: |Name | Description | |--|-| For more information, see [Defender for Identity entity tags in Microsoft Defend > [!NOTE] > The organization tree section and the account tags are available when a Microsoft Defender for Identity license is available. + ## Incidents and alerts -You can see all active incidents and alerts involving the user from the last 180 days in this tab. Information like alert severity and the time the alert was generated is available in this tab. Select the alert row to view more details about the alert. +You can see all active incidents and alerts involving the user from the last six months in this tab. All the information from the main incidents and alerts queues is shown here. This list is a filtered version of the [incidents queue](incidents-overview.md), and shows a short description of the incident or alert, its severity (high, medium, low, informational), its status in the queue (new, in progress, resolved), its classification (not set, false alert, true alert), investigation state, category, who is assigned to address it, and last activity observed. 
++You can customize the number of items displayed and which columns are displayed for each item. The default behavior is to list 30 items per page. You can also filter the alerts by severity, status, or any other column in the display. ++The *impacted entities* column refers to all the device and user entities referenced in the incident or alert. +When an incident or alert is selected, a fly-out appears. From this panel you can manage the incident or alert and view more details such as incident/alert number and related devices. Multiple alerts can be selected at a time. ++To see a full page view of an incident or alert, select its title. + ## Observed in organization -- Devices - this section includes information on the devices the identity signed in to, including most and least used in the last 180 days.-- Locations - this section includes all the observed locations for the identity in the last 30 days.-- Groups - this section includes all observed on-premises groups for the identity, as reported by Defender for Identity.-- Lateral movement paths - this section includes all profiled lateral movement paths from the on-premises environment detected by Defender for Identity.+- **Devices**: this section shows all the devices the user entity signed into in the prior 180 days, indicating the most and least used. ++- **Locations**: this section shows all the observed locations for the user entity in the last 30 days. ++- **Groups**: this section shows all observed on-premises groups for the user entity, as reported by Microsoft Defender for Identity. ++- **Lateral movement paths**: this section shows all profiled lateral movement paths from the on-premises environment, as detected by Defender for Identity. > [!NOTE] > Groups and lateral movement paths are available when a Microsoft Defender for Identity license is available. 
The map provides a list of other devices or users an attacker can take advantage The lateral movement path report, which can be viewed by date, is always available to provide information about the potential lateral movement paths discovered and can be customized by time. Select a different date using **View a different date** to view previous lateral movement paths found for an entity. The graph only displays if a potential lateral movement path has been found for an entity in the past two days. ## Timeline -The timeline represents activities and alerts observed from a user's identity in the last 30 days. It unifies the user's identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint workloads. By using the timeline, you can focus on activities a user performed or were performed on them in specific timeframes. +The timeline displays user activities and alerts observed from a user's identity in the last 30 days. It unifies the user's identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint workloads. By using the timeline, you can focus on activities a user performed or were performed on them in specific timeframes. ++For users of the unified SOC platform to see alerts from Microsoft Sentinel based on data sources other than the ones in the previous paragraph, they can find these alerts and other information in the **Sentinel events** tab, [described below](#sentinel-events). - **Custom time range picker:** You can choose a timeframe to focus your investigation on the last 24 hours, the last 3 days and so on. Or you can choose a specific timeframe by clicking on **Custom range**. 
For example: The following data types are available in the timeline: The following information is displayed in the timeline: -- Activity/alert description - Date and time of the activity+- Activity/alert description - Application that performed the activity - Source device/IP address - [MITRE ATT&CK](https://attack.mitre.org/) techniques-- Alert status and severity+- Alert severity and status - Country/region where the client IP address is geolocated - Protocol used during the communication-- Target device (customized column)-- Number of times the activity happened (customized column)+- Target device (optional, viewable by customizing columns) +- Number of times the activity happened (optional, viewable by customizing columns) For example: > [!NOTE] > Microsoft Defender XDR can display date and time information using either your local time zone or UTC. The selected time zone will apply to all date and time information shown in the Identity timeline. > > To set the time zone for these features, go to **Settings** \> **Security center** \> **Time zone**. +## Sentinel events ++If your organization onboarded Microsoft Sentinel to the Defender portal, this additional tab is on the user entity page. This tab imports the [Account entity page from Microsoft Sentinel](/azure/sentinel/entity-pages). ++### Sentinel timeline ++This timeline shows alerts associated with the user entity. These alerts include those seen on the **Incidents and alerts** tab and those created by Microsoft Sentinel from third-party, non-Microsoft data sources. ++This timeline also shows [bookmarked hunts](/azure/sentinel/bookmarks) from other investigations that reference this user entity, user activity events from external data sources, and unusual behaviors detected by Microsoft Sentinel's [anomaly rules](/azure/sentinel/soc-ml-anomalies). ++### Insights ++Entity insights are queries defined by Microsoft security researchers to help you investigate more efficiently and effectively. 
These insights automatically ask the big questions about your user entity, providing valuable security information in the form of tabular data and charts. The insights include data regarding sign-ins, group additions, anomalous events and more, and include advanced machine learning algorithms to detect anomalous behavior. ++The following are some of the insights shown: ++- User peers based on security groups membership. +- Actions by account. +- Actions on account. +- Event logs cleared by user. +- Group additions. +- Anomalously high office operation count. +- Resource access. +- Anomalously high Azure sign-in result count. +- UEBA insights. +- User access permissions to Azure subscriptions. +- Threat indicators related to user. +- Watchlist insights (Preview). +- Windows sign-in activity. ++The insights are based on the following data sources: ++- Syslog (Linux) +- SecurityEvent (Windows) +- AuditLogs (Microsoft Entra ID) +- SigninLogs (Microsoft Entra ID) +- OfficeActivity (Office 365) +- BehaviorAnalytics (Microsoft Sentinel UEBA) +- Heartbeat (Azure Monitor Agent) +- CommonSecurityLog (Microsoft Sentinel) +++If you want to further explore any of the insights in this panel, select the link accompanying the insight. The link takes you to the **Advanced hunting** page, where it displays the query underlying the insight, along with its raw results. You can modify the query or drill down into the results to expand your investigation or just satisfy your curiosity. ++ ## Remediation actions From the Overview page, you can do these additional actions: From the Overview page, you can do these additional actions: - Reset investigation priority score for the user - View Microsoft Entra account settings, related governance, the user's owned files, or the user's shared files For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions). 
As needed for in-process incidents, continue your [investigation](investigate-in - [Incidents overview](incidents-overview.md) - [Prioritize incidents](incident-queue.md) - [Manage incidents](manage-incidents.md)+- [Microsoft Defender XDR overview](microsoft-365-defender.md) +- [Turn on Microsoft Defender XDR](m365d-enable.md) +- [Device entity page in Microsoft Defender](entity-page-device.md) +- [IP address entity page in Microsoft Defender](entity-page-ip.md) +- [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-integration-with-azure-sentinel.md) +- [Connect Microsoft Sentinel to Microsoft Defender XDR (preview)](microsoft-sentinel-onboard.md) + [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
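Review bot: The new H1 `# User entity page in Microsoft Defender` no longer matches the unchanged front matter (`Title: Investigate users in Microsoft Defender XDR` and `description: Investigate users for an incident in the Microsoft Defender portal.`), so the browser title and search snippet will still say "Investigate users" while the page heading says "User entity page"; update the title and description metadata to match the renamed heading (keeping the investigate-users.md file name is fine). Two smaller points in the same patch: the heading `### Active directory account controls` should capitalize "Active Directory" as the body text does ("pulls tags out of Active Directory"), and in the new Sentinel timeline paragraph "third-party, non-Microsoft data sources" says the same thing twice; "non-Microsoft data sources" is enough.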
security | Microsoft 365 Defender Portal | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-portal.md | Title: Microsoft Defender portal -description: Learn about the Microsoft Defender portal as the central location for protection, detection, investigation, and response to email, collaboration, identity, device, and app threats,. -keywords: introduction to MMicrosoft Defender XDR, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting -search.product: eADQiWindows 10XVcnh +description: Learn about the Microsoft Defender portal as the central location for protection, detection, investigation, and response to email, collaboration, identity, device, and app threats. search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium audience: ITPro+ - usx-security - admindeeplinkDEFENDER - intro-overview -adobe-target: true Previously updated : 10/5/2023 Last updated : 03/26/2024 # Microsoft Defender portal -The Microsoft Defender portal at <https://security.microsoft.com> combines protection, detection, investigation, and response to email, collaboration, identity, device, and cloud app threats, in a central place. The Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes: +The Microsoft Defender portal at <https://security.microsoft.com> combines protection, detection, investigation, and response to threats across your entire organization and all its components, in a central place. The Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. 
It includes: -- **[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)** Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources.+- **[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)** helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources. - **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-advanced-threat-protection)** delivers preventative protection, post-breach detection, automated investigation, and response for devices in your organization. - **[Microsoft Defender for Identity](/defender-for-identity/what-is)** is a cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. - **[Microsoft Defender for Cloud Apps](/cloud-app-security/)** is a comprehensive cross-SaaS and PaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.+- **[Microsoft Sentinel](/azure/sentinel/)** is a cloud-native security information and event management (SIEM) solution that provides proactive threat detection, investigation, and response. + Watch this short video to learn about the Defender portal. Watch this short video to learn about the Defender portal. 
## What to expect -The Defender portal helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for: +The Microsoft Defender portal helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for: - Incidents & alerts - Hunting The Defender portal helps security teams investigate and respond to attacks by b - Trials - Partner catalog -Microsoft Defender XDR emphasizes *unity, clarity, and common goals*. +The Microsoft Defender portal emphasizes *unity, clarity, and common goals*. > [!NOTE]-> The Defender portal is accessible without any need for customers to take migration steps or purchase a new license. For example, this new portal is accessible to administrators with an E3 subscription, just as it is to those with Microsoft Defender for Office 365 Plan 1 and Plan 2; however, Exchange Online Protection, or Defender for Office 365 Plan 1 customers see only the security features their subscription license supports. The goal of the portal is to centralize security. +> In the Microsoft Defender portal, customers see only the security features their subscription includes. For example, if you have Defender for Office 365 but not Defender for Endpoint, you see features and capabilities for Defender for Office 365, but not device protection. ## Incident and alert investigations -Centralizing security information creates a single place for investigating security incidents across Microsoft 365. A primary example is **Incidents** under **Incidents & alerts**. 
+Centralizing security information creates a single place to investigate security incidents across your entire organization and all its components including: ++- Hybrid identities +- Endpoints +- Cloud apps +- Business apps +- Email and docs +- IoT +- Network +- Business applications +- Operational technology (OT) +- Infrastructure and cloud workloads ++A primary example is **Incidents** under **Incidents & alerts**. :::image type="content" source="../../media/incidents-queue/incidents-ss-incidents.png" alt-text="The Incidents page in the Microsoft Defender portal." lightbox="../../media/incidents-queue/incidents-ss-incidents.png"::: Selecting an incident name displays a page that demonstrates the value of centra Take the time to review the incidents in your environment, drill down into each alert, and practice building an understanding of how to access the information and determine next steps in your analysis. -For more information, see [incidents in Microsoft Defender XDR](incidents-overview.md). +For more information, see [Incidents in the Microsoft Defender portal](incidents-overview.md). ## Hunting+ You can build custom detection rules and hunt for specific threats in your environment. **Hunting** uses a query-based threat hunting tool that lets you proactively inspect events in your organization to locate threat indicators and entities. These rules run automatically to check for, and then respond to, suspected breach activity, misconfigured machines, and other findings. For more information, see [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](advanced-hunting-overview.md). ## Improved processes -Common controls and content either appear in the same place, or are condensed into one feed of data making it easier to find. For example, unified settings. +Common controls and content either appear in the same place, or are condensed into one feed of data making it easier to find. 
For example, find unified settings under **Settings** and permissions under **Permissions**. ### Unified settings ### Permissions Access to Microsoft Defender XDR is configured with Microsoft Entra global roles or by using custom roles. - Learn more about how to [manage access to Microsoft Defender XDR](m365d-permissions.md) - Learn more about how to [create custom roles](custom-roles.md) in Microsoft Defender XDR +For Microsoft Sentinel, after you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal. Any Azure RBAC changes are reflected in the Defender portal. For more information about Microsoft Sentinel permissions, see: ++- [Roles and permissions in Microsoft Sentinel | Microsoft Learn](/azure/sentinel/roles) +- [Manage access to Microsoft Sentinel data by resource | Microsoft Learn](/azure/sentinel/resource-context-rbac) ++ ### Integrated reports Reports are also unified in Microsoft Defender XDR. Admins can start with a general security report, and branch into specific reports about endpoints, email & collaboration. The links here are dynamically generated based upon workload configuration. You can add and remove different cards depending on your needs. ### Search across entities (Preview) > [!IMPORTANT]-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The search bar is located at the top of the page. As you type, suggestions are provided so that it's easier to find entities. The enhanced search results page centralizes the results from all entities. 
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The search bar is located at the top of the page. As you type, suggestions are provided so that it's easier to find entities. The enhanced search results page centralizes the results from all entities. You can search across the following entities in Defender for Endpoint and Defender for Identity: Microsoft Defender XDR supports two types of partners: ## Send us your feedback -We need your feedback. We're always looking to improve, so if there's something you'd like to see, [watch this video to find out how you can trust us to read your feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci). +We need your feedback. If there's something you'd like to see, [watch this video to find out how you can trust us to read your feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci). 
## Explore what the Defender portal has to offer -Keep exploring the features and capabilities in Microsoft Defender XDR: +Keep exploring the features and capabilities in the Defender portal: - [Manage incidents and alerts](manage-incidents.md) - [Track and respond to emerging threats with threat analytics](threat-analytics.md) Keep exploring the features and capabilities in Microsoft Defender XDR: - [Email & collaboration alerts](../../compliance/alert-policies.md#default-alert-policies) - [Create a phishing attack simulation](../office-365-security/attack-simulation-training-simulations.md) and [create a payload for training your teams](/microsoft-365/security/office-365-security/attack-simulation-training-payloads) +To explore capabilities related to the Microsoft Sentinel integration with Microsoft Defender XDR in the unified security operations platform (preview), see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). + ## Training for security analysts With this learning path from Microsoft Learn, you can understand Microsoft Defender XDR and how it can help identify, control, and remediate security threats. 
With this learning path from Microsoft Learn, you can understand Microsoft Defen ## See also - [What's new in Microsoft Defender XDR](whats-new.md)-- [Microsoft Defender for Office 365 in Microsoft Defender XDR](microsoft-365-security-center-mdo.md)-- [Microsoft Defender for Endpoint in Microsoft Defender XDR](microsoft-365-security-center-mde.md)+- [Microsoft Defender for Office 365 in the Microsoft Defender portal](microsoft-365-security-center-mdo.md) +- [Microsoft Defender for Endpoint in Microsoft Defender portal](microsoft-365-security-center-mde.md) +- [Microsoft Defender for Identity in the Microsoft Defender portal](microsoft-365-security-center-mdi.md) +- [Microsoft Defender for Cloud Apps in Microsoft Defender XDR](microsoft-365-security-center-defender-cloud-apps.md) +- [Microsoft Defender for Cloud in the Microsoft Defender portal](microsoft-365-security-center-defender-cloud.md) +- [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
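Review bot: The new component list under "Incident and alert investigations" contains both `+- Business apps` and `+- Business applications`, which read as the same item; keep one of them. In the new "See also" entries the naming is inconsistent: `[Microsoft Defender for Endpoint in Microsoft Defender portal]` is missing "the" that its sibling entries use, and `[Microsoft Defender for Cloud Apps in Microsoft Defender XDR]` still uses the XDR wording while the neighbouring entries were moved to "in the Microsoft Defender portal". Also, the added Sentinel RBAC paragraph under "Permissions" repeats the same text that the onboarding article carries after its role table; consider an include file so the two copies cannot drift apart.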
security | Microsoft Sentinel Onboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-sentinel-onboard.md | Title: Connect Microsoft Sentinel to Microsoft Defender XDR (preview) description: Learn how to connect your Microsoft Sentinel environment to Microsoft Defender XDR to unify your security operations. -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH ms.localizationpriority: high audience: ITPro - - m365-security - - m365solution-getstarted - - highpri - - tier1 - - usx-security +- m365-security +- m365solution-getstarted +- highpri +- tier1 +- usx-security search.appverid: - - MOE150 - - MET150 Previously updated : 11/10/2023+- MOE150 +- MET150 appliesto:- - Microsoft Sentinel in the Microsoft Defender portal + - Microsoft Defender XDR + - Microsoft Sentinel in the Microsoft Defender portal Last updated : 04/03/2024 # Connect Microsoft Sentinel to Microsoft Defender XDR (preview) -Combine the power of Microsoft Sentinel with Microsoft Defender XDR into a single portal enhanced with the following features: +Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Microsoft Defender portal, you unify capabilities with Microsoft Defender XDR like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster. 
For more information, see: -- Advanced hunting that spans Microsoft Sentinel and Microsoft Defender XDR -- Unified incidents-- AI-- Automation-- Guided experiences-- Curated threat intelligence+- [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) +- [Unified security operations platform with Microsoft Sentinel and Defender XDR](https://aka.ms/unified-soc-announcement) > [!IMPORTANT] > Information in this article relates to a prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites -Before you begin, review the feature documentation to understand the product changes and limitations. The feature documentation is provided with your invitation to participate in the preview. +Before you begin, review the feature documentation to understand the product changes and limitations: + - [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal) + - [Advanced hunting in the Microsoft Defender portal](advanced-hunting-microsoft-defender.md) + - [Automation with the unified security operations platform](/azure/sentinel/automation#automation-with-the-unified-security-operations-platform) + - [Incident response in the Microsoft Defender portal](incidents-overview.md) + - [Prioritize incidents in the Microsoft Defender portal](incident-queue.md) -The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to one workspace at a time. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled. +The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to one workspace at a time. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled. 
To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must have the following resources and access: -- A Microsoft Entra tenant that's allow-listed by Microsoft to connect a workspace through the Defender portal - A Log Analytics workspace that has Microsoft Sentinel enabled - The data connector for Microsoft Defender XDR (formerly named Microsoft 365 Defender) enabled in Microsoft Sentinel for incidents and alerts - Microsoft Defender XDR onboarded to the Microsoft Entra tenant-- An Azure account with the appropriate roles to onboard and use Microsoft Sentinel in the Defender portal. The following table highlights some of the key roles needed.+- An Azure account with the appropriate roles to onboard, use, and create support requests for Microsoft Sentinel in the Defender portal. The following table highlights some of the key roles needed. - |Azure built-in role |Scope |Reason | + |Task |Azure built-in role required |Scope | ||||- |[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br>[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) and [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |- Subscription for Owner or User Access Administrator roles </br></br>- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |To connect or disconnect a workspace with Microsoft Sentinel enabled| - |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/Incidents/read</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or 
workspace resource |Query Sentinel data tables or view incidents | - |[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/incidents/read</br>- Microsoft.SecurityInsights/incidents/write</br>- Microsoft.SecurityInsights/incidents/delete</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/comments/write</br>- Microsoft.SecurityInsights/incidents/comments/delete</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/relations/write</br>- Microsoft.SecurityInsights/incidents/relations/delete</br>- Microsoft.SecurityInsights/incidents/tasks/read</br>- Microsoft.SecurityInsights/incidents/tasks/write</br>- Microsoft.SecurityInsights/incidents/tasks/delete |Subscription, resource group, or workspace resource |Take investigative actions on incidents | + |Connect or disconnect a workspace with Microsoft Sentinel enabled|[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br>[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) and [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |- Subscription for Owner or User Access Administrator roles </br></br>- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor | + |Query Sentinel data tables or view incidents |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/Incidents/read</br>- 
Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or workspace resource | + |Take investigative actions on incidents |[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/incidents/read</br>- Microsoft.SecurityInsights/incidents/write</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/comments/write</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/relations/write</br>- Microsoft.SecurityInsights/incidents/tasks/read</br>- Microsoft.SecurityInsights/incidents/tasks/write |Subscription, resource group, or workspace resource | + |Create a support request |[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br> [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or </br> [Support request contributor](/azure/role-based-access-control/built-in-roles#support-request-contributor) or a custom role with Microsoft.Support/*|Subscription | After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal. Any Azure RBAC changes are reflected in the Defender portal. For more information about Microsoft Sentinel permissions, see [Roles and permissions in Microsoft Sentinel | Microsoft Learn](/azure/sentinel/roles) and [Manage access to Microsoft Sentinel data by resource | Microsoft Learn](/azure/sentinel/resource-context-rbac). 
To connect a workspace that has Microsoft Sentinel enabled to Defender XDR, comp 1. Go to the [Microsoft Defender portal](https://security.microsoft.com/) and sign in. 1. In Microsoft Defender XDR, select **Overview**.-- If you're invited to participate in the preview, you'll see a banner with an option to connect a workspace. - 1. Select **Connect a workspace**. 1. Choose the workspace you want to connect and select **Next**. 1. Read and understand the product changes associated with connecting your workspace. These changes include: To connect a workspace that has Microsoft Sentinel enabled to Defender XDR, comp - Active [Microsoft security incident creation rules](/azure/sentinel/create-incidents-from-alerts#using-microsoft-security-incident-creation-analytics-rules) are deactivated to avoid duplicate incidents. This change only applies to incident creation rules for Microsoft alerts and not to other analytics rules. - All alerts related to Defender XDR products are streamed directly from the main Defender XDR data connector to ensure consistency. Make sure you have incidents and alerts from this connector turned on in the workspace. - Detailed changes and limitations are in the documentation shared with you as part of this private preview. - 1. Select **Connect**. -After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. You'll also see the **Overview** page updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules. +After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. 
The **Overview** page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules. ## Explore Microsoft Sentinel features in the Defender portal -After you connect your workspace to the Defender portal, you'll see **Microsoft Sentinel** on the left-hand side navigation pane. Pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. +After you connect your workspace to the Defender portal, **Microsoft Sentinel** is on the left-hand side navigation pane. Pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. For more information about the unified capabilities and differences between portals, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). -You'll also see many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, you'll notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal. +Many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal. 
- Search- - [Search across long time spans in large datasets](/azure/sentinel/search-jobs) + - [Search across long time spans in large datasets](/azure/sentinel/search-jobs?tabs=defender-portal) - [Restore archived logs from search](/azure/sentinel/restore) - Threat management- - [Visualize and monitor your data by using workbooks](/azure/sentinel/monitor-your-data) + - [Visualize and monitor your data by using workbooks](/azure/sentinel/monitor-your-data?tabs=defender-portal) - [Conduct end-to-end threat hunting with Hunts](/azure/sentinel/hunts) - [Use hunting bookmarks for data investigations](/azure/sentinel/bookmarks) - [Use hunting Livestream in Microsoft Sentinel to detect threat](/azure/sentinel/livestream) - [Hunt for security threats with Jupyter notebooks](/azure/sentinel/notebooks-hunt)- - [Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file](/azure/sentinel/indicators-bulk-file-import) - - [Work with threat indicators in Microsoft Sentinel](/azure/sentinel/work-with-threat-indicators) + - [Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file](/azure/sentinel/indicators-bulk-file-import?tabs=defender-portal) + - [Work with threat indicators in Microsoft Sentinel](/azure/sentinel/work-with-threat-indicators?tabs=defender-portal) - [Understand security coverage by the MITRE ATT&CK framework](/azure/sentinel/mitre-coverage) - Content management- - [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy) + - [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy?tabs=defender-portal) - [Microsoft Sentinel content hub catalog](/azure/sentinel/sentinel-solutions-catalog) - [Deploy custom content from your repository](/azure/sentinel/ci-cd) - Configuration - [Find your Microsoft Sentinel data connector](/azure/sentinel/data-connectors-reference)- - [Create custom analytics rules to detect 
threats](/azure/sentinel/detect-threats-custom) - - [Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel](/azure/sentinel/create-nrt-rules) - - [Create watchlists](/azure/sentinel/watchlists-create) + - [Create custom analytics rules to detect threats](/azure/sentinel/detect-threats-custom?tabs=defender-portal) + - [Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel](/azure/sentinel/create-nrt-rules?tabs=defender-portal) + - [Create watchlists](/azure/sentinel/watchlists-create?tabs=defender-portal) - [Manage watchlists in Microsoft Sentinel](/azure/sentinel/watchlists-manage) - [Create automation rules](/azure/sentinel/create-manage-use-automation-rules) - [Create and customize Microsoft Sentinel playbooks from content templates](/azure/sentinel/use-playbook-templates) You can only have one workspace connected to the Defender portal at a time. If y If you want to connect to a different workspace, from the **Workspaces** page, select the workspace and **Connect a workspace**. -## Next steps +## Related content +- [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) +- [Advanced hunting in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2264410) +- [Automatic attack disruption in Microsoft Defender XDR](automatic-attack-disruption.md) - [Investigate incidents in Microsoft Defender XDR](investigate-incidents.md) |
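Review bot: in the new "Query Sentinel data tables or view incidents" row, one action is spelled `Microsoft.SecurityInsights/Incidents/read` with a capital I while every other entry in the table uses lowercase `incidents`; change it to `Microsoft.SecurityInsights/incidents/read` so the list is consistent and easy to copy into a custom role definition. Splitting the old row, which required Microsoft Sentinel Contributor plus write and delete actions just to query tables or view incidents, into a Reader row for read-only work and a separate Contributor row for investigative actions is the right least-privilege change; since the "Take investigative actions on incidents" row also drops the `incidents/delete`, `comments/delete`, `relations/delete` and `tasks/delete` actions, the commit message should say so explicitly so that admins who built custom roles from the earlier table know they can now narrow them.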
security | Portals | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/portals.md | Title: Microsoft security portals and admin centers -description: Find the right Microsoft admin center or portal for managing various services related to Microsoft 365 security -keywords: security, portals, Microsoft 365, M365, security center, admin center, URL, link, Microsoft Defender XDR, Microsoft Defender for Endpoint, Microsoft Defender Security Center, Microsoft Defender for Identity, Microsoft Defender for Office 365, MCAS, WDSI, SCC, Intune, MDM, MEM, ASC, Cloud App Security , Azure AD, security & compliance center +description: Find the right Microsoft admin center or portal for managing various services related to Microsoft 365 security. ms.localizationpriority: medium f1.keywords: - NOCSH-While [Microsoft Defender portal](microsoft-365-defender-portal.md) is the new home for monitoring and managing security across your identities, data, devices, and apps, you will need to access various portals for certain specialized tasks. +While [Microsoft Defender portal](microsoft-365-defender-portal.md) is the new home for monitoring and managing security across your identities, data, devices, and apps, you need to access various portals for certain specialized tasks. > [!TIP] > To access various relevant portals from Microsoft Defender portal, select **More resources** in the navigation pane. 
While [Microsoft Defender portal](microsoft-365-defender-portal.md) is the new h ## Security portals Security operators and admins can go to the following portals to manage security-specific settings, investigate possible threat activities, respond to active threats, and collaborate with IT admins to remediate issues.-<p></p> | Portal name | Description | Link | ||||-| Microsoft Defender portal | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with [Microsoft Defender XDR](microsoft-365-defender.md) | [security.microsoft.com](https://security.microsoft.com/) | -| Microsoft Defender Security Center | Monitor and respond to threat activity on your endpoints using capabilities provided with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint). **NOTE:** Most tenants should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/). | [securitycenter.windows.com](https://securitycenter.windows.com) | -| Office 365 Security & Compliance Center | Manage [Exchange Online Protection](../office-365-security/eop-about.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) to protect your email and collaboration services, and ensure compliance to various data-handling regulations. **NOTE:** Most tenants using the security sections of the Office 365 Security & Compliance Center should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/). 
| [protection.office.com](https://protection.office.com) | +| Microsoft Defender portal | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with [Microsoft Defender XDR](microsoft-365-defender.md) | [security.microsoft.com](https://security.microsoft.com/) <br/><br/>The Microsoft Defender portal is where you view and manage alerts, incidents, settings, and more. | +| Microsoft Defender Security Center | Monitor and respond to threat activity on your endpoints using capabilities provided with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint). Most tenants should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/). | [securitycenter.windows.com](https://securitycenter.windows.com) | +| Office 365 Security & Compliance Center | Manage [Exchange Online Protection](../office-365-security/eop-about.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) to protect your email and collaboration services, and ensure compliance to various data-handling regulations. Most tenants using the security sections of the Office 365 Security & Compliance Center should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/). 
| [protection.office.com](https://protection.office.com) | | Defender for Cloud portal | Use [Microsoft Defender for Cloud](/azure/security-center/security-center-intro) to strengthen the security posture of your data centers and your hybrid workloads in the cloud | [portal.azure.com/#blade/Microsoft_Azure_Security](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0) | | Microsoft Defender for Identity portal | Identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions using Active Directory signals with [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) | [portal.atp.azure.com](https://portal.atp.azure.com/) | | Defender for Cloud Apps portal | Use [Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) to get rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats on cloud services | [portal.cloudappsecurity.com](https://portal.cloudappsecurity.com/) | Security operators and admins can go to the following portals to manage security ## Portals for other workloads -While these portals are not specifically for managing security, they support various workloads and tasks that can impact your security. Visit these portals to manage identities, permissions, device settings, and data handling policies. -<p></p> +Although these portals aren't specifically for managing security, they support various workloads and tasks that can impact your security. Visit these portals to manage identities, permissions, device settings, and data handling policies. 
| Portal name | Description | Link | ||||-| Microsoft Entra admin center | Access and administer the [Microsoft Entra](/entra) family to protect your business with decentralized identity, identity protection, governance, and more, in a multi-cloud environment | [entra.microsoft.com](https://entra.microsoft.com/) | +| Microsoft Entra admin center | Access and administer the [Microsoft Entra](/entra) family to protect your business with decentralized identity, identity protection, governance, and more, in a multicloud environment | [entra.microsoft.com](https://entra.microsoft.com/) | | Azure portal | View and manage all your [Azure resources](/azure/azure-resource-manager/management/overview) | [portal.azure.com](https://portal.azure.com/) | | Microsoft Entra admin center | View and manage [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) | [aad.portal.azure.com](https://aad.portal.azure.com/) | | Microsoft Purview compliance portal | Manage data handling policies and ensure [compliance with regulations](/compliance/regulatory/offering-home) | [compliance.microsoft.com](https://compliance.microsoft.com/) | | Microsoft 365 admin center | Configure Microsoft 365 services; manage roles, licenses, and track updates to your Microsoft 365 services | [admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2166757) | | Microsoft Intune admin center | Use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage and secure devices. Can also combine Intune and Configuration Manager capabilities. 
| [endpoint.microsoft.com](https://endpoint.microsoft.com/) |-| Microsoft Intune portal | Use [Microsoft Intune](/intune/fundamentals/what-is-intune) to deploy device policies and monitor devices for compliance | [endpoint.microsoft.com](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview) +| Microsoft Intune portal | Use [Microsoft Intune](/intune/fundamentals/what-is-intune) to deploy device policies and monitor devices for compliance | [endpoint.microsoft.com](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview) | ++ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
security | Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md | -For more information on what's new with other Microsoft Defender security products, see: +For more information on what's new with other Microsoft Defender security products and Microsoft Sentinel, see: - [What's new in Microsoft Defender for Office 365](../office-365-security/defender-for-office-365-whats-new.md) - [What's new in Microsoft Defender for Endpoint](../defender-endpoint/whats-new-in-microsoft-defender-endpoint.md) - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new) - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)+- [What's new in Microsoft Sentinel](/azure/sentinel/whats-new) You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter). - ## April 2024 +- (Preview) The **unified security operations platform** in the Microsoft Defender portal is now available. This release brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot in Microsoft Defender. For more information, see the following resources: ++ - Blog announcement: [Unified security operations platform ready to revolutionize protection and efficiency](https://aka.ms/unified-soc-announcement) + - [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) + - [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md) + - [Microsoft Security Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) + - (GA) **[Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md)** is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. 
Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence. - Copilot in Defender customers can now export incident data to PDF. Use the exported data to easily share incident data, facilitating discussions with your security teams and other stakeholders. For details, see **[Export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf)**. |
security | Defender For Office 365 Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md | For more information on what's new with other Microsoft Defender security produc - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new) - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes) +## April 2024 ++- **Enhanced clarity in submissions results**: Admins and security operators now see enhanced results within submissions across email, Microsoft Teams messages, email attachments, URLs, and user-reported messages. These updates aim to eliminate any ambiguity associated with the current submission results. The results are refined to ensure clarity, consistency, and conciseness, making the submission results more actionable for you. [Learn more](submissions-admin.md). + ## March 2024 - **Copy simulation functionality in Attack simulation training**: Admins can now duplicate existing simulations and customize them to their specific requirements. This feature saves time and effort by using previously launched simulations as templates when creating new ones. [Learn more](attack-simulation-training-simulations.md#copy-simulations). |
security | Email Authentication Dkim Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dkim-configure.md | To use the procedures in this section, the custom domain or subdomain must appea Proceed if the domain satisfies these requirements. -1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. +1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. 2. On the **Email authentication settings** page, select the **DKIM** tab. To use the procedures in this section, the \*.onmicrosoft.com domain must appear Proceed if the domain satisfies these requirements. -1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. +1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. 2. On the **Email authentication settings** page, select the **DKIM** tab. To confirm the corresponding public key that's used to verify the DKIM signature ### Use the Defender portal to rotate DKIM keys for a custom domain -1. 
In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. +1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. 2. On the **Email authentication settings** page, select the **DKIM** tab. When you disable DKIM signing using a custom domain, you aren't completely disab ### Use the Defender portal to disable DKIM signing of outbound messages using a custom domain -1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. +1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. 2. On the **Email authentication settings** page, select the **DKIM** tab. |
topics | Topics Lightweight Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topics-lightweight-management.md | description: Learn how to use the lightweight management experience in Viva Enga # Topics lightweight management in Viva Engage +>[!NOTE] +>Viva Topics will be retired in 2025. As part of that change, Viva Engage will return to a simplified topics mode. During the transition, we will pause proactive topics migrations to use Viva Topics, but continue migrations that enable Viva Engage networks to use [Answers in Viva](/viva/engage/eac-answers-overview-set-up#technical-requirements) by request. Learn more about the [migration](/microsoft-365/topics/topic-experiences-viva-engage), [the Topics experience](https://support.microsoft.com/topic/viva-topics-experience-in-yammer-8e85bc0d-086e-49a2-974b-39f60129257d), and the [Topics retirement](/microsoft-365/topics/changes-coming-to-topics). + Topics lightweight management allows you to experience how Topics can enhance knowledge management in your organization without needing a license that includes Topics. Topics provides a central knowledge base for manually created topics and definitions inside apps like Viva Engage. These topics don't use Topics' AI, topic cards and pages but can be selected to classify conversations and posts in Viva Engage. Knowledge admins can edit, create, and delete these topics without Viva licensing as a way to make knowledge management more accessible to more users. |