- - azure-ad-ref-level-one-done

- > 

- :::image type="content" alt-text="Image of selecting configuration policies for android." source="images/selectconfigurations.png" lightbox="images/selectconfigurations.png":::

- > 

- > 

- :::image type="content" source="images/select-profile-icon-1.jpg" alt-text="The profile icon in the Microsoft Defender for Endpoint portal" lightbox="images/select-profile-icon-1.jpg":::

- :::image type="content" source="images/selecthelpandfeedback2.png" alt-text="The Help & feedback option that can be selected in the Microsoft Defender for Endpoint portal" lightbox="images/selecthelpandfeedback2.png":::

- :::image type="content" alt-text="Select send feedback to Microsoft" source="images/send-feedback-to-microsoft-3.jpg":::

- :::image type="content" source="../images/nativeapp-decoded-token.png" alt-text="The token validation page" lightbox="../images/nativeapp-decoded-token.png":::

- :::image type="content" source="images/sccm-deployment.png" alt-text="The Configuration Manager showing successful deployment with no errors" lightbox="images/sccm-deployment.png":::

- :::image type="content" source="images/run-as-admin.png" alt-text="The Window Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png":::

- :::image type="content" source="images/run-as-admin.png" alt-text="The Windows Start menu pointing to the Run as administrator option" lightbox="images/run-as-admin.png":::

-|Any file with a specific extension|All files with the specified extension, anywhere on the machine. <p> Valid syntax: `.test` and `test`|Extension exclusions|

-> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.

-|`*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders, and `C:\Serv\Secondary\Allowed\Backup` and its subfolders|

-|`?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders|

-|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated.|`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`|

-> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.

-> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.

-> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.2111-5.0 (released in December 2021) or later.

-In the following PowerShell snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.

- :::image type="content" source="images/secconmgmt_baseline_intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="images/secconmgmt_baseline_intuneprofile1.png":::<br>

- :::image type="content" source="images/secconmgmt_baseline_intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="images/secconmgmt_baseline_intuneprofile2.png":::<br>

- :::image type="content" source="images/secconmgmt_baseline_intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="images/secconmgmt_baseline_intuneprofile3.png":::<br>

- :::image type="content" source="images/secconmgmt_baseline_intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="images/secconmgmt_baseline_intuneprofile4.png":::<br>

- :::image type="content" source="images/mte-collaboratewithmte.png" alt-text="The Microsoft Defender Experts settings" lightbox="images/mte-collaboratewithmte.png":::

- :::image type="content" source="images/mte-apply.png" alt-text="The Name field on the Microsoft Defender Experts application page" lightbox="images/mte-apply.png":::

- :::image type="content" source="images/mte-applicationconfirmation.png" alt-text="The Microsoft Defender Experts application confirmation message" lightbox="images/mte-applicationconfirmation.png":::

-description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine learning

-You can use Group Policy to manage some Microsoft Defender Antivirus settings. Note that if [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled in your organization, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. You can't turn off tamper protection by using Group Policy.

-If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.

- 1. In your Windows 10 or Windows 11 taskbar search box, type **gpedit**.

- :::image type="content" source="images/need-help-option.png" alt-text="The Need help button" lightbox="images/need-help-option.png":::

-<td><center><a href="microsoft-defender-endpoint.md#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td>

-description: Select the best Microsoft Defender for Endpoint deployment strategy for your environment

-You've already completed steps to set up your Microsoft Defender for Endpoint deployment and assigned roles and permissions for Defender for Endpoint. Next, plan for onboarding your devices by identifying your architecture and choosing your deployment method.

-Depending on your environment, some tools are better suited for certain architectures. Use the table below to decide which Defender for Endpoint architecture best suits your organization.

-|**Cloud-native**| We recommend using Microsoft Intune to onboard, configure, and remediate endpoints from the cloud for enterprises that don't have an on-premises configuration management solution or are looking to reduce their on-premises infrastructure. |

-|**Co-management**| For organizations that host both on-premises and cloud-based workloads we recommend using Microsoft's ConfigMgr and Intune for their management needs. These tools provide a comprehensive suite of cloud-powered management features, as well as unique co-management options to provision, deploy, manage, and secure endpoints and applications across an organization. |

-|**On-premises**|For enterprises that want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.|

-|**Evaluation and local onboarding**|We recommend this architecture for SOCs (Security Operations Centers) that are looking to evaluate or run a Microsoft Defender for Endpoint pilot, but don't have existing management or deployment tools. This architecture can also be used to onboard devices in small environments without management infrastructure, such as a DMZ (Demilitarized Zone).|

-description: Learn how to leverage endpoint discovery in Microsoft Defender XDR to find unmanaged devices in your network

-Watch this video for a quick overview of how to assess and onboard unmanaged devices that Microsoft Defender for Endpoint discovered.

-In conjunction with this capability, a security recommendation to onboard devices to Microsoft Defender for Endpoint is available as part of the existing Microsoft Defender Vulnerability Management experience.

-> [!NOTE]

-> The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. Devices that are not connected to corporate networks will not be discovered or listed in the device inventory.

-Devices that have been discovered but haven't yet been onboarded and secured by Microsoft Defender for Endpoint are listed in the device inventory within the Computers and Mobile tab.

-To assess these devices, you can use a filter in the device inventory list called Onboarding status, which can have any of the following values:

-The large number of unmanaged network devices deployed in an organization creates a large surface area of attack, and represents a significant risk to the entire enterprise. Microsoft Defender for Endpoint network discovery capabilities helps you ensure network devices are discovered, accurately classified, and added to the asset inventory.

-Network devices aren't managed as standard endpoints, as Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan obtains the necessary information from the devices. To do this, a designated Microsoft Defender for Endpoint device is used on each network segment to perform periodic authenticated scans of preconfigured network devices. Defender for Endpoint's vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.

-To address the challenge of gaining enough visibility to locate, identify, and secure your complete OT/IOT asset inventory Microsoft Defender for Endpoint now supports the following integration:

-Device discovery leverages Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. The network sensor on the Microsoft Defender for Endpoint onboarded device identifies two new connection types:

-This means that when a non-onboarded device attempts to communicate with an onboarded Microsoft Defender for Endpoint device, the attempt generates a DeviceNetworkEvent and the non-onboarded device activities can be seen on the onboarded device timeline, and through the Advanced hunting DeviceNetworkEvents table.

-| **[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)** <br/>Block at first sight detects new malware and blocks it within seconds. When a suspicious or malicious file is detected, block at first sight capabilities queries the cloud protection backend and applies heuristics, machine learning, and automated analysis of the file to determine whether it is a threat.<br/><br/>To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight) | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) |

-For more information about allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)

-[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before enabling network protection.

-Check if network protection has been enabled on a local device by using Registry editor.

- Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature.

-1. Sign into the Microsoft Intune admin center (https://endpoint.microsoft.com).

-4. In the **Configuration settings** section, go to **Attack Surface Reduction Rules** > set **Block**, **Enable** or **Audit** for **Enable network protection**. Select **Next**.

-1. Sign into the Microsoft Intune admin center (https://endpoint.microsoft.com).

-2. Go to **Endpoint security** > **Antivirus**

-3. Select **Create a policy**

-5. Choose **Microsoft Defender Antivirus** from the **Profile** list then choose **Create**

- - **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains.

- :::image type="content" source="images/request-more-devices.png" alt-text="The request for more devices option" lightbox="images/request-more-devices.png":::

- :::image type="content" source="images/test-machine-table.png" alt-text="The Connect button for the test devices" lightbox="images/test-machine-table.png":::

- > :::image type="content" source="images/reset-password-test-machine.png" alt-text="The Reset password option" lightbox="images/reset-password-test-machine.png":::

- :::image type="content" source="images/select-simulator.png" alt-text="The threat simulator selection" lightbox="images/select-simulator.png":::

-If the device isn't sending any signals to any Microsoft Defender for Endpoint channels for more than seven days for any reason, a device can be considered inactive; this includes conditions that fall under misconfigured devices classification.

-Do you expect a device to be in 'Active' status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).

- The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.

- The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.

-If the devices aren't reporting correctly, you should verify that the Windows diagnostic data service is set to automatically start. Also verify that the Windows diagnostic data service is running on the endpoint.

-If your devices are running a third-party anti-malware client, Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch anti-malware (ELAM) driver is enabled.

- :::image type="content" source="images/nameiosconfig.png" alt-text="Name the configuration." lightbox="images/nameiosconfig.png":::

-offline_definition_url_configured : "http://172.22.199.67:8000/linux/production/" [managed]

-> [!NOTE]

->

-Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.

- You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.

- Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.

- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).

-| cd | Changes the current directory. | Y | Y | Y |

-| cls | Clears the console screen. | Y | Y | Y |

-| connect | Initiates a live response session to the device. | Y | Y | Y |

-| connections | Shows all the active connections. | Y | N | N |

-| dir | Shows a list of files and subdirectories in a directory. | Y | Y | Y |

-| drivers | Shows all drivers installed on the device. | Y | N | N |

-| fg `<command ID>` | Place the specified job in the foreground, making it the current job. NOTE: fg takes a 'command ID` available from jobs, not a PID. | Y | Y | Y |

-| fileinfo | Get information about a file. | Y | Y | Y |

-| findfile | Locates files by a given name on the device. | Y | Y | Y |

-| getfile <file_path> | Downloads a file. | Y | Y | Y |

-| help | Provides help information for live response commands. | Y | Y | Y |

-| jobs | Shows currently running jobs, their ID and status. | Y | Y | Y |

-| persistence | Shows all known persistence methods on the device. | Y | N | N |

-| processes | Shows all processes running on the device. | Y | Y | Y |

-| registry | Shows registry values. | Y | N | N |

-| scheduledtasks | Shows all scheduled tasks on the device. | Y | N | N |

-| services | Shows all services on the device. | Y | N | N |

-| startupfolders | Shows all known files in startup folders on the device. | Y | N | N |

-| status | Shows the status and output of specific command. | Y | Y | Y |

-| trace | Sets the terminal's logging mode to debug. | Y | Y | Y |

-| analyze | Analyses the entity with various incrimination engines to reach a verdict. | Y | N | N |

-| collect | Collects forensics package from device. | N | Y | Y |

-| isolate | Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service. | N | Y | N |

-| release | Releases a device from network isolation. | N | Y | N |

-| run | Runs a PowerShell script from the library on the device. | Y | Y | Y |

-| library | Lists files that were uploaded to the live response library. | Y | Y | Y |

-| putfile | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. | Y | Y | Y |

-| remediate | Remediates an entity on the device. The remediation action will vary depending on the entity type: File: delete Process: stop, delete image file Service: stop, delete image file Registry entry: delete Scheduled task: remove Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y |

-| scan | Runs a Quick antivirus scan to help identify and remediate malware. | N | Y | Y |

-| undo | Restores an entity that was remediated. | Y | N | N |

- :::image type="content" source="images/Terminal-image-step5.png" alt-text="Screenshot that displays the two download files.":::

- :::image type="content" source="images/monterey-install-1.png" alt-text="Screenshot that shows the installation process for the application":::

- :::image type="content" source="images/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval":::

- :::image type="content" source="images/system-extention-image.png" alt-text="Screenshot that shows the system extention.":::

- :::image type="content" source="images/security-privacy-window-updated.png" alt-text="Screenshot that shows the security and privacy window.":::

- :::image type="content" source="images/monterey-install-4.png" alt-text="Screenshot that shows the system extension security preferences2":::

- :::image type="content" source="images/restart-fulldisk.png" alt-text="Screenshot that allows you to restart the system for new system extensions to be enabled.":::

- :::image type="content" source="images/tcc-add-entry.png" alt-text="The save operation relating to the configuration setting." lightbox="images/tcc-add-entry.png":::

- :::image type="content" source="images/tcc-epsext-entry.png" alt-text="The configuration setting tcc epsext entry." lightbox="images/tcc-epsext-entry.png":::

- :::image type="content" source="images/tcc-epsext-entry2.png" alt-text="The other instance of configuration setting tcc epsext." lightbox="images/tcc-epsext-entry2.png":::

-> [!IMPORTANT]

-> Some information relates to a pre-released product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-> [!NOTE]

->The built-in Scheduled Scan is currently in public preview. Review the prerequisites carefully.

- :::image type="content" source="images/selecting-licenses-option-from-endpoints-screen.png" alt-text="Screenshot of the Endpoints page from which the Licenses options can be selected." lightbox="images/selecting-licenses-option-from-endpoints-screen.png":::

- :::image type="content" source="images/resultant-screen-of-selecting-preferred-license.png" alt-text="Screenshot of the product page from which you can select the option of assigning the purchased license.":::

- :::image type="content" source="images/screen-containing-option-to-assign-licenses.png" alt-text="Screenshot of the page containing the + Assign licenses option." lightbox="images/screen-containing-option-to-assign-licenses.png":::

- :::image type="content" source="images/screen-on-clicking-refresh-devices.png" alt-text="The screen that appears on clicking Refresh devices." lightbox="images/screen-on-clicking-refresh-devices.png":::

-> [!IMPORTANT]

-> Some information relates to a pre-released product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-> [!NOTE]

-> Troubleshooting mode on macOS is currently in public preview. Review the prerequisites carefully.

- :::image type="content" source="images/troubleshooting-mode-on-mac.png" alt-text="Screenshot displaying the screenshot of the troubleshooting mode on mac.":::

-**Built-in Scheduled Scan for macOS** (preview)

-Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS is now available in Public Preview. To learn more, see [How to schedule scans with Microsoft Defender for Endpoint on macOS](mac-schedule-scan.md).

-**Troubleshooting mode for macOS** (preview)

-Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. Troubleshooting mode for macOS is now available in Public Preview. To learn more, see [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](mac-troubleshoot-mode.md).

-### Mar-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0)

- :::image type="content" source="images/system-extension-blocked-second-prompt.png" alt-text="The second prompt regarding system extensions being blocked." lightbox="images/system-extension-blocked-second-prompt.png":::

- :::image type="content" source="images/system-preferences-icon.png" alt-text="The System Preferences icon." lightbox="images/system-preferences-icon.png":::

- :::image type="content" source="images/system-preferences-screen.png" alt-text="The System Preferences screen." lightbox="images/system-preferences-screen.png":::

- :::image type="content" source="images/security-and-privacy-screen.png" alt-text="The Security & Privacy screen." lightbox="images/security-and-privacy-screen.png":::

- :::image type="content" source="images/screen-on-clicking-unlock.png" alt-text="The screen that is displayed on clicking Unlock." lightbox="images/screen-on-clicking-unlock.png":::

- :::image type="content" source="images/screen-on-clicking-details.png" alt-text="The screen that is displayed on clicking Details." lightbox="images/screen-on-clicking-details.png":::

- Review these incidents to respond to any Microsoft Defender for Endpoint alerts and resolve once the incident has been remediated. See [Get incident notifications by email](../defender/incidents-overview.md#get-incident-notifications-by-email) and [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md).

-| Windows Defender Firewall (MpsSvc) | `C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork` | We recommend keeping the Windows Defender Firewall service enabled. |

-| **0** - **Always prompt** | The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but isn't recommended for installations on Windows Server 2016 or 2019, or Windows Server 2022 without a GUI. |

-| Disable Microsoft Defender Antivirus Realtime Protection using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` |

-### November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2)

-#### What's new

-#### Known issues

-<td><center><a href="#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td>

-|**Firmware/ Rootkit**| <li> Operating system <li> Driver <li> Memory (Heap) <li> Application <li> Identity <li> Cloud|

->[!NOTE]

-For more information about Windows 10 and Windows 11 requirements, see the following topics:

- - Security Intelligence Update

- - See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information.

->[!NOTE]

-> If WinRE is disabled, the WDO scan won't run and no error message is displayed.

-Nothing happens even if the machine is restarted manually.

-> To fix this, you only have to enable WinRE.

-If Microsoft Defender Antivirus determines that need to run:

- :::image type="content" source="../../media/notification.png" alt-text="Notification to run Microsoft Defender Offline" lightbox="../../media/notification.png":::

- The user will also be notified within the Microsoft Defender Antivirus client or it can be revealed in Microsoft Intune, if you're using it to manage your Windows endpoints.

-You can run a Microsoft Defender Offline scan with the following:

-1. Open the Windows Security app:

- - In the Start menu, select **App apps**, then select **Windows Security**, or

- - In the Start menu, select **Settings**, then select **Privacy & security**, and then select **Windows Security**, or

- - In the Search, search for **Windows Security**, or

- - In the task bar, select the hidden icons (chevron icon pointing up), click the Microsoft Defender Antivirus Shield icon.

-2. Select **Scan options**.

-3. Select the radio button **Microsoft Defender Offline scan** and click **Scan now**.

- > [!NOTE]

- > The process starts from C:\ProgramData\Microsoft\Windows Defender\Offline Scanner.

-4. You'll get a prompt to save your work before continuing, similar to the following image:

-5. Once you clicked on **Scan**, you'll get another prompt requesting your permission to make changes to your device, similar to the following image:

-6. Another prompt will appear informing you that you'll be signed out and windows will shut down in less than a minute, similar to the following image:

-7. You'll see that the Microsoft Defender Antivirus scan (offline scan) is in progress.

-2. To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space, and then run the tool. You'll be guided through the steps to create the removable media.

- 1. Once you've created the USB drive, CD, or DVD, you'll need to remove it from your current computer and take it to the computer you want to scan. Insert the USB drive or disc into the other computer and restart the computer.

- 3. Once you've booted from the device, you'll see a Microsoft Defender tool that will automatically scan your computer and remove malware.

- 1. If you experience a Stop error on a blue screen when you run the offline scan, restart your device and try running a Microsoft Defender Offline scan again. If the blue-screen error happens again, contact [Microsoft Support](https://support.microsoft.com/).

- :::image type="content" source="images/select-plans-aws-gcp.png" alt-text="Screenshot that shows how to enable autoprovisioning for Azure Arc agent." lightbox="images/select-plans-aws-gcp.png":::

-A designated Microsoft Defender for Endpoint device is used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint's Vulnerability Management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.

-3. Decide which network devices will be assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall).

-If there's a difference between the two versions, the update process determines which files are different and need to be updated on the local computer. Once the required updates are determined, the downloading of the updates will start.

-It's possible to disable automatic updates of the scanner by going to the **MDATP Network Scanner Updater** inside the Windows Task Scheduler. To do this:

-7. Select the **Scan interval:** By default, the scan runs every four hours, you can change the scan interval or have it only run once, by selecting 'Don't repeat'.

- - You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault, you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials. The secret value is dependent on the Authenticated Method you choose:

- |Authentication Method|Azure KeyVault secret value|

- |:-|:-:|

- |AuthPriv|Username;AuthPassword;PrivPassword|

- |AuthNoPriv|Username;AuthPassword|

- |CommunityString |CommunityString|

-> [!NOTE]

-> The status of a device will be switched to [Inactive](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.

->

-> Offboarded devices' data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) expires.

->

-> The device's profile (without data) will remain in the [Devices List](machines-view-overview.md) for no longer than 180 days.

->

-> In addition, devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Defender Vulnerability Management [exposure score](tvm-exposure-score.md) and Microsoft Secure Score for Devices.

->

-> To view only active devices, you can filter by [sensor health state](machines-view-overview.md#use-filters-to-customize-the-device-inventory-views), [device tags](machine-tags.md) or [machine groups](machine-groups.md).

-description: Onboard Windows Client.

-# Defender for Endpoint onboarding Windows Client

-You'll need to go through onboarding steps of the [Microsoft Defender portal](https://security.microsoft.com) (Go to **Settings** > **Endpoints** > **Onboarding**) to onboard any of the supported devices. Depending on the device, you're guided with appropriate steps and provided management and deployment tool options suitable for the device.

-Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.

-In general, you identify the client you're onboarding, then follow the corresponding tool appropriate to the device or your environment.

-## Related topics

- :::image type="content" source="images/security-center-attack-surface-mgnt-tile.png" alt-text="The attack surface management" lightbox="images/security-center-attack-surface-mgnt-tile.png":::

- :::image type="content" source="images/send-email.png" alt-text="The Send an email section" lightbox="images/send-email.png":::

-description: Learn how to onboard endpoints to Microsoft Defender for Endpoint service

-To provide some guidance on your deployments, in this section we'll guide you through using two deployment tools to onboard endpoints.

-Audit mode lets you see a record of what *would* have happened if you had enabled the feature.

-For example, you can test attack surface reduction rules in audit mode prior to enabling (block mode) them. Attack surface reduction rules are predefined to harden common, known attack surfaces. There are several methods you can use to implement attack surface reduction rules. The preferred method is documented in the following attack surface reduction rules deployment articles:

-|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel

-|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API

-|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations

-|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures

-|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration

-|[ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115)|Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators

-|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)|Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information

-|Tier 1|**Local security operations team / IT team** <br> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.|

-|Tier 2|**Regional security operations team** <br> This team can see all the devices for their region and perform remediation actions.|

-|Tier 3|**Global security operations team** <br> This team consists of security experts and are authorized to see and perform all actions from the portal.|

-[](images/response-actions.png#lightbox)

- > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863'

- echo '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863 XMDEClientAnalyzerBinary.zip' | sha256sum -c

- echo '926DEF4C6857641E205E7978126F7C2CE541D52AEA1C0E194DDB85F7BCFDE3D9 XMDEClientAnalyzer.zip' | sha256sum -c

-1. Open an elevated command-line prompt on the device and run the script:

- 1. Go to **Start** and type **cmd**.

- 1. Right-click **Command Prompt** and select **Run as administrator**.

- :::image type="content" source="images/run-as-admin.png" alt-text="The Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png":::

-

-

-

-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.

-3. Click **Administrative templates**.

-5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.

-|Client interface|Display additional text to clients when they need to perform an action|[Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)|

-|Network inspection system|Specify additional definition sets for network traffic inspection| Not used (deprecated) |

-|Real-time protection|Configure local setting override for turn on behavior monitoring|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)|

-description: Learn about the web protection in Microsoft Defender for Endpoint and how it can protect your organization

-Similarly, during a conflict between indicators, allows always take precedence over blocks (override logic). That means that an allow indicator will win over any block indicator that is present.

-The table below summarizes some common configurations that would present conflicts within the web protection stack. It also identifies the resulting determinations based on the precedence listed above.

-<br>

-****

-|

-Internal IP addresses are not supported by custom indicators. For a warn policy when bypassed by the end user, the site will be unblocked for 24 hours for that user by default. This time frame can be modified by the Admin and is passed down by the SmartScreen cloud service. The ability to bypass a warning can also be disabled in Microsoft Edge using CSP for web threat blocks (malware/phishing). For more information, see [Microsoft Edge SmartScreen Settings](/DeployEdge/microsoft-edge-policies#smartscreen-settings-policies).

-In all web protection scenarios, SmartScreen and Network Protection can be used together to ensure protection across both first and third-party browsers and processes. SmartScreen is built directly into Microsoft Edge, while Network Protection monitors traffic in third-party browsers and processes. The diagram below illustrates this concept. This diagram of the two clients working together to provide multiple browser/app coverages is accurate for all features of Web Protection (Indicators, Web Threats, Content Filtering).

-Responses from the SmartScreen cloud are standardized. Tools like Fiddler can be used to inspect the response from the cloud service, which will help determine the source of the block.

-The table below shows the responses and their correlated features.

-<br>

-****

-|||

-Kusto queries in advanced hunting can be used to summarize web protection blocks in your organization for up to 30 days. These queries use the information listed above to distinguish between the various sources of blocks and summarize them in a user-friendly manner. For example, the query below lists all WCF blocks originating from Microsoft Edge.

-Similarly, you can use the query below to list all WCF blocks originating from Network Protection (for example, a WCF block in a third-party browser). Note that the ActionType has been updated and 'Experience' has been changed to 'ResponseCategory'.

-To list blocks that are due to other features (like Custom Indicators), refer to the table above outlining each feature and their respective response category. These queries may also be modified to search for telemetry related to specific machines in your organization. Note that the ActionType shown in each query above will show only those connections that were blocked by a Web Protection feature, and not all network traffic.

-If a user visits a web page that poses a risk of malware, phishing, or other web threats, Microsoft Edge will trigger a block page that reads 'This site has been reported as unsafe' along with information related to the threat.

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="../../media/web-protection-malicious-block.png" alt-text="The page blocked by Microsoft Edge" lightbox="../../media/web-protection-malicious-block.png":::

-If blocked by WCF or a custom indicator, a block page shows in Microsoft Edge that tells the user this site is blocked by their organization.

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="../../media/web-protection-indicator-blockpage.png" alt-text="The page blocked by your organization" lightbox="../../media/web-protection-indicator-blockpage.png":::

-In any case, no block pages are shown in third-party browsers, and the user sees a "Secure Connection Failed' page along with a toast notification. Depending on the policy responsible for the block, a user will see a different message in the toast notification. For example, web content filtering will display the message 'This content is blocked'.

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="../../media/web-protection-np-block.png" alt-text="The page blocked by WCF" lightbox="../../media/web-protection-np-block.png":::

-To report a false positive for sites that have been deemed dangerous by SmartScreen, use the link that appears on the block page in Microsoft Edge (as shown above).

-For WCF, you can dispute the category of a domain. Navigate to the **Domains** tab of the WCF reports. You will see an ellipsis beside each of the domains. Hover over this ellipsis and select **Dispute Category**. A flyout will open. Set the priority of the incident and provide some additional details, such as the suggested category. For more information on how to turn on WCF and how to dispute categories, see [Web content filtering](web-content-filtering.md).

-<br>

-****

-|Topic|Description|

-|[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you have blocked.|

-|

-Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.

-Defender Vulnerability Management leverage Microsoft's threat intelligence, breach likelihood predictions, business contexts, and device assessments to quickly prioritize the biggest vulnerabilities in your organization. A single view of prioritized recommendations from multiple security feeds, along with critical details including related CVEs and exposed devices, helps you quickly remediate the biggest vulnerabilities on your most critical assets. Risk-based intelligent prioritization:

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, file, IP address, device, machine, user, account, identity, AAD

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, CloudAppEvents, Defender for Cloud Apps

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, functions

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, DeviceEvents

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, digital signature, certificate, file signing, DeviceFileCertificateInfo

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, DeviceFileEvents, files, path, hash, sha1, sha256, md5

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, device, devicefromIP, function, enrichment

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DeviceImageLoadEvents, DLL loading, library, file image

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, DeviceInfo, device, machine, OS, platform, users

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, DeviceLogonEvents, authentication, logon, sign in

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, NetworkCommunicationEvents, network connection, remote ip, local ip

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, DeviceNetworkInfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, DeviceProcessEvents, process id, command line, DeviceProcessEvents

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, DeviceRegistryEvents, key, subkey, value

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmHardwareFirmware

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities, Microsoft Defender Vulnerability Management

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities, MDVM

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB, MDVM, Microsoft Defender Vulnerability Management

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, evidence, software evidence, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareEvidenceBeta

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema, reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailAttachmentInfo, network message id, sender, recipient, attachment id, attachment name, malware verdict

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailPostDeliveryEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailUrlInfo, network message id, url, link

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error, limits, quota, parameter, allocation

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, language, training, scenarios, basic to advanced, videos, step-by-step

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, ExposureGraphEdges, EdgeId, EdgeLabel, SourceNodeName, SourceNodeLabel, TargetNodeName, TargetNodeLabel, SourceNodeCategories, TargetNodeCategories, EdgeProperties

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-| `SourceNodeCategories` | `Dynamic` | Categories list of the source node in JSON format |

-| `TargetNodeCategories` | `Dynamic` | The categories list of the target node in JSON format |

-| `EdgeProperties` | `Dynamic` | Optional data relevant for the relationship between the nodes in JSON format |

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, ExposureGraphNodes, NodeId, NodeLabel, NodeName, NodeProperties, EntityIds

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-| `Categories` |`Dynamic` | Categories of the node in JSON format |

-| `NodeProperties` |`Dynamic` | Properties of the node, including insights related to the resource, such as whether the resource is exposed to the internet, or vulnerable to remote code execution. Values are JSON formatted raw data (unstructured). |

-| `EntityIds` | `Dynamic` | All known node identifiers in JSON format |

-keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, ransomware, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-Ransomware has rapidly evolved from being simple commodity malware affecting individual computer users to an enterprise threat that is severely impacting industries and government institutions. While [Microsoft Defender XDR](microsoft-365-defender.md) provides many capabilities that detect and block ransomware and associated intrusion activities, performing proactive checks for signs of compromise can help keep your network protected.

-| Stop processes | _taskkill.exe_, _net stop_ | Ensure files targeted for encryption are not locked by various applications. |

-| Turn off services | _sc.exe_ | - Ensure files targeted for encryption are not locked by various applications.<br>- Prevent security software from disrupting encryption and other ransomware activity.<br>- Stop backup software from creating recoverable copies. |

-## Related topics

-keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityDirectoryEvents, domain controller, Active Directory, Microsoft Defender for Identity, identities

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AccountInfo, IdentityInfo, account

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-**Applies to:**

-> [!NOTE]

-> This table was renamed from `AccountInfo`. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere.

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityLogonEvents, Azure AD, Active Directory, Microsoft Defender for Identity, identities

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityQueryEvents, Azure AD, Active Directory, Microsoft Defender for Identity, identities, LDAP queries

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results, quota, parameters, allocation

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. |

-keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, Microsoft Defender for Endpoint, search, query, telemetry, custom detections, schema, kusto, mapping

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto

-ms.sitesec: library

-ms.pagetype: security

-keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: guided mode, advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, Office365 data, Windows devices, Office365 emails normalize, emails, apps, identities, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Defender XDR

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, query history, features

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-You can also right-click on any result value in a row so that you can use it to add more filters to the existing query or copy the value for use in further investigation.

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, data, naming changes, rename

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, data

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Security Copilot, AI, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down, copilot for security advanced hunting, Microsoft Copilot for Security

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, SeenBy, device discovery, function, enrichment

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, take action

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, UrlClickEvents, SafeLinks, phishing, malware, malicious clicks, outlook, teams, email, office365

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-description: View risk and exposure levels for a device in your organization. Analyze past and present threats, and protect the device with the latest updates.

-# Device profile page

-The Microsoft 365 security portal provides you with device profile pages, so you can quickly assess the health and status of devices on your network.

-> [!IMPORTANT]

-> The device profile page may appear slightly different, depending on whether the device is enrolled in Microsoft Defender for Endpoint, Microsoft Defender for Identity, or both.

-If the device is enrolled in Microsoft Defender for Endpoint, you can also use the device profile page to perform some common security tasks.

-## Navigating the device profile page

-The profile page is broken up into several broad sections.

-The sidebar (1) lists basic details about the device.

-The main content area (2) contains tabs that you can toggle through to view different kinds of information about the device.

-If the device is enrolled in Microsoft Defender for Endpoint, you'll also see a list of response actions (3). Response actions allow you to perform common security-related tasks.

-## Sidebar

-Beside the main content area of the device profile page is the sidebar.

-The sidebar lists the device's full name and exposure level. It also provides some important basic information in small subsections, which can be toggled open or closed, such as:

-* **Tags** - Any Microsoft Defender for Endpoint, Microsoft Defender for Identity, or custom tags associated with the device. Tags from Microsoft Defender for Identity aren't editable.

-* **Security info** - Open incidents and active alerts. Devices enrolled in Microsoft Defender for Endpoint display exposure level and risk level.

-> [!TIP]

-> Exposure level relates to how much the device is complying with security recommendations, while risk level is calculated based on a number of factors, including the types and severity of active alerts.

-* **Device details** - Domain, OS, timestamp for when the device was first seen, IP addresses, resources. Devices enrolled in Microsoft Defender for Endpoint also display health state. Devices enrolled in Microsoft Defender for Identity display SAM name and a timestamp for when the device was first created.

-* **Network activity** - Timestamps for the first time and last time the device was seen on the network.

-* **Directory data** (*only for devices enrolled in Microsoft Defender for Identity*) - [UAC](/windows/security/identity-protection/user-account-control/user-account-control-overview) flags, [SPNs](/windows/win32/ad/service-principal-names), and group memberships.

-## Response actions

-Response actions offer a quick way to defend against and analyze threats.

-> [!IMPORTANT]

-> * [Response actions](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts) are only available if the device is enrolled in Microsoft Defender for Endpoint.

-> * Devices that are enrolled in Microsoft Defender for Endpoint may display different numbers of response actions, based on the device's OS and version number.

-Actions available on the device profile page include:

-* **Manage tags** - Updates custom tags you've applied to this device.

-* **Isolate device** - Isolates the device from your organization's network while keeping it connected to Microsoft Defender for Endpoint. You can choose to allow Outlook, Teams, and Skype for Business to run while the device is isolated, for communication purposes.

-* **Action center** - View the status of submitted actions. Only available if another action has already been selected.

-* **Restrict app execution** - Prevents applications that aren't signed by Microsoft from running.

-* **Run antivirus scan** - Updates Microsoft Defender Antivirus definitions and immediately runs an antivirus scan. Choose between Quick scan or Full scan.

-* **Collect investigation package** - Gathers information about the device. When the investigation is completed, you can download it.

-* **Initiate Live Response Session** - Loads a remote shell on the device for [in-depth security investigations](/microsoft-365/security/defender-endpoint/live-response).

-* **Initiate automated investigation** - Automatically [investigates and remediates threats](../office-365-security/air-about.md). Although you can manually trigger automated investigations to run from this page, [certain alert policies](../../compliance/alert-policies.md#default-alert-policies) trigger automatic investigations on their own.

-* **Action center** - Displays information about any response actions that are currently running.

-## Tabs section

-The device profile tabs allow you to toggle through an overview of security details about the device, and tables containing a list of alerts.

-Devices enrolled in Microsoft Defender for Endpoint display tabs that feature a timeline, a list of security recommendations, a software inventory, a list of discovered vulnerabilities, and missing KBs (security updates).

-### Overview tab

-The default tab is **Overview**. It provides a quick look at the most important security fact about the device.

-Here, you can get a quick look at the device's active alerts, and any currently logged on users.

-If the device is enrolled in Microsoft Defender for Endpoint, you'll also see the device's risk level and any available data on security assessments. The security assessments describe the device's exposure level, provide security recommendations, and list affected software and discovered vulnerabilities.

-### Alerts tab

-The **Alerts** tab contains a list of alerts that have been raised on the device, from both Microsoft Defender for Identity and Microsoft Defender for Endpoint.

-You can customize the number of items displayed and which columns are displayed for each item. The default behavior is to list 30 items per page.

-The columns in this tab include information on the severity of the threat that triggered the alert and status, investigation state, and who the alert has been assigned to.

-The *impacted entities* column refers to the device (entity) whose profile you're currently viewing, plus any other devices in your network that are affected.

-Selecting an item from this list opens a flyout containing even more information about the selected alert.

-This list can be filtered by severity, status, or who the alert has been assigned to.

-### Timeline tab

-The **Timeline** tab includes an interactive, chronological chart of all events raised on the device. By moving the highlighted area of the chart left or right, you can view events over different periods of time. You can also choose a custom range of dates from the dropdown menu in between the interactive chart and the list of events.

-Below the chart is a list of events for the selected range of dates.

-The number of items displayed and the columns on the list can both be customized. The default columns list the event time, active user, action type, entities (processes), and additional information about the event.

-Selecting an item from this list opens a flyout displaying an Event entities graph, showing the parent and child processes involved in the event.

-The list can be filtered by the specific event; for example, Registry events or Smart Screen Events.

-The list can also be exported to a CSV file, for download. Although the file isn't limited by number of events, the maximum time range you can choose to export is seven days.

-### Security recommendations tab

-The **Security recommendations** tab lists actions you can take to protect the device. Selecting an item on this list opens a flyout where you can get instructions on how to apply the recommendation.

-As with the previous tabs, the number of items displayed per page and which columns are visible, can be customized.

-The default view includes columns that detail the security weaknesses addressed, the associated threat, the related component or software affected by the threat, and more. Items can be filtered by the recommendation's status.

-### Software inventory

-The **Software inventory** tab lists software installed on the device.

-The default view displays the software vendor, installed version number, number of known software weaknesses, threat insights, product code, and tags. The number of items displayed and which columns are displayed can both be customized.

-Selecting an item from this list opens a flyout containing more details about the selected software, and the path and timestamp for the last time the software was found.

-This list can be filtered by product code.

-### Discovered vulnerabilities tab

-The **Discovered vulnerabilities** tab lists any Common Vulnerabilities and Exploits (CVEs) that may affect the device.

-The default view lists the severity of the CVE, the Common Vulnerability Score (CVS), the software related to the CVE, when the CVE was published, when the CVE was last updated, and threats associated with the CVE.

-As with the previous tabs, the number of items displayed and which columns are visible can be customized.

-Selecting an item from this list opens a flyout that describes the CVE.

-### Missing KBs

-The **Missing KBs** tab lists any Microsoft Updates that have yet to be applied to the device. The "KBs" in question are [Knowledge Base articles](https://support.microsoft.com/help/242450/how-to-query-the-microsoft-knowledge-base-by-using-keywords-and-query), which describe these updates; for example, [KB4551762](https://support.microsoft.com/help/4551762/windows-10-update-kb4551762).

-The default view lists the bulletin containing the updates, OS version, products affected, CVEs addressed, the KB number, and tags.

-The number of items displayed per page and which columns are displayed can be customized.

-Selecting an item opens a flyout that links to the update.

-## Related topics

-* [Microsoft Defender XDR overview](microsoft-365-defender.md)

-* [Turn on Microsoft Defender XDR](m365d-enable.md)

-* [Investigate entities on devices, using live response](../defender-endpoint/live-response.md)

-* [Automated investigation and response (AIR) in Office 365](../office-365-security/air-about.md)

-description: Learn how to filter incidents from the incident queue in Microsoft Defender XDR

-# Prioritize incidents in Microsoft Defender XDR

-**Applies to:**

-Microsoft Defender XDR applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft Defender XDR also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility in Microsoft Defender XDR has across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization.

-The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision, a process known as incident triage.

-The **Most recent incidents and alerts** section shows a graph of the number of alerts received and incidents created in the last 24 hours.

-By default, the incident queue in the Microsoft Defender portal displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first.

-The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis.

-For more visibility at a glance, automatic incident naming generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.

-> [!NOTE]

-> Incidents that existed prior to the rollout of automatic incident naming will not have their name changed.

-The incident queue also provides multiple filtering options, that when applied, enable you to perform a broad sweep of all existing incidents in your environment, or decide to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incident requires immediate attention.

-## Available filters

-From the default incident queue, you can select **Filter** to see a **Filter** pane, from which you specify a filtered set of incidents. Here's an example.

-| Filter name | Description |

-| Status | Select **New**, **In progress**, or **Resolved**. |

-| Severity | The severity of an incident is indicative of the impact it can have on your assets. The higher the severity, the bigger the impact and typically requires the most immediate attention. Select **High**, **Medium**, **Low**, or **Informational**. |

-| Incident assignment | Select the assigned user or users. |

-| Multiple service sources | Specify whether the filter is for more than one service source. |

-| Service sources | Specify incidents that contain alerts from: App Governance, Microsoft Defender XDR, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps. |

-| Tags | Select one or multiple tag names from the list. |

-| Multiple categories | Specify whether the filter is for more than one category. |

-| Categories | Choose categories to focus on specific tactics, techniques, or attack components seen. |

-| Entities | Specify the name of an asset such as a user, device, mailbox, or application name. |

-| Data sensitivity | Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter for specific sensitivity labels, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents. <br><br> This filter displays information only when you've applied [sensitivity labels from Microsoft Purview Information Protection](../../compliance/sensitivity-labels.md). |

-| Device groups | Specify a [device group](/windows/security/threat-protection/microsoft-defender-atp/machine-groups) name. |

-| OS platform | Specify device operating systems. |

-| Classification | Specify the set of classifications of the related alerts. |

-| Automated investigation state | Specify the status of automated investigation. |

-| Associated threat | Specify a named threat. |

-| Alert policies | Specify an alert policy title. |

-The default filter is to show all alerts and incidents with a status of **New** and **In progress** and with a severity of **Low**, **Medium**, or **High**.

-You can also create filter sets within the incidents page by selecting the **create filter sets**.

-## Save custom filters as URLs

-## Search for incidents

-From the **Search for name or ID** box above the list of incidents, you can type the incident ID or the incident name. When you select an incident from the list of search results, the Microsoft Defender portal opens a new tab with the properties of the incident, from which you can start your [investigation](investigate-incidents.md).

-## Search for impacted assets

-You can name an asset&mdash;such as a user, device, mailbox, or application name&mdash;and find all the related incidents.

-description: Investigate incidents seen across devices, users, and mailboxes in the Microsoft Defender portal.

-# Incident response with Microsoft Defender XDR

-**Applies to:**

-An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack.

-Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

-Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident.

-If [enabled](m365d-enable.md), Microsoft Defender XDR can [automatically investigate and resolve](m365d-autoir.md) alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.

-You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target=" blank">Microsoft Defender portal</a>. Here's an example.

-Selecting an incident name displays the entire attack story of the incident, including:

-You can view the entity details directly from the graph and act on them with response options like file delete or device isolation.

-The additional tabs for an incident are:

- The full story of the attack, including all the alerts, assets, and remediation actions taken.

- All the alerts related to the incident and their information.

- All the assets (devices, users, mailboxes, and apps) that have been identified to be part of or related to the incident.

- All the [automated investigations](m365d-autoir.md) triggered by alerts in the incident.

- All the supported events and suspicious entities in the alerts of the incident.

-## Example incident response workflow for Microsoft Defender XDR

-Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft Defender portal.

-Consider these steps for your own incident response workflow:

-1. For each incident, begin an [attack and alert investigation and analysis](investigate-incidents.md):

- 1. View the attack story of the incident to understand its scope, severity, detection source, and what entities are affected.

- 1. Begin analyzing the alerts to understand their origin, scope, and severity with the alert story within the incident.

- 1. As needed, gather information on impacted devices, users, and mailboxes with the graph. Right click on any entity to open a flyout with all the details.

- 1. See how Microsoft Defender XDR has [automatically resolved some alerts](m365d-autoir.md) with the **Investigations** tab.

- 1. As needed, use information in the data set for the incident for more information with the **Evidence and Response** tab.

-2. After or during your analysis, perform containment to reduce any additional impact of the attack and eradication of the security threat.

-3. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.

-4. [Resolve](manage-incidents.md#resolve-an-incident) the incident and take time for post-incident learning to:

- - Understand the type of the attack and its impact.

- - Research the attack in [Threat Analytics](threat-analytics.md) and the security community for a security attack trend.

- - Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed.

- - Determine whether changes in your security configuration are needed and implement them.

-## Example security operations for Microsoft Defender XDR

-Here's an example of security operations (SecOps) for Microsoft Defender XDR.

-## Get incident notifications by email

-You can set up Microsoft Defender XDR to notify your staff with an email about new incidents or updates to existing incidents. You can choose to get notifications based on:

-# Investigate users in Microsoft Defender XDR

-**Applies to:**

-The user entity page in Microsoft Defender XDR helps you in your investigation of user identities. The page has all the important information about each identity. If an alert or incident indicates that a user might be compromised or is suspicious, check and investigate the user profile.

-You can find identity information in the following views:

-A clickable identity link is available in these views that will take you to the **User** page where more details about the user are shown. For example, you can see the details of user accounts identified in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts** \> ***incident*** \> **Assets** > **Users**.

-When you investigate a specific identity, you'll see the:

-> [!NOTE]

-> The user page shows the Microsoft Entra organization as well as groups, helping you understand the groups and permissions associated with a user.

-The **Entity details** on the left of the page provide information about the user, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You'll see other details depending on the integration features you've enabled.

-This card includes all incidents and alerts, grouped into severities, associated with an identity.

-This card includes the calculated investigation priority score breakdown and a two-week trend for an identity, including whether the identity score is on the high percentile for that tenant.

-### Active directory account control

-In this card, Defender for Identity surfaces security settings that may need your attentions. You can see important flags about the user, such as if the user can press enter to bypass the password, and if the user has a password that never expires, etc.

-This card includes all activities and alerts contributing to the overall Investigation priority score over the last seven days.

-This section shows the hierarchy for the identity as reported by Microsoft Defender for Identity.

-Defender for Identity pulls tags out of Active Directory to give you a single interface for monitoring your Active Directory users and entities. Tags provide you with details from Active Directory about the entity, and include:

-You can see all active incidents and alerts involving the user from the last 180 days in this tab. Information like alert severity and the time the alert was generated is available in this tab. Select the alert row to view more details about the alert.

-The timeline represents activities and alerts observed from a user's identity in the last 30 days. It unifies the user's identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint workloads. By using the timeline, you can focus on activities a user performed or were performed on them in specific timeframes.

-description: Learn about the Microsoft Defender portal as the central location for protection, detection, investigation, and response to email, collaboration, identity, device, and app threats,.

-keywords: introduction to MMicrosoft Defender XDR, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-adobe-target: true

-The Microsoft Defender portal at <https://security.microsoft.com> combines protection, detection, investigation, and response to email, collaboration, identity, device, and cloud app threats, in a central place. The Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes:

-The Defender portal helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for:

-Microsoft Defender XDR emphasizes *unity, clarity, and common goals*.

-> The Defender portal is accessible without any need for customers to take migration steps or purchase a new license. For example, this new portal is accessible to administrators with an E3 subscription, just as it is to those with Microsoft Defender for Office 365 Plan 1 and Plan 2; however, Exchange Online Protection, or Defender for Office 365 Plan 1 customers see only the security features their subscription license supports. The goal of the portal is to centralize security.

-Centralizing security information creates a single place for investigating security incidents across Microsoft 365. A primary example is **Incidents** under **Incidents & alerts**.

-For more information, see [incidents in Microsoft Defender XDR](incidents-overview.md).

-Common controls and content either appear in the same place, or are condensed into one feed of data making it easier to find. For example, unified settings.

-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-The search bar is located at the top of the page. As you type, suggestions are provided so that it's easier to find entities. The enhanced search results page centralizes the results from all entities.

-We need your feedback. We're always looking to improve, so if there's something you'd like to see, [watch this video to find out how you can trust us to read your feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci).

-Keep exploring the features and capabilities in Microsoft Defender XDR:

-ms.sitesec: library

-ms.pagetype: security

- - m365-security

- - m365solution-getstarted

- - highpri

- - tier1

- - usx-security

- - MOE150

- - MET150

- - Microsoft Sentinel in the Microsoft Defender portal

-Combine the power of Microsoft Sentinel with Microsoft Defender XDR into a single portal enhanced with the following features:

-Before you begin, review the feature documentation to understand the product changes and limitations. The feature documentation is provided with your invitation to participate in the preview.

-The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to one workspace at a time. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.

- |Azure built-in role |Scope |Reason |

- |[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br>[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) and [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |- Subscription for Owner or User Access Administrator roles </br></br>- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |To connect or disconnect a workspace with Microsoft Sentinel enabled|

- |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/Incidents/read</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or workspace resource |Query Sentinel data tables or view incidents |

- |[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/incidents/read</br>- Microsoft.SecurityInsights/incidents/write</br>- Microsoft.SecurityInsights/incidents/delete</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/comments/write</br>- Microsoft.SecurityInsights/incidents/comments/delete</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/relations/write</br>- Microsoft.SecurityInsights/incidents/relations/delete</br>- Microsoft.SecurityInsights/incidents/tasks/read</br>- Microsoft.SecurityInsights/incidents/tasks/write</br>- Microsoft.SecurityInsights/incidents/tasks/delete |Subscription, resource group, or workspace resource |Take investigative actions on incidents |

- If you're invited to participate in the preview, you'll see a banner with an option to connect a workspace.

- Detailed changes and limitations are in the documentation shared with you as part of this private preview.

-After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. You'll also see the **Overview** page updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules.

-After you connect your workspace to the Defender portal, you'll see **Microsoft Sentinel** on the left-hand side navigation pane. Pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR.

-You'll also see many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, you'll notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal.

- - [Search across long time spans in large datasets](/azure/sentinel/search-jobs)

- - [Visualize and monitor your data by using workbooks](/azure/sentinel/monitor-your-data)

- - [Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file](/azure/sentinel/indicators-bulk-file-import)

- - [Work with threat indicators in Microsoft Sentinel](/azure/sentinel/work-with-threat-indicators)

- - [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy)

- - [Create custom analytics rules to detect threats](/azure/sentinel/detect-threats-custom)

- - [Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel](/azure/sentinel/create-nrt-rules)

- - [Create watchlists](/azure/sentinel/watchlists-create)

-## Next steps

-description: Find the right Microsoft admin center or portal for managing various services related to Microsoft 365 security

-keywords: security, portals, Microsoft 365, M365, security center, admin center, URL, link, Microsoft Defender XDR, Microsoft Defender for Endpoint, Microsoft Defender Security Center, Microsoft Defender for Identity, Microsoft Defender for Office 365, MCAS, WDSI, SCC, Intune, MDM, MEM, ASC, Cloud App Security , Azure AD, security & compliance center

-While [Microsoft Defender portal](microsoft-365-defender-portal.md) is the new home for monitoring and managing security across your identities, data, devices, and apps, you will need to access various portals for certain specialized tasks.

-<p></p>

-| Microsoft Defender portal | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with [Microsoft Defender XDR](microsoft-365-defender.md) | [security.microsoft.com](https://security.microsoft.com/) |

-| Microsoft Defender Security Center | Monitor and respond to threat activity on your endpoints using capabilities provided with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint). **NOTE:** Most tenants should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/). | [securitycenter.windows.com](https://securitycenter.windows.com) |

-| Office 365 Security & Compliance Center | Manage [Exchange Online Protection](../office-365-security/eop-about.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) to protect your email and collaboration services, and ensure compliance to various data-handling regulations. **NOTE:** Most tenants using the security sections of the Office 365 Security & Compliance Center should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/). | [protection.office.com](https://protection.office.com) |

-While these portals are not specifically for managing security, they support various workloads and tasks that can impact your security. Visit these portals to manage identities, permissions, device settings, and data handling policies.

-<p></p>

-| Microsoft Entra admin center | Access and administer the [Microsoft Entra](/entra) family to protect your business with decentralized identity, identity protection, governance, and more, in a multi-cloud environment | [entra.microsoft.com](https://entra.microsoft.com/) |

-| Microsoft Intune portal | Use [Microsoft Intune](/intune/fundamentals/what-is-intune) to deploy device policies and monitor devices for compliance | [endpoint.microsoft.com](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview)

-For more information on what's new with other Microsoft Defender security products, see:

-1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>.

-1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>.

-1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>.

-1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>.