Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
admin | Microsoft 365 Copilot Usage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md | The information captured in audit log records differs from that in [Microsoft 36 Not yet. [Roadmap ID #375760 Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=375760) states that feature Intelligent Recap in Teams has been available for Microsoft Copilot for Microsoft 365 users since January 2024. However, telemetry is not captured in Usage reports, Adoption Score, and Microsoft Copilot Dashboard. We are working on bringing this feature into those products and will announce in Message Center once itΓÇÖs available. -### WhatΓÇÖs the scope of user-level table? +### WhatΓÇÖs the scope of the user-level table? The user-level table in the report is configured to show all users who were licensed for Copilot for Microsoft 365 at any point over the past 180 days, even if the user has since had the license removed or never had any Copilot active usage. |
admin | Content Collaboration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/content-collaboration.md | Understand how many users are attaching physical files in email rather than link 3. **Visualization:** The breakdown in the visualization is meant to represent the extent to which people who are attaching content in emails are using different modes (files not saved to online files, links to online files): - **Attach files:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represents the percentage of people using attachments in emails. - Numerator: The number of people who attach files to email that weren't saved to online file within the last 28 days.- - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both within the last 28 days. + - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both, and sent at least one attachment within the last 28 days. - **Links to online files:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people using attachments and attaching links to files in emails. - Numerator: The number of people attaching links to online files to emails within the last 28 days. - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both, and sent at least one attachment within the last 28 days. Understand how many users are attaching physical files in email rather than link 2. **Body:** Provides information about the admins' ability to change the file- sharing settings in the organization to enable the level of collaboration best suited to your organization. 3. **Visualization:** Represents the extent to which people who have access to OneDrive or SharePoint are sharing files internally or externally: - **Externally:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people who have access to OneDrive or SharePoint and are sharing files externally.- - Numerator: The number of people who have shared files externally with in the last 28 days - - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both, and sent at least one attachment within the last 28 days. + - Numerator: The number of people who have shared files externally within the last 28 days. + - Denominator: The total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days. - **Internally only:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people who have access to OneDrive or SharePoint and are sharing files internally only.- - Numerator: The number of people who have shared files internally only within the last 28 days + - Numerator: The number of people who have shared files internally only within the last 28 days. - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both, and sent at least one attachment within the last 28 days. 4. **Link to resources:** Select this link to view help content. |
enterprise | M365 Dr Workload Spo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-workload-spo.md | The following search features are affected: As part of the migration, the _Primary Provisioned Geography_ changes and all new content will be stored at rest in the new _Primary Provisioned Geography_. Existing content will move in the background with no impact to you for up to 90 days after the first change to the SharePoint data location in the admin center. +### SharePoint 2013 workflow ++As part of our ongoing efforts to modernize SharePoint workflow capabilities, we have previously announced the [retirement plan of SharePoint 2013 workflow service](https://support.microsoft.com/office/sharepoint-2013-workflow-retirement-4613d9cf-69aa-40f7-b6bf-6e7831c9691e#:~:text=SharePoint%202013%20workflow%20will%20be%20turned%20off%20for,environments%20including%20Government%20Clouds%20and%20Department%20of%20Defense.). In alignment with this plan, SharePoint 2013 workflow will not be available in the new local regions of Mexico and Spain, or in any future local regions that we may launch. This means that if you migrate your SharePoint data to a new region, you will not be able to use SharePoint 2013 workflow for your business processes and scenarios. ++Refer to the link above for more information about the retirement plan and the alternatives for SharePoint workflow. If you have any questions or concerns, please contact Microsoft support. + ## **Multi-Geo Capabilities in SharePoint / OneDrive** Multi-Geo capabilities in OneDrive and SharePoint enable control of shared resources like SharePoint team sites and Microsoft 365 group mailboxes stored at rest in a specified _Macro Region Geography_ or _Local Region Geography_. |
security | Android Configure Mam | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md | End users also need to take steps to install Microsoft Defender for Endpoint on d. Go to the **Microsoft Intune admin center** and Validate whether Microsoft Defender for Endpoint-Intune connector is enabled. - :::image type="content" source="images/validate-intune-connector.png" alt-text="The intune-connector status pane in the Microsoft Defender portal." lightbox="images/validate-intune-connector.png"::: + :::image type="content" source="media/validate-intune-connector.png" alt-text="The intune-connector status pane in the Microsoft Defender portal." lightbox="media/validate-intune-connector.png"::: - **Enable Microsoft Defender for Endpoint on Android Connector for App Protection Policy (APP)**. |
security | Android Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md | Network protection in Microsoft Defender for endpoint is disabled by default. Ad Any other separation characters are invalid. - > ![Image of trusted CA certificate.](images/trustca.png) + > ![Image of trusted CA certificate.](media/trustca.png) 1. For other configurations related to Network protection, add the following keys and appropriate corresponding value. |
security | Android Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md | The device configuration profile is now assigned to the selected user group. 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - :::image type="content" source="mediE_new.png"::: + :::image type="content" source="mediE-new.png"::: 4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the [Microsoft Defender portal](https://security.microsoft.com) by navigating to the **Device Inventory** page. |
security | Api Hello World | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/api-hello-world.md | For the Application registration stage, you must have a **Global administrator** > [!IMPORTANT] > After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave! - :::image type="content" source="../images/webapp-create-key2.png" alt-text="The Certificates & secrets menu item in the Manage pane in the Microsoft Entra admin center" lightbox="../images/webapp-create-key2.png"::: + :::image type="content" source="../media/webapp-create-key2.png" alt-text="The Certificates & secrets menu item in the Manage pane in the Microsoft Entra admin center" lightbox="../media/webapp-create-key2.png"::: 7. Write down your application ID and your tenant ID. |
security | Exposed Apis Create App Partners | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners.md | In the following example we use **'Read all alerts'** permission: **Important**: After you select **Add**, make sure to copy the generated secret value. You won't be able to retrieve it after you leave! - :::image type="content" source="../images/webapp-create-key2.png" alt-text="The create app key" lightbox="../images/webapp-create-key2.png"::: + :::image type="content" source="../media/webapp-create-key2.png" alt-text="The create app key" lightbox="../media/webapp-create-key2.png"::: 4. Write down your application ID: Confirm you received a correct token. The "tid" claim is the tenant ID the token belongs to. - :::image type="content" source="../images/webapp-decoded-token.png" alt-text="The token validation page" lightbox="../images/webapp-decoded-token.png"::: + :::image type="content" source="../media/webapp-decoded-token.png" alt-text="The token validation page" lightbox="../media/webapp-decoded-token.png"::: ## Use the token to access Microsoft Defender for Endpoint API |
security | Exposed Apis Create App Webapp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp.md | This article explains how to create a Microsoft Entra application, get an access > [!NOTE] > After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave. - :::image type="content" source="../images/webapp-create-key2.png" alt-text="The create application option" lightbox="../images/webapp-create-key2.png"::: + :::image type="content" source="../media/webapp-create-key2.png" alt-text="The create application option" lightbox="../media/webapp-create-key2.png"::: 7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following. Ensure that you got the correct token: In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender for Endpoint's roles: - :::image type="content" source="../images/webapp-decoded-token.png" alt-text="The token details portion" lightbox="../images/webapp-decoded-token.png"::: + :::image type="content" source="../media/webapp-decoded-token.png" alt-text="The token details portion" lightbox="../media/webapp-decoded-token.png"::: ## Use the token to access Microsoft Defender for Endpoint API |
security | Raw Data Export Storage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/raw-data-export-storage.md | Last updated 12/18/2020 6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) \> properties tab \> copy the text under **Storage account resource ID**: - :::image type="content" source="../images/storage-account-resource-id.png" alt-text="The Event Hubs with resource ID1" lightbox="../images/storage-account-resource-id.png"::: + :::image type="content" source="../media/storage-account-resource-id.png" alt-text="The Event Hubs with resource ID1" lightbox="../media/storage-account-resource-id.png"::: 7. Choose the events you want to stream and select **Save**. Last updated 12/18/2020 - A blob container is created for each event type: - :::image type="content" source="../images/storage-account-event-schema.png" alt-text="The Event Hubs with resource ID2" lightbox="../images/storage-account-event-schema.png"::: + :::image type="content" source="../media/storage-account-event-schema.png" alt-text="The Event Hubs with resource ID2" lightbox="../media/storage-account-event-schema.png"::: - The schema of each row in a blob is the following JSON: |
security | Application Deployment Via Mecm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/application-deployment-via-mecm.md | Copy the unified solution package, onboarding script and migration script to the 2. Download the migration script from the document: [Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution](server-migration.md). This script can also be found on GitHub: [GitHub - microsoft/mdefordownlevelserver](https://github.com/microsoft/mdefordownlevelserver). 3. Save all three files in a shared folder used by MECM as a Software Source. - :::image type="content" source="images/ua-migration.png" alt-text="Screenshot of saving the shared folder by MECM."::: + :::image type="content" source="media/ua-migration.png" alt-text="Screenshot of saving the shared folder by MECM."::: ## Create the package as an application Copy the unified solution package, onboarding script and migration script to the > [!TIP] > The maximum allowed runtime can be lowered from (default) 120 minutes to 60 minutes. - :::image type="content" source="images/user-experience-in-deployment-type-wizard.png" alt-text="Screenshot that shows user experience in deployment-type wizard."::: + :::image type="content" source="media/user-experience-in-deployment-type-wizard.png" alt-text="Screenshot that shows user experience in deployment-type wizard."::: 12. Add any additional requirements then select **Next**. 13. Under the Dependencies section, select **Next**. |
security | Comprehensive Guidance On Linux Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment.md | mdatp connectivity test The following image displays the expected output from the test: For more information, see [Connectivity validation](linux-support-connectivity.md#run-the-connectivity-test). Use the following table to troubleshoot high CPU utilization: |Process name|Component used|Microsoft Defender for Endpoint engine used| Steps | ||||| |wdavdaemon|FANotify | Antivirus & EDR|- Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support).-|wdavdaemon unprivileged|N/A|Antivirus engine| The following diagram shows the workflow and steps required in order to add Antivirus exclusions. <br/><br/> :::image type="content" source="images/unprivileged-plugins.png" alt-text="Screenshot that shows This is unprivileged sensors." lightbox="images/unprivileged-plugins.png"::: <br/><br/>**General troubleshooting guidance**<br/> - If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support). -|wdavdaemon edr| N/A |EDR engine|The following diagram shows the workflow and steps to troubleshoot wdavedaemon_edr process issues. <br/><br/> :::image type="content" source="images/wdavdaemon_edr_engine.png" alt-text="Image of troubleshooting wdavdaemon edr process." lightbox="images/wdavdaemon_edr_engine.png"::: <br/><br/>**General troubleshooting guidance**<br/>- If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe are incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support). +|wdavdaemon unprivileged|N/A|Antivirus engine| The following diagram shows the workflow and steps required in order to add Antivirus exclusions. <br/><br/> :::image type="content" source="mediEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support). +|wdavdaemon edr| N/A |EDR engine|The following diagram shows the workflow and steps to troubleshoot wdavedaemon_edr process issues. <br/><br/> :::image type="content" source="mediEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support). |mdatp_audisp_plugin|Audit framework|Audit log ingestion| See [Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux](troubleshoot-auditd-performance-issues.md). ## 22. Uninstall your non-Microsoft solution |
security | Configure Device Connectivity | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-connectivity.md | Devices must meet specific prerequisites to use the streamlined connectivity met The following illustration shows the streamlined connectivity process and the corresponding stages: ### Stage 1. Configure your network environment for cloud connectivity |
security | Configure Endpoints Gp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md | Browse to **Computer Configuration** \> **Policies** \> **Administrative Templat :::image type="content" source="media/signature-update-1.png" alt-text="Signature update" lightbox="media/signature-update-1.png"::: ### Configure cloud deliver timeout and protection level |
security | Configure Machines Asr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md | The *Attack surface management card* is an entry point to tools in <a href="http Select **Go to attack surface management** \> **Reports** \> **Attack surface reduction rules** \> **Add exclusions**. From there, you can navigate to other sections of Microsoft Defender portal. > *The **Add exclusions** tab in the Attack surface reduction rules page in Microsoft Defender portal* |
security | Configure Machines Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md | Watch this video to learn how to easily onboard clients with Microsoft Defender The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows devices. *Card showing onboarded devices compared to the total number of Intune-managed Windows devices* Defender for Endpoint provides several convenient options for [onboarding Window From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. *Microsoft Defender for Endpoint device compliance page on Intune device management* |
security | Configure Machines Security Baseline | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md | Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 and Windows 11 devices that have been assigned the Defender for Endpoint security baseline. *Card showing compliance to the Defender for Endpoint security baseline* Device configuration management monitors baseline compliance only of Windows 10 2. Create a new profile. - :::image type="content" source="media/secconmgmt_baseline_intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="media/secconmgmt_baseline_intuneprofile1.png":::<br> + :::image type="content" source="media/secconmgmt-baseline-intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="media/secconmgmt-baseline-intuneprofile1.png":::<br> *Microsoft Defender for Endpoint security baseline overview on Intune* 3. During profile creation, you can review and adjust specific settings on the baseline. - :::image type="content" source="media/secconmgmt_baseline_intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="media/secconmgmt_baseline_intuneprofile2.png":::<br> + :::image type="content" source="media/secconmgmt-baseline-intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="media/secconmgmt-baseline-intuneprofile2.png":::<br> *Security baseline options during profile creation on Intune* 4. Assign the profile to the appropriate device group. - :::image type="content" source="media/secconmgmt_baseline_intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="media/secconmgmt_baseline_intuneprofile3.png":::<br> + :::image type="content" source="media/secconmgmt-baseline-intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="media/secconmgmt-baseline-intuneprofile3.png":::<br> *Assigning the security baseline profile on Intune* 5. Create the profile to save it and deploy it to the assigned device group. - :::image type="content" source="media/secconmgmt_baseline_intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="media/secconmgmt_baseline_intuneprofile4.png":::<br> + :::image type="content" source="media/secconmgmt-baseline-intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="media/secconmgmt-baseline-intuneprofile4.png":::<br> *Creating the security baseline profile on Intune* > [!TIP] |
security | Configure Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md | With properly configured devices, you can boost overall resilience against threa Click **Configuration management** from the navigation menu to open the Device configuration management page. *Device configuration management page* If you have been assigned other roles, ensure you have the necessary permissions - Read permissions to device compliance policies - Read permissions to the organization *Device configuration permissions on Intune* |
security | Defender Endpoint Demonstration App Reputation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation.md | This program has a good reputation; the download should run uninterrupted: Launching this link should render a message similar to the following: - :::image type="content" source="images/smartscreen-app-reputation-known-good.png" alt-text="Based on the target file's reputation, SmartScreen allows the download without interference."::: + :::image type="content" source="media/smartscreen-app-reputation-known-good.png" alt-text="Based on the target file's reputation, SmartScreen allows the download without interference."::: ### Unknown program Because the program download doesn't have sufficient reputation to ensure that i Launching this link should render a message similar to the following: - :::image type="content" source="images/smartscreen-app-reputation-unknown.png" alt-text="SmartScreen doesn't have sufficient reputation information about the download file, and warns the user to stop or proceed with caution."::: + :::image type="content" source="media/smartscreen-app-reputation-unknown.png" alt-text="SmartScreen doesn't have sufficient reputation information about the download file, and warns the user to stop or proceed with caution."::: ### Known malware This download is known malware; SmartScreen should block this program from runni Launching this link should render a message similar to the following: - :::image type="content" source="images/smartscreen-app-reputation-known-malware.png" alt-text="Screenshot showing how SmartScreen detects a file download with an unsafe reputation; the download is blocked."::: + :::image type="content" source="media/smartscreen-app-reputation-known-malware.png" alt-text="Screenshot showing how SmartScreen detects a file download with an unsafe reputation; the download is blocked."::: ## Learn more |
security | Defender Endpoint Demonstration Smartscreen Url Reputation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation.md | Alerts the user to a suspicious page and ask for feedback: Launching this link should render a message similar to the following screenshot: - :::image type="content" source="images/smartscreen-url-reputation-is-this-phishing.png" alt-text="SmartScreen alerts the user the site is potentially a phishing site and possibly unsafe"::: + :::image type="content" source="media/smartscreen-url-reputation-is-this-phishing.png" alt-text="SmartScreen alerts the user the site is potentially a phishing site and possibly unsafe"::: ### Phishing Page A page known for phishing that should be blocked: Launching this link should render a message similar to the following example: - :::image type="content" source="images/smartscreen-url-reputation-this-is-phishing.png" alt-text="SmartScreen reports the site is known for containing phishing threats"::: + :::image type="content" source="media/smartscreen-url-reputation-this-is-phishing.png" alt-text="SmartScreen reports the site is known for containing phishing threats"::: ### Malware page A page that hosts malware and should be blocked: Launching this link should render a message similar to the following screenshot: - :::image type="content" source="images/smartscreen-url-reputation-malware-page.png" alt-text="SmartScreen alerts the user that the site is know for containing harmful programs"::: + :::image type="content" source="media/smartscreen-url-reputation-malware-page.png" alt-text="SmartScreen alerts the user that the site is know for containing harmful programs"::: ### Blocked download A benign page hosting a malicious advertisement Launching this link should render a message similar to the following screenshot: - :::image type="content" source="images/smartscreen-url-reputation-malvertising.png" alt-text="A demonstration of how SmartScreen responds to a frame on a page that is detected to be malicious. Only the malicious frame is blocked"::: + :::image type="content" source="media/smartscreen-url-reputation-malvertising.png" alt-text="A demonstration of how SmartScreen responds to a frame on a page that is detected to be malicious. Only the malicious frame is blocked"::: ## See also |
security | Evaluation Lab | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md | Running threat simulations using third-party platforms is a good way to evaluate 6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details. - :::image type="content" source="images/simulations-tab.png" alt-text="Simulations tab" lightbox="images/simulations-tab.png"::: + :::image type="content" source="media/simulations-tab.png" alt-text="Simulations tab" lightbox="media/simulations-tab.png"::: After running your simulations, we encourage you to walk through the lab progress bar and explore **Microsoft Defender for Endpoint triggered an automated investigation and remediation**. Check out the evidence collected and analyzed by the feature. A list of supported third-party threat simulation agents are listed, and specifi You can conveniently run any available simulation right from the catalog. Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run. **Examples:** ## Evaluation report |
security | Indicator Ip Domain | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md | Applying multiple different web content filtering policies to the same device wi The result is that categories 1-4 are all blocked. This is illustrated in the following image. ## Create an indicator for IPs, URLs, or domains from the settings page |
security | Investigate Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md | When you investigate a specific device, you see: - Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs) - Cards (active alerts, logged on users, security assessment, device health status) > [!NOTE] > Due to product constrains, the device profile does not consider all cyber evidence when determining the 'Last Seen' timeframe (as seen on the device page as well). The **Security policies** tab shows the endpoint security policies that are appl The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software takes you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details. ### Discovered vulnerabilities |
security | Ios Configure Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md | Defender for Endpoint on iOS supports vulnerability assessments of OS and apps. 1. To enable the feature in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint Security** \> **Microsoft Defender for Endpoint** \> **Enable App sync for iOS/iPadOS devices**. - :::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggleSup" lightbox="images/tvm-app-sync-toggle.png"::: + :::image type="content" source="media/tvm-app-sync-toggle.png" alt-text="App sync toggleSup" lightbox="media/tvm-app-sync-toggle.png"::: > [!NOTE] > To get the list of all the apps including unmanaged apps, the admin has to enable **Send full application inventory data on personally owned iOS/iPadOS devices** in the Intune Admin Portal for the supervised devices marked as "Personal". Defender for Endpoint on iOS supports vulnerability assessments of OS and apps. 1. To enable the feature in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint Security** \> **Microsoft Defender for Endpoint** \> **Enable App sync for iOS/iPadOS devices**. - :::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggle" lightbox="images/tvm-app-sync-toggle.png"::: + :::image type="content" source="media/tvm-app-sync-toggle.png" alt-text="App sync toggle" lightbox="media/tvm-app-sync-toggle.png"::: 1. To get the list of all the apps including unmanaged apps, enable the toggle **Send full application inventory data on personally owned iOS/iPadOS devices**. - :::image type="content" source="images/tvm-full-app-data.png" alt-text="Full App Data" lightbox="images/tvm-full-app-data.png"::: + :::image type="content" source="media/tvm-full-app-data.png" alt-text="Full App Data" lightbox="media/tvm-full-app-data.png"::: 1. Use the following steps to configure the privacy setting. - Go to **Apps** \> **App configuration policies** \> **Add** \> **Managed devices**. Defender for Endpoint on iOS supports vulnerability assessments of OS and apps. - Privacy approval screen will come only for unsupervised devices. - Only if end-user approves the privacy, the app information is sent to the Defender for Endpoint console. - :::image type="content" source="images/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen." lightbox="images/tvm-user-privacy2.png"::: + :::image type="content" source="media/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen." lightbox="media/tvm-user-privacy2.png"::: Once the client versions are deployed to target iOS devices, the processing will start. Vulnerabilities found on those devices will start showing up in the Defender Vulnerability Management dashboard. The processing might take few hours (max 24 hours) to complete. Especially for the entire list of apps to show up in the software inventory. |
security | Limited Periodic Scanning Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md | Limited periodic scanning is a special type of threat detection and remediation By default, Microsoft Defender Antivirus enables itself on a Windows 10 or a Windows 11 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. If Microsoft Defender Antivirus is enabled, the usual options to configure it are available on that device: If another antivirus product is installed and working correctly, Microsoft Defender Antivirus disables itself. In this case, the Windows Security app changes the **Virus & threat protection** section to show status about the antivirus product, and provides a link to the product's configuration options. |
security | Linux Update Mde Linux | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-mde-linux.md | Type "`:wq`" w/o the double quotes. To view your cron jobs, type `sudo crontab -l` To inspect cron job runs: |
security | Mac Install Manually | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md | To complete this process, you must have admin privileges on the device. 3. Read through the **Software License Agreement** and select **Continue** to agree with the terms. - :::image type="content" source="images/software-license-agreement.png" alt-text="Screenshot that shows the Software License Agreement."::: + :::image type="content" source="media/software-license-agreement.png" alt-text="Screenshot that shows the Software License Agreement."::: 4. Read through the *End-User License Agreement (EULA)* and select **Agree**. |
security | Mac Jamfpro Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md | Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro - Distribution Method: Install Automatically - Level: Computer Level - :::image type="content" source="images/sysext-new-profile.png" alt-text="The configuration settings sysext new profile." lightbox="images/sysext-new-profile.png"::: + :::image type="content" source="media/sysext-new-profile.png" alt-text="The configuration settings sysext new profile." lightbox="media/sysext-new-profile.png"::: 3. In **System Extensions** select **Configure**. - :::image type="content" source="images/sysext-configure.png" alt-text="The pane with the Configure option for the system extensions." lightbox="images/sysext-configure.png"::: + :::image type="content" source="media/sysext-configure.png" alt-text="The pane with the Configure option for the system extensions." lightbox="media/sysext-configure.png"::: 4. In **System Extensions**, enter the following details: Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro - **com.microsoft.wdav.epsext** - **com.microsoft.wdav.netext** - :::image type="content" source="images/sysext-configure2.png" alt-text="The MDATP MDAV system extensions pane." lightbox="images/sysext-configure2.png"::: + :::image type="content" source="mediAV system extensions pane." lightbox="media/sysext-configure2.png"::: 5. Select the **Scope** tab. Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro 9. Select **Save**. - :::image type="content" source="images/sysext-scope.png" alt-text="The display of options regarding MDATP MDAV System Extensions." lightbox="images/sysext-scope.png"::: + :::image type="content" source="mediAV System Extensions." lightbox="media/sysext-scope.png"::: 10. Select **Done**. - :::image type="content" source="images/sysext-final.png" alt-text="The configuration settings sysext - final." lightbox="images/sysext-final.png"::: + :::image type="content" source="media/sysext-final.png" alt-text="The configuration settings sysext - final." lightbox="media/sysext-final.png"::: ## Step 8: Configure Network Extension |
security | Mac Support License | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md | Select the **x** symbol. When you select the **x** symbol, you see options as shown in the following screenshot: When you select **Action needed**, you get the error message as shown in the following screenshot: |
security | Mac Troubleshoot Mode | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode.md | or newer. For example, when you use `mdatp config real-time-protection --value disabled` command to disable real time protection, you'll be prompted to enter your password. Select **OK** after entering your password. - :::image type="content" source="images/ts-mode-rtp-disable.png" alt-text="Screenshot displaying the screenshot of real time protection being disabled."::: + :::image type="content" source="media/ts-mode-rtp-disable.png" alt-text="Screenshot displaying the screenshot of real time protection being disabled."::: The output report similar to the following screenshot will be displayed on running mdatp health with `real_time_protection_enabled` as "false" and `tamper_protection` as "block." - :::image type="content" source="images/ts-mode-mdatp-health.png" alt-text="Screnshot displaying the screenshot of the output report of mdatp health running."::: + :::image type="content" source="mediatp health running."::: ## Advanced hunting queries for detection |
security | Manage Sys Extensions Manual Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md | You might see the prompt that's shown in the following screenshot: 1. Select **Action needed**. The following screen appears: - :::image type="content" source="images/virus-and-threat-protection-screen.png" alt-text="The Virus & threat protection screen containing the Fix button." lightbox="images/virus-and-threat-protection-screen.png"::: + :::image type="content" source="media/virus-and-threat-protection-screen.png" alt-text="The Virus & threat protection screen containing the Fix button." lightbox="media/virus-and-threat-protection-screen.png"::: 1. Click **Fix** on the top-right corner of this screen. You'll get a prompt, as shown in the following screenshot: |
security | Manage Tamper Protection Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune.md | Tamper protection helps protect certain [security settings](prevent-changes-to-s ## Turn tamper protection on (or off) in Microsoft Intune 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**. |
security | Mde Plugin Wsl | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plugin-wsl.md | Be aware of the following before you start: - Defender for Endpoint must be onboarded and running on the Windows host OS. -- The host OS must be running Windows 10, version 2004 and higher (build 19041 and higher) or Windows 11 to support the Windows Subsystem for Linux versions that can work with the plug-in.+- The host OS must be running Windows 10, version 2004 and higher (build 19044 and higher) or Windows 11 to support the Windows Subsystem for Linux versions that can work with the plug-in. ## Software components and installer file names Reuse the Defender for Endpoint static proxy setting (`TelemetryProxyServer`). If you want to use the host [static proxy](configure-proxy-internet.md) configuration for MDE for the WSL plug-in, nothing more is required. This configuration is adopted by the plug-in automatically. -### Set up a different/specific proxy configuration for MDE WSL +If you want to use the host network and network proxy setting for MDE for WSL plug-in, nothing more is required. This configuration is adopted by the plug-in automatically. -If you want to set up a different proxy for Defender running in WSL (other than the Windows proxy specified with `TelemetryProxyServer`), or you have currently configured a system-wide proxy, the proxy configuration isn't automatically available for the plug-in. In this case, take these steps: +## Plug-in Proxy selection -1. Open Registry Editor as an administrator or use a tool that can configure registry keys across devices. +If your host machine contains multiple proxy settings, the plug-in will select the proxy configurations with the following hierarchy -2. Create a registry key with the following details: -- - **Name:** `DefenderProxyServer` - - **Type:** `REG_SZ` - - **Value:** *IP address*: *port number* (Example: `192.126.30.222:8888`) - - **Path:** `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\Plugins\DefenderPlug-in` +1. Defender for Endpoint static proxy setting (`TelemetryProxyServer`) -3. Once the registry is set, if WSL is already running or plug-in is already installed, restart wsl using the following steps: +2. Winhttp proxy (configured through netsh command) - 1. Open Command Prompt and run `wsl --shutdown`. +3. Network & Internet proxy settings - 2. Then, run the command `wsl`. +Example: If your host machine as both Winhttp proxy as well as Network & Internet proxy, plug-in will select `Winhttp proxy` as the proxy configuration for plug-in. ## Connectivity test for Defender running in WSL DeviceProcessEvents :::image type="content" source="medieplugin-wsl/wsl-health-check-support.png"::: - - Enable the connectivity test and check for Defender for Endpoint connectivity in WSL. If the connectivity test fails, provide the output of the health check tool to [mdeforwsl-preview@microsoft.com](mailto:mdeforwsl-preview@microsoft.com). +- Enable the connectivity test and check for Defender for Endpoint connectivity in WSL. If the connectivity test fails, provide the output of the health check tool to [mdeforwsl-preview@microsoft.com](mailto:mdeforwsl-preview@microsoft.com). 5. In case you face any other challenges or issues, open the terminal and run the following commands to generate the support bundle: |
security | Onboard Downlevel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md | For Windows Server 2008 R2 you'll need (and it will only copy down) the followin Once this is done, you'll need to create a start-up script policy: The name of the file to run here is c:\windows\MMA\DeployMMA.cmd. Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMA Agent, while setting the Workspace ID and Key, and the server will be onboarded. |
security | Partner Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md | Logo|Partner name|Description ![Logo for Micro Focus ArcSight.](media/arcsight-logo.png)|[Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548)|Use Micro Focus ArcSight to pull Defender for Endpoint detections ![Logo for RSA NetWitness.](media/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API ![Logo for SafeBreach.](media/safebreach-logo.png)|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations-![Logo for Skybox Vulnerability Control.](images/skybox-logo.png)|[Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467)|Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities -![Logo for Splunk.](images/splunk-logo.png)|[Splunk](https://go.microsoft.com/fwlink/?linkid=2129805)|The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk -![Logo for XM Cyber.](images/xmcyber-logo.png)|[XM Cyber](/microsoft-365/compliance/insider-risk-management-configure)|Prioritize your response to an alert based on risk factors and high value assets +![Logo for Skybox Vulnerability Control.](media/skybox-logo.png)|[Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467)|Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities +![Logo for Splunk.](media/splunk-logo.png)|[Splunk](https://go.microsoft.com/fwlink/?linkid=2129805)|The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk +![Logo for XM Cyber.](media/xmcyber-logo.png)|[XM Cyber](/microsoft-365/compliance/insider-risk-management-configure)|Prioritize your response to an alert based on risk factors and high value assets + ### Orchestration and automation Logo|Partner name|Description ![Logo for Microsoft Flow & Azure Functions.](media/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures ![Logo for Rapid7 InsightConnect.](media/rapid7-logo.png)|[Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040)|InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes ![Logo for ServiceNow.](media/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration-![Logo for Swimlane.](images/swimlane-logo.png)|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together +![Logo for Swimlane.](media/swimlane-logo.png)|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together ### Threat intelligence Logo|Partner name|Description ![Logo for Blue Hexagon for Network.](media/bluehexagon-logo.png)|[Blue Hexagon for Network](/training/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection ![Logo for CyberMDX.](mediX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment ![Logo for HYAS Protect.](media/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks-![Logo for Vectra Network Detection and Response (NDR).](images/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time +![Logo for Vectra Network Detection and Response (NDR).](media/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time ### Cross platform Logo|Partner name|Description ![Logo for Better Mobile.](media/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy ![Logo for Corrata.](media/corrata-new.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata ![Logo for Lookout.](media/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices-![Logo for Symantec Endpoint Protection Mobile.](images/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices -![Logo for Zimperium.](images/zimperium-logo.png)|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense +![Logo for Symantec Endpoint Protection Mobile.](media/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices +![Logo for Zimperium.](media/zimperium-logo.png)|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense + ## Other integrations |
security | Respond File Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md | You can also submit a sample through the [Microsoft Defender portal](https://www 2. In the **Deep analysis** tab of the file view, select **Submit**. - :::image type="content" source="images/submit-file.png" alt-text="The submit PE files button" lightbox="images/submit-file.png"::: + :::image type="content" source="media/submit-file.png" alt-text="The submit PE files button" lightbox="media/submit-file.png"::: > [!NOTE] > Only PE files are supported, including _.exe_ and _.dll_ files. |
security | Review Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-alerts.md | Selecting a device or a user card in the affected assets sections will switch to - **For users**, the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view. - :::image type="content" source="images/user-page-details.png" alt-text="The details pane when a user is selected" lightbox="images/user-page-details.png"::: + :::image type="content" source="media/user-page-details.png" alt-text="The details pane when a user is selected" lightbox="media/user-page-details.png"::: ## Related topics |
security | Schedule Antivirus Scan In Mde | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde.md | Use the following steps to schedule scans: vi /etc/anacron ``` -1. :::image type="content" source="images/vi_etc_anacron.png" alt-text="Sample Anacron Job Linux." lightbox="images/vi_etc_anacron.png" link="images/vi_etc_anacron.png"::: +1. :::image type="content" source="media/vi-etc-anacron.png" alt-text="Sample Anacron Job Linux." lightbox="media/vi-etc-anacron.png" link="media/vi-etc-anacron.png"::: ```shell # /etc/anacrontab: configuration file for anacron Use the following steps to schedule scans: ls -lh /etc/cron* ``` - :::image type="content" source="images/vi_etc_anacron.png" alt-text="Sample Anacron Job Linux." lightbox="images/vi_etc_anacron.png" link="images/vi_etc_anacron.png"::: + :::image type="content" source="media/vi-etc-anacron.png" alt-text="Sample Anacron Job Linux." lightbox="media/vi-etc-anacron.png" link="media/vi-etc-anacron.png"::: ```shell [root@redhat7 /] # ls -lh /etc/cron* Use the following steps to schedule scans: Press Insert ``` - :::image type="content" source="images/vi_mdavfullscan.png" alt-text="weekly antivirus scans"::: + :::image type="content" source="mediavfullscan.png" alt-text="weekly antivirus scans"::: ```shell #!/bin/sh Use the following steps to schedule scans: cat /logs/mdav_avacron_full_scan.log ``` - :::image type="content" source="media/mdav_avacron_full_scan_log.png" alt-text="verify the job ran"::: + :::image type="content" source="media/mdav-avacron-full-scan-log.png" alt-text="verify the job ran"::: ```shell [root@redhat7 cron.weekly] # cat /logs/mdav_avacron_full_scan.log Use the following steps to schedule scans: Tue Jun 14 20:20:50 UTC 2022 Time Scan Finished [root@redhat7 cron.weekly] # ```+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Threat Analytics | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md | The threat analytics dashboard is a great jump off point for getting to the repo Select a threat from the dashboard to view the report for that threat. ## View a threat analytics report |
security | Troubleshoot Collect Support Log | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md | If you also require Defender Antivirus support logs (MpSupportFiles.cab), then f 3. Select **Upload file to library**. - :::image type="content" source="images/upload-file.png" alt-text="The upload file" lightbox="images/upload-file.png"::: + :::image type="content" source="media/upload-file.png" alt-text="The upload file" lightbox="media/upload-file.png"::: 4. Select **Choose file**. |
security | Troubleshoot Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md | First, you should check that the service is set to start automatically when Wind If the service is enabled, then the result should look like the following screenshot: - :::image type="content" source="images/windefatp-sc-qc-diagtrack.png" alt-text="The result of the sc query command for diagtrack" lightbox="images/windefatp-sc-qc-diagtrack.png"::: + :::image type="content" source="media/windefatp-sc-qc-diagtrack.png" alt-text="The result of the sc query command for diagtrack" lightbox="media/windefatp-sc-qc-diagtrack.png"::: If the `START_TYPE` isn't set to `AUTO_START`, then you need to set the service to automatically start. |
security | Troubleshoot Performance Issues | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md | Alternatively, you can also use the command-line tool *wpr.exe*, which is availa 2. Under *Windows Kits*, right-click **Windows Performance Recorder**. - :::image type="content" source="images/wpr-01.png" alt-text="The Start menu" lightbox="images/wpr-01.png"::: + :::image type="content" source="media/wpr-01.png" alt-text="The Start menu" lightbox="media/wpr-01.png"::: Select **More**. Select **Run as administrator**. 3. When the User Account Control dialog box appears, select **Yes**. - :::image type="content" source="images/wpt-yes.png" alt-text="The UAC page" lightbox="images/wpt-yes.png"::: + :::image type="content" source="media/wpt-yes.png" alt-text="The UAC page" lightbox="media/wpt-yes.png"::: 4. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder like `C:\temp`. 5. On the WPR dialog box, select **More options**. - :::image type="content" source="images/wpr-03.png" alt-text="The page on which you can select more options" lightbox="images/wpr-03.png"::: + :::image type="content" source="media/wpr-03.png" alt-text="The page on which you can select more options" lightbox="media/wpr-03.png"::: 6. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file. 7. After that, you should see a new profile set under *Custom measurements* named *Microsoft Defender for Endpoint analysis* underneath it. - :::image type="content" source="images/wpr-infile.png" alt-text="The in-file" lightbox="images/wpr-infile.png"::: + :::image type="content" source="media/wpr-infile.png" alt-text="The in-file" lightbox="media/wpr-infile.png"::: > [!WARNING] > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability. You can choose which profiles to add by expanding **Resource Analysis**. Alternatively, you can also use the command-line tool *wpr.exe*, which is availa 9. Now you're ready to collect data. Exit all the applications that are not relevant to reproducing the performance issue. You can select **Hide options** to keep the space occupied by the WPR window small. - :::image type="content" source="images/wpr-08.png" alt-text="The Hide options" lightbox="images/wpr-08.png"::: + :::image type="content" source="media/wpr-08.png" alt-text="The Hide options" lightbox="media/wpr-08.png"::: > [!TIP] > Try starting the trace at whole number seconds. For instance, 01:30:00. This will make it easier to analyze the data. Also try to keep track of the timestamp of exactly when the issue is reproduced. 10. Select **Start**. - :::image type="content" source="images/wpr-09.png" alt-text="The Record system information page" lightbox="images/wpr-09.png"::: + :::image type="content" source="media/wpr-09.png" alt-text="The Record system information page" lightbox="media/wpr-09.png"::: 11. Reproduce the issue. Alternatively, you can also use the command-line tool *wpr.exe*, which is availa 12. Select **Save**. - :::image type="content" source="images/wpr-10.png" alt-text="The Save option" lightbox="images/wpr-10.png"::: + :::image type="content" source="media/wpr-10.png" alt-text="The Save option" lightbox="media/wpr-10.png"::: 13. Fill up **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue. - :::image type="content" source="images/wpr-12.png" alt-text="The pane in which you fill" lightbox="images/wpr-12.png"::: + :::image type="content" source="media/wpr-12.png" alt-text="The pane in which you fill" lightbox="media/wpr-12.png"::: 1. Select **File Name:** to determine where your trace file will be saved. By default, it is saved to `%user%\Documents\WPR Files\`. 1. Select **Save**. 14. Wait while the trace is being merged. - :::image type="content" source="images/wpr-13.png" alt-text="The WPR gathering general trace" lightbox="images/wpr-13.png"::: + :::image type="content" source="media/wpr-13.png" alt-text="The WPR gathering general trace" lightbox="media/wpr-13.png"::: 15. Once the trace is saved, select **Open folder**. - :::image type="content" source="images/wpr-14.png" alt-text="The page displaying the notification that WPR trace has been saved" lightbox="images/wpr-14.png"::: + :::image type="content" source="media/wpr-14.png" alt-text="The page displaying the notification that WPR trace has been saved" lightbox="media/wpr-14.png"::: Include both the file and the folder in your submission to Microsoft Support. - :::image type="content" source="images/wpr-15.png" alt-text="The details of the file and the folder" lightbox="images/wpr-15.png"::: + :::image type="content" source="media/wpr-15.png" alt-text="The details of the file and the folder" lightbox="media/wpr-15.png"::: ### Capture performance logs using the WPR CLI |
security | Web Content Filtering | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md | Applying multiple different web content filtering policies to the same device re The result is that categories 1-4 are all blocked, as illustrated in the following image. ## Turn on web content filtering This card lists the parent web content categories with the largest increase or d In the first 30 days of using this feature, your organization might not have enough data to display this information. ### Web content filtering summary card This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category. ### Web activity summary card This card displays the total number of requests for web content in all URLs. ### View card details You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and device groups. - **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout. |
security | Web Protection Monitoring | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md | Web protection lets you monitor your organization's web browsing security throug - **Web threat protection detections over time** - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months) - :::image type="content" source="images/wtp-blocks-over-time.png" alt-text="The card showing web threats protection detections over time" lightbox="images/wtp-blocks-over-time.png"::: + :::image type="content" source="media/wtp-blocks-over-time.png" alt-text="The card showing web threats protection detections over time" lightbox="media/wtp-blocks-over-time.png"::: - **Web threat protection summary** - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites. - :::image type="content" source="images/wtp-summary.png" alt-text="The card showing web threats protection summary" lightbox="images/wtp-summary.png"::: + :::image type="content" source="media/wtp-summary.png" alt-text="The card showing web threats protection summary" lightbox="media/wtp-summary.png"::: > [!NOTE] > It can take up to 12 hours before a block is reflected in the cards or the domain list. |
security | Web Protection Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md | |
security | Web Protection Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md | Each alert provides the following information: - Malicious URL or URL in the custom indicator list - Recommended actions for responders > [!NOTE] > To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md). You can dive deeper by selecting the URL or domain of the website in the alert. - Incidents and alerts related to the website - How frequent the website was seen in events in your organization - :::image type="content" source="images/wtp-website-details.png" alt-text="The domain or URL entity details page" lightbox="images/wtp-website-details.png"::: + :::image type="content" source="media/wtp-website-details.png" alt-text="The domain or URL entity details page" lightbox="media/wtp-website-details.png"::: For more information, see [About URL or domain entity pages](investigate-domain.md). For more information, see [About device entity pages](investigate-machines.md). With web protection in Defender for Endpoint, your end users are prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is done by [network protection](network-protection.md) and not their web browser, users see a generic error from the web browser. They also see a notification from Windows. *Web threat blocked on Microsoft Edge* *Web threat blocked on Chrome* ## Related articles |
security | Advanced Hunting Microsoft Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-microsoft-defender.md | In Microsoft Defender, you can connect workspaces by selecting **Connect a works After connecting your Microsoft Sentinel workspace and Microsoft Defender XDR advanced hunting data, you can start querying Microsoft Sentinel data from the advanced hunting page. For an overview of advanced hunting features, read [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). ### What to expect for Defender XDR tables streamed to Microsoft Sentinel-- **Use tables with longer data retention period in queries** ΓÇô Advanced hunting follows the maximum data retention period configured for the Defender XDR tables. If you stream Defender XDR tables to Microsoft Sentinel and have a data retention period longer than 30 days for said tables, you can query for the longer period in advanced hunting.+- **Use tables with longer data retention period in queries** ΓÇô Advanced hunting follows the maximum data retention period configured for the Defender XDR tables (see [Understand quotas](advanced-hunting-limits.md#understand-advanced-hunting-quotas-and-usage-parameters)). If you stream Defender XDR tables to Microsoft Sentinel and have a data retention period longer than 30 days for said tables, you can query for the longer period in advanced hunting. - **Use Kusto operators you've used in Microsoft Sentinel** ΓÇô In general, queries from Microsoft Sentinel work in advanced hunting, including queries that use the `adx()` operator. There might be cases where IntelliSense warns you that the operators in your query don't match the schema, however, you can still run the query and it should still be executed successfully.-- **Use the time filter dropdown instead of *Set in query*** ΓÇô If you're filtering ingestion of Defender XDR tables to Microsoft Sentinel instead of streaming the tables as is, don't use the **Set in query** option for filtering time as doing this might result in incomplete results. If the **Set in query** option is used, the streamed, filtered data from Microsoft Sentinel is the one queried because it usually has the longer data retention period. If you would like to make sure you're querying all Defender XDR data for up to 30 days, use the time filter dropdown provided in the query editor instead. +- **Use the time filter dropdown instead of setting the time span in the query** ΓÇô If you are filtering ingestion of Defender XDR tables to Sentinel instead of streaming the tables as is, do not filter the time in the query as this might generate incomplete results. If you set the time in the query, the streamed, filtered data from Sentinel will be used because it usually has the longer data retention period. If you would like to make sure you are querying all Defender XDR data for up to 30 days, use the time filter dropdown provided in the query editor instead. - **View `SourceSystem` and `MachineGroup` columns for Defender XDR data that have been streamed from Microsoft Sentinel** ΓÇô Since the columns `SourceSystem` and `MachineGroup` are added to Defender XDR tables once they're streamed to Microsoft Sentinel, they also appear in results in advanced hunting in Defender. However, they remain blank for Defender XDR tables that weren't streamed (tables that follow the default 30-day data retention period). |
security | Automatic Attack Disruption | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/automatic-attack-disruption.md | audience: ITPro - m365-security - tier1+ - usx-security + - usx-security search.appverid: - MOE150 - MET150 Previously updated : 05/31/2023 Last updated : 02/21/2024 # Automatic attack disruption in Microsoft Defender XDR This article provides an overview of automated attack disruption and includes li ## How automatic attack disruption works -Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption in uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise. +Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise. +Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise. +While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets. While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets. Automatic attack disruption operates in three key stages: Investigations are integral to monitoring our signals and the attack threat land Automatic attack disruption uses Microsoft-based XDR response actions. Examples of these actions are: - [Device contain](/microsoft-365/security/defender-endpoint/respond-machine-alerts#contain-devices-from-the-network) - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device.+ - [Disable user](/defender-for-identity/remediation-actions) - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution.+ - [Contain user](../defender-endpoint/respond-machine-alerts.md#contain-user-from-the-network) - based on Microsoft Defender for Endpoint's capability, this response action automatically contains suspicious identities temporarily to help block any lateral movement and remote encryption related to incoming communication with Defender for Endpoint's onboarded devices. For more information, see [remediation actions](m365d-remediation-actions.md) in Microsoft Defender XDR. +### Automated response actions for SAP with Microsoft Sentinel (Preview) ++If you're using the [unified security operations platform](microsoft-sentinel-onboard.md) and also deployed the Microsoft Sentinel solution for SAP applications, you can also deploy automatic attack disruption for SAP. ++For example, deploy attack disruption for SAP to contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack. ++After the risk is mitigated, Microsoft Defender admins can manually unlock the users that had been automatically locked by the attack disruption response. The ability to manually unlock users is available from the Microsoft Defender action center, and only for users that were locked by attack disruption. ++For more information, see [Track the actions in the Action center](autoad-results.md#track-the-actions-in-the-action-center) and [Deploy automatic attack disruption for SAP](https://aka.ms/attack-disrupt-sentinel). + ## Identify when an attack disruption happens in your environment The Defender XDR incident page will reflect the automatic attack disruption actions through the attack story and the status indicated by a yellow bar (Figure 1). The incident shows a dedicated disruption tag, highlight the status of the assets contained in the incident graph, and add an action to the Action Center. |
security | Compare Rbac Roles | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/compare-rbac-roles.md | |
security | Configure Attack Disruption | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-attack-disruption.md | audience: ITPro ms.localizationpriority: medium Previously updated : 05/31/2023 Last updated : 04/04/2024 - m365-security - tier2 Microsoft Defender XDR includes powerful [automated attack disruption](automatic This article describes how to configure automatic attack disruption capabilities in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> with these steps: 1. [Review the prerequisites](#prerequisites-for-automatic-attack-disruption-in-microsoft-365-defender).-2. [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups). -3. [Review or change the automated response exclusions for users](#review-or-change-automated-response-exclusions-for-users). +2. [Review or change the automated response exclusions for users](#review-or-change-automated-response-exclusions-for-users). Then, after you're all set up, you can view and manage containment actions in Incidents and the Action center. And, if necessary, you can make changes to settings. Then, after you're all set up, you can view and manage containment actions in In |Deployment requirements|<ul><li>Deployment across Defender products (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps)</li><ul><li>The wider the deployment, the greater the protection coverage is. For example, if a Microsoft Defender for Cloud Apps signal is used in a certain detection, then this product is required to detect the relevant specific attack scenario.</li><li>Similarly, the relevant product should be deployed to execute an automated response action. For example, Microsoft Defender for Endpoint is required to automatically contain a device. </li></ul><li>Microsoft Defender for Endpoint's device discovery is set to 'standard discovery'</li></ul>| |Permissions|To configure automatic attack disruption capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (<https://portal.azure.com>) or in the Microsoft 365 admin center (<https://admin.microsoft.com>): <ul><li>Global Administrator</li><li>Security Administrator</li></ul>To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks).| -## Review or change the automation level for device groups +### Microsoft Defender for Endpoint Prerequisites -Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, like your organization's device group policies. Review the configured automation level for your device group policies. You must be a global administrator or security administrator to perform the following procedure: +#### Minimum Sense Client version (MDE client) ++The Minimum Sense Agent version required for the **Contain User** action to work is v10.8470. You can identify the Sense Agent version on a device by running the following PowerShell command: ++> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\' -Name "InstallLocation" ++#### Automation setting for your organizations devices ++Review the configured automation level for your device group policies, wWhether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings. You must be a global administrator or security administrator to perform the following procedure: 1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. Whether automated investigations run, and whether remediation actions are taken 3. Review your device group policies. Look at the **Automation level** column. We recommend using **Full - remediate threats automatically**. You might need to create or edit your device groups to get the level of automation you want. To exclude a device group from automated containment, set its automation level to **no automated response**. Note that this is not highly recommended and should only be done for a limited number of devices. +#### Device Discovery configuration ++Device Discovery settings must be activated to "Standard Discovery" at a minimum. Learn how to configure Device Discovery in [Set up device discovery](/defender-endpoint/configure-device-discovery). + >[!NOTE] >Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode. +### Microsoft Defender for Identity Prerequisites ++#### Set up auditing in domain controllers ++Learn how to set up auditing in domain controllers in [Configure audit policies for Windows event logs](/defender-for-identity/deploy/configure-windows-event-collection) to ensure that required audit events are configured on the domain controllers where the Defender for Identity sensor is deployed. ++#### Configure action accounts ++Defender for Identity allows you to take remediation actions targeting on-premises Active Directory accounts in the event that an identity is compromised. To take these actions, Defender for Identity needs to have the required permissions to do so. By default, the Defender for Identity sensor impersonates the LocalSystem account of the domain controller and performs the actions. Since the default can be changed, validate that Defender for Identity has the required permissions. ++You can find more information on the action accounts in [Configure Microsoft Defender for Identity action accounts](/defender-for-identity/deploy/manage-action-accounts) ++The Defender for Identity sensor needs to be deployed on the domain controller where the Active Directory account is to be turned off. ++>[!NOTE] +>If you have automations in place to activate or block a user, check if the automations can interfere with Disruption. For example, if there is an automation in place to regularly check and enforce that all active employees have enabled accounts, this could unintentionally activate accounts that were deactivated by attack disruption while an attack is detected. ++### Microsoft Defender for Cloud Apps prerequisites ++#### Microsoft Office 365 Connector ++Microsoft Defender for Cloud Apps must be connected to Microsoft Office 365 through the connector. To connect Defender for Cloud Apps, see [Connect Microsoft 365 to Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-office-365#connect-microsoft-365-to-microsoft-defender-for-cloud-apps). ++#### App Governance ++App Governance must be turned on. Refer to the [app governance documentation](/defender-cloud-apps/app-governance-get-started) to turn it on. ++### Microsoft Defender for Office 365 prerequisites ++#### Mailboxes location ++Mailboxes are required to be hosted in Exchange Online. ++#### Mailbox audit logging ++The following mailbox events need to be audited by minimum: ++- MailItemsAccessed +- UpdateInboxRules +- MoveToDeletedItems +- SoftDelete +- HardDelete ++Review [Manage mailbox auditing](/purview/audit-mailboxes) to learn about managing mailbox auditing. ++#### Safelinks policy needs to be present. + ## Review or change automated response exclusions for users Automatic attack disruption enables the exclusion of specific user accounts from automated containment actions. Excluded users won't be affected by automated actions triggered by attack disruption. You must be a global administrator or security administrator to perform the following procedure: Excluding user accounts is not recommended, and accounts added to this list won' ## See also - [Automatic attack disruption in Microsoft Defender XDR](automatic-attack-disruption.md)+- [Automatic attack disruption for SAP](/azure/sentinel/sap/deployment-attack-disrupt) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
security | Configure Email Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-email-notifications.md | |
security | Manage Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md | To generate the PDF, perform the following steps: :::image type="content" source="../../media/incidents-queue/export-incident-download-small.png" alt-text="Screenshot highlighting export message and status when download is available." lightbox="../../media/incidents-queue/export-incident-download.png"::: -The report is cached for a couple of minutes. The system provides the previously generated PDF if you try to export the same incident again within a short time frame. To generate a newer version of the PDF, wait for the cache to expire. +The report is cached for a couple of minutes. The system provides the previously generated PDF if you try to export the same incident again within a short time frame. To generate a newer version of the PDF, wait for a few minutes for the cache to expire. ## Next steps |
security | Streaming Api Storage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-storage.md | Once the Storage account is created, you'll need to: - A blob container is created for each event type: - :::image type="content" source="../defender-endpoint/images/storage-account-event-schema.png" alt-text="Example of a blob container" lightbox="../defender-endpoint/images/storage-account-event-schema.png"::: + :::image type="content" source="../defender-endpoint/media/storage-account-event-schema.png" alt-text="Example of a blob container" lightbox="../defender-endpoint/media/storage-account-event-schema.png"::: - The schema of each row in a blob is the following JSON: |
security | Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md | You can also get product updates and important notifications through the [messag - (GA) **[Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md)** is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence. - Copilot in Defender customers can now export incident data to PDF. Use the exported data to easily share incident data, facilitating discussions with your security teams and other stakeholders. For details, see **[Export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf)**.+- **Notifications in the Microsoft Defender portal** are now available. On the top right-hand side of the Defender portal, select the bell icon to view all your active notifications. Different types of notifications are supported such as success, info, warning, and error. Dismiss individual notifications or dismiss all from the notifications tab. ## February 2024 |
security | Assess The Impact Of Security Configuration Changes With Explorer | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/assess-the-impact-of-security-configuration-changes-with-explorer.md | Title: Assess the impact of security configuration changes with Explorer -description: Examples and walkthrough of using Explorer to determine the impact of a security control (configuration) change in Microsoft Defender for Office 365 -search.product: +description: Examples and walk-through of using Explorer to determine the impact of a security control (configuration) change in Microsoft Defender for Office 365. -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -Before you make change(s) to your security configuration, such as policies or transport rules, it's important to understand the impact of the change(s) so that you can plan and ensure *minimal* disruption to your organization. +Before you make changes to your security configuration, such as policies or transport rules, it's important to understand the impact of those changes so that you can plan and ensure *minimal* disruption to your organization. -This step-by-step guide takes you through assessing a change, and exporting the impacted emails for assessment. The procedure can be applied to many different changes, by altering the criteria (filters) you use in explorer. +This step-by-step guide takes you through assessing a change, and exporting the impacted emails for assessment. -## What you'll need +## What you need - Microsoft Defender for Office 365 Plan 2 (included as part of E5). - Sufficient permissions (Security reader minimum required to assess via Threat Explorer).-- 5-10 minutes to perform the steps below.+- 5-10 minutes to perform the following procedures. ## Assess changing normal confidence phish delivery location to quarantine (from the Junk email folder) -1. **Login** to the security portal and navigate to Explorer (underneath *Email & Collaboration* on the left nav) <https://security.microsoft.com/threatexplorer>. +1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) and navigate to Explorer (underneath *Email & Collaboration* on the left nav) <https://security.microsoft.com/threatexplorer>. 1. Select **Phish** from the top tab selection (*All email* is the default view). 1. Press the **filter** button (defaulted to *Sender*) and select **Phish confidence level**. 1. Select the **Phish confidence level** of **Normal**. This step-by-step guide takes you through assessing a change, and exporting the ## Assess removing a sender / domain override removal -1. **Login** to the security portal and navigate to **Explorer** (underneath Email & Collaboration on the left nav) <https://security.microsoft.com/threatexplorer>. +1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) and navigate to **Explorer** (underneath Email & Collaboration on the left nav) <https://security.microsoft.com/threatexplorer>. 1. Select **All email** if not already selected. 1. Press the **filter** button (defaulted to *Sender*) and add either a sender or sender domain filter, then add the entry where you wish to assess the impact of removal. 1. Expand the date range to the maximum & press **Refresh** You should now see mail listed if the sender / sending domain is still active in messaging your organization. If *not* you may need to tweak the filter, or alternatively you no longer receive mail from that domain / sender and can remove the entry safely. This step-by-step guide takes you through assessing a change, and exporting the ### Further reading -Consider using secure presets [Ensuring you always have the optimal security controls with preset security policies](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md) +Consider using secure presets [Ensuring you always have the optimal security controls with preset security policies](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md). -You can also manage email authentication issues with spoof intelligence [Spoof intelligence insight](../anti-spoofing-spoof-intelligence.md) +You can also manage email authentication issues with spoof intelligence [Spoof intelligence insight](../anti-spoofing-spoof-intelligence.md). -Learn more about email authentication [Email Authentication in Exchange Online Protection](../email-authentication-about.md) +Learn more about email authentication [Email Authentication in Exchange Online Protection](../email-authentication-about.md). |
security | Connect Microsoft Defender For Office 365 To Microsoft Sentinel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md | Title: Connect Microsoft Defender for Office 365 to Microsoft Sentinel description: The steps to connect Microsoft Defender for Office 365 to Sentinel. Add your Microsoft Defender for Office 365 data (*and* data from the rest of the Microsoft Defender XDR suite), including incidents, to Microsoft Sentinel for a single pane of glass into your security. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH You can ingest your Microsoft Defender for Office 365 data (*and* data from the Take advantage of rich security information events management (SIEM) combined with data from other Microsoft 365 sources, synchronization of incidents and alerts, and advanced hunting. -## What you will need +## What you need - Microsoft Defender for Office 365 Plan 2 or higher. (Included in E5 plans) - Microsoft Sentinel [Quickstart guide](/azure/sentinel/quickstart-onboard).-- Sufficient permissions (Security Administrator in M365 & Read / Write permissions in Sentinel).+- Sufficient permissions (Security Administrator in Microsoft 365 & Read / Write permissions in Sentinel). ## Add the Microsoft Defender XDR Connector -1. [Login to the Azure Portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** \> Pick the relevant workspace to integrate with Microsoft Defender XDR. - 1. On the left-hand navigation menu underneath the heading **Configuration** \> choose **Data connectors**. -2. When the page loads, **search for** Microsoft Defender XDR **and select the Microsoft Defender XDR connector**. -3. On the right-hand flyout, select **Open Connector Page**. -4. Under the **Configuration** section of the page that loads, select **Connect incidents & alerts**, leaving Turn off all Microsoft incident creation rules for these products ticked. -5. Scroll to **Microsoft Defender for Office 365** in the **Connect events** section of the page. Select **EmailEvents, EmailUrlInfo, EmailAttachmentInfo & EmailPostDeliveryEvents** then **Apply Changes** at the bottom of the page. (Choose tables from other Defender products if helpful and applicable, during this step.) +1. [Sign in to the Azure portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** \> Pick the relevant workspace to integrate with Microsoft Defender XDR. +1. In the navigation pane, under **Configuration**, go to **Data connectors**. +1. When the page loads, **search for** Microsoft Defender XDR **and select the Microsoft Defender XDR connector**. +1. On the right-hand flyout, select **Open Connector Page**. +1. Under the **Configuration** section of the page that loads, select **Connect incidents & alerts**, leaving **Turn off all Microsoft incident creation rules for these products** selected. +1. Scroll to **Microsoft Defender for Office 365** in the **Connect events** section of the page. Select **EmailEvents, EmailUrlInfo, EmailAttachmentInfo & EmailPostDeliveryEvents** then **Apply Changes** at the bottom of the page. (Choose tables from other Defender products if helpful and applicable, during this step.) ## Next Steps -Admins will now be able to see incidents, alerts, and raw data in Microsoft Sentinel and use this data for *advanced hunting*, pivoting on existing and new data from Microsoft Defender. +Admins are now able to see incidents, alerts, and raw data in Microsoft Sentinel and use this data for *advanced hunting*, pivoting on existing and new data from Microsoft Defender. ## More Information -[Connect Microsoft Defender XDR data to Microsoft Sentinel | Microsoft Docs](/azure/sentinel/connect-microsoft-365-defender?tabs=MDE) +[Connect Microsoft Defender XDR data to Microsoft Sentinel | Microsoft Docs](/azure/sentinel/connect-microsoft-365-defender?tabs=MDE). -[Connect Microsoft Teams to Microsoft Sentinel](/microsoftteams/teams-sentinel-guide) +[Connect Microsoft Teams to Microsoft Sentinel](/microsoftteams/teams-sentinel-guide). |
security | Defense In Depth Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide.md | Title: Getting started with defense in-depth configuration for email security description: Step-by-step configuration guidance on how to get security value from Microsoft Defender for Office 365 when you have third party email filtering. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Deploy And Configure The Report Message Add In | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md | Title: How-to deploy and configure the report message add-in description: The steps to deploy and configure Microsoft's phish reporting add-ins aimed at security administrators. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Ensuring You Always Have The Optimal Security Controls With Preset Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md | Title: Steps to set up the Standard or Strict preset security policies for Microsoft Defender for Office 365 description: Step to set up preset security policies in Microsoft Defender for Office 365 so you have the security recommended by the product. Preset policies set a security profile of either *Standard* or *Strict*. Set these and Microsoft Defender for Office 365 will manage and maintain these security controls for you. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | How To Configure Quarantine Permissions With Quarantine Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-configure-quarantine-permissions-with-quarantine-policies.md | Title: How to configure quarantine permissions and policies description: The steps to configure quarantine policies and permissions across different groups, including AdminOnlyPolicy, limited access, full access, and providing security admins and users with a simple way to manage false positive folders. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -Providing security admins and users with a very simple way to manage false positive folders is vital given the increased demand for a more aggressive security posture with the evolution of hybrid work. Taking a prescriptive approach, admins and users can achieve this with the guidance below. +Providing security admins and users with a simple way to manage false positive folders is vital, given the increased demand for a more aggressive security posture with the evolution of hybrid work. Taking a prescriptive approach, admins and users can achieve this with the guidance in this article. > [!TIP] > For a short video aimed at admins trying to set quarantine permissions and policies, [see this link](https://www.youtube.com/watch?v=vnar4HowfpY). If you are an end user opt for this [1 minute overview](https://www.youtube.com/watch?v=s-vozLO43rI) of the process. -## What you will need +## What you need - Sufficient permissions (Security Administrator role)-- 5 minutes to perform the steps below.+- 5 minutes to perform the following procedures. ## Deciding between built-in or custom quarantine policies. Our custom policies give admins the ability to decide what items their users can ## Assigning quarantine policies and enabling notification with organization branding -Once it has been decided the categories of items users can triage or not-triage, and created the corresponding quarantine policies, admins should to assign these policies to the respective users and enable notifications. +When your security team has decided on which categories of items that users can triage (or not), and they've created the corresponding quarantine policies, admins should assign these policies to the respective users and enable notifications. 1. Identify the users, groups, or domains that you would like to include in the *full access* category vs. the *limited access* category, versus the *Admin-Only* category. 1. Sign in to the [Microsoft Security portal](https://security.microsoft.com). Once it has been decided the categories of items users can triage or not-triage, 1. Select each of the following: **Anti-spam policies**, **Anti-phishing policy**, **Anti-Malware policy**. 1. Select **Create policy** and choose **Inbound**. 1. Add policy Name, users, groups, or domains to apply the policy to, and **Next**.-1. In the **Actions** tab, select **Quarantine message** for categories. You will notice an additional panel for *select quarantine policy*, use that dropdown to select the quarantine policy you created earlier. -1. Move on to the **Review** section and click the **Confirm** button to create the new policy. +1. In the **Actions** tab, select **Quarantine message** for categories. You notice another panel for *select quarantine policy*. Use the dropdown to select the quarantine policy you created earlier. +1. Move on to the **Review** section and select the **Confirm** button to create the new policy. 1. Repeat these same steps for the other policies: **Anti-phishing policy**, **Anti-Malware policy**, and **Safe Attachment policy**. > [!TIP] > For more detailed information on what you've learned so far, see [Configure spam filter policies - Office 365](../../office-365-security/anti-spam-policies-configure.md)| [Configure anti-phishing policies in EOP](../../office-365-security/anti-phishing-policies-eop-configure.md) | [Configure anti-malware policies](../../office-365-security/anti-malware-policies-configure.md)| [Set up Safe Attachments policies in Microsoft Defender for Office 365](../../office-365-security/safe-attachments-policies-configure.md) Once it has been decided the categories of items users can triage or not-triage, ## More information -Learn more about organization branding and notification settings here [Quarantine policies - Office 365 | Microsoft Docs](../../office-365-security/quarantine-policies.md) +Learn more about organization branding and notification settings here [Quarantine policies](../../office-365-security/quarantine-policies.md). |
security | How To Enable Dmarc Reporting For Microsoft Online Email Routing Address Moera And Parked Domains | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md | Title: How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains description: The steps to configure DMARC for MOERA and parked domains. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | How To Handle False Negatives In Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md | Title: (False Negatives) How to handle malicious emails that are delivered to recipients using Microsoft Defender for Office 365 description: The steps to handle malicious emails coming through to end users and inboxes (as False Negatives) with Microsoft Defender for Office 365 in order to prevent loss of business. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | How To Handle False Positives In Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365.md | Title: (False Positives) How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365 description: The steps to handle legitimate email getting blocked(False Positive) by Microsoft Defender for Office 365 in order to prevent lose of business. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | How To Prioritize And Manage Automated Investigations And Response Air | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-and-manage-automated-investigations-and-response-air.md | Title: How to prioritize and manage Automated Investigations and Response (AIR). description: How to steps to analyze and approve AIR actions directly from the Action Center. When alerts are triggered, Automated Investigation and Response (AIR) determines the scope of impact of a threat in your organization and provided recommended remediation actions. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | How To Prioritize Manage Investigate And Respond To Incidents In Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-manage-investigate-and-respond-to-incidents-in-microsoft-365-defender.md | Title: How to prioritize, Manage, Investigate & Respond to Incidents in Microsoft Defender XDR description: The steps to manage alerts triggered in Microsoft Defender XDR. Automated investigation and response (AIR) hunt across the subscription and determines the impact and scope of a threat, and combines the information into a single Incident. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -When alerts are triggered in Microsoft Defender XDR, automated investigation and response (AIR) will trigger to hunt across an organization's subscription, determine the impact and scope of the threat, and collate the information into a single Incident so that admins don't have to manage multiple incidents. +When alerts are triggered in Microsoft Defender XDR, automated investigation and response (AIR) begins and hunts across an organization's subscription, determine the impact and scope of the threat, and collate the information into a single Incident so that admins don't have to manage multiple incidents. -## What you'll need +## What you need - Microsoft Defender for Office 365 Plan 2 or higher - Sufficient permissions (Security reader, security operations, or security administrator, plus [Search and purge](../mdo-portal-permissions.md) role) Navigate to the security portal Incidents page <https://security.microsoft.com/i When the Incident page loads you can filter and prioritize by clicking columns to sort the actions or press Filters to apply a filter such as data source, tags or state. -Now you have a prioritized list of incidents, from which you can select to rename, assign, classify, tag, change the status or add comments via the Manage incidents button. +Now you have a prioritized list of incidents, from which you can select to rename, assign, classify, tag, change the status or add comments via the **Manage incidents** button. Use the filters to make sure Microsoft Defender for Office 365 items are included. -If you are looking for specific alerts, either use the incident search capability (*Search for name or ID*) or consider using the alert queue filtering on a specific alert. +If you're looking for specific alerts, either use the incident search capability (*Search for name or ID*) or consider using the alert queue filtering on a specific alert. ## Investigate & Respond to Incidents -After you have prioritized your incident queue, click on the Incident you'd like to investigate to load the incidents Overview page. There will be useful information such as *MITRE ATT&CK techniques observed* and a *timeline of the attack*. +After you have prioritized your incident queue, select the Incident you'd like to investigate to load the incidents Overview page. You see useful information, such as *MITRE ATT&CK techniques observed* and a *timeline of the attack*. The tabs at the top of the incident page allow you to explore more details such as the affected users, mailboxes, endpoints, and et cetera. The *Evidence and Response* tab shows items identified as related to the original alert via the investigation. -Any items showing as *Pending Action* within Evidence and Response are awaiting approval from an administrator. Sorting by the remediation status column in the *All Evidence* view is recommended, followed by clicking the entity or cluster to load the flyout menu where you can then approve the actions if appropriate. +Any items showing as *Pending Action* within Evidence and Response are awaiting approval from an administrator. Sorting by the remediation status column in the *All Evidence* view is recommended, followed by clicking the entity or cluster to load the flyout menu where you can then approve the actions if appropriate. -If you need to understand the items involved further, you can use the incident graph to see the visual linkage of the evidence and entities involved. Alternatively, you can review the underlying investigations, which will show more of the entities and items involved in the security event. +If you need to understand the items involved further, you can use the incident graph to see the visual linkage of the evidence and entities involved. Alternatively, you can review the underlying investigations, which show more of the entities and items involved in the security event. ## Next Steps You can start using *Action Center* to act on pending action items from all inci ## More Information -[Manage incidents in Microsoft Defender XDR | Microsoft Docs](../../defender/manage-incidents.md) +[Manage incidents in Microsoft Defender XDR | Microsoft Docs](../../defender/manage-incidents.md). -[How automated investigation and response works in Microsoft Defender for Office 365](../air-about-office.md) +[How automated investigation and response works in Microsoft Defender for Office 365](../air-about-office.md). -[Remediation actions in Microsoft Defender for Office 365](../air-remediation-actions.md) +[Remediation actions in Microsoft Defender for Office 365](../air-remediation-actions.md). |
security | How To Run Attack Simulations For Your Team | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-run-attack-simulations-for-your-team.md | Title: How to run attack simulations for your team -description: The steps to send an Attack Simulation payload to your target users for your team or organization for training. Simulated attacks can help you identify and find vulnerable users, policies and practices before a real attack impacts your organization. -search.product: +description: The steps to send an Attack Simulation payload to your target users for your team or organization for training. Simulated attacks can help you identify and find vulnerable users, policies, and practices before a real attack impacts your organization. -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -Attack simulation training allows you to run realistic but benign cyber attack scenarios in your organization. Simulated attacks can help you identify and find vulnerable users, policies and practices before a real attack impacts your organization, leveraging inbuilt or custom training to reduce risk and better educate end users about threats. +Attack simulation training allows you to run realistic but benign cyber attack scenarios in your organization. Simulated attacks can help you identify and find vulnerable users, policies, and practices before a real attack impacts your organization, using inbuilt or custom training to reduce risk and better educate end users about threats. -## What you'll need +## What you need - Microsoft Defender for Office 365 Plan 2 (included as part of E5) - Sufficient permissions (Security Administrator role)-- 5-10 minutes to perform the steps below.+- 5-10 minutes to perform the following procedures. ## Send a payload to target users 1. Navigate to [Attack Simulation Training](https://security.microsoft.com/attacksimulator) in your subscription. 1. Choose **Simulations** from the top navigation bar. 1. Select **Launch a simulation**.-1. Pick the technique you'd like to use from the flyout, and press **Next**. -1. Name the Simulation with something relevant / memorable and press **Next**. -1. Pick a relevant payload from the wizard, review the details and customize if appropriate, when you are happy with the choice, press **Next**. -1. Choose who to target with the payload. If choosing the entire organization highlight the radio button and press **Next**. -1. Otherwise, select **Add Users** and then search or filter the users with the wizard. Select Add User(s) and then **Next**. +1. Pick the technique you'd like to use from the flyout, and select **Next**. +1. Name the Simulation with something relevant / memorable and select **Next**. +1. Pick a relevant payload from the wizard, review the details and customize if appropriate, when you're happy with the choice, select **Next**. +1. Choose who to target with the payload. If you're choosing the entire organization, select that option and then select **Next**. +1. Otherwise, select **Add Users** and then search or filter the users with the wizard. Select Add Users and then **Next**. 1. Under **Select training content preference**, leave the default *Microsoft training experience (Recommended)* or select *Redirect to a custom URL* if you want to use the custom URL. If you don't want to assign any training, then select *No training*. - You can either let Microsoft assign training courses by selecting *Assign training for me* or you can choose specific modules with *Select training courses and modules myself* - Select a Due Date (30, 15, or 7 days) from the drop-down menu.- - Click **Next** to continue. + - Select **Next** to continue. 1. Customize the landing page displayed when a user is phished if appropriate, or otherwise leave the Microsoft Default.- 1. Under **Payload indicators**, check the box to add payload indicators to email. Adding payloads will help users to learn how to identify the phishing email. Select *Open preview panel* to view the message. - 1. Click **Next** to continue. + 1. Under **Payload indicators**, check the box to add payload indicators to email. Adding payloads helps users to learn how to identify the phishing email. Select *Open preview panel* to view the message. + 1. Select **Next** to continue. 1. Choose if you'd like end user notifications, and if so, select the delivery preferences and customize where needed. 1. Notice that you can also select *default language* for the notification under the **Select default language** drop-down menu.-1. Select when to launch the simulation, and how long it should be valid for. You can also enable *region aware time zone delivery*. This option will deliver simulated attack messages to your employees during *their working hours* based on their region. Select **Next**. -1. Send a test if you're ready. Review the summary of choices. Click **Submit**. +1. Select when to launch the simulation, and how long it should be valid for. You can also enable *region aware time zone delivery*. This option delivers simulated attack messages to your employees during *their working hours* based on their region. Select **Next**. +1. Send a test if you're ready. Review the summary of choices. Select **Submit**. ### Further reading -To learn how Attack Simulation works see [Simulate a phishing attack with Attack simulation training - Office 365 | Microsoft Docs](../../office-365-security/attack-simulation-training-simulations.md) +To learn how Attack Simulation works see [Simulate a phishing attack with Attack simulation training - Office 365 | Microsoft Docs](../../office-365-security/attack-simulation-training-simulations.md). |
security | How To Setup Attack Simulation Training For Automated Attacks And Training | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md | Title: How to setup automated attacks and training within Attack simulation training -description: The steps to automate Attack Simulation training and send a payload to target users. By following this guide, you will learn to create automated attack flows with specific techniques and payloads. -search.product: +description: The steps to automate Attack Simulation training and send a payload to target users. By following this guide, you learn to create automated attack flows with specific techniques and payloads. -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -Attack simulation training lets you run benign attack simulations on your organization to assess your phishing risk and teach your users how to better avoid phish attacks. By following this guide, you can configure automated flows with specific techniques and payloads that run when the specified conditions are met, launching simulations against your organization. +Attack simulation training lets you run benign attack simulations on your organization to assess your phishing risk and teach your users how to better avoid phishing attacks. By following this guide, you can configure automated flows with specific techniques and payloads that run when the specified conditions are met, launching simulations against your organization. -## What you'll need +## What you need - Microsoft Defender for Office 365 Plan 2 (included as part of E5). - Sufficient permissions (Security Administrator role).-- 5-10 minutes to perform the steps below.+- 5-10 minutes to perform the following procedures. ## Send a payload to target users Attack simulation training lets you run benign attack simulations on your organi 1. Name the Simulation automation with something relevant and memorable. *Next*. 1. Pick the techniques you'd like to use from the flyout. *Next*. 1. Manually select up to 20 payloads you'd like to use for this automation, or alternatively select Randomize. *Next*.-1. If you picked OAuth as a Payload, you need to enter the name, logo and scope (permissions) you'd like the app to have when it's used in a simulation. *Next*. +1. If you picked OAuth as a Payload, you need to enter the name, logo, and scope (permissions) you'd like the app to have when it's used in a simulation. *Next*. 1. Choose who to target with the payload, if choosing the entire organization highlight the radio button. *Next*.-1. Otherwise, select **Add Users** and then search or filter the users with the wizard, press Add User(s). *Next*. +1. Otherwise, select **Add Users** and then search or filter the users with the wizard, press Add Users. *Next*. 1. Customize the training if appropriate, otherwise leave Assign training for me (recommended) selected. *Next*. 1. Customize the landing page displayed when a user is phished if appropriate, otherwise leave as the Microsoft Default. *Next*. 1. Choose if you'd like end user notifications, if so select the delivery preferences and customize where appropriate. *Next*. 1. For Simulation schedule, you can either select **Randomized** or **Fixed**, the recommended option is Randomized, once selected, select *Next*.-1. Depending on your choice of Randomized or Fixed, the schedule details may differ, but select preferences on the choice, including the start and end dates of the automation. *Next*. +1. Depending on your choice of Randomized or Fixed, the schedule details can differ, but select preferences on the choice, including the start and end dates of the automation. *Next*. 1. For **Launch Details**, select any final options you want, such as using unique payloads, or targeting repeat offenders and then select *Next*.-1. **Submit** and the Simulation automation is setup. +1. **Submit** and the Simulation automation is set up. ## Learn More |
security | Optimize And Correct Security Policies With Configuration Analyzer | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/optimize-and-correct-security-policies-with-configuration-analyzer.md | Title: Optimize and correct security policies with configuration analyzer description: The steps to optimize and correct security policies with configuration analyzer. Configuration analyzer is a central location and single pane of glass for administering and viewing the email security policies you have configured in your tenant. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Protect Your C Suite With Priority Account Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/protect-your-c-suite-with-priority-account-protection.md | Title: Protect your c-suite with Priority account protection in Microsoft Defender for Office 365 Plan 2 -description: The steps to protect your c-suite with priority account protection. Tagging an account as a Priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations. -search.product: +description: The steps to protect your c-suite with priority account protection. Tagging an account as a Priority account enables the extra protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations. -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -Priority account protection helps IT and security teams ensure a high quality of service and protection for the critical people within your organization. Tagging an account as a priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations. +Priority account protection helps IT and security teams ensure a high quality of service and protection for the critical people within your organization. Tagging an account as a priority account enables the extra protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations. -## What you'll need +## What you need - Microsoft Defender for Office 365 Plan 2 (included as part of E5 plans) - Sufficient permissions (Security Administrator role)-- 5 minutes to perform the steps below.+- 5 minutes to perform the following procedures. ## Tag Priority users 1. Identify the users, groups, or domains you would like to tag as priority accounts.-1. Login to the [Microsoft Security Portal](https://security.microsoft.com/) and navigate to Settings on the left navigation bar. -1. Select Email & collaboration on the page that loads and then click User tags -1. On the User tags page, select the Priority account tag and press Edit -1. On the flyout that appears, select Add members -1. Search for the users you wish to tag, select one or more users and press Add -1. Review the members you have selected and press Next -1. Press Submit to confirm the changes +1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) and navigate to Settings on the left navigation bar. +1. Select **Email & collaboration** on the page that loads and then select **User tags**. +1. On the **User tags** page, select the **Priority account** tag, and then select **Edit**. +1. On the flyout that appears, select **Add members**. +1. Search for the users you wish to tag, select one or more users, and then select **Add**. +1. Review the members you selected, and then select **Next**. +1. Select **Submit** to confirm the changes. ## Confirm priority account protection is enabled for tagged users -1. Login to the [Microsoft Security Portal](https://security.microsoft.com/) and navigate to Settings on the left navigation bar. -1. Select **Priority account protection** -1. Ensure the protection is set to "On" +1. Sign to the [Microsoft Defender portal](https://security.microsoft.com/). +1. In the navigation bar, select **Settings**. +1. Select **Priority account protection**. +1. Make sure protection is set to **On**. To learn what priority account tags are see [Manage and monitor priority accounts - Microsoft 365 admin | Microsoft Docs](../../../admin/setup/priority-accounts.md). ## Next Steps -[Review differentiated protection from priority account protection] +[Review differentiated protection from priority account protection]. [Review the differentiated protection for users tagged as Priority accounts](../priority-accounts-turn-on-priority-account-protection.md#review-differentiated-protection-from-priority-account-protection). |
security | Reducing Attack Surface In Microsoft Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams.md | Title: Reduce the attack surface for Microsoft Teams description: Configuration which can be used to reduce the attack surface in Microsoft Teams, including enabling Microsoft Defender for Office 365. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Review Allow Entries | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/review-allow-entries.md | Title: Review and remove unnecessary allow list entries with Advanced Hunting in Microsoft Defender for Office 365 -description: Steps and sample queries for advanced hunting to start reviewing your security configuration and removing unnecessary allow list entries. -search.product: + Title: Review and remove unnecessary allowlist entries with Advanced Hunting in Microsoft Defender for Office 365 +description: Steps and sample queries for advanced hunting to start reviewing your security configuration and removing unnecessary allowlist entries. -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH Last updated 01/04/2023 # Introduction -Historically, allow lists have told Exchange Online Protection to ignore the signals indicating an email is malicious. It's commonplace for vendors to request IPs, domains, and sender addresses be overridden unnecessarily. Attackers have been known to take advantage of this mistake and it's a pressing security loophole to have unnecessary allow list entries. This step-by-step guide walks you through using advanced hunting to identify these misconfigured overrides and remove them, so you can increase your organization's security posture. +Historically, allowlists enabled Exchange Online Protection to ignore the signals indicating an email is malicious. It's commonplace for vendors to request IPs, domains, and sender addresses be overridden unnecessarily. Attackers are known to take advantage of this mistake and it's a pressing security loophole to have unnecessary allowlist entries. This step-by-step guide walks you through using advanced hunting to identify these misconfigured overrides and remove them, so you can increase your organization's security posture. -## What you will need +## What you need - Microsoft Defender for Office 365 Plan 2 (Included in E5 plans, or trial available at aka.ms/trymdo) - Sufficient permissions (Security reader role)-- 5-10 minutes to do the steps below.+- 5-10 minutes to do the following procedures. ## Common steps for all the below queries -1. [Login to the security portal and navigate to advanced hunting](https://security.microsoft.com/advanced-hunting) +1. [Sign in to the security portal and navigate to advanced hunting](https://security.microsoft.com/advanced-hunting) 2. Enter the KQL query into the query box, and press **Run Query**.-3. Pressing the **NetworkMessageId** hyperlink for individual emails when shown in the results loads a flyout, allowing easy access to the email entity page, where the **analysis** tab provides further details, such as the transport rule(s) that email matched. +3. Pressing the **NetworkMessageId** hyperlink for individual emails when shown in the results loads a flyout, allowing easy access to the email entity page, where the **analysis** tab provides further details, such as the transport rules that email matched. 4. The results can also be exported by pressing **Export** for manipulation / analysis offline. > [!TIP]-> Changing **OrgLevelAction** to **UserLevelAction** will allow you to search for emails getting overridden by users rather than administrators, and can also be a useful insight. +> Changing **OrgLevelAction** to **UserLevelAction** will allow you to search for email warnings that were overridden by users rather than administrators, and can also be a useful insight. ## Queries ### Top override source -Use this query to find where the most unnecessary overrides are located. This query looks for emails that have been overridden without any detection that needed an override. +Use this query to find where the most unnecessary overrides are located. This query looks for emails that were overridden without any detection that needed an override. ```kusto EmailEvents EmailEvents ### Top overridden IPs -This query looks for emails that have been overridden by IP, without any detection that called for an override. +This query looks for emails that were overridden by IP, without any detection that called for an override. ```kusto EmailEvents EmailEvents ### Top overridden domains -This query looks for emails that have been overridden by sending domain without any detection that called for an override. **(Change to SenderMailFromDomain to check the 5321.MailFrom)** +This query looks for emails that were overridden by sending domain without any detection that called for an override. **(Change to SenderMailFromDomain to check the 5321.MailFrom)** ```kusto EmailEvents EmailEvents ### Top overridden senders -This query looks for emails that have been overridden by sending address without any detection that requires an override. **(Change to SenderMailFromAddress to check the 5321.MailFrom)** +This query looks for emails that were overridden by sending address without any detection that requires an override. **(Change to SenderMailFromAddress to check the 5321.MailFrom)** ```kusto EmailEvents EmailEvents ## Learn More -Hopefully you found this useful, with some basic queries to get you started with advanced hunting, to learn more check out the below articles +Hopefully you found this article to be useful, with some basic queries to get you started with advanced hunting, to learn more check out the below articles: -Learn more about advanced hunting: [Overview - Advanced hunting](../../defender/advanced-hunting-overview.md) +Learn more about advanced hunting: [Overview - Advanced hunting](../../defender/advanced-hunting-overview.md). -Learn more about authentication: [Email Authentication in Exchange Online Protection](../email-authentication-about.md) +Learn more about authentication: [Email Authentication in Exchange Online Protection](../email-authentication-about.md). |
security | Search For Emails And Remediate Threats | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/search-for-emails-and-remediate-threats.md | Title: Search for emails and remediate threats using Threat Explorer in Microsoft Defender XDR description: The steps to do manual remediation in Threat Explorer in Microsoft Defender XDR, including how to get the best performance and scenarios that call for remediation. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -## What you'll need +## What you need - Microsoft Defender for Office 365 Plan 2 (Included in E5 plans) - Sufficient permissions (be sure to grant the account [Search and Purge](https://sip.security.microsoft.com/securitypermissions) role) ## Create and track the remediation -1. **Select a threat to remediate** in [Threat Explorer](https://security.microsoft.com/threatexplorer) and select the **Message Actions** button, which will offer you options such as *Soft Delete* or *Hard Delete*. -1. The side pane will open and ask for details like a name for the remediation, severity, and description. Once the information is reviewed, press **Submit**. -1. As soon as the admin approves this action, they will see the Approval ID and a link to the Microsoft Defender XDR Action Center [here](https://security.microsoft.com/action-center/history). This page is where **actions can be tracked**. +1. **Select a threat to remediate** in [Threat Explorer](https://security.microsoft.com/threatexplorer) and select the **Message Actions** button, which offers you options such as *Soft Delete* or *Hard Delete*. +1. The side pane opens and asks for details, like a name for the remediation, severity, and description. Once the information is reviewed, select **Submit**. +1. As soon as the admin approves this action, they see the Approval ID and a link to the Microsoft Defender XDR Action Center [here](https://security.microsoft.com/action-center/history). This page is where **actions can be tracked**. 1. **Admin action alert** - A system alert shows up in the alert queue with the name 'Administrative action submitted by an Administrator'. This indicates that an admin took the action of remediating an entity. It gives details such as the name of the admin who took the action, and the investigation link and time. This makes admins aware of each important action, like remediation, taken on entities.- 1. **Admin action investigation** - Since the analysis on entities was already done by the admin and that's what led to the action taken, no additional analysis is done by the system. It shows details such as related alert, entity selected for remediation, action taken, remediation status, entity count, and approver of the action. This allows admins to keep track of the investigation and actions carried out *manually*--an admin action investigation. + 1. **Admin action investigation** - Since the analysis on entities was already done by the admin and that's what led to the action taken, no more analysis is done by the system. It shows details such as related alert, entity selected for remediation, action taken, remediation status, entity count, and approver of the action. This allows admins to keep track of the investigation and actions carried out *manually*--an admin action investigation. 1. **Action logs in unified action center** - History and action logs for email actions like soft delete and move to deleted items folder, are *all available in a centralized view* under the unified **Action Center** > **History tab**. 1. **Filters in unified action center** - There are multiple filters such as remediation name, approval ID, Investigation ID, status, action source, and action type. These are useful for finding and tracking email actions in unified Action center. Email remediation is an already existing feature that helps admins act on emails Here are scenarios of email remediation: -1. As part of an investigation SecOps identifies a threat in an end-user's mailbox and wants to clear out the problem email(s). +1. As part of an investigation SecOps identifies a threat in an end-user's mailbox and wants to clear out the problem emails. 1. When suggested email actions in Automated Investigation and Response (AIR) are approved by SecOps, remediation action triggers automatically for the given email or email cluster. Two manual email remediation scenarios: Given the common scenarios, email remediation can be triggered in three differen 1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in. 1. In the navigation pane, select **Action center**.-1. Go to the **History** tab, click on any waiting approval list. It opens up a side pane. +1. Go to the **History** tab, select any waiting approval list. It opens up a side pane. 1. Track the action status in the unified action center. ## More information -[Learn more about email remediation](../../office-365-security/air-review-approve-pending-completed-actions.md) +[Learn more about email remediation](../../office-365-security/air-review-approve-pending-completed-actions.md). |
security | Stay Informed With Message Center | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center.md | Title: Steps to set up a weekly digest email of message center changes for Microsoft Defender for Office 365 description: The steps to set up a weekly digest email of message center activity to stay up-to-date about changes to Microsoft Defender for Office 365. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Step By Step Guide Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview.md | Title: Microsoft Defender for Office 365 step-by-step guides and how to use them -description: What are the step-by-step-guides for Microsoft Defender XDR for Office 365? See *only the steps needed to complete a task* and set up features. Information for use in trial subscriptions and production. Guidance designed to minimise information overload and speed up your configuration and use. -search.product: +description: What are the step-by-step-guides for Microsoft Defender XDR for Office 365? See *only the steps needed to complete a task* and set up features. Information for use in trial subscriptions and production. Guidance designed to minimize information overload and speed up your configuration and use. -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH -Microsoft Defender for Office 365 is a powerful product with a lot of capabilities. Along with that comes a lot of documentation and detail. **But sometimes you have to get a task completed *quickly*. That's when you need a step-by-step guide.** +Microsoft Defender for Office 365 is a powerful product with many capabilities. Along with that comes much documentation and detail. **But sometimes you have to get a task completed *quickly*. That's when you need a step-by-step guide.** -These step-by-step guides help administrators configure and use Microsoft Defender for Office 365 by reducing distracting information like how a feature might work, and other details not *directly linked to completing a process*. The guides maximize on specific steps and clicks needed to do a thing, and reduce the time taken for admins to test a feature and secure an organization. +These step-by-step guides help administrators configure and use Microsoft Defender for Office 365 by reducing distracting information like how a feature might work, and other details not *directly linked to completing a process*. The guides focus on specific steps to perform a task, and reduce the time taken for admins to test a feature and secure an organization. -***If you learn Microsoft products best by doing***, the step-by-step guides will jumpstart configuration and testing. They are as useful for set up in a *trial subscription* as they are in *production*. +***If you learn Microsoft products best by doing***, the step-by-step guides will jumpstart configuration and testing. They're as useful for setup in a *trial subscription* as they are in *production*. > [!NOTE]-> Try the [Defender for Office 365 setup guide](https://go.microsoft.com/fwlink/?linkid=2224785) for step-by-step instructions that are tenant-aware and customized to your organization's needs. This setup guide helps you implement anti-malware policies, anti-phishing policies, safe attachments, and more. +> Try the [Defender for Office 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=ADG#/modernonboarding/office365advancedthreatprotectionadvisor) for step-by-step instructions that are tenant-aware and customized to your organization's needs. This setup guide helps you implement anti-malware policies, anti-phishing policies, safe attachments, and more. ## Why use Microsoft Defender for Office 365 step-by-step guides These step-by-step guides help administrators configure and use Microsoft Defend Beyond links to the documentation, the step-by-step guides don't concern themselves with product details (the docs around Microsoft Defender for Office 365 are thorough for when you need them). -Instead, these guides are streamlined for **learning by doing**, **testing**, and **running experiments**. They're ideal for **trial subscriptions**, and will allow admins and security operators to **deploy the same logic in production**. +Instead, these guides are streamlined for **learning by doing**, **testing**, and **running experiments**. They're ideal for **trial subscriptions**, and allow admins and security operators to **deploy the same logic in production**. ## Examples -- If you've just got Microsoft Defender for Office 365, and you want to get protected as quickly as possible use [Preset security policies](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md).+- If you recently got Microsoft Defender for Office 365, and you want to get protected as quickly as possible use [Preset security policies](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md). -- Take advantage of additional protections designed for [members of your c-suite](protect-your-c-suite-with-priority-account-protection.md).+- Take advantage of other protections designed for [members of your c-suite](protect-your-c-suite-with-priority-account-protection.md). - How do you [setup](how-to-run-attack-simulations-for-your-team.md) or [automate](how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md) a new simulation quickly and easily? |
security | Track And Respond To Emerging Threats With Campaigns | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/track-and-respond-to-emerging-threats-with-campaigns.md | Title: Track and respond to emerging security threats with campaigns view in Microsoft Defender for Office 365 description: Walkthrough of threat campaigns within Microsoft Defender for Office 365 to demonstrate how they can be used to investigate a coordinated email attack against your organization. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Tune Bulk Mail Filtering Walkthrough | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/tune-bulk-mail-filtering-walkthrough.md | Title: Assess and tune your filtering for bulk mail in Defender for Office 365 description: Tune bulk filtering settings within Exchange Online and Microsoft Defender for Office 365 -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |
security | Utilize Microsoft Defender For Office 365 In Sharepoint Online | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online.md | Title: Use Microsoft Defender for Office 365 in SharePoint Online description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive. -search.product: -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH |