-### WhatΓÇÖs the scope of user-level table?

- - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both within the last 28 days.

- - Numerator: The number of people who have shared files externally with in the last 28 days

- - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both, and sent at least one attachment within the last 28 days.

- - Numerator: The number of people who have shared files internally only within the last 28 days

- :::image type="content" source="images/validate-intune-connector.png" alt-text="The intune-connector status pane in the Microsoft Defender portal." lightbox="images/validate-intune-connector.png":::

- > 

- :::image type="content" source="mediE_new.png":::

- :::image type="content" source="../images/webapp-create-key2.png" alt-text="The Certificates & secrets menu item in the Manage pane in the Microsoft Entra admin center" lightbox="../images/webapp-create-key2.png":::

- :::image type="content" source="../images/webapp-create-key2.png" alt-text="The create app key" lightbox="../images/webapp-create-key2.png":::

- :::image type="content" source="../images/webapp-decoded-token.png" alt-text="The token validation page" lightbox="../images/webapp-decoded-token.png":::

- :::image type="content" source="../images/webapp-create-key2.png" alt-text="The create application option" lightbox="../images/webapp-create-key2.png":::

- :::image type="content" source="../images/webapp-decoded-token.png" alt-text="The token details portion" lightbox="../images/webapp-decoded-token.png":::

- :::image type="content" source="../images/storage-account-resource-id.png" alt-text="The Event Hubs with resource ID1" lightbox="../images/storage-account-resource-id.png":::

- :::image type="content" source="../images/storage-account-event-schema.png" alt-text="The Event Hubs with resource ID2" lightbox="../images/storage-account-event-schema.png":::

- :::image type="content" source="images/ua-migration.png" alt-text="Screenshot of saving the shared folder by MECM.":::

- :::image type="content" source="images/user-experience-in-deployment-type-wizard.png" alt-text="Screenshot that shows user experience in deployment-type wizard.":::

-|wdavdaemon unprivileged|N/A|Antivirus engine| The following diagram shows the workflow and steps required in order to add Antivirus exclusions. <br/><br/> :::image type="content" source="images/unprivileged-plugins.png" alt-text="Screenshot that shows This is unprivileged sensors." lightbox="images/unprivileged-plugins.png"::: <br/><br/>**General troubleshooting guidance**<br/> - If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support).

-|wdavdaemon edr| N/A |EDR engine|The following diagram shows the workflow and steps to troubleshoot wdavedaemon_edr process issues. <br/><br/> :::image type="content" source="images/wdavdaemon_edr_engine.png" alt-text="Image of troubleshooting wdavdaemon edr process." lightbox="images/wdavdaemon_edr_engine.png"::: <br/><br/>**General troubleshooting guidance**<br/>- If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe are incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support).

- :::image type="content" source="media/secconmgmt_baseline_intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="media/secconmgmt_baseline_intuneprofile1.png":::<br>

- :::image type="content" source="media/secconmgmt_baseline_intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="media/secconmgmt_baseline_intuneprofile2.png":::<br>

- :::image type="content" source="media/secconmgmt_baseline_intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="media/secconmgmt_baseline_intuneprofile3.png":::<br>

- :::image type="content" source="media/secconmgmt_baseline_intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="media/secconmgmt_baseline_intuneprofile4.png":::<br>

- :::image type="content" source="images/smartscreen-app-reputation-known-good.png" alt-text="Based on the target file's reputation, SmartScreen allows the download without interference.":::

- :::image type="content" source="images/smartscreen-app-reputation-unknown.png" alt-text="SmartScreen doesn't have sufficient reputation information about the download file, and warns the user to stop or proceed with caution.":::

- :::image type="content" source="images/smartscreen-app-reputation-known-malware.png" alt-text="Screenshot showing how SmartScreen detects a file download with an unsafe reputation; the download is blocked.":::

- :::image type="content" source="images/smartscreen-url-reputation-is-this-phishing.png" alt-text="SmartScreen alerts the user the site is potentially a phishing site and possibly unsafe":::

- :::image type="content" source="images/smartscreen-url-reputation-this-is-phishing.png" alt-text="SmartScreen reports the site is known for containing phishing threats":::

- :::image type="content" source="images/smartscreen-url-reputation-malware-page.png" alt-text="SmartScreen alerts the user that the site is know for containing harmful programs":::

- :::image type="content" source="images/smartscreen-url-reputation-malvertising.png" alt-text="A demonstration of how SmartScreen responds to a frame on a page that is detected to be malicious. Only the malicious frame is blocked":::

- :::image type="content" source="images/simulations-tab.png" alt-text="Simulations tab" lightbox="images/simulations-tab.png":::

- :::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggleSup" lightbox="images/tvm-app-sync-toggle.png":::

- :::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggle" lightbox="images/tvm-app-sync-toggle.png":::

- :::image type="content" source="images/tvm-full-app-data.png" alt-text="Full App Data" lightbox="images/tvm-full-app-data.png":::

- :::image type="content" source="images/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen." lightbox="images/tvm-user-privacy2.png":::

- :::image type="content" source="images/software-license-agreement.png" alt-text="Screenshot that shows the Software License Agreement.":::

- :::image type="content" source="images/sysext-new-profile.png" alt-text="The configuration settings sysext new profile." lightbox="images/sysext-new-profile.png":::

- :::image type="content" source="images/sysext-configure.png" alt-text="The pane with the Configure option for the system extensions." lightbox="images/sysext-configure.png":::

- :::image type="content" source="images/sysext-configure2.png" alt-text="The MDATP MDAV system extensions pane." lightbox="images/sysext-configure2.png":::

- :::image type="content" source="images/sysext-scope.png" alt-text="The display of options regarding MDATP MDAV System Extensions." lightbox="images/sysext-scope.png":::

- :::image type="content" source="images/sysext-final.png" alt-text="The configuration settings sysext - final." lightbox="images/sysext-final.png":::

- :::image type="content" source="images/ts-mode-rtp-disable.png" alt-text="Screenshot displaying the screenshot of real time protection being disabled.":::

- :::image type="content" source="images/ts-mode-mdatp-health.png" alt-text="Screnshot displaying the screenshot of the output report of mdatp health running.":::

- :::image type="content" source="images/virus-and-threat-protection-screen.png" alt-text="The Virus & threat protection screen containing the Fix button." lightbox="images/virus-and-threat-protection-screen.png":::

-### Set up a different/specific proxy configuration for MDE WSL

-If you want to set up a different proxy for Defender running in WSL (other than the Windows proxy specified with `TelemetryProxyServer`), or you have currently configured a system-wide proxy, the proxy configuration isn't automatically available for the plug-in. In this case, take these steps:

-1. Open Registry Editor as an administrator or use a tool that can configure registry keys across devices.

-2. Create a registry key with the following details:

- - **Name:** `DefenderProxyServer`

- - **Type:** `REG_SZ`

- - **Value:** *IP address*: *port number* (Example: `192.126.30.222:8888`)

- - **Path:** `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\Plugins\DefenderPlug-in`

-3. Once the registry is set, if WSL is already running or plug-in is already installed, restart wsl using the following steps:

- 1. Open Command Prompt and run `wsl --shutdown`.

- 2. Then, run the command `wsl`.

- - Enable the connectivity test and check for Defender for Endpoint connectivity in WSL. If the connectivity test fails, provide the output of the health check tool to [mdeforwsl-preview@microsoft.com](mailto:mdeforwsl-preview@microsoft.com).

-|[Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467)|Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities

-|[Splunk](https://go.microsoft.com/fwlink/?linkid=2129805)|The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk

-|[XM Cyber](/microsoft-365/compliance/insider-risk-management-configure)|Prioritize your response to an alert based on risk factors and high value assets

-|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together

-|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time

-|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices

-|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense

- :::image type="content" source="images/submit-file.png" alt-text="The submit PE files button" lightbox="images/submit-file.png":::

- :::image type="content" source="images/user-page-details.png" alt-text="The details pane when a user is selected" lightbox="images/user-page-details.png":::

-1. :::image type="content" source="images/vi_etc_anacron.png" alt-text="Sample Anacron Job Linux." lightbox="images/vi_etc_anacron.png" link="images/vi_etc_anacron.png":::

- :::image type="content" source="images/vi_etc_anacron.png" alt-text="Sample Anacron Job Linux." lightbox="images/vi_etc_anacron.png" link="images/vi_etc_anacron.png":::

- :::image type="content" source="images/vi_mdavfullscan.png" alt-text="weekly antivirus scans":::

- :::image type="content" source="media/mdav_avacron_full_scan_log.png" alt-text="verify the job ran":::

- :::image type="content" source="images/upload-file.png" alt-text="The upload file" lightbox="images/upload-file.png":::

- :::image type="content" source="images/windefatp-sc-qc-diagtrack.png" alt-text="The result of the sc query command for diagtrack" lightbox="images/windefatp-sc-qc-diagtrack.png":::

- :::image type="content" source="images/wpr-01.png" alt-text="The Start menu" lightbox="images/wpr-01.png":::

- :::image type="content" source="images/wpt-yes.png" alt-text="The UAC page" lightbox="images/wpt-yes.png":::

- :::image type="content" source="images/wpr-03.png" alt-text="The page on which you can select more options" lightbox="images/wpr-03.png":::

- :::image type="content" source="images/wpr-infile.png" alt-text="The in-file" lightbox="images/wpr-infile.png":::

- :::image type="content" source="images/wpr-08.png" alt-text="The Hide options" lightbox="images/wpr-08.png":::

- :::image type="content" source="images/wpr-09.png" alt-text="The Record system information page" lightbox="images/wpr-09.png":::

- :::image type="content" source="images/wpr-10.png" alt-text="The Save option" lightbox="images/wpr-10.png":::

- :::image type="content" source="images/wpr-12.png" alt-text="The pane in which you fill" lightbox="images/wpr-12.png":::

- :::image type="content" source="images/wpr-13.png" alt-text="The WPR gathering general trace" lightbox="images/wpr-13.png":::

- :::image type="content" source="images/wpr-14.png" alt-text="The page displaying the notification that WPR trace has been saved" lightbox="images/wpr-14.png":::

- :::image type="content" source="images/wpr-15.png" alt-text="The details of the file and the folder" lightbox="images/wpr-15.png":::

- :::image type="content" source="images/wtp-blocks-over-time.png" alt-text="The card showing web threats protection detections over time" lightbox="images/wtp-blocks-over-time.png":::

- :::image type="content" source="images/wtp-summary.png" alt-text="The card showing web threats protection summary" lightbox="images/wtp-summary.png":::

- :::image type="content" source="images/wtp-website-details.png" alt-text="The domain or URL entity details page" lightbox="images/wtp-website-details.png":::

-Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption in uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise.

-2. [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups).

-3. [Review or change the automated response exclusions for users](#review-or-change-automated-response-exclusions-for-users).

-## Review or change the automation level for device groups

-Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, like your organization's device group policies. Review the configured automation level for your device group policies. You must be a global administrator or security administrator to perform the following procedure:

-The report is cached for a couple of minutes. The system provides the previously generated PDF if you try to export the same incident again within a short time frame. To generate a newer version of the PDF, wait for the cache to expire.

- :::image type="content" source="../defender-endpoint/images/storage-account-event-schema.png" alt-text="Example of a blob container" lightbox="../defender-endpoint/images/storage-account-event-schema.png":::

-description: Examples and walkthrough of using Explorer to determine the impact of a security control (configuration) change in Microsoft Defender for Office 365

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-Before you make change(s) to your security configuration, such as policies or transport rules, it's important to understand the impact of the change(s) so that you can plan and ensure *minimal* disruption to your organization.

-This step-by-step guide takes you through assessing a change, and exporting the impacted emails for assessment. The procedure can be applied to many different changes, by altering the criteria (filters) you use in explorer.

-## What you'll need

-1. **Login** to the security portal and navigate to Explorer (underneath *Email & Collaboration* on the left nav) <https://security.microsoft.com/threatexplorer>.

-1. **Login** to the security portal and navigate to **Explorer** (underneath Email & Collaboration on the left nav) <https://security.microsoft.com/threatexplorer>.

-Consider using secure presets [Ensuring you always have the optimal security controls with preset security policies](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md)

-You can also manage email authentication issues with spoof intelligence [Spoof intelligence insight](../anti-spoofing-spoof-intelligence.md)

-Learn more about email authentication [Email Authentication in Exchange Online Protection](../email-authentication-about.md)

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-## What you will need

-1. [Login to the Azure Portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** \> Pick the relevant workspace to integrate with Microsoft Defender XDR.

- 1. On the left-hand navigation menu underneath the heading **Configuration** \> choose **Data connectors**.

-2. When the page loads, **search for** Microsoft Defender XDR **and select the Microsoft Defender XDR connector**.

-3. On the right-hand flyout, select **Open Connector Page**.

-4. Under the **Configuration** section of the page that loads, select **Connect incidents & alerts**, leaving Turn off all Microsoft incident creation rules for these products ticked.

-5. Scroll to **Microsoft Defender for Office 365** in the **Connect events** section of the page. Select **EmailEvents, EmailUrlInfo, EmailAttachmentInfo & EmailPostDeliveryEvents** then **Apply Changes** at the bottom of the page. (Choose tables from other Defender products if helpful and applicable, during this step.)

-Admins will now be able to see incidents, alerts, and raw data in Microsoft Sentinel and use this data for *advanced hunting*, pivoting on existing and new data from Microsoft Defender.

-[Connect Microsoft Defender XDR data to Microsoft Sentinel | Microsoft Docs](/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)

-[Connect Microsoft Teams to Microsoft Sentinel](/microsoftteams/teams-sentinel-guide)

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-Providing security admins and users with a very simple way to manage false positive folders is vital given the increased demand for a more aggressive security posture with the evolution of hybrid work. Taking a prescriptive approach, admins and users can achieve this with the guidance below.

-## What you will need

-Once it has been decided the categories of items users can triage or not-triage, and created the corresponding quarantine policies, admins should to assign these policies to the respective users and enable notifications.

-1. In the **Actions** tab, select **Quarantine message** for categories. You will notice an additional panel for *select quarantine policy*, use that dropdown to select the quarantine policy you created earlier.

-1. Move on to the **Review** section and click the **Confirm** button to create the new policy.

-Learn more about organization branding and notification settings here [Quarantine policies - Office 365 | Microsoft Docs](../../office-365-security/quarantine-policies.md)

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-When alerts are triggered in Microsoft Defender XDR, automated investigation and response (AIR) will trigger to hunt across an organization's subscription, determine the impact and scope of the threat, and collate the information into a single Incident so that admins don't have to manage multiple incidents.

-## What you'll need

-Now you have a prioritized list of incidents, from which you can select to rename, assign, classify, tag, change the status or add comments via the Manage incidents button.

-If you are looking for specific alerts, either use the incident search capability (*Search for name or ID*) or consider using the alert queue filtering on a specific alert.

-After you have prioritized your incident queue, click on the Incident you'd like to investigate to load the incidents Overview page. There will be useful information such as *MITRE ATT&CK techniques observed* and a *timeline of the attack*.

-Any items showing as *Pending Action* within Evidence and Response are awaiting approval from an administrator. Sorting by the remediation status column in the *All Evidence* view is recommended, followed by clicking the entity or cluster to load the flyout menu where you can then approve the actions if appropriate.

-If you need to understand the items involved further, you can use the incident graph to see the visual linkage of the evidence and entities involved. Alternatively, you can review the underlying investigations, which will show more of the entities and items involved in the security event.

-[Manage incidents in Microsoft Defender XDR | Microsoft Docs](../../defender/manage-incidents.md)

-[How automated investigation and response works in Microsoft Defender for Office 365](../air-about-office.md)

-[Remediation actions in Microsoft Defender for Office 365](../air-remediation-actions.md)

-description: The steps to send an Attack Simulation payload to your target users for your team or organization for training. Simulated attacks can help you identify and find vulnerable users, policies and practices before a real attack impacts your organization.

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-Attack simulation training allows you to run realistic but benign cyber attack scenarios in your organization. Simulated attacks can help you identify and find vulnerable users, policies and practices before a real attack impacts your organization, leveraging inbuilt or custom training to reduce risk and better educate end users about threats.

-## What you'll need

-1. Pick the technique you'd like to use from the flyout, and press **Next**.

-1. Name the Simulation with something relevant / memorable and press **Next**.

-1. Pick a relevant payload from the wizard, review the details and customize if appropriate, when you are happy with the choice, press **Next**.

-1. Choose who to target with the payload. If choosing the entire organization highlight the radio button and press **Next**.

-1. Otherwise, select **Add Users** and then search or filter the users with the wizard. Select Add User(s) and then **Next**.

- - Click **Next** to continue.

- 1. Under **Payload indicators**, check the box to add payload indicators to email. Adding payloads will help users to learn how to identify the phishing email. Select *Open preview panel* to view the message.

- 1. Click **Next** to continue.

-1. Select when to launch the simulation, and how long it should be valid for. You can also enable *region aware time zone delivery*. This option will deliver simulated attack messages to your employees during *their working hours* based on their region. Select **Next**.

-1. Send a test if you're ready. Review the summary of choices. Click **Submit**.

-To learn how Attack Simulation works see [Simulate a phishing attack with Attack simulation training - Office 365 | Microsoft Docs](../../office-365-security/attack-simulation-training-simulations.md)

-description: The steps to automate Attack Simulation training and send a payload to target users. By following this guide, you will learn to create automated attack flows with specific techniques and payloads.

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-Attack simulation training lets you run benign attack simulations on your organization to assess your phishing risk and teach your users how to better avoid phish attacks. By following this guide, you can configure automated flows with specific techniques and payloads that run when the specified conditions are met, launching simulations against your organization.

-## What you'll need

-1. If you picked OAuth as a Payload, you need to enter the name, logo and scope (permissions) you'd like the app to have when it's used in a simulation. *Next*.

-1. Otherwise, select **Add Users** and then search or filter the users with the wizard, press Add User(s). *Next*.

-1. Depending on your choice of Randomized or Fixed, the schedule details may differ, but select preferences on the choice, including the start and end dates of the automation. *Next*.

-1. **Submit** and the Simulation automation is setup.

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-description: The steps to protect your c-suite with priority account protection. Tagging an account as a Priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations.

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-Priority account protection helps IT and security teams ensure a high quality of service and protection for the critical people within your organization. Tagging an account as a priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations.

-## What you'll need

-1. Login to the [Microsoft Security Portal](https://security.microsoft.com/) and navigate to Settings on the left navigation bar.

-1. Select Email & collaboration on the page that loads and then click User tags

-1. On the User tags page, select the Priority account tag and press Edit

-1. On the flyout that appears, select Add members

-1. Search for the users you wish to tag, select one or more users and press Add

-1. Review the members you have selected and press Next

-1. Press Submit to confirm the changes

-1. Login to the [Microsoft Security Portal](https://security.microsoft.com/) and navigate to Settings on the left navigation bar.

-1. Select **Priority account protection**

-1. Ensure the protection is set to "On"

-[Review differentiated protection from priority account protection]

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-description: Steps and sample queries for advanced hunting to start reviewing your security configuration and removing unnecessary allow list entries.

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-Historically, allow lists have told Exchange Online Protection to ignore the signals indicating an email is malicious. It's commonplace for vendors to request IPs, domains, and sender addresses be overridden unnecessarily. Attackers have been known to take advantage of this mistake and it's a pressing security loophole to have unnecessary allow list entries. This step-by-step guide walks you through using advanced hunting to identify these misconfigured overrides and remove them, so you can increase your organization's security posture.

-## What you will need

-1. [Login to the security portal and navigate to advanced hunting](https://security.microsoft.com/advanced-hunting)

-3. Pressing the **NetworkMessageId** hyperlink for individual emails when shown in the results loads a flyout, allowing easy access to the email entity page, where the **analysis** tab provides further details, such as the transport rule(s) that email matched.

-> Changing **OrgLevelAction** to **UserLevelAction** will allow you to search for emails getting overridden by users rather than administrators, and can also be a useful insight.

-Use this query to find where the most unnecessary overrides are located. This query looks for emails that have been overridden without any detection that needed an override.

-This query looks for emails that have been overridden by IP, without any detection that called for an override.

-This query looks for emails that have been overridden by sending domain without any detection that called for an override. **(Change to SenderMailFromDomain to check the 5321.MailFrom)**

-This query looks for emails that have been overridden by sending address without any detection that requires an override. **(Change to SenderMailFromAddress to check the 5321.MailFrom)**

-Hopefully you found this useful, with some basic queries to get you started with advanced hunting, to learn more check out the below articles

-Learn more about advanced hunting: [Overview - Advanced hunting](../../defender/advanced-hunting-overview.md)

-Learn more about authentication: [Email Authentication in Exchange Online Protection](../email-authentication-about.md)

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-## What you'll need

-1. **Select a threat to remediate** in [Threat Explorer](https://security.microsoft.com/threatexplorer) and select the **Message Actions** button, which will offer you options such as *Soft Delete* or *Hard Delete*.

-1. The side pane will open and ask for details like a name for the remediation, severity, and description. Once the information is reviewed, press **Submit**.

-1. As soon as the admin approves this action, they will see the Approval ID and a link to the Microsoft Defender XDR Action Center [here](https://security.microsoft.com/action-center/history). This page is where **actions can be tracked**.

- 1. **Admin action investigation** - Since the analysis on entities was already done by the admin and that's what led to the action taken, no additional analysis is done by the system. It shows details such as related alert, entity selected for remediation, action taken, remediation status, entity count, and approver of the action. This allows admins to keep track of the investigation and actions carried out *manually*--an admin action investigation.

-1. As part of an investigation SecOps identifies a threat in an end-user's mailbox and wants to clear out the problem email(s).

-1. Go to the **History** tab, click on any waiting approval list. It opens up a side pane.

-[Learn more about email remediation](../../office-365-security/air-review-approve-pending-completed-actions.md)

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-description: What are the step-by-step-guides for Microsoft Defender XDR for Office 365? See *only the steps needed to complete a task* and set up features. Information for use in trial subscriptions and production. Guidance designed to minimise information overload and speed up your configuration and use.

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-Microsoft Defender for Office 365 is a powerful product with a lot of capabilities. Along with that comes a lot of documentation and detail. **But sometimes you have to get a task completed *quickly*. That's when you need a step-by-step guide.**

-These step-by-step guides help administrators configure and use Microsoft Defender for Office 365 by reducing distracting information like how a feature might work, and other details not *directly linked to completing a process*. The guides maximize on specific steps and clicks needed to do a thing, and reduce the time taken for admins to test a feature and secure an organization.

-***If you learn Microsoft products best by doing***, the step-by-step guides will jumpstart configuration and testing. They are as useful for set up in a *trial subscription* as they are in *production*.

-> Try the [Defender for Office 365 setup guide](https://go.microsoft.com/fwlink/?linkid=2224785) for step-by-step instructions that are tenant-aware and customized to your organization's needs. This setup guide helps you implement anti-malware policies, anti-phishing policies, safe attachments, and more.

-Instead, these guides are streamlined for **learning by doing**, **testing**, and **running experiments**. They're ideal for **trial subscriptions**, and will allow admins and security operators to **deploy the same logic in production**.

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security

-search.product:

-ms.sitesec: library

-ms.pagetype: security