-**Need something different?** You can:

-## Sign up for Microsoft 365 for business

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3znhX]

-Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams.

-With Customer Key, you control your organization's encryption keys and then configure Microsoft 365 to use them to encrypt your data at rest in Microsoft's data centers. In other words, Customer Key allows customers to add a layer of encryption that belongs to them, with their keys.

-Before you get started, ensure that you have the appropriate Azure subscriptions and licensing for your organization. Use paid Azure Subscriptions using either an Enterprise Agreement or a Cloud Service Provider. Credit Card based payments are not accepted. Approve and set up the account needs for invoicing. Subscriptions you got through Free, Trial, Sponsorships, MSDN Subscriptions, and those under Legacy Support are not eligible.

-Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Information Protection & Governance SKUs offer Customer Key. Office 365 Advanced Compliance SKU is no longer available for procuring new licenses. Existing Office 365 Advanced Compliance licenses will continue to be supported.

-

-Before contacting the Microsoft 365 team, you must do the following steps for each Azure subscription that you use with Customer Key. Ensure that you have the [Azure PowerShell Az](/powershell/azure/new-azureps-module-az) module installed before you start.

-

-3. Contact Microsoft to complete the process.

- - For enabling Customer Key for assigning DEP to individual Exchange Online mailboxes, contact [exock@microsoft.com](mailto:exock@microsoft.com).

- - For enabling Customer Key for assigning DEPs to encrypt SharePoint Online and OneDrive for Business content (including Teams files) for all tenant users, contact [spock@microsoft.com](mailto:spock@microsoft.com).

- - For enabling Customer Key for assigning DEPs to encrypt content across multiple Microsoft 365 workloads (Exchange Online, Teams, Microsoft Information Protection) for all tenant users, contact [m365-ck@service.microsoft.com](mailto:m365-ck@service.microsoft.com).

- - Include the following information in your email:

- Include the subscription IDs for which you want to complete the mandatory retention period and the output of Get-AzProviderFeature for each subscription.

- The Service Level Agreement (SLA) for completion of this process is five business days once Microsoft has been notified (and verified) that you have registered your subscriptions to use a mandatory retention period.

-4. Once you receive notification from Microsoft that registration is complete, verify the status of your registration by running the Get-AzProviderFeature command as follows. If verified, the Get-AzProviderFeature command returns a value of **Registered** for the **Registration State** property. Complete this step for each subscription.

-5. To complete the process, run the Register-AzResourceProvider command. Complete this step for each subscription.

-Create a separate, paired set of vaults for each data encryption policy. For Exchange Online, the scope of a data encryption policy is chosen by you when you assign the policy to mailbox. A mailbox can have only one policy assigned, and you can create up to 50 policies. The scope of a SharePoint Online policy includes all of the data within an organization in a geographic location, or _geo_. The scope for a multi-workload policy includes all of the data across the supported workloads for all users.

-> [!IMPORTANT]

-> To maximize availability, place your key vaults in regions close to your Microsoft 365 service For example, if your Exchange Online organization is in North America, place your key vaults in North America. If your Exchange Online organization is in Europe, place your key vaults in Europe.

->

-> Use a common prefix for key vaults, and include an abbreviation of the use and scope of the key vault and keys (e.g., for the Contoso SharePoint service where the vaults will be located in North America, a possible pair of names is Contoso-CK-SP-NA-VaultA1 and Contoso-CK-SP-NA-VaultA2. Vault names are globally unique strings within Azure, so you may need to try variations of your desired names in case the desired names are already claimed by other Azure customers. As of July 2017 vault names cannot be changed, so a best practice is to have a written plan for setup and use a second person to verify the plan is executed correctly.

->

-> If possible, create your vaults in non-paired regions. Paired Azure regions provide high availability across service failure domains. Therefore, regional pairs can be thought of as each other's backup region. This means that an Azure resource that is placed in one region is automatically gaining fault tolerance through the paired region. For this reason, choosing regions for two vaults used in a data encryption policy where the regions are paired means that only a total of two regions of availability are in use. Most geographies only have two regions, so it's not yet possible to select non-paired regions. If possible, choose two non-paired regions for the two vaults used with a data encryption policy. This benefits from a total of four regions of availability. For more information, see [Business continuity and disaster recovery (BCDR): Azure Paired Regions](/azure/best-practices-availability-paired-regions) for a current list of regional pairs.

-

-3. Confirm soft delete is configured for the key vault by running the **Get-AzKeyVault** cmdlet. If soft delete is configured properly for the key vault, then the _Soft Delete Enabled_ property returns a value of **True**:

-

-To create a key directly in your key vault, run the [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey) cmdlet as follows:

-

-```powershell

-Add-AzKeyVaultKey -VaultName <vault name> -Name <key name> -Destination <HSM|Software> -KeyOps wrapKey,unwrapKey

-```

-Where:

- > [!TIP]

- > Name keys using a similar naming convention as described above for key vaults. This way, in tools that show only the key name, the string is self-describing.

-

-If you intend to protect the key with an HSM, ensure that you specify **HSM** as the value of the _Destination_ parameter, otherwise, specify **Software**.

-For example:

-Add-AzKeyVaultKey -VaultName Contoso-CK-EX-NA-VaultA1 -Name Contoso-CK-EX-NA-VaultA1-Key001 -Destination HSM -KeyOps wrapKey,unwrapKey

-To import a key directly into your key vault, you need to have a nCipher nShield Hardware Security Module.

-Some organizations prefer this approach to establish the provenance of their keys, and then this method also provides the following attestations:

-Check with your security group to determine if the above attestations are required. For detailed steps to create a key on-premises and import it into your key vault, see [How to generate and transfer HSM-protected keys for Azure Key Vault](/azure/key-vault/keys/hsm-protected-keys). Use the Azure instructions to create a key in each key vault.

-

-If the _Recovery Level_ property returns anything other than a value of **Recoverable+ProtectedSubscription**, ensure that you have put the subscription on the Do Not Cancel list and that you have soft delete enabled on each of your key vaults.

-

-### Back up Azure Key Vault

-Immediately following creation or any change to a key, perform a backup and store copies of the backup, both online and offline. Don't connect offline copies to any network. Instead store them in an offline location, such as in a physical safe or commercial storage facility. At least one copy of the backup should be stored in a location that will be accessible if a disaster occurs. The backup blobs are the sole means of restoring key material should a Key Vault key be permanently destroyed or otherwise rendered inoperable. Keys that are external to Azure Key Vault and imported to Azure Key Vault don't qualify as a backup because the metadata necessary for Customer Key to use the key doesn't exist with the external key. Only a backup taken from Azure Key Vault can be used for restore operations with Customer Key. Therefore, you must create a backup of Azure Key Vault after you upload or create a key.

-

-To create a backup of an Azure Key Vault key, run the [Backup-AzKeyVaultKey](/powershell/module/az.keyvault/backup-azkeyvaultkey) cmdlet as follows:

-```powershell

-Backup-AzKeyVaultKey -VaultName <vault name> -Name <key name>

-```

-Ensure that your output file uses the suffix `.backup`.

-

-The output file resulting from this cmdlet is encrypted and cannot be used outside of Azure Key Vault. The backup can be restored only to the Azure subscription from which the backup was taken.

-

-> [!TIP]

-> For the output file, choose a combination of your vault name and key name. This will make the file name self-describing. It will also ensure that backup file names do not collide.

-

-For example:

-

-```powershell

-Backup-AzKeyVaultKey -VaultName Contoso-CK-EX-NA-VaultA1 -Name Contoso-CK-EX-NA-VaultA1-Key001 -OutputFile Contoso-CK-EX-NA-VaultA1-Key001-Backup-20170802.backup

-```

-### Validate Azure Key Vault configuration settings

-Validating before using keys in a DEP is optional, but highly recommended. If you use steps to set up your keys and vaults other than the ones described in this article, validate the health of your Azure Key Vault resources before you configure Customer Key.

-

-To verify that your keys have `get`, `wrapKey`, and `unwrapKey` operations enabled:

-

-Run the [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet as follows:

-

-```powershell

-Get-AzKeyVault -VaultName <vault name>

-```

-In the output, look for the Access Policy and for the Exchange Online identity (GUID) or the SharePoint Online identity (GUID) as appropriate. All three of the above permissions must be shown under Permissions to Keys.

-

-If the access policy configuration is incorrect, run the Set-AzKeyVaultAccessPolicy cmdlet as follows:

-

-```powershell

-Set-AzKeyVaultAccessPolicy -VaultName <vault name> -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName <Office 365 appID>

-```

-For example, for Exchange Online and Skype for Business:

-

-```powershell

-Set-AzKeyVaultAccessPolicy -VaultName Contoso-CK-EX-NA-VaultA1

-```

-For example, for SharePoint Online and OneDrive for Business:

-

-```powershell

-Set-AzKeyVaultAccessPolicy -VaultName Contoso-CK-SP-NA-VaultA1

-```

-To verify that an expiration date isn't set for your keys, run the [Get-AzKeyVaultKey](/powershell/module/az.keyvault/get-azkeyvault) cmdlet as follows:

-

-```powershell

-Get-AzKeyVaultKey -VaultName <vault name>

-```

-Customer Key can't use an expired key. Operations attempted with an expired key will fail, and possibly result in a service outage. We strongly recommend that keys used with Customer Key don't have an expiration date. An expiration date, once set, cannot be removed, but can be changed to a different date. If a key must be used that has an expiration date set, change the expiration value to 12/31/9999. Keys with an expiration date set to a date other than 12/31/9999 won't pass Microsoft 365 validation.

-

-To change an expiration date that has been set to any value other than 12/31/9999, run the [Update-AzKeyVaultKey](/powershell/module/az.keyvault/update-azkeyvaultkey) cmdlet as follows:

-

-```powershell

-Update-AzKeyVaultKey -VaultName <vault name> -Name <key name> -Expires (Get-Date -Date "12/31/9999")

-```

-> [!CAUTION]

-> Don't set expiration dates on encryption keys you use with Customer Key.

-

-|**Create**|An item was created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited.|^\*|^\*||

-| Supported languages| English <br>Coming later in 2022: Latin alphabet languages | Models work on all Latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese.|

-

-

-

-

- >

- >

- > Get-OrganizationRelationship | fl name, DomainNames, MailboxMoveEnabled, MailboxMoveCapability

- | | |

- | | |

-3. Non-hybrid target tenants can modify the quota on the Recoverable Items folder for the MailUsers prior to migration by running the following command to enable Litigation Hold on the MailUser object and increasing the quota to 100 GB: `Set-MailUser -EnableLitigationHoldForMigration`. Note this will not work for tenants in hybrid.

-

- > The *contoso.onmicrosoft.com* address is *not* present in the EmailAddresses / proxyAddresses array.

- | Advanced eDiscovery Storage (500 GB) |

- | |

-|**MX** <br/> **(Exchange Online)** <br/> |Sends incoming mail for your domain to the Exchange Online service in Office 365. <br/> **Note:** Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system. |**Domain:** For example, contoso.com <br/> **Target email server:**\<MX token\>.mail.protection.outlook.com <br/> **Preference/Priority:** Lower than any other MX records (this ensures mail is delivered to Exchange Online) - for example 1 or 'low' <br/> Find your \<MX token\> by following these steps: <br/> Sign in to Office 365, go to Office 365 admin \> Domains. <br/> In the Action column for your domain, choose Fix issues. <br/> In the MX records section, choose What do I fix? <br/> Follow the directions on this page to update your MX record. <br/> [What is MX priority?](../admin/setup/domains-faq.yml) <br/> |

-A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy.

-For more information about this architecture, including deployment objectives for your entire digital estate, see [Zero Trust Rapid Modernization Plan (RaMP)](https://review.docs.microsoft.com/security/zero-trust/zero-trust-ramp-overview?branch=zt-content-prototype).

-The first step is to build your Zero Trust foundation by configuring identity and device access protection.

-|Includes |Prerequisites |Doesn't include |

-|Recommended identity and device access policies for three tiers of protection:<br>- Starting point<br>- Enterprise (recommended)<br>- Specialized<br><br>Additional recommendations for:<br>- External users (guests<br>- Microsoft Teams<br>- SharePoint Online<br>- Microsoft Defender for Cloud Apps| Microsoft E3 or E5<br><br>Azure Active Directory in either of these modes:<br>- Cloud-only<br>- Hybrid with password hash sync (PHS) authentication<br>- Hybrid with pass-through authentication (PTA)<br>- Federated |Device enrollment for policies that require managed devices. See ΓÇ£Manage endpoints with IntuneΓÇ¥ to enroll devices |

-| | | |

-Start by implementing the starting-point tier. These policies do not require enrolling devices into management.

-Next, enroll your devices into management and begin protecting these with more sophisticated controls.

-Go to [**_Manage devices with Intune_**](../solutions/manage-devices-with-intune-overview.md) for prescriptive guidance to accomplish this.

-|Includes |Prerequisites |Doesn't include |

-|Enroll devices with Intune<br>- Corporate-owned devices<br>- Autopilot/automated<br>- enrollment<br><br>Configure policies<br>- App Protection policies<br>- Compliance policies<br>- Device profile policies | Register endpoints with Azure AD | Configuring information protection capabilities, including:<br>- Sensitive information types<br>- Labels<br>- DLP policies<br>For these capabilities, see Step 5. Protect and govern data (later in this article). |

-| | | |

-Return to [**_Common identity and device access policies_**](office-365-security/identity-access-policies.md) and add the policies in the Enterprise tier.

-Go to [**_Evaluate and pilot Microsoft 365 Defender_**](defender/eval-overview.md) for a methodical guide to piloting and deploying Microsoft 365 Defender components.

-|Includes |Prerequisites |Doesn't include |

-| Set up the evaluation and pilot environment for all components:<br>- Defender for Identity<br>- Defender for Office 365<br>- Defender for Endpoint<br>- Microsoft Defender for Cloud Apps<br><br>Protect against threats<br><br> Investigate and respond to threats | See the guidance to read about the architecture requirements for each component of Microsoft 365 Defender. | Azure AD Identity Protection is not included in this solution guide. It is included in Step 1: Configure Zero Trust identity and device access protection. |

-| | | |

-While this work is represented at the top of the deployment stack illustrated earlier in this article, you can begin this work anytime.

-For more information on how to plan and deploy information protection, see [**_Deploy a Microsoft Information Protection solution_**](../compliance/information-protection-solution.md).

-If you're deploying information protection for data privacy regulations, this solution guide provides a recommended framework for the entire process: [**_Deploy information protection for data privacy regulations with Microsoft 365_**](../solutions/information-protection-deploy.md).

-If you donΓÇÖt already have Microsoft Defender for Business, you can choose from several options:

-| **Custom rules** | [Custom rules](mdb-custom-rules-firewall.md) allow you to block or allow specific connections. For example, suppose that you want to block all incoming connections on devices that are connected to a private network, except for connections through a specific app on a device. In this case, you would set **Private network** to block all incoming connections, and then add a custom rule to define the exception. <br/><br/>You can use custom rules to define exceptions for specific files or apps, an Internet protocol (IP) address, or a range of IP addresses. <br/><br/>Depending on the type of custom rule you're creating, here are some example values you can use: <br/><br/>Application file path: `C:\Windows\System\Notepad.exe or %WINDIR%\Notepad.exe` <br/><br/>IP: A valid IPv4/IPv6 address, such as `192.168.1.0` or `192.168.1.0/24` ΓÇï<br/><br/>IP: A valid IPv4/IPv6 address range, formatted like `192.168.1.0-192.168.1.9` (with no spaces included) |

-Use the navigation bar on the left side of the screen to access your incidents, view reports, and manage your security policies. The following table describes items youΓÇÖll see in your navigation bar.

-| **Home** | Takes you to your home page in Microsoft 365 Defender. The home page includes cards that highlight any active threats that were detected, along with recommendations to help secure your companyΓÇÖs data and devices. <br/><br/>Recommendations are included in Defender for Business can save your security team time and effort. Recommendations are based on industry best practices. To learn more about recommendations, see [Security recommendations - threat and vulnerability management](../defender-endpoint/tvm-security-recommendation.md). |

-| **Secure score** | Provides you with a representation of your companyΓÇÖs security position and offers suggestions to improve it.<br/><br/>To learn more about Secure Score, see [Microsoft Secure Score for Devices](../defender-endpoint/tvm-microsoft-secure-score-devices.md). |

-| **Reports** | Lists your available security reports. These reports enable you to see your security trends, view details about threat detections and alerts, and learn more about your companyΓÇÖs vulnerable devices. |

-| **Health** | Enables you to view your service health status and plan for upcoming changes. <br/>- Select **Service health** to view the health status of the Microsoft 365 services that are included in your companyΓÇÖs subscription. <br/>- Select **Message center** to learn about planned changes and what to expect. |

-| **Permissions & roles** | Enables you to assign permissions to the people in your company who will be managing your security and viewing incidents and reports in the Microsoft 365 Defender portal. Also enables you to set up and manage device groups to onboard your companyΓÇÖs devices and assign your threat protection policies. |

-| **Settings** | Enables you to edit settings for the Microsoft 365 Defender portal and Microsoft Defender for Business. For example, you can onboard (or offboard) and your companyΓÇÖs devices (also referred to as endpoints). You can also define rules, such as alert suppression rules, and set up indicators to block or allow certain files or processes. |

-| **Allow users to access the Windows Security app** | Turn this setting on to enable users to open the Windows Security app on their devices. Users wonΓÇÖt be able to override settings that you configure in Microsoft Defender for Business, but they'll be able to run a quick scan if need be, or view any detected threats. |

-As policies are added, youΓÇÖll notice that an order of priority is assigned. You can edit the order of priority for the policies that you define, but you canΓÇÖt change the order of priority for default policies. For example, suppose that for your Windows client devices, you have three next-generation protection policies. In this case, your default policy is number 3 in priority. You can change the order of your policies that are numbered 1 and 2, but the default policy will remain number 3 in your list.

-When it comes to onboarding devices and configuring security settings for your companyΓÇÖs devices, you can choose from several experiences:

-| **Threat & Vulnerability Management (core scenarios)** | Learn about threat and vulnerability management through three scenarios: <br/><br/>1. Reduce your companyΓÇÖs threat and vulnerability exposure. <br/>2. Request a remediation. <br/>3. Create an exception for security recommendations. <br/><br/> Threat and vulnerability management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. |

- - When youΓÇÖre ready to proceed, choose **Update policy**.

- - When youΓÇÖre ready to proceed, choose **Create policy**.

- - **Profile**: Select ΓÇ£CustomΓÇ¥ and click Create

-5. Locate ΓÇ£Microsoft Defender for EndpointΓÇ¥ and select **DonΓÇÖt Optimize**.

-2. Select ΓÇ£Help & feedbackΓÇ¥.

-3. Select ΓÇ£Send feedback to MicrosoftΓÇ¥.

-4. Choose from the given options. To report an issue, select ΓÇ£I want to report an issueΓÇ¥.

-5. Provide details of the issue that you are facing and check ΓÇ£Send diagnostic dataΓÇ¥. We recommend checking ΓÇ£Include your email addressΓÇ¥ so that the team can reach back to you with a solution or a follow-up.

-6. Click on ΓÇ£SubmitΓÇ¥ to successfully send the feedback.

-> If your organization is previewing ΓÇÿTamper protectionΓÇÖ feature and if the new storage permissions are not granted by the user within 7 days of updating to the latest version, the user might lose access to corporate resources.

- > This permission allows Microsoft Defender for Endpoint to access storage on userΓÇÖs device, which helps detect and remove malicious and unwanted apps. Microsoft Defender for Endpoint accesses/scans Android app package file (.apk) only. On devices with a Work Profile, Defender for Endpoint only scans work-related files.

-1. After all exclusions are determined while in audit mode, start setting some ASR rules to "block" mode, starting with the rule that has the fewest triggered events. SeeΓÇ¥ [Enable attack surface reduction rules](enable-attack-surface-reduction.md).

-Warn mode is effectively a Block instruction, but with the option for the user to ΓÇ£UnblockΓÇ¥ subsequent executions of the given flow or app. Warn mode unblocks on a per device, user, file and process combination. The warn mode information is stored locally and has a duration of 24 hours.

-5. Set rules to ΓÇ£blockΓÇ¥

-When testing attack surface reduction (ASR) rules it is important to start with the right business unit. YouΓÇÖll want to start with a small group of people in a specific business unit. You can identify some ASR champions within a particular business unit who can provide real-world impact about the ASR rules, and help you tune your implementation.

-For large enterprises, Microsoft recommends deploying ASR rules in ΓÇ£rings.ΓÇ¥ Rings are groups of devices that are visually represented as concentric circles that radiate outward like non-overlapping tree rings. When the innermost ring is successfully deployed, you can transition the next ring into the testing phase. Thorough assessment of your business units, ASR rules champions, apps, and processes is imperative to defining your rings.

-Some rules donΓÇÖt work well if un-signed, internally developed application and scripts are in high usage. It is more difficult to deploy ASR rules if code signing is not enforced.

-For rules with the ΓÇ£Rule StateΓÇ¥ specified:

-You can also set a rule in warn mode via PowerShell by simply specifying the AttackSurfaceReductionRules_Actions as ΓÇ£WarnΓÇ¥. For example:

-> The default state for the Attack Surface Reduction (ASR) rule ΓÇ£Block credential stealing from the Windows local security authority subsystem (lsass.exe)ΓÇ¥ will change from **Not Configured** to **Configured** and the default mode set to **Block**. All other ASR rules will remain in their default state: **Not Configured**. Additional filtering logic has already been incorporated in the rule to reduce end user notifications. Customers can configure the rule to **Audit**, **Warn** or **Disabled** modes, which will override the default mode. The functionality of this rule is the same, whether the rule is configured in the on-by-default mode, or if you enable Block mode manually. ΓÇ»

->IBM QRadar integration with Microsoft 365 Defender, which include Microsoft Defender for Endpoint is now supported by the new Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](../defender/streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products, including Microsoft Defender for Endpoint. For more information on the new QRadar Microsoft 365 Defender DSM, see [IBM QRadar Product Documentation](https://www.ibm.com/docs/en/dsm?topic=microsoft-365-defender), and for more information on Streaming API supported event types, see [Supported event types](../defender/supported-event-types.md).

-Microsoft has partnered with [Corelight](https://corelight.com/integrations/iot-security), provider of the industryΓÇÖs leading open network detection and response (NDR) platform, to help you discover IoT/OT devices across your organization. Using data, sent from Corelight network appliances, Microsoft 365 Defender gains increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks.

-To enable the Corelight integration, youΓÇÖll need to take the following steps:

-| Device | Isolate device | Disconnects a device from your organizationΓÇÖs network while retaining connectivity to Defender for Endpoint. This action enables you to monitor the device and take further action if needed. |

-Your organizationΓÇÖs attack surfaces are all the places where youΓÇÖre vulnerable to cyberattacks. With Defender for Endpoint Plan 1, you can reduce your attack surfaces by protecting the devices and applications that your organization uses. The attack surface reduction capabilities that are included in Defender for Endpoint Plan 1 are described in the following sections.

-Sometimes threats to your organizationΓÇÖs devices come in the form of files on removable drives, such as USB drives. Defender for Endpoint includes capabilities to help prevent threats from unauthorized peripherals from compromising your devices. You can configure Defender for Endpoint to block or allow removable devices and files on removable devices.

-With web protection, you can protect your organizationΓÇÖs devices from web threats and unwanted content. Web protection includes web threat protection and web content filtering.

-With network firewall protection, you can set rules that determine which network traffic is permitted to flow to or from your organizationΓÇÖs devices. With your network firewall and advanced security that you get with Defender for Endpoint, you can:

-With the Defender for Endpoint APIs, you can automate workflows and integrate with your organizationΓÇÖs custom solutions.

-

-

-

-

-

-

-

-You can generate GUID through online open source, or through PowerShell - [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?msclkid=c1398a25a6d911ec9c888875fa1f24f5&view=powershell-7.2)

-

-

-

-If still not working, you may want to contact us and share support cab by running cmd with administrator: ΓÇ£%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles

-You can run ΓÇÿGet-MpComputerStatusΓÇÖ on PowerShell as an Administrator. The following value will show whether the latest policy has been applied to the target machine.

-|Device Class|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [device setup class](/windows-hardware/drivers/install/overview-of-device-setup-classes). The following two links provide the complete list of Device Setup Classes. ΓÇÿSystem UseΓÇÖ classes are mostly refer to devices that come with a computer/machine from the factory, while ΓÇÿVendorΓÇÖ classes are mostly refer to devices that could be connected to an existing computer/machine: [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) and [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use). **Note**: Device Installation can be applied to any devices, not only Removable storage.|

-As opposed to malicious activity, which would typically scan the entire network from a small number of compromised devices, Microsoft Defender for EndpointΓÇÖs Standard discovery probing is initiated from all onboarded Windows devices making the activity benign and non-anomalous. The probing is centrally managed from the cloud to balance the probing attempt between all the supported onboarded devices in the network.

-The device discovery capabilities have been built to only discover and identify unmanaged devices on your network. This means that previously discovered devices that are already onboarded with Microsoft Defender for Endpoint wonΓÇÖt be probed.

-Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions will ensure that those devices wonΓÇÖt be actively probed and wonΓÇÖt be alerted. Those devices will be discovered using passive methods only (similar to Basic discovery mode).

-Network devices are not managed as standard endpoints, as Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan will obtain the necessary information from the devices. To do this, a designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for EndpointΓÇÖs threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.

- - When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that donΓÇÖt conflict are added to the superset policy that applies to a device.

-Once devices are excluded, you won’t be able to view updated or relevant information about vulnerabilities and installed software on these devices. It affects all threat and vulnerability management pages, reports, and related tables in advanced hunting.

-2. Select **Exclude** from the action bar on the device inventory page or from the actions menu in the device flyout.

-

- 3. Select a justification:

- - Device doesnΓÇÖt exist

- - Out of scope  

-4. Type a note and select **Exclude device**.

-> Excluding active devices is not recommended, since it is especially risky to not have visibility into their vulnerability info. If a device is active and you try to exclude it, youΓÇÖll get a warning message and a confirmation pop-up asking if you are sure you want to exclude an active device.

-Excluded devices are still visible in the Device inventory list. You can manage your view of excluded devices by:

-Once a device is excluded, if you go to the device page of an excluded device, you wonΓÇÖt be able to see data for discovered vulnerabilities, software inventory or security recommendations. The data also wonΓÇÖt show up in vulnerability management pages, related advanced hunting tables and the vulnerable devices report.

-You’ll be able to stop excluding a device at any time. Once devices are no longer excluded, their vulnerability data will be visible in vulnerability management pages, reports, and in advanced hunting. It may take up to 8 hours for the changes to take effect.

-2. Select **Stop exclusion**

-Γ¥» ./mde_installer.sh --help

- > DonΓÇÖt forget to add the comma after the closing curly bracket at the end of the `cloudService` block. Also, make sure that there are two closing curly brackets after adding Tag or Group ID block (please see the above example). At the moment, the only supported key name for tags is `GROUP`.

-+ΓÇöΓÇöΓÇöΓÇöΓÇö- minute (values: 0 - 59) (special characters: , - * /) <br>

-| +ΓÇöΓÇöΓÇöΓÇö- hour (values: 0 - 23) (special characters: , - * /) <br>

-| | +ΓÇöΓÇöΓÇö- day of month (values: 1 - 31) (special characters: , - * / L W C) <br>

-| | | +ΓÇöΓÇö- month (values: 1 - 12) (special characters: ,- * / ) <br>

-| | | | +ΓÇö- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C) <br>

- mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json

- 73467 actool     1249

- 1    launchd    407

- 73468 ibtool     344

- 549  telemetryd_v1   325

- 125  CrashPlanService 164

- - **macOS** - Only applicable for Public Preview, minimum required version: 101.43.84

-

-

- - **Linux** - Only applicable for Public Preview, minimum required version: 101.45.13

-

-

-

- - **Windows Server 2022**

-

- >

- >Signature verification only applies for PowerShell scripts.

-<br>

-****

-<br>

-****

-| remediate | Remediates an entity on the device. The remediation action will vary depending on the entity type: File: delete Process: stop, delete image file Service: stop, delete image file Registry entry: delete Scheduled task: remove Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y |

-Access the device inventory page by selecting **Device inventory** from the **Endpoints** navigation menu in the [Microsoft 365 Defender portal](/defender/microsoft-365-security-center-mde).

-The device inventory opens on the **Computers and Mobile** tab. At a glance youΓÇÖll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.

-From the **Network devices** and **IoT devices** tabs, youΓÇÖll also see information such as vendor, model and device type:

-**Exposure level** </br> | The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation. </br> </br> If the exposure level says ΓÇ£No data available,ΓÇ¥ there are a few reasons why this may be the case:</br>- Device stopped reporting for more than 30 days. In that case itΓÇÖs considered inactive, and the exposure isnΓÇÖt computed.</br>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements).</br>- Device with stale agent (unlikely).

-**Tags** </br> | Filter the list based on the grouping and tagging that youΓÇÖve added to individual devices. See [Create and manage device tags](machine-tags.md).

-**OS Platform** </br>| Filter by the OS platforms youΓÇÖre interested in investigating </br></br>(_Computers and mobile and IoT devices only_)

-**Windows version** </br> | Filter by the Windows versions youΓÇÖre interested in investigating.</br></br> (_Computers and mobile only_)

-**Onboarding status** </br> | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint. </br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but itΓÇÖs not currently onboarded. Microsoft highly recommends onboarding these devices. </br> - **Unsupported**: The endpoint was discovered in the network, but is not supported by Microsoft Defender for Endpoint. </br> - **Insufficient info**: The system couldnΓÇÖt determine the supportability of the device.</br></br> (_Computers and mobile only_)

-**Group** </br> | Filter the list based on the group youΓÇÖre interested in investigating. </br></br> (_Computers and mobile only_)

-**Device Type** </br> | Filter by the device type youΓÇÖre interested in investigating.</br></br> (_IoT devices only_)

-

-

-

-

-

- Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:

- Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:

- - ΓÇ£Intel(R) USB 3.0 eXtensible Host Controller ΓÇô 1.0 (Microsoft)ΓÇ¥ -> PCI\CC_0C03

- - ΓÇ£USB Root Hub (USB 3.0)ΓÇ¥ -> USB\ROOT_HUB30

- - ΓÇ£Generic USB HubΓÇ¥ -> USB\USB20_HUB

-5. Plug in the allowed USB again. YouΓÇÖll see that it's now allowed and available.

-Defender for Endpoint offers you much flexibility and configuration options. You can adjust and fine-tune your settings to suit your organizationΓÇÖs needs. For example, you can use Microsoft Endpoint Manager, Group Policy, and other methods to manage your endpoint security settings.

-If youΓÇÖre seeing false positives/negatives in Defender for Endpoint, see [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md).

-When youΓÇÖre ready to onboard your organizationΓÇÖs endpoints, you can choose from several methods, as listed in the following table: <br/><br/>

-We recommend using [Microsoft Endpoint Manager](/mem) to manage your organizationΓÇÖs devices and security settings, as shown in the following image:

-2. Select **Endpoint security** > **Antivirus**, and then select an existing policy. (If you donΓÇÖt have an existing policy, create a new policy.)

-The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is where you'll view alerts, manage devices, and view reports. When you sign into the Microsoft 365 Defender portal, youΓÇÖll start with the Home page, as shown in the following image:

-To view and manage your organizationΓÇÖs devices, in the navigation bar, under **Endpoints**, select **Device inventory**. YouΓÇÖll see a list of devices as shown in the following image:

-By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default. The GUI isnΓÇÖt required; you can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus. However, many organizations prefer to use the GUI for Microsoft Defender Antivirus. To install the GUI, use one of the procedures in the following table:

-To view all the services that arenΓÇÖt running, run the following PowerShell cmdlet:

-By default, Windows Update doesnΓÇÖt download and install updates automatically on Windows Server 2019 or Windows Server 2022, or Windows Server 2016. You can change this configuration by using one of the following methods:

-| **Windows Update** in Control Panel | **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/><br/> **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates arenΓÇÖt automatically installed. |

-| The **AUOptions** registry key | The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/><br/> **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/><br/> **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates arenΓÇÖt automatically installed. |

-Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We donΓÇÖt collect files that contain personal data, like Microsoft Word documents and PDF files.

-| **0** - **Always prompt** | The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but isnΓÇÖt recommended for installations on Windows Server 2016 or 2019, or Windows Server 2022 without a GUI. |

-| **2** - **Never send** | The Microsoft Defender Antivirus service doesnΓÇÖt prompt and doesnΓÇÖt send any files. |

-If youΓÇÖre using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode. If your Windows Server endpoint is onboarded to Microsoft Defender for Endpoint, you can set Microsoft Defender Antivirus to passive mode. If you're not using Microsoft Defender for Endpoint, set Microsoft Defender Antivirus to disabled mode.

-| Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard | See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. <br/><br/>When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option. <br/><br/> If you clear **Windows Defender** by itself under the **Windows Defender Features** section, youΓÇÖll be prompted to remove the interface option **GUI for Windows Defender**.<br/><br/>Microsoft Defender Antivirus will still run normally without the user interface, but the user interface canΓÇÖt be enabled if you disable the core **Windows Defender** feature. |

- > - Microsoft Defender for Endpoint now extends protection to an organizationΓÇÖs data within a managed application (MAM) for devices that are not enrolled using mobile device management (MDM), but are using Intune to manage mobile applications. It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for [mobile application management (MAM)](/mem/intune/apps/mam-faq).

- > - Microsoft Defender for Endpoint now extends protection to an organizationΓÇÖs data within a managed application for those who arenΓÇÖt using mobile device management (MDM) but are using Intune to manage mobile applications. It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for [mobile application management (MAM)](/mem/intune/apps/mam-faq).

-Onboarding devices effectively enables the endpoint detection and response capability of Micorosft Defender for Endpoint.

-Group policy doesnΓÇÖt apply to tamper protection. Changes made to Microsoft Defender Antivirus settings are ignored when tamper protection is on.

-Files that have been quarantined by Microsoft Defender Antivirus or your security team will be saved in a compliant way according to your [sample submission configurations](enable-cloud-protection-microsoft-defender-antivirus.md). Your security team can download the files directly from the fileΓÇÖs detail page via the "Download file" button. **This preview feature is turned 'On' by default**.

-Security Management for Microsoft Defender for Endpoint is a capability for devices that arenΓÇÖt managed by a Microsoft Endpoint Manager, either Microsoft Intune or Microsoft Endpoint Configuration Manager, to receive security configurations for Microsoft Defender directly from Endpoint Manager.

-If some elements or data is missing on Microsoft 365 Defender itΓÇÖs possible that proxy settings are blocking it.

-If Tamper protection is enabled then, any attempt to change any of DefenderΓÇÖs settings if blocked and Event ID 5013 is generated that states which setting change was blocked.

-4. Analyze the results using the performance analyzerΓÇÖs `Get-MpPerformanceReport`parameter. For example, on executing the command `Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10`, the user is provided with a list of top-ten scans for the top 3 files affecting performance.

-This `New-MpPerformanceRecording` cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided ΓÇ£AS ISΓÇ¥, and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.

-Specifies how many top extensions to output, sorted by "DurationΓÇ¥.

-Specifies how many top extensions to output for each top process, sorted by "DurationΓÇ¥.

-Requests a top-processes report and specifies how many of the top processes to output, sorted by "DurationΓÇ¥.

-Specifies how many top processes to output for each top extension, sorted by "DurationΓÇ¥.

-Specifies how many top processes to output for each top file, sorted by "Duration ΓÇ£.

-Specifies how many top scans to output for each top extension for each top process, sorted by "DurationΓÇ¥.

-Specifies how many top scans to output for each top file, sorted by "DurationΓÇ¥.

-Specifies how many top scans for output for each top file for each top process, sorted by "DurationΓÇ¥.

-Specifies how many top scans to output for each top process in the Top Processes report, sorted by "DurationΓÇ¥.

-Specifies how many top scans for output for each top process for each top extension, sorted by "DurationΓÇ¥.

-Specifies how many top scans for output for each top process for each top file, sorted by "DurationΓÇ¥.

-If a user visits a web page that poses a risk of malware, phishing, or other web threats, Microsoft Edge will trigger a block page that reads ΓÇÿThis site has been reported as unsafeΓÇÖ along with information related to the threat.

-In any case, no block pages are shown in third-party browsers, and the user sees a ΓÇÿSecure Connection FailedΓÇÖ page along with a toast notification. Depending on the policy responsible for the block, a user will see a different message in the toast notification. For example, web content filtering will display the message ΓÇÿThis content is blockedΓÇÖ.

-The `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps. For a complete list, jump to [Apps and services covered](#apps-and-services-covered). Use this reference to construct queries that return information from this table.

->[!IMPORTANT]

->This table includes information that used to be available in the `AppFileEvents` table. Starting March 7, 2021, users hunting through file-related activities in cloud services on and beyond this date should use the `CloudAppEvents` table instead. <br><br>Make sure to search for queries and custom detection rules that still use the `AppFileEvents` table and edit them to use the `CloudAppEvents` table. More guidance about converting affected queries can be found in [Hunt across cloud app activities with Microsoft 365 Defender advanced hunting](https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857).

-| `DeviceType` | `string` | Type of device based on purpose and functionality, such as "Network device", "Workstation", "Server", "Mobile", "Gaming console", or "Printer" |

-| `AccountType` | `string` | Type of user account, indicating its general role and access levels, such as Regular, System, Admin, DcAdmin, System, Application |

-| `IsExternalUser` | `boolean` | Indicates whether a user inside the network doesn't belong to the organizationΓÇÖs domain |

-| `IsImpersonated` | `boolean` | Indicates whether the activity was performed by one user for another (impersonated) user |

-| `IPTags` | `dynamic` | Customer-defined information applied to specific IP addresses and IP address ranges |

-| `IPCategory` | `string` | Additional information about the IP address |

-| `UserAgentTags` | `dynamic` | More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot |

-| `SenderObjectId` | `string` | Unique identifier for the senderΓÇÖs account in Azure AD |

->[!TIP]

-| `SenderObjectId` | `string` |Unique identifier for the senderΓÇÖs account in Azure AD |

-|--|--|--|--|

-| Episode 3: Summarizing, pivoting, and visualizing data | Now that you've learned to filter, manipulate, and join data, itΓÇÖs time to summarize, quantify, pivot, and visualize. This episode discusses the `summarize` operator and various calculations, while introducing additional tables in the schema. You'll also learn to turn datasets into charts that can help you extract insight. | [YouTube](https://youtu.be/UKnk9U1NH6Y?t=296) (48:52) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.txt) |

-| Episode 4: LetΓÇÖs hunt! Applying KQL to incident tracking | In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response. | [YouTube](https://youtu.be/2EUxOc_LNd8?t=291) (59:36) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.txt)

-|--|--|--|--|

-You can transition without affecting your existing Defender for Endpoint workflows. Saved queries remain intact, and custom detection rules continue to run and generate alerts. They will, however, be visible in Microsoft 365 Defender.

->[!TIP]

->In addition to the columns in the following table, the `AlertEvidence` table includes many other columns that provide a more holistic picture of alerts from various sources. [See all AlertEvidence columns](advanced-hunting-alertevidence-table.md)

-| where Timestamp > ago(7d)

-AlertInfo

-| where Timestamp > ago(7d)

-| where AttackTechniques has "PowerShell (T1086)"

-When Microsoft Defender for Endpoint rules are edited on Microsoft 365 Defender, they continue to function as before if the resulting query looks at device tables only.

-For example, alerts generated by custom detection rules that query only device tables will continue to be delivered to your SIEM and generate email notifications, depending on how youΓÇÖve configured these in Microsoft Defender for Endpoint. Any existing suppression rules in Defender for Endpoint will also continue to apply.

-Once you edit a Defender for Endpoint rule so that it queries identity and email tables, which are only available in Microsoft 365 Defender, the rule is automatically moved to Microsoft 365 Defender.

-

-In the Microsoft 365 Defender schema, the `AlertInfo` and `AlertEvidence` tables are provided to accommodate the diverse set of information that accompany alerts from various sources.

-To get the same alert information that you used to get from the `DeviceAlertEvents` table in the Microsoft Defender for Endpoint schema, filter the `AlertInfo` table by `ServiceSource` and then join each unique ID with the `AlertEvidence` table, which provides detailed event and entity information.

-| project Timestamp, Title, AlertId, DeviceName, FileName, ProcessCommandLine

-| join AlertEvidence on AlertId

-| where EntityType == "Ip" and RemoteIP == "192.88.99.01"

-If you're dealing with a list of values that isnΓÇÖt finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top 10 sender domains with the most phishing emails, use the query below:

-| where ThreatTypes has "Phish"

-| summarize Count = count() by SenderFromDomain

-The line chart below clearly highlights time periods with more activity involving `invoice.doc`:

->[!NOTE]

->Some tables in this article might not be available at Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).

-Threat actors can use compromised user accounts for several malicious purposes, including reading emails in a userΓÇÖs inbox, forwarding emails to external recipients, and sending phishing mails, among others. The targeted user might be unaware that their emails are being forwarded. This is a very common tactic that attackers use when user accounts are compromised.

-Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder such as an RSS folder, or forward emails to an external account.

-Some rules might move all the emails to another folder and mark them as ΓÇ£readΓÇ¥, while some rules might move only mails which contain specific keywords in the email message or subject. For example, the inbox rule might be set to look for keywords like ΓÇ£invoiceΓÇ¥, ΓÇ£phishΓÇ¥, ΓÇ£do not replyΓÇ¥, ΓÇ£suspicious emailΓÇ¥, or ΓÇ£spamΓÇ¥ among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.

-

-

-

- - Exchange Transport Rule (ETR): Forwarded using and Exchange Transport Rule

- - SMTP: Forwarded using Mailbox Forwarding

- - InboxRule: Forwarded using an Inbox Rule

-By looking at senderΓÇÖs past behavior and recent activities, you should be able to determine whether the user's account should be considered compromised or not. You can see the details of alerts raised from the userΓÇÖs page in the Microsoft 365 Defender portal.

- - Observe how many of the recent email sent by the sender are detected as phish, spam or malware.

- - Observe how many of the sent emails contain sensitive information.

-Investigate the email forwarding activity. For instance, check the type of email, recipient of this email, or the manner in which the email is forwarded.

-

- :::image type="content" source="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-recipients-list.png" alt-text="Example of the list of recipients" lightbox="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-recipients-list.png":::

- - Who else has forwarded emails to these recipients?

- - How many emails have been forwarded to these recipients?

- - How frequently are emails forwarded to these recipients?

-

- - What additional details are available for this email? For example: subject, return path, and timestamp.

- - What is the origin of this email? Are there any similar emails?

- - Does this email contain any URLs? Does the URL point to any sensitive data?

- - Does the email contain any attachments? Do the attachments contain sensitive information?

- - What was the action taken on the email? Was it deleted, marked as read, or moved to another folder?

- - Are there any threats associated with this email? Is this email part of any campaign?

->[!Note]

->Certain parameters are unique to your organization or network. Fill in these specific parameters as instructed in each query.

->

-

- "New-InboxRule",

- "UpdateInboxRules",

- "Set-InboxRule",

- "Set-Mailbox",

-let sender = "{SENDER}"; //Replace {SENDER} with email of the Forwarder

- You can see mailbox forwarding rules by selecting the senderΓÇÖs mailbox **\> Manage mail flow settings \> Email forwarding \> Edit**.

-2. For the InboxRule forwarding type, reset the userΓÇÖs account credentials.

- - Reset the user accountΓÇÖs credentials.

-Threat actors can use compromised user accounts for several malicious purposes including reading emails in a userΓÇÖs inbox, creating inbox rules to forward emails to external accounts, sending phishing mails, among others. Malicious inbox rules are widely common during business email compromise (BEC) and phishing campaigns, and it important to monitor them consistently.

-This playbook helps you investigate alerts for suspicious inbox forwarding rules and quickly grade them as either a True Positive (TP) or a False Positive (TP). You can then take recommended actions for the TP alerts to remediate the attack.

-After gaining access to users' mailboxes, attackers often create an inbox rule that allows them to exfiltrate sensitive data to an external email address and use it for malicious purposes.

-Malicious inbox rules automate the exfiltration process. With specific rules, every email in the target userΓÇÖs inbox that matches the rule criteria will be forwarded to the attackerΓÇÖs mailbox. For example, an attacker might want to gather sensitive data related to finance. They create an inbox rule to forward all emails that contain keywords, such as ΓÇÿfinanceΓÇÖ and ΓÇÿinvoiceΓÇÖ in the subject or message body, to their mailbox.

-Suspicious inbox forwarding rules might be very difficult to detect because maintenance of inbox rules is common task done by users. Therefore, itΓÇÖs important to monitor the alerts.

-

-### Investigate rule parameters

-

-1. Search for other suspicious cloud activities that originated from the same IP in the tenant. For instance, suspicious activity might be multiple failed logins attempts.

-You can review all user activities before creating rules, check for indicators of compromise, and investigate user actions that seem suspicious. For instance, multiple failed sign ins.

- Validate that the sign in activity prior to the rule creation event is not suspicious (such as the common location, ISP, or user-agent).

- - Did other alerts trigger for the user prior to the rule creation. If so, then this might indicate that the user got compromised.

- - If the alert correlates with other alerts to indicate an incident, then does the incident contain other true positive alerts?

-[Advanced Hunting](advanced-hunting-overview.md) is a query-based threat hunting tool that lets you inspect events in your network and locate threat indicators.

-Run this query to find all the new inbox rule events during a specific time window.

-let start_date = now(-10h);

-let alert_date = now(); //enter alert date

-let timeback = 30d;

-let userid = ""; //enter here user id

-CloudAppEvents

-| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

-| where AccountObjectId == userid

-| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by ISP

-let alert_date = now(); //enter alert date

-let timeback = 30d;

-let userid = ""; //enter here user id

-CloudAppEvents

-| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

-| where AccountObjectId == userid

-let alert_date = now(); //enter alert date

-let timeback = 30d;

-let userid = ""; //enter here user id

-CloudAppEvents

-| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

-| where AccountObjectId == userid

-let start_date = now(-10h);

-1. Disable the malicious inbox rule.

-2. Reset the userΓÇÖs account credentials. You can also verify if the user account has been compromised with Microsoft Defender for Cloud Apps, which gets security signals from Azure Active Directory (Azure AD) Identity Protection.

-Threat actors can use compromised user accounts for many malicious purposes including reading emails in a userΓÇÖs inbox, creating inbox rules to forward emails to external accounts, deleting traces, and sending phishing mails. Malicious inbox rules are common during business email compromise (BEC) and phishing campaigns and it is important to monitor for them consistently.

-This playbook helps you investigate any incident related to suspicious inbox manipulation rules configured by attackers and take recommended actions to remediate the attack and protect your network. This playbook is for security teams, including security operations center (SOC) analysts and IT administrators who review, investigate, and grade the alerts. You can quickly grade alerts as either a True Positive (TP) or a False Positive (TP) and take recommended actions for the TP alerts to remediate the attack.

-Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder (like RSS), or forward mails to an external account. Some rules might move all the emails to another folder and mark them as ΓÇ£readΓÇ¥, while some rules might move only mails which contain specific keywords in the email message or subject.

-For example, the inbox rule might be set to look for keywords like ΓÇ£invoiceΓÇ¥, ΓÇ£phishΓÇ¥, ΓÇ£do not replyΓÇ¥, ΓÇ£suspicious emailΓÇ¥, or ΓÇ£spamΓÇ¥ among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.

-### 2. Investigate inbox manipulation rule parameters

- The attacker might apply the manipulation rule only to emails that contains certain words. You can find these keywords under certain attributes such as: ΓÇ£BodyContainsWordsΓÇ¥, ΓÇ£SubjectContainsWordsΓÇ¥ or ΓÇ£SubjectOrBodyContainsWordsΓÇ¥.

- If there are filtering by keywords, then check whether the keywords seem suspicious to you (common scenarios are to filter emails related to the attacker activities, such as ΓÇ£phishΓÇ¥, ΓÇ£spamΓÇ¥, ΓÇ£do not replyΓÇ¥, among others).

- To evade security detection, the attacker might move the emails to a less noticeable folder and mark the emails as read (for example, ΓÇ£RSSΓÇ¥ folder). If the attacker applies ΓÇ£MoveToFolderΓÇ£ and ΓÇ£MarkAsReadΓÇ¥ action, check whether the destination folder is somehow related to the keywords in the rule to decide if it seems suspicious or not.

- Some attackers will just delete all the incoming emails to hide their activity. Mostly, a rule of ΓÇ£delete all incoming emailsΓÇ¥ without filtering them with keywords is an indicator of malicious activity.

-

-Here's an example of a ΓÇ£delete all incoming emailsΓÇ¥ rule configuration (as seen on RawEventData.Parameters) of the relevant event log.

-You can review all user activities before rules were created, check for indicators of compromise, and investigate user actions that seem suspicious.

-For instance, for multiple failed logins, examine:

- Validate that the login activity prior to the rule creation is not suspicious. (common location / ISP / user-agent).

-[Advanced Hunting](advanced-hunting-overview.md) is a query-based threat hunting tool that lets you inspect events in your network to locate threat indicators.

-Use this query to find all the new inbox rule events during specific time window.

-let start_date = now(-10h);

-let alert_date = now(); //enter alert date

-let timeback = 60d;

-let userid = ""; //enter here user id

-CloudAppEvents

-| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

-| where AccountObjectId == userid

-| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by ISP

-let alert_date = now(); //enter alert date

-let timeback = 60d;

-let userid = ""; //enter here user id

-CloudAppEvents

-| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

-| where AccountObjectId == userid

-let alert_date = now(); //enter alert date

-let timeback = 60d;

-let userid = ""; //enter here user id

-CloudAppEvents

-| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

-| where AccountObjectId == userid

-In general, youΓÇÖll need to take the following steps to use the APIs:

-### Microsoft Threat ExpertsΓÇÖ alert communications

-> Microsoft Threat Experts is a managed threat hunting service and not an incident response service. However, you can engage with your own incident response team to address issues that require an incident response. If you donΓÇÖt have your own incident response team and would like MicrosoftΓÇÖs help, you can engage with the CSS Cybersecurity Incident Response Team (CIRT). They can open a ticket to help address your inquiry.

-Each supported service that you deploy provides an extremely rich set of raw signals as well as correlated information. While limited deployment doesnΓÇÖt cause Microsoft 365 Defender functionality to turn off, its ability to provide comprehensive visibility across your endpoints, apps, data, and identities is affected. At the same time, any remediation capabilities only apply to entities that can be managed by the services youΓÇÖve deployed.

-| Microsoft Defender for Endpoint | - Endpoint states and raw events<br />- Endpoint detections and alerts, including antivirus, EDR, attack surface reduction<br />- Info on files and other entities observed on endpoints | Endpoints |

-|Microsoft Defender for Office 365 | - Mail and mailbox states and raw events<br />- Email, attachment, and link detections | - Mailboxes<br />- Microsoft 365 accounts |

-| Microsoft Defender for Identity | - Active Directory signals, including authentication events<br />- Identity-related behavioral detections | Identities |

-| Microsoft Defender for Cloud Apps | - Detection of unsanctioned cloud apps and services (shadow IT)<br />- Exposure of data to cloud apps<br />- Threat activity associated with cloud apps | Cloud apps |

-Once youΓÇÖve deployed the supported services, [turn on Microsoft 365 Defender](m365d-enable.md).

-As you spend some time establishing, implementing, and maintaining security measures according to the organizationΓÇÖs standards, you can set up security solutions to help you quickly identify security risks and threats. Microsoft 365 Defender allows you to detect, triage, and investigate incidents through its single-pane-of-glass experience where you can find the information you need to make timely decisions.

-Incident response in Microsoft 365 Defender starts once you triage the list of incidents using your organizationΓÇÖs recommended method of prioritization. To triage means to assign a level of importance or urgency to incidents, which then determines the order in which they will be investigated.

- For example, by looking at which [MITRE ATT&CK](https://attack.mitre.org/) tactics the attacker used based on the incidentΓÇÖs categories, you might prioritize this incident because the attacker used stolen credentials, established command and control, performed lateral movement, and exfiltrated some data. These actions suggest that the attacker has already gone deep into the network and possibly stolen confidential information.

-3. To investigate our example further, scrolling to the bottom of the page to view the **Users affected**. To see the activity and context surrounding the malware detection, select Annette HillΓÇÖs user page.

-5. Each alert can be selected to obtain more information on the activity. For example, selecting **Activity from a Tor IP Address** alert leads you to that alertΓÇÖs own page. Annette is an Administrator of Office 365, which indicates elevated privileges and that the source incident might have led to access to confidential information.

-Post-incident review activity can also result in fine-tuning your security configuration and security team's processes to streamline your organizationΓÇÖs response capabilities.

-Preparing for incident handling involves setting up sufficient protection of an organization's network from different kinds of security incidents. To reduce the risk of security incidents, National Institute of Standards and Technology (NIST) recommends several security practices including risk assessments, hardening host security, configuring networks securely, and preventing malware.

-Microsoft 365 Defender can help address several aspects of incident prevention:

-[Zero Trust](/security/zero-trust/) is an integrated security philosophy and end-to-end strategy that considers the complex nature of any modern environment, including the mobile workforce and the users, devices, applications and data, wherever they may be located. By providing a single pane of glass to manage all detections in a consistent way, Microsoft 365 Defender can make it easier for your security operations team to implement the [guiding principles](/security/zero-trust/#guiding-principles-of-zero-trust) of Zero Trust.

-Components of Microsoft 365 Defender can display violations of rules that have been implemented to establish Conditional Access policies for Zero Trust by integrating data from Microsoft Defender for Endpoint or other mobile security vendors as an information source for device compliance policies and implementation of device-based Conditional Access policies.

-## Step 2. Determine your organizationΓÇÖs security posture

-Next, organizations can use the [Microsoft Secure Score](microsoft-secure-score.md) in Microsoft 365 Defender to determine your current security posture and consider recommendations on how to improve it. The higher the score is, the more security recommendations and improvement actions have been taken by the organization. Secure Score recommendations can be taken across different products and allow organizations to raise their scores even higher.

-

-## Step 3. Assess your organizationΓÇÖs vulnerability exposure

-

-An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

-Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

-If [enabled](m365d-enable.md), Microsoft 365 Defender can [automatically investigate and resolve](m365d-autoir.md) alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.

-Selecting an incident name displays a summary of the incident and provides access to tabs with additional information. HereΓÇÖs an example.

-

-

-Annual tasks can include conducting a major incident or breach exercise to test your staff, systems, and processes.

-See [ Integrating Microsoft 365 Defender into your security operations](integrate-microsoft-365-defender-secops.md) for more details.

-You can add or remove recipients in the email notifications. New recipients get notified about incidents after they're added.

->[!NOTE]

->You need the **Manage security settings** permission to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. <br> <br>

-5. Select **Next**. On the **Recipients** page, add the email addresses that will receive the incident notifications. Select **Add** after typing each new email address. To test notifications and ensure that the recipients receive them in the inboxes, select **Send test email**.

-|:-|:--|

-Whatever the current maturity of your security operations, it is important for you to align with your Security Operations Center (SOC). While there is no single model that fits every organization, there are certain aspects that are more common than others.

-## Centralize monitoring and logging of your organizationΓÇÖs security sources

-Usually, the SOC teamΓÇÖs core function is to make sure all security devices such as firewalls, intrusion prevention systems, data loss prevention systems, threat and vulnerability management systems, and identity systems are functioning correctly and being monitored. The SOC teams will work with the broader network operations such as identity, DevOps, cloud, application, data science, and other business teams to ensure the analysis of security information is centralized and secured. Additionally, the SOC team is responsible for maintaining logs of the data in useable and readable formats, which could include parsing and normalizing disparate formats.

-The following table breaks out each SOC teamΓÇÖs roles and responsibilities and how their roles integrate with Microsoft 365 Defender.

-The recommended methods to deploy Microsoft 365 Defender in your Security Operations Center (SOC) will depend on the SOC teamΓÇÖs current set of tools, processes, and skillsets. Maintaining cyber hygiene across platforms can be challenging because of the vast amount of data coming from dozens if not hundreds of security sources.

-The SOC should define a high-level standard and process for developing use cases, which would be regulated by the SOC Oversight team. The SOC Oversight team should work with your business, IT, legal, HR, and other groups to prioritize use cases for the SOC that will eventually make their way into the SOC teamΓÇÖs runbooks and playbooks. Priority of use cases are based on objectives, such as compliance or privacy.

-The first step in creating a use case is to outline the workflow using a story board. HereΓÇÖs an example of a high-level story board for a new phishing exploit notification to a Threat Intelligence team.

-In these example use cases, the testing revealed several gaps in the SOC teamΓÇÖs requirements that were established as baselines for the responsibilities of each team. The use case checklist can be as comprehensive as needed to ensure that the SOC team is prepared for the Microsoft 365 Defender integration with new or existing SOC requirements. Since this will be an iterative process, the use case development process and the use case output content will naturally serve to update and mature the SOCΓÇÖs runbooks with lessons learned.

-Once use case testing has been remediated for all gaps, the lessons learned and metrics collected in them can be incorporated into your SOC teamΓÇÖs production runbooks (operating processes) and playbooks (incident responses and escalation procedures).

-YouΓÇÖll need to have any of the following roles to access Microsoft Defender for Office 365 alerts:

-If youΓÇÖve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:

-## I donΓÇÖt have a Microsoft 365 E5 license. Can I still use Microsoft 365 Defender?

- >IP and URL searches are exact match and donΓÇÖt appear in the search results page ΓÇô they lead directly to the entity page.

-The learning hub opens with Learning paths organized around topics such as ΓÇ£How to Investigate Using Microsoft 365 Defender?ΓÇ¥ and ΓÇ£Microsoft Defender for Office 365 Best PracticesΓÇ¥. This section is currently curated by the security Product Group inside Microsoft. Each Learning path reflects a projected time it takes to get through the concepts. For example 'Steps to take when a Microsoft Defender for Office 365 user account is compromised' is projected to take 8 minutes, and is valuable learning on the fly.

-|Search | The search bar is located at the top of the page. Suggestions are provided as you type. You can search across the following entities in Defender for Endpoint and Defender for Identity: <br><br> - **Devices** - supported for both Defender for Endpoint and Defender for Identity. You can even use search operators, for example, you can use "contains" to search for part of a host name. <br><br> - **Users** - supported for both Defender for Endpoint and Defender for Identity. <br><br> - **Files, IPs, and URLs** - same capabilities as in Defender for Endpoint. <br> NOTE: *IP and URL searches are exact match and donΓÇÖt appear in the search results page ΓÇô they lead directly to the entity page. <br><br> - **TVM** - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations). <br><br> The enhanced search results page centralizes the results from all entities. |

-If you use the [Defender for Endpoint SIEM API](../defender-endpoint/enable-siem-integration.md), you can continue to do so. WeΓÇÖve added new links on the API payload that point to the alert page or the incident page in the Microsoft 365 security portal. New API fields include LinkToMTP and IncidentLinkToMTP. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to Microsoft 365 Defender](./microsoft-365-security-mde-redirection.md).

-The comparison data is anonymized so we donΓÇÖt know exactly which others tenants are in the mix.

-9. Add a TXT or MX record to validate the domain ownership. Once youΓÇÖve added the TXT or MX record to your domain, select **Verify**.

-You can access threat analytics either from the upper left-hand side of Microsoft 365 security portalΓÇÖs navigation bar, or from a dedicated dashboard card that shows the top threats to your org, both in terms of impact, and in terms of exposure.

-Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other peopleΓÇÖs computing resources.

-No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates.ΓÇ» With almost 2 billion websites on the internet and software continuously updated and released, it's impossible to have information about every single site and program.

-* **Command and Control:** A type of malware that infects your device and establishes communication with the hackersΓÇÖ command-and-control server to receive instructions. Once communication is established, hackers can send commands that can steal data, shut down and reboot the device, and disrupt web services.

-* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn't have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.

-Infections of this type can be particularly difficult to detect because most antivirus products donΓÇÖt have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. ItΓÇÖs not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.

-ItΓÇÖs possible to carry out such installation via command line without requiring a backdoor to already be on the file. The malware can be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file in a central storage area managed by the CIM Object Manager, and usually contains legitimate data. Even though the infection chain does technically use a physical file, itΓÇÖs considered a fileless attack because the WMI repository is a multi-purpose data container that can't be detected and removed.

-*Figure 2. KovterΓÇÖs registry key*

-**CPU-based** (Type I): Modern CPUs are complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/), bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologiesΓÇÖ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off.

-**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. The BIOS is an important component that operates at a low level and executes before the boot sector. ItΓÇÖs possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).

-**Disk-based** (Type II: Boot Record): The Boot Record is the first sector of a disk or volume, and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code. When the machine is booted, the malware immediately gains control. The Boot Record resides outside the file system, but itΓÇÖs accessible by the operating system. Modern antivirus products have the capability to scan and restore it.

-* DonΓÇÖt open suspicious emails or suspicious attachments.

-Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a companyΓÇÖs network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.

-The best protection is awareness and education. DonΓÇÖt open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.

-Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. They should also instruct employees to report the threat to the companyΓÇÖs security operations team immediately.

-* There are **multiple recipients** in the ΓÇ£ToΓÇ¥ field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.

-### If youΓÇÖre on a suspicious website

-keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesnΓÇÖt detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesnΓÇÖt detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence

-ΓÇ»

-## Implement Required Enterprise Application permissions

- 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).

- 2. Select **Grant admin consent for organization**.

- 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.

- 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.

-ΓÇ»

-> [!Note]

-ΓÇ»

-## Option 2 Provide admin consent by authenticating the application as an admin

-3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed.

-4. Review the permissions required by the application, and then select **Accept**.

-

-If you encounter an unsafe site, click **More […] > Send feedback** on Microsoft Edge. You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site).

-Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you canΓÇÖt trust any information that device reports about itself.

-If you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesnΓÇÖt want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.

-Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you have a rootkit that your antimalware software isnΓÇÖt detecting, you may need an extra tool that lets you boot to a known trusted environment.

-[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from the Windows Security app and has the latest antimalware updates from Microsoft. ItΓÇÖs designed to be used on devices that aren't working correctly because of a possible malware infection.

-### What if I canΓÇÖt remove a rootkit?

-keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesnΓÇÖt detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesnΓÇÖt detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence

-You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission).

-No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission).

-[Submit the file](https://www.microsoft.com/en-us/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination.

-If youΓÇÖre not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.

-You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).

-You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).

-Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when theyΓÇÖre released to the public. The malicious code then runs with the same trust and permissions as the app.

- * Check for digital signatures, and donΓÇÖt let the software updater accept generic input and commands.

-When you engage with the scammers, they can offer fake solutions for your ΓÇ£problemsΓÇ¥ and ask for payment in the form of a one-time fee or subscription to a purported support service.

-* DonΓÇÖt call the number in the pop-ups. MicrosoftΓÇÖs error and warning messages never include a phone number.

-* Download software only from official vendor websites or the Microsoft Store. Be wary of downloading software from third-party sites, as some of them might have been modified without the authorΓÇÖs knowledge to bundle support scam malware and other threats.

-Trojans are a common type of malware which, unlike viruses, canΓÇÖt spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them.

- - Your organization develops anti-malware technology that can run on Windows and your organizationΓÇÖs product is commercially available.

-AV-Comparatives | Real-World Protection Test </br> https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |ΓÇ£ApprovedΓÇ¥ rating from AV Comparatives

-AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted </br> https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST ApprovedΓÇ¥ (for corporate users)

-West Coast Labs | Checkmark Certified </br> http://www.checkmarkcertified.com/sme/ | ΓÇ£AΓÇ¥ Rating on Product Security Performance

-* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. WeΓÇÖve seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues.

-Trending trackers (formerly called Campaigns) highlight new threats received in your organization's email in the past week. The Trending trackers view provides dynamic assessments of email threats impacting your organizationΓÇÖs Office 365 environment. This view shows tenant level malware trends, identifying malware families on the rise, flat, or declining, giving admins greater insight into which threats require further attention.

- Turning on Enhanced Filtering for Connectors without an SCL=-1 rule for incoming mail from the protection service will vastly improve the detection capabilities of EOP protection features like [spoof intelligence](anti-spoofing-protection.md), and could impact the delivery of those newly-detected message (for example, move to the Junk Email folder or to quarantine). This impact is limited to EOP policies; as previously explained, Defender for Office 365 policies are created in audit mode.

- - **I'm only using Microsoft Exchange Online**: Yhe MX records for your domain point to Microsoft 365. There's nothing left to configure, so click **Finish**.

- - [View data by Email \> Spam and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--spam-and-chart-breakdown-by-detection-technology)

-|**Safe Attachments file types report** <p> Get-AdvancedThreatProtectionTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <p> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250532|June 2021|

-|**Safe Attachments message disposition report** <p> Get-AdvancedThreatProtectionTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <p> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250531|June 2021|

-|**Malware detected in email report** <p> Get-MailTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <p> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250530|June 2021|

-Go to [Step 2. Enroll devices into management with Intune](manage-devices-with-intune-enroll.md).

-Enrolling devices into management gives you the ability to achieve even greater security and control of data in your environment. [Step 2. Enroll devices into management](manage-devices-with-intune-enroll.md) details how to accomplish this using Intune and Autopilot. This article covers the next step, which is to configure device compliance policies.

-If you completed [Step 2. Enroll devices into management](manage-devices-with-intune-enroll.md) and [Step 6. Enroll devices into Defender for Endpoint to monitor device risk and compliance to security baselines](manage-devices-with-intune-monitor-risk.md), your devices are already enabled for Endpoint DLP.

-# Step 2. Enroll devices into management with Intune

-There are several ways to secure the endpoint, a term often used to refer to the combined entity including devices, apps, and user identity. Security policies must be enforced consistently and reliably not only on the apps but the device itself. Enrolling the device into management and registering with a cloud identity provider, such as Azure Active Directory, is a great start.

-This article recommends methods for enrolling devices into management using Intune. For more information about these methods and how to deploy each one, see [Deployment guidance: Enroll devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment).

-Protecting the data and apps on devices and the devices themselves is a multi-layer process. There are some protections you can gain on unmanaged devices. After enrolling devices into management, you can implement more sophisticated controls. When threat protection is deployed across your endpoints, you gain even more insights and the ability to automatically remediate some attacks. Finally, if your organization has put the work into identifying sensitive data, applying classification and labels, and configuring data loss prevention policies, you can obtain even more granular protection for data on your endpoints.

-|2|Enroll devices into management|This task requires more planning and time to implement. Microsoft recommends using Intune to enroll devices because this tool provides optimal integration. There are several options for enrolling devices, depending on the platform. For example, Windows devices can be enrolled by using Azure AD Join or by using Autopilot. You need to review the options for each platform and decide which enrollment option is best for your environment. See [Step 3ΓÇöEnroll devices into management](manage-devices-with-intune-enroll.md) for more information.|E3, E5, F1, F3, F5|

-If you follow this guidance, you will enroll devices into management using Intune (or another tool) and you will onboard devices for two

-2. Use Intune to onboard devices to Defender for Endpoint.

-3. Devices that are onboarded to Defender for Endpoint are also onboarded for Microsoft 365 compliance features, including Endpoint DLP.

-Note that only Intune is managing devices. Onboarding refers to the ability for a device to share information with a specific service. The following table summarizes the differences between enrolling devices into management and onboarding devices for a specific service.

-|Scope|These device management tools manage the entire device, including configuring the device to meet specific objectives, like security.|Onboarding only affects the services that apply.|