Updates from: 04/08/2021 03:10:52
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft365 Apps Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft365-apps-usage-ww.md
The Microsoft 365 **Reports** dashboard shows you the activity overview across t
> [!NOTE]
- > You must be a global administrator, global reader or reports reader in Microsoft 365 or an Exchange, SharePoint, or Skype for Business administrator to see reports.
+ > You must be a global administrator, global reader or reports reader in Microsoft 365 or an Exchange, SharePoint, or Skype for Business administrator to see reports. Shared computer activations are not supported in this report.
## How to get to the Microsoft 365 Apps usage report
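Review bot: the sentence appended to the NOTE in the `+` line, "Shared computer activations are not supported in this report.", is a scope limitation of the report, not a permission requirement, so it reads oddly inside a callout that lists which admin roles can see reports. Put it in its own `> [!NOTE]` block (or as a plain sentence under the report description) and state what the limitation means for the numbers, for example whether activations from shared computers are simply omitted from the counts, so an admin does not mistake a missing device for a permissions problem.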
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|License admin | Assign the License admin role to users who need to assigm amd remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing | |Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Office cloud policy service to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health | |Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
-|Service support admin | Assign the Service Support admin role as an additional role to admins or users need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts |
+|Service support admin | Assign the Service Support admin role as an additional role to admins or users need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts <br> - Monitor service health |
|SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. <br><br>SharePoint admins can also: <br> - Create and delete sites <br> - Manage site collections and global SharePoint settings | |Teams service admin | Assign the Teams service admin role to users who need to access and manage the Teams admin center. <br><br>Teams service admins can also: <br> - Manage meetings <br> - Manage conference bridges <br> - Manage all org-wide settings, including federation, teams upgrade, and teams client settings | |User admin | Assign the User admin role to users who need to do the following for all users: <br> - Add users and groups <br> - Assign licenses <br> - Manage most users properties <br> - Create and manage user views <br> - Update password expiration policies <br> - Manage service requests <br> - Monitor service health <br><br> The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader: <br> - Manage usernames<br> - Delete and restore users<br> - Reset passwords <br> - Force users to sign out <br> - Update (FIDO) device keys |
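Review bot: the `+` row for Service support admin keeps the grammatical slip from the `-` row, "Assign the Service Support admin role as an additional role to admins or users need to do the following"; while the row is being edited, make it "admins or users who need to do the following". The License admin row in the surrounding context carries two typos in the same table, "assigm amd remove licenses", which should read "assign and remove licenses"; fix them in the same commit rather than leaving a table that was just touched with visible misspellings.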
Before the partner can assign these roles to users, you must add the partner as
[Exchange Online admin role](about-exchange-online-admin-role.md)
-[Activity reports in the Microsoft 365 admin center](../activity-reports/activity-reports.md)
+[Activity reports in the Microsoft 365 admin center](../activity-reports/activity-reports.md)
admin Configure Focused Inbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/configure-focused-inbox.md
This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organiz
You can check email message headers to see if the email messages are landing in the Inbox due to the Focused Inbox transport rule bypass. Pick an email message from a mailbox in your organization that has the Focused Inbox transport rule applied. Look at the headers stamped on the message, and you should see the **X-MS-Exchange-Organization-BypassFocusedInbox: true** header. This means the bypass is working. Check out the [View the Internet header information for an email message](https://go.microsoft.com/fwlink/p/?LinkId=822530) article for info on how to find the header information.
+### What will the user see?
+
+If a transport rule is in place, a notification will be shown for the override. Outlook on the web will disable the "Always move to Other" and show a tooltip. Outlook clients on desktop will allow selection for "Always move to Other" and will pop up a dialog.
+ ## Turn on/off Clutter We've received reports that Clutter suddenly stopped working for some users. If this happens, you can enable it again for specific users. See [Configure Clutter for your organization](../email/configure-clutter.md).
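Review bot: the new "What will the user see?" section opens with "If a transport rule is in place" without saying which rule; the paragraph above is about the Focused Inbox bypass rule (the `X-MS-Exchange-Organization-BypassFocusedInbox: true` header), so write "If a Focused Inbox bypass transport rule applies to the message". The sentence "Outlook on the web will disable the "Always move to Other" and show a tooltip" is missing its noun; make it "the **Always move to Other** option". The desktop sentence says the client allows the selection and then pops up a dialog, but not what the dialog tells the user or whether the transport rule overrides the user's choice; say so, because an admin troubleshooting "why does this mail still land in Focused" needs to know which setting wins.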
There are two cmdlets for controlling Focused Inbox. When you run Get-FocusedInb
### Can I run a script to see who has turned on Focused Inbox?
-No, and this is by design. Focused Inbox enablement is a client side setting, so all the cmdlet can do is tell you if the user's mailbox is eligible for the client experience. It is possible for it to be simultaneously enabled in some clients and disabled in others, for example, enabled in Outlook app and Outlook Mobile but disabled in Outlook on the web.
+No, and this is by design. Focused Inbox enablement is a client side setting, so all the cmdlet can do is tell you if the user's mailbox is eligible for the client experience. It is possible for it to be simultaneously enabled in some clients and disabled in others, for example, enabled in Outlook app and Outlook Mobile but disabled in Outlook on the web.
admin Priority Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/priority-accounts.md
description: "Monitor failed and delayed emailed messages sent to or from accoun
In every Microsoft 365 organization, there are people that are essential, like executives, leaders, managers, or other users who have access to sensitive, proprietary, or high priority information.
-To help your organization protect these accounts, you can now designate specific users as priority accounts and leverage app-specific features that provide them with extra protection. In the future, more apps and features will support priority accounts, and to start with, weΓÇÖve announced two capabilities: **priority account protection** and **premium mail flow monitoring**.
+To help your organization protect these accounts, you can now designate specific users as priority accounts and leverage app-specific features that provide them with extra protection. In the future, more apps and features will support priority accounts, and to start with, we've announced two capabilities: **priority account protection** and **premium mail flow monitoring**.
- **Priority account protection** - Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) supports priority accounts as tags that can be used in filters in alerts, reports, and investigations. For more information, check out [User tags in Microsoft Defender for Office 365](../../security/office-365-security/user-tags.md).+
+ A natural question is, "Aren't all users a priority? Why not designate all users as priority accounts?" Yes, all users are a priority, but priority account protection offers the following additional benefits:
+
+ - **Additional heuristics**: Our analysis of mail flow in the Microsoft datacenters indicates that mail flow patterns for company executives are different than the average employee. Priority account protection offers additional heuristics that are specifically tailored to company executives that wouldn't benefit a regular employee.
+ - **Additional visibility in reporting**: In effect, information for all users (or all affected users) is already available in alerts, reports, and investigations. The priority accounts tag as a filter allows you to specifically target your investigations.
+ - **Premium Mail Flow Monitoring** - Healthy mail flow can be critical to business success, and delivery delays or failures can have a negative impact on the business. You can choose a threshold for failed or delayed emails, receive alerts when that threshold is exceeded, and view a report of email issues for priority accounts. For more information, check out [Email issues for priority accounts report in the modern EAC](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report) For security best practices for priority accounts, see [Security recommendations for priority accounts](../../security/office-365-security/security-recommendations-for-priority-accounts.md).
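Review bot: the indentation of the `+` lines demotes **Premium Mail Flow Monitoring** to a sub-bullet of the priority account protection benefits ("Additional heuristics", "Additional visibility in reporting") instead of the second top-level capability the paragraph above announces; outdent it to the same level as the **Priority account protection** bullet. In the same block, the Premium Mail Flow Monitoring sentence runs the report link straight into "For security best practices for priority accounts, see ..." with no full stop between them, and the "Additional visibility in reporting" bullet opens with "In effect", which weakens the point; "Information for all users is already available in alerts, reports, and investigations; the priority accounts tag lets you filter those views to the accounts that matter most" says it directly.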
The **Premium Mail Flow Monitoring** feature that's described in this topic is a
> [!NOTE] > You can monitor up to 250 priority accounts.
+When you apply priority account protection to a mailbox, you should also apply priority account protection to users who have access to the mailbox (for example, the CEO and the CEO's executive assistant who manages the CEO's calendar).
+ ### Add priority accounts from the Setup page Add priority accounts from the **Setup page**.
Add priority accounts from the Active users page.
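Review bot: the new sentence about tagging everyone who has access to a protected mailbox (the CEO's executive assistant in the example) is the right security guidance, since a delegate with rights to the mailbox is as attractive a target as the owner, but it sits directly under the NOTE that caps monitoring at 250 priority accounts without saying that each delegate you add is itself a priority account and counts against that limit; add that. The added "### Add priority accounts from the Setup page" heading is followed by a sentence that only restates the heading ("Add priority accounts from the **Setup page**."); either drop the sentence or make it say what the reader will find on the Setup page.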
## Related topics
-[Using Priority Accounts in Microsoft 365](https://techcommunity.microsoft.com/t5/microsoft-365-blog/using-priority-accounts-in-microsoft-365/ba-p/1873314)
+[Using Priority Accounts in Microsoft 365](https://techcommunity.microsoft.com/t5/microsoft-365-blog/using-priority-accounts-in-microsoft-365/ba-p/1873314)
commerce Change Your Billing Addresses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_TOC-- commerce - okr_SMB - AdminSurgePortfolio
+- commerce
search.appverid:-- BCS160 - MET150-- MOE150-- BEA160-- GEA150 description: "Learn how to update your billing addresses for Microsoft 365 for business. You can also update the email address used to receive billing notifications." # Change your billing addresses -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- Your bill or invoice contains three addresses: - **Sold-To Address** Your company name and address, as shown in your organization profile.
Your bill or invoice contains three addresses:
- **Service Usage Address** The address where the service is being used, usually the same as the **Sold-To** address. If your organization has remote users or multiple offices, use the address where the majority of your users are located. In most cases, these addresses are the same. If you need to change one or more of the addresses, you can do that. You can also provide an alternate email address to receive billing notifications and change the alternate email address for other admins.
-
To learn more about your bill or invoice, see [View your bill or invoice](view-your-bill-or-invoice.md) and [Understand your bill or invoice](understand-your-invoice2.md).
+## Change your Sold-To address
++
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.
+ ::: moniker-end ::: moniker range="o365-germany"
-To learn more about your bill or invoice, see [View your bill or invoice](view-your-bill-or-invoice.md) and [Understand your bill or invoice](understand-your-invoice2.md).
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Billing accounts** page.
::: moniker-end ::: moniker range="o365-21vianet"
-If you're using Office 365 operated by 21Vianet in China, see [View your bill or get Fapiaos for Office 365 operated by 21Vianet](../../admin/services-in-chin).
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Billing accounts** page.
::: moniker-end
-## Change your Sold-To address
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.
-
-2. select **Edit billing account information**.
+2. Select **Edit billing account information**.
3. Update your organization information, then select **Save**.
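Review bot: in the first part of this region the `-` line containing "**Sold-To Address** Your company name and address, as shown in your organization profile" is removed while the context line "Your bill or invoice contains three addresses:" stays and only the **Service Usage Address** bullet remains visible; if the Sold-To bullet is meant to move rather than disappear, the moved copy should appear as a `+` line in this diff, and the third address is not visible in the hunk at all. Further down, the new worldwide step 1 ("Billing > Billing accounts", linkid 2084771) is followed by `::: moniker-end` but no opening `::: moniker range="o365-worldwide"` is visible above it; check that the opening directive exists, otherwise the Germany and 21Vianet blocks render after an unterminated worldwide block. The metadata change also drops the Adm_O365, Adm_TOC, okr_SMB and AdminSurgePortfolio collection values and keeps only "commerce"; confirm that is intentional, since it changes where this article is aggregated.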
If you're using Office 365 operated by 21Vianet in China, see [View your bill or
1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2018806" target="_blank">Payment methods</a> page.
-2. Select the credit card or bank account that you want to change.
-
-3. On the **Payment method details** page, select **Edit**.
-
-4. Update your billing address, then select **Save** \> **Done**.
- ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. Select the subscription you want to change, then select **Change payment details**.
-
- ![The Payment method section of a Subscription card for a subscription that pays by credit card.](../../media/6c9d9cae-6086-4687-a979-bb971f35f1b4.png)
-
-3. *Credit card and bank account customers:* On the **Change payment details** page, select the credit card or bank account that you want to update, select **Edit details**, update your billing address, then select **Submit**.
-
- > [!NOTE]
- > The ability to pay by bank account isn't available in some countries or regions.
-
- *Invoice customers:* On the **Change payment details** page, update your billing address, then select **Submit**.
-
- > [!NOTE]
- > The ability to pay an invoice by check isn't available in some countries or regions.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Payment methods** page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Payment methods** page.
-2. Select the subscription you want to change, then select **Change payment details**.
- ![The Payment method section of a Subscription card for a subscription that pays by invoice.](../../media/51ab38aa-6e15-4e51-9f27-261c38c98fed.png)
-
-3. On the **Change payment details** page, update your billing address, and then select **Submit**.
+2. Select the credit card or bank account that you want to change.
- You can change your payment method for Office 365 operated by 21Vianet from Invoice to Online payment using Alipay or China UnionPay, or vice versa.
+3. On the **Payment method details** page, select **Edit**.
+4. Update your billing address, then select **Save** \> **Done**.
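Review bot: two `> [!NOTE]` callouts are removed in this region ("The ability to pay by bank account isn't available in some countries or regions" and "The ability to pay an invoice by check isn't available in some countries or regions"), and so is the 21Vianet sentence about switching between Invoice and online payment using Alipay or China UnionPay, with no replacement in the `+` lines; the new flow (Payment methods > select the card or bank account > Edit) still depends on bank-account payment being offered in the reader's region, so keep the availability note once after the shared steps, and keep the Alipay/China UnionPay sentence inside the `o365-21vianet` moniker. Also, step 1 for Germany and 21Vianet now links to the admin center home (linkids 848041 and 850627) and then says "go to Billing > Payment methods", while the worldwide step links straight to the page (linkid 2018806); pick one pattern for all three so the steps read the same.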
## Change your service usage address ::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, select the subscription that you want to change.
-3. On the subscription details page, in the **Service usage address** section, select **Edit service usage address**.
-4. In the **Edit service usage address** pane, update your address, then select **Save**.
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. Select the subscription you want to change, select **More actions**, then choose **Edit service usage address**.
-
- ![Close up of the More Actions menu.](../../media/befa74b7-62c1-42a3-a38e-db76a1c97dba.png)
-
-3. In the **Edit your service usage address** pane, update your address, then select **Submit**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
-2. Select the subscription you want to change, select **More actions**, then choose **Edit service usage address**.
-
- ![Close up of the More Actions menu.](../../media/befa74b7-62c1-42a3-a38e-db76a1c97dba.png)
-
-3. In the **Edit your service usage address** pane, update your address, then select **Submit**.
+ If you're using Office 365 operated by 21Vianet in China, see [View your bill or get Fapiaos for Office 365 operated by 21Vianet](../../admin/services-in-chin).
::: moniker-end
+2. On the **Products** tab, select the subscription that you want to change.
+
+3. On the subscription details page, in the **Service usage address** section, select **Edit service usage address**.
+
+4. In the **Edit service usage address** pane, update your address, then select **Save**.
+ ## Change the alternate email address your billing notifications are sent to By default, your organization's billing notifications are sent to the Microsoft email address and the alternate email address of every global and billing admin in your organization. Each admin can change their alternate email address by updating their profile information.
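Review bot: the 21Vianet sentence added inside the `o365-21vianet` moniker ("If you're using Office 365 operated by 21Vianet in China, see [View your bill or get Fapiaos ...](../../admin/services-in-chin)") has a link target that looks truncated; the other relative links in this file end in `.md` or `.yml`, so verify the path before merge. That same `+` line sits between the 21Vianet step 1 and the shared steps 2 to 4 that follow `::: moniker-end`, so 21Vianet readers see step 1, a paragraph that sends them elsewhere, then steps 2 to 4; move the sentence above step 1 or after step 4. Finally, the Germany step 1 keeps linkid 847745 but relabels it from **Subscriptions** to **Your products**; confirm that fwlink resolves to the new page rather than the old Subscriptions page.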
By default, your organization's billing notifications are sent to the Microsoft
## Change the alternate email address for another admin You can also change the alternate email address of other global and billing admins in your organization.- + 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page. ::: moniker-end
You can also change the alternate email address of other global and billing admi
::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=853215" target="_blank">Billing Notifications</a> page.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=853215" target="_blank">Billing notifications</a> page.
::: moniker-end
You can also change the alternate email address of other global and billing admi
3. In the **Edit user roles** pane, type the alternate email address you want to use, then select **Save**.
-## Related articles
-
-[View your bill or invoice](view-your-bill-or-invoice.md)
-
-[Understand your bill or invoice](understand-your-invoice2.md)
-
-[Pay for your subscription](pay-for-your-subscription.md)
+## Related content
+[View your bill or invoice](view-your-bill-or-invoice.md)\
+[Understand your bill or invoice](understand-your-invoice2.md)\
+[Pay for your subscription](pay-for-your-subscription.md)\
[Subscriptions and billing - Admin Help](../index.yml)
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
If you pay by invoice, you can add or change the purchase order (PO) number for
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.-
-2. If you're in **Table** view, select **Cards** to switch views.
-
-3. Find the subscription that you want to change.
-
-4. In the **Billing** section, next to **invoice**, select **Edit**.
-
-5. At the bottom of the **Edit payment details** pane, enter your PO number, then select **Save**.
- ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. Select the subscription that you want to change, and in the **Payment method** section, select **Change payment details**.
-
-3. At the bottom of the **Change payment details** pane, enter your PO number, then select **Submit**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
-2. Select the subscription that you want to change, and in the **Payment method** section, select **Change payment details**.
+1. On the **Products** tab, select the subscription that you want to change.
-3. At the bottom of the **Change payment details** pane, enter your PO number, then select **Submit**.
+1. On the subscription details page, in the **Subscription and payment settings** section, select **Edit invoice**.
+1. At the bottom of the **Edit details for paying by voice** pane, enter your PO number, and then select **Save**.
## Related articles
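Review bot: the new last step, "At the bottom of the **Edit details for paying by voice** pane", mislabels the pane; the step before it selects **Edit invoice**, so the pane name should be **Edit details for paying by invoice** (verify the exact UI string, but "voice" is certainly wrong). The shared steps are all numbered "1." after three moniker-specific "1." lines; Markdown renumbers them only if nothing resets the list, and the `::: moniker-end` directive sits between the step-1 variants and the shared steps, so check the rendered page shows steps 1 to 4 rather than four step 1s.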
commerce Add Licenses Bought Through Vlsc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/add-licenses-bought-through-vlsc.md
description: "Learn how to add licenses to your Microsoft 365 subscription purch
# Add licenses to a subscription purchased through the Volume Licensing Service Center If you purchased your Microsoft 365 for business or Office 365 Enterprise plan through a third party partner, you must buy additional licenses through that partner. If the partner that the subscription was purchased from is known by Microsoft, you can find out how to contact your partner using the following procedure.-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-
-2. Select the subscription to which you want to add licenses, then select the **Volume Licensing Service Center (VLSC)** link.
-
-3. Follow the steps in the VLSC to complete your purchase.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. On the Subscriptions page, select the subscription to which you want to add licenses, then select the **Volume Licensing Service Center (VLSC)** link.
-
-3. Follow the steps in the VLSC to complete your purchase.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-
-2. On the Subscriptions page, select the subscription to which you want to add licenses, then select the **Volume Licensing Service Center (VLSC)** link.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
-3. Follow the steps in the VLSC to complete your purchase.
+2. Select the subscription to which you want to add licenses, then select the **Volume Licensing Service Center (VLSC)** link.
+3. Follow the steps in the VLSC to complete your purchase.
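Review bot: moving steps 2 and 3 out of the moniker blocks is correct for all three clouds, but step 2, "Select the subscription to which you want to add licenses, then select the **Volume Licensing Service Center (VLSC)** link", no longer says where that link appears in the redesigned Your products experience; the sibling changes in this batch describe a **Products** tab and a subscription details page, so name the page on which the VLSC link is shown. The surrounding context also has "third party partner", which should be hyphenated as "third-party partner", and "If the partner that the subscription was purchased from is known by Microsoft" reads better as "is known to Microsoft".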
commerce Add Licenses Using Product Key https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/add-licenses-using-product-key.md
Prepaid licenses are issued to you as a 25-character alphanumeric code. After yo
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, select the subscription to which you want to add licenses.
-3. On the subscription details page, in the **Licenses** section, select **Add more licenses**.
-4. In the **Add more licenses pane**, select **Use a new and unused product key**, then select **Next**.
-5. Enter the product key, then select **Next**.
- > [!NOTE]
- > If you have more than one product key, you can select **Add another product key** to enter them.
-6. Review your order details, then select **Redeem**.
- ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Products & services</a> page.
-
-2. Find the subscription to which you want to add licenses. Select the **More actions** drop-down list, and then choose **Renew or add license with token**.
-
-3. On the **Renew or add user licenses** page, select **Use a new and unused product key**, then select **Next**.
-
-4. Enter the product key, then select **Next**.
-
- > [!NOTE]
- > If you have more than one product key, you can select **Add another product key** to enter them.
-
-5. Choose to add users to the subscription, then select **Next**.
-
-6. Review your order details, then select **Redeem**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Products & services</a> page.
-
-2. Find the subscription to which you want to add licenses. Select the **More actions** drop-down list, and then choose **Renew or add license with token**.
-
-3. On the **Renew or add user licenses** page, select **Use a new and unused product key**, then select **Next**.
-
-4. Enter the product key, then select **Next**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
+2. On the **Products** tab, select the subscription to which you want to add licenses.
+3. On the subscription details page, in the **Licenses** section, select **Add more licenses**.
+4. In the **Add more licenses pane**, select **Use a new and unused product key**, then select **Next**.
+5. Enter the product key, then select **Next**.
> [!NOTE] > If you have more than one product key, you can select **Add another product key** to enter them.-
-5. Choose to add users to the subscription, then select **Next**.
- 6. Review your order details, then select **Redeem**.- ## Extend the expiration date of your subscription ::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
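Review bot: the shared steps 2 to 5 are added directly after the 21Vianet step 1 (linkid 850626) and before the NOTE, with no `::: moniker-end` visible between that step 1 and the shared steps; unless the directive is present off-screen, worldwide and Germany readers get only step 1 and 21Vianet readers get the whole procedure, so put the `::: moniker-end` before step 2. The removed Germany and 21Vianet step "Choose to add users to the subscription, then select **Next**" has no counterpart in the new flow; if the **Add more licenses** pane no longer asks that question, fine, otherwise restore it.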
-2. On the **Products** tab, select the subscription that you want to extend.
-3. On the subscription details page, in the **Subscription and payment settings** section, select **Extend end date**.
-4. On the **renew or add user licenses** page, select **Use a new and unused product key**, then select **Next**.
-5. Enter the product key, then select **Next**.
- > [!NOTE]
- > If you have more than one product key, you can select **Add another product key** to enter them.
-6. Review your order details, then select **Redeem**.
- ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Products & services</a> page.
-
-2. Find the subscription which you want to extend. Select the **More actions** drop-down list, and then select **Renew or add license with token**.
-
-3. On the **Renew or add user licenses** page, select **Use a new and unused product key**, then select **Next**.
-
-4. Enter the product key, then select **Next**.
-
- > [!NOTE]
- > If you have more than one product key, you can select **Add another product key** to enter them.
-
-5. Choose to extend your subscription expiration date, then select **Next**.
-
-6. Review your order details, then select **Redeem**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Products & services</a> page.
-
-2. Find the subscription which you want to extend. Select the **More actions** drop-down list, and then select **Renew or add license with token**.
-
-3. On the **Renew or add user licenses** page, select **Use a new and unused product key**, then select **Next**.
-
-4. Enter the product key, then select **Next**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
+2. On the **Products** tab, select the subscription that you want to extend.
+3. On the subscription details page, in the **Subscription and payment settings** section, select **Extend end date**.
+4. On the **renew or add user licenses** page, select **Use a new and unused product key**, then select **Next**.
+5. Enter the product key, then select **Next**.
> [!NOTE] > If you have more than one product key, you can select **Add another product key** to enter them.-
-5. Choose to extend your subscription expiration date, then select **Next**.
- 6. Review your order details, then select **Redeem**. - ## Related articles [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md)
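Review bot: the shared steps 2 to 5 for **Extend end date** are added directly after the 21Vianet step 1 (linkid 850626) with no `::: moniker-end` visible before them, so unless the directive is present off-screen only 21Vianet readers will see steps 2 to 5; place the `::: moniker-end` before step 2. In step 4 the pane name is written "**renew or add user licenses** page" in lowercase while the removed Germany and 21Vianet steps wrote "**Renew or add user licenses**"; use the capitalisation the UI shows. The removed step "Choose to extend your subscription expiration date, then select **Next**" has no counterpart in the new numbered list; confirm the new flow no longer asks for that choice.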
commerce Buy Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md
f1.keywords:
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
Last updated
# Buy or remove licenses -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- You can buy more licenses or reduce the number of licenses for your subscriptions by using the following steps. ## Before you begin
If youΓÇÖve removed licenses from a subscription, the next thing to do is [delet
::: moniker range="o365-worldwide"
-1. In the Microsoft 365 admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, find the subscription for which you want to buy or remove licenses. Select **More actions** (three dots), then select **Buy licenses**. [What if I don't see the Buy licenses or Remove licenses buttons?](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)
-3. If you want to reduce the number of licenses, at the top of the **Buy licenses** pane, select **remove licenses**.
-4. To buy or remove licenses, under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95.
-5. Select **Save**.
-
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-2. On the **Subscriptions** page, select the subscription to which you want to buy or remove licenses, and then select **Add/Remove licenses**. [What if I don't see the Buy licenses or Remove licenses buttons?](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)
-3. In the **Total licenses** box, enter the total number of licenses that you want for this subscription, then select **Submit** \> **Close**. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five licenses, enter 95.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-2. On the **Subscriptions** page, select the subscription to which you want to buy or remove licenses, and then select **Add/Remove licenses**. [What if I don't see the Buy licenses or Remove licenses buttons?](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)
-3. In the **Total licenses** box, enter the total number of licenses that you want for this subscription, and then select **Submit** \> **Close**. For example, if you have 100 licenses and you need to add 5 more, enter 105. If you want to remove 5 of them, enter 95.
-
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
::: moniker-end
+2. On the **Products** tab, find the subscription for which you want to buy or remove licenses. Select **More actions** (three dots), then select **Buy licenses**. [What if I don't see the Buy licenses or Remove licenses buttons?](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)
+3. If you want to reduce the number of licenses, at the top of the **Buy licenses** pane, select **remove licenses**.
+4. To buy or remove licenses, under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95.
+5. Select **Save**.
+ > [!NOTE] > You can't reduce the number of licenses for your subscription if all licenses are currently assigned to users. To reduce the number of licenses, first [unassign one or more licenses from users](../../admin/manage/remove-licenses-from-users.md), then remove the licenses from the subscription.
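Review bot: the Germany and 21Vianet step-1 lines keep their original fwlink ids (847745 and 850626) while only the link text changes from "Subscriptions" to "Your products", and the shared steps that follow the moniker blocks, "+2. On the **Products** tab, find the subscription ... select **Buy licenses**." through "+5. Select **Save**.", describe the **Products** tab, **More actions** (three dots) and the **Buy licenses** pane, which before this change were documented only for the worldwide cloud. Confirm that those two fwlinks resolve to a Your products page in the Germany and 21Vianet admin centers and that those centers expose the same Buy licenses pane; otherwise the removed "Add/Remove licenses" and "**Submit** \> **Close**" steps are still what those admins will see, and the moniker split that was removed here was carrying real information. The added note that licenses cannot be reduced while all are assigned, with the link to unassigning them first, is a good addition and should stay outside the moniker blocks as it is now so every cloud gets it.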
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
Last updated
# Cancel your subscription -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- *Eligibility:* If you have fewer than 25 licenses assigned to users, you can cancel your Microsoft 365 for business trial or paid subscription online in the Microsoft 365 admin center at any time. If you have more than 25 licenses assigned to users, reduce it to less than 25 or [call support to cancel your subscription](../../admin/contact-support-for-business-products.md). *Refund:* Any prorated credit will be returned to you within the next billing cycle.
If you added your own domain name to use with your subscription, you must remove
::: moniker range="o365-worldwide"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page, then select the **Products** tab.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
2. Find the subscription that you want to cancel. Select **More actions** (three dots), then select **Cancel subscription**. 3. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback. 4. Select **Save**. Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md)
+> [!NOTE]
+> If you explicitly delete a subscription, then it skips the Expired and Disabled stages and the SharePoint Online data and content, including OneDrive, is deleted immediately.
+ ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. On the **Subscriptions** page, select a subscription.
-
-3. From the **More actions** menu, select **Cancel subscription**.
-
- ![Close up of the More Actions menu.](../../media/befa74b7-62c1-42a3-a38e-db76a1c97dba.png)
-
-4. Review the important dates, provide feedback about why you are canceling, then select **Cancel subscription**.
-
- Your subscription now appears in a **Disabled** state and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md)
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-
-2. On the **Subscriptions** page, select a subscription.
-
-3. From the **More actions** menu, select **Cancel subscription**.
-
- ![Close up of the More Actions menu.](../../media/befa74b7-62c1-42a3-a38e-db76a1c97dba.png)
-
-4. Review the important dates, provide feedback about why you are canceling, then select **Cancel subscription**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
- Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md)
+2. Select the **Products** tab.
+3. Find the subscription that you want to cancel. Select **More actions** (three dots), then select **Cancel subscription**.
+4. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback.
+5. Select **Save**.
+Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md).
## What happens when you cancel a subscription
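Review bot: the worldwide block keeps the unchanged context line "2. Find the subscription that you want to cancel. Select **More actions** (three dots), then select **Cancel subscription**. 3. In the **Cancel subscription** pane ... 4. Select **Save**. Your subscription now appears in a **Disabled** state ..." inside `::: moniker range="o365-worldwide"`, and the same steps are added again as "+2. Select the **Products** tab." through "+5. Select **Save**." plus a second copy of the "Your subscription now appears in a **Disabled** state" paragraph after the moniker blocks. Either the worldwide build renders the cancel steps and the outcome paragraph twice with different numbering, or, since no `::: moniker-end` is visible between the 21Vianet step 1 and the shared step 2 (unlike the buy-licenses change in this set), the shared steps render only for 21Vianet; remove the worldwide-only copy and make sure the 21Vianet block is closed before the shared list. The new note that explicitly deleting a subscription skips the Expired and Disabled stages and removes SharePoint Online and OneDrive content immediately is worth keeping next to the cancel steps, because cancel as described here leaves a Disabled stage in which admins can still back up data and delete does not; a pointer to backing up before deletion would fit here.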
If you want to completely close your account with Microsoft, see [Close your acc
[Renew your subscription](renew-your-subscription.md) (article)\ [Reactivate your subscription](reactivate-your-subscription.md) (article)\
-[Move users to a different subscription](move-users-different-subscription.md) (article)
+[Move users to a different subscription](move-users-different-subscription.md) (article)
commerce Move Users Different Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/move-users-different-subscription.md
Last updated 07/01/2020
# Move users to a different subscription -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[Overview of Microsoft 365 admin center](../../business-video/admin-center-overview.md).
-- If you have more than one subscription, have users with a license for one subscription, but want to move them to another subscription, you can replace their existing license with a different one. ## Before you begin
-You must be a Global, License, or User admin to assign licenses. For more information, see [About Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md?view=o365-worldwide).
+You must be a Global, License, or User admin to assign licenses. For more information, see [About Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md).
## Move users to a different subscription
You must be a Global, License, or User admin to assign licenses. For more inform
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the circles next to the names of the users that you want to replace existing licenses for.
-
-3. At the top, select **Manage product licenses**.
-
-4. In the **Manage product licenses** pane, select **Replace** and select the licenses that you would like to assign to the users.
-
-5. At the bottom, select **Save Changes** \> **Close**.
- ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the boxes next to the names of the users you want to replace existing licenses for.
-
-3. In the **Bulk actions** pane, select **Edit product licenses**.
-
-4. In the **Assign products** pane, select **Replace existing product license assignments** \> **Next**.
-
-5. Switch the toggle to the **On** position for the licenses that you want to assign to these users.
-
- You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want that users to have. Any previous license assignments for the selected users are removed.
-
-6. At the bottom of the **Replace existing products** pane, select **Replace** \> **Close** \> **Close**.
+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-
-2. Select the boxes next to the names of the users you want to replace existing licenses for.
-
-3. In the **Bulk actions** pane, select **Edit product licenses**.
+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-4. In the **Assign products** pane, select **Replace existing product license assignments** \> **Next**.
-5. Switch the toggle to the **On** position for the licenses that you want to assign to these users.
+2. Select the circles next to the names of the users that you want to replace existing licenses for.
- You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want that users to have. Any previous license assignments for the selected users are removed.
+3. At the top, select **Manage product licenses**.
-6. At the bottom of the **Replace existing products** pane, select **Replace** \> **Close** \> **Close**.
+4. In the **Manage product licenses** pane, select **Replace** and select the licenses that you would like to assign to the users.
+5. At the bottom, select **Save Changes** \> **Close**.
## Next steps
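Review bot: the added step-1 lines for Germany and 21Vianet, "+ 1. In the admin center, go to the **Users** \> ... Active users page.", carry a leading space that the shared steps "+2. Select the circles next to the names of the users ..." through "+5. At the bottom, select **Save Changes** \> **Close**." do not, so the first item is indented differently from the rest and may not render as the start of the same numbered list; align the indentation. The removed Germany and 21Vianet text also carried the caveat "Any previous license assignments for the selected users are removed.", which is the one sentence telling an admin that **Replace** revokes whatever service access the old license granted, and the consolidated list drops it; keep that sentence with step 4, where **Replace** is selected. As in the other files in this set, no `::: moniker-end` is visible between the 21Vianet step 1 and the shared step 2; confirm the block is closed so steps 2 to 5 render for every cloud.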
commerce Reactivate Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/reactivate-your-subscription.md
description: "Learn how to reactivate your subscription when it expires, is disa
# Reactivate your subscription -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- You can reactivate your subscription in the admin center if: the subscription expired, was disabled by Microsoft, or if you canceled it in the middle of a subscription term. ## Before you begin
You must be a Global or Billing admin to reactivate a subscription. For more inf
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, find the subscription that you want to reactivate. Select **More actions** (three dots), then select **Reactivate this subscription**.\
- If you don't see **Reactivate this subscription**, [contact support](../../admin/contact-support-for-business-products.md).
-3. In the **Reactivate this subscription** pane, select a payment method from the drop-down list, or select **Add payment method**.
-4. Select **Save**.
- ::: moniker-end ::: moniker range="o365-germany"
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. Find the subscription that you want to reactivate, then select **Reactivate**.
-
- ![Close-up of a Subscription card that says Disabled and Reduced functionality with a Reactivate button.](../../media/4042c2c7-48d3-4add-963f-42f9fbcede07.png)
-
- If you don't see **Reactivate** as an available action, [call Support](../../admin/contact-support-for-business-products.md) to reactivate your subscription.
-
-3. Enter your payment details. You can update your existing payment information here.
- If your subscription was expired, then after you submit your payment details, your subscription returns to an active state, and the **Next billing** date extends by either one month or one year, depending on your current subscription commitment. If you pay by credit card or bank account, your credit card or bank account will be charged for the extension. If you pay by invoice, you'll see the extension reflected on your next invoice. To make sure that your subscription doesn't expire again, [turn on Recurring billing](renew-your-subscription.md#turn-recurring-billing-off-or-on).
-
- > [!NOTE]
- > The ability to pay by bank account isn't available in some countries or regions.
-
- If your subscription was canceled, or was disabled because a payment wasn't received, it returns to an active state, and your **Next billing** date stays the same.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-
-2. Find the subscription that you want to reactivate, then select **Reactivate**.
-
- ![Close-up of a Subscription card that says Disabled and Reduced functionality with a Reactivate button.](../../media/4042c2c7-48d3-4add-963f-42f9fbcede07.png)
-
- If you don't see **Reactivate** as an available action, [call Support](../../admin/contact-support-for-business-products.md) to reactivate your subscription.
-
-3. Enter your payment details. You can update your existing payment information here.
-
- If your subscription was expired, then after you submit your payment details, your subscription returns to an active state, and the **Next billing** date extends by either one month or one year, depending on your current subscription commitment. If you pay by credit card or bank account, your credit card or bank account will be charged for the extension. If you pay by invoice, you'll see the extension reflected on your next invoice. To make sure that your subscription doesn't expire again, [turn on Recurring billing](renew-your-subscription.md#turn-recurring-billing-off-or-on).
-
- > [!NOTE]
- > The ability to pay by bank account isn't available in some countries or regions.
-
- If your subscription was canceled, or was disabled because a payment wasn't received, it returns to an active state, and your **Next billing** date stays the same.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
::: moniker-end
+2. On the **Products** tab, find the subscription that you want to reactivate. Select **More actions** (three dots), then select **Reactivate this subscription**.\
+ If you don't see **Reactivate this subscription**, [contact support](../../admin/contact-support-for-business-products.md).
+3. In the **Reactivate this subscription** pane, select a payment method from the drop-down list, or select **Add payment method**.
+4. Select **Save**.
+ ## Related content [Try or buy a Microsoft 365 for business subscription](../try-or-buy-microsoft-365.md) (article)\
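Review bot: the consolidated steps "+2. On the **Products** tab, find the subscription that you want to reactivate ..." through "+4. Select **Save**." drop the explanatory text that the removed Germany and 21Vianet blocks carried after their step 3: that an expired subscription returns to active with the **Next billing** date extended by one month or one year and the card or bank account charged for the extension, that invoice customers see the extension on the next invoice, that paying by bank account isn't available in some countries or regions, and that a canceled or disabled subscription keeps its **Next billing** date. The worldwide flow never had those paragraphs, but they are what tells an admin to expect a charge on reactivation and to turn on Recurring billing so the subscription does not lapse again; consider keeping them as a short note after step 4 rather than losing them with the moniker split.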
commerce Renew Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/renew-your-subscription.md
description: "Learn how to renew your Microsoft 365 by turning recurring billing
# Renew Microsoft 365 for business -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- This article applies to most paid Microsoft 365 for business subscriptions. To renew by using a product key that you bought from a retail store or Microsoft partner, see [Find and enter your product key](../enter-your-product-key.md).
If you prepaid for your subscription with a product key, your subscription will
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. Select the subscription for which you want to manage recurring billing.
-3. On the subscription details page, under **Subscription and payment settings**, select **Edit recurring billing**.
-4. In the **Edit recurring billing settings** pane, select **On**, **On, but renew once**, or **Turn off**.
-5. Select **Save**.
-
- > [!NOTE]
- > - You can only change the **Recurring billing** setting for active subscriptions. If your subscription has already expired or is disabled, you will need to [reactivate it](reactivate-your-subscription.md) before you can turn **Recurring billing** on or off.
- > - When **Recurring billing** is turned off, the subscription isn't cancelled. If you want to keep the subscription active, you must pay the bill manually.
- > - If you turn off **Recurring billing**, the subscription remains active until it expires. You can view the expiration date on the subscription details page in the **Subscription and payment settings** section.
- > - To learn how to cancel the subscription right away, see [Cancel my subscription](cancel-your-subscription.md).
- ::: moniker-end ::: moniker range="o365-germany"
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. Choose the subscription for which you want to manage recurring billing.
-3. To turn on **Recurring billing**, switch the toggle to **On**.
-
- ![Close-up of a Subscription card that has Recurring billing turned on.](../../media/984464dc-6b63-4b24-84e1-67f6c4b1d48e.png)
-
- You can turn off **Recurring billing** by switching the toggle to **Off**.
-
- > [!NOTE]
- > - You can only change the **Recurring billing** setting for active subscriptions. If your subscription has already expired or is disabled, you will need to [reactivate it](reactivate-your-subscription.md) before you can turn **Recurring billing** on or off.
- > - When **Recurring billing** is turned off, the subscription isn't cancelled right away. It remains active until it expires. You can view the expiration date on the subscription card
- > - To learn how to cancel the subscription right away, see [Cancel my subscription](cancel-your-subscription.md).
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-2. Choose the subscription for which you want to manage recurring billing.
-
-3. To turn on **Recurring billing**, switch the toggle to **On**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
- ![Close-up of a Subscription card that has Recurring billing turned on.](../../media/984464dc-6b63-4b24-84e1-67f6c4b1d48e.png)
-
- You can turn off **Recurring billing** by switching the toggle to **Off**.
+2. Select the subscription for which you want to manage recurring billing.
+3. On the subscription details page, under **Subscription and payment settings**, select **Edit recurring billing**.
+4. In the **Edit recurring billing settings** pane, select **On**, **On, but renew once**, or **Turn off**.
+5. Select **Save**.
> [!NOTE] > - You can only change the **Recurring billing** setting for active subscriptions. If your subscription has already expired or is disabled, you will need to [reactivate it](reactivate-your-subscription.md) before you can turn **Recurring billing** on or off.
- > - When **Recurring billing** is turned off, the subscription isn't cancelled right away. It remains active until it expires. You can view the expiration date on the subscription card.
+ > - When **Recurring billing** is turned off, the subscription isn't cancelled. If you want to keep the subscription active, you must pay the bill manually.
+ > - If you turn off **Recurring billing**, the subscription remains active until it expires. You can view the expiration date on the subscription details page in the **Subscription and payment settings** section.
> - To learn how to cancel the subscription right away, see [Cancel my subscription](cancel-your-subscription.md). - ## Related articles [Reactivate your subscription](reactivate-your-subscription.md)
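Review bot: the removed worldwide steps "-2. Select the subscription for which you want to manage recurring billing." through "-5. Select **Save**." are identical to the added "+2." through "+5." after the moniker blocks, so the intended net change is to move the steps out of the worldwide-only block, but no `::: moniker-end` is visible between the 21Vianet step 1 and "+2. Select the subscription ...", unlike the buy-licenses change in this set; confirm the 21Vianet block is closed before the shared steps. In the note, "+ > - When **Recurring billing** is turned off, the subscription isn't cancelled." uses "cancelled" while the rest of this set uses "canceled" (the reactivate article's "If your subscription was canceled", for example); pick one spelling. The two added bullets overlap, one saying the subscription isn't cancelled and must be paid manually to stay active, the next that it remains active until it expires; merging them into a single bullet that states both the expiry date and the manual-payment option would read more clearly.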
commerce What If My Subscription Expires https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires.md
The following table explains what you can expect when a paid Microsoft 365 for b
## What happens if I cancel a subscription?
-If you cancel your subscription before its term end date, the subscription skips the expired state and moves directly into the disabled state, which is 90 days for most subscriptions, in most countries and regions. We recommend that you [back up your data](back-up-data-before-switching-plans.md) before canceling, but as an admin, you can still access and back up data for your organization while it is in the disabled state. Any customer data that you leave behind may be deleted after 90 days, and will be deleted no later than 180 days after cancellation.
+If you cancel your subscription before its term end date, the subscription skips the Expired stage and moves directly into the Disabled stage, which is 90 days for most subscriptions, in most countries and regions. We recommend that you [back up your data](back-up-data-before-switching-plans.md) before canceling, but as an admin, you can still access and back up data for your organization while it is in the Disabled stage. Any customer data that you leave behind may be deleted after 90 days, and will be deleted no later than 180 days after cancellation.
Here's what to expect for you and your users if you cancel a subscription.
Here's what to expect for you and your users if you cancel a subscription.
To learn how to cancel, see [Cancel your subscription](cancel-your-subscription.md). > [!IMPORTANT]
-> If you want your subscription data to be deleted before the typical Disabled period is over, you can [close your account](../close-your-account.md).
+> If you want your subscription data to be deleted before the typical Disabled stage is over, you can [close your account](../close-your-account.md).
+> [!NOTE]
+> If you explicitly delete a subscription, then it skips the Expired and Disabled stages and the SharePoint Online data and content, including OneDrive, is deleted immediately.
+ ## What are my options if my subscription is about to expire? While a subscription is active, you and your end users have normal access to your data, services like email and OneDrive for Business, and Office applications. As the admin, you'll receive a series of notifications via email and in the admin center as your subscription nears its expiration date. Before the subscription actually reaches its expiration date, you have a few options:- - **Enable recurring billing for the subscription.**
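Review bot: the added note "+> If you explicitly delete a subscription, then it skips the Expired and Disabled stages and the SharePoint Online data and content, including OneDrive, is deleted immediately." names only SharePoint Online and OneDrive content, while the Deleted stage text later in this article says all customer data, from user data to documents and email, is permanently deleted and unrecoverable; state whether mailbox and other service data are also removed immediately on explicit deletion or only the SharePoint content, since the two statements differ in scope and an admin choosing between cancel and delete needs that difference spelled out. The same note is added word for word to the cancel-your-subscription article in this set, so keep the two in sync if the wording changes. The preceding paragraph already recommends backing up before canceling; a pointer to that same backup advice beside this note would fit, because deletion leaves no Disabled-stage window in which data can still be recovered.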
Before the subscription actually reaches its expiration date, you have a few opt
- If you're an Open Volume Licensing customer working with a partner, you can let your subscription expire by taking no action.
- - If you're a Office 365 Small Business Premium customer, and you prepaid for Office 365 and activated it with a product key, you can let your subscription expire by taking no action.
+ - If you're a Microsoft 365 Business Standard customer, and you prepaid for your subscription and activated it with a product key, you can let your subscription expire by taking no action.
- **Cancel before the subscription expires.** For details, see [Cancel your subscription](cancel-your-subscription.md).
-
-
-
-- **Manage recurring billing for the subscription.**-
- - If **Recurring billing** is already turned on, you don't have to take any action. Your subscription will be automatically billed, and you'll be charged for an additional year or month, depending on your current payment frequency. If for any reason you've turned **Recurring billing** off, you can always [turn Recurring billing back on](renew-your-subscription.md).
-
- - If you purchased Microsoft 365 Apps for business with a prepaid card, you can [turn on Recurring billing](renew-your-subscription.md) for your subscription.
-
- - If you're an Open Volume Licensing customer with a prepaid, one-year subscription, contact your partner to purchase a new product key. You'll receive instructions via email to activate your key in the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=282016). To learn how to find a new partner, or the partner you've worked with in the past, see [Find your partner or reseller](../../admin/manage/find-your-partner-or-reseller.md).
-
- - If you have Microsoft 365 Apps for business, see [Renew your subscription](renew-your-subscription.md).
--- **Let the subscription expire.**-
- - If you're paying by credit card or invoice and you don't want to continue your subscription, [turn Recurring billing off](renew-your-subscription.md). Your subscription will expire on its expiration date, and you can ignore all related email notifications.
-
- - If you're an Open Volume Licensing customer working with a partner, you can let your subscription expire by taking no action.
-
- - If you're a Office 365 Small Business Premium customer, and you prepaid for Office 365 and activated it with a product key, you can let your subscription expire by taking no action.
--- **Cancel before the subscription expires.** For details, see [Cancel your subscription](cancel-your-subscription.md).
-
-
-
-- **Renew the subscription.** If **Recurring billing** is already turned on, you don't have to take any action. Your subscription will be automatically billed, and you'll be charged for an additional year or month, depending on your current payment frequency. If for any reason you've turned **Recurring billing** off, you can always [turn Recurring billing back on](renew-your-subscription.md).--- **Let the subscription expire.** If you're paying by credit card or invoice and you don't want to continue your subscription, [turn Recurring billing off](renew-your-subscription.md). Your subscription will expire on its expiration date, and you can ignore all related email notifications.--- **Cancel before the subscription expires.** For details, see [Cancel your subscription](cancel-your-subscription.md).- ## What happens after my subscription expires?+ If you let your subscription expire, it goes through multiple states before it is ultimately deleted. This gives you, as the admin, time to reactivate if you want to continue the service, or to back up your data if you decide you no longer want the subscription. Here's what you can expect when your subscription is in each state. ### State: Expired
-
- **What to expect:** The expired state lasts for 30 days for most subscriptions, including subscriptions purchased through [Microsoft Open](https://go.microsoft.com/fwlink/p/?LinkID=613298), in most countries and regions. For Volume Licensing products, except for Microsoft Open, the expired state lasts 90 days.
---
- **What to expect:** The expired state lasts for 30 days for most subscriptions, including subscriptions purchased through [Microsoft Open](https://go.microsoft.com/fwlink/p/?LinkID=613298), in most countries and regions. For Volume Licensing products, except for Microsoft Open, the expired state lasts 90 days.
---
- **What to expect:** The expired state is 30 days for most subscriptions, in most countries and regions.
-
+ **What to expect:** The Expired stage lasts for 30 days for most subscriptions, including subscriptions purchased through [Microsoft Open](https://go.microsoft.com/fwlink/p/?LinkID=613298), in most countries and regions. For Volume Licensing products, except for Microsoft Open, the Expired stage lasts 90 days.
In this state, users have normal access to the Microsoft 365 portal, Office applications, and services such as email and SharePoint Online. As an admin, you still have access to the admin center. Don't worryΓÇöglobal or billing admins can [reactivate the subscription](reactivate-your-subscription.md) and continue using Microsoft 365. If you don't reactivate, [back up your data](back-up-data-before-switching-plans.md). ### State: Disabled
-
-
- **What to expect:** If you don't reactivate your subscription while it is in the expired state, it moves into a disabled state, which lasts for 90 days for most subscriptions, in most countries and regions. For Volume Licensing products, the disabled state lasts 30 days.
---
- **What to expect:** If you don't reactivate your subscription while it is in the expired state, it moves into a disabled state, which lasts for 90 days for most subscriptions, in most countries and regions. For Volume Licensing products, the disabled state lasts 30 days.
--
- **What to expect:** If you don't reactivate your subscription while it is in the expired state, it moves into a disabled state, which is 90 days for most subscriptions, in most countries and regions.
--
+ **What to expect:** If you don't reactivate your subscription while it is in the Expired stage, it moves into a Disabled stage, which lasts for 90 days for most subscriptions, in most countries and regions. For Volume Licensing products, the Disabled stage lasts 30 days.
In this state, your access decreases significantly. Your users can't sign in, or access services like email or SharePoint Online. Office applications eventually move into a read-only, reduced functionality mode and display [Unlicensed Product notifications](https://support.microsoft.com/office/0d23d3c0-c19c-4b2f-9845-5344fedc4380.aspx). You can still sign in and get to the admin center, but can't assign licenses to users. Your customer data, including all user data, email, and files on team sites, is available only to you and other admins. - As a global or billing admin, you can [reactivate the subscription](reactivate-your-subscription.md) and continue using Microsoft 365 with all of your customer data intact. If you choose not to reactivate, [back up your data](back-up-data-before-switching-plans.md). ### State: Deleted
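Review bot: the renamed term "Disabled stage" in the added line is not carried through to the surrounding text, which still reads "In this state, your access decreases significantly" and keeps the headings "### State: Disabled" and "### State: Deleted"; either rename the headings and body to "stage" as well, or keep "state" in the added line, so the section does not switch terms mid-paragraph. The same merging concern as in the Expired section applies here: one of the removed variants ("which is 90 days for most subscriptions, in most countries and regions.") had no Volume Licensing sentence, and the unified line now adds "the Disabled stage lasts 30 days" for it.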
- **What to expect:** If you don't reactivate your subscription while it is in grace or disabled, the subscription is deleted.
+ **What to expect:** If you don't reactivate your subscription while it is expired or disabled, the subscription is deleted.
Admins and users no longer have access to the services or Office applications that came with the subscription. All customer dataΓÇöfrom user data to documents and emailΓÇöis permanently deleted and is unrecoverable. At this point, you can't reactivate the subscription. However, as a global or billing admin, you can still access the admin center to manage other subscriptions, or to buy new subscriptions to meet your business needs. > [!NOTE]
-> Adding a new subscription of the same type that has been deleted does not restore the data that was associated with the deleted subscription.
--
-> [!NOTE]
-> If a CSP license is suspended, there is no 30 day grace period, and services are disabled immediately. Data will be deleted after 90 days if the tenant is not reactivated by adding a new license.
+> - Adding a new subscription of the same type that has been deleted does not restore the data that was associated with the deleted subscription.
+> - If a CSP license is suspended, there is no 30 day Expired stage, and services are disabled immediately. Data is deleted after 90 days if the tenant is not reactivated by adding a new license.
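Review bot: "30 day Expired stage" in the CSP bullet should be hyphenated as "30-day Expired stage", since it is a compound modifier before a noun; the same unhyphenated form is repeated in the trial section of this change. Merging the two separate `[!NOTE]` blocks into one bulleted note is an improvement, and "Data is deleted after 90 days" matches the present-tense phrasing used in the rest of the article.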
### What happens when my trial ends? When your trial ends, you can't continue using Microsoft 365 for free. You have a few options: --- **Buy Microsoft 365.** When your trial expires, it moves into a grace period, giving you another 30 days (for most trials, in most countries and regions) to purchase Microsoft 365. To learn how to convert your trial into a paid subscription, see [Buy your trial version of Microsoft 365 for business](../try-or-buy-microsoft-365.md).----- **Buy Microsoft 365.** When your trial expires, it moves into a grace period, giving you another 30 days (for most trials, in most countries and regions) to purchase Microsoft 365. To learn how to convert your trial into a paid subscription, see [Buy your trial version of Microsoft 365 for business](../try-or-buy-microsoft-365.md).----- **Buy Office 365.** When your trial expires, it moves into a grace period, giving you another 30 days (for most trials, in most countries and regions) to purchase Office 365. To learn how to convert your trial into a paid subscription, see [Buy or try subscriptions for Office 365 operated by 21Vianet](../../admin/services-in-chin).-
+- **Buy Microsoft 365.** When your trial expires, it moves into the Expired stage, giving you another 30 days (for most trials, in most countries and regions) to purchase Microsoft 365. To learn how to convert your trial into a paid subscription, see [Buy a subscription from your free trial](../try-or-buy-microsoft-365.md#buy-a-subscription-from-your-free-trial).
- **Extend your trial.** Need more time to evaluate Microsoft 365? In certain cases, you can [extend your trial](../extend-your-trial.md). -- **Cancel the trial or let it expire.** If you decide not to buy Microsoft 365, you can let your trial expire or [cancel it](cancel-your-subscription.md). Back up any data you want to keep. Soon after the 30 day grace period, your trial account information and data is permanently erased.
+- **Cancel the trial or let it expire.** If you decide not to buy Microsoft 365, you can let your trial expire or [cancel it](cancel-your-subscription.md). Back up any data you want to keep. Soon after the 30 day Expired stage, your trial account information and data is permanently erased.
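Review bot: the removed line carried two bullets, "**Extend your trial.** Need more time to evaluate Microsoft 365? In certain cases, you can [extend your trial](../extend-your-trial.md)." and the cancel bullet, but only the cancel bullet is re-added, so the extend-your-trial option and its link silently disappear from the article; if that is intentional, the commit message should say why, otherwise re-add it as its own `- **Extend your trial.**` line between the buy and cancel bullets. Also, "30 day Expired stage" should read "30-day Expired stage".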
> [!NOTE] > The information on this page is subject to the [Microsoft Policy Disclaimer and Change Notice](https://go.microsoft.com/fwlink/p/?LinkId=613651). Return to this site periodically to review any changes.
-## Related content
+## Related content
[Cancel your subscription](./cancel-your-subscription.md) (article)\ [Renew Microsoft 365 for business](./renew-your-subscription.md) (article)\
-[Reactivate your subscription](./reactivate-your-subscription.md) (article)
+[Reactivate your subscription](./reactivate-your-subscription.md) (article)
commerce Why Can T I Switch Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/why-can-t-i-switch-plans.md
description: "Understand the reasons why sometimes switching plans has to be don
# Why can't I switch Microsoft 365 for business plans? > [!NOTE] > This article applies to the old admin center. To view the article about the admin center (preview), see [Why can't I upgrade plans?](upgrade-to-different-plan.md#why-cant-i-upgrade-plans). The preview is available to all Microsoft 365 admins, you can opt in by selecting **Try the preview** toggle located at the top of the Home page. For more information, see [About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md). If you don't see the **Switch plans** button, your plan can't be switched automatically. In some cases, you might be able to resolve the issue so that you can use the **Switch plans** button, or you might be able to [switch plans manually](switch-plans-manually.md), instead. Position your mouse over the info icon to view a message that explains why the **Switch plans** button is not available. Use the information in this article to resolve the issue.
-
-
- **Need something else?** [Buy another subscription](../try-or-buy-microsoft-365.md) | [Cancel your subscription](cancel-your-subscription.md) | [Subscriptions and billing](../index.yml) | [Call support](../../admin/contact-support-for-business-products.md)
- **Need something else?** [Buy another subscription](../try-or-buy-microsoft-365.md) | [Cancel your subscription](cancel-your-subscription.md) | [Subscriptions and billing](../index.yml) | [Call support](../../admin/contact-support-for-business-products.md) --
- **Need something else?** [Buy or try subscriptions for Office 365 operated by 21Vianet](../../admin/services-in-chin)
-- ## Why isn't the Switch plans button available for my subscription? ### You can't switch subscriptions now because you have more users than licenses. - To use the **Switch plans** button to switch plans automatically, all of your users need to be assigned valid licenses. If you have assigned more licenses than you have purchased, you'll see an alert on the <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page that says you have a licensing conflict that needs to be resolved. [Learn how to resolve license conflicts](../../commerce/licenses/buy-licenses.md). After you have resolved any licensing conflicts, you should see the **Switch plans** button. If not, you can [switch plans manually](switch-plans-manually.md), or [call support](../../admin/contact-support-for-business-products.md). --
-To use the **Switch plans** button to switch plans automatically, all of your users need to be assigned valid licenses. If you have assigned more licenses than you have purchased, you'll see an alert on the <a href="https://go.microsoft.com/fwlink/p/?linkid=848038" target="_blank">Licenses</a> page that says you have a licensing conflict that needs to be resolved. [Learn how to resolve license conflicts](../../commerce/licenses/buy-licenses.md). After you have resolved any licensing conflicts, you should see the **Switch plans** button. If not, you can [switch plans manually](switch-plans-manually.md), or [call support](../../admin/contact-support-for-business-products.md).
---
-To use the **Switch plans** button to switch plans automatically, all of your users need to be assigned valid licenses. If you have assigned more licenses than you have purchased, you'll see an alert on the <a href="https://go.microsoft.com/fwlink/p/?linkid=850625" target="_blank">Licenses</a> page that says you have a licensing conflict that needs to be resolved. [Learn how to resolve license conflicts](../../commerce/licenses/buy-licenses.md). After you have resolved any licensing conflicts, you should see the **Switch plans** button. If not, you can [switch plans manually](switch-plans-manually.md), or [call support](../../admin/contact-support-for-business-products.md).
-- ### You can't switch subscriptions right now because this subscription isn't fully set up or the service isn't available. -- To see if there are provisioning or service health issues, in the admin center, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">Service health</a> page, or select **Health** \> **Service health**. --
-To see if there are provisioning or service health issues, in the Microsoft 365 admin center, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=848042" target="_blank">Service health</a> page, or select **Health** \> **Service health**.
---
-To see if there are provisioning or service health issues, in the Microsoft 365 admin center, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=850629" target="_blank">Service health</a> page, or select **Health** \> **Service health**.
-- If you find that a service is not fully provisioned, or you have a service health issue, please wait a few hours for your service to become available, and try again. If you still have a problem, please [call support](../../admin/contact-support-for-business-products.md). ### You can't switch plans because another plan is in the process of being switched and is pending a credit check.
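Review bot: the entire troubleshooting body is removed here, including all three region variants of the Licenses guidance (linkid=842264, 848038, 850625) and of the Service health guidance (linkid=842900, 848042, 850629), with no replacement text in this hunk, yet the surviving intro still ends with "Use the information in this article to resolve the issue." and only points readers of the admin center preview to upgrade-to-different-plan.md. Either add a pointer for old-admin-center readers to where the "You can't switch subscriptions" explanations now live, or trim the intro so it no longer promises content the page no longer has.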
compliance Create A Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-keyword-dictionary.md
description: "Learn the basic steps to creating a keyword dictionary in the Offi
# Create a keyword dictionary Data loss prevention (DLP) can identify, monitor, and protect your sensitive items. Identifying sensitive items sometimes requires looking for keywords, particularly when identifying generic content (such as healthcare-related communication), or inappropriate or explicit language. Although you can create keyword lists in sensitive information types, keyword lists are limited in size and require modifying XML to create or edit them. Keyword dictionaries provide simpler management of keywords and at a much larger scale, supporting up to 1MB of terms (post compression) in the dictionary and support any language. The tenant limit is also 1MB after compression. 1MB of post compression limit means that all dictionaries combined across a tenant can have close to 1 million character.
-
-> [!NOTE]
-> There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant.
-> [!NOTE]
-> Microsoft 365 Information Protection now supports in preview double byte character set languages for:
-> - Chinese (simplified)
-> - Chinese (traditional)
-> - Korean
-> - Japanese
->
->This support is available for sensitive information types. See, [Information protection support for double byte character sets release notes (preview)](mip-dbcs-relnotes.md) for more information.
+## Keyword dictionary limits
+
+There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant. To find out how many keyword dictionaries you have in your tenant, you can run this PowerShell script against your tenant.
+
+```powershell
+$rawFile = $env:TEMP + "\rule.xml"
+
+$kd = Get-DlpKeywordDictionary
+$ruleCollections = Get-DlpSensitiveInformationTypeRulePackage
+Set-Content -path $rawFile -Encoding Byte -Value $ruleCollections.SerializedClassificationRuleCollection
+$UnicodeEncoding = New-Object System.Text.UnicodeEncoding
+$FileContent = [System.IO.File]::ReadAllText((Resolve-Path $rawFile), $unicodeEncoding)
+
+if($kd.Count -gt 0)
+{
+$count = 0
+$entities = $FileContent -split "Entity id"
+for($j=1;$j -lt $entities.Count;$j++)
+{
+for($i=0;$i -lt $kd.Count;$i++)
+{
+$Matches = Select-String -InputObject $entities[$j] -Pattern $kd[$i].Identity -AllMatches
+$count = $Matches.Matches.Count + $count
+if($Matches.Matches.Count -gt 0) {break}
+}
+}
+
+Write-Output "Total Keyword Dictionary SIT:"
+$count
+}
+else
+{
+$Matches = Select-String -InputObject $FileContent -Pattern $kd.Identity -AllMatches
+Write-Output "Total Keyword Dictionary SIT:"
+$Matches.Matches.Count
+}
+
+Remove-Item $rawFile
+```
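Review bot: `Set-Content -path $rawFile -Encoding Byte` only works in Windows PowerShell 5.1; PowerShell 6 and later removed the `Byte` encoding value in favour of `-AsByteStream`, so the script fails on the cross-platform shell, and the text above it should either state the Windows PowerShell requirement or the script should branch on `$PSVersionTable.PSEdition`. Further points in the same block: `$Matches` is a PowerShell automatic variable that `-match` overwrites, so use a different name for the `Select-String` result; `Remove-Item $rawFile` is not in a `try`/`finally`, so any error mid-script leaves the serialized rule collection behind in `%TEMP%`; the `else` branch is reached when `Get-DlpKeywordDictionary` returns nothing, but then `-Pattern $kd.Identity` binds `$null` and `Select-String` throws a parameter binding error instead of reporting 0; the inner-loop `break` stops after the first dictionary that matches an entity yet still adds `$Matches.Matches.Count` rather than 1, so "Total Keyword Dictionary SIT" counts identity occurrences, not sensitive information types; and the nested loops carry no indentation, which makes the control flow hard to follow in a docs sample.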
## Basic steps to creating a keyword dictionary
Paste the identity into your custom sensitive information type's XML and upload
<Description default="true" langcode="en-us">Detects various diseases</Description> </Resource> </LocalizedStrings>
-```
+```
+
+> [!NOTE]
+> Microsoft 365 Information Protection supports in preview double byte character set languages for:
+> - Chinese (simplified)
+> - Chinese (traditional)
+> - Korean
+> - Japanese
+>
+>This support is available for sensitive information types. See, [Information protection support for double byte character sets release notes (preview)](mip-dbcs-relnotes.md) for more information.
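Review bot: the relocated note keeps the stray comma in "See, [Information protection support for double byte character sets release notes (preview)](mip-dbcs-relnotes.md)"; it should read "See [Information protection ...] for more information". The last line also lacks the space after `>` that the other lines of the callout have (`>This support` vs `> - Chinese`), and "double byte character set" should be hyphenated as "double-byte character set" where it modifies a noun.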
compliance Dlp Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
To learn more about licensing requirements, see [Microsoft 365 Tenant-Level Serv
Recently, [data loss prevention](data-loss-prevention-policies.md) (DLP) capabilities were extended to include Microsoft Teams chat and channel messages, **including private channel messages**. > [!IMPORTANT]
-> DLP currently applies only to the actual messages in the chat or channel thread. Activity notifications -- which include a short message preview and appear based on a user's notification settings -- are **not** included in Teams DLP at this time. Any sensitive information present in the part of the message that appears in the preview will remain visible in the notification even after the DLP policy has been applied and removed sensitive inforamtion the message itself.
+> DLP currently applies only to the actual messages in the chat or channel thread. Activity notifications -- which include a short message preview and appear based on a user's notification settings -- are **not** included in Teams DLP at this time. Any sensitive information present in the part of the message that appears in the preview will remain visible in the notification even after the DLP policy has been applied and removed sensitive information the message itself.
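Review bot: the typo fix stops one word short; the sentence still reads "removed sensitive information the message itself" and needs "from" ("has been applied and removed sensitive information from the message itself"). While touching this line, the double hyphens used as dashes in "Activity notifications -- which include a short message preview and appear based on a user's notification settings -- are" could become commas to match the rest of the article.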
If your organization has DLP, you can now define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session. Here are some examples of how this protection works:
enterprise EU Data Storage Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/EU-data-storage-locations.md
Microsoft secures your data using multiple layers of security and encryption pro
By default, Microsoft Managed Keys protect your customer data. Data that persists on any physical media is always encrypted using FIPS 140-2 compliant encryption protocols. You can also employ customer-managed keys (CMK), [double encryption](../compliance/double-key-encryption.md), and/or hardware security modules (HSMs) for increased data protection.
-All data traffic moving between datacenters is also protected using IEEE 802.1AE MAC Security Standards, preventing physical "man-in-the-middle" attacks.
+In addition, Microsoft by default uses the [Transport Layer Security (TLS)](https://wikipedia.org/wiki/Transport_Layer_Security) protocol to encrypt data when itΓÇÖs traveling between the cloud services and customers. Microsoft Services negotiate a TLS connection with client systems that connect to Microsoft 365 services.
To prevent unauthorized physical access to datacenters, we employ rigorous operational controls and processes that include 24×7 video monitoring, trained security personnel and processes, and smart card or biometric multifactor access controls. Upon end of life, data disks are shredded and destroyed. If a disk drive used for storage suffers a hardware failure or reaches its end of life, it is securely erased or destroyed. The data on the drive is completely overwritten to ensure the data cannot be recovered by any means. When such devices are decommissioned, they are shredded and destroyed in line with NIST SP 800-88 R1, Guidelines for Media Sanitization. Records of the destruction are retained and reviewed as part of the Microsoft audit and compliance process. All Microsoft 365 services utilize approved media storage and disposal management services.
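Review bot: the removed sentence and its replacement describe different hops, so this reads as the removal of a security claim rather than a correction: the old line covered datacenter-to-datacenter links (IEEE 802.1AE MACsec against physical tapping), while the new line covers client-to-service traffic (TLS). If inter-datacenter MACsec is still accurate, keep both sentences, since they address different threat models; if it is no longer accurate, the commit message should say so. In the added line, "itΓÇÖs" is a mis-encoded apostrophe and should be the plain "it's", and since the preceding paragraph is specific about FIPS 140-2 for data at rest, consider stating the minimum TLS version that "Microsoft Services negotiate" rather than leaving it unspecified.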
enterprise Microsoft 365 Networking China https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-networking-china.md
Title: "Microsoft 365 global tenant performance optimization for China users"
Previously updated : 6/23/2020 Last updated : 11/17/2020 audience: Admin
description: "This article provides guidance for optimizing network performance
For enterprises with global Microsoft 365 tenants and a corporate presence in China, Microsoft 365 client performance for China-based users can be complicated by factors unique to China Telco's Internet architecture.
-China ISPs have regulated offshore connections to the global public Internet that go through perimeter devices which are prone to high-levels of cross-border network congestion. This congestion creates packet loss and latency for all Internet traffic going into and out of China.
+China ISPs have regulated offshore connections to the global public Internet that go through perimeter devices that are prone to high-levels of cross-border network congestion. This congestion creates packet loss and latency for all Internet traffic going into and out of China.
![Microsoft 365 traffic - unoptimized](../media/O365-networking/China-O365-unoptimized.png)
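Review bot: the which-to-that change is right for a restrictive clause, but "high-levels of cross-border network congestion" in the same line should be "high levels" with no hyphen; it is a noun phrase, not a compound modifier.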
-Packet loss and latency is detrimental to the performance of network services, especially services that require large data exchanges (such as large file transfers) or requiring near real-time performance (audio and video applications).
+Packet loss and latency are detrimental to the performance of network services, especially services that require large data exchanges (such as large file transfers) or requiring near real-time performance (audio and video applications).
The goal of this topic is to provide best practices for mitigating the impact of China cross-border network congestion on Microsoft 365 services. This topic does not address other common last-mile performance issues such as issues of high packet latency due to complex routing within China carriers.
Many enterprises with global Microsoft 365 tenants and users in China have imple
As a first step, it is crucial that you follow our benchmark network guidance at [Network planning and performance tuning for Microsoft 365](./network-planning-and-performance.md). The primary goal should be to avoid accessing global Microsoft 365 services from the Internet in China if possible. -- Leverage your existing private network to carry Microsoft 365 network traffic between China office networks and offshore locations that egress on the public Internet outside China. Almost any location outside China will provide a clear benefit. Network administrators can further optimize by egressing in areas with low-latency interconnect with the [Microsoft global network](/azure/networking/microsoft-global-network). Hong Kong, Japan, and South Korea are examples.-- Configure user devices to access the corporate network over a VPN connection to allow Microsoft 365 traffic to transit the corporate network's private offshore link. Ensure that VPN clients are either not configured to use split tunneling, or that user devices are configured to ignore split tunneling for Microsoft 365 traffic.
+- Leverage your existing private network to carry Microsoft 365 network traffic between China office networks and offshore locations that egress on the public Internet outside China. Almost any location outside China will provide a clear benefit. Network administrators can further optimize by egressing in areas with low-latency interconnect with the [Microsoft global network](https://docs.microsoft.com/azure/networking/microsoft-global-network). Hong Kong, Japan, and South Korea are examples.
+- Configure user devices to access the corporate network over a VPN connection to allow Microsoft 365 traffic to transit the corporate network's private offshore link. Ensure that VPN clients are either not configured to use split tunneling, or that user devices are configured to ignore split tunneling for Microsoft 365 traffic. For additional information on optimizing VPN connectivity for Teams and real-time media traffic, see [this section](#optimizing-microsoft-teams-meetings-network-performance-for-users-in-china).
- Configure your network to route all Microsoft 365 traffic across your private offshore link. If you must minimize the volume of traffic on your private link, you can choose to only route endpoints in the **Optimize** category, and allow requests to **Allow** and **Default** endpoints to transit the Internet. This will improve performance and minimize bandwidth consumption by limiting optimized traffic to critical services that are most sensitive to high latency and packet loss. - If possible, use UDP instead of TCP for live media streaming traffic, such as for Teams. UDP offers better live media streaming performance than TCP.
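Review bot: the re-added bullet swaps the root-relative link `/azure/networking/microsoft-global-network` for the absolute `https://docs.microsoft.com/azure/networking/microsoft-global-network`; the removed text and the Audio Conferencing link later in this file (`/microsoftteams/audio-conferencing-in-office-365`) use the relative form, which survives domain and locale changes, so keep it relative. Splitting the two run-together bullets onto separate lines and adding the cross-reference to the new Teams meetings section is fine.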
For information about how to selectively route Microsoft 365 traffic, see [Manag
## User best practices
-Users in China who connect to global Microsoft 365 tenants from remote locations such as homes, coffee shops, hotels and branch offices with no connection to enterprise networks can experience poor network performance because traffic between their devices and Microsoft 365 must transit China's congested cross-border network circuits.
+Users in China who connect to global Microsoft 365 tenants from remote locations such as homes, coffee shops, hotels, and branch offices with no connection to enterprise networks can experience poor network performance because traffic between their devices and Microsoft 365 must transit China's congested cross-border network circuits.
If cross-border private networks and/or VPN access into the corporate network are not an option, per-user performance issues can still be mitigated by training your China-based users to follow these best practices.
If cross-border private networks and/or VPN access into the corporate network ar
- If your Microsoft 365 tenant has been configured with the _Audio Conferencing_ feature, Teams users can join meetings via the public switched telephone network (PSTN). For more information, see [Audio Conferencing in Office 365](/microsoftteams/audio-conferencing-in-office-365). - If users experience network performance issues, they should report to their IT department for troubleshooting, and escalate to Microsoft support if trouble with Microsoft 365 services is suspected. Not all issues are caused by cross-border network performance.
-Microsoft is continually working to improve the Microsoft 365 user experience and the performance of clients over the widest possible range of network architectures and characteristics. Visit the [Office 365 Tech Community](https://techcommunity.microsoft.com/t5/office-365/bd-p/Office365General) to start or join a conversation, find resources, and submit feature requests and suggestions.
+## Optimizing Microsoft Teams meetings network performance for users in China
+
+For organizations with global Microsoft 365 tenants and a presence in China, Microsoft 365 client performance for China-based users can be complicated by factors unique to the China Internet architecture. Many companies and schools have reported good results by following this guidance. However, the scope is limited to user network locations that are under control of the IT networking setup, for example, office locations or home/mobile endpoints with VPN connectivity. Microsoft Teams calls and meetings are often used from external locations, such as home offices, mobile locations, on the road, and coffee shops. Because calls and meetings rely on real-time media traffic, these Teams experiences are particularly sensitive to network congestion.
+
+As a result, Microsoft has partnered with telecommunications providers to carry Teams and Skype for Business Online real-time media traffic using a higher-quality, preferential network path between domestic and public internet connections in China and the Teams and Skype services in the Microsoft 365 global cloud. This capability has resulted in a more than ten-fold improvement in packet loss and other key metrics impacting your user's experience.
+
+>[!IMPORTANT]
+>Currently, these improvements do not address attending Microsoft Live Events meetings such as large broadcast or ΓÇ£town hallΓÇ¥ style meetings using Teams or Microsoft Stream. To view a Live Events meeting, users in China need to use a private network or SDWAN/VPN solution. However, the network improvements will benefit users who are presenting or producing a Live Events meeting, because that experience acts as a regular Teams meeting for the producer or presenter.
+
+### Organization network best practices for Teams meetings
+
+You need to consider how to leverage these network improvements, given that the previous guidance to consider a private network extension to avoid cross-border network congestion. There are two general options for organization office networks:
+
+1. Do nothing new. Continue to follow the earlier guidance around private network bypass to avoid cross-border congestion. Teams real-time media traffic will leverage that setup, as before.
+2. Implement a split/hybrid pattern.
+
+ - Use the previous guidance for all traffic flagged for optimization except Teams meetings and calling real-time media traffic.
+
+ - Route Teams meeting and calling real-time media traffic over the public internet. See the following information for specifics on identifying the real-time media network traffic.
+
+Sending Teams real-time media audio and video traffic over the public internet, which uses the higher quality connectivity, can result in considerable cost savings, because it is free versus paying to send that traffic over a private network. There may be similar additional benefits if users are also using SDWAN or VPN clients. Some organizations may also prefer to have more of their data traverse public internet connections as a general practice.
+
+The same options could apply to SDWAN or VPN configurations. For example, a user is using an SDWAN or VPN to route Microsoft 365 traffic to the corporate network and then leveraging the private extension of that network to avoid cross-border congestion. The userΓÇÖs SDWAN or VPN can now be configured to exclude Teams meeting and calling real-time traffic from the VPN routing. This VPN configuration is referred to as split tunneling. See [VPN split tunneling for Office 365](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel) for more information.
+
+You can also continue to use your SDWAN or VPN for all Microsoft 365 traffic, including for Microsoft Teams real-time traffic. Microsoft has no recommendations on the use of SDWAN or VPN solutions.
+
+### Home, mobile, and user network best practices for Teams meetings
+
+Users in China can take advantage of these improvements simply by connecting to the public internet service in China with a landline or mobile connection. Teams real-time media audio and video traffic on the public internet directly benefits from improved connectivity and quality.
+
+However, data from other Microsoft 365 servicesΓÇöand other traffic in Teams, such as chat or filesΓÇöwill not directly benefit from these improvements. Users outside the organization network may still experience poor network performance for this traffic. As discussed in this article, you can mitigate these effects by using a VPN or SDWAN. You can also have your users use rich desktop clients over web clients, which support in-app caching to mitigate network issues.
+
+### Identifying Teams real-time media network traffic
+
+For configuring a network device or a VPN/SDWAN setup, you need to exclude only the Teams real-time media audio and video traffic. The traffic details can be found for ID 11 on the official list of [Office 365 URLs and IP address ranges](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams). All other network configurations should remain as-is.
+
+Microsoft is continually working to improve the Microsoft 365 user experience and the performance of clients over the widest possible range of network architectures and characteristics. Visit the [Office 365 Networking Tech Community]( https://techcommunity.microsoft.com/t5/office-365-networking/bd-p/Office365Networking) to start or join a conversation, find resources, and submit feature requests and suggestions
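Review bot: the sentence "You need to consider how to leverage these network improvements, given that the previous guidance to consider a private network extension to avoid cross-border network congestion." in the Organization network best practices subsection is incomplete (the "given that" clause has no verb); "given the earlier guidance to use a private network extension to avoid cross-border congestion" fixes it. The opening paragraph of the new section also repeats the article's first sentence almost word for word ("For organizations with global Microsoft 365 tenants and a presence in China, Microsoft 365 client performance for China-based users can be complicated by ..."), so trim one or turn the second into a short back-reference. In the closing paragraph, the link target `]( https://techcommunity.microsoft.com/...` has a leading space inside the parentheses, which some Markdown renderers reject, and the sentence has no final period. The new `https://docs.microsoft.com/microsoft-365/enterprise/...` links are absolute where this file otherwise uses relative paths (`./network-planning-and-performance.md`, `/microsoftteams/...`). Finally, the curly quotes and apostrophes in the added text show up as "ΓÇ£town hallΓÇ¥", "userΓÇÖs" and "servicesΓÇö", which is UTF-8 saved or read with the wrong code page; re-save the file as UTF-8 or use plain ASCII punctuation.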
## Related topics
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
| Notify users of required IMAP4/POP3/SMTP client changes. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols IMAP4, POP3, SMTP are required to manually update their client devices to switch to the [Office 365 worldwide endpoints](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide). | Pre-communicate this dependency to users of these protocols and ensure they either switch to use Outlook mobile or Outlook on the web during this migration. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. | ||||
-### Exchange Online Hybrid configuration
+### Exchange Online Hybrid customers
**Applies to:** All customers using an active Exchange Hybrid Configuration with Exchange servers on-premises<br> **When applied**: Any time before Phase 5 starts
-Enterprise customers with a hybrid deployment of Exchange Online and an on-premises Exchange Server run the Hybrid Configuration Wizard (HCW) to maintain and establish the hybrid setup. When transitioning from Microsoft Cloud Deutschland to the Office 365 Germany region, the administrator must re-run the latest build of HCW in "Office 365 Germany" mode before the Exchange migration (Phase 5) begins. Then, run the HCW again in "Office 365 Worldwide" mode on completion of Phase 5 to finalize the on-premises deployment with the Office 365 Germany region settings.
+Enterprise customers with a hybrid deployment of Exchange Online and an on-premises Exchange Server run the Hybrid Configuration Wizard (HCW) and AAD Connect to maintain and establish the hybrid setup. When transitioning from Microsoft Cloud Deutschland to the Office 365 Germany region, the administrator must re-run the latest build of HCW in "Office 365 Germany" mode before the Exchange migration (Phase 5) begins. Then, run the HCW again in "Office 365 Worldwide" mode on completion of Phase 5 to finalize the on-premises deployment with the Office 365 Germany region settings. Directory attributes are synced between Office 365 and Azure AD with the on-premises deployment through AAD Connect.
| Step(s) | Description | Impact | |:-|:-|:-|
-| (Pre-Stage 5) - Re-run HCW using Office 365 Germany settings <br><br> <i>You may start this activity immediately after receiving the message center notification that your Office 365 tenant migration has begun (phase 1).</i>| Uninstalling and re-running HCW (17.0.5378.0 or higher) from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) before Stage 5 will ensure that your on-premises configuration is prepared to send and receive mail with both Microsoft Cloud Deutschland users and users who are migrated to Office 365 Germany region. <p><li> In the HCW, for the list box below **My Office 365 organization is hosted by**, select **Office 365 Germany.** | Failing to complete this task before Stage 5 [Exchange Migration] begins may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
-| (Post-Stage 5) - Re-run HCW using Office 365 Worldwide settings <br><br> <i>You may start this activity after receiving the message center notification that your Exchange Migration is complete (Phase 5).</i>| Uninstalling and re-running HCW from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) after Stage 5 will reset the on-premises configuration for hybrid configuration with only Office 365 global. <p><li> In the list box below **My Office 365 organization is hosted by**, select **Office 365 Worldwide**. | Failing to complete this task before Stage 9 [Migration Complete] may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
+| (Pre-Phase 5) - Re-run HCW using Office 365 Germany settings <br><br> <i>You may start this activity immediately after receiving the message center notification that your Office 365 tenant migration has begun (phase 1).</i>| Uninstalling and re-running HCW (17.0.5378.0 or higher) from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) before Phase 5 will ensure that your on-premises configuration is prepared to send and receive mail with both Microsoft Cloud Deutschland users and users who are migrated to Office 365 Germany region. <p><li> In the HCW, for the list box below **My Office 365 organization is hosted by**, select **Office 365 Germany.** | Failing to complete this task before Phase 5 [Exchange Migration] begins may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
+| (Post-Phase 5) - Re-run HCW using Office 365 Worldwide settings <br><br> <i>You may start this activity after receiving the message center notification that your Exchange Migration is complete (Phase 5).</i>| Uninstalling and re-running HCW from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) after Phase 5 will reset the on-premises configuration for hybrid configuration with only Office 365 global. <p><li> In the list box below **My Office 365 organization is hosted by**, select **Office 365 Worldwide**. | Failing to complete this task before Phase 9 [Migration Complete] may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
| Establish AuthServer on-premises pointing to global Security Token Service (STS) for authentication | This ensures that authentication requests for Exchange availability requests from users in migration state that target the hybrid on-premises environment are authenticated to access the on-premises service. Similarly, this will ensure authentication of requests from on-premises to Office 365 Global services endpoints. | After Azure AD migration (phase 2) is complete, the administrator of the on-premises Exchange (hybrid) topology must add a new authentication service endpoint for the Office 365 Global services. With this command from Exchange PowerShell, replace `<TenantID>` with your organization's tenant ID found in the Azure portal on Azure Active Directory.<br>`New-AuthServer GlobalMicrosoftSts -AuthMetadataUrl https://accounts.accesscontrol.windows.net/<TenantId>/metadata/json/1`<br> Failing to complete this task may result in hybrid free-busy requests failing to provide information for mailbox users who have been migrated from Microsoft Cloud Deutschland to Office 365 services. |
+| (Pre-Phase 5) - Preserving Shared Mailbox settings | Some Hybrid customers have converted cloud user mailboxes to be 'shared' mailboxes using Exchange Online commands. This cloud mailbox configuration is written to the mailbox and local Exchange Online directory, however, it is not synced back to the customer's Active Directory via AAD Connect. The result is a discrepancy between the Active Directory representation of the mailbox RemoteRecipientType and RemoteDisplayType values and that in Exchange Online defining the mailbox as shared. <br><br> The customer is responsible to ensure that all Shared mailboxes are properly provisioned using `New-RemoteMailbox -Shared`, `Enable-RemoteMailbox -Shared`, or `Set-RemoteMailbox -Shared`. See this reference for how to [Convert a user's mailbox in a hybrid environment](https://docs.microsoft.com/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox?view=o365-worldwide).| Failing to complete this task before Phase 5 [Exchange Online Migration] may result in NDRs for Shared Mailboxes which convert back to unlicensed mailboxes and loss of shared access for affected mailboxes. [Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](https://docs.microsoft.com/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes) outlines the impact of not addressing this before Exchange Online Migration completes.
|||| ## Skype for Business Online
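Review bot: the Impact cell of the new "(Pre-Phase 5) - Preserving Shared Mailbox settings" row is hard to act on: "may result in NDRs for Shared Mailboxes which convert back to unlicensed mailboxes and loss of shared access" runs the cause and two consequences together. State the chain the row's own description already implies: directory synchronization after migration rewrites the mailbox type from the on-premises `RemoteRecipientType` and `RemoteDisplayType` values, the mailbox becomes an unlicensed user mailbox, mail to it NDRs and the people who used it lose access. A concrete pre-check belongs in the Step(s) column too, for example comparing the shared mailboxes Exchange Online reports (`Get-Mailbox -RecipientTypeDetails SharedMailbox`) with what `Get-RemoteMailbox` reports on-premises and fixing any that were not provisioned with `-Shared`. Two smaller points in the same hunk: "The customer is responsible to ensure" should read "responsible for ensuring", and the sentence added to the intro paragraph, "Directory attributes are synced between Office 365 and Azure AD with the on-premises deployment through AAD Connect", is garbled; AAD Connect synchronizes on-premises Active Directory to Azure AD, which Exchange Online then reads, so say that.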
enterprise View Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-service-health.md
If you are unable to sign in to the admin center, you can use the [service statu
1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), and sign in with an admin account. > [!NOTE]
- > People who are assigned the global admin or service administrator role can view service health. To allow Exchange, SharePoint, and Skype for Business admins to view service health, they must also be assigned the Service admin role. For more information about roles that can view service health, see [About admin roles](../admin/add-users/about-admin-roles.md?preserve-view=true&view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles).
+ > People who are assigned the global admin or service support admin role can view service health. To allow Exchange, SharePoint, and Skype for Business admins to view service health, they must also be assigned the Service admin role. For more information about roles that can view service health, see [About admin roles](../admin/add-users/about-admin-roles.md?preserve-view=true&view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles).
2. If you are not using the new admin center, on the **Home** page, select the **Try the new admin center** toggle in the upper-right corner.
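Review bot: the rename on the `+` line is only half applied: the note now says "global admin or service support admin role", but its next sentence still says Exchange, SharePoint and Skype for Business admins "must also be assigned the Service admin role". Use one role name in both sentences, otherwise the reader is sent to the linked About admin roles page to look for a role the note has just called something else.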
security Advanced Hunting Assignedipaddress Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-assignedipaddress-function.md
- Title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender for Endpoint
-description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--- Previously updated : 09/20/2020--
-# AssignedIPAddresses()
--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
-Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
-
-This function returns a table with the following columns:
-
-Column | Data type | Description
--|-|-
-`Timestamp` | datetime | Latest time when the device was observed using the IP address
-`IPAddress` | string | IP address used by the device
-`IPType` | string | Indicates whether the IP address is a public or private address
-`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype)
-`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet
-
-## Syntax
-
-```kusto
-AssignedIPAddresses(x, y)
-```
-
-## Arguments
--- **x**ΓÇö`DeviceId` or `DeviceName` value identifying the device-- **y**ΓÇö`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.-
-## Examples
-
-### Get the list of IP addresses used by a device 24 hours ago
-
-```kusto
-AssignedIPAddresses('example-device-name', ago(1d))
-```
-
-### Get IP addresses used by a device and find devices communicating with it
-
-This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices.
-
-```kusto
-let Date = datetime(example-date);
-let DeviceName = "example-device-name";
-// List IP addresses used on or before the specified date
-AssignedIPAddresses(DeviceName, Date)
-| project DeviceName, IPAddress, AssignedTime = Timestamp
-// Get all network events on devices with the assigned IP addresses as the destination addresses
-| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
-// Get only network events around the time the IP address was assigned
-| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
-```
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
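Review bot: this hunk removes the entire AssignedIPAddresses() page and nothing in this change adds a replacement or a redirect, so existing inbound links will break unless a redirect ships in the same change; the same applies to the other whole-page removals that follow. If the page is being relocated rather than retired, carry a fix for the `ConnectedNetworks` row, which gives the data type as `int` while its description says "Each JSON array contains the network name, category (public, private, or domain), a description, and a flag"; a JSON array is a `string` column, which is how the other JSON-carrying columns in these tables (`AdditionalFields`, `CrlDistributionPointUrls`) are typed.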
security Advanced Hunting Best Practices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-best-practices.md
- Title: Query best practices for advanced hunting
-description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# Advanced hunting query best practices
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
-
-## Optimize query performance
-
-Apply these recommendations to get results faster and avoid timeouts while running complex queries.
--- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.-- Use time filters first. Ideally, limit your queries to seven days.-- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.-- Use the `has` operator over `contains` when looking for full tokens.-- Look in a specific column rather than running full text searches across all columns.-- When joining tables, specify the table with fewer rows first.-- `project` only the necessary columns from tables you've joined.-
->[!TIP]
->For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
-
-## Query tips and pitfalls
-
-### Queries with process IDs
-
-Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
-
-The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
-
-```kusto
-DeviceNetworkEvents
-| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
-| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
-| where RemoteIPCount > 10
-```
-
-The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
-
-### Queries with command lines
-
-Command lines can vary. When applicable, filter on file names and do fuzzy matching.
-
-There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
-
-To create more durable queries using command lines, apply the following practices:
--- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field.-- When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.-- Use case insensitive matches. For example, use `=~`, `in~`, and `contains` instead of `==`, `in` and `contains_cs`-- To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.-
-The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
-
-```kusto
-// Non-durable query - do not use
-DeviceProcessEvents
-| where ProcessCommandLine == "net stop MpsSvc"
-| limit 10
-
-// Better query - filters on filename, does case-insensitive matches
-DeviceProcessEvents
-| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
-
-// Best query also ignores quotes
-DeviceProcessEvents
-| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe")
-| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
-| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
-```
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Work with query results](advanced-hunting-query-results.md)-- [Custom detections overview](overview-custom-detections.md)
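Review bot: same whole-page removal with no replacement or redirect visible in this change. If the content is being moved, reconcile the command-line section with its own example: the bullet list says to mitigate obfuscation by "removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space", but the "Best query" performs only the first step (`| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)`); either extend the example to the other two normalizations or say that it shows quote removal only. One further nit: the bullet recommending `contains` over `contains_cs` is right about case, but the Optimize section earlier recommends `has` over `contains` for full tokens, and the "Better query" matches `contains "stop"` where `has "stop"` would satisfy both recommendations.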
security Advanced Hunting Deviceevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-deviceevents-table.md
- Title: DeviceEvents table in the advanced hunting schema
-description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceEvents
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populatedΓÇöuse the SHA1 column when available |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` |string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
-| `ProcessId` | int | Process ID (PID) of the newly created process |
-| `ProcessCommandLine` | string | Command line used to create the new process |
-| `ProcessCreationTime` | datetime | Date and time the process was created |
-| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `RegistryKey` | string | Registry key that the recorded action was applied to |
-| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
-| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `LocalIP` | string | IP address assigned to the local device used during communication |
-| `LocalPort` | int | TCP port on the local device used during communication |
-| `FileOriginUrl` | string | URL where the file was downloaded from |
-| `FileOriginIP` | string | IP address where the file was downloaded from |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populatedΓÇöuse the SHA1 column when available |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
--
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
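Review bot: same whole-page removal, same redirect question. If moved, the `ProcessId`, `ProcessCommandLine`, `ProcessCreationTime` and `ProcessTokenElevation` rows are described in terms of "the newly created process", wording that belongs to a process-creation table; for a table whose introduction says it carries "various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection", say which action types populate these columns and what they hold for the rest.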
security Advanced Hunting Devicefilecertificateinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicefilecertificateinfo-table.md
- Title: DeviceFileCertificateInfo table in the advanced hunting schema
-description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--- Previously updated : 01/14/2020--
-# DeviceFileCertificateInfo
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `IsSigned` | boolean | Indicates whether the file is signed |
-| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
-| `Signer` | string | Information about the signer of the file |
-| `SignerHash` | string | Unique hash value identifying the signer |
-| `Issuer` | string | Information about the issuing certificate authority (CA) |
-| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) |
-| `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) |
-| `CrlDistributionPointUrls` | string | JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) |
-| `CertificateCreationTime` | datetime | Date and time the certificate was created |
-| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire |
-| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned |
-| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
-| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
--
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
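Review bot: same whole-page removal, same redirect question. If moved, fix the `CrlDistributionPointUrls` description: the column is documented as "URLs of network shares that contain certificates and certificate revocation lists (CRLs)", but CRL distribution points are the URLs from the certificate's CDP extension, normally HTTP or LDAP, not network shares. It is also worth stating for `IsTrusted` that the value is the WinVerifyTrust result as of `Timestamp` and is refreshed only when the endpoint re-verifies the file; the intro's "verification activities regularly performed on files" is the hook for that sentence.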
security Advanced Hunting Devicefileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicefileevents-table.md
- Title: DeviceFileEvents table in the advanced hunting schema
-description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceFileEvents
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populatedΓÇöuse the SHA1 column when available |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `FileOriginUrl` | string | URL where the file was downloaded from |
-| `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
-| `FileOriginIP` | string | IP address where the file was downloaded from |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
-| `ShareName` | string | Name of shared folder containing the file |
-| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
-| `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
-| `RequestAccountName` | string | User name of account used to remotely initiate the activity |
-| `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
-| `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
-| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
-| `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
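Review bot: three wording defects in the removed DeviceFileEvents rows should not travel with this content if it is being relocated. The `SHA256` row contains the mis-encoded sequence `ΓÇö` where an em dash belongs ("usually not populatedΓÇöuse the SHA1 column"); the `RequestAccountSid` row reads "of the account to remotely initiate the activity" and is missing "used" (compare the `RequestAccountName` and `RequestAccountDomain` rows directly above it); and the `InitiatingProcessIntegrityLevel` description starts with lowercase "integrity level" while the same row in the other tables in this change is capitalized.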
security Advanced Hunting Deviceimageloadevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-deviceimageloadevents-table.md
- Title: DeviceImageLoadEvents table in the advanced hunting schema
-description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceImageLoadEvents
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
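Review bot: this hunk deletes the entire DeviceImageLoadEvents reference page, front matter through Related topics, and no replacement content appears in this change. The other schema pages in this change cross-link to their siblings by relative path (for example `advanced-hunting-schema-reference.md` and `advanced-hunting-overview.md`), so a redirect for `advanced-hunting-deviceimageloadevents-table.md` should be in place before this lands; otherwise inbound links to the DLL-load schema break for readers hunting on `InitiatingProcessCommandLine` or `FolderPath` from this table.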
security Advanced Hunting Deviceinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-deviceinfo-table.md
- Title: DeviceInfo table in the advanced hunting schema
-description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceInfo
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ClientVersion` | string | Version of the endpoint agent or sensor running on the device |
-| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy |
-| `OSArchitecture` | string | Architecture of the operating system running on the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
-| `OSBuild` | string | Build version of the operating system running on the device |
-| `IsAzureADJoined` | boolean | Boolean indicator of whether device is joined to the Azure Active Directory |
-| `LoggedOnUsers` | string | List of all users that are logged on the device at the time of the event in JSON array format |
-| `RegistryDeviceTag` | string | Device tag added through the registry |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
-| `OSVersion` | string | Version of the operating system running on the device |
-| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
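Review bot: the `ReportId` row in the removed DeviceInfo table refers to DeviceName and Timestamp as plain text, while the same row in the other tables in this change formats them as `DeviceName` and `Timestamp` code spans; align them if the content is being carried forward. Two descriptions also read awkwardly: `LoggedOnUsers` says "logged on the device" (should be "logged on to the device"), and `MachineGroup` says "Machine group of the machine", where "Group that the device belongs to. This group is used by role-based access control to determine access to the device" is clearer and matches the table's use of "device" everywhere else.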
security Advanced Hunting Devicelogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicelogonevents-table.md
- Title: DeviceLogonEvents table in the advanced hunting schema
-description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceLogonEvents
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
-
-> [!NOTE]
-> Collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008 R2.
-> We recommend upgrading to Windows 10 or Windows Server 2019 for optimal visibility into user logon activity.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string |Type of activity that triggered the event |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` | string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the device using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populatedΓÇöuse the SHA1 column when available |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the device |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
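Review bot: the `InitiatingProcessSHA256` row carries the same mis-encoded `ΓÇö` in place of an em dash ("usually not populatedΓÇöuse the SHA1 column when available") that appears in the other SHA-256 rows in this change, and the `ActionType` row is missing the space after the cell delimiter ("| string |Type of activity") that the other tables have. The note that collection is not supported on Windows 7 or Windows Server 2008 R2 should stay prominent wherever this content moves, since readers on those platforms will otherwise query `DeviceLogonEvents` for `LogonType` or `IsLocalAdmin` and get no rows without understanding why.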
security Advanced Hunting Devicenetworkevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicenetworkevents-table.md
- Title: DeviceNetworkEvents table in the advanced hunting schema
-description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceNetworkEvents
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `LocalIP` | string | IP address assigned to the local device used during communication |
-| `LocalPort` | int | TCP port on the local device used during communication |
-| `Protocol` | string | IP protocol used, whether TCP or UDP |
-| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
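Review bot: the `Protocol`, `RemotePort` and `LocalPort` rows are inconsistent with each other. `Protocol` is described as "IP protocol used, whether TCP or UDP", but TCP and UDP are transport-layer protocols, and `RemotePort` and `LocalPort` are described as "TCP port" even though the same table allows UDP connections; "Transport protocol used, TCP or UDP" for `Protocol` and "TCP or UDP port on the remote device that was being connected to" for the port rows would make the three agree.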
security Advanced Hunting Devicenetworkinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicenetworkinfo-table.md
- Title: DeviceNetworkInfo table in the advanced hunting schema
-description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceNetworkInfo
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `NetworkAdapterName` | string | Name of the network adapter |
-| `MacAddress` | string | MAC address of the network adapter |
-| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2&preserve-view=true) |
-| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2&preserve-view=true) |
-| `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
-| `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
-| `DnsAddresses` | string | DNS server addresses in JSON array format |
-| `IPv4Dhcp` | string | IPv4 address of DHCP server |
-| `IPv6Dhcp` | string | IPv6 address of DHCP server |
-| `DefaultGateways` | string | Default gateway addresses in JSON array format |
-| `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
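Review bot: the `ConnectedNetworks` description, "Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet", conflates the array with its elements; the column holds one JSON array, and it is each element of that array that carries the name, category, description and flag, so "A JSON array in which each element contains..." is the accurate wording. The same pattern applies to `IPAddresses`, which already says "JSON array containing all the IP addresses ... along with their respective subnet prefix" and is the phrasing to copy.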
security Advanced Hunting Deviceprocessevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-deviceprocessevents-table.md
- Title: DeviceProcessEvents table in the advanced hunting schema
-description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceProcessEvents
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populatedΓÇöuse the SHA1 column when available. |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `ProcessId` | int | Process ID (PID) of the newly created process |
-| `ProcessCommandLine` | string | Command line used to create the new process |
-| `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
-| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| `ProcessCreationTime` | datetime | Date and time the process was created |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` | string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populatedΓÇöuse the SHA1 column when available |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
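Review bot: the `ProcessIntegrityLevel` row has a typo, "launched from an internet downloaded", which the equivalent `InitiatingProcessIntegrityLevel` row further down gets right as "launched from an internet download"; and both the `SHA256` and `InitiatingProcessSHA256` rows contain the mis-encoded `ΓÇö` where an em dash belongs. Minor style point in the same table: the `SHA256` and `InitiatingProcessLogonId` cells end with a period while every other cell in the table does not.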
security Advanced Hunting Deviceregistryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-deviceregistryevents-table.md
- Title: DeviceRegistryEvents table in the advanced hunting schema
-description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceRegistryEvents
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `RegistryKey` | string | Registry key that the recorded action was applied to |
-| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
-| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
-| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
-| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
-| `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
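Review bot: the `InitiatingProcessTokenElevation` description expands UAC as "User Access Control"; the Windows feature is User Account Control, so the text should read "User Account Control (UAC)". Also, this table lists only `InitiatingProcessSHA1` and `InitiatingProcessMD5` while the preceding table also documents `InitiatingProcessSHA256` (with the caveat that it is usually not populated); if the column exists here too, document it with the same caveat so hunters do not filter on an empty field.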
security Advanced Hunting Devicetvmsecureconfigurationassessment Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
- Title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
-description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceTvmSecureConfigurationAssessment
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)---
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--
-Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
-| `Timestamp` | datetime |Date and time when the record was generated |
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
-| `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device |
-| `Context` | string | Additional contextual information about the configuration or policy |
-| `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied |
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
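Review bot: `ConfigurationImpact` is typed `string` while its description calls it a 1-10 rating; either the type should be numeric or the description should state that the value is a numeric string that needs `toint()` before comparing or sorting, since plain string comparison orders "10" before "9". The `IsExpectedUserImpactCompliant` description ("whether there will be user impact if the configuration or policy is applied") also reads as the opposite of the column name; say explicitly what `true` means. The Related topics line again has its bullets concatenated after a stray `--`.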
security Advanced Hunting Devicetvmsecureconfigurationassessmentkb Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
- Title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
-description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceTvmSecureConfigurationAssessmentKB
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--
-The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations ΓÇö such as whether a device has automatic updates on ΓÇö checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `ConfigurationName` | string | Display name of the configuration |
-| `ConfigurationDescription` | string | Description of the configuration |
-| `RiskDescription` | string | Description of the associated risk |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
-| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
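Review bot: the `RelatedMitreTactics ` row has a trailing space inside the backticks, which renders as part of the column name; it should be `RelatedMitreTactics`. The same two rows write "Mitre ATT&CK" while the introductory paragraph writes "MITRE ATT&CK"; use the uppercase form consistently. That paragraph also contains two mis-encoded dashes (`ΓÇö`) around "such as whether a device has automatic updates on".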
security Advanced Hunting Devicetvmsoftwareinventory Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicetvmsoftwareinventory-table.md
- Title: DeviceTvmSoftwareInventory table in the advanced hunting schema
-description: Learn about the inventory of software in your devices in the DeviceTvmSoftwareInventory table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceTvmSoftwareInventory
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--
-The `DeviceTvmSoftwareInventory` table in the advanced hunting schema contains the [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) inventory of software currently installed on devices in your network, including end of support information. You can, for instance, hunt for events involving devices that are installed with a currently vulnerable software version. Use this reference to construct queries that return information from the table.
-
-DeviceTVMSoftwareInventory contains all the software which threat and vulnerability management was able to match to a Common Platform Enumeration (CPE) ΓÇô whether it is vulnerable or not.
-
->[!NOTE]
->The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `DeviceId` | string | Unique identifier for the device in the service. |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device. |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| `OSVersion` | string | Version of the operating system running on the device. |
-| `OSArchitecture` | string | Architecture of the operating system running on the device. |
-| `SoftwareVendor` | string | Name of the software vendor. |
-| `SoftwareName` | string | Name of the software product. |
-| `SoftwareVersion` | string | Version number of the software product. |
-| `EndOfSupportStatus` | string | Indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date. |
-| `EndOfSupportDate` | string | End-of-support (EOS) or end-of-life (EOL) date of the software product. |
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
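Review bot: the second paragraph names the table as "DeviceTVMSoftwareInventory" in plain text, which differs in case from the backticked `DeviceTvmSoftwareInventory` used everywhere else, and contains a mis-encoded dash (`ΓÇô`) before "whether it is vulnerable or not". Separately, `EndOfSupportDate` is typed `string` although it holds a date, whereas the schema's other date columns (`Timestamp`, `LastModifiedTime`, `PublishedDate`) are `datetime`; either change the type or document the string format so hunters know to apply `todatetime()` before comparing against `now()`.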
security Advanced Hunting Devicetvmsoftwareinventoryvulnerabilities Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
- Title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
-description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceTvmSoftwareInventoryVulnerabilities
---
-**Applies to:**
--- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
---
-The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| `OSVersion` | string | Version of the operating system running on the device |
-| `OSArchitecture` | string | Architecture of the operating system running on the device |
-| `SoftwareVendor` | string | Name of the software vendor |
-| `SoftwareName` | string | Name of the software product |
-| `SoftwareVersion` | string | Version number of the software product |
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
---
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
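Review bot: this is the table that the note on the `DeviceTvmSoftwareInventory` page says has been replaced by `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities`, yet the page itself carries no deprecation notice; add the same `[!NOTE]` here so readers landing on it are pointed to the replacements. The schema-reference link also uses the absolute `/windows/security/threat-protection/microsoft-defender-atp/...` path while the `DeviceRegistryEvents` and `DeviceTvmSoftwareVulnerabilitiesKB` pages use the relative `advanced-hunting-schema-reference.md`; use the relative link consistently. Two stray `---` lines sit before "**Applies to:**" and before the introductory paragraph.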
security Advanced Hunting Devicetvmsoftwarevulnerabilities Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md
- Title: DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema
-description: Learn about software vulnerabilities found on devices and the list of available security updates that address each vulnerability in the DeviceTvmSoftwareVulnerabilities table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceTvmSoftwareVulnerabilities
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--
-The `DeviceTvmSoftwareVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
-
->[!NOTE]
->The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| `OSVersion` | string | Version of the operating system running on the device |
-| `OSArchitecture` | string | Architecture of the operating system running on the device |
-| `SoftwareVendor` | string | Name of the software vendor |
-| `SoftwareName` | string | Name of the software product |
-| `SoftwareVersion` | string | Version number of the software product |
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| `RecommendedSecurityUpdate` | string | Name or description of the security update provided by the software vendor to address the vulnerability |
-| `RecommendedSecurityUpdateId` | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles |
---
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
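Review bot: the `VulnerabilitySeverityLevel` description says the level is "based on the CVSS score", but the score itself is not in this table; it is `CvssScore` in `DeviceTvmSoftwareVulnerabilitiesKB`, as is `IsExploitAvailable`. Add a sentence stating that those columns are obtained by joining to the KB table on `CveId`, since that join is what a hunter needs to prioritise vulnerable devices. Minor: the descriptions here have no trailing period while the identical columns in `DeviceTvmSoftwareInventory` do; pick one style.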
security Advanced Hunting Devicetvmsoftwarevulnerabilitieskb Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
- Title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
-description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# DeviceTvmSoftwareVulnerabilitiesKB
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--
-The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
-| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
-| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
-| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
-| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
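Review bot: the `CvssScore` description has a typo ("under th Common Vulnerability Scoring System"), and the column is typed `string` although it holds a numeric score; either type it as a number or state that `todouble()` is needed before comparing. The `PublishedDate` description ("Date vulnerability was disclosed to public") should read "Date the vulnerability was publicly disclosed".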
security Advanced Hunting Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-errors.md
- Title: Handle errors in advanced hunting for Microsoft Defender ATP
-description: Understand errors displayed when using advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# Handle advanced hunting errors
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)--
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
-
-| Error type | Cause | Resolution | Error message examples |
-|--|--|--|--|
-| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` |
-| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`|
-| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` |
-| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`<br>- `You have exceeded processing resources allocated to this tenant. You can run queries again in <duration>.` |
-| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum limit. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` |
-| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`<br>-`Query stopped. Adjust use of the <operator name> operator to avoid excessive resource consumption.` |
-| Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.`
-
-## Related topics
-- [Advanced hunting best practices](advanced-hunting-best-practices.md)-- [Service limits](advanced-hunting-limits.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Kusto Query Language overview](https://docs.microsoft.com/azure/data-explorer/kusto/query/)
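Review bot: the front-matter title says "Microsoft Defender ATP" while the body's "Applies to" says "Microsoft Defender for Endpoint"; use the current product name in the title. The "Unknown errors" row is missing its closing `|`, so that table row will not render like the others. In the CPU throttling row, the explanation of the 15-minute and daily checks and the 10% warning threshold describes behaviour rather than a fix and belongs in the Cause column, leaving Resolution with the optimisation link.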
security Advanced Hunting Extend Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-extend-data.md
- Title: Extend advanced hunting coverage with the right settings
-description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
-keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--- Previously updated : 10/10/2020--
-# Extend advanced hunting coverage with the right settings
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
-[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
-
-## Advanced security auditing on Windows devices
-
-Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
-
-Data | Description | Schema table | How to configure
--|-|-|-
-Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
-Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
-Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Work with query results](advanced-hunting-query-results.md)-- [Apply query best practices](advanced-hunting-best-practices.md)-- [Custom detections overview](overview-custom-detections.md)
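Review bot: removing this page drops the only place in this change set that ties the Windows advanced audit policies (Audit User Account Management, Audit Security Group Management, Audit Security System Extension) to the `DeviceEvents` `ActionType` values they produce, including `ServiceInstalled`; without that table a hunter who sees no local account or service-creation events has no in-product pointer to the missing audit setting. Confirm a redirect to wherever the content now lives is part of this commit, or keep the table in one of the remaining advanced hunting pages.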
security Advanced Hunting Fileprofile Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-fileprofile-function.md
- Title: FileProfile() function in advanced hunting for Microsoft Defender for Endpoint
-description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--- Previously updated : 09/20/2020--
-# FileProfile()
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-
-The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
-
-Column | Data type | Description
--|-|-
-SHA1 | string | SHA-1 of the file that the recorded action was applied to
-SHA256 | string | SHA-256 of the file that the recorded action was applied to
-MD5 | string | MD5 hash of the file that the recorded action was applied to
-FileSize | int | Size of the file in bytes
-GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
-GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
-GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
-Signer | string | Information about the signer of the file
-Issuer | string | Information about the issuing certificate authority (CA)
-SignerHash | string | Unique hash value identifying the signer
-IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
-IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
-IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
-ThreatName | string | Detection name for any malware or other threats found
-Publisher | string | Name of the organization that published the file
-SoftwareName | string | Name of the software product
-
-## Syntax
-
-```kusto
-invoke FileProfile(x,y)
-```
-
-## Arguments
--- **x** ΓÇö file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified-- **y** ΓÇö limit to the number of records to enrich, 1-1000; function uses 100 if unspecified-
-## Examples
-
-### Project only the SHA1 column and enrich it
-
-```kusto
-DeviceFileEvents
-| where isnotempty(SHA1) and Timestamp > ago(1d)
-| take 10
-| project SHA1
-| invoke FileProfile()
-```
-
-### Enrich the first 500 records and list low-prevalence files
-
-```kusto
-DeviceFileEvents
-| where ActionType == "FileCreated" and Timestamp > ago(1d)
-| project CreatedOn = Timestamp, FileName, FolderPath, SHA1
-| invoke FileProfile("SHA1", 500)
-| where GlobalPrevalence < 15
-```
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)
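Review bot: the Syntax block shows `invoke FileProfile(x,y)` with both arguments looking mandatory, while the Arguments section and the first example (`| invoke FileProfile()`) rely on both being optional with defaults of `SHA1` and 100; if this page is relocated rather than dropped, mark the arguments optional in the syntax line and state the defaults there, so readers do not copy the two-argument form as required.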
security Advanced Hunting Go Hunt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-go-hunt.md
- Title: Get relevant info about an entity with go hunt
-description: Learn how to use the go hunt tool to quickly query for relevant information about an entity or event using advanced hunting.
-keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
-----
-# Quickly hunt for entity or event information with go hunt
--
-**Applies to:**
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--
-With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
-
-The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
--- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device.-
- ![Image showing device details with the go hunt option](./images/go-hunt-device.png)
--- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.-
- ![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png)
--- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.-
- ![Image showing event details with the go hunt option](./images/go-hunt-event.png)
-
-Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event.
-
-## Query for entity information
-
-When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.
-
-Here is an example of the go hunt query for a device:
-
-```kusto
-let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
-let deviceName = "fv-az770.example.com";
-let deviceId = "device-guid";
-search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents)
-Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
-and DeviceName == deviceName
-// or RemoteDeviceName == deviceName
-// or DeviceId == deviceId
-| take 100
-```
-
-### Supported entity types
-
-You can use *go hunt* after selecting any of these entity types:
--- Files-- Users-- Devices-- IP addresses-- URLs-
-## Query for event information
-
-When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
-
-```kusto
-// List relevant events 30 minutes before and after selected RegistryValueSet event
-let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
-search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
- Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
- and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
-| sort by Timestamp desc
-| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
-| project-reorder Relevance
-```
-
-## Adjust the query
-
-With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:
-
-```kusto
-Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
-```
-
-In addition to modifying the query to get more relevant results, you can also:
--- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart)-- [Create a custom detection rule](custom-detection-rules.md)-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Work with query results](advanced-hunting-query-results.md)-- [Custom detection rules](custom-detection-rules.md)
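Review bot: the device go hunt example lists `DeviceImageLoadEvents` twice in its `search in (...)` table list; Kusto tolerates the duplicate, but a documented query should not carry it, so fix it wherever this content is moved. The same query leaves the `RemoteDeviceName` and `DeviceId` matches commented out with no prose saying why; a sentence explaining that these are alternative pivots to uncomment would make the "Adjust the query" section more useful than the time-window example alone.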
security Advanced Hunting Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-limits.md
- Title: Advanced hunting limits in Microsoft Defender ATP
-description: Understand various service limits that keep the advanced hunting service responsive
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# Advanced hunting service limits
--
-**Applies to:**
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits.
-
-| Limit | Size | Refresh cycle | Description |
-|--|--|--|--|
-| Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |
-| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. |
-| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error.
-| CPU resources | Based on tenant size | - On the hour and then every 15 minutes<br>- Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. |
-
->[!NOTE]
->A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md)
-
-Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits.
-
-## Related topics
--- [Advanced hunting best practices](advanced-hunting-best-practices.md)-- [Handle advanced hunting errors](advanced-hunting-errors.md)-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Custom detections rules](custom-detection-rules.md)
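Review bot: the Timeout row of the limits table is missing its closing `|` (every other row ends with one), and the front-matter title still reads "Advanced hunting limits in Microsoft Defender ATP" while the body uses "Defender for Endpoint"; carry both fixes over if this page is being moved rather than deleted.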
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-overview.md
Watch this video for a quick overview of advanced hunting and a short tutorial t
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings. >[!TIP]
->Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/mtp-enable)
+>Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable).<br><br>
+Learn more about how to move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-migrate-from-mde).
## Get started with advanced hunting
Time information in advanced hunting is currently in the UTC time zone.
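Review bot: the second added line (`Learn more about how to move your advanced hunting workflows ...`) has no `>` prefix even though it is meant to sit inside the `[!TIP]` block that the preceding `>Use [advanced hunting ...]` line opens; it renders inside the tip only through lazy continuation, which the trailing `<br><br>` is there to work around. Prefix the line with `>` and drop the `<br><br>` in favour of a `>` blank line so the tip survives future edits.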
- [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md)-- [Custom detections overview](overview-custom-detections.md)
+- [Custom detections overview](overview-custom-detections.md)
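Review bot: the added line `- [Custom detections overview](overview-custom-detections.md)` is textually identical to the text that ends the preceding line; if that earlier text is the removed line, this is a whitespace-only change and the commit message should say so, and if it is unchanged context, the list item is now duplicated. Confirm which before merging.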
security Advanced Hunting Query Language https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-query-language.md
- Title: Learn the advanced hunting query language
-description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# Learn the advanced hunting query language
--
-**Applies to:**
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
-
-## Try your first query
-
-In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
-
-```kusto
-// Finds PowerShell execution events that could involve a download
-union DeviceProcessEvents, DeviceNetworkEvents
-| where Timestamp > ago(7d)
-// Pivoting on PowerShell processes
-| where FileName in~ ("powershell.exe", "powershell_ise.exe")
-// Suspicious commands
-| where ProcessCommandLine has_any("WebClient",
- "DownloadFile",
- "DownloadData",
- "DownloadString",
- "WebRequest",
- "Shellcode",
- "http",
- "https")
-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
-FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
-| top 100 by Timestamp
-```
-**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)**
-
-### Describe the query and specify the tables to search
-A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.
-
-```kusto
-// Finds PowerShell execution events that could involve a download
-```
-The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
-
-```kusto
-union DeviceProcessEvents, DeviceNetworkEvents
-```
-### Set the time range
-The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out.
-
-```kusto
-| where Timestamp > ago(7d)
-```
-
-### Check specific processes
-The time range is immediately followed by a search for process file names representing the PowerShell application.
-
-```kusto
-// Pivoting on PowerShell processes
-| where FileName in~ ("powershell.exe", "powershell_ise.exe")
-```
-
-### Search for specific command strings
-Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
-
-```kusto
-// Suspicious commands
-| where ProcessCommandLine has_any("WebClient",
- "DownloadFile",
- "DownloadData",
- "DownloadString",
- "WebRequest",
- "Shellcode",
- "http",
- "https")
-```
-
-### Customize result columns and length
-Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
-
-```kusto
-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
-FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
-| top 100 by Timestamp
-```
-
-Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results.
-
-![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
-
->[!TIP]
->You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
-
-## Learn common query operators for advanced hunting
-
-You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
-
-| Operator | Description and usage |
-|--|--|
-| `where` | Filter a table to the subset of rows that satisfy a predicate. |
-| `summarize` | Produce a table that aggregates the content of the input table. |
-| `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
-| `count` | Return the number of records in the input record set. |
-| `top` | Return the first N records sorted by the specified columns. |
-| `limit` | Return up to the specified number of rows. |
-| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
-| `extend` | Create calculated columns and append them to the result set. |
-| `makeset` | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
-| `find` | Find rows that match a predicate across a set of tables. |
-
-To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
-
-## Understand data types
-
-Advanced hunting supports Kusto data types, including the following common types:
-
-| Data type | Description and query implications |
-|--|--|
-| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) |
-| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) |
-| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) |
-| `int` | 32-bit integer |
-| `long` | 64-bit integer |
-
-To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/).
-
-## Get help as you write queries
-Take advantage of the following functionality to write queries faster:
--- **Autosuggest**ΓÇöas you write queries, advanced hunting provides suggestions from IntelliSense.-- **Schema tree**ΓÇöa schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.-- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**ΓÇöin-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries-
-## Work with multiple queries in the editor
-You can use the query editor to experiment with multiple queries. To use multiple queries:
--- Separate each query with an empty line.-- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.-
-![Image of the advanced hunting query editor with multiple queries](images/ah-multi-query.png)
-_Query editor with multiple queries_
-
-## Use sample queries
-
-The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
-
-![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png)
-
-> [!NOTE]
-> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries).
-
-## Access comprehensive query language reference
-
-For detailed information about the query language, see [Kusto query language documentation](https://docs.microsoft.com/azure/kusto/query/).
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Work with query results](advanced-hunting-query-results.md)-- [Use shared queries](advanced-hunting-shared-queries.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Apply query best practices](advanced-hunting-best-practices.md)
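Review bot: in the operator table, `makeset` is an aggregation function used inside `summarize`, not a tabular operator, and its current Kusto name is `make_set()`; the old spelling should not be carried to a new location. Two smaller fixes on the same page: the `datetime` row says "Data and time information" (should be "Date and time"), and the `Shellcode` entry in the first example's `has_any` list is a search term unlike the others, so a comment noting that it is a deliberately broad indicator would help readers tuning the query.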
security Advanced Hunting Query Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-query-results.md
- Title: Work with advanced hunting query results in Microsoft Defender ATP
-description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# Work with advanced hunting query results
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
--- View results as a table or chart-- Export tables and charts-- Drill down to detailed entity information-- Tweak your queries directly from the results or apply filters-
-## View query results as a table or chart
-By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
-
-| View type | Description |
-| -- | -- |
-| **Table** | Displays the query results in tabular format |
-| **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
-| **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
-| **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
-| **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
-| **Line chart** | Plots numeric values for a series of unique items and connects the plotted values |
-| **Scatter chart** | Plots numeric values for a series of unique items |
-| **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
-
-### Construct queries for effective charts
-When rendering charts, advanced hunting automatically identifies columns of interest and the numeric values to aggregate. To get meaningful charts, construct your queries to return the specific values you want to see visualized. Here are some sample queries and the resulting charts.
-
-#### Alerts by severity
-Use the `summarize` operator to obtain a numeric count of the values you want to chart. The query below uses the `summarize` operator to get the number of alerts by severity.
-
-```kusto
-DeviceAlertEvents
-| summarize Total = count() by Severity
-```
-When rendering the results, a column chart displays each severity value as a separate column:
-
-![Image of advanced hunting query results displayed as a column chart](images/advanced-hunting-column-chart.jpg)
-*Query results for alerts by severity displayed as a column chart*
-
-#### Alert severity by operating system
-You could also use the `summarize` operator to prepare results for charting values from multiple fields. For example, you might want to understand how alert severities are distributed across operating systems (OS).
-
-The query below uses a `join` operator to pull in OS information from the `DeviceInfo` table, and then uses `summarize` to count values in both the `OSPlatform` and `Severity` columns:
-
-```kusto
-DeviceAlertEvents
-| join DeviceInfo on DeviceId
-| summarize Count = count() by OSPlatform, Severity
-```
-These results are best visualized using a stacked column chart:
-
-![Image of advanced hunting query results displayed as a stacked chart](images/advanced-hunting-stacked-chart.jpg)
-*Query results for alerts by OS and severity displayed as a stacked chart*
-
-#### Top ten device groups with alerts
-If you're dealing with a list of values that isnΓÇÖt finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten device groups with the most alerts, use the query below:
-
-```kusto
-DeviceAlertEvents
-| join DeviceInfo on DeviceId
-| summarize Count = count() by MachineGroup
-| top 10 by Count
-```
-Use the pie chart view to effectively show distribution across the top groups:
-
-![Image of advanced hunting query results displayed as a pie chart](images/advanced-hunting-pie-chart.jpg)
-*Pie chart showing distribution of alerts across device groups*
-
-#### Malware detections over time
-Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
-
-```kusto
-DeviceEvents
-| where ActionType == "AntivirusDetection"
-| where SHA1 == "3395856ce81f2b7382dee72602f798b642f14140"
-| summarize Detections = count() by bin(Timestamp, 30m)
-```
-The line chart below clearly highlights time periods with more detections of the test malware:
-
-![Image of advanced hunting query results displayed as a line chart](images/advanced-hunting-line-chart.jpg)
-*Line chart showing the number of detections of a test malware over time*
--
-## Export tables and charts
-After running a query, select **Export** to save the results to local file. Your chosen view determines how the results are exported:
--- **Table view** ΓÇö the query results are exported in tabular form as a Microsoft Excel workbook-- **Any chart** ΓÇö the query results are exported as a JPEG image of the rendered chart-
-## Drill down from query results
-To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
-
-To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record:
--- **Assets** ΓÇö A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels-- **Process tree** ΓÇö A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees.-- **All details** ΓÇö Lists all the values from the columns in the record-
-## Tweak your queries from the results
-Right-click a value in the result set to quickly enhance your query. You can use the options to:
--- Explicitly look for the selected value (`==`)-- Exclude the selected value from the query (`!=`)-- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` -
-![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
-
-## Filter the query results
-The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances.
-
-Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**.
-
-![Image of advanced hunting filter](images/advanced-hunting-filter.png)
-
-Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Use shared queries](advanced-hunting-shared-queries.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Apply query best practices](advanced-hunting-best-practices.md)-- [Custom detections overview](overview-custom-detections.md)
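Review bot: the "Top ten device groups with alerts" query being removed here (`DeviceAlertEvents | join DeviceInfo on DeviceId | summarize Count = count() by MachineGroup`) does not count alerts. The default `join` flavor is `innerunique`, which keeps a single left-side row per `DeviceId`, and `DeviceInfo` holds many snapshot rows per device, so `Count` ends up as roughly one alert per device multiplied by that device's `DeviceInfo` row count. If this content is being moved rather than retired, carry it over with a deduplicated right side, for example `| join kind=inner (DeviceInfo | summarize arg_max(Timestamp, MachineGroup) by DeviceId) on DeviceId`, and give both chart queries an explicit `Timestamp > ago(...)` window so the chart's time range is stated rather than implied by the portal default.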
security Advanced Hunting Schema Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference.md
Last updated 01/14/2020
ms.technology: mde
-# Understand the advanced hunting schema
+# Understand the advanced hunting schema in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | | **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
+>[!TIP]
+>Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable)<br><br>
+Learn more about how to move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-migrate-from-mde).
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
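Review bot: the added `[!TIP]` callout is malformed: the second sentence (`Learn more about how to move your advanced hunting workflows ...`) has no `>` prefix and relies on lazy continuation plus a trailing `<br><br>` to stay inside the callout, which renders differently from the other TIP blocks in these pages. Prefix it with `>` and drop the `<br><br>`. Also, `Last updated 01/14/2020` is unchanged even though the page title and the cross-product guidance are new; bump the date so readers can tell this guidance postdates the Microsoft 365 Defender consolidation.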
security Advanced Hunting Shared Queries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-shared-queries.md
- Title: Use shared queries in advanced hunting
-description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# Use shared queries in advanced hunting
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-[Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
-
-![Image of shared queries](images/atp-advanced-hunting-shared-queries.png)
-
-## Save, modify, and share a query
-You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.
-
-1. Type a new query or load an existing one from under **Shared queries** or **My queries**.
-
-2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**.
-
-3. Enter a name for the query.
-
- ![Image of saving a query](images/advanced-hunting-save-query.png)
-
-4. Select the folder where you'd like to save the query.
- - **Shared queries** ΓÇö shared to all users in your organization
- - **My queries** ΓÇö accessible only to you
-
-5. Select **Save**.
-
-## Delete or rename a query
-1. Right-click on a query you want to rename or delete.
-
- ![Image of delete query](images/atp_advanced_hunting_delete_rename.png)
-
-2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
-
-## Create a direct link to a query
-To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select **Share link**.
-
-## Access queries in the GitHub repository
-Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
-
->[!TIP]
->Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Work with query results](advanced-hunting-query-results.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Apply query best practices](advanced-hunting-best-practices.md)-- [Custom detections overview](overview-custom-detections.md)
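Review bot: this deletes the whole shared-queries article with no redirect in the same change, taking with it the only pointer to the public query repository (`https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries`) and the statement that queries saved under **Shared queries** are visible to every user in the organization. If a Microsoft 365 Defender version replaces it, add the redirect here, and when the text is carried over make the sharing caveat explicit: device names, account names and indicator values embedded in a shared query are readable by everyone with advanced hunting access, so sensitive investigations belong under **My queries**.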
security Advanced Hunting Take Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-take-action.md
- Title: Take action on advanced hunting query results in Microsoft Threat Protection
-description: Quickly address threats and affected assets in your advanced hunting query results
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--- Previously updated : 09/20/2020--
-# Take action on advanced hunting query results
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
--- Take various actions on devices-- Quarantine files-
-## Required permissions
-
-To be able to take action through advanced hunting, you need a role in Defender for Endpoint with [permissions to submit remediation actions on devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
-
-*Active remediation actions > Threat and vulnerability management - Remediation handling*
-
-## Take various actions on devices
-
-You can take the following actions on devices identified by the `DeviceId` column in your query results:
--- Isolate affected devices to contain an infection or prevent attacks from moving laterally-- Collect investigation package to obtain more forensic information-- Run an antivirus scan to find and remove threats using the latest security intelligence updates-- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices-- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables-
-To learn more about how these response actions are performed through Defender for Endpoint, [read about response actions on devices](respond-machine-alerts.md).
-
-## Quarantine files
-
-You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
--- `SHA1` ΓÇö In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file.-- `InitiatingProcessSHA1` ΓÇö In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process. -- `SHA256` ΓÇö This is the SHA-256 equivalent of the file identified by the `SHA1` column.-- `InitiatingProcessSHA256` ΓÇö This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.-
-To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md).
-
->[!NOTE]
->To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
-
-## Take action
-
-To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
-
-![Image of selected record with panel for inspecting the record](images/ah-take-actions.png)
-
-## Review actions taken
-
-Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
-
-## Related topics
--- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Understand the schema](advanced-hunting-schema-reference.md)-- [Work with query results](advanced-hunting-query-results.md)-- [Apply query best practices](advanced-hunting-best-practices.md)-- [Custom detections overview](overview-custom-detections.md)
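Review bot: the "Quarantine files" section offers `InitiatingProcessSHA1` (the parent process, per the text) as a quarantine key without a warning. Quarantining by that column removes the parent binary on every selected device, and for a common parent such as a command shell or explorer.exe that is an operating-system executable rather than the malicious child. Suggest adding: "Before quarantining by `InitiatingProcessSHA1`, confirm the hash belongs to the malicious file and not to a legitimate parent process." Separately, the title still reads "in Microsoft Threat Protection" while **Applies to** names Microsoft Defender for Endpoint; align the brand if the page is moved rather than retired.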
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/custom-detection-rules.md
- Title: Create custom detection rules in Microsoft Defender ATP-
-description: Learn how to create custom detection rules based on advanced hunting queries
-keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--- Previously updated : 09/20/2020--
-# Create custom detection rules
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
-
-Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-
-Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
-
-> [!NOTE]
-> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## 1. Prepare the query.
-
-In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
-
->[!IMPORTANT]
->To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
-
-### Required columns in the query results
-
-To use a query for a custom detection rule, the query must return the following columns:
--- `Timestamp`-- `DeviceId`-- `ReportId`-
-Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
-
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
-
-The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
-
-```kusto
-DeviceEvents
-| where Timestamp > ago(7d)
-| where ActionType == "AntivirusDetection"
-| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
-| where count_ > 5
-```
-
-> [!TIP]
-> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.
-
-## 2. Create a new rule and provide alert details.
-
-With the query in the query editor, select **Create detection rule** and specify the following alert details:
--- **Detection name**ΓÇöname of the detection rule-- **Frequency**ΓÇöinterval for running the query and taking action. [See additional guidance below](#rule-frequency)-- **Alert title**ΓÇötitle displayed with alerts triggered by the rule-- **Severity**ΓÇöpotential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)-- **Category**ΓÇötype of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)-- **MITRE ATT&CK techniques**ΓÇöone or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software-- **Description**ΓÇömore information about the component or activity identified by the rule -- **Recommended actions**ΓÇöadditional actions that responders might take in response to an alert-
-For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
-
-### Rule frequency
-
-When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
--- **Every 24 hours**ΓÇöruns every 24 hours, checking data from the past 30 days-- **Every 12 hours**ΓÇöruns every 12 hours, checking data from the past 24 hours-- **Every 3 hours**ΓÇöruns every 3 hours, checking data from the past 6 hours-- **Every hour**ΓÇöruns hourly, checking data from the past 2 hours-
-When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set.
--
-> [!TIP]
-> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
-
-Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
-
-## 3. Choose the impacted entities.
-
-Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
-
-You can select only one column for each entity type. Columns that are not returned by your query can't be selected.
-
-## 4. Specify actions.
-
-Your custom detection rule can automatically take actions on files or devices that are returned by the query.
-
-### Actions on devices
-
-These actions are applied to devices in the `DeviceId` column of the query results:
--- **Isolate device**ΓÇöapplies full network isolation, preventing the device from connecting to any application or service, except for the Defender for Endpoint service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)-- **Collect investigation package**ΓÇöcollects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)-- **Run antivirus scan**ΓÇöperforms a full Microsoft Defender Antivirus scan on the device-- **Initiate investigation**ΓÇöstarts an [automated investigation](automated-investigations.md) on the device-- **Restrict app execution**ΓÇösets restrictions on the device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution)-
-### Actions on files
-
-These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
--- **Allow/Block**ΓÇöautomatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.-- **Quarantine file**ΓÇödeletes the file from its current location and places a copy in quarantine-
-### Actions on users
--- **Mark user as compromised**ΓÇösets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).-
-## 5. Set the rule scope.
-
-Set the scope to specify which devices are covered by the rule:
--- All devices-- Specific device groups-
-Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
-
-## 6. Review and turn on the rule.
-
-After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
-
-You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
-
-## Related topics
--- [View and manage custom detection rules](custom-detections-manage.md)-- [Custom detections overview](overview-custom-detections.md)-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the advanced hunting query language](advanced-hunting-query-language.md)-- [View and organize alerts](alerts-queue.md)
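Review bot: the sample query filters `Timestamp > ago(7d)`, but the page's own rules state that results outside the lookback are ignored and that the lookback is 24 hours for a 12-hour rule, 6 hours for a 3-hour rule and 2 hours for an hourly rule. Because the query emits one row per device carrying the `arg_max` Timestamp, a device whose sixth detection occurred before the lookback window is counted by the query and then silently dropped by the rule at any frequency other than 24 hours. Either align the sample with the TIP (`ago(1d)` for a 24-hour rule) or state plainly that the `count()` threshold is evaluated over the query window while alerting is gated by the rule lookback. Also worth one sentence under "Actions on devices": combined with the 100-alert cap per run, a noisy rule paired with **Isolate device** can isolate up to 100 devices in a single run, so a new rule should be run without actions first.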
security Custom Detections Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/custom-detections-manage.md
- Title: View and manage custom detection rules in Microsoft Defender ATP-
-description: Learn how to view and manage custom detection rules
-keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
------
-# View and manage custom detection rules
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
-
-Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
-
-## Required permissions
-
-To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## View existing rules
-
-To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
--- **Last run**ΓÇöwhen a rule was last run to check for query matches and generate alerts-- **Last run status**ΓÇöwhether a rule ran successfully-- **Next run**ΓÇöthe next scheduled run-- **Status**ΓÇöwhether a rule has been turned on or off-
-## View rule details, modify rule, and run rule
-
-To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information:
--- General information about the rule, including the details of the alert, run status, and scope-- List of triggered alerts-- List of triggered actions-
-![Custom detection rule page](images/atp-custom-detection-rule-details.png)<br>
-*Custom detection rule page*
-
-You can also take the following actions on the rule from this page:
--- **Run**ΓÇörun the rule immediately. This action also resets the interval for the next run.-- **Edit**ΓÇömodify the rule without changing the query-- **Modify query**ΓÇöedit the query in advanced hunting-- **Turn on** / **Turn off**ΓÇöenable the rule or stop it from running-- **Delete**ΓÇöturn off the rule and remove it-
->[!TIP]
->To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.
-
-## Related topics
-- [Custom detections overview](overview-custom-detections.md)-- [Create detection rules](custom-detection-rules.md)-- [Advanced hunting overview](advanced-hunting-overview.md)-- [View and organize alerts](alerts-queue.md)
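Review bot: the title `View and manage custom detection rules in Microsoft Defender ATP-` carries the retired brand and a stray trailing hyphen (the rules and overview pages in this change show the same pattern); if these pages are moved rather than retired, rename them to Microsoft Defender for Endpoint. Also, **Delete** is described as "turn off the rule and remove it" but nothing says whether the alerts and actions the rule already produced are retained; state that explicitly, since responders rely on that history during an investigation.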
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
You can choose the data retention policy for your data. This determines how long
**At contract termination or expiration**<br> Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from MicrosoftΓÇÖs systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
+**Advanced Hunting data**<br>
+Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data.
+ ## Can Microsoft help us maintain regulatory compliance?
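Review bot: the new "Advanced Hunting data" entry sits inside the retention section but does not say how the 30-day hunting window relates to the retention period the customer selects above; as written, a reader with a 180-day policy may assume hunting covers 180 days. If the intended meaning is that advanced hunting exposes only the most recent 30 days of raw event data regardless of the retention setting, say so in that sentence. Minor: "Advanced Hunting data" versus "Advanced hunting" capitalization is inconsistent, and the restored heading line has a leading space before `##`.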
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
+
+ Title: What's new in Microsoft Defender for Endpoint for iOS
+description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint for iOS.
+keywords: microsoft, defender, atp, mac, installation, macos, whatsnew
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# What's new in Microsoft Defender for Endpoint for iOS
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+## 1.1.15010101
+
+- With this version, we are announcing support for iPadOS/iPad devices.
+- Bug fixes.
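Review bot: the frontmatter `keywords` line (`microsoft, defender, atp, mac, installation, macos, whatsnew`) was copied from the macOS what's-new page; replace `mac`, `macos` and `installation` with `ios` and `ipados` so search indexes the page correctly. The `++` lines where the frontmatter delimiters should be look like collapsed `---` fences; confirm the file parses before merge. Also, "Bug fixes." with no detail gives admins nothing to weigh when deciding whether to roll out `1.1.15010101`; list at least the user-visible fixes.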
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+## 101.25.72 (30.121022.12563.0)
+
+- Microsoft Defender for Endpoint for Linux is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md).
+- Fixed an issue where usage of Microsoft Defender for Endpoint for Linux on systems with FUSE filesystems was leading to OS hang
+- Performance improvements & other bug fixes
+ ## 101.25.63 (30.121022.12563.0) - Performance improvements & bug fixes
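Review bot: the new entry `101.25.72 (30.121022.12563.0)` reuses the exact build identifier of the previous entry `101.25.63 (30.121022.12563.0)`, so one of the two is wrong. Following the pattern visible on these pages (Mac 101.25.69 pairs with 20.121022.12569.0, 101.23.64 with 20.121021.12364.0), the expected value would be 30.121022.12572.0; confirm against the release and correct it. Also, "was leading to OS hang" reads better as "caused the OS to hang".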
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> [!IMPORTANT] > On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
-> [!IMPORTANT]
-> Support for macOS 10.13 (High Sierra) has been discontinued on February 15th, 2021.
+## 101.25.69 (20.121022.12569.0)
+
+- Microsoft Defender for Endpoint for Mac is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md).
+- Performance improvements (specifically for the situation when the XCode Simulator app is used) & bug fixes
## 101.23.64 (20.121021.12364.0)
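Review bot: this removes the `[!IMPORTANT]` note that support for macOS 10.13 (High Sierra) was discontinued on February 15th, 2021, and nothing in the change says where that fact now lives; admins still running 10.13 lose the only end-of-support statement on this page. Keep the note (it remains true after the date) or replace it with a pointer to the system requirements page. In the new 101.25.69 entry, "XCode" should be "Xcode".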
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-i
## Resources -- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
+- Stay informed about upcoming releases by visiting [What's new in Microsoft Defender for Endpoint for iOS](ios-whatsnew.md) or our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
- Provide feedback through in-app feedback system or through [SecOps portal](https://securitycenter.microsoft.com)
security Overview Custom Detections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-custom-detections.md
- Title: Overview of custom detections in Microsoft Defender ATP-
-description: Understand how you can use advanced hunting to create custom detections and generate alerts
-keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
-----
-# Custom detections overview
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
--
-With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions.
-
-Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-
-Custom detections provide:
-- Alerts for rule-based detections built from advanced hunting queries-- Automatic response actions that apply to files and devices-
-## Related topics
-- [Create detection rules](custom-detection-rules.md)-- [View and manage detection rules](custom-detections-manage.md)-- [Advanced hunting overview](advanced-hunting-overview.md)
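Review bot: "Automatic response actions that apply to files and devices" is inconsistent with the rules page deleted in this same change, which also lists **Mark user as compromised** under "Actions on users"; if this overview is carried forward, say "files, devices, and users". The title `Overview of custom detections in Microsoft Defender ATP-` also still carries the retired brand and a trailing hyphen.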
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
The simplest way to verify the Illicit Consent Grant attack is to run [Get-Azure
5. Run this PowerShell command: ```powershell
- Get-AzureADPSPermissions.ps1 | Export-csv -Path "Permissions.csv" -NoTypeInformation
+ .\Get-AzureADPSPermissions.ps1 | Export-csv -Path "Permissions.csv" -NoTypeInformation
``` The script produces one file named Permissions.csv. Follow these steps to look for illicit application permission grants:
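Review bot: the `.\` prefix is the right fix, since PowerShell does not resolve a script in the current directory by bare name and the old command `Get-AzureADPSPermissions.ps1 | Export-csv ...` fails as an unrecognized command. The step now silently assumes the shell is in the folder the script was downloaded to, and `Export-csv -Path "Permissions.csv"` writes relative to that same folder; state that working-directory assumption in step 5 (or tell readers where Permissions.csv lands) so the "one file named Permissions.csv" sentence that follows is findable.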
Your Microsoft 365 subscription comes with a powerful set of security capabiliti
- [Application and service principal objects in Azure Active Directory (Azure AD)](/azure/active-directory/develop/active-directory-application-objects) provides an overview of the Application and Service principal objects that are core to the application model. -- [Manage access to apps](/azure/active-directory/active-directory-managing-access-to-apps) is an overview of the capabilities that administrators have to manage user access to apps.
+- [Manage access to apps](/azure/active-directory/active-directory-managing-access-to-apps) is an overview of the capabilities that administrators have to manage user access to apps.
security Identity Access Policies Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md
Only one organization can manage a device. If you don't exclude guests and exter
## Next step
-![Step 4: Policies for Microsoft 365 cloud apps](../../media/microsoft-365-policies-configurations/identity-device-access-steps-next-step-4.png)
+![Step 4: Policies for Microsoft 365 cloud apps and Microsoft Cloud App Security](../../media/microsoft-365-policies-configurations/identity-device-access-steps-next-step-4.png)
Configure Conditional Access policies for: - [Microsoft Teams](teams-access-policies.md) - [Exchange Online](secure-email-recommended-policies.md)-- [SharePoint](sharepoint-file-access-policies.md)
+- [SharePoint](sharepoint-file-access-policies.md)
+- [Microsoft Cloud App Security](mcas-saas-access-policies.md)
+
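Review bot: the alt text now reads "Policies for Microsoft 365 cloud apps and Microsoft Cloud App Security" but the image path `identity-device-access-steps-next-step-4.png` is unchanged; confirm the graphic itself was regenerated with the new step label, otherwise the alt text and the visual disagree. The trailing blank `+` line at the end of the hunk adds nothing and should be dropped.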
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
Microsoft recommends that you do not create policy sets that apply to all apps b
1. Configure prerequisite identity features and their settings. 2. Configure the common identity and access Conditional Access policies. 3. Configure Conditional Access policies for guest and external users.
-4. Configure Conditional Access policies for Microsoft 365 cloud apps such as Microsoft Teams, Exchange Online, and SharePoint.
+4. Configure Conditional Access policies for Microsoft 365 cloud appsΓöÇsuch as Microsoft Teams, Exchange Online, and SharePointΓöÇand Microsoft Cloud App Security policies.
After you have configured identity and device access, see the [Azure AD feature deployment guide](/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2) for a phased checklist of additional features to consider and [Azure AD Identity Governance](/azure/active-directory/governance/) to protect, monitor, and audit access.
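Review bot: the replacement step 4 line contains mis-encoded characters (`appsΓöÇsuch` and `SharePointΓöÇand`) where dashes were intended, so the rendered text is corrupted. Replace them with plain ASCII punctuation (a comma or a hyphen: "cloud apps, such as Microsoft Teams, Exchange Online, and SharePoint, and Microsoft Cloud App Security policies") and check the file's encoding before committing.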
security Report Junk Email And Phishing Scams In Outlook On The Web Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with mailboxes in Exchange Online, you can use the built-in reporting options in Outlook on the web (formerly known as Outlook Web App) to submit false positives (good email marked as spam), false negatives (bad email allowed) and phishing messages to Exchange Online Protection (EOP).
+In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises mailboxes using [hybrid modern authentication](../../enterprise/hybrid-modern-auth-overview.md), you can submit false positives (good email marked as spam), false negatives (bad email allowed), and phishing messages to Exchange Online Protection (EOP).
## What do you need to know before you begin?
+- For the best user submission experience we recommend using the Report Message and the Report Phishing add-ins. See [Enable the Report Message add-in](./enable-the-report-message-add-in.md) and [Enable the Report Phishing add-in](./enable-the-report-phish-add-in.md) for more information.
+ - If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md). - Admins can disable or enable the ability for users to report messages to Microsoft in Outlook on the web. For details, see the [Disable or enable junk email reporting in Outlook on the web](#disable-or-enable-junk-email-reporting-in-outlook-on-the-web) section later in this article.
In Microsoft 365 organizations with mailboxes in Exchange Online, you can use th
- For more information about reporting messages to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
-## Report spam and phishing messages in Outlook on the web
-
-1. For messages in the Inbox or any other email folder except Junk Email, use either of the following methods to report spam and phishing messages:
-
- - Select the message, click **Junk** on the toolbar, and then select **Junk** or **Phishing**.
-
- ![Report junk or phishing email from the ribbon](../../media/owa-report-junk.png)
-
- - Select one or more messages, right-click, and then select **Mark as junk**.
-
-2. In the dialog that appears, click **Report**. If you change your mind, click **Don't Report**.
-
- |Junk|Phishing|
- |::|::|
- |![Report as junk dialog](../../media/owa-report-as-junk-dialog.png)|![Report as phishing dialog](../../media/owa-report-as-phishing-dialog.png)|
-
-3. The selected messages will be sent to Microsoft for analysis. To confirm that the messages have been submitted, open your **Sent Items** folder to view the submitted messages.
-
-## Report non-spam and phishing messages from the Junk Email folder in Outlook on the web
-
-1. In the Junk Email folder, use either of the following methods to report spam false positives or phishing messages:
-
- - Select the message, click **Not Junk** on the toolbar, and then select **Not Junk** or **Phishing**.
-
- ![Report not junk or not phishing email from the ribbon](../../media/owa-report-not-junk.png)
-
- - Select one or more messages, right-click, and then select **Mark as not junk**.
-
-2. In the dialog that appears, read the information and click **Report**. If you change your mind, click **Don't Report**.
-
- |Not Junk|Phishing|
- |::|::|
- |![Report as not junk dialog](../../media/owa-report-as-not-junk-dialog.png)|![Report as phishing dialog](../../media/owa-report-as-phishing-dialog.png)|
-
-3. The selected messages will be sent to Microsoft for analysis. To confirm that the messages have been submitted, open your **Sent Items** folder to view the submitted messages.
- ## Disable or enable junk email reporting in Outlook on the web By default, users can report spam false positives, false negatives, and phishing messages to Microsoft for analysis in Outlook on the web. Admins can configure Outlook on the web mailbox policies in Exchange Online PowerShell to prevent users from reporting spam false positives and spam false negatives to Microsoft. You can't disable the ability for users to report phishing messages to Microsoft.
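Review bot: removing the two "Report ... in Outlook on the web" procedure sections leaves the built-in Outlook on the web reporting referenced elsewhere without a procedure. The new intro still tells users they can submit false positives, false negatives and phishing messages, the retained `Disable or enable junk email reporting in Outlook on the web` section still describes that built-in capability (including that phishing reporting cannot be disabled), and user-submission.md in this same change set (the "Disable the Report Message feature for Outlook" option) still names "the built-in reporting in Outlook on the web". Keep a short pointer to where the click-through steps now live, or add a cross-reference from the surviving sections, rather than dropping the procedure with no replacement; the new hybrid modern authentication sentence also drops the only mention that reporting is built into Outlook on the web.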
security Safe Docs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-docs.md
ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)] **Applies to**-- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md) Safe Documents is a feature in Microsoft 365 E5 or Microsoft 365 E5 Security that uses [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) to scan documents and files that are opened in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653) or [Application Guard for Office](https://support.microsoft.com/topic/9e0fb9c2-ffad-43bf-8ba3-78f785fdba46).
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
The settings in Safe Links policies that apply to email messages are described i
- **Do not allow users to click through to original URL**: Allows or blocks users from clicking through the [warning page](#warning-pages-from-safe-links) to the original URL. The recommend value is enabled. -- **Display the organization branding on notification and warning pages**: This option shows your organization's branding on warning pages. Branding helps users identify legitimate warnings, because default Microsoft warning pages are often used by attackers. For more information about customized branding, see [Add branding to your organization's Azure Active Directory sign-in page](/azure/active-directory/fundamentals/customize-branding).
+- **Display the organization branding on notification and warning pages**: This option shows your organization's branding on warning pages. Branding helps users identify legitimate warnings, because default Microsoft warning pages are often used by attackers. For more information about customized branding, see [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md).
- **Do not rewrite the following URLs**: Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning. The list is unique for each Safe Links policy. For more information about the **Do not rewrite the following URLs** list, see the ["Do not rewrite the following URLs" lists in Safe Links policies](#do-not-rewrite-the-following-urls-lists-in-safe-links-policies) section later in this article.
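Review bot: while this list is being touched, fix the typo in the preceding context bullet, "The recommend value is enabled" should read "The recommended value is enabled". The link swap itself is fine, but since the target moved from Azure AD sign-in page branding to the Microsoft 365 theme page, make sure the sentence "Branding helps users identify legitimate warnings" still matches what that page actually configures for Safe Links warning pages.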
security Security Recommendations For Priority Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts.md
Microsoft 365 and Microsoft Defender for Office 365 contain several key features
|[Train users](#train-users)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)| |
+> [!NOTE]
+> For information about securing _privileged accounts_ (admin accounts), see [this topic](/azure/architecture/framework/security/critical-impact-accounts).
+ ## Increase sign-in security for priority accounts Priority accounts require increased sign-in security. You can increase their sign-in security by requiring multi-factor authentication (MFA) and disabling legacy authentication protocols.
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
one among the following options:
> If you have [disabled junk email reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md#disable-or-enable-junk-email-reporting-in-outlook-on-the-web) using Outlook on the web mailbox policies, but you configure either of the previous settings to report messages to Microsoft, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.
- 1. **Disable the Report Message feature for Outlook**: Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in or the built-in reporting in Outlook on the web, and then configure the following settings:
+ 2. **Disable the Report Message feature for Outlook**: Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in, or the built-in reporting in Outlook on the web, and then configure the following settings:
Select **Use this custom mailbox to receive user reported submissions**. In the box that appears, enter the email address of an existing mailbox that is already in Office 365. This has to be an existing mailbox in Exchange Online that can receive email.
security User Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags.md
User tags are identifiers for specific groups of users in [Microsoft Defender fo
If your organization has Defender for Office 365 Plan 2 (included in your subscription or as an add-on), you can create custom user tags in addition to using the priority accounts tag.
+> [!NOTE]
+> Currently, you can only apply user tags to mailbox users.
+ After you apply system tags or custom tags to users, you can use those tags as filters in alerts, reports, and investigations: - [Alerts in the Security & Compliance Center](alerts.md)
To see how user tags are part of the strategy to help protect high-impact user a
- You can also manage and monitor priority accounts in the Microsoft 365 admin center. For instructions, see [Manage and monitor priority accounts](../../admin/setup/priority-accounts.md).
+- For information about securing _privileged accounts_ (admin accounts), see [this topic](/azure/architecture/framework/security/critical-impact-accounts).
+ ## Use the Security & Compliance Center to create user tags 1. In the Security & Compliance Center, go to **Threat management** \> **User tags**.