Updates from: 05/12/2023 01:53:24
Category Microsoft Docs article Related commit history on GitHub Change details
business-premium M365 Business Premium Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365-business-premium-setup.md
When you're ready to sign up for Microsoft 365 Business Premium, you have severa
- Try or buy Microsoft 365 Business Premium on your own; or - Work with a Microsoft partner.
-## [Sign up on your own](#tab/getown)
+## [Sign up on your own](#tab/GetOwn)
1. Visit the [Microsoft 365 Business Premium product page](https://www.microsoft.com/en-us/microsoft-365/business/microsoft-365-business-premium?activetab=pivot%3aoverviewtab).
When you're ready to sign up for Microsoft 365 Business Premium, you have severa
3. After you have signed up for Microsoft 365 Business Premium, you'll receive an email with a link to sign in and get started. Proceed to [Set up Microsoft 365 Business Premium](#set-up-microsoft-365-business-premium).
-## [Work with a partner](#tab/partner)
+## [Work with a Microsoft partner](#tab/Partner)
Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium. If you're not already working with a solution provider, you can find one by following these steps:
To complete the basic setup process, you can choose from several options availab
## [**Guided setup process**](#tab/Guided)
-## Guided setup
- Microsoft 365 Business Premium includes a guided setup process, as shown in the following video: > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE471FJ]
When you're finished with the basic setup process, you'll see **Setup is complet
> [!IMPORTANT] > At this point, basic setup is complete, but you still need to [set up and configure your security settings](m365bp-security-overview.md).
-## [**Work with a Microsoft partner**](#tab/Partner)
-
-## Work with a Microsoft partner
+## [**Work with a Microsoft partner**](#tab/UsePartner)
If you'd prefer to have a Microsoft partner help you get and set up Microsoft 365 Business Premium, follow these steps:
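Review bot: the tab headings in this file are now styled two ways. The sign-up group uses plain link text (`## [Work with a Microsoft partner](#tab/Partner)`) while the setup group keeps bold (`## [**Work with a Microsoft partner**](#tab/UsePartner)`); pick one style for both groups. The `UsePartner` ID differs from the `#tab/Partner` ID introduced earlier in the same file, so a consistent naming scheme for the two groups would help the next editor avoid reintroducing a duplicate.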
business-premium M365 Campaigns Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365-campaigns-setup.md
Make sure that you meet the following requirements before you begin your setup p
| Permissions | To complete the initial setup process, you must be a Global Admin. [Learn more about admin roles](../admin/add-users/about-admin-roles.md). | | Browser requirements | Microsoft Edge, Safari, Chrome or Firefox. [Learn more about browser requirements](https://www.microsoft.com/microsoft-365/microsoft-365-and-office-resources#coreui-heading-uyetipy). | | Operating systems (client) | **Windows**: Windows 10 or 11 Pro<br/>**macOS**: One of the three most recent versions of macOS |
-| Operating systems (servers) | Windows Server or Linux Server <br/>(Requires an additional license, such as [Microsoft Defender for Business servers](../security/defender-business/get-defender-business-servers.md).) |
+| Operating systems (servers) | Windows Server or Linux Server <br/>(Requires an additional license, such as [Microsoft Defender for Business servers](../security/defender-business/get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).) |
> [!TIP] > For more detailed information about Microsoft 365, Office, and system requirements, see [Microsoft 365 and Office Resources](https://www.microsoft.com/microsoft-365/microsoft-365-and-office-resources).
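Review bot: the new link in the "Operating systems (servers)" row depends on the anchor `#how-to-get-microsoft-defender-for-business-servers` existing in `get-defender-business.md`. Confirm that heading ships in the same publish, and add a redirect from the retired `get-defender-business-servers.md` so other inbound links do not break.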
business-premium M365bp Maintain Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-maintain-environment.md
audience: Admin
Previously updated : 05/09/2023 Last updated : 05/11/2023 ms.localizationpriority: medium - M365-Campaigns
The [missions](index.md) that were completed during the setup and configuration
| Area | Description | ||| | Microsoft 365 administration | Microsoft 365 administration includes tasks that your administrators (also referred to as *admins*) perform in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) (and potentially other admin centers, such as the Exchange admin center). <br/><br/>As new employees come in and other employees leave, it's important to manage user accounts and devices. Your admins can add or remove users, reset passwords, reset devices to factory settings, and more. These kinds of tasks (and more!) are listed in the [Microsoft 365 Business Premium administration guide](m365bp-admin-guide.md). |
-| Security administration | Security administration includes tasks that your security administrators (also referred to as *security admins*) perform in portals, such as the Microsoft 365 admin center, the Microsoft 365 Defender portal, the Microsoft Intune admin center, and more. <br/><br/>These kinds of tasks include defining or editing security policies, onboarding or offboarding devices, and so forth, and are listed in the [Microsoft 365 Business Premium security admin guide](m365bp-security-admin-guide.md). |
+| Security administration | Security administration includes tasks that your security administrators (also referred to as *security admins*) perform in portals, such as: <br/>- The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) <br/>- The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))<br/>- The Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com))<br/><br/>These kinds of tasks include defining or editing security policies, onboarding or offboarding devices, and so forth, and are listed in the [Microsoft 365 Business Premium security admin guide](m365bp-security-admin-guide.md). |
| Security operations | Security operations (also referred to as *SecOps*) and includes tasks that your security team performs in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). <br/><br/>As threats are detected, those threats must be reviewed and addressed. Regular antivirus scans should occur on devices, and you can initiate scans when needed. In addition, you can run automated investigations on devices that have a high risk level or detected threats. These kinds of security tasks (and more!) are listed in the [Microsoft 365 Business Premium security operations guide](m365bp-security-operations-guide.md). |
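Review bot: the added portal list calls https://security.microsoft.com the "Microsoft 365 Defender portal", but the unchanged Security operations row directly below calls the same URL the "Microsoft Defender portal". Use one name in both rows. While here, the Security operations row reads "Security operations (also referred to as *SecOps*) and includes tasks"; drop the "and". The `<br/>- ` items inside the table cell may not render as a list, so check the preview.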
commerce Buy Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md
- adminvideo search.appverid: MET150 description: "Use these steps to buy more licenses or reduce the number of licenses for your Microsoft 365 for business subscription." Previously updated : 09/29/2022 Last updated : 05/10/2023 # Buy or remove Microsoft 365 licenses for a subscription
commerce Manage Third Party App Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md
search.appverid: - MET150 description: "Learn how to manage licenses for independent software vendor (ISV) apps in the Microsoft 365 admin center." Previously updated : 06/08/2022 Last updated : 05/10/2023 # Manage ISV app licenses in the Microsoft 365 admin center
compliance Audit Log Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-activities.md
f1.keywords:
Previously updated : 04/18/2023 Last updated : 05/11/2023 audience: Admin
The following table lists the activities in information barriers that are logged
| Changed segments of a site | SegmentsChanged | A SharePoint or global administrator changed one or more information barriers segments for a site. | | Removed segments from a site | SegmentsRemoved | A SharePoint or global administrator removed one or more information barriers segments from a site. |
+## Microsoft Defender Experts activities
+
+The following table lists the activities in Microsoft Defender Experts that are logged into the Microsoft 365 audit log. For more information about Microsoft Defender Experts, see [Learn about Microsoft Defender Experts for XDR](/microsoft-365/security/defender/dex-xdr-overview) and [Learn about Microsoft Defender Experts for Hunting](/microsoft-365/security/defender/defender-experts-for-hunting)
+
+|Friendly name|Operation|Description|
+|:|:--|:-|
+| Defender Experts analyst permission created | DefenderExpertsAnalystPermissionCreated | An administrator granted one or more role permissions to Defender Experts analysts to investigate incidents or remediate threats.|
+| Defender Experts analyst permission modified | DefenderExpertsAnalystPermissionModified | An administrator modified role permissions for Defender Experts analysts to investigate incidents or remediate threats.|
+ ## Microsoft Forms activities The tables in this section the user and admin activities in Microsoft Forms that are logged in the audit log. Microsoft Forms is a forms/quiz/survey tool used to collect data for analysis. Where noted below in the descriptions, some operations contain additional activity parameters.
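Review bot: the new Defender Experts table lists `DefenderExpertsAnalystPermissionCreated` and `DefenderExpertsAnalystPermissionModified` but no operation for removing analyst permissions. If revocation is audited, add the row; if it is not, say so, because admins reviewing analyst access will look for it. The intro sentence is also missing its closing period after the Defender Experts for Hunting link.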
compliance Audit Log Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-search.md
f1.keywords:
Previously updated : 04/18/2023 Last updated : 05/11/2023 audience: Admin
Why a unified audit log? Because you can search the audit log for activities per
|Data loss prevention (DLP)|ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint| |Dynamics 365|CRM| |eDiscovery (Standard + Premium)|Discovery, AeD|
+|Encrypted message portal|OMEPortal|
|Exact Data Match|MipExactDataMatch| |Exchange Online|ExchangeAdmin, ExchangeItem, ExchangeItemAggregated| |Forms|MicrosoftForms| |Information barriers|InformationBarrierPolicyApplication| |Microsoft 365 Defender|AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation, MS365DCustomDetection|
+|Microsoft Defender Experts|DefenderExpertsforXDRAdmin|
|Microsoft Defender for Identity (MDI)|MicrosoftDefenderForIdentityAudit|
-|Microsoft Teams|MicrosoftTeams|
|Microsoft Planner|PlannerCopyPlan, PlannerPlan, PlannerPlanList, PlannerRoster, PlannerRosterSensitivityLabel, PlannerTask, PlannerTaskList, PlannerTenantSettings |
+|Microsoft Purview Information Protection (MIP) labels|MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation|
+|Microsoft Teams|MicrosoftTeams|
|MyAnalytics|MyAnalyticsSettings| |OneDrive for Business|OneDrive| |Power Apps|PowerAppsApp, PowerAppsPlan| |Power Automate|MicrosoftFlow| |Power BI|PowerBIAudit| |Quarantine|Quarantine|
-|Microsoft Purview Information Protection (MIP) labels|MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation|
|Sensitive information types|DlpSensitiveInformationType| |Sensitivity labels|MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch|
-|Encrypted message portal|OMEPortal|
|SharePoint Online|SharePoint, SharePointFileOperation,SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation| |Stream|MicrosoftStream|
+|SystemSync|DataShareCreated, DataShareDeleted, GenerateCopyOfLakeData, DownloadCopyOfLakeData|
|Threat Intelligence|ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent| |Viva Goals|Viva Goals| |Workplace Analytics|WorkplaceAnalytics| |Yammer|Yammer|
-|SystemSync|DataShareCreated, DataShareDeleted, GenerateCopyOfLakeData, DownloadCopyOfLakeData|
+ For more information about the operations that are audited in each of the services listed in the previous table, see the [Audit log activities](audit-log-activities.md) article.
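Review bot: the added row maps Microsoft Defender Experts to the record type `DefenderExpertsforXDRAdmin`, whose name mentions only XDR. State whether Defender Experts for Hunting activity is logged under the same record type, since the audit log activities article describes both offerings. The re-sort also leaves `MIPLabel` listed under both the MIP labels row and the Sensitivity labels row; confirm that duplication is intended.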
compliance Define Mail Flow Rules To Encrypt Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email.md
description: "Admins can learn to create mail flow rules (transport rules) to en
As an administrator that manages Exchange Online, you can create mail flow rules (also known as transport rules) to help protect email messages you send and receive. You can set up rules to encrypt any outgoing email messages and remove encryption from encrypted messages coming from inside your organization or from replies to encrypted messages sent from your organization. You can use the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center (EAC)</a> or Exchange Online PowerShell to create these rules. In addition to overall encryption rules, you can also choose to enable or disable individual message encryption options for end users.
-You can't encrypt inbound mail from senders outside of your organization.
+You can't encrypt inbound mail from senders outside of your Exchange Online organization. If a mail flow rule is set up to encrypt mail from outside the organization, the mail will be rejected and returned to the sender.
If you recently migrated from Active Directory RMS to Azure Information Protection, you'll need to review your existing mail flow rules to ensure that they continue to work in your new environment. Also, to use Microsoft Purview Message Encryption with Azure Information Protection, you need to update your existing mail flow rules. Otherwise, your users will continue to receive encrypted mail that uses the previous HTML attachment format instead of the new, seamless experience. If you haven't set up message encryption yet, see [Set up Microsoft Purview Message Encryption](set-up-new-message-encryption-capabilities.md) for information.
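Review bot: the added sentence says that a rule set up to encrypt mail from outside the organization causes that mail to be rejected and returned to the sender. That is a mail-loss outcome and is easy to miss in body text; move it into a `> [!IMPORTANT]` callout and point to the sender-location condition in the procedure so admins scope the rule correctly.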
You can define mail flow rules for triggering message encryption with by using t
5. In **Name**, type a name for the rule, such as Encrypt mail for DrToniRamos@hotmail.com.
-6. In **Apply this rule if**, select a condition, and enter a value if necessary. For example, to encrypt messages going to DrToniRamos@hotmail.com:
+6. In **Apply this rule if**, select where the mail originates from inside the Exchange Online organization. Add **The sender is located** \> **Inside the organization** for sending mail.
+
+7. In **Apply this rule if**, select a condition, and enter a value if necessary. For example, to encrypt messages going to DrToniRamos@hotmail.com:
1. In **Apply this rule if**, select **the recipient is**.
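Review bot: new step 6 and renumbered step 7 both start with "In **Apply this rule if**", so the procedure asks the admin to set the same field twice. The later step already covers extra conditions through **More options** and **add condition**; either fold the sender-location condition into that step or reword step 7 to say it adds a second condition, so that choosing the recipient condition does not replace the "Inside the organization" scope. Step 6's wording "select where the mail originates from inside the Exchange Online organization" is also hard to parse.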
You can define mail flow rules for triggering message encryption with by using t
- To enter a new name, type an email address in the **check names** box and then select **check names** \> **OK**.
-7. To add more conditions, choose **More options** and then choose **add condition** and select from the list.
+8. To add more conditions, choose **More options** and then choose **add condition** and select from the list.
For example, to apply the rule only if the recipient is outside your organization, select **add condition** and then select **The recipient is external/internal** \> **Outside the organization** \> **OK**.
-8. To enable message encryption, from **Do the following**, select **Modify the message security** and then choose **Apply Office 365 Message Encryption and rights protection**. Select an RMS template from the list, choose **Save**, and then choose **OK**.
+9. To enable message encryption, from **Do the following**, select **Modify the message security** and then choose **Apply Office 365 Message Encryption and rights protection**. Select an RMS template from the list, choose **Save**, and then choose **OK**.
The list of templates includes all default templates and options as well as any custom templates you've created for use by Office 365. If the list is empty, ensure that you have set up Microsoft Purview Message Encryption as described in [Set up Microsoft Purview Message Encryption](set-up-new-message-encryption-capabilities.md). For information about the default templates, see [Configuring and managing templates for Azure Information Protection](/information-protection/deploy-use/configure-policy-templates). For information about the **Do Not Forward** option, see [Do Not Forward option for emails](/information-protection/deploy-use/configure-usage-rights#do-not-forward-option-for-emails). For information about the **encrypt-only** option, see [Encrypt-only option for emails](/information-protection/deploy-use/configure-usage-rights#encrypt-only-option-for-emails).
You can remove encryption from messages that was applied by your organization. Y
5. In **Name**, type a name for the rule, such as `Remove encryption from outgoing mail`.
-6. In **Apply this rule if**, select the conditions where encryption should be removed from messages. Add **The sender is located** \> **Inside the organization** for sending mail _or_ **The recipient is located** \> **Inside the organization** for receiving mail.
+6. In **Apply this rule if**, select the conditions where encryption should be removed from messages. Add **The sender is located** \> **Inside the organization** for sending mail out to any recipients _or_ add **The recipient is located** \> **Inside the organization** for receiving mail replies from outside the organization.
7. In **Do the following**, select **Modify the message security** \> **Remove Office 365 Message Encryption and rights protection applied by the organization**.
compliance Document Fingerprinting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-fingerprinting.md
Document fingerprinting doesn't detect sensitive information in the following ca
- Files larger than 4 MB > [!NOTE]
-> To use document fingerprinting with devices, **Advanced fingerprinting** must be turned on.
+> To use document fingerprinting with devices, [**Advanced classification scanning and protection**](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#advanced-classification-scanning-and-protection) must be turned on.
Fingerprints are stored in a separate rule pack. This rule pack has a maximum size limit of 150 KB. Given this limit, you can create approximately 50 fingerprints per tenant.
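Review bot: the new link target `/microsoft-365/compliance/dlp-configure-endpoint-settings.md#advanced-classification-scanning-and-protection` mixes a site-relative path with a `.md` extension. Other site-relative links in this update (for example `/microsoft-365/security/defender/dex-xdr-overview`) omit the extension, while file-relative links keep it. Use the file-relative form or drop `.md` from the site-relative form, then verify the link resolves.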
compliance Ediscovery Search And Delete Teams Chat Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-search-and-delete-teams-chat-messages.md
f1.keywords:
Previously updated : 03/28/2023 Last updated : 05/12/2023 audience: Admin
The first step is to create a case in eDiscovery (Premium) to manage the search
## Step 2: Create a collection estimate
-After you create a case, the next step is to create a collection estimate to search for the Teams chat messages that you want to purge. The purge process you perform is Step 5 will purge all items that are found in the collection estimate.
+After you create a case, the next step is to create a collection estimate to search for the Teams chat messages that you want to purge. The purge process you perform is Step 5 purges all items that are found in the collection estimate (within the 10 item per location limit).
In eDiscovery (Premium), a *collection* is an eDiscovery search of the Teams content locations that contain the chat messages that you want to purge. Create the collection estimate in the case that you created in the previous step. For more information, see [Create a collection estimate](ediscovery-create-draft-collection.md).
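Review bot: the added parenthetical "(within the 10 item per location limit)" introduces a limit that the visible text never explains. Say what counts as a location and what happens to matches beyond ten, or link to where the limit is documented, because an admin running a purge needs to know it may be partial. The sentence also still reads "you perform is Step 5"; change "is" to "in".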
For instructions about how to identify and remove holds and retention policies,
## Step 5: Purge chat messages from Teams > [!NOTE]
-> Because Microsoft Graph Explorer is not available in the US Government cloud (GCC, GCC High, and DOD), you must use PowerShell to accomplish these tasks. See the [Purge chat messages with PowerShell](#purge-chat-messages-with-powershell) for details.
+> Because Microsoft Graph Explorer is not available in some US Government clouds (GCC High and DOD), you must use PowerShell to accomplish these tasks. See the [Purge chat messages with PowerShell](#purge-chat-messages-with-powershell) for details.
-Now you're ready to actually purge chat messages from Teams. You'll use the Microsoft Graph Explorer to perform the following three tasks:
+Now you're ready to actually purge chat messages from Teams. Use the Microsoft Graph Explorer to perform the following three tasks:
1. Get the ID of the eDiscovery (Premium) case that you created in Step 1. This is the case that contains the collection created in Step 2. 2. Get the ID of the collection that you created in Step 2 and verified the search results in Step 3. The search query in this collection returns the chat messages that will be purged.
For information about using Graph Explorer, see [Use Graph Explorer to try Micro
2. Run the following GET request to retrieve the ID for the eDiscovery (Premium) case. Use the value `https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases` in the address bar of the request query. Be sure to select **v1.0** in the API version dropdown list.
- ![GET request for case Id.](..\media\ediscovery-GraphGetRequestForCaseId.png)
- This request returns information about all cases in your organization on the **Response preview** tab. 3. Scroll through the response to locate the eDiscovery (Premium) case. Use the **displayName** property to identify the case.
- ![Response with case Id.](..\media\GraphResponseForCaseId.png)
- 4. Copy the corresponding ID (or copy and paste it to a text file). You'll use this ID in the next task to get the collection ID. > [!TIP]
For information about using Graph Explorer, see [Use Graph Explorer to try Micro
### Get the eDiscoverySearchID
-1. In Graph Explorer, run the following GET request to retrieve the ID for the collection that you created in Step 2, and contains the items you want to purge. Use the value `https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases{'ediscoverySearchID'}/searches` in the address bar of the request query, where *{ediscoverySearchID}* is the ID that you obtained in the previous procedure.
+1. In Graph Explorer, run the following GET request to retrieve the ID for the collection that you created in Step 2, and contains the items you want to purge. Use the value `https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{ediscoveryCaseID}/searches` in the address bar of the request query, where *{ediscoveryCaseID}* is the CaseID that you obtained in the previous procedure.
2. Scroll through the response to locate the collection that contains the items that you want to purge. Use the *displayName* property to identify the collection that you created in Step 3.
- ![Response with collection Id.](..\media\GraphResponseForCollectionId.png)
- In the response, the search query from the collection is displayed in the *contentQuery* property. Items returned by this query will be purged in the next task. 3. Copy the corresponding ID (or copy and paste it to a text file). You'll use this ID in the next task to purge the chat messages.
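Review bot: step 2 says "the collection that you created in Step 3" while step 1 says the collection was created in Step 2; align step 2 with Step 2. With the response screenshot removed, also consider stating which property holds the ID to copy, as the earlier procedure does with **displayName**.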
For information about using Graph Explorer, see [Use Graph Explorer to try Micro
### Purge the chat messages
-1. In Graph Explorer, run the following POST request to purge the items returned by the collection that you created in Step 2. Use the value `https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{'ediscoveryCaseID'}/searches/{'ediscoverySearchID'}/purgeData` in the address bar of the request query, where *{ediscoveryCaseID}* and *{ediscoverySearchID}* are the IDs that you obtained in the previous procedures.
-
- ![POST request to delete items returned by the collection.](..\media\ediscovery-GraphPOSTRequestToPurgeItems.png)
+1. In Graph Explorer, run the following POST request to purge the items returned by the collection that you created in Step 2. Use the value `https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{ediscoveryCaseID}/searches/{ediscoverySearchID}/purgeData` in the address bar of the request query, where *{ediscoveryCaseID}* and *{ediscoverySearchID}* are the IDs that you obtained in the previous procedures.
If the POST request is successful, an HTTP response code is displayed in a green banner stating that the request was accepted.
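Review bot: the success criterion says only that "an HTTP response code is displayed in a green banner"; name the expected code so that someone following the PowerShell path knows what success looks like. Because the request screenshot is removed here, the step should also say explicitly that the method must be set to POST and whether a request body is required, since `purgeData` deletes content.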
Admins can use the procedures in this article to search and delete Teams chat me
## End-user experience
-For deleted chat messages, users will see an automatically generated message stating "This message was deleted by an admin".
+For deleted chat messages, users see an automatically generated message stating "This message was deleted by an admin".
![View of purged chat message in Teams client.](..\media\TeamsPurgeTombstone.png)
compliance Ome Version Comparison https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-version-comparison.md
f1.keywords:
Previously updated : 09/17/2019 Last updated : 05/05/2023 audience: Admin
Microsoft Purview Advanced Message Encryption offers more capabilities on top of
- Multiple branding templates
-Advanced Message Encryption isn't supported in GCC High.
+- Encrypted message portal activity logs
For information on using Advanced Message Encryption, see [Microsoft Purview Advanced Message Encryption](ome-advanced-message-encryption.md).
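Review bot: the line "Advanced Message Encryption isn't supported in GCC High." is removed with no replacement, so a GCC High reader can no longer tell whether the feature is supported. If support changed, state it positively; if not, keep the limitation. Also check that the added bullet "Encrypted message portal activity logs" renders as part of the capability list above it and not as a separate list.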
compliance Revoke Ome Encrypted Mail https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/revoke-ome-encrypted-mail.md
Once you know the Message ID of the email you want to revoke, and you have verif
To revoke the message using the Microsoft Purview compliance portal
-1. Using a work or school account that has global administrator permissions in your organization, connect to the Microsoft Purview compliance portal.
+1. Using a work or school account that has global administrator or compliance administrator permissions in your organization, connect to the Microsoft Purview compliance portal.
2. In the **Encryption report**, in the **Details** table for the message, choose **Revoke message**. To revoke an email by using Windows PowerShell, use the Set-OMEMessageRevocation cmdlet.
-1. Using a work or school account that has global administrator permissions in your organization, [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. Using a work or school account that has global administrator, compliance administrator, or Exchange administrator permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-OMEMessageRevocation cmdlet as follows:
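Review bot: the two procedures now require different roles. The compliance portal step lists global administrator or compliance administrator, while the PowerShell step adds Exchange administrator. Confirm the difference is intended and, if so, say why. Listing the least-privileged role first would steer admins away from using global administrator for a single revocation.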
security Get Defender Business Servers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business-servers.md
- Title: Get Microsoft Defender for Business servers
-description: Find out how to get Microsoft Defender for Business servers.
------ Previously updated : 01/23/2023--- SMB-- m365-security-- tier1---
-# How to get Microsoft Defender for Business servers
-
-Microsoft Defender for Business servers is an add-on to Defender for Business. This new offering enables you to secure your server operating systems with the same protection that you get for client devices in Defender for Business. This article describes how to get Microsoft Defender for Business servers and includes next steps and additional information.
-
-> [!IMPORTANT]
-> - In order to add on Microsoft Defender for Business servers, you'll need at least one paid license for [Microsoft 365 Business Premium](../../business-premium/index.md) or [Defender for Business](mdb-overview.md) (standalone).
-> - You'll need one Microsoft Defender for Business servers license per server instance, although you don't assign it to any devices or users.
-> - There's a limit of 60 Microsoft Defender for Business servers licenses per subscription to Microsoft 365 Business Premium or Defender for Business.
-> - Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) to onboard your servers. To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
-
-## Get Microsoft Defender for Business servers
-
-Use one of the following procedures to get Microsoft Defender for Business servers:
-
-| Scenario | Procedure |
-|||
-| You currently have [Defender for Business](mdb-overview.md) or [Microsoft 365 Business Premium](../../business-premium/index.md), and you want to add on Microsoft Defender for Business servers. | 1. In the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)), in the navigation pane, choose **Billing** > **Purchase services**.<br/>2. In the list of results, select the **Details** box for **Microsoft Defender for Business servers**.<br/>3. Review the information, and complete the purchase process. You'll need one Microsoft Defender for Business servers license for each instance of Windows Server or Linux. Note that you won't assign the Microsoft Defender for Business servers license to users or devices. <br/>4. Proceed to onboard your server. To get help with this, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |
-| You do not have either Defender for Business or Microsoft 365 Business Premium yet. | 1. Go to one of the following product pages: <br/> - [Microsoft Defender for Business](https://aka.ms/DefenderforBusiness)<br/> - [Microsoft 365 for business](https://www.microsoft.com/en-us/microsoft-365/business-h)<br/>2. Review the information, and start your subscription today.<br/>3. Depending on what you selected in the previous steps, use one of the following resources to set up your subscription:<br/> - [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md)<br/> - [Set up and configure Microsoft 365 Business Premium](../../business-premium/index.md)<br/>4. Follow the steps in the preceding scenario ("You currently have Defender for Business or Microsoft 365 Business Premium and you want to add on Microsoft Defender for Business servers"). |
-| You previously onboarded devices, such as servers, and now you want to remove (offboard) some of those devices. | See [Offboard a device from Microsoft Defender for Business](mdb-offboard-devices.md). |
-
-## Next steps
--- [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).-- [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md).-- [Offboard a device from Microsoft Defender for Business](mdb-offboard-devices.md).-
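Review bot: deleting this article removes the licensing constraints in its IMPORTANT block (at least one paid Business Premium or Defender for Business license, one license per server instance, and the 60-license limit per subscription). Confirm each of those is carried into the servers section of `get-defender-business.md`, and add a redirect for the old URL.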
security Get Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md
# Get Microsoft Defender for Business
-[Defender for Business](mdb-overview.md) is a new endpoint security solution designed especially for small and medium-sized businesses (up to 300 employees). This article describes how to get and provision Defender for Business.
+[Microsoft Defender for Business](mdb-overview.md) is an endpoint security solution designed especially for small and medium-sized businesses (up to 300 employees). This article describes how to get Defender for Business.
:::image type="content" source="media/mdb-setup-step1.png" alt-text="Visual aid depicting step 1 - Get Defender for Business.":::
+Sections include:
+
+- **[How to get Defender for Business](#how-to-get-microsoft-defender-for-business)** to protect client devices, such as computers, tablets, and phones
+- **[How get Microsoft Defender for Business servers](#how-to-get-microsoft-defender-for-business-servers)**, an add-on that enables you to onboard and protect Windows and Linux servers
+- **[Portals that you'll use](#portals-youll-use-for-setup-and-management)** to set up, configure, and manage Defender for Business
+- **[Next steps](#next-step)**, such as adding users and assigning licenses.
+ > [!IMPORTANT] > You should be a global administrator to complete the tasks described in this article. The person who signs your company up for Microsoft 365 is a global administrator. [Learn more about admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md).
To get Defender for Business, you can choose from several options:
Use the following tabs to learn more about each option.
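Review bot: In the new "Sections include" list, the second link text reads "How get Microsoft Defender for Business servers"; it is missing "to" and should match the target heading, "How to get Microsoft Defender for Business servers". The last item is labelled "Next steps" but points at `#next-step`, and this same commit renames that heading to "Next step", so make the link text singular as well.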
-# [Get Defender for Business (standalone)](#tab/getmdb)
+## [Get Defender for Business (standalone)](#tab/getmdb)
Defender for Business provides advanced security protection for your company's devices. For more information, see [What is Microsoft Defender for Business](mdb-overview.md)?
Defender for Business provides advanced security protection for your company's d
> [!NOTE] > If you have Microsoft 365 Business Premium and you haven't set it up yet, see [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/index.md). This guidance walks you through how to set up and configure all of your productivity and security capabilities, including Defender for Business. -
-# [Get Microsoft 365 Business Premium](#tab/getpremium)
+## [Get Microsoft 365 Business Premium](#tab/getpremium)
Microsoft 365 Business Premium includes Defender for Business, Microsoft Defender for Office 365 Plan 1, and Microsoft 365 Apps (formerly referred to as Office apps). For more information, see [Productivity and security for small and medium-sized businesses](../../business-premium/why-choose-microsoft-365-business-premium.md).
Microsoft 365 Business Premium includes Defender for Business, Microsoft Defende
> [!IMPORTANT] > Make sure to complete all the steps described in [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/index.md).
-# [Work with a Microsoft partner](#tab/findpartner)
+## [Work with a Microsoft partner](#tab/findpartner)
Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium and Microsoft Defender for Business. If you'd prefer to work with a Microsoft partner, you can follow these steps to find a solution provider in your area:
Microsoft has a list of solution providers who are authorized to sell offerings,
+## How to get Microsoft Defender for Business servers
+
+Microsoft Defender for Business servers is an add-on to Defender for Business that enables you to secure your server operating systems with the same protection that you get for client devices in Defender for Business.
+
+1. Go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)), and sign in.
+
+2. In the navigation pane, choose **Billing** > **Purchase services**.
+
+3. In the list of results, select the **Details** box for **Microsoft Defender for Business servers**.
+
+4. Review the information, and complete the purchase process. You'll need one Microsoft Defender for Business servers license for each instance of Windows Server or Linux, and you won't assign that license to users or devices.
+
+> [!IMPORTANT]
+> - In order to add on Microsoft Defender for Business servers, you'll need at least one paid license for [Defender for Business](mdb-overview.md) (standalone) or [Microsoft 365 Business Premium](../../business-premium/index.md).
+> - There's a limit of 60 Microsoft Defender for Business servers licenses per subscription to Microsoft 365 Business Premium or Defender for Business.
+> - If preferred, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) instead to onboard your servers. To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
+
+ ## Portals you'll use for setup and management
-When you use Defender for Business, you'll work with two main portals: the Microsoft 365 admin center, and the Microsoft 365 Defender portal. If your subscription also includes Microsoft Intune, you will use the Intune admin center as well. The following table summarizes these portals and how you'll use them.
+When you use Defender for Business, you'll work with two main portals: the Microsoft 365 admin center, and the Microsoft 365 Defender portal. If your subscription also includes Microsoft Intune, you'll use the Intune admin center as well. The following table summarizes these portals and how you'll use them.
|Portal |Description | |||
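Review bot: Step 3 of the new server add-on procedure says "In the list of results", but steps 1 and 2 only sign in and open **Billing** > **Purchase services**; no step runs a search or applies a filter that would produce results. Either add the search step or reword it to refer to the list of products. The limit of 60 licenses per subscription also matters at purchase time, so consider stating it in step 4 next to the one-license-per-server-instance rule rather than only in the note that follows.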
When you use Defender for Business, you'll work with two main portals: the Micro
| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business, and to monitor your devices and threat detections. You'll use the Microsoft 365 Defender portal to: <br/>- View your devices and device protection policies.<br/>- View detected threats and take action.<br/>- View security recommendations and manage your security settings.<br/><br/>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). | | The Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)) | Use the Intune admin center to set up multifactor authentication (MFA), onboard iOS and Android devices, and configure certain capabilities, such as [attack surface reduction rules](mdb-asr.md).<br/><br/>To learn more about Intune, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune). |
-## Next steps
+## Next step
-- [Get Microsoft Defender for Business servers](get-defender-business-servers.md) for your Windows and Linux servers. - Proceed to [Step 2: Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
ms.localizationpriority: medium Previously updated : 09/14/2022 Last updated : 05/10/2023 f1.keywords: NOCSH
In Defender for Business, you can manage devices as follows:
- [View a list of onboarded devices](#view-the-list-of-onboarded-devices) to see their risk level, exposure level, and health state - [Take action on a device](#take-action-on-a-device-that-has-threat-detections) that has threat detections
+- [View the state of Microsoft Defender Antivirus](#view-the-state-of-microsoft-defender-antivirus)
- [Onboard a device to Defender for Business](#onboard-a-device) - [Offboard a device from Defender for Business](#offboard-a-device)
In Defender for Business, you can manage devices as follows:
4. Select an action, such as **Run antivirus scan** or **Initiate Automated Investigation**.
+## View the state of Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus is a key component of next-generation protection in Defender for Business. When devices are onboarded to Defender for Business, Microsoft Defender Antivirus can have one of the following states:
+
+- Active mode
+- Passive mode
+- Disabled (or uninstalled) mode
+
+The following table describes each state and what it means.
+
+| Microsoft Defender Antivirus state | What it means |
+|:|:|
+| **Active mode** <br/>(*recommended*) | Microsoft Defender Antivirus is used as the antivirus app on the machine. Files are scanned, threats are remediated, and detection information is reported in the Microsoft 365 Defender portal and in the Windows Security app on a device running Windows.<br/><br/>We recommend running Microsoft Defender Antivirus in active mode so that devices onboarded to Defender for Business will get all of the following types of protection: <br/>- **Real-time protection**, which locates and stops malware from running on devices. <br/> - **Cloud protection**, which works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected.<br/> - **Network protection**, which helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet.<br/> - **Web content filtering**, which regulates access to websites based on content categories (such as adult content, high bandwidth, and legal liability) across all browsers.<br/> - **Protection from potentially unwanted applications**, such as advertising software, bundling software that offers to install other, unsigned software, and evasion software that attempts to evade security features. |
+| **Passive mode** | A non-Microsoft antivirus/antimalware product is installed on the device, and even though the device has been onboarded to Defender for Business, Microsoft Defender Antivirus can detect threats but doesn't remediate them. Devices with Microsoft Defender Antivirus can still receive security intelligence and platform updates. <br/><br/>You can switch Microsoft Defender Antivirus to active mode automatically by uninstalling the non-Microsoft antivirus/antimalware product. |
+| **Disabled mode** | A non-Microsoft antivirus/antimwalware product is installed on the device, and the device hasn't been onboarded to Defender for Business. Whether Microsoft Defender Antivirus went into disabled mode automatically or was set manually, it's not currently running on the device. In this case, Microsoft Defender Antivirus neither detects nor remediates threats on the device.<br/><br/>You can switch Microsoft Defender Antivirus to active mode by uninstalling the non-Microsoft antivirus/antimalware solution and onboarding the device to Defender for Business. |
+ ## Onboard a device See [Onboard devices to Defender for Business](mdb-onboard-devices.md).
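Review bot: The "Disabled mode" row defines the state as one where "the device hasn't been onboarded to Defender for Business", which contradicts the section's opening sentence listing disabled mode among the states Microsoft Defender Antivirus can have "when devices are onboarded". Align the two, because as written a reader cannot tell whether an onboarded device can be left with no antivirus detection or remediation. The same row also misspells "antimalware" as "antimwalware".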
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
After a device is enrolled in Intune, you can add it to a device group. [Learn m
## Servers > [!NOTE]
-> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business-servers.md). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
+> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
Choose the operating system for your server:
Choose the operating system for your server:
> [!IMPORTANT] > Make sure that you meet the following requirements before you onboard a Windows Server endpoint:
-> - You have a Microsoft Defender for Business servers license. (See [How to get Microsoft Defender for Business servers](get-defender-business-servers.md).)
+> - You have a Microsoft Defender for Business servers license. (See [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).)
> - The enforcement scope for Windows Server is turned on. Go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**. You can onboard an instance of Windows Server to Defender for Business by using a local script.
After the command runs, the Command Prompt window will close automatically. If s
> [!IMPORTANT] > Make sure that you meet the following requirements before you onboard a Linux Server endpoint:
-> - You have a Microsoft Defender for Business servers license. (See [How to get Microsoft Defender for Business servers](get-defender-business-servers.md).)
+> - You have a Microsoft Defender for Business servers license. (See [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).)
> - You meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites). ### Onboard Linux Server endpoints
security Mdb Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-preview.md
Turn on the preview experience setting to be among the first to try upcoming fea
## See also - [Get Microsoft Defender for Business](get-defender-business.md)-- [How to get Microsoft Defender for Business servers](get-defender-business-servers.md)
+- [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers)
- [Trial user guide: Microsoft Defender for Business](trial-playbook-defender-business.md) - [Visit the Microsoft 365 Defender portal](mdb-get-started.md)
security Mdb Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md
The following table lists the basic requirements you need to configure and use D
| Browser | Microsoft Edge or Google Chrome | | Client computer operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <br/>- Windows 10 or 11 Business <br/>- Windows 10 or 11 Professional <br/>- Windows 10 or 11 Enterprise <br/>- Mac (the three most-current releases are supported) <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. | | Mobile devices | To onboard mobile devices, such as iOS or Android OS, you can use [Mobile threat defense capabilities (preview)](mdb-mtd.md) or Microsoft Intune (see note 1 below).<br/><br/>For more details about onboarding devices, including requirements for mobile threat defense (preview), see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |
-| Server license | To onboard a device running Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business-servers.md) (see note 2 below). |
+| Server license | To onboard a device running Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) (see note 2 below). |
| Additional server requirements | Windows Server endpoints must meet the [requirements for Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements#hardware-and-software-requirements), and enforcement scope must be turned on.<br/>1. In the Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. <br/>2. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**. <br/>3. Select **Save**.<br/><br/>Linux Server endpoints must meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites). | > [!NOTE] > 1. Microsoft Intune is not included in the standalone version of Defender for Business, but Intune can be added on. Intune is included in Microsoft 365 Business Premium. >
-> 2. To onboard servers, we recommend using [Microsoft Defender for Business servers](get-defender-business-servers.md). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions?](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions) and [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
+> 2. To onboard servers, we recommend using [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions?](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions) and [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
> > 3. [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) is used to manage user permissions and device groups. Azure AD is included in your Defender for Business subscription. > - If you don't have a Microsoft 365 subscription before you start your trial, Azure AD will be provisioned for you during the activation process.
security Mdb Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-setup-configuration.md
ms.localizationpriority: medium Previously updated : 05/01/2023 Last updated : 05/11/2023 f1.keywords: NOCSH
When you're ready to set up and configure Defender for Business, you can choose
> [!IMPORTANT] > You must be a global administrator to complete setup tasks, including running the setup wizard. See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).
-1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business-servers.md).
+1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).
In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Assets** > **Devices**. If Defender for Business isn't provisioned yet, that process begins now.
When you're ready to set up and configure Defender for Business, you can choose
> [!IMPORTANT] > You must be a global administrator to complete setup tasks. See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).
-1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business-servers.md).
+1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).
2. **Add users and assign licenses**. Assign a license for Defender for Business (or Microsoft 365 Business Premium, if that's your subscription) to each member of your organization to protect their devices. You'll also want to make sure multifactor authentication is enabled for all users. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).
When you're ready to set up and configure Defender for Business, you can choose
After reading this article, proceed to:
-1. [Get Microsoft Defender for Business](get-defender-business.md) and [Microsoft Defender for Business servers](get-defender-business-servers.md).
+1. [Get Microsoft Defender for Business](get-defender-business.md) and [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).
2. [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md). After you have set up and configured Defender for Business, your next steps are to:
security Defender Endpoint Antivirus Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md
Previously updated : 01/12/2023 Last updated : 05/10/2023
When you're dealing with false positives, or known entities that are generating
| Scenario | Steps to consider | |:|:-|
-| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | <ol><li>[Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. </li><li>[Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. </li><li>[Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. </li><li>[Submit the false positive to Microsoft](/microsoft-365/security/intelligence/submission-guide.md) for analysis. </li><li>[Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary).</li></ol> |
-| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues:<ul><li>A system is having high CPU usage or other performance issues.</li><li>A system is having memory leak issues.</li><li>An app is slow to load on devices. </li><li>An app is slow to open a file on devices.</li></ul> | <ol><li>[Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus.</li><li>If you're using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions).</li><li>[Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact.</li><li>[Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary).</li><li>[Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary).</li></ul> |
-| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | <ol><li>If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). </li><li>If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes:<ul><li>[Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution);</li><li>[Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#step-4-add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus) ; </li><li>[Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating).</li></ul></li></ol> |
+| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | 1. [Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. <br/>2. [Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. <br/>3. [Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. <br/>4. [Submit the false positive to Microsoft](/microsoft-365/security/intelligence/submission-guide.md) for analysis. <br/>5. [Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary). |
+| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues:<br/>- A system is having high CPU usage or other performance issues.<br/>- A system is having memory leak issues.<br/>- An app is slow to load on devices.<br/>- An app is slow to open a file on devices. | 1. [Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus.<br/>2. If you're using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions).<br/>3. [Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact.<br/>4. [Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary).<br/>5. [Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary). |
+| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | 1. If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode).<br/>2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes:<br/>- [Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution);<br/>- [Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#step-4-add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); and <br/>- [Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating). |
> [!IMPORTANT] > An "allow" indicator is the strongest type of exclusion you can define in Defender for Endpoint. Make sure to use indicators sparingly (only when necessary), and review all exclusions periodically.
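Review bot: In the compatibility row, the three items under step 2 ("This guidance includes:") were nested inside the second `<li>` in the old markup and are now flat "- " entries after `<br/>`, so they sit at the same level as the numbered steps; indent them or fold them into the sentence. In the false-positive row, the link `/microsoft-365/security/intelligence/submission-guide.md` is carried over unchanged: the other site-relative links on this page (for example `/azure/defender-for-cloud/plan-defender-for-servers`) omit the `.md` extension, so check that this one resolves.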
The following table summarizes exclusion types that can be defined for Defender
| Product/service | Exclusion types | |:|:-|
-| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | <ul><li>[Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later)</li><li>[Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions</li><li>[Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats </li></ul> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, you'll need another license, such as Microsoft Defender for Endpoint for Servers or [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).*<br/><br/>*If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |
-| [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) |<ul><li>[Indicators](#defender-for-endpoint-indicators) for files, certificates, or IP addresses, URLs/domains</li><li>[Attack surface reduction exclusions](#attack-surface-reduction-exclusions)</li><li>[Controlled folder access exclusions](#controlled-folder-access-exclusions)</li></ul> |
+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later)<br/>- [Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions<br/>- [Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats<br/><br/>*The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, you'll need another license, such as Microsoft Defender for Endpoint for Servers or [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).*<br/><br/>*If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).* |
+| [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Indicators](#defender-for-endpoint-indicators) for files, certificates, or IP addresses, URLs/domains<br/>- [Attack surface reduction exclusions](#attack-surface-reduction-exclusions)<br/>- [Controlled folder access exclusions](#controlled-folder-access-exclusions) |
| [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | [Automation folder exclusions](#automation-folder-exclusions) (for automated investigation and remediation) | The following sections describe these exclusions in more detail:
Depending on what you're using, you might need to refer to the documentation for
> - Top files that impact scan time > - Top processes that impact scan time > - Top file extensions that impact scan time
-> - Combinations ΓÇô for example:
+> - Combinations, such as:
> - top files per extension > - top paths per extension > - top processes per path
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
You can also use a newly added license usage report to track status.
Defender for Endpoint Plan 1 and 2 (standalone), Defender for Business (standalone), and Microsoft 365 Business Premium don't include server licenses. To onboard servers, choose from the following options: - **Microsoft Defender for Servers Plan 1 or Plan 2** (*recommended for enterprise customers*) as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).-- **Microsoft Defender for Business servers** (*recommended for small and medium-sized businesses who have [Microsoft Defender for Business](../defender-business/mdb-overview.md)*). To learn more, see [How to get Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).
+- **Microsoft Defender for Business servers** (*recommended for small and medium-sized businesses who have [Microsoft Defender for Business](../defender-business/mdb-overview.md)*). To learn more, see [How to get Microsoft Defender for Business servers](../defender-business/get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).
- **Microsoft Defender for Endpoint for Servers** (*if you already have these licenses*). See [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md). ## Start a trial
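Review bot: The unchanged first bullet in this list still reads "To learn more. see [Overview of Microsoft Defender for Servers]", with a period where a comma belongs; since the neighbouring bullet's link is being corrected here, change it to "To learn more, see" in the same commit. The new target also depends on the anchor #how-to-get-microsoft-defender-for-business-servers matching a heading in get-defender-business.md, so verify that it resolves in the built page rather than dropping readers at the top of the article.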
security Defender Endpoint Plan 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1.md
Most organizations use various devices and operating systems. Defender for Endpo
Servers require an additional license, such as: - **Microsoft Defender for Servers Plan 1 or Plan 2** (*recommended for enterprise customers*) as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).-- **Microsoft Defender for Business servers** (*for small and medium-sized businesses who have [Microsoft Defender for Business](../defender-business/mdb-overview.md)*). To learn more, see [How to get Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).
+- **Microsoft Defender for Business servers** (*for small and medium-sized businesses who have [Microsoft Defender for Business](../defender-business/mdb-overview.md)*). To learn more, see [How to get Microsoft Defender for Business servers](../defender-business/get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).
- **Microsoft Defender for Endpoint for Servers**. See [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md). > [!TIP]
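Review bot: This bullet describes Defender for Business servers as "for small and medium-sized businesses", while the same bullet in defender-endpoint-plan-1-2.md says "recommended for small and medium-sized businesses"; pick one wording so the two licensing lists agree. The "To learn more. see" typo in the Defender for Servers bullet above it is also left in place here.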
security Device Control Removable Storage Access Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq.md
Title: Microsoft Defender for Endpoint Device Control Removable Storage frequent
description: Answers frequently asked questions on MDE device control removable storage.
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
- tier3 Previously updated : 01/31/2023 Last updated : 05/11/2023 search.appverid: met150
The most common reason is there's no required [anti-malware client version](/mic
Another reason could be that the XML file isn't correctly formatted. For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update.
-If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRules into one XML file within a parent node called `PolicyRules`. Also combine all Groups into one XML file within a parent node called `Groups`. If you manage through Intune, keep one PolicyRule XML file, and one Group XML file.
+If you're deploying and managing the policy by using Group Policy, make sure to combine all policy rules into one XML file within a parent node called `PolicyRules`. Also, combine all groups into one XML file within a parent node called `Groups`. If you're managing devices with Intune, keep separate XML files for each group and policy when deploying as `Custom OMA-URI`.
The device (machine) should have a valid certificate. Run the following command on the machine to check:
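Review bot: The replacement Intune sentence, "keep separate XML files for each group and policy when deploying as `Custom OMA-URI`", does not say whether each OMA-URI entry is expected to carry exactly one group or one policy rule, and it replaces the earlier "one PolicyRule XML file, and one Group XML file" without explaining the difference; spell that out so admins do not paste the combined Group Policy files into Intune. The unchanged sentence just above also says "markdown formatting for the "&" character", where XML escaping is meant, and is worth correcting while this paragraph is open, since the paragraph is about files that fail to parse.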
DeviceFileEvents
:::image type="content" alt-text="Screenshot of media in the Device Manager." source="https://user-images.githubusercontent.com/81826151/181859700-62a6f704-b12e-41e3-a048-7d63432654a4.png":::
-4. Open **Details**, and select **Properties**.
+4. Open **Details**, and then select **Properties**.
:::image type="content" alt-text="Screenshot of right-click menu for disk drives in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::
Another way is to deploy an Audit policy to the organization, and see the events
## How do I find Sid for Azure AD group?
-Different from AD group, the Sid is using Object Id for Azure AD group. You can find the Object Id from Azure portal.
+Different from Azure AD groups, the Sid is using Object Id for Azure AD group. You can find the Object Id from Azure portal.
![image](https://user-images.githubusercontent.com/81826151/200895994-cc395452-472f-472e-8d56-351165d341a7.png)
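Review bot: The rewritten opening, "Different from Azure AD groups, the Sid is using Object Id for Azure AD group", now contrasts Azure AD groups with themselves; the removed line compared against AD groups, so the edit loses the distinction the answer depends on. Suggest wording along the lines of "Unlike AD groups, Azure AD groups use the Object Id as the Sid". The screenshot below it also has the placeholder alt text "image", which should describe what the portal view shows.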
Different from AD group, the Sid is using Object Id for Azure AD group. You can
The **Default Enforcement** setting is for all device control components, which means if you set it to `Deny`, it will block all printers as well. You can either create custom policy to explicitly allow printers or you can replace the Default Enforcement policy with a custom policy. -
-## Why creating a folder is not blocked by File system level access
+## Why is creating a folder not blocked by File system level access?
Creating an empty folder will not be blocked even if **File system level access** Write access Deny is configured. Any non-empty file will be blocked.
-## Why my USB is still blocked with allow-ready policy?
+## Why is my USB still blocked with an allow-ready policy?
Some specific USB devices require more than Read access, the following list shows some examples: 1. To Read access some Kingston encrypted USBs requires Execute access for its CDROM. 2. To Read access some WD My Passport USBs requires Disk level Write access. For this case, if you want to deny Write access, you should use the **File system level access**
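Review bot: The corrected heading still says "allow-ready policy", but the answer beneath it is about devices that "require more than Read access", so this looks like a typo for "allow-read" that the grammar fix carried forward. The answer text needs the same pass: "To Read access some Kingston encrypted USBs requires Execute access" does not parse, and the final sentence about **File system level access** ends without a period.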
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
search.appverid: met150 Previously updated : 03/23/2021 Last updated : 05/11/2023 # Device discovery overview
Last updated 03/23/2021
**Applies to:** -- [Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
Specifies the behavior of RTP on mount point marked as noexec. There are two val
#### Unmonitor Filesystems
-Configure filesystems to be unmonitored/excluded from Real Time Protection. The filesystems configured are validated against Microsoft Defender's list of permitted filesystems that can be unmonitored. By default NFS and Fuse are unmonitored from RTP and Quick and Full scans.
+Configure filesystems to be unmonitored/excluded from Real Time Protection(RTP). The filesystems configured are validated against Microsoft Defender's list of permitted filesystems. Only post successful validation, will the filesystem be allowed to be unmonitored. These configured unmonitored filesystems will still be scanned by Quick, Full, and custom scans.
+
+By default, NFS and Fuse are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan.
|Description|Value| ||| |**Key**|unmonitoredFilesystems| |**Data type**|Array of strings|
+|**Comments**|Configured filesystem will be unmonitored only if it is present in Microsoft's list of permitted unmonitored filesystems.|
+ #### Configure file hash computation feature Enables or disables file hash computation feature. When this feature is enabled, Defender for Endpoint computes hashes for files it scans. Note that enabling this feature might impact device performance. For more details, please refer to: [Create indicators for files](indicator-file.md).
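Review bot: The two added paragraphs give different scan coverage under the same setting: filesystems configured in unmonitoredFilesystems "will still be scanned by Quick, Full, and custom scans", while the defaults NFS and Fuse are "unmonitored from RTP, Quick, and Full scans". State that difference explicitly in one place, and say what happens to an entry that fails validation against the permitted list (ignored, logged, or rejected), because an admin who wrongly assumes an exclusion did or did not take effect will misjudge real-time coverage. Also add the missing space in "Real Time Protection(RTP)" and reword "Only post successful validation, will the filesystem be allowed to be unmonitored".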
security Advanced Hunting Devicenetworkevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `RemoteIP` | `string` | IP address that was being connected to | | `RemotePort` | `int` | TCP port on the remote device that was being connected to | | `RemoteUrl` | `string` | URL or fully qualified domain name (FQDN) that was being connected to |
-| `LocalIP` | `string` | IP address assigned to the local machine used during communication |
+| `LocalIP` | `string` | Source IP, or the IP address where the communication came from |
| `LocalPort` | `int` | TCP port on the local machine used during communication | | `Protocol` | `string` | Protocol used during the communication | | `LocalIPType` | `string` | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
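Review bot: The new LocalIP description, "Source IP, or the IP address where the communication came from", no longer says the address belongs to the reporting device, while the LocalPort and LocalIPType rows below still describe the local machine and RemoteIP is still "IP address that was being connected to". If LocalIP is always the device's own address, keep that in the text; if it really means the initiator of the connection, the RemoteIP and LocalPort rows need matching changes, because hunting queries that filter or join on these columns depend on which end each one names.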
security Advanced Hunting Find Ransomware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-find-ransomware.md
Microsoft 365:
- [Deploy ransomware protection for your Microsoft 365 tenant](/microsoft-365/solutions/ransomware-protection-microsoft-365) - [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Recover from a ransomware attack](/microsoft-365/security/office-365-security/recover-from-ransomware)
+- [Ransomware incident response playbooks](/security/ransomware/)
- [Malware and ransomware protection](/compliance/assurance/assurance-malware-and-ransomware-protection) - [Protect your Windows PC from ransomware](https://support.microsoft.com//windows/protect-your-pc-from-ransomware-08ed68a7-939f-726c-7e84-a72ba92c01c3) - [Handling ransomware in SharePoint Online](/sharepoint/troubleshoot/security/handling-ransomware-in-sharepoint-online)
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
The following information is displayed in the timeline:
For example:
+![Screenshot of the Timeline tab.](media/investigate-users/time.png)
> [!NOTE] > Microsoft 365 Defender can display date and time information using either your local time zone or UTC. The selected time zone will apply to all date and time information shown in the Identity timeline.
As needed for in-process incidents, continue your [investigation](investigate-in
- [Manage incidents](manage-incidents.md) +
security Anti Phishing Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-about.md
Last updated 11/30/2022
- **Business email compromise (BEC)** uses forged trusted senders (financial officers, customers, trusted partners, etc.) to trick recipients into approving payments, transferring funds, or revealing customer data. Learn more by watching [this video](https://www.youtube.com/watch?v=8Kn31h9HwIQ&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=2). -- **Ransomware** that encrypts your data and demands payment to decrypt it almost always starts out in phishing messages. Anti-phishing protection can't help you decrypt encrypted files, but it can help detect the initial phishing messages that are associated with the ransomware campaign. For more information about recovering from a ransomware attack, see [Recover from a ransomware attack in Microsoft 365](recover-from-ransomware.md).
+- **Ransomware** that encrypts your data and demands payment to decrypt it almost always starts out in phishing messages. Anti-phishing protection can't help you decrypt encrypted files, but it can help detect the initial phishing messages that are associated with the ransomware campaign. For more information about recovering from a ransomware attack, see [Ransomware incident response playbooks](/security/ransomware/).
With the growing complexity of attacks, it's even difficult for trained users to identify sophisticated phishing messages. Fortunately, Exchange Online Protection (EOP) and the additional features in Microsoft Defender for Office 365 can help.
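Review bot: The lead-in on the added line still promises "more information about recovering from a ransomware attack", but the link now targets the general /security/ransomware/ path labelled "Ransomware incident response playbooks". Either reword the lead-in to match the destination or link to the specific recovery guidance under it.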
security Recover From Ransomware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recover-from-ransomware.md
- Title: Recover from a ransomware attack----
- - MET150
-
- - m365-security
- - m365initiative-defender-office365
- - m365solution-ransomware
- - highpri
- - tier1
-description: Microsoft 365 admins can learn how to recover from a ransomware attack.
-- Previously updated : 1/31/2023--
-# Recover from a ransomware attack in Microsoft 365
-
-**Applies to**
-- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-Even if you take every precaution to protect your organization, you can still fall victim to a [ransomware](/windows/security/threat-protection/intelligence/ransomware-malware) attack. Ransomware is big business, and in today's threat landscape Microsoft 365 is an ever-increasing [target for sophisticated attacks](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Cloudy-With-A-Chance-Of-APT-Novel-Microsoft-365-Attacks-In-The-Wild.pdf).
-
-The steps in this article will give you the best chance to recover data and stop the internal spread of infection. Before you get started, consider the following items:
--- There's no guarantee that paying the ransom will return access to your files. In fact, paying the ransom can make you a target for more ransomware.-
- If you already paid, but you recovered without using the attacker's solution, contact your bank to see if they can block the transaction.
-
- We also recommend that you report the ransomware attack to law enforcement, scam reporting websites, and Microsoft as described later in this article.
--- It's important for you respond quickly to the attack and its consequences. The longer you wait, the less likely it is that you can recover the affected data.-
-## Step 1: Verify your backups
-
-If you have offline backups, you can probably restore the encrypted data **after** you've removed the ransomware payload (malware) from your environment and **after** you've verified that there's no unauthorized access in your Microsoft 365 environments.
-
-If you don't have backups, or if your backups were also affected by the ransomware, you can skip this step.
-
-## Step 2: Disable Exchange ActiveSync and OneDrive sync
-
-The key point here is to stop the spread of data encryption by the ransomware.
-
-If you suspect email as a target of the ransomware encryption, temporarily disable user access to mailboxes. Exchange ActiveSync synchronizes data between devices and Exchange Online mailboxes.
-
-To disable Exchange ActiveSync for a mailbox, see [How to disable Exchange ActiveSync for users in Exchange Online](https://support.microsoft.com/help/2795303).
-
-To disable other types of access to a mailbox, see:
--- [Enable or disable MAPI for a mailbox](/Exchange/recipients-in-exchange-online/manage-user-mailboxes/enable-or-disable-mapi).--- [Enable or Disable POP3 or IMAP4 access for a user](/Exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access)-
-Pausing OneDrive sync will help protect your cloud data from being updated by potentially infected devices. For more information, see [How to Pause and Resume sync in OneDrive](https://support.microsoft.com/office/2152bfa4-a2a5-4d3a-ace8-92912fb4421e).
-
-## Step 3: Remove the malware from the affected devices
-
-Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that's associated with the ransomware.
-
-Don't forget to scan devices that are synchronizing data, or the targets of mapped network drives.
-
-You can use [Windows Defender](https://www.microsoft.com/windows/comprehensive-security) or (for older clients) [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201).
-
-An alternative that will also help you remove ransomware or malware is the [Malicious Software Removal Tool (MSRT)](https://www.microsoft.com/download/details.aspx?id=9905).
-
-If these options don't work, you can try [Windows Defender Offline](https://support.microsoft.com/help/17466) or [Troubleshoot problems with detecting and removing malware](https://support.microsoft.com/help/4466982).
-
-## Step 4: Recover files on a cleaned computer or device
-
-After you've completed the previous step to remove the ransomware payload from your environment (which will prevent the ransomware from encrypting or removing your files), you can use [File History](https://support.microsoft.com/help/17128) in Windows 11, Windows 10, Windows 8.1, and by using System Protection in Windows 7 to attempt to recover your local files and folders.
-
-**Notes**:
--- Some ransomware will also encrypt or delete the backup versions, so you can't use File History or System Protection to restore files. If that happens, you need use backups on external drives or devices that were not affected by the ransomware or OneDrive as described in the next section.--- If a folder is synchronized to OneDrive and you aren't using the latest version of Windows, there might be some limitations using File History.-
-## Step 5: Recover your files in your OneDrive for Business
-
-Files Restore in OneDrive for Business allows you to restore your entire OneDrive to a previous point in time within the last 30 days. For more information, see [Restore your OneDrive](https://support.microsoft.com/office/fa231298-759d-41cf-bcd0-25ac53eb8a15).
-
-## Step 6: Recover deleted email
-
-In the rare case that the ransomware deleted all your email, you can probably recover the deleted items. For more information, see:
--- [Recover deleted messages in a user's mailbox](/exchange/recipients-in-exchange-online/manage-user-mailboxes/recover-deleted-messages)--- [Recover deleted items in Outlook for Windows](https://support.microsoft.com/office/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce)-
-## Step 7: Re-enable Exchange ActiveSync and OneDrive sync
-
-After you've cleaned your computers and devices and recovered your data, you can re-enable Exchange ActiveSync and OneDrive sync that you previously disabled in [Step 2](#step-2-disable-exchange-activesync-and-onedrive-sync).
-
-## Step 8 (Optional): Block OneDrive sync for specific file extensions
-
-After you've recovered, you can prevent OneDrive for Business clients from synchronizing the file types that were affected by this ransomware. For more information, see [Set-SPOTenantSyncClientRestriction](/powershell/module/sharepoint-online/set-spotenantsyncclientrestriction)
-
-## Report the attack
-
-### Contact law enforcement
-
-You should contact your local or federal law enforcement agencies. For example, if you are in the United States you can contact the [FBI local field office](https://www.fbi.gov/contact-us/field), [IC3](http://www.ic3.gov/complaint/default.aspx) or [Secret Service](http://www.secretservice.gov/).
-
-### Submit a report to your country's scam reporting website
-
-Scam reporting websites provide information about how to prevent and avoid scams. They also provide mechanisms to report if you were victim of scam.
--- Australia: [SCAMwatch](http://www.scamwatch.gov.au/)--- Canada: [Canadian Anti-Fraud Centre](http://www.antifraudcentre-centreantifraude.ca/)--- France: [Agence nationale de la sécurité des systèmes d'information](http://www.ssi.gouv.fr/)--- Germany: [Bundesamt für Sicherheit in der Informationstechnik](https://www.bsi.bund.de/DE/Home/home_node.html)--- Ireland: [a Garda Síochána](http://www.garda.ie/)--- New Zealand: [Consumer Affairs Scams](http://www.consumeraffairs.govt.nz/scams)--- Switzerland [Nationales Zentrum für Cybersicherheit NCSC](https://www.ncsc.admin.ch/ncsc/de/home.html)--- United Kingdom: [Action Fraud](http://www.actionfraud.police.uk/)--- United States: [On Guard Online](http://www.onguardonline.gov/)-
-If your country isn't listed, ask your local or federal law enforcement agencies.
-
-### Submit email messages to Microsoft
-
-You can report phishing messages that contain ransomware by using one of several methods. For more information, see [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).
-
-## Additional ransomware resources
-
-Key information from Microsoft:
--- [The growing threat of ransomware](https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/), Microsoft On the Issues blog post on July 20, 2021-- [Human-operated ransomware](/security/compass/human-operated-ransomware)-- [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware)-- [2021 Microsoft Digital Defense Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report) (see pages 10-19)-- [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/overview) threat analytics report in the Microsoft 365 Defender portal-
-Microsoft 365:
--- [Deploy ransomware protection for your Microsoft 365 tenant](/microsoft-365/solutions/ransomware-protection-microsoft-365)-- [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Malware and ransomware protection](/compliance/assurance/assurance-malware-and-ransomware-protection)-- [Protect your Windows PC from ransomware](https://support.microsoft.com//windows/protect-your-pc-from-ransomware-08ed68a7-939f-726c-7e84-a72ba92c01c3)-- [Handling ransomware in SharePoint Online](/sharepoint/troubleshoot/security/handling-ransomware-in-sharepoint-online)-- [Threat analytics reports for ransomware](https://security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,reportType,createdOn,lastUpdatedOn,tags,flag) in the Microsoft 365 Defender portal-
-Microsoft 365 Defender:
--- [Find ransomware with advanced hunting](/microsoft-365/security/defender/advanced-hunting-find-ransomware)-
-Microsoft Azure:
--- [Azure Defenses for Ransomware Attack](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack/)-- [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Backup and restore plan to protect against ransomware](/security/compass/backup-plan-to-protect-against-ransomware)-- [Help protect from ransomware with Microsoft Azure Backup](https://www.youtube.com/watch?v=VhLOr2_1MCg) (26 minute video)-- [Recovering from systemic identity compromise](/azure/security/fundamentals/recover-from-identity-compromise)-- [Advanced multistage attack detection in Microsoft Sentinel](/azure/sentinel/fusion#ransomware)-- [Fusion Detection for Ransomware in Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-fusion-detection-for-ransomware/ba-p/2621373)-
-Microsoft Defender for Cloud Apps:
--- [Create anomaly detection policies in Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy)-
-Microsoft Security team blog posts:
--- [3 steps to prevent and recover from ransomware (September 2021)](https://www.microsoft.com/security/blog/2021/09/07/3-steps-to-prevent-and-recover-from-ransomware/)-- [A guide to combatting human-operated ransomware: Part 1 (September 2021)](https://www.microsoft.com/security/blog/2021/09/20/a-guide-to-combatting-human-operated-ransomware-part-1/)-
- Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.
--- [A guide to combatting human-operated ransomware: Part 2 (September 2021)](https://www.microsoft.com/security/blog/2021/09/27/a-guide-to-combatting-human-operated-ransomware-part-2/)-
- Recommendations and best practices.
--- [Becoming resilient by understanding cybersecurity risks: Part 4ΓÇönavigating current threats (May 2021)](https://www.microsoft.com/security/blog/2021/05/26/becoming-resilient-by-understanding-cybersecurity-risks-part-4-navigating-current-threats/)-
- See the **Ransomware** section.
--- [Human-operated ransomware attacks: A preventable disaster (March 2020)](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)-
- Includes attack chain analyses of actual attacks.
--- [Ransomware responseΓÇöto pay or not to pay? (December 2019)](https://www.microsoft.com/security/blog/2019/12/16/ransomware-response-to-pay-or-not-to-pay/)-- [Norsk Hydro responds to ransomware attack with transparency (December 2019)](https://www.microsoft.com/security/blog/2019/12/17/norsk-hydro-ransomware-attack-transparency/)
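Review bot: Confirm that equivalent content and a redirect exist before this deletion lands. The removed article holds Microsoft 365 specific containment and recovery steps (disabling Exchange ActiveSync and pausing OneDrive sync in Step 2, Files Restore within the last 30 days in Step 5, blocking sync for specific file extensions in Step 8), and the other articles in this update now point to /security/ransomware/ instead. Without a redirect for recover-from-ransomware.md, existing bookmarks and the in-article anchor #step-2-disable-exchange-activesync-and-onedrive-sync stop resolving.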
security Reports Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md
- seo-marvel-apr2020 Previously updated : 12/02/2022 Last updated : 5/10/2023 # View Defender for Office 365 reports in the Microsoft 365 Defender portal
Last updated 12/02/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view and download these reports in the Microsoft 365 Defender portal.
+In organizations with Microsoft Defender for Office 365 Plan 1 or Plan 2 (for example, Microsoft 365 E5 or Microsoft Business Premium) a variety of security-related reports are available. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view and download these reports in the Microsoft 365 Defender portal.
-## View and download reports
+The reports are available in the Microsoft 365 Defender portal at <https://security.microsoft.com> on the **Email & collaboration reports** page at **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. Or, to go directly to the **Email & collaboration reports** page, use <https://security.microsoft.com/emailandcollabreport>.
-### View reports
+Summary information for each report is available on the page. Identify the report you want to view, and then select **View details** for that report.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. To go directly to the **Email & collaboration reports** page, use <https://security.microsoft.com/emailandcollabreport>.
-
-1. Choose the report you want to view, and then select **View details**.
-
-### Download reports
-
-In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** > **Email & collaboration** \> **Reports for download**. To go directly to the **Reports for download** page, use <https://security.microsoft.com/ReportsForDownload?viewid=custom>.
-
+The rest of this article describes the reports that are exclusive to Defender for Office 365.
> [!NOTE] > > Email security reports that don't require Defender for Office 365 are described in [View email security reports in the Microsoft 365 Defender portal](reports-email-security.md). >
+> For reports that have been deprecated or replaced, see the table in [Email security report changes in the Microsoft 365 Defender portal](reports-email-security.md#email-security-report-changes-in-the-microsoft-365-defender-portal).
+>
> Reports that are related to mail flow are now in the Exchange admin center (EAC). For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).
+Watch this short video to learn how you can use reports to understand the effectiveness of Defender for Office 365 in your organization.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWBkxB]
+ ## Safe Attachments file types report > [!NOTE]
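Review bot: The added intro names "Microsoft Business Premium", which should be "Microsoft 365 Business Premium", and it still says you can "view and download these reports" although this hunk removes the "Download reports" section that gave the **Reports for download** path and URL. Either keep a one-line pointer to **Reports for download** or drop "and download" from the sentence.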
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to
## Mail latency report
-The **Mail latency report** shows you an aggregate view of the mail delivery and detonation latency experienced within your organization. Mail delivery times in the service are affected by a number of factors, and the absolute delivery time in seconds is often not a good indicator of success or a problem. A slow delivery time on one day might be considered an average delivery time on another day, or vice-versa. This tries to qualify message delivery based on statistical data about the observed delivery times of other messages.
-
-Client side and network latency are not included.
+The **Mail latency report** shows you an aggregate view of the mail delivery and detonation latency experienced within your Defender for Office 365 organization. Mail delivery times in the service are affected by many factors, and the absolute delivery time in seconds is often not a good indicator of success or a problem. A slow delivery time on one day might be considered an average delivery time on another day, or vice-versa. This report tries to qualify message delivery based on statistical data about the observed delivery times of other messages.
-To view the report, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. To go directly to the **Email & collaboration reports** page, use <https://security.microsoft.com/emailandcollabreport>.
+Client side and network latency aren't included.
-On the **Email & collaboration reports** page, find **Mail latency report** and then click **View details**. To go directly to the report, use <https://security.microsoft.com/mailLatencyReport>.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Mail latency report**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/mailLatencyReport>.
:::image type="content" source="../../media/mail-latency-report-widget.png" alt-text="The Mail latency report widget on the Email & collaboration reports page" lightbox="../../media/mail-latency-report-widget.png":::
-On the **Mail latency report** page, the following tabs are available on the **Mail latency report** page:
+On the **Mail latency report** page, the following tabs are available:
-- **50th percentile**: This is the middle for message delivery times. You can consider this value as an average delivery time. This tab is selected by default.-- **90th percentile**: This indicates a high latency for message delivery. Only 10% of messages took longer than this value to deliver.-- **99th percentile**: This indicates the highest latency for message delivery.
+- **50th percentile**: The middle for message delivery times. You can consider this value as an average delivery time. This tab is selected by default.
+- **90th percentile**: Indicates a high latency for message delivery. Only 10% of messages took longer than this value to deliver.
+- **99th percentile**: Indicates the highest latency for message delivery.
Regardless of the tab you select, the chart shows messages organized into the following categories: - **Overall**-- **Detonation**
+- **Detonation** (these values are explained in the :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** values)
-When you hover over a category in the chart, you can see a breakdown of the latency in each category.
+Hover over a category in the chart to see a breakdown of the latency in each category.
:::image type="content" source="../../media/mail-latency-report-50th-percentile-view.png" alt-text="The 50th percentiles view of the Mail latency report" lightbox="../../media/mail-latency-report-50th-percentile-view.png":::
-If you click **Filter**, you can filter both the chart and the details table by the following values:
--- **Date (UTC)**: **Start date** and **End date**-- **Message view**: One of the following values:
- - **All messages**
- - **Detonated messages**: One of the following values:
- - **Inline detonation**: Includes messages that are fully tested before delivery.
- - **Asynchronous detonation**
-
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
- In the details table below the chart, the following information is available: - **Date (UTC)**
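Review bot: The added **99th percentile** bullet still says it "Indicates the highest latency for message delivery", which is not what a percentile is; by the logic of the **90th percentile** bullet directly above it, 1% of messages took longer than this value. Word it in parallel, for example "Only 1% of messages took longer than this value to deliver." The **50th percentile** bullet has the same looseness: the value is the median, so "typical delivery time" is more accurate than "average delivery time".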
In the details table below the chart, the following information is available:
- **90th percentile** - **99th percentile**
-On the main report page, the ![Export icon.](../../medi#export-report)** button is available.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
+
+- **Date (UTC)**: **Start date** and **End date**
+- **Message view**: One of the following values:
+ - **All messages**
+ - **Detonated messages**: One of the following values:
+ - **Inline detonation**: Attachments and links in messages that are fully tested before delivery by Safe Attachments and Safe Links.
+ - **Asynchronous detonation**: [Dynamic delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies) of attachments in Safe Attachments and links in email tested after delivery by Safe Links.
+
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+
+On the **Mail latency report** page, the :::image type="icon" source="../../medi#export-report-data)** action is available.
## Threat protection status report
-The **Threat protection status** report is a single view that brings together information about malicious content and malicious email detected and blocked by [Exchange Online Protection](eop-about.md) (EOP) and Microsoft Defender for Office 365. For more information, see [Threat protection status report](reports-email-security.md#threat-protection-status-report).
+The **Threat protection status** report is a single view that brings together information about malicious content and malicious email detected and blocked by [Exchange Online Protection](eop-about.md) (EOP) and Defender for Office 365. For more information, see [Threat protection status report](reports-email-security.md#threat-protection-status-report).
## Top senders and recipients report
The **Top senders and recipients** report show the top recipients for EOP and De
## URL protection report
-The **URL protection report** provides summary and trend views for threats detected and actions taken on URL clicks as part of [Safe Links](safe-links-about.md). This report will not have click data from users where the Safe Links policy was applied when the **Track user clicks** option is not selected.
+The **URL protection report** provides summary and trend views for threats detected and actions taken on URL clicks as part of [Safe Links](safe-links-about.md). This report doesn't have click data from users if **Track user clicks** in the effective Safe Links policy isn't selected.
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **URL protection page** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/URLProtectionActionReport>.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **URL protection report**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/URLProtectionActionReport>.
:::image type="content" source="../../media/url-protection-report-widget.png" alt-text="The URL protection report widget on the Email & collaboration reports page" lightbox="../../media/url-protection-report-widget.png":::
-The available views on the **URL protection** report page are described in the following sections.
+The available views in the **URL threat protection** report are described in the following subsections.
-### View data by URL click protection action
+### View data by URL click protection action in the URL protection report
:::image type="content" source="../../media/url-threat-protection-report-url-click-protection-action-view.png" alt-text="The view namely URL click protection action in the URL protection report" lightbox="../../media/url-threat-protection-report-url-click-protection-action-view.png":::
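Review bot: The added sentence "The available views in the **URL threat protection** report" introduces a second name for this report, while the section heading, the intro paragraph, the widget alt text, and the renamed subsection title in the same hunk all say **URL protection report**. Use one name throughout, including the later "On the **URL threat protection** page" lines. Separately, the direct link changes from `https://security.microsoft.com/reports/URLProtectionActionReport` to `https://security.microsoft.com/URLProtectionActionReport`; please confirm the path without `/reports/` resolves, since nothing in the change explains the difference.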
The **View data by URL click protection action** view shows the number of URL cl
A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies).
-If you click **Filters**, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears:
--- **Date (UTC)**: **Start date** and **End date**-- **Action**:
- - **Allowed**
- - **Blocked**
- - **Allowed by tenant admin**
- - **Blocked and clicked through**
- - **Blocked by tenant admin and clicked through**
- - **Clicked through during scan**
- - **Pending scan**
-- **Domains**: The URL domains listed in the report results.-- **Recipients**-
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
- The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 30 days: - **Click time**
The details table below the chart provides the following near-real-time view of
- **Action** - **App**
-On the main report page, the ![Create schedule icon.](../../medi#export-report)** buttons are available.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
-### View data by URL click by application
+- **Date (UTC)**: **Start date** and **End date**.
+- **Action**: The same URL click protection actions as previously described.
+- **Evaluation**: Select **Yes** or **No**. For more information, see [Try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md).
+- **Domains (separated by commas)**: The URL domains listed in the report results.
+- **Recipients (separated by commas)**
+
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+
+On the **URL threat protection** page, the :::image type="icon" source="../../medi#export-report-data)** buttons are available.
+
+### View data by URL click by application in the URL protection report
:::image type="content" source="../../media/url-threat-protection-report-url-click-by-application-view.png" alt-text="The URL click protection action view in the URL protection report" lightbox="../../media/url-threat-protection-report-url-click-by-application-view.png"::: The **View data by URL click by application** view shows the number of URL clicks by apps that support Safe Links: - **Email client**-- **Office document** - **Teams**
+- **Office document**
-If you click **Filters**, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears:
--- **Date (UTC)**: **Start date** and **End date**-- **Detection**: Available apps from the chart.-- **Domains**: The URL domains listed in the report results.-- **Recipients**-
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
-
-The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 7 days:
+The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last seven days:
- **Click time** - **User** - **URL**-- **Action**
+- **Action**: The same URL click protection actions as previously described for the [View data by URL click protection action](#view-data-by-url-click-protection-action-in-the-url-protection-report) view.
- **App**
-On the main report page, the ![Create schedule icon.](../../medi#export-report)** buttons are available.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
+
+- **Date (UTC)**: **Start date** and **End date**.
+- **Application**: The same click by application values as previously described.
+- **Action**
+- **Evaluation**: Select **Yes** or **No**. For more information, see [Try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md).
+- **Domains (separated by commas)**: The URL domains listed in the report results.
+- **Recipients (separated by commas)**
+
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+
+On the **URL threat protection** page, the :::image type="icon" source="../../medi#export-report-data)** buttons are available.
## Additional reports to view
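Review bot: In the filter list added for the **View data by URL click by application** view, the **Action** bullet has no description, while the same bullet in the filter list for the URL click protection action view reads "The same URL click protection actions as previously described." Give this bullet the same pointer, or reuse the cross-reference link that the **Action** entry in the details table of this view already carries, so the two filter lists match.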
-In addition to the reports described in this article, several other reports are available, as described in the following table:
+In addition to the reports described in this article, the following tables describe other available reports that are available:
-|Report|Topic|
+|Report|Article|
||| |**Explorer** (Microsoft Defender for Office 365 Plan 2) or **real-time detections** (Microsoft Defender for Office 365 Plan 1)|[Threat Explorer (and real-time detections)](threat-explorer-about.md)| |Email security reports that don't require Defender for Office 365|[View email security reports in the Microsoft 365 Defender portal](reports-email-security.md)|
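Review bot: The rewritten intro sentence reads "the following tables describe other available reports that are available", which repeats "available". Suggest "the following tables describe other reports that are available".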
In addition to the reports described in this article, several other reports are
PowerShell reporting cmdlets:
-|Report|Topic|
+|Report|Article|
||| |Top senders and recipients|[Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport)| |Top malware|[Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport)|
PowerShell reporting cmdlets:
## What permissions are needed to view the Defender for Office 365 reports? -- You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:
- - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): Currently, this option requires membership in the Microsoft 365 Defender Preview program.
- - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups:
- - **Organization Management**
- - **Security Administrator**
- - **Security Reader**
- - **Global Reader**
- - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365.
+See [What permissions are needed to view these reports?](reports-email-security.md#what-permissions-are-needed-to-view-these-reports)
## What if the reports aren't showing data?
-If you are not seeing data in your Defender for Office 365 reports, double-check that your policies are set up correctly. Your organization must have [Safe Links policies](safe-links-policies-configure.md) and [Safe Attachments policies](set-up-safe-attachments-policies.md) defined in order for Defender for Office 365 protection to be in place. Also see [anti-spam](anti-spam-protection-about.md) and [anti-malware protection](anti-malware-protection-about.md).
+If you don't see data in the reports, check the report filters and double-check that your policies are set up correctly. Safe Links policies and Safe Attachments policies from Built-in protection, preset security policies, or custom policies need to be in effect and acting on messages. For more information, see the following articles:
+
+- [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md)
+- [Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365](configuration-analyzer-for-security-policies.md)
+- [Set up Safe Links policies in Microsoft Defender for Office 365](safe-links-policies-configure.md)
+- [Set up Safe Attachments policies in Microsoft Defender for Office 365](safe-attachments-policies-configure.md)
security Reports Email Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md
ms.assetid: 3a137e28-1174-42d5-99af-f18868b43e86
- m365-security - tier2
-description: Admins can learn how to find and use the email security reports that are available in the Microsoft 365 Defender portal. This article helps answer the question What is the The Threat protection status report in Microsoft Defender for Office 365?
+description: "Admins can learn how to find and use the email security reports that are available in the Microsoft 365 Defender portal. This article helps answer the question, 'What is the Threat protection status report in EOP and Microsoft Defender for Office 365?'"
- seo-marvel-apr2020 Previously updated : 5/1/2023 Last updated : 5/10/2023 # View email security reports in the Microsoft 365 Defender portal
Last updated 5/1/2023
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-A variety of reports are available in the Microsoft 365 Defender portal at <https://security.microsoft.com> to help you see how email security features, such as anti-spam and anti-malware features in Microsoft 365 are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view and download these reports as described in this article.
+In all Microsoft 365 organizations, a variety of reports are available to help you see how email security features are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view and download these reports as described in this article.
+
+The reports are available in the Microsoft 365 Defender portal at <https://security.microsoft.com> on the **Email & collaboration reports** page at **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. Or, to go directly to the **Email & collaboration reports** page, use <https://security.microsoft.com/emailandcollabreport>.
+
+Summary information for each report is available on the page. Identify the report you want to view, and then select **View details** for that report.
+
+The rest of this article describes the reports that are exclusive to Defender for Office 365.
> [!NOTE] >
-> Some of the reports on the **Email & collaboration reports** page require Microsoft Defender for Office 365. For information about these reports, see [View Defender for Office 365 reports in the Microsoft 365 Defender portal](reports-defender-for-office-365.md).
+> - Some of the reports on the **Email & collaboration reports** page are exclusive to Microsoft Defender for Office 365. For information about these reports, see [View Defender for Office 365 reports in the Microsoft 365 Defender portal](reports-defender-for-office-365.md).
>
-> Reports that are related to mail flow are now in the Exchange admin center. For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).
-
-Watch this short video to learn how you can use reports to understand the effectiveness of Defender for Office 365 in your organization.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWBkxB]
+> - Reports that are related to mail flow are now in the Exchange admin center. For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).
+>
+> A link to these reports is available in the Defender portal at **Reports** \> **Email & collaboration** \> **Email & collaboration reports** \> **Exchange mail flow reports**, which takes you to <https://admin.exchange.microsoft.com/#/reports/mailflowreportsmain>.
## Email security report changes in the Microsoft 365 Defender portal
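Review bot: The added sentence "The rest of this article describes the reports that are exclusive to Defender for Office 365" contradicts the rest of this hunk: the intro now opens with "In all Microsoft 365 organizations", and the note below sends readers to reports-defender-for-office-365.md for the reports that are exclusive to Defender for Office 365. It reads like a carry-over from that other article. Reword it to say that this article covers the reports that don't require Defender for Office 365, or drop the sentence.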
The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 repor
|Deprecated report and cmdlets|New report and cmdlets|Message Center ID|Date| |||::|::|
-|**URL trace** <br/><br/> Get-URLTrace|[URL protection report](reports-defender-for-office-365.md#url-protection-report) <br/><br/> [Get-SafeLinksAggregateReport](/powershell/module/exchange/get-safelinksaggregatereport) <br> [Get-SafeLinksDetailReport](/powershell/module/exchange/get-safelinksdetailreport)|MC239999|June 2021|
-|**Sent and received email report** <br/><br/> Get-MailTrafficReport <br> Get-MailDetailReport|[Threat protection status report](#threat-protection-status-report) <br> [Mailflow status report](#mailflow-status-report) <br/><br/> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport) <br> [Get-MailFlowStatusReport](/powershell/module/exchange/get-mailflowstatusreport)|MC236025|June 2021|
-|**Forwarding report** <br/><br/> no cmdlets|[Auto-forwarded messages report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report) <br/><br/> no cmdlets|MC250533|June 2021|
-|**Safe Attachments file types report** <br/><br/> Get-AdvancedThreatProtectionTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <br/><br/> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250532|June 2021|
-|**Safe Attachments message disposition report** <br/><br/> Get-AdvancedThreatProtectionTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <br/><br/> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250531|June 2021|
-|**Malware detected in email report** <br/><br/> Get-MailTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <br/><br/> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250530|June 2021|
-|**Spam detection report** <br/><br/> Get-MailTrafficReport <br> Get-MailDetailSpamReport|[Threat protection status report: View data by Email \> Spam](#view-data-by-email--spam-and-chart-breakdown-by-detection-technology) <br/><br/> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250529|October 2021|
-|Get-AdvancedThreatProtectionDocumentReport <br/><br/> Get-AdvancedThreatProtectionDocumentDetail|[Get-ContentMalwareMdoAggregateReport](/powershell/module/exchange/get-contentmalwaremdoaggregatereport) <br/><br/> [Get-ContentMalwareMdoDetailReport](/powershell/module/exchange/get-contentmalwaremdodetailreport)|MC343433|May 2022|
-|**Exchange transport rule report** <br/><br/> [Get-MailTrafficPolicyReport](/powershell/module/exchange/get-mailtrafficpolicyreport) <br> [Get-MailDetailTransportRuleReport](/powershell/module/exchange/get-maildetailtransportrulereport)|[Exchange transport rule report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-exchange-transport-rule-report) <br/><br/> [Get-MailTrafficPolicyReport](/powershell/module/exchange/get-mailtrafficpolicyreport) <br> [Get-MailDetailTransportRuleReport](/powershell/module/exchange/get-maildetailtransportrulereport)|MC316157|April 2022|
-|Get-MailTrafficTopReport|[Top senders and recipient report](reports-email-security.md#top-senders-and-recipients-report) <br/><br/> [Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport) <br/><br/> **Note**: There is no replacement for the encryption reporting capabilities in Get-MailTrafficTopReport.|MC315742|April 2022|
+|**URL trace** <br><br> Get-URLTrace|[URL protection report](reports-defender-for-office-365.md#url-protection-report) <br><br> [Get-SafeLinksAggregateReport](/powershell/module/exchange/get-safelinksaggregatereport) <br> [Get-SafeLinksDetailReport](/powershell/module/exchange/get-safelinksdetailreport)|MC239999|June 2021|
+|**Sent and received email report** <br><br> Get-MailTrafficReport <br> Get-MailDetailReport|[Threat protection status report](#threat-protection-status-report) <br> [Mailflow status report](#mailflow-status-report) <br><br> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport) <br> [Get-MailFlowStatusReport](/powershell/module/exchange/get-mailflowstatusreport)|MC236025|June 2021|
+|**Forwarding report** <br><br> no cmdlets|[Auto-forwarded messages report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report) <br><br> no cmdlets|MC250533|June 2021|
+|**Safe Attachments file types report** <br><br> Get-AdvancedThreatProtectionTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <br><br> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250532|June 2021|
+|**Safe Attachments message disposition report** <br><br> Get-AdvancedThreatProtectionTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <br><br> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250531|June 2021|
+|**Malware detected in email report** <br><br> Get-MailTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <br><br> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250530|June 2021|
+|**Spam detection report** <br><br> Get-MailTrafficReport <br> Get-MailDetailSpamReport|[Threat protection status report: View data by Email \> Spam](#view-data-by-email--spam-and-chart-breakdown-by-detection-technology) <br><br> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250529|October 2021|
+|Get-AdvancedThreatProtectionDocumentReport <br><br> Get-AdvancedThreatProtectionDocumentDetail|[Get-ContentMalwareMdoAggregateReport](/powershell/module/exchange/get-contentmalwaremdoaggregatereport) <br><br> [Get-ContentMalwareMdoDetailReport](/powershell/module/exchange/get-contentmalwaremdodetailreport)|MC343433|May 2022|
+|**Exchange transport rule report** <br><br> [Get-MailTrafficPolicyReport](/powershell/module/exchange/get-mailtrafficpolicyreport) <br> [Get-MailDetailTransportRuleReport](/powershell/module/exchange/get-maildetailtransportrulereport)|[Exchange transport rule report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-exchange-transport-rule-report) <br><br> [Get-MailTrafficPolicyReport](/powershell/module/exchange/get-mailtrafficpolicyreport) <br> [Get-MailDetailTransportRuleReport](/powershell/module/exchange/get-maildetailtransportrulereport)|MC316157|April 2022|
+|Get-MailTrafficTopReport|[Top senders and recipient report](reports-email-security.md#top-senders-and-recipients-report) <br><br> [Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport) <br><br> **Note**: There's no replacement for the encryption reporting capabilities in Get-MailTrafficTopReport.|MC315742|April 2022|
## Compromised users report
-> [!NOTE]
-> This report is available in Microsoft 365 organizations with Exchange Online mailboxes. It's not available in standalone Exchange Online Protection (EOP) organizations.
- The **Compromised users** report shows the number of user accounts that were marked as **Suspicious** or **Restricted** within the last 7 days. Accounts in either of these states are problematic or even compromised. With frequent use, you can use the report to spot spikes, and even trends, in suspicious or restricted accounts. For more information about compromised users, see [Responding to a compromised email account](responding-to-a-compromised-email-account.md). :::image type="content" source="../../media/compromised-users-report-widget.png" alt-text="The Compromised users widget on the Email & collaboration reports page." lightbox="../../media/compromised-users-report-widget.png"::: The aggregate view shows data for the last 90 days and the detail view shows data for the last 30 days.
-To view the report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Compromised users** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/CompromisedUsers>.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Compromised users**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/reports/CompromisedUsers>.
On the **Compromised users** page, the chart shows the following information for the specified date range: - **Restricted**: The user account has been restricted from sending email due to highly suspicious patterns. - **Suspicious**: The user account has sent suspicious email and is at risk of being restricted from sending email. + The details table below the graph shows the following information: - **Creation time**
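Review bot: This hunk deletes the note stating that the Compromised users report is not available in standalone Exchange Online Protection (EOP) organizations, and nothing added here says that limitation has been lifted. If standalone EOP still lacks the report, keep the note or fold it into the opening sentence; if the report is now available there, state that in the change description so the removal is clearly intentional.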
The details table below the graph shows the following information:
- **Action** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)**: **Start date** and **End date**. - **Activity**: **Restricted** or **Suspicious** - **Tag**: **All** or the specified user tag (including priority accounts).
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Compromised users** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
-
+On the **Compromised users** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
## Exchange transport rule report
-The **Exchange transport rule** report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.
-
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Exchange transport rule** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>.
--
-On the **Exchange transport rule report** page, the available charts and data are described in the following sections.
> [!NOTE] > The **Exchange transport rule report** is now available in the EAC. For more information, see [Exchange transport rule report in the new EAC](/exchange/monitoring/mail-flow-reports/mfr-exchange-transport-rule-report).
-### Chart breakdown by Direction
--
-If you select **Chart breakdown by Direction**, the follow charts are available:
--- **View data by Exchange transport rules**: The number of **Inbound** and **Outbound** messages that were affected by mail flow rules.-- **View data by DLP Exchange transport rules**: The number of **Inbound** and **Outbound** messages that were affected by data loss prevention (DLP) mail flow rules.-
-The following information is shown in the details table below the graph:
--- **Date**-- **DLP policy** (**View data by DLP Exchange transport rules** only)-- **Transport rule**-- **Subject**-- **Sender address**-- **Recipient address**-- **Severity**-- **Direction**-
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
--- **Date (UTC)** **Start date** and **End date**.-- **Direction**: **Outbound** and **Inbound**.-- **Severity**: **High severity**, **Medium severity**, and **Low severity**-
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
-
-On the **Exchange transport rule report** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
-
-### Chart breakdown by Severity
--
-If you select **Chart breakdown by Severity**, the follow charts are available:
--- **View data by Exchange transport rules**: The number of **High severity**, **Medium severity**, and **Low severity** messages. You set the severity level as an action in the rule (**Audit this rule with severity level** or _SetAuditSeverity_). For more information, see [Mail flow rule actions in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions).--- **View data by DLP Exchange transport rules**: The number of **High severity**, **Medium severity**, and **Low severity** messages that were affected by DLP mail flow rules.-
-The following information is shown in the details table below the graph:
--- **Date**-- **DLP policy** (**View data by DLP Exchange transport rules** only)-- **Transport rule**-- **Subject**-- **Sender address**-- **Recipient address**-- **Severity**-- **Direction**-
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
--- **Date (UTC)** **Start date** and **End date**-- **Direction**: **Outbound** and **Inbound**-- **Severity**: **High severity**, **Medium severity**, and **Low severity**-
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
-
-On the **Exchange transport rule report** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
- ## Forwarding report > [!NOTE]
On the **Exchange transport rule report** page, the ![Create schedule icon.](../
## Mailflow status report
-The **Mailflow status report** is a smart report that shows information about incoming and outgoing email, spam detections, malware, email identified as "good", and information about email allowed or blocked on the edge. This is the only report that contains edge protection information, and shows just how much email is blocked before being allowed into the service for evaluation by Exchange Online Protection (EOP). It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.
+The **Mailflow status report** is a smart report that shows information about incoming and outgoing email, spam detections, malware, email identified as "good", and information about email allowed or blocked on the edge. This is the only report that contains edge protection information. The report shows how much email is blocked before entering the service for examination by Exchange Online Protection (EOP) or Defender for Microsoft 365.
-To view the report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Mailflow status summary** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/mailflowStatusReport>.
+> [!TIP]
+> If a message is sent to five recipients, we count it as five different messages, not one message.
+
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Mailflow status summary**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/reports/mailflowStatusReport>.
:::image type="content" source="../../media/mail-flow-status-report-widget.png" alt-text="The Mailflow status summary widget on the Email & collaboration reports page." lightbox="../../media/mail-flow-status-report-widget.png":::
+The available views in the **Mailflow status report** are described in the following subsections.
+ ### Type view for the Mailflow status report :::image type="content" source="../../media/mail-flow-status-report-type-view.png" alt-text="The Type view in the Mailflow status report." lightbox="../../media/mail-flow-status-report-type-view.png"::: On the **Mailflow status report** page, the **Type** tab is selected by default. The chart shows the following information for the specified date range: -- **Good mail**: Email that's determined not to be spam or are allowed by user or organizational policies.-- **Total** - **Malware**: Email that's blocked as malware by various filters.
+- **Total**
+- **Good mail**: Email that's determined not to be spam or that's allowed by user or organizational policies.
- **Phishing email**: Email that's blocked as phishing by various filters. - **Spam**: Email that's blocked as spam by various filters.-- **Edge protection**: Email that's rejected at the edge/perimeter before being evaluated by EOP or Defender for Office 365.-- **Rule messages**: Email messages that were acted upon by mail flow rules (also known as transport rules).
+- **Edge protection**: Email that's rejected at the edge/perimeter before examination by EOP or Defender for Office 365.
+- **Rule messages**: Email messages that were acted on by mail flow rules (also known as transport rules).
The details table below the graph shows the following information:
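Review bot: The rewritten intro paragraph for the Mailflow status report names the product "Defender for Microsoft 365", but the **Edge protection** bullet added in the same hunk, and the rest of the article, use "Defender for Office 365". Change the intro to "examination by Exchange Online Protection (EOP) or Defender for Office 365" so the two added lines agree.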
The details table below the graph shows the following information:
- **15 days** - **30 days**
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)**: **Start date** and **End date**. - **Mail direction**: **Inbound** and **Outbound**.
You can filter both the chart and the details table by clicking **Filter** and s
- **Rule messages** - **Phishing email**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Back on the **Mailflow status report** page, if you click **Choose a category for more details**, you can select from the following values:
+On the **Type** tab, select **Choose a category for more details** to see more information:
- **Phishing email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report). - **Malware in email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).-- **Spam detections**: This selection takes you to the [Spam Detections report](reports-email-security.md#spam-detections-report).-- **Edge blocked spam**: This selection takes you to the [Spam Detections report](reports-email-security.md#spam-detections-report).
+- **Spam detections**: This selection takes you to the [Spam detections report](reports-email-security.md#spam-detections-report).
-On the **Mailflow status report** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)** and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the ***Type** tab, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)** and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
### Direction view for the Mailflow status report :::image type="content" source="../../media/mail-flow-status-report-direction-view.png" alt-text="The Direction view in the Mailflow status report." lightbox="../../media/mail-flow-status-report-direction-view.png":::
-If you click the **Direction** tab, the chart shows the following information for the specified date range:
+On the **Direction** tab, the chart shows the following information for the specified date range:
- **Inbound** - **Outbound**
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)**: **Start date** and **End date**. - **Mail direction**: **Inbound** and **Outbound**.
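Review bot: The added sentence for the **Type** tab actions starts with `On the ***Type** tab`, which has three asterisks before "Type" and two after, so the bold markup is unbalanced and will render a stray asterisk. It should read `On the **Type** tab`, matching the `On the **Type** tab, select **Choose a category for more details**` line added just above it.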
You can filter both the chart and the details table by clicking **Filter** and s
- **Rule messages** - **Phishing email**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Back on the **Mailflow status report** page, if you click **Choose a category for more details**, you can select from the following values:
+On the **Direction** tab, select **Choose a category for more details** to see more information:
- **Phishing email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report). - **Malware in email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report). - **Spam detections**: This selection takes you to the [Spam Detections report](reports-email-security.md#spam-detections-report).-- **Edge blocked spam**: This selection takes you to the [Spam Detections report](reports-email-security.md#spam-detections-report).
-On the **Mailflow status report** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **Create schedule** and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export** buttons are available.
+On the **Direction** tab, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create schedule** and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** actions are available.
### Mailflow view for the Mailflow status report
-The **Mailflow** view shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a _Sankey_ diagram) to provide details on the total email count, and how the configured threat protection features, including edge protection, anti-malware, anti-phishing, anti-spam, and anti-spoofing affect this count.
+The **Mailflow** tab shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a *Sankey* diagram) to provide details on the total email count, and how threat protection features affect this count.
:::image type="content" source="../../media/mail-flow-status-report-mailflow-view.png" alt-text="The Mailflow view in the Mailflow status report." lightbox="../../media/mail-flow-status-report-mailflow-view.png"::: The aggregate view and details table view allow for 90 days of filtering.
-The information in the diagram is color-coded by **EOP** or **Defender for Office 365** technologies.
+The information in the diagram is color-coded by **EOP** and **Defender for Office 365** technologies.
The diagram is organized into the following horizontal bands: - **Total email** band: This value is always shown first. - **Edge block** and **Processed** band:
- - **Edge block**: Messages that are filtered at the edge and identified as Edge Protection.
- - **Processed**: Messages that are handled by the filtering stack.
+ - **Edge block**: Messages that were filtered at the edge and identified as Edge Protection.
+ - **Processed**: Messages that were handled by the filtering stack.
- Outcomes band:
- - **Rule Block**: Messages that are processed by Exchange mail flow rules (transport rules).
- - **Malware block**: Messages that are identified as malware by various filters.<sup>\*</sup>
- - **Phish block**: Messages identified as phish during processing by various filters.<sup>\*</sup>
- - **Spam block**: Messages identified as spam during processing by various filters.<sup>\*</sup>
- - **Impersonation block**: Messages detected as user impersonation or domain impersonation in Defender for Office 365.<sup>\*</sup>
- - **Detonation block**: Messages detected during file or URL detonation by Safe Attachments policies or Safe Links policies in Defender for Office 365.<sup>\*</sup>
- - **ZAP removed**: Messages that are removed by zero-hour auto purge (ZAP).<sup>\*</sup>
- - **Delivered**: Messages delivered to users due to an allow.<sup>\*</sup>
+ - **Rule Block**: Messages that were blocked by Exchange mail flow rules (transport rules).
+ - **Malware block**: Messages that were identified as malware.<sup>\*</sup>
+ - **Phishing block**: Messages that were identified as phishing.<sup>\*</sup>
+ - **Spam block**: Messages that were identified as spam.<sup>\*</sup>
+ - **Impersonation block**: Messages that were detected as user impersonation or domain impersonation in Defender for Office 365.<sup>\*</sup>
+ - **Detonation block**: Messages that were detected during file or URL detonation by Safe Attachments policies or Safe Links policies in Defender for Office 365.<sup>\*</sup>
+ - **ZAP removed**: Messages that were removed by zero-hour auto purge (ZAP).<sup>\*</sup>
+ - **Delivered**: Messages that were delivered to users due to an allow.<sup>\*</sup>
-If you hover over a horizontal band in the diagram, you'll see the number of related messages.
+If you hover over a horizontal band in the diagram, you see the number of related messages.
-<sup>\*</sup> If you click on this element, the diagram is expanded to show further details. For a description of each element in the expanded nodes, see [Detection technologies](/office/office-365-management-api/office-365-management-activity-api-schema#detection-technologies).
+<sup>\*</sup> If you select this element, the diagram expands to show further details. For a description of each element in the expanded nodes, see [Detection technologies](/office/office-365-management-api/office-365-management-activity-api-schema#detection-technologies).
:::image type="content" source="../../media/mail-flow-status-report-mailflow-view-details.png" alt-text="The Phishing block details in Mailflow view in the Mailflow status report." lightbox="../../media/mail-flow-status-report-mailflow-view-details.png"::: The details table below the diagram shows the following information: -- **Date**
+- **Date (UTC)**
- **Total email** - **Edge filtered** - **Rule messages**
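Review bot: The added **Direction** tab sentence leaves **Create schedule** and **Export** as plain bold text, while the equivalent sentence added for the **Type** tab links them to `#schedule-recurring-reports` and `#export-report-data`. Add the same links here (and to **Export** in the **Mailflow** tab sentence) so all three views behave the same. The unchanged **Direction** list also still says "Spam Detections report" although the **Type** list was corrected to "Spam detections report" in this change; fix the capitalization in both places.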
The details table below the diagram shows the following information:
- **Detonation detection** - **Anti-spam filtered** - **ZAP removed**-- **Messages where not threats were detected**
+- **Messages where no threats were detected**
-If you select a row in the details table, a further breakdown of the email counts is shown in the details flyout that appears.
+Select a row in the details table to see a further breakdown of the email counts in the details flyout that opens.
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date**.-- **Direction**: **Outbound** and **Inbound**.
+- **Direction**: **Inbound** and **Outbound**.
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Back on the **Mailflow status report** page, you can click **Show trends** to see trend graphs in the **Mailflow trends** flyout that appears.
+On the **Mailflow** tab, select :::image type="icon" source="../../media/m365-cc-sc-show-trends-icon.png" border="false"::: **Show trends** to see trend graphs in the **Mailflow trends** flyout that opens.
:::image type="content" source="../../media/mail-flow-status-report-mailflow-view-show-trends.png" alt-text="The Mailflow trends flyout in Mailflow view in the Mailflow status report." lightbox="../../media/mail-flow-status-report-mailflow-view-show-trends.png":::
-On the **Mailflow status report** page, the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export** button is available.
+On the **Mailflow** tab, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** action is available.
## Malware detections report
The **Post-delivery activities** report shows information about email messages t
The report shows real-time information, with updated threat information.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **ZAP report** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/ZapReport>.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Post-delivery activities**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/reports/ZapReport>.
:::image type="content" source="../../media/post-delivery-activities-widget.png" alt-text="The Post-delivery activities widget on the Email & collaboration reports page." lightbox="../../media/post-delivery-activities-widget.png":::
The details table below the graph shows the following information:
- **Updated delivery location** - **Detection technology**
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+ To see all columns, you likely need to do one or more of the following steps:
+
+ - Horizontally scroll in your web browser.
+ - Narrow the width of appropriate columns.
+ - Zoom out in your web browser.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)**: **Start date** and **End date**. - **Verdict**:
You can filter both the chart and the details table by clicking **Filter** and s
- **Phishing** - **Malware**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Post delivery activities** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)** and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Post delivery activities** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)** and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
:::image type="content" source="../../media/post-delivery-activities-report.png" alt-text="The Post-delivery activities report." lightbox="../../media/post-delivery-activities-report.png":::
The aggregate and detail views of the report allows for 90 days of filtering.
> [!NOTE] > The latest available data in the report is 3 to 4 days old.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Spoof detections** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReport>.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Spoof detections**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/reports/SpoofMailReport>.
:::image type="content" source="../../media/spoof-detections-widget.png" alt-text="The Spoof detections widget on the Email & collaboration reports page." lightbox="../../media/spoof-detections-widget.png":::
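Review bot: The added actions sentence still says "On the **Post delivery activities** page" without the hyphen, while the navigation sentence added earlier in this change says "find **Post-delivery activities**" and the image alt text uses "Post-delivery activities report". Use the hyphenated name in the actions sentence too, since the line is being rewritten anyway.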
The chart shows the following information:
- **None** - **Other**
-When you hover over a day (data point) in the chart, you can see how many spoofed messages were detected and why.
-
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
--- **Date (UTC)** **Start date** and **End date**-- **Result**:
- - **Pass**
- - **Fail**
- - **SoftPass**
- - **None**
- - **Other**
-- **Spoof type**: **Internal** and **External**-
+Hover over a day (data point) in the chart to see how many spoofed messages were detected and why.
The details table below the graph shows the following information:
The details table below the graph shows the following information:
- **DMARC** - **Message count**
+ To see all columns, you likely need to do one or more of the following steps:
+
+ - Horizontally scroll in your web browser.
+ - Narrow the width of appropriate columns.
+ - Zoom out in your web browser.
+ For more information about composite authentication result codes, see [Anti-spam message headers in Microsoft 365](message-headers-eop-mdo.md).
-On the **Spoof detections** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
+
+- **Date (UTC)** **Start date** and **End date**
+- **Result**:
+ - **Pass**
+ - **Fail**
+ - **SoftPass**
+ - **None**
+ - **Other**
+- **Spoof type**: **Internal** and **External**
+
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+
+On the **Spoof mail report** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
+ ## Submissions report
-The **Submissions** report shows information about items that admins have reported to Microsoft for analysis. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](submissions-admin.md).
+The **Submissions** report shows information about items that admins have reported to Microsoft for analysis for the last 30 days. For more information about admin submissions, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](submissions-admin.md).
-To view the report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Submissions** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/adminSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](submissions-admin.md), click **Go to Submissions**. Admins will be able to view the report for last 30 days.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Submissions**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/adminSubmissionReport>.
+
+To go directly to the **Submissions** page in the Defender portal, select **Go to submissions**.
:::image type="content" source="../../media/submissions-report-widget.png" alt-text="The Submissions widget on the Email & collaboration reports page." lightbox="../../media/submissions-report-widget.png":::
The chart shows the following information:
- **Pending** - **Completed**
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+The details table below the graph shows the same information and has the same :::image type="icon" source="../../medi#view-email-admin-submissions-to-microsoft).
-- **Date reported**: **Start time** and **End time**-- **Submission type**:
- - **Email**
- - **URL**
- - **File**
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
+
+- **Date submitted**: **Start date** and **End date**
- **Submission ID** - **Network Message ID** - **Sender**-- **Name**
+- **Recipient**
+- **Submission name**
- **Submitted by** - **Reason for submitting**: - **Not junk**
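Review bot: The added actions sentence for the spoof report says "On the **Spoof mail report** page", whereas the sentence it replaces and the navigation text in this article call it **Spoof detections**. Confirm which title the portal shows and use one name throughout. In the relocated filter list, `- **Date (UTC)** **Start date** and **End date**` is also missing the colon after **Date (UTC)** that the other filter lists in this change have (for example `- **Date submitted**: **Start date** and **End date**`).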
You can filter both the chart and the details table by clicking **Filter** and s
- **Rescan status**: - **Pending** - **Completed**
+- **Tags**
-The details table below the graph shows the same information and has the same **Group** or **Customize columns** options as on the **Submitted for analysis** tab at **Email & collaboration** \> **Submissions**. For more information, see [View email admin submissions to Microsoft](submissions-admin.md#view-email-admin-submissions-to-microsoft).
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Submissions** page, the **[Export](#export-report)** button is available.
+On the **Submissions** report page, the **[Export](#export-report-data)** action is available.
:::image type="content" source="../../media/submissions-report-page.png" alt-text="The Submissions report page in the Microsoft 365 Defender portal." lightbox="../../media/submissions-report-page.png":::
On the **Submissions** page, the **[Export](#export-report)** button is availabl
The **Threat protection status** report is available in both EOP and Defender for Office 365. However, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).
-The report provides the count of email messages with malicious content, such as files or website addresses (URLs) that were blocked by the anti-malware engine, [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md), and Defender for Office 365 features like [Safe Links](safe-links-about.md), [Safe Attachments](safe-attachments-about.md), and [impersonation protection features in anti-phishing policies](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). You can use this information to identify trends or determine whether organization policies need adjustment.
+The report provides the count of email messages with malicious content. For example:
-**Note**: It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.
+- Files or website addresses (URLs) that were blocked by the anti-malware engine.
+- Files or messages affected by [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md)
+- Files or messages that were blocked by Defender for Office 365 features: [Safe Links](safe-links-about.md), [Safe Attachments](safe-attachments-about.md), and [impersonation protection features in anti-phishing policies](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Threat protection status** and then click **View details**. To go directly to the report, open one of the following URLs:
+You can use the information in this report to identify trends or determine whether your organizational policies need adjustment.
-- Defender for Office 365: <https://security.microsoft.com/reports/TPSAggregateReportATP>-- EOP: <https://security.microsoft.com/reports/TPSAggregateReport>
+> [!TIP]
+> if a message is sent to five recipients, we count it as five different messages, not one message.
+
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Submissions**, and then select **View details**. Or, to go directly to the report, use one of the following URLS:
+
+- **Defender for Office 365**: <https://security.microsoft.com/reports/TPSAggregateReportATP>
+- **EOP**: <https://security.microsoft.com/reports/TPSAggregateReport>
:::image type="content" source="../../media/threat-protection-status-report-widget.png" alt-text="The Threat protection status widget on the Email & collaboration reports page." lightbox="../../media/threat-protection-status-report-widget.png":::
-By default, the chart shows data for the past 7 days. If you click **Filter** on the **Threat protection status report** page, you can select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days.
+By default, the chart shows data for the past seven days. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** on the **Threat protection status report** page to select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days.
-The available views are described in the following sections.
+The available views are described in the following subsections.
### View data by Overview
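Review bot: The added navigation sentence tells the reader to find **Submissions** on the Email & collaboration reports page, but this section documents the **Threat protection status** report and the sentence it replaces named that widget; change it to "find **Threat protection status**". In the same region, "URLS" should be "URLs", the tip should start with a capital "If", the ZAP bullet lacks the period its sibling bullets have, and "90 day date range" should be "90-day date range".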
In the **View data by Overview** view, the following detection information is sh
- **Email malware** - **Email phish** - **Email spam**-- **Content malware**
+- **Content malware** (Defender for Office 365 only)
No details table is available below the chart.
-If you click **Filter**, the following filters are available:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date**. - **Detection**: The same values as in the chart.
If you click **Filter**, the following filters are available:
- **Mail flow rule** (transport rule) - **Others**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
### View data by Email \> Phish and Chart breakdown by Detection Technology :::image type="content" source="../../media/threat-protection-status-report-phishing-detection-tech-view.png" alt-text="The Detection technology view for phishing email in the Threat protection status report." lightbox="../../media/threat-protection-status-report-phishing-detection-tech-view.png"::: > [!NOTE]
-> Starting in May 2021, phishing detections in email were updated to include **message attachments** that contain phishing URLs. This change might shift some of the detection volume out of the **View data by Email \> Malware** view and into the **View data by Email \> Phish** view. In other words, message attachments with phishing URLs that were traditionally identified as malware now might be identified as phishing instead.
+> In May 2021, phishing detections in email were updated to include **message attachments** that contain phishing URLs. This change might shift some of the detection volume out of the **View data by Email \> Malware** view and into the **View data by Email \> Phish** view. In other words, message attachments with phishing URLs that were traditionally identified as malware now might be identified as phishing instead.
In the **View data by Email \> Phish** and **Chart breakdown by Detection Technology** view, the following information is shown in the chart:
In the details table below the chart, the following information is available:
- **Sender IP** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-If you click **Filter**, the following filters are available:
+To see all columns, you likely need to do one or more of the following steps:
-- **Date (UTC)** **Start date** and **End date**
+ - Horizontally scroll in your web browser.
+ - Narrow the width of appropriate columns.
+ - Zoom out in your web browser.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
+
+- **Date (UTC)**: **Start date** and **End date**
- **Detection**: The same values as in the chart.-- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review Priority accounts in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md).
+- **Evaluation**: **Yes** or **No**.
+- **Protected by**: **MDO** (Defender for Office 365) and **EOP**
- **Direction**: - **All** - **Inbound**
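Review bot: The added filter bullets mix conjunctions for the same kind of two-value choice: **Priority account protection** says "**Yes** and **No**", **Evaluation** says "**Yes** or **No**", and **Protected by** is changed from "or" to "and". Pick one form for all three so readers can tell whether the values are alternatives or can be selected together. The three "To see all columns" sub-bullets are also indented by one space under a plain paragraph; drop the indent or make the parent a list item.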
If you click **Filter**, the following filters are available:
- **Policy name (details table view only)**: **All** or the specified policy. - **Recipients**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Threat protection status** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
### View data by Email \> Spam and Chart breakdown by Detection Technology
In the **View data by Email \> Spam** and **Chart breakdown by Detection Technol
- **Bulk**: The [bulk complaint level (BCL)](anti-spam-bulk-complaint-level-bcl-about.md) of the message exceeds the defined threshold for spam. - **Domain reputation**: The message was from a domain that was previously identified as sending spam in other Microsoft 365 organizations. - **Fingerprint matching**: The message closely resembles a previous detected malicious message.
+- **General filter**
- **IP reputation**: The message was from a source that was previously identified as sending spam in other Microsoft 365 organizations. - **Mixed analysis detection**: Multiple filters contributed to the verdict for the message. - **URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.
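Review bot: The added **General filter** bullet has no description, while every other detection technology in this list explains what triggers it (for example **Bulk** and **Domain reputation**). Add a one-sentence definition so an analyst reading the chart can tell this verdict apart from **Mixed analysis detection**.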
In the details table below the chart, the following information is available:
- **Sender IP** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-If you click **Filter**, the following filters are available:
+To see all columns, you likely need to do one or more of the following steps:
+
+ - Horizontally scroll in your web browser.
+ - Narrow the width of appropriate columns.
+ - Zoom out in your web browser.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date** - **Detection**: The same values as in the chart.-- **Bulk Complaint Level**
+- **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review Priority accounts in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md).
- **Direction**: - **All** - **Inbound**
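Review bot: The **Bulk Complaint Level** filter is removed from the Spam view without explanation, although **Bulk** is still listed as a detection value defined by the BCL threshold. If the filter is gone from the portal, say so in the change description; if not, restore the bullet. This view also gains only **Priority account protection**, not the **Evaluation** and **Protected by** filters that the Phish and Malware views list, so confirm that difference is intended.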
If you click **Filter**, the following filters are available:
- **Policy name (details table view only)**: **All** or the specified policy. - **Recipients**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Threat protection status** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
### View data by Email \> Malware and Chart breakdown by Detection Technology :::image type="content" source="../../media/threat-protection-status-report-malware-detection-tech-view.png" alt-text="The Detection technology view for malware in the Threat protection status report." lightbox="../../media/threat-protection-status-report-malware-detection-tech-view.png"::: > [!NOTE]
-> Starting in May 2021, malware detections in email were updated to include **harmful URLs** in messages attachments. This change might shift some of the detection volume out of the **View data by Email \> Phish** view and into the **View data by Email \> Malware** view. In other words, harmful URLs in message attachments that were traditionally identified as phishing now might be identified as malware instead.
+> In May 2021, malware detections in email were updated to include **harmful URLs** in messages attachments. This change might shift some of the detection volume out of the **View data by Email \> Phish** view and into the **View data by Email \> Malware** view. In other words, harmful URLs in message attachments that were traditionally identified as phishing now might be identified as malware instead.
In the **View data by Email \> Malware** and **Chart breakdown by Detection Technology** view, the following information is shown in the chart:
In the **View data by Email \> Malware** and **Chart breakdown by Detection Tech
- **File detonation reputation**<sup>\*</sup>: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations. - **File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations. - **Anti-malware engine**<sup>\*</sup>: Detection from anti-malware engines.-- **Anti-malware policy file type block**: The message was blocked due to the file type of the attachment ([common attachment filtering in anti-malware policies](anti-malware-protection-about.md)).
+- **URL malicious reputation**
- **URL detonation**<sup>\*</sup>: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis. - **URL detonation reputation**<sup>\*</sup>>: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations. - **Campaign**<sup>\*</sup>: Messages identified as part of a [campaign](campaigns.md).
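Review bot: The added **URL malicious reputation** bullet carries no description and no <sup>\*</sup> marker, so the reader cannot tell what it means in the Malware view or whether it is Defender for Office 365 only. The Spam view already defines the same value ("The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations"); reuse that wording here. While this list is being edited, the **URL detonation reputation** entry has a stray ">" after its closing `</sup>` that should be removed.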
In the details table below the chart, the following information is available:
- **Sender IP** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-If you click **Filter**, the following filters are available:
+ To see all columns, you likely need to do one or more of the following steps:
+
+ - Horizontally scroll in your web browser.
+ - Narrow the width of appropriate columns.
+ - Zoom out in your web browser.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date** - **Detection**: The same values as in the chart.-- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review Priority accounts in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md).
+- **Evaluation**: **Yes** or **No**.
+- **Protected by**: **MDO** (Defender for Office 365) and **EOP**
- **Direction**: - **All** - **Inbound**
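Review bot: The added line "To see all columns, you likely need to do one or more of the following steps:" starts with a leading space in this view, unlike the same sentence in the Phish and Spam views. The same leading space appears in the Policy type and Delivery status regions of this change. Remove it so the paragraph is formatted identically in every section.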
If you click **Filter**, the following filters are available:
- **Policy name (details table view only)**: **All** or the specified policy. - **Recipients**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the**Threat protection status** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
### Chart breakdown by Policy type
In the details table below the chart, the following information is available:
- **Sender IP** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-If you click **Filter**, the following filters are available:
+ To see all columns, you likely need to do one or more of the following steps:
+
+ - Horizontally scroll in your web browser.
+ - Narrow the width of appropriate columns.
+ - Zoom out in your web browser.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date** - **Detection**: Detection technology values as previously described in this article and at [Detection technologies](/office/office-365-management-api/office-365-management-activity-api-schema#detection-technologies).-- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review Priority accounts in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md).
+- **Evaluation**: **Yes** or **No**.
+- **Protected by**: **MDO** (Defender for Office 365) and **EOP**
- **Direction**: - **All** - **Inbound**
If you click **Filter**, the following filters are available:
<sup>\*</sup> Defender for Office 365 only
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Threat protection status** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
### Chart breakdown by Delivery status
In the details table below the chart, the following information is available:
- **Sender IP** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-If you click **Filter**, the following filters are available:
+ To see all columns, you likely need to do one or more of the following steps:
+
+ - Horizontally scroll in your web browser.
+ - Narrow the width of appropriate columns.
+ - Zoom out in your web browser.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date** - **Detection**: Detection technology values as previously described in this article and at [Detection technologies](/office/office-365-management-api/office-365-management-activity-api-schema#detection-technologies).-- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Protected by**: **MDO** (Defender for Office 365) and **EOP**
- **Direction**: - **All** - **Inbound**
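Review bot: Only **Protected by** changes in the Delivery status filter list, so it ends up without the **Priority account protection** and **Evaluation** bullets that the Policy type, Phish and Malware breakdowns gain in this same change. Confirm that the flyout for this view really lacks those filters; if it has them, add the two bullets here as well.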
If you click **Filter**, the following filters are available:
<sup>\*</sup> Defender for Office 365 only
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Threat protection status** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
### View data by Content \> Malware
In the **View data by Content \> Malware** view, the following information is sh
In the details table below the chart, the following information is available: -- **Date (UTC)**
+- **Date**
- **Attachment filename** - **Workload** - **Detection technology**: The same detection technology values from the chart. - **File size** - **Last modifying user**
-If you click **Filter**, the following filters are available:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date**. - **Detection**: The same values as in the chart. - **Workload**: **Teams**, **SharePoint**, and **OneDrive**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Threat protection status** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)**, ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **[Request report](#request-report)**, and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** action is available.
### View data by System override and Chart breakdown by Reason
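Review bot: Renaming the details-table column from **Date (UTC)** to **Date** drops the time zone, while the filter in this same view is still labeled **Date (UTC)**. If the column values are still UTC, state that in the bullet so analysts correlating detections with other logs do not assume local time. The action sentence also goes from three actions to **Export** only; confirm that **Create schedule** and **Request report** are really unavailable for the Content \> Malware view.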
On the **Threat protection status** page, the ![Create schedule icon.](../../med
In the **View data by System override** and **Chart breakdown by Reason** view, the following override reason information is shown in the chart: -- **On-premises skip**-- **IP allow** - **Exchange transport rule** (mail flow rule)-- **Organization allowed senders**
+- **IP Allow**
+- **On-premises skip**
- **Organization allowed domains**-- **ZAP not enabled**-- **User Safe Sender**-- **User Safe Domain**
+- **Organization allowed senders**
- **Phishing simulation**: For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](skip-filtering-phishing-simulations-sec-ops-mailboxes.md).
+- **TABL - Both URL and file allowed**
+- **TABL - File allowed**
+- **TABL - File blocked**
+- **TABL - Sender allowed**
+- **TABL - Sender blocked**
+- **TABL - URL allowed**
+- **TABL - URL blocked**
- **Third party filter**
+- **User Safe Domain**
+- **User Safe Sender**
+- **ZAP not enabled**
In the details table below the chart, the following information is available:
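Review bot: The seven added **TABL - ...** reasons use an abbreviation that is not expanded or linked anywhere in this list, while neighbouring entries such as **Phishing simulation** link to their configuration article. Spell out the abbreviation on first use and link to the relevant article so readers can trace an override back to the entry that caused it. **IP allow** also becomes **IP Allow**; check that the capitalization matches the portal label.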
In the details table below the chart, the following information is available:
- **Sender IP** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-If you click **Filter**, the following filters are available:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date** - **Reason**: The same values as the chart.
If you click **Filter**, the following filters are available:
- **Policy name (details table view only)**: **All** - **Recipients**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Threat protection status** page, the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** button is available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** action is available.
### View data by System override and Chart breakdown by Delivery location
In the details table below the chart, the following information is available:
- **Sender IP** - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-If you click **Filter**, the following filters are available:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
- **Date (UTC)** **Start date** and **End date**-- **Reason**
- - **On-premises skip**
- - **IP allow**
- - **Exchange transport rule** (mail flow rule)
- - **Organization allowed senders**
- - **Organization allowed domains**
- - **ZAP not enabled**
- - **User Safe Sender**
- - **User Safe Domain**
- - **Phishing simulation**: For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](skip-filtering-phishing-simulations-sec-ops-mailboxes.md).
- - **Third party filter**
+- **Reason**: The same values as in [Chart breakdown by Policy type](#chart-breakdown-by-policy-type)
- **Delivery Location**: **Junk Mail folder not enabled** or **SecOps mailbox**. - **Direction**: - **All**
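Review bot: The new **Reason** bullet links to [Chart breakdown by Policy type](#chart-breakdown-by-policy-type), but the reason values it replaces (**On-premises skip**, **IP allow**, **Exchange transport rule**, and the rest) are the ones listed under "View data by System override and Chart breakdown by Reason", not under the Policy type breakdown. Retarget the link to that section so the reader lands on the actual list of reasons.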
If you click **Filter**, the following filters are available:
- **Policy type**: - **All** - **Anti-malware**
- - **Safe Attachments**<sup>\*</sup>
+ - **Safe Attachments** (Defender for Office 365 only)
- **Anti-phish** - **Anti-spam** - **Mail flow rule** (transport rule)
If you click **Filter**, the following filters are available:
- **Policy name (details table view only)**: **All** - **Recipients**
-<sup>\*</sup> Defender for Office 365 only
-
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Threat protection status** page, the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** button is available.
+On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** action is available.
## Top malware report The **Top malware** report shows the various kinds of malware that was detected by [anti-malware protection in EOP](anti-malware-protection-about.md).
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Top malware** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/TopMalware>.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Top malware**.
+
+Hover over a wedge in the pie chart to see the malware name and how many messages contained the malware.
:::image type="content" source="../../media/top-malware-report-widget.png" alt-text="The Top malware widget on the Email & collaboration reports page." lightbox="../../media/top-malware-report-widget.png":::
-When you hover over a wedge in the pie chart, you can see the name of a kind of malware and how many messages were detected as having that malware.
+Select **View details** to go to the **Top malware report** page. Or, to go directly to the report, use <https://security.microsoft.com/reports/TopMalware>.
On the **Top malware report** page, a larger version of the pie chart is displayed. The details table below the chart shows the following information: -- **Top malware**-- **Count**
+- **Top malware**: The malware name
+- **Count**: How many messages contained the malware.
-If you click **Filter**, you can specify a date range with **Start date** and **End date**.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting the **Start date** and **End date** values in the flyout that opens.
-On the **Top malware** page, the ![Create schedule icon.](../../media/m365-cc-sc-create-icon.png) **[Create schedule](#schedule-report)** and ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** buttons are available.
+On the **Top malware** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)** and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
:::image type="content" source="../../media/top-malware-report-view.png" alt-text="The Top malware report view." lightbox="../../media/top-malware-report-view.png":::
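Review bot: The added bullet "**Top malware**: The malware name" has no closing period while the **Count** bullet next to it does, and the last added sentence says "On the **Top malware** page" although the two sentences before it call the same page the **Top malware report** page. Use one page name throughout and punctuate both bullets the same way.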
On the **Top malware** page, the ![Create schedule icon.](../../media/m365-cc-sc
The **Top senders and recipients** report is available in both EOP and Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about top malware, spam, and phishing (spoofing) recipients, but not information about malware detected by [Safe Attachments](safe-attachments-about.md) or phishing detected by [impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
-The **Top senders and recipients** report shows the top 20 message senders in your organization, as well as the top 20 recipients for messages that were detected by EOP and Defender for Office 365 protection features. By default, the report shows data for the last week, but data is available for the last 90 days.
+The **Top senders and recipients** report shows the top 20 message senders in the organization, as well as the top 20 recipients for messages that were detected by EOP and Defender for Office 365 protection features. By default, the report shows data for the last week, but data is available for the last 90 days.
-To view the report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Top senders and recipients report** and then click **View details**. To go directly to the report, open one of the following URLs:
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Top senders and recipients**.
-- Defender for Office 365: <https://security.microsoft.com/reports/TopSenderRecipientsATP>-- EOP: <https://security.microsoft.com/reports/TopSenderRecipient>
+Hover over a wedge in the pie chart to see the number of messages for the sender or recipient.
:::image type="content" source="../../media/top-senders-and-recipients-widget.png" alt-text="The Top senders and recipients widget in the Reports dashboard." lightbox="../../media/top-senders-and-recipients-widget.png":::
-When you hover over a wedge in the pie chart, you can see the number of messages for the sender or recipient.
+Select **View details** to go to the **Top senders and recipients** page. Or, to go directly to the report, use one of the following URLs:
+
+- **Defender for Office 365**: <https://security.microsoft.com/reports/TopSenderRecipientsATP>
+- **EOP**: <https://security.microsoft.com/reports/TopSenderRecipient>
On the **Top senders and recipients** page, a larger version of the pie chart is displayed. The following charts are available: -- **Show data for Top mail senders** (this is the default view)
+- **Show data for Top mail senders** (default view)
- **Show data for Top mail recipients** - **Show data for Top spam recipients** - **Show data for Top malware recipients** (EOP)
On the **Top senders and recipients** page, a larger version of the pie chart is
- **Show data for Top malware recipients (MDO)** - **Show data for Top phish recipients (MDO)**
-The data changes based on your selection.
+Hover over a wedge in the pie chart to see the message count for that specific sender or recipient.
+
+For each chart, the details table below the chart shows the following information:
-When you hover over a wedge in the pie chart, you can see the message count for that specific sender or recipient.
+- **Email address**
+- **Item count**
+- **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
-The details table below the graph shows the senders or recipients and message counts based on the view you selected.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
-You can filter both the chart and the details table by clicking **Filter** and selecting **Start date** and **End date**. Users can also filter by user tags.
+- **Date (UTC)** **Start date** and **End date**
+- **Tag**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **Top senders and recipients** page, the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export** button is available.
+On the **Top senders and recipients** page, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** action is available.
:::image type="content" source="../../media/top-senders-and-recipients-report-view.png" alt-text="The Show data for Top mail senders view in the Top senders and recipients report." lightbox="../../media/top-senders-and-recipients-report-view.png":::
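Review bot: The added filter item `- **Date (UTC)** **Start date** and **End date**` has no colon after **Date (UTC)**, so the label runs straight into its values. The **Export conditions** list in the same article writes it as `**Date (UTC)**:`. Suggest `- **Date (UTC)**: **Start date** and **End date**`.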
The **URL protection report** is available only in Microsoft Defender for Office
## User reported messages report > [!IMPORTANT]
-> In order for the **User reported messages** report to work correctly, **audit logging must be turned on** for your Microsoft 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn Microsoft 365 audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+> In order for the **User reported messages** report to work correctly, **audit logging must be turned on** in your Microsoft 365 organization (it's on by default). For more information, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
The **User reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web) or the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook).
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **User reported messages** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/userSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](submissions-admin.md), click **Go to Submissions**.
+On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **User reported messages**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/reports/userSubmissionReport>.
+
+To go directly to the **Submissions** page in the Defender portal, select **Go to submissions**.
:::image type="content" source="../../media/user-reported-messages-widget.png" alt-text="The user-reported messages widget on the Email & collaboration reports page." lightbox="../../media/user-reported-messages-widget.png":::
-You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+The chart shows the following information:
+
+- **Spam**
+- **Phish**
+- **Not junk**
+
+The details table below the graph shows the same information and has the same :::image type="icon" source="../../medi#view-user-reported-messages-to-microsoft).
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
- **Date reported**: **Start time** and **End time** - **Reported by**-- **Email subject**
+- **Name**
- **Message reported ID** - **Network Message ID**
+- **Teams message ID** (currently in Preview)
- **Sender** - **Reported reason**
- - **Not junk**
- - **Phish**
+ - **No threats**
+ - **Threats**
- **Spam**-- **Phish simulation**: **Yes** or **No**
+- **Reported from**: **Microsoft and **Third party**
+- **Phish simulation**: **Yes** and **No**.
+- **Converted to admin submission**: **Yes** and **No**.
+- **Message type**:
+ - **Email**
+ - **Teams message** (currently in Preview)
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-To group the entries, click **Group** and select one of the following values from the drop-down list:
+To group the entries, select **Group** and select one of the following values from the drop-down list:
- **None** - **Reason**
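Review bot: In the added filter list, `- **Reported from**: **Microsoft and **Third party**` is missing the closing `**` after Microsoft, so the bold markers are unbalanced; it should read `**Microsoft** and **Third party**`. The added sentence that begins "The details table below the graph shows the same information" also breaks off inside an `:::image` directive (`source="../../medi#view-user-reported-messages-to-microsoft)`), which leaves the directive unterminated and the sentence incomplete, so the full line needs to be restored. The new **Phish simulation** and **Converted to admin submission** items end in a period while the other items in the list do not.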
To group the entries, click **Group** and select one of the following values fro
:::image type="content" source="../../media/user-reported-messages-report.png" alt-text="The user-reported messages report." lightbox="../../media/user-reported-messages-report.png":::
-The details table below the graph shows the following information:
+On the **User reported messages** page, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** action is available.
-- **Email subject**-- **Reported by**-- **Date reported**-- **Sender**-- **Reported reason**-- **Rescan result**-- **Tags**: For more information about user tags, see [User tags](user-tags-about.md).+
+## What permissions are needed to view these reports?
-To submit a message to Microsoft for analysis, select the message entry from the table, click **Submit to Microsoft for analysis** and then select one of the following values from the drop-down list:
+You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:
-- **Report clean**-- **Report phishing**-- **Report malware**-- **Report spam**'-- **Trigger investigation** (Defender for Office 365)
+- [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): Currently, this option requires membership in the Microsoft 365 Defender Preview program.
+- [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups:
+ - **Organization Management**<sup>\*</sup>
+ - **Security Administrator**
+ - **Security Reader**
+ - **Global Reader**
+- [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Security Reader**, or **Global Reader** roles in Azure Active Directory gives users the required permissions _and_ permissions for other features in Microsoft 365.
+the
+<sup>\*</sup> Membership in the **Organization Management** role group or in the **Global Administrator** role is required to use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)** or :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)** actions in reports (where available).
-On the **User reported messages** page, the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **[Export](#export-report)** button is available.
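Review bot: A line containing only `the` was added between the Azure AD RBAC bullet and the `<sup>\*</sup>` footnote in the permissions section. It reads as a leftover from editing and would render as an orphan paragraph directly above the footnote that explains which roles can schedule or request reports; remove it.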
+## What if the reports aren't showing data?
-## What permissions are needed to view these reports?
+If you don't see data in the reports, check the report filters and double-check that your protection policies are configured to detect and take action on messages. For more information, see the following articles:
-- You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:
- - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): Currently, this option requires membership in the Microsoft 365 Defender Preview program.
- - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups:
- - **Organization Management**
- - **Security Administrator**
- - **Security Reader**
- - **Global Reader**
- - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365.
+- [Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365](configuration-analyzer-for-security-policies.md)
+- [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md)
+- [How do I turn off spam filtering?](/microsoft-365/security/office-365-security/anti-spam-protection-faq#how-do-i-turn-off-spam-filtering-)
-## What if the reports aren't showing data?
+## Download and export report information
+
+Depending on the report and possibly the specific view in the report, one or more of the following actions might be available on the main report page as previously described:
+
+- :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)**
+- :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**
+- :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**
+
+### Export report data
+
+> [!TIP]
+>
+> - The exported data is affected by any filters that are configured in the report at the time of export.
+> - If the exported data exceeds 150000 entries, the data is split into multiple files.
+
+1. On the report page, select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export**.
+
+2. In the **Export conditions** flyout that opens, review and configure the following settings:
+
+ - **Select a view to export**: Select one of the following values:
+ - **Summary**: Data from the last 90 days is available. This is the default value.
+ - **Details**: Data from the last 30 days is available. A date range of one day is supported.
+ - **Date (UTC)**:
+ - **Start date**: The default value is three months ago.
+ - **End date**: The default value is today.
-If you are not seeing data in your reports, check the filters that you're using and double-check that your policies are set up correctly. To learn more, see [Protect against threats](protect-against-threats.md).
+ When you're finished in the **Export conditions** flyout, select **Export**.
-## Schedule report
+ The **Export** button changes to **Exporting...** and a progress bar is shown.
+
+3. In the **Save as** dialog that opens, you see the default name of the .csv file and the download location (the local Downloads folder by default), but you can change those values and then select **Save** to download the exported data.
+
+ If you see a dialog that security.microsoft.com wants to download multiple files, select **Allow**.
+
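Review bot: In step 2 of the export procedure, **Details** is described as supporting a date range of one day, yet the **Start date** default directly below it is "three months ago" and **End date** defaults to today. State whether the defaults change when **Details** is selected or whether the reader has to narrow the range manually, because the defaults as written do not fit the stated limit. The tip also writes `150000` where the removed text used `150,000`; keeping the separator is easier to read.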
+### Schedule recurring reports
> [!NOTE]
-> To create or manage report schedules, you need to be a member of the **Organization management** role.
+> To create scheduled reports, you need to be a member of the **Organization management** role in Exchange Online or the **Global Administrator** role in Azure AD.
-1. On the main page for the specific report, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create schedule**.
-2. The **Create scheduled report** wizard opens. On the **Name scheduled report** page, review or customize the **Name** value, and then click **Next**.
-3. On the **Set preferences** page, configure the following settings:
+1. On the report page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create schedule** to start the new scheduled report wizard.
+
+2. On the **Name scheduled report** page, review or customize the **Name** value, and then select **Next**.
+
+3. On the **Set preferences** page, review or configure the following settings:
- **Frequency**: Select one of the following values: - **Weekly** (default)
+ - **Daily**
- **Monthly**
- - **Start date**: When generation of the report begins. The default value is today.
- - **Expiry date**: When generation of the report ends. The default value is one year from today.
+ - **Start date**: Enter the date when generation of the report begins. The default value is today.
+ - **Expiry date**: Enter the date when generation of the report ends. The default value is one year from today.
- When you're finished, click **Next**.
+ When you're finished on the **Set preferences** page, select **Next**.
-4. On the **Recipients** page, choose recipients for the report. The default value is your email address, but you can add others.
+4. On the **Select filters** page, configure the following settings:
+ - **Direction**: Select one of the following values:
+ - **All** (default)
+ - **Outbound**
+ - **Inbound**
+ - **Sender address**
+ - **Recipient address**
- When you're finished, click **Next**.
+ When you're finished on the **Select filters** page, select **Next**.
-5. On the **Review** page, review your selections. You can click the **Back** button or the **Edit** link in the respective sections to make changes.
+5. On the **Recipients** page, choose recipients for the report in the **Send email to** box. The default value is your email address, but you can add others by doing either of the following steps:
+ - Click in the box, wait for the list of users to resolve, and then select the user from the list below the box.
+ - Click in the box, start typing a value, and then select the user from the list below the box.
- When you're finished, click **Submit**.
+ To remove an entry from the list, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the entry.
-### Managed existing scheduled reports
+ When you're finished on the **Recipients** page, select **Next**.
-To manage scheduled reports that you've already created, do the following steps:
+6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> expand **Email & collaboration** \> select **Manage schedules**.
+ When you're finished on the **Review page**, select **Submit**.
- To go directly to the **Manage schedules** page, use <https://security.microsoft.com/ManageSubscription>.
+7. On the **New scheduled report created** page, you can select the links to view the scheduled report or create another report.
-2. On the **Manage schedules** page, the following information is shown for each scheduled report:
- - **Schedule start date**
- - **Schedule name**
- - **Report type**
- - **Frequency**
- - **Last sent**
+ When you're finished on the **New scheduled report created** page, select **Done**.
+
+The reports are emailed to the specified recipients based on the schedule you configured
+
+The scheduled report entry is available on the **Managed schedules** page as described in the next subsection.
+
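Review bot: The note at the top of the scheduling steps calls **Organization management** a "role in Exchange Online", while the permissions section added in this same change lists **Organization Management** as a role group under Email & collaboration RBAC. Use one name, capitalization and location so that readers assign the right permission. At the end of the procedure, the sentence ending "based on the schedule you configured" is missing its period, `**Managed schedules**` should match the **Manage schedules** page name used in the next subsection, and `**Review page**` bolds the word "page" unlike the other steps.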
+#### Manage existing scheduled reports
- Find the existing scheduled report that you want to modify.
+After you create a scheduled report as described in the previous section, the scheduled report entry is available on the **Manage schedules** page in the Defender portal.
-3. After you select the scheduled report do any of the following actions in the details flyout that opens:
- - **Edit name**: Click this button, change the name of the report in the flyout that appears, and then click **Save**.
- - **Delete schedule**: Click this button, read the warning that appears (previous reports will no longer be available for download), and then click **Save**.
- - **Schedule details** section: Click **Edit preferences** to change the following settings:
- - **Frequency**: **Weekly** or **Monthly**
- - **Start date**
- - **Expiry date**
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> select **Manage schedules**. Or, to go directly to the **Manage schedules** page, use <https://security.microsoft.com/ManageSubscription>.
- When you're finished, click **Save**.
+On the **Manage schedules** page, the following information is shown for each scheduled report entry:
- - **Recipients** section: Click **Edit recipients** to add or remove recipients for the scheduled report. When you're finished, click **Save**
+- **Schedule start date**
+- **Schedule name**
+- **Report type**
+- **Frequency**
+- **Last sent**
- When you're finished, click **Close**.
+To change the list from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
-## Request report
+Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find an existing scheduled report entry.
+
+To modify the scheduled report settings, do the following steps:
+
+1. Select the scheduled report entry by clicking anywhere in the row other than the check box.
+
+2. In the details flyout that opens, do any of the following steps:
+ - Select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit name** to change the name of the scheduled report.
+ - Select the **Edit** link in the section to modify the corresponding settings.
+
+ The settings and configuration steps are the same as described in [Schedule report](#schedule-recurring-reports).
+
+To delete a scheduled report entry, use either of the following methods:
+
+- Select the check box next to one, more or all of the scheduled reports, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears on the main page.
+- Select the scheduled report by clicking anywhere in the row other than the check box, and then select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** in the details flyout that opens.
+
+Read the warning dialog that opens, and then select **OK**.
+
+Back on the **Manage schedules** page, the deleted scheduled report entry is no longer listed, and previous reports for the scheduled report are deleted and are no longer available for download.
+
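Review bot: The **Search** box line takes its icon from `m365-cc-sc-create-icon.png`, the same file this change uses for **Create schedule**; check that the source points at the intended search icon. The link text in `[Schedule report](#schedule-recurring-reports)` still carries the old heading name and should read "Schedule recurring reports" to match the renamed section.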
+### Request on-demand reports for download
+
+[Request on-demand reports](#request-on-demand-reports-for-download)
+
+> [!NOTE]
+> To create on-demand reports, you need to be a member of the **Organization management** role in Exchange Online or the **Global Administrator** role in Azure AD.
+
+1. On the report page, select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Request report** to start the new on-demand report wizard.
+
+2. On the **Name on-demand report** page, review or customize the **Name** value, and then select **Next**.
-1. On the main page for the specific report, click ![Request report icon.](../../media/m365-cc-sc-download-icon.png) **Request report**.
-2. The **Create on-demand report** wizard opens. On the **Name on-demand report** page, review or customize the **Name** value, and then click **Next**.
3. On the **Set preferences** page, review or configure the following settings:
- - **Start date**: When generation of the report begins. The default value is one month ago.
- - **Expiry date**: When generation of the report ends. The default value is today.
+ - **Start date**: Enter the start date for the report data. The default value is one month ago.
+ - **Expiry date**: Enter the end date for the report data. The default value is today.
- When you're finished, click **Next**.
+ When you're finished on the **Name on-demand report** page, select **Next**.
-4. On the **Recipients** page, choose recipients for the report. The default value is your email address, but you can add others.
+4. On the **Recipients** page, choose recipients for the report in the **Send email to** box. The default value is your email address, but you can add others by doing either of the following steps:
+ - Click in the box, wait for the list of users to resolve, and then select the user from the list below the box.
+ - Click in the box, start typing a value, and then select the user from the list below the box.
- When you're finished, click **Next**.
+ To remove an entry from the list, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the entry.
-5. On the **Review** page, review your selections. You can click the **Back** button or the **Edit** link in the respective sections to make changes.
+ When you're finished on the **Recipients** page, select **Next**.
- When you're finished, click **Submit**.
+5. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
-6. After the report has been successfully created, you're taken to the **New on-demand report created** page, where you can click **Create another report** or **Done**.
+ When you're finished on the **Review page**, select **Submit**.
- The report is also available on the **Reports for download** page as described in the next section.
+6. On the **New on-demand report created** page, you can select the link to create another report.
-### Download reports
+ When you're finished on the **New on-demand report created** page, select **Done**.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> expand **Email & collaboration** \> select **Reports for download**.
+The report creation task (and eventually the finished report) is available on the **Reports for download** page as described in the next subsection.
+
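Review bot: Step 3 covers the **Set preferences** page, but its closing line reads `When you're finished on the **Name on-demand report** page, select **Next**.`, which repeats the page name from step 2; change it to **Set preferences**. The line `[Request on-demand reports](#request-on-demand-reports-for-download)` directly under the heading links to that same heading and can be dropped. In step 5, `**Review page**` should bold only **Review**, as the other steps do.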
+#### Download reports
+
+> [!NOTE]
+> To download on-demand reports, you need to be a member of the **Organization management** role in Exchange Online or the **Global Administrator** role in Azure AD.
- To go directly to the **Reports for download** page, use <https://security.microsoft.com/ReportsForDownload>.
+After you request an on-demand report as described in the previous section, you check the status of the report and eventually download the report on the **Reports for download** page in the Defender portal.
-2. On the **Reports for download** page, the following information is shown for each available report:
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> select **Reports for download**. Or, to go directly to the **Reports for download** page, use <https://security.microsoft.com/ReportsForDownload>.
+
+On the **Reports for download** page, the following information is shown for each available report:
- **Start date** - **Name** - **Report type** - **Last sent**
- - **Direction**
-
- Find and select the report you want to download.
-
-## Export report
+ - **Status**:
+ - **Pending**: The report is still being created, and it isn't available to download yet.
+ - **Complete - Ready for download**: Report generation is complete, and the report is available to download.
+ - **Complete - No results found**: Report generation is complete, but the report contains no data, so you can't download it.
-On the main page for the specific report, click ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export** (if that link is available). An **Export conditions** flyout appears where you can configure the following settings:
--- **Select a view to export**: Select one of the following values:
- - **Summary**: Data is available for the last 90 days.
- - **Details**: Data is available for the last 30 days.
-- **Date (UTC)**: **Start date** and **End date**.
+To download the report, select the check box next in the start date of the report, and then select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download report** action that appears.
-When you're finished configuring the filters, click **Export**. In the dialog that opens, you can choose to open the file, save the file, or remember the selection.
+Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find an existing report.
-Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, multiple .csv files are created.
+In the **Save as** dialog that opens, you see the default name of the .csv file and the download location (the local Downloads folder by default), but you can change those values and then select **Save** to download the report.
-## Related topics
+## Related articles
[Anti-spam protection in EOP](anti-spam-protection-about.md)
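Review bot: In the download instructions, "select the check box next in the start date of the report" should read "next to the start date of the report". The added note requires **Organization management** or **Global Administrator** to download on-demand reports, but the `<sup>\*</sup>` footnote in the permissions section names only **Create schedule** and **Request report**; mention downloading there as well so the elevated requirement is visible in one place. The **Search** box line again takes its icon from `m365-cc-sc-create-icon.png`, and it sits between the download step and the **Save as** sentence that belongs to that step; move the **Save as** sentence up.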
security Defense In Depth Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide.md
The information below will detail how to get the most out of your investment, br
### Protection features -- Consider enabling policies beyond the built-in Protection. Enabling time-of-click protection, or impersonation protection, for example, to add extra layers or fill gaps missing from your third party protection. Be aware that if you have a transport rule or connection filter that is overriding verdicts (this also can be known as SCL-1) you'll need to address this before turning on other protection features.
+- Consider enabling policies beyond the built-in Protection. Enabling time-of-click protection, or impersonation protection, for example, to add extra layers or fill gaps missing from your third party protection. Be aware that if you have a transport rule or connection filter that is overriding verdicts (this also can be known as SCL=-1) you'll need to address this before turning on other protection features.
**Read more here:** [Anti-phishing policies](../anti-phishing-policies-about.md)
security Submissions Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md
User reporting of messages in Teams is made of two separate settings:
- **In the Teams admin center**: On by default and controls whether users are able to report messages from Teams. When this setting is turned off, users can't report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant. -- **In the Microsoft 365 Defender portal**: On by default. If user reporting of messages is turned on in the Teams admin center, you must have it turned on in the Defender portal for submissions to show up correctly.
+- **In the Microsoft 365 Defender portal**: On by default. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly.
### Turn off or turn on user reporting in the Teams admin center
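Review bot: The rewritten bullet for the Defender portal setting drops a word: "it also needs to be turned on the Defender portal" should read "turned on in the Defender portal". As written, the sentence that tells admins which second setting must be enabled for user reported messages to show up is hard to parse.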
For more information about user reported message settings in the Defender portal
:::image type="content" source="../../media/submissions-user-report-message-in-teams-client-click-report.png" alt-text="Screenshot of the final dialog to report a message in the Microsoft Teams client." lightbox="../../media/submissions-user-report-message-in-teams-client-click-report.png"::: > [!NOTE]
- > If you've [turned on reporting for Microsoft Purview Communication Compliance](/microsoftteams/communication-compliance#report-a-concern-in-microsoft-teams), you might also see **Inappropriate - Harassment, violence, nudity, and disturbing content** as an available selection in the **Select a problem** dropdown list.
+ > If [reporting for Microsoft Purview Communication Compliance is turned off](/microsoftteams/communication-compliance#report-a-concern-in-microsoft-teams), users might not have the dropdown list to select **Security risk - Spam, phishing, malicious content**. Instead, they're shown a confirmation pop-up.
3. In the confirmation dialog that opens, click **Close**.
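Review bot: The revised note replaces the case where Communication Compliance reporting is turned on with the case where it is turned off, and the earlier statement about the **Inappropriate - Harassment, violence, nudity, and disturbing content** option is gone. If that option still appears when reporting is on, keep both cases so that admins can tell which behavior to expect. The note says users are shown a "confirmation pop-up" while step 3 refers to a "confirmation dialog"; if these are the same element, use one term.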
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
Here are a couple of additional settings that are recommended.
|Area|Recommendation| |||
-|**Mail flow rules** (also known as transport rules)|Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see [Use mail flow rules to inspect message attachments in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments). <p> See these additional topics: <ul><li>[Protect against ransomware](../../business-premium/secure-your-business-data.md)</li><li>[Malware and Ransomware Protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection)</li><li>[Recover from a ransomware attack in Office 365](recover-from-ransomware.md)</li></ul> <br/> Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see [Mitigating Client External Forwarding Rules with Secure Score](/archive/blogs/office365security/mitigating-client-external-forwarding-rules-with-secure-score). <p> More information: [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)|
+|**Mail flow rules** (also known as transport rules)|Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see [Use mail flow rules to inspect message attachments in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments). <p> See these additional topics: <ul><li>[Protect against ransomware](../../business-premium/secure-your-business-data.md)</li><li>[Malware and Ransomware Protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection)</li><li>[Ransomware incident response playbooks](/security/ransomware/)</li></ul> <br/> Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see [Mitigating Client External Forwarding Rules with Secure Score](/archive/blogs/office365security/mitigating-client-external-forwarding-rules-with-secure-score). <p> More information: [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)|
|**Modern authentication**|Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email. <p> See these topics: <ul><li>[Enable or disable modern authentication in Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online)</li><li>[Skype for Business Online: Enable your tenant for modern authentication](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx)</li></ul> <br/> Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business. <p> More information: [How modern authentication works for Office 2013 and Office 2016 client apps](../../enterprise/modern-auth-for-office-2013-and-2016.md)| ## Configure tenant-wide sharing policies in SharePoint admin center
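Review bot: In the **Mail flow rules** row, the new link text "Ransomware incident response playbooks" points at the directory-level path /security/ransomware/ rather than a specific article, and it replaces the only recovery-specific entry in that list (recover-from-ransomware.md). Link the specific page that covers recovery, or adjust the link text to match what the target actually is. As it stands, the list no longer tells an admin where to go after an incident.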
solutions Ransomware Protection Microsoft 365 Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/ransomware-protection-microsoft-365-information.md
Key information from Microsoft:
Microsoft 365: - [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Recover from a ransomware attack](/microsoft-365/security/office-365-security/recover-from-ransomware)
+- [Ransomware incident response playbooks](/security/ransomware/)
- [Malware and ransomware protection](/compliance/assurance/assurance-malware-and-ransomware-protection) - [Protect your Windows 10 PC from ransomware](https://support.microsoft.com//windows/protect-your-pc-from-ransomware-08ed68a7-939f-726c-7e84-a72ba92c01c3) - [Handling ransomware in SharePoint Online](/sharepoint/troubleshoot/security/handling-ransomware-in-sharepoint-online)
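Review bot: The unchanged line right after the added link still carries a doubled slash in the "Protect your Windows 10 PC from ransomware" URL (support.microsoft.com//windows/). Since this list is being edited to repair links, fix that one in the same pass.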
solutions Ransomware Protection Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/ransomware-protection-microsoft-365.md
Key information from Microsoft:
Microsoft 365: - [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Recover from a ransomware attack](/microsoft-365/security/office-365-security/recover-from-ransomware)
+- [Ransomware incident response playbooks](/security/ransomware/)
- [Malware and ransomware protection](/compliance/assurance/assurance-malware-and-ransomware-protection) - [Protect your Windows 10 PC from ransomware](https://support.microsoft.com//windows/protect-your-pc-from-ransomware-08ed68a7-939f-726c-7e84-a72ba92c01c3) - [Handling ransomware in SharePoint Online](/sharepoint/troubleshoot/security/handling-ransomware-in-sharepoint-online)
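Review bot: This list and the link swap made in it are identical to the ones in ransomware-protection-microsoft-365-information.md, so the same replacement has to be made by hand in two files. Consider moving the "Key information from Microsoft" list into a shared include, so that the next link retirement is a single edit and the two articles cannot drift apart.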