Updates from: 05/26/2021 03:27:36
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Close Or Delete Case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/close-or-delete-case.md
To close a case:
2. On the **Settings** tab, under **Case Information**, click **Select**.
-3. Click **Close case**.
+3. At the bottom of the **Case Information** flyout page, click (**...**) **More options**, and then click **Close case**.
+
+ ![Option in the More options menu to close an Advanced eDiscovery case](..\Media\CloseAdvancedeDiscoveryCase.png)
It might take up to 60 minutes for the closing process to complete.
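Review bot: The image link added under step 3 is written with backslashes and a capitalised folder name (`..\Media\CloseAdvancedeDiscoveryCase.png`), while the existing image link in the data spillage article on this page uses the `../media/...` form. Suggest forward slashes and the same folder casing as the existing links. The same applies to the reopen and delete images added further down in this file.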
To reopen a closed case:
2. On the **Settings** tab, under **Case Information**, click **Select**.
-3. Click **Reopen case**.
+3. At the bottom of the **Case Information** flyout page, click (**...**) **More options**, and then click **Reopen case**.
+
+ ![Option in the More options menu to reopen an Advanced eDiscovery case](..\Media\ReopenAdvancedeDiscoveryCase.png)
It might take up to 60 minutes for the reopening process to complete.
To delete a case:
2. On the **Settings** tab, under **Case Information**, click **Select**.
-3. Click **Delete case**.
+3. At the bottom of the **Case Information** flyout page, click (**...**) **More options**, and then click **Delete case**.
+
+ ![Option in the More options menu to delete an Advanced eDiscovery case](..\Media\DeleteAdvancedeDiscoveryCase.png)
compliance Data Spillage Scenariosearch And Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-spillage-scenariosearch-and-purge.md
Here's a how to manage a data spillage incident:
- When a mailbox is on hold, a deleted message remains in the Recoverable Items folder until the retention period expires or the hold is released. [Step 6](#step-6-prepare-the-mailboxes) describes how to remove hold from the mailboxes. Check with your records management or legal departments before removing the hold. Your organization might have a policy that defines whether a mailbox on hold or a data spillage incident takes priority. -- To control which user mailboxes an data spillage investigator can search and manage who can access the case, you can set up compliance boundaries and create a custom role group, which is described in [Step 1](#optional-step-1-manage-who-can-access-the-case-and-set-compliance-boundaries). To do this, you have to be a member of the Organization Management role group or be assigned the role management role. If you or in administrator in your organization has already set compliance boundaries, you can skip Step 1.
+- To control which user mailboxes a data spillage investigator can search and manage who can access the case, you can set up compliance boundaries and create a custom role group, which is described in [Step 1](#optional-step-1-manage-who-can-access-the-case-and-set-compliance-boundaries). To do this, you have to be a member of the Organization Management role group or be assigned the role management role. If you or an administrator in your organization has already set compliance boundaries, you can skip Step 1.
- To create a case, you must be a member of the eDiscovery Manager role group or be a member of a custom role group that's assigned the Case Management role. If you're not a member, ask a Microsoft 365 administrator to [add you to the eDiscovery manager role group](assign-ediscovery-permissions.md).
Here's a how to manage a data spillage incident:
Depending on your organizational practice, you need to control who can access the eDiscovery case used to investigate a data spillage incident and set up compliance boundaries. The easiest way to do this is to add investigators as members of an existing role group in the Security & Compliance Center and then add the role group as a member of the eDiscovery case. For information about the built-in eDiscovery role groups and how to add members to an eDiscovery case, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
-You can also create a new role group that aligns with your organizational needs. For example, you might want a group of data spillage investigators in the organization to access and collaborate on all data spillage cases. You can do this by creating a "Data Spillage Investigator" role group, assigning the appropriate roles (Export, RMS Decrypt, Review, Preview, Compliance Search, and Case Management), adding the data spillage investigators to the role group, and then adding the role group as a member of the data spillage eDiscovery case. See [Set up compliance boundaries for eDiscovery investigations in Office 365](tagging-and-assessment-in-advanced-ediscovery.md) for detailed instructions on how to do this.
+You can also create a new role group that aligns with your organizational needs. For example, you might want a group of data spillage investigators in the organization to access and collaborate on all data spillage cases. You can do this by creating a "Data Spillage Investigator" role group, assigning the appropriate roles (Export, RMS Decrypt, Review, Preview, Compliance Search, and Case Management), adding the data spillage investigators to the role group, and then adding the role group as a member of the data spillage eDiscovery case. See [Set up compliance boundaries for eDiscovery investigations in Office 365](set-up-compliance-boundaries.md) for detailed instructions on how to do this.
## Step 2: Create an eDiscovery case
If you have more than 1,000 mailboxes or more than 100 email messages per mailbo
If a custodian or end user is assigned an Office 365 E5 license, you can examine up to 10,000 search results at once using Advanced eDiscovery. If there are more than 10,000 email messages to review, you can divide the search query by date range and review each result individually as search results are sorted by date. In Advanced eDiscovery, you can tag search results using the **Label as** feature in the preview panel and filter the search result by the tag you labeled. This is helpful when you collaborate with a secondary reviewer. By using additional analytics tools in Advanced eDiscovery, such as optical character recognition, email threading, and predictive coding, you can quickly process and review thousands of messages and tag them for further review. See [Quick setup for Advanced eDiscovery](./get-started-with-advanced-ediscovery.md).
-When you find an email message that contains spilled data, check the recipients of the message to determine if it was shared externally. To further trace an message, you can collect sender information and date range so you can use the message trace logs, which is described in [Step 5](#step-5-use-message-trace-log-to-check-how-spilled-data-was-shared).
+When you find an email message that contains spilled data, check the recipients of the message to determine if it was shared externally. To further trace a message, you can collect sender information and date ranges so you can use the message trace logs. This process is described in [Step 5](#step-5-use-message-trace-log-to-check-how-spilled-data-was-shared).
After you verified the search results, you may want to share your findings with others for a secondary review. People who you assigned to the case in Step 1 can review the case content in both eDiscovery and Advanced eDiscovery and approve case findings. You can also generate a report without exporting the actual content. You can also use this same report as a proof of deletion, which is described in [Step 8](#step-8-verify-provide-a-proof-of-deletion-and-audit).
After you verified the search results, you may want to share your findings with
3. Select **All items, including ones that have unrecognized format, are encrypted, or weren't indexed for other reasons** and then click **Generate report**.
-4. In the eDiscovery case, click **Export** to display the list of export jobs. You may have to click **Refresh** to update the list to display the export job you just created.
+4. In the eDiscovery case, click **Export** to display the list of export jobs. You may have to click **Refresh** to update the list to display the export job you created.
5. Click the export job, and then click **Download** report on the flyout page.
For more information about exporting reports, see [Export a Content Search repor
## Step 5: Use message trace log to check how spilled data was shared
-To further investigate if email with spilled data was shared, you can optionally query the message trace logs with the sender information and the date range information that you gathered in Step 4. Note that the retention period for message trace is 30 days for real time data and 90 days for historical data.
+To further investigate if email with spilled data was shared, you can optionally query the message trace logs with the sender information and the date range information that you gathered in Step 4. The retention period for message trace is 30 days for real-time data and 90 days for historical data.
You can use Message trace in the security and compliance center or use the corresponding cmdlets in Exchange Online PowerShell. It's important to note that message tracing doesn't offer full guarantees on the completeness of data returned. For more information about using Message trace, see: - [Message trace in the Security & Compliance Center](../security/office-365-security/message-trace-scc.md) -- [New Message Trace in Security & Compliance Center](https://blogs.technet.microsoft.com/exchange/2018/05/02/new-message-trace-in-office-365-security-compliance-center/)
+- [New Message Trace in Security & Compliance Center](https://techcommunity.microsoft.com/t5/exchange-team-blog/new-message-trace-in-office-365-security-038-compliance-center/ba-p/607893)
## Step 6: Prepare the mailboxes
-After you review and validate that the search results contains only the messages that must be deleted, you need to collect a list of the email addresses of the impacted mailboxes to use in Step 7 when you delete the spilled data. You may also have to prepare the mailboxes before you can permanently delete email messages depending on whether single item recovery is enabled on the mailboxes that contain the spilled data or if any of those mailboxes are on hold.
+After you review and validate that the search results contain only the messages that must be deleted, you need to collect a list of the email addresses of the impacted mailboxes to use in Step 7 when you delete the spilled data. You may also have to prepare the mailboxes before you can permanently delete email messages depending on whether single item recovery is enabled on the mailboxes that contain the spilled data or if any of those mailboxes are on hold.
### Get a list of addresses of mailboxes with spilled data
Be sure to revert the mailbox to previous configurations after you verify that t
Using the mailbox locations that you collected and prepared in Step 6 and the search query that was created and refined in Step 3 to find email messages that contain the spilled data, you can now permanently delete the spilled data. As previously explained, to delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions in the Security & Compliance Center](./assign-ediscovery-permissions.md).
-To delete the spilled messages, see steps 2 & 3 in [Search for and delete email messages](./search-for-and-delete-messages-in-your-organization.md)
+To delete the spilled messages, see [Search for and delete email messages](search-for-and-delete-messages-in-your-organization.md).
+
+Keep the following limits in mind when deleting spilled data:
+
+- The maximum number of mailboxes in a search that you can use to delete items by doing a search and purge action is 50,000. If the search that you create in Step 3 searches more than 50,000 mailboxes, the purge action will fail. Searching more than 50,000 mailbox in a single search might typically happen when you configure the search to include all mailboxes in your organization. This restriction still applies even when less than 50,000 mailboxes contain items that match the search query.
+
+- A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn't intended to clean up user mailboxes.
> [!IMPORTANT] > Email items in a review set in an Advanced eDiscovery case can't be deleted by using the procedures in this article. That's because items in a review set are copies of items in the live service that are copied and stored in an Azure Storage location. This means they won't be returned by a content search that you create in Step 3. To delete items in a review set, you have to delete the Advanced eDiscovery case that contains the review set. For more information, see [Close or delete an Advanced eDiscovery case](close-or-delete-case.md). ## Step 8: Verify, provide a proof of deletion, and audit
-The final step in the workflow to manage a data spillage incident is to verify that the spilled data was permanently removed from the mailbox by going to the eDiscovery case and re-running the same search query that was used to delete that data to confirm that no results are returned. After you confirm the spilled data has been permanently removed, you can export a report and include it (along with the original report) as a proof of deletion. Then you can [close the case](close-reopen-delete-core-ediscovery-cases.md) which will allow you to re-open it if you have refer to it in the future. Additionally, you can also revert mailboxes to their previous state, delete the search query used to find the spilled data, and search for auditing records of tasks performed when managing the data spillage incident.
+The final step in the workflow to manage a data spillage incident is to verify that the spilled data was permanently removed from the mailbox by going to the eDiscovery case and rerunning the same search query that was used to delete that data to confirm that no results are returned. After you confirm the spilled data has been permanently removed, you can export a report and include it (along with the original report) as a proof of deletion. Then you can [close the case](close-reopen-delete-core-ediscovery-cases.md) which will allow you to reopen it if you have to refer to it in the future. Additionally, you can also revert mailboxes to their previous state, delete the search query used to find the spilled data, and search for auditing records of tasks performed when managing the data spillage incident.
### Reverting the mailboxes to their previous state
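Review bot: The new limit of 10 items per mailbox in the added limits list gives no guidance for a mailbox that holds more than 10 matching messages, yet the Step 8 paragraph in this same hunk tells the reader to rerun the search and confirm that no results are returned. Suggest adding a sentence that says what to do in that case. Wording in the same list: "more than 50,000 mailbox" should be "mailboxes" and "less than 50,000 mailboxes" should be "fewer than". In the Step 8 paragraph, "Additionally, you can also" is redundant and "close the case ... which will allow" wants a comma before "which". The replacement link also drops the earlier pointer to steps 2 & 3 of the target article; consider naming the relevant section so the reader lands on the purge steps.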
If you changed any mailbox configuration in Step 6 to prepare the mailboxes befo
If the keywords in the search query that you created and used in Step 3 contains some of all of the actual spilled data, you should delete the search query to prevent further data spillage. 1. In the security and compliance center, open the eDiscovery case, go to the **Search** page, and select the appropriate content search.
-
+ 2. On the flyout page, click **Delete**. ![Select the search and then click Delete on the flyout page](../media/O365-eDiscoverySolutions-DataSpillage-DeleteSearch.png)
-
+ ### Auditing the data spillage investigation process You can search the audit log for the eDiscovery activities that were performed during the investigation. You can also search the audit log to return the audit records for the **New-ComplianceSearchAction -Purge** command that you ran in Step 7 to delete the spilled data. For more information, see:
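Review bot: The whitespace-only changes here leave a typo in the adjacent sentence untouched: "contains some of all of the actual spilled data" should read "contain some or all of the actual spilled data". Worth fixing in the same pass, since that sentence is the reason given for deleting a search query that itself holds spilled data.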
compliance Differences Between Estimated And Actual Ediscovery Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/differences-between-estimated-and-actual-ediscovery-search-results.md
Here are some reasons for these differences:
- **De-duplication of Exchange items during export**. For Exchange items, de-duplication reduces the number of items that are exported. You have the option to de-duplicate the search results when you export them. For Exchange messages, this means that only a single instance of a message is exported, even though that message might be found in multiple mailboxes. The estimated search results include every instance of a message. So if you choose the de-duplication option when exporting search results, the actual number of items that are exported might be considerably less than the estimated number of items.
- Another thing to keep in mind if you choose the de-duplication option is that all Exchange items are exported in a single PST file and the folder structure from the source mailboxes isn't preserved. The exported PST file just contains the email items. However, a search results report contains an entry for each exported message that identifies the source mailbox where the message is located. This helps you identify all mailboxes that contain a duplicate message. If you don't enable de-duplication, a separate PST file is exported for each mailbox included in the search.
+The search results report (Results.csv file) contains an entry for each duplicate message and identifies the source mailbox where a duplicate message is located. This helps you identify all mailboxes that contain a duplicate message.
> [!NOTE] > If you don't select the **Include items that are encrypted or have an unrecognized format** option when you export search results or just download the reports, the index error reports are downloaded but they don't have any entries. This doesn't mean there aren't any indexing errors. It just means that unindexed items weren't included in the export.
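Review bot: The added sentence about Results.csv repeats the closing sentence of the paragraph above it word for word ("This helps you identify all mailboxes that contain a duplicate message.") and the two disagree on scope: the existing text says the report has an entry for "each exported message", the new text says "each duplicate message". If the older paragraph is staying, fold the Results.csv file name into it rather than adding a second statement; if it is being replaced, the removal should be part of this change.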
compliance Dlp Sensitivity Label As Condition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-sensitivity-label-as-condition.md
You can use sensitivity labels as conditions on these items and in these scenari
|Service |Item type |Available to policy tip |Enforceable | ||||| |Exchange |email message |yes |yes |
-|Exchange |email attachment |no * |yes * |
+|Exchange |email attachment |no |yes * |
|SharePoint Online |items in SharePoint Online |yes |yes | |OneDrive for Business |items |yes |yes | |Teams |Teams and channel messages |not applicable |not applicable |
You can use sensitivity labels as conditions on these items and in these scenari
|Windows 10 devices |items |yes |yes | |MCAS (preview) |items |yes |yes |
-\* DLP detection and enforcement of sensitivity labels on emails and attachments are supported in-transit. DLP policy tips of sensitivity labeled email attachments are not.
+\* DLP detection of sensitivity labeled email attachments are supported for Office file types only.
\** Attachments sent in Teams over 1:1 chat or channels are automatically uploaded to OneDrive for Business and SharePoint. So if SharePoint Online or OneDrive for Business are included as locations in your DLP policy, then labeled attachments sent in Teams will be automatically included in the scope of this condition. Teams as a location does not need to be selected in the DLP policy.
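Review bot: The rewritten `\*` footnote has a subject-verb mismatch ("DLP detection ... are supported" should be "is supported"), and it now speaks only to detection while the asterisk it explains sits in the Enforceable column of the email attachment row. The removed footnote was also the only place that said policy tips for labeled attachments are not supported; with the asterisk taken off the "no" cell, consider keeping that sentence so the cell is still explained.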
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
Make sure that the Windows 10 devices that you plan on deploying Endpoint DLP to
- For Windows 10 2004 - KB4568831, KB4577063 - For devices running Office 2016 (and not any other Office version) - KB4577063
-4. All devices must be [Azure Active Directory (Azure AD) joined](/azure/active-directory/devices/concept-azure-ad-join), AD joined, Hybrid Azure AD joined, or AAD registered.
+4. All devices must be one of these:
+- [Azure Active Directory (Azure AD) joined](/azure/active-directory/devices/concept-azure-ad-join)
+- AD joined
+- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+- [AAD registered](/azure/active-directory/user-help/user-help-register-device-on-network)
5. Install Microsoft Chromium Edge browser on the endpoint device to enforce policy actions for the upload to cloud activity. See, [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium).
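Review bot: The four bullets added under step 4 start at the left margin as shown, so they are not nested in the numbered item and the list can restart at step 5; indent them to align with the text of "4. All devices must be one of these:". The list also mixes "Azure AD" and "AAD" ("AAD registered"); the first bullet spells out Azure Active Directory (Azure AD), so "Azure AD registered" would be consistent.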
compliance Export Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-search-results.md
After a Content search is successfully run, you can export the search results to a local computer. When you export email results, they're downloaded to your computer as PST files. When you export content from SharePoint and OneDrive for Business sites, copies of native Office documents are exported. There are other documents and reports included with the exported search results.
-Exporting the results of a Content search involves preparing the results, and then downloading them to a local computer.
+Exporting the results of a Content search involves preparing the results, and then downloading them to a local computer. These steps for exporting search results also apply to exporting the results of a search that's associated with Core eDiscovery cases.
## Before you export search results
Exporting the results of a Content search involves preparing the results, and th
> <sup>1</sup> Microsoft doesn't manufacture third-party extensions or add-ons for ClickOnce applications. Exporting search results using an unsupported browser with third-party extensions or add-ons isn't supported.<br/> > <sup>2</sup> As a result of recent changes to Microsoft Edge, ClickOnce support is no longer enabled by default. For instructions on enabling ClickOnce support in Edge, see [Use the eDiscovery Export Tool in Microsoft Edge](configure-edge-to-export-search-results.md).
+- The eDiscovery Export Tool that you use in Step 2 to download search results doesn't support automation (by using a script or running cmdlets). We highly recommended that you don't automate the preparation process in Step 1 or the download process in Step 2. If you automate either of these processes, Microsoft Support will not provide assistance if you run into issues.
+ - We recommend downloading search results to a local computer. To eliminate your company's firewall or proxy infrastructure from causing issues when downloading search results, you might consider downloading search results to a virtual desktop outside of your network. This may decrease timeouts that occur in Azure data connections when exporting a large number of files. For more information about virtual desktops, see [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop). - To improve performance when downloading search results, consider dividing searches that return a large set of results into smaller searches. For example, you can use date ranges in search queries to return a smaller set of results that can be downloaded faster.
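Review bot: In the added bullet about the eDiscovery Export Tool, "We highly recommended that you don't automate" should be "We highly recommend". The bullet states that the tool used in Step 2 "doesn't support automation" but then applies the support consequence to automating Step 1 as well; say whether automating the Step 1 preparation is unsupported too or only discouraged.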
Exporting the results of a Content search involves preparing the results, and th
</system.net> ``` -- If the results of a Content search are older than 7 days and you submit an export job, an error message is displayed prompting you to rerun the search to update the search results. If this happens, cancel the export, rerun the search, and then start the export again.
+- If the results of a search are older than 7 days and you submit an export job, an error message is displayed prompting you to rerun the search to update the search results. If this happens, cancel the export, rerun the search, and then start the export again.
## Step 1: Prepare search results for export
The next step is to download the search results from the Azure Storage location
>- Disable anti-virus scanning for the folder that you download the search result to.<br/> >- Download search results to different folders for concurrent download jobs.
-6. Click **Start** to download the search results to your computer.
+7. Click **Start** to download the search results to your computer.
The **eDiscovery Export Tool** displays status information about the export process, including an estimate of the number (and size) of the remaining items to be downloaded. When the export process is complete, you can access the files in the location where they were downloaded.
compliance Manage Office 365 Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-office-365-message-encryption.md
If the recipient of a message encrypted by OME doesn't use Outlook, regardless o
2. Run the Set-OMEConfiguration cmdlet with the OTPEnabled parameter: ```powershell
- Set-OMEConfiguration -Identity <"OMEConfigurationIdParameter "> -OTPEnabled <$true|$false>
+ Set-OMEConfiguration -Identity <"OMEConfigurationIdParameter"> -OTPEnabled <$true|$false>
``` For example, to disable one-time pass codes:
We hope it doesn't come to it, but if you need to, disabling the new capabilitie
```powershell Set-IRMConfiguration -AzureRMSLicensingEnabled $false
- ```
+ ```
compliance Search For Ediscovery Activities In The Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-ediscovery-activities-in-the-audit-log.md
search.appverid:
- MOE150 - MET150 ms.assetid: 67cc7f42-a53d-4751-b929-6005c80798f7
-description: Learn what events are logged when users assigned eDiscovery permissions perform Content Search and Core eDiscovery tasks in the Security & Compliance Center.
+description: Learn what events are logged when users assigned eDiscovery permissions perform Content search, Core eDiscovery, and Advanced eDiscovery tasks in the Microsoft 365 compliance center.
# Search for eDiscovery activities in the audit log
-Content Search and eDiscovery-related activities (for Core eDiscovery and Advanced eDiscovery) that are performed in Security & Compliance Center or by running the corresponding PowerShell cmdlets are logged in the audit log. Events are logged when administrators or eDiscovery managers (or any user assigned eDiscovery permissions) perform the following Content Search and Core eDiscovery tasks in the Security & Compliance Center:
+Content Search and eDiscovery-related activities (for Core eDiscovery and Advanced eDiscovery) that are performed in Microsoft 365 compliance center or by running the corresponding PowerShell cmdlets are logged in the audit log. Events are logged when administrators or eDiscovery managers (or any user assigned eDiscovery permissions) perform the following Content Search and Core eDiscovery tasks in the Microsoft 365 compliance center:
- Creating and managing Core and Advanced eDiscovery cases -- Creating, starting, and editing Content Searches
+- Creating, starting, and editing Content searches
-- Performing Content Search actions, such as previewing, exporting, and deleting search results
+- Performing search actions, such as previewing, exporting, and deleting search results
- Managing custodians and review sets in Advanced eDiscovery -- Configuring permissions filtering for Content Search
+- Configuring permissions filtering for Content search
- Managing the eDiscovery Administrator role-
-> [!IMPORTANT]
-> The activities described in this article are only the result of eDiscovery tasks performed by using the Security & Compliance Center. eDiscovery tasks that were performed by using the In-Place eDiscovery tool in Exchange Online or the eDiscovery Center in SharePoint Online aren't included.
-For more information about searching the audit log, the permissions that are required, and exporting search results, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md).
+For more information about searching the audit log, the permissions that are required, and exporting search results, see [Search the audit log in the Microsoft 365 compliance center](search-the-audit-log-in-security-and-compliance.md).
## How to search for and view eDiscovery activities Currently, you have to do a few specific things to view eDiscovery activities in the audit log. Here's how.
-1. Go to [https://protection.office.com](https://protection.office.com).
-
-2. Sign in using your work or school account.
+1. Go to <https://compliance.microsoft.com> and sign in using your work or school account.
-3. In the left pane, click **Search**, and then click **Audit log search**.
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **Audit**.
-4. In the **Activities** drop-down list, under **eDiscovery activities** or **Advanced eDiscovery activities**, click one or more activities to search for.
+3. In the **Activities** drop-down list, under **eDiscovery activities** or **Advanced eDiscovery activities**, click one or more activities to search for.
> [!NOTE] > The **Activities** drop-down list also includes a group of activities named **eDiscovery cmdlet activities** that will return records from the cmdlet audit log.
-5. Select a date and time range to display eDiscovery events that occurred within that period.
+4. Select a date and time range to display eDiscovery events that occurred within that period.
-6. In the **Users** box, select one or more users to display search results for. Leave this box blank to return entries for all users.
+5. In the **Users** box, select one or more users to display search results for. Leave this box blank to return entries for all users.
-7. Click **Search** to run the search using your search criteria.
+6. Click **Search** to run the search using your search criteria.
-8. After the search results are displayed, you can click **Filter results** to filter or sort the resulting activity records. Unfortunately, you can't use filtering to explicitly exclude certain activities.
+7. After the search results are displayed, you can click **Filter results** to filter or sort the resulting activity records. Unfortunately, you can't use filtering to explicitly exclude certain activities.
-9. To view details about an activity, click the activity record in the list of search results.
+8. To view details about an activity, click the activity record in the list of search results.
A **Details** fly out page is displayed that contains the detailed properties from the event record. To display additional details, click **More information**. For a description of these properties, see the [Detailed properties for eDiscovery activities](#detailed-properties-for-ediscovery-activities) section.
-10. If desired, you can export the audit log search results to a CSV file, and then use the Excel Power Query feature to format and filter these records. For more information, see [Export, configure, and view audit log records](export-view-audit-log-records.md).
+9. If desired, you can export the audit log search results to a CSV file, and then use the Excel Power Query feature to format and filter these records. For more information, see [Export, configure, and view audit log records](export-view-audit-log-records.md).
## eDiscovery activities
-The following table describes the Content Search and Core eDiscovery activities that are logged when an administrator or eDiscovery manager performs an eDiscovery-related activity using the Security & Compliance Center or running the corresponding cmdlet in Security & Compliance Center PowerShell. Note also that some activities performed in Advanced will be returned when you search for activities in this list.
+The following table describes the Content Search and Core eDiscovery activities that are logged when an administrator or eDiscovery manager performs an eDiscovery-related activity using the compliance center or running the corresponding cmdlet in Security & Compliance Center PowerShell. Note also that some activities performed in Advanced eDiscovery may be returned when you search for activities in this list.
> [!NOTE]
-> The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It takes up to 24 hours for the eDiscovery cmdlet activities to appear in audit log search results.
+> The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It takes up to 24 hours for the eDiscovery cmdlet activities to appear in audit log search results.
|**Friendly name**|**Operation**|**Corresponding cmdlet**|**Description**| |:--|:--|:--|:--|
The following table describes the Content Search and Core eDiscovery activities
|Removed purge action performed on content search <br/> |RemovedSearchResultsPurged <br/> |Remove-ComplianceSearchAction <br/> |A content search purge action was deleted. <br/> | |Removed search report <br/> |SearchReportRemoved <br/> |Remove-ComplianceSearchAction <br/> |A content search export report action was deleted. <br/> | |Started analysis of content search <br/> |SearchResultsSentToZoom <br/> |New-ComplianceSearchAction <br/> |The results of a content search were prepared for analysis in Advanced eDiscovery. <br/> |
-|Started content search <br/> |SearchStarted <br/> |Start-ComplianceSearch <br/> |A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the **New-ComplianceSearch** or **Set-ComplianceSearch** cmdlet, you have to run the **Start-ComplianceSearch** cmdlet to start the search. <br/> |
+|Started content search <br/> |SearchStarted <br/> |Start-ComplianceSearch <br/> |A content search was started. When you create or change a content search by using the Microsoft 365 compliance center GUI, the search is automatically started. If you create or change a search by using the **New-ComplianceSearch** or **Set-ComplianceSearch** cmdlet, you have to run the **Start-ComplianceSearch** cmdlet to start the search. <br/> |
|Started export of content search <br/> |SearchExported <br/> |New-ComplianceSearchAction <br/> |A user exported the results of a content search. <br/> | |Started export report <br/> |SearchReport <br/> |New-ComplianceSearchAction <br/> |A user exported a content search report. <br/> | |Stopped content search <br/> |SearchStopped <br/> |Stop-ComplianceSearch <br/> |A user stopped a content search. <br/> |
-|(none)|CaseViewed|Get-ComplianceCase|A user viewed the list of cases on the **eDiscovery** page in the security and compliance center or by running the cmdlet.|
-|(none)|SearchViewed|Get-ComplianceSearch|A user viewed the list on content searches (listed on the **Searches** tab) in the security and compliance center or by running the cmdlet. This activity is also logged when a user views the list of content searches associated with an eDiscovery case (by clicking the **Searches** tab in a case) or by running the **Get-ComplianceSearch -Case** command.|
-|(none)|ViewedSearchExported|Get-ComplianceSearchAction -Export|A user viewed the list of content search export jobs (listed on the **Exports** tab) in the security and compliance center or by running the cmdlet. This activity is also logged when a user views the list of export jobs in an eDiscovery case (listed on the **Exports** tab in a case) or by running the **Get-ComplianceSearchAction -Case -Export** command.|
-|(none)|ViewedSearchPreviewed|Get-ComplianceSearchAction -Preview|A user previews the results of a content search in the security and compliance center or by running the cmdlet.|
+|(none)|CaseViewed|Get-ComplianceCase|A user viewed the list of cases on the **Core eDiscovery** page or the **Advanced eDiscovery** page in the compliance center or by running the Get-ComplianceCase cmdlet.|
+|(none)|SearchViewed|Get-ComplianceSearch|A user viewed the list on content searches (listed on the **Searches** tab) in the compliance center or by running the cmdlet. This activity is also logged when a user views the list of content searches associated with an eDiscovery case (by clicking the **Searches** tab in a case) or by running the **Get-ComplianceSearch -Case** command.|
+|(none)|ViewedSearchExported|Get-ComplianceSearchAction -Export|A user viewed the list of content search export jobs (listed on the **Exports** tab) in the compliance center or by running the cmdlet. This activity is also logged when a user views the list of export jobs in an eDiscovery case (listed on the **Exports** tab in a case) or by running the **Get-ComplianceSearchAction -Case -Export** command.|
+|(none)|ViewedSearchPreviewed|Get-ComplianceSearchAction -Preview|A user previews the results of a content search in the compliance center or by running the cmdlet.|
||||| ## Advanced eDiscovery activities
-The following table describes the Advanced eDiscovery activities logged in the audit log. These activities (in addition to relevant eDiscovery activities can be used to help you track the progression of activity in an Advanced eDiscovery case.
+The following table describes the Advanced eDiscovery activities logged in the audit log. These activities can be used to help you track the progression of activity in an Advanced eDiscovery case.
|**Friendly name**|**Operation**|**Description**| |:--|:--|:--|
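Review bot: In the added SearchViewed row, "viewed the list on content searches" carries over a typo from the removed line; it should read "list of content searches". The added CaseViewed row also names its cmdlet ("the Get-ComplianceCase cmdlet") while the three added rows after it still say "the cmdlet"; pick one form for all four rows.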
The following table describes the Advanced eDiscovery activities logged in the a
## eDiscovery cmdlet activities
-The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the Security & Compliance Center or by running the corresponding cmdlet in remote PowerShell that's connected to your organization's Security & Compliance Center. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.
+The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the compliance center or by running the corresponding cmdlet in Security & Compliance Center PowerShell. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.
As previously stated, it takes up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.
As previously stated, it takes up to 24 hours for eDiscovery cmdlet activities t
|Created content search <br/> |[New-ComplianceSearch](/powershell/module/exchange/new-compliancesearch) <br/> |A new content search was created. <br/> | |Deleted content search <br/> |[Remove-ComplianceSearch](/powershell/module/exchange/remove-compliancesearch) <br/> |An existing content search was deleted. <br/> | |Changed content search <br/> |[Set-ComplianceSearch](/powershell/module/exchange/set-compliancesearch) <br/> |An existing content search was changed. Changes can include adding or removing content locations that are searched and editing the search query. <br/> |
-|Started content search <br/> |[Start-ComplianceSearch](/powershell/module/exchange/start-compliancesearch) <br/> |A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the **New-ComplianceSearch** or **Set-ComplianceSearch** cmdlet, you have to run the **Start-ComplianceSearch** cmdlet to start the search. <br/> |
+|Started content search <br/> |[Start-ComplianceSearch](/powershell/module/exchange/start-compliancesearch) <br/> |A content search was started. When you create or change a content search by using the compliance center GUI, the search is automatically started. If you create or change a search by using the **New-ComplianceSearch** or **Set-ComplianceSearch** cmdlet, you have to run the **Start-ComplianceSearch** cmdlet to start the search. <br/> |
|Stopped content search <br/> |[Stop-ComplianceSearch](/powershell/module/exchange/stop-compliancesearch) <br/> |A content search that was running was stopped. <br/> | |Created content search action <br/> |[New-ComplianceSearchAction](/powershell/module/exchange/new-compliancesearchaction) <br/> |A content search action was created. Content search actions include previewing search results, exporting search results, preparing search results for analysis in Advanced eDiscovery, and permanently deleting items that match the search criteria of a content search. <br/> | |Deleted content search action <br/> |[Remove-ComplianceSearchAction](/powershell/module/exchange/remove-compliancesearchaction) <br/> |A content search action was deleted. <br/> |
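Review bot: The added Started content search row says "compliance center GUI", but the same sentence in the eDiscovery activities table was changed to "Microsoft 365 compliance center GUI". Use one product name in both tables so the two descriptions stay identical.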
As previously stated, it takes up to 24 hours for eDiscovery cmdlet activities t
|Created eDiscovery administrator <br/> |[Add-eDiscoveryCaseAdmin](/powershell/module/exchange/add-ediscoverycaseadmin) <br/> |A user was added as an eDiscovery Administrator in your organization. <br/> | |Deleted eDiscovery administrator <br/> |[Remove-eDiscoveryCaseAdmin](/powershell/module/exchange/remove-ediscoverycaseadmin) <br/> |An eDiscovery Administrator was deleted from your organization. <br/> | |Changed eDiscovery administrator membership <br/> |[Update-eDiscoveryCaseAdmin](/powershell/module/exchange/update-ediscoverycaseadmin) <br/> |The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the **Add-eDiscoveryCaseAdmin** or **Remove-eDiscoveryCaseAdmin** operation is logged. <br/> |
-
+ ## Detailed properties for eDiscovery activities
-The following table describes the properties that are included when you click **More information** on the **Details** page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. An audit log record for an eDiscovery activity won't include every detailed property listed below.
+The following table describes the properties that are included when you click **More information** on the **Details** page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. An audit log record for an eDiscovery activity won't include every detailed property listed below.
> [!TIP] > When you export the search results, the CSV file contains a column named **Detail**, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. For more information, see the "Export the search results to a file" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#step-4-export-the-search-results-to-a-file).
The following table describes the properties that are included when you click **
|**Property**|**Description**| |:--|:--| |Case <br/> |The identity (GUID) of the eDiscovery case that was created, changed, or deleted. <br/> |
-|ClientApplication <br/> |eDiscovery cmdlet activities have a value of **EMC** for this property. This indicates the activity was performed by using the Security & Compliance Center GUI or running the cmdlet in PowerShell. <br/> |
+|ClientApplication <br/> |eDiscovery cmdlet activities have a value of **EMC** for this property. This indicates the activity was performed by using the compliance center GUI or running the cmdlet in PowerShell. <br/> |
|ClientIP <br/> |The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. <br/> | |ClientRequestId <br/> | For eDiscovery activities, this property is typically blank. <br/> |
-|CmdletVersion <br/> |The build number for the version of the Security & Compliance Center running in your organization. <br/> |
+|CmdletVersion <br/> |The build number for the version of the compliance center running in your organization. <br/> |
|CreationTime <br/> |The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was completed. <br/> | |EffectiveOrganization <br/> |The name of the Microsoft 365 organization. <br/> | |ExchangeLocations <br/> |The Exchange Online mailboxes that are included in a content search or placed on hold in an eDiscovery case. <br/> |
The following table describes the properties that are included when you click **
|Query <br/> |The search query associated with the activity, such as a content search or a query-based hold. <br/> | |RecordType <br/> |The type of operation indicated by the record. The value of **18** indicates an event related to an activity listed in the [eDiscovery cmdlet activities](#ediscovery-cmdlet-activities) section. A value of **24** indicates an event related to an activity listed in the [How to search for and view eDiscovery activities](#how-to-search-for-and-view-ediscovery-activities) section. <br/> | |ResultStatus <br/> |Indicates whether the action (specified in the Operation property) was successful or not. <br/> |
-|SecurityComplianceCenterEventType <br/> |Indicates that the activity was a Security & Compliance Center event. All eDiscovery activities will have a value of **0** for this property. <br/> |
+|SecurityComplianceCenterEventType <br/> |Indicates that the activity was a compliance center event. All eDiscovery activities will have a value of **0** for this property. <br/> |
|SharepointLocations <br/> |The SharePoint Online sites that are included in a content search or placed on hold in an eDiscovery case. <br/> | |StartTime <br/> |The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was started. <br/> | |UserId <br/> |The user who performed the activity (specified in the Operation property) that resulted in the record being logged. Records for eDiscovery activity performed by system accounts (such as NT AUTHORITY\SYSTEM) are also included in the audit log. <br/> |
The following table describes the properties that are included when you click **
|UserServicePlan <br/> |The subscription used by your organization. For eDiscovery activities, this property is typically blank. <br/> | |UserType <br/> |The type of user that performed the operation. The following values indicate the user type. <br/> 0 A regular user. 2 An administrator in your organization. 3 A Microsoft datacenter administrator or datacenter system account. 4 A system account. 5 An application. 6 A service principal. | |Version <br/> |Indicates the version number of the activity (identified by the Operation property) that's logged. <br/> |
-|Workload <br/> |Theservice where the activity occurred. For eDiscovery activities, the value is **SecurityComplianceCenter**. <br/> |
+|Workload <br/> |Theservice where the activity occurred. For eDiscovery activities, the value is **SecurityComplianceCenter**. <br/> |
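Review bot: The added Workload row still reads "Theservice where the activity occurred"; the missing space survives from the removed line. Change it to "The service" while this row is being touched.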
compliance Turn Audit Log Search On Or Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/turn-audit-log-search-on-or-off.md
Title: "Turn audit log search on or off"
+ Title: "Turn auditing on or off"
f1.keywords: - NOCSH
search.appverid:
- MET150 ms.assetid: e893b19a-660c-41f2-9074-d3631c95a014
-description: How to turn on or off the Audit log search feature in the Security & Compliance Center to enable or disable the ability of admins to search the audit log.
+description: How to turn on or off the Audit log search feature in the Microsoft 365 compliance center to enable or disable the ability of admins to search the audit log.
-# Turn audit log search on or off
+# Turn auditing on or off
-Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. This includes organizations with E3/G3 or E5/G5 subscriptions. When audit log search in the compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
+Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. This includes organizations with E3/G3 or E5/G5 subscriptions. When auditing in the compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
> [!IMPORTANT]
-> If you turn off audit log search in Microsoft 365, you can't use the Office 365 Management Activity API or Azure Sentinel to access auditing data for your organization. Turning off audit log search by following the steps in this article means that no results will be returned when you search the audit log using the Security & Compliance Center or when you run the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell. This also means that audit logs won't be available through the Office 365 Management Activity API or Azure Sentinel.
+> If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Azure Sentinel to access auditing data for your organization. Turning off auditing by following the steps in this article means that no results will be returned when you search the audit log using the Security & Compliance Center or when you run the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell. This also means that audit logs won't be available through the Office 365 Management Activity API or Azure Sentinel.
-## Before you turn audit log search on or off
+## Before you turn auditing on or off
+
+- You have to be assigned the Audit Logs role in Exchange Online to turn auditing on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online.
-- You have to be assigned the Audit Logs role in Exchange Online to turn audit log search on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online.
-
> [!NOTE]
- > Users have to be assigned permissions in Exchange Online to turn audit log search on or off. If you assign users the Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to turn audit log search on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.
-
+ > Users have to be assigned permissions in Exchange Online to turn auditing on or off. If you assign users the Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to turn auditing on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.
+ - For step-by-step instructions on searching the audit log, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md). For more information about the Microsoft 365 Management Activity API, see [Get started with Microsoft 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis). -- To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:
+- To verify that auditing is turned on, you can run the following command in Exchange Online PowerShell:
```powershell Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled ```
- The value of `True` for the _UnifiedAuditLogIngestionEnabled_ property indicates that audit log search is turned on.
-
-## Turn on audit log search
+ The value of `True` for the _UnifiedAuditLogIngestionEnabled_ property indicates that auditing is turned on.
+
+## Turn on auditing
-If audit log search is not turned on for your organization, you can turn it on in the compliance center or by using Exchange Online PowerShell. It may take several hours after you turn on audit log search before you can return results when you search the audit log.
+If auditing is not turned on for your organization, you can turn it on in the compliance center or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.
-### Use the compliance center to turn on audit log search
+### Use the compliance center to turn on auditing
-1. [Go to the compliance center](https://protection.office.com) and sign in.
+1. Go to <https://compliance.microsoft.com> and sign in.
-2. In the compliance center, go to **Search** > **Audit log search**.
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **Audit**.
- If audit log search is not turned on for your organization, a banner is displayed saying that auditing has to be turned on to record user and admin activity.
+ If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
-3. Click **Turn on auditing**.
+ ![Banner on Audit page](../media/39a9d35f-88d0-4bbe-a962-0be2f838e2bf.png)
- ![Click Turn on auditing](../media/39a9d35f-88d0-4bbe-a962-0be2f838e2bf.png)
-
- The banner is updated to say the audit log is being prepared and that you can search for user and admin activity in a few hours.
+3. Click the **Start recording user and admin activity** banner.
+
+ It may take up to 60 minutes for the change to take effect.
-### Use PowerShell to turn on audit log search
+### Use PowerShell to turn on auditing
1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
-2. Run the following PowerShell command to turn on audit log search in Office 365.
+2. Run the following PowerShell command to turn on auditing in Office 365.
```powershell Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
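Review bot: The rename from "audit log search" to "auditing" is incomplete in the added lines: the description still says "turn on or off the Audit log search feature", and the added [!IMPORTANT] and [!NOTE] text still refers to the "Security & Compliance Center" although the description now names the Microsoft 365 compliance center. The added intro under "Turn on auditing" also says it "may take several hours" before searches return results, while the added text after step 3 says "up to 60 minutes for the change to take effect"; state how the two intervals relate so an admin knows when audit records become searchable. The added banner sentence should read "prompting you to start recording".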
If audit log search is not turned on for your organization, you can turn it on i
A message is displayed saying that it may take up to 60 minutes for the change to take effect.
-## Turn off audit log search
+## Turn off auditing
-You have to use Exchange Online PowerShell to turn off audit log search.
+You have to use Exchange Online PowerShell to turn off auditing.
1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
-2. Run the following PowerShell command to turn off audit log search.
+2. Run the following PowerShell command to turn off auditing.
```powershell Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false ```
-3. After a while, verify that audit log search is turned off (disabled). There are two ways to do this:
+3. After a while, verify that auditing is turned off (disabled). There are two ways to do this:
- In Exchange Online PowerShell, run the following command:
You have to use Exchange Online PowerShell to turn off audit log search.
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled ```
- The value of `False` for the _UnifiedAuditLogIngestionEnabled_ property indicates that audit log search is turned off.
+ The value of `False` for the _UnifiedAuditLogIngestionEnabled_ property indicates that auditing is turned off.
- - In the [compliance center](https://protection.office.com), go to **Search** \> **Audit log search**.
+ - Go to the **Audit** page in the Microsoft 365 compliance center.
- A banner is displayed saying that auditing has to be turned on in order to record user and admin activity.
+ If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
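Review bot: The added banner sentence under the second verification method is conditional ("If auditing is not turned on for your organization, ...") although this step exists to confirm that auditing was turned off; state the expected result directly, as the removed line did ("A banner is displayed ..."). It also drops a word: "prompting you start recording" should be "prompting you to start recording".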
contentunderstanding Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/index.md
Learn more about how to use and implement SharePoint Syntex in your organization
| If you're looking for this information: | Go to this resource: | |:--|:--|
-|Learn how to start planning to use SharePoint Syntex. |[SharePoint Syntex adoption: get started](./adoption-getstarted.md)<br><br>|
+|Learn how to start planning to use SharePoint Syntex |[SharePoint Syntex adoption: get started](./adoption-getstarted.md)|
+|Learn how to use SharePoint Syntex to automate document processes |[Manage contracts using a Microsoft 365 solution](./solution-manage-contracts-in-microsoft-365.md)|
## Set up SharePoint Syntex
contentunderstanding Solution Manage Contracts In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-in-microsoft-365.md
description: "Learn how to manage contracts using a Microsoft 365 solution of Sh
This article describes how to create a contracts management solution for your organization by using SharePoint Syntex and components of Microsoft 365. It provides you with a framework to help you plan and create a solution that fits your unique business needs. Even if this solution doesn't suit your business needs as a whole, parts of it can be adopted in your planning to create a custom contract management solution.
+*This content set documents a Microsoft 365 solution developed by Thomas Molbach with the Modern Work Solution Strategy Team at Microsoft.*
+ ## Identify the business problem The first step in planning your contract management system is to understand the problem you're trying to solve. For this solution, four key issues need to be addressed:
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
If you're using a third-party service or line-of-business (LOB) apps that are in
If you are using the same Azure Active Directory identity partition for Office 365 and Microsoft Azure in the Microsoft Cloud Deutschland instance, make sure that you are preparing for the customer driven migration of Microsoft Azure services. > [!NOTE]
-> The migration of your Microsoft Azure services must not be started before your Office 365 tenant has reached migration phase 3 and must be completed before migration phase 8 has been completed.
+> The migration of your Microsoft Azure services may not start before your Office 365 tenant has reached migration phase 9 and must be completed before migration phase 10 has been completed.
Customers who use Office 365 and Azure resources (for example, networking, compute, and storage) will perform the migration of resources to the Office 365 services instance. This migration is the customer's responsibility. Message Center posts will signal the start. Migration must be completed before finalization of the Azure AD organization in the Office 365 services environment. For Azure migrations, see the Azure migration playbook, [Overview of migration guidance for Azure Germany](https://docs.microsoft.com/azure/germany/germany-migration-main).
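Review bot: In the added [!NOTE] line, "may not start before ... migration phase 9" can be read as either a prohibition or a possibility, and it sits next to "must be completed" in the same sentence. The removed line used "must not be started"; keep "must not start" (or "can't start") so the ordering constraint is unambiguous. Because the phase numbers changed from 3 and 8 to 9 and 10, confirm that other references to these phases in the transition articles agree.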
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
In case you have line-of-business apps, make sure you have completed the [prewor
**Applies to:** All customers
-When the Office 365 tenant completes the final step of the migration (Azure AD Finalization (Phase 9)) all services are transitioned to worldwide. No application or user should be accessing resources for the tenant against any of the Microsoft Cloud Deutschland endpoints. Automatically, 30 days after the finalization completes, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned tenant. Endpoint requests such as Authentication will fail from this point forward against the Microsoft Cloud Deutschland service.
+When the Office 365 tenant completes the final step of the migration (Phase 9: Azure AD Finalization), all services are transitioned to worldwide. No application or user should be accessing resources for the tenant against any of the Microsoft Cloud Deutschland endpoints. Automatically, 30 days after the finalization completes, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned tenant. Endpoint requests such as authentication will fail from this point forward against the Microsoft Cloud Deutschland service.
+
+Microsoft Azure customers must transition their Azure workloads following the steps described in the [Azure migration playbook](/azure/germany/germany-migration-main) as soon as their tenant completes the migration to worldwide (Phase 9).
| Step(s) | Description | Impact | |:-|:-|:-| | Update user endpoints | Ensure all users access the service using the proper Microsoft worldwide endpoints |30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail. | | Update Azure AD application endpoints | You must update Authentication, Azure Active Directory (Azure AD) Graph, and MS Graph endpoints for your applications to those of the Microsoft Worldwide service. | 30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail. |
+| Migrate Azure Workloads | Azure services customers must provision new worldwide subscriptions for Azure services and execute migration per the [Azure migration playbook](/azure/germany/germany-migration-main). | When fully transitioned to the worldwide service (Phase 10), customers will no longer be able to access Azure workloads present in the Microsoft Cloud Deutschland Azure portal. |
|||| ### Azure AD Connect
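Review bot: The reworded paragraph calls Phase 9 (Azure AD Finalization) "the final step of the migration", but the added Migrate Azure Workloads row says customers are "fully transitioned to the worldwide service (Phase 10)". Say explicitly what Phase 10 is and how it relates to the 30-day endpoint cutoff, or drop "final" from the Phase 9 sentence. The new row label is also title-cased ("Migrate Azure Workloads") while the existing rows use sentence case ("Update user endpoints").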
enterprise Urls And Ip Address Ranges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges.md
Title: "Office 365 URLs and IP address ranges"
Previously updated : 04/29/2021 Last updated : 05/19/2021 audience: Admin
Office 365 requires connectivity to the Internet. The endpoints below should be
|||| |:--|:--|:--|
-|**Last updated:** 04/29/2021 - ![RSS](../medi#pacfiles) <br/> |
+|**Last updated:** 05/19/2021 - ![RSS](../medi#pacfiles) <br/> |
Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This allows for customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
knowledge Manage Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/manage-topics.md
Note that you can still choose to reject a confirmed topic. To do this, go to th
Published topics have been edited so that specific information will always appear to whoever encounters the page. Manually created topics are listed here as well. ![Manage Topics](../media/knowledge-management/manage-topics-new.png)+
+## Topic count dashboard
+
+This chart in the dashboard view lets you see the number of topics in your Viva Topics topic center. The chart shows the topic counts per topic lifecycle stage and also shows how topic counts have trended over time. Knowledge managers can visually monitor the rate at which new topics are being discovered by AI and the rate at which topics are getting confirmed or published by the knowledge manager or user actions.
+
+Knowledge managers might see a different count of topics represented in the list of topics on the **Manage topics** page than they see in the dashboard. This is because a knowledge manager might not have access to all topics. The count presented in the dashboard view is taken before applying permission-trimming.
+
+ ![Screenshot of topic count dashboard](../media/knowledge-management/topic-count-dashboard.png)
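Review bot: The second paragraph of the new "Topic count dashboard" section says the count is "taken before applying permission-trimming", which means the chart tells a knowledge manager how many topics exist that they cannot open. State that consequence directly, and define or link "permission-trimming" on first use so readers can judge whether the difference between the list and the dashboard is expected.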
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
###### [Configure iOS features](ios-configure-features.md) ##### [Troubleshoot]()
-###### [Troubleshoot issues](ios-troubleshoot.md)
+###### [FAQs and Troubleshoot issues](ios-troubleshoot.md)
##### [Privacy](ios-privacy.md)
####### [Get alert related device information](get-alert-related-machine-info.md) ####### [Get alert related user information](get-alert-related-user-info.md)
+###### [Assessments of vulnerabilities and secure configurations]()
+####### [Export assessment methods and properties](get-assessmnt-1methods-properties.md)
+####### [Export secure configuration assessment](get-assessmnt-secure-cfg.md)
+####### [Export software inventory assessment](get-assessmnt-software-inventory.md)
+####### [Export software vulnerabilities assessment](get-assessmnt-software-vulnerabilities.md)
+ ###### [Automated Investigation]() ####### [Investigation methods and properties](investigation.md) ####### [List Investigation](get-investigation-collection.md)
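Review bot: All four new link targets spell "assessment" as `assessmnt`, and the first one also carries a stray `1` (`get-assessmnt-1methods-properties.md`). These file names become the published URLs and are awkward to change once other pages link to them, so rename the files and update these TOC entries before merging.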
security Get Assessmnt 1Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-1methods-properties.md
+
+ Title: Export assessment methods and properties per device
+description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. Since the amount of data can be very large, there are two ways it can be retrieved
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export assessment methods and properties per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
++
+## API description
+
+Provides methods and property details about the APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+
+- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export secure configurations assessment
+
+Returns all of the configurations and their status, on a per-device basis.
+
+### 1.1 Methods
+
+Method | Data type | Description
+:|:|:
+[Export secure configuration assessment (OData)](get-assessmnt-secure-cfg.md#1-export-secure-configuration-assessment-odata) | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+[Export secure configuration assessment (via files)](get-assessmnt-secure-cfg.md#2-export-secure-configuration-assessment-via-files) | secure configuration by device files. See: [1.3 Properties (via files)](#13-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+
+### 1.2 Properties (OData)
+
+Property (ID) | Data type | Description
+:|:|:
+ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls
+ConfigurationId | string | Unique identifier for a specific configuration
+ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10)
+ConfigurationName | string | Display name of the configuration
+ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.
+DeviceId | string | Unique identifier for the device in the service.
+DeviceName | string | Fully qualified domain name (FQDN) of the device.
+IsApplicable | bool | Indicates whether the configuration or policy is applicable
+IsCompliant | bool | Indicates whether the configuration or policy is properly configured
+IsExpectedUserImpact | bool | Indicates whether there will be user impact if the configuration will be applied
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
+RecommendationReference | string | A reference to the recommendation ID related to this software.
+Timestamp | string | Last time the configuration was seen on the device
+
+### 1.3 Properties (via files)
+
+Property (ID) | Data type | Description
+:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime | string | The time that the export was generated.
+
+## 2. Export software inventory assessment
+
+Returns all of the installed software and their details on each device.
+
+### 2.1 Methods
+
+Method | Data type | Description
+:|:|:
+[Export software inventory assessment (OData)](get-assessmnt-software-inventory.md#1-export-software-inventory-assessment-odata) | Software inventory by device collection. See: [2.2 Properties (OData)](#22-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+[Export software inventory assessment (via files)](get-assessmnt-software-inventory.md#2-export-software-inventory-assessment-via-files) | Software inventory by device files. See: [2.3 Properties (via files)](#23-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+
+### 2.2 Properties (OData)
+
+Property (ID) | Data type | Description
+:|:|:
+DeviceId | string | Unique identifier for the device in the service.
+DeviceName | string | Fully qualified domain name (FQDN) of the device.
+DiskPaths | Array[string] | Disk evidence that the product is installed on the device.
+EndOfSupportDate | string | The date in which support for this software has or will end.
+EndOfSupportStatus | string | End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.
+Id | string | Unique identifier for the record.
+NumberOfWeaknesses | int|Number of weaknesses on this software on this device
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
+RegistryPaths | Array[string] | Registry evidence that the product is installed in the device.
+SoftwareFirstSeenTimestamp | string | The first time this software was seen on the device.
+SoftwareName | string | Name of the software product.
+SoftwareVendor | string | Name of the software vendor.
+SoftwareVersion | string | Version number of the software product.
+
+### 2.3 Properties (via files)
+
+Property (ID) | Data type | Description
+:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime | string | The time that the export was generated.
+
+## 3. Export software vulnerabilities assessment per device
+
+Returns all the known vulnerabilities on a device and their details, for all devices.
+
+### 3.1 Methods
+
+Method | Data type | Description
+:|:|:
+[Export software vulnerabilities assessment (OData)](get-assessmnt-software-vulnerabilities.md#1-export-software-vulnerabilities-assessment-odata) | Investigation collection See: [3.2 Properties (OData)](#32-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+[Export software vulnerabilities assessment (via files)](get-assessmnt-software-vulnerabilities.md#2-export-software-vulnerabilities-assessment-via-files) | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+
+### 3.2 Properties (OData)
+
+Property (ID) | Data type | Description
+:|:|:
+CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
+CvssScore | string | The CVSS score of the CVE.
+DeviceId | string | Unique identifier for the device in the service.
+DeviceName | string | Fully qualified domain name (FQDN) of the device.
+DiskPaths | Array\[string\] | Disk evidence that the product is installed on the device.
+ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
+FirstSeenTimestamp | string | First time the CVE of this product was seen on the device.
+Id | string | Unique identifier for the record.
+LastSeenTimestamp | string | Last time the CVE was seen on the device.
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
+RecommendationReference | string | A reference to the recommendation ID related to this software.
+RecommendedSecurityUpdate | string | Name or description of the security update provided by the software vendor to address the vulnerability.
+RecommendedSecurityUpdateId | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
+Registry Paths Array\[string\] | Registry evidence that the product is installed in the device.
+SoftwareName | string | Name of the software product.
+SoftwareVendor | string | Name of the software vendor.
+SoftwareVersion | string | Version number of the software product.
+VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
+
+### 3.3 Properties (via files)
+
+Property (ID) | Data type | Description
+:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime | string | The time that the export was generated.
+
+## See also
+
+- [Export secure configuration assessment per device](get-assessmnt-secure-cfg.md)
+
+- [Export software inventory assessment per device](get-assessmnt-software-inventory.md)
+
+- [Export software vulnerabilities assessment per device](get-assessmnt-software-vulnerabilities.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
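Review bot: In the 3.2 Properties (OData) table, the row `Registry Paths Array\[string\] | Registry evidence ...` has lost its first column separator and splits the property name, so it has one cell fewer than its neighbours; it should match the 2.2 row, `RegistryPaths | Array[string] | ...`. In 3.1 the Data type cells read "Investigation collection" and "Investigation entity", which look carried over from the investigation API; sections 1.1 and 2.1 name the type after the export ("Software inventory by device collection"). The RbacGroupName rows in 1.2, 2.2 and 3.2 contain mis-encoded quotation marks (`ΓÇ£Unassigned.ΓÇ¥`, `doesnΓÇÖt`) that should be replaced with plain quotes. The sentence "Unless indicated otherwise, all export assessment methods listed are ..." appears both in the Note and again just before section 1, and the 1.2 description of RecommendationReference says "related to this software" although the table describes configurations.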
security Get Assessmnt Secure Cfg https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-secure-cfg.md
+
+ Title: Export secure configuration assessment per device
+description: Returns an entry for every unique combination of DeviceId, ConfigurationId.
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
+
+
+
+# Export secure configuration assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+>
+>
+Returns all of the configurations and their status, on a per-device basis.
+
+There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved:
+
+- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export secure configuration assessment (OData)
+
+### 1.1 API method description
+
+This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
+
+#### 1.1.1 Limitations
+
+- Maximum page size is 200,000.
+
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 1.3 URL
+
+```http
+GET /api/machines/SecureConfigurationsAssessmentByMachine
+```
+
+### 1.4 Parameters
+
+- pageSize \(default = 50,000\) ΓÇô number of results in response
+
+- \$top ΓÇô number of results to return \(doesnΓÇÖt return \@odata.nextLink and therefore doesnΓÇÖt pull all the data\)
+
+### 1.5 Properties
+
+>[!Note]
+>
+>- The properties defined in the following table are listed alphanumerically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
+>
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+>
+
+Property (id) | Data type | Description | Example of a returned value
+:|:|:|:
+ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | Security controls
+ConfigurationId | string | Unique identifier for a specific configuration | scid-10000
+ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | 9
+ConfigurationName | string | Display name of the configuration | Onboard devices to Microsoft Defender for Endpoint
+ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | Onboard Devices
+DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
+IsApplicable | bool | Indicates whether the configuration or policy is applicable | true
+IsCompliant | bool | Indicates whether the configuration or policy is properly configured | false
+IsExpectedUserImpact | bool | Indicates whether there will be user impact if the configuration will be applied | true
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
+RecommendationReference | string | A reference to the recommendation ID related to this software. | sca-_-scid-20000
+Timestamp | string | Last time the configuration was seen on the device | 2020-11-03 10:13:34.8476880
+
+### 1.6 Examples
+
+#### 1.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pageSize=5
+```
+
+#### 1.6.2 Response example
+
+```json
+{
+    "@odata.context": "api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetConfiguration)",
+    "value": [
+        {
+            "deviceId": "00013ee62c6b12345b10214e1801b217b50ab455c293d",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_5d96860d69c73fdd06fc8d1679e1eb73eceb8330",
+            "osPlatform": "Windows10",
+            "osVersion": "NT kernel 6.x",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-10000",
+            "configurationCategory": "Network",
+            "configurationSubcategory": "",
+            "configurationImpact": 5,
+            "isCompliant": true,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Disable insecure administration protocol – Telnet",
+            "recommendationReference": "sca-_-scid-10000"
+        },
+        {
+            "deviceId": "0002a1be533813b9a8c6de739785365bce7910",
+            "rbacGroupName": "hhh",
+            "deviceName": null,
+            "osPlatform": "Windows10",
+            "osVersion": "10.0",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-20000",
+            "configurationCategory": "Security controls",
+            "configurationSubcategory": "Onboard Devices",
+            "configurationImpact": 9,
+            "isCompliant": false,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Onboard devices to Microsoft Defender for Endpoint",
+            "recommendationReference": "sca-_-scid-20000"
+        },
+        {
+            "deviceId": "0002a1de123456a8c06de736785395d4ce7610",
+            "rbacGroupName": "hhh",
+            "deviceName": null,
+            "osPlatform": "Windows10",
+            "osVersion": "10.0",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-10000",
+            "configurationCategory": "Network",
+            "configurationSubcategory": "",
+            "configurationImpact": 5,
+            "isCompliant": true,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Disable insecure administration protocol – Telnet",
+            "recommendationReference": "sca-_-scid-10000"
+        },
+        {
+            "deviceId": "00044f912345bdaf756492dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663d45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e76bdfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-39",
+            "configurationCategory": "OS",
+            "configurationSubcategory": "",
+            "configurationImpact": 5,
+            "isCompliant": true,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Enable 'Domain member: Digitally sign secure channel data (when possible)'",
+            "recommendationReference": "sca-_-scid-39"
+        },
+        {
+            "deviceId": "00044f912345daf759462bde6bd733d6a9c56ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45612eeb224d2de2f5ea3142726e63f16a.DomainPII_21eed80d086e76dbfa178eadfa25e8be9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-6093",
+            "configurationCategory": "Security controls",
+            "configurationSubcategory": "Antivirus",
+            "configurationImpact": 5,
+            "isCompliant": false,
+            "isApplicable": false,
+            "isExpectedUserImpact": false,
+            "configurationName": "Enable Microsoft Defender Antivirus real-time behavior monitoring for Linux",
+            "recommendationReference": "sca-_-scid-6093"
+        }
+    ],
+    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+```
+
+## 2. Export secure configuration assessment (via files)
+
+### 2.1 API method description
+
+This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
+
+#### 2.1.2 Limitations
+
+Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read "threat and vulnerability management" vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read "threat and vulnerability management" vulnerability information\'
+
+### 2.3 URL
+
+```http
+GET /api/machines/SecureConfigurationsAssessmentExport
+```
+
+### Parameters
+
+- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours).
+
+### 2.5 Properties
+
+>[!Note]
+>
+>- The files are gzip compressed & in multiline Json format.
+>
+>- The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+>
+>- For maximum download speed of your data, you can make sure you are downloading from the same Azure region in which your data resides.
+>
+Property (id) | Data type | Description | Example of a returned value
+:|:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
+GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
+
+### 2.6 Examples
+
+#### 2.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentExport
+```
+
+#### 2.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#contoso.windowsDefenderATP.api.ExportFilesResponse",
+    "exportFiles": [
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
+    ],
+    "generatedTime": "2021-01-11T11:01:00Z"
+}
+```
+
+## See also
+
+- [Export assessment methods and properties per device](get-assessmnt-1methods-properties.md)
+
+- [Export software inventory assessment per device](get-assessmnt-software-inventory.md)
+
+- [Export software vulnerabilities assessment per device](get-assessmnt-software-vulnerabilities.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
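Review bot: The example cells in the 2.5 properties table are malformed: the `Export files` example opens with an unquoted `Https://` and carries broken quote characters, and the `GeneratedTime` example ends with a stray `]`. Suggest writing both as valid JSON values in the same shape as the 2.6.2 response, and naming the properties as they are actually returned (`exportFiles`, `generatedTime`) instead of `Export files`. Separately, the 2.6.2 response shows `contoso.windowsDefenderATP.api.ExportFilesResponse` in `@odata.context`, while the same response type in the two sibling export articles uses `microsoft.windowsDefenderATP.api`; the three should agree.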
security Get Assessmnt Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-software-inventory.md
+
+ Title: Export software inventory assessment per device
+description: Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export software inventory assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+>
+>
+There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved:
+
+- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export software inventory assessment (OData)
+
+### 1.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+
+#### Limitations
+
+- Maximum page size is 200,000.
+
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Software.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Software.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 1.3 URL
+
+```http
+GET /api/machines/SoftwareInventoryByMachine
+```
+
+### 1.4 Parameters
+
+- pageSize (default = 50,000) ΓÇô number of results in response.
+
+- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+
+### 1.5 Properties
+
+>[!NOTE]
+>
+>-Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+
+>-The properties defined in the following table are listed alphanumerically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
+>
+>-Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+
+Property (id) | Data type | Description | Example of a returned value
+:|:|:|:
+DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
+DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | [ "C:\\Program Files (x86)\\Microsoft\\Silverlight\\Application\\silverlight.exe" ]
+EndOfSupportDate | string | The date in which support for this software has or will end. | 2020-12-30
+EndOfSupportStatus | string | End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software. | Upcoming EOS
+Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!
+NumberOfWeaknesses | int | Number of weaknesses on this software on this device | 3
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
+RegistryPaths | Array[string] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Silverlight" ]
+SoftwareFirstSeenTimestamp | string | The first time this software was seen on the device. | 2019-04-07 02:06:47
+SoftwareName | string | Name of the software product. | Silverlight
+SoftwareVendor | string | Name of the software vendor. | microsoft
+SoftwareVersion | string | Version number of the software product. | 81.0.4044.138
+
+### 1.6 Examples
+
+#### 1.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pageSize=5 &sinceTime=2021-05-19T18%3A35%3A49.924Z
+```
+
+#### 1.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(contoso.windowsDefenderATP.api.AssetSoftware)",
+    "value": [
+        {
+            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "windows_10",
+            "softwareVersion": "10.0.17763.1637",
+            "numberOfWeaknesses": 58,
+            "diskPaths": [],
+            "registryPaths": [],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "Upcoming EOS Version",
+            "endOfSupportDate": "2021-05-11T00:00:00+00:00"
+        },
+        {
+            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": ".net_framework",
+            "softwareVersion": "4.0.0.0",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        },
+        {
+            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eed80d086e79bdfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "system_center_2012_endpoint_protection",
+            "softwareVersion": "4.7.214.0",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        },
+        {
+            "deviceId": "00044f68765ddaf71234bde6bd733d6a9c59ad4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178aedfa25e8be9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "configuration_manager",
+            "softwareVersion": "5.0.8634.1000",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B7D3A842-E826-4542-B39B-1D883264B279}"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        },
+        {
+            "deviceId": "00044f38765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8be9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "system_center_2012_endpoint_protection",
+            "softwareVersion": "4.10.209.0",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        }
+    ],
+    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0yNS8wMjAwLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+```
+
+## 2. Export software inventory assessment (via files)
+
+### 2.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+
+#### 2.1.1 Limitations
+
+Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Software.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Software.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 2.3 URL
+
+```http
+GET /api/machines/SoftwareInventoryExport
+```
+
+### Parameters
+
+- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours)
+
+### 2.5 Properties
+
+>[!Note]
+>
+>- The files are gzip compressed & in multiline Json format.
+>
+>- The download URLs are only valid for 3 hours. Otherwise you can use the parameter.
+>
+>_ For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+>
+Property (id) | Data type | Description | Example of a returned value
+:|:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
+GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
+
+### 2.6 Examples
+
+#### 2.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryExport
+```
+
+#### 2.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+    "exportFiles": [
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
+    ],
+    "generatedTime": "2021-01-11T11:01:00Z"
+}
+```
+
+## See also
+
+- [Export assessment methods and properties per device](get-assessmnt-1methods-properties.md)
+
+- [Export secure configuration assessment per device](get-assessmnt-secure-cfg.md)
+
+- [Export software vulnerabilities assessment per device](get-assessmnt-software-vulnerabilities.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
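Review bot: The request in 1.6.1 passes `sinceTime`, which section 1.4 does not document (only `pageSize` and `$top` are listed), and the URL contains a space before `&sinceTime`, so it is not valid as written. Either document the parameter in 1.4 or drop it from the example, and remove the space. In 2.5, "Otherwise you can use the parameter" never names the parameter; it presumably means `sasValidHours` from the preceding Parameters heading, which is also missing its `2.4` number, and the third bullet of that note starts with `>_` instead of `>-`. The `exportFiles` URLs embed a read-only SAS signature (`sp=r&sig=...`), so whoever holds a URL can download the file until it expires; one sentence in the note advising the shortest workable `sasValidHours` and keeping the URLs out of logs would help. Minor: `EndOfSupportStatus` lists its possible values but gives `Upcoming EOS` as the example, which is not one of them, and the `Id` property in the 1.5 table does not appear in the 1.6.2 response.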
security Get Assessmnt Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-software-vulnerabilities.md
+
+ Title: Export software vulnerabilities assessment per device
+description: The API response is per device and contains vulnerable software installed on your exposed devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information.
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export software vulnerabilities assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+>
+>
+Returns all the known vulnerabilities and their details for all devices, on a per-device basis.
+
+There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved:
+
+- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export software vulnerabilities assessment (OData)
+
+### 1.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
+
+#### Limitations
+
+>- Maximum page size is 200,000.
+>
+>- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 1.3 URL
+
+```http
+GET /api/machines/SoftwareVulnerabilitiesByMachine
+```
+
+### 1.4 Parameters
+
+- pageSize (default = 50,000) ΓÇô number of results in response
+- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+
+### 1.5 Properties
+>
+>[!Note]
+>
+>- Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+>
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+>
+>- The properties defined in the following table are listed alphanumerically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
+>
+
+Property (id) | Data type | Description | Example of a returned value
+:|:|:|:
+CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992
+CvssScore | string | The CVSS score of the CVE. | 6.2
+DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
+DiskPaths | Array\[string\] | Disk evidence that the product is installed on the device. | [ "C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe" ]
+ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) | ExploitIsInKit
+FirstSeenTimestamp | string | First time the CVE of this product was seen on the device. | 2020-11-03 10:13:34.8476880
+Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!
+LastSeenTimestamp | string | Last time the CVE was seen on the device. | 2020-11-03 10:13:34.8476880
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
+RecommendationReference | string | A reference to the recommendation ID related to this software. | va-_-microsoft-_-silverlight
+RecommendedSecurityUpdate (optional) | string | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates
+RecommendedSecurityUpdateId (optional) | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles | 4550961
+RegistryPaths | Array\[string\] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftSilverlight" ]
+SoftwareName | string | Name of the software product. | chrome
+SoftwareVendor | string | Name of the software vendor. | google
+SoftwareVersion | string | Version number of the software product. | 81.0.4044.138
+VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape. | Medium
+
+### 1.6 Examples
+
+#### 1.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pageSize=5
+```
+
+#### 1.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetVulnerability)",
+    "value": [
+        {
+            "id": "00044f612345baf759462dbe6db733b6a9c59ab4_edge_10.0.17763.1637__",
+            "deviceId": "00044f612345daf756462bde6bd733b9a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eed224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d089e79bdfa178eabfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "edge",
+            "softwareVersion": "10.0.17763.1637",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [],
+            "lastSeenTimestamp": "2020-12-30 14:17:26",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-edge"
+        },
+        {
+            "id": "00044f912345baf756462bde6db733b9a9c56ad4_.net_framework_4.0.0.0__",
+            "deviceId": "00044f912345daf756462bde6db733b6a9c59ad4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e79bdfa178eabfa25e8de6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": ".net_framework",
+            "softwareVersion": "4.0.0.0",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
+            ],
+            "lastSeenTimestamp": "2020-12-30 13:18:33",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-.net_framework"
+        },
+        {
+            "id": "00044f912345baf756462dbe6db733d6a9c59ab4_system_center_2012_endpoint_protection_4.10.209.0__",
+            "deviceId": "00044f912345daf756462bde6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eed80b089e79bdfa178eadfa25e8be6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "system_center_2012_endpoint_protection",
+            "softwareVersion": "4.10.209.0",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+            ],
+            "lastSeenTimestamp": "2020-12-30 14:17:26",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-system_center_2012_endpoint_protection"
+        },
+        {
+            "id": "00044f612345bdaf759462dbe6bd733b6a9c59ab4_onedrive_20.245.1206.2__",
+            "deviceId": "00044f91234daf759492dbe6bd733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_189663d45612eed224b2be2f5ea3142729e63f16a.DomainPII_21eed80b086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "onedrive",
+            "softwareVersion": "20.245.1206.2",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_USERS\\S-1-5-21-2944539346-1310925172-2349113062-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
+            ],
+            "lastSeenTimestamp": "2020-12-30 13:18:33",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-onedrive"
+        },
+        {
+            "id": "00044f912345daf759462bde6db733b6a9c56ab4_windows_10_10.0.17763.1637__",
+            "deviceId": "00044f912345daf756462dbe6db733d6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eeb224d2be2f5ea3142729e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "windows_10",
+            "softwareVersion": "10.0.17763.1637",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [],
+            "lastSeenTimestamp": "2020-12-30 14:17:26",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-windows_10"
+        }
+    ],
+    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+```
+
+## 2. Export software vulnerabilities assessment (via files)
+
+### 2.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
+
+#### 2.1.2 Limitations
+
+Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 2.3 URL
+
+```http
+GET /api/machines/SoftwareVulnerabilitiesExport
+```
+
+### 2.4 Parameters
+
+- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours)
+
+### 2.5 Properties
+
+>[!Note]
+>
+>- The files are gzip compressed & in multiline Json format.
+>
+>- The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+>
+>- For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+>
+
+>[!Note]
+>
+>- Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+>
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+>
+>- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
+>
+
+Property (id) | Data type | Description | Example of a returned value
+:|:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization. | [ ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
+GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z
+
+### 2.6 Examples
+
+#### 2.6.1 Request example
+
+```http
+GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabilitiesExport
+```
+
+#### 2.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+    "exportFiles": [
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c002.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=..."
+    ],
+    "generatedTime": "2021-01-11T11:01:00Z"
+}
+```
+
+## See also
+
+- [Export assessment methods and properties per device](get-assessmnt-1methods-properties.md)
+
+- [Export secure configuration assessment per device](get-assessmnt-secure-cfg.md)
+
+- [Export software inventory assessment per device](get-assessmnt-software-inventory.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
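Review bot: In section 2.5 the note "The download URLs are only valid for 3 hours; otherwise you can use the parameter" never names the parameter; it should point to `sasValidHours` from section 2.4 and repeat its 24-hour maximum. The second note tells readers to choose a `pageSize`, but section 2.4 lists only `sasValidHours` for this endpoint, so either document `pageSize` here or drop that bullet. The property table uses "Export files" and "GeneratedTime" while the response example returns `exportFiles` and `generatedTime`; use the JSON names. The request example host (`api-us.securitycenter.contoso.com`) differs from the host in the response's `@odata.context`. Each `exportFiles` URL carries its own `sp=r`, `se=` and `sig=` query parameters, so add a line saying the URLs grant read access until they expire and should not be logged or shared; the example rightly elides the signature. Under See also, check the `get-assessmnt-1methods-properties.md` target, since the stray "1" looks like a typo.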
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
The following fields are collected:
| cloud_service.service_uri | URI used to communicate with the cloud. | | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | | cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
+| cloud_service.automatic_definition_update_enabled | Whether automatic definition update is turned on or not. |
| edr.early_preview | Whether the device should run EDR early preview features. | | edr.group_id | Group identifier used by the detection and response component. | | edr.tags | User-defined tags. |
The following fields are collected:
| antivirus_engine.scan_cache_maximum | Size of the product cache. | | antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. | | antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
+| antivirus_engine.threat_type_settings | Configuration for how different threat types are handled by the product. |
| filesystem_scanner.full_scan_directory | Full scan directory. | | filesystem_scanner.quick_scan_directories | List of directories used in quick scan. | | edr.latency_mode | Latency mode used by the detection and response component. |
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
## 101.29.64 (30.121042.12964.0)
+- Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
+- `mdatp diagnostic real-time-protection-statistics` now supports two additional switches:
+ - `--sort`: sorts the output descending by total number of files scanned
+ - `--top N`: displays the top N results (only works if `--sort` is also specified)
- Performance improvements & bug fixes ## 101.25.72 (30.121022.12563.0)
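Review bot: The `--top N` bullet says it "only works if `--sort` is also specified" but not what happens otherwise; state whether the switch is ignored or the command fails. The auto-remediation bullet is a behavior change for anyone scripting on-demand scans from the command-line client, so it should say where the remediated threats can be reviewed afterwards. Its second sentence, about scans "triggered through the user interface", is word for word the macOS release note for the same version; confirm it applies to the Linux product before publishing.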
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
The following fields are collected:
| cloud_service.service_uri | URI used to communicate with the cloud. | | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | | cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
+| cloud_service.automatic_definition_update_enabled | Whether automatic definition update is turned on or not. |
| edr.early_preview | Whether the device should run EDR early preview features. | | edr.group_id | Group identifier used by the detection and response component. | | edr.tags | User-defined tags. |
The following fields are collected:
| antivirus_engine.scan_cache_maximum | Size of the product cache. | | antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. | | antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
+| antivirus_engine.threat_type_settings | Configuration for how different threat types are handled by the product. |
| filesystem_scanner.full_scan_directory | Full scan directory. | | filesystem_scanner.quick_scan_directories | List of directories used in quick scan. | | edr.latency_mode | Latency mode used by the detection and response component. |
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> [!IMPORTANT] > On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+## 101.29.64 (20.121042.12964.0)
+
+- Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
+- `mdatp diagnostic real-time-protection-statistics` now supports two additional switches:
+ - `--sort`: sorts the output descending by total number of files scanned
+ - `--top N`: displays the top N results (only works if `--sort` is also specified)
+- Performance improvements (specifically for when YARN is used) & bug fixes
+ ## 101.27.50 (20.121022.12750.0) - Fix to accommodate for Apple certificate expiration for macOS Catalina and earlier. This fix restores Threat & Vulnerability Management (TVM) functionality.
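Review bot: "YARN" in the performance bullet is ambiguous as written; name the tool that is meant and use its usual capitalization so readers can tell whether the fix affects them. The auto-remediation bullet changes what a command-line scan does to detected files, so it should state which action is applied and how to review it afterwards.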
security Product Long https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/includes/product-long.md
+Microsoft Defender for Identity
security Product Short https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/includes/product-short.md
+Defender for Identity
security Manage Security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/manage-security-alerts.md
+
+ Title: Microsoft Defender for Identity security alerts in Microsoft 365 Defender
+description: Learn how to manage and review security alerts issued by Microsoft Defender for Identity in Microsoft 365 Defender
Last updated : 05/20/2021+++++++
+# Defender for Identity security alerts in Microsoft 365 Defender
+
+**Applies to:**
+
+- Microsoft 365 Defender
+- Defender for Identity
+
+This article explains the basics of how to work with [Microsoft Defender for Identity](/defender-for-identity) security alerts in the [Microsoft 365 security center](/microsoft-365/security/defender/overview-security-center).
+
+Defender for Identity alerts are natively integrated into the [Microsoft 365 security center](https://security.microsoft.com) with a dedicated Identity alert page format. This marks the first step in the journey to [introduce the full Microsoft Defender for Identity experience into Microsoft 365 Defender](/defender-for-identity/defender-for-identity-in-microsoft-365-defender).
+
+The new Identity alert page gives Microsoft Defender for Identity customers better cross-domain signal enrichment and new automated identity response capabilities. It ensures that you stay secure and helps improve the efficiency of your security operations.
+
+One of the benefits of investigating alerts through [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) is that Microsoft Defender for Identity alerts are further correlated with information obtained from each of the other products in the suite. These enhanced alerts are consistent with the other Microsoft 365 Defender alert formats originating from [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). The new page effectively eliminates the need to navigate to another product portal to investigate alerts associated with identity.
+
+Alerts originating from Defender for Identity can now trigger the [Microsoft 365 Defender automated investigation and response (AIR)](/microsoft-365/security/defender/m365d-autoir) capabilities, including automatically remediating alerts and the mitigation of tools and processes that can contribute to the suspicious activity.
+
+>[!IMPORTANT]
+>As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
+
+## Review security alerts
+
+Alerts can be accessed from multiple locations, including the **Alerts** page, the **Incidents** page, the pages of individual **Devices**, and from the **Advanced hunting** page. In this example, we'll review the **Alerts page**.
+
+In the [Microsoft 365 security center](https://security.microsoft.com/), go to **Incidents & alerts** and then to **Alerts**.
+
+![Go to Incidents and Alerts, then Alerts](../../media/defender-identity/incidents-alerts.png)
+
+To see alerts from Defender for Identity, on the top-right select **Filter**, and then under **Service sources** select **Microsoft Defender for Identity**, and select **Apply**:
+
+![Filter for Defender for Identity events](../../media/defender-identity/filter-defender-for-identity.png)
+
+The alerts are displayed with information in the following columns: **Alert name**, **Tags**, **Severity**, **Investigation state**, **Status**, **Category**, **Detection source**, **Impacted assets**, **First activity**, and **Last activity**.
+
+![Defender for Identity events](../../media/defender-identity/filtered-alerts.png)
+
+## Manage alerts
+
+If you click the **Alert name** for one of the alerts, you'll go to the page with details about the alert. In the left pane, you'll see a summary of **What happened**:
+
+![What happened in alert](../../media/defender-identity/what-happened.png)
+
+Above the **What happened** box are buttons for the **Accounts**, **Destination Host** and **Source Host** of the alert. For other alerts, you might see buttons for details about additional hosts, accounts, IP addresses, domains, and security groups. Select any of them to get more details about the entities involved.
+
+On the right pane, you'll see the **Alert details**. Here you can see more details and perform several tasks:
+
+- **Classify this alert** - Here you can designate this alert as a **True alert** or **False alert**
+
+ ![Classify alert](../../media/defender-identity/classify-alert.png)
+
+- **Alert state** - In **Set Classification**, you can classify the alert as **True** or **False**. In **Assigned to**, you can assign the alert to yourself or unassign it.
+
+ ![Alert state](../../media/defender-identity/alert-state.png)
+
+- **Alert details** - Under **Alert details**, you can find more information about the specific alert, follow a link to documentation about the type of alert, see which incident the alert is associated with, review any automated investigations linked to this alert type, and see the impacted devices and users.
+
+ ![Alert details](../../media/defender-identity/alert-details.png)
+
+- **Comments & history** - Here you can add your comments to the alert, and see the history of all actions associated with the alert.
+
+ ![Comments and history](../../media/defender-identity/comments-history.png)
+
+- **Manage alert** - If you select **Manage alert**, you'll go to a pane that will allow you to edit the:
+ - **Status** - You can choose **New**, **Resolved** or **In progress**.
+ - **Classification** - You can choose **True alert** or **False alert**.
+ - **Comment** - You can add a comment about the alert.
+
+ If you select the three dots next to **Manage alert**, you can **Consult a threat expert**, **Export** the alert to an Excel file, or **Link to another incident**.
+
+ ![Manage alert](../../media/defender-identity/manage-alert.png)
+
+ >[!NOTE]
+ >In the Excel file, you now have two links available: **View in Microsoft Defender for Identity** and **View in Microsoft 365 Defender**. Each link will bring you to the relevant portal, and provide information about the alert there.
+
+## See also
+
+- [Investigate alerts in Microsoft 365 Defender](../defender/investigate-alerts.md)
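Review bot: The right-pane list under "Manage alerts" describes classification three times with different labels: "Classify this alert" offers **True alert** or **False alert**, "Alert state" offers **True** or **False** under **Set Classification**, and "Manage alert" lists **Classification** again. Merge these or explain how they differ, and use one pair of labels throughout. In the introduction, "It ensures that you stay secure" promises more than an alert page can deliver; describe what the page shows instead.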
security First Incident Post https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-post.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-National Institute of Standards and Technology (NIST) recommends that once all steps have been taken to recover from the attack, organizations must review the incident to learn from it and learn and improve security posture or processes. Assessing the different aspects of incident-handling becomes important in preparing for the next incident.
+National Institute of Standards and Technology (NIST) recommends that once all steps have been taken to recover from the attack, organizations must review the incident to learn from it and improve security posture or processes. Assessing the different aspects of incident-handling becomes important in preparing for the next incident.
Microsoft 365 Defender can assist in performing post-incident activities by providing an organization with alerts that align with [MITRE ATT&CK Framework](https://attack.mitre.org/). All Microsoft Defender solutions label attacks in accordance with an ATT&CK tactic or technique.
security Get Incident Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-incident-notifications.md
Follow these steps to create a new rule and customize email notification setting
To edit an existing rule, select it from the list of rules. On the pane with the rule name, select **Edit rule** and make your changes on the **Basics**, **Notification settings**, and **Recipients** pages.
-To edit an existing rule, select it from the list of rules. On the pane with the rule name, select **Delete**.
+To delete a rule, select it from the list of rules. On the pane with the rule name, select **Delete**.
## See also - [Incidents overview](incidents-overview.md)
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
You can also select the **Open the main alert page** action from the **Manage al
An alert page is composed of these sections: -- Alert story-- Actions taken (including impacted assets)-- Related events
+- Alert story, which is the chain of events and alerts related to this alert in chronological order
- Summary details :::image type="content" source="../../media/investigate-alerts/alerts-ss-alerts-main.png" alt-text="Example of the details page of an alert in the Microsoft 365 security center":::
-Throughout an alert page, you can select the ellipses (**...**) beside any entity to see available actions, such as opening the specific asset page or taking specific remediation steps.
+Throughout an alert page, you can select the ellipses (**...**) beside any entity to see available actions, such as opening the alert page or linking the alert to another incident.
### Analyze affected assets
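Review bot: The rewritten sentence still says you select the ellipses "beside any entity", but the new examples ("opening the alert page or linking the alert to another incident") are actions on the alert, not on an entity. Either keep entity-level examples or change "beside any entity" to match where the menu appears.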
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
Here's an example.
:::image type="content" source="../../media/investigate-incidents/incident-alerts.png" alt-text="Example of an Alerts page for an incident":::
-By default, the alerts are ordered chronologically to allow you to see how the incident played out over time. Selecting each alert takes you to the alert's main page where you can conduct an in-depth analysis of that alert.
+By default, the alerts are ordered chronologically to allow you to see how the incident played out over time.
+When you select an alert within an incident, Microsoft 365 Defender displays the alert information specific to the context of the overall incident.
+
+You can see the events of the alert, which other triggered alerts caused the current alert, and all the affected entities and activities involved in the attack, including files, users, and mailboxes.
+
+Here's an example.
++
+This incident alert page is composed of these sections:
+
+- Alert story, which includes a summary of what happened
+- Related events and alerts
+- Summary details
Learn how to use the alert queue and alert pages in [investigate alerts](investigate-alerts.md).
The **Users** tab lists all the users that have been identified to be part of or
:::image type="content" source="../../media/investigate-incidents/incident-users.png" alt-text="Example of a Users page for an incident":::
-You can select the check mark for a user to see details of the user account threat, exposure, and contact information.
-Select the user name to see additional user account details.
+You can select the check mark for a user to see details of the user account threat, exposure, and contact information. Select the user name to see additional user account details.
+
+Learn how to view additional user information and manage the users of an incident in [investigate users](investigate-users.md).
+ ## Mailboxes
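Review bot: The added bullet "Alert story, which includes a summary of what happened" defines the section differently from the investigate-alerts.md change in the same batch ("the chain of events and alerts related to this alert in chronological order"); align the two definitions. The added "Here's an example." is followed only by the section list, so check that its image reference is present. "which other triggered alerts caused the current alert" would read more clearly as "which other alerts triggered the current alert".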
security Microsoft 365 Security Mdo Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mdo-redirection.md
To start routing accounts to the Microsoft 365 security center at security.micro
> After redirection is enabled, accounts in active sessions while this setting is applied will not be ejected from their session and will only be routed to the Microsoft 365 security center after ending their current session and signing back in again. ## Can I go back to using the former portal?
-If something isnΓÇÖt working for you or if thereΓÇÖs anything youΓÇÖre unable to complete through the Microsoft 365 security center portal, we want to hear about it using the portal feedback option. If youΓÇÖve encountered any issues with redirection, we encourage you to reach out to your PM buddy directly through private preview or let us know via the Give feedback submission form.
+If something isnΓÇÖt working for you or if thereΓÇÖs anything youΓÇÖre unable to complete through the Microsoft 365 security center portal, we want to hear about it using the portal feedback option. If youΓÇÖve encountered any issues with redirection, please let us know.
To revert to the former portal: 1. [Sign in](https://security.microsoft.com/) to the Microsoft 365 security center as a global administrator or using and account with security administrator permissions in Azure Active directory.
-2. Navigate to **Settings** > **Endpoints** > **General** > **Portal redirection**.
+2. Navigate to **Settings** > **Email & collaboration** > **Portal redirection**.
3. Toggle the Automatic redirection setting to **Off**.
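Review bot: The replacement text "please let us know" removes the named channels without saying how to report a redirection issue; point back to the portal feedback option mentioned in the previous sentence. While this procedure is being touched, step 1 in the unchanged context has "using and account" and "Azure Active directory", which should be "using an account" and "Azure Active Directory".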
security Microsoft Secure Score Whats Coming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-coming.md
Microsoft Secure Score can be found at https://security.microsoft.com/securescor
We're making some changes in the near future to make [Microsoft Secure Score](microsoft-secure-score.md) a better representative of your security posture and improve usability. Your score and the maximum possible score may change.
-### No Planned Changes
+### June 2021
-There are no planned changes at this time.
+#### Remove improvement action related to Microsoft Cloud App Security
+
+- Use Cloud App Security to detect anomalous behavior
## Related resources
security Advanced Spam Filtering Asf Options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-spam-filtering-asf-options.md
For each ASF setting, the following options are available in anti-spam policies:
The following ASF settings set the spam confidence level (SCL) of detected messages to 5 or 6, which corresponds to the **Spam** filter verdict and the corresponding action in anti-spam policies.
+<br>
+ **** |Anti-spam policy setting|Description|X-header added|
The following ASF settings set the spam confidence level (SCL) of detected messa
The following ASF settings set the SCL of detected messages to 9, which corresponds to the **High confidence spam** filter verdict and the corresponding action in anti-spam policies.
+<br>
+ **** |Anti-spam policy setting|Description|X-header added|
The following ASF settings set the SCL of detected messages to 9, which correspo
|**SPF record: hard fail** <p> *MarkAsSpamSpfRecordHardFail*|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF Record Fail`| |**Conditional Sender ID filtering: hard fail** <p> *MarkAsSpamFromAddressAuthFail*|Messages that hard fail a conditional Sender ID check are marked as spam. <p> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF From Record Fail`| |**NDR backscatter** <p> *MarkAsSpamNdrBackscatter*|*Backscatter* is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](backscatter-messages-and-eop.md). <p> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered, and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route *outbound* email through EOP.</li></ul> <p> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs will be delivered to the original message sender. Some, but not all, backscatter are marked as high confidence spam. By definition, backscatter can only be delivered to the spoofed sender, not to the original sender.</li></ul> <p> Test mode is not available for this setting.|`X-CustomSpam: Backscatter NDR`|
-|
+|