Updates from: 06/01/2022 01:18:10
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Communication Compliance Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-plan.md
Before getting started with [communication compliance](communication-compliance.
For more information and an overview of the planning process to address compliance and risky activities in your organization, see [Starting an insider risk management program](https://download.microsoft.com/download/b/2/0/b208282a-2482-4986-ba07-15a9b9286df0/pwc-starting-an-insider-risk-management-program-with-pwc-and-microsoft.pdf).
+You can also check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) on how insider risk management and communication compliance work together to help minimize data risks from users in your organization.
+ > [!IMPORTANT] > Communication compliance is currently available in tenants hosted in geographical regions and countries supported by Azure service dependencies. To verify that communication compliance is supported for your organization, see [Azure dependency availability by country/region](/troubleshoot/azure/general/dependency-availability-by-country).
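Review bot: The sentence "You can also check out the Microsoft Mechanics video ... on how insider risk management and communication compliance work together" added here is added almost verbatim to three other articles in this same batch (communication-compliance.md, insider-risk-management-plan.md and insider-risk-management.md); consider moving it into a shared include file so the four copies cannot drift when the video link changes. The new `> [!IMPORTANT]` callout is likewise identical to the one added to insider-risk-management.md apart from the product name and could use the same approach. The added lines also carry a leading space after the `+`, which indents the callout by one space in the source; harmless for rendering, but worth trimming.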
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
For a quick overview of communication compliance, see the [Detect workplace hara
Check out how [TD Securities is using communication compliance](https://customers.microsoft.com/story/1391545301764211731-td-securities-banking-capital-markets-compliance) to address their regulatory obligations and meet their security and stability needs.
+Check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) on how insider risk management and communication compliance work together to help minimize data risks from users in your organization.
+ To keep up with the latest communication compliance updates, select **What's new** in [communication compliance](https://compliance.microsoft.com/) for your organization. > [!IMPORTANT]
compliance Insider Risk Management Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-plan.md
Watch the video below to learn how the insider risk management workflow can help
>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4OUXB]
+Check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) on how insider risk management and communication compliance work together to help minimize data risks from users in your organization.
+ ## Work with stakeholders in your organization Identify the appropriate stakeholders in your organization to collaborate for taking actions on insider risk management alerts and cases. Some recommended stakeholders to consider including in initial planning and the end-to-end [insider risk management workflow](insider-risk-management.md#workflow) are people from the following areas of your organization:
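Review bot: In the added line beginning `## Work with stakeholders in your organization`, the heading and the paragraph "Identify the appropriate stakeholders in your organization..." appear on the same line; confirm the source has a line break and a blank line between them, otherwise the heading will render as body text. The line also starts with a space after the `+`, so the heading marker would be indented by one space; trim it so `##` sits at column one.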
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
Watch the videos below to learn how insider risk management can help your organi
**Insider risk management workflow**: >[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4OUXB]
+Check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) on how insider risk management and communication compliance work together to help minimize data risks from users in your organization.
+ > [!IMPORTANT] > Insider risk management is currently available in tenants hosted in geographical regions and countries supported by Azure service dependencies. To verify that insider risk management is supported for your organization, see [Azure dependency availability by country/region](/troubleshoot/azure/general/dependency-availability-by-country).
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
Other mailbox types, such as RoomMailbox that is used for Teams conference rooms
Teams uses an Azure-powered chat service as its primary storage for all messages (chats and channel messages). If you need to delete Teams messages for compliance reasons, retention policies for Teams can delete messages after a specified period, based on when they were created. Messages are then permanently deleted from both the Exchange mailboxes where they stored for compliance operations, and from the primary storage used by the underlying Azure-powered chat service. For more information about the underlying architecture, see [Security and compliance in Microsoft Teams](/MicrosoftTeams/security-compliance-overview) and specifically, the [Information Protection Architecture](/MicrosoftTeams/security-compliance-overview#information-protection-architecture) section.
-Although this data from Teams chats and channel messages are stored in mailboxes, you must configure a retention policy for the **Teams channel messages** and **Teams chats** locations. Teams chats and channel messages aren't included in retention policies that are configured for Exchange user or group mailboxes. Similarly, retention policies for Teams don't affect other email items stored mailboxes.
+Although this data from Teams chats and channel messages are stored in mailboxes, you must configure a retention policy for the **Teams channel messages** and **Teams chats** locations. Teams chats and channel messages aren't included in retention policies that are configured for Exchange user or group mailboxes. Similarly, retention policies for Teams don't affect other email items stored in mailboxes.
If a user is added to a chat, a copy of all messages shared with them are ingested into their mailbox. The created date of those messages doesn't change for the new user and remains the same for all users.
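Review bot: The corrected sentence still has a number-agreement problem at its start: "Although this data from Teams chats and channel messages are stored in mailboxes" pairs the singular "this data" with the plural "are stored". Suggest "Although Teams chats and channel messages are stored in mailboxes, you must configure a retention policy for the **Teams channel messages** and **Teams chats** locations", which also drops the vague "this data" that has no antecedent in the paragraph.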
After a retention policy is configured for chat and channel messages, a timer jo
Messages remain in the SubstrateHolds folder for at least 1 day, and then if they're eligible for deletion, the timer job permanently deletes them the next time it runs. > [!IMPORTANT]
-> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence) and since Teams chat and channel messages are stored in Exchange Online mailboxes, permanent deletion from the SubstrateHolds folder is always suspended if the mailbox is affected by another retention policy for the same location, Litigation Hold, delay hold, or if an eDiscovery hold is applied to the mailbox for legal or investigative reasons.
+> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence) and since Teams chat and channel messages are stored in Exchange Online mailboxes, permanent deletion from the SubstrateHolds folder is always suspended if the mailbox is affected by another Teams retention policy for the same location, Litigation Hold, delay hold, or if an eDiscovery hold is applied to the mailbox for legal or investigative reasons.
> > While the mailbox is included in an applicable hold, Teams chat and channel messages that have been deleted will no longer be visible in the Teams app but will continue to be discoverable with eDiscovery.
When external users are included in a meeting that your organization hosts:
## When a user leaves the organization
-If a user who has a mailbox in Exchange Online leaves your organization and their Microsoft 365 account is deleted, their chat messages that are subject to retention are stored in an inactive mailbox. The chat messages remain subject to any retention policy that was placed on the user before their mailbox was made inactive, and the contents are available to an eDiscovery search. For more information, see [Inactive mailboxes in Exchange Online](inactive-mailboxes-in-office-365.md).
+If a user who has a mailbox in Exchange Online leaves your organization and their Microsoft 365 account is deleted, their chat messages that are subject to retention are stored in an inactive mailbox. The chat messages remain subject to any retention policy that was placed on the user before their mailbox was made inactive, and the contents are available to an eDiscovery search. For more information, see [Learn about inactive mailboxes](inactive-mailboxes-in-office-365.md).
If the user stored any files in Teams, see the [equivalent section](retention-policies-sharepoint.md#when-a-user-leaves-the-organization) for SharePoint and OneDrive.
compliance Retention Policies Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-yammer.md
Even though they are stored in Exchange, Yammer messages are only included in a
After a retention policy is configured for Yammer messages, a timer job from the Exchange service periodically evaluates items in the hidden folder where these Yammer messages are stored. The timer job takes up to seven days to run. When these items have expired their retention period, they're moved to the SubstrateHolds folder—a hidden folder that's in every user or group mailbox to store "soft-deleted" items before they're permanently deleted. > [!IMPORTANT]
-> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence) and since Yammer messages are stored in Exchange Online mailboxes, permanent deletion from the SubstrateHolds folder is always suspended if the mailbox is affected by another retention policy for the same location, Litigation Hold, delay hold, or if an eDiscovery hold is applied to the mailbox for legal or investigative reasons.
+> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence) and since Yammer messages are stored in Exchange Online mailboxes, permanent deletion from the SubstrateHolds folder is always suspended if the mailbox is affected by another Yammer retention policy for the same location, Litigation Hold, delay hold, or if an eDiscovery hold is applied to the mailbox for legal or investigative reasons.
> > While the mailbox is included in an applicable hold, Yammer messages that have been deleted will no longer be visible in Yammer but will continue to be discoverable with eDiscovery.
For the two paths in the diagram:
2. **If a Yammer message is not deleted** and for current messages after editing, the message is moved to the SubstrateHolds folder after the retention period expires. This action takes up to seven days from the expiry date. When the message is in the SubstrateHolds folder, it's then immediately permanently deleted. > [!NOTE]
-> Messages in the SubstrateHolds folder are searchable by eDiscovery tools. Until messages are permanently deleted (in the SubstrateHolds folder), they remain searchable by eDiscovery tools.
+> Messages in the SubstrateHolds folder are searchable by eDiscovery tools. Until messages are permanently deleted from the SubstrateHolds folder, they remain searchable by eDiscovery tools.
+
+When the retention period expires and moves a message to the SubstrateHolds folder, a delete operation is communicated to the Yammer service, that then relays the same operation to the Yammer client app. Delays in this communication or caching can explain why, for a short period of time, users continue to see these messages in their Yammer app.
+
+In this scenario where the Yammer service receives a delete command because of a retention policy, the corresponding message in the Yammer app is deleted for all users in the conversation. Some of these users might be from another organization, have a retention policy with a longer retention period, or no retention policy assigned to them. For these users, copies of the messages are still stored in their mailboxes and remain searchable for eDiscovery until the messages are permanently deleted by another retention policy.
+
+> [!IMPORTANT]
+> Messages visible in the Yammer app are not an accurate reflection of whether they are retained or permanently deleted for compliance requirements.
When the retention policy is retain-only, or delete-only, the content's paths are variations of retain and delete.
At this time, Azure B2B guest users are not supported.
## When a user leaves the organization
-If a user leaves your organization and their Microsoft 365 account is deleted, their Yammer user messages that are subject to retention are stored in an inactive mailbox. These messages remain subject to any retention policy that was placed on the user before their mailbox was made inactive, and the contents are available to an eDiscovery search. For more information, see [Inactive mailboxes in Exchange Online](inactive-mailboxes-in-office-365.md).
+If a user leaves your organization and their Microsoft 365 account is deleted, their Yammer user messages that are subject to retention are stored in an inactive mailbox. These messages remain subject to any retention policy that was placed on the user before their mailbox was made inactive, and the contents are available to an eDiscovery search. For more information, see [Learn about inactive mailboxes](inactive-mailboxes-in-office-365.md).
If the user stored any files in Yammer, see the [equivalent section](retention-policies-sharepoint.md#when-a-user-leaves-the-organization) for SharePoint and OneDrive.
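Review bot: In the added paragraph "When the retention period expires and moves a message to the SubstrateHolds folder, a delete operation is communicated to the Yammer service, that then relays the same operation to the Yammer client app", the comma before "that" calls for "which" (or drop the comma), and the retention period is made the agent that "moves" the message; suggest "When the retention period expires and the message is moved to the SubstrateHolds folder, a delete operation is sent to the Yammer service, which then relays it to the Yammer client app." Separately, the unchanged path 2 text above says a message in the SubstrateHolds folder "is then immediately permanently deleted", which sits awkwardly beside the revised note that messages stay searchable "until messages are permanently deleted from the SubstrateHolds folder"; a reader cannot tell how long that window actually is, so consider stating it.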
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Yes. The Office 365 Management Activity API is used to fetch the audit logs prog
**Are there other ways to get auditing logs other than using the security and compliance portal or the Office 365 Management Activity API?**
-No. These are the only two ways to get data from the auditing service.
+Yes, You can retrieve audit logs by using the following methods:
+
+- The [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference).
+
+- The [audit log search tool](search-the-audit-log-in-security-and-compliance.md) in the Microsoft Purview compliance portal.
+
+- The [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet in Exchange Online PowerShell.
**Do I need to individually enable auditing in each service that I want to capture audit logs for?**
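Review bot: The new answer lists the two methods the question already excludes ("other than using the security and compliance portal or the Office 365 Management Activity API"), so only the `Search-UnifiedAuditLog` bullet actually answers it. Either reword the question to "What are the ways to get audit logs?" so the three-item list fits, or keep the question and reduce the answer to the Exchange Online PowerShell cmdlet. Also "Yes, You can retrieve audit logs" should be "Yes. You can retrieve audit logs".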
enterprise Microsoft 365 Mailbox Utilization Service Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts.md
- admindeeplinkEXCHANGE f1.keywords: - NOCSH
-description: "Use mailbox utilization service alerts to monitor mailboxes on hold that are reaching their mailbox quota."
+description: "Use mailbox utilization service advisories to monitor mailboxes on hold that are reaching their mailbox quota."
-# Service alerts for mailbox utilization in Exchange Online monitoring
+# Service advisories for mailbox utilization in Exchange Online monitoring
-We've released a new Exchange Online service alert that informs you of mailboxes that are on hold that are at risk of reaching or exceeding their quota. These service alerts provide visibility to the number of mailboxes in your organization that may require admin intervention.
+We've released a new Exchange Online service advisories that informs you of mailboxes that are on hold that are at risk of reaching or exceeding their quota. These service advisories provide visibility to the number of mailboxes in your organization that may require admin intervention.
-These service alerts are displayed in the Microsoft 365 admin center. To view these service alerts, go to **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service health**</a> > **Exchange Online** and then click the **Active issues** tab. Here's an example of a mailbox utilization service alert.
+These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, go to **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service health**</a> > **Exchange Online** and then click the **Active issues** tab. Here's an example of a mailbox utilization service advisory.
:::image type="content" alt-text="Mailbox utilization service alert." source="../media/MailboxUtilizationServiceAlert.png" lightbox="../media/MailboxUtilizationServiceAlert.png":::
-To display a list of mailboxes that are nearing their storage quota (called the *mailbox usage report*), click the highlighted link in the following screenshot. This link is displayed in the service alert.
+To display a list of mailboxes that are nearing their storage quota (called the *mailbox usage report*), click the highlighted link in the following screenshot. This link is displayed in the service advisory.
:::image type="content" alt-text="Link to mailbox usage report." source="../media/LinkToMailboxUsageReport.png" lightbox="../media/LinkToMailboxUsageReport.png"::: Alternatively, the direct URL to the mailbox usage report is <https://admin.microsoft.com/Adminportal/Home?source=applauncher#/reportsUsage/MailboxUsage>.
-## What do these service alerts indicate?
+## What do these service advisories indicate?
-The service alerts for mailbox utilization inform admins about mailboxes on hold that are nearing the mailbox storage quota. The type of holds that that can be placed on mailboxes include Litigation holds, eDiscovery hold, and Microsoft 365 retention policies (that are configured to retain data). When a mailbox is on hold, users (or automated processes) can't permanently remove data from their mailbox. Instead, admins must configure MRM retention policies in Exchange Online (inline with their organization's compliance policies related to data retention) to move data from a user's primary mailbox to their archive mailbox. If not and a mailbox on a hold reaches a critical or warning state, admins have to [enable archive mailboxes](../compliance/enable-archive-mailboxes.md) and [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md) and then make sure that the retention period for the archive policy assigned to the mailbox (that moves email from the primary mailbox to the archive mailbox) is short enough. If nothing is done to resolve the quota issues that are identified by the mailbox utilization service alerts, then users might not be able to send or receive email messages or meeting invites.
+The service advisories for mailbox utilization inform admins about mailboxes on hold that are nearing the mailbox storage quota. The type of holds that that can be placed on mailboxes include Litigation holds, eDiscovery hold, and Microsoft 365 retention policies (that are configured to retain data). When a mailbox is on hold, users (or automated processes) can't permanently remove data from their mailbox. Instead, admins must configure MRM retention policies in Exchange Online (inline with their organization's compliance policies related to data retention) to move data from a user's primary mailbox to their archive mailbox. If not and a mailbox on a hold reaches a critical or warning state, admins have to [enable archive mailboxes](../compliance/enable-archive-mailboxes.md) and [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md) and then make sure that the retention period for the archive policy assigned to the mailbox (that moves email from the primary mailbox to the archive mailbox) is short enough. If nothing is done to resolve the quota issues that are identified by the mailbox utilization service advisory, then users might not be able to send or receive email messages or meeting invites.
-A service alert for mailbox utilization contains tables about the number of mailboxes that are nearing their quota. The following sections describe the information in these tables and the action admins can take to help ensure these mailboxes don't exceed their quota.
+A service advisory for mailbox utilization contains tables about the number of mailboxes that are nearing their quota. The following sections describe the information in these tables and the action admins can take to help ensure these mailboxes don't exceed their quota.
> [!NOTE]
-> Service alerts contain descriptions of the mailbox quota properties that appear in the columns in the tables described in the following sections.
+> Service advisories contain descriptions of the mailbox quota properties that appear in the columns in the tables described in the following sections.
### Mailboxes on hold without an archive
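Review bot: The rewritten opening sentence has a number-agreement error: "We've released a new Exchange Online service advisories that informs you" should read "a new Exchange Online service advisory that informs you". While this paragraph set is being reworded, the rename pass left some untouched defects in the "What do these service advisories indicate?" paragraph: "The type of holds that that can be placed" doubles "that", "inline with their organization's compliance policies" should be "in line with", and "If not and a mailbox on a hold reaches" reads better as "If that hasn't been done and a mailbox on hold reaches".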
Admins should also make sure that an MRM archive policy that moves items to the
### MRM retention policies in your organization
-Service alerts for mailbox utilization may also contain a table with information about the MRM retention policies in your organization and whether or not the mailboxes that are a retention policy have an archive mailbox. For more information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies).
+Service advisories for mailbox utilization may also contain a table with information about the MRM retention policies in your organization and whether or not the mailboxes that are a retention policy have an archive mailbox. For more information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies).
| RetentionPolicyGuid | MailboxType | HasMoveDumpsterToArchiveTag | HasMovePrimaryToArchiveTag | HasPersonalArchiveTag | Mailboxes | |:--|:--|:|:|:|: |
The following list describes each column in the previous table.
- **Mailboxes**: Indicates the number of mailboxes (those with or without an archive, which is indicated in the **MailboxType** column) the retention policy is assigned to.
-## How often will I see these service alerts?
+## How often will I see these service advisories?
-If you don't take action to resolve the quota issues, you can expect to see this type of service alert every four days. Subsequent service alerts may contain higher mailbox counts for other mailboxes that are nearing their quota. If you take action to resolve quota issues, this service alert will only occur when another mailbox with quota issues is identified.
+If you don't take action to resolve the quota issues, you can expect to see this type of service advisory every seven days. Subsequent service advisories may contain higher mailbox counts for other mailboxes that are nearing their quota. If you take action to resolve quota issues, this service advisory will only occur when another mailbox with quota issues is identified.
## More information
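Review bot: The cadence changes from "every four days" to "every seven days" with nothing in the change explaining why; confirm this reflects current service behaviour rather than a typo, since admins plan follow-up work around that interval. In the same region, "whether or not the mailboxes that are a retention policy have an archive mailbox" is missing a word ("mailboxes that are assigned a retention policy"), and the table's alignment row is shown as `|:--|:--|:|:|:|: |`, where the last four cells are a bare colon; GitHub-flavored markdown needs at least one dash per cell (`:--`), so check the source row is well-formed.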
enterprise Microsoft 365 Mrs Source Delays Service Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-mrs-source-delays-service-alerts.md
- Strat_O365_Enterprise f1.keywords: - NOCSH
-description: "Use mailbox migration service alerts to monitor delays in mailbox migration requests in your organization."
+description: "Use mailbox migration service advisories to monitor delays in mailbox migration requests in your organization."
-# Service alerts for MRS source delays in Exchange Online monitoring
+# Service advisories for MRS source delays in Exchange Online monitoring
-Mailbox Replication Service (MRS) source delay service alerts inform you of storage limitations or high processor utilization issues on the tenant side (migration source) that might be delaying mailbox migrations in your Microsoft 365 organization. These service alerts also includes links to Microsoft resources to help you resolve these issues.
+Mailbox Replication Service (MRS) source delay service advisories inform you of storage limitations or high processor utilization issues on the tenant side (migration source) that might be delaying mailbox migrations in your Microsoft 365 organization. These service advisories also include links to Microsoft resources to help you resolve these issues.
-These service alerts are displayed in the Microsoft 365 admin center. To view these service alerts, go to **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service health**</a> > **Exchange Online** and then click the **Active issues** tab.
+These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, go to **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service health**</a> > **Exchange Online** and then click the **Active issues** tab.
-## What do these service alerts indicate?
+## What do these service advisories indicate?
-This service alert informs you of potential delays to mailbox migrations in your organization. This includes cross-forest migrations, onboarding migrations, and offboarding migrations. The service alert contains a table with information about the current migrations in your organization. Here's an example of the table with information about migration delays.
+This service advisory informs you of potential delays to mailbox migrations in your organization. This includes cross-forest migrations, onboarding migrations, and offboarding migrations. The service advisory contains a table with information about the current migrations in your organization. Here's an example of the table with information about migration delays.
-| BatchName | ExchangeGuid | RequestGuid | DelayReason |QueuedHours | DelayInHours | SourceServer | RemoteDatabaseName |
+| BatchGuid | ExchangeGuid | RequestGuid | DelayReason |QueuedHours | DelayInHours | SourceServer | RemoteDatabaseName |
|:|:|:|:|:|:|:|:|
-|MRS Migration|246c21f7-ca3c-4bba-ab5d-23456558c52a|3d7fab16-7d8e-4c81-a849-e0795054292a|DiskLatency|35.2|27.3|RD1GBL01EXCH003|GBL01EDAG001-db002|
-|MRS Tenant Monitoring|21e9a608-78c3-44ef-a4dd-d5e7222aae82|9974aeb4-2aa4-4a2c-aeb6-d94d78cc25c9|DiskLatency|0.4|0.9|RD1GBL01EXCH010|GBL01EDAG010-db003|
+|12345678-1234-1234-1234-1234567891011|246c21f7-ca3c-4bba-ab5d-23456558c52a|3d7fab16-7d8e-4c81-a849-e0795054292a|DiskLatency|35.2|27.3|RD1GBL01EXCH003|GBL01EDAG001-db002|
+|87654321-4321-4321-4321-1101987654321|21e9a608-78c3-44ef-a4dd-d5e7222aae82|9974aeb4-2aa4-4a2c-aeb6-d94d78cc25c9|DiskLatency|0.4|0.9|RD1GBL01EXCH010|GBL01EDAG010-db003|
The following list describes each column in the previous example. -- **BatchName**: Unique name for the migration job.
+- **BatchGuid**: Unique GUID for the migration job.
- **ExchangeGuid**: The globally unique identifier (GUID) of the user mailbox that's being migrated.
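Review bot: The sample values in the new BatchGuid column are not well-formed GUIDs: `12345678-1234-1234-1234-1234567891011` and `87654321-4321-4321-4321-1101987654321` have 13 hex digits in the final group instead of 12 (a GUID is 8-4-4-4-12). Since the column description now says "Unique GUID for the migration job", use placeholders in the correct shape, for example `12345678-1234-1234-1234-123456789012`. The table's alignment row is also shown as `|:|:|:|:|:|:|:|:|`, bare colons rather than `:--`; check the source row renders.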
enterprise Multi Geo Ediscovery Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-ediscovery-configuration.md
description: Learn how to use the Region parameter to configure eDiscovery for u
Without eDiscovery (Premium) capabilities, an eDiscovery manager or administrator of a multi-geo tenant will be able to conduct eDiscovery only in the central location of that tenant. To support the ability to conduct eDiscovery for satellite locations, a new compliance security filter parameter named "Region" is available via PowerShell. This parameter can be used by tenants whose central location is in North America, Europe, or Asia Pacific. eDiscovery (Premium) is recommended for tenants whose central location is not in North America, Europe, or Asia Pacific and who need to perform eDiscovery across satellite geo locations.
-The Microsoft 365 global administrator must assign eDiscovery Manager permissions to allow others to perform eDiscovery and assign a "Region" parameter in their applicable Compliance Security Filter to specify the region for conducting eDiscovery as satellite location, otherwise, no eDiscovery will be carried out for the satellite location. Only one "Region" security filter per user is supported, so all the regions need to be inside the same security filter.
+The Microsoft 365 global administrator must assign eDiscovery Manager permissions to allow others to perform eDiscovery and assign a "Region" parameter in their applicable Compliance Security Filter to specify the region for conducting eDiscovery as satellite location, otherwise, no eDiscovery will be carried out for the satellite location. Only one "Region" security filter per user is supported.
When the eDiscovery Manager or Administrator role is set for a particular satellite location, the eDiscovery Manager or Administrator will only be able to perform eDiscovery search actions against the SharePoint sites and OneDrive sites located in that satellite location. If an eDiscovery Manager or Administrator attempts to search SharePoint or OneDrive sites outside the specified satellite location, no results will be returned. Also, when the eDiscovery Manager or Administrator for a satellite location triggers an export, data is exported to the Azure instance of that region. This helps organizations stay in compliance by not allowing content to be exported across controlled borders.
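Review bot: Dropping "so all the regions need to be inside the same security filter" leaves "Only one "Region" security filter per user is supported" without saying how an eDiscovery manager who needs several satellite regions is handled. If multiple regions in one filter are no longer supported, say so explicitly and state the alternative (the preceding paragraph already points to eDiscovery (Premium) for cross-region work); if they are still supported, the removed clause was the sentence that said so. The unchanged "as satellite location" should read "as a satellite location".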
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
+## Week of May 23, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 5/23/2022 | [Add a marketing campaign ID to a Bookings page URL](/microsoft-365/bookings/campaign-id?view=o365-21vianet) | added |
+| 5/23/2022 | [Learn about how to provide feedback to Microsoft](/microsoft-365/admin/misc/feedback-provide-microsoft?view=o365-21vianet) | modified |
+| 5/23/2022 | [Multifactor authentication for Microsoft 365](/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365?view=o365-21vianet) | modified |
+| 5/23/2022 | [Create, test, and tune a DLP policy](/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-21vianet) | modified |
+| 5/23/2022 | [What's new in the Microsoft 365 admin center?](/microsoft-365/admin/whats-new-in-preview?view=o365-21vianet) | modified |
+| 5/23/2022 | [Microsoft Purview auditing solutions](/microsoft-365/compliance/auditing-solutions-overview?view=o365-21vianet) | modified |
+| 5/23/2022 | [Host firewall reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-21vianet) | modified |
+| 5/23/2022 | [Web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-21vianet) | modified |
+| 5/23/2022 | [Email security with Threat Explorer in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-security-in-microsoft-defender?view=o365-21vianet) | modified |
+| 5/23/2022 | [Mail flow insights in the Mail flow dashboard](/microsoft-365/security/office-365-security/mail-flow-insights-v2?view=o365-21vianet) | modified |
+| 5/23/2022 | [Smart reports and insights](/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance?view=o365-21vianet) | modified |
+| 5/24/2022 | Set up Microsoft 365 Business Premium | removed |
+| 5/24/2022 | [Integrate Microsoft OneDrive LTI with Canvas](/microsoft-365/lti/onedrive-lti?view=o365-21vianet) | modified |
+| 5/24/2022 | [Use Trusted ARC senders for legitimate devices and services between the sender and receiver](/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders?view=o365-21vianet) | added |
+| 5/24/2022 | [Adjust scheduling preferences for Scheduler for Microsoft 365 Overview](/microsoft-365/scheduler/scheduler-preferences?view=o365-21vianet) | added |
+| 5/24/2022 | [What's new in Microsoft Purview](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
+| 5/24/2022 | [SIEM server integration with Microsoft 365 services and applications](/microsoft-365/security/office-365-security/siem-server-integration?view=o365-21vianet) | modified |
+| 5/24/2022 | [Investigate Microsoft Defender for Endpoint files](/microsoft-365/security/defender-endpoint/investigate-files?view=o365-21vianet) | modified |
+| 5/25/2022 | [No billing account found for buying products](/microsoft-365/commerce/no-billing-account-found?view=o365-21vianet) | added |
+| 5/25/2022 | Threats detected by Microsoft Defender Antivirus | removed |
+| 5/25/2022 | [What's new in the Microsoft 365 admin center?](/microsoft-365/admin/whats-new-in-preview?view=o365-21vianet) | modified |
+| 5/25/2022 | Important information for Office 365 E4 customers | removed |
+| 5/25/2022 | Upgrade from an Office 365 E4 subscription | removed |
+| 5/25/2022 | [Search for and delete chat messages in Teams](/microsoft-365/compliance/search-and-delete-teams-chat-messages?view=o365-21vianet) | modified |
+| 5/25/2022 | [Microsoft Defender for Endpoint evaluation lab](/microsoft-365/security/defender-endpoint/evaluation-lab?view=o365-21vianet) | modified |
+| 5/25/2022 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-21vianet) | modified |
+| 5/25/2022 | Manage and monitor priority accounts | removed |
+| 5/25/2022 | [What's new in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-whats-new?view=o365-21vianet) | modified |
+| 5/26/2022 | [Review detected threats on devices and take action](/microsoft-365/business-premium/m365bp-review-threats-take-action?view=o365-21vianet) | modified |
+| 5/26/2022 | [Learn the advanced hunting query language in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-21vianet) | modified |
+| 5/26/2022 | [Paying for your subscription with a billing profile](/microsoft-365/commerce/billing-and-payments/pay-for-subscription-billing-profile?view=o365-21vianet) | modified |
+| 5/26/2022 | [Paying for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?view=o365-21vianet) | modified |
+| 5/26/2022 | [Create a DLP policy from a template](/microsoft-365/compliance/create-a-dlp-policy-from-a-template?view=o365-21vianet) | modified |
+| 5/26/2022 | [Data Loss Prevention Reference](/microsoft-365/compliance/data-loss-prevention-policies?view=o365-21vianet) | modified |
+| 5/26/2022 | [How DLP works with Security & Compliance Center & Exchange admin center](/microsoft-365/compliance/how-dlp-works-between-admin-centers?view=o365-21vianet) | modified |
+| 5/26/2022 | [Learn about retention for Teams](/microsoft-365/compliance/retention-policies-teams?view=o365-21vianet) | modified |
+| 5/26/2022 | [Learn about retention for Yammer](/microsoft-365/compliance/retention-policies-yammer?view=o365-21vianet) | modified |
+| 5/26/2022 | [View the reports for data loss prevention](/microsoft-365/compliance/view-the-dlp-reports?view=o365-21vianet) | modified |
+| 5/26/2022 | [What DLP policy templates include](/microsoft-365/compliance/what-the-dlp-policy-templates-include?view=o365-21vianet) | modified |
+| 5/26/2022 | [Run a trial of Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/trial-syntex) | modified |
+| 5/26/2022 | [Azure ExpressRoute for Office 365](/microsoft-365/enterprise/azure-expressroute?view=o365-21vianet) | modified |
+| 5/26/2022 | [Content delivery networks](/microsoft-365/enterprise/content-delivery-networks?view=o365-21vianet) | modified |
+| 5/26/2022 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-21vianet) | modified |
+| 5/26/2022 | [Deploy Microsoft 365 Directory Synchronization in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure?view=o365-21vianet) | modified |
+| 5/26/2022 | [Diagnosing performance issues with SharePoint Online](/microsoft-365/enterprise/diagnosing-performance-issues-with-sharepoint-online?view=o365-21vianet) | modified |
+| 5/26/2022 | [Image optimization for SharePoint Online classic publishing sites](/microsoft-365/enterprise/image-optimization-for-sharepoint-online?view=o365-21vianet) | modified |
+| 5/26/2022 | [Managing ExpressRoute for Office 365 connectivity](/microsoft-365/enterprise/managing-expressroute-for-connectivity?view=o365-21vianet) | modified |
+| 5/26/2022 | [Managing Office 365 endpoints](/microsoft-365/enterprise/managing-office-365-endpoints?view=o365-21vianet) | modified |
+| 5/26/2022 | [Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-21vianet) | modified |
+| 5/26/2022 | [Configure your Event Hubs](/microsoft-365/security/defender/configure-event-hub?view=o365-21vianet) | modified |
+| 5/26/2022 | [Stream Microsoft 365 Defender events to Azure Event Hubs](/microsoft-365/security/defender/streaming-api-event-hub?view=o365-21vianet) | modified |
+| 5/27/2022 | [Deploy an information protection solution with Microsoft Purview](/microsoft-365/compliance/information-protection-solution?view=o365-21vianet) | modified |
+| 5/27/2022 | [End-user notifications for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications?view=o365-21vianet) | modified |
+| 5/27/2022 | [Microsoft Defender for Office 365 data retention](/microsoft-365/security/office-365-security/mdo-data-retention?view=o365-21vianet) | added |
+| 5/27/2022 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/set-up-safe-links-policies?view=o365-21vianet) | modified |
+| 5/27/2022 | [Use Trusted ARC senders for legitimate devices and services between the sender and receiver](/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders?view=o365-21vianet) | modified |
+| 5/27/2022 | [Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-21vianet) | modified |
+| 5/27/2022 | [eDiscovery (Premium) limits](/microsoft-365/compliance/limits-ediscovery20?view=o365-21vianet) | modified |
+| 5/27/2022 | [Anti-malware protection FAQ](/microsoft-365/security/office-365-security/anti-malware-protection-faq-eop?view=o365-21vianet) | modified |
++ ## Week of May 16, 2022
| 5/5/2022 | [Redirection of users from the Office 365 Security and Compliance Center to the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-redirection?view=o365-21vianet) | modified | | 5/5/2022 | [Microsoft Purview compliance documentation # < 60 chars](/microsoft-365/compliance/index?view=o365-21vianet) | modified | | 5/6/2022 | [Microsoft Purview compliance documentation # < 60 chars](/microsoft-365/compliance/index?view=o365-21vianet) | modified |--
-## Week of April 25, 2022
--
-| Published On |Topic title | Change |
-|||--|
-| 4/25/2022 | [Microsoft 365 encryption chains](/microsoft-365/compliance/encryption-office-365-certificate-chains?view=o365-21vianet) | modified |
-| 4/25/2022 | [Learn the advanced hunting query language in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-21vianet) | modified |
-| 4/25/2022 | [Take action on advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-21vianet) | modified |
-| 4/25/2022 | [Collaborate with external participants in a shared channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | modified |
-| 4/25/2022 | [Microsoft 365 alert policies](/microsoft-365/compliance/alert-policies?view=o365-21vianet) | modified |
-| 4/25/2022 | [Microsoft Bookings Frequently Asked Questions](/microsoft-365/bookings/bookings-faq?view=o365-21vianet) | modified |
-| 4/26/2022 | [Microsoft Purview solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |
-| 4/26/2022 | [What's new in Microsoft Purview](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
-| 4/26/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |
-| 4/27/2022 | [Enhancing mail flow with MTA-STS ](/microsoft-365/compliance/enhancing-mail-flow-with-mta-sts?view=o365-21vianet) | added |
-| 4/27/2022 | [UrlClickEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-21vianet) | added |
-| 4/27/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |
-| 4/27/2022 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | modified |
-| 4/27/2022 | [Encrypted message portal activity log](/microsoft-365/compliance/ome-message-access-logs?view=o365-21vianet) | added |
-| 4/27/2022 | [Remove blocked connectors from the Restricted entities portal in Microsoft 365](/microsoft-365/security/office-365-security/remove-blocked-connectors?view=o365-21vianet) | added |
-| 4/27/2022 | [Respond to a compromised connector in Microsoft 365](/microsoft-365/security/office-365-security/respond-compromised-connector?view=o365-21vianet) | added |
-| 4/27/2022 | Increase threat protection for Microsoft 365 for Business | removed |
-| 4/27/2022 | [Create eDiscovery holds in a eDiscovery (Standard) case](/microsoft-365/compliance/create-ediscovery-holds?view=o365-21vianet) | modified |
-| 4/27/2022 | [Manage holds in eDiscovery (Premium)](/microsoft-365/compliance/managing-holds?view=o365-21vianet) | modified |
-| 4/27/2022 | [Search the audit log in the Microsoft Purview compliance portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-21vianet) | modified |
-| 4/27/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
-| 4/27/2022 | [Remove blocked users from the Restricted users portal](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
-| 4/28/2022 | [What is Microsoft 365 for business](/microsoft-365/admin/admin-overview/what-is-microsoft-365-for-business?view=o365-21vianet) | added |
-| 4/28/2022 | [Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-manage-log4shell-guidance?view=o365-21vianet) | added |
-| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-21vianet) | modified |
-| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |
-| 4/28/2022 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-21vianet) | modified |
-| 4/28/2022 | [How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications](/microsoft-365/compliance/how-smtp-dane-works?view=o365-21vianet) | modified |
-| 4/28/2022 | [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments?view=o365-21vianet) | modified |
-| 4/29/2022 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-21vianet) | modified |
-| 4/29/2022 | [Understand the proposal workflow](/microsoft-365/commerce/understand-proposal-workflow?view=o365-21vianet) | modified |
-| 4/29/2022 | [Enable the Report Message or the Report Phishing add-ins](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
-| 4/29/2022 | [Manage your allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-21vianet) | modified |
-| 4/29/2022 | [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight](/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
-| 4/29/2022 | [Microsoft Purview auditing solutions](/microsoft-365/compliance/auditing-solutions-overview?view=o365-21vianet) | modified |
-| 4/25/2022 | [Microsoft 365 encryption chains](/microsoft-365/compliance/encryption-office-365-certificate-chains?view=o365-21vianet) | modified |
-| 4/25/2022 | [Learn the advanced hunting query language in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-21vianet) | modified |
-| 4/25/2022 | [Take action on advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-21vianet) | modified |
-| 4/25/2022 | [Collaborate with external participants in a shared channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | modified |
-| 4/25/2022 | [Microsoft 365 alert policies](/microsoft-365/compliance/alert-policies?view=o365-21vianet) | modified |
-| 4/25/2022 | [Microsoft Bookings Frequently Asked Questions](/microsoft-365/bookings/bookings-faq?view=o365-21vianet) | modified |
-| 4/26/2022 | [Microsoft Purview solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |
-| 4/26/2022 | [What's new in Microsoft Purview](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
-| 4/26/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |
-| 4/27/2022 | [Enhancing mail flow with MTA-STS ](/microsoft-365/compliance/enhancing-mail-flow-with-mta-sts?view=o365-21vianet) | added |
-| 4/27/2022 | [UrlClickEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-21vianet) | added |
-| 4/27/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |
-| 4/27/2022 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | modified |
-| 4/27/2022 | [Encrypted message portal activity log](/microsoft-365/compliance/ome-message-access-logs?view=o365-21vianet) | added |
-| 4/27/2022 | [Remove blocked connectors from the Restricted entities portal in Microsoft 365](/microsoft-365/security/office-365-security/remove-blocked-connectors?view=o365-21vianet) | added |
-| 4/27/2022 | [Respond to a compromised connector in Microsoft 365](/microsoft-365/security/office-365-security/respond-compromised-connector?view=o365-21vianet) | added |
-| 4/27/2022 | Increase threat protection for Microsoft 365 for Business | removed |
-| 4/27/2022 | [Create eDiscovery holds in a eDiscovery (Standard) case](/microsoft-365/compliance/create-ediscovery-holds?view=o365-21vianet) | modified |
-| 4/27/2022 | [Manage holds in eDiscovery (Premium)](/microsoft-365/compliance/managing-holds?view=o365-21vianet) | modified |
-| 4/27/2022 | [Search the audit log in the Microsoft Purview compliance portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-21vianet) | modified |
-| 4/27/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
-| 4/27/2022 | [Remove blocked users from the Restricted users portal](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
-| 4/28/2022 | [What is Microsoft 365 for business](/microsoft-365/admin/admin-overview/what-is-microsoft-365-for-business?view=o365-21vianet) | added |
-| 4/28/2022 | [Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-manage-log4shell-guidance?view=o365-21vianet) | added |
-| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-21vianet) | modified |
-| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |
-| 4/28/2022 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-21vianet) | modified |
-| 4/28/2022 | [How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications](/microsoft-365/compliance/how-smtp-dane-works?view=o365-21vianet) | modified |
-| 4/28/2022 | [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments?view=o365-21vianet) | modified |
-| 4/29/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
-| 4/29/2022 | [Understand the proposal workflow](/microsoft-365/commerce/understand-proposal-workflow?view=o365-21vianet) | modified |
-| 4/29/2022 | [Enable the Report Message or the Report Phishing add-ins](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
-| 4/29/2022 | [Manage your allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-21vianet) | modified |
-| 4/29/2022 | [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight](/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
-| 4/29/2022 | [Use customer-managed keys to encrypt your organization's auditing data](/microsoft-365/compliance/auditing-cmk-encryption?view=o365-21vianet) | added |
-| 4/29/2022 | [Microsoft Purview auditing solutions](/microsoft-365/compliance/auditing-solutions-overview?view=o365-21vianet) | modified |
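Review bot: the added `## Week of May 16, 2022` heading is followed directly by rows dated 5/5/2022 and 5/6/2022 with no `| Published On |Topic title | Change |` header row and `|||--|` separator between the heading and the rows, while the "Week of April 25" section being removed below shows that every week section opens with that header; without it the rows under the new heading will not render as a table, and rows from the first week of May should not sit under a May 16 heading in any case. Confirm that the new 5/23 to 5/27 rows above the heading have their own week heading and header row, since neither appears in this hunk.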
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
These are the known gaps:
|Network discovery|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Reports: Device Control, Device health, Firewall|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development| |Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
-
+|Microsoft Secure Score|![Yes](images/svg/check-yes.svg) <sup>1</sup>|![No](images/svg/check-no.svg) Not supported|![No](images/svg/check-no.svg) Not supported|
+
+> [!NOTE]
+> <sup>1</sup> While Microsoft Secure Score is available for GCC customers, there are some security recommendations that aren't available.
+ These are the features and known gaps for [Mobile Threat Defense (Microsoft Defender for Endpoint on Android & iOS)](mtd.md):
These are the features and known gaps for [Mobile Threat Defense (Microsoft Defe
|Support for MAM|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Privacy Controls|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Threat and Vulnerability Management (TVM)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
-
-
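Review bot: the added line ` These are the features and known gaps for [Mobile Threat Defense (Microsoft Defender for Endpoint on Android & iOS)](mtd.md):` duplicates the unchanged sentence immediately below it (`These are the features and known gaps for [Mobile Threat Defense (Microsoft Defe...`), so the introduction to the mobile table would appear twice; drop the added copy, which also carries a stray leading space. The new `Microsoft Secure Score` row and the `> <sup>1</sup>` footnote beneath it are consistent with each other and with the `Not supported` wording used elsewhere in the table.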
security Tamperprotection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamperprotection-macos.md
If running the command `mdatp health` reports that the tamper protection is disa
```console $ sudo grep -F '\[{tamperProtection}\]: Feature state:' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log | tail -n 1
-\[85246\]\[2021-12-08 15:45:34.184781 UTC\]\[info\]: \[{tamperProtection}\]: Feature state: enabledmode: "block"
+ ``` The mode must be "block" (or "audit"). If it is not, then you haven't set the tamper protection mode either through `mdatp config` command or through Intune.
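Review bot: the grep in the context line is a logic problem, because with `-F` the pattern `'\[{tamperProtection}\]: Feature state:'` contains literal backslashes that the log line does not, so the command matches nothing; inside a fenced block the brackets need no escaping, so use `-F '[{tamperProtection}]: Feature state:'`. The added line ` ``` The mode must be "block" (or "audit")...` puts the closing fence on the same line as prose, so Markdown will not recognise it as a fence and the console block opened above stays open through the following text; put the three backticks on their own line and start the sentence on the next. The removed output line was the only illustration of the `Feature state: enabled` and `mode: "block"` output the sentence refers to, so keep one sample output line, written without the `\[` and `\]` escapes, that shows a mode value the reader can compare against.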
security Defender Vulnerability Management Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
This article is intended to provide a high-level overview of the vulnerability f
- **Microsoft Defender Vulnerability Management**. To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
-| Defender Vulnerability Management <p> _Core capabilities part of Defender for Endpoint Plan 2_| Defender Vulnerability Management add-on <p> _Additional capabilities for Defender for Endpoint Plan 2_| Defender Vulnerability Management Standalone <p> _Full vulnerability Management capabilities_|
-|:|:|:|
- [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Software assessment](tvm-software-inventory.md) <p> | [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md) | [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md)|
+|Feature/Capability_| Defender Vulnerability Management <p> _Core capabilities part of Defender for Endpoint Plan 2_| Defender Vulnerability Management add-on <p> _Additional capabilities for Defender for Endpoint Plan 2_| Defender Vulnerability Management Standalone <p> _Full vulnerability Management capabilities_|
+|:|:|:|:|
+[Device discovery](../defender-endpoint/device-discovery.md) <p> |Yes <p>| No <p>|Yes <p>|
+[Device inventory](../defender-endpoint/machines-view-overview.md) <p> |Yes <p>| No <p>|Yes <p>|
+[Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> |Yes <p>| No <p>|Yes <p>|
+[Risk based prioritization](tvm-security-recommendation.md) <p> |Yes <p>| No <p>|Yes <p>|
+[Remediation tracking](tvm-remediation.md) <p> |Yes <p>| No <p>|Yes <p>|
+[Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> |Yes <p>| No <p>|Yes <p>|
+[Software assessment](tvm-software-inventory.md) <p> |Yes <p>| No <p>|Yes <p>|
+[Security baselines assessment](tvm-security-baselines.md) <p> |No <p>| Yes <p>|Yes <p>|
+[Block vulnerable applications](tvm-block-vuln-apps.md) <p> |No <p>| Yes <p>|Yes <p>|
+[Browser extensions](tvm-browser-extensions.md) <p> |No <p>| Yes <p>|Yes <p>|
+[Digital certificate assessment](tvm-certificate-inventory.md) <p> |No <p>| Yes <p>|Yes <p>|
+[Network share analysis](tvm-network-share-assessment.md) |No <p>| Yes <p>|Yes <p>|
## Next steps
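Review bot: in the rebuilt table the row `[Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> |Yes <p>| No <p>|Yes <p>|` folds two capabilities into one cell while every other capability gets its own row; give Configuration assessment its own `|Yes| No|Yes|` row. Also, the header cell `|Feature/Capability_|` has a stray trailing underscore that opens an unclosed italic span, the body rows omit the leading `|` that the header and separator rows use, and the `<p>` tags left in every cell were only needed to stack several links in one cell in the old three-column layout and are now just whitespace. `_Full vulnerability Management capabilities_` should use the same capitalisation as `Defender Vulnerability Management` in the same header.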
security Playbook Detecting Ransomware M365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/playbook-detecting-ransomware-m365-defender.md
+
+ Title: Detecting human-operated ransomware attacks with Microsoft 365 Defender
+description: This article describes proactive detection of new or ongoing human-operated ransomware attacks with the Microsoft 365 Defender portal
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 05/30/2022
+ms.localizationpriority: medium
+
+f1.keywords: NOCSH
++
+# Detecting human-operated ransomware attacks with Microsoft 365 Defender
++
+Ransomware is a type of extortion attack that destroys or encrypts files and folders, preventing access to critical data or disrupting critical business systems. There are two types of ransomware:
+
+* Commodity ransomware is malware that spreads with phishing or between devices and encrypts files before demanding a ransom.
+* Human-operated ransomware is a planned and coordinated attack by active cybercriminals who employ multiple attack methods. In many cases, known techniques and tools are used to infiltrate your organization, find the assets or systems worth extorting, and then demand a ransom. Upon compromising a network, the attacker carries out reconnaissance of assets and systems which can be encrypted or extorted. The attackers then encrypt or exfiltrate data before demanding a ransom.
+
+This article describes proactive detection of new or ongoing human-operated ransomware attacks with the Microsoft 365 Defender portal, an extended detection and response (XDR) solution for the following security
+
+* Microsoft Defender for Endpoint
+* Microsoft Defender for Office 365
+* Microsoft Defender for Identity
+* Microsoft Defender for Cloud Apps (including the app governance add-on)
+* Microsoft Azure AD Identity Protection
+* Microsoft Defender for IoT
+* Microsoft 365 Business Premium
+* Microsoft Defender for Business
+
+For information about preventing ransomware attacks, see [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware-phase3).
+
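Review bot: the sentence `This article describes proactive detection ... an extended detection and response (XDR) solution for the following security` is cut off before the bulleted list; it needs its object and a colon (for example `for the following security services:`) so the list of Defender products that follows reads as its continuation.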
+## The importance of proactive detection
+
+Because human-operated ransomware is typically performed by active attackers who might be performing the steps to infiltrate and discover your most valuable data and systems in real time, the time taken to detect ransomware attacks is crucial.
+
+If pre-ransom activities are detected quickly, the likelihood of a severe attack decreases. The pre-ransom stage typically includes the following techniques: initial access, reconnaissance, credential theft, lateral movement, and persistence. These techniques can initially seem unrelated and often fly under the radar. If these techniques lead to the ransom stage, it's often too late. Microsoft 365 Defender can help identify those small and seemingly unrelated incidents as possibly part of a larger ransomware campaign.
+
+* When detected during the pre-ransom stage, smaller-scale mitigations such as isolating infected devices or user accounts can be used to disrupt and remediate the attack.
+* If detection comes at a later stage, such as when the malware used to encrypt files is being deployed, more aggressive remediation steps that can cause downtime might need to be used to disrupt and remediate the attack.
+
+Business operation disruptions are likely when responding to a ransomware attack. The end stage of a ransomware attack is often a choice between downtime caused by attackers with major risks, or a controlled downtime to ensure network safety and give you time to fully investigate. We never recommend paying a ransom. Paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored. See, [Ransomware response - Microsoft Security Blog](https://www.microsoft.com/security/blog/2019/12/16/ransomware-response-to-pay-or-not-to-pay/).
+
+HereΓÇÖs the qualitative relationship of the impact of a ransomware attack and your time to respond for no detection vs. proactive detection and response.
+
+![The qualitative relationship of the impact of a ransomware attack and your time to respond for no detection vs. proactive detection and response, showing the impact to your business reduces, the quicker you respond.](../../media/defender/playbook-detecting-ransomware-m365-defender-qualitative-diagram.png)
+
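Review bot: `HereΓÇÖs` in the paragraph above (and `analystsΓÇÖ` in the "Human-operated ransomware attack tactics" section below) is a UTF-8 curly apostrophe that went through a Windows-1252 round trip; replace both with a plain ASCII apostrophe (`Here's`, `analysts'`) and check the file's encoding before merge so the same sequence does not reappear elsewhere in the article.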
+### Proactive detection via common malware tools and techniques
+
+In many cases, human-operated ransomware attackers use well-known and field-tested malware tactics, techniques, tools, and procedures including phishing, business email compromise (BEC), and credential theft. Your security analysts must become aware of and familiar with how attackers use common malware and cyberattack methods to gain a foothold in your organization.
+
+To see examples of how ransomware attacks get started with common malware, see these resources:
+
+* [Human-operated ransomware attacks: A preventable disaster](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)
+* [Ransomware threat analytics reports in the Microsoft 365 Defender portal](https://sip.security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,exposureLevel,MisconfiguredDevices,VulnerableDevices,reportType,createdOn,lastUpdatedOn,tags,flag)
+
+Being familiar with pre-ransom malware, payloads, and activities helps your analysts know what to look for to prevent the later stages of an attack.
+
+## Human-operated ransomware attack tactics
+
+Because human-operated ransomware can use known attack techniques and tools, your analystsΓÇÖ understanding and experience with existing attack techniques and tools will be a valuable asset when preparing your SecOps team for focused ransomware detection practices.
+
+### Attack tactics and methods
+
+Here are some typical techniques and tools used by ransomware attackers for the following [MITRE ATT&CK](https://attack.mitre.org/tactics/enterprise/) tactics:
+
+Initial access:
+
+* RDP brute force
+* Vulnerable internet-facing system
+* Weak application settings
+* Phishing email
+
+Credential theft:
+
+* Mimikatz
+* LSA secrets
+* Credential vault
+* Credentials in plaintext
+* Abuse of service accounts
+
+Lateral movement:
+
+* Cobalt Strike
+* WMI
+* Abuse of management tools
+* PsExec
+
+Persistence:
+
+* New accounts
+* GPO changes
+* Shadow IT tools
+* Schedule tasks
+* Service registration
+
+Defense evasion:
+
+* Disabling security features
+* Clearing log files
+* Deleting attack artifact files
+* Resetting timestamps on altered files
+
+Exfiltration:
+
+* Exfiltration of sensitive data
+Impact (financial leverage):
+* Encryption of data in place and in backups
+* Deletion of data in place and backups, which might be combined with a preceding exfiltration
+* Threat of public leakage of exfiltrated, sensitive data
+
+### What to look for
+
+The challenge for security analysts is recognizing when an alert is part of a larger attack chain with the goal of extorting your sensitive data or crucial systems. For example, a detected phishing attack might be:
+
+* A one-off attack to surveil the email messages of someone in the finance department of an organization.
+* The pre-ransom part of an attack chain to use compromised user account credentials to discover the resources available to the user account and to compromise other user accounts with higher levels of privilege and access.
+
+This section provides common attack phases and methods and the signal sources that feed into the central Microsoft 365 Defender portal, which creates alerts and incidents composed of multiple related alerts for security analysis. In some cases, there are alternate security portals to view the attack data.
+
+#### Initial attacks to gain entry
+
+Attacker is attempting to compromise a user account, device, or app.
+
+Attack method |Signal source |Alternate security portals
+|:|:|:
+RDP brute force|Defender for Endpoint|Defender for Cloud Apps
+Vulnerable internet-facing system|Windows security features, Microsoft Defender for Servers|
+Weak application settings |Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps |
+Malicious app activity |Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps |
+Phishing email |Defender for Office 365
+Password spray against Azure AD accounts |Azure AD Identity Protection via Defender for Cloud Apps |Defender for Cloud Apps
+Password spray against on-premises accounts |Microsoft Defender for Identity
+Device compromise |Defender for Endpoint
+Credential theft |Microsoft Defender for Identity
+Escalation of privilege |Microsoft Defender for Identity
+
+#### Recent spike in otherwise typical behavior
+
+Attacker is attempting to probe for additional entities to compromise.
+
+Spike category |Signal source |Alternate security portals
+|: |: |:
+Sign-ins: Numerous failed attempts, attempts to logon to multiple devices in a short period, multiple first-time logons, etc. |Azure AD Identity Protection via Defender for Cloud Apps, Microsoft Defender for Identity |Defender for Cloud Apps
+Recently active user account, group, machine account, app |Azure AD Identity Protection via Defender for Cloud Apps (Azure AD), Defender for Identity (Active Directory Domain Services [AD DS]) |Defender for Cloud Apps
+Recent app activity such as data access |Apps with Defender for Cloud Apps with the app governance add-on |Defender for Cloud Apps
+
+#### New activity
+
+Attacker is creating new entities to further their reach, install malware agents, or evade detection.
+
+Activity |Signal source |Alternate security portal
+|: |: |:
+New apps that are installed |Defender for Cloud Apps with the app governance add-on |Defender for Cloud Apps
+New user accounts |Azure Identity Protection |Defender for Cloud Apps
+Role changes |Azure Identity Protection |Defender for Cloud Apps
+
+#### Suspicious behavior
+
+Attacker is downloading sensitive information, encrypting files, or otherwise collecting or damaging organization assets.
+
+Behavior |Signal source
+|: |:
+Malware spread to multiple devices |Defender for Endpoint
+Resource scanning |Defender for Endpoint, Defender for Identity
+Changes in mailbox forwarding rules |Defender for Office 365
+Data exfiltration and encryption |Defender for Office 365
+
+**Monitor for Adversary Disabling Security** ΓÇô as this is often part of human-operated ransomware (HumOR) attack chain
+
+* **Event Logs Clearing** ΓÇô especially the Security Event log and PowerShell Operational logs
+* **Disabling of security tools/controls** (associated with some groups)
+
+## Detect ransomware attacks with the Microsoft 365 Defender portal
+
+The Microsoft 365 Defender portal provides a centralized view for information on detections, impacted assets, automated actions taken, and related evidence a combination of:
+
+* An incident queue, which groups related alerts for an attack to provide the full attack scope, impacted assets, and automated remediation actions.
+* An alerts queue, which lists all of the alerts being tracked by Microsoft 365 Defender.
+
+### Incident and alert sources
+
+Microsoft 365 Defender portal centralizes signals from:
+
+* Microsoft Defender for Endpoint
+* Microsoft Defender for Office 365
+* Microsoft Defender for Identity
+* Microsoft Defender for Cloud Apps (including the app governance add-on)
+* Microsoft Azure AD Identity Protection
+* Microsoft Defender for IoT
+
+This table lists some typical attacks and their corresponding signal source for Microsoft 365 Defender.
+
+Attacks and incidents |Signal source
+|: |:
+Cloud identity: Password spray, numerous failed attempts, attempts to log on to multiple devices in a short period, multiple first-time logons, recently active user accounts |Azure AD Identity Protection
+On-premises identity (AD DS) compromise |Defender for Identity
+Phishing |Defender for Office 365
+Malicious apps |Defender for Cloud Apps or Defender for Cloud Apps with app governance add-on
+Endpoint (device) compromise |Defender for Endpoint
+IoT-capable device compromise |Defender for IoT
+
+### Filtering ransomware-identified incidents
+
+You can easily filter the incidents queue for incidents that have been categorized by Microsoft 365 Defender as ransomware.
+
+1. From the Microsoft 365 Defender portal navigation pane, go to the incidents queue by selecting **Incidents and alerts > Incidents**.
+2. Select **Filters**.
+3. Under **Categories**, select **Ransomware**, select **Apply**, and then close the **Filters** pane.
+
+Each filter setting for the incidents queue creates a URL that you can save and access later as a link. These URLs can be bookmarked or otherwise saved and used when needed at a single click. For example, you can create bookmarks for:
+
+* Incidents containing the ΓÇ£ransomwareΓÇ¥ category. Here is the corresponding [link](https://security.microsoft.com/incidents?filters=AlertStatus%3DNew%257CInProgress,category%3Dransomware&page_size=30&fields=expand,name,tags,severity,investigationStates,category,impactedEntities,alertCount,serviceSource,detectionSource,firstEventTime,lastEventTime,sensitivity,status,incidentAssignment,classification,determination,rbacGroup).
+* Incidents with a specified **Actor** name known to be performing ransomware attacks.
+* Incidents with a specified **Associated threat** name known to be used in ransomware attacks.
+* Incidents containing a custom tag that your SecOps team uses for incidents that are known to be part of a larger, coordinated ransomware attack.
+
+### Filtering ransomware-identified threat analytics reports
+
+Similar to filtering incidents in the incident queue, you can filter threat analytics reports for reports that include ransomware.
+
+1. From the navigation pane, select **Threat analytics**.
+2. Select **Filters**.
+3. Under **Threat tags**, select **Ransomware**, select **Apply**, and then close the **Filters** pane.
+
+You can also click this link.
+
+From the **Detection details** section of many threat analytics reports, you can see a list of alert names created for the threat.
+
+### Microsoft 365 Defender APIs
+
+You can also use the Microsoft 365 Defender APIs to query the Microsoft 365 Defender incidents and alerts data in your tenant. A custom app can filter the data, filter it based on custom settings, and then provide a filtered list of links to alerts and incidents that you can easily select to go right to that alert or incident. See [List incidents API in Microsoft 365 Defender | Microsoft Docs](/api-list-incidents.md). You can also integrate your SIEM with Microsoft Defender, see [Integrate your SIEM tools with Microsoft 365 Defender](/configure-siem-defender.md).
+
+### Microsoft 365 Defender Sentinel Integration
+
+Microsoft Sentinel's Microsoft 365 Defender incident integration allows you to stream all Microsoft 365 Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents include all associated alerts, entities, and relevant information. Once in Sentinel, incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation. See, [Microsoft 365 Defender integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration).
+
+### Proactive scanning with advanced hunting
+
+[Advanced hunting](/advanced-hunting-overview.md) is a query-based threat hunting tool that lets you explore and inspect events in your network to locate threat indicators and entities. This flexible and customizable analysis tool enables unconstrained hunting for both known and potential threats. Microsoft 365 Defender also supports using a custom query to create [custom detection rules](/custom-detections-overview.md), which create alerts based on a query can be and scheduled to run automatically.
+
+For proactive scanning of ransomware activities, you should assemble a catalog of advanced hunting queries for commonly used ransomware attack methods for identities, endpoints, apps, and data. Here are some key sources for ready-to-use advanced hunting queries:
+
+* The [Hunt for ransomware](/advanced-hunting-find-ransomware.md) article
+* GitHub repository for advanced hunting queries:
+ * [Ransomware-specific](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) queries
+ * [All categories](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) of queries
+* Threat analytics reports
+ * Advanced hunting section of the [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) analyst report
+ * Advanced hunting section of other analyst reports
+
+### Automated hunting
+
+Advanced hunting queries can also be used to create custom detection rules and actions based on known elements of a ransomware attack method (for example, the use of unusual PowerShell commands). Custom detection rules create alerts that can be seen and addressed by your security analysts.
+
+To create a custom detection rule, select **Create custom detection** rule from the page of an advanced hunting query. Once created, you can specify:
+
+* How often to run the custom detection rule
+* The severity of the alert created by the rule
+* The MITRE attack phase for the created alert
+* Impacted entities
+* Actions to take on impacted entities
+
+## Prepare your SecOps Team for focused ransomware detection
+
+Preparing your SecOps team for proactive ransomware detection requires:
+
+* Pre-work for your SecOps team and organization
+* Security analyst training, as needed
+* Ongoing operational work to incorporate the latest attacks and detection experiences of your security analysts
+
+### Pre-work for your SecOps team and organization
+
+Consider these steps to get your SecOps team and organization ready for focused ransomware attack prevention:
+
+1. Configure your IT and cloud infrastructure for ransomware prevention with the [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware-phase3) guidance. The phases and tasks in this guidance can be done in parallel with the following steps.
+2. Get the appropriate licenses for the Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, the app governance add-on, Defender for IoT, and Azure AD Identity Protection services.
+3. Assemble a catalog of advanced hunting queries tuned for known ransomware attack methods or attack phases.
+4. Create the set of custom detection rules for specific advanced hunting queries that create alerts for known ransomware attack methods, including their schedule, alert naming, and automated actions.
+5. Determine the set of [custom tags](/manage-incidents.md) or standards to create new one to identify incidents that are known to be part of a larger, coordinated ransomware attack
+6. Determine the set of operational tasks for ransomware incident and alert management. For example:
+
+* Processes for Tier 1 analyst scanning of incoming incidents and alerts and assignment to Tier 2 analysts for investigation.
+* Manually running advanced hunting queries and their schedule (daily, weekly, monthly).
+* Ongoing changes based on ransomware attack investigation and mitigation experiences.
+
+### Security analyst training
+
+As needed, you can provide your security analysts with internal training for:
+
+* Common ransomware attack chains (MITRE attack tactics and common threat techniques and malware)
+* Incidents and alerts and how to locate and analyze them in the Microsoft 365 Defender portal using:
+ * Alerts and incidents already created by Microsoft 365 Defender
+ * Pre-scanned URL-based filters for the Microsoft 365 Defender portal
+ * Programmatically via the incidents API
+* Advanced hunting queries to use and their manual schedule (daily, weekly, monthly)
+* Custom detection rules to use and their settings
+* Custom incident tags
+* The latest [threat analytics reports for ransomware](https://security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,reportType,createdOn,lastUpdatedOn,tags,flag) attacks in the Microsoft 365 Defender portal
+
+### Ongoing work based on operational learning and new threats
+
+As part of your SecOps teamΓÇÖs ongoing tool and process best practices and security analystsΓÇÖ experiences, you should:
+
+* Update your catalog of advanced hunting queries with:
+ * New queries based on the latest threat analytics reports in the Microsoft 365 Defender portal or the [Advanced Hunting GitHub repository](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware>).
+ * Changes to existing ones to optimize for threat identification or for better alert quality.
+* Update custom detection rules based on new or changed advanced hunting queries.
+* Update the set of operational tasks for ransomware detection.
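Review bot: the two bullets under "GitHub repository for advanced hunting queries" point at the same URL, `.../Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware`, so the "All categories" link also lands in the ransomware folder; the second bullet should link the repository root, `https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries`. Four smaller problems in the same hunk: "You can also click this link." under "Filtering ransomware-identified threat analytics reports" has no link attached, while the matching sentence in the incidents section carries the full filtered URL, so either attach the filtered threat-analytics URL that the training list already uses or drop the sentence; the "Ransomware threat analytics reports" bullet in the reading list uses the host `sip.security.microsoft.com` while the training list uses `security.microsoft.com` for the same filtered view, and only the public host should be published; the label "Impact (financial leverage):" directly follows the bullet "* Exfiltration of sensitive data" with no blank line, so it renders as a lazy continuation of that bullet instead of a label like the other tactic labels; and the custom detections sentence "which create alerts based on a query can be and scheduled to run automatically" is garbled and should read "which create alerts from a query that is scheduled to run automatically". Also reconcile the link style: `/api-list-incidents.md`, `/configure-siem-defender.md`, `/advanced-hunting-overview.md`, `/custom-detections-overview.md`, `/advanced-hunting-find-ransomware.md` and `/manage-incidents.md` are root-relative paths with a `.md` suffix, whereas the other docs links in this hunk (`/security/compass/...`, `/azure/sentinel/...`) are site paths without a suffix; same-folder articles should be plain relative links such as `api-list-incidents.md`.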
security Playbook Responding Ransomware M365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender.md
+
+ Title: Responding to ransomware attacks
+description: This article provides a generalized playbook for responding to ransomware attacks.
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 05/30/2022
+ms.localizationpriority: medium
+
+f1.keywords: NOCSH
+
+# Responding to ransomware attacks
++
+When you suspect you were or are currently under a ransomware attack, establish secure communications with your incident response team immediately. They can perform the following response phases to disrupt the attack and mitigate the damage:
+
+* Investigation and containment
+* Eradication and recovery
+
+This article provides a generalized playbook for responding to ransomware attacks. Consider adapting the described steps and tasks in this article to your own security operations playbook.
+NOTE: For information about preventing ransomware attacks, see [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware).
+
+## Containment
+
+Containment and investigation should occur as simultaneously as possible; however, you should focus on quickly achieving containment, so you have more time to investigate. These steps help you determine the scope of the attack and to isolate it to only affected entities, such as user accounts and devices.
+
+### Step 1: Assess the scope of the incident
+
+Run through this list of questions and tasks to discover the extent of the attack. Microsoft 365 Defender can provide a consolidated view of all impacted or at-risk assets to aid in your incident response assessment. See [Incident response with Microsoft 365 Defender | Microsoft Docs](/incidents-overview.md). You can use the alerts and the evidence list in the incident to determine:
+
+* Which user accounts might be compromised?
+ * Which accounts were used to deliver the payload?
+* Which [onboarded](../defender-endpoint/investigate-machines.md) and [discovered](../defender-endpoint/device-discovery.md) devices are affected and how?
+ * Originating devices
+ * Impacted devices
+ * Suspicious devices
+* Identify any network communication that is associated with the incident.
+* Which applications are affected?
+* What payloads were spread?
+* How is the attacker communicating with the compromised devices? (Network protection must be [enabled](../defender-endpoint/enable-network-protection.md)):
+ * Go to the [indicators page](../defender-endpoint/indicator-ip-domain.md#create-indicators-for-ips-and-urlsdomains) to add a block for the IP and URL (if you have that information).
+* What was the payload delivery medium?
+
+### Step 2: Preserve existing systems
+
+Run through this list of tasks and questions to protect existing systems from attack:
+
+* If you have online backups, consider disconnecting the backup system from the network until you are confident that the attack is contained, see [Backup and restore plan to protect against ransomware | Microsoft Docs](/security/compass/backup-plan-to-protect-against-ransomware).
+* If you are experiencing or expect an imminent and active ransomware deployment:
+ * [Suspend privileged and local accounts](/investigate-users.md) that you suspect are part of the attack. You can do this from the **Users** tab in the properties of the incident in the Microsoft 365 Defender portal.
+ * Stop all [remote logon sessions](/defender-for-identity/playbook-domain-dominance).
+ * Reset the compromised user account passwords and require the users of compromised user accounts to sign in again.
+ * Do the same for user accounts that might be compromised.
+ * If shared local accounts are compromised, have your IT admin help you to enforce a password change across all exposed devices. Example Kusto query:
+
+```kusto
+DeviceLogonEvents | where DeviceName contains (AccountDomain) | take 10
+```
+
+* For the devices that are not yet isolated and are not part of the critical infrastructure:
+ * Isolate compromised devices from the network but do not shut them off.
+ * If you identify the originating or spreader devices, isolate those first.
+* Preserve compromised systems for analysis.
+
+### Step 3: Prevent the spread
+
+Use this list to keep the attack from spreading to additional entities.
+
+* If shared local accounts are being used in the attack, consider [Blocking Remote Use of Local Accounts](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/blocking-remote-use-of-local-accounts/ba-p/701042).
+ * Kusto query for all network logons that are local admins:
+
+```kusto
+DeviceLogonEvents
+| where IsLocalAdmin == true and AccountDomain == DeviceName
+| extend IsLocalLogon = tobool(todynamic(AdditionalFields).IsLocalLogon)
+| where IsLocalLogon==false
+```
+
+* Kusto query for non-RDP logons (more realistic for most networks):
+
+```kusto
+DeviceLogonEvents
+| where IsLocalAdmin == true and AccountDomain == DeviceName and LogonType != 'RemoteInteractive'
+| extend IsLocalLogon = tobool(todynamic(AdditionalFields).IsLocalLogon)
+| where IsLocalLogon==false
+```
+
+* Quarantine and add indicators for files that are infected.
+* Ensure that your antivirus solution is configurable in its optimal protection state. For Microsoft Defender Antivirus, this includes:
+ * [Real time protection](../defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
+ * [Tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md) is enabled. In the Microsoft 365 Defender portal, select **Settings > Endpoints > Advanced features > Tamper protection**.
+ * [Attack surface reduction (ASR)](../defender-endpoint/enable-attack-surface-reduction.md) rules are enabled.
+ * [Cloud protection](../defender-endpoint/enable-attack-surface-reduction.md) is enabled.
+* Disable Exchange ActiveSync and OneDrive sync.
+ * To disable Exchange ActiveSync for a mailbox, see [How to disable Exchange ActiveSync for users in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/enable-or-disable-exchange-activesync).
+ * To disable other types of access to a mailbox, see:
+ * [Enable or disable MAPI for a mailbox](/exchange/recipients-in-exchange-online/manage-user-mailboxes/enable-or-disable-mapi).
+ * [Enable or Disable POP3 or IMAP4 access for a user](/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access).
+ * Pausing OneDrive sync will help protect your cloud data from being updated by potentially infected devices. For more information, see [How to Pause and Resume sync in OneDrive](https://support.microsoft.com/office/how-to-pause-and-resume-sync-in-onedrive-2152bfa4-a2a5-4d3a-ace8-92912fb4421e).
+* Apply relevant patches and configuration changes on affected systems.
+* Block ransomware communications using internal and external controls.
+* Purge cached content
+
+## Investigation
+
+Use this section to investigate the attack and plan your response.
+
+### Assess your current situation
+
+* What initially made you aware of the ransomware attack?
+ * If IT staff identified the initial threatΓÇösuch as noticing backups being deleted, antivirus alerts, endpoint detection and response (EDR) alerts, or suspicious system changesΓÇöit is often possible to take quick decisive measures to thwart the attack, typically by the containment actions described in this article.
+* What date and time did you first learn of the incident?
+ * What system and security updates were not installed on devices on that date? This is important to understand what vulnerabilities might have been leveraged so they can be addressed on other devices.
+ * What user accounts were used on that date?
+ * What new user accounts were created since that date?
+ * What programs were added to automatically start around the time that the incident occurred?
+* Is there any indication that the attacker is currently accessing systems?
+ * Are there any suspected compromised systems that are experiencing unusual activity?
+ * Are there any suspected compromised accounts that appear to be actively used by the adversary?
+ * Is there any evidence of active command-and-control (C2) servers in EDR, firewall, VPN, web proxy, and other logs?
+
+### Identify the ransomware process
+
+* Using [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview.md), search for the identified process in the process creation events on other devices.
+
+### Look for exposed credentials in the infected devices
+
+* For user accounts whose credentials were potentially compromised, reset the account passwords, and require the users to sign in again.
+* The following IOAs might indicate lateral movement:
+
+<details>
+ <summary>Click to expand</summary>
+
+* SuspiciousExploratoryCommands
+* MLFileBasedAlert
+* IfeoDebuggerPersistence
+* SuspiciousRemoteFileDropAndExecution
+* ExploratoryWindowsCommands
+* IoaStickyKeys
+* Mimikatz Defender Amplifier
+* Network scanning tool used by PARINACOTA
+* DefenderServerAlertMSSQLServer
+* SuspiciousLowReputationFileDrop
+* SuspiciousServiceExecution
+* AdminUserAddition
+* MimikatzArtifactsDetector
+* Scuba-WdigestEnabledToAccessCredentials
+* DefenderMalware
+* MLSuspCmdBehavior
+* MLSuspiciousRemoteInvocation
+* SuspiciousRemoteComponentInvocation
+* SuspiciousWmiProcessCreation
+* MLCmdBasedWithRemoting
+* Process Accesses Lsass
+* Suspicious Rundll32 Process Execution
+* BitsAdmin
+* DefenderCobaltStrikeDetection
+* DefenderHacktool
+* IoaSuspPSCommandline
+* Metasploit
+* MLSuspToolBehavior
+* RegistryQueryForPasswords
+* SuspiciousWdavExclusion
+* ASEPRegKey
+* CobaltStrikeExecutionDetection
+* DefenderBackdoor
+* DefenderBehaviorSuspiciousActivity
+* DefenderMalwareExecuted
+* DefenderServerAlertDomainController
+* DupTokenPrivilegeEscalationDetector
+* FakeWindowsBinary
+* IoaMaliciousCmdlets
+* LivingOffTheLandBinary
+* MicrosoftSignedBinaryAbuse
+* MicrosoftSignedBinaryScriptletAbuse
+* MLFileBasedWithRemoting
+* MLSuspSvchostBehavior
+* ReadSensitiveMemory
+* RemoteCodeInjection-IREnabled
+* Scuba-EchoSeenOverPipeOnLocalhost
+* Scuba-SuspiciousWebScriptFileDrop
+* Suspicious DLL registration by odbcconf
+* Suspicious DPAPI Activity
+* Suspicious Exchange Process Execution
+* Suspicious scheduled task launch
+* SuspiciousLdapQueryDetector
+* SuspiciousScheduledTaskRegistration
+* Untrusted application opens a RDP connection
+
+</details>
+
+### Identify the line of business (LOB) apps that are unavailable due to the incident
+
+* Does the app require an identity?
+ * How is authentication performed?
+ * How are credentials such as certificates or secrets stored and managed?
+* Are evaluated backups of the application, its configuration, and its data available?
+* Determine your compromise recovery process.
+
+## Eradication and recovery
+
+Use these steps to eradicate the threat and recover damaged resources.
+
+### Step 1: Verify your backups
+
+If you have offline backups, you can probably restore the data that has been encrypted after you have removed the ransomware payload (malware) from your environment and after you have verified that there's no unauthorized access in your Microsoft 365 tenant.
+
+### Step 2: Add indicators
+
+Add any known attacker communication channels as indicators, blocked in firewalls, in your proxy servers, and on endpoints.
+
+### Step 3: Reset compromised users
+
+Reset the passwords of any known compromised user accounts and require a new sign-in.
+
+* Consider resetting the passwords for any privileged account with broad administrative authority, such as the members of the Domain Admins group.
+* If a user account might have been created by an attacker, disable the account. Do not delete the account unless there are no plans to perform security forensics for the incident.
+
+### Step 4: Isolate attacker control points
+
+Isolate any known attacker control points inside the enterprise from the Internet.
+
+### Step 5: Remove malware
+
+Remove the malware from the affected devices.
+
+* Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that is associated with the ransomware.
+* Do not forget to scan devices that synchronize data or the targets of mapped network drives.
+
+### Step 6: Recover files on a cleaned device
+
+Recover files on a cleaned device.
+
+* You can use [File History](https://support.microsoft.com/help/17128) in Windows 11, Windows 10, Windows 8.1, and System Protection in Windows 7 to attempt to recover your local files and folders.
+
+### Step 7: Recover files in OneDrive for Business
+
+Recover files in OneDrive for Business.
+
+* Files Restore in OneDrive for Business allows you to restore an entire OneDrive to a previous point in time within the last 30 days. For more information, see [Restore your OneDrive](https://support.microsoft.com/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15).
+
+### Step 8: Recover deleted email
+
+Recover deleted email.
+
+* In the rare case that the ransomware deleted all the email in a mailbox, you can recover the deleted items. See [Recover deleted messages in a user's mailbox in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/recover-deleted-messages).
+
+### Step 9: Re-enable Exchange ActiveSync and OneDrive sync
+
+* After you have cleaned your computers and devices and recovered the data, you can re-enable Exchange ActiveSync and OneDrive sync that you previously disabled in step 3 of containment.
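Review bot: the first Kusto query, `DeviceLogonEvents | where DeviceName contains (AccountDomain) | take 10`, does not support the bullet it illustrates ("enforce a password change across all exposed devices"): `take 10` returns an arbitrary sample of rows, and the query never names the compromised shared local account, so it cannot enumerate the exposed devices. Filter on the account and aggregate per device instead, for example `DeviceLogonEvents | where AccountName =~ "<shared local account>" and DeviceName contains AccountDomain | summarize LastSeen = max(Timestamp) by DeviceName`. The two queries under "Prevent the spread" then identify local accounts with `AccountDomain == DeviceName`, whereas the first query uses `contains`; the hunk should settle on one test and say why, because `DeviceName` in `DeviceLogonEvents` is the fully qualified name on domain-joined devices while a local account's `AccountDomain` is the short host name, so the strict equality silently drops those devices (`DeviceName =~ AccountDomain or DeviceName startswith strcat(AccountDomain, ".")` covers both forms). Three documentation points: the "Cloud protection" bullet in Step 3 links to `../defender-endpoint/enable-attack-surface-reduction.md`, the same target as the ASR bullet directly above it, so it needs its own article; "Ensure that your antivirus solution is configurable in its optimal protection state" should read "configured in"; and the inline "NOTE: For information about preventing ransomware attacks..." under the introduction is plain text, not the `> [!NOTE]` callout used elsewhere in this doc set, so it will render as an ordinary paragraph.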
solutions Plan External Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/plan-external-collaboration.md
Admins can apply a [retention policy](/microsoft-365/compliance/retention) on a
### Sensitivity labels
-[Sensitivity labels](/microsoft-365/compliance/sensitivity-labels) available in the host organization are the only labels that can be applied to the documents in a shared channel site. A file that is encrypted by a sensitivity label cannot be opened by external participants. Automatic labeling is not used.
+[Sensitivity labels](/microsoft-365/compliance/sensitivity-labels) available in the host organization are the only labels that can be applied to the documents in a shared channel site. A file that is encrypted by a sensitivity label cannot be opened by external participants unless permissions are granted. Automatic labeling is not used.
Shared channels and their associated SharePoint sites inherit the label from the parent team.
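Review bot: the added qualifier "unless permissions are granted" leaves the reader without the actionable detail: say who grants the permission and where, that is, whether the label's encryption settings must assign permissions to the external users or their domain before they can open an encrypted file in the shared channel, and link the relevant sensitivity-label article, since as written the sentence reads as if the restriction can be lifted by whoever shares the file.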
test-base Testapplication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testapplication.md
Title: 'Test your Binary Files on Test Base'
-description: How to test your Binaries Files on Test Base
+ Title: 'Creating and Testing Binary Files on Test Base'
+description: How to create and test binaries files on Test Base
search.appverid: MET150
f1.keywords: NOCSH
-# Test your Binary Files on Test Base
+# Creating and Testing Binary Files on Test Base
-> [!NOTE]
-> This guide will guide you to create a new Test Base package from scratch. If you already have a Test Base package (.zip) in hand, you can switch to use our legacy upload experience [Upload your Test Base package (Zip)](uploadApplication.md).
-
-## Prerequisites
+This section provides all the steps necessary to create a new package containing binary files, for uploading and testing on Test Base. If you already have a pre-built .zip file, you can see [Uploading pre-built Zip package](uploadApplication.md), to upload your file.
-A Test Base account. If you don't have one, [create a Test Base account](createAccount.md).
+> [!IMPORTANT]
+> If you don't have a **Test Base** account, you'll need to create one before proceeding, as described in [Creating a Test Base account](createAccount.md).
## Create a new package
-In the [Azure portal](https://portal.azure.com/), go to the Test Base account in which you want to upload your package. In the left menu under **Package catalog**, select the **New package**. Then click the first card **ΓÇÿCreate new package'** to build your package within 5 steps!
+In the [Azure portal](https://portal.azure.com/), go to the **Test Base** account for which you'll be creating and uploading your package and perform the steps that follow.
+
+In the left-hand menu under **Package catalog**, select the **New package**. Then click the first card **ΓÇÿCreate new package online'** to build your package online within 5 steps!
> [!div class="mx-imgBorder"] > ![Create a new Package wizard](Media/testapplication01.png) ### Step 1. Define content
-1. In the **Package source** section, choose your package source. If you have an Intunewin app, select Intunewin, for others, e.g. exe or msi, select Binaries.
+1. In the **Package source** section, select Binaries (for example: .exe, .msi) in the Package source type.
> [!div class="mx-imgBorder"] > ![Choose your package source](Media/testapplication02.png)
-2. Then upload your app file by clicking ΓÇÿSelect file' button or checking the box to use the Test Base sample template as a starting point if you don't have your file ready yet.
+2. Then upload your app file by clicking 'Select file' button or checking the box to use the Test Base sample template as a starting point if you don't have your file ready yet.
> [!div class="mx-imgBorder"] > ![Select file](Media/testapplication03.png)
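Review bot: the new `description:` line reads "How to create and test binaries files on Test Base"; "binaries files" should be "binary files" to match the title line above it. In the card name **Create new package online** the opening quote is a typographic quote and the closing quote an ASCII apostrophe, the same mismatched pair as in the wording being replaced; use a matching pair, and since the "Select file" button two steps down was changed to straight quotes in this same hunk, straight quotes are the consistent choice.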
In the [Azure portal](https://portal.azure.com/), go to the Test Base account in
> [!div class="mx-imgBorder"] > ![Enter basic information](Media/testapplication04.png)
-4. Once all required info is filled out, you can move to step 2 by clicking the Next button at the bottom.
+4. After all the requested information is specified, you can proceed to the next phase by clicking the **Next: Configuration test** button.
> [!div class="mx-imgBorder"] > ![Next step](Media/testapplication05.png) ### Step 2. Configure test
-1. Select the **Type of test**. There're two test types supported:
+1. Select the **Type of test**. There are two test types supported:
- An **Out of Box (OOB) test** performs an install, launch, close, and uninstall of your package. After the install, the launch-close routine is repeated 30 times before a single uninstall is run. The OOB test provides you with standardized telemetry on your package to compare across Windows builds. - A **Functional test** would execute your uploaded test script(s) on your package. The scripts are run in the sequence you specified and a failure in a particular script will stop subsequent scripts from executing.
+ > [!NOTE]
+ > Out of Box test is optional now.
+ > [!div class="mx-imgBorder"] > ![Out of Box test is optional](Media/testapplication07.png)
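Review bot: "Out of Box test is optional now." dates the text and sits awkwardly under the unchanged sentence "There are two test types supported", which still lists the OOB test first as if it were required; drop "now" ("The Out of Box test is optional.") and say what the wizard requires when it is left unchecked, since the Step 3 text below branches on which test type was selected.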
- Check your package folder and file structure in **Package Preview**. - Edit your scripts online with the **PowerShell code editor**.
+ > [!NOTE]
+ > Some sample scripts have been generated for your reference. You need to review each script carefully and replace the command and process name with your own.
+ > [!div class="mx-imgBorder"] > ![edit scripts online](Media/testapplication09.png)
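Review bot: the NOTE "Some sample scripts have been generated for your reference" is passive and does not say which scripts it means or where they appear (presumably the ones shown in **Package Preview** under the scripts folder); name them and make the instruction imperative, for example "The scripts in the scripts folder are samples only. Review every script and replace the sample command and process name with your own before you publish."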
- If the **Out of Box test** is selected in step 2, you can see the **outofbox** folder under the scripts folder. You also have the option to add **ΓÇÿReboot after install'** tag for the Install script. > [!div class="mx-imgBorder"]
- > ![Resources in outofbox folder](Media/testapplication11.png)
+ > ![Reference script](Media/testapplication11.png)
> [!NOTE]
- > Install, Launch and Close script tags are mandatory for the OOB test type.
+ > Install, Launch and Close script tags are mandatory for the OOB test type. Reassigning tags ensures that the correct script path will be used when testing is initiated.
+
+ > [!div class="mx-imgBorder"]
+ > ![Edit package prompt](Media/testapplication11-2.png)
- - If the **Functional test** is selected in step 2, you can see the **functional** folder under the scripts folder. Additional functional test scripts can be added using the **'Add to functional test list'** button. You need a minimum of one (1) script and can add up to eight (8) functional test scripts.
+ - If the **Functional test** is selected in step 2, you can see the **functional** folder under the scripts folder. More functional test scripts can be added using the **'Add to functional test list'** button. You need a minimum of one (1) script and can add up to eight (8) functional test scripts.
> [!div class="mx-imgBorder"] > ![Add to functional test list](Media/testapplication12.png)
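Review bot: the added sentence "Reassigning tags ensures that the correct script path will be used when testing is initiated" does not say when a tag must be reassigned (the accompanying screenshot is titled "Edit package prompt", which suggests it is after a script is edited or renamed), so the reader cannot tell whether this is a required step; state the trigger explicitly. The alt text change from "Resources in outofbox folder" to "Reference script" is also less descriptive than the text it replaces.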
> [!NOTE] > At least 1 functional script tag is mandatory for the functional test type.
- By clicking the **'Add to functional test list'**, the action panel will pop up, you can:
- - Reorder the script paths by dragging with the left ellipse buttons. The functional scripts run in the sequence they are listed. A failure in a particular script stops subsequent scripts from executing.
- - Set ΓÇÿRestart after execution' for multiple scripts.
+ To add more Functional scripts, you can click the **'Add to functional test list'**. Then the action panel will pop up, you can:
+ - Reorder the script paths by dragging with the left ellipse buttons. The functional scripts run in the sequence they're listed. A failure in a particular script stops subsequent scripts from executing.
+ - Set 'Restart after execution' for multiple scripts.
- Apply update before on specific script path. This is for users who wish to perform functional tests to indicate when the Windows Update patch should be applied in the sequence of executing their functional test scripts. > [!div class="mx-imgBorder"]
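Review bot: "To add more Functional scripts, you can click the **'Add to functional test list'**. Then the action panel will pop up, you can:" has a dangling noun after the bolded label (add "button") and a comma splice, and it repeats the "More functional test scripts can be added using the ... button" sentence from the preceding hunk; suggest "Clicking the **'Add to functional test list'** button opens an action panel where you can:".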
### Step 4. Test matrix
-1. In the Test matrix tab, select the **OS update type**. There're two OS update types supported.
+1. In the Test matrix tab, select the **OS update type**. There are two OS update types supported.
- The **Security updates** enable your package to be tested against incremental churns of Windows pre-release monthly security updates. - The **Feature updates** enable your package to be tested against Windows pre-release bi-annual feature updates builds from the Windows Insider Program.
### Step 5. Review + publish
-1. Can review all the information of your draft package and you're able to back to early steps to make changes if needed.
+1. Review all the information for correctness and accuracy of your draft package. To make corrections, you can navigate back to early steps where you specified the settings as needed.
> [!div class="mx-imgBorder"] > ![Review package](Media/testapplication15.png)
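Review bot: "Review all the information for correctness and accuracy of your draft package" is awkward ("correctness and accuracy" is redundant and "of your draft package" attaches to the wrong noun); suggest "Review the information for your draft package. To change a setting, go back to the step where you specified it."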
> [!div class="mx-imgBorder"] > ![Notification](Media/testapplication16.png)
-3. Once you make sure all info is correct, you can proceed to upload your package to Test Base by clicking the **ΓÇÿPublish'** button. A notification will pop up when the package has been published successfully.
+3. When you're done finalizing the input data configuration, click **Publish** to upload your package to Test Base. The notification that follows displays when the package is successfully published and has entered the Verification process.
+
+ > [!NOTE]
+ > The package must be verified before it is accepted for future tests. The Verification can take up to 24 hours, as it includes running the package in an actual test environment.
> [!div class="mx-imgBorder"] > ![Package publish prompts](Media/testapplication17.png)
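Review bot: the new NOTE says verification "includes running the package in an actual test environment" and can take up to 24 hours, but the reader is not told here what a failed verification means or how to see the result; that information only appears in the Manage packages note further down, which in turn says "check the logs" without saying where they are. Either move the outcome description here or add a pointer to it, and use "verification" in lowercase consistently ("The Verification can take up to 24 hours" versus "the Verification process").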
> [!div class="mx-imgBorder"] > ![Manage packages](Media/testapplication18.png)
-### Continue package creation
-
-On the **New package** page, you can see a list of all your previously saved draft packages. You can continue your edit directly to the step you paused last time by clicking the 'edit' icon.
-
-> [!NOTE]
-> The dashboard only shows the working in progress package. For the published package, you can check the Manage Package page.
-
-> [!div class="mx-imgBorder"]
-> ![Manage packages page](Media/testapplication19.png)
-
-### Zip Upload (Legacy upload experience)
+ > [!NOTE]
+ > When the Verification process is complete, the Verification status will change to Accepted. At this point, no further actions are required. Your package will be acquired automatically for execution whenever your configured operating systems have new updates available. If the Verification process fails, your package is not ready for testing. Please check the logs and assess whether any errors occurred. You may also need to check your package configuration settings for potential issues.
-If you have a Zip file already, you can switch back to the legacy package upload experience (zip upload). Learn more about the Zip upload [Upload your package | Microsoft Docs](uploadApplication.md).
+### Resume creation of a saved draft package
-> [!div class="mx-imgBorder"]
-> ![Upload package](Media/testapplication01.png)
+If you have any previous draft packages, you can view the list of your saved draft packages on the **New package** page. By clicking the **'Edit'** pencil icon, you can resume editing the package you selected from where you left off, as described in the **Status** column.
> [!div class="mx-imgBorder"]
-> ![Legacy upload experience](Media/testapplication21.png)
+> ![New package page](Media/testapplication19.png)
-### Intunewin Upload Flow
-
-As part of commercial roadmap, Test Base started to support intunewin format for IT Pros who manages apps for their apps within Intune as the standard onboarding package format. The intunewin upload flow provides the experience for IT Pros to reuse their intunewin format packages, which contain the apps they deployed to their end devices via MEM/Intune to onboarding their apps and test configurations quickly to Test Base.
+> [!NOTE]
+> The dashboard only shows the saved draft packages. To view published packages, you will need to go to the Manage Packages page.
-[Test your Intune app on Test Base.](testintuneapplication.md)
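Review bot: deleting the "Intunewin Upload Flow" section and its link to testintuneapplication.md, together with dropping "If you have an Intunewin app, select Intunewin" from Step 1, leaves this page with no pointer for Intunewin packages; either keep a one-line cross-reference (the new intro still keeps one for the pre-built .zip path via uploadApplication.md) or confirm in the change that the Intunewin option was removed from the wizard. In the Manage packages note, "Your package will be acquired automatically for execution whenever your configured operating systems have new updates available" is unclear (say the package is tested automatically against new updates for the configured operating systems), and "Please check the logs" should say which logs and where to find them.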