Updates from: 06/17/2021 03:15:09
Category Microsoft Docs article Related commit history on GitHub Change details
business-video Get Help Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/get-help-support.md
audience: Admin
-localization_priority: Normal
+localization_priority: Priority
- Adm_O365
You can also [search the Microsoft 365 for business community forums](https://go
[Find docs and training](find-help-answers.md) (article)\ [Employee quick setup](employee-quick-setup.md) (article)\
-[Overview of Microsoft 365 Business Premium setup](setup-overview.md) (video)
+[Overview of Microsoft 365 Business Premium setup](setup-overview.md) (video)
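Review bot: the `-`/`+` pair for `[Overview of Microsoft 365 Business Premium setup](setup-overview.md) (video)` is textually identical, so it is a whitespace-only or line-ending change; drop it from the commit unless the invisible change (trailing backslash, CRLF) is deliberate, because it adds diff noise to what is otherwise a one-line metadata update (`localization_priority: Normal` to `Priority`).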
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
- If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label. - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling. - Incoming email is labeled when there is a match with your auto-labeling conditions:
- - If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption is applied. However, this configuration isn't currently supported.
+ - Rolling out: If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption isn't applied.
- If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that this can result in the names of people outside your organization. - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email. There currently isn't a way to set a Rights Manager owner for all incoming email messages that are automatically encrypted.
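Review bot: the rewritten bullet states that encryption isn't applied to incoming email, but the bullet that follows still says "When the label applies encryption, the Rights Management issuer and Rights Management owner is the person who sends the email" and that there is no way to set an owner for incoming messages that are automatically encrypted; the two statements contradict each other. Either remove or rewrite the issuer/owner bullet, or give it the same "Rolling out" qualifier so readers know which behavior applies to their tenant. The dynamic-markings bullet in the same list is also missing its object ("can result in the names of people outside your organization" needs something like "being displayed in the markings").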
compliance Retention Policies Exchange https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-exchange.md
The information in this article supplements [Learn about retention](retention.md
## What's included for retention and deletion
-The following Exchange items can be retained and deleted by using retention policies and retention labels: Mail messages (includes drafts) with any attachments, tasks when they have an end date, and notes.
+The following Exchange items from user mailboxes and shared mailboxes can be retained and deleted by using retention policies and retention labels: Mail messages (includes received messages, drafts, sent messages) with any attachments, tasks when they have an end date, and notes.
Calendar items that have an end date are supported for retention policies but aren't supported for retention labels.
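Review bot: the added qualifier "from user mailboxes and shared mailboxes" narrows the scope of what retention covers but leaves readers guessing whether other mailbox types are excluded, since the old wording implied all Exchange items; state explicitly whether they are out of scope. The expanded parenthetical "(includes received messages, drafts, sent messages)" is a clear improvement.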
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft 365 compliance center](micr
> Interested in what's going on in other admin centers? Check out these articles:<br>[What's new in the Microsoft 365 admin center](/office365/admin/whats-new-in-preview)<br>[What's new in the SharePoint admin center](/sharepoint/what-s-new-in-admin-center)<br>[What's new in Microsoft 365 Defender](../security/defender/whats-new.md)<br><br> And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) to learn about Microsoft 365 features that were launched, are rolling out, are in development, have been cancelled, or previously released.
+## May 2021
+
+### Data Loss Prevention
+
+- New guidance for [planning your Data Loss Prevention](dlp-overview-plan-for-dlp.md) strategy.
+
+### Retention and records management
+
+- If you release a retention policy from a SharePoint site or OneDrive account, you no longer have to wait the 30-day grace period before you can delete the site or account. A popular request by customers, this change is now complete for all tenants.
+- In preview, **multi-stage disposition review**: An administrator can now add up to five consecutive stages of [disposition review ](disposition.md) for a retention label, and reviewers can add others users to their disposition review stage. You can also customize the email notifications and reminders.
+
+### Sensitive Information Types
+
+- New information added to help you [Modify a Keyword Dictionary](sit-modify-keyword-dictionary.md).
+
+### Sensitivity labels
+
+- In preview, a new setting for **authentication context** is now available when you configure a [sensitivity label for groups and sites]( sensitivity-labels-teams-groups-sites.md). This option works in conjunction with Azure AD Conditional Access policies to enforce more stringent conditions when users access SharePoint sites that have the label applied. Make sure you read the [dependencies and limitations](sensitivity-labels-teams-groups-sites.md#more-information-about-the-dependencies-for-the-authentication-context-option) before you configure this setting.
+- [Auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) that are configured just for Exchange now support sensitivity labels that apply encryption with **Let users assign permissions** for the Do Not Forward or Encrypt-Only options.
+- [Mandatory labeling](sensitivity-labels-office-apps.md#require-users-to-apply-a-label-to-their-email-and-documents) is now generally available for all Office apps, across all platforms.
+ ## April 2021 ### Advanced eDiscovery
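Review bot: two markdown link defects in the new May 2021 section: `[disposition review ](disposition.md)` has a trailing space inside the link text, and `[sensitivity label for groups and sites]( sensitivity-labels-teams-groups-sites.md)` has a leading space inside the URL parentheses, which some renderers treat as a broken link; remove both spaces. In the same disposition-review bullet, "reviewers can add others users" should read "other users". The closing line `## April 2021 ### Advanced eDiscovery` appears to have lost its line breaks in this view, so confirm the April heading and its subheading still render on separate lines.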
enterprise Ms Cloud Germany Transition Add Csp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-csp.md
CSP customer tenants will be migrated to the new German datacenter region and be
## Missing subscriptions in Azure
-After [the subscription and license transition (phase 3)](ms-cloud-germany-transition-phases.md#phase-9--10-azure-ad-finalization) has been completed, Cloud Solution Providers will not have access to the Azure subscription anymore.
+After [the subscription and license transition (phase 3)](ms-cloud-germany-transition-phases.md#phase-3-subscription-transfer) has been completed, Cloud Solution Providers will not have access to the Azure subscription anymore.
To recover access, follow these steps to [elevate access to manage all Azure subscriptions and management groups](/azure/role-based-access-control/elevate-access-global-admin).
knowledge Topic Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-center-overview.md
Title: "Topic center overview in Microsoft Viva Topics"
-description: 'Learn about the Topic Center in Microsoft Viva Topics.'
+ Title: Topic center overview in Microsoft Viva Topics
- m365initiative-viva-topics ROBOTS: localization_priority: None
+description: Learn about the topic center in Microsoft Viva Topics.
# Topic center overview in Microsoft Viva Topics
Once a user confirms their connection to a topic, the user can make edits to the
## Manage topics page
-To work on the **Manage topics** page of topic center, you need to have the required Manage topics permissions needed for the knowledge manager role. Your admin can assign these permissions to users during [knowledge management setup](set-up-topic-experiences.md), or new users can be [added afterwards](topic-experiences-knowledge-rules.md) by an admin through the Microsoft 365 admin center.
+To work on the **Manage topics** page of topic center, you need to have the required Manage topics permissions needed for the knowledge manager role. Your admin can assign these permissions to users during [Viva Topics setup](set-up-topic-experiences.md), or new users can be [added afterwards](topic-experiences-knowledge-rules.md) by an admin through the Microsoft 365 admin center.
On the **Manage topics** page, the topic dashboard shows all the topics, you have access to, that were identified from your specified source locations. Each topic will show the date the topic was discovered. A user who was assigned Manage topics permissions can review the unconfirmed topics and choose to:
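Review bot: the metadata hunk removes `localization_priority: None` and the `ROBOTS:` key together with the `m365initiative-viva-topics` entry without adding replacements; confirm the drop is intentional rather than a side effect of unquoting `title` and `description`. In the Manage topics paragraph, the edit swaps "knowledge management setup" for "Viva Topics setup" but keeps "you need to have the required Manage topics permissions needed for the knowledge manager role", where "required" and "needed" are redundant; consider "you need the Manage topics permissions that the knowledge manager role requires". The unchanged next paragraph also has stray commas in "all the topics, you have access to, that were identified".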
knowledge Topic Experiences Get Ready https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-get-ready.md
To make the most of Viva Topics, you want to have as much content as possible in
To plan for Viva Topics, you need to:
-![Migrate, connect, modernize, secure, and identify steps for onboarding to knowledge management](../media/knowledge-management/km-adoption-onboarding-checklist.png)
+![Migrate, connect, modernize, secure, and identify steps for onboarding to Viva Topics.](../media/knowledge-management/km-adoption-onboarding-checklist.png)
1. [Migrate content to SharePoint](#1-migrate-content-to-microsoft-365) - Topic indexing only includes content on SharePoint sites. - Where possible, migrate valuable content into SharePoint Online from external sources. - Prioritize content sources with high potential for tacit knowledge.
- - Highlight the benefits of knowledge management to encourage users to move content from OneDrive to SharePoint sites.
+ - Highlight the benefits of Viva Topics to encourage users to move content from OneDrive to SharePoint sites.
2. [Connect information to Microsoft Graph](#2-connect-information-to-microsoft-graph) - In the future, external content can be brought into the knowledge graph and become available.
Good permissions management is critical here. And good permissions management is
In addition to permissions, you can also control the scope of what is discoverable through topics. You are always in control of what is indexed.
-Administrators can configure indexing in the Microsoft 365 Admin Center. When you set up [Knowledge Management](set-up-topic-experiences.md), you can:
+Administrators can configure indexing in the Microsoft 365 Admin Center. When you set up [Viva Topics](set-up-topic-experiences.md), you can:
- Allow discovery across all SharePoint sites or specify sites to include or exclude as topic sources. - Where you have sensitive terms, you can also exclude topics by name. For example, if you have the name of a sensitive project, where you don't want a highlight or card to appear, irrespective of the user's permissions, you can exclude that project name.
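Review bot: the rename from "knowledge management" to "Viva Topics" is applied to the alt text, the OneDrive bullet and the setup link, but the list item `[Migrate content to SharePoint](#1-migrate-content-to-microsoft-365)` still has link text that does not match its anchor; check which heading the anchor resolves to and align one with the other. The image file keeps its `km-adoption-onboarding-checklist.png` name, which is fine for an unchanged asset, but verify that the rendered image itself does not still say "knowledge management".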
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
Viva Topics uses AI to automatically search for and identify *topics* in your or
Topics are displayed to users through: -- [Topic highlights](topic-experiences-overview.md#topic-highlights) in SharePoint pages
+- [Topics highlighted](topic-experiences-overview.md#sharepoint-highlights) on SharePoint pages
- Topic answers in [search results](topic-experiences-overview.md#search-results) - Search in [office applications](topic-experiences-overview.md#office-application-search) - [Topic center](topic-experiences-overview.md#topic-center) home page
-### Topic highlights
+### SharePoint highlights
-When a topic is mentioned in content on SharePoint news and pages, you'll see it highlighted. You can open the topic summary from the highlight. Open the topic details from the title of the summary to view the full topic page. The mentioned topic could be identified automatically or could have been added to the page with a direct reference to the topic by the page author.
+When a topic is mentioned in content on SharePoint news and pages, you'll see it highlighted. You can open the topic summary from the highlight. Open the topic details from the title of the summary to view the full topic page. The mentioned topic could be identified automatically or could have been referenced directly by the page author.
![Screenshot showing topic highlights.](../media/knowledge-management/saturn.png)
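Review bot: the heading and its anchor are renamed to "SharePoint highlights" / `#sharepoint-highlights`, but the screenshot alt text two lines later still reads "Screenshot showing topic highlights."; update it to the new term. The list lead-in `Topics are displayed to users through: -- [Topic highlights]...` shows the first bullet glued to the intro line in this diff, so confirm the rendered list has the blank line it needs after the colon.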
managed-desktop Add Admin Contacts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/add-admin-contacts.md
Admin contacts are required when you [submit a Support request](../service-descr
**To add admin contacts**
-1. Sign in to [Microsoft Managed Desktop admin portal](https://aka.ms/mwaasportal).
+1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com).
-2. Under **Support**, select **Admin contacts**.
-
- ![Support menu, Admin contacts near the top selected](../../media/admincontacts.png)
+2. Under **Tenant administration**, look for the **Microsoft Managed Desktop** section then select **Admin contacts**.
3. Select **Add**.
- ![Admin portal, Add button, to the left of Export and Refresh](../../media/adminadd.png)
- 4. Select an **Area of focus** and enter the info for the contact. ![the list of areas of focus, such as Other, Apps, and Security](../../media/areaoffocus.png)
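Review bot: the hunk swaps the Microsoft Managed Desktop admin portal for Microsoft Endpoint Manager and removes the two old portal screenshots, but step 4 keeps `../../media/areaoffocus.png`, which was captured in the same old portal; either update that screenshot for the Endpoint Manager UI or remove it for consistency. Step 2's navigation sentence ("look for the **Microsoft Managed Desktop** section then select **Admin contacts**") needs a comma before "then".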
Admin contacts are required when you [submit a Support request](../service-descr
5. [Enable Enterprise State Roaming](enterprise-state-roaming.md) 6. [Set up Microsoft Managed Desktop devices](set-up-devices.md) 7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps to devices](deploy-apps.md)
+8. [Deploy apps to devices](deploy-apps.md)
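Review bot: the `-`/`+` pair for `8. [Deploy apps to devices](deploy-apps.md)` is identical in content, so it is a whitespace or line-ending change only; remove it from the commit unless the invisible change is deliberate.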
managed-desktop Deployment Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/deployment-groups.md
+
+ Title: Device deployment groups
+description: The deployment groups used to manage updates and other changes
+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
++
+ms.localizationpriority: normal
++++++
+# Device deployment groups
+
+Microsoft Managed Desktop uses deployment groups to manage the release of updates and configuration changes to devices. Devices are added to deployment groups ("rings" or "update groups") automatically when they are enrolled into Microsoft Managed Desktop. Deployment groups allow for devices to receive changes in a phased timeline.
+
+You might want to assign certain devices for test purposes only, or designate specific early adopters to receive the changes first. If you have critical devices such as those used by executives or that do business-critical functions, you might want to keep them in the group that gets updates on the slowest cadence. Microsoft Managed Desktop allows you to specify that a device should stay in any one of the following groups.
+
+- **Test**: best for devices that are used for testing or users who can tolerate frequent changes and exposure to new features and also provide early feedback. This group receives changes frequently and experiences in this group have a strong effect. The Test group is exempt from any established service level agreements and user support. It's best to move just a few devices at first and then check the user experience. Microsoft Managed Desktop won't automatically assign devices to this group; it will only have devices you specify.
+- **First**: ideal for early adopters, volunteer or designated validators, IT Pros, or representatives of business functions, that is, people who can validate changes and provide you feedback on the experience.
+- **Broad** receives changes last. Most of your organization will typically be in this group. You can also specify devices that must be in this group and should only receive changes last because they're doing business critical functions or belong to users in critical roles.
+- **Automatic**: select this option when you want Microsoft Managed Desktop to automatically assign devices to one of the other groups. (We won't automatically assign devices to Test.) If you want to release a device that you've previously specified so it can be automatically assigned again, select this option.
+
+Microsoft Managed Desktop uses some additional groups to control deployments, but you won't be able to assign devices to them. You can, however, move devices from those groups to one of the groups in this article. For more information about how Windows updates are managed in groups, see [How updates are handled in Microsoft Managed Desktop](updates.md).
+
+If a device is in a group you've specified, **Group assigned by** will say **Admin**. If Microsoft Managed Desktop has assigned the group, it will say **Auto**. While a device is in the process of moving to a group, it will say **Pending**. The **Group** field always shows the group the device is currently in and only updates when a move is complete.
+
+> [!IMPORTANT]
+> Don't try to directly modify the membership of these groups. Always follow the steps described in [Assign devices to a deployment group](../working-with-managed-desktop/assign-deployment-group.md).
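Review bot: the group list mixes formats: `**Test**:`, `**First**:` and `**Automatic**:` use a colon, while `**Broad** receives changes last` does not; make them consistent. In the Test bullet, "experiences in this group have a strong effect" is unclear (effect on what?); if the intent is that changes land here first and most visibly, say that. The metadata block at the top (`++`, `++++++`) looks like collapsed front-matter delimiters in this diff view, so confirm the `---` fences are intact in the file.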
managed-desktop Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/updates.md
<!--Update management -->
-Microsoft Managed Desktop connects all devices to a modern cloud-based infrastructure. Keeping Windows, Office, drivers, firmware, and Microsoft Store for Business applications up to date is a balance of speed and stability. Deployment groups will be used to ensure operating system updates and policies are rolled out in a safe manner. For more information, see the video [Microsoft Managed Desktop Change and Release Process](https://www.microsoft.com/videoplayer/embed/RE4mWqP).
+Microsoft Managed Desktop connects all devices to a modern cloud-based infrastructure. Keeping Windows, Office, drivers, firmware, and Microsoft Store for Business applications up to date is a balance of speed and stability. We use update groups to ensure operating system updates and policies are rolled out in a safe manner. For more information, see the video [Microsoft Managed Desktop Change and Release Process](https://www.microsoft.com/videoplayer/embed/RE4mWqP).
Updates released by Microsoft are cumulative and are categorized as quality or feature updates. For more information, see [Windows Update for Business: Update types](/windows/deployment/update/waas-manage-updates-wufb#update-types). ## Update groups + Microsoft Managed Desktop uses four Azure AD groups to manage updates: -- **Test**: Used to validate Microsoft Managed Desktop policy changes, operating system updates, feature updates, and other changes pushed to the tenant. There should not be any users placed in the test group. The test group is exempt from any established service level agreements and user support. This group is available for use to validate compatibility of applications with new policy or operating system changes.
+- **Test**: Used to validate Microsoft Managed Desktop policy changes, operating system updates, feature updates, and other changes pushed to the Azure AD organization ("tenant"). Best for testing or users who can provide early feedback. The test group is exempt from any established service level agreements and user support. This group is available for use to validate compatibility of applications with new policy or operating system changes.
- **First**: Contains early software adopters and devices that could be subject to pre-release updates. Devices in this group might experience outages if there are scenarios that were not covered during testing in the test ring. - **Fast**: Prioritizes speed over stability. Useful for detecting quality issues before they are offered to the Broad group. This group serves as a next layer of validation but is typically more stable than the Test and First groups. -- **Broad**: Last group to have feature and quality updates available. This group contains most of users in the tenant, and therefore favors stability over speed in deployment. Testing of apps should be done here as the environment is most stable.
+- **Broad**: Last group to have feature and quality updates available. This group contains most of users in the Azure AD organization, and therefore favors stability over speed in deployment. Testing of apps should be done here as the environment is most stable.
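Review bot: this hunk replaces "Deployment groups" with "update groups" in the intro, but the new deployment-groups.md page added in the same batch calls them "deployment groups" and lists Test, First, Broad and Automatic, while the list here still says "four Azure AD groups" with Test, First, Fast and Broad; pick one term and reconcile the group lists across both pages (if Fast is one of the groups that deployment-groups.md says you can't assign devices to, say so here). The Broad bullet also still reads "most of users", which should be "most users".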
### Moving devices between update groups
-You might want some devices to receive updates last and others that you want to go first. To move these devices into the appropriate update group, [submit an administrator support request](../working-with-managed-desktop/admin-support.md) and we will move the devices for you.
-
-> [!NOTE]
-> If you need to move a user to a different update group, submit a support request. Do not move devices between update groups yourself. There are serious consequences if a device is moved incorrectly. The device could update unexpectedly and policies might conflict, changing the device configuration.
+You might want some devices to receive updates last and others that you want to go first. To move these devices into the appropriate update group, see [Assign devices to a deployment group](../working-with-managed-desktop/assign-deployment-group.md).
For more information on roles and responsibilities within these deployment groups, see [Microsoft Managed Desktop Roles and responsibilities](../intro/roles-and-responsibilities.md) ### Using Microsoft Managed Desktop update groups
-There are parts of the service that you manage, like app deployment, where it might be necessary to target all managed devices. In these instances, it makes sense to use update groups to reach those users with the understanding that you cannot add, remove, or change the membership of those groups.
+There are parts of the service that you manage, like app deployment, where it might be necessary to target all managed devices.
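Review bot: the rewritten "Using Microsoft Managed Desktop update groups" section is now a single sentence ("...where it might be necessary to target all managed devices.") that sets up a scenario but no longer says what to do about it, because the guidance to use the update groups (and the caveat that you cannot change their membership) was removed; either add the replacement guidance, presumably a link to the assign-deployment-group page referenced a few lines above, or drop the heading. The "Moving devices between update groups" change also drops the note warning that moving a device incorrectly can trigger unexpected updates and policy conflicts; if that warning now lives in assign-deployment-group.md, fine, otherwise keep a short version here.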
## How update deployment works:
-1. Microsoft Managed Desktop deploys a new feature or quality update according the schedule specified in the following table.
+1. Microsoft Managed Desktop deploys a new feature or quality update according to the schedule specified in the following table.
2. During deployment, Microsoft Managed Desktop monitors for signs of failure or disruption based on diagnostic data and the user support system. If any are detected, we immediately pause the deployment to all current and future groups. - Example: if an issue is discovered while deploying a quality update to the First group, then update deployments to First, Fast, and Broad will all be paused until the issue is resolved. - You can report compatibility issues by filing a ticket in the Microsoft Managed Desktop Admin portal. - Feature and quality updates are paused independently. Pause is in effect for 35 days by default, but can be reduced or extended depending on whether the issue is remediated.
-3. Once the groups are un-paused, deployment resumes according to the schedule in the table.
+3. Once the groups are unpaused, deployment resumes according to the schedule in the table.
This deployment process applies to both feature and quality updates, though the timeline varies for each. -- <table> <tr><th colspan="5">Update deployment settings</th></tr> <tr><th>Update type</th><th>Test</th><th>First</th><th>Fast</th><th>Broad</th></tr>
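Review bot: step 2 still tells readers to report compatibility issues "by filing a ticket in the Microsoft Managed Desktop Admin portal", while the add-admin-contacts change in this same batch moves that workflow to Microsoft Endpoint Manager; align the reference. The "according the" to "according to" and "un-paused" to "unpaused" fixes are fine. The `<table>` fragment at the end is cut off in this view, so confirm the HTML table is closed properly in the file.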
Any devices found with Windows Insider builds might be put into the Test group a
## Bandwidth management
-We use [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) for all operating system and driver updates. This minimizes the download size from the Windows Update service by seeking updates from peers within the corporate network.
+We use [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) for all operating system and driver updates. Delivery Optimization minimizes the download size from the Windows Update service by seeking updates from peers within the corporate network.
managed-desktop Assign Deployment Group https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/assign-deployment-group.md
+
+ Title: Assign devices to a deployment group
+description: How to specify which deployment group you want devices to be in
+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
++
+ms.localizationpriority: normal
++++++
+# Assign devices to a deployment group
+
+Microsoft Managed Desktop will assign devices to the various deployment groups, but you can specify or change group a device is assigned to a device by using the Admin portal. You change the assignment after a device is registered or after a user has enrolled.
+
+> [!IMPORTANT]
+> If you change the assignment, policies that are specific to that group will be applied to the device. The change might install the latest version of Windows 10 (including any new feature or quality updates). It's best to move just a few devices at first and then check the resulting user experience. Be aware that certain updates will restart the device. Double-check that you've selected the right devices to assign. It can take up to 24 hours for the assignment to take effect.
+
+To assign devices to a deployment group, follow these steps. If you want to move separate devices to different groups, repeat these steps for each group.
+
+1. In Microsoft Endpoint Manager, select **Devices** in the left pane. In the **Microsoft Managed Desktop** section, select **Devices**.
+2. Select the devices you want to assign. All selected devices will be assigned to the group you specify.
+3. Select **Device actions** from the menu.
+4. Select **Assign device to group**. A fly-in opens.
+5. Use the drop-down menu to select the group to move devices to, and then select **Save**. The **Group assigned by** will change to **Pending**.
+
+When the assignment is complete, **Group assigned by** will change to **Admin** (indicated that you made the change) and the **Group** column will show the new group assignment.
+
+> [!NOTE]
+> You can't move devices to other groups if they're in the "error" or "pending" registration state.
+>
+>If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't complete. If you don't see **Group assigned by** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [See device details in Intune](/mem/intune/remote-actions/device-inventory).
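Review bot: the intro sentence "you can specify or change group a device is assigned to a device by using the Admin portal" is garbled and names the "Admin portal" while step 1 says "In Microsoft Endpoint Manager"; suggest "you can specify or change the group a device is assigned to by using Microsoft Endpoint Manager". In the completion paragraph, "(indicated that you made the change)" should be "(indicating that you made the change)". The NOTE's back-reference to "**Pending** in Step 5" matches step 5 above, which is good.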
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [Find machines by tag](find-machines-by-tag.md) ####### [Get missing KBs](get-missing-kbs-machine.md) ####### [Set device value](set-device-value.md)
+####### [Update machine](update-machine-method.md)
+ ###### [Machine Action]()
security Api Release Notes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-release-notes.md
The following information lists the updates made to the Microsoft Defender for E
## Release notes - newest to oldest (dd.mm.yyyy)
+### 06.10.2021
+
+- Added new Export assessment API method - _Delta Export software vulnerabilities assessment (OData)_ [Export assessment methods and properties per device](get-assessment-methods-properties.md).
+ ### 05.25.2021 - Added new API [Export assessment methods and properties per device](get-assessment-methods-properties.md).
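Review bot: the section heading says entries are dated `dd.mm.yyyy`, but the new entry `06.10.2021` and the existing `05.25.2021` are clearly month-first (there is no 25th month), and read as dd.mm the new entry would be 6 October 2021, after the date of this update; change the format note to mm.dd.yyyy or rewrite the dates. The new bullet also reads awkwardly ("Added new Export assessment API method - _Delta Export ..._ [Export assessment methods and properties per device]"); a "see" before the link would make the sentence parse.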
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
Your organization's attack surface includes all the places where an attacker cou
Attack surface reduction rules target certain software behaviors, such as: -- Launching executable files and scripts that attempt to download or run files;-- Running obfuscated or otherwise suspicious scripts; and-- Performing behaviors that apps don't usually initiate during normal day-to-day work.
+- Launching executable files and scripts that attempt to download or run files
+- Running obfuscated or otherwise suspicious scripts
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
-Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
+Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.
For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
In the recommendation details pane, check for user impact to determine what perc
## Audit mode for evaluation
-Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.
+Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.
## Warn mode for users
You can set attack surface reduction rules for devices that are running any of t
- Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
-Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-endpoint.md), as well as reporting and configuration capabilities in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
+Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. The advanced capabilities - available only in Windows E5 - include:
+
+- The monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-endpoint.md)
+- The reporting and configuration capabilities in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center).
+
+These advanced capabilities aren't available with a Windows Professional or Windows E3 license. However, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft 365 Defender portal Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.
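Review bot: the two new bullet items have inconsistent terminal punctuation: "+- The monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-endpoint.md)" has no period while "+- The reporting and configuration capabilities in [Microsoft 365 Defender](...)." ends with one. Either end both with a period or neither; the rest of the page's bullet lists use no terminal period for fragments.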
-You can query Defender for Endpoint data in [Microsoft 365 Defender](microsoft-defender-security-center.md) by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
+You can query Defender for Endpoint data in [Microsoft 365 Defender](microsoft-defender-security-center.md) by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules might affect your environment.
Here is an example query:
If you are configuring attack surface reduction rules by using Group Policy or P
### Block abuse of exploited vulnerable signed drivers
-This rule prevents an application from writing a vulnerable, signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications \- _that have sufficient privileges_ \- to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.
+This rule prevents an application from writing a vulnerable signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications \- _that have sufficient privileges_ \- to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.
-This rule does not block a driver already existing on the system from being loaded.
+The **Block abuse of exploited vulnerable signed drivers** rule does not block a driver already existing on the system from being loaded.
>[!NOTE] >
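Review bot: "In-the-wild, vulnerable signed drivers can be exploited" keeps the hyphens from the removed line, but here the phrase is adverbial and should read "In the wild, vulnerable signed drivers can be exploited". The escaped "\- _that have sufficient privileges_ \-" also renders as spaced hyphens standing in for parenthetical dashes; plain commas ("by local applications that have sufficient privileges") would be cleaner and avoid the escaping.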
-> This rule can be configured using [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for MEM OMA-URI custom rules procedural information.
+> You can configure this rule using [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for MEM OMA-URI custom rules procedural information.
>
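Review bot: the rewritten sentence "You can configure this rule using [MEM OMA-URI](...) for MEM OMA-URI custom rules procedural information." is still ungrammatical: the trailing "for ... procedural information" has nothing to attach to. Split the instruction from the link description, for example "You can configure this rule by using MEM OMA-URI. See [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for the procedure for custom rules."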
-> This rule can also be configured using [PowerShell](enable-attack-surface-reduction.md#powershell).
+> You can also configure this rule using [PowerShell](enable-attack-surface-reduction.md#powershell).
>
-> You can use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
+> To have a driver examined, use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
This rule is supported in all versions in which ASR is supported; which is:
GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
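Review bot: "Web site" in "use this Web site to [Submit a driver for analysis]" should be "website" to match the rest of the docs set. While in this block, the context line "This rule is supported in all versions in which ASR is supported; which is:" misuses the semicolon; a colon alone ("...in which ASR is supported:") introduces the list.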
This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
-Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
+Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in:
GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
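Review bot: the change from a comma to a semicolon before "such as spawning a command prompt" introduces an error; "such as" introduces a dependent phrase, so the original comma was correct. The same sentence pair also has a subject-verb mismatch carried over from the removed line: "Malware that abuse Office as a vector often run VBA macros" should be "Malware that abuses Office as a vector often runs VBA macros", since "malware" is treated as singular elsewhere on the page ("Malware that abuses Office as a vector might attempt").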
### Block credential stealing from the Windows local security authority subsystem
-This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
+This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).
LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
This rule blocks the following file types from launching unless they meet preval
- Executable files (such as .exe, .dll, or .scr)
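Review bot: "by locking down Local Security Authority Subsystem Service (LSASS)" is missing its article; since the line is being touched anyway, make it "by locking down the Local Security Authority Subsystem Service (LSASS)".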
-Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
+Launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.
> [!IMPORTANT] > You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
-Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
+Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
This rule was introduced in:
This rule prevents Outlook from creating child processes, while still allowing l
This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE]
-> This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only.
+> This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only.
This rule was introduced in:
Intune name: `Advanced ransomware protection`
Configuration Manager name: `Use advanced protection against ransomware` GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`--
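Review bot: the removed and added lines of the Outlook note are identical in visible content ("This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only."), so this is a whitespace-only hunk. If the intent was only to normalize trailing whitespace that is fine, but a hunk with no visible change is easy to mistake for a lost edit; worth a word in the commit message.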
security Audit Windows Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/audit-windows-defender.md
Last updated 06/02/2021
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-If you're part of your organization's security team, you can configure attack surface reduction capabilities to run in audit mode to see how they'll work in your organization. In particular, you can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
+As part of your organization's security team, you can configure attack surface reduction capabilities to run in audit mode to see how they'll work. In audit mode, you can enable:
+
+- Attack surface reduction rules
+- Exploit protection
+- Network protection
+- And controlled folder access in audit mode
+
+Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
-You may want to enable audit mode when testing how the features will work in your organization. This will help make sure your line-of-business apps aren't affected. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time.
+You can enable audit mode when testing how the features will work. This will help make sure your line-of-business apps aren't affected. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time.
-The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.
+The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what affect the feature would have had if it was enabled.
To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
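Review bot: the last bullet of the new list, "+- And controlled folder access in audit mode", should be "- Controlled folder access": the leading "And" does not belong in a list item, and "in audit mode" repeats the lead-in sentence "In audit mode, you can enable:". Further down, "to see what affect the feature would have had" is a regression from "what impact": the noun is "effect" ("what effect the feature would have had").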
-You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](investigate-alerts.md).
+Use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](investigate-alerts.md).
-You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
+You can enable audit mode using Group Policy, PowerShell, and configuration service providers (CSPs).
> [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
You can use Group Policy, PowerShell, and configuration service providers (CSPs)
| Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) | Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)--
security Configure Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-attack-surface-reduction.md
Last updated 06/02/2021
# Configure attack surface reduction capabilities **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP] > Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink).
-Defender for Endpoint includes several attack surface reduction capabilities. To learn more, see [Overview of attack surface reduction capabilities](overview-attack-surface-reduction.md). To configure attack surface reduction in your environment, follow these steps:
+Defender for Endpoint includes several attack surface reduction capabilities. To learn more, see [Overview of attack surface reduction capabilities](overview-attack-surface-reduction.md). To configure attack surface reduction in your environment, follow these steps:
1. [Enable hardware-based isolation for Microsoft Edge](/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
-2. Enable application control.
+2. Enable application control.
- 1. Review base policies in Windows. See [example base policies](/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies).
- 2. See the [application control design guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide).
- 3. Refer to the [application control design guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
+ 1. Review base policies in Windows. See [Example Base Policies](/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies).
+ 2. See the [Windows Defender Application Control design guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide).
+ 3. Refer to [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
3. [Enable controlled folder access](enable-controlled-folders.md).
Defender for Endpoint includes several attack surface reduction capabilities. To
1. Get an overview of [Windows Defender Firewall with advanced security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). 2. Use the [Windows Defender Firewall design guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide) to decide how you want to design your firewall policies.
- 3. Use the [Windows Defender Firewall deployment guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide) to set up your organization's firewall with advanced security.
+ 3. Use the [Windows Defender Firewall deployment guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide) to set up your organization's firewall with advanced security.
> [!TIP] > In most cases, when you configure attack surface reduction capabilities, you can choose from among several methods:+ > - Microsoft Endpoint Manager (which now includes Microsoft Intune and Microsoft Endpoint Configuration Manager) > - Group Policy > - PowerShell cmdlets
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
Title: Configure Microsoft Defender Antivirus notifications
-description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints.
+description: Learn how to configure and customize both standard and other Microsoft Defender Antivirus notifications on endpoints.
keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh ms.prod: m365-security
Previously updated : 05/17/2021 Last updated : 06/16/2021
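Review bot: replacing "additional" with "other" in the description changes the meaning. "Additional notifications" is the term the article uses for the feature (Group Policy calls it "Enhanced notifications", and the new subheading "Use Group Policy to disable additional notifications" keeps the term), so the description should keep "standard and additional Microsoft Defender Antivirus notifications" rather than the vaguer "standard and other".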
-# Configure the notifications that appear on endpoints
+# Configure Microsoft Defender Antivirus notifications that appear on endpoints
**Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
+In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. Microsoft Defender Antivirus notifications appear on endpoints when scans are completed and threats are detected. Notifications follow both scheduled and manually triggered scans. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
-Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
+If you're part of your organization's security team, you can configure how notifications appear on endpoints, such as notifications that prompt for a system reboot or that indicate a threat has been detected and remediated.
-You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
-
-## Configure the additional notifications that appear on endpoints
+## Configure antivirus notifications using Group Policy or the Windows Security app
You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy. > [!NOTE]
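Review bot: the new heading "Configure antivirus notifications using Group Policy or the Windows Security app" drops "additional", so it now reads as though it covers all notifications and overlaps with the later "Configure standard notifications on endpoints using Group Policy" section, while the paragraph under it still says it is about "additional notifications, such as recent threat detection summaries". Keep "additional" in the heading. Also, in the merged intro paragraph "a summary of scans and threat detections appear at regular time intervals" the subject is "a summary", so it should be "appears"; the sentence is being rewritten here, so this is the place to fix it.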
-> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
+> In Windows 10, version 1607 the feature was called **Enhanced notifications** and was configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings for all versions of Windows 10, the notification feature is called **Enhanced notifications**.
-> [!IMPORTANT]
-> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
+### Use Group Policy to disable additional notifications
-**Use the Windows Security app to disable additional notifications:**
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**.
+2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-2. Select **Virus & threat protection** tile (or the shield icon on the left menu bar) and, then select **Virus & threat protection settings**
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
-3. Scroll to the **Notifications** section and click **Change notification settings**.
+4. Select **Administrative templates**.
-4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
+5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > Reporting**.
-**Use Group Policy to disable additional notifications:**
+6. Double-click **Turn off enhanced notifications**, and set the option to **Enabled**. Then select **OK**. This will prevent additional notifications from appearing.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+> [!IMPORTANT]
+> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+### Use the Windows Security app to disable additional notifications
-3. Click **Administrative templates**.
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**.
+
+2. Select **Virus & threat protection** tile (or the shield icon on the left menu bar) and, then select **Virus & threat protection settings**
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**.
+3. Scroll to the **Notifications** section and select **Change notification settings**.
+
+4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
-5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+> [!IMPORTANT]
+> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
-## Configure standard notifications on endpoints
+## Configure standard notifications on endpoints using Group Policy
You can use Group Policy to:
You can use Group Policy to:
- Hide all notifications on endpoints - Hide reboot notifications on endpoints
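Review bot: step 5 of the Group Policy procedure, "+5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > Reporting**.", has unbalanced bold markers on "Reporting**", which will render as literal asterisks; it should be "**Reporting**". The IMPORTANT callout ("Disabling additional notifications will not disable critical notifications...") is also now emitted twice, once after the Group Policy steps and again after the Windows Security app steps, whereas the removed version had it once; keeping a single copy before both subsections avoids the duplication. Minor: "Select **Virus & threat protection** tile (or the shield icon on the left menu bar) and, then select **Virus & threat protection settings**" has a stray comma after "and" and no terminal period.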
-Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information.
+Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information. Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](/configmgr/protect/deploy-use/monitor-endpoint-protection).
-> [!NOTE]
-> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](/configmgr/protect/deploy-use/monitor-endpoint-protection).
+To add custom contact information to endpoint notifications, see [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).
+
+### Use Group Policy to hide notifications
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
-See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) for instructions to add custom contact information to the notifications that users see on their machines.
+2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-**Use Group Policy to hide notifications:**
+3. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and click **Edit**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Client interface**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+5. Double-click **Suppress all notifications** and set the option to **Enabled**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
+6. Select **OK**. This will prevent additional notifications from appearing.
-4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+### Use Group Policy to hide reboot notifications
-**Use Group Policy to hide reboot notifications:**
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. Right-click the Group Policy Object you want to configure and then select **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**. 3. Click **Administrative templates**.
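Review bot: the closing sentence of the "Use Group Policy to hide notifications" procedure, "+6. Select **OK**. This will prevent additional notifications from appearing.", is inaccurate for this setting: the policy being enabled is **Suppress all notifications**, so it suppresses all notifications, not the "additional" (enhanced) ones; the sentence was carried over from the enhanced-notifications steps. Say "This will prevent notifications from appearing on the endpoint." Also, step 3 here merges "go to **Computer configuration** and then select **Administrative templates**" into one step, while the next procedure (unchanged context: "2. In the **Group Policy Management Editor** go to **Computer configuration**. 3. Click **Administrative templates**.") keeps them as two steps; the two procedures should use the same step breakdown.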
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Client interface**.
-5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**.
-## Related topics
+5. Select **OK**. This will prevent additional notifications from appearing.
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)-- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
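Review bot: the reboot-notifications procedure now has two steps numbered "5." ("+5. Double-click **Suppresses reboot notifications**..." and "+5. Select **OK**..."); the second should be "6.". That second step again says "This will prevent additional notifications from appearing", but the policy is **Suppresses reboot notifications**, so it should read "This will prevent reboot notifications from appearing." Separately, the "## Related topics" heading and both of its links ([Microsoft Defender Antivirus in Windows 10] and [Configure end-user interaction with Microsoft Defender Antivirus]) are removed with no replacement in this hunk; confirm that is intentional rather than a lost section.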
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
# Customize attack surface reduction rules **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:+ - Windows 10 Pro, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later
You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configu
## Exclude files and folders
-You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
+You can choose to exclude files and folders from being evaluated by attack surface reduction rules. When excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
For example, consider the ransomware rule:
-The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule will error on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's ΓÇ£reputation and trustΓÇ¥ values are incrementally upgraded as non-problematic usage increases.
+The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errors on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's ΓÇ£reputation and trustΓÇ¥ values are incrementally upgraded as non-problematic usage increases.
In cases in which blocks arenΓÇÖt self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.
You can customize the notification for when a rule is triggered and blocks an ap
## Related topics
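Review bot: "By default, the ransomware rule errors on the side of caution and protect against files" still has two problems: the idiom is "err on the side of caution", and after changing "will ... protect" to present tense the second verb must agree too, so the line should read "errs on the side of caution and protects against files". The quotation marks in "ΓÇ£reputation and trustΓÇ¥" (and the apostrophe in "arenΓÇÖt" on the following context line) are curly punctuation decoded in the wrong code page; check that the file is saved as UTF-8 and prefer straight quotes and apostrophes so the rendering does not depend on the viewer's encoding.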
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
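Review bot: the last Related topics item, "[Attack surface reduction FAQ](attack-surface-reduction.md)", points at the same file as the first item, "[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)". Since this hunk only switches the bullet style from "*" to "-", the target was not looked at; verify the FAQ link points at the FAQ article rather than duplicating the first link.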
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
Each ASR rule contains one of four settings:
> [!IMPORTANT] > Currently, warn mode is not supported for three ASR rules when you configure ASR rules in Microsoft Endpoint Manager (MEM). To learn more, see [Cases where warn mode is not supported](attack-surface-reduction.md#cases-where-warn-mode-is-not-supported).
-It's highly recommended to use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint). However, if you have another license, such as Windows Professional or Windows E3 that don't include advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding).
+It's highly recommended to use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint). However, if you have another license, such as Windows Professional or Windows E3 that don't include advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (for example, Event Forwarding).
> [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
>[!NOTE] > Conflict handling:
->
+>
> If you assign a device two different ASR policies, the way conflict is handled is rules that are assigned different states, there is no conflict management in place, and the result is an error.
->
+>
> Non-conflicting rules will not result in an error, and the rule will be applied correctly. The result is that the first rule is applied, and subsequent non-conflicting rules are merged into the policy. ## MDM
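Review bot: the two `->`/`+>` pairs in the conflict-handling note appear to differ only in trailing whitespace, which is fine, but while this note is being touched the first sentence is ungrammatical: "the way conflict is handled is rules that are assigned different states, there is no conflict management in place, and the result is an error". Suggest "if the two policies assign the same rule different states, there is no conflict management in place and the result is an error". Also, "## MDM" should start on its own line after the note rather than trailing the last quoted sentence.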
security Evaluate Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
ms.technology: mde
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Attack surface reduction rules help close off many of the common entry points used by malware and ransomware.
+Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Attack surface reduction rules help close off many of the common entry points used by malware and ransomware.
Set attack surface reduction rules for devices running any of the following editions and versions of Windows:
Set attack surface reduction rules for devices running any of the following edit
- [Windows Server 2019](/windows-server/get-started-19/whats-new-19) > [!WARNING]
-> Enabling attack service reduction rules on Windows Server 2016 may lead to unexpected results and impact server performance. We do not recommend enabling or deploying attack surface reduction rules to unsupported platforms.
+> Enabling attack service reduction rules on Windows Server 2016 might lead to unexpected results, and impact server performance. We do not recommend enabling or deploying attack surface reduction rules to unsupported platforms.
-Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization.
+Learn how to evaluate attack surface reduction rules by [enabling audit mode](audit-windows-defender.md) to test the feature directly in your organization.
> [!TIP] > You can also visit the Microsoft Defender for Endpoint demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
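Review bot: the warning line still says "attack service reduction rules" on both the removed and the added version; since the line is being edited anyway ("may" to "might"), correct it to "attack surface reduction rules" in the same change. The added comma in "might lead to unexpected results, and impact server performance" splits a compound predicate; suggest "might lead to unexpected results and impact server performance". The new link to audit-windows-defender.md on the following `+` line is correct.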
See [Customize attack surface reduction rules](customize-attack-surface-reductio
## See also
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+- [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
security Event Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-views.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Reviewing events is handy when you're evaluating the features. You can enable au
This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
-Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
+Get detailed reporting into events, blocks, and warnings as part of Windows Security if you have an E5 subscription and use [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
## Use custom views to review attack surface reduction capabilities
You can also manually navigate to the event area that corresponds to the feature
3. Select **Action** > **Import Custom View...**
- ![Animation highlighting Import custom view on the left of the Even viewer window](/windows/security/threat-protection/images/events-import)
+ > [!div class="mx-imgBorder"]
+ > ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)
4. Navigate to where you extracted XML file for the custom view you want and select it.
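Review bot: the alt text on the new image line still reads "Even viewer" instead of "Event viewer"; as the line is being rewritten for the new relative path `images/events-import.gif` and the `[!div class="mx-imgBorder"]` wrapper, fix the typo here. The same "Even viewer" typo is carried into the second new image line (`images/events-create.gif`) later in this change.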
You can also manually navigate to the event area that corresponds to the feature
2. On the left panel, under **Actions**, select **Create Custom View...**
- ![Animation highlighting the create custom view option on the Event viewer window](/windows/security/threat-protection/images/events-create)
+ > [!div class="mx-imgBorder"]
+ > ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif)
3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**. 4. Paste the XML code for the feature you want to filter events from into the XML section.
-5. Select **OK**. Specify a name for your filter.
-
-6. It will create a custom view that filters to only show the events related to that feature.
+5. Select **OK**. Specify a name for your filter. This creates a custom view that filters to only show the events related to that feature.
### XML for attack surface reduction rule events
You can access these events in Windows Event viewer:
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below. 3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking.
- ![Animation showing using Event Viewer](/windows/security/threat-protection/images/event-viewer)
+ ![Animation showing using Event Viewer](images/event-viewer.gif)
Feature | Provider/source | Event ID | Description :-|:-|:-:|:-
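Review bot: the third image (`images/event-viewer.gif`) is moved to the relative path but, unlike the two images above it in this change, is not wrapped in `> [!div class="mx-imgBorder"]`; apply the wrapper for consistency or note why this one is excluded. The table header directly below has its alignment row `:-|:-|:-:|:-` run onto the header line; it must be on its own line for the table to render.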
security Exposed Apis List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-list.md
Topic | Description
:|: [Advanced Hunting](run-advanced-query-api.md) | Run queries from API. [Alert methods and properties](alerts.md) | Run API calls such as \- get alerts, create alert, update alert and more.
-[Export assessment methods and properties per device](get-assessment-methods-properties.md) | Run API calls such as \- export secure configuration assessment, export software inventory assessment, and export software vulnerabilities assessment.
+[Export assessment methods and properties per device](get-assessment-methods-properties.md) | Run API calls to gather vulnerability assessments on a per-device basis, such as: \- export secure configuration assessment, export software inventory assessment, export software vulnerabilities assessment, and delta export software vulnerabilities assessment.
[Automated Investigation methods and properties](investigation.md) | Run API calls such as \- get collection of Investigation. [Get domain related alerts](get-domain-related-alerts.md) | Run API calls such as \- get domain-related devices, domain statistics and more. [File methods and properties](files.md) | Run API calls such as \- get file information, file related alerts, file related devices, and file statistics.
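Review bot: the new description cell mixes two list styles: "such as: \- export secure configuration assessment, ..." renders the escaped hyphen as a literal "- " right after a colon, while every other row in this table uses "such as \- get alerts, ..." with no colon. Use one form. Listing the new "delta export software vulnerabilities assessment" here is correct, as it matches the 3.4 section added to get-assessment-methods-properties.md in this same change.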
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - ## API description Provides methods and property details about the APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
Provides methods and property details about the APIs that pull threat and vuln
> > Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
-There are three API methods that you can use to retrieve (export) different types of information:
+You can use the export assessment APIs to retrieve (export) different types of information:
+
+- [1. Export secure configurations assessment](#1-export-secure-configurations-assessment)
-1. Export secure configurations assessment
+- [2. Export software inventory assessment](#2-export-software-inventory-assessment)
-2. Export software inventory assessment
+- [3. Export software vulnerabilities assessment](#3-export-software-vulnerabilities-assessment)
-3. Export software vulnerabilities assessment
+The APIs that correspond to the export information types are described in sections 1, 2, and 3.
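Review bot: the new bulleted list links to sections 1 to 3 but does not mention the delta export that this same change documents in section 3.4 and advertises in exposed-apis-list.md; add a sub-bullet under item 3 (or a fourth bullet) so readers of this overview find it. Also, the interleaving of `+` and `-` lines here shows the old numbered items and the new link bullets alternating; confirm the resulting file has only the three link bullets and no leftover plain-numbered items.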
For each method, there are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
Method | Data type | Description
:|:|: Export software vulnerabilities assessment **(OData)** | Investigation collection See: [3.2 Properties (OData)](#32-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Export software vulnerabilities assessment **(via files)** | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+**Delta export** software vulnerabilities assessment **(OData)** | Investigation collection See: [3.4 Properties Delta export OData)](#34-properties-delta-export-odata) | Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. <br><br> The API pulls data in your organization as Json responses, following the OData protocol. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (OData) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export OData API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
### 3.2 Properties (OData)
Property (ID) | Data type | Description
Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization. GeneratedTime | string | The time that the export was generated.
+### 3.4 Properties (delta export OData)
+
+Property (ID) | Data type | Description
+:|:|:
+CveIdΓÇ»| string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
+CvssScore | string | The CVSS score of the CVE.
+DeviceId | string | Unique identifier for the device in the service.
+DeviceName | string | Fully qualified domain name (FQDN) of the device.
+DiskPaths | Array[string] | Disk evidence that the product is installed on the device.
+EventTimestamp | String | The time this delta event was found.
+ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
+FirstSeenTimestamp | string | First time the CVE of this product was seen on the device.
+Id | string | Unique identifier for the record.  
+LastSeenTimestamp | string | Last time the CVE was seen on the device.
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
+RecommendationReference | string | A reference to the recommendation ID related to this software.
+RecommendedSecurityUpdateΓÇ» | string | Name or description of the security update provided by the software vendor to address the vulnerability.
+RecommendedSecurityUpdateIdΓÇ» | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
+RegistryPathsΓÇ» | Array[string] | Registry evidence that the product is installed in the device.
+SoftwareName | string | Name of the software product.
+SoftwareVendor | string | Name of the software vendor.
+SoftwareVersion | string | Version number of the software product.
+Status | String | **New** (for a new vulnerability introduced on a device). **Fixed** (for a vulnerability that doesn’t exist anymore on the device, which means it was remediated). **Updated** (for a vulnerability on a device that has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate).
+VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
+ ## See also - [Export secure configuration assessment per device](get-assessment-secure-config.md)
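Review bot: the added lines contain mojibake from a save in the wrong encoding: `ΓÇ£`/`ΓÇ¥` where curly quotes were intended (`ΓÇ£deltaΓÇ¥`, `ΓÇ£Unassigned.ΓÇ¥`), `ΓÇÖ` for an apostrophe (`youΓÇÖll`, `doesnΓÇÖt`), and `ΓÇ»` for a non-breaking space glued to property IDs (`CveIdΓÇ»`, `RecommendedSecurityUpdateΓÇ»`, `RecommendedSecurityUpdateIdΓÇ»`, `RegistryPathsΓÇ»`). Re-save as UTF-8 and use plain ASCII quotes; the trailing NBSP on the ID cells would otherwise become part of the rendered property name. Two smaller points in the same table: the link text "See: [3.4 Properties Delta export OData)]" is missing its opening parenthesis, and the summary row says "An entry for every unique combination of ... CveId, and EventTimestamp" while the 3.1 description of the same API in get-assessment-software-vulnerabilities.md omits EventTimestamp from the key; align the two.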
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
->
> Returns all of the configurations and their status, on a per-device basis.
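Review bot: removing the empty `>` line merges the "Sign up for a free trial" call-out and "Returns all of the configurations and their status, on a per-device basis." into one blockquote paragraph, so the API description will render as part of the trial note. If two paragraphs were intended, keep the blank `>` line; if the description is meant to be body text, drop its `>` prefix instead. The same deletion is made in get-assessment-software-inventory.md and get-assessment-software-vulnerabilities.md in this change.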
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
->
> There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
->
> Returns all known software vulnerabilities and their details for all devices, on a per-device basis.
-There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved:
+
+1. [Export software vulnerabilities assessment OData](#1-export-software-vulnerabilities-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
-- [Export software vulnerabilities assessment OData](#1-export-software-vulnerabilities-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+2. [Export software vulnerabilities assessment via files](#2-export-software-vulnerabilities-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Via-files is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
-- [Export software vulnerabilities assessment via files](#2-export-software-vulnerabilities-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+ - Call the API to get a list of download URLs with all your organization data.
- - Call the API to get a list of download URLs with all your organization data.
+ - Download all the files using the download URLs and process the data as you like.
- - Download all the files using the download URLs and process the data as you like.
+3. [Delta export software vulnerabilities assessment OData](#3-delta-export-software-vulnerabilities-assessment-odata) Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp.
+The API pulls data in your organization as Json responses, following the OData protocol. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. <br><br> Unlike the full software vulnerabilities assessment (OData) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export OData API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
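Review bot: item 3 of the new numbered list gives the unique key as "DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp", but section 3.1 added later in this file states "DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId"; decide whether EventTimestamp is part of the key and say the same thing in both places. The continuation line starting "The API pulls data in your organization as Json responses" is not indented under item 3, so it will break out of the list; indent it, and replace the `<br><br>` inside it with a real paragraph break. The line also carries the `ΓÇ£`/`ΓÇ¥`/`ΓÇÖ` encoding artefacts seen elsewhere in this change and needs plain quotes. Dropping the hyphen in "100-K devices" is fine, but "100 K" with a space is unusual; "100,000" or "100K" reads better.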
ExploitabilityLevel | string | The exploitability level of this vulnerability (N
FirstSeenTimestamp | string | First time the CVE of this product was seen on the device. | 2020-11-03 10:13:34.8476880 Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp! LastSeenTimestamp | string | Last time the CVE was seen on the device. | 2020-11-03 10:13:34.8476880
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
+OSPlatform | string | Platform of the operating system running on the device. This property indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers RecommendationReference | string | A reference to the recommendation ID related to this software. | va-_-microsoft-_-silverlight RecommendedSecurityUpdate (optional) | string | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates
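Review bot: changing "This indicates" to "This property indicates" is an improvement, but the identical OSPlatform description is added twice more in this change with the old wording (the 3.5 table later in this file and the 3.4 table in get-assessment-methods-properties.md); update all three together. Both the old and new line also say "See tvm supported operating systems and platforms for details" without a link; either link the reference or spell out the feature name so readers can find it.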
GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabiliti
} ```
+## 3. Delta export software vulnerabilities assessment (OData)
+
+### 3.1 API method description
+
+Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls data in your organization as Json responses, following the OData protocol. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (OData) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥
+
+>[!NOTE]
+>
+>It is highly recommended you use the full export software vulnerabilities assessment by device API call at least once a week, and this additional export software vulnerabilities changes by device (delta) API call all the other days of the week. Unlike the other Assessments OData API, the ΓÇ£delta exportΓÇ¥ is not a full export. The delta export includes only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call).
+
+#### Limitations
+
+- Maximum page size is 200,000.
+
+- The sinceTime parameter has a maximum of 14 days.
+
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 3.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+### 3.3 URL
+
+```http
+GET /api/machines/SoftwareVulnerabilityChangesByMachine
+```
+
+### 3.4 Parameters
+
+- sinceTime (required) ΓÇô The data between a selected time and today.
+- pageSize (default = 50,000) ΓÇô number of results in response
+- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+
+### 3.5 Properties
+
+Each returned record contains all the data from the full export software vulnerabilities assessment by device OData API, plus two additional fields: _**EventTimestamp**_ and _**Status**_.
+
+>[!NOTE]
+>-Some additional columns might be returned in the response. These columns are temporary and might be removed, so please use only the documented columns.
+>
+>-The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+<br>
+
+Property (ID) | Data type | Description | Example of returned value
+:|:|:|:
+CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992  
+CvssScore | string | The CVSS score of the CVE. | 6.2  
+DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1  
+DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com  
+DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | [ "C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe" ]  
+EventTimestamp | String | The time this delta event was found. | 2021-01-11T11:06:08.291Z
+ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) | ExploitIsInKit  
+FirstSeenTimestamp | string | First time the CVE of this product was seen on the device. | 2020-11-03 10:13:34.8476880  
+Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!  
+LastSeenTimestamp | string | Last time the CVE was seen on the device. | 2020-11-03 10:13:34.8476880  
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10  
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be “Unassigned.” If the organization doesn’t contain any RBAC groups, the value will be “None.” | Servers  
+RecommendationReference | string | A reference to the recommendation ID related to this software. | va--microsoft--silverlight  
+RecommendedSecurityUpdate  | string | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates  
+RecommendedSecurityUpdateId  | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles | 4550961  
+RegistryPaths  | Array[string] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome" ]  
+SoftwareName | string | Name of the software product. | chrome  
+SoftwareVendor | string | Name of the software vendor. | google  
+SoftwareVersion | string | Version number of the software product. | 81.0.4044.138  
+Status | String | **New** (for a new vulnerability introduced on a device) (1) **Fixed** (if this vulnerability doesn’t exist anymore on the device, which means it was remediated). (2) **Updated** (if a vulnerability on a device has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate). | Fixed
+VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape. | Medium  
+
+#### Clarifications
+
+- If the software was updated from version 1.0 to version 2.0, and both versions are exposed to CVE-A, you will receive 2 separate events:
+ a. Fixed ΓÇô CVE-A on version 1.0 was fixed
+ b. New ΓÇô CVE-A on version 2.0 was added
+
+- If a specific vulnerability (for example, CVE-A) was first seen at a specific time (for example, January 10) on software with version 1.0, and a few days later that software was updated to version 2.0 which also exposed to the same CVE-A, you will receive these two separated events:
+ a. Fixed ΓÇô CVE-X, FirstSeenTimestamp January 10, version 1,0.
+ b. New ΓÇô CVE-X, FirstSeenTimestamp January 10, version 2.0.
+
+### 3.6 Examples
+
+#### 3.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityChangesByMachine?pageSize=5&sinceTime=2021-05-19T18%3A35%3A49.924Z
+```
+
+#### 3.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.DeltaAssetVulnerability)",
+    "value": [
+        {
+            "id": "008198251234544f7dfa715e278d4cec0c16c171_chrome_87.0.4280.88__",
+            "deviceId": "008198251234544f7dfa715e278b4cec0c19c171",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_1c8fee370690ca24b6a0d3f34d193b0424943a8b8.DomainPII_0dc1aee0fa366d175e514bd91a9e7a5b2b07ee8e.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.19042.685",
+            "osArchitecture": "x64",
+            "softwareVendor": "google",
+            "softwareName": "chrome",
+            "softwareVersion": "87.0.4280.88",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [
+                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
+            ],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome"
+            ],
+            "lastSeenTimestamp": "2021-01-04 00:29:42",
+            "firstSeenTimestamp": "2020-11-06 03:12:44",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-google-_-chrome",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "00e59c61234533860738ecf488eec8abf296e41e_onedrive_20.64.329.3__",
+            "deviceId": "00e56c91234533860738ecf488eec8abf296e41e",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_82c13a8ad8cf3dbaf7bf34fada9fa3aebc124116.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.18363.1256",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "onedrive",
+            "softwareVersion": "20.64.329.3",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_USERS\\S-1-5-21-2127521184-1604012920-1887927527-24918864\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
+            ],
+            "lastSeenTimestamp": "2020-12-11 19:49:48",
+            "firstSeenTimestamp": "2020-12-07 18:25:47",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-onedrive",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "01aa8c73095bb12345918663f3f94ce322107d24_firefox_83.0.0.0_CVE-2020-26971_",
+            "deviceId": "01aa8c73065bb12345918693f3f94ce322107d24",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_42684eb981bea2d670027e7ad2caafd3f2b381a3.DomainPII_21eed80b086e76dbfa178eabfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.19042.685",
+            "osArchitecture": "x64",
+            "softwareVendor": "mozilla",
+            "softwareName": "firefox",
+            "softwareVersion": "83.0.0.0",
+            "cveId": "CVE-2020-26971",
+            "vulnerabilitySeverityLevel": "High",
+            "recommendedSecurityUpdate": "193220",
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [
+                "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
+            ],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 83.0 (x86 en-US)"
+            ],
+            "lastSeenTimestamp": "2021-01-05 17:04:30",
+            "firstSeenTimestamp": "2020-05-06 12:42:19",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-mozilla-_-firefox",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "026f0fcb12345fbd2decd1a339702131422d362e_project_16.0.13701.20000__",
+            "deviceId": "029f0fcb13245fbd2decd1a336702131422d392e",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_a5706750acba75f15d69cd17f4a7fcd268d6422c.DomainPII_f290e982685f7e8eee168b4332e0ae5d2a069cd6.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.19042.685",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "project",
+            "softwareVersion": "16.0.13701.20000",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ProjectProRetail - en-us"
+            ],
+            "lastSeenTimestamp": "2021-01-03 23:38:03",
+            "firstSeenTimestamp": "2019-08-01 22:56:12",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-project",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "038df381234510b357ac19d0113ef622e4e212b3_chrome_81.0.4044.138_CVE-2020-16011_",
+            "deviceId": "038df381234510d357ac19b0113ef922e4e212b3",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596a43a2ef2bbfa00f6a16c0cb1d108bc63e32.DomainPII_3c5fefd2e6fda2f36257359404f6c1092aa6d4b8.net",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.18363.1256",
+            "osArchitecture": "x64",
+            "softwareVendor": "google",
+            "softwareName": "chrome",
+            "softwareVersion": "81.0.4044.138",
+            "cveId": "CVE-2020-16011",
+            "vulnerabilitySeverityLevel": "High",
+            "recommendedSecurityUpdate": "ADV 200002",
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [
+                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
+            ],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-E3C54949024A}"
+            ],
+            "lastSeenTimestamp": "2020-12-10 22:45:41",
+            "firstSeenTimestamp": "2020-07-26 02:13:43",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-google-_-chrome",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        }
+    ],
+    "@odata.nextLink": "https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-01-11&pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+```
+ ## See also - [Export assessment methods and properties per device](get-assessment-methods-properties.md)
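Review bot: the `@odata.nextLink` at the end of the sample response points at `https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?...`, an internal staging host, while `@odata.context` uses `https://api.securitycenter.microsoft.com`; a reader who builds a paging loop from this sample would send their bearer token to the wrong host, so the nextLink should carry the public API host with the same path and `$skiptoken`. Two consistency points in the same sample: the prefix of each `id` and the entry's `deviceId` don't match (for example `...278d4cec0c16c171` in the id versus `...278b4cec0c19c171` in `deviceId`), which defeats the obvious way a reader learns the id format, and `lastSeenTimestamp`/`firstSeenTimestamp` use `2021-01-04 00:29:42` while `eventTimestamp` uses ISO 8601 `2021-01-11T11:06:08.291Z`; if the API really returns two formats, say so, otherwise normalize the sample. The `rbacGroupName` value `hhh` also reads as a leftover placeholder.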
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> [!IMPORTANT] > On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+## 101.32.69 (20.121042.13269.0)
+
+- Addressed an issue where concurrent access to the keychain from Microsoft Defender for Endpoint and other applications can lead to keychain corruption.
+ ## 101.29.64 (20.121042.12964.0) - Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
security Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine.md
Method|Return Type |Description
[Find machines by tag](find-machines-by-tag.md) | [machine](machine.md) collection | Find machines by [Tag](machine-tags.md). [Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID [Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md).
+[Update machine](update-machine-method.md) |[machine](machine.md) collection | Get the update status of a machine.
## Properties
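Review bot: the description of the new `Update machine` row, "Get the update status of a machine", doesn't match the API it links to: update-machine-method.md (added in this same changeset) is a PATCH that "Updates properties of existing Machine" (`machineTags` and `deviceValue`) and returns a single machine entity, not a collection. Suggest `[Update machine](update-machine-method.md) | [machine](machine.md) | Update the tags or device value of a machine.` so the return type column matches the 200 OK response described there.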
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
Last updated 06/02/2021
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink).
-Your attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Defender for Endpoint includes several capabilities to help reduce your attack surfaces. Watch the following video to learn more about attack surface reduction.<p>
+Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Defender for Endpoint includes several capabilities to help reduce your attack surfaces. Watch the following video to learn more about attack surface reduction.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
As mentioned in the video, Defender for Endpoint includes several attack surface
| Article | Description | |:|:|
-| [Hardware-based isolation](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
+| [Hardware-based isolation](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. Use container isolation for Microsoft Edge to help guard against malicious websites. |
| [Application control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Use application control so that your applications must earn trust in order to run. | | [Controlled folder access](controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus) | | [Network protection](network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus) |
-| [Exploit protection](exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
+| [Exploit protection](exploit-protection.md) | Help protect the operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
| [Attack surface reduction rules](attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus). |
-| [Device control](device-control-report.md) | Protects against data loss by monitoring and controlling media used on devices, such as removable storage and USB drives, in your organization. |
+| [Device control](device-control-report.md) | Protects against data loss by monitoring and controlling media used on devices, such as removable storage and USB drives, in your organization. |
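Review bot: the Device control row shows no visible difference between the removed and added line, so this is a whitespace-only edit; if that is intended, fine, but check for a trailing space that the linter will flag. While in this table, the "(Requires Microsoft Defender Antivirus)" qualifier is punctuated inconsistently across rows (no period on the Controlled folder access and Network protection rows, a period after the parenthesis on the Attack surface reduction rules row); pick one form.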
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
-Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
+Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check on activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
You can contain an attack in your organization by stopping the malicious process
> You can only take this action if: > > - The device you're taking the action on is running Windows 10, version 1703 or later
-> - The file does not belong to trusted third-party publishers or not signed by Microsoft
+> - The file does not belong to trusted third-party publishers or is not signed by Microsoft
> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data such as registry keys.
This action takes effect on devices with Windows 10, version 1703 or later, wher
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
+ - **Alerts** - click the corresponding links from the Description or Details in the Alert Story timeline
- **Search box** - select **File** from the dropΓÇôdown menu and enter the file name > [!NOTE]
You can also submit a sample through the [Microsoft Security Center Portal](http
> [!NOTE] > Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint.
-When the sample is collected, Defender for Endpoint runs the file in a secure environment. It then creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
- ### Submit files for deep analysis 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- - Alerts - select the file links from the **Description** or **Details** in the Artifact timeline
+ - **Alerts** - select the file links from the **Description** or **Details** in the Alert Story timeline
- **Devices list** - select the file links from the **Description** or **Details** in the **Device in organization** section
- - Search box - select **File** from the dropΓÇôdown menu and enter the file name
+ - **Search box** - select **File** from the dropΓÇôdown menu and enter the file name
2. In the **Deep analysis** tab of the file view, select **Submit**.
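Review bot: the reworded prerequisite "The file does not belong to trusted third-party publishers or is not signed by Microsoft" is still logically wrong: with "or", a Microsoft-signed binary satisfies the first clause and would appear eligible for Stop and Quarantine, the opposite of the intent. Suggest "The file is not signed by Microsoft or by a trusted third-party publisher". The touched line `- **Search box** - select **File** from the dropΓÇôdown menu` carries over a mis-encoded en dash (`ΓÇô`); since the line is being edited anyway, replace it with "drop-down". Also, the removed paragraph "When the sample is collected, Defender for Endpoint runs the file in a secure environment..." is the only place this section explains what deep analysis produces (dropped files, IP communication, registry modifications); unless it was moved elsewhere in the article, keep it.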
security Update Machine Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-machine-method.md
+
+ Title: Update machine entity API
+description: Learn how to update machine tags by using this API. You can update the tags and devicevalue properties.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+MS.technology: mde
+++
+# Update machine
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
++++
+## API description
+Updates properties of existing [Machine](machine.md).
+<br>Updatable properties are: ```machineTags``` and ```deviceValue```.
++
+## Limitations
+1. You can update machines that are available in the API.
+2. Update machine only appends tags to the tag collection. If tags exist, they must be included in the tags collection in the body.
+3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
++
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:|:|:
+Application | Machine.ReadWrite.All | 'Read and write machine information for all machines'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation'. For more information, see [Create and manage roles](user-roles.md).
+>- The user needs to have access to the device associated with the alert, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md).
+
+## HTTP request
+```
+PATCH /api/machines/{machineId}
+```
+
+## Request headers
+
+Name | Type | Description
+:|:|:
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
++
+## Request body
+In the request body, supply the values for the relevant fields that should be updated.
+<br>Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
+<br>For best performance, you shouldn't include existing values that haven't change.
+
+Property | Type | Description
+:|:|:
+machineTags | String collection | Set of [machine](machine.md) tags.
+deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.
+
+## Response
+If successful, this method returns 200 OK, and the [machine](machine.md) entity in the response body with the updated properties.
+If machine tags collection in body doesn't contain existing machine tags - 400 Invalid Input and a message informing of the missing tag/s.
+If machine with the specified ID was not found - 404 Not Found.
++
+## Example
+
+**Request**
+
+Here's an example of the request.
+
+```http
+PATCH https://api.securitycenter.microsoft.com/api/machines/{machineId}
+```
+
+```json
+{
+ "deviceValue": "Normal",
+ "machineTags": [
+ "Demo Device",
+ "Generic User Machine - Attack Source",
+ "Windows 10",
+ "Windows Insider - Fast"
+ ]
+}
+```
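Review bot: the permissions note is copied from an alert API: "The user needs to have access to the device associated with the alert" makes no sense for `PATCH /api/machines/{machineId}`, where no alert is involved; it should say access to the device being updated, based on device group settings, and the "Alerts investigation" role requirement should be confirmed for this endpoint rather than inherited from that template. The Limitations and Response sections also pull in different directions as written: "Update machine only appends tags" suggests additive semantics, while "If machine tags collection in body doesn't contain existing machine tags - 400 Invalid Input" means the body must carry the full current tag set; state plainly that tags cannot be removed through this API and that the body must list every existing tag plus the new ones. Smaller fixes: "devicevalue" in the description should be `deviceValue` as in the body table; the inline triple backticks around ```machineTags``` and ```deviceValue``` should be single backticks; "haven't change" should be "haven't changed"; and the Example section has a Request but no Response, so add the 200 OK machine entity so readers can see the merged tag collection.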
security Api Supported https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-supported.md
Article | Description
-|- [Advanced Hunting API](api-advanced-hunting.md) | Run Advanced Hunting queries. [Incident APIs](api-incident.md) | List and update incidents, along with other practical tasks.
-[Streaming API](../defender-endpoint/raw-data-export.md) (Preview) | Ship real-time events and alerts as they occur in a single data stream.
+[Streaming API](streaming-api.md) (Preview) | Ship real-time events and alerts as they occur in a single data stream.
### Endpoint URIs
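Review bot: the Streaming API link is changed from `../defender-endpoint/raw-data-export.md` to `streaming-api.md`, a sibling of api-supported.md in the defender folder; confirm that file exists in this changeset (configure-event-hub.md is the only new defender-folder file visible here), otherwise this row becomes a broken link.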
security Configure Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-event-hub.md
+
+ Title: Configure your Event Hub
+description: Learn how to configure your Event Hub
+keywords: event hub, configure, insights
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+localization_priority: normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+MS.technology: mde
++
+# Configure your Event Hub
++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+Learn how to configure your Event Hub so that it can ingest events from Microsoft 365 Defender.
++
+## Setup the required Resource Provider in the Event Hub subscription
++
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Subscriptions \> {***Select the subscription the event hub will be deployed
+to***} \> Resource providers**.
+1. Verify that the **Microsoft.Insights** Provider is registered. Otherwise, register it.
+
+![Image of resource providers in Microsoft Azure](../../media/f893db7a7b1f7aa520e8b9257cc72562.png)
+
+## Setup Azure Active Directory App Registration
++
+>![NOTE]
+>You must have Administrator role or Azure Active Directory (AAD) must be
+set to allow non-Administrators to register apps. You must also have an Owner or
+User Access Administrator role to assign the service principal a role.
+For more information, see [Create an Azure AD app & service principal in the
+portal - Microsoft identity platform \| Microsoft
+Docs](/azure/active-directory/develop/howto-create-service-principal-portal).
+
+1. Create a new registration (which inherently creates a service principal) in
+**Azure Active Directory \> App registrations \> New registration.**
+
+1. Fill out the form with just the Name (no Redirect URI is required).
+
+ ![Image of register an application](../../media/336bc84e6be23900c43232b4ef0c253c.png)
+
+ ![Image of Overview information](../../media/06ac04c4ff713c2065cec2ef2f99a294.png)
+
+1. Create a secret by clicking on **Certificates & secrets \> New client secret**:
+
+ ![Image of certificates and secrets](../../media/d2ef88d3d2310d2c60c294b569cdf02e.png)
+
+>[!WARNING]
+>**You won't be able to access the client secret again so make sure
+to save it**.
+
+## Setup Event Hub namespace
++
+1. Create an Event Hub Namespace:
+
+ Go **to Event Hubs \> Add** and select the pricing tier, throughput units and
+ Auto-Inflate (requires standard pricing and under features) appropriate for the
+ load you are expecting.
+ For more information, see [Pricing - Event Hubs \| Microsoft
+ Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/)
+
+ >[!NOTE]
+ > You can use an existing event hub, but the throughput and scaling are set at the namespace level so it is recommended to place an event hub in itsown namespace.
+
+ ![Image of Event Hub name space](../../media/ebc4ca37c342ad1da75c4aee4018e51a.png)
+
+1. You will also need the Resource ID of this Event Hub Namespace. Go to your Azure Event Hubs namespace page \> Properties. Copy the text under Resource ID and record it for use during the M365 Configuration section below.
+
+ ![Image of properties](../../media/759498162a4e93cbf17c4130d704d164.png)
+
+1. Once the Event Hub Namespace is created you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver, and the user who will be logging into Microsoft 365 Defender as Contributor (this can also be done at Resource Group or Subscription level).
+
+ This is done in **Event Hubs Namespace \> Access Control (IAM) \> Add** and
+verify under **Role assignments**:
+
+ ![Image of access control](../../media/9c9c29137b90d5858920202d87680d16.png)
+
+## Setup Event Hub
++
+**Option 1:**
+
+You can create an Event Hub within your Namespace and **all** the Event Types
+(Tables) you select to export will be written into this **one** Event Hub.
+
+**Option 2:**
+
+Instead of exporting all the Event Types (Tables) into one Event Hub, you can
+export each table into a different Event Hub inside your Event Hub Namespace
+(one Event Hub per Event Type).
+
+In this option, Microsoft 365 Defender will create Event Hubs for you.
+>[!NOTE]
+> If you are using an Event Hub Namespace that is **not** part of an Event Hub Cluster, you will only be able to choose up to 10 Event Types (Tables) to export in each Export Settings you define, due to an Azure limitation of 10 Event Hubs per Event Hub Namespace.
+
+For example:
+
+![Image of example Event Hub](../../media/005c1f6c10c34420d387f594987f9ffe.png)
+
+If you choose this option, you can skip to the [Configure Microsoft 365
+Defender to send email tables](#configure-microsoft-365-defender-to-send-email-tables) section.
+
+Create an Event Hub within your Namespace by selecting **Event Hubs \> + Event
+Hub**.
+
+The Partition Count allows for additional throughput via parallelism, so it is
+recommended to increase this number based on the load you are expecting.
+Default Message Retention and Capture values of 1 and Off are recommended.
+
+![Image of create Event Hub](../../media/1db04b8ec02a6298d7cc70419ac6e6a9.png)
+
+For this Event Hub (not namespace) you will need to configure a Shared Access
+Policy with Send, Listen Claims. Click on your **Event Hub \> Shared access
+policies \> + Add** and then give it a Policy name (not used elsewhere) and
+check **Send** and **Listen**.
+
+![Image of shared access policies](../../media/1867d13f46dc6a0f4cdae6cf00df24db.png)
+
+## Configure Microsoft 365 Defender to send email tables
++
+### Setup Microsoft 365 Defender send Email tables to Splunk via Event Hub
++
+1. Login to Microsoft 365 Defender at <https://security.microsoft.com> with an
+account that meets all the following role requirements:
+
+ - Contributor role at the Event Hub *Namespace* Resource level or higher for
+ the Event Hub that you will be exporting to. Without this you will get an
+ export error when you try to save the settings.
+
+ - Global Admin or Security Admin Role on the tenant tied to Microsoft 365
+ Defender and Azure.
+
+ ![Image of security portal](../../media/55d5b1c21dd58692fb12a6c1c35bd4fa.png)
+
+1. Click on **Raw Data Export \> +Add**.
+
+ You will now use the data that your recorded above.
+
+ **Name**: This is local and should be whatever works in your environment.
+
+ **Forward events to event hub**: Select this checkbox.
+
+ **Event-Hub Resource ID**: This is the Event Hub Namespace Resource ID you
+ recorded above when you setup the Event Hub.
+
+ **Event-Hub name**: If you created an Event Hub inside your Event Hub Namespace, paste the Event Hub name you recorded above.
+
+ If you choose to let Microsoft 365 Defender to create Event Hubs per Event Types
+ (Tables) for you, leave this field empty.
+
+ **Event Types**: Select the Advanced Hunting tables that you want to forward to
+ the Event Hub and then on to your custom app. Alert tables are from Microsoft
+ 365 Defender, Devices tables are from Microsoft Defender for Endpoint (EDR), and
+ Email tables are from Microsoft Defender for Office 365. Email Events records
+ all Email Transactions. The URL (SafeLinks), Attachment (Safe Attachments) and
+ Post Delivery Events (ZAP) are also recorded and can be joined to the Email
+ Events on the NetworkMessageId field.
+
+ ![Image of streaming API settings](../../media/3b2ad64b6ef0f88cf0175f8d57ef8b97.png)
+
+1. Make sure to click **Submit**.
+
+### Verify that the events are being exported to the Event Hub
++
+You can verify that events are being sent to the Event Hub by running a basic
+Advanced Hunting query. Select **Hunting \> Advanced Hunting \> Query** and
+enter the following query:
+
+```
+EmailEvents
+|joinkind=fullouterEmailAttachmentInfoonNetworkMessageId
+|joinkind=fullouterEmailUrlInfoonNetworkMessageId
+|joinkind=fullouterEmailPostDeliveryEventsonNetworkMessageId
+|whereTimestamp\>ago(1h)
+|count
+```
+
+This will show you how many emails were received in the last hour joined across
+all the other tables. It will also show you if you are seeing events that could
+be exported to the event hub. If this count shows 0 then you won't see any data
+going out to the Event Hub.
+
+![Image of advanced hunting](../../media/c305e57dc6f72fa9eb035943f244738e.png)
+
+Once you have verified there is data to export, you can view the Event Hub to
+verify that messages are incoming. This can take up to one hour.
+
+1. In Azure, go to **Event Hubs \> Click on the Namespace \> Event Hubs \> Click on
+the Event Hub**.
+1. Under **Overview**, scroll down and in the Messages graph you should see
+Incoming Messages. If you don't see any results, then there will be no messages
+for your custom app to ingest.
+
+ ![Image of the overview tab with messages](../../media/e88060e315d76e74269a3fc866df047f.png)
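Review bot: the verification query in the code block has lost its whitespace and will not run as pasted: `|joinkind=fullouterEmailAttachmentInfoonNetworkMessageId` must be `| join kind=fullouter EmailAttachmentInfo on NetworkMessageId` (likewise for the other two joins), and `|whereTimestamp\>ago(1h)` must be `| where Timestamp > ago(1h)`; the `\>` escape is not needed inside a fence and would reach the query engine literally. Tag the fence `kusto` as well. Two least-privilege points: the shared access policy step asks for both Send and Listen claims on the event hub, but the page never says which component uses this policy, and the custom app reading from the hub, the only consumer described, needs Listen only, so either drop Send or explain what needs it; and the role assignment step says the Contributor grant for the signed-in user "can also be done at Resource Group or Subscription level", but since the export only needs the namespace, recommend scoping it to the namespace. Markup: `>![NOTE]` under "Setup Azure Active Directory App Registration" renders as a broken image rather than a note callout and should be `> [!NOTE]`. Wording: "Setup" as a verb in four headings should be "Set up"; the heading "Setup Microsoft 365 Defender send Email tables to Splunk via Event Hub" names Splunk while the rest of the page targets a custom app; "itsown" should be "its own"; "the data that your recorded above" should be "you recorded"; "let Microsoft 365 Defender to create" should drop "to"; "Login to" should be "Sign in to".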
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
New-TenantAllowBlockListItems -ListType <FileHash | Url> -Block -Entries "Value1
This example adds a block file entry for the specified files that never expires. ```powershell
-New-TenantAllowBlockListItem -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
+New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
``` This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com, www.contoso.com, and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.
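Review bot: the cmdlet name fix is correct (the syntax line above uses `New-TenantAllowBlockListItems`), but the first sample hash `768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3` is 63 hex characters, one short of a SHA-256, so the example is not usable as written; the second value is a well-formed 64-character hash. Replace the first with a valid 64-character value or an obvious placeholder.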
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-A variety of reports are available in the [Microsoft 365 Defender portal](https://security.microsoft.com) to help you see how email security features, such as anti-spam, anti-malware, and encryption features in Microsoft 365 are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view these reports in the Microsoft 365 Defender portal by going to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. To go directly to the Reports dashboard, open <https://security.microsoft.com/emailandcollabreport>.
+A variety of reports are available in the Microsoft 365 Defender portal at <https://security.microsoft.com> to help you see how email security features, such as anti-spam, anti-malware, and encryption features in Microsoft 365 are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view these reports in the Microsoft 365 Defender portal by going to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. To go directly to the **Email & collaboration reports** page, open <https://security.microsoft.com/emailandcollabreport>.
-![Reports dashboard in the Microsoft 365 Defender portal](../../media/email-collaboration-reports.png)
+![Email & collaboration reports page in the Microsoft 365 Defender portal](../../media/email-collaboration-reports.png)
+
+> [!NOTE]
+>
+> Some of the reports on the **Email & collaboration reports** page require Microsoft Defender for Office 365. For information about these reports, see [View Defender for Office 365 reports in the Microsoft 365 Defender portal](view-reports-for-mdo.md).
+>
+> Reports that are related to mail flow are now in the Exchange admin center (EAC). For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).
## Compromised users report
A variety of reports are available in the [Microsoft 365 Defender portal](https:
The **Compromised users** report shows shows the number of user accounts that were marked as **Suspicious** or **Restricted** within the last 7 days. Accounts in either of these states are problematic or even compromised. With frequent use, you can use the report to spot spikes, and even trends, in suspicious or restricted accounts. For more information about compromised users, see [Responding to a compromised email account](responding-to-a-compromised-email-account.md).
-![Compromised users widget in the Reports dashboard](../../media/compromised-users-report-widget.png)
+![Compromised users widget on the Email & collaboration reports page](../../media/compromised-users-report-widget.png)
The aggregate view shows data for the last 90 days and the detail view shows data for the last 30 days.
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Compromised users**. To go directly to the report, open <https://security.microsoft.com/reports/CompromisedUsers>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Compromised users**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/CompromisedUsers>.
-You can filter both the chart and the details table by clicking **Filters** and selecting one or more of the following values:
--- **Start date** and **End date**
+After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
-- **Suspicious**: The user account has sent suspicious email and is at risk of being restricted from sending email.
+- **Date (UTC)**: **Start date** and **End date**.
+- **Activity**:
+ - **Suspicious**: The user account has sent suspicious email and is at risk of being restricted from sending email.
+ - **Restricted**: The user account has been restricted from sending email due to highly suspicious patterns.
-- **Restricted**: The user account has been restricted from sending email due to highly suspicious patterns.
+When you're finished filtering, click **Apply** or **Cancel**.
![Report view in the Compromised users report](../../media/compromised-users-report-activity-view.png)
-If you click **View details table**, you can see the following details:
+In the table below the graph, you can see the following details:
- **Creation time** - **User ID** - **Action**
-To go back to the report view, click **View report**.
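Review bot: The duplicated word in the unchanged context line "The **Compromised users** report shows shows the number of user accounts" is left in place; since this commit already rewrites the lines around it, fix it to "shows the number" here. Also, the new filter list labels the date filter **Date (UTC)**, while the equivalent lists added later in this same change (Malware detections, Spoof detections) use **Date**; if the flyouts genuinely differ, fine, otherwise settle on one label.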
+## Exchange transport rule report
-## Encryption report
+The **Exchange transport rule** report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.
-The **Encryption report** is available in EOP (subscriptions with mailboxes in Exchange Online or standalone EOP without Exchange Online mailboxes). Your organization's security team can use information in this report to identify patterns and proactively apply or adjust policies for sensitive email messages. For example:
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Exchange transport rule**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>.
-- If you see a high number of email messages encrypted by users, you might want to add an encryption policy to automate encryption for certain use cases. For more information, see [Define mail flow rules to encrypt email messages in Microsoft 365](../../compliance/define-mail-flow-rules-to-encrypt-email.md).
+![Exchange transport rule widget on the Email & collaboration reports page](../../media/transport-rule-report-widget.png)
-- If you have a number of encryption templates available but no one is using them, you might explore whether users need feature training.
+After you click **View details**, the following charts and data are available:
-The aggregate view allows filtering for the last 90 days, while the detail view allows filtering for 10 days.
+- **View data by Exchange transport rules** \> **Chart breakdown by Direction**: This chart shows the number of **Inbound** and **Outbound** messages that were affected by mail flow rules.
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Encryption report**. To go directly to the report, open <https://protection.office.com/reportv2?id=EncryptionReport>.
+- **View data by Exchange transport rules** \> **Chart breakdown by Severity**: This chart shows the number of **High severity**, **Medium severity**, and **Low severity** messages. You set the severity level as an action in the rule (**Audit this rule with severity level** or _SetAuditSeverity_). For more information, see [Mail flow rule actions in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions).
-To learn more about encryption, see [Email encryption in Microsoft 365](../../compliance/email-encryption.md).
+- **View data by DLP Exchange transport rules** \> **Chart breakdown by Direction**: This chart shows the number of **Inbound** and **Outbound** messages that were affected by data loss prevention (DLP) mail flow rules.
-### Report view for the Encryption report
+- **View data by DLP Exchange transport rules** \> **Chart breakdown by Severity**: This view shows the number of **High severity**, **Medium severity**, and **Low severity** messages that were affected by DLP mail flow rules.
-You can use the following filters on the chart:
+For **View data by Exchange transport rules** selections, the following information is shown in the details table below the graph:
-- **View data by: Message Encryption Report** and **Break down by: Encryption method**: The following encryption methods are available:
+- **Date**
+- **Transport rule**
+- **Subject**
+- **Sender address**
+- **Recipient address**
+- **Severity**
+- **Direction**
- - **Encryption by user**
- - **Encryption by policy**
+For **View data by DLP Exchange transport rules** selections, the following information is shown in the details table below the graph:
- If you click **Filters**, you can modify the chart with the following filters:
+- **Date**
+- **DLP policy**
+- **Transport rule**
+- **Subject**
+- **Sender address**
+- **Recipient address**
+- **Severity**
+- **Direction**
- - **Start date** and **End date**
- - Encryption method.
- - Encryption template.
+You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
-- **View data by: Message Encryption Report** and **Break down by: Encryption template**: The following encryption methods are available:
+- **Start date** and **End date**
+- **Direction**: **Outbound** and **Inbound**
+- **Severity**: **High severity**, **Medium severity**, and **Low severity**
- - **Do not forward**
- - **Encrypt only**
- - **OME previous**
- - **Custom**
+![Report view in the Exchange transport rule report](../../media/transport-rule-report-report-view.png)
- If you click **Filters**, you can modify the chart with the following filters:
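Review bot: The filter list added for the Exchange transport rule report opens with a bare `- **Start date** and **End date**` bullet, whereas every other filter list added in this change nests those under a `- **Date**:` item; align the shape. The two details-table lists for the **View data by Exchange transport rules** and **View data by DLP Exchange transport rules** selections also repeat the same eight fields with only **DLP policy** added; a sentence saying "the same fields plus **DLP policy**" would be shorter and easier to keep in sync.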
+## Mailflow status report
- - **Start date** and **End date**
- - Encryption method
- - Encryption template
+The **Mailflow status report** is a smart report that shows information about incoming and outgoing email, spam detections, malware, email identified as "good", and information about email allowed or blocked on the edge. This is the only report that contains edge protection information, and shows just how much email is blocked before being allowed into the service for evaluation by Exchange Online Protection (EOP). It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.
-- **View data by: Top 5 recipient domains**: This view shows a pie chart with sent message counts for the top 5 recipient domains.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Mailflow status summary**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/mailflowStatusReport>.
- If you click **Filters**, you can select a **Start date** and **End date**.
+![Mailflow status summary widget on the Email & collaboration reports page](../../media/mail-flow-status-report-widget.png)
-### Details table view for the Encryption report
+### Type view for the Mailflow status report
-If you click **View details table**, the information that's shown depends on the chart you were looking at:
+When you open the report, the **Type** tab is selected by default. By default, this view contains a chart and a data table that's configured with the following filters:
-- **Break down by: Encryption method** or **Break down by: Encryption template**: The following information is shown:
+- **Date**: The last 7 days.
+- **Mail direction**:
+ - **Inbound**
+ - **Outbound**
+ - **Intra-org**: this count is for messages within a tenant i.e sender abc@domain.com sends to recipient xyz@domain.com (counted separately from **Inbound** and **Outbound**)
+- **Type**:
+ - **Good mail**
+ - **Malware**
+ - **Spam**
+ - **Edge protection**
+ - **Rule messages**
+ - **Phishing email**
+- **Domain**: **All**
- - **Date**
- - **Sender address**
- - **Encryption template**
- - **Encryption method**
- - **Recipient address**
- - **Subject**
+The chart is organized by the **Type** values.
-- **View data by: Top 5 recipient domains**:
+You can change these filters by clicking **Filter** or by clicking a value in the chart legend.
- - **Date**
- - **Recipient domain**
- - **Message count**
+The data table contains the following information:
-If you click **Filters** in a details table view, you can modify the results with the following filters:
+- **Direction**
+- **Type**
+- **24 hours**
+- **3 days**
+- **7 days**
+- **15 days**
+- **30 days**
-- **Start date** and **End date**-- Encryption method-- Encryption template
+If you click **Choose a category for more details**, you can select from the following values:
-To go back to the report view, click **View report**.
+- **Phishing email**: This selection takes you to the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).
+- **Malware in email**: This selection takes you to the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).
+- **Spam detections**: This selection takes you to the [Spam Detections report](view-email-security-reports.md#spam-detections-report).
+- **Edge blocked spam**: This selection takes you to the [Spam Detections report](view-email-security-reports.md#spam-detections-report).
-## Mailflow status report
+#### Export from Type view
-The **Mailflow status report** contains information about malware, spam, phishing and edge blocked messages. For more details, see [Mailflow status report](view-mail-flow-reports.md#mailflow-status-report).
+For the detail view, you can only export data for one day. So, if you want to export data for 7 days, you need to do 7 different export actions.
-## Malware detections in email report
+Each exported .csv file is limited to 150,000 rows. If the data for that day contains more than 150,000 rows, then multiple .csv files will be created.
-The **Malware detections in email** report shows information about malware detections in incoming and outgoing email messages (malware detected by Exchange Online Protection or EOP). For more information about malware protection in EOP, see [Anti-malware protection in EOP](anti-malware-protection.md).
+![Type view in the Mailflow status report](../../media/mail-flow-status-report-type-view.png)
- The aggregate view filter allows for 90 days, while the details table filter only allows for 10 days.
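Review bot: The **Choose a category for more details** bullets link to `view-email-security-reports.md#threat-protection-status-report` and `view-email-security-reports.md#spam-detections-report`, which is this very article; use in-page anchors (`#threat-protection-status-report`) as the Spam detections deprecation note later in this same change does. The **Intra-org** bullet also needs "i.e." and a capital "This", and the same explanation is repeated with three different wordings in the Type, Funnel and Tech views (`i.e sender`, `i.e, sender`, with and without bold on Inbound/Outbound); pick one wording and reuse it.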
+### Direction view for the Mailflow status report
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Malware detected in email**. To go directly to the report, open <https://security.microsoft.com/reports/MalwareDetections>.
+If you click the **Direction** tab, the same default filters from the **Type** view are used.
-![Malware detections in email widget in the Reports dashboard](../../media/malware-detections-widget.png)
+The chart is organized by **Direction** values.
-You can filter both the chart and the details table by clicking **Filters** and selecting:
+You can change these filters by clicking **Filter** or by clicking a value in the chart legend. The same filters from the **Type** view are used.
-- **Start date** and **End date**-- **Inbound**-- **Outbound**
+The data table contains same information from the **Type** view.
-![Report view in the Malware detection in email report](../../media/malware-detections-report-view.png)
+The **Choose a category for more details** available selections and behavior are the same as the **Type** view.
-If you click **View details table**, you can see the following details:
+#### Export from Direction view
-- **Date**-- **Sender address**-- **Recipient address**-- **Message ID**: Available in the **Message-ID** header field in the message header and should be unique. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).-- **Subject**-- **Filename**-- **Malware name**
+For the detail view, you can only export data for one day. So, if you want to export data for 7 days, you need to do 7 different export actions.
-To go back to the report view, click **View report**.
+Each exported .csv file is limited to 150,000 rows. If the data for that day contains more than 150,000 rows, then multiple .csv files will be created.
-## Mail latency report
+![Direction view in the Mailflow status report](../../media/mail-flow-status-report-direction-view.png)
-The **Mail latency report** contains information on the mail delivery and detonation latency experienced within your organization. For more information, see [Mail latency report](view-reports-for-mdo.md#mail-latency-report).
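Review bot: "The data table contains same information from the **Type** view" should read "contains the same information as the **Type** view." The **Export from Direction view** subsection is a verbatim copy of **Export from Type view** (one day per export, 150,000-row limit); a single Export paragraph stating that it applies to both tabs would avoid maintaining the same limitation text twice.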
+### Funnel view for the Mailflow status report
-## Sent and received email report
+The **Funnel** view shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. It provides details on the total email count, and how the configured threat protection features, including edge protection, anti-malware, anti-phishing, anti-spam, and anti-spoofing affect this count.
-The **Sent and received email** report contains information about malware, spam, mail flow rules (also known as transport rules), and advanced malware detections after email enters the service. For more information, see [Sent and received email report](view-mail-flow-reports.md#sent-and-received-email-report).
+If you click the **Funnel** tab, by default, this view contains a chart and a data table that's configured with the following filters:
-## Spam detections report
+- **Date**: The last 7 days.
-The **Spam detections** report shows spam email messages that were blocked by EOP. Messages are counted individually, not per recipient. For example, if the same spam message was sent to 100 recipients in your organization, it counts as one message.
+- **Direction**:
-The aggregate view allows for 90 days filtering, while the details table allows for 10 days filtering.
+ - **Inbound**
+ - **Outbound**
+ - **Intra-org**: This count is for messages sent within a tenant; i.e, sender abc@domain.com sends to recipient xyz@domain.com (counted separately from Inbound and Outbound).
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click click **View details** under **Spam detections**. To go directly to the report, open <https://security.microsoft.com/reports/SpamDetections>.
+The aggregate view and data table view allow for 90 days of filtering.
-![Spam detections widget in the Reports dashboard](../../media/spam-detections-report-widget.png)
+If you click **Filter**, you can filter both the chart and the data table.
-For more information about anti-spam protection, see [Anti-spam protection in EOP](anti-spam-protection.md).
+This chart shows the email count organized by:
-### Report view for the Spam detections report
+- **Total email**
+- **Email after edge protection**
+- **Email after transport rule** (mail flow rule)
+- **Email after anti-malware, file reputation, file type block**
+- **Email after anti-phish, URL reputation, brand impersonation, anti-spoof**
+- **Email after anti-spam, bulk mail filtering**
+- **Email after user and domain impersonation**<sup>\*</sup>
+- **Email after file and URL detonation**<sup>\*</sup>
+- **Email detected as benign after post-delivery protection (URL click time protection)**
-The following charts are available in the report view:
+<sup>\*</sup> Defender for Office 365 only
-- **Break down by: Action**: The following event types are shown:
+To view the email filtered by EOP or Defender for Office 365 separately, click on the value in the chart legend.
- - **Spam content filtered**
- - **Spam IP block**
- - **Spam envelope block**
- - **Spam DBEB filter**: Directory based edge blocking (DBEB)
+The data table contains the following information, shown in descending date order:
- When you hover over a day (data point) in the chart, you can see how many items were blocked that day, as well as how those items are categorized.
+- **Date**
+- **Total email**
+- **Edge protection**
+- **Anti-malware, file reputation, file type block**:
+ - **File reputation**: Messages filtered due to identification of an attached file by other Microsoft customers.
+ - **File type block**: Messages filtered due to the type of malicious file identified in the message.
+- **Anti-phish, URL reputation, Brand impersonation, anti-spoof**:
+ - **URL reputation**: Messages filtered due to the identification of the URL by other Microsoft customers.
+ - **Brand impersonation**: Messages filtered due to the message coming from well-known brand impersonating senders.
+ - **Anti-spoof**: Messages filtered due to the message attempting to spoof a domain that the recipient belongs to, or a domain that the message sender doesn't own.
+- **Anti-spam, bulk mail filtering**:
+ - **Bulk mail filtering**: Messages filtered based on the bulk complain level (BCL) threshold in an anti-spam policy.
+- **User and domain impersonationΓÇ»(Defender for Office 365)**:
+ - **User impersonation**: Messages filtered due to an attempt to impersonate a user (message sender) that's defined in the impersonation protection settings of an anti-phishing policy.
+ - **Domain impersonation**: Messages filtered due to an attempt to impersonate a domain that's defined in the impersonation protection settings of an anti-phishing policy.
+- **File and URL detonationΓÇ»(Defender for Office 365)**:
+ - **File detonation**: Messages filtered by a Safe Attachments policy.
+ - **URL detonation**: Message filtered by a Safe Links policy.
+- **Post-delivery protection and ZAP (ATP), or ZAP (EOP)**: Zero-hour auto purge (ZAP) for malware, spam, and phishing.
+
+If you select a row in the data table, a further breakdown of the email counts are shown in the flyout.
+
+#### Export from Funnel view
+
+After you click **Export** under **Options**, you can select one of the following values:
+
+- **Summary (with data for last 90 days at most)**
+- **Details (with data for last 30 days at most)**
+
+Under **Date**, choose a range, and then click **Apply**. Data for the current filters will be exported to a .csv file.
+
+Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, then multiple .csv files will be created.
+
+![Funnel view in the Mailflow status report](../../media/mail-flow-status-report-funnel-view.png)
- ![Action view in the Spam detections report](../../media/spam-detections-report-action-view.png)
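Review bot: Two of the added data-table bullets, **User and domain impersonationΓÇ»(Defender for Office 365)** and **File and URL detonationΓÇ»(Defender for Office 365)**, contain the mojibake sequence "ΓÇ»" (a UTF-8 non-breaking space decoded as a single-byte code page) where a plain space belongs, and it will render literally inside the bold label. In the same list, "bulk complain level (BCL)" should be "bulk complaint level", "a further breakdown of the email counts are shown" should be "is shown", and the last bullet uses the retired "ATP" name ("ZAP (ATP)") while the rest of the section says Defender for Office 365.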
+### Tech view for the Mailflow status report
-- **Break down by: Direction**: The following directions are shown:
+The **Tech view** is similar to the **Funnel** view, providing more granular details for the configured threat protections features. From the chart, you can see how messages are categorized at the different stages of threat protection.
+
+If you click the **Tech view** tab, by default, this view contains a chart and a data table that's configured with the following filters:
+
+- **Date**: The last 7 days.
+
+- **Direction**:
- **Inbound** - **Outbound**
+ - **Intra-org**: this count is for messages within a tenant i.e sender abc@domain.com sends to recipient xyz@domain.com (counted separately from Inbound and Outbound)
- ![Direction view in in the Spam detections report](../../media/spam-detections-report-direction-view.png)
+The aggregate view and data table view allow for 90 days of filtering.
-If you click **Filters** in a report view, you can modify the results with the following filters:
+If you click **Filter**, you can filter both the chart and the data table.
-- **Start date** and **End date**-- Direction values-- Event type values
+This chart shows messages organized into the following categories:
+
+- **Total email**
+- **Edge allow** and **Edge filtered**
+- **Transport rule allow** and **Transport rule filtered** (mail flow rules)
+- **Not malware**, **Safe Attachments detection**<sup>\*</sup>, and **Anti-malware engine detection**
+- **Not phish**, **DMARC failure**, **Impersonation detection**<sup>\*</sup>, **Spoof detection**, and **Phish detection**
+- **No detection with URL detonation** and **URL detonation detection**<sup>\*</sup>
+- **Not spam** and **Spam**
+- **Non-malicious email**, **Safe Links detection**<sup>\*</sup>, and **ZAP**
+
+<sup>\*</sup> Defender for Office 365
+
+When you hover over a category in the chart, you can see the number of messages in that category.
+
+The data table contains the following information, shown in descending date order:
+
+- **Date**
+- **Total email**
+- **Edge filtered**
+- **Rule messages**: Messages filtered due to mail flow rules (also known as transport rules).
+- **Anti-malware engine**, **Safe Attachments**<sup>\*</sup>:
+- **DMARC, impersonation**<sup>\*</sup>, **spoof**, **phish filtered**:
+ - **DMARC**: Messages filtered due to the message failing its DMARC authentication check.
+- **URL detonation detection**<sup>\*</sup>
+- **Anti-spam filtered**
+- **ZAP removed**
+- **Detection by Safe Links**<sup>\*</sup>
+
+<sup>\*</sup> Defender for Office 365
+
+If you select a row in the data table, a further breakdown of the email counts are shown in the flyout.
+
+#### Export from Tech view
+
+On clicking **Export**, under **Options** you can select one of the following values:
+
+- **Summary (with data for last 90 days at most)**
+- **Details (with data for last 30 days at most)**
+
+Under **Date**, choose a range, and then click **Apply**. Data for the current filters will be exported to a .csv file.
+
+Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, then multiple .csv files will be created.
+
+![Tech view in the Mailflow status report](../../media/mail-flow-status-report-tech-view.png)
+
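Review bot: In the Tech view data table, the bullets `**Anti-malware engine**, **Safe Attachments**<sup>\*</sup>:` and `**DMARC, impersonation**<sup>\*</sup>, **spoof**, **phish filtered**:` end in a colon that promises sub-bullets, but the first has none and the second explains only **DMARC**; either describe the remaining columns (Safe Attachments, impersonation, spoof, phish) the way the Funnel view does, or drop the colons. Also "threat protections features" should be "threat protection features", "a further breakdown of the email counts are shown" should be "is shown", and the export lead-in ("On clicking **Export**, under **Options**") should match the Funnel wording ("After you click **Export** under **Options**").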
+## Malware detections report
+
+The **Malware detections report** report shows information about malware detections in incoming and outgoing email messages (malware detected by Exchange Online Protection or EOP). For more information about malware protection in EOP, see [Anti-malware protection in EOP](anti-malware-protection.md).
+
+The aggregate view filter allows for 90 days, while the details table filter only allows for 10 days.
+
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Malware detected in email**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/MalwareDetections>.
-### Details table view for the Spam detections report
+![Malware detections in email widget on the Email & collaboration reports page](../../media/malware-detections-widget.png)
-If you click **View details table** in any report view, the following information is shown:
+After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting:
+
+- **Date**: **Start date** and **End date**
+- **Direction**: **Inbound** and **Outbound**
+
+![Report view in the Malware detection in email report](../../media/malware-detections-report-view.png)
+
+In the details table below the graph, you can see the following details:
- **Date** - **Sender address** - **Recipient address**-- **Event type**-- **Action**
+- **Message ID**: Available in the **Message-ID** header field in the message header and should be unique. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).
- **Subject**
+- **Filename**
+- **Malware name**
-If you click **Filters** in a details table, you can modify the results with the following filters:
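Review bot: "The **Malware detections report** report shows" repeats "report". The new H2 **Malware detections report** also no longer matches the widget it tells readers to click (**Malware detected in email**) or the image alt text ("Malware detections in email widget"); the removed heading "Malware detections in email report" matched both, so either keep that name or rename the widget reference and alt text to match the heading.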
+## Mail latency report
-- **Start date** and **End date**-- Direction values-- Event type values
+The **Mail latency report** in Defender for Office 365 contains information on the mail delivery and detonation latency experienced within your organization. For more information, see [Mail latency report](view-reports-for-mdo.md#mail-latency-report).
+
+## Spam detections report
-To go back to the report view, click **View report**.
+> [!NOTE]
+> The **Spam detections report** will go away on June 30, 2021. The same information is available in the [Threat protection status report](#threat-protection-status-report).
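Review bot: This section now consists only of a NOTE saying the Spam detections report goes away on June 30, 2021 and that the information lives in the Threat protection status report, yet the Type view of the Mailflow status report added in this same change still sends the **Spam detections** and **Edge blocked spam** selections to the Spam Detections report anchor; point those two links at the Threat protection status report now so they do not dangle once the report is retired. Consider whether an H2 whose only content is a removal notice should stay in the article after that date.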
## Spoof detections report > [!NOTE]
-> The improved Spoof detections report as described in this article is in Preview, is subject to change, and is not available in all organizations. The older version of the report showed only **Good mail** and **Caught as spam**.
+> The improved Spoof detections report as described in this article is in Preview, is subject to change, and is not available in all organizations. The older version of the report shows only **Good mail** and **Caught as spam**.
The **Spoof detections** report shows information about messages that were blocked or allowed due to spoofing. For more information about spoofing, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
The aggregate view of the report allows for 45 days of filtering<sup>\*</sup>, w
<sup>\*</sup> Eventually, you'll be able to use up to 90 days of filtering.
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Spoof detections**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReport>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Spoof detections**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReportV2>.
-![Spoof detections widget in the Reports dashboard](../../media/spoof-detections-widget.png)
+![Spoof detections widget on the Email & collaboration reports page](../../media/spoof-detections-widget.png)
When you hover over a day (data point) in the chart, you can see how many spoofed messages were detected and why.
-You can filter both the chart and the details table by clicking **Filters** and selecting one or more of the following values:
--- **Start date** and **End date**
+After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values:
-- **Result**
+- **Date**: **Start date** and **End date**
+- **Result**:
- **Pass** - **Fail** - **SoftPass** - **None** - **Other**- - **Spoof type**: **Internal** and **External**
-![Report view in the Spoof detections report](../../media/spoof-detections-report-view.png)
+![Spoof mail report page in the Microsoft 365 Defender portal](../../media/spoof-detections-report-page.png)
-If you click **View details table**, you can see the following details:
+In the table below the graph, you can see the following details:
- **Date** - **Spoofed user**
If you click **View details table**, you can see the following details:
- **DMARC** - **Message count**
-To go back to the report view, click **View report**.
- For more information about composite authentication result codes, see [Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md). ## Threat protection status report
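Review bot: The line `- For more information about composite authentication result codes, see [Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md)` reads as a deletion; if so, it removes the only explanation of the **Result** values (**Pass**, **Fail**, **SoftPass**, **None**, **Other**) listed in the new filter flyout and of the **DMARC** column, so keep that sentence under the details table. The screenshot also changes from `spoof-detections-report-view.png` to `spoof-detections-report-page.png`, and this change references several other new media files (`transport-rule-report-*.png`, `mail-flow-status-report-*-view.png`); confirm those files are part of the commit, since the diff does not show them.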
-The **Threat protection status** report is available in both EOP and Microsoft Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
+The **Threat protection status** report is available in both EOP and Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
-The report provides the count of email messages with malicious content, such as files or website addresses (URLs) that were blocked by the anti-malware engine, [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md), and Defender for Office 365 features like [Safe Links](safe-links.md), [Safe Attachments](safe-attachments.md), and [Anti-phishing](set-up-anti-phishing-policies.md). You can use this information to identify trends or determine whether organization policies need adjustment.
+The report provides the count of email messages with malicious content, such as files or website addresses (URLs) that were blocked by the anti-malware engine, [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md), and Defender for Office 365 features like [Safe Links](safe-links.md), [Safe Attachments](safe-attachments.md), and [impersonation protection features in anti-phishing policies](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). You can use this information to identify trends or determine whether organization policies need adjustment.
**Note**: It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Threat protection status**. To go directly to the report, open one of the following URLs:
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Threat protection status**, click **View details**. To go directly to the report, open one of the following URLs:
-- Microsoft Defender for Office 365: <https://protection.office.com/reportv2?id=TPSAggregateReportATP>-- EOP: <https://protection.office.com/reportv2?id=TPSAggregateReport>
+- Defender for Office 365: <https://security.microsoft.com/reports/TPSAggregateReportATP>
+- EOP: <https://security.microsoft.com/reports/TPSAggregateReport>
-![Threat protection status widget in the Reports dashboard](../../media/threat-protection-status-report-widget.png)
+![Threat protection status widget on the Email & collaboration reports page](../../media/threat-protection-status-report-widget.png)
-By default, the chart shows data for the past 7 days. If you click **Filters**, you can select a 90 day date range (trial subscriptions might be limited to 30 days). The details table view allows filtering for 30 days.
+By default, after you click **View details**, the chart shows data for the past 7 days. If you click **Filter**, you can select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days.
-### Report view for the Threat protection status report
+The available views are described in the following sections.
-The following views are available:
+### View data by Overview
-- **View data by: Overview**: The following detection information is shown:
+![Overview view in the Threat protection status report](../../media/threat-protection-status-report-overview-view.png)
- - **Email malware**
- - **Email phish**
- - **Content malware**
+In the **View data by Overview** view, the following detection information is shown in the chart:
- ![Overview view in the Threat protection status report](../../media/threat-protection-status-report-overview-view.png)
+- **Email malware**
+- **Email phish**
+- **Content malware**
-- **View data by: Content \> Malware**<sup>1</sup>: The following information is shown for Microsoft Defender for Office 365 organizations:
+No details table is available below the chart.
- - **Anti-malware engine**: Malicious files detected in Sharepoint, OneDrive, and Microsoft Teams by the [built-in virus detection in Microsoft 365](virus-detection-in-spo.md).
- - **File detonation**: Malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
+If you click **Filter**, the following filters are available:
- ![Content malware view in the Threat protection status report](../../media/threat-protection-status-report-content-malware-view.png)
+- **Date**: **Start date** and **End date**
+- **Detection**: **Email malware**, **Email phish**, or **Content malware**
+- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Direction**
+- **Domain**
+- **Policy type**
-- **View data by: Message Override**: The following override reason information is shown:
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
- - **On-premises skip**
- - **IP Allow**
- - **Mail flow rule**
- - **Sender allow**
- - **Domain allow**
- - **ZAP not enabled**
- - **Junk Mail folder not enabled**
- - **User Safe Sender**
- - **User Safe Domain**
+### View data by Email \> Phish and Chart breakdown by Detection Technology
- ![Message override view in the Threat protection status report](../../media/threat-protection-status-report-message-override-view.png)
+![Detection technology view for phishing email in the Threat protection status report](../../media/threat-protection-status-report-phishing-detection-tech-view.png)
-- **Break down by: Detection technology** and **View data by: Email \> Phish**: The following information is shown:
+In the **View data by Email \> Phish** and **Chart breakdown by Detection Technology** view, the following information is shown in the chart:
- - **ATP-generated URL reputation**<sup>1</sup>: Malicious URL reputation generated from Defender for Office 365 detonations in other Microsoft 365 customers.
- - **Advanced phish filter**: Phishing signals based on machine learning.
- - **Anti-spoof - DMARC failure**: DMARC authentication failure on messages.
- - **Anti-spoof - intra-org**: Sender is trying to spoof the recipient domain.
- - **Anti-spoof - external domain**: Sender is trying to spoof some other domain.
- - **Brand impersonation**: Impersonation of well-known brands based on senders.
- - **Domain impersonation**<sup>1</sup>: Impersonation of domains that the customer owns or defines.
- - **EOP URL reputation**: Malicious URL reputation.
- - **General phish filter**: Phishing signals based on analyst rules.
- - **Others**
- - **Phish ZAP**<sup>2</sup>: Zero hour auto purge of phishing messages.
- - **URL detonation**<sup>1</sup>
- - **User impersonation**<sup>1</sup>: Impersonation of users defined by admin or learned through mailbox intelligence.
+- **URL malicious reputation**<sup>\*</sup>: Malicious URL reputation generated from Defender for Office 365 detonations in other Microsoft 365 customers.
+- **Advanced filter**: Phishing signals based on machine learning.
+- **General filter**: Phishing signals based on analyst rules.
+- **Spoof intra-org**: Sender is trying to spoof the recipient domain.
+- **Spoof external domain**: Sender is trying to spoof some other domain.
+- **Spoof DMARC**: DMARC authentication failure on messages.
+- **Impersonation brand**: Impersonation of well-known brands based on senders.
+- **Mixed analysis detection**
+- **File reputation**
+- **Fingerprint matching**
+- **URL detonation reputation**<sup>\*</sup>
+- **URL detonation**<sup>\*</sup>
+- **Impersonation user**<sup>\*</sup>
+- **Impersonation domain**<sup>\*</sup>: Impersonation of domains that the customer owns or defines.
+- **Mailbox intelligence impersonation**<sup>\*</sup>: Impersonation of users defined by admin or learned through mailbox intelligence.
+- **File detonation**<sup>\*</sup>
+- **Campaign**<sup>\*</sup>
- ![Detection technology view for phishing email in the Threat protection status report](../../media/threat-protection-status-report-phishing-detection-tech-view.png)
+In the details table below the chart, the following information is available:
-- **Break down by: Detection technology** and **View data by: Email \> Malware**: The following information is shown:
+- **Date**
+- **Subject**
+- **Sender**
+- **Recipients**
+- **Detected by**
+- **Delivery Status**
+- **Source of Compromise**
+- **Tags**
- - **ATP-generated file reputation**<sup>1</sup>: All malicious file reputation generated by Defender for Office 365 detonations.
- - **Anti-malware engine**<sup>1</sup>: Detection from anti-malware engines.
- - **Anti-malware policy file type block**: These are email messages filtered out due to the type of malicious file identified in the message.
- - **File detonation**<sup>1</sup>: Detection by Safe Attachments.
- - **Malicious file reputation**
- - **Malware ZAP**<sup>2</sup>
- - **Others**
+If you click **Filter**, the following filters are available:
- ![Detection technology view for malware in the Threat protection status report](../../media/threat-protection-status-report-malware-detection-tech-view.png)
+- **Date**: **Start date** and **End date**
+- **Detection**
+- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Direction**
+- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Domain**
+- **Policy type**
+- **Policy name** (details table only)
+- **Recipients**
-- **Break down by: Policy type** and **View data by: Email \> Phish** or **View data by: Email \> Malware**: The following information is shown:
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
- - **Anti-malware**
- - **Safe Attachments**<sup>1</sup>
- - **Anti-phish**
- - **Anti-spam**
- - **Mail flow rule** (also known as a transport rule)
- - **Others**
+### View data by Email \> Malware and Chart breakdown by Detection Technology
- ![Policy type view for phishing email in the Threat protection status report](../../media/threat-protection-status-report-phishing-policy-type-view.png)
+![Detection technology view for malware in the Threat protection status report](../../media/threat-protection-status-report-malware-detection-tech-view.png)
-- **Break down by: Delivery status** and **View data by: Email \> Phish** or **View data by: Email \> Malware**: The following information is shown:
+In the **View data by Email \> Malware** and **Chart breakdown by Detection Technology** view, the following information is shown in the chart:
- - **Delivery failed**
- - **Dropped**
- - **Forwarded**
- - **Hosted mailbox: Custom folder**
- - **Hosted mailbox: Deleted items**
- - **Hosted mailbox: Inbox**
- - **Hosted mailbox: Junk**
- - **On-premises server: Delivered**
- - **Quarantine**
+- **File detonation**<sup>\*</sup>: Detection by Safe Attachments.
+- **File detonation reputation**<sup>\*</sup>: All malicious file reputation generated by Defender for Office 365 detonations.
+- **File reputation**
+- **Anti-malware engine**<sup>\*</sup>: Detection from anti-malware engines.
+- **Anti-malware policy file type block**: These are email messages filtered out due to the type of malicious file identified in the message.
+- **URL malicious reputation**
+- **URL detonation**
+- **URL detonation reputation**
+- **Campaign**
- ![Delivery status view for phishing email in the Threat protection status report](../../media/threat-protection-status-report-phishing-delivery-status-view.png)
+In the details table below the chart, the following information is available:
-<sup>1</sup> Defender for Office 365 only
+- **Date**
+- **Subject**
+- **Sender**
+- **Recipients**
+- **Detected by**
+- **Delivery Status**
+- **Source of Compromise**
+- **Tags**
-<sup>2</sup> Zero-hour auto purge (ZAP) isn't available in standalone EOP (it only works in Exchange Online mailboxes).
+If you click **Filter**, the following filters are available:
-If you click **Filters**, the filters available depends on the chart you were looking at:
+- **Date**: **Start date** and **End date**
+- **Detection**
+- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Direction**
+- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Domain**
+- **Policy type**
+- **Policy name** (details table only)
+- **Recipients**
-- For **View data by: Content \> Malware**, you can modify the report by **Start date** and **End date**, and the **Detection** value.
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
-- For **View data by: Message Override**, you can modify the report with the following filters:
+### Chart breakdown by Policy type and View data by Email \> Phish or View data by Email \> Malware
- - **Start date** and **End date**
- - **Override Reason**
- - **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
- - **Domain**
+![Policy type view for phishing email or malware email in the Threat protection status report](../../media/threat-protection-status-report-phishing-policy-type-view.png)
-- For all other views, you can modify the report with the following filters:
+In the **Chart breakdown by Policy type** and **View data by Email \> Phish** or **View data by Email \> Malware** views, the following information is shown in the charts:
- - **Start date** and **End date**
- - **Detection**
- - **Protected by**: **ATP** or **EOP**
- - **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
- - **Domain**
+- **Anti-malware**
+- **Safe Attachments**<sup>\*</sup>
+- **Anti-phish**
+- **Anti-spam**
+- **Mail flow rule** (also known as a transport rule)
+- **Others**
-### Details table view for the Threat protection status report
+In the details table below the chart, the following information is available:
-If you click **View details table**, the information that's shown depends on the chart you were looking at:
+- **Date**
+- **Subject**
+- **Sender**
+- **Recipients**
+- **Detected by**
+- **Delivery Status**
+- **Source of Compromise**
+- **Tags**
-- **View data by: Overview**: No **View details table** button is available.
+If you click **Filter**, the following filters are available:
-- **View data by: Content \> Malware**:
+- **Date**: **Start date** and **End date**
+- **Detection**
+- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Direction**
+- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Domain**
+- **Policy type**
+- **Policy name** (details table only)
+- **Recipients**
- - **Date**
- - **Location**
- - **Directed by**
- - **Malware name**
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
- If you click **Filters** in this view, you can modify the report by **Start date** and **End date**, and the **Detection** value.
+### Chart breakdown by Delivery status and View data by Email \> Phish or View data by Email \> Malware
+
+![Delivery status view for phishing email and malware email in the Threat protection status report](../../media/threat-protection-status-report-phishing-delivery-status-view.png)
+
+In the **Chart breakdown by Delivery status** and **View data by Email \> Phish** or **View data by Email \> Malware** views, the following information is shown in the charts:
+
+- **Hosted mailbox: Inbox**
+- **Hosted mailbox: Junk**
+- **Hosted mailbox: Custom folder**
+- **Hosted mailbox: Deleted items**
+- **Forwarded**
+- **On-premises server: Delivered**
+- **Quarantine**
+- **Delivery failed**
+- **Dropped**
+
+In the details table below the chart, the following information is available:
+
+- **Date**
+- **Subject**
+- **Sender**
+- **Recipients**
+- **Detected by**
+- **Delivery Status**
+- **Source of Compromise**
+- **Tags**
-- **View data by: Message Override**:
+If you click **Filter**, the following filters are available:
- - **Date**
- - **Subject**
- - **Sender**
- - **Recipients**
- - **Detected by**
- - **Override Reason**
- - **Source of Compromise**
- - **Tags**
+- **Date**: **Start date** and **End date**
+- **Detection**
+- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Direction**
+- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Domain**
+- **Policy type**
+- **Policy name** (details table only)
+- **Recipients**
- If you click **Filters** in this view, you can modify the report with the following filters:
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
- - **Start date** and **End date**
- - **Override Reason**
- - **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
- - **Domain**
- - **Recipients** (Note that this filterable property is only available in the details table view)
+### View data by Content \> Malware
-- All other charts:
+![Content malware view in the Threat protection status report](../../media/threat-protection-status-report-content-malware-view.png)
- - **Date**
- - **Subject**
- - **Sender**
- - **Recipients**
- - **Detected by**
- - **Delivery Status**
- - **Source of Compromise**
- - **Tags**
+In the **View data by Content \> Malware** view, the following information is shown in the chart for Microsoft Defender for Office 365 organizations:
- If you click **Filters**, you can modify the report with the following filters:
+- **Anti-malware engine**: Malicious files detected in Sharepoint, OneDrive, and Microsoft Teams by the [built-in virus detection in Microsoft 365](virus-detection-in-spo.md).
+- **File detonation**: Malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
- - **Start date** and **End date**
- - **Detection**
- - **Protected by**: **Defender for Office 365** or **EOP**
- - **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
- - **Domain**
- - **Recipients** (Note that this filterable property is only available in the details table view)
+In the details table below the chart, the following information is available:
+
+- **Date**: **Start date** and **End date**
+- **Location**
+- **Detected by**
+- **Malware name**
+
+If you click **Filter**, the following filters are available:
+
+- **Date**: **Start date** and **End date**
+- **Detection**: **Anti-malware engine** or **File detonation**
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+
+### View data by System override
+
+![Message override view in the Threat protection status report](../../media/threat-protection-status-report-message-override-view.png)
+
+In the **View data by System override** view, the following override reason information is shown in the chart:
+
+- **On-premises skip**
+- **IP allow**
+- **Exchange mail transport rule** (mail flow rule)
+- **Organization allowed senders**
+- **Organization allowed domains**
+- **ZAP not enabled**
+- **Junk Mail folder not enabled**
+- **User Safe Sender**
+- **User Safe Domain**
+
+In the details table below the chart, the following information is available:
+
+- **Date**
+- **Subject**
+- **Sender**
+- **Recipients**
+- **Detected by**
+- **Delivery Status**
+- **Source of Compromise**
+- **Tags**
+
+If you click **Filter**, the following filters are available:
+
+- **Date**: **Start date** and **End date**
+- **Detection**
+- **Protected by**: **MDO** (Defender for Office 365) or **EOP**
+- **Direction**
+- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Domain**
+- **Policy type**
+- **Policy name** (details table only)
+- **Recipients**
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+
+<sup>\*</sup> Defender for Office 365 only
## Top malware report The **Top malware** report shows the various kinds of malware that was detected by [anti-malware protection in EOP](anti-malware-protection.md).
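Review bot: In the **View data by Content \> Malware** section, the details-table column list reads `- **Date**: **Start date** and **End date**`, which is the filter wording; every other details-table list in this change uses plain `- **Date**`, so this entry should be `- **Date**`. Two smaller points in the same region: under **View data by System override** the filter list offers **Detection**, while the removed text filtered this view by **Override Reason**, so confirm which property the System override view actually filters on; and `Sharepoint` in the **Anti-malware engine** bullet should be `SharePoint` (the typo is carried over from the removed line).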
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Top malware**. To go directly to the report, open <https://security.microsoft.com/reports/TopMalware>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Top malware**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/TopMalware>.
-![Top malware widget in the Reports dashboard](../../media/top-malware-report-widget.png)
+![Top malware widget on the Email & collaboration reports page](../../media/top-malware-report-widget.png)
When you hover over a wedge in the pie chart, you can see the name of a kind of malware and how many messages were detected as having that malware.
-![Top malware report view](../../media/top-malware-report-view.png)
-
-If you click **View details table**, you can see the following details:
+After you click **View details**, a larger version of the pie chart is displayed on the report page.The details table below the chart shows the following information:
- **Top malware** - **Count**
-If you click **Filters** in the report view or details table view, you can specify a date range with **Start date** and **End date**.
+If you click **Filter**, you can specify a date range with **Start date** and **End date**.
+
+![Top malware report view](../../media/top-malware-report-view.png)
## URL threat protection report
The **URL threat protection report** is available in Microsoft Defender for Offi
## User reported messages report
-The **User reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [Report Message add-in](enable-the-report-message-add-in.md) or [The Report Phishing add-in](enable-the-report-phish-add-in.md).
+> [!IMPORTANT]
+> In order for the **User reported messages** report to work correctly, **audit logging must be turned on** for your Microsoft 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn Microsoft 365 audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
-Details are available for each message, including the delivery reason, such a spam policy exception or mail flow rule configured for your organization. To view details, select an item in the user-reports list, and then view the information on the **Summary** and **Details** tabs.
+The **User reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md).
-![The User reported messages report shows messages users labeled as junk, not junk, or phishing attempts.](../../media/ad5e9a3d-b833-419c-bcc9-3425d9604ead.png)
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \>**Email & collaboration reports** \> **User reported messages**. On **User reported messages**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/userSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click **Go to Submissions**.
-To view this report, in the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \>**Email & collaboration reports** \> **User reported messages**.
+![User reported messages widget on the Email & collaboration reports page](../../media/user-reported-messages-widget.png)
-- Go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** \> **User reported messages**.
+After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
-![In the Microsoft 365 Defender portal, choose Reports \> Email & collaboration \> Email & collaboration reports \> User reported messages](../../media/user-reported-messages.png)
+- **Date reported**: **Start time** and **End time**
+- **Reported by**
+- **Email subject**
+- **Message reported ID**
+- **Network Message ID**
+- **Sender**
+- **Reported reason**
+ - **Not junk**
+ - **Phish**
+ - **Spam**
+- **Phish simulation**: **Yes** or **No**
-> [!IMPORTANT]
-> In order for the User reported messages report to work correctly, **audit logging must be turned on** for your Office 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn Microsoft 365 audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+
+To group the entries, click **Group** and select one of the following values from the drop down list:
+
+- **None**
+- **Reason**
+- **Sender**
+- **Reported by**
+- **Rescan result**
+- **Phish simulation**
+
+![User reported messages report](../../media/user-reported-messages-report.png)
+
+In the table below the graph, you can see the following details:
+
+- **Email subject**
+- **Reported by**
+- **Date reported**
+- **Sender**
+- **Reported reason**
+- **Rescan result**
+- **Tags**
+
+To submit a message to Microsoft for analysis, select the message entry from the table, click **Submit to Microsoft for analysis** and then select one of the following values from the drop down list:
+
+- **Report clean**
+- **Report phishing**
+- **Report malware**
+- **Report spam**'
+- **Trigger investigation** (Defender for Office 365)
## What permissions are needed to view these reports?
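Review bot: `- **Report spam**'` in the **Submit to Microsoft for analysis** list carries a stray trailing apostrophe and should read `- **Report spam**`. Also in this region: `report page.The details table` in the **Top malware** section is missing the space after the period, and the **User reported messages** navigation path `**Email & collaboration** \>**Email & collaboration reports**` is missing the space after `\>` (carried over from the removed line).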
security View Mail Flow Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-mail-flow-reports.md
The following charts are available in the report view:
![Direction view in the Sent and received email report](../../media/sent-and-received-email-report-direction-view.png) -- **Drill down by** \> **Malware (anti-malware)**: This selection takes you to the [Malware detections in email report](view-email-security-reports.md#malware-detections-in-email-report).
+- **Drill down by** \> **Malware (anti-malware)**: This selection takes you to the [Malware detections report](view-email-security-reports.md#malware-detections-report).
- **Drill down by** \> **Spam detections)**: This selection takes you to the [Spam Detections report](view-email-security-reports.md#spam-detections-report).
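Review bot: `**Spam detections)**` on the last line has an unbalanced closing parenthesis and should read `**Spam detections**`, matching the `**Malware (anti-malware)**` entry above it. The updated link target `view-email-security-reports.md#malware-detections-report` replaces `#malware-detections-in-email-report`, so confirm the new anchor matches the actual heading in view-email-security-reports.md before merging.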