Updates from: 06/19/2021 03:10:40
Category | Microsoft Docs article | Related commit history on GitHub | Change details
compliance | Apply Sensitivity Label Automatically | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
For more information about the PowerShell cmdlets that support auto-labeling pol
- [Remove-AutoSensitivityLabelPolicy](/powershell/module/exchange/remove-autosensitivitylabelpolicy) - [Remove-AutoSensitivityLabelRule](/powershell/module/exchange/remove-autosensitivitylabelrule) - [Set-AutoSensitivityLabelPolicy](/powershell/module/exchange/set-autosensitivitylabelpolicy)-- [Set-AutoSensitivityLabelRule](/powershell/module/exchange/set-autosensitivitylabelrule)
+- [Set-AutoSensitivityLabelRule](/powershell/module/exchange/set-autosensitivitylabelrule)
+
+## Tips to increase labeling reach
+
+Although auto-labeling is one of the most efficient ways to classify, label, and protect Office files that your organization owns, check whether you can supplement it with any of the additional methods to increase your labeling reach:
+
+- When you use the [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2):
+
+ - For files in on-premises data stores such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you are planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud.
+
+ - If you have used another labeling solution before using sensitivity labels: Use PowerShell and [an advanced setting to reuse labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#migrate-labels-from-secure-islands-and-other-labeling-solutions) from these solutions.
+
+- Encourage [manual labeling](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) after providing users with training which sensitivity labels to apply. When you're confident that users understand which label to apply, consider configuring a default label and mandatory labeling as [policy settings](sensitivity-labels.md#what-label-policies-can-do).
+
+Additionally, consider [marking new files as sensitive by default](/sharepoint/sensitive-by-default) in SharePoint to prevent guests from accessing newly added files until at least one DLP policy scans the content of the file.
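Review bot: In the new "Encourage manual labeling" bullet under "Tips to increase labeling reach", "after providing users with training which sensitivity labels to apply" is missing a preposition; suggest "training on which sensitivity labels to apply". The scanner bullet tells readers to label on-premises files before migrating them, but leaves the reason implicit; a short clause saying the applied label stays with the file after it is uploaded would make the recommendation self-explanatory.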
compliance | Get Started With Sensitivity Labels | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
All scenarios require you to [Create and configure sensitivity labels and their
|Use co-authoring and AutoSave in Office desktop apps when documents are encrypted | [Enable co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md) |Automatically apply sensitivity labels to documents and emails | [Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md)| |Use sensitivity labels to protect content in Teams and SharePoint |[Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)|
-|Prevent or warn users about sharing files or emails with a specific sensitivity label |[Use sensitivity labels as conditions in DLP policies (preview)](dlp-sensitivity-label-as-condition.md) |
+|Prevent or warn users about sharing files or emails with a specific sensitivity label |[Use sensitivity labels as conditions in DLP policies](dlp-sensitivity-label-as-condition.md) |
|Discover, label, and protect files stored in data stores that are on premises |[Deploying the Azure Information Protection scanner to automatically classify and protect files](/azure/information-protection/deploy-aip-scanner)| |Discover, label, and protect files stored in data stores that are in the cloud|[Discover, classify, label, and protect regulated and sensitive data stored in the cloud](/cloud-app-security/best-practices#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)| |Apply and view labels in Power BI, and protect data when it's saved outside the service|[Sensitivity labels in Power BI](/power-bi/admin/service-security-sensitivity-label-overview)|
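Review bot: Dropping "(preview)" from the "Use sensitivity labels as conditions in DLP policies" link text asserts that the feature is generally available; confirm that the linked article dlp-sensitivity-label-as-condition.md had its preview banner removed in the same change, otherwise the two pages disagree about the feature's status.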
compliance | Permissions Filtering For Content Search | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
The **New-ComplianceSecurityFilter** is used to create a search permissions filt
|:--|:--| | _Action_ <br/> | The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content Search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> | | _FilterName_ <br/> |The _FilterName_ parameter specifies the name of the permissions filter. This name is used to identity a filter when using the **Get-ComplianceSecurityFilter**, **Set-ComplianceSecurityFilter,** and **Remove-ComplianceSecurityFilter** cmdlets. <br/> |
-| _Filters_ <br/> | The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters: <br/><br/> **Mailbox filtering:** This type of filter specifies the mailboxes the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes that have the value "OttawaUsers" in the CustomAttribute10 property. <br/> Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/> **Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName: value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. <br/> For a list of searchable message properties, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md). <br/> <br/> **Important:** A single search filter can't contain a mailbox filter and a mailbox content filter. To combine these in a single filter, you have to use a [filters list](#using-a-filters-list-to-combine-filter-types). But a filter can contain a more complex query of the same type. 
For example, `"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"` <br/><br/> **Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/> - **Site_** _SearchableSiteProperty_ <br/> - **SiteContent_** _SearchableSiteProperty_ <br/><br/> These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` return the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.sharepoint.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/> For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> **Important:** You have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. 
For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. |
+| _Filters_ <br/> | The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters: <br/><br/> **Mailbox or OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes and OneDrive accounts that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes and OneDrive accounts that have the value "OttawaUsers" in the CustomAttribute10 property. <br/> Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/> **Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName: value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. <br/> For a list of searchable message properties, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md). <br/> <br/> **Important:** A single search filter can't contain a mailbox filter and a mailbox content filter. 
To combine these in a single filter, you have to use a [filters list](#using-a-filters-list-to-combine-filter-types). But a filter can contain a more complex query of the same type. For example, `"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"` <br/><br/> **Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/> - **Site_** _SearchableSiteProperty_ <br/> - **SiteContent_** _SearchableSiteProperty_ <br/><br/> These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` return the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.sharepoint.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/> For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> **Important:** You have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). 
In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. |
| _Users_ <br/> |The _Users_ parameter specifies the users who get this filter applied to their Content Searches. Identify users by their alias or primary SMTP address. You can specify multiple values separated by commas, or you can assign the filter to all users by using the value **All**. <br/> You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/> You can't specify distribution groups with this parameter. <br/> | ### Using a filters list to combine filter types
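Review bot: In the replaced _Filters_ row, the OttawaUsers example now says the filter matches "mailboxes and OneDrive accounts that have the value "OttawaUsers" in the CustomAttribute10 property", but CustomAttribute10 is a property of the user's mailbox (recipient) object, not of the OneDrive site; suggest "the mailboxes, and the OneDrive accounts of the users, whose CustomAttribute10 property has the value 'OttawaUsers'". Because a Mailbox_ filter now scopes OneDrive as well, a sentence telling admins to re-check filters that were written with only mailboxes in mind would be useful, since their effective scope changes with this behaviour. Two carried-over nits in the same row: "(such as document types." is missing its closing parenthesis, and the type is titled "Mailbox or OneDrive filtering" here but "Mailbox and OneDrive filtering" in the Set-ComplianceSecurityFilter table further down.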
An alternative to using a filters list would be to create two separate search pe
Keep the following things in mind about using a filters list: -- You have to use a filters list to create a filter that includes a **Mailbox** filter and a **MailboxContent** filter. --- As previously suggested, you don't have to use a filters list to include a **Site** and a **SiteContent** filter in a single search permissions filter. For example, you can combine **Site** and a **SiteContent** filters using an **-or** operator.-
- ```powershell
- -Filters "Site_ComplianceAttribute -eq 'FourthCoffee' -or Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'"
- ```
+- You have to use a filters list to create a filter that includes a **Mailbox** filter and a **MailboxContent** filter.
- Each component of a filters list can contain a complex filter syntax. For example, the mailbox and site filters can contain multiple filters separated by an **-or** operator: ```powershell
- -Filters "Mailbox_Department -eq 'CohoWinery' -or Mailbox_CustomAttribute10 -eq 'CohoUsers'", "Site_ComplianceAttribute -eq 'CohoWinery' -or Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'"
+ -Filters "Mailbox_Department -eq 'CohoWinery' -or Mailbox_CustomAttribute10 -eq 'CohoUsers'", "Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'"
``` ## Examples of creating search permissions filters
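Review bot: After Site_ComplianceAttribute is dropped from the filters-list example, the lead sentence "the mailbox and site filters can contain multiple filters separated by an -or operator" is only illustrated by the mailbox half; either reword it to "the mailbox filter can contain ..." or keep an -or in the site filter (for example two Site_Path -like clauses). The same removal deletes the bullet stating that Site and SiteContent filters can be combined without a filters list; that rule now survives only as the "interchangeable" remark in the parameter table, so consider keeping the bullet with a Site_Path-only example instead of removing it. Also, the `-Filters ...` lines inside the powershell fences are parameter fragments rather than runnable commands; a leading comment or the full New-ComplianceSecurityFilter line would make that clear to readers who copy them.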
New-ComplianceSecurityFilter -FilterName NoSaraJanet -Users All -Filters "Mailbo
This example uses a filters list to combine mailbox and site filters. ```powershell
-New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "Coho Winery eDiscovery Managers", "Coho Winery Investigators" -Filters "Mailbox_Department -eq 'CohoWinery'", "Site_ComplianceAttribute -eq 'CohoWinery' -or Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'" -Action ALL
+New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "Coho Winery eDiscovery Managers", "Coho Winery Investigators" -Filters "Mailbox_Department -eq 'CohoWinery'", "Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'" -Action ALL
``` ## Get-ComplianceSecurityFilter
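Review bot: With the Site_ComplianceAttribute clause removed, the Coho Winery example scopes SharePoint access purely by URL prefix, and `Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'` matches every site whose URL begins with that string (a hypothetical /sites/CohoWineryArchive would be in scope too), not just the one site collection. Since this filter is what enforces the boundary for the two role groups named in -Users, the example or the table text should state the prefix semantics of the trailing wildcard so admins choose site names and patterns accordingly.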
The **Set-ComplianceSecurityFilter** is used to modify an existing search permis
|:--|:--| | _Action_| The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content Search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> | | _FilterName_|The _FilterName_ parameter specifies the name of the permissions filter. |
-| _Filters_| The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create two different types of filters: <br/><br/>**Mailbox filtering:** This type of filter specifies the mailboxes the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes that have the value "OttawaUsers" in the CustomAttribute10 property. Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/>**Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName:value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. For a list of searchable message properties, see [Keyword queries for Content Search](keyword-queries-and-search-conditions.md). 
<br/><br/>**Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/>- **Site_** *SearchableSiteProperty* <br/>- **SiteContent**_*SearchableSiteProperty*<br/><br/>These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` returns the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.spoppe.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/>For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> |
+| _Filters_| The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create two different types of filters: <br/><br/>**Mailbox and OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes that have the value "OttawaUsers" in the CustomAttribute10 property. Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/>**Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName:value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. For a list of searchable message properties, see [Keyword queries for Content Search](keyword-queries-and-search-conditions.md). 
<br/><br/>**Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/>- **Site_** *SearchableSiteProperty* <br/>- **SiteContent**_*SearchableSiteProperty*<br/><br/>These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` returns the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.spoppe.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/>For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> |
| _Users_|The _Users_ parameter specifies the users who get this filter applied to their Content Searches. Because this is a multi-value property, specifying a user or group of users with this parameter overwrite the existing list of users. See the following examples for the syntax to add and remove selected users. <br/><br/>You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/><br/>You can't specify distribution groups with this parameter. | ## Examples of changing search permissions filters
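Review bot: The replaced _Filters_ row in the Set-ComplianceSecurityFilter table retitles the type "Mailbox and OneDrive filtering" but leaves the body unchanged ("scope the mailboxes that can be searched", "search only the mailboxes that have the value"), so OneDrive appears only in the heading; align the wording with the New-ComplianceSecurityFilter row above and use one title in both tables. Carried-over issues worth fixing while the row is touched: the example URLs use contoso.spoppe.com where the rest of the article uses contoso.sharepoint.com, "returns the same results" should be "return", the item "**SiteContent**_*SearchableSiteProperty*" is formatted differently from "**Site_** *SearchableSiteProperty*", and "(such as document types." is missing its closing parenthesis.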
compliance | Sensitivity Labels Teams Groups Sites | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
To help you manage the coexistence of sensitivity labels and Azure AD classifica
If somebody uploads a document to a site that's protected with a sensitivity label and their document has a [higher priority](sensitivity-labels.md#label-priority-order-matters) sensitivity label than the sensitivity label applied to the site, this action isn't blocked. For example, you've applied the **General** label to a SharePoint site, and somebody uploads to this site a document labeled **Confidential**. Because a sensitivity label with a higher priority identifies content that is more sensitivity than content that has a lower priority order, this situation could be a security concern.
-Although the action isn't blocked, it is audited and automatically generates an email to the person who uploaded the document and the site administrator. As a result, both the user and administrators can identify documents that have this misalignment of label priority and take action if needed. For example, delete or move the uploaded document from the site.
+Although the action isn't blocked, it is audited and by default, automatically generates an email to the person who uploaded the document and the site administrator. As a result, both the user and administrators can identify documents that have this misalignment of label priority and take action if needed. For example, delete or move the uploaded document from the site.
It wouldn't be a security concern if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled **General** is uploaded to a site labeled **Confidential**. In this scenario, an auditing event and email aren't generated.
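Review bot: The reworded sentence "it is audited and by default, automatically generates an email" needs the comma pair around the parenthetical: "it is audited and, by default, automatically generates an email". It would also help to say here what the non-default is (that the email can be switched off for the tenant), because a reader of this paragraph otherwise has no reason to expect a setting.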
To search the audit log for this event, look for **Detected document sensitivity
The automatically generated email has the subject **Incompatible sensitivity label detected** and the email message explains the labeling mismatch with a link to the uploaded document and site. It also contains a documentation link that explains how users can change the sensitivity label. Currently, these automated emails cannot be disabled or customized.
+To prevent this automatically generated email, use the following PowerShell command from [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite):
+
+```PowerShell
+Set-SPOTenant -BlockSendLabelMismatchEmail $True
+```
+ When somebody adds or removes a sensitivity label to or from a site or group, these activities are also audited but without automatically generating an email. All these auditing events can be found in the [Sensitivity label activities](search-the-audit-log-in-security-and-compliance.md#sensitivity-label-activities) category. For instructions to search the audit log, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md).
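Review bot: The new paragraph says to use a command "from [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite)", but the command shown is `Set-SPOTenant -BlockSendLabelMismatchEmail $True`; point the link text and target at Set-SPOTenant (/powershell/module/sharepoint-online/set-spotenant). The unchanged sentence just above, "Currently, these automated emails cannot be disabled or customized", now contradicts the addition and should be revised to say they can be disabled tenant-wide but not customized, if that is still accurate. Two smaller points: the fence is tagged `PowerShell` while the other articles in this batch use lowercase `powershell`, and the closing paragraph gained a leading space after the "+", which should be removed so it stays a normal paragraph.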
compliance | Set Up Compliance Boundaries | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-compliance-boundaries.md
In this example, Contoso LTD is an organization that consists of two subsidiarie
- The search permissions filtering functionality in Content search controls the content locations that eDiscovery managers and investigators can search. This means eDiscovery managers and investigators in the Fourth Coffee agency can only search content locations in the Fourth Coffee subsidiary. The same restriction applies to the Coho Winery subsidiary. -- Role groups provide the following functions for compliance boundaries:
+- [Role groups](assign-ediscovery-permissions.md#rbac-roles-related-to-ediscovery) provide the following functions for compliance boundaries:
- - Control who can see the eDiscovery cases in the Security & Compliance Center. This means that eDiscovery managers and investigators can only see the eDiscovery cases in their agency.
+ - Control who can see the eDiscovery cases in the Microsoft 365 compliance center. This means that eDiscovery managers and investigators can only see the eDiscovery cases in their agency.
- Control who can assign members to an eDiscovery case. This means eDiscovery managers and investigators can only assign members to cases that they themselves are a member of.
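Review bot: Only the first sub-bullet is updated from "Security & Compliance Center" to "Microsoft 365 compliance center"; the permissions-filtering article in this same batch still says "Security & Compliance Center role group" in both of its _Users_ rows, so the portal name is now inconsistent across the set and the remaining occurrences should be updated together.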
Here's the process for setting up compliance boundaries:
[Step 1: Identify a user attribute to define your agencies](#step-1-identify-a-user-attribute-to-define-your-agencies)
-[Step 2: File a request with Microsoft Support to synchronize the user attribute to OneDrive accounts](#step-2-file-a-request-with-microsoft-support-to-synchronize-the-user-attribute-to-onedrive-accounts)
+[Step 2: Create a role group for each agency](#step-2-create-a-role-group-for-each-agency)
-[Step 3: Create a role group for each agency](#step-3-create-a-role-group-for-each-agency)
+[Step 3: Create a search permissions filter to enforce the compliance boundary](#step-3-create-a-search-permissions-filter-to-enforce-the-compliance-boundary)
-[Step 4: Create a search permissions filter to enforce the compliance boundary](#step-4-create-a-search-permissions-filter-to-enforce-the-compliance-boundary)
-
-[Step 5: Create an eDiscovery case for an intra-agency investigations](#step-5-create-an-ediscovery-case-for-intra-agency-investigations)
+[Step 4: Create an eDiscovery case for an intra-agency investigations](#step-4-create-an-ediscovery-case-for-intra-agency-investigations)
## Before you set up compliance boundaries
-You have to meet the following prerequisites before the Azure Active Directory (Azure AD) attribute that you identity (in Step 1) can be successfully synched to a user's OneDrive account (in Step 2):
--- Users must be assigned an Exchange Online license and a SharePoint Online license.--- User mailboxes must be at least 10 MB in size. If a user's mailbox is less than 10 MB, the attribute used to define your agencies won't be synched to the user's OneDrive account.--- Compliance boundaries and the attributes used to create search permissions filters require that Azure Active Directory (Azure AD) attributes are synchronized to user mailboxes. To verify that the attributes that you want to use have been synchronized, run the [Get-User](/powershell/module/exchange/get-user) cmdlet in Exchange Online PowerShell. The output of this cmdlet displays the Azure AD attributes synchronized to Exchange Online.
+- Users must be assigned an Exchange Online license. To verify this, use the [Get-User](/powershell/module/exchange/get-user) cmdlet in Exchange Online PowerShell.
## Step 1: Identify a user attribute to define your agencies
-The first step is to choose an Azure AD attribute to use that will define your agencies. This attribute is used to create the search permissions filter that limits an eDiscovery manager to search only the content locations of users who are assigned a specific value for this attribute. For example, let's say Contoso decides to use the **Department** attribute. The value for this attribute for users in the Fourth Coffee subsidiary would be `FourthCoffee` and the value for users in Coho Winery subsidiary would be `CohoWinery`. In Step 4, you use this `attribute:value` pair (for example, *Department:FourthCoffee*) to limit the user content locations that eDiscovery managers can search.
+The first step is to choose an attribute to use that will define your agencies. This attribute is used to create the search permissions filter that limits an eDiscovery manager to search only the content locations of users who are assigned a specific value for this attribute. For example, let's say Contoso decides to use the **Department** attribute. The value for this attribute for users in the Fourth Coffee subsidiary would be `FourthCoffee` and the value for users in Coho Winery subsidiary would be `CohoWinery`. In Step 3, you use this `attribute:value` pair (for example, *Department:FourthCoffee*) to limit the user content locations that eDiscovery managers can search.
-Here's a list of Azure AD user attributes that you can use for compliance boundaries:
+Here are some examples of user attributes that you can use for compliance boundaries:
- Company
Here's a list of Azure AD user attributes that you can use for compliance bounda
- Office -- C (Two-letter country code) <sup>*</sup>-
- > [!NOTE]
- > <sup>*</sup> This attribute maps to the CountryOrRegion property that is returned by running the **Get-User** cmdlet in Exchange Online PowerShell. The cmdlet returns the localized country name, which is translated from the two-letter country code. For more information, see the CountryOrRegion parameter description in the [Set-User](/powershell/module/exchange/set-user) cmdlet reference article.
-
-Although more user attributes are available, particularly for Exchange mailboxes, the attributes listed above are the only ones currently supported by OneDrive.
-
-## Step 2: File a request with Microsoft Support to synchronize the user attribute to OneDrive accounts
-
-> [!IMPORTANT]
-> This step is no longer required. Starting in June 2021, mailbox filters will apply to OneDrive for Business. Support requests to synchronize the attribute to OneDrive will be declined because it's no longer required. This article will be updated in the near future.
-
-The next step is to file a request with Microsoft Support to synchronize the Azure AD attribute that you chose in Step 1 to all OneDrive accounts in your organization. After this synchronization occurs, the attribute (and its value) that you chose in Step 1 will be mapped to a hidden managed property named `ComplianceAttribute`. You use this attribute to create the search permissions filter for OneDrive in Step 4.
-
-Include the following information when you submit the request to Microsoft support:
-
-- The default domain name of your organization--- The name of the Azure AD attribute (from Step 1)
+- CountryOrRegion (Two-letter country code)
-- The following title or description of the purpose of the support request: "Enable OneDrive for Business Synchronization with Azure AD for Compliance Security Filters". This helps route the request to the eDiscovery engineering team who implements the request.
+For a complete list, see the full list of supported [mailbox filters](/powershell/exchange/recipientfilter-properties#filterable-recipient-properties).
-After the engineering change is made and the attribute is synchronized to OneDrive, Microsoft Support will send you the build number that the change was made in and an estimated deployment date. The deployment process usually takes 4ΓÇô6 weeks after you submit the support request.
-
-> [!IMPORTANT]
-> You can complete Step 3 through Step 5 before this attribute change is deployed. But running content searches won't return documents from OneDrive accounts that are specified in a search permissions filter until after the attribute synch is deployed.
-
-## Step 3: Create a role group for each agency
+## Step 2: Create a role group for each agency
The next step is to create the role groups in the Security & Compliance Center that will align with your agencies. We recommend that you create a role group by copying the built-in eDiscovery Managers group, adding the appropriate members, and removing roles that may not be applicable to your needs. For more information about eDiscovery-related roles, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
Using the Contoso compliance boundaries scenario, four role groups need to be cr
To meet the requirements of the Contoso compliance boundaries scenario, you would also remove the **Hold** and **Export** roles from the investigators role groups to prevent investigators from placing holds on content locations and exporting content from a case.
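Review bot: The new bullet `CountryOrRegion (Two-letter country code)` conflicts with the note removed a few lines above, which says the CountryOrRegion value returned by Get-User is the localized country name translated from the two-letter code. A filter written as `Mailbox_CountryOrRegion -eq 'US'` would then never match a mailbox whose property holds `United States`. Either keep the explanatory note (and the pointer to the CountryOrRegion parameter in the Set-User reference) or reword the bullet to state which form of the value the filter must match.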
-## Step 4: Create a search permissions filter to enforce the compliance boundary
+## Step 3: Create a search permissions filter to enforce the compliance boundary
After you've created role groups for each agency, the next step is to create the search permissions filters that associate each role group to its specific agency and defines the compliance boundary itself. You need to create one search permissions filter for each agency. For more information about creating security permissions filters, see [Configure permissions filtering for Content Search](permissions-filtering-for-content-search.md). Here's the syntax that's used to create a search permissions filter used for compliance boundaries. ```powershell
-New-ComplianceSecurityFilter -FilterName <name of filter> -Users <role groups> -Filters "Mailbox_<ComplianceAttribute> -eq '<AttributeVale> '", "Site_<ComplianceAttribute> -eq '<AttributeValue>' -or Site_Path -like '<SharePointURL>*'" -Action <Action >
+New-ComplianceSecurityFilter -FilterName <name of filter> -Users <role groups> -Filters "Mailbox_<MailboxPropertyName> -eq '<Value> '", "Site_Path -like '<SharePointURL>*'" -Action <Action>
``` Here's a description of each parameter in the command:
Here's a description of each parameter in the command:
- `Users`: Specifies the users or groups who get this filter applied to the search actions they perform. For compliance boundaries, this parameter specifies the role groups (that you created in Step 3) in the agency that you're creating the filter for. Note this is a multi-value parameter so you can include one or more role groups, separated by commas. -- `Filters`: Specifies the search criteria for the filter. For the compliance boundaries, you define the following filters. Each one applies to a content location.
+- `Filters`: Specifies the search criteria for the filter. For the compliance boundaries, you define the following filters. Each one applies to a content location.
- - `Mailbox`: Specifies the mailboxes that the role groups defined in the `Users` parameter can search. For compliance boundaries, *ComplianceAttribute* is the same attribute that you identified in Step 1 and *AttributeValue* specifies the agency. This filter allows members of the role group to search only the mailboxes in a specific agency; for example, `"Mailbox_Department -eq 'FourthCoffee'"`.
-
- - `Site`: Specifies the OneDrive accounts that the role groups defined in the `Users` parameter can search. For the OneDrive filter, use the actual string `ComplianceAttribute`. This maps to the same attribute that you identified in Step 1 and that's synchronized to OneDrive accounts as a result of the support request that you submitted in Step 2; *AttributeValue* specifies the agency. This filter allows members of the role group to search only the OneDrive accounts in a specific agency; for example, `"Site_ComplianceAttribute -eq 'FourthCoffee'"`.
+ - `Mailbox`: Specifies the mailboxes or OneDrive accounts that the role groups defined in the `Users` parameter can search. This filter allows members of the role group to search only the mailboxes or OneDrive accounts in a specific agency; for example, `"Mailbox_Department -eq 'FourthCoffee'"`.
- `Site_Path`: Specifies the SharePoint sites that the role groups defined in the `Users` parameter can search. The *SharePointURL* specifies the sites in the agency that members of the role group can search. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'"`. Notice the `Site` and `Site_Path` filters are connected by an **-or** operator. > [!NOTE]
- > The syntax for the `Filters` parameter includes a *filters list*. A filters list is a filter that includes a mailbox filter and a site filter separated by a comma. In the previous example, notice that a comma separates **Mailbox_ComplianceAttribute** and **Site_ComplianceAttribute**: `-Filters "Mailbox_<ComplianceAttribute> -eq '<AttributeVale> '", "Site_ComplianceAttribute -eq '<AttributeValue>' -or Site_Path -like '<SharePointURL>*'"`. When this filter is processed during the running of a content search, two search permissions filters are created from the filters list: one mailbox filter and one site filter. An alternative to using a filters list would be to create two separate search permissions filters for each agency: one search permissions filter for the mailbox attribute and one filter for the site attributes. In either case, the results will be the same. Using a filters list or creating separate search permissions filters is a matter of preference.
+ > The syntax for the `Filters` parameter includes a *filters list*. A filters list is a filter that includes a mailbox filter and a site path filter separated by a comma. In the previous example, notice that a comma separates **Mailbox_MailboxPropertyName** and **Site_Path**: `-Filters "Mailbox_<MailboxPropertyName> -eq '<Value> '", "Site_Path -like '<SharePointURL>*'"`. When this filter is processed during the running of a content search, two search permissions filters are created from the filters list: one mailbox filter and one SharePoint filter. An alternative to using a filters list would be to create two separate search permissions filters for each agency: one search permissions filter for the mailbox attribute and one filter for the SharePoint site attributes. In either case, the results will be the same. Using a filters list or creating separate search permissions filters is a matter of preference.
- `Action`: Specifies the type of search action the filter is applied to. For example, `-Action Search` would only apply the filter when members of the role group defined in the `Users` parameter run a search. In this case, the filter wouldn't be applied when exporting search results. For compliance boundaries, use `-Action All` so the filter applies to all search actions.
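Review bot: The template on the `+` line keeps a trailing space inside the value placeholder, `'<Value> '`, and the updated note repeats it; anyone copying the template ends up with `-eq 'FourthCoffee '`, which is not equal to `FourthCoffee`. Change both occurrences to `'<Value>'`. Separately, the unchanged `Site_Path` bullet still ends with "Notice the `Site` and `Site_Path` filters are connected by an -or operator", but this same hunk removes the `Site` filter and the `-or` from the syntax, so that sentence should go, and the merged `Mailbox` bullet should say which mailbox property is used to match OneDrive accounts now that the separate `ComplianceAttribute` mapping is gone.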
Here are examples of the two search permissions filters that would be created to
### Fourth Coffee ```powershell
-New-ComplianceSecurityFilter -FilterName "Fourth Coffee Security Filter" -Users "Fourth Coffee eDiscovery Managers", "Fourth Coffee Investigators" -Filters "Mailbox_Department -eq 'FourthCoffee'", "Site_ComplianceAttribute -eq 'FourthCoffee' -or Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'" -Action ALL
+New-ComplianceSecurityFilter -FilterName "Fourth Coffee Security Filter" -Users "Fourth Coffee eDiscovery Managers", "Fourth Coffee Investigators" -Filters "Mailbox_Department -eq 'FourthCoffee'", "Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'" -Action ALL
``` ### Coho Winery ```powershell
-New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "Coho Winery eDiscovery Managers", "Coho Winery Investigators" -Filters "Mailbox_Department -eq 'CohoWinery'", "Site_ComplianceAttribute -eq 'CohoWinery' -or Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'" -Action ALL
+New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "Coho Winery eDiscovery Managers", "Coho Winery Investigators" -Filters "Mailbox_Department -eq 'CohoWinery'", "Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'" -Action ALL
```
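Review bot: Both examples now define the SharePoint side of the boundary solely with a prefix wildcard, `Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'`, which matches every site whose URL begins with that string, including a hypothetical `/sites/FourthCoffeeArchive` that belongs to a different agency. Worth adding a sentence telling admins to confirm that no other agency's site URLs share the prefix before relying on the filter as a compliance boundary, since the removed `Site_ComplianceAttribute` clause no longer narrows the match.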
-## Step 5: Create an eDiscovery case for intra-agency investigations
+## Step 4: Create an eDiscovery case for intra-agency investigations
-The final step is to create a Core eDiscovery case or Advanced eDiscovery case in the Microsoft 365 compliance center and then add the role group that you created in Step 3 as a member of the case. This results in two important characteristics of using compliance boundaries:
+The final step is to create a Core eDiscovery case or Advanced eDiscovery case in the Microsoft 365 compliance center and then add the role group that you created in Step 2 as a member of the case. This results in two important characteristics of using compliance boundaries:
- Only members of the role group added to the case will be able to see and access the case in the Security & Compliance Center. For example, if the Fourth Coffee Investigators role group is the only member of a case, then members of the Fourth Coffee eDiscovery Managers role group (or members of any other role group) won't be able to see or access the case. -- When a member of the role group assigned to a case runs a search associated with the case, they will only be able to search the content locations within their agency (which is defined by the search permissions filter that you created in Step 4.)
+- When a member of the role group assigned to a case runs a search associated with the case, they will only be able to search the content locations within their agency (which is defined by the search permissions filter that you created in Step 3.)
To create a case and assign members:
Search permissions filters also let you control where content is routed for expo
Here are examples of using the **Region** parameter when creating search permission filters for compliance boundaries. This assumes that the Fourth Coffee subsidiary is located in North America and that Coho Winery is in Europe. ```powershell
-New-ComplianceSecurityFilter -FilterName "Fourth Coffee Security Filter" -Users "Fourth Coffee eDiscovery Managers", "Fourth Coffee Investigators" -Filters "Mailbox_Department -eq 'FourthCoffee'", "Site_Department -eq 'FourthCoffee' -or Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'" -Action ALL -Region NAM
+New-ComplianceSecurityFilter -FilterName "Fourth Coffee Security Filter" -Users "Fourth Coffee eDiscovery Managers", "Fourth Coffee Investigators" -Filters "Mailbox_Department -eq 'FourthCoffee'" -or Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'" -Action ALL -Region NAM
``` ```powershell
-New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "Coho Winery eDiscovery Managers", "Coho Winery Investigators" -Filters "Mailbox_Department -eq 'CohoWinery'", "Site_Department -eq 'CohoWinery' -or Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'" -Action ALL -Region EUR
+New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "Coho Winery eDiscovery Managers", "Coho Winery Investigators" -Filters "Mailbox_Department -eq 'CohoWinery'" -or Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'" -Action ALL -Region EUR
``` Keep the following things in mind when searching and exporting content in multi-geo environments. -- The **Region** parameter doesn't control searches of Exchange mailboxes. All datacenters will be searched when you search mailboxes. To limit the scope of which Exchange mailboxes are searched, use the **Filters** parameter when creating or changing a search permissions filter.
+- The **Region** parameter doesn't control searches of Exchange mailboxes. All datacenters will be searched when you search mailboxes. To limit the scope of which Exchange mailboxes are searched, use the **Filters** parameter when creating or changing a search permissions filter.
- If it's necessary for an eDiscovery Manager to search across multiple SharePoint regions, you need to create a different user account for that eDiscovery manager to use in the search permissions filter to specify the region where the SharePoint sites or OneDrive accounts are located. For more information about setting this up, see the "Searching for content in a SharePoint Multi-Geo environment" section in [Content Search](content-search-reference.md#searching-for-content-in-a-sharepoint-multi-geo-environment).
Keep the following limitations in mind when managing eDiscovery cases and invest
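Review bot: Both `+` command lines are no longer valid PowerShell: the comma that separated the mailbox filter from the site filter was replaced by ` -or`, so `-or Site_Path -like '...'` now sits outside any string, and each line ends with an unmatched `"`. They should follow the Step 3 examples, for instance `-Filters "Mailbox_Department -eq 'FourthCoffee'", "Site_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee*'" -Action ALL -Region NAM`, and the same shape for Coho Winery with `-Region EUR`.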
## More information -- If a mailbox is de-licensed or soft-deleted, Azure AD attributes are no longer synchronized to the mailbox. If a hold was placed on the mailbox when it was deleted, the content preserved in the mailbox is still subject to a compliance boundary or search permissions filter based on the last time the Azure AD attributes were synchronized before the mailbox was deleted. -
- Additionally, the synchronization between the user's mailbox and OneDrive account will cease if the mailbox is de-licensed or soft-deleted. The last stamped value of the compliance attribute for the OneDrive account will remain in effect.
--- The compliance attribute is synchronized from a user's Exchange mailbox to their OneDrive account every seven days. As previously stated, this synchronization only occurs when the user is assigned both an Exchange Online and SharePoint Online license and the user's mailbox is at least 10 MB.--- If compliance boundaries and search permissions filters are implemented for both a user's mailbox and OneDrive account, then we recommend that you don't delete a user's mailbox and not their OneDrive account. In other words, if you delete a user's mailbox, you should also remove the user's OneDrive account.
+- If a mailbox is de-licensed or soft-deleted, the user will no longer be considered within the compliance boundary. If a hold was placed on the mailbox when it was deleted, the content preserved in the mailbox is still subject to a compliance boundary or search permissions filter.
-- There are situations (such as a returning employee) where a user might have two or more OneDrive accounts. In these cases, only the primary OneDrive account associated with the user in Azure AD will be synchronized.
+- If compliance boundaries and search permissions filters are implemented for a user, then we recommend that you don't delete a user's mailbox and not their OneDrive account. In other words, if you delete a user's mailbox, you should also remove the user's OneDrive account since mailbox_RecipientFilter is used to enforce search permission filter for OneDrive.
-- Compliance boundaries and search permissions filters depend on attributes being stamped on content in Exchange, OneDrive, and SharePoint and the subsequent indexing of this stamped content.
+- Compliance boundaries and search permissions filters depend on attributes being stamped on content in Exchange, OneDrive, and SharePoint and the subsequent indexing of this stamped content.
-- We don't recommend using exclusion filters (such as using `-not()` in a search permissions filter) for a content-based compliance boundary. Using an exclusion filter can have unexpected results if content with recently updated attributes hasn't been indexed.
+- We don't recommend using exclusion filters (such as using `-not()` in a search permissions filter) for a content-based compliance boundary. Using an exclusion filter can have unexpected results if content with recently updated attributes hasn't been indexed.
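Review bot: The new bullet names `mailbox_RecipientFilter` as what enforces the OneDrive search permissions filter, but nothing else on the page defines that name; the syntax in Step 3 uses `Mailbox_<MailboxPropertyName>`. Use that name with its casing, or simply say "the mailbox filter", and fix the fragment "to enforce search permission filter for OneDrive" to "to enforce the search permissions filter for OneDrive". The `-`/`+` pairs for the "stamped on content" and "exclusion filters" bullets appear identical apart from whitespace and could be left out of the change.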
## Frequently asked questions **Who can create and manage search permissions filters (using New-ComplianceSecurityFilter and Set-ComplianceSecurityFilter cmdlets)?**
-To create, view, and modify search permissions filters, you have to be a member of the Organization Management role group in the Security & Compliance Center.
+To create, view, and modify search permissions filters, you have to be a member of the Organization Management role group in the Microsoft 365 compliance center.
**If an eDiscovery manager is assigned to more than one role group that spans multiple agencies, how do they search for content in one agency or the other?**
-The eDiscovery manager can add parameters to their search query that restrict the search to a specific agency. For example, if an organization has specified the **CustomAttribute10** property to differentiate agencies, they can append the following to their search query to search mailboxes and OneDrive accounts in a specific agency: `CustomAttribute10:<value> AND Site_ComplianceAttribute:<value>`.
+The eDiscovery manager can add parameters to their search query that restrict the search to a specific agency. For example, if an organization has specified the **CustomAttribute10** property to differentiate agencies, they can append the following to their search query to search mailboxes and OneDrive accounts in a specific agency: `CustomAttribute10:<value>`.
**What happens if the value of the attribute that's used as the compliance attribute in a search permissions filter is changed?**
contentunderstanding Apply A Sensitivity Label To A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/apply-a-sensitivity-label-to-a-model.md
description: "Learn how to apply a sensitivity label to a model in SharePoint Sy
You can easily apply a [sensitivity label](../compliance/sensitivity-labels.md) to document understanding models in Microsoft SharePoint Syntex. This feature isn't available yet for form processing models.
-Sensitivity labels let you apply encryption, sharing, and conditional access policies to the documents that your models identify. For example, you want your model to not only identify any financial documents that contain bank account numbers or credit card numbers that are uploaded to your document library, but also to apply an *Encryption* sensitivity label to them to restrict who can access that content and how it can be used.
+Sensitivity labels let you apply encryption, sharing, and conditional access policies to the documents that your models identify. For example, you want your model to not only identify any financial documents that contain bank account numbers or credit card numbers that are uploaded to your document library, but also to apply an *Encryption* sensitivity label to them to restrict who can access that content and how it can be used. SharePoint Syntex models honor the [label order](../compliance/apply-sensitivity-label-automatically.md?view=o365-worldwide#how-multiple-conditions-are-evaluated-when-they-apply-to-more-than-one-label) rules and also do not overwrite an existing label that was manually applied by a user to the file.
You can apply a pre-existing sensitivity label to your model through your model settings on your model's home page. The label must already be published to be available for selection from model settings.
You can add a sensitivity label to an existing form processing model that you ow
[Create an extractor](create-an-extractor.md)
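Review bot: The added sentence links to the auto-labeling article with a `?view=o365-worldwide` query string, while the other cross-reference in the same paragraph (`../compliance/sensitivity-labels.md`) is a bare relative path; keep the links consistent and let the docs build resolve the view. Also, "do not overwrite" reads better as "don't overwrite", matching "isn't" a sentence earlier.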
-[Document Understanding overview](document-understanding-overview.md)
+[Document Understanding overview](document-understanding-overview.md)
enterprise Configure Search For Multi Geo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-search-for-multi-geo.md
Here's a sample CSOM query that's fanned out to **all** geo locations:
var keywordQuery = new KeywordQuery(ctx); keywordQuery.QueryText = query.SearchQueryText; keywordQuery.ClientType = <enter a string here>;
-keywordQuery["EnableMultiGeoSearch"] = true;
-```
+keywordQuery.Properties["EnableMultiGeoSearch"] = true;
+```
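Review bot: Switching to `keywordQuery.Properties["EnableMultiGeoSearch"] = true;` is the right fix, since a `KeywordQuery` object is not itself indexable in CSOM. The unchanged line above still contains `keywordQuery.ClientType = <enter a string here>;`, which does not compile if pasted as-is; make the placeholder a quoted string such as `"<your client type>"` so the sample at least parses.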
enterprise Ipv6 Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ipv6-support.md
If the program that you use to connect to Exchange Online supports IPv6, it will
If the program that you use to connect to SharePoint Online supports IPv6, it will use IPv6 by default on both wired and wireless networks. If you want to control communications to SharePoint Online, use the IP address ranges in [Office 365 URLs and IP address ranges](urls-and-ip-address-ranges.md).
- **Office 365 Government G1/G3/G4/K1** If the program that you use to connect to SharePoint Online supports IPv6, it will attempt to use IPv6 by default.
+
### Skype for Business and IPv6
Here's a short link you can use to come back: [https://aka.ms/o365ip6]()
[IPv6 Learning Roadmap](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/gg250710(v%3dws.10))
-[IPv6 Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/1728.ipv6-survival-guide.aspx)
+[IPv6 Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/1728.ipv6-survival-guide.aspx)
security Api Release Notes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-release-notes.md
The following information lists the updates made to the Microsoft Defender for E
### 06.10.2021 -- Added new Export assessment API method - _Delta Export software vulnerabilities assessment (OData)_ [Export assessment methods and properties per device](get-assessment-methods-properties.md).
+- Added new Export assessment API method - _Delta Export software vulnerabilities assessment (JSON response)_ [Export assessment methods and properties per device](get-assessment-methods-properties.md).
### 05.25.2021
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)- - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ## Why attack surface reduction rules are important
The "engine version" listed for attack surface reduction events in the event log
## Attack surface reduction rules
-The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.
+The following table and subsections describe each of the 16 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.
If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.
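Review bot: The count moves from 15 to 16 rules, but this hunk does not show the added rule; confirm that the table and subsections below gained the sixteenth entry, including its GUID, since the following paragraph tells Group Policy and PowerShell users that they need the GUIDs, so that the stated count and the list agree.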
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
audience: ITPro
ms.prod: m365-security localization_priority: Normal-+ - next-gen - edr-+ - m365-security-compliance - m365initiative-defender-endpoint ms.technology: mde
ms.technology: mde
## Overview
-TodayΓÇÖs threat landscape is overrun by [fileless malware](/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](/windows/security).
+Today's threat landscape is overrun by [fileless malware](/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](/windows/security).
-Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities.
+Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities.
:::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment":::
Behavioral blocking and containment capabilities work with multiple components a
- [Defender for Endpoint](overview-endpoint-detection-response.md) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](../defender/microsoft-365-defender.md), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
-With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
+With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities:
The following image shows an example of an alert that was triggered by behaviora
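Review bot: The corrected line fixes the mis-encoded apostrophe but carries over a grammar slip: "overrun by fileless malware ... and that lives off the land" should read "fileless malware that lives off the land". The `-`/`+` pairs for the next two paragraphs appear unchanged apart from whitespace and could be dropped from the change.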
## Components of behavioral blocking and containment -- **On-client, policy-driven [attack surface reduction rules](attack-surface-reduction.md)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft 365 Defender ([https://security.microsoft.com](https://security.microsoft.com)) as informational alerts. Attack surface reduction rules are not enabled by default; you configure your policies in the [Microsoft 365 Defender](microsoft-defender-security-center.md).
+- **On-client, policy-driven [attack surface reduction rules](attack-surface-reduction.md)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in Microsoft 365 Defender <https://security.microsoft.com> as informational alerts. Attack surface reduction rules are not enabled by default; you configure your policies in the [Microsoft 365 Defender](microsoft-defender-security-center.md).
-- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
+- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
-- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
+- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
-- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in Microsoft 365 Defender.)
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in Microsoft 365 Defender.)
Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
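Review bot: in the first bullet of the `+` line, the bare URL `<https://security.microsoft.com>` sits mid-sentence without parentheses, and the article is dropped ("in Microsoft 365 Defender") while the last sentence of the same bullet keeps it ("in the [Microsoft 365 Defender](microsoft-defender-security-center.md)"). The other hunks in this commit use the form "Microsoft 365 Defender portal (<https://security.microsoft.com>)"; suggest the same form here and dropping "the" in the closing sentence so the bullet is consistent with itself.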
Below are two real-life examples of behavioral blocking and containment in actio
### Example 1: Credential theft attack against 100 organizations
-As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the userΓÇÖs device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
+As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user's device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
-Behavior-based device learning models in Defender for Endpoint caught and stopped the attackerΓÇÖs techniques at two points in the attack chain:
+Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker's techniques at two points in the attack chain:
- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.-- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
+- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md) (formerly the Microsoft Defender Security Center):
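Review bot: the first bullet under the "two points in the attack chain" paragraph still reads "correctly identified the threat as and immediately instructed the client device", which is missing the classification after "as"; since this hunk already rewrites the adjacent lines for the quote fix, the missing word should be supplied here rather than left for another pass.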
This example shows how behavior-based device learning models in the cloud add ne
### Example 2: NTLM relay - Juicy Potato malware variant
-As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called ΓÇ£Possible privilege escalation using NTLM relayΓÇ¥ was triggered.
+As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called "Possible privilege escalation using NTLM relay" was triggered.
:::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware":::
-The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device.
+The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device.
Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image: :::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked":::
-A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
+A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
-This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
+This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
## Next steps
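Review bot: "As described in the recent blog post" in the `+` line points at a post dated March 2020, so "recent" is already stale in a page being updated in 2021 and will only drift further; drop it ("As described in the blog post, ..."). The remaining `-`/`+` pairs in this hunk (the Juicy Potato description, the follow-up block and the closing sentence) are whitespace-only changes, which is fine but worth knowing when scanning the diff.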
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
localization_priority: Normal audience: ITPro--- m365-security-compliance +
+- m365-security-compliance
- m365initiative-defender-endpoint - m365solution-scenario - m365scenario-fpfn
In endpoint protection solutions, a false positive is an entity, such as a file
Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in [Microsoft 365 Defender](microsoft-defender-security-center.md) (formerly the Microsoft Defender Security Center), your security operations can take steps to address them by using the following process:
-1. [Review and classify alerts](#part-1-review-and-classify-alerts)
-2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
-3. [Review and define exclusions](#part-3-review-or-define-exclusions)
-4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis)
-5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
+1. [Review and classify alerts](#part-1-review-and-classify-alerts)
+2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
+3. [Review and define exclusions](#part-3-review-or-define-exclusions)
+4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis)
+5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
You can get help if you still have issues with false positives/negatives after performing the tasks described in this article. See [Still need help?](#still-need-help)
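Review bot: the link text in the renumbered list does not match the headings it points to: step 3 says "Review and define exclusions" but the target is `#part-3-review-or-define-exclusions` ("Review or define exclusions"), and step 4 says "Submit an entity for analysis" while the target is `#part-4-submit-a-file-for-analysis`. Since the hunk rewrites all five items anyway, align the text with the section headings so readers can find the sections by name.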
You can get help if you still have issues with false positives/negatives after p
## Part 1: Review and classify alerts
-If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
+If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
Managing your alerts and classifying true/false positives helps to train your th
Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts in Microsoft Defender for Endpoint](review-alerts.md).)
-4. Depending on the alert status, take the steps described in the following table:
+4. Depending on the alert status, take the steps described in the following table:
-| Alert status | What to do |
-|:|:|
-| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
-| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive. <br/>2. [Suppress the alert](#suppress-an-alert). <br/> 3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint. <br/> 4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
-| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
+<br>
+
+****
+
+|Alert status|What to do|
+|||
+|The alert is accurate|Assign the alert, and then [investigate it](investigate-alerts.md) further.|
+|The alert is a false positive|<ol><li>[Classify the alert](#classify-an-alert) as a false positive.</li><li>[Suppress the alert](#suppress-an-alert).</li><li>[Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.</li><li>[Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis).</li></ol>|
+|The alert is accurate, but benign (unimportant)|[Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert).|
+|||
### Classify an alert
-Alerts can be classified as false positives or true positives in the Microsoft 365 Defender. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts.
+Alerts can be classified as false positives or true positives in Microsoft 365 Defender. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts.
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. Select **Alerts queue**, and then select an alert.
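Review bot: the rebuilt table ends with an extra `|||` row after the last data row, which renders as an empty table row; remove it. The `<br>` and `****` lines inserted above the table add spacing that the preceding list item already provides. Also, the unchanged step 3 of this procedure reads "Select an alert to more details about the alert" and is missing "view"; worth fixing while the procedure is being edited.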
Alerts can be classified as false positives or true positives in the Microsoft 3
4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) > [!TIP]
-> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
+> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
### Suppress an alert
-If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft 365 Defender. Suppressing alerts helps reduce noise in your security operations dashboard.
+If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in Microsoft 365 Defender. Suppressing alerts helps reduce noise in your security operations dashboard.
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. In the navigation pane, select **Alerts queue**.
If you have alerts that are either false positives or that are true positives bu
## Part 2: Review remediation actions
-[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus:
+[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus:
+ - Quarantine a file - Remove a registry key - Kill a process
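Review bot: the added bullet list of automatic remediation actions is indented by a leading space after the `+`, so check that it renders as a list rather than as a continuation of the paragraph; the item names should also match the terms used two sentences earlier ("sending a file to quarantine or stopping a process" versus "Kill a process") so the sentence and the list read as the same set of actions.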
After you have reviewed your alerts, your next step is to [review remediation ac
- [Restore a quarantined file from the Action Center](#restore-a-quarantined-file-from-the-action-center) - [Undo multiple actions at one time](#undo-multiple-actions-at-one-time)-- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). and
+- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). and
- [Restore file from quarantine](#restore-file-from-quarantine) When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). ### Review completed actions
-1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
+1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
-2. Select the **History** tab to view a list of actions that were taken.
+2. Select the **History** tab to view a list of actions that were taken.
3. Select an item to view more details about the remediation action that was taken. ### Restore a quarantined file from the Action Center
-1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
+1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
2. On the **History** tab, select an action that you want to undo.
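Review bot: the `+` line for "Remove a file from quarantine across multiple devices" keeps the stray ". and" after the link; now that the items are on separate lines, that text is left over from the old run-on sentence and should be deleted.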
When you're done reviewing and undoing actions that were taken as a result of fa
### Undo multiple actions at one time
-1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
+1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**.
-### Remove a file from quarantine across multiple devices
+### Remove a file from quarantine across multiple devices
> [!div class="mx-imgBorder"] > ![Quarantine file](images/autoir-quarantine-file-1.png)
-1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
+1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
2. On the **History** tab, select a file that has the Action type **Quarantine file**.
When you're done reviewing and undoing actions that were taken as a result of fa
### Restore file from quarantine
-You can roll back and remove a file from quarantine if youΓÇÖve determined
-that itΓÇÖs clean after an investigation. Run the following command on each
-device where the file was quarantined.
+You can roll back and remove a file from quarantine if you've determined that it's clean after an investigation. Run the following command on each device where the file was quarantined.
1. Open an elevated commandΓÇôline prompt on the device:- 1. Go to **Start** and type _cmd_.-
- 1. RightΓÇôclick **Command prompt** and select **Run as administrator**.
+ 2. RightΓÇôclick **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
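Review bot: the `+` line "RightΓÇôclick **Command prompt**" still carries the mis-encoded en dash `ΓÇô` (as does the unchanged "commandΓÇôline prompt" step above it), while the rest of this commit replaces the `ΓÇÖ`/`ΓÇ£` sequences with plain ASCII; fix these too ("Right-click", "command-line") so the procedure has no remaining encoding debris. Renumbering the second sub-step from 1 to 2 is correct.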
device where the file was quarantined.
``` > [!IMPORTANT]
- > In some scenarios, the **ThreatName** may appear as `EUS:Win32/
- CustomEnterpriseBlock!cl`. Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
+ > In some scenarios, the **ThreatName** may appear as `EUS:Win32/CustomEnterpriseBlock!cl`. Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
+ >
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
-3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
+3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
## Part 3: Review or define exclusions
-An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process wonΓÇÖt be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
+An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won't be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:+ - [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)-- [Create ΓÇ£allowΓÇ¥ indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint)
+- [Create "allow" indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint)
> [!NOTE] > Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](/microsoft-365/security/defender-endpoint/manage-indicators) for Microsoft Defender for Endpoint.
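Review bot: in the note about quarantined network files, "a temporary log on to a system or shared folder and the access tokens expired" is hard to parse; suggest "a temporary logon to a system or shared folder whose access token has since expired". Joining the split code span `EUS:Win32/CustomEnterpriseBlock!cl` onto one line and adding the empty `>` line between the two notes are good fixes.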
In general, you should not need to define exclusions for Microsoft Defender Anti
#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies)
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you donΓÇÖt have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
+2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.
In general, you should not need to define exclusions for Microsoft Defender Anti
#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**.
+2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**.
3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).
To specify entities as exclusions for Microsoft Defender for Endpoint, create "a
#### Indicators for files
-When you [create an "allow" indicator for a file, such as an executable](/microsoft-365/security/defender-endpoint/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
+When you [create an "allow" indicator for a file, such as an executable](/microsoft-365/security/defender-endpoint/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
Before you create indicators for files, make sure the following requirements are met:+ - Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))-- Antimalware client version is 4.18.1901.x or later -- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 -- The [Block or allow feature is turned on](/microsoft-365/security/defender-endpoint/advanced-features)
+- Antimalware client version is 4.18.1901.x or later
+- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
+- The [Block or allow feature is turned on](/microsoft-365/security/defender-endpoint/advanced-features)
#### Indicators for IP addresses, URLs, or domains When you [create an "allow" indicator for an IP address, URL, or domain](/microsoft-365/security/defender-endpoint/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked. Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met:+ - Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](/microsoft-365/security/defender-endpoint/enable-network-protection))-- Antimalware client version is 4.18.1906.x or later -- Devices are running Windows 10, version 1709, or later
+- Antimalware client version is 4.18.1906.x or later
+- Devices are running Windows 10, version 1709, or later
Custom network indicators are turned on in the [Microsoft 365 Defender](microsoft-defender-security-center.md). To learn more, see [Advanced features](/microsoft-365/security/defender-endpoint/advanced-features).
-#### Indicators for application certificates
+#### Indicators for application certificates
-When you [create an "allow" indicator for an application certificate](/microsoft-365/security/defender-endpoint/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
+When you [create an "allow" indicator for an application certificate](/microsoft-365/security/defender-endpoint/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
Before you create indicators for application certificates, make sure the following requirements are met: - Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](deploy-manage-report-microsoft-defender-antivirus.md))-- Antimalware client version is 4.18.1901.x or later -- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 -- Virus and threat protection definitions are up to date
+- Antimalware client version is 4.18.1901.x or later
+- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
+- Virus and threat protection definitions are up to date
> [!TIP]
-> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
+> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
## Part 4: Submit a file for analysis
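Review bot: the prerequisite lists link the same "Manage cloud-based protection" article two different ways: the file-indicator list uses `/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus` while the certificate-indicator list uses the relative `deploy-manage-report-microsoft-defender-antivirus.md`; pick one form. "Custom network indicators are turned on in the [Microsoft 365 Defender]" also keeps the article that this commit removes elsewhere ("in Microsoft 365 Defender").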
If you have a file that was either wrongly detected as malicious or was missed,
1. Review the guidelines here: [Submit files for analysis](/windows/security/threat-protection/intelligence/submission-guide).
-2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s).
+2. Visit the Microsoft Security Intelligence submission site (<https://www.microsoft.com/wdsi/filesubmission>), and submit your file(s).
### Submit a fileless detection for analysis
-If something was detected as malware based on behavior, and you donΓÇÖt have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10.
+If something was detected as malware based on behavior, and you don't have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10.
-1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`, and then run `MpCmdRun.exe` as an administrator.
+1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`, and then run `MpCmdRun.exe` as an administrator.
+
+2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.
-2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.
A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
-3. Review the guidelines here: [Submit files for analysis](/windows/security/threat-protection/intelligence/submission-guide).
+3. Review the guidelines here: [Submit files for analysis](/windows/security/threat-protection/intelligence/submission-guide).
-4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files.
+4. Visit the Microsoft Security Intelligence submission site (<https://www.microsoft.com/wdsi/filesubmission>), and submit your .cab files.
### What happens after a file is submitted?
-Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. ItΓÇÖs possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly.
+Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It's possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly.
For submissions that were not already processed, they are prioritized for analysis as follows:
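Review bot: step 1 of the fileless submission procedure keeps a leading space inside the code span (`` ` C:\ProgramData\Microsoft\Windows Defender\Platform\<version>` ``) in both the `-` and `+` lines; drop it so the path renders cleanly. Moving step 2 up with the added blank line between the steps is fine.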
For submissions that were not already processed, they are prioritized for analys
- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority. - Submissions flagged as high priority by SAID holders are given immediate attention.
-To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission).
+To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission).
> [!TIP] > To learn more, see [Submit files for analysis](/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). ## Part 5: Review and adjust your threat protection settings
-Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If youΓÇÖre getting numerous false positives, make sure to review your organizationΓÇÖs threat protection settings. You might need to make some adjustments to:
+Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you're getting numerous false positives, make sure to review your organization's threat protection settings. You might need to make some adjustments to:
- [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications)
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies)
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you donΓÇÖt have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)).
+2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)).
3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy)
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**.
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).)
-8. On the **Review + create** tab, review the settings, and then choose **Create**.
+8. On the **Review + create** tab, review the settings, and then choose **Create**.
### Remediation for potentially unwanted applications
Potentially unwanted applications (PUA) are a category of software that can caus
> [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
-
+ Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). #### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles)
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you donΓÇÖt have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).)
+2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).)
3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**.
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile)
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+1. Go to the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
2. Choose **Devices** > **Configuration profiles** > **+ Create profile**.
We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
### Automated investigation and remediation
-[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
+[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-Depending on the [level of automation](/microsoft-365/security/defender-endpoint/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team.
+Depending on the [level of automation](/microsoft-365/security/defender-endpoint/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team.
-- [Learn more about automation levels](/microsoft-365/security/defender-endpoint/automation-levels); and then
+- [Learn more about automation levels](/microsoft-365/security/defender-endpoint/automation-levels); and then
- [Configure AIR capabilities in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation). > [!IMPORTANT]
-> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
+> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
## Still need help? If you have worked through all the steps in this article and still need help, contact technical support.
-1. Go to the Microsoft 365 Defender ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+1. Go to Microsoft 365 Defender (<https://security.microsoft.com>) and sign in.
2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**.
-3. In the **Support Assistant** window, describe your issue, and then send your message. From there, you can open a service request.
+3. In the **Support Assistant** window, describe your issue, and then send your message. From there, you can open a service request.
## See also [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)
-[Overview of Microsoft 365 Defender portal](/microsoft-365/security/defender-endpoint/use)
+[Overview of Microsoft 365 Defender portal](/microsoft-365/security/defender-endpoint/use)
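Review bot: several removed/added pairs in this file show no visible difference (step 8 "On the **Review + create** tab", the three AIR paragraphs and the IMPORTANT block, step 3 under "Still need help?", and the "Overview of Microsoft 365 Defender portal" link), so they are trailing-whitespace or line-ending changes; if that is intended, say so in the commit message, otherwise drop them so the diff only carries the quote and link fixes it is meant to carry.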
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
## Prepare your endpoints
-Deploy Removable Storage Access Control on Windows 10 devices that have Anti-malware Client Version **4.18.2103.3 or later**.
-1. **4.18.2104 or later**: Add SerialNumberId, VID_PID, filepath-based GPO support, ComputerSid
+Deploy Removable Storage Access Control on Windows 10 devices that have antimalware client version **4.18.2103.3 or later**.
-2. **4.18.2105 or later**: Add Wildcard support for HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId, the combination of specific user on specific machine, removeable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support
+- **4.18.2104 or later**: Add SerialNumberId, VID_PID, filepath-based GPO support, ComputerSid
+
+- **4.18.2105 or later**: Add Wildcard support for HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId, the combination of specific user on specific machine, removeable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support
:::image type="content" source="images/powershell.png" alt-text="The PowerShell interface":::
- > [!NOTE]
- > None of Windows Security components need to be active, you can run Removable Storage Access Control independent of Windows Security status.
+> [!NOTE]
+> None of Windows Security components need to be active, you can run Removable Storage Access Control independent of Windows Security status.
## Policy properties - You can use the following properties to create a removable storage group: **Property name: Group Id**
List the device properties you want to use to cover in the group.
For each device property, see **Device Properties** section above for more detail. 1. Options:+ - Primary ID - RemovableMediaDevices - CdRomDevices
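Review bot: the "removeable SSD" typo in the 4.18.2105 bullet survives the relist; make it "removable SSD" while the line is being touched. The same bullet's "the combination of specific user on specific machine" reads better as "combining a specific user with a specific machine (Sid plus ComputerSid in one entry)", which is how the Sid and ComputerSid properties describe it later in this file. The re-indented NOTE is a comma splice: "None of the Windows Security components needs to be active; you can run Removable Storage Access Control independent of Windows Security status."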
For each device property, see **Device Properties** section above for more detai
1. Description: When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship. 1. Options:
- - MatchAll: Any attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.
+ - MatchAll: Any attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.
- MatchAny: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. -- Following are the access control policy properties: **Property name: PolicyRuleId**
Following are the access control policy properties:
**Property name: IncludedIdList**
-1. Description: The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.
+2. Description: The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.
-1. Options: The Group ID/GUID must be used at this instance.
+3. Options: The Group ID/GUID must be used at this instance.
The following example shows the usage of GroupID:
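Review bot: the renumbering for IncludedIdList starts at "2. Description" and "3. Options" with no item 1 in the hunk, so the rendered list will either show a gap or be renumbered from 1 anyway; use the plain "Description:" / "Options:" form that the other properties in this change use, or show the missing first item. "The Group ID/GUID must be used at this instance" would be clearer as "Use the group's GUID here".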
The following example shows the usage of GroupID:
**Property name: ExcludedIDList**
-1. Description: The group(s) that the policy will not be applied to.
-1. Options: The Group ID/GUID must be used at this instance.
+Description: The group(s) that the policy will not be applied to.
+
+Options: The Group ID/GUID must be used at this instance.
**Property name: Entry Id**
The following example shows the usage of GroupID:
1. Description: Defines the action for the removable storage groups in IncludedIDList. - Enforcement: Allow or Deny - Audit: AuditAllowed or AuditDenied
-1. Options:
+
+2. Options:
+ - Allow - Deny - AuditAllowed: Defines notification and event when access is allowed
When there are conflict types for the same media, the system will apply the firs
**Property name: Sid**
-1. Description: Defines whether apply this policy over specific user or user group; one entry can have maximum one Sid and an entry without any Sid means applying the policy over the machine.
+Description: Defines whether apply this policy over specific user or user group; one entry can have maximum one Sid and an entry without any Sid means applying the policy over the machine.
**Property name: ComputerSid**
-1. Description: Defines whether apply this policy over specific machine or machine group; one entry can have maximum one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.
+Description: Defines whether apply this policy over specific machine or machine group; one entry can have maximum one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.
**Property name: Options**
-1. Description: Defines whether to display notification or not.
+Description: Defines whether to display notification or not.
:::image type="content" source="images/device-status.png" alt-text="The screen on which the status of the device can be seen":::
-1. Options: 0-4. When Type Allow or Deny is selected:
+Options: 0-4. When Type Allow or Deny is selected:
- 0: nothing - 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system will not show notification.
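Review bot: the Options description says the value range is 0-4 but only 0 and 4 are defined; either document 1-3 or state that only 0 and 4 are valid, because an admin reading "0-4" will assume the intermediate values do something. The ComputerSid description looks copy-pasted from Sid: "an entry without any ComputerSid means applying the policy over the machine" presumably should read "over all machines" (an entry without a Sid applies machine-wide; an entry without a ComputerSid is not scoped to any particular machine). Both descriptions also need a "to": "Defines whether to apply this policy to a specific user or user group" / "to a specific machine or machine group".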
When there are conflict types for the same media, the system will apply the firs
**Property name: AccessMask**
-1. Description: Defines the access.
+Description: Defines the access.
-1. Options:
- 1-7:
- - 1: Read
- - 2: Write
- - 3: Read and Write
- - 4: Execute
- - 5: Read and Execute
- - 6: Write and Execute
- - 7: Read and Write and Execute
+Options 1-7:
+ - 1: Read
+ - 2: Write
+ - 3: Read and Write
+ - 4: Execute
+ - 5: Read and Execute
+ - 6: Write and Execute
+ - 7: Read and Write and Execute
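Review bot: worth stating in the AccessMask description that the values are bit flags combined with OR (Read = 1, Write = 2, Execute = 4), since the listed 3, 5, 6 and 7 entries are exactly those sums; that explains the "mask" name and lets readers derive a combination instead of memorising the table. The options line would then read "Options: 1-7 (bitmask of Read = 1, Write = 2, Execute = 4)".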
## Common Removable Storage Access Control scenarios
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs 1. Create groups+ 1. Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. 2. Group 2: Approved USBs based on device properties. An example for this use case is:
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
> You have to replace `&` with `&amp;` in the value. 2. Create policy
- 1. Policy 1: Block Write and Execute Access but allow approved USBs. An example for this use case is: PolicyRule **c544a991-5786-4402-949e-a032cb790d0e** in the sample [Scenario 1 Block Write and Execute Access but allow approved USBs .xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
+
+ 1. Policy 1: Block Write and Execute Access but allow approved USBs. An example for this use case is: PolicyRule **c544a991-5786-4402-949e-a032cb790d0e** in the sample [Scenario 1 Block Write and Execute Access but allow approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
2. Policy 2: Audit Write and Execute access to allowed USBs. An example for this use case is: PolicyRule **36ae1037-a639-4cff-946b-b36c53089a4c** in the sample [Scenario 1 Audit Write and Execute access to approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. ### Scenario 2: Audit Write and Execute access to all but block specific unapproved USBs 1. Create groups+ 1. Group 1: Any removable storage and CD/DVD. An example for this use case is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
> You have to replace `&` with `&amp;` in the value. 2. Create policy+ 1. Policy 1: Block Write and Execute access to all but block specific unapproved USBs. An example of this use case is: PolicyRule **23b8e437-66ac-4b32-b3d7-24044637fc98** in the sample [Scenario 2 Audit Write and Execute access to all but block specific unapproved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. 2. Policy 2: Audit Write and Execute access to others. An example of this use case is: PolicyRule **b58ab853-9a6f-405c-a194-740e69422b48** in the sample [Scenario 2 Audit Write and Execute access to others.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
DeviceEvents
``` :::image type="content" source="images/block-removable-storage.png" alt-text="The screen depicting the blockage of the removable storage":::+
+## Frequently asked questions
+**What is the removable storage media limitation for the maximum number of USBs?**
+
+We have validated one USB group with 100,000 media - up to 7 MB in size. The policy works in both Intune and GPO without performance issues.
+
+**Why does the policy not work?**
+
+The most common reason is there is no required [antimalware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide#prepare-your-endpoints).
+
+Another reason could be that the XML file is not correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
+
+If there is a value and the policy is managed via Group Policy, check whether the client device can access the policy XML path.
+
+**How can I know which machine is using out of date antimalware client version in the organization?**
+
+You can use following query to get antimalware client version on the Microsoft 365 security portal:
+```kusto
+//check the antimalware client version
+DeviceFileEvents
+| where FileName == "MsMpEng.exe"
+| where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
+| extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
+//| project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
+| summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
+| order by PlatformVersion desc
+```
+
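Review bot: in the Kusto query, `tostring(split(FolderPath, "\\", 5))` converts a one-element dynamic array to text, so PlatformVersion comes out as `["4.18.2105.5"]`-style strings rather than the bare version; use `tostring(split(FolderPath, "\\")[5])` so the summarize and order by work on the plain version string. `order by PlatformVersion desc` is a string sort and only ranks builds correctly while the version components keep the same digit counts; `parse_version()` would give a reliable ordering for finding the oldest builds. The "not correctly formatted" answer says "markdown formatting for the "&" character", but the file is XML and the requirement stated in the scenarios above is to escape `&` as `&amp;`, so say "XML escaping". The link to the antimalware client version requirement points at this same article with a `?view=o365-worldwide` query string; a relative `#prepare-your-endpoints` anchor is enough. Minor wording: "You can use the following query", "which machines are using an out-of-date antimalware client version", "download the sample file ... and then edit it", and "If there is a value" is unclear (if the policy value is present?).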
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
Title: Export assessment methods and properties per device
-description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. Since the amount of data can be large, there are two ways it can be retrieved
+description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, search.product: eADQiWindows 10XVcnh ms.prod: m365-security
The APIs that correspond to the export information types are described in sectio
For each method, there are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved: -- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+- **JSON response** The API pulls all data in your organization as JSON responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
For each method, there are different API calls to get different types of data. B
- Download all the files using the download URLs and process the data as you like.
-Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+Data that is collected (using either _JSON response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
## 1. Export secure configurations assessment
Returns all of the configurations and their status, on a per-device basis.
Method | Data type | Description :|:|:
-Export secure configuration assessment **(OData)** | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
-Export secure configuration assessment **(via files)** | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+Export secure configuration assessment **(JSON response)** | Secure configuration by device collection. See: [1.2 Properties (JSON response)](#12-properties-json-response) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export secure configuration assessment **(via files)** | Secure configuration by device collection. See: [1.3 Properties (via files)](#13-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
-### 1.2 Properties (OData)
+### 1.2 Properties (JSON response)
Property (ID) | Data type | Description :|:|:
Returns all of the installed software and their details on each device.
Method | Data type | Description :|:|:
-Export software inventory assessment **(OData)** | Software inventory by device collection. See: [2.2 Properties (OData)](#22-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software inventory assessment **(JSON response)** | Software inventory by device collection. See: [2.2 Properties (JSON response)](#22-properties-json-response) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
Export software inventory assessment **(via files)** | Software inventory by device files. See: [2.3 Properties (via files)](#23-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
-### 2.2 Properties (OData)
+### 2.2 Properties (JSON response)
Property (ID) | Data type | Description :|:|:
Returns all the known vulnerabilities on a device and their details, for all dev
Method | Data type | Description :|:|:
-Export software vulnerabilities assessment **(OData)** | Investigation collection See: [3.2 Properties (OData)](#32-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software vulnerabilities assessment **(JSON response)** | Investigation collection See: [3.2 Properties (JSON response)](#32-properties-json-response) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
Export software vulnerabilities assessment **(via files)** | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
-**Delta export** software vulnerabilities assessment **(OData)** | Investigation collection See: [3.4 Properties Delta export OData)](#34-properties-delta-export-odata) | Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. <br><br> The API pulls data in your organization as Json responses, following the OData protocol. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (OData) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export OData API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
+**Delta export** software vulnerabilities assessment **(JSON response)** | Investigation collection See: [3.4 Properties Delta export (JSON response)](#34-properties-delta-export-json-response) | Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. <br><br> The API pulls data in your organization as JSON responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export OData API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
-### 3.2 Properties (OData)
+### 3.2 Properties (JSON response)
Property (ID) | Data type | Description :|:|:
Property (ID) | Data type | Description
Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization. GeneratedTime | string | The time that the export was generated.
-### 3.4 Properties (delta export OData)
+### 3.4 Properties (delta export JSON response)
Property (ID) | Data type | Description :|:|:
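Review bot: renaming the 3.2 and 3.4 headings changes their anchors (`#32-properties-odata` becomes `#32-properties-json-response`, and likewise for 3.4). This commit updates the in-page link to 3.4 in the table row, but no corresponding update of links to the 3.2 anchor is visible; check every cross-reference to both anchors, including from other pages, before merging, or the links will silently stop resolving.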
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
Returns all of the configurations and their status, on a per-device basis.
There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved: -- [Export secure configuration assessment **OData**](#1-export-secure-configuration-assessment-odata): The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+- [Export secure configuration assessment **JSON response**](#1-export-secure-configuration-assessment-json-response): The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
- [Export secure configuration assessment **via files**](#2-export-secure-configuration-assessment-via-files): This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
Data that is collected (using either _OData_ or _via files_) is the current snap
> > Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
-## 1. Export secure configuration assessment (OData)
+## 1. Export secure configuration assessment (JSON response)
### 1.1 API method description
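Review bot: the rename in the `+` bullet ("Export secure configuration assessment **JSON response**") is not carried into the unchanged lines: the summary still reads "Data that is collected (using either _OData_ or _via files_)", so the page now uses two names for the same method. The `+` bullet also keeps "Json responses" where the rest of this commit writes "JSON", and "less than 100-K devices" is an odd way to write 100,000 devices; "fewer than 100,000 devices" reads better in both bullets.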
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
> There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved: -- [Export software inventory assessment **OData**](#1-export-software-inventory-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+- [Export software inventory assessment **JSON response**](#1-export-software-inventory-assessment-json-response) The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
- [Export software inventory assessment **via files**](#2-export-software-inventory-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
Data that is collected (using either _OData_ or _via files_) is the current snap
> > Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
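Review bot: same incomplete rename as in get-assessment-secure-config.md: the `+` bullet says "**JSON response**" and "Json responses", while the unchanged line "Data that is collected (using either _OData_ or _via files_)" still refers to the method as OData. Rename it in the same change so the two bullets and the summary agree, and settle on "JSON" rather than "Json".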
-## 1. Export software inventory assessment (OData)
+## 1. Export software inventory assessment (JSON response)
### 1.1 API method description
GET /api/machines/SoftwareInventoryByMachine
>[!NOTE] >
->-Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
-
->-The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+>- Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+>
+>- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
>
->-Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+
+<br/>
Property (ID) | Data type | Description | Example of a returned value :|:|:|:
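Review bot: the list repair (a space after `>-` so the items render as bullets) is right, but the note that tells readers to size pageSize from "approximately 0.5KB" per record gives them only half the calculation. The software vulnerabilities page in this digest documents a maximum page size of 200,000 records and a rate limit of 30 calls per minute; at 0.5 KB per record a maximum page is roughly 100 MB, and that is the number a caller actually needs when choosing the parameter. Also write "0.5 KB" with a space, matching "1 KB" used elsewhere in this commit.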
GET /api/machines/SoftwareInventoryExport
>[!Note] >
->- The files are gzip compressed & in multiline Json format.
+>- The files are gzip compressed & in multiline JSON format.
> >- The download URLs are only valid for 3 hours. Otherwise you can use the parameter. >
->_ For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
->
+>- For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+
+<br/><br/>
+ Property (ID) | Data type | Description | Example of a returned value :|:|:|: Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
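Review bot: the `+` line pastes the table header, the separator row and the data row onto a single line, so the table will not render; put each on its own line. In the example value, "Https://" is capitalised and the closing quotes appear as `ΓÇ¥`. The unchanged note "The download URLs are only valid for 3 hours. Otherwise you can use the parameter." names no parameter; say which one. Because these URLs grant download access to the organisation's export in Azure Storage until they expire, the note should also tell readers to treat them as credentials: do not write them to logs or share them outside the process that consumes them.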
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
Returns all known software vulnerabilities and their details for all devices, on
There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved:
-1. [Export software vulnerabilities assessment OData](#1-export-software-vulnerabilities-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+1. [Export software vulnerabilities assessment **JSON response**](#1-export-software-vulnerabilities-assessment-json-response) The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
-2. [Export software vulnerabilities assessment via files](#2-export-software-vulnerabilities-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Via-files is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+2. [Export software vulnerabilities assessment **via files**](#2-export-software-vulnerabilities-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Via-files is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
- Call the API to get a list of download URLs with all your organization data. - Download all the files using the download URLs and process the data as you like.
-3. [Delta export software vulnerabilities assessment OData](#3-delta-export-software-vulnerabilities-assessment-odata) Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp.
-The API pulls data in your organization as Json responses, following the OData protocol. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. <br><br> Unlike the full software vulnerabilities assessment (OData) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export OData API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
+3. [Delta export software vulnerabilities assessment **JSON response**](#3-delta-export-software-vulnerabilities-assessment-json-response) Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp.
+The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. <br><br> Unlike the full "software vulnerabilities assessment (JSON response)" - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export JSON response API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
Data that is collected (using either _OData_ or _via files_) is the current snap
> > Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
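Review bot: the `+` item 3 still contains one stale "the delta export OData API call is used to fetch only the changes" after the rest of the paragraph was changed to "Delta export JSON response API call", and the two unchanged lines that follow ("Data that is collected (using either _OData_ or _via files_) ...") keep the old name and are duplicated. Finish the rename on those lines in this commit rather than leaving the page with both names.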
-## 1. Export software vulnerabilities assessment (OData)
+## 1. Export software vulnerabilities assessment (JSON response)
### 1.1 API method description This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
-#### Limitations
+#### 1.1.1 Limitations
->- Maximum page size is 200,000.
->
->- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+- Maximum page size is 200,000.
+
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
### 1.2 Permissions
GET /api/machines/SoftwareVulnerabilitiesByMachine
- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data) ### 1.5 Properties
->
+ >[!Note] >
->- Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+>- Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter for you.
> >- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns. > >- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
->
+
+<br/>
Property (ID) | Data type | Description | Example of a returned value :|:|:|:
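Review bot: the `+` note tells readers to pick pageSize from "approximately 1 KB of data" per record, but the figures that bound the choice sit in 1.1.1 Limitations: a maximum page size of 200,000 and rate limits of 30 calls per minute and 1000 per hour. Stating the consequence here (a maximum page is roughly 200 MB, and the hourly cap limits a full pull to 1000 pages) would make the advice actionable. The `-`/`+` pair above it also leaves a stray `>` line before `>[!Note]`, which should be removed so the admonition starts cleanly.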
GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabiliti
} ```
-## 3. Delta export software vulnerabilities assessment (OData)
+## 3. Delta export software vulnerabilities assessment (JSON response)
### 3.1 API method description
-Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls data in your organization as Json responses, following the OData protocol. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (OData) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥
+Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response)ΓÇöwhich is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by deviceΓÇöthe delta export JSON response API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥
>[!NOTE] >
->It is highly recommended you use the full export software vulnerabilities assessment by device API call at least once a week, and this additional export software vulnerabilities changes by device (delta) API call all the other days of the week. Unlike the other Assessments OData API, the ΓÇ£delta exportΓÇ¥ is not a full export. The delta export includes only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call).
+>It is highly recommended you use the full export software vulnerabilities assessment by device API call at least once a week, and this additional export software vulnerabilities changes by device (delta) API call all the other days of the week. Unlike the other Assessments JSON response APIs, the ΓÇ£delta exportΓÇ¥ is not a full export. The delta export includes only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call).
-#### Limitations
+#### 3.1.1 Limitations
- Maximum page size is 200,000.
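Review bot: the `+` description in 3.1 defines the unique key as "DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId", but item 3 in the page intro lists the same key with EventTimestamp added, and the 3.5 text says each record carries "EventTimestamp" and "Status" on top of the full-export fields. Since the delta export returns one row per change event, the key that includes EventTimestamp is the correct one; align 3.1 with it. The `+` line also introduces dashes that render as `ΓÇö` where the rest of the page uses " - "; use one form. In the note, "Assessments JSON response APIs" should be lowercase "assessment".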
GET /api/machines/SoftwareVulnerabilityChangesByMachine
Each returned record contains all the data from the full export software vulnerabilities assessment by device OData API, plus two additional fields: _**EventTimestamp**_ and _**Status**_. >[!NOTE]
->-Some additional columns might be returned in the response. These columns are temporary and might be removed, so please use only the documented columns.
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, so please use only the documented columns.
>
->-The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
-<br>
+>- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+<br><br/>
Property (ID) | Data type | Description | Example of returned value :|:|:|:
VulnerabilitySeverityLevel | string | Severity level assigned to the security vu
#### Clarifications - If the software was updated from version 1.0 to version 2.0, and both versions are exposed to CVE-A, you will receive 2 separate events:
- a. Fixed ΓÇô CVE-A on version 1.0 was fixed
- b. New ΓÇô CVE-A on version 2.0 was added
+ 1. Fixed ΓÇô CVE-A on version 1.0 was fixed
+ 1. New ΓÇô CVE-A on version 2.0 was added
- If a specific vulnerability (for example, CVE-A) was first seen at a specific time (for example, January 10) on software with version 1.0, and a few days later that software was updated to version 2.0 which also exposed to the same CVE-A, you will receive these two separated events:
- a. Fixed ΓÇô CVE-X, FirstSeenTimestamp January 10, version 1,0.
- b. New ΓÇô CVE-X, FirstSeenTimestamp January 10, version 2.0.
+ 1. Fixed ΓÇô CVE-X, FirstSeenTimestamp January 10, version 1,0.
+ 1. New ΓÇô CVE-X, FirstSeenTimestamp January 10, version 2.0.
### 3.6 Examples
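Review bot: the hunk renumbers the sub-items but leaves the errors on those same lines: the second example introduces "CVE-A" and then lists "CVE-X" in both sub-items, and "version 1,0" has a comma where a decimal point is meant. Since every one of these lines is touched by the change, fix them in the same commit. Two more items in the surrounding lines: "Each returned record contains all the data from the full export software vulnerabilities assessment by device OData API" still uses the old name, and the added `<br><br/>` mixes tag forms; use `<br/><br/>` as the other pages in this commit do.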
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
Title: Onboard devices without Internet access to Microsoft Defender for Endpoint description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender for Endpoint sensor
-keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma
+keywords: onboard, servers, vm, on-premises, oms gateway, log analytics, azure log analytics, mma
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
For more information about onboarding methods, see the following articles:
- [Onboard servers to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) - [Configure device proxy and Internet connectivity settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
-## On-premise devices
+## On-premises devices
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Agent](/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
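Review bot: the heading and keyword corrections to "on-premises" are right, but the unchanged line "Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Agent](/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)" has two problems worth fixing in the same pass: it is the Log Analytics gateway, not "Azure Log Analytics" and not the agent, that was formerly the OMS Gateway, and the link text says "Agent" while the target is the gateway download page. "Setup" as a verb should be "Set up".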
security Api Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-access.md
Use this context for apps that run without a signed-in user present, such as bac
2. Assign the desired permissions to the application. 3. Create a key for the application. 4. Get a security token using the application and its key.
-5. Use the token to access Microsoft 365 Defender API.
+5. Use the token to access the Microsoft 365 Defender API.
For more information, see **[Create an app to access Microsoft 365 Defender without a user](api-create-app-web.md)**.
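Review bot: the article fix is fine; on the same step list, "3. Create a key for the application" describes a client secret without saying where it should live, even though the page's own related-links list includes "Manage secrets in your server apps with Azure Key Vault". A one-line pointer from step 3 to that link would stop readers dropping the key into a config file next to the tenant ID, which is the common failure mode for app-only (daemon) access.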
Use this context to perform actions on behalf of a single user.
1. Create an Azure Active Directory native application. 2. Assign the desired permission to the application. 3. Get a security token using the user credentials for the application.
-4. Use the token to access Microsoft 365 Defender API.
+4. Use the token to access the Microsoft 365 Defender API.
For more information, see **[Create an app to access Microsoft 365 Defender APIs on behalf of a user](api-create-app-user-context.md)**.
Use this context when you need to provide an app to many users across [multiple
2. Assign the desired permission to the application. 3. Get [admin consent](/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant) for the app from each tenant. 4. Get a security token using user credentials based on a customer's tenant ID.
-5. Use the token to access Microsoft 365 Defender API.
+5. Use the token to access the Microsoft 365 Defender API.
For more information, see **[Create an app with partner access to Microsoft 365 Defender APIs](api-partner-access.md)**.
For more information, see **[Create an app with partner access to Microsoft 365
- [Microsoft 365 Defender APIs overview](api-overview.md) - [OAuth 2.0 authorization for user sign in and API access](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code) - [Manage secrets in your server apps with Azure Key Vault](/learn/modules/manage-secrets-with-azure-key-vault/)-- [Create a 'Hello world' application that accesses the Microsoft 365 APIs](api-hello-world.md)
+- [Create a 'Hello world' application that accesses the Microsoft 365 APIs](api-hello-world.md)
security Api Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-overview.md
search.appverid:
ms.technology: m365d
-# Overview of Microsoft 365 Defender APIs
+# Overview of Microsoft 365 Defender APIs
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
Use the Microsoft 365 Defender APIs to automate workflows based on the shared in
Use the [Streaming API](../defender-endpoint/raw-data-export.md) to ship real-time events and alerts from instances as they occur within a single data stream. - Along with these Microsoft 365 Defender-specific APIs, each of our other security products expose [additional APIs](api-articles.md) to help you take advantage of their unique capabilities. - > [!NOTE] > The transition to the unified portal should not affect the PowerBi dashboards based on Microsoft Defender for Endpoint APIs. You can continue to work with the existing APIs regardless of the interactive portal transition. - ## Learn more | **Understand how to access the APIs** |
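Review bot: the `-` and `+` heading lines read identically, so this change is whitespace-only (most likely a trailing or non-breaking space); confirm it is intentional. While in the file, the unchanged note nearby writes "PowerBi", which should be "Power BI".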
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
Microsoft 365 Defender applies correlation analytics and aggregates related aler
The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
-You get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
+You get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
:::image type="content" source="../../media/incidents-queue/incidents-ss-incidents.png" alt-text="Example of the incident queue"::: The **Most recent incidents and alerts** section shows a graph of the number of alerts received and incidents created in the last 24 hours.
-By default, the incident queue in the Microsoft 365 security center displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first.
+By default, the incident queue in the Microsoft 365 Defender portal displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first.
The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This helps you make an informed decision regarding the prioritization of incidents for analysis.
Once you have configured a useful filter in the incidents queue, you can bookmar
- Incidents with a specific associated threat - Incidents with a specific actor
-Once you have compiled and stored your list of useful filter views as URLs, you can use it quickly process and prioritize the incidents in your queue and [manage](manage-incidents.md) them for subsequent analysis.
+Once you have compiled and stored your list of useful filter views as URLs, you can use it to quickly process and prioritize the incidents in your queue and [manage](manage-incidents.md) them for subsequent assignment and analysis.
## Next steps
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
Title: Incidents in Microsoft 365 Defender
-description: Investigate incidents seen across devices, users, and mailboxes in the Microsoft 365 security center.
+description: Investigate incidents seen across devices, users, and mailboxes in the Microsoft 365 Defender portal.
keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack search.product: eADQiWindows 10XVcnh ms.prod: m365-security
Grouping related alerts into an incident gives you a comprehensive view of an at
If [enabled](m365d-enable.md), Microsoft 365 Defender can [automatically investigate and resolve](m365d-autoir.md) alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.
-## Incidents and alerts in the Microsoft 365 security center
+## Incidents and alerts in the Microsoft 365 Defender portal
-You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
+You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
Selecting an incident name displays a summary of the incident and provides access to tabs with additional information. The additional tabs for an incident are:
The additional tabs for an incident are:
A figure showing the connection of alerts to the impacted assets in your organization.
-Here's the relationship between an incident and its data and the tabs of an incident in the Microsoft 365 security center.
+Here's the relationship between an incident and its data and the tabs of an incident in the Microsoft 365 Defender portal.
## Example incident response workflow for Microsoft 365 Defender
-Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft 365 security center.
+Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft 365 Defender portal.
:::image type="content" source="../../media/incidents-overview/incidents-example-workflow.png" alt-text="Example of an incident response workflow for Microsoft 365":::
On an ongoing basis, identify the highest priority incidents for analysis and re
1. For each incident, begin an [attack and alert investigation and analysis](investigate-incidents.md):
- a. View the summary of the incident to understand it's scope and severity and what entities are affected (the **Summary** tab).
+ 1. View the summary of the incident to understand it's scope and severity and what entities are affected (the **Summary** tab).
- b. Begin analyzing the alerts to understand their origin, scope, and severity (the **Alerts** tab).
+ 1. Begin analyzing the alerts to understand their origin, scope, and severity (the **Alerts** tab).
- c. As needed, gather information on impacted devices, users, and mailboxes (the **Devices**, **Users**, and **Mailboxes** tabs).
+ 1. As needed, gather information on impacted devices, users, and mailboxes (the **Devices**, **Users**, and **Mailboxes** tabs).
- d. See how Microsoft 365 Defender has [automatically resolved some alerts](m365d-autoir.md) (the **Investigations** tab).
+ 1. See how Microsoft 365 Defender has [automatically resolved some alerts](m365d-autoir.md) (the **Investigations** tab).
- e. As needed, use information in the data set for the incident for more information (the **Evidence and Response** tab).
+ 1. As needed, use information in the data set for the incident for more information (the **Evidence and Response** tab).
2. After or during your analysis, perform containment to reduce any additional impact of the attack and eradication of the security threat.
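Review bot: the sub-items were renumbered but the wording on those same lines was left as it was: "understand it's scope" should be "its scope", and "use information in the data set for the incident for more information" says the same thing twice. Since every one of these lines is already in the hunk, correct them in this commit.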
On an ongoing basis, identify the highest priority incidents for analysis and re
If you are new to security analysis, see the [introduction to responding to your first incident](incidents-overview.md) for additional information and to step through an example incident.
+For more information about incident response across Microsoft products, see [this article](/security/compass/incident-response-overview).
+ ## Example security operations for Microsoft 365 Defender
-Here's an example of security operations for Microsoft 365 Defender.
+Here's an example of security operations (SecOps) for Microsoft 365 Defender.
:::image type="content" source="../../media/incidents-overview/incidents-example-operations.png" alt-text="An example of security operations for Microsoft 365 Defender":::
Annual tasks can include conducting a major incident or breach exercise to test
Daily, monthly, quarterly, and annual tasks can be used to update or refine processes, policies, and security configurations.
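Review bot: the unchanged line "see the [introduction to responding to your first incident](incidents-overview.md)" links the article to itself; the Next steps section of this same page links the walkthrough as first-incident-overview.md, which is the target meant here. The added pointer to /security/compass/incident-response-overview is a useful addition.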
+### SecOps resources across Microsoft products
+
+For more information about SecOps across Microsoft's products, see these resources:
+
+- [Capabilities](/security/compass/security-operations-capabilities)
+- [Best practices](/security/compass/security-operations)
+- [Videos and slides](/security/compass/security-operations-videos-and-decks)
+ ## Next steps **If you are new** to security analysis and incident response: -- See the [Respond to your first incident walkthrough](first-incident-overview.md) to get a guided tour of a typical process of analysis, remediation, and post-incident review in the Microsoft 365 security center with an example of an attack.
+- See the [Respond to your first incident walkthrough](first-incident-overview.md) to get a guided tour of a typical process of analysis, remediation, and post-incident review in the Microsoft 365 Defender portal with an example attack.
**If you have experience** with security analysis and incident response: -- Get started with the incident queue from the **Incidents** page of the Microsoft 365 security center. From here, you can:
+- Get started with the incident queue from the **Incidents** page of the Microsoft 365 Defender portal. From here, you can:
- See which incidents should be [prioritized](incident-queue.md) based on severity and other factors.
- - [Manage incidents](manage-incidents.md), which includes renaming, assignment, classifying, and adding tags and comments based on your incident management workflow.
+ - [Manage incidents](manage-incidents.md), which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow.
- Perform [investigations](investigate-incidents.md) of incidents.
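Review bot: the rewritten "Next steps" bullet links the first-incident walkthrough to `first-incident-overview.md`, while the unchanged sentence a few lines above ("see the [introduction to responding to your first incident](incidents-overview.md)") points what reads as the same walkthrough at `incidents-overview.md`; one of the two targets is stale, so confirm which file the walkthrough lives in and make both links agree in this commit. Smaller point in the same hunk: there is no blank line between the preceding paragraph and the new `### SecOps resources across Microsoft products` heading, although the hunk does add one after it; keep the spacing consistent with the rest of the file.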
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
Alerts are the basis of all incidents and indicate the occurrence of malicious o
In Microsoft 365 Defender, related alerts are aggregated together to form [incidents](incidents-overview.md). Incidents will always provide the broader context of an attack, however, analyzing alerts can be valuable when deeper analysis is required.
-The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)).
+The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)).
Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender appear here.
-By default, the alerts queue in the Microsoft 365 security center displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
+By default, the alerts queue in the Microsoft 365 Defender portal displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
From the default alerts queue, you can select **Filters** to see a **Filters** pane, from which you can specify a subset of the alerts. Here's an example.
You can filter alerts according to these criteria:
To see the main alert page, select the name of the alert. Here's an example. You can also select the **Open the main alert page** action from the **Manage alert** pane.
An alert page is composed of these sections:
- Alert story, which is the chain of events and alerts related to this alert in chronological order - Summary details Throughout an alert page, you can select the ellipses (**...**) beside any entity to see available actions, such as opening the alert page or linking the alert to another incident.
Microsoft Defender for Endpoint | `da` or `ed` for custom detection alerts <br>
Microsoft Defender for Identity | `aa{GUID}` <br> Example: `aa123a456b-c789-1d2e-12f1g33h445h6i` Microsoft Cloud App Security |`ca{GUID}` <br> Example: `ca123a456b-c789-1d2e-12f1g33h445h6i` -- ### Analyze affected assets The **Actions taken** section has a list of impacted assets, such as mailboxes, devices, and users affected by this alert.
-You can also select **View in action center** to view the **History** tab of the **Action center** in the Microsoft 365 security center.
+You can also select **View in action center** to view the **History** tab of the **Action center** in the Microsoft 365 Defender portal.
### Trace an alert's role in the alert story
From this pane, you can also perform these additional actions:
Here's an example. The list of additional actions depends on the type of alert.
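Review bot: the portal rename is applied consistently in this hunk, but the sentence it sits beside still says alerts come from "Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender", while the alert-ID prefix table further down the same hunk lists Microsoft Defender for Identity (`aa{GUID}`) and Microsoft Cloud App Security (`ca{GUID}`) as sources too; since the commit is already editing this paragraph, extend the list so it matches the table. Also, "the new and in progress alerts" reads better hyphenated ("in-progress") unless the capitalised status names from the filter pane are meant, in which case format them as **New** and **In progress**.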
security M365d Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md
The unified Action center ([https://security.microsoft.com/action-center](https:
For example: -- If you were previously using the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), try the unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).-- If you were using the Action center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).-- If you were already using the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), you'll see several improvements in the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+- If you were previously using the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), try the unified Action center in the Microsoft 365 Defender portal ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+- If you were using the Action center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the unified Action center in the Microsoft 365 Defender portal ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+- If you were already using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), you'll see several improvements in the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions and provides a unified investigation experience. Your security operations team has a "single pane of glass" experience to view and manage remediation actions.
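Review bot: splitting the merged bullets is right, but each of the three now repeats the full URL as both link text and target (`[https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)`); the autolink form `<https://security.microsoft.com/action-center>` used elsewhere in this changeset is shorter and renders the same. The third bullet still promises "several improvements" without saying what they are or linking to them; if the improvements are listed later in the article, link that section here.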
security M365d Autoir Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-report-false-positives-negatives.md
If a remediation action was taken on an entity (such as a device or an email mes
- [View the details and results of an automated investigation](m365d-autoir-results.md) - [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](advanced-hunting-overview.md)-- [Address false positives/negatives in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives)
security M365d Autoir Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-results.md
With Microsoft 365 Defender, when an [automated investigation](m365d-autoir.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the [necessary permissions](m365d-action-center.md#required-permissions-for-action-center-tasks), you can view those details in an investigation details view. This view provides you with up-to-date status and the ability to approve any pending actions.
-![Investigation details](../../media/mtp-air-investdetails.png)
## (NEW!) Unified investigation page
The investigation page has recently been updated to include information across y
- Any investigation page in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) - Any investigation page in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com))-- Any incident or Action center experience in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com))
+- Any incident or Action center experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))
## Open the investigation details view
Use an incident details page to view detailed information about an incident, inc
Here's an example.
-![Incident details](../../media/mtp-incidentdetails-tabs.png)
## Investigation details Use the investigation details view to see past, current, and pending activity pertaining to an investigation. Here's an example.
-![Investigation details](../../media/mtp-air-investdetails.png)
In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
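Review bot: removing the `![Incident details]` and `![Investigation details]` screenshots leaves their lead-in sentences behind: "Here's an example." now closes both the "Open the investigation details view" section and the "Investigation details" paragraph with nothing following it. Either drop those two sentences in the same commit or keep one illustration; note that the `mtp-air-investdetails.png` image was also removed at the top of the file, so after this change the investigation details view is not shown anywhere on the page even though the text describes its tabs in detail.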
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
Then, after you're all set up, you can [view and manage remediation actions in t
Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, such as your organization's device group policies. Review the configured automation level for your device group policies. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.+ 2. Go to **Settings** > **Permissions** > **Device groups**.+ 3. Review your device group policies. In particular, look at the **Remediation level** column. We recommend using **Full - remediate threats automatically**. You might need to create or edit your device groups to get the level of automation you want. To get help with this task, see the following articles: - [How threats are remediated](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated) - [Create and manage device groups](/windows/security/threat-protection/microsoft-defender-atp/machine-groups)
Although certain alerts and security policies can trigger automated investigatio
Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in [Protect against threats](../office-365-security/protect-against-threats.md).
-1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies & Rules** \> **Threat policies**.
+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies & Rules** \> **Threat policies**.
+ 2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats). - [Anti-malware](../office-365-security/protect-against-threats.md#part-1anti-malware-protection-in-eop) - [Anti-phishing](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365) - [Safe Attachments](../office-365-security/protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365) - [Safe Links](../office-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365) - [Anti-spam](../office-365-security/protect-against-threats.md#part-3anti-spam-protection-in-eop)+ 3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on) is turned on.+ 4. Make sure [zero-hour auto purge for email](../office-365-security/protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop) protection is in effect.+ 5. (This step is optional.) Review your [Office 365 alert policies](../../compliance/alert-policies.md) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](../../compliance/alert-policies.md#default-alert-policies). ## Make sure Microsoft 365 Defender is turned on :::image type="content" source="../../media/mtp-enable/mtp-on.png" alt-text="MTP on":::
-1. Sign in to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)).
-2. In the navigation pane, look for **Incidents**, **Action center**, and **Hunting**, as shown in the preceding image.
- - If you see **Incidents**, **Action center**, and **Hunting**, Microsoft 365 Defender is turned on. See the [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups) section of this article.
+1. Sign in to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
+
+2. In the navigation pane, look for **Incidents & Alerts**, **Hunting**, and **Action center** as shown in the preceding image.
+ - If you see **Incidents & Alerts**, **Hunting**, and **Action center**, Microsoft 365 Defender is turned on. See the [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups) section of this article.
- If you do *not* see **Incidents**, **Action center**, or **Hunting**, Microsoft 365 Defender might not be turned on. In this case, [visit the Action center](m365d-action-center.md)).+ 3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on. > [!TIP]
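Review bot: the positive branch of step 2 is updated to the new navigation names (**Incidents & Alerts**, **Hunting**, **Action center**), but the unchanged negative branch immediately after it still tests for **Incidents**, **Action center**, or **Hunting**, so the two branches now describe different menus; update the negative branch in the same hunk (it also carries a stray closing parenthesis after `(m365d-action-center.md)`). In the same vein, the earlier "Review the configured automation level" step still sends readers to the Microsoft Defender Security Center at `securitycenter.windows.com` while the rest of this commit moves the procedure to `security.microsoft.com`; confirm whether device groups are meant to stay in the old portal here. Minor: the menu is written **Policies & Rules** \> **Threat policies** in step 1, whereas the DKIM path rewritten in microsoft-365-security-center-mdo.md in this same update writes it **Policy & rules**; settle on one spelling of the portal label.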
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
Title: Microsoft Defender for Office 365 in Microsoft 365 Defender
-description: Learn about changes from the Office 365 Security and Compliance center to Microsoft 365 Defender.
+description: Learn about changes from the Security & Compliance Center to Microsoft 365 Defender.
keywords: Microsoft 365 security, Getting started with Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, single pane of glass, new security portal, new defender security portal Last updated 02/21/2021
ms.technology: m365d
## Quick reference
-The table below lists the changes in navigation between the Office 365 Security & Compliance Center and the Microsoft 365 Defender.
+The table below lists the changes in navigation between the Security & Compliance Center and Microsoft 365 Defender.
<br> ****
-|[Office 365 Security & Compliance](https://protection.office.com)|[Microsoft 365 Defender](https://security.microsoft.com)|[Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)|[Exchange admin center](https://admin.exchange.microsoft.com/#/)|
+|[Security & Compliance Center](https://protection.office.com)|[Microsoft 365 Defender](https://security.microsoft.com)|[Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)|[Exchange admin center](https://admin.exchange.microsoft.com)|
||||| |Alerts|<ul><li>[Alert Policies](https://security.microsoft.com/alertpolicies)</li><li>[Incidents & alerts](https://security.microsoft.com/alerts)</li></ul>|[Alerts page](https://compliance.microsoft.com/homepage)|| |Classification||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
The table below lists the changes in navigation between the Office 365 Security
|Service assurance||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)|| |Supervision||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)|| |eDiscovery||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
+|||||
-[Microsoft 365 Defender](./overview-security-center.md) at <https://security.microsoft.com> combines security capabilities from existing Microsoft security portals, including the Office 365 Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
+[Microsoft 365 Defender](./overview-security-center.md) at <https://security.microsoft.com> combines security capabilities from existing Microsoft security portals, including the Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
-If you are familiar with the Office 365 Security and Compliance portal (protection.office.com), this article describes some of the changes and improvements in Microsoft 365 Defender.
+If you are familiar with the Security & Compliance Center (protection.office.com), this article describes some of the changes and improvements in Microsoft 365 Defender.
Learn more about the benefits: [Overview of Microsoft 365 Defender](overview-security-center.md)
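Review bot: the added `+|||||` line at the end of the quick-reference table is a row of four empty cells, not a table terminator, and will render as a blank row; if the intent is to separate the table from the paragraph that follows, a blank line does that. While touching the table, check that it renders at all: in this diff the line after the header row also appears as `|||||` rather than a `|---|---|---|---|` delimiter row. The header rename to "Security & Compliance Center" and dropping the trailing `/#/` from the Exchange admin center link look fine.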
Proactively search for threats, malware, and malicious activity across your endp
[Custom detection rules](/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.
-Here is an [example on advanced hunting](advanced-hunting-example.md) in Microsoft Defender for Office 365.
+Here is an [example on advanced hunting](advanced-hunting-example.md) in Microsoft Defender for Office 365.
### Action center
Learn more about how to [track and respond to emerging threats with threat analy
### Email & collaboration
-Track and investigate threats to your users' email, track campaigns, and more. If you've used the Office 365 Security and Compliance center, this will be familiar.
+Track and investigate threats to your users' email, track campaigns, and more. If you've used the Security & Compliance Center, this will be familiar.
:::image type="content" source="../../media/converge-3-email-and-collab-new.png" alt-text="The quick launch menu for Email & Collab (or MSDO), on the left side of Microsoft 365 Defender.":::
-#### Email entity page
+#### Email entity page
The [Email entity page](../office-365-security/mdo-email-entity-page.md) *unifies* email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.
View reports, change your settings, and modify user roles.
> [!NOTE] > DomainKeys Identified Mail (DKIM) ensures that destination email systems trust messages sent outbound from your custom domain.
-> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys through Microsoft 365 Defender: <https://security.microsoft.com/threatpolicy>, or navigate to **Policy & rules** \> **Threat policies** \> **DKIM**.
->
+> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys through Microsoft 365 Defender: <https://security.microsoft.com/threatpolicy>, or navigate to **Policy & rules** \> **Threat policies** \> \> **Rules** section \> **DKIM**.
+>
> For more information, see [Use DKIM to validate outbound email sent from your custom domain](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email). ## What's changed
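Review bot: the rewritten DKIM path has a doubled separator, `**Threat policies** \> \> **Rules** section \> **DKIM**`; drop one `\>`. The same line names the menu **Policy & rules**, whereas the auto-investigation article in this same update writes **Policies & Rules**; pick one spelling of the portal label across both articles. The `<https://security.microsoft.com/threatpolicy>` deep link is consistent with the other portal links in the changeset.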
This table is a quick reference of Threat management where change has occurred b
|Area|Description of change| ||| |[Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-microsoft-365-defender-portal)|Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|
-|[Alert queue](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Office Security and Compliance center now includes links to Microsoft 365 Defender. Click on the **Open Alert Page** link and Microsoft 365 Defender opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|
+|[Alert queue](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Security & Compliance Center now includes links to Microsoft 365 Defender. Click on the **Open Alert Page** link and Microsoft 365 Defender opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|
|[Attack Simulation training](../office-365-security/attack-simulation-training-insights.md)|Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.| |
The Home page of the portal surfaces important summary information about the sec
Using the **Guided tour** you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.
-Also included is a link to the **Office 365 Security and Compliance center** for comparison. The last link is to the **What's New** page that describes recent updates.
+Also included is a link to the **Security & Compliance Center** for comparison. The last link is to the **What's New** page that describes recent updates.
## Related information -- [Redirecting Office 365 Security and Compliance Center to Microsoft 365 Defender](microsoft-365-security-mdo-redirection.md)
+- [Redirecting Security & Compliance Center to Microsoft 365 Defender](microsoft-365-security-mdo-redirection.md)
- [The Action center](./m365d-action-center.md) - [Email & collaboration alerts](../../compliance/alert-policies.md#default-alert-policies) - [Custom detection rules](/microsoft-365/security/defender-endpoint/custom-detection-rules)
security Streaming Api Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-storage.md
Title: Stream Microsoft 365 Defender events to your Storage account
-description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account.
+description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account.
keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account
+# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)] -
-## Before you begin:
+## Before you begin
1. Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant. 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
-## Enable raw data streaming:
-
-1. Log in to [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
+## Enable raw data streaming
-2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender Security Center.
+1. Log in to the Microsoft 365 Defender portal (<https://security.microsoft.com>) as a ***Global Administrator*** or ***Security Administrator***.
-3. Click on **Add data export settings**.
+2. Go to **Settings** \> **Microsoft 365 Defender** \> **Streaming API**. To go directly to the **Streaming API** page, use <https://security.microsoft.com/settings/mtp_settings/raw_data_export>.
-4. Choose a name for your new settings.
+3. Click **Add**.
-5. Choose **Forward events to Azure Storage**.
+4. In the **Add new Streaming API settings** flyout that appears, configure the following settings:
+ 1. **Name**: Choose a name for your new settings.
+ 2. Select **Forward events to Azure Storage**.
+ 3. In the **Storage Account Resource ID** box that appears, type your **Storage Account Resource ID**. To get your **Storage Account Resource ID**, open the Azure portal at <https://portal.azure.com>, click **Storage accounts** \> go to the properties tab \> copy the text under **Storage Account Resource ID**.
-6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage Account Resource ID**:
+ ![Image of event hub resource ID1](../defender-endpoint/images/storage-account-resource-id.png)
- ![Image of event hub resource ID1](../defender-endpoint/images/storage-account-resource-id.png)
+ 4. Back on the **Add new Streaming API settings** flyout, choose the **Event types** that you want to stream.
-7. Choose the events you want to stream and click **Save**.
+ When you're finished, click **Submit**.
-## The schema of the events in the Storage account:
+## The schema of the events in the Storage account
-- A blob container will be created for each event type:
+- A blob container will be created for each event type:
![Image of event hub resource ID2](../defender-endpoint/images/storage-account-event-schema.png) -- The schema of each row in a blob is the following JSON:
+- The schema of each row in a blob is the following JSON:
- ```
+ ```JSON
{ "time": "<The time Microsoft 365 Defender received the event>" "tenantId": "<Your tenant ID>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>" "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
- }
+ }
``` - Each blob contains multiple rows.
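Review bot: tagging the schema fence as JSON is the right idea, but the body inside it is not valid JSON: the `time`, `tenantId`, `category` and `properties` members have no commas between them, and the `<...>` placeholder inside `properties` is bare rather than a quoted string. Either keep a `text` tag or make the sample parse, e.g. `"time": "<The time Microsoft 365 Defender received the event>",` on each member line and a quoted placeholder such as `"properties": { "<Advanced Hunting event as JSON>": "" }`; lowercase `json` is also the usual tag on the docs platform. Two smaller points in the same hunk: the screenshot under step 4.3 keeps the alt text "Image of event hub resource ID1" although it shows a Storage Account Resource ID (the blob-container screenshot has the matching "event hub ... ID2" text), and the rewritten step opens the Azure portal at `https://portal.azure.com` while the unchanged "Before you begin" step still links `https://ms.portal.azure.com/`; use one host.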
ms.technology: mde
- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](../defender/advanced-hunting-overview.md). - ## Data types mapping In order to get the data types for our events properties do the following:
-1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
+1. Log in to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and go to **Hunting** \> **Advanced hunting**. To go directly to the **Advanced hunting** page, use <security.microsoft.com/advanced-hunting>.
-2. Run the following query to get the data types mapping for each event:
+2. On the **Query** tab, run the following query to get the data types mapping for each event:
- ```
+ ```text
{EventType} | getschema
- | project ColumnName, ColumnType
+ | project ColumnName, ColumnType
``` -- Here is an example for Device Info event:
+- Here is an example for Device Info event:
![Image of event hub resource ID3](../defender-endpoint/images/machine-info-datatype-example.png) ## Related topics+ - [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md) - [Microsoft 365 Defender Streaming API](streaming-api.md) - [Stream Microsoft 365 Defender events to your Azure storage account](streaming-api-storage.md)
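Review bot: the new deep link `<security.microsoft.com/advanced-hunting>` has no scheme, so Markdown will not treat it as an autolink and it renders as literal angle-bracketed text; write `<https://security.microsoft.com/advanced-hunting>` like the portal link in step 1. Smaller points in the same hunk: the query fence is tagged `text`, but the content is a Kusto query (`{EventType} | getschema | project ColumnName, ColumnType`), so `kusto` would give it the same highlighting as the advanced hunting articles; the screenshot alt text "Image of event hub resource ID3" describes neither the Device Info data-types example it shows nor an event hub; and the "Related topics" list in this file (streaming-api-storage.md) links to `streaming-api-storage.md`, i.e. to itself, so that entry should be dropped or replaced with the Event Hubs counterpart.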
security Top Scoring Industry Tests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/top-scoring-industry-tests.md
Title: Top scoring in industry tests - Microsoft 365 Defender-+ description: View the latest scores and analysis of Microsoft 365 Defender. It consistently achieves high scores in independent tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK). View the latest scores and analysis. keywords: Microsoft Defender Antivirus, Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, Microsoft Defender for Endpoint, Microsoft 365 Defender, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success ms.prod: m365-security
Microsoft 365 Defender combines the capabilities of [Microsoft Defender for Endp
### MITRE: Demonstrated real-world detection, response, and protection from advanced attacks
-Core to MITREΓÇÖs testing approach is emulating real-world attacks to understand whether solutions can adequately detect and respond to them. While the test focused on endpoint detection and response, MITREΓÇÖs simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded defendersΓÇÖ visibility beyond the endpoint with Microsoft 365 Defender.
+Core to MITRE's testing approach is emulating real-world attacks to understand whether solutions can adequately detect and respond to them. While the test focused on endpoint detection and response, MITRE's simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded defenders' visibility beyond the endpoint with Microsoft 365 Defender.
- ATT&CK-based evaluation of Microsoft 365 Defender - May 2020: [Leading in real-world detection](https://www.microsoft.com/security/blog/2020/05/01/microsoft-threat-protection-leads-real-world-detection-mitre-attck-evaluation/)
- Microsoft 365 Defender provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities. The visibility dramatically reduces manual work for the security operations center and vendor solutions that relied on specific configuration changes. Microsoft 365 Defender also had the fewest gaps in visibility, diminishing attacker ability to operate undetected.
+ Microsoft 365 Defender provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities. The visibility dramatically reduces manual work for the security operations center and vendor solutions that relied on specific configuration changes. Microsoft 365 Defender also had the fewest gaps in visibility, diminishing attacker ability to operate undetected.
## Next generation protection
Business Security Test consists of three main parts: the Real-World Protection T
- Business Security Test 2020 (March - June): [Real-World Protection Rate 99.7%](https://www.av-comparatives.org/tests/business-security-test-2020-march-june/) -- Business Security Test 2019 (August - November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/)
+- Business Security Test 2019 (August - November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/)
- Business Security Test 2019 (March - June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
security Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/troubleshoot.md
Title: Troubleshoot Microsoft 365 Defender service issues description: Find solutions and workarounds to known Microsoft 365 Defender issues
-keywords: troubleshoot Microsoft 365 Defender, troubleshoot, Microsoft Defender for Identity, issues, add-on, settings page
+keywords: troubleshoot Microsoft 365 Defender, troubleshoot, Microsoft Defender for Identity, issues, add-on, settings page
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH
audience: ITPro
+search.appverid:
- MOE150 - MET150 ms.technology: m365d
To turn on Microsoft 365 Defender, access **Settings** from the navigation pane
## How do I create an exception for my file/URL? A false positive is a file or URL that is detected as malicious but is not a threat. You can create indicators and define exclusions to unblock and allow certain files/URLs. See [Address false positives/negatives in Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives).--
security Air Review Approve Pending Completed Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md
Last updated 06/10/2021
**Applies to** - [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) As automated investigations on email & collaboration content result in verdicts, such as *Malicious* or *Suspicious*, certain remediation actions are created. In Microsoft Defender for Office 365, remediation actions can include: -- Blocking a URL (time-of-click) - Soft deleting email messages or clusters-- Quarantining email or email attachments - Turning off external mail forwarding
-These remediation actions are not taken unless and until your security operations team approves them. We recommend reviewing and approving any pending actions as soon as possible so that your automated investigations complete in a timely manner. In some cases, you can undo a remediation action.
+These remediation actions are not taken unless and until your security operations team approves them. We recommend reviewing and approving any pending actions as soon as possible so that your automated investigations complete in a timely manner. In some cases, you can reconsider submitted actions. You need to be part of Search & purge role before taking any actions.
-## Approve (or reject) pending actions
-1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
+## Approve (or reject) pending actions
+There are four different ways to find and take auto investigation actions:
+
+- [Incident queue](https://security.microsoft.com/incidents)
+- [Action center](https://security.microsoft.com/action-center/pending)
+- Investigation itself (accessed via Incident or from an alert)
+- [Investigation and remediation investigations queue](https://security.microsoft.com/airinvestigation)
+
+## Incident queue
+1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
+2. In the navigation pane, select **Incidents & alerts > Incidents**.
+3. Select an incident name to open its summary page.
+4. Select the **Evidence and Response** tab.
+5. Select an item in the list. Its side pane opens.
+6. In the side pane, take approve or reject actions.
+
+## Investigation queue
+1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
+2. Navigate from the alerts/incident page.
+3. On the Investigation page, go to the **pending actions** tab.
+4. Select an item in the list. Its side pane opens.
+5. In the side pane, take approve or reject actions.
+
+## Action center
+1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
2. In the navigation pane, select **Action center**. 3. On the **Pending** tab, review the list of actions that are awaiting approval.
-4. Select an item in the list. Its flyout pane opens.
-5. Review the information in the flyout pane, and then take one of the following steps:
- Select **Open investigation page** to view more details about the investigation. - Select **Approve** to initiate a pending action. - Select **Reject** to prevent a pending action from being taken.
+## Investigation and remediation investigations queue
+1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
+2. Open pending investigations.
+3. On the Investigation page, go to the **pending actions** tab.
+4. Select an item in the list. Its side pane opens.
+5. In the side pane, take approve or reject actions.
+ ## Change or undo one remediation action
-1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+There are two different ways to reconsider submitted actions:
+ - Through the [unified action center](https://security.microsoft.com/action-center).
+ - Though the [Office action center](https://security.microsoft.com/threatincidents).
+
+## Change or undo through the unified action center
+1. Go to the [unified action center](https://security.microsoft.com/action-center) and sign in.
2. On the **History** tab, select an action that you want to change or undo.
-3. In the pane on the right side of the screen, select **Undo**.
-
-## Change or undo multiple remediation actions
-
-1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
-2. On the **History** tab, select the actions that you want to change or undo. Make sure to select items that have the same Action type. A flyout pane opens.
-3. In the flyout pane, select Undo.
-
-## To remove a file from quarantine across multiple devices
+3. In the pane on the right side of the screen, select the appropriate action (**move to inbox**, **move to junk**, **move to deleted items**, **soft delete", or **hard delete**).
-1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
-2. On the **History** tab, select a file that has the Action type **Quarantine file**.
-3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
+ ## Change or undo through the Office action center
+1. Go to the [Office action center](https://security.microsoft.com/threatincidents) and sign in.
+2. Select the appropriate remediation.
+3. In the side pane, click on the mail submissions entry and wait for the list to load.
+4. Wait for the Action button at the top to enable and select the Action button to change the action type.
+5. This will create the appropriate actions.
## Next steps -- [Use Threat Explorer](threat-explorer.md)
+- [Use Threat Explorer](threat-explorer.md)
+- [Admin /Manual Actions](remediate-malicious-email-delivered-office-365.md)
- [How to report false positives/negatives in automated investigation and response capabilities](air-report-false-positives-negatives.md) ## See also
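Review bot: The Action center section now ends at "3. On the **Pending** tab, review the list of actions that are awaiting approval" and never tells the reader how to approve or reject: the removed steps 4-5 and the **Open investigation page** / **Approve** / **Reject** bullets were not replaced, while the other three new sections each close with "In the side pane, take approve or reject actions." Add the same closing steps here. Elsewhere in this hunk: the four-item list calls the third entry "Investigation itself (accessed via Incident or from an alert)" but the matching heading is "## Investigation queue"; the four new sections and the two "Change or undo through ..." sections are `##` headings placed under "## Approve (or reject) pending actions" and "## Change or undo one remediation action", so they should be `###`; "Though the [Office action center]" should read "Through"; the bold in "**soft delete"," is not closed and should be "**soft delete**,"; and "You need to be part of Search & purge role before taking any actions" reads better as "You must be a member of the Search & Purge role", ideally with a link to the permissions article. The deleted "Change or undo multiple remediation actions" and "To remove a file from quarantine across multiple devices" sections have no equivalent in the new text; if that content moved to another article, add a link to it under Next steps.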
security Anti Phishing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection.md
EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office
Microsoft Defender for Office 365 contains additional and more advanced anti-phishing features: -- **Anti-phishing policies in Microsoft Defender for Office 365**: Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
+- **Anti-phishing policies in Microsoft Defender for Office 365**: Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
- **Campaign Views**: Machine learning and other heuristics identify and analyze messages that are involved in coordinated phishing attacks against the entire service and your organization. For more information, see [Campaign Views in Microsoft Defender for Office 365](campaigns.md).
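Review bot: The link target changes from configure-atp-anti-phishing-policies.md to configure-mdo-anti-phishing-policies.md (the same rename appears in configure-anti-phishing-policies-eop.md and defender-for-office-365.md in this batch); make sure a redirect from the old path is in place, otherwise external links and bookmarks to the old file name break.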
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
Admins can view, edit, and configure (but not delete) the default anti-phishing
Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Microsoft 365 Defender portal or in Exchange Online PowerShell. Standalone EOP organizations can only use the Microsoft 365 Defender portal.
-For information about creating and modifying the more advanced anti-phishing policies that are available in Microsoft Defender for Office 365, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+For information about creating and modifying the more advanced anti-phishing policies that are available in Microsoft Defender for Office 365, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
The basic elements of an anti-phishing policy are:
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Show (?) for unauthenticated senders for spoof**: Adds a question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). - **Show "via" tag**: Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address.
- > [!NOTE]
- > Currently, the **Show "via" tag** setting is not available in all organizations. If you don't have the **Show "via" tag** setting, the the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.
- To turn on a setting, select the check box. To turn it off, clear the check box. When you're finished, click **Next**.
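Review bot: This hunk removes the entire **Show "via" tag** NOTE from the EOP article, while the same note is kept (shortened) in configure-mdo-anti-phishing-policies.md in this batch; the setting is the same in both articles, so they should describe it consistently. Also confirm that the trailing "To turn on a setting, select the check box. To turn it off, clear the check box. When you're finished, click **Next**." line is meant to go with the note, since it is the only instruction in this section on toggling the settings.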
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Quarantine the message** - **Safety tips & indicators**: Configure the following settings:
+ - **Show first contact safety tip**: This safety tip replaces the need to create mail flow rules (also known as transport rules) that add the header named **X-MS-Exchange-EnableFirstContactSafetyTip** with the value **Enable** to messages.
- **Show user impersonation safety tip**: This setting is available only if you selected **Enable users to protect** on the previous page. - **Show domain impersonation safety tip**: This setting is available only if you selected **Enable domains to protect** on the previous page. - **Show user impersonation unusual characters safety tip** This setting is available only if you selected **Enable users to protect** or **Enable domains to protect** on the previous page.
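Review bot: The new **Show first contact safety tip** bullet explains only what the setting replaces (a mail flow rule that adds the X-MS-Exchange-EnableFirstContactSafetyTip header with the value Enable), not what the tip does or when it is shown to users; add one sentence describing the tip itself so admins can decide whether to enable it.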
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Show "via" tag**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. The default value is on (selected). To turn it off, clear the check box. > [!NOTE]
- > Currently, the **Show "via" tag** setting is not available in all organizations. If you don't have the **Show "via" tag** setting, the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.
+ > If you don't have the **Show "via" tag** setting, the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.
To turn on a setting, select the check box. To turn it off, clear the check box.
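Review bot: Dropping "Currently, the **Show "via" tag** setting is not available in all organizations." leaves the NOTE with a conditional ("If you don't have the **Show "via" tag** setting ...") and no explanation of why a reader might not have it; either keep a short statement of the rollout status or remove the note entirely rather than leaving the condition without context.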
security Create Team Sites In A Political Campaign Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-team-sites-in-a-political-campaign-dev-test-environment.md
Title: Create team sites - Political campaign dev environment
+f1.keywords:
- NOCSH
Last updated 05/21/2018 audience: ITPro -+ - Ent_O365 - Strat_O365_Enterprise localization_priority: Priority
+search.appverid:
- MET150 ms.assetid: c2112ce8-1c4b-424f-b200-59e161db2d21
ms.prod: m365-security
**Applies to** - [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)--
- **Summary:** Create public, private, sensitive, and highly confidential SharePoint Online team sites in your political campaign dev/test environment.
-
+
+ **Summary:** Create public, private, sensitive, and highly confidential SharePoint Online team sites in your political campaign dev/test environment.
+ Use the instructions in this article to create a dev/test environment that includes the four different types of SharePoint Online team sites for the [Microsoft Security Guidance for Political Campaigns, Nonprofits, and Other Agile Organizations](microsoft-security-guidance-for-political-campaigns-nonprofits-and-other-agile-o.md) solution. These sites are described in detail on Topic 10, titled **SharePoint and OneDrive for Business**. ## Phase 1: Create your political campaign dev/test environment
First, follow the instructions in [Configure groups and users for a political ca
In this phase, you create the labels for the different levels of security for SharePoint Online team site document folders.
-1. If needed, sign in to the admin center with the credentials of the global administrator account of your trial subscription. For help, see [Where to sign in to Microsoft 365](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4).
+1. If needed, sign in to the Microsoft 365 admin center (<https://admin.microsoft.com>) with the credentials of the global administrator account of your trial subscription. For help, see [Where to sign in to Microsoft 365](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4).
-2. From the **Microsoft Office Home** tab, click the **Admin** tile.
+2. From the **Home** page where you start, click **Show all**. In the **Admin centers** section that appears, click **Compliance**.
-3. From the new **Microsoft 365 admin center** tab of your browser, click **Admin centers > Security & Compliance**.
+3. From the **Home** page of the Microsoft 365 compliance center, go to the **Solutions** section \> **Information protection**. To go directly to the **Information protection** page, use <https://compliance.microsoft.com//informationprotection>.
-4. From the new **Home - Security & Compliance** tab of your browser, click **Classifications > Labels**.
+4. On the **Information protection** page, verify that the **Label** tag is selected, and then click ![Create a label icon](../../media/m365-cc-sc-create-icon.png) **Create a label**.
-5. From the **Home > Labels** pane, click **Create a label**.
+5. The **New sensitivity label** wizard opens. On the **Name & description** step, enter the following values:
+ - **Name**: Type **Internal**.
+ - **Display name**
+ - **Description for users**
-6. On the **Name your label** pane, type **Internal**, and then click **Next**.
+ When you're finished, click **Next**.
-7. On the **Label settings** pane, click **Next**.
+6. On the **Label settings** pane, click **Next**.
-8. On the **Review your settings** pane, click **Create this label**, and then click **Close**.
+7. On the **Review your settings** pane, click **Create this label**, and then click **Close**.
-9. Repeat steps 5-8 for these additional labels:
+8. Repeat steps 5-8 for these additional labels:
- Private - Sensitive - Highly Confidential
-10. From the **Home > Labels** pane, click **Publish labels**.
+9. From the **Home > Labels** pane, click **Publish labels**.
-11. On the **Choose labels to publish** pane, click **Choose labels to publish**.
+10. On the **Choose labels to publish** pane, click **Choose labels to publish**.
-12. On the **Choose labels** pane, click **Add** and select all four labels.
+11. On the **Choose labels** pane, click **Add** and select all four labels.
-13. Click **Done**.
+12. Click **Done**.
-14. On the **Choose labels to publish** pane, click **Next**.
+13. On the **Choose labels to publish** pane, click **Next**.
-15. On the **Choose locations** pane, click **Next**.
+14. On the **Choose locations** pane, click **Next**.
-16. On the **Name your policy** pane, type **Campaign** in **Name**, and then click **Next**.
+15. On the **Name your policy** pane, type **Campaign** in **Name**, and then click **Next**.
-17. On the **Review your settings** pane, click **Publish labels**, and then click **Close**.
+16. On the **Review your settings** pane, click **Publish labels**, and then click **Close**.
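Review bot: Step 8 still reads "Repeat steps 5-8 for these additional labels", but after the renumbering in this hunk the label-creation steps are 5-7 and step 8 is the repeat instruction itself, so it should say "Repeat steps 5-7". In the same hunk: the URL <https://compliance.microsoft.com//informationprotection> has a doubled slash; "verify that the **Label** tag is selected" should be "the **Labels** tab"; the **Display name** and **Description for users** sub-items give no value to enter and should say what to type or that they are optional; and step 9 still says "From the **Home > Labels** pane, click **Publish labels**" although steps 1-4 now use the **Information protection** page, so that step and the pane names that follow it should be checked against the current UI.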
## Phase 3: Create your SharePoint Online team sites
security Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365.md
Title: Microsoft Defender for Office 365
+f1.keywords:
- CSH Previously updated : Last updated : audience: Admin localization_priority: Priority
+search.appverid:
- MET150 - MOE150 ms.assetid: e100fe7c-f2a1-4b7d-9e08-622330b83653-+ - M365-security-compliance - m365initiative-defender-office365-+ - seo-marvel-apr2020 description: Microsoft Defender for Office 365 includes Safe Attachments, Safe Links, advanced anti-phishing tools, reporting tools and threat intelligence capabilities. ms.technology: mdo
The following table summarizes what's included in each plan.
## Configure Microsoft Defender for Office 365 policies
-With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Security & Compliance Center (Go to <https://protection.office.com> \> **Threat management** \> **Policy**.)
+With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Microsoft 365 Defender portal (go to <https://security.microsoft.com> \> **Email & collaboration** \> **Policies and rules**).
-Learn more by watching [this video](https://www.youtube.com/watch?v=vivvTmWJ_3c).
+Learn more by watching [this video](https://www.youtube.com/watch?v=vivvTmWJ_3c).
> [!TIP] > For a quick list of policies to define, see [Protect against threats](protect-against-threats.md).
The policies that are defined for your organization determine the behavior and p
- **[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)**: Protects your organization when users collaborate and share files, by identifying and blocking malicious files in team sites and document libraries. To learn more, see [Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](turn-on-mdo-for-spo-odb-and-teams.md). -- **[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)**: Detects attempts to impersonate your users and internal or custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks. To learn more, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+- **[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)**: Detects attempts to impersonate your users and internal or custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks. To learn more, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
## View Microsoft Defender for Office 365 reports
-Microsoft Defender for Office 365 includes an advanced [reporting dashboard](view-reports-for-mdo.md) to monitor your Defender for Office 365 performance. You can access it at **Reports** \> **Dashboard** in the Security & Compliance Center.
+Microsoft Defender for Office 365 includes [reports](view-reports-for-mdo.md) to monitor Defender for Office 365. You can access the reports in the Microsoft 365 Defender portal at **Reports** \> **Email & collaboration** \> **Email & collaboration reports** or directly at <https://security.microsoft.com/securityreports>.
Reports update in real-time, providing you with the latest insights. These reports also provide recommendations and alert you to imminent threats. Predefined reports include the following: - [Threat Explorer (or real-time detections)](threat-explorer.md)- - [Threat protection status report](view-reports-for-mdo.md#threat-protection-status-report)--- [Defender for Office 365 file types report](view-reports-for-mdo.md#defender-for-office-365-file-types-report)--- [Defender for Office 365 message disposition report](view-reports-for-mdo.md#defender-for-office-365-message-disposition-report)- - ... and several more. ## Use threat investigation and response capabilities
Microsoft Defender for Office 365 Plan 2 includes best-of-class [threat investig
## Permissions required to use Microsoft Defender for Office 365 features
-To access Microsoft Defender for Office 365 features in the Security & Compliance Center, you must be assigned an appropriate role. The following table includes some examples:
+To access Microsoft Defender for Office 365 features, you must be assigned an appropriate role. The following table includes some examples:
+
+<br>
+
+****
|Role or role group|Resources to learn more| |||
-|global administrator (this can be assigned in either Azure Active Directory or in the Security & Compliance Center)|[About Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md)|
-|Security Administrator (this can be assigned in either Azure Active Directory or the Security & Compliance Center)|[Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) <p> [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)|
-|Exchange Online Organization Management (this is assigned in Exchange Online)|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo) <p> [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)|
-|Search and Purge (this is assigned only in the Security & Compliance Center)|[Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)|
-
-For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+|global administrator (Organization Management)|You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).|
+|Security Administrator|You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).|
+|Organization Management in Exchange Online|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo) <p> [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)|
+|Search and Purge|This role is available only in the Microsoft 365 Defender portal or the Microsoft 365 compliance center. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md) and [Permissions in the Microsoft 365 compliance center](../../compliance/microsoft-365-compliance-center-permissions.md).|
+|||
## Get Microsoft Defender for Office 365
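Review bot: In the rewritten permissions table, "global administrator (Organization Management)" is lower-case while "Security Administrator" and "Search and Purge" are capitalized; use one convention for role names. The removed closing sentence "For more information, see [Permissions in the Security & Compliance Center]" has no replacement, which is acceptable because each row now carries its own link, except the "Organization Management in Exchange Online" row, which is the only one without a pointer to the Defender portal permissions article; add it for consistency.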
New features are added to Microsoft Defender for Office 365 continually. To lear
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) - [Automated investigation and response (AIR) in Microsoft 365 Defender](../defender/m365d-autoir.md)
-1
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
Title: Detect and Remediate Illicit Consent Grants
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro -+ - o365_security_incident_response - M365-security-compliance localization_priority: Normal
+search.appverid:
- MET150
-description: Learn how to recognize and remediate the illicit consent grants attack in Microsoft Office 365.
+description: Learn how to recognize and remediate the illicit consent grants attack in Microsoft 365.
ms.technology: mdo ms.prod: m365-security
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-**Summary** Learn how to recognize and remediate the illicit consent grants attack in Office 365.
+**Summary** Learn how to recognize and remediate the illicit consent grants attack in Microsoft 365.
-## What is the illicit consent grant attack in Office 365?
+## What is the illicit consent grant attack in Microsoft 365?
In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.
These attacks leverage an interaction model which presumes the entity that is ca
> [!IMPORTANT] > Do you suspect you're experiencing problems with illicit consent-grants from an app, right now? Microsoft Cloud App Security (MCAS) has tools to detect, investigate, and remediate your OAuth apps. This MCAS article has a tutorial that outlines how to go about [investigating risky OAuth apps](/cloud-app-security/investigate-risky-oauth). You can also set [OAuth app policies](/cloud-app-security/app-permission-policy) to investigate app-requested permissions, which users are authorizing these apps, and widely approve or ban these permissions requests.
-## What does an illicit consent grant attack look like in Office 365?
+## What does an illicit consent grant attack look like in Microsoft 365?
You need to search the **audit log** to find signs, also called Indicators of Compromise (IOC) of this attack. For organizations with many Azure-registered applications and a large user base, the best practice is to review your organizations consent grants on a weekly basis. ### Steps for finding signs of this attack
-1. Open the **Security & Compliance Center** at <https://protection.office.com>.
+1. Open the **Microsoft 365 Defender** portal at <https://security.microsoft.com> and then select **Audit**.
-2. Navigate to **Search** and select **Audit log search**.
+2. On the **Audit** page that opens, verify that the **Search** tab is selected, and then configure the following settings:
+ - **Date and time range**
+ - **Activities**: Verify that **Show results for all activities** is selected.
-3. Search (all activities and all users) and enter the start date and end date if required and then click **Search**.
+ When you're finished, click **Search**.
-4. Click **Filter results** and enter Consent to application in the **Activity** field.
+3. Click the **Activity** column to sort the results and look for **Consent to application**.
-5. Click on the result to see the details of the activity. Click **More Information** to get details of the activity. Check to see if IsAdminContent is set to True.
+4. Select an entry from the list to see the details of the activity. Check to see if IsAdminContent is set to True.
> [!NOTE] >
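Review bot: The new step 3 replaces the removed filter ("Click **Filter results** and enter Consent to application in the **Activity** field") with sorting the full result set by the **Activity** column, which is slow and easy to miss in a tenant with a large audit volume; if the new Audit page's **Activities** picker can be set to **Consent to application**, instruct that instead of "Show results for all activities". Also, "IsAdminContent" is carried over unchanged into the new step 4; it reads like a misspelling of the consent audit property IsAdminConsent, so verify the exact field name before merging.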
You need to search the **audit log** to find signs, also called Indicators of Co
If you have one or more instances of the IOCs listed above, you need to do further investigation to positively confirm that the attack occurred. You can use any of these three methods to confirm the attack: - Inventory applications and their permissions using the Azure Active Directory portal. This method is thorough, but you can only check one user at a time which can be very time consuming if you have many users to check.- - Inventory applications and their permissions using PowerShell. This is the fastest and most thorough method, with the least amount of overhead.- - Have your users individually check their apps and permissions and report the results back to the administrators for remediation. ## Inventory apps with access in your organization
You can do this for your users with either the Azure Active Directory Portal, or
### Steps for using the Azure Active Directory Portal
-You can look up the applications to which any individual user has granted permissions by using the [Azure Active Directory Portal](https://portal.azure.com/).
+You can look up the applications to which any individual user has granted permissions by using the Azure Active Directory Portal at <https://portal.azure.com>.
1. Sign in to the Azure portal with administrative rights.- 2. Select the Azure Active Directory blade.- 3. Select **Users**.- 4. Select the user that you want to review.- 5. Select **Applications**. This will show you the apps that are assigned to the user and what permissions the applications have. ### Steps for having your users enumerate their application access
-Have your users go to https://myapps.microsoft.com and review their own application access there. They should be able to see all the apps with access, view details about them (including the scope of access), and be able to revoke privileges to suspicious or illicit apps.
+Have your users go to <https://myapps.microsoft.com> and review their own application access there. They should be able to see all the apps with access, view details about them (including the scope of access), and be able to revoke privileges to suspicious or illicit apps.
### Steps for doing this with PowerShell
The simplest way to verify the Illicit Consent Grant attack is to run [Get-Azure
#### Pre-requisites

- The Azure AD PowerShell library installed.
- Global administrator rights on the tenant that the script will be run against.
- Local Administrator on the computer from which you will run the scripts.

> [!IMPORTANT]
The simplest way to verify the Illicit Consent Grant attack is to run [Get-Azure
2. Download or copy the [Get-AzureADPSPermissions.ps1](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) script from GitHub to a folder from which you will run the script. This will be the same folder to which the output "permissions.csv" file will be written.
-3. Open a PowerShell instance as an administrator and open to the folder you saved the script to.
+3. Open a PowerShell session as an administrator and open to the folder where you saved the script to.
4. Connect to your directory using the [Connect-AzureAD](/powershell/module/azuread/connect-azuread) cmdlet.
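Review bot: the added step 3 reads "open to the folder where you saved the script to", which is ungrammatical and doubles the "to"; suggest "Open a PowerShell session as an administrator and change to the folder where you saved the script." so that it also matches step 2's wording about the folder the script is run from.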
The script produces one file named Permissions.csv. Follow these steps to look f
## Determine the scope of the attack
-After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Security & Compliance Center](../../compliance/search-the-audit-log-in-security-and-compliance.md).
+After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender](../../compliance/search-the-audit-log-in-security-and-compliance.md).
> [!IMPORTANT]
> [Mailbox auditing](../../compliance/enable-mailbox-auditing.md) and [Activity auditing for admins and users](../../compliance/turn-audit-log-search-on-or-off.md) must have been enabled prior to the attack for you to get this information.
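Review bot: in the added line the link text "Microsoft 365 Defender" is preceded by "the", so the sentence reads "You can search the audit log in the Microsoft 365 Defender" with the noun missing; the rest of this batch uses "the Microsoft 365 Defender portal". Suggest "You can search the **audit log** in the [Microsoft 365 Defender portal](../../compliance/search-the-audit-log-in-security-and-compliance.md)."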
After you have finished inventorying application access, review the **audit log*
After you have identified an application with illicit permissions, you have several ways to remove that access.

- You can revoke the application's permission in the Azure Active Directory Portal by:
- - Navigate to the affected user in the **Azure Active Directory User** blade.
-
- - Select **Applications**.
-
- - Select the illicit application.
-
- - Click **Remove** in the drill down.
+ 1. Navigate to the affected user in the **Azure Active Directory User** blade.
+ 2. Select **Applications**.
+ 3. Select the illicit application.
+ 4. Click **Remove** in the drill down.
- You can revoke the OAuth consent grant with PowerShell by following the steps in [Remove-AzureADOAuth2PermissionGrant](/powershell/module/azuread/Remove-AzureADOAuth2PermissionGrant).
After you have identified an application with illicit permissions, you have seve
Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the [Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond](security-roadmap.md) to implement Microsoft recommended best practices for securing your Microsoft 365 tenant.

- Tasks to accomplish in the first 30 days. These have immediate effect and are low-impact to your users.
- Tasks to accomplish in 90 days. These take a bit more time to plan and implement but greatly improve your security posture.
- Beyond 90 days. These enhancements build on your first 90 days' work.
-## See also:
+## See also
- [Unexpected application in my applications list](/azure/active-directory/application-access-unexpected-application) walks administrators through various actions they may want to take after realizing there are unexpected applications with access to data.
- [Integrating applications with Azure Active Directory](/azure/active-directory/active-directory-apps-permissions-consent) is a high-level overview of consent and permissions.
- [Problems developing my application](/azure/active-directory/active-directory-application-dev-development-content-map) provides links to various consent related articles.
- [Application and service principal objects in Azure Active Directory (Azure AD)](/azure/active-directory/develop/active-directory-application-objects) provides an overview of the Application and Service principal objects that are core to the application model.
- [Manage access to apps](/azure/active-directory/active-directory-managing-access-to-apps) is an overview of the capabilities that administrators have to manage user access to apps.
security Email Security In Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md
In this article:
- [Start automated investigation and response](#start-automated-investigation-and-response)

> [!NOTE]
-> This is part of a **3-article series** on **Threat Explorer (Explorer)**, **email security**, and **Explorer and Real-time detections basics** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Threat hunting in Threat Explorer](threat-hunting-in-threat-explorer.md) and [Threat Explorer and Real-time detections basics](real-time-detections.md).
+> This is part of a **3-article series** on **Threat Explorer (Explorer)**, **email security**, and **Explorer and Real-time detections basics** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Threat hunting in Threat Explorer](threat-hunting-in-threat-explorer.md) and [Threat Explorer and Real-time detections basics](real-time-detections.md).
-This article explains how to view and investigate malware and phishing attempts that are detected in email by Microsoft 365 security features.
+This article explains how to view and investigate malware and phishing attempts that are detected in email by Microsoft 365 security features.
-**Applies to**
+**Applies to:**
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)

## View malware detected in email
-To see malware detected in email sorted by Microsoft 365 technology, use the [Email > Malware](threat-explorer-views.md#email--malware) view of Explorer (or Real-time detections). Malware is the default view, so it may be selected as soon as you open Explorer.
+To see malware detected in email sorted by Microsoft 365 technology, use the [Email > Malware](threat-explorer-views.md#email--malware) view of Explorer (or Real-time detections). Malware is the default view, so it might be selected as soon as you open Explorer.
-1. In the Security & Compliance Center (<https://protection.office.com>), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.)
-
- If you're in the converged Microsoft 365 Defender portal (<https://security.microsoft.com>) scroll to **Email & collaboration** > **Explorer**.
+1. In the Microsoft 365 Defender portal (<https://security.microsoft.com>), choose **Email & collaboration** \> **Explorer** (or **Real-time detections**; This example uses Explorer).
From here, start at the View, choose a particular frame of time to investigate (if needed), and focus your filters, as per the [Explorer walk-through](threat-hunting-in-threat-explorer.md#threat-explorer-walk-through).
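Review bot: the added step 1 folds two statements into one parenthesis, "(or **Real-time detections**; This example uses Explorer)", capitalizing "This" after a semicolon; suggest keeping the removed line's form, "(or **Real-time detections**). (This example uses Explorer.)", or lowercasing "this". The same construction is used in step 1 of the phishing section further down and should be made consistent.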
-2. In the **View** menu, choose **Email** \> **Malware**.
+2. In the **View** drop down list, verify that **Email** \> **Malware** is selected.
- > [!div class="mx-imgBorder"]
- > ![View menu for Explorer](../../media/ExplorerViewEmailMalwareMenu.png)
+3. Click **Sender**, and then choose **Basic** \> **Detection technology** in the drop down list.
-3. Click **Sender**, and then choose **Basic** \> **Detection technology**.
+ :::image type="content" source="../../media/exploreremailmalwaredetectiontech-newimg.png" alt-text="malware detection technology":::
Your detection technologies are now available as filters for the report.
- > [!div class="mx-imgBorder"]
- > ![Malware detection technologies](../../media/ExplorerEmailMalwareDetectionTech.png)
+4. Choose an option, and then click **Refresh** to apply that filter (don't refresh your browser window).
-4. Choose an option. Then select the **Refresh** button to apply that filter.
+ :::image type="content" source="../../media/exploreremailmalwaredetectiontech2-new.png" alt-text="selected detection technology":::
- > [!div class="mx-imgBorder"]
- > ![Selected detection technology](../../media/ExplorerEmailMalwareDetectionTechATP.png)
-
- The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis.
+ The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis.
## View phishing URL and click verdict data

You can view phishing attempts through URLs in email, including a list of URLs that were allowed, blocked, and overridden. To identify URLs that were clicked, [Safe Links](safe-links.md) must be configured. Make sure that you set up [Safe Links policies](set-up-safe-links-policies.md) for time-of-click protection and logging of click verdicts by Safe Links.
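Review bot: in the malware section's final hunk above, the closing sentence carried into the added line, "The report refreshes to show the results that malware detected in email, using the technology option you selected", is missing a preposition; since the line is being edited anyway, suggest "The report refreshes to show the results of malware detected in email using the technology option you selected." Also, the new `:::image:::` directives at steps 3 and 4 drop the `mx-imgBorder` wrapper that the removed images had; confirm the border is intentionally gone.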
-To review phish URLs in messages and clicks on URLs in phish messages, use the [**Email** > **Phish**](threat-explorer-views.md#email--phish) view of Explorer or Real-time detections.
-
-1. In the Security & Compliance Center (<https://protection.office.com>), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.)
+1. In the Microsoft 365 Defender portal (<https://security.microsoft.com>), choose **Email & collaboration** \> **Explorer** (or **Real-time detections**; This example uses Explorer).
-2. In the **View** menu, choose **Email** \> **Phish**.
+2. In the **View** drop down list, choose **Email** \> **Phish**.
> [!div class="mx-imgBorder"]
> ![View menu for Explorer in phishing context](../../media/ExplorerViewEmailPhishMenu.png)
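Review bot: the introductory sentence "To review phish URLs in messages and clicks on URLs in phish messages, use the [**Email** > **Phish**](threat-explorer-views.md#email--phish) view of Explorer or Real-time detections." is removed with no replacement, so the section now jumps from the Safe Links paragraph straight into step 1 and loses the link to the view description; suggest keeping that sentence (with the portal name updated) above the steps. The step 1 parenthetical also capitalizes "This" after a semicolon, as in the malware section.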
-3. Click **Sender**, and then choose **URLs** \> **Click verdict**.
+3. Click **Sender**, and then choose **URLs** \> **Click verdict** in the drop down list.
-4. Select one or more options, such as **Blocked** and **Block overridden**, and then select the **Refresh** button on the same line as the options to apply that filter. (Don't refresh your browser window.)
+4. In options that appear, select one or more options, such as **Blocked** and **Block overridden**, and then click **Refresh** (don't refresh your browser window).
- > [!div class="mx-imgBorder"]
- > ![URLs and click verdicts](../../media/ThreatExplorerEmailPhishClickVerdictOptions.png)
+ :::image type="content" source="../../media/threatexploreremailphishclickverdict-new.png" alt-text="URLs and click verdicts":::
- The report refreshes to show two different URL tables on the URL tab under the report:
+ The report refreshes to show two different URL tables on the **URLs** tab under the report:
- **Top URLs** are the URLs in the messages that you filtered down to and the email delivery action counts for each URL. In the Phish email view, this list typically contains legitimate URLs. Attackers include a mix of good and bad URLs in their messages to try to get them delivered, but they make the malicious links look more interesting. The table of URLs is sorted by total email count, but this column is hidden to simplify the view.
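Review bot: the added step 4 opens with "In options that appear, select one or more options", which drops the article and repeats "options"; suggest "In the options that appear, select one or more (such as **Blocked** and **Block overridden**), and then click **Refresh** (don't refresh your browser window)." The removed line's hint that the Refresh button is "on the same line as the options" helped readers find the right control and could be kept.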
security Enable The Report Message Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/enable-the-report-message-add-in.md
Title: Enable the Report Message or the Report Phishing add-ins
+f1.keywords:
- NOCSH
audience: Admin
localization_priority: Normal
+search.appverid:
- MET150 - MOE150 ms.assetid: 4250c4bc-6102-420b-9e0a-a95064837676-+ - M365-security-compliance description: Learn how to enable the Report Message or the Report Phishing add-ins for Outlook and Outlook on the web, for individual users or for your entire organization. ms.technology: mdo
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)

> [!NOTE]
-> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
-The Report Message and Report Phishing add-ins for Outlook and Outlook on the web (formerly known as Outlook Web App) enable people to easily report false positives (good email marked as bad) or false negatives (bad email allowed) to Microsoft and its affiliates for analysis.
+The Report Message and Report Phishing add-ins for Outlook and Outlook on the web (formerly known as Outlook Web App) enable people to easily report false positives (good email marked as bad) or false negatives (bad email allowed) to Microsoft and its affiliates for analysis.
-Microsoft uses these submissions to improve the effectiveness of email protection technologies. For example, suppose that people are reporting many messages using the Report Phishing add-in. This information surfaces in the Security Dashboard and other reports. Your organization's security team can use this information as an indication that anti-phishing policies might need to be updated.
+Microsoft uses these submissions to improve the effectiveness of email protection technologies. For example, suppose that people are reporting many messages using the Report Phishing add-in. This information surfaces in the Security Dashboard and other reports. Your organization's security team can use this information as an indication that anti-phishing policies might need to be updated.
-You can install either the Report Message or Report Phishing add-in. If you want your users to report both spam and phishing messages, deploy the Report Message add-in in your organization. For more information, see Enable the Report Message add-in.
+You can install either the Report Message or Report Phishing add-in. If you want your users to report both spam and phishing messages, deploy the Report Message add-in in your organization. For more information, see Enable the Report Message add-in.
-The Report Message add-in provides the option to report both spam and phishing messages. Admins can enable the Report Message add-in for the organization, and individual users can install it for themselves.
+The Report Message add-in provides the option to report both spam and phishing messages. Admins can enable the Report Message add-in for the organization, and individual users can install it for themselves.
-The Report Phishing add-in provides the option to report only phishing messages. Admins can enable the Report Phishing add-in for the organization, and individual users can install it for themselves.
+The Report Phishing add-in provides the option to report only phishing messages. Admins can enable the Report Phishing add-in for the organization, and individual users can install it for themselves.
If you're an individual user, you can enable both the add-ins for yourself.
If you're a global administrator or an Exchange Online administrator, and Exchan
- For organizational installs, the organization needs to be configured to use OAuth authentication. For more information, see [Determine if Centralized Deployment of add-ins works for your organization](../../admin/manage/centralized-deployment-of-add-ins.md). -- Admins need to be a member of the Global admins role group. For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+- Admins need to be a member of the Global admins role group. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- For more information on how to report a message using the Report Message feature, see [Report false positives and false negatives in Outlook](report-false-positives-and-false-negatives.md).
If you're a global administrator or an Exchange Online administrator, and Exchan
## Get the Report Message add-in
-### Get the add-in for yourself
+### Get the Report Message add-in for yourself
1. Go to the Microsoft AppSource at <https://appsource.microsoft.com/marketplace/apps> and search for the Report Message add-in. To go directly to the Report Message add-in, go to <https://appsource.microsoft.com/product/office/wa104381180>.
After the add-in is installed and enabled, you'll see the following icons:
> [!div class="mx-imgBorder"]
> ![Outlook on the web Report Message add-in icon](../../media/owa-report-message-icon.png)
-### Get the add-in for your organization
+### Get the Report Message add-in for your organization
> [!NOTE]
> It could take up to 12 hours for the add-in to appear in your organization.
-1. In the Microsoft 365 admin center, go to the go to the **Settings** \> **Add-ins** page at <https://admin.microsoft.com/AdminPortal/Home#/Settings/AddIns>. If you don't see the **Add-in** Page, go to the **Settings** \> **Integrated apps** \> **Add-ins** link on the top of the **Integrated apps** page.
+1. In the Microsoft 365 admin center, go to the **Settings** \> **Add-ins** page at <https://admin.microsoft.com/AdminPortal/Home#/Settings/AddIns>. If you don't see the **Add-in** Page, go to the **Settings** \> **Integrated apps** \> **Add-ins** link on the top of the **Integrated apps** page.
2. Select **Deploy Add-in** at the top of the page, and then select **Next**.
After the add-in is installed and enabled, you'll see the following icons:
7. In the **Configure add-in** page that appears, configure the following settings:

   - **Assigned users**: Select one of the following values:
     - **Everyone** (default)
     - **Specific users / groups**
     - **Just me**
   - **Deployment method**: Select one of the following values:
     - **Fixed (Default)**: The add-in is automatically deployed to the specified users and they can't remove it.
     - **Available**: Users can install the add-in at **Home** \> **Get add-ins** \> **Admin-managed**.
     - **Optional**: The add-in is automatically deployed to the specified users, but they can choose to remove it.
After the add-in is installed and enabled, you'll see the following icons:
## Get the Report Phishing add-in
-### Get the add-in for yourself
+### Get the Report Phishing add-in for yourself
1. Go to the Microsoft AppSource at <https://appsource.microsoft.com/marketplace/apps> and search for the Report Phishing add-in.
After the add-in is installed and enabled, you'll see the following icons:
> [!div class="mx-imgBorder"]
> ![Outlook on the web Report Phishing add-in icon](../../media/OWA-ReportPhishing.png)
-### Get the add-in for your organization
+### Get the Report Phishing add-in for your organization
> [!NOTE]
> It could take up to 12 hours for the add-in to appear in your organization.
After the add-in is installed and enabled, you'll see the following icons:
7. In the **Configure add-in** page that appears, configure the following settings:

   - **Assigned users**: Select one of the following values:
     - **Everyone** (default)
     - **Specific users / groups**
     - **Just me**
   - **Deployment method**: Select one of the following values:
     - **Fixed (Default)**: The add-in is automatically deployed to the specified users and they can't remove it.
     - **Available**: Users can install the add-in at **Home** \> **Get add-ins** \> **Admin-managed**.
     - **Optional**: The add-in is automatically deployed to the specified users, but they can choose to remove it.
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
ms.prod: m365-security
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantine in EOP](quarantine-email-messages.md).
-As a recipient of a quarantined message, what you can do to the message as a regular user is described in the following table:
+As a recipient of a quarantined message, what you can do to the message as a non-admin user is described in the following table:
<br>
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
There are two major factors that determine which policy is applied to a message:
|2|Phishing|CAT:PHSH|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|
|3|High confidence spam|CAT:HSPM|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|
|4|Spoofing|CAT:SPOOF|[Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)|
- |5<sup>\*</sup>|User impersonation (protected users)|UIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md)|
- |6<sup>\*</sup>|Domain impersonation (protected domains)|DIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md)|
+ |5<sup>\*</sup>|User impersonation (protected users)|UIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md)|
+ |6<sup>\*</sup>|Domain impersonation (protected domains)|DIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md)|
|7|Spam|CAT:SPM|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|
|8|Bulk|CAT:BULK|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|
|
security Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/impersonation-insight.md
You can use the impersonation insight in the Microsoft 365 Defender portal to qu
**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). -- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection is not enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection is not enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
## Open the impersonation insight in the Microsoft 365 Defender portal
security Integrate Office 365 Ti With Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde.md
Title: Use Microsoft Defender for Office 365 together with Microsoft Defender for Endpoint
+f1.keywords:
- NOCSH keywords: integrate, Microsoft Defender, Microsoft Defender for Endpoint
Last updated 06/10/2021
audience: ITPro localization_priority: Normal
+search.appverid:
- MET150 - MOE150-+ - M365-security-compliance description: Use Microsoft Defender for Office 365 together with Microsoft Defender for Endpoint to get more detailed information about threats against your devices and email content.
The following image depicts what the **Devices** tab looks like when you have Mi
![When Microsoft Defender for Endpoint is enabled, you can see a list of devices with alerts.](../../media/fec928ea-8f0c-44d7-80b9-a2e0a8cd4e89.PNG)
-In this example, you can see that the recipients of the detected email message have four devices and one has an alert. Clicking the link for a device opens its page in [Microsoft 365 Defender](../defender-endpoint/microsoft-defender-security-center.md) (formerly the Microsoft Defender Security Center).
+In this example, you can see that the recipients of the detected email message have four devices and one has an alert. Clicking the link for a device opens its page in [Microsoft 365 Defender](../defender-endpoint/microsoft-defender-security-center.md) (formerly the Microsoft Defender security center).
> [!TIP]
> The Microsoft 365 Defender portal replaces the Microsoft Defender Security Center. See [Microsoft Defender for Endpoint in Microsoft 365 Defender](../defender/microsoft-365-security-center-mde.md).
In this example, you can see that the recipients of the detected email message h
- Your organization must have Microsoft Defender for Office 365 (or Office 365 E5) and Microsoft Defender for Endpoint. -- You must be a global administrator or have a security administrator role (such as Security Administrator) assigned in Microsoft 365. (See [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md))
+- You must be a global administrator or have a security administrator role (such as Security Administrator) assigned in Microsoft 365. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- You must have access to [Explorer (or real-time detections)](threat-explorer.md).
In this example, you can see that the recipients of the detected email message h
Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoint is set up in both Defender for Endpoint and Defender for Office 365.
-1. As a global administrator or a security administrator, go to [https://protection.office.com](https://protection.office.com) and sign in. (This takes you to the Office 365 Security & Compliance Center.)
+1. As a global administrator or a security administrator,<https://security.microsoft.com/threatexplorer>.
-2. In the navigation pane, choose **Threat management** \> **Explorer**.
+2. In the navigation pane, choose **Email & collaboration** \> **Explorer**.
- ![Explorer in Threat Management menu](../../media/ThreatMgmt-Explorer-nav.png)
+3. On the **Explorer** page, in the upper right corner of the screen, click **MDE Settings**.
-3. In the upper right corner of the screen, choose **Defender for Endpoint Settings (MDE Settings)**.
+4. In the **Microsoft Defender for Endpoint connection** flyout that appears, turn on **Connect to Microsoft Defender for Endpoint** (![Toggle on](../../media/scc-toggle-on.png)) and then click ![Close icon](../../media/m365-cc-sc-close-icon.png) **Close**.
-4. In the Microsoft Defender for Endpoint connection dialog box, turn on **Connect to Microsoft Defender for Endpoint**.
+ :::image type="content" source="../../mediE Connection":::
- ![Microsoft Defender for Endpoint connection](../../media/Explorer-WDATPConnection-dialog.png)
+5. Back in the navigation pane, choose **Settings**. On the **Settings** page, choose **Endpoints**
-5. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com).
+6. On the **Endpoints** page that opens, choose **Advanced features**.
-6. In the navigation bar, choose **Settings**. Then, under **General**, choose **Advanced features**.
+7. Scroll down to **Office 365 Threat Intelligence connection**, and turn it on (![Toggle on](../../media/scc-toggle-on.png)).
-7. Scroll down to **Office 365 Threat Intelligence connection**, and turn the connection on.
-
- ![Office 365 threat intelligence connection](../../media/mdatp-oatptoggle.png)
+ When you're finished, click **Save preferences**.
## Related articles
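Review bot: the added step 1 is a fragment: "As a global administrator or a security administrator,<https://security.microsoft.com/threatexplorer>." has lost its verb and the space after the comma; suggest "As a global administrator or a security administrator, go to <https://security.microsoft.com/threatexplorer>." In the same hunk, the image directive under step 4 is truncated (`:::image type="content" source="../../mediE Connection":::`) and needs its full `source` path and `alt-text` restored, and step 5 ends without a period after **Endpoints**.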
security Investigate Malicious Email That Was Delivered https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md
Title: Investigate malicious email that was delivered in Office 365, Find and investigate malicious email
+ Title: Investigate malicious email that was delivered in Microsoft 365, Find and investigate malicious email
keywords: TIMailData-Inline, Security Incident, incident, Microsoft Defender for Endpoint PowerShell, email malware, compromised users, email phish, email malware, read email headers, read headers, open email headers,special actions f1.keywords: - NOCSH
ms.technology: mdo
ms.prod: m365-security
-# Investigate malicious email that was delivered in Office 365
+# Investigate malicious email that was delivered in Microsoft 365
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
-**Applies to**
+**Applies to:**
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
Make sure that the following requirements are met:
- Your organization has [Microsoft Defender for Office 365](defender-for-office-365.md) and [licenses are assigned to users](../../admin/manage/assign-licenses-to-users.md). -- [audit logging](../../compliance/turn-audit-log-search-on-or-off.md) is turned on for your organization.
+- [Audit logging](../../compliance/turn-audit-log-search-on-or-off.md) is turned on for your organization.
- Your organization has policies defined for anti-spam, anti-malware, anti-phishing, and so on. See [Protect against threats in Office 365](protect-against-threats.md). -- You are a global administrator, or you have either the Security Administrator or the Search and Purge role assigned in the Security & Compliance Center. See [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md). For some actions, you must also have a new Preview role assigned.
+- You are a global administrator, or you have either the Security Administrator or the Search and Purge role assigned in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md). For some actions, you must also have the Preview role assigned.
### Preview role permissions
-To perform certain actions, such as viewing message headers or downloading email message content, you must have a new role called *Preview* added to another appropriate role group. The following table clarifies required roles and permissions.
+To perform certain actions, such as viewing message headers or downloading email message content, you must have the *Preview* role added to another appropriate role group. The following table clarifies required roles and permissions.
+
+<br>
**** |Activity|Role group|Preview role needed?| ||||
-|Use Threat Explorer (and real-time detections) to analyze threats |Global Administrator <p> Security Administrator <p> Security Reader|No|
-|Use Threat Explorer (and real-time detections) to view headers for email messages as well as preview and download quarantined email messages|Global Administrator <p> Security Administrator <p> Security Reader|No|
+|Use Threat Explorer (and Real-time detections) to analyze threats |Global Administrator <p> Security Administrator <p> Security Reader|No|
+|Use Threat Explorer (and Real-time detections) to view headers for email messages as well as preview and download quarantined email messages|Global Administrator <p> Security Administrator <p> Security Reader|No|
|Use Threat Explorer to view headers, preview email (only in the email entity page) and download email messages delivered to mailboxes|Global Administrator <p> Security Administrator <p> Security Reader <p> Preview|Yes| | > [!NOTE]
-> *Preview* is a role and not a role group; the Preview role must be added to an existing role group for Office 365 (at <https://protection.office.com>). Go to **Permissions**, and then either edit an existing role group or add a new role group with the **Preview** role assigned.
-> The Global Administrator role is assigned the Microsoft 365 admin center (<https://admin.microsoft.com>), and the Security Administrator and Security Reader roles are assigned in the Security & Compliance Center (<https://protection.office.com>). To learn more about roles and permissions, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+> *Preview* is a role, not a role group. The Preview role must be added to an existing role group in the Microsoft 365 Defender portal (<https://security.microsoft.com>). Go to **Permissions**, and then either edit an existing role group or add a new role group with the **Preview** role assigned.
+>
+> The Global Administrator role is assigned the Microsoft 365 admin center (<https://admin.microsoft.com>), and the Security Administrator and Security Reader roles are assigned in Microsoft 365 Defender (<https://security.microsoft.com>). To learn more about roles and permissions, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
We understand previewing and downloading email are sensitive activities, and so we auditing is enabled for these. Once an admin performs these activities on emails, audit logs are generated for the same and can be seen in the Office 365 Security & Compliance Center (<https://protection.office.com>). Go to **Search** > **Audit log search** and filter on the admin name in Search section. The filtered results will show activity **AdminMailAccess**. Select a row to view details in the **More information** section about previewed or downloaded email.
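Review bot: the rebrand in this hunk stops one paragraph short. The rewritten note sends admins to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and to `permissions-microsoft-365-security-center.md`, but the unchanged paragraph that closes the hunk ("We understand previewing and downloading email are sensitive activities...") still points at "the Office 365 Security & Compliance Center (<https://protection.office.com>)" and the old **Search** > **Audit log search** path, and it carries a grammatical slip ("and so we auditing is enabled for these"). Suggest rewriting it in the same change so the audit-log guidance names the same portal as the rest of the section and reads "and so auditing is enabled for these activities". Two smaller points in the added lines: "The Global Administrator role is assigned the Microsoft 365 admin center" is missing "in" after "assigned" (inherited from the removed line), and the table's second row says no Preview role is needed to "preview and download quarantined email messages" while the third row requires it for messages delivered to mailboxes; that is consistent with the sentence above the table, but a short parenthetical (quarantine versus mailbox content) would stop readers from seeing a contradiction.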
We understand previewing and downloading email are sensitive activities, and so
Threat Explorer is a powerful report that can serve multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation. The following procedure focuses on using Explorer to find and delete malicious email from recipient's mailboxes. > [!NOTE]
-> Default searches in Explorer don't currently include Zapped items. This applies to all views, for example malware or phish views. To include Zapped items you need to add a **Delivery action** set to include **Removed by ZAP**. If you include all options, you'll see all delivery action results, including Zapped items.
-
-1. **Navigate to Threat Explorer**: Go to <https://protection.office.com> and sign in using your work or school account for Office 365. This takes you to the Security & Compliance Center.
+> Default searches in Explorer don't currently include delivered items that were removed from the cloud mailbox by zero-hour auto protection (ZAP). This limitation applies to all views (for example, the **Email \> Malware** or **Email \> Phish** views). To include items removed by ZAP, you need to add a **Delivery action** set to include **Removed by ZAP**. If you include all options, you'll see all delivery action results, including items removed by ZAP.
-2. In the left navigation quick-launch, choose **Threat management** \> **Explorer**.
+1. Open the Microsoft 365 Defender portal <https://security.microsoft.com> and sign in using your work or school account for Office 365.
- ![Explorer with Delivery Action and Delivery Location fields.](../../media/ThreatExFields.PNG)
+2. Go to **Threat Explorer** by choosing **Email & collaboration** \> **Explorer** in the left navigation. To go to **Threat Explorer** directly, use <https://security.microsoft.com/threatexplorer>.
- You may notice the new **Special actions** column. This feature is aimed at telling admins the outcome of processing an email. The **Special actions** column can be accessed in the same place as **Delivery action** and **Delivery location**. Special actions might be updated at the end of Threat Explorer's email timeline, which is a new feature aimed at making the hunting experience better for admins.
+ On the **Explorer** page, the **Additional actions** column shows admins the outcome of processing an email. The **Additional actions** column can be accessed in the same place as **Delivery action** and **Delivery location**. Special actions might be updated at the end of Threat Explorer's email timeline, which is a new feature aimed at making the hunting experience better for admins.
-3. **Views in Threat Explorer**: In the **View** menu, choose **All email**.
+3. In the **View** menu, choose **Email** \> **All email** from the drop down list.
![Threat explorer View menu, and Email - Malware, Phish, Submissions and All Email options, also Content - Malware.](../../media/tp-InvestigateMalEmail-viewmenu.png)
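Review bot: the column rename in the step-2 paragraph is only half applied. The added line switches **Special actions** to **Additional actions** in its first two sentences but then keeps "Special actions might be updated at the end of Threat Explorer's email timeline"; use one name throughout, and since this is no longer new, "which is a new feature aimed at making the hunting experience better for admins" can go. The screenshot `![Explorer with Delivery Action and Delivery Location fields.](../../media/ThreatExFields.PNG)` is removed without a replacement while the view-menu screenshot below it is kept; confirm that is intended rather than a lost image. Minor: "drop down list" should be "drop-down list", and the ZAP note's expansion ("zero-hour auto protection (ZAP)") is a good addition.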
Threat Explorer is a powerful report that can serve multiple purposes, such as f
5. **Advanced filters**: With these filters, you can build complex queries and filter your data set. Clicking on *Advanced Filters* opens a flyout with options.
- Advanced filtering is a great addition to search capabilities. A boolean **NOT** filter has been introduced on *Recipient*, *Sender* and *Sender domain* to allow admins to investigate by excluding values. This option appears under selection parameter *Contains none of*. **NOT** will let admins exclude alert mailboxes, default reply mailboxes from their investigations, and is useful for cases where admins search for a specific subject (subject="Attention") where the Recipient can be set to *none of defaultMail\@contoso.com*. This is an exact value search.
+ Advanced filtering is a great addition to search capabilities. A boolean NOT on the **Recipient**, **Sender** and **Sender domain** filters allows admins to investigate by excluding values. This option is the **Equals none of** selection. This option allows admins to exclude unwanted mailboxes from investigations (for example, alert mailboxes and default reply mailboxes), and is useful for cases where admins search for a specific subject (for example, Attention) where the Recipient can be set to *Equals none of: defaultMail@contoso.com*. This is an exact value search.
![The Recipients - 'Contains none of' Advanced filter.](../../media/tp-InvestigateMalEmail-AdvancedFilter.png)
- *Filtering by hours* will help your organization's security team drill down quickly. The shortest allowed time duration is 30 minutes. If you can narrow the suspicious action by time-frame (e.g. it happened 3 hours ago), this will limit the context and help pinpoint the problem.
+ Adding a time filter to the start date and end date helps your security team to drill down quickly. The shortest allowed time duration is 30 minutes. If you can narrow the suspicious action by time-frame (e.g., it happened 3 hours ago), this will limit the context and help pinpoint the problem.
![The filtering by hours option to narrow the amount of data security teams have to process, and whose shortest duration is 30 minutes.](../../media/tp-InvestigateMalEmail-FilterbyHours.png)
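Review bot: the text and the retained screenshot now disagree on the option's name. The added line says the exclusion option is **Equals none of**, but the unchanged alt text on the next line still reads `![The Recipients - 'Contains none of' Advanced filter.]`; if the UI label changed, update the alt text (and likely the image) in the same change, otherwise the prose is wrong. The replacement for "Filtering by hours" is also muddled: "Adding a time filter to the start date and end date helps your security team to drill down quickly" should say what is being narrowed, for example "Narrowing the start and end date and time of the search helps...", which also makes the following "shortest allowed time duration is 30 minutes" sentence follow naturally.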
Threat Explorer is a powerful report that can serve multiple purposes, such as f
**Overrides**: This filter takes information that appears on the mail's details tab and uses it to expose where organizational, or user policies, for allowing and blocking mails have been *overridden*. The most important thing about this filter is that it helps your organization's security team see how many suspicious emails were delivered due to configuration. This gives them an opportunity to modify allows and blocks as needed. This result set of this filter can be exported to spreadsheet.
+ <br>
+ **** |Threat Explorer Overrides|What they mean|
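Review bot: the hunk ends on a table header row, `**** |Threat Explorer Overrides|What they mean|`, with no alignment row (`|---|---|`) visible after it; Markdown needs that row immediately below the header, so confirm the lines following this hunk supply it and the body rows. The unchanged lead sentence above the table, "This result set of this filter can be exported to spreadsheet", should read "The result set of this filter can be exported to a spreadsheet", and since the paragraph is being touched anyway that is the place to fix it.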
In [Threat Explorer (and real-time detections)](threat-explorer.md), you now hav
Delivery Status is now broken out into two columns: - **Delivery action** - What is the status of this email?- - **Delivery location** - Where was this email routed as a result? Delivery action is the action taken on an email due to existing policies or detections. Here are the possible actions an email can take: - **Delivered** ΓÇô email was delivered to inbox or folder of a user and the user can directly access it.- - **Junked** ΓÇô email was sent to either user's junk folder or deleted folder, and the user has access to email messages in their Junk or Deleted folder.- - **Blocked** ΓÇô any email messages that are quarantined, that failed, or were dropped. (This is completely inaccessible by the user.)- - **Replaced** ΓÇô any email where malicious attachments are replaced by .txt files that state the attachment was malicious. Delivery location shows the results of policies and detections that run post-delivery. It's linked to a Delivery Action. This field was added to give insight into the action taken when a problem mail is found. Here are the possible values of delivery location: - **Inbox or folder** ΓÇô The email is in the inbox or a folder (according to your email rules).- - **On-prem or external** ΓÇô The mailbox doesn't exist on cloud but is on-premises.- - **Junk folder** ΓÇô The email is in a user's Junk folder.- - **Deleted items folder** ΓÇô The email is in a user's Deleted items folder.- - **Quarantine** ΓÇô The email in quarantine, and not in a user's mailbox.- - **Failed** ΓÇô The email failed to reach the mailbox.- - **Dropped** ΓÇô The email gets lost somewhere in the mail flow. ### View the timeline of your email
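Review bot: every en dash in this hunk renders as `ΓÇô` (a UTF-8 `–` decoded as code page 437), for example `**Delivered** ΓÇô email was delivered to inbox or folder of a user`; check whether that sequence is in the committed file or only in the console that produced this diff, and re-save as UTF-8 if it is the former. The visible change itself only drops the blank lines between list items (the stray `-` after "What is the status of this email?" and after "(This is completely inaccessible by the user.)"), which turns the loose lists into tight ones without altering content. While in this section, "**On-prem or external** ΓÇô The mailbox doesn't exist on cloud but is on-premises" would read better as "The mailbox isn't in the cloud; it's on-premises or external", which also matches the value's name.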
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
- Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature. -- You enable and disable spoof intelligence in anti-phishing policies in EOP and Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) or [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+- You enable and disable spoof intelligence in anti-phishing policies in EOP and Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) or [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
- For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365-atp.md#eop-anti-phishing-policy-settings).
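Review bot: the unchanged link on the last line of this hunk, `recommended-settings-for-eop-and-office365-atp.md#eop-anti-phishing-policy-settings`, looks stale. The same change set edits that article at the path `recommended-settings-for-eop-and-office365.md` (see the "Recommended Settings For Eop And Office365" entry further down this page), so the `-atp` filename will break unless a redirect exists. Since this commit already drops `atp` from `configure-atp-anti-phishing-policies.md`, update this link in the same pass.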
On the **Spoof intelligence insight** page that appears after you click **View s
- **External**: The spoofed sender is in an external domain. - **Action**: This value is **Allowed** or **Blocked**: - **Allowed**: The domain failed explicit email authentication checks [SPF](how-office-365-uses-spf-to-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md)). However, the domain passed our implicit email authentication checks ([composite authentication](email-validation-and-authentication.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message.
- - **Blocked**: Messages from the combination of the spoofed domain _and_ sending infrastructure are marked as bad by spoof intelligence. The action that's taken on the spoofed messages is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**). For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+ - **Blocked**: Messages from the combination of the spoofed domain _and_ sending infrastructure are marked as bad by spoof intelligence. The action that's taken on the spoofed messages is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**). For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
You can click selected column headings to sort the results.
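Review bot: the **Allowed** bullet in the context just above the changed line has unbalanced parentheses: `explicit email authentication checks [SPF](...), [DKIM](...), and [DMARC](...))` never opens a `(` before `[SPF]` but closes one after `[DMARC]`. Since the hunk already touches the adjacent **Blocked** bullet, fix it here, for example "explicit email authentication checks ([SPF](...), [DKIM](...), and [DMARC](...))". The link rename itself is mechanical.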
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
The following procedure describes how to configure the default anti-phishing pol
- **If mailbox intelligence detects an impersonated user**<sup>\*</sup>: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). - **If message is detected as spoof**: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). - **Safety tips & indicators** section: Configure the following settings:
+ - **Show first contact safety tip**: Select (turn on).
- **Show user impersonation safety tip**<sup>\*</sup>: Select (turn on). - **Show domain impersonation safety tip**<sup>\*</sup>: Select (turn on). - **Show user impersonation unusual characters safety tip**<sup>\*</sup>: Select (turn on). - **Show (?) for unauthenticated senders for spoof**: Select (turn on).
- - **Show "via" tag**: Select (turn on) if this setting is available.
+ - **Show "via" tag**: Select (turn on).
When you're finished, click **Save**.
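Review bot: dropping "if this setting is available" from **Show "via" tag** is consistent with the removal of the availability note in `set-up-anti-phishing-policies.md` in this same change set, so the two articles stay in step. The new **Show first contact safety tip** bullet carries no `<sup>*</sup>` marker while the three impersonation bullets next to it do; confirm that the footnote legend (outside this hunk) still reads correctly with one unmarked safety-tip entry, so readers know the omission is deliberate rather than a typo.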
The following procedure describes how to configure the default anti-phishing pol
4. Click **Save** and then click **Close**
-For detailed instructions for configuring anti-phishing policies, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) and [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+For detailed instructions for configuring anti-phishing policies, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) and [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
## Part 3 - Anti-spam protection in EOP
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
If your subscription includes Microsoft Defender for Office 365 or if you've pur
### Anti-phishing policy settings in Microsoft Defender for Office 365
-EOP customers get basic anti-phishing as previously described, but Microsoft Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see [Configure anti-phishing policies in Defender for Office 365](configure-atp-anti-phishing-policies.md).
+EOP customers get basic anti-phishing as previously described, but Microsoft Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
#### Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
-For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure these settings, see [Configure anti-phishing policies in Defender for Office 365](configure-atp-anti-phishing-policies.md).
+For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure these settings, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
<br>
Note that these are the same settings that are available in [anti-spam policy se
#### Advanced settings in anti-phishing policies in Microsoft Defender for Office 365
-For more information about this setting, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure this setting, see [Configure anti-phishing policies in Defender for Office 365](configure-atp-anti-phishing-policies.md).
+For more information about this setting, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure this setting, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
<br>
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
To configure anti-phishing policies, see the following articles:
- [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) -- [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md)
+- [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md)
The rest of this article describes the settings that are available in anti-phishing policies in EOP and Defender for Office 365.
Unauthenticated sender settings are part of the [Spoof settings](#spoof-settings
- **Enable "via" tag?**<sup>\*</sup>: When this setting is turned on, the via tag (chris@contoso.com <u>via</u> fabrikam.com) is added in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards).
-> [!NOTE]
-> Currently, the **Enable "via" tag?** setting is not available in all organizations. If you don't have the **Enable "via" tag?** setting, the question mark **and** the via tag are both controlled by the **Enable unauthenticated sender question mark (?) symbol?** setting in your organization.
- To prevent the question mark or via tag from being added to messages from specific senders, you have the following options: - Allow the spoofed sender in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually in the [Tenant Allow/Block List](tenant-allow-block-list.md). Allowing the spoofed sender will prevent the via tag from appearing in messages from the sender when unauthenticated sender identification is disabled.
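Review bot: the removed note was the only text explaining the fallback when **Enable "via" tag?** is absent (both the question mark and the via tag being controlled by the question-mark setting). After its removal, the `<sup>*</sup>` on the `**Enable "via" tag?**` bullet in the context above still points at a footnote; confirm that footnote no longer says the setting is unavailable in some organizations, otherwise the article contradicts itself. Separately, the unchanged sentence "Allowing the spoofed sender will prevent the via tag from appearing in messages from the sender when unauthenticated sender identification is disabled" is ambiguous (if identification is disabled the tag would not appear anyway); state plainly which policy state is meant.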
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
Suppose that you want to see email messages that users in your organization repo
> [!div class="mx-imgBorder"] > ![User-reported phish](../../media/EmailUserReportedReportType.png)
-The report refreshes to show data about email messages that people in your organization reported as a phishing attempt. You can use this information to conduct further analysis, and, if necessary, adjust your [anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+The report refreshes to show data about email messages that people in your organization reported as a phishing attempt. You can use this information to conduct further analysis, and, if necessary, adjust your [anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
## Start automated investigation and response
security Tuning Anti Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tuning-anti-phishing.md
If your subscription includes Microsoft Defender for Office 365, you can use [Of
- [Safe Attachments in Microsoft Defender for Office 365](set-up-safe-attachments-policies.md) -- [Anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md). Note that you can temporarily increase the **Advanced phishing thresholds** in the policy from **Standard** to **Aggressive**, **More aggressive**, or **Most aggressive**.
+- [Anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md). Note that you can temporarily increase the **Advanced phishing thresholds** in the policy from **Standard** to **Aggressive**, **More aggressive**, or **Most aggressive**.
Verify these Defender for Office 365 features are turned on.
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
Title: View email security reports in the Microsoft 365 Defender portal
+ Title: View email security reports
f1.keywords: - NOCSH
search.appverid:
ms.assetid: 3a137e28-1174-42d5-99af-f18868b43e86 - M365-security-compliance
-description: Learn how to find and use email security reports for your organization. Email security reports are available in the Microsoft 365 Defender portal.
+description: Admins can learn how to find and use the email security reports that are available in the Microsoft 365 Defender portal.
ms.technology: mdo ms.prod: m365-security
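Review bot: the old front-matter line ` Title: View email security reports in the Microsoft 365 Defender portal` has no `-` marker in this rendering while the replacement has a `+`, so as shown the file would end up with two `Title:` keys; confirm the old line is actually removed. Shortening the title is fine because the new description still names the Microsoft 365 Defender portal.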
The **Compromised users** report shows shows the number of user accounts that we
The aggregate view shows data for the last 90 days and the detail view shows data for the last 30 days.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Compromised users**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/CompromisedUsers>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Compromised users** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/CompromisedUsers>.
-After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+On the **Compromised users** page, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
- **Date (UTC)**: **Start date** and **End date**. - **Activity**: - **Suspicious**: The user account has sent suspicious email and is at risk of being restricted from sending email. - **Restricted**: The user account has been restricted from sending email due to highly suspicious patterns.
-When you're finished filtering, click **Apply** or **Cancel**.
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
![Report view in the Compromised users report](../../media/compromised-users-report-activity-view.png)
-In the table below the graph, you can see the following details:
+In the details table below the graph, you can see the following details:
- **Creation time** - **User ID**
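Review bot: the section's lead sentence, visible as the hunk header "The **Compromised users** report shows shows the number of user accounts", has a doubled "shows"; this hunk rewrites the navigation, filter and table sentences of the same section, so fix that line too. The rest of the rewrite reads well, and "details table" is now used consistently with the later sections.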
In the table below the graph, you can see the following details:
The **Exchange transport rule** report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Exchange transport rule**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Exchange transport rule** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>.
![Exchange transport rule widget on the Email & collaboration reports page](../../media/transport-rule-report-widget.png)
-After you click **View details**, the following charts and data are available:
+On the **Exchange transport rule report** page, the available charts and data are described in the following sections.
-- **View data by Exchange transport rules** \> **Chart breakdown by Direction**: This chart shows the number of **Inbound** and **Outbound** messages that were affected by mail flow rules.
+### Chart breakdown by Direction
-- **View data by Exchange transport rules** \> **Chart breakdown by Severity**: This chart shows the number of **High severity**, **Medium severity**, and **Low severity** messages. You set the severity level as an action in the rule (**Audit this rule with severity level** or _SetAuditSeverity_). For more information, see [Mail flow rule actions in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions).
+![Direction view for Exchange Transport rules in the Exchange transport rule report](../../media/transport-rule-report-etr-direction-view.png)
-- **View data by DLP Exchange transport rules** \> **Chart breakdown by Direction**: This chart shows the number of **Inbound** and **Outbound** messages that were affected by data loss prevention (DLP) mail flow rules.
+If you select **Chart breakdown by Direction**, the follow charts are available:
-- **View data by DLP Exchange transport rules** \> **Chart breakdown by Severity**: This view shows the number of **High severity**, **Medium severity**, and **Low severity** messages that were affected by DLP mail flow rules.
+- **View data by Exchange transport rules**: The number of **Inbound** and **Outbound** messages that were affected by mail flow rules.
+- **View data by DLP Exchange transport rules**: The number of **Inbound** and **Outbound** messages that were affected by data loss prevention (DLP) mail flow rules.
-For **View data by Exchange transport rules** selections, the following information is shown in the details table below the graph:
+The following information is shown in the details table below the graph:
- **Date**
+- **DLP policy** (**View data by DLP Exchange transport rules** only)
- **Transport rule** - **Subject** - **Sender address**
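Review bot: "If you select **Chart breakdown by Direction**, the follow charts are available:" should read "the following charts are available" (the same typo is repeated in the Severity subsection added further down). The restructuring into per-breakdown subsections is clearer than the old four-bullet list, and "**DLP policy** (**View data by DLP Exchange transport rules** only)" correctly preserves the distinction the old separate table list carried.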
For **View data by Exchange transport rules** selections, the following informat
- **Severity** - **Direction**
-For **View data by DLP Exchange transport rules** selections, the following information is shown in the details table below the graph:
+You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+
+- **Date (UTC)** **Start date** and **End date**
+- **Direction**: **Outbound** and **Inbound**
+- **Severity**: **High severity**, **Medium severity**, and **Low severity**
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+
+### Chart breakdown by Severity
+
+![Severity view for Exchange Transport rules in the Exchange transport rule report](../../media/transport-rule-report-etr-severity-view.png)
+
+If you select **Chart breakdown by Severity**, the follow charts are available:
+
+- **View data by Exchange transport rules**: The number of **High severity**, **Medium severity**, and **Low severity** messages. You set the severity level as an action in the rule (**Audit this rule with severity level** or _SetAuditSeverity_). For more information, see [Mail flow rule actions in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions).
+
+- **View data by DLP Exchange transport rules**: The number of **High severity**, **Medium severity**, and **Low severity** messages that were affected by DLP mail flow rules.
+
+The following information is shown in the details table below the graph:
- **Date**-- **DLP policy**
+- **DLP policy** (**View data by DLP Exchange transport rules** only)
- **Transport rule** - **Subject** - **Sender address**
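Review bot: the added filter bullet `- **Date (UTC)** **Start date** and **End date**` is missing the colon that the same filter uses in the Compromised users section (`**Date (UTC)**: **Start date** and **End date**`); the same line recurs in the Severity subsection's filter list and in the Mailflow status defaults below. Also "If you select **Chart breakdown by Severity**, the follow charts are available:" repeats the "follow" for "following" typo. The filter list and the "When you're finished configuring the filters" sentence are now duplicated verbatim under both breakdowns; that is acceptable for a reference page, but a single "Filter the report" paragraph after the two subsections would be shorter and easier to keep in sync.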
For **View data by DLP Exchange transport rules** selections, the following info
You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears: -- **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Direction**: **Outbound** and **Inbound** - **Severity**: **High severity**, **Medium severity**, and **Low severity**
-![Report view in the Exchange transport rule report](../../media/transport-rule-report-report-view.png)
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+
+## Forwarding report
+
+> [!NOTE]
+> The **Forwarding report** is now available in the EAC. For more information, see [Auto forwarded messages report in the new EAC](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report).
## Mailflow status report The **Mailflow status report** is a smart report that shows information about incoming and outgoing email, spam detections, malware, email identified as "good", and information about email allowed or blocked on the edge. This is the only report that contains edge protection information, and shows just how much email is blocked before being allowed into the service for evaluation by Exchange Online Protection (EOP). It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Mailflow status summary**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/mailflowStatusReport>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Mailflow status summary** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/mailflowStatusReport>.
![Mailflow status summary widget on the Email & collaboration reports page](../../media/mail-flow-status-report-widget.png) ### Type view for the Mailflow status report
-When you open the report, the **Type** tab is selected by default. By default, this view contains a chart and a data table that's configured with the following filters:
+![Type view in the Mailflow status report](../../media/mail-flow-status-report-type-view.png)
-- **Date**: The last 7 days.
+On the **Mailflow status report** page, the **Type** tab is selected by default. By default, this view contains a chart and a details table that's configured with the following filters:
+
+- **Date (UTC)** The last 7 days.
- **Mail direction**: - **Inbound** - **Outbound**
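Review bot: the new filter entries at L1730 and L1748 drop the colon separator that every sibling entry keeps (`- **Direction**: **Outbound** and **Inbound**` at L1731, `- **Mail direction**:` at L1749), so `- **Date (UTC)** **Start date** and **End date**` renders as two bold runs with nothing between them. Suggest `- **Date (UTC)**: **Start date** and **End date**` and `- **Date (UTC)**: The last 7 days.`; the same pattern recurs at L1824, L1847 and throughout the **Threat protection status** filter lists, so apply the fix to every `+- **Date (UTC)**` line in the patch.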
When you open the report, the **Type** tab is selected by default. By default, t
The chart is organized by the **Type** values.
-You can change these filters by clicking **Filter** or by clicking a value in the chart legend.
+You can change these filters by clicking **Filter**.
-The data table contains the following information:
+The following information is shown in the details table below the graph:
- **Direction** - **Type**
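Review bot: L1753 (and the matching edit at L1764) removes "or by clicking a value in the chart legend" as a way to change the filters, but the unchanged **Funnel** view text at L1783 still tells readers "To view the email filtered by EOP or Defender for Office 365 separately, click on the value in the chart legend." If legend clicks no longer filter the report, L1783 needs the same update; if they still work in the **Type** and **Direction** views, keep the phrase rather than dropping documented behavior.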
For the detail view, you can only export data for one day. So, if you want to ex
Each exported .csv file is limited to 150,000 rows. If the data for that day contains more than 150,000 rows, then multiple .csv files will be created.
-![Type view in the Mailflow status report](../../media/mail-flow-status-report-type-view.png)
- ### Direction view for the Mailflow status report
+![Direction view in the Mailflow status report](../../media/mail-flow-status-report-direction-view.png)
+ If you click the **Direction** tab, the same default filters from the **Type** view are used. The chart is organized by **Direction** values.
-You can change these filters by clicking **Filter** or by clicking a value in the chart legend. The same filters from the **Type** view are used.
+You can change these filters by clicking **Filter**. The same filters from the **Type** view are used.
-The data table contains same information from the **Type** view.
+The details table contains same information from the **Type** view.
The **Choose a category for more details** available selections and behavior are the same as the **Type** view.
For the detail view, you can only export data for one day. So, if you want to ex
Each exported .csv file is limited to 150,000 rows. If the data for that day contains more than 150,000 rows, then multiple .csv files will be created.
-![Direction view in the Mailflow status report](../../media/mail-flow-status-report-direction-view.png)
- ### Funnel view for the Mailflow status report The **Funnel** view shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. It provides details on the total email count, and how the configured threat protection features, including edge protection, anti-malware, anti-phishing, anti-spam, and anti-spoofing affect this count.
-If you click the **Funnel** tab, by default, this view contains a chart and a data table that's configured with the following filters:
+![Funnel view in the Mailflow status report](../../media/mail-flow-status-report-funnel-view.png)
+
+If you click the **Funnel** tab, by default, this view contains a chart and a details table that's configured with the following filters:
- **Date**: The last 7 days. - **Direction**:- - **Inbound** - **Outbound** - **Intra-org**: This count is for messages sent within a tenant; i.e, sender abc@domain.com sends to recipient xyz@domain.com (counted separately from Inbound and Outbound).
-The aggregate view and data table view allow for 90 days of filtering.
+The aggregate view and details table view allow for 90 days of filtering.
-If you click **Filter**, you can filter both the chart and the data table.
+You can change these filters by clicking **Filter**. The same filters from the **Type** view are used.
This chart shows the email count organized by:
This chart shows the email count organized by:
To view the email filtered by EOP or Defender for Office 365 separately, click on the value in the chart legend.
-The data table contains the following information, shown in descending date order:
+The details table contains the following information, shown in descending date order:
- **Date** - **Total email**
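Review bot: L1780's new sentence "The same filters from the **Type** view are used" contradicts the default filters listed just above it at L1776, which include **Intra-org** as a third **Direction** value that the **Type** view defaults at L1749 (**Inbound** and **Outbound** only) do not have. Either drop the second sentence for the **Funnel** view or state that **Intra-org** is an additional value here. Also, L1776 and the details table column at L1786 still say **Date** while the **Type** view was renamed to **Date (UTC)** at L1748; rename them here too, since all of these views belong to one report.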
The data table contains the following information, shown in descending date orde
- **URL detonation**: Message filtered by a Safe Links policy. - **Post-delivery protection and ZAP (ATP), or ZAP (EOP)**: Zero-hour auto purge (ZAP) for malware, spam, and phishing.
-If you select a row in the data table, a further breakdown of the email counts are shown in the flyout.
+If you select a row in the details table, a further breakdown of the email counts are shown in the flyout.
#### Export from Funnel view
Under **Date**, choose a range, and then click **Apply**. Data for the current f
Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, then multiple .csv files will be created.
-![Funnel view in the Mailflow status report](../../media/mail-flow-status-report-funnel-view.png)
- ### Tech view for the Mailflow status report The **Tech view** is similar to the **Funnel** view, providing more granular details for the configured threat protections features. From the chart, you can see how messages are categorized at the different stages of threat protection.
-If you click the **Tech view** tab, by default, this view contains a chart and a data table that's configured with the following filters:
+If you click the **Tech view** tab, by default, this view contains a chart and a details table that's configured with the following filters:
- **Date**: The last 7 days. - **Direction**:- - **Inbound** - **Outbound** - **Intra-org**: this count is for messages within a tenant i.e sender abc@domain.com sends to recipient xyz@domain.com (counted separately from Inbound and Outbound)
-The aggregate view and data table view allow for 90 days of filtering.
+The aggregate view and details table view allow for 90 days of filtering.
-If you click **Filter**, you can filter both the chart and the data table.
+You can change these filters by clicking **Filter**. The same filters from the **Type** view are used.
This chart shows messages organized into the following categories:
This chart shows messages organized into the following categories:
When you hover over a category in the chart, you can see the number of messages in that category.
-The data table contains the following information, shown in descending date order:
+The details table contains the following information, shown in descending date order:
-- **Date**
+- **Date (UTC)**
- **Total email** - **Edge filtered** - **Rule messages**: Messages filtered due to mail flow rules (also known as transport rules).
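Review bot: the **Tech view** has the same two problems as the **Funnel** view: L1802 claims the **Type** view's filters are reused although L1798 lists **Intra-org**, which the **Type** view defaults lack, and L1798 keeps **Date** while L1809 renames the table column to **Date (UTC)**, so within one view the filter and the column it filters on now carry different names. Align L1798 with L1809 and qualify or remove the "same filters" sentence at L1802.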
The data table contains the following information, shown in descending date orde
<sup>\*</sup> Defender for Office 365
-If you select a row in the data table, a further breakdown of the email counts are shown in the flyout.
+If you select a row in the details table, a further breakdown of the email counts are shown in the flyout.
#### Export from Tech view
The **Malware detections report** report shows information about malware detecti
The aggregate view filter allows for 90 days, while the details table filter only allows for 10 days.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Malware detected in email**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/MalwareDetections>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Malware detected in email** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/MalwareDetections>.
![Malware detections in email widget on the Email & collaboration reports page](../../media/malware-detections-widget.png)
-After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting:
+On the **Malware detections report** page, you can filter both the chart and the details table by clicking **Filter** and selecting one of the following values:
-- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Direction**: **Inbound** and **Outbound** ![Report view in the Malware detection in email report](../../media/malware-detections-report-view.png)
The **Mail latency report** in Defender for Office 365 contains information on t
## Spam detections report > [!NOTE]
-> The **Spam detections report** will go away on June 30, 2021. The same information is available in the [Threat protection status report](#threat-protection-status-report).
+> The **Spam detections report** will eventually go away. The same information is available in the [Threat protection status report](#threat-protection-status-report).
## Spoof detections report
The aggregate view of the report allows for 45 days of filtering<sup>\*</sup>, w
<sup>\*</sup> Eventually, you'll be able to use up to 90 days of filtering.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Spoof detections**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReportV2>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Spoof detections** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReportV2>.
![Spoof detections widget on the Email & collaboration reports page](../../media/spoof-detections-widget.png)
+The chart shows the following information:
+
+- **Pass**
+- **Fail**
+- **SoftPass**
+- **None**
+- **Other**
+ When you hover over a day (data point) in the chart, you can see how many spoofed messages were detected and why.
-After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values:
+On the **Spoof mail report** page, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values:
-- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Result**: - **Pass** - **Fail**
After you click **View details**, you can filter both the chart and the details
![Spoof mail report page in the Microsoft 365 Defender portal](../../media/spoof-detections-report-page.png)
-In the table below the graph, you can see the following details:
+In the details table below the graph, you can see the following details:
- **Date** - **Spoofed user**
In the table below the graph, you can see the following details:
For more information about composite authentication result codes, see [Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md).
+## Submissions report
+
+The **Submissions** report shows information about items that admins have reported to Microsoft for analysis. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Submissions** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/adminSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click **Go to Submissions**.
+
+![Submissions widget on the Email & collaboration reports page](../../media/submissions-report-widget.png)
+
+The chart shows the following information:
+
+- **Pending**
+- **Completed**
+
+On the **Submissions** page, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values:
+
+- **Date reported**: **Start time** and **End time**
+- **Submission type**:
+ - **Email**
+ - **URL**
+ - **File**
+- **Submission ID**
+- **Network Message ID**
+- **Sender**
+- **Name**
+- **Submitted by**
+- **Reason for submitting**:
+ - **Not junk**
+ - **Phish**
+ - **Malware**
+ - **Spam**
+- **Rescan status**:
+ - **Pending**
+ - **Completed**
+
+The details table below the graph shows the same information and has the same **Group** or **Customize columns** options as on the **Submitted for analysis** tab at **Email & collaboration** \> **Submissions**. For more information, see [View admin submissions to Microsoft](admin-submission.md#view-admin-submissions-to-microsoft).
+
+![Submissions report page in the Microsoft 365 Defender portal](../../media/submissions-report-page.png)
+ ## Threat protection status report The **Threat protection status** report is available in both EOP and Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
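Review bot: in the **Submissions** filter list, L1871 uses the colon form and "time" (`**Date reported**: **Start time** and **End time**`) while the other date filters added in this patch are written `**Date (UTC)** **Start date** and **End date**` (L1847, L1904); pick one form for the whole article. L1869 also says readers select "one or more of the following values", but **Submission ID**, **Network Message ID**, **Sender**, **Name** and **Submitted by** (L1876 to L1880) are properties a reader types a value into rather than values picked from a list, so "one or more of the following filters" would be accurate.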
The report provides the count of email messages with malicious content, such as
**Note**: It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Threat protection status**, click **View details**. To go directly to the report, open one of the following URLs:
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Threat protection status** and then click **View details**. To go directly to the report, open one of the following URLs:
- Defender for Office 365: <https://security.microsoft.com/reports/TPSAggregateReportATP> - EOP: <https://security.microsoft.com/reports/TPSAggregateReport> ![Threat protection status widget on the Email & collaboration reports page](../../media/threat-protection-status-report-widget.png)
-By default, after you click **View details**, the chart shows data for the past 7 days. If you click **Filter**, you can select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days.
+By default, the chart shows data for the past 7 days. If you click **Filter** on the **Threat protection status report** page, you can select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days.
The available views are described in the following sections.
No details table is available below the chart.
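Review bot: L1900 should read "a 90-day date range" (hyphenated compound modifier). The line also now says "If you click **Filter** on the **Threat protection status report** page" although the previous sentence already establishes that page, so "If you click **Filter**, you can select a 90-day date range (trial subscriptions might be limited to 30 days)." is enough.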
If you click **Filter**, the following filters are available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Detection**: **Email malware**, **Email phish**, or **Content malware** - **Protected by**: **MDO** (Defender for Office 365) or **EOP** - **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
In the details table below the chart, the following information is available:
If you click **Filter**, the following filters are available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Detection** - **Protected by**: **MDO** (Defender for Office 365) or **EOP** - **Direction**
In the details table below the chart, the following information is available:
If you click **Filter**, the following filters are available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Detection** - **Protected by**: **MDO** (Defender for Office 365) or **EOP** - **Direction**
In the details table below the chart, the following information is available:
If you click **Filter**, the following filters are available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Detection** - **Protected by**: **MDO** (Defender for Office 365) or **EOP** - **Direction**
In the details table below the chart, the following information is available:
If you click **Filter**, the following filters are available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Detection** - **Protected by**: **MDO** (Defender for Office 365) or **EOP** - **Direction**
In the **View data by Content \> Malware** view, the following information is sh
In the details table below the chart, the following information is available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Location** - **Detected by** - **Malware name** If you click **Filter**, the following filters are available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Detection**: **Anti-malware engine** or **File detonation** When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
In the details table below the chart, the following information is available:
If you click **Filter**, the following filters are available: -- **Date**: **Start date** and **End date**
+- **Date (UTC)** **Start date** and **End date**
- **Detection** - **Protected by**: **MDO** (Defender for Office 365) or **EOP** - **Direction**
When you're finished configuring the filters, click **Apply**, **Cancel**, or **
The **Top malware** report shows the various kinds of malware that was detected by [anti-malware protection in EOP](anti-malware-protection.md).
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On **Top malware**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/TopMalware>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Top malware** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/TopMalware>.
![Top malware widget on the Email & collaboration reports page](../../media/top-malware-report-widget.png) When you hover over a wedge in the pie chart, you can see the name of a kind of malware and how many messages were detected as having that malware.
-After you click **View details**, a larger version of the pie chart is displayed on the report page.The details table below the chart shows the following information:
+On the **Top malware report** page, a larger version of the pie chart is displayed on the report page.The details table below the chart shows the following information:
- **Top malware** - **Count**
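Review bot: L1938 carries over the missing space in "report page.The details table" from the removed line and now says "page" twice ("On the **Top malware report** page, a larger version of the pie chart is displayed on the report page."). Suggest: "On the **Top malware report** page, a larger version of the pie chart is displayed. The details table below the chart shows the following information:".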
If you click **Filter**, you can specify a date range with **Start date** and **
## URL threat protection report
-The **URL threat protection report** is available in Microsoft Defender for Office 365. For more information, see [URL threat protection report](view-reports-for-mdo.md#url-threat-protection-report).
+The **URL threat protection report** is available only in Microsoft Defender for Office 365. For more information, see [URL threat protection report](view-reports-for-mdo.md#url-threat-protection-report).
## User reported messages report
The **URL threat protection report** is available in Microsoft Defender for Offi
The **User reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md).
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \>**Email & collaboration reports** \> **User reported messages**. On **User reported messages**, click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/userSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click **Go to Submissions**.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **User reported messages** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/userSubmissionReport>. To go to [admin submissions in the Microsoft 365 Defender portal](admin-submission.md), click **Go to Submissions**.
![User reported messages widget on the Email & collaboration reports page](../../media/user-reported-messages-widget.png)
-After you click **View details**, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+On the **User reported messages** page, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
- **Date reported**: **Start time** and **End time** - **Reported by**
To group the entries, click **Group** and select one of the following values fro
![User reported messages report](../../media/user-reported-messages-report.png)
-In the table below the graph, you can see the following details:
+In the details table below the graph, you can see the following details:
- **Email subject** - **Reported by**
security View Mail Flow Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-mail-flow-reports.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+> [!NOTE]
+> The majority of the reports that are described in this topic are available in the Exchange admin center (EAC). For more information, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports). The [Exchange transport rule report](view-email-security-reports.md#exchange-transport-rule-report) is available in the Microsoft 365 Defender portal.
+ In addition to the mail flow reports that are available in the [Mail flow dashboard](mail-flow-insights-v2.md) in the Security & Compliance Center, a variety of additional mail flow reports are available in the Reports dashboard to help you monitor your Microsoft 365 organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view these reports in the [Security & Compliance Center](https://protection.office.com) by going to **Reports** \> **Dashboard**. To go directly to the Reports dashboard, open <https://protection.office.com/insightdashboard>.
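Review bot: the new note at L1962 says most reports in this topic are now in the EAC, but the unchanged paragraph at L1963 still sends readers to the Security & Compliance Center at <https://protection.office.com/insightdashboard> to view them, so the two statements disagree about where the reports live. Update L1963 to point at the EAC (or say explicitly that it describes the previous location) so the note does not read as a correction of the sentence that follows it.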
Each exported .csv file is limited to 150,000 rows. If the data contains more th
## Sent and received email report
-The **Sent and received email** report is a smart report that shows information about incoming and outgoing email, including spam detections, malware, and email identified as "good." The difference between this report and the [Mailflow status report](#mailflow-status-report) is: this report doesn't include data about messages blocked by edge protection.It's important to understand that if a message is sent to five recipients we count it as one message.
+The **Sent and received email** report is a smart report that shows information about incoming and outgoing email, including spam detections, malware, and email identified as "good." The difference between this report and the [Mailflow status report](#mailflow-status-report) is: this report doesn't include data about messages blocked by edge protection.
+
+**Note**: It's important to understand that if a message is sent to five recipients we count it as one message.
The aggregate view and the detail view of the report allow for 90 days of filtering.
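Review bot: L1967 still says "The difference between this report and the Mailflow status report is:" (singular, edge protection only), but the note split out at L1969 counts a five-recipient message as one message, which is the opposite of the Mailflow status report's rule in the other article of this patch (L1739: "we count it as five different messages and not one message"). That counting rule is a second difference and the one most likely to confuse someone comparing totals between the two reports; mention it alongside the edge-protection difference at L1967 rather than only in the note.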
security View Reports For Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md
Title: View Defender for Office 365 reports in the Reports dashboard
+ Title: View Defender for Office 365 reports
f1.keywords: - CSH
ms.assetid: e47e838c-d99e-4c0b-b9aa-e66c4fae902f
- M365-security-compliance - m365initiative-defender-office365
-description: Find and use reports for Microsoft Defender for Office 365 in the Microsoft 365 Defender portal.
+description: Admins can learn how to find and use the Defender for Office 365 reports that are available in the Microsoft 365 Defender portal.
ms.technology: mdo ms.prod: m365-security
-# View Defender for Office 365 reports in the Reports dashboard in the Microsoft 365 Defender portal
+# View Defender for Office 365 reports in the Microsoft 365 Defender portal
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view these reports in the Microsoft 365 Defender portal by going to **Reports** \> **Email collaboration** \> **Email collaboration reports**. To go directly to the Reports dashboard, open <https://security.microsoft.com/emailandcollabreport>.
+Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view these reports in the Microsoft 365 Defender portal by going to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. To go directly to the **Email & collaboration reports** page, open <https://security.microsoft.com/emailandcollabreport>.
-![The Reports dashboard in the Microsoft 365 Defender portal](../../media/user-reported-messages.png)
-
-## Defender for Office 365 file types report
-
-The **Defender for Office 365 file types report** report shows you the type of files detected as malicious by [Safe Attachments](safe-attachments.md).
-
- The aggregate view of the report allows for 90 days of filtering, while the detail view only allows for 10 days of filtering.
-
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Dashboard** and select **Defender for Office 365 file types**. To go directly to the report, open <https://protection.office.com/reportv2?id=ATPFileReport>.
-
-![Defender for Office 365 file types widget in the Reports dashboard](../../media/atp-file-types-report-widget.png)
+![Email & collaboration reports page in the Microsoft 365 Defender portal](../../media/email-collaboration-reports.png)
> [!NOTE]
-> The information in this report is also available in the [Defender for Office 365 message disposition report](#defender-for-office-365-message-disposition-report).
-
-### Report view for the Defender for Office 365 file types report
-
-The following views are available:
--- **View data by: File**: The chart contains the following information:-
- - **Malicious Excel attachments**
- - **Malicious Flash attachments**
- - **Malicious PDF attachments**
- - **Malicious PowerPoint attachments**
- - **Malicious URLs**
- - **Malicious Word attachments**
- - **Malicious executable attachments**
- - **Others**
-
- When you hover over a particular day (data point), you can see the breakdown of types of malicious files that were detected by [Safe Attachments](safe-attachments.md) and [anti-malware protection in EOP](anti-malware-protection.md).
-
- ![File view in the Defender for Office 365 file types report](../../media/atp-file-types-report-file-view.png)
-
- If you click **Filters**, you can modify the report with the following filters:
-
- - **Start date** and **End date**
- - The same file type values that are visible in the chart.
--- **View data by: Message**: The chart contains the following information:-
- - **Block access**
- - **Messages replaced**
- - **Messages monitored**
- - **Replaced by Dynamic Email Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments.md#dynamic-delivery-in-safe-attachments-policies).
-
- ![Message view in the Defender for Office 365 file types report](../../media/atp-file-types-report-message-view.png)
-
- If you click **Filters**, you can modify the report with the following filters:
-
- - **Start date** and **End date**
- - The same message disposition values that are available in the chart, and the additional **Messages passed** value.
-
-### Details table view for the Defender for Office 365 file types report
-
-If you click **View details table**, the report provides a near-real-time view of all clicks that happen within the organization for the last 10 days. The information that's shown depends on the chart you were looking at:
--- **View data by: File**:
+>
+> Email security reports that don't require Defender for Office 365 are described in [View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md).
+>
+> Reports that are related to mail flow are now in the Exchange admin center (EAC). For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).
- - **Date**
- - **Recipient address**
- - **Sender address**
- - **Message ID**: Available in the **Message-ID** header field in the message header and should be unique. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).
- - **File**
-
- If you click **Filters**, you can modify the report with the following filters:
-
- - **Start date** and **End date**
- - The same file type values that are visible in the chart.
--- **View data by: Message**:-
- - **Date**
- - **Recipient address**
- - **Sender address**
- - **Message ID**
- - **File**
- - **Subject**
-
- If you click **Filters**, you can modify the results with the following filters:
-
- - **Start date** and **End date**
- - The same message disposition values that are available in the chart, and the additional **Messages passed** value.
-
-To get back to the reports view, click **View report**.
-
-## Defender for Office 365 message disposition report
-
-The **ATP Message Disposition** report shows you the actions that were taken for email messages that were detected as having malicious content.
-
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and select **Defender for Office 365 message disposition**. To go directly to the report, open <https://protection.office.com/reportv2?id=ATPMessageReport>.
-
-![Defender for Office 365 message disposition widget in the Reports dashboard](../../media/atp-message-disposition-report-widget.png)
+## Safe Attachments file types report
> [!NOTE]
-> The information in this report is also available in the [Defender for Office 365 file types report](#defender-for-office-365-file-types-report).
-
-### Report view for the Defender for Office 365 message disposition report
-
-The following views are available:
--- **View data by: Message**: The chart contains the following information:-
- - **Block access**
- - **Messages replaced**
- - **Messages monitored**
- - **Replaced by Dynamic Email Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments.md#dynamic-delivery-in-safe-attachments-policies).
-
- ![Message view in the Defender for Office 365 file types report](../../media/atp-file-types-report-message-view.png)
-
- If you click **Filters**, you can modify the report with the following filters:
-
- - **Start date** and **End date**
- - The same message disposition values that are available in the chart, and the additional **Messages passed** value.
--- **View data by: File**: The chart contains the following information:-
- - **Malicious Excel attachments**
- - **Malicious Flash attachments**
- - **Malicious PDF attachments**
- - **Malicious PowerPoint attachments**
- - **Malicious URLs**
- - **Malicious Word attachments**
- - **Malicious executable attachments**
- - **Others**
+> The **Safe Attachments file types report** will eventually go away. The same information is available in the [Threat protection status report](#threat-protection-status-report).
- When you hover over a particular day (data point), you can see the breakdown of types of malicious files that were detected by [Safe Attachments](safe-attachments.md) and [anti-malware protection in EOP](anti-malware-protection.md).
+## Safe Attachments message disposition report
- ![File view in the Defender for Office 365 file types report](../../media/atp-file-types-report-file-view.png)
-
- If you click **Filters**, you can modify the report with the following filters:
-
- - **Start date** and **End date**
- - The same file type values that are visible in the chart.
-
-### Details table view for the Defender for Office 365 message disposition report
-
-If you click **View details table**, the report provides a near-real-time view of all clicks that happen within the organization for the last 10 days. The information that's shown depends on the chart you were looking at:
--- **View data by: Message**:-
- - **Date**
- - **Recipient address**
- - **Sender address**
- - **Message ID**
- - **File**
- - **Subject**
-
- If you click **Filters**, you can modify the results with the following filters:
-
- - **Start date** and **End date**
- - The same message disposition values that are available in the chart, and the additional **Messages passed** value.
--- **View data by: File**:-
- - **Date**
- - **Recipient address**
- - **Sender address**
- - **Message ID**
- - **File**
-
- If you click **Filters**, you can modify the report with the following filters:
-
- - **Start date** and **End date**
- - The same file type values that are visible in the chart.
-
-To get back to the reports view, click **View report**.
+> [!NOTE]
+> The **Safe Attachments message disposition report** will eventually go away. The same information is available in the [Threat protection status report](#threat-protection-status-report).
## Mail latency report
-The **Mail latency report** shows you an aggregate view of the mail delivery and detonation latency experienced within your organization. Mail delivery times in the service are affected by a number of factors, and the absolute delivery time in seconds is often not a good indicator of success or a problem. A slow delivery time on one day might be considered an average delivery time on another day, or vice-versa. The **Mail latency report** tries to qualify message delivery based on statistical data about the observed delivery times of other messages:
--- **50th percentile**: This is the middle for message delivery times. You can consider this value as an average delivery time.-- **90th percentile**: This indicates a high latency for message delivery. Only 10% of messages took longer than this value to deliver.-- **99th percentile**: This indicates the highest latency for message delivery.
+The **Mail latency report** shows you an aggregate view of the mail delivery and detonation latency experienced within your organization. Mail delivery times in the service are affected by a number of factors, and the absolute delivery time in seconds is often not a good indicator of success or a problem. A slow delivery time on one day might be considered an average delivery time on another day, or vice-versa. This tries to qualify message delivery based on statistical data about the observed delivery times of other messages.
Client side and network latency are not included.
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Mail latency report**. To go directly to the report, open <https://security.microsoft.com/mailLatencyReport>.
-
-![Mail latency report widget in the Reports dashboard](../../media/mail-latency-report-widget.png)
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Mail latency report** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/mailLatencyReport>.
-### Report view for the Mail latency report
+![Mail latency report widget on the Email & collaboration reports page](../../media/mail-latency-report-widget.png)
-When you open the report, the **50th percentiles** tab is selected by default.
+On the **Mail latency report** page, the following tabs are available on the **Mail latency report** page:
-By default, this view contains a chart that's configured with the following filters:
--- **Date**: The last 7 days-- **Message View**:
- - Detonated messages
+- **50th percentile**: This is the middle for message delivery times. You can consider this value as an average delivery time. This tab is selected by default.
+- **90th percentile**: This indicates a high latency for message delivery. Only 10% of messages took longer than this value to deliver.
+- **99th percentile**: This indicates the highest latency for message delivery.
-This chart shows messages organized into the following categories:
+Regardless of the tab you select, the chart shows messages organized into the following categories:
- **Mail delivery latency**-- **Detonation latency**
+- **Detonations**
When you hover over a category in the chart, you can see a breakdown of the latency in each category.
-![Mail latency report](../../media/mail-latency-report.png)
-
-If you click **Filter** in the report view, you can modify the results with the following filters:
+![50th percentiles view of the Mail latency report](../../media/mail-latency-report-50th-percentile-view.png)
-- All messages-- Messages that contain attachments or URLs
+If you click **Filter**, you can filter both the chart and the details table by the following values:
-If you click the **90th percentiles** tab or the **99th percentiles** tab, the same default filters from the **50th percentiles** view are used.
+- **Date (UTC)**: **Start date** and **End date**
+- **Message view**: One of the following values:
+ - **All messages**
+ - **Messages that contain attachments or URLs**
+ - **Detonated messages**
-### Details table view for the Mail latency report
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
-The following information is shown in the details table view:
+In the details table below the chart, the following information is available:
-- **Date**-- **Percentiles**
+- **Date (UTC)**
+- **Percentiles**: **50**, **90**, or **99**
- **Message count** - **Overall latency**
-![Mail latency report details](../../media/mail-latency-report-details.png)
-
-The above shows that on November 14 the average latency experienced for all messages delivered and detonated was **108.033** seconds.
-
-The details table contains the same information on each tab.
- ## Threat protection status report The **Threat protection status** report is a single view that brings together information about malicious content and malicious email detected and blocked by [Exchange Online Protection](exchange-online-protection-overview.md) (EOP) and Microsoft Defender for Office 365. For more information, see [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).
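Review bot: the new line `+On the **Mail latency report** page, the following tabs are available on the **Mail latency report** page:` repeats its own prepositional phrase; keep one occurrence ("On the **Mail latency report** page, the following tabs are available:"). Two further points in the same region. First, the rewritten paragraph now ends "This tries to qualify message delivery based on statistical data..." after "The **Mail latency report**" was removed as the subject, so "This" has no antecedent; "The report tries to qualify..." reads cleanly. Second, the percentile tab descriptions are imprecise for anyone using them to set delivery or detonation SLOs: the 50th percentile is the median, not an average, so "You can consider this value as a typical delivery time" is more accurate than "an average delivery time", and the 99th percentile line would be clearer mirroring the 90th ("Only 1% of messages took longer than this value to deliver") rather than calling it "the highest latency", which it is not.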
The **Threat protection status** report is a single view that brings together in
The **URL threat protection report** provides summary and trend views for threats detected and actions taken on URL clicks as part of [Safe Links](safe-links.md). This report will not have click data from users where the Safe Links policy applied has the **Do not track user clicks** option selected.
-To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **URL protection report**. To go directly to the report, open <https://security.microsoft.com/reports/URLProtectionActionReport>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **URL protection page** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/URLProtectionActionReport>.
-![URL protection report widget in the Reports dashboard](../../media/url-protection-report-widget.png)
+![URL protection report widget on the Email & collaboration reports page](../../media/url-protection-report-widget.png)
+
+The available views on the **URL threat protection** report page are described in the following sections.
> [!NOTE]
-> This is a *protection trend report*, meaning data represents trends in a larger dataset. As a result, the data in the aggregate view is not available in real time here, but the data in the details table view is, so you may see a slight discrepancy between the two views.
+> This is a *protection trend report*, meaning data represents trends in a larger dataset. As a result, the data in the charts is not available in real time here, but the data in the details table is, so you may see a slight discrepancy between the two. The charts are refreshed once every four hours and contain data for the last 90 days.
+
+### View data by URL click protection action
+
+![URL click protection action view in the URL threat protection report](../../media/url-threat-protection-report-url-click-protection-action-view.png)
+
+The **View data by URL click protection action** view shows the number of URL clicks by users in the organization and the results of the click:
+
+- **Allowed**: The user was allowed to navigate to the URL.
+- **Blocked**: The user was blocked from navigating to the URL.
+- **Blocked and clicked through**: The user has chosen to continue navigating to the URL.
+- **Clicked through during scan**: The user has clicked on the link before the scan was complete.
-### Report view for the URL threat protection report
+A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies).
-The **URL threat protection** report has two aggregated views that are refreshed once every four hours that shows data for the last 90 days:
+If you click **Filters**, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears:
-- **URL click protection action**: Shows the number of URL clicks by users in the organization and the results of the click:
+- **Date (UTC)**: **Start date** and **End date**
+- **Detection**:
+ - **Allowed**
+ - **Blocked**
+ - **Blocked and clicked through**
+ - **Clicked through during scan**
+- **Domains**: The URL domains listed in the report results.
+- **Recipients**
- - **Blocked** (the user was blocked from navigating to the URL)
- - **Blocked and clicked through** (the user has chosen to continue navigating to the URL)
- - **Clicked through during scan** (the user has clicked on the link before the scan was complete)
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
- A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies).
+The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 7 days:
- If you click **Filters**, you can modify the report with the following filters:
+- **Click time**
+- **User**
+- **URL**
+- **Action**
+- **App**
- - **Start date** and **End date**
- - The available click protection actions, plus the value **Allowed** (the user was allowed to navigate to the URL).
+### View data by URL click by application
- ![URL click protection action view in the URL threat protection report](../../media/url-threat-protection-report-url-click-protection-action-view.png)
+![URL click by application view in the URL threat protection report](../../media/url-threat-protection-report-url-click-by-application-view.png)
-- **URL click by application**: Shows the number of URL clicks by applications that support Safe Links:
+The **View data by URL click by application** view shows the number of URL clicks by apps that support Safe Links:
- - **Email client**
- - **PowerPoint**
- - **Word**
- - **Excel**
- - **OneNote**
- - **Visio**
- - **Teams**
- - **Other**
+- **Email client**
+- **PowerPoint**
+- **Word**
+- **Excel**
+- **OneNote**
+- **Visio**
+- **Teams**
+- **Others**
- If you click **Filters**, you can modify the report with the following filters:
+If you click **Filters**, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears:
- - **Start date** and **End date**
- - The available applications.
+- **Date (UTC)**: **Start date** and **End date**
+- **Detection**: Available apps from the chart.
+- **Domains**: The URL domains listed in the report results.
+- **Recipients**
-### Details table view for the URL threat protection report
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
-If you click **View details table**, the report provides a near-real-time view of all clicks that happen within the organization for the last 7 days with the following details:
+The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 7 days:
- **Click time** - **User**
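Review bot: the navigation sentence `+... find **URL protection page** and then click **View details**.` names the widget "URL protection page", but the image alt text on the next line and the rest of this section call it the "URL protection report"; use the report name. Two related points. The sentence `+A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies).` used to sit directly under the three click-through values, but it now follows a four-item list that also contains **Allowed**, so "A click" no longer says which value it explains; tie it to the value, e.g. "**Blocked and clicked through** indicates that the user...". Finally, in the by-application view the filter list reads `+- **Detection**: Available apps from the chart.`, which looks copied from the protection-action view; confirm the flyout label in that view really is **Detection** rather than an application or app-name label before the page ships.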
If you click **View details table**, the report provides a near-real-time view o
- **Action** - **App**
-If you click **Filters** in the details table view, you can filter by the same criteria as in the report view, and also by **Domains** or **Recipients** separated by commas.
-
-> [!NOTE]
-> The **Domains** filter refers to the URL domain listed in the report results.
-
-To get back to the reports view, click **View report**.
- ## Additional reports to view In addition to the reports described in this article, several other reports are available, as described in the following table:
+<br>
+ **** |Report|Topic| ||| |**Explorer** (Microsoft Defender for Office 365 Plan 2) or **real-time detections** (Microsoft Defender for Office 365 Plan 1)|[Threat Explorer (and real-time detections)](threat-explorer.md)| |**Email security reports**, such as the Top senders and recipients report, the Spoof mail report, and the Spam detections report.|[View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md)|
-|**Mail flow reports**, such as the Forwarding report, the Mailflow status report, and the Top senders and recipients report.|[View mail flow reports in the Microsoft 365 Defender portal](view-mail-flow-reports.md)|
+|**Mail flow reports**, such as the Forwarding report, the Mailflow status report, and the Top senders and recipients report.|[Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)|
|**URL trace for Safe Links** (PowerShell only). The output of this cmdlet shows you the results of Safe Links actions over the past seven days.|[Get-UrlTrace](/powershell/module/exchange/get-urltrace)| |**Mail traffic results for EOP and Microsoft Defender for Office 365** (PowerShell only). The output of this cmdlet contains information about Domain, Date, Event Type, Direction, Action, and Message Count.|[Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport)| |**Mail detail reports for EOP and Defender for Office 365 detections** (PowerShell only). The output of this cmdlet contains details about malicious files or URLs, phishing attempts, impersonation, and other potential threats in email or files.|[Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|
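Review bot: the "Top senders and recipients report" now appears in both the **Email security reports** row and the **Mail flow reports** row of the table, and after this change the two rows point at different products (the Microsoft 365 Defender portal article versus the Exchange admin center article); list it only in the row whose target actually hosts it. Two smaller points. The deleted paragraph `-If you click **Filters** in the details table view, you can filter by the same criteria as in the report view, and also by **Domains** or **Recipients** separated by commas.` was the only place that told readers multiple domains or recipients are entered comma-separated, and the new filter lists above keep **Domains** and **Recipients** but drop that detail; either restore it there or confirm the flyout no longer accepts comma-separated values. Also, the inserted `+<br>` and `+ ****` lines ahead of the table are raw HTML and, in CommonMark, a line of four asterisks is a thematic break (horizontal rule); if the intent is only table spacing, a blank line is the safer choice, otherwise confirm the docs build renders these as intended.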
security Walkthrough Spoof Intelligence Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
You can manage spoof intelligence in the Security & Compliance Center, or in Pow
- You can enable, disable, and configure the spoof intelligence settings in anti-phishing policies. For instructions based on your subscription, see one of the following topics: - [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
- - [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+ - [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
- For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).
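Review bot: the link target changes from `configure-atp-anti-phishing-policies.md` to `configure-mdo-anti-phishing-policies.md`, so if the target file was renamed rather than copied, make sure a redirect entry exists for the old path and that the other articles in this set that still link to the ATP filename are updated in the same change; otherwise readers following older bookmarks or cross-references to the Defender for Office 365 anti-phishing policy instructions land on a missing page.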