Updates from: 06/24/2021 03:13:33
Category Microsoft Docs article Related commit history on GitHub Change details
admin About The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/about-the-admin-center.md
If you found this video helpful, check out the [complete training series for sma
Here are the features and settings you'll find in the left-hand navigation of the admin center. Learn more about admin tasks in [admin help](../../business-video/admin-center-overview.md).
-|**Menu**|**What it's for**|
+| Menu | What it's for |
|--|--| |**Home** <br/> |This is the landing page in the admin center. You'll see where to manage users, billing, service health, and reports. <br/> | |**Users** <br/> |Create and manage users in your organization, like employees or students. You can also set their permission level or reset their passwords. <br/> |
admin Manage Feedback Ms Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-feedback-ms-org.md
Your devices must be on a minimum build number to use these policies. See the ta
## Configure policies
-1. Go to [https://config.office.com](https://config.office.com) and login as a user with global admin permissions.
+1. Go to [https://config.office.com](https://config.office.com) and login.
1. Select **Customization** then **Policy Management**. 1. Select **Create**. 1. Enter **name** and **description**.
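Review bot: Step 1 of "Configure policies" no longer says which role the signing-in account needs; the removed text named global admin permissions and the replacement names nothing. If a lower-privileged role is now sufficient, state that role so readers don't default to a global admin account; if global admin is still required, keep the requirement. "login" is also used as a verb here; "sign in" reads better.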
admin Password Policy Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/password-policy-recommendations.md
Good password practices fall into a few broad categories:
The primary goal of a more secure password system is password diversity. You want your password policy to contain lots of different and hard to guess passwords. Here are a few recommendations for keeping your organization as secure as possible. -- Maintain an 8-character minimum length requirement (longer isn't necessarily better)
+- Maintain an 8-character minimum length requirement
- Don't require character composition requirements. For example, \*&amp;(^%$
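Review bot: In the recommendations list, the `+` bullet drops "(longer isn't necessarily better)" and puts nothing in its place, so the bullet now reads as a plain minimum with no reason given for stopping at 8 characters. Keep a short rationale in the bullet or point the reader to the recommended-reading links for it.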
Risk-based multi-factor authentication ensures that when our system detects susp
Want to know more about managing passwords? Here is some recommended reading:
+- [Forget passwords, go passwordless](https://www.microsoft.com/security/business/identity-access-management/passwordless-authentication)
+ - [Microsoft Password Guidance](https://www.microsoft.com/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf) - [Do Strong Web Passwords Accomplish Anything?](https://go.microsoft.com/fwlink/p/?linkid=861008)
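Review bot: In the recommended-reading list, the second `+` line re-adds the "Microsoft Password Guidance" entry with a leading space before its dash, which can render it as a child of the new passwordless bullet instead of a sibling; align it with the other items. The lead-in still describes the list as reading about "managing passwords", so a few words on the new entry saying it covers moving away from passwords would help.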
compliance Archive 17A 4 Blackberry Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-blackberry-data.md
+
+ Title: "Set up a connector to archive BlackBerry data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 BlackBerry DataParser connector to import and archive BlackBerry data in Microsoft 365."
++
+# Set up a connector to archive BlackBerry data (preview)
+
+Use the [BlackBerry DataParser](https://www.17a-4.com/BlackBerry-dataparser/) from 17a-4 LLC to import and archive BlackBerry enterprise data to user mailboxes in your Microsoft 365 organization. The DataParser includes a BlackBerry connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The BlackBerry DataParser connector converts BlackBerry data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After BlackBerry data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a BlackBerry connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving BlackBerry data
+
+The following overview explains the process of using a data connector to archive BlackBerry data in Microsoft 365.
+
+![Archiving workflow for BlackBerry data from 17a-4](../media/BlackBerryDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the BlackBerry DataParser.
+
+2. On a regular basis, BlackBerry items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The BlackBerry DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **BlackBerry DataParser** is created in the user mailboxes, and the BlackBerry items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every BlackBerry item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the BlackBerry DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a BlackBerry DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for BlackBerry data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **BlackBerry DataParser**.
+
+2. On the **BlackBerry DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the BlackBerry DataParser connection wizard.
+
+## Step 2: Configure the BlackBerry DataParser connector
+
+Work with 17a-4 Support to configure the BlackBerry DataParser connector.
+
+## Step 3: Map users
+
+The BlackBerry DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the BlackBerry DataParser connector
+
+After you create a BlackBerry DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the BlackBerry DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
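Review bot: In "Before you set up a connector", the second bullet offers adding the Mailbox Import Export role to the Organization Management role group as the first option, which gives the role to every member of that group. Lead with the dedicated role group ("create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members") and present the Organization Management route as the fallback, so that only the accounts that create connectors hold the role.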
compliance Archive 17A 4 Bloomberg Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-bloomberg-data.md
+
+ Title: "Set up a connector to archive Bloomberg data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Bloomberg DataParser connector to import and archive Bloomberg data in Microsoft 365."
++
+# Set up a connector to archive Bloomberg data (preview)
+
+Use the [Bloomberg DataParser](https://www.17a-4.com/Bloomberg-dataparser/) from 17a-4 LLC to import and archive data from Bloomberg to user mailboxes in your Microsoft 365 organization. The DataParser includes a Bloomberg connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Bloomberg DataParser connector converts Bloomberg data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Bloomberg data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Bloomberg connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Bloomberg data
+
+The following overview explains the process of using a data connector to archive Bloomberg data in Microsoft 365.
+
+![Archiving workflow for Bloomberg data from 17a-4](../media/BloombergDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Bloomberg DataParser.
+
+2. On a regular basis, Bloomberg items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Bloomberg DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Bloomberg DataParser** is created in the user mailboxes, and the Bloomberg items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Bloomberg item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Bloomberg DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Bloomberg DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Bloomberg data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Bloomberg DataParser**.
+
+2. On the **Bloomberg DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Bloomberg DataParser connection wizard.
+
+## Step 2: Configure the Bloomberg DataParser connector
+
+Work with 17a-4 Support to configure the Bloomberg DataParser connector.
+
+## Step 3: Map users
+
+The Bloomberg DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Bloomberg DataParser connector
+
+After you create a Bloomberg DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Bloomberg DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
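Review bot: The role prerequisite in "Before you set up a connector" says the user "creates the Bloomberg DataParser connector in Step 1 (and completes it in Step 3)", but Step 3 in this file is "Map users" and is described as automatic, with no action for that user. Correct the step reference, or state what the user does in Step 3 that needs the Mailbox Import Export role. In Step 1, "access to the Data connectors page" should be "access the Data connectors page".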
compliance Archive 17A 4 Cisco Jabber Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-cisco-jabber-data.md
+
+ Title: "Set up a connector to archive Cisco Jabber data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Cisco Jabber DataParser connector to import and archive Cisco Jabber data in Microsoft 365."
++
+# Set up a connector to archive Cisco Jabber data (preview)
+
+Use the [Cisco Jabber DataParser](https://www.17a-4.com/jabber-dataparser/) from 17a-4 LLC to import and archive data from Cisco Jabber to user mailboxes in your Microsoft 365 organization. The DataParser includes a Cisco Jabber connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Cisco Jabber DataParser connector converts Cisco Jabber data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Cisco Jabber data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Cisco Jabber connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Cisco Jabber data
+
+The following overview explains the process of using a data connector to archive Cisco Jabber data in Microsoft 365.
+
+![Archiving workflow for Cisco Jabber data from 17a-4](../media/CiscoJabberDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Cisco Jabber DataParser.
+
+2. On a regular basis, Cisco Jabber items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Cisco Jabber DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Cisco Jabber DataParser** is created in the user mailboxes, and the Cisco Jabber items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Cisco Jabber item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Cisco Jabber DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Cisco Jabber DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Cisco Jabber data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Cisco Jabber DataParser**.
+
+2. On the **Cisco Jabber DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Cisco Jabber DataParser connection wizard.
+
+## Step 2: Configure the Cisco Jabber DataParser connector
+
+Work with 17a-4 Support to configure the Cisco Jabber DataParser connector.
+
+## Step 3: Map users
+
+The Cisco Jabber DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Cisco Jabber DataParser connector
+
+After you create a Cisco Jabber DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Cisco Jabber DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
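Review bot: "Known issues" reads two ways: either attachments are not imported at all, or only attachments and items larger than 10 MB are left out. Say which, and say what happens to an affected item (skipped, imported without the attachment, recorded in the Step 4 status log), because the introduction positions this connector for Litigation Hold, eDiscovery and retention, and readers need to know what is missing from the mailbox copy.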
compliance Archive 17A 4 Factset Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-factset-data.md
+
+ Title: "Set up a connector to archive FactSet data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 FactSet DataParser connector to import and archive FactSet data in Microsoft 365."
++
+# Set up a connector to archive FactSet data (preview)
+
+Use the [FactSet DataParser](https://www.17a-4.com/factset-dataparser/) from 17a-4 LLC to import and archive data from the FactSet platform to user mailboxes in your Microsoft 365 organization. The DataParser includes a FactSet connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The FactSet DataParser connector converts FactSet data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After FactSet data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a FactSet connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving FactSet data
+
+The following overview explains the process of using a data connector to archive FactSet data in Microsoft 365.
+
+![Archiving workflow for FactSet data from 17a-4](../media/FactSetDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the FactSet DataParser.
+
+2. On a regular basis, FactSet items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The FactSet DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **FactSet DataParser** is created in the user mailboxes, and the FactSet items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every FactSet item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the FactSet DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a FactSet DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for FactSet data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **FactSet DataParser**.
+
+2. On the **FactSet DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the FactSet DataParser connection wizard.
+
+## Step 2: Configure the FactSet DataParser connector
+
+Work with 17a-4 Support to configure the FactSet DataParser connector.
+
+## Step 3: Map users
+
+The FactSet DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the FactSet DataParser connector
+
+After you create a FactSet DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the FactSet DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
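Review bot: Step 4, item 3 says the downloaded status log "contains data that has been imported to the Microsoft cloud", which does not tell the admin whether the file holds message content or only status and counts. State what the log contains, since the link opens or saves the file on the admin's machine, outside the mailboxes where the retention and hold features described in the introduction apply.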
compliance Archive 17A 4 Fuze Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fuze-data.md
+
+ Title: "Set up a connector to archive Fuze data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Fuze DataParser connector to import and archive Fuze data in Microsoft 365."
++
+# Set up a connector to archive Fuze data (preview)
+
+Use the [Fuze DataParser](https://www.17a-4.com/fuze-dataparser/) from 17a-4 LLC to import and archive data from Fuze to user mailboxes in your Microsoft 365 organization. The DataParser includes a Fuze connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Fuze DataParser connector converts Fuze data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Fuze data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Fuze connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Fuze data
+
+The following overview explains the process of using a data connector to archive Fuze data in Microsoft 365.
+
+![Archiving workflow for Fuze data from 17a-4](../media/FuzeDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Fuze DataParser.
+
+2. On a regular basis, Fuze items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Fuze DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Fuze DataParser** is created in the user mailboxes, and the Fuze items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Fuze item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Fuze DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Fuze DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Fuze data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Fuze DataParser**.
+
+2. On the **Fuze DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Fuze DataParser connection wizard.
+
+## Step 2: Configure the Fuze DataParser connector
+
+Work with 17a-4 Support to configure the Fuze DataParser connector.
+
+## Step 3: Map users
+
+The Fuze DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Fuze DataParser connector
+
+After you create a Fuze DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Fuze DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
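Review bot: Overview item 4 says the *Email* property holds "the email address of every participant" and Step 3 says users are mapped automatically, but neither says what happens when a participant address has no matching Microsoft 365 mailbox. Add a sentence on unmatched addresses (whether the item is skipped or imported only to the mailboxes that match, and whether that is logged), and say whether an item with several participants is imported to each of their mailboxes.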
compliance Archive 17A 4 Fxconnect Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fxconnect-data.md
+
+ Title: "Set up a 17a-4 DataParser connector to archive FX Connect data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 FX Connect DataParser connector to import and archive FX Connect data in Microsoft 365."
++
+# Set up a connector to archive FX Connect data (preview)
+
+Use the [FX Connect DataParser](https://www.17a-4.com/dataparser-roadmap/) from 17a-4 LLC to import and archive data from FX Connect to user mailboxes in your Microsoft 365 organization. The DataParser includes a FX Connect connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The FX Connect DataParser connector converts FX Connect data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After FX Connect data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a FX Connect connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving FX Connect data
+
+The following overview explains the process of using a data connector to archive FX Connect data in Microsoft 365.
+
+![Archiving workflow for FX Connect data from 17a-4](../media/FXConnectDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the FX Connect DataParser.
+
+2. On a regular basis, FX Connect items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The FX Connect DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **FX Connect DataParser** is created in the user mailboxes, and the FX Connect items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every FX Connect item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the FX Connect DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a FX Connect DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for FX Connect data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **FX Connect DataParser**.
+
+2. On the **FX Connect DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the FX Connect DataParser connection wizard.
+
+## Step 2: Configure the FX Connect DataParser connector
+
+Work with 17a-4 Support to configure the FX Connect DataParser connector.
+
+## Step 3: Map users
+
+The FX Connect DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the FX Connect DataParser connector
+
+After you create a FX Connect DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the FX Connect DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
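Review bot: The "Known issues" sentence that closes this file is ambiguous and leaves a compliance gap undocumented. "importing attachments or items that are larger than 10 MB" can be read as no attachments at all or as only attachments over 10 MB, and nothing says what happens to an item that is skipped. Since the article positions this archive for Litigation Hold and eDiscovery, state which reading is intended and whether skipped items are recorded in the status log described in Step 4, so an admin can tell when the archive is incomplete. Separately, the intro link targets https://www.17a-4.com/dataparser-roadmap/; confirm that a roadmap page is the intended destination for the "FX Connect DataParser" link text.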
compliance Archive 17A 4 Ice Im Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-ice-im-data.md
+
+ Title: "Set up a connector to archive ICE Connect Chat data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 ICE Connect Chat DataParser connector to import and archive ICE Connect Chat data in Microsoft 365."
++
+# Set up a connector to archive ICE Connect Chat data (preview)
+
+Use the [ICE DataParser](https://www.17a-4.com/ice-dataparser/) from 17a-4 LLC to import and archive data from ICE Connect Chat to user mailboxes in your Microsoft 365 organization. The DataParser includes an ICE Chat connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The ICE DataParser connector converts ICE Connect Chat data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After ICE Connect Chat data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using an ICE DataParser connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving ICE Chat data
+
+The following overview explains the process of using a data connector to archive ICE Connect Chat data in Microsoft 365.
+
+![Archiving workflow for ICE Connect Chat data from 17a-4](../media/ICEChatDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the ICE DataParser.
+
+2. On a regular basis, ICE Connect Chat items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The ICE DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **ICE DataParser** is created in the user mailboxes, and the ICE Connect Chat items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every ICE Connect Chat item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the ICE DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up an ICE DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for ICE Connect Chat data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **ICE DataParser**.
+
+2. On the **ICE DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the ICE DataParser connection wizard.
+
+## Step 2: Configure the ICE DataParser connector
+
+Work with 17a-4 Support to configure the ICE DataParser connector.
+
+## Step 3: Map users
+
+The ICE DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the ICE DataParser connector
+
+After you create an ICE DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the ICE DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
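Review bot: Product naming is inconsistent in this file. The title, description and most of the body say "ICE Connect Chat", but the second sentence of the intro says "an ICE Chat connector" and the overview heading is "Overview of archiving ICE Chat data". Pick one name (the title uses "ICE Connect Chat") and use it throughout, so readers are not left wondering whether two different data sources are being described.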
compliance Archive 17A 4 Investedge Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-investedge-data.md
+
+ Title: "Set up a connector to archive InvestEdge data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 InvestEdge DataParser connector to import and archive InvestEdge data in Microsoft 365."
++
+# Set up a connector to archive InvestEdge data (preview)
+
+Use the [InvestEdge DataParser](https://www.17a-4.com/investedge-dataparser/) from 17a-4 LLC to import and archive data from InvestEdge to user mailboxes in your Microsoft 365 organization. The DataParser includes a InvestEdge connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The InvestEdge DataParser connector converts InvestEdge data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After InvestEdge data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a InvestEdge connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving InvestEdge data
+
+The following overview explains the process of using a data connector to archive InvestEdge data in Microsoft 365.
+
+![Archiving workflow for InvestEdge data from 17a-4](../media/InvestEdgeDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the InvestEdge DataParser.
+
+2. On a regular basis, InvestEdge items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The InvestEdge DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **InvestEdge DataParser** is created in the user mailboxes, and the InvestEdge items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every InvestEdge item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the InvestEdge DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a InvestEdge DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for InvestEdge data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **InvestEdge DataParser**.
+
+2. On the **InvestEdge DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the InvestEdge DataParser connection wizard.
+
+## Step 2: Configure the InvestEdge DataParser connector
+
+Work with 17a-4 Support to configure the InvestEdge DataParser connector.
+
+## Step 3: Map users
+
+The InvestEdge DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the InvestEdge DataParser connector
+
+After you create a InvestEdge DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the InvestEdge DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
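Review bot: Article usage before "InvestEdge" is wrong throughout this file. "a InvestEdge connector" in both intro paragraphs, the heading "Step 1: Set up a InvestEdge DataParser connector", and "After you create a InvestEdge DataParser connector" in Step 4 should all use "an". The Step 1 intro also reads "The first step is to access to the Data connectors page"; drop the second "to".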
compliance Archive 17A 4 Liveperson Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-liveperson-data.md
+
+ Title: "Set up a connector to archive LivePerson Conversational Cloud data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 LivePerson Conversational Cloud DataParser connector to import and archive LivePerson Conversational Cloud data in Microsoft 365."
++
+# Set up a connector to archive LivePerson Conversational Cloud data (preview)
+
+Use the [LivePerson Conversational Cloud DataParser](https://www.17a-4.com/liveperson-dataparser/) from 17a-4 LLC to import and archive data from LivePerson Conversational Cloud to user mailboxes in your Microsoft 365 organization. The DataParser includes a LivePerson Conversational Cloud connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The LivePerson Conversational Cloud DataParser connector converts data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a LivePerson Conversational Cloud connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving LivePerson Conversational Cloud data
+
+The following overview explains the process of using a data connector to archive LivePerson Conversational Cloud data in Microsoft 365.
+
+![Archiving workflow for LivePerson Conversational Cloud data from 17a-4](../media/LiveEngageDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the the LivePerson Conversational Cloud DataParser.
+
+2. On a regular basis, LivePerson Conversational Cloud items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The LivePerson Conversational Cloud DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **LivePerson Conversational Cloud DataParser** is created in the user mailboxes, and the items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the LivePerson Conversational Cloud DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a LivePerson Conversational Cloud DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for LivePerson Conversational Cloud data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **LivePerson Conversational Cloud DataParser**.
+
+2. On the **LivePerson Conversational Cloud DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the LivePerson Conversational Cloud DataParser connection wizard.
+
+## Step 2: Configure the LivePerson Conversational Cloud DataParser connector
+
+Work with 17a-4 Support to configure the LivePerson Conversational Cloud DataParser connector.
+
+## Step 3: Map users
+
+The LivePerson Conversational Cloud DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the LivePerson Conversational Cloud DataParser connector
+
+After you create a LivePerson Conversational Cloud DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the LivePerson Conversational Cloud DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
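Review bot: Item 1 of the overview list has a doubled word, "set up and configure the the LivePerson Conversational Cloud DataParser"; remove one "the". The workflow image is also referenced as LiveEngageDataParserConnectorWorkflow.png while the article text uses only the name "LivePerson Conversational Cloud"; confirm the file name is intentional, or rename it to match the other connector articles' naming pattern.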
compliance Archive 17A 4 Quip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-quip-data.md
+
+ Title: "Set up a connector to archive Quip data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Quip DataParser connector to import and archive Quip data in Microsoft 365."
++
+# Set up a connector to archive Quip data (preview)
+
+Use the [Quip DataParser](https://www.17a-4.com/quip-dataparser/) from 17a-4 LLC to import and archive data from Quip to user mailboxes in your Microsoft 365 organization. The DataParser includes a Quip connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Quip DataParser connector converts Quip data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Quip data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Quip connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Quip data
+
+The following overview explains the process of using a data connector to archive Quip data in Microsoft 365.
+
+![Archiving workflow for Quip data from 17a-4](../media/QuipDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Quip DataParser.
+
+2. On a regular basis, Quip items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Quip DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Quip DataParser** is created in the user mailboxes, and the Quip items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Quip item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Quip DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Quip DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Quip data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Quip DataParser**.
+
+2. On the **Quip DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Quip DataParser connection wizard.
+
+## Step 2: Configure the Quip DataParser connector
+
+Work with 17a-4 Support to configure the Quip DataParser connector.
+
+## Step 3: Map users
+
+The Quip DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Quip DataParser connector
+
+After you create a Quip DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Quip DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
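Review bot: The second prerequisite bullet lists adding the Mailbox Import Export role to the Organization Management role group as the first option, which gives the role to every member of that group rather than only to the person who creates the connector. Lead with the dedicated role group ("create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members") and present the Organization Management route as the alternative, since the bullet itself points out that the role is not assigned to any role group by default.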
compliance Archive 17A 4 Refinitiv Messenger Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-refinitiv-messenger-data.md
+
+ Title: "Set up a connector to archive Refinitiv Eikon Messenger data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Refinitiv Eikon Messenger DataParser connector to import and archive Refinitiv Eikon Messenger data in Microsoft 365."
++
+# Set up a connector to archive Refinitiv Eikon Messenger data (preview)
+
+Use the [Refinitiv Eikon Messenger DataParser](https://www.17a-4.com/refinitiv-messenger-dataparser/) from 17a-4 LLC to import and archive data from Refinitiv Eikon Messenger to user mailboxes in your Microsoft 365 organization. The DataParser includes a Refinitiv Eikon Messenger connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Refinitiv Eikon Messenger DataParser connector converts Refinitiv Eikon Messenger data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Refinitiv Eikon Messenger data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Refinitiv Eikon Messenger connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Refinitiv Eikon Messenger data
+
+The following overview explains the process of using a data connector to archive Refinitiv Eikon Messenger data in Microsoft 365.
+
+![Archiving workflow for Refinitiv Eikon Messenger data from 17a-4](../media/RefinitivMessengerDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Refinitiv Eikon Messenger DataParser.
+
+2. Regularly, Refinitiv Eikon Messenger items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Refinitiv Eikon Messenger DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Refinitiv Eikon Messenger DataParser** is created in the user mailboxes, and the Refinitiv Eikon Messenger items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Refinitiv Eikon Messenger item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Refinitiv Eikon Messenger DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Refinitiv Eikon Messenger DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Refinitiv Eikon Messenger data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Refinitiv Eikon Messenger DataParser**.
+
+2. On the **Refinitiv Eikon Messenger DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Refinitiv Eikon Messenger DataParser connection wizard.
+
+## Step 2: Configure the Refinitiv Eikon Messenger DataParser connector
+
+Work with 17a-4 Support to configure the Refinitiv Eikon Messenger DataParser connector.
+
+## Step 3: Map users
+
+The Refinitiv Eikon Messenger DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Refinitiv Eikon Messenger DataParser connector
+
+After you create a Refinitiv Eikon Messenger DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Refinitiv Eikon Messenger DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
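Review bot: The prerequisite bullet says the user creates the connector "in Step 1 (and completes it in Step 3)", but Step 3 in this file is "Map users" and describes only automatic mapping with no admin action, so the cross-reference points at a step where nothing is completed. Either remove the parenthetical or describe what the admin does in Step 3. Step 3 should also say what happens to an item when a participant address in the *Email* property has no matching Microsoft 365 mailbox, because the overview states that the connector uses that property to choose the destination mailbox.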
compliance Archive 17A 4 Servicenow Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-servicenow-data.md
+
+ Title: "Set up a connector to archive ServiceNow data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 ServiceNow DataParser connector to import and archive ServiceNow data in Microsoft 365."
++
+# Set up a connector to archive ServiceNow data (preview)
+
+Use the [ServiceNow DataParser](https://www.17a-4.com/dataparser/) from 17a-4 LLC to import and archive data from ServiceNow to user mailboxes in your Microsoft 365 organization. The DataParser includes a ServiceNow connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The ServiceNow DataParser connector converts ServiceNow data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After ServiceNow data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a ServiceNow connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving ServiceNow data
+
+The following overview explains the process of using a data connector to archive ServiceNow data in Microsoft 365.
+
+![Archiving workflow for ServiceNow data from 17a-4](../media/ServiceNowDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the ServiceNow DataParser.
+
+2. On a regular basis, ServiceNow items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The ServiceNow DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **ServiceNow DataParser** is created in the user mailboxes, and the ServiceNow items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every ServiceNow item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the ServiceNow DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a ServiceNow DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for ServiceNow data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **ServiceNow DataParser**.
+
+2. On the **ServiceNow DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the ServiceNow DataParser connection wizard.
+
+## Step 2: Configure the ServiceNow DataParser connector
+
+Work with 17a-4 Support to configure the ServiceNow DataParser connector.
+
+## Step 3: Map users
+
+The ServiceNow DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the ServiceNow DataParser connector
+
+After you create a ServiceNow DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the ServiceNow DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
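Review bot: The role prerequisite under "Before you set up a connector" does not match the steps that follow. It says the user "creates the ServiceNow DataParser connector in Step 1 (and completes it in Step 3)", but Step 3 in this file is "Map users" and describes automatic mapping with no admin action, while Step 2 is done with 17a-4 Support. Reword the parenthetical to name the step where the Mailbox Import Export role is actually used, or drop it. Minor: in Step 1, "access to the Data connectors page" should read "access the Data connectors page".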
compliance Archive 17A 4 Slack Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-slack-data.md
+
+ Title: "Set up a connector to archive Slack data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Slack DataParser connector to import and archive Slack data in Microsoft 365."
++
+# Set up a connector to archive Slack data (preview)
+
+Use [DataParser from 17a-4 LLC](https://www.17a-4.com/slack-dataparser/) to import and archive data from the Slack platform to user mailboxes in your Microsoft 365 organization. DataParser includes a Slack connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Slack DataParser connector converts Slack data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Slack data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Slack connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Slack data
+
+The following overview explains the process of using a data connector to archive Slack data in Microsoft 365.
+
+![Archiving workflow for Slack data from 17a-4](../media/SlackDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Slack DataParser.
+
+2. On a regular basis, Slack items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Slack DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Slack DataParser** is created in the user mailboxes, and the Slack items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Slack item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Slack DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Slack DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Slack data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Slack DataParser**.
+
+2. On the **Slack DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Slack DataParser connection wizard.
+
+## Step 2: Configure the Slack DataParser connector
+
+Work with 17a-4 Support to configure the Slack DataParser connector.
+
+## Step 3: Map users
+
+The Slack DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Slack DataParser connector
+
+After you create a Slack DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Slack DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
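Review bot: In "Before you set up a connector", the first option offered for granting Mailbox Import Export is to add it to the Organization Management role group, which gives the role to every member of that group rather than only to the person who creates the connector. Lead with the dedicated role group (the following sentence already describes it) and present Organization Management as the fallback, so that the documented default follows least privilege.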
compliance Archive 17A 4 Sql Database Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-sql-database-data.md
+
+ Title: "Set up a connector to archive SQL data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
++
+description: "Learn how to set up and use a 17a-4 SQL DataParser connector to import and archive SQL data in Microsoft 365."
++
+# Set up a connector to archive SQL data (preview)
+
+Use the [SQL DataParser](https://www.17a-4.com/sql-dataparser/) from 17a-4 LLC to import and archive data from a SQL database to user mailboxes in your Microsoft 365 organization. The DataParser includes a SQL connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The SQL DataParser connector converts SQL data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After SQL data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a SQL connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving SQL data
+
+The following overview explains the process of using a data connector to archive SQL data in Microsoft 365.
+
+![Archiving workflow for SQL data from 17a-4](../media/SQLDatabaseDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the SQL DataParser.
+
+2. On a regular basis, SQL items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The SQL DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **SQL DataParser** is created in the user mailboxes, and the SQL items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every SQL item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the SQL DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a SQL DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for SQL data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **SQL DataParser**.
+
+2. On the **SQL DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the SQL DataParser connection wizard.
+
+## Step 2: Configure the SQL DataParser connector
+
+Work with 17a-4 Support to configure the SQL DataParser connector.
+
+## Step 3: Map users
+
+The SQL DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the SQL DataParser connector
+
+After you create a SQL DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the SQL DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
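Review bot: Overview steps 2 and 4 keep messaging wording that does not map onto a SQL source: "converts the content of a message" and "populated with the email address of every participant". A database row has no participants, so a reader cannot tell where the *Email* property that selects the target mailbox comes from. Say which column or configured field supplies it, and what happens to rows that carry no value for it.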
compliance Archive 17A 4 Symphony Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-symphony-data.md
+
+ Title: "Set up a Symphony DataParser connector to archive data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Symphony DataParser connector to import and archive Symphony data in Microsoft 365."
++
+# Set up a connector to archive Symphony data (preview)
+
+Use the [Symphony DataParser](https://www.17a-4.com/Symphony-dataparser/) from 17a-4 LLC to import and archive Symphony communications data to user mailboxes in your Microsoft 365 organization. The DataParser includes a Symphony connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Symphony DataParser connector converts Symphony data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Symphony data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Symphony connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Symphony data
+
+The following overview explains the process of using a data connector to archive Symphony data in Microsoft 365.
+
+![Archiving workflow for Symphony data from 17a-4](../media/SymphonyDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Symphony DataParser.
+
+2. On a regular basis, Symphony items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Symphony DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Symphony DataParser** is created in the user mailboxes, and the Symphony items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Symphony item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Symphony DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Symphony DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Symphony data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Symphony DataParser**.
+
+2. On the **Symphony DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Symphony DataParser connection wizard.
+
+## Step 2: Configure the Symphony DataParser connector
+
+Work with 17a-4 Support to configure the Symphony DataParser connector.
+
+## Step 3: Map users
+
+The Symphony DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Symphony DataParser connector
+
+After you create a Symphony DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Symphony DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
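Review bot: The front-matter Title and the H1 disagree in this file. The Title is "Set up a Symphony DataParser connector to archive data in Microsoft 365" while the H1 is "Set up a connector to archive Symphony data (preview)"; align them so that the page heading and the metadata describe the article the same way. Also verify the product link "https://www.17a-4.com/Symphony-dataparser/": the path segment is capitalized, so confirm that it resolves as written.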
compliance Archive 17A 4 Webex Teams Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-webex-teams-data.md
+
+ Title: "Set up a connector to archive Cisco Webex data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Cisco Webex DataParser connector to import and archive Cisco Webex data in Microsoft 365."
++
+# Set up a connector to archive Cisco Webex data (preview)
+
+Use the [Cisco Webex DataParser](https://www.17a-4.com/webex-dataparser/) from 17a-4 LLC to import and archive data from the Cisco Cisco Webex platform to user mailboxes in your Microsoft 365 organization. The DataParser includes a Cisco Webex connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Cisco Webex DataParser connector converts Cisco Webex data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Cisco Webex data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Cisco Webex connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Cisco Webex data
+
+The following overview explains the process of using a data connector to archive Cisco Webex data in Microsoft 365.
+
+![Archiving workflow for Cisco Webex data from 17a-4](../media/WebexTeamsDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Cisco Webex DataParser.
+
+2. On a regular basis, Cisco Webex items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Cisco Webex DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Cisco Webex DataParser** is created in the user mailboxes, and the Cisco Webex items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Cisco Webex item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Cisco Webex DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Cisco Webex DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Cisco Webex data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Cisco Webex DataParser**.
+
+2. On the **Cisco Webex DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Cisco Webex DataParser connection wizard.
+
+## Step 2: Configure the Cisco Webex DataParser connector
+
+Work with 17a-4 Support to configure the Cisco Webex DataParser connector.
+
+## Step 3: Map users
+
+The Cisco Webex DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Cisco Webex DataParser connector
+
+After you create a Cisco Webex DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Cisco Webex DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
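Review bot: The intro paragraph reads "from the Cisco Cisco Webex platform"; drop the duplicated "Cisco". The workflow image is still named "WebexTeamsDataParserConnectorWorkflow.png" while the text consistently says "Cisco Webex", so confirm that the alt text and the image content use the same product name as the article.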
compliance Archive 17A 4 Zoom Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-zoom-data.md
+
+ Title: "Set up a connector to archive Zoom data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Zoom DataParser connector to import and archive Zoom data in Microsoft 365."
++
+# Set up a connector to archive Zoom data (preview)
+
+Use the [Zoom DataParser](https://www.17a-4.com/dataparser/) from 17a-4 LLC to import and archive data from the Zoom platform to user mailboxes in your Microsoft 365 organization. The DataParser includes a Zoom connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Zoom DataParser connector converts Zoom data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Zoom data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Zoom connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Zoom data
+
+The following overview explains the process of using a data connector to archive Zoom data in Microsoft 365.
+
+![Archiving workflow for Zoom data from 17a-4](../mediataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Zoom DataParser.
+
+2. On a regular basis, Zoom items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Zoom DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Zoom DataParser** is created in the user mailboxes, and the Zoom items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Zoom item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Zoom DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Zoom DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Zoom data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Zoom DataParser**.
+
+2. On the **Zoom DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Zoom DataParser connection wizard.
+
+## Step 2: Configure the Zoom DataParser connector
+
+Work with 17a-4 Support to configure the Zoom DataParser connector.
+
+## Step 3: Map users
+
+The Zoom DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Zoom DataParser connector
+
+After you create a Zoom DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Zoom DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
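Review bot: The workflow image reference "../mediataParserConnectorWorkflow.png" looks truncated: there is no "/" after "media" and no product name in the file name, so the path is unlikely to resolve. Correct it to the Zoom workflow image under "../media/". The product link in the intro also points to the general "https://www.17a-4.com/dataparser/" page; if a Zoom-specific page exists, link to that instead.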
compliance Archive Data From Celltrustsl2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-data-from-celltrustsl2.md
+
+ Title: "Archive data from the CellTrust SL2 platform to Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a CellTrust SL2 data connector to import and archive mobile communications data."
+++
+# Archive data from CellTrust SL2 to Microsoft 365 (preview)
+
+CellTrust SL2 captures mobile communications data and integrates with the leading archiving technologies to meet the electronic discovery requirements for regulations such as FINRA, HIPAA, FOIA, and TCPA. The SL2 Data Connector imports mobile communication items to Microsoft 365. This article describes the process for integrating SL2 with Microsoft 365 by using the CellTrust SL2 Data Connector for archiving. Completing this process assumes that you have subscribed to CellTrust SL2 service and are familiar with the SL2 architecture. For information about SL2, see <www.celltrust.com>.
+
+After data is imported to user mailboxes in Microsoft 365, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, Microsoft 365 retention policies, and communication compliance. Using the CellTrust SL2 Data Connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving with the CellTrust SL2 Data Connector
+
+CellTrust's SL2 platform captures communication data from multiple sources. SL2 data sources are either Person-to-Person (P2P) or Application-to-Person (A2P). The process described in this article pertains only to P2P data sources. For all P2P data sources, at least one party in the collaboration is an SL2 user who is subscribed to the SL2 service. The following overview explains the process of using the CellTrust SL2 Data Connector in Microsoft 365.
+
+![Archiving workflow for CellTrust SL2 service](../media/CellTrustSL2ConnectorWorkflow.png)
+
+1. SL2 users send and receive data to and from SL2 services in the Microsoft Azure cloud.
+
+2. Your organization has an SL2 domain in CellTrust's SL2 Cloud Service environment. Your domain may have one or more organizational units (OUs). The SL2 Cloud Service transfers your data to a highly secure area in the Microsoft Azure platform, so that your data never leaves the Microsoft Azure environment. Depending on your SL2 plan (Enterprise, SMB, or Government), your domain is either hosted on Microsoft Azure Global or Microsoft Azure Government.
+
+3. After you create the CellTrust SL2 Data Connector, your domain and OUs (regardless of your SL2 plan), begin sending data to Microsoft 365. The data feed is structured to support reporting based on data sources, OUs, or the domain by itself. As a result, your organization needs only one connector to feed all your data sources to Microsoft 365.
+
+4. The connector creates a folder under each mapped user with an appropriate Office 365 license titled **CellTrust SL2**. This mapping connects a CellTrust SL2 user to an Office 365 mailbox by using an email address. If a user ID in CellTrust SL2 has no match in Office 365, the user's data will not be archived.
+
+## Before you set up a connector
+
+- Verify that you have a domain in the CellTrust SL2 cloud service environment. For additional information on obtaining a production or trial SL2 domain, [Contact CellTrust](https://www.celltrust.com/contact-us/#form).
+
+- Obtain the credentials to access the administrator account for your SL2 domain.
+
+- The user who creates the CellTrust SL2 data connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Create a CellTrust SL2 connector
+
+The first step is to create a data connector in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** on the left navigation pane.
+
+2. On the **Overview** tab, click **Filter** and select **By CellTrust**, and then apply the filter.
+
+ ![Configure filter to display CellTrust connectors](../media/DataConnectorsFilter.png)
+
+3. Click **CellTrust SL2 (preview**).
+
+4. On the **CellTrust SL2 (preview**) product description page, click **Add connector**.
+
+5. On the **Terms of service** page, click **Accept**.
+
+6. Enter a unique name that identifies the connector and then click **Next**. The name you enter will identify the connector on the **Data connectors** page after you create it.
+
+7. On the **Sign in to your CellTrust account** page, click **Sign into CellTrust**. You'll be redirected to the **CellTrust Portal for Microsoft 365** in a new browser window.
+
+## Step 2: Select the domains or OUs to archive
+
+The next step is to sign into an administrator account for your CellTrust SL2 domain and select the domains and OUs to archive in Microsoft 365.
+
+1. On the CellTrust **Microsoft 365 Connector** page, select your environment in the SL2 cloud service to display a sign-in page.
+
+ Typically, you should see one option representing your environment. However, if you have domains in more than one environment, you will see options for each environment. After you make a selection, you'll be redirected to the SL2 login page.
+
+2. Sign in with your Domain or OU Administrator account credentials.
+
+ If you sign in as an SL2 domain administrator, you will see the name of your domain and the OUs in that domain. If you do not have OUs, you only see the name of your domain. If you log in as OU Administrator, you only see the name of your OU.
+
+3. Enable the business units you wish to archive. Selecting the domain will not automatically select the OUs. You must enable each OU separately to archive it.
+
+ ![Enable OUs to archive](../media/EnableCellTrustOUs.png)
+
+4. When you're finished with your selections, close the browser window and return to the wizard page in Microsoft 365 compliance center. After a few seconds, the wizard automatically advances to the next step of mapping users.
+
+## Step 3: Map users and complete the connector setup
+
+The last step is to map users and complete the connector setup in the Microsoft 365 compliance center.
+
+1. On the **User mapping** page, select **Enable automatic user mapping** if the email address for users is the same in both SL2 and Microsoft 365. Otherwise, you should manually user email addresses by uploading a CSV file that maps users' SL2 address to their Microsoft 365 address.
+
+2. Click **Next**, review your settings, and then click **Finish** to create the connector.
+
+ The new connector is added to the list on the **Data connectors** page.
+
+## Get help from CellTrust
+
+See the [CellTrust Customer Support page](https://www.celltrust.com/contact-us/#support) for details about contacting CellTrust for help with setting up a CellTrust SL2 data connector.
+
+## More information
+
+- A domain administrator can set up a connector for the domain or any OUs in that domain. If you use the OU Administrator account, you can only set up a connector for that specific OU.
+
+- To successfully complete the steps above, you must be assigned a Microsoft 365 E5 license and have the proper Microsoft Office admin rights.
+
+- To test the new connector, send a text message using your SL2 mobile app or from your SL2 portal. Go to your Microsoft 365 mailbox and open the **CellTrust SL2** folder in your Inbox. It may take a few minutes for the text messages to show up in your mailbox.
+
+- Many laws and regulations require electronic communication to be preserved in such a way that, when requested, it can be produced as evidence. Electronic Discovery (eDiscovery) is used to comply with the production of electronic communication. Enterprise Information Archiving (EIA) solutions are designed to perform eDiscovery, and provide features such as retention policy management, data classification, and content supervision. Microsoft 365 offers a long-term retention solution for compliance with the regulations and standards that affect your organization.
+
+- The term *archiving* as used in this document refers to archiving in the context of use within an Enterprise Information Archiving (EIA) solution. EIA solutions have eDiscovery features that produce documents for legal proceedings, litigation, audits, and investigations. Archiving in the context of backup and restore used for disaster recovery and business continuity isn't the intended use of the term within this document.
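Review bot: In Step 3, item 1, the sentence "Otherwise, you should manually user email addresses by uploading a CSV file" is missing its verb and should read "manually map user email addresses". Overview item 4 says that data for an SL2 user ID with no match in Office 365 is not archived, so this step should also state the expected CSV columns (or link to a sample file) and say how an admin can tell that a user was left unmapped. In the prerequisites, consider recommending the dedicated role group for Mailbox Import Export rather than adding the role to Organization Management, which grants it to every member of that group. Two smaller points: the bold markers in `**CellTrust SL2 (preview**)` (Step 1, items 3 and 4) close before the parenthesis, and `<www.celltrust.com>` in the introduction has no scheme, so it is not a valid Markdown autolink.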
compliance Archive Xip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-xip-data.md
description: "Admins can set up a connector to import and archive XIP source dat
# Set up a connector to archive XIP source data
-Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the XIP source platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [XIP](https://globanet.com/xip/) connector that allows using an XIP file to import items to Microsoft 365. An XIP file is similar to a ZIP file, but allows for a digital signature to be used. The digital signature is verified by the Veritas Merge 1 before the XIP source file is extracted. The connector converts the content from the XIP source file to an email message format and then imports those items to the user's mailbox in Microsoft 365.
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the XIP source platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [XIP](https://globanet.com/xip/) connector that allows using an XIP file to import items to Microsoft 365. An XIP file is similar to a ZIP file, but allows for a digital signature to be used. The digital signature is verified by Veritas Merge 1 before the XIP source file is extracted. The connector converts the content from the XIP source file to an email message format and then imports those items to the user mailboxes in Microsoft 365.
After XIP source data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using an XIP connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
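Review bot: The added line names the product "Veritas Merge 1", while the archiving-third-party-data.md change in this same update calls the service *Merge1*; pick one spelling and use it in both articles. The same sentence says the digital signature is verified before the XIP file is extracted but not what happens when verification fails; add a clause stating whether the file is rejected and where the admin would see that. The line also still mixes "a [XIP] connector" with "an XIP file"; use "an" in both places.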
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
description: "Learn how to import third-party data from social media platforms, instant messaging platforms, and document collaboration platforms to Microsoft 365 mailboxes."
-# Archive third-party data
+# Archive third-party data in Microsoft 365
Microsoft 365 lets administrators use data connectors to import and archive third-party data from social media platforms, instant messaging platforms, and document collaboration platforms, to mailboxes in your Microsoft 365 organization. One primary benefit of using data connectors to import and archive third-party data in Microsoft 365 is that you can apply various Microsoft 365 compliance solutions to that after it's been imported. This helps you ensure that your organization's non-Microsoft data is in compliance with the regulations and standards that affect your organization. ## Third-party data connectors
-The following table lists the third-party data connectors available in the Microsoft 365 compliance center. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive in Microsoft 365. See the [next section](#overview-of-compliance-solutions-that-support-third-party-data) for a more detailed description of each compliance solution and how it can benefit third-party data.
+The Microsoft 365 compliance center provides native third-party data connectors from Microsoft to import data from various data sources, such as LinkedIn, Instant Bloomberg, and Twitter and data connectors that support the Insider risk management solution. In addition to these data connectors, Microsoft works with the following partners to provide many more third part data connectors in the Microsoft 365 compliance center. Your organization works with these partners to set up their archiving service before creating a corresponding data connector in the Microsoft 365 compliance center.
-> [!TIP]
-> Click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
+- [Veritas](#veritas-data-connectors)
+
+- [TeleMessage](#telemessage-data-connectors)
+
+- [17a-4 LLC](#17a-4-data-connectors)
+
+- [CellTrust](#celltrust-data-connectors)
+
+The third-party data listed in the next sections (except for HR data and physical badging data that is used for the Microsoft 365 Insider risk management solution) is imported into user mailboxes. The Microsoft 365 compliance solutions that support third-party data are applied to the user mailbox where the data is stored.
+
+### Microsoft data connectors
+
+The following table lists the native third-party data connectors available in the Microsoft 365 compliance center. The table also summarizes the compliance solutions that you can apply after you import and archive third-party data in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-compliance-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.
+
+Click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management | |:|:|:|:|:|:|:|
-|[Android <sup>1</sup>](archive-android-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[AT&T Network <sup>1</sup>](archive-att-network-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Bell Network <sup>1</sup>](archive-bell-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Bloomberg Message](archive-bloomberg-message-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[CellTrust <sup>2</sup>](archive-celltrust-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Cisco Jabber on MS SQL <sup>2</sup>](archive-ciscojabberonmssql-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Cisco Jabber on Oracle <sup>2</sup>](archive-ciscojabberonoracle-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Cisco Jabber on PostgreSQL <sup>2</sup>](archive-ciscojabberonpostgresql-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[EML <sup>2</sup>](archive-eml-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[Enterprise Number <sup>1</sup>](archive-enterprise-number-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Facebook](archive-facebook-data-with-sample-connector.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[FX Connect <sup>2</sup>](archive-fxconnect-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Human resources (HR)](import-hr-data.md) ||||||![Check mark](../media/checkmark.png) |[ICE Chat](archive-icechat-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Instant Bloomberg](archive-instant-bloomberg-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Jive <sup>2</sup>](archive-jive-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[LinkedIn](archive-linkedin-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[MS SQL Database <sup>2</sup>](archive-mssqldatabaseimporter-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[O2 Network <sup>1</sup>](archive-o2-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Physical badging](import-physical-badging-data.md) ||||||![Check mark](../media/checkmark.png)|
-|[Pivot <sup>2</sup>](archive-pivot-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Redtail Speak <sup>2</sup>](archive-redtailspeak-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Reuters Dealing <sup>2</sup>](archive-reutersdealing-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Reuters Eikon <sup>2</sup>](archive-reuterseikon-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Reuters FX <sup>2</sup>](archive-reutersfx-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Salesforce Chatter <sup>2</sup>](archive-salesforcechatter-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[ServiceNow <sup>2</sup>](archive-servicenow-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[Signal <sup>1</sup>](archive-signal-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Skype for Business <sup>2</sup>](archive-skypeforbusiness-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Slack eDiscovery <sup>2</sup>](archive-slack-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Symphony <sup>2</sup>](archive-symphony-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Telegram <sup>1</sup>](archive-telegram-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[TELUS Network <sup>1</sup>](archive-telus-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Text-delimited <sup>2</sup>](archive-text-delimited-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
|[Twitter](archive-twitter-data-with-sample-connector.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[Verizon Network <sup>1</sup>](archive-verizon-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Webex Teams <sup>2</sup>](archive-webexteams-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Webpages <sup>2</sup>](archive-webpagecapture-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[WeChat <sup>1</sup>](archive-wechat-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[WhatsApp <sup>1</sup>](archive-whatsapp-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Workplace from Facebook <sup>2</sup>](archive-workplacefromfacebook-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[XIP <sup>2</sup>](archive-xip-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[XSLT/XML <sup>2</sup>](archive-xslt-xml-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
-|[Yieldbroker <sup>2</sup>](archive-yieldbroker-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Zoom Meetings <sup>2</sup>](archive-zoommeetings-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
||||||||
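Review bot: The new introductory paragraph has a typo, "third part data connectors", which should be "third-party data connectors", and the sentence added under "Microsoft data connectors" still reads "to go the step-by-step instructions" (missing "to"), carried over from the removed TIP. The phrase "native third-party data connectors from Microsoft" reads as a contradiction; "native connectors for third-party data" would be clearer. The partner list links to `#17a-4-data-connectors` and `#celltrust-data-connectors`; confirm that both headings exist in the final article so the anchors resolve.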
-> [!NOTE]
-> <sup>1</sup> Data connector provided by TeleMessage. Before you can archive data in Microsoft 365, you have to work with TeleMessage to set up their archiving service for your organization. For more information, see the prerequisite section in the step-by-step instructions for this data type. TeleMessage data connectors are also available in GCC environments in the Microsoft 365 US Government cloud. For more information, see the [Data connectors in the US Government cloud](#data-connectors-in-the-us-government-cloud) section in this article. <br/><br/><sup>2</sup> Data connector provided by Veritas. Before you can archive data in Microsoft 365, you have to work with Veritas to set up their archiving service for your organization. For more information, see the prerequisite section in the step-by-step instructions for this data type.
+### Veritas data connectors
+
+The table in this section lists the third-party data connectors available in partnership with Veritas. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-compliance-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.
+
+Before you can archive third-party data in Microsoft 365, you have to work with Veritas to set up their archiving service (called *Merge1*) for your organization. For more information, click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
+
+|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management |
+|:|:|:|:|:|:|:|
+|[CellTrust](archive-celltrust-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber on MS SQL](archive-ciscojabberonmssql-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber on Oracle](archive-ciscojabberonoracle-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber on PostgreSQL](archive-ciscojabberonpostgresql-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[EML](archive-eml-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[FX Connect](archive-fxconnect-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Jive](archive-jive-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[MS SQL Database](archive-mssqldatabaseimporter-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[Pivot](archive-pivot-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Redtail Speak](archive-redtailspeak-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Reuters Dealing](archive-reutersdealing-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Reuters Eikon](archive-reuterseikon-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Reuters FX](archive-reutersfx-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Salesforce Chatter](archive-salesforcechatter-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[ServiceNow](archive-servicenow-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[Slack eDiscovery](archive-slack-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Symphony](archive-symphony-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Text-delimited](archive-text-delimited-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[Webex Teams](archive-webexteams-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Webpages](archive-webpagecapture-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[Workplace from Facebook](archive-workplacefromfacebook-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[XIP](archive-xip-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[XSLT/XML](archive-xslt-xml-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[Yieldbroker](archive-yieldbroker-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Zoom Meetings](archive-zoommeetings-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+||||||||
+
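Review bot: The Veritas table keeps a row labeled "CellTrust" (linking to archive-celltrust-data.md) while the new partner list also links to a separate CellTrust section, so readers see two CellTrust entries with no indication of how they differ. Label this row to show that it is the connector provided through Veritas, or add a sentence under the heading that points to the CellTrust section. The introductory sentence here also repeats "to go the step-by-step instructions", which is missing "to".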
+### TeleMessage data connectors
+
+The table in this section lists the third-party data connectors available in partnership with TeleMessage. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-compliance-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.
+
+Before you can archive third-party data in Microsoft 365, you have to work with TeleMessage to set up their archiving service for your organization. For more information, click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
+
+TeleMessage data connectors are also available in GCC environments in the Microsoft 365 US Government cloud. For more information, see the Data connectors in the US Government cloud section in this article.
+
+|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management |
+|:|:|:|:|:|:|:|
+|[Android ](archive-android-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[AT&T Network ](archive-att-network-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Bell Network ](archive-bell-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Enterprise Number ](archive-enterprise-number-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[O2 Network ](archive-o2-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[TELUS Network ](archive-telus-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Verizon Network ](archive-verizon-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[WeChat ](archive-wechat-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[WhatsApp ](archive-whatsapp-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+||||||||
+
+### 17a-4 data connectors
-The third-party data listed in the previous table (except for HR data and physical badging data) is imported into user mailboxes. The corresponding compliance solutions that support third-party data are applied to the user mailbox where the data is stored.
+The table in this section lists the third-party data connectors available in partnership with 17a-4 LLC. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-compliance-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.
+
+Before you can archive third-party data in Microsoft 365, you have to work with Veritas to set up their archiving service (called *DataParser*) for your organization. For more information, click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
+
+|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management |
+|:|:|:|:|:|:|:|
+|[BlackBerry](archive-17a-4-blackberry-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Bloomberg ](archive-17a-4-bloomberg-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber ](archive-17a-4-cisco-jabber-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Webex ](archive-17a-4-webex-teams-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[FactSet ](archive-17a-4-factset-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Fuze ](archive-17a-4-fuze-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[FX Connect ](archive-17a-4-fxconnect-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[ICE Chat](archive-17a-4-ice-im-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[InvestEdge ](archive-17a-4-investedge-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[LivePerson Conversational Cloud ](archive-17a-4-liveperson-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Quip ](archive-17a-4-quip-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Refinitiv Eikon Messenger](archive-17a-4-refinitiv-messenger-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[ServiceNow ](archive-17a-4-servicenow-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Slack ](archive-17a-4-slack-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Symphony ](archive-17a-4-symphony-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Zoom ](archive-17a-4-zoom-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+||||||||
+
+### CellTrust data connectors
+
+The table in this section lists the third-party data connector available in partnership with CellTrust. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-compliance-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.
+
+Before you can archive third-party data in Microsoft 365, you have to work with CellTrust to set up their archiving service (called *CellTrust SL2*) for your organization. For more information, click the link in the **Third-party data** column to go the step-by-step instructions for creating a CellTrust SL2 connector.
+
+|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management |
+|:|:|:|:|:|:|:|
+|[CellTrust SL2](archive-data-from-celltrustsl2.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+||||||||
## Overview of compliance solutions that support third-party data
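Review bot: The new 17a-4 section names two different partners. Its first paragraph says the connectors are available "in partnership with 17a-4 LLC", but the setup paragraph says "you have to work with Veritas to set up their archiving service (called *DataParser*)". Both paragraphs should name the same company, because that is the party the admin contracts with and the one that handles the archived data. Smaller points in the same hunk: "to go the step-by-step instructions" is missing "to" in the TeleMessage, 17a-4 and CellTrust paragraphs, the "### 17a-4 data connectors" heading has no blank line before its first paragraph, and the TeleMessage reference to the "Data connectors in the US Government cloud" section is plain text where the other section references are anchor links.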
compliance Dlp Learn About Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-learn-about-dlp.md
While in test mode, monitor the outcomes of the policy and fine-tune it so that
#### Enable the control and tune your policies
-Once the policy meets all your objectives, turn it on. Continue to monitor the outcomes of the policy application and tune as needed. In general, policies take effect about an hour after being turned on. <!--See, LINK TO topic for SLAs for location specific details-- >
+Once the policy meets all your objectives, turn it on. Continue to monitor the outcomes of the policy application and tune as needed. In general, policies take effect about an hour after being turned on.
+
+<!--See, LINK TO topic for SLAs for location specific details-->
## DLP policy configuration overview
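Review bot: The hidden comment moved onto its own line, "See, LINK TO topic for SLAs for location specific details", is still an unresolved placeholder. Now that its terminator is fixed, either replace it with the actual link, so that "about an hour after being turned on" has a reference, or remove it.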
compliance Enable Mailbox Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-mailbox-auditing.md
The following table describes the mailbox actions that are available in mailbox
|**SendAs**|A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SendOnBehalf**|A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
-|**Update**|A message or its properties was changed.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|**Update**|A message or any of its properties was changed.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
|**UpdateCalendarDelegation**|A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.|![Check mark](../media/checkmark.png)<sup>\*</sup>||![Check mark](../media/checkmark.png)<sup>\*</sup>| |**UpdateComplianceTag**|A different retention label is applied to a mail item (an item can only have one retention label assigned to it).|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)| |**UpdateFolderPermissions**|A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
Remember, an admin with Full Access permission to a Microsoft 365 Group mailbox
|**SendAs**|A message was sent using the SendAs permission.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SendOnBehalf**|A message was sent using the SendOnBehalf permission.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
-|**Update**|A message or its properties was changed.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|**Update**|A message or any of its property was changed.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
| ### Verify that default mailbox actions are being logged for each logon type
-Mailbox auditing on by defaults adds a new *DefaultAuditSet* property to all mailboxes. The value of this property indicates whether the default mailbox actions (managed by Microsoft) are being audited on the mailbox.
+Mailbox auditing on by default adds a new *DefaultAuditSet* property to all mailboxes. The value of this property indicates whether the default mailbox actions (managed by Microsoft) are being audited on the mailbox.
To display the value on user mailboxes or shared mailboxes, replace \<MailboxIdentity\> with the name, alias, email address, or user principal name (username) of the mailbox and run the following command in Exchange Online PowerShell:
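Review bot: The two new "Update" rows do not match. The first table's row reads "A message or any of its properties was changed.", while the second table's row reads "A message or any of its property was changed.", which is ungrammatical. Use "any of its properties" in both rows so the same audited action has one description across the tables.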
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
It wouldn't be a security concern if the document has a lower priority sensitivi
To search the audit log for this event, look for **Detected document sensitivity mismatch** from the **File and page activities** category.
-The automatically generated email has the subject **Incompatible sensitivity label detected** and the email message explains the labeling mismatch with a link to the uploaded document and site. It also contains a documentation link that explains how users can change the sensitivity label. Currently, these automated emails cannot be disabled or customized.
-
-To prevent this automatically generated email, use the following PowerShell command from [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite):
+The automatically generated email has the subject **Incompatible sensitivity label detected** and the email message explains the labeling mismatch with a link to the uploaded document and site. It also contains a documentation link that explains how users can change the sensitivity label. These automated emails cannot be customized but you can prevent them from being sent when you use the following PowerShell command from [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant):
```PowerShell Set-SPOTenant -BlockSendLabelMismatchEmail $True
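Review bot: The rewritten sentence should say that `Set-SPOTenant -BlockSendLabelMismatchEmail $True` is a tenant-level setting, since the removed text pointed at Set-SPOSite and readers may still expect per-site control. It would also help to state whether the **Detected document sensitivity mismatch** audit event is still recorded once the email is blocked, because that event would then be the remaining mismatch signal this page describes. Minor: add a comma before "but you can prevent them".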
compliance Turn Audit Log Search On Or Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/turn-audit-log-search-on-or-off.md
Audit logging is turned on by default for Microsoft 365 and Office 365 enterpris
- You have to be assigned the Audit Logs role in Exchange Online to turn auditing on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online. > [!NOTE]
- > Users have to be assigned permissions in Exchange Online to turn auditing on or off. If you assign users the Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to turn auditing on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.
+ > Users have to be assigned permissions in Exchange Online to turn auditing on or off. If you assign users the Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to turn auditing on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.
- For step-by-step instructions on searching the audit log, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md). For more information about the Microsoft 365 Management Activity API, see [Get started with Microsoft 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis).
lti Teams Classes Lms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-classes-lms.md
As a Blackboard Learn Ultra admin, you'll need to register 2 LTI 1.3 integration
4. Enter the first of the Client IDs provided (either Blackboard or Microsoft), and select **Submit**.
- ![the LTI register tool with a field to enter the client id](../media/lti-media/register-tool.png)
- 5. Review the pre-populated settings and ensure that the tool status is marked as approved. 6. Scroll to the bottom, and then select **Submit**.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Get your antivirus and antimalware updates](manage-updates-baselines-microsoft-defender-antivirus.md) ##### [Manage the sources for Microsoft Defender Antivirus protection updates](manage-protection-updates-microsoft-defender-antivirus.md) ##### [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+##### [Manage gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md)
+##### [Configure gradual rollout process for Microsoft Defender updates](configure-updates.md)
##### [Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) ##### [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) ##### [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
##### [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md) ##### [Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution](troubleshoot-microsoft-defender-antivirus-when-migrating.md) - #### [Hardware-based isolation]() ##### [Hardware-based isolation in Windows 10](overview-hardware-based-isolation.md)
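Review bot: The two new TOC labels do not match the titles of the articles they link to. "Configure gradual rollout process for Microsoft Defender updates" points to configure-updates.md, whose title is "Create a custom gradual rollout process for Microsoft Defender updates", and "Manage gradual rollout process for Microsoft Defender updates" drops "the" from the title of manage-gradual-rollout.md. Use the article titles as the labels so the navigation and the page headings agree.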
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
After configuring the onboarding script, continue editing the same group policy
All policies are located under `Computer Configuration\Policies\Administrative Templates`.
-**Policy location:** \Windows Components\Windows Defender SmartScreen*
+**Policy location:** \Windows Components\Windows Defender ATP
Policy | Setting :|:
Monitor file and program activity on your computer|Enabled
<br/>
-**Policy location:** \Windows Components\Microsoft Defender AntivirusScan
+**Policy location:** \Windows Components\Microsoft Defender Antivirus\Scan
These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting.
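Review bot: The two corrected "Policy location" values are still plain text, where a dropped backslash or a stray "*" is easy to miss, as the removed lines show. The context line above already writes `Computer Configuration\Policies\Administrative Templates` in code formatting. Do the same for `\Windows Components\Windows Defender ATP` and `\Windows Components\Microsoft Defender Antivirus\Scan` so the paths render literally and can be copied as is.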
security Configure Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md
+
+ Title: Create a custom gradual rollout process for Microsoft Defender updates
+description: Learn how to use supported tools to create a custom gradual rollout process for updates
+keywords: update tools, gpo, intune, mdm, microsoft endpoint manager, policy, powershell
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Create a custom gradual rollout process for Microsoft Defender updates
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+> [!NOTE]
+> This functionality requires Microsoft Defender Antivirus version 4.18.2106.X or newer.
+
+To create your own custom gradual rollout process for Defender updates, you can use Group Policy, Microsoft Endpoint Manager, and PowerShell.
+
+The following table lists the available group policy settings for configuring
+update channels:
+
+| Setting title | Description | Location |
+|-|-|-|
+| Select gradual Microsoft Defender monthly platform update rollout channel | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+| Select gradual Microsoft Defender monthly engine update rollout channel | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <br><br> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+| Select gradual Microsoft Defender daily definition updates rollout channel | Enable this policy to specify when devices receive Microsoft Defender definition updates during the daily gradual rollout. <br><br> Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+| Disable gradual rollout of Microsoft Defender updates | Enable this policy to disable gradual rollout of Defender updates. <br><br> Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <br><br> Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. <br><br> If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+
+## Group Policy
+
+> [!NOTE]
+> An updated Defender ADMX template will be published together with the 21H2 release of Windows 10. A non-localized version is available for download at https://github.com/microsoft/defender-updatecontrols.
+
+You can use [Group Policy](/windows/win32/srvnodes/group-policy?redirectedfrom=MSDN) to configure and manage Microsoft Defender Antivirus on your endpoints.
+
+In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
+
+1. On your Group Policy management machine, open theΓÇ»**Group Policy Management Console**, right-click the **Group Policy Object** (GPO) you want to configure and clickΓÇ»**Edit**.
+
+2. Using the Group Policy Management Editor go to **Computer configuration**.
+
+3. ClickΓÇ»**Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
+
+5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
+## Intune
+
+Follow the instructions in below link to create a custom policy in Intune:
+
+[Add custom settings for Windows 10 devices in Microsoft Intune - Azure \| Microsoft Docs](/mem/intune/configuration/custom-settings-windows-10)
+
+## PowerShell
+
+Use the `Set-MpPreference` cmdlet to configure roll out of the gradual updates.
+
+Use the following parameters:
+
+```powershell
+Set-MpPreference
+-PlatformUpdatesChannel Beta|Preview|Staged|Broad|NotConfigured
+-EngineUpdatesChannel Beta|Preview|Staged|Broad|NotConfigured
+-DisableGradualRelease True|False
+-SignaturesUpdatesChannel Staged|Broad|NotConfigured
+```
+
+Example:
+
+Use `Set-MpPreference -PlatformUpdatesChannel Beta` to configure platform updates to arrive from the Beta Channel.
+
+For more information on the parameters and how to configure them, see [Set-MpPreference (Defender) | Microsoft Docs](/powershell/module/defender/set-mppreference?view=windowsserver2019-ps&preserve-view=true).
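Review bot: The fenced `powershell` block under "Use the following parameters:" is a syntax summary, not a command that runs. The parameters sit on separate lines with no continuation, the allowed values are joined with `|`, and `-DisableGradualRelease True|False` does not use the `$true`/`$false` literals. Either present it as a parameter list with allowed values outside a code fence, or give one runnable line per parameter in the style of the existing example `Set-MpPreference -PlatformUpdatesChannel Beta`. A line showing how to read the configured channel back would let admins confirm the change on a device. Separately, all four table rows give the same Location, "Windows Components\Microsoft Defender Antivirus", so step 5's "Expand the section (referred to as **Location** in the table in this topic)" has nothing further to expand, and the platform row is missing the `<br><br>` before "Beta Channel:" that the engine row has.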
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Download the onboarding package from Microsoft Defender Security Center:
mdatp threat list ```
+## Experience Linux endpoint detection and response (EDR) capabilities with simulated attacks
+
+To test out the functionalities of EDR for Linux, follow the steps below to simulate a detection on your Linux server and investigate the case.
+
+1. Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
+
+2. Download and extract the [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server and run the following command: `./mde_linux_edr_diy.sh`
+
+3. After a few minutes, a detection should be raised in Microsoft Defender Security Center.
+
+4. Look at the alert details, machine timeline, and perform your typical investigation steps.
++++ ## Installer script Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public GitHub repository](https://github.com/microsoft/mdatp-xplat/).
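Review bot: Step 2 asks the reader to download a script through a short link and run `./mde_linux_edr_diy.sh` on "an onboarded Linux server" without saying what the script does, which privileges it needs, or how to clean up afterwards. Add a sentence that this belongs on a test machine rather than a production server, summarize what the script does, and in step 3 name the detection the reader should expect so it can be told apart from a real alert in the same portal.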
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
Note that installation and uninstallation will not necessarily fail if a proxy i
After installation, the `HTTPS_PROXY` environment variable must be defined in the Defender for Endpoint service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
+ > [!NOTE]
+ > On CentOS or RedHat Linux distributions the location of the Endpoint service file is `/usr/lib/systemd/system/mdatp.service`.
+ - Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address. - Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
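Review bot: The new NOTE is inserted between "You can then propagate the variable to the service in one of two ways:" and the two-item list that sentence introduces, so the lead-in no longer sits next to its list. Move the note up, directly after the sentence that names `/lib/systemd/system/mdatp.service`, which is the path it qualifies. Also write "Defender for Endpoint service file" as the surrounding text does, and "Red Hat" as two words.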
security Manage Gradual Rollout https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-gradual-rollout.md
+
+ Title: Manage the gradual rollout process for Microsoft Defender updates
+description: Learn about the gradual update process and controls
+keywords: update, update process, controls, release
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Manage the gradual rollout process for Microsoft Defender updates
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
++
+It is important to ensure that client components are up-to-date to deliver critical protection capabilities and prevent attacks.
+
+Capabilities are provided through several components:
+
+- [Endpoint Detection & Response](overview-endpoint-detection-response.md)
+- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md#microsoft-defender-antivirus-your-next-generation-protection) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
+- [Attack Surface Reduction](overview-attack-surface-reduction.md)
+
+Updates are released monthly using a gradual release process. This process helps to enable early failure detection to catch impact as it occurs and address it quickly before a larger rollout.
+
+> [!NOTE]
+> For more information on how to control daily definition updates, see [Schedule Microsoft Defender Antivirus definition updates - Windows security | Microsoft Docs](manage-protection-update-schedule-microsoft-defender-antivirus.md). Definition updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.
+
+## Microsoft gradual rollout model
+
+The following gradual rollout model is followed for monthly Defender updates:
+
+1. The first release goes out to Beta channel subscribers.
+2. After validation, feedback, and fixes, we start the gradual rollout process in a throttled way and to Preview channel subscribers first.
+3. We then proceed to release the update to the rest of the global population, scaling out from 10-100%.
+
+Our engineers continuously monitor impact and escalate any issues to create a fix as needed.
+
+## How to customize your internal deployment process
+
+If your machines are receiving Defender updates from Windows Update, the gradual rollout process may result in some of your machines receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by leveraging update channel configuration.
+
+> [!NOTE]
+> When planning for your own gradual release, please make sure to always have a selection of devices subscribed to the preview and staged channels. This will provide your organization as well as Microsoft the opportunity to prevent or find and fix issues specific to your environment.
+
+For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager (MECM), more options are available to all Windows updates, including options for Microsoft Defender for Endpoint.
+
+- Read more about how to use a solution like WSUS, MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security | Microsoft Docs](manage-updates-baselines-microsoft-defender-antivirus.md#product-updates).
+
+## Update channels for monthly updates
+
+You can assign a machine to an update channel to define the cadence in which a machine receives monthly engine and platform updates.
+
+For more information on how to configure updates, see [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md).
+
+The following update channels are available:
+
+| Channel name | Description | Application |
+|-|-|-|
+| Beta Channel - Prerelease | Test updates before others | Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only. |
+| Current Channel (Preview) | Get Current Channel updates **earlier** during gradual release | Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments. |
+| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
+| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+
+### Update channels for daily definition updates
+
+You can also assign a machine to a channel to define the cadence in which it receives daily definition updates. Note that unlike the monthly process, there is no Beta channel and this gradual release cycle occurs multiple times a day.
+
+| Channel name | Description | Application |
+|-|-|-|
+| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
+| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates. |
+| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices |
+
+> [!NOTE]
+> In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first.
+
+## Update guidance
+
+In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This provides the best balance between protection and possible impact associated with the changes they can introduce.
+
+For environments where there is a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:
+
+1. Participate in the Windows Insider program or assign a group of devices to the Beta Channel.
+2. Designate a pilot group that opts-in to Preview Channel, typically validation environments, to receive new updates early.
+3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this would be a representative ~10% of the population.
+4. Designate a group of machines that receive updates after the gradual release cycle completes. These are typically important production systems.
+
+For the remainder of devices, the default setting is to receive new updates as they arrive during the Microsoft gradual rollout process and no further configuration is required.
+
+Adopting this model:
+- Allows you to test early releases before they reach a production environment
+- Ensure the production environment still receives regular updates and ensure protection against critical threats.
+
+## Management tools
+To create your own custom gradual rollout process for monthly updates, you can use the following tools:
+
+- Group policy
+- Microsoft Endpoint Manager
+- PowerShell
+
+For details on how to use these tools, see [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md).
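Review bot: The daily definition updates table lists only Staged, Broad and (default), while the sentence above it says only that "there is no Beta channel". Current Channel (Preview) is also absent from that table, so either say so in the sentence or add the row. In the same table, the Broad row's "Note: this setting applies to all Defender updates" needs a clause saying what "all" covers, since monthly and daily channels are otherwise described as separate assignments. Under "Adopting this model", the second bullet should start "Ensures" to match "Allows", and it repeats "ensure" twice in one line.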
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 06/14/2021 Last updated : 06/23/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
No known issues
### What's new - Additional behavior monitoring logic - Improved kernel mode keylogger detection
+- Added new controls to manage the gradual rollout process for [Microsoft Defender updates](manage-gradual-rollout.md)
+ ### Known Issues No known issues
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
When Microsoft Defender Antivirus isn't the active antimalware in your organizat
If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-If you're onboarding servers and Microsoft Defender Antivirus isn't the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
+If you're onboarding servers and Microsoft Defender Antivirus isn't the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
> [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
ms.technology: mde Previously updated : 06/17/2021 Last updated : 06/23/2021 # Protect security settings with tamper protection
With tamper protection, malicious apps are prevented from taking actions such as
### How it works
-Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
+Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows device - Changing settings through PowerShell cmdlets-- Editing or removing security settings through group policies
+- Editing or removing security settings through Group Policy
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team.
Tamper protection doesn't prevent you from viewing your security settings. And,
| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) | | Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
-Depending on the method or management tool you use to enable Tamper protection, there might be a dependency on MAPS (cloud-delivered protection).
+Depending on the method or management tool you use to enable tamper protection, there might be a dependency on cloud-delivered protection.
The following table provides details on the methods, tools, and dependencies.
-| How Tamper protection is enabled | Dependency on MAPS (cloud-delivered protection) |
+| How tamper protection is enabled | Dependency on cloud-delivered protection (MAPS) |
|:-|:-| | Microsoft Intune | No | | Microsoft Endpoint Configuration Manager + Tenant Attach | No |
Tamper protection can be turned on or off for your tenant using the Microsoft De
- Currently, the option to manage tamper protection in the Microsoft Defender Security Center is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis, with plans to make opting in the default method in the near future. (To opt in, in the Microsoft Defender Security Center, choose **Settings** > **Advanced features** > **Tamper protection**.) -- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method.
+- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use either Intune or the tenant attach method.
- When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).
On Windows Server 2016, the Settings app will not accurately reflect the status
2. Use the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus?preserve-view=true&view=win10-ps) PowerShell cmdlet.
-3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
- In the list of results, look for `RealTimeProtectionEnabled`. (A value of true means tamper protection is enabled.)
+3. In the list of results, look for `IsTamperProtected` or `RealTimeProtectionEnabled`. (A value of *true* means tamper protection is enabled.)
## Manage tamper protection for your organization with Configuration Manager, version 2006
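Review bot: Step 3 now reads "look for `IsTamperProtected` or `RealTimeProtectionEnabled`. (A value of *true* means tamper protection is enabled.)", but `RealTimeProtectionEnabled` reports the state of real-time protection, not tamper protection. A device can show `RealTimeProtectionEnabled` as true while `IsTamperProtected` is false, and a reader following this step would wrongly conclude that settings are locked. Keep `IsTamperProtected` as the only indicator here, or state separately what each property reports.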
If you're using [version 2006 of Configuration Manager](/mem/configmgr/core/plan
1. Set up tenant attach. To learn more, see [Microsoft Endpoint Manager tenant attach: Device sync and device actions](/mem/configmgr/tenant-attach/device-sync-actions).
-2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.<br/>
+2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.
+ - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**. - In the **Profile** list, select **Windows Security experience (preview)**. <br/>
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
This topic provides instructions on how to run the tool via Live Response.
```console Run MDELiveAnalyzer.ps1
- GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto
+ GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
``` [ ![Image of commands](images/analyzer-commands.png) ](images/analyzer-commands.png#lightbox)
This topic provides instructions on how to run the tool via Live Response.
> ```console > PutFile MDEClientAnalyzerPreview.zip -overwrite > Run MDELiveAnalyzer.ps1
-> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto
+> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
> ``` > > - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls).
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
The **Investigations** tab lists all the [automated investigations](m365d-autoir
:::image type="content" source="../../media/investigate-incidents/incident-investigations.png" alt-text="Example of an Investigations page for an incident":::
-Select an investigation to navigate to the Investigation details page to get full information on the investigation and remediation status. If there are any actions pending for approval as part of the investigation, they will appear in the Pending actions tab. Take action as part of incident remediation.
+Select an investigation to navigate to its details page for full information on the investigation and remediation status. If there are any actions pending for approval as part of the investigation, they will appear in the **Pending actions history** tab. Take action as part of incident remediation.
+
+There is also an **Investigation graph** tab that shows:
+
+- The connection of alerts to the impacted assets in your organization.
+- Which entities are related to which alerts and how they are part of the story of the attack.
+- The alerts for the incident.
+
+The investigation graph helps you quickly understand the full scope of the attack by connecting the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.
For more information, see [Automated investigation and response in Microsoft 365 Defender](m365d-autoir.md).
Microsoft 365 Defender automatically investigates all the incidents' supported e
Each of the analyzed entities is marked with a verdict (Malicious, Suspicious, Clean) and a remediation status. This helps you understand the remediation status of the entire incident and what next steps can be taken.
-## Graph (in preview)
-
-With the new **Graph** tab (in preview), you can see:
--- The connection of alerts to the impacted assets in your organization.-- Which entities are related to which alerts and how they are part of the story of the attack.-- The alerts for the incident.-
-Here's an example.
--
-The incident graph helps you quickly understand the full scope of the attack by connecting the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.
-
-Now you can understand how the attack spread through your network over time, where it started, and how far the attack went.
- ## Next steps As needed:
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
Although certain alerts and security policies can trigger automated investigatio
Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in [Protect against threats](../office-365-security/protect-against-threats.md).
-1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies & Rules** \> **Threat policies**.
+1. In the Microsoft 365 Defender portal (<https://security.microsoft.com>), go to **Policies & Rules** \> **Threat policies**.
2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats). - [Anti-malware](../office-365-security/protect-against-threats.md#part-1anti-malware-protection-in-eop)
Security settings in Office 365 help protect email and content. To view or chang
- [Safe Links](../office-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365) - [Anti-spam](../office-365-security/protect-against-threats.md#part-3anti-spam-protection-in-eop)
-3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on) is turned on.
+3. Make sure [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/mdo-for-spo-odb-and-teams.md) is turned on.
-4. Make sure [zero-hour auto purge for email](../office-365-security/protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop) protection is in effect.
+4. Make sure [Zero-hour auto purge (ZAP) in Exchange Online](../office-365-security/zero-hour-auto-purge.md) is in effect.
5. (This step is optional.) Review your [Office 365 alert policies](../../compliance/alert-policies.md) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](../../compliance/alert-policies.md#default-alert-policies).
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics.md
When looking at the threat analytics data, remember the following factors:
## Related topics - [Proactively find threats with advanced hunting](advanced-hunting-overview.md) - [Understand the analyst report section](threat-analytics-analyst-reports.md)-- [Assess and resolve security weaknesses and exposures](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Assess and resolve security weaknesses and exposures](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
RSS feed: Get notified when this page is updated by copying and pasting the foll
/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us ```
+## May 2021
+
+- [New alert page in the Microsoft 365 Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243) <br> Provides enhanced information for the context into an attack. You can see which other triggered alert caused the current alert and all the affected entities and activities involved in the attack, including files, users and mailboxes. See [Investigate alerts](/microsoft-365/security/defender/investigate-alerts) for more information.
+- [Trend graph for incidents and alerts in the Microsoft 365 Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425) <br> Determine if there are several alerts for a single incident or that your organization is under attack with several different incidents. See [Prioritize incidents](/microsoft-365/security/defender/incident-queue) for more information.
++ ## April 2021 - Microsoft 365 Defender<br> The improved [Microsoft 365 Defender](https://security.microsoft.com) portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. [Learn what's new](./overview-security-center.md).
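Review bot: The two May 2021 links look swapped. "New alert page in the Microsoft 365 Defender portal" points to the URL ending `easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243`, and "Trend graph for incidents and alerts" points to the URL ending `new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425`. Exchange the targets so each link text matches its blog post slug. The new entries also use absolute `/microsoft-365/security/defender/...` paths for "Investigate alerts" and "Prioritize incidents", where the April entry below uses a relative path (`./overview-security-center.md`).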
security Address Compromised Users Quickly https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/address-compromised-users-quickly.md
ms.prod: m365-security
The compromised user security playbook enables your organization's security team to: - Speed up detection of compromised user accounts;- - Limit the scope of a breach when an account is compromised; and- - Respond to compromised users more effectively and efficiently. ## Compromised user alerts
When a user account is compromised, alerts are triggered. And in some cases, tha
### View and investigate restricted users
-You have a few options for navigating to a list of restricted users. For example, in the Security & Compliance Center, you can go to **Threat management** \> **Review** \> **Restricted Users**. The following procedure describes navigation using the **Alerts** dashboard, which is a good way to see various kinds of alerts that might have been triggered.
-
-1. Go to [https://protection.office.com](https://protection.office.com) and sign in.
-
-2. In the navigation pane, choose **Alerts** \> **Dashboard**.
+You have a few options for navigating to a list of restricted users. For example, in the Microsoft 365 Defender portal, you can go to **Email & collaboration** \> **Review** \> **Restricted Users**. The following procedure describes navigation using the **Alerts** dashboard, which is a good way to see various kinds of alerts that might have been triggered.
-3. In the **Other alerts** widget, choose **Restricted Users**.
+1. Open the Microsoft 365 Defender portal (<https://security.microsoft.com>) and go to **Incidents & alerts** \> **Alerts**. Or, to go directly to the **Alerts** page, use <https://security.microsoft.com/alerts>.
- ![Other alerts widget](/microsoft-365/media/office365atp-otheralertswidget.jpg)
+2. On the **Alerts** page, filter the results by time period and the policy named **User restricted from sending email**.
- This opens the list of restricted users.
+ ![The Alerts page in the Microsoft 365 Defender portal filtered for restricted users](../../media/m365-sc-alerts-page-with-restricted-user.png)
- ![Restricted users in Office 365](/microsoft-365/media/office365atp-restrictedusers.jpg)
+3. If you select the entry by clicking on the name, a **User restricted from sending email** page opens with additional details for you to review. Next to the **Manage alert** button, you can click ![More options icon](../../medi).
-4. Select a user account in the list to view details and take action, such as [releasing the restricted user](removing-user-from-restricted-users-portal-after-spam.md).
+ ![The User restricted from sending email page from the Alerts center](../../media/m365-sc-alerts-user-restricted-from-sending-email-page.png)
### View details about automated investigations
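Review bot: The rewritten procedure no longer tells the reader how to act on a restricted account. The removed step 4 linked to releasing the restricted user (`removing-user-from-restricted-users-portal-after-spam.md`), while the new step 3 ends at "you can click" followed by an icon, without saying what that menu offers. Add the available actions after the icon and restore the link to the release procedure, since the section heading is "View and investigate restricted users" and the response step is what follows investigation.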
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
You will only be able to mark and notify users of review results if the message
## Configure the messages used to notify users
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Others** section \> **User reported message settings**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Others** section \> **User reported message settings**.
2. On the **User submissions** page, if you want to specify the sender display name, check the box for **Specify Office 365 email address to use as sender** under the **Email notifications for admin review results** section, and enter in the name you wish to use. This is the email address that will be visible in Outlook and where replies will go to.
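Review bot: Step 1 changes the UI labels to "**Email & Collaboration**" and "**Policies & Rules**", but other articles in this same update write "**Email & collaboration**" (address-compromised-users-quickly.md). Use the casing shown in the portal consistently across the articles so that readers searching for the menu name find it.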
security Air Review Approve Pending Completed Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md
Title: Review and manage remediation actions in Microsoft Defender for Office 365 keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection
+f1.keywords:
- NOCSH
audience: ITPro localization_priority: Normal
+search.appverid:
- MET150 - MOE150-+ - M365-security-compliance - m365initiative-defender-office365 description: Learn about remediation actions in automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2.
As automated investigations on email & collaboration content result in verdicts,
These remediation actions are not taken unless and until your security operations team approves them. We recommend reviewing and approving any pending actions as soon as possible so that your automated investigations complete in a timely manner. In some cases, you can reconsider submitted actions. You need to be part of Search & purge role before taking any actions. - ## Approve (or reject) pending actions There are four different ways to find and take auto investigation actions:
There are four different ways to find and take auto investigation actions:
- [Investigation and remediation investigations queue](https://security.microsoft.com/airinvestigation) ## Incident queue
-1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
+
+1. Open the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. In the navigation pane, select **Incidents & alerts > Incidents**. 3. Select an incident name to open its summary page. 4. Select the **Evidence and Response** tab. 5. Select an item in the list. Its side pane opens. 6. In the side pane, take approve or reject actions.
-## Investigation queue
-1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
-2. Navigate from the alerts/incident page.
-3. On the Investigation page, go to the **pending actions** tab.
-4. Select an item in the list. Its side pane opens.
+## Investigation queue
+
+1. Open the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
+2. Navigate from the alerts/incident page.
+3. On the Investigation page, go to the **pending actions** tab.
+4. Select an item in the list. Its side pane opens.
5. In the side pane, take approve or reject actions. ## Action center
-1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
+
+1. Open the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. In the navigation pane, select **Action center**. 3. On the **Pending** tab, review the list of actions that are awaiting approval. - Select **Open investigation page** to view more details about the investigation.
There are four different ways to find and take auto investigation actions:
- Select **Reject** to prevent a pending action from being taken. ## Investigation and remediation investigations queue
-1. Go to the [Microsoft 365 security center](https://security.microsoft.com) and sign in.
-2. Open pending investigations.
+
+1. Open the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
+2. Open pending investigations.
3. On the Investigation page, go to the **pending actions** tab.
-4. Select an item in the list. Its side pane opens.
+4. Select an item in the list. Its side pane opens.
5. In the side pane, take approve or reject actions. ## Change or undo one remediation action There are two different ways to reconsider submitted actions:
- - Through the [unified action center](https://security.microsoft.com/action-center).
- - Though the [Office action center](https://security.microsoft.com/threatincidents).
-
+
+- Through the [unified action center](https://security.microsoft.com/action-center).
+- Though the [Office action center](https://security.microsoft.com/threatincidents).
+ ## Change or undo through the unified action center+ 1. Go to the [unified action center](https://security.microsoft.com/action-center) and sign in. 2. On the **History** tab, select an action that you want to change or undo.
-3. In the pane on the right side of the screen, select the appropriate action (**move to inbox**, **move to junk**, **move to deleted items**, **soft delete", or **hard delete**).
+3. In the pane on the right side of the screen, select the appropriate action (**move to inbox**, **move to junk**, **move to deleted items**, **soft delete**, or **hard delete**).
+
+## Change or undo through the Office action center
- ## Change or undo through the Office action center
1. Go to the [Office action center](https://security.microsoft.com/threatincidents) and sign in. 2. Select the appropriate remediation.
-3. In the side pane, click on the mail submissions entry and wait for the list to load.
-4. Wait for the Action button at the top to enable and select the Action button to change the action type.
+3. In the side pane, click on the mail submissions entry and wait for the list to load.
+4. Wait for the Action button at the top to enable and select the Action button to change the action type.
5. This will create the appropriate actions. ## Next steps -- [Use Threat Explorer](threat-explorer.md)
+- [Use Threat Explorer](threat-explorer.md)
- [Admin /Manual Actions](remediate-malicious-email-delivered-office-365.md) - [How to report false positives/negatives in automated investigation and response capabilities](air-report-false-positives-negatives.md)
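Review bot: The second bullet under "Change or undo one remediation action" still reads "Though the [Office action center]" on the added line. This change already rewrites that line to drop the leading space, so correct it to "Through the [Office action center]" in the same pass; as written, the typo is carried forward unchanged.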
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/alerts.md
Title: Alerts in the Security & Compliance Center
+ Title: Alerts in the Microsoft 365 Defender portal
f1.keywords: - NOCSH
ms.assetid: 2bb4e7c0-5f7f-4144-b647-cc6a956aaa53
- M365-security-compliance - m365initiative-defender-office365
-description: Learn about how to use the alerts features in the Office 365 Security & Compliance Center to view and manage alerts, including managing advanced alerts.
+description: Learn about how to use the alerts features in the Microsoft 365 Defender portal to view and manage alerts, including managing advanced alerts.
ms.technology: mdo ms.prod: m365-security
-# Alerts in the Security & Compliance Center
+# Alerts in the Microsoft 365 Defender portal
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Exchange Online Protection](exchange-online-protection-overview.md) - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
-Use the alerts features in the Security & Compliance Center to view and manage alerts for your organization, including managing advanced alerts as part of [Microsoft Cloud App Security overview](/cloud-app-security/what-is-cloud-app-security).
+Use the alerts features in the Microsoft 365 Defender portal to view and manage alerts for your organization, including managing advanced alerts as part of [Microsoft Cloud App Security overview](/cloud-app-security/what-is-cloud-app-security).
## How to get to the alerts features
-Alerts are in the Security & Compliance Center. Here's how to get to the page.
+Alerts are in the Microsoft 365 Defender portal (<https://security.microsoft.com>). Here's how to get to the page:
-### To go directly to the Security & Compliance Center
-
-1. Go to <https://protection.office.com>.
-
-2. Sign in using your work or school account.
-
-3. In the left pane, click **Alerts** to see the alerts features.
-
-### To go to the Security & Compliance Center using the app launcher
-
-1. Sign in using your work or school account.
-
-2. Click the app launcher in the upper left corner, and then click **Security & Compliance**.
-
- Can't find the app you're looking for? From the app launcher, select **All apps** to see an alphabetical list of the Office 365 apps available to you. From there, you can search for a specific app.
-
-3. In the left pane, click **Alerts** to see the alerts features.
+In the **Microsoft 365 Defender portal**, go to **Alerts**. Or, to go direct to the **Alerts** page, use <https://security.microsoft.com/alerts>.
## Alerts features
-The following table describes the tools that are available under **Alerts** in the Security & Compliance Center.
+The following table describes the tools that are available under **Alerts** in the Microsoft 365 Defender portal.
+
+<br>
****
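Review bot: In "How to get to the alerts features", the added lead-in ends with "Here's how to get to the page:" but is now followed by a single sentence rather than the numbered steps that were removed, and the portal is introduced twice with two different URLs. Suggest collapsing the two added lines into one sentence that gives the direct link once, and changing "go direct to" to "go directly to". The removed steps also told readers to sign in with a work or school account; if that still applies to the new portal, keep a short mention of it.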
The following table describes the tools that are available under **Alerts** in t
||| |[Manage alerts](../../compliance/create-activity-alerts.md)|Use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. Activity alerts are similar to searching the audit log for events, except that you'll be sent an email message when an event that you've created an alert for occurs.| |[Manage advanced alerts](/cloud-app-security/what-is-cloud-app-security)|Use the **Manage advanced alerts** feature of Microsoft 365 Cloud App Security to set up policies that can alert you to suspicious and anomalous activity in Microsoft 365. After you're alerted, you can investigate situations that are potentially problematic and, if needed, take action to address security issues.|
-|
+|
security Anti Phishing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection.md
EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office
Microsoft Defender for Office 365 contains additional and more advanced anti-phishing features: - **Anti-phishing policies in Microsoft Defender for Office 365**: Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).- - **Campaign Views**: Machine learning and other heuristics identify and analyze messages that are involved in coordinated phishing attacks against the entire service and your organization. For more information, see [Campaign Views in Microsoft Defender for Office 365](campaigns.md).--- **Attack simulator**: Admins can create fake phishing messages and send them to internal users as an education tool. For more information, see [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md).
+- **Attack simulation training**: Admins can create fake phishing messages and send them to internal users as an education tool. For more information, see [Simulate a phishing attack](attack-simulation-training.md).
## Other anti-phishing resources
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 P
- For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description). -- You need to be assigned permissions in the Security & Compliance Center or in Azure Active Directory before you can do the procedures in this article. Specifically, you need to be a member of **Organization Management**, **Security Administrator**, or one of the following roles:
+- You need to be assigned permissions in the Microsoft 365 Defender portal or in Azure Active Directory before you can do the procedures in this article. Specifically, you need to be a member of **Organization Management**, **Security Administrator**, or one of the following roles:
- **Attack Simulator Administrators**: Create and managed all aspects of attack simulation campaigns. - **Attack Simulator Payload Authors**: Create attack payloads that an admin can initiate later.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) or [About admin roles](../../admin/add-users/about-admin-roles.md).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md) or [About admin roles](../../admin/add-users/about-admin-roles.md).
- There are no corresponding PowerShell cmdlets for Attack simulation training.
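Review bot: The replacement link on the "For more information" line uses the text "Permissions in the Microsoft 365 Defender portal" but targets permissions-microsoft-365-security-center.md. Confirm that the target article's title matches the new link text, otherwise readers land on a page with a different name than the one they clicked. The unchanged role description next to it, "Create and managed all aspects of attack simulation campaigns", has a tense error and could be corrected to "Create and manage" in the same commit.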
security Attack Simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
Title: Attack Simulator in Microsoft Defender for Office 365
+ Title: Attack Simulator in the Security & Compliance Center
f1.keywords: - NOCSH
- m365initiative-defender-office365 - seo-marvel-apr2020
-description: Admins can learn how to use Attack Simulator to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
+description: Admins can learn how to use Attack Simulator in the Security & Complance Center to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
ms.technology: mdo ms.prod: m365-security
-# Attack Simulator in Microsoft Defender for Office 365
+# Attack Simulator in the Security & Compliance Center
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
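Review bot: The added description line misspells the portal name as "Security & Complance Center"; it should read "Security & Compliance Center", matching the new Title and H1 in this same change. Because the description is metadata that surfaces in search results, fix it before merge.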
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
The **Standard** and **Strict** policy setting values that are used as baselines
## Use the configuration analyzer in the Microsoft 365 Defender portal
-In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Templated policies** section \> **Configuration analyzer**.
+In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Templated policies** section \> **Configuration analyzer**.
The **Configuration analyzer** page has two main tabs:
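Review bot: The navigation path changes from "**Email & collaboration** \> **Policies & rules**" to "**Email & Collaboration** \> **Policies & Rules**", and bold text in these steps denotes literal UI labels. Please confirm the casing against the portal itself, since this article previously used the lowercase form while the other articles in this batch already used title case. The added word "page" after **Threat policies** is correctly left outside the bold.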
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
Messages that are identified by the advanced delivery policy aren't security thr
## Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Rules** section \> **Advanced delivery**.
2. On the **Advanced delivery** page, verify that the **SecOps mailbox** tab is selected, and then do one of the following steps: - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**.
The SecOps mailbox entries that you configured are displayed on the **SecOps mai
## Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Rules** section \> **Advanced delivery**.
2. On the **Advanced delivery** page, select the **Phishing simulation** tab, and then do one of the following steps: - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**.
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
You can configure anti-malware policies in the Microsoft 365 Defender portal or
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-Malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-Malware**.
2. On the **Anti-malware** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
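Review bot: The added step 1 ends with "**Anti-Malware**" (capital M), while step 2 directly below and every other procedure in this article use "**Anti-malware**". Since the line is being rewritten anyway, change it to "**Anti-malware**" so the bolded UI label is consistent across the article.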
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
## Use the Microsoft 365 Defender portal to view anti-malware policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, the following properties are displayed in the list of anti-malware policies: - **Name**
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
## Use the Microsoft 365 Defender portal to modify anti-malware policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a policy from the list by clicking on the name.
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-malware policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules). - Anti-malware policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-malware policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default anti-malware policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware page**, select a custom policy from the list by clicking on the name.
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
To increase the effectiveness of anti-phishing protection, you can create custom
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to view anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the following properties are displayed in the list of policies:
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to modify anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules). - Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in EOP, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
security Configure Global Settings For Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-global-settings-for-safe-links.md
You can configure the global Safe Links settings in the Microsoft 365 Defender p
The **Block the following URLs** list identifies the links that should always be blocked by Safe Links scanning in supported apps. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, go to the **Block the following URLs** box.
You can use the **Get-AtpPolicyForO365** cmdlet to view existing entries in the
Safe Links protection for Office 365 apps applies to documents in supported Office desktop, mobile, and web apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, configure the following settings in the **Settings that apply to content in supported Office 365 apps** section:
For detailed syntax and parameter information, see [Set-AtpPolicyForO365](/power
To verify that you've successfully configured the global settings for Safe Links (the **Block the following URLs** list and the Office 365 app protection settings), do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links** \> click **Global settings**, and verify the settings in the fly out that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links** \> click **Global settings**, and verify the settings in the fly out that appears.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command and verify the settings:
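Review bot: The added verification bullet keeps "verify the settings in the fly out that appears", and the steps above it also use "fly out", whereas the anti-phishing articles updated in this same batch write "flyout". Pick one spelling for the UI element and apply it here while the line is being touched; "flyout" matches the other articles.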
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
To increase the effectiveness of anti-phishing protection in Defender for Office
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to view anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to modify anti-phishing policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules). - Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name of the policy.
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in Defender for Office 365, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, and run the following command and verify the settings:
security Configure The Connection Filter Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-connection-filter-policy.md
This article describes how to configure the default connection filter policy in
## Use the Microsoft 365 Defender portal to modify the default connection filter policy
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select **Connection filter policy (Default)** from the list by clicking on the name of the policy.
This article describes how to configure the default connection filter policy in
## Use the Microsoft 365 Defender portal to view the default connection filter policy
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, the following properties are displayed in the list of policies:
For detailed syntax and parameter information, see [Set-HostedConnectionFilterPo
To verify that you've successfully modified the default connection filter policy, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam** \> select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam** \> select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
- In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
To increase the effectiveness of outbound spam filtering, you can create custom
Creating a custom outbound spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Outbound** from the drop down list.
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to view outbound spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, look for one of the following values: - The **Type** value is **Custom outbound spam policy**
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
## Use the Microsoft 365 Defender portal to modify outbound spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select an outbound spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom outbound spam policy**.
To enable or disable a policy, set the policy priority order, or configure the e
You can't disable the default outbound spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the outbound spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules). - Outbound spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default outbound spam policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
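Review bot: Step 2, left as unchanged context under the edited step 1, still reads "select a select a policy". Since this list is being touched, drop the doubled "select a". The bold span "**Type value**" also takes in the word "value", while the view procedure in this same article bolds only **Type**; suggest "**Type** value".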
To change the priority of a policy, you click **Increase priority** or **Decreas
When you use the Microsoft 365 Defender portal to remove a custom outbound spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default outbound spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
To increase the effectiveness of spam filtering, you can create custom anti-spam
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Inbound** from the drop down list.
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
## Use the Microsoft 365 Defender portal to view anti-spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, look for one of the following values: - The **Type** value is **Custom anti-spam policy**
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
## Use the Microsoft 365 Defender portal to modify anti-spam policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
To enable or disable a policy, set the policy priority order, or configure the e
You can't disable the default anti-spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules). - Anti-spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-spam policy has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
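Review bot: The context line for step 2 carries a doubled "select a select a policy" that this edit leaves in place; fix it while step 1 is being updated. Also consider "**Type** value" instead of "**Type value**", to match the wording used in the view procedure for anti-spam policies.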
To change the priority of a policy, you click **Increase priority** or **Decreas
When a spam filtering verdict quarantines a message, you can configure end-user spam notifications to let recipients know what happened to messages that were sent to them. For more information about these notifications, see [End-user spam notifications in EOP](use-spam-notifications-to-release-and-report-quarantined-messages.md).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
When a spam filtering verdict quarantines a message, you can configure end-user
When you use the Microsoft 365 Defender portal to remove a custom anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default anti-spam policy.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
security Create Team Sites In A Political Campaign Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-team-sites-in-a-political-campaign-dev-test-environment.md
To protect a document with Azure Information Protection and this new label, you
[Cloud adoption Test Lab Guides (TLGs)](../../enterprise/cloud-adoption-test-lab-guides-tlgs.md)
-[Microsoft 365 solution and architecture center](../../solutions/index.yml)
+[Microsoft 365 solution and architecture center](../../solutions/index.yml)
security Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365.md
The following table summarizes what's included in each plan.
|Microsoft Defender for Office 365 Plan 1|Microsoft Defender for Office 365 Plan 2| |||
-|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing in Defender for Office 365 protection](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Microsoft Defender for Office 365 Plan 1 capabilities <br> plus <br> Automation, investigation, remediation, and education capabilities:<ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack Simulator](attack-simulator.md)</li><li>[Campaign Views](campaigns.md)</li></ul>|
+|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing in Defender for Office 365 protection](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Microsoft Defender for Office 365 Plan 1 capabilities <br> plus <br> Automation, investigation, remediation, and education capabilities:<ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack simulation training](attack-simulation-training.md)</li><li>[Campaign Views](campaigns.md)</li></ul>|
| - Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, Microsoft 365 E5 Security, and Microsoft 365 E5.
The following table summarizes what's included in each plan.
## Configure Microsoft Defender for Office 365 policies
-With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Microsoft 365 Defender portal (go to <https://security.microsoft.com> \> **Email & collaboration** \> **Policies and rules**).
+With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Microsoft 365 Defender portal (go to <https://security.microsoft.com> \> **Email & collaboration** \> **Policies & rules** \> **Threat policies**).
Learn more by watching [this video](https://www.youtube.com/watch?v=vivvTmWJ_3c).
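Review bot: The path on the added line is cased "**Email & collaboration** \> **Policies & rules**", while the anti-spam procedures changed in this same update write "**Email & Collaboration** \> **Policies & Rules**". Pick the casing that matches the portal UI and use it in both places, so that readers searching for the label find every occurrence.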
Microsoft Defender for Office 365 Plan 2 includes best-of-class [threat investig
- **[Threat Explorer (or real-time detections)](threat-explorer.md)** (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods. -- **[Attack Simulator](attack-simulator.md)** allows you to run realistic attack scenarios in your organization to identify vulnerabilities. Simulations of current types of attacks are available, including spear phishing credential harvest and attachment attacks, and password spray and brute force password attacks.
+- **[Attack simulation training](attack-simulation-training.md)** allows you to run realistic attack scenarios in your organization to identify vulnerabilities. Simulations of current types of attacks are available, including spear phishing credential harvest and attachment attacks, and password spray and brute force password attacks.
## Save time with automated investigation and response
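Review bot: On the added bullet only the feature name and link change from Attack Simulator to Attack simulation training; the description, including "password spray and brute force password attacks", is carried over word for word. Confirm that the renamed feature still offers each simulation type listed, and trim the sentence if it does not.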
New features are added to Microsoft Defender for Office 365 continually. To lear
## See also - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- - [Automated investigation and response (AIR) in Microsoft 365 Defender](../defender/m365d-autoir.md)
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
You need to search the **audit log** to find signs, also called Indicators of Co
### Steps for finding signs of this attack
-1. Open the **Microsoft 365 Defender** portal at <https://security.microsoft.com> and then select **Audit**.
+1. Open the **Microsoft 365 Defender portal** at <https://security.microsoft.com> and then select **Audit**. Or, to go directly to the **Audit** page, use <https://security.microsoft.com/auditlogsearch>.
-2. On the **Audit** page that opens, verify that the **Search** tab is selected, and then configure the following settings:
+2. On the **Audit** page, verify that the **Search** tab is selected, and then configure the following settings:
- **Date and time range** - **Activities**: Verify that **Show results for all activities** is selected.
The script produces one file named Permissions.csv. Follow these steps to look f
## Determine the scope of the attack
-After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender](../../compliance/search-the-audit-log-in-security-and-compliance.md).
+After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](../../compliance/search-the-audit-log-in-security-and-compliance.md).
> [!IMPORTANT] > [Mailbox auditing](../../compliance/enable-mailbox-auditing.md) and [Activity auditing for admins and users](../../compliance/turn-audit-log-search-on-or-off.md) must have been enabled prior to the attack for you to get this information.
security Email Security In Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md
This article explains how to view and investigate malware and phishing attempts
## View malware detected in email
-To see malware detected in email sorted by Microsoft 365 technology, use the [Email > Malware](threat-explorer-views.md#email--malware) view of Explorer (or Real-time detections). Malware is the default view, so it might be selected as soon as you open Explorer.
+To see malware detected in email sorted by Microsoft 365 technology, use the [**Email \> Malware**](threat-explorer-views.md#email--malware) view of Explorer (or Real-time detections). Malware is the default view, so it might be selected as soon as you open Explorer.
1. In the Microsoft 365 Defender portal (<https://security.microsoft.com>), choose **Email & collaboration** \> **Explorer** (or **Real-time detections**; This example uses Explorer).
security Enable The Report Message Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/enable-the-report-message-add-in.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
The Report Message and Report Phishing add-ins for Outlook and Outlook on the web (formerly known as Outlook Web App) enable people to easily report false positives (good email marked as bad) or false negatives (bad email allowed) to Microsoft and its affiliates for analysis.
security Enable The Report Phish Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/enable-the-report-phish-add-in.md
description: "Learn how to enable the Report Phishing add-in for Outlook and Out
> [!NOTE]
-> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
The Report Message and Report Phishing add-ins for Outlook and Outlook on the web (formerly known as Outlook Web App) enable people to easily report false positives (good email marked as bad) or false negatives (bad email allowed) to Microsoft and its affiliates for analysis.
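Review bot: The added note still says "the Submissions portal in the Microsoft 365 Defender portal", which nests one portal inside another. The matching note in enable-the-report-message-add-in.md was changed in this update to "the **Submissions** page in the Microsoft 365 Defender portal"; use the same wording here.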
If you're a global administrator or an Exchange Online administrator, and Exchan
- For organizational installs, the organization needs to be configured to use OAuth authentication. For more information, see [Determine if Centralized Deployment of add-ins works for your organization](../../admin/manage/centralized-deployment-of-add-ins.md). -- Admins need to be a member of the Global admins role group. For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+- Admins need to be a member of the Global admins role group. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
## Get the Report Phishing add-in for yourself
security Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/impersonation-insight.md
You can use the impersonation insight in the Microsoft 365 Defender portal to qu
- **Security Reader** - **Global Reader**
- For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
You can use the impersonation insight in the Microsoft 365 Defender portal to qu
## Open the impersonation insight in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the impersonation insight looks like this:
security Integrate Office 365 Ti With Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde.md
The following image depicts what the **Devices** tab looks like when you have Mi
![When Microsoft Defender for Endpoint is enabled, you can see a list of devices with alerts.](../../media/fec928ea-8f0c-44d7-80b9-a2e0a8cd4e89.PNG)
-In this example, you can see that the recipients of the detected email message have four devices and one has an alert. Clicking the link for a device opens its page in [Microsoft 365 Defender](../defender-endpoint/microsoft-defender-security-center.md) (formerly the Microsoft Defender security center).
+In this example, you can see that the recipients of the detected email message have four devices and one has an alert. Clicking the link for a device opens its page in [the Microsoft 365 Defender portal](../defender-endpoint/microsoft-defender-security-center.md) (formerly the Microsoft Defender security center).
> [!TIP] > The Microsoft 365 Defender portal replaces the Microsoft Defender Security Center. See [Microsoft Defender for Endpoint in Microsoft 365 Defender](../defender/microsoft-365-security-center-mde.md).
In this example, you can see that the recipients of the detected email message h
Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoint is set up in both Defender for Endpoint and Defender for Office 365.
-1. As a global administrator or a security administrator,<https://security.microsoft.com/threatexplorer>.
+1. As a global administrator or a security administrator, open the Microsoft 365 Defender portal (<https://security.microsoft.com>) and go to **Email & collaboration** \> **Explorer**. To go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>.
-2. In the navigation pane, choose **Email & collaboration** \> **Explorer**.
+2. On the **Explorer** page, in the upper right corner of the screen, click **MDE Settings**.
-3. On the **Explorer** page, in the upper right corner of the screen, click **MDE Settings**.
-
-4. In the **Microsoft Defender for Endpoint connection** flyout that appears, turn on **Connect to Microsoft Defender for Endpoint** (![Toggle on](../../media/scc-toggle-on.png)) and then click ![Close icon](../../media/m365-cc-sc-close-icon.png) **Close**.
+3. In the **Microsoft Defender for Endpoint connection** flyout that appears, turn on **Connect to Microsoft Defender for Endpoint** (![Toggle on](../../media/scc-toggle-on.png)) and then click ![Close icon](../../media/m365-cc-sc-close-icon.png) **Close**.
:::image type="content" source="../../mediE Connection":::
-5. Back in the navigation pane, choose **Settings**. On the **Settings** page, choose **Endpoints**
+4. Back in the navigation pane, choose **Settings**. On the **Settings** page, choose **Endpoints**
-6. On the **Endpoints** page that opens, choose **Advanced features**.
+5. On the **Endpoints** page that opens, choose **Advanced features**.
-7. Scroll down to **Office 365 Threat Intelligence connection**, and turn it on (![Toggle on](../../media/scc-toggle-on.png)).
+6. Scroll down to **Office 365 Threat Intelligence connection**, and turn it on (![Toggle on](../../media/scc-toggle-on.png)).
When you're finished, click **Save preferences**.
security Investigate Malicious Email That Was Delivered https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md
To perform certain actions, such as viewing message headers or downloading email
> > The Global Administrator role is assigned the Microsoft 365 admin center (<https://admin.microsoft.com>), and the Security Administrator and Security Reader roles are assigned in Microsoft 365 Defender (<https://security.microsoft.com>). To learn more about roles and permissions, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
-We understand previewing and downloading email are sensitive activities, and so we auditing is enabled for these. Once an admin performs these activities on emails, audit logs are generated for the same and can be seen in the Office 365 Security & Compliance Center (<https://protection.office.com>). Go to **Search** > **Audit log search** and filter on the admin name in Search section. The filtered results will show activity **AdminMailAccess**. Select a row to view details in the **More information** section about previewed or downloaded email.
+We understand previewing and downloading email are sensitive activities, and so we auditing is enabled for these. Once an admin performs these activities on emails, audit logs are generated for the same and can be seen in the Microsoft 365 Defender portal (<https://security.microsoft.com>). Go to **Audit** \> **Search** tab, and filter on the admin name in **Users** box. The filtered results will show activity **AdminMailAccess**. Select a row to view details in the **More information** section about previewed or downloaded email.
## Find suspicious email that was delivered
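Review bot: The added paragraph keeps the broken clause "and so we auditing is enabled for these" from the removed line; suggest "and so auditing is enabled for these activities". In the new navigation text, "filter on the admin name in **Users** box" is missing "the" before **Users**.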
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
## Open the spoof intelligence insight in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the spoof intelligence insight looks like this:
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
Admins of Microsoft Defender for Office 365 (or MDO) E5, and MDO P1 and P2 have
## Reach the email entity page
-Either the existing Security & Compliance center or new Microsoft 365 Defender portal will let you see and use the email entity page.
+The email entity page is available in the Microsoft 365 defender portal (<https://security.microsoft.com>) at **Email & collaboration** \> **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>.
-<br>
+In **Explorer**, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page, reads 'Try out our new email entity page with enriched data...'. Select to view the new page.
-****
-
-|Center|URL|Navigation|
-||||
-|Security & Compliance Center|<https://protection.office.com>|Threat Management \> Explorer|
-|Microsoft 365 Defender portal|<https://security.microsoft.com>|Email & Collaboration \> Explorer|
-|
-
-In Threat Explorer, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page, reads 'Try out our new email entity page with enriched data...'. Select to view the new page.
- :::image type="content" source="../../media/email-entities-2-eep.png" alt-text="This graphic of the email entity page focuses on headings that you'll see. Note the email header is displayed here."::: > [!NOTE]
-> The permissions needed to view and use this page are the same as to view Threat Explorer. The admin must be a member of Global admin or global reader, or Security admin or security reader.
+> The permissions needed to view and use this page are the same as to view **Explorer**. The admin must be a member of Global admin or global reader, or Security admin or Security Reader. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
## Read the email entity page
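Review bot: The first added line writes "Microsoft 365 defender portal" with a lowercase "defender", unlike every other reference in this change; capitalize it. In the revised note the role names are cased inconsistently ("Global admin or global reader, or Security admin or Security Reader"); use one style for all four. The sentence "This invitation to the new page, reads ..." also carries a stray comma after "page".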
The structure is designed to be easy to read and navigate through at a glance. V
:::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="Graphic of the email entity page with the left side highlighted. The title and facts about the mail delivery are over here.":::
-2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through Explorer will also be available through email entity page.
+2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through **Explorer** will also be available through email entity page.
:::image type="content" source="../../media/email-entities-5-preview.png" alt-text="Graphic of the email entity page with the *right* side highlighted, this time. Actions like 'Email preview' and 'Go to quarantine' are here.":::
The structure is designed to be easy to read and navigate through at a glance. V
The tabs along the top of the entity page will allow you to investigate email efficiently.
-1. **Timeline**: The timeline view for an email (per the Threat Explorer timeline) shows the original delivery to post-delivery events that happen on an email. For emails that have no post-delivery actions, the view shows the original delivery row in timeline view. Events like: Zero-hour auto purge (ZAP), Remediate, URL clicks, et cetera, from sources like: system, admin, and user, show up here, in the order in which they occurred.
+1. **Timeline**: The timeline view for an email (per **Explorer** timeline) shows the original delivery to post-delivery events that happen on an email. For emails that have no post-delivery actions, the view shows the original delivery row in timeline view. Events like: Zero-hour auto purge (ZAP), Remediate, URL clicks, et cetera, from sources like: system, admin, and user, show up here, in the order in which they occurred.
2. **Analysis**: Analysis shows fields that help admins analyze an email in depth. For cases where admins need to understand more about detection, sender / recipient, and email authentication details, they should use the Analysis tab. Links for Attachments and URLs are also found on this page, under 'Related Entities'. Both attachments and identified threats are numbered here, and clicking will take you straight to the Attachments and URL pages. This tab also has a View header option to *show the email header*. Admins can compare any detail from email headers, side by side with information on the main panel, for clarity. 3. **Attachments**: This examines attachments found in the email with other details found on attachments. The number of attachments shown is currently limited to 10. Notice that detonation details for attachments found to be malicious is also shown here.
-4. **URLs**: This tab lists URLs found in the email with other details about the URLs. The number of URLs is limited to 10 right now, but these 10 are prioritized to show *malicious URLs first*. Prioritization saves you time and guess-work. The URLs which were found to be malicious and detonated will also be shown here.
+4. **URLs**: This tab lists URLs found in the email with other details about the URLs. The number of URLs is limited to 10 right now, but these 10 are prioritized to show *malicious URLs first*. Prioritization saves you time and guess-work. The URLs that were found to be malicious and detonated will also be shown here.
5. **Similar emails**: This tab lists all emails similar to the *network message id + recipient* combination specific to this email. Similarity is based on the *body of the message*, only. The determinations made on mails to categorize them as 'similar' don't include a consideration of *attachments*. ## New to the email entity page
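Review bot: In the Timeline item, replacing "the Threat Explorer timeline" with "**Explorer** timeline" dropped the article, so the parenthetical now reads "(per **Explorer** timeline)"; suggest "(per the **Explorer** timeline)". The same sentence runs two colon-introduced lists together ("Events like: ... from sources like: ..."), which is worth splitting into two sentences while the line is being touched.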
There are new capabilities that come with this email entity page. Here's the lis
### Email preview for Cloud mailboxes
-Admins can preview emails in Cloud mailboxes, ***if*** the mails are still present in the Cloud. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), emails are no longer present in the Cloud location. In that case, admins won't be able to preview those specific mails. Emails that were dropped, or where delivery failed, never actually made it into the mailbox. As a result, admins won't be able to preview those emails either.
+Admins can preview emails in Cloud mailboxes, ***if*** the mails are still present in the Cloud. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), emails are no longer present in the Cloud location. In that case, admins won't be able to preview those specific mails. Emails that were dropped, or where delivery failed, never made it into the mailbox. As a result, admins won't be able to preview those emails either.
> [!WARNING]
-> Previewing emails requires a special role called ***Preview*** to be assigned to admins. You can add this role by going to **Permissions & roles** > **Email & collaboration roles** in *security.microsoft.com*, or **Permissions** in *protection.office.com*. Add the ***Preview*** role to any of the role groups, or a copy of a role group that allows admins in your organization to work in Threat Explorer.
+> Previewing emails requires a special role called **Preview**. You can add this role in the Microsoft 365 Defender portal as described in [Email & collaboration roles in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md#email--collaboration-roles-in-the-microsoft-365-defender-portal). You might need to create a new **Email & collaboration** role group there and add the **Preview** role to that new role group or add the **Preview** role to a role group that allows admins in your organization to work in **Explorer**.
### Detonation details
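Review bot: The rewritten warning ends in one long sentence that offers two options joined by "or" (create a new **Email & collaboration** role group, or add **Preview** to a role group already used for **Explorer**) without saying which to prefer. Because **Preview** is the role that lets an admin read message content, recommend the dedicated role group first and state that adding the role to an existing group extends preview to every member of that group. The old text's path for *protection.office.com* was removed; if the role can still be assigned there, keep a pointer to it.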
These details are specific to email attachments and URLs. Users can see these de
Users will see enriched detonation details for known malicious attachments or URLs found in their emails, which got detonated for their specific tenant. It will comprise of Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated. 1. *Detonation chain*. A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs effected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious. + > [!NOTE] > This may show just the top level item if none of the entities linked to it were found to be problematic, or were detonated. 1. *Detonation Summary* gives a basic summary for detonation such as *analysis time*, the time when detonation occurred, OS and application, the operating system and application in which the detonation occurred, file size, and verdict reason.
-1. *Screenshots* shows the screenshots captured during detonation. There can be multiple screenshots during detonation. No screenshots are captured for
+1. *Screenshots* show the screenshots captured during detonation. There can be multiple screenshots during detonation. No screenshots are captured for
- Container type files like .zip or .rar. - If a URL opens into a link that directly downloads a file. However, you will see the downloaded file in the detonation chain. 1. *Behavior Details* are an export that shows behavior details like exact events that took place during detonation, and observables that contain URLs, IPs, domains, and files that were found during detonation (and can either be problematic or benign). Be aware, there may be no behavior details for:
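Review bot: The verb fix on the Screenshots item is fine, but the added line still ends "No screenshots are captured for" with no colon before the list that follows. Two errors in the unchanged lines of this section are worth fixing in the same pass: "files or URLs effected by the detonation" should be "affected", and "It will comprise of" should be "It will consist of".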
Users will see enriched detonation details for known malicious attachments or UR
*Email details*: Details required for a deeper understanding of email available in the *Analysis* tab. -- *Exchange Transport Rules (ETRs or mail flow rules)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. These can be only created and modified in the Exchange admin center, but if any ETR applies to a message, the ETR name and GUID will be shown here. Valuable information for tracking purposes.
+- *Exchange transport rules (also known as mail flow rules or ETRs)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. These can be only created and modified in the Exchange admin center, but if any ETR applies to a message, the ETR name and GUID will be shown here. Valuable information for tracking purposes.
- *System Overrides*: This is a means of making exceptions to the delivery location intended for a message by overriding the delivery location given by system (as per the threat and detection tech).
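Review bot: The renamed bullet now leads with "Exchange transport rules (also known as mail flow rules or ETRs)", but the body still says "if any ETR applies to a message, the ETR name and GUID will be shown here", so the term presented as secondary is the one used throughout; pick one and use it consistently. "These can be only created" should read "These can only be created", and the closing fragment "Valuable information for tracking purposes." would be clearer as a full sentence saying that the rule name and GUID identify which rule took precedence over a phish or spam verdict.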
Users will see enriched detonation details for known malicious attachments or UR
- Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified. - None: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed. -- Domain-based Message Authentication, Reporting and Conformance (**DMARC**):
+- Domain-based Message Authentication, Reporting, and Conformance (**DMARC**):
- Pass: Indicates the DMARC check for the message passed. - Fail: Indicates the DMARC check for the message failed. - Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed. - None: Indicates that no DMARC TXT record exists for the sending domain in DNS.
-*Composite Authentication*: This is a value is used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the *From:* domain of the mail as the basis of evaluation.
+*Composite Authentication*: This is a value used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the *From:* domain of the mail as the basis of evaluation.
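Review bot: On the Composite Authentication line, the grammar fix leaves "to combine email authentication like SPF, DKIM, and DMARC", which does not say what is being combined; suggest "combines the results of email authentication checks such as SPF, DKIM, and DMARC". Unlike the DKIM and DMARC entries above it, this entry lists no possible values, so a reader cannot tell what the field will show or how to interpret it.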
security Message Trace Scc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-trace-scc.md
Title: Message trace in the Security & Compliance Center
+ Title: Message trace in the Microsoft 365 Defender portal
f1.keywords: - NOCSH
localization_priority: Normal
ms.assetid: 3e64f99d-ac33-4aba-91c5-9cb4ca476803 - seo-marvel-apr2020
-description: Admins can use message trace in the Security & Compliance Center to find out what happened to messages.
+description: Admins can use the message trace link in the Microsoft 365 Defender portal to find out what happened to messages.
ms.technology: mdo ms.prod: m365-security
-# Message trace in the Security & Compliance Center
+# Message trace in the Microsoft 365 Defender portal
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
+Message trace in the Microsoft 365 Defender portal follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.
+> [!NOTE]
+> Message trace in the Microsoft 365 Defender portal is just a pass through to Message trace in the Exchange admin center. For more information, see [Message trace in the modern Exchange admin center](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac).
+ ## What do you need to know before you begin? - You need to be a member of the **Organization Management**, **Compliance Management** or **Help Desk** role groups in **Exchange Online** to use message trace. For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo). **Notes**: Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). -- The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected (see the [Choose report type](#choose-report-type) section for details). The [Get-HistoricalSearch](/powershell/module/exchange/get-historicalsearch) cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.
+- The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected (see the [Choose report type](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac#choose-report-type) section for details). The [Get-HistoricalSearch](/powershell/module/exchange/get-historicalsearch) cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.
## Open message trace
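Review bot: The added note describes this page as "just a pass through" to message trace in the Exchange admin center, and the "Choose report type" link was repointed to the Exchange article to match, but the sections removed after this point are the targets of other in-page anchors (`#delivery-status`, `#message-id`, `#find-related-records-for-this-message`). Check that links into those anchors from other articles are redirected, and confirm that the reference material being deleted (the report columns and the `custom_data` values such as `SFV=SPM`) is present in the Exchange article before it is dropped from this one. "Pass through" would also read better as "a pass-through" or simply "a link".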
-Open the Security & Compliance Center at <https://protection.office.com/>, and then go to **Mail flow** \> **Message trace**.
-
-To go directly to the **Message trace** page, open <https://protection.office.com/messagetrace>.
-
-## Message trace page
-
-From here you can start a new default trace by clicking on the **Start a trace** button. This will search for all messages for all senders and recipients for the last two days. Or you can use one of the stored queries from the available query categories and either run them as-is or use them as starting points for your own queries:
--- **Default queries**: Built-in queries provided by Microsoft 365.-- **Custom queries**: Queries saved by admins in your organization for future use.-- **Autosaved queries**: The last ten most recently run queries. This list makes it simple to pick up where you left off.-
-Also on this page is a **Downloadable reports** section for the requests you've submitted, as well as the reports themselves when they're are available for download.
-
-## Options for a new message trace
-
-### Filter by senders and recipients
-
-The default values are **All senders** and **All recipients**, but you can use the following fields to filter the results:
--- **By these people**: Click in this field to select one or more senders from your organization. You can also start to type a name and the items in the list will be filtered by what you've typed, much like how a search page behaves.-- **To these people**: Click in this field to select one or more recipients in your organization.-
-> [!NOTE]
->
-> - You can also type the email addresses of external senders and recipients. Wildcards are supported (for example, `*@contoso.com`), but you can't use multiple wildcard entries in the same field at the same time.
-> - You can paste multiple senders or recipients lists separated by semicolons (`;`). spaces (`\s`), carriage returns (`\r`), or next lines (`\n`).
-
-### Time range
-
-The default value is **2 days**, but you can specify date/time ranges of up to 90 days. When you use date/time ranges, consider these issues:
--- By default, you select the time range in **Slider** view using a time line. You can only select the day or time settings that are displayed. Trying to select an in-between value will snap the start/end bubble to the nearest displayed setting.-
- ![A Slider time range in a new message trace in the Security & Compliance Center](../../media/55a9e9c1-f7d5-4047-b217-824e8b976bcb.png)
-
- But, you can also switch to **Custom** view where you can specify the **Start date** and **End date** values (including times), and you can also select the **Time zone** for the date/time range. Note that the **Time zone** setting applies to both your query inputs and your query results.
-
- ![A Custom time range in a new message trace in the Security & Compliance Center](../../media/ed4c8d50-9ea5-4694-93f9-ee3ab6660b4f.png)
-
- For 10 days or less, the results are available instantly as a **Summary** report. If you specify a time range that's even slightly greater than 10 days, the results will be delayed as they are only available as a downloadable CSV file ( **Enhanced summary** or **Extended** reports).
-
- For more information about the different report types, see the [Choose report type](#choose-report-type) section in this article.
-
- > [!NOTE]
- > Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available for download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before processing starts for your queued request.
--- Saving a query in **Slider** view saves the relative time range (for example, 3 days from today). Saving a query in **Custom** view saves the absolute date/time range (for example, 2018-05-06 13:00 to 2018-05-08 18:00).-
-### More search options
-
-#### Delivery status
-
-You can leave the default value **All** selected, or you can select one of the following values to filter the results:
--- **Delivered**: The message was successfully delivered to the intended destination.-- **Pending**: Delivery of the message is being attempted or re-attempted.-- **Expanded**: A distribution group recipient was expanded before delivery to the individual members of the group.-- **Failed**: The message was not delivered.-- **Quarantined**: The message was quarantined (as spam, bulk mail, or phishing). For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).-- **Filtered as spam**: The message was identified spam, and was rejected or blocked (not quarantined).-- **Getting status:** The message was recently received by Microsoft 365, but no other status data is yet available. Check back in a few minutes.-
-> [!NOTE]
-> The values **Pending,** **Quarantined**, and **Filter as spam** are only available for searches less than 10 days. Also, there might be a 5 to 10 minute delay between the actual and reported delivery status.
-
-#### Message ID
-
-This is the internet message ID (also known as the Client ID) that's found in the **Message-ID:** header field in the message header. Users can give you this value to investigate specific messages.
-
-This value is constant for the lifetime of the message. For messages created in Microsoft 365 or Exchange, the value is in the format `<GUID@ServerFQDN>`, including the angle brackets (\< \>). For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`. Other messaging systems might use different syntax or values. This value is supposed to be unique, but not all email systems strictly follow this requirement. If the **Message-ID:** header field doesn't exist or is blank for incoming messages from external sources, an arbitrary value is assigned.
-
-When you use **Message ID** to filter the results, be sure to include the full string, including any angle brackets.
-
-#### Direction
-
-You can leave the default value **All** selected, or you can select **Inbound** (messages sent to recipients in your organization) or **Outbound** (messages sent from users in your organization) to filter the results.
-
-#### Original client IP address
-
-You can filer the results by client IP address to investigate hacked computers that are sending large amounts of spam or malware. Although the messages might appear to come from multiple senders, it's likely that the same computer is generating all of the messages.
-
-> [!NOTE]
-> The client IP address information is only available for 10 days, and is only available in the **Enhanced summary** or **Extended** reports (downloadable CSV files).
-
-### Choose report type
-
-The available report types are:
--- **Summary**: Available if the time range is less than 10 days, and requires no additional filtering options. The results are available almost immediately after you click **Search**. The report returns up to 20000 results.-- **Enhanced summary** or **Extended**: These reports are only available as downloadable CSV files, and require one or more of the following filtering options regardless of the time range: **By these people**, **To these people**, or **Message ID**. You can use wildcards for the senders or the recipients (for example, \*@contoso.com). The Enhanced summary report returns up to 50000 results. The Extended report returns up to 1000 results.-
-> [!NOTE]
->
-> - Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available to download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before your queued request starts to be processed.
-> - While you can select an Enhanced summary or Extended report for any date/time range, commonly the last four hours of archived data will not yet be available for these two types of reports.
-> - The maximum size for a downloadable report is 500 MB. If a downloadable report exceeds 500 MB, you can't open the report in Excel or Notepad.
-
-When you click **Next**, you're presented with a summary page that lists the filtering options that you selected, a unique (editable) title for the report, and the email address that receives the notification when the message trace completes (also editable, and must be in one of your organization's accepted domains). Click **Prepare report** to submit the message trace. On the main **Message trace** page, you can see the status of the report in the **Downloadable reports** section.
-
-For more information about the information that's returned in the different report types, see the next section.
-
-## Message trace results
-
-The different report types return different levels of information. The information that's available in the different reports is described in the following sections.
-
-### Summary report output
-
-After running the message trace, the results will be listed, sorted by descending date/time (most recent first).
-
-![Summary report results for message trace in the Security & Compliance Center](../../media/0664bafe-0b03-477b-b571-0b046ac8c977.png)
-
-The summary report contains the following information:
--- **Date**: The date and time at which the message was received by the service, using the configured UTC time zone.-- **Sender**: The email address of the sender (*alias*@*domain*).-- **Recipient**: The email address of the recipient or recipients. For a message sent to multiple recipients, there's one line per recipient. If the recipient is a distribution group, dynamic distribution group, or mail-enabled security group, the group will be the first recipient, and then each member of the group is on a separate line.-- **Subject**: The first 256 characters of the message's **Subject:** field.-- **Status**: These values are described in the [Delivery status](#delivery-status) section.-
-By default, the first 250 results are loaded and readily available. When you scroll down, there's a slight pause as the next batch of results are loaded. Instead of scrolling, you can click **Load all** to load all of the results up to a maximum of 10,000.
-
-You can click on the column headers to sort the results by the values in that column in ascending or descending order.
-
-You can click **Filter results** to filter the results by one or more columns.
-
-You can export the results after you've selected one or more rows by clicking **Export results** and then selecting **Export all results**, **Export loaded results**, or **Export selected**.
-
-#### Find related records for this message
-
-Related message records are records that shared the same Message ID. Remember, even a single message sent between two people can generate multiple records. The number of records increases when the message is affected by distribution group expansion, forwarding, mail flow rules (also known as transport rules), etc.
-
-After you select a row's check box, you can find related records for the message by clicking the **Find related** button that appears, or by selecting **More options** ![More](../../media/1ea52bbf-9d00-48ce-9362-307f7f6fb7fe.png) \> **Find related records for this message**).
-
-For more information about the Message ID, see the Message ID section earlier in this article.
-
-#### Message trace details
-
-In the summary report output, you can view details about a message by using either of the following methods:
--- Select the row (click anywhere in the row except the check box).-- Select the row's check box and click **More options** ![More](../../media/1ea52bbf-9d00-48ce-9362-307f7f6fb7fe.png) \> **View message details**.-
- ![Details after double-clicking a row in the summary report message trace results in the Security & Compliance Center](../../media/e50ee7cd-810a-4c06-8b58-e56ffd7028d1.png)
-
-The message trace details contain the following additional information that's not present in the summary report:
--- **Message events**: This section contains classifications that help categorize the actions that the service takes on messages. **Some of the more interesting events** that you might encounter are:
- - **Receive**: The message was received by the service.
- - **Send**: The message was sent by the service.
- - **Fail**: The message failed to be delivered.
- - **Deliver**: The message was delivered to a mailbox.
- - **Expand**: The message was sent to a distribution group that was expanded.
- - **Transfer**: Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.
- - **Defer**: The message delivery was postponed and might be re-attempted later.
- - **Resolved**: The message was redirected to a new recipient address based on an Active Directory look up. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.
-
- > [!NOTE]
- >
- > - An uneventful message that's successfully delivered will generate multiple **Event** entries in the message trace.
- > - This list is not meant to be exhaustive. For descriptions of more events, see [Event types in the message tracking log](/Exchange/mail-flow/transport-logs/message-tracking#event-types-in-the-message-tracking-log). Note that this link is an Exchange Server (on-premises Exchange) topic.
--- **More information**: This section contains the following details:
- - **Message ID**: This value is described in the [Message ID](#message-id) section earlier in this article. For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`.
- - **Message size**
- - **From IP**: The IP address of the computer that sent the message. For outbound messages sent from Exchange Online, this value is blank.
- - **To IP**: The IP address or addresses where the service attempted to deliver the message. If the message has multiple recipients, these are displayed. For inbound messages sent to Exchange Online, this value is blank.
-
-### Enhanced summary reports
-
-Available (completed) Enhanced summary reports are available in the **Downloadable reports** section at the beginning message trace. The following information is available in the report:
--- **origin_timestamp**<sup>*</sup>: The date and time when the message was initially received by the service, using the configured UTC time zone.-- **sender_address**: The sender's email address (*alias*@*domain*).-- **Recipient_status**: The status of the delivery of the message to the recipient. If the message was sent to multiple recipients, it will show all the recipients and the corresponding status for each, in the format: \<*email address*\>##\<*status*\>. For example:
- - **##Receive, Send** means the message was received by the service and was sent to the intended destination.
- - **##Receive, Fail** means the message was received by the service but delivery to the intended destination failed.
- - **##Receive, Deliver** means the message was received by the service and was delivered to the recipient's mailbox.
-- **message_subject**: The first 256 characters of the message's **Subject** field.-- **total_bytes**: The size of the message in bytes, including attachments.-- **message_id**: This value is described in the [Message ID](#message-id) section earlier in this article. For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`.-- **network_message_id**: A unique message ID value that persists across all copies of the message that might be created due to bifurcation or distribution group expansion. An example value is `1341ac7b13fb42ab4d4408cf7f55890f`.-- **original_client_ip**: The IP address of the sender's client.-- **directionality**: Indicates whether the message was sent inbound (1) to your organization, or whether it was sent outbound (2) from your organization.-- **connector_id**: The name of the source or destination connector. For more information about connectors in Exchange Online, see [Configure mail flow using connectors in Office 365](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow).-- **delivery_priority**<sup>*</sup>: Whether the message was sent with **High**, **Low**, or **Normal** priority.-
-<sup>*</sup> These properties are only available in Enhanced summary reports.
-
-### Extended reports
-
-Available (completed) Extended reports are available in the **Downloadable reports** section at the beginning of message trace. Virtually all of the information from an Enhanced summary report is available in an Extended report (with the exception of **origin_timestamp** and **delivery_priority**). The following additional information is only available in an Extended report:
--- **client_ip**: The IP address of the email server or messaging client that submitted the message.-- **client_hostname**: The host name or FQDN of the email server or messaging client that submitted the message.-- **server_ip**: The IP address of the source or destination server.-- **server_hostname**: The host name or FQDN of the destination server.-- **source_context**: Extra information associated with the **source** field. For example:
- - `Protocol Filter Agent`
- - `3489061114359050000`
-- **source**: The Exchange Online component that's responsible for the event. For example:
- - `AGENT`
- - `MAILBOXRULE`
- - `SMTP`
-- **event_id**: These correspond to the **Message event** values that are explained in the [Find related records for this message](#find-related-records-for-this-message) section.-- **internal_message_id**: A message identifier that's assigned by the Exchange Online server that's currently processing the message.-- **recipient_address**: The email addresses of the message's recipients. Multiple email addresses are separated by the semicolon character (;).-- **recipient_count**: The total number of recipients in the message.-- **related_recipient_address**: Used with `EXPAND`, `REDIRECT`, and `RESOLVE` events to display other recipient email addresses that are associated with the message.-- **reference**: This field contains additional information for specific types of events. For example:
- - **DSN**: Contains the report link, which is the **message_id** value of the associated delivery status notification (also known as a DSN, non-delivery report, NDR, or bounce message) if a DSN is generated subsequent to this event. If this is a DSN message, this field contains the **message_id** value of the original message that the DSN was generated for.
- - **EXPAND**: Contains the **related_recipient_address** value of the related messages.
- - **RECEIVE**: Might contain the **message_id** value of the related message if the message was generated by other processes (for example, Inbox rules).
- - **SEND**: Contains the **internal_message_id** value of any DSN messages.
- - **TRANSFER**: Contains the **internal_message_id** value of the message that's being forked (for example, by content conversion, message recipient limits, or agents).
- - **MAILBOXRULE**: Contains the **internal_message_id** value of the inbound message that caused the Inbox rule to generate the outbound message. For other types of events, this field is usually blank.
-- **return_path**: The return email address specified by the **MAIL FROM** command that sent the message. Although this field is never empty, it can have the null sender address value represented as `<>`.-- **message_info**: Additional information about the message. For example:
- - The message origination date-time in UTC for `DELIVER` and `SEND` events. The origination date-time is the time when the message first entered the Exchange Online organization. The UTC date-time is represented in the ISO 8601 date-time format: `yyyy-mm-ddThh:mm:ss.fffZ`, where `yyyy` = year, `mm` = month, `dd` = day, `T` indicates the beginning of the time component, `hh` = hour, `mm` = minute, `ss` = second, `fff` = fractions of a second, and `Z` signifies `Zulu`, which is another way to denote UTC.
- - Authentication errors. For example, you might see the value `11a` and the type of authentication that was used when the authentication error occurred.
-- **tenant_id**: A GUID value that represents the Exchange Online organization (for example, `39238e87-b5ab-4ef6-a559-af54c6b07b42`).-- **original_server_ip**: The IP address of the original server.-- **custom_data**: Contains data related to specific event types. For more information, see the following sections.-
-#### custom_data values
-
-The **custom_data** field for an `AGENTINFO` event is used by a variety of Exchange Online agents to log message processing details. Some of the more interesting agents are described in the following sections.
-
-#### Spam filter agent
-
-A **custom_data** value that starts with `S:SFA` is from the spam filter agent. The key details are described in the following table:
-
-<br>
-
-****
-
-|Value|Description|
-|||
-|`SFV=NSPM`|The message was marked as non-spam and was sent to the intended recipients.|
-|`SFV=SPM`|The message was marked as spam by anti-spam filtering (also known as content filtering).|
-|`SFV=BLK`|Filtering was skipped and the message was blocked because it originated from a blocked sender.|
-|`SFV=SKS`|The message was marked as spam prior to being processed by anti-spam filtering. This includes messages where the message matched a mail flow rule (also known as a transport rule) to automatically mark it as spam and bypass all additional filtering.|
-|`SCL=<number>`|For more information about the different SCL values and what they mean, see [Spam confidence levels](spam-confidence-levels.md).|
-|`PCL=<number>`|The Phishing Confidence Level (PCL) value of the message. These can be interpreted the same way as the SCL values documented in [Spam confidence levels](spam-confidence-levels.md).|
-|`DI=SB`|The sender of the message was blocked.|
-|`DI=SQ`|The message was quarantined.|
-|`DI=SD`|The message was deleted.|
-|`DI=SJ`|The message was sent to the recipient's Junk Email folder.|
-|`DI=SN`|The message was routed through the normal outbound delivery pool.|
-|`DI=SO`|The message was routed through the higher risk delivery pool. For more information, see [High-risk delivery pool for outbound messages](high-risk-delivery-pool-for-outbound-messages.md).|
-|`SFS=[a]|SFS=[b]`|This denotes that spam rules were matched.|
-|`IPV=CAL`|The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.|
-|`H=<EHLOstring>`|The HELO or EHLO string of the connecting email server.|
-|`PTR=<ReverseDNS>`|The PTR record of the sending IP address, also known as the reverse DNS address.|
-|
-
-An example **custom_data** value for a message that's filtered for spam like this:
-
-`S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;`
-
-#### Malware filter agent
-
-A **custom_data** value that starts with `S:AMA` is from the malware filter agent. The key details are described in the following table:
-
-<br>
-
-****
-
-|Value|Description|
-|||
-|`AMA=SUM|v=1|` or `AMA=EV|v=1`|The message was determined to contain malware. `SUM` indicates the malware could've been detected by any number of engines. `EV` indicates the malware was detected by a specific engine. When malware is detected by an engine this triggers the subsequent actions.|
-|`Action=r`|The message was replaced.|
-|`Action=p`|The message was bypassed.|
-|`Action=d`|The message was deferred.|
-|`Action=s`|The message was deleted.|
-|`Action=st`|The message was bypassed.|
-|`Action=sy`|The message was bypassed.|
-|`Action=ni`|The message was rejected.|
-|`Action=ne`|The message was rejected.|
-|`Action=b`|The message was blocked.|
-|`Name=<malware>`|The name of the malware that was detected.|
-|`File=<filename>`|The name of the file that contained the malware.|
-|
-
-An example **custom_data** value for a message that contains malware looks like this:
-
-`S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201707282038|name=Test_File|file=filename`
-
-#### Transport Rule agent
-
-A **custom_data** value that starts with`S:TRA` is from the Transport Rule agent for mail flow rules (also known as transport rules). The key details are described in the following table:
-
-<br>
-
-****
-
-|Value|Description|
-|||
-|`ETR|ruleId=<guid>`|The rule ID that was matched.|
-|`St=<datetime>`|The date and time in UTC when the rule match occurred.|
-|`Action=<ActionDefinition>`|The action that was applied. For a list of available actions, see [Mail flow rule actions in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions).|
-|`Mode=<Mode>`|The mode of the rule. Valid values are:<ul><li>**Enforce**: All actions on the rule will be enforced.</li><li>**Test with Policy Tips:**: Any Policy Tip actions will be sent, but other enforcement actions will not be acted on.</li><li>**Test without Policy Tips**: Actions will be listed in a log file, but senders will not be notified in any way, and enforcement actions will not be acted on.</li></ul>|
-|
-
-An example **custom_data** value for a messages that matches the conditions of a mail flow rule looks like this:
+In the Microsoft 365 Defender portal (<https://security.microsoft.com>), go to **Email & collaboration** \> **Exchange message trace**. Or, to go directly to the message trace page, use <https://admin.exchange.microsoft.com/#/messagetrace>.
-`S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce`
+At this point, message trace in the EAC opens. For more information, see [Message trace in the modern Exchange admin center](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac).
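Review bot: the removed block at the top of this hunk is the reference for interpreting **custom_data** in extended reports (the `S:SFA` values such as `SFV=SKS` and `IPV=CAL`, the `S:AMA` action codes, the `S:TRA` rule ID and mode), and the two added lines replace it with navigation text only. Confirm that the linked message-trace-modern-eac article carries the field list and agent tables before dropping them here, or keep a pointer to wherever they now live, since these values are what show why a message was allowed through or skipped filtering. The second added line ("At this point, message trace in the EAC opens") also reads oddly after a sentence that offers two ways in; consider folding it into the first.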
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
An alert is triggered, and a security playbook starts an automated investigation
1. An automated investigation is initiated in one of the following ways: - Either [an alert is triggered](#which-alert-policies-trigger-automated-investigations) by something suspicious in email (such as a message, attachment, URL, or compromised user account). An incident is created, and an automated investigation begins; or
- - A security analyst [starts an automated investigation](automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Threat Explorer](threat-explorer.md).
+ - A security analyst [starts an automated investigation](automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Explorer](threat-explorer.md).
2. While an automated investigation runs, it gathers data about the email in question and entities related to that email. Such entities can include files, URLs, and recipients. The investigation's scope can increase as new and related alerts are triggered. 3. During and after an automated investigation, [details and results](air-view-investigation-results.md) are available to view. Results include [recommended actions](air-remediation-actions.md) that can be taken to respond to and remediate any threats that were found. 4. Your security operations team reviews the [investigation results and recommendations](air-view-investigation-results.md), and [approves or rejects remediation actions](air-review-approve-pending-completed-actions.md).
AIR capabilities are included in [Microsoft Defender for Office 365](defender-fo
- [Anti-phishing protection](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365) - [Anti-spam protection](protect-against-threats.md#part-3anti-spam-protection-in-eop) - [Safe Links and Safe Attachments](protect-against-threats.md#part-4protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365)-- [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on)-- [Zero-hour auto purge for email](protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop) In addition, make sure to [review your organization's alert policies](../../compliance/alert-policies.md), especially the [default policies in the Threat management category](../../compliance/alert-policies.md#default-alert-policies).
Permissions are granted through certain roles, such as those that are described
|Task|Role(s) required| |||
-|Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <p> These roles can be assigned in [Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).|
-|Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md): <ul><li>Global Administrator</li><li>Security Administrator</li><li>Security Operator</li><li>Security Reader <br> and </li><li>Search and Purge (this role is assigned only in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md). You might have to create a new role group there and add the Search and Purge role to that new role group.</li></ul>|
-|
+|Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <p> These roles can be assigned in [Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).|
+|Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md): <ul><li>Global Administrator</li><li>Security Administrator</li><li>Security Operator</li><li>Security Reader <br> and </li><li>Search and Purge (this role is assigned only in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md). You might need to create a new **Email & collaboration** role group there and add the Search and Purge role to that new role group.</li></ul>|
## Required licenses
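Review bot: in the added "Start an automated investigation" row, the parenthesis opened at "(this role is assigned only in the" is never closed, and the list still reads "Security Reader <br> and </li><li>Search and Purge" under "One of the following roles", so it is unclear whether Search and Purge is required on top of any listed role or only alongside Security Reader. Because this row decides who can approve or reject remediation actions, state the requirement explicitly and close the parenthesis after "role group".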
The new and improved Microsoft 365 Defender portal brings together AIR capabilit
> [!TIP] > The new Microsoft 365 Microsoft 365 Defender portal (<https://security.microsoft.com>) replaces the following centers: >
-> - Office 365 Security & Compliance Center (<https://protection.office.com>)
+> - Security & Compliance Center (<https://protection.office.com>)
> - Microsoft Defender Security Center (<https://securitycenter.windows.com>) > > In addition to the URL changing, there's a new look and feel, designed to give your security team a more streamlined experience, with visibility to more threat detections in one place.
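Review bot: the TIP line just above the changed bullet still reads "The new Microsoft 365 Microsoft 365 Defender portal"; drop the duplicated "Microsoft 365" while this block is being touched.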
The following table lists changes and improvements coming to AIR in Microsoft De
|**Investigations** page|The updated **Investigations** page is more consistent with what you see in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). You'll see some general format and styling changes that align with the new, unified **Investigations** view. For example, the investigation graph has a more unified format.| |**Users** tab|The **Users** tab is now the **Mailboxes** tab. Details about users are listed on the **Mailbox** tab.| |**Email** tab|The **Email** tab has been removed; visit the **Entities** tab to see a list of email and email cluster items.|
-|**Entities** tab|The **Entities** tab has a tab-in-tab style that includes an all-summary view, and the ability to filter by entity type. The **Entities** tab now includes a **Go hunting** option in addition to the **Open in Explorer** option. You can now use either [Threat Explorer](threat-explorer.md) or [advanced hunting](../defender-endpoint/advanced-hunting-overview.md) to find entities and threats, and filter on results.|
+|**Entities** tab|The **Entities** tab has a tab-in-tab style that includes an all-summary view, and the ability to filter by entity type. The **Entities** tab now includes a **Go hunting** option in addition to the **Open in Explorer** option. You can now use either [Explorer](threat-explorer.md) or [advanced hunting](../defender-endpoint/advanced-hunting-overview.md) to find entities and threats, and filter on results.|
|**Actions** tab|The updated **Actions** tab now includes a **Pending actions** tab and an **Actions history** tab. Actions can be approved (or rejected) in a side pane that opens when you select a pending action.| |**Evidence** tab|A new **Evidence** tab shows the key entity findings related to actions. Actions related to each piece of evidence can be approved (or rejected) in a side pane that opens when you select a pending action.|
-|**Action center**|The updated **Action center** ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) brings together pending and completed actions across email, devices, and identities. To learn more, see Action center. (To learn more, see [The Action center](../defender/m365d-action-center.md).)|
+|**Action center**|The updated **Action center** (<https://security.microsoft.com/action-center>) brings together pending and completed actions across email, devices, and identities. To learn more, see Action center. (To learn more, see [The Action center](../defender/m365d-action-center.md).)|
|**Incidents** page|The **Incidents** page now correlates multiple investigations together to provide a better consolidated view of investigations. ([Learn more about Incidents](../defender/incidents-overview.md).)| |
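Review bot: the added **Action center** row keeps the doubled pointer "To learn more, see Action center. (To learn more, see [The Action center](../defender/m365d-action-center.md).)". The first sentence has no link and repeats the second, so remove it and keep only the linked one.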
security Office 365 Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-evaluation.md
Conducting a thorough security product evaluation can help give you informed dec
The [Microsoft Defender for Office 365](defender-for-office-365.md) evaluation experience is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of Microsoft Defender for Office 365. With evaluation mode, all messages sent to Exchange Online mailboxes can be evaluated without pointing MX records to Microsoft. The feature only applies to email protection and not to Office Clients like Word, SharePoint, or Teams.
-If you don't already have a license that supports Microsoft Defender for Office 365, you can start a [free 30-day evaluation](https://admin.microsoft.com/AdminPortal/Home#/catalog/offer-details/microsoft-defender-for-office-365-plan-2-/223860DC-15D6-42D9-A861-AE05473069FA) and test the capabilities in the Office 365 Security & Compliance center (https://protection.office.com/homepage). You'll enjoy the quick set-up and you can easily turn it off if necessary.
+If you don't already have a license that supports Microsoft Defender for Office 365, you can start a [free 30-day evaluation](https://admin.microsoft.com/AdminPortal/Home#/catalog/offer-details/microsoft-defender-for-office-365-plan-2-/223860DC-15D6-42D9-A861-AE05473069FA) and test the capabilities in the Microsoft 365 Defender portal at <https://security.microsoft.com>. You'll enjoy the quick set-up and you can easily turn it off if necessary.
> [!NOTE]
-> If you're in the unified Microsoft 365 security portal (security.microsoft.com) you can start a Defender for Office 365 evaluation here: Email & Collaboration > Policies & Rules > Threat Policies > Additional Policies.
+> If you're in the Microsoft 365 Defender portal (<https://security.microsoft.com>), you can start a Defender for Office 365 evaluation here: **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Others** section \> **Evaluation mode**.
## How the evaluation works Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages. You are not required to change your MX record configuration.
-With evaluation mode, [Safe Attachments](safe-attachments.md), [Safe Links](safe-links.md), and [mailbox intelligence based impersonation policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are set up on your behalf. All Defender for Office 365 policies are created in non-enforcement mode in the background and are not visible to you.
+With evaluation mode, [Safe Attachments](safe-attachments.md), [Safe Links](safe-links.md), and [mailbox intelligence based impersonation policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are set up on your behalf. All Defender for Office 365 policies is created in non-enforcement mode in the background and are not visible to you.
As part of the setup, evaluation mode also configuresΓÇ»[Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors). It improves filtering accuracy by preserving IP address and sender information, which are otherwise lost when mail passes through an email security gateway (ESG) in front of Defender for Office 365. Enhanced Filtering for Connectors also improves the filtering accuracy for your existing Exchange Online Protection (EOP) anti-spam and anti-phishing policies.
-Enabled Enhanced Filtering for Connectors improves filtering accuracy but may alter deliverability for certain messages if you have an ESG in front of Defender for Office 365, and currently do not bypass EOP filtering. The impact is limited to EOP policies; MDO policies setup as part of the evaluation are created in non-enforcement mode. To minimize potential production impact, you can bypass all EOP filtering by creating a transport rule to set the Spam Confidence Level (SCL) to -1. See [Use the EAC to create a mail flow rule that sets the SCL of a message](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl#use-the-eac-to-create-a-mail-flow-rule-that-sets-the-scl-of-a-message) for details.
+Enhanced Filtering for Connectors improves filtering accuracy but may alter deliverability for certain messages if you have an ESG in front of Defender for Office 365, and currently do not bypass EOP filtering. The impact is limited to EOP policies; MDO policies set up as part of the evaluation are created in non-enforcement mode. To minimize potential production impact, you can bypass all EOP filtering by creating a mail flow rule (also known as a transport rule) to set the spam confidence level (SCL) of messages to -1. See [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl) for details.
-When the evaluation mode is set up, you will have a report updated daily with up to 90 days of data quantifying the messages that would have been blocked if the policies were implemented (for example, delete, send to junk, quarantine). Reports are generated for all Defender for Office 365 and EOP detections. They are aggregated per detection technology (for example, impersonation) and can be filtered by time range. Additionally, message reports can be created on-demand to create custom pivots or to deep dive messages using Threat Explorer.
+When the evaluation mode is set up, you will have a report updated daily with up to 90 days of data quantifying the messages that would have been blocked if the policies were implemented (for example, delete, send to junk, quarantine). Reports are generated for all Defender for Office 365 and EOP detections. They are aggregated per detection technology (for example, impersonation) and can be filtered by time range. Additionally, message reports can be created on-demand to create custom pivots or to deep dive messages using Explorer.
With the simplified set-up experience, you can focus on:
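Review bot: the added line for the evaluation-mode paragraph changes "policies are created" to "All Defender for Office 365 policies is created in non-enforcement mode", which breaks subject-verb agreement and now disagrees with "and are not visible to you" later in the same sentence; restore "are created". In the same hunk, the context line "evaluation mode also configuresΓÇ»[Enhanced Filtering for Connectors]" appears to carry a mis-encoded non-breaking space that should be a plain space in the source.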
You will be able to scope the evaluation to an inbound connector. If there's no
## Get started with the evaluation
-Find the Microsoft Defender for Office 365 evaluation set-up card in the Office 365 Security & Compliance center (https://protection.office.com/homepage) from three access points:
+Find the Microsoft Defender for Office 365 evaluation set-up card in the Microsoft 365 Defender portal (<https://security.microsoft.com>) from three access points:
-- Threat management > Dashboard-- Threat management > Policy-- Reports > Dashboard
+- **Endpoints** \> **Vulnerability Management** \> **Dashboard** (<https://security.microsoft.com/tvm_dashboard>)
+- **Email & collaboration** \> **Policies & rules** \> **Threat policies** (<https://security.microsoft.com/threatpolicy>)
+- **Reports** \> **Email & collaboration** \> **Email & collaboration reports** (<https://security.microsoft.com/emailandcollabreport>)
## Setting up the evaluation
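Review bot: the first added access point replaces "Threat management > Dashboard" with **Endpoints** \> **Vulnerability Management** \> **Dashboard** (<https://security.microsoft.com/tvm_dashboard>), which by its path is an endpoint vulnerability page rather than an email one. Please confirm that the Defender for Office 365 evaluation set-up card really appears there, and otherwise list the page that does.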
Review your settings and edit them if necessary. Then, select **Create evaluatio
Your Microsoft Defender for Office 365 evaluation report is generated once per day. It may take up to 24 hours for the data to populate.
-### Exchange rules (optional)
+### Exchange mail flow rules (optional)
-If you have an existing gateway, enabling evaluation mode will activate enhanced filtering for connectors. This improves filtering accuracy by altering the incoming sender IP address. This may change the filter verdicts and if you are not bypassing Exchange Online Protection this may alter deliverability for certain messages. In this case you might want to temporarily bypass filtering to analyze impact. To bypass, navigate to the Exchange admin center and create a policy of SCL -1 (if you don't already have one). For details on the rule components and how they work, see Mail flow rules (transport rules) in Exchange Online.
+If you have an existing gateway, enabling evaluation mode will activate Enhanced Filtering for Connectors. This feature improves filtering accuracy by altering the incoming sender IP address. This feature might change the filter verdicts, and if you are not bypassing Exchange Online Protection, this may alter deliverability for certain messages. In this case, you might want to temporarily bypass filtering to analyze impact. To bypass filtering, open the Exchange admin center (EAC) at <https://admin.exchange.microsoft.com> and create a mail flow rule that sets the SCL of messages to -1 (if you don't already have one). For instructions, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
## Evaluate capabilities
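Review bot: the added paragraph says Enhanced Filtering for Connectors improves accuracy "by altering the incoming sender IP address", while the earlier description in this article says it works "by preserving IP address and sender information"; use the same wording in both places. Since the suggested rule sets the SCL to -1 to bypass EOP filtering, the text should also tell the reader to remove the rule once the impact analysis is done; at present it only says "temporarily".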
You can go to **Settings** to update your routing or turn off your evaluation at
Your feedback helps us get better at protecting your environment from advanced attacks. Share your experience and impressions of product capabilities and evaluation results.
-Select **Give feedback** to let us know what you think.
+Select **Give feedback** to let us know what you think.
security Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md
Threat investigation and response capabilities in [Microsoft Defender for Office
- Providing insights and knowledge to help security operations prevent cyberattacks against their organization - Employing [automated investigation and response in Office 365](automated-investigation-response-office.md) for critical email-based threats
-Threat investigation and response capabilities provide insights into threats and related response actions that are available in the Security & Compliance Center. These insights can help your organization's security team protect users from email- or file-based attacks. The capabilities help monitor signals and gather data from multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents. Business decision makers and your security operations team can use this information to understand and respond to threats against your organization and protect your intellectual property.
+Threat investigation and response capabilities provide insights into threats and related response actions that are available in the Microsoft 365 Defender portal. These insights can help your organization's security team protect users from email- or file-based attacks. The capabilities help monitor signals and gather data from multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents. Business decision makers and your security operations team can use this information to understand and respond to threats against your organization and protect your intellectual property.
## Get acquainted with threat investigation and response tools
-Threat investigation and response capabilities surface in the Security & Compliance Center, as a set of tools and response workflows, including the following:
+Threat investigation and response capabilities surface in the Microsoft 365 Defender portal, as a set of tools and response workflows, including the following:
-- [Threat dashboard](#threat-dashboard)-- [Explorer](#threat-explorer)
+- [Explorer](#explorer)
- [Incidents](#incidents)-- [Attack Simulator](#attack-simulator)
+- [Attack simulation training](attack-simulation-training.md)
- [Automated investigation and response](automated-investigation-response-office.md)
-### Threat dashboard
+### Explorer
-Use the Threat dashboard (this is also referred to as the [Security dashboard](security-dashboard.md)) to quickly see what threats have been addressed, and as a visual way to report to business decision makers how Microsoft 365 services are securing your business.
-
-![Threat Dashboard](../../media/ce013a31-3f80-4d09-bb95-bfb7623b8bc4.png)
-
-To view and use this dashboard, in the Security & Compliance Center, go to **Threat management** \> **Dashboard**.
-
-### Threat Explorer
-
-Use [Threat Explorer (and real-time detections)](threat-explorer.md) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Threat Explorer (also referred to as Explorer) is the starting place for any security analyst's investigation workflow.
+Use [Explorer (and real-time detections)](threat-explorer.md) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Explorer (also referred to as Threat Explorer) is the starting place for any security analyst's investigation workflow.
![Threat explorer](../../media/7a7cecee-17f0-4134-bcb8-7cee3f3c3890.png)
-To view and use this report, in the Security & Compliance Center, go to **Threat management** \> **Explorer**.
+To view and use this report, in the Microsoft 365 Defender portal, go to **Email & collaboration** > **Explorer**.
### Incidents
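Review bot: in the tools list, the added entry "[Attack simulation training](attack-simulation-training.md)" links out to another article while its neighbours use in-page anchors (`#explorer`, `#incidents`), even though this patch also adds a "### Attack simulation training" section further down; point it at the in-page anchor for consistency. The added navigation line "**Email & collaboration** > **Explorer**" also uses a bare `>` where the line it replaces used the escaped `\>` form; keep the escaped form.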
Use the Incidents list (this is also called Investigations) to see a list of in
![List of current Threat Incidents in Office 365](../../media/acadd4c7-d2de-4146-aeb8-90cfad805a9c.png)
-To view the list of current incidents for your organization, in the Security & Compliance Center, go to **Threat management** \> **Review** \> **Incidents**.
+To view the list of current incidents for your organization, in the Microsoft 365 Defender portal, go to **Incidents & alerts** > **Incidents**.
![In the Security & Compliance Center, choose Threat management \> Review](../../media/e0f46454-fa38-40f0-a120-b595614d1d22.png)
-### Attack Simulator
+### Attack simulation training
+
+Use Attack simulation training to set up and run realistic cyberattacks in your organization, and identify vulnerable people before a real cyberattack affects your business. To learn more, see [Simulate a phishing attack](attack-simulation-training.md).
-Use Attack Simulator to set up and run realistic cyberattacks in your organization, and identify vulnerable people before a real cyberattack affects your business. To learn more, see [Attack Simulator in Office 365](attack-simulator.md).
+To view and use this feature in the Microsoft 365 Defender portal, go to **Email & collaboration** > **Attack simulation training**.
### Automated investigation and response
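Review bot: the image line that follows the updated Incidents instruction still has the alt text "In the Security & Compliance Center, choose Threat management \> Review", which no longer matches the new path **Incidents & alerts** > **Incidents**. Update the alt text and check whether the screenshot itself needs replacing.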
Microsoft 365 threat investigation and response capabilities are included in Mic
## Required roles and permissions
-Microsoft Defender for Office 365 uses role-based access control. Permissions are assigned through certain roles in Azure Active Directory, the Microsoft 365 admin center, or the Security & Compliance Center.
+Microsoft Defender for Office 365 uses role-based access control. Permissions are assigned through certain roles in Azure Active Directory, the Microsoft 365 admin center, or the Microsoft 365 Defender portal.
> [!TIP]
-> Although some roles, such as Security Administrator, can be assigned in the Security & Compliance Center, consider using either the Microsoft 365 admin center or Azure Active Directory instead. For information about roles, role groups, and permissions, see the following resources:
->
-> - [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)
+> Although some roles, such as Security Administrator, can be assigned in the Microsoft 365 Defender portal, consider using either the Microsoft 365 admin center or Azure Active Directory instead. For information about roles, role groups, and permissions, see the following resources:
>
+> - [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md)
> - [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)
+<br>
+ **** |Activity|Roles and permissions| |||
-|Use the Threat dashboard (or the new [Security dashboard](security-dashboard.md)) <p> View information about recent or current threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
-|Use [Threat Explorer (and real-time detections)](threat-explorer.md) to analyze threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
+|Use the Threat & Vulnerability Management dashboard (or the new [Security dashboard](security-dashboard.md)) <p> View information about recent or current threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
+|Use [Explorer (and real-time detections)](threat-explorer.md) to analyze threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
|View Incidents (also referred to as Investigations) <p> Add email messages to an incident|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
-|Trigger email actions in an incident <p> Find and delete suspicious email messages|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator** plus the **Search and Purge** role</li></ul> <p> The **Global Administrator** and **Security Administrator** roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> The **Search and Purge** role must be assigned in the Security & Compliance Center (<https://protection.office.com>).|
-|Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint <p> Integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server|Either the **Global Administrator** or the **Security Administrator** role assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> **plus** <p> An appropriate role assigned in additional applications (such as [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/user-roles) or your SIEM server).|
+|Trigger email actions in an incident <p> Find and delete suspicious email messages|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator** plus the **Search and Purge** role</li></ul> <p> The **Global Administrator** and **Security Administrator** roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> The **Search and Purge** role must be assigned in the **Email & collaboration roles** in the Microsoft 36 Defender portal (<https://security.microsoft.com>).|
+|Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint <p> Integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server|Either the **Global Administrator** or the **Security Administrator** role assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> **plus** <p> An appropriate role assigned in additional applications (such as [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/user-roles) or your SIEM server).|
| ## Next steps - [Learn about Threat Trackers - New and Noteworthy](threat-trackers.md)- - [Find and investigate malicious email that was delivered (Office 365 Threat Investigation and Response)](investigate-malicious-email-that-was-delivered.md)- - [Integrate Office 365 Threat Investigation and Response with Microsoft Defender for Endpoint](integrate-office-365-ti-with-mde.md)--- [Learn about Attack Simulator](attack-simulator.md)
+- [Simulate a phishing attack](attack-simulation-training.md)
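Review bot: Typo in the added "Trigger email actions in an incident" row: "Microsoft 36 Defender portal" should read "Microsoft 365 Defender portal". This row is the only place in the table that says where the **Search and Purge** role has to be assigned, so the portal name needs to be exact. Also worth confirming in the first added row that "Threat & Vulnerability Management dashboard" is the intended name, since the row still links to security-dashboard.md as "the new Security dashboard" and keeps the description "View information about recent or current threats".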
security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md
This quick-reference will help you understand what capabilities come with each M
|Defender for Office 365 Plan 1|Defender for Office 365 Plan 2| |||
-|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack Simulator](attack-simulator.md)</li></ul>|
+|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack simulation training](attack-simulation-training.md)</li></ul>|
| - Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, and Microsoft 365 E5.
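Review bot: Naming is inconsistent in the added Plan 2 cell, which still lists "[Threat Explorer](threat-explorer.md)", while the same batch renames the link text for threat-explorer.md to "Explorer (and real-time detections)" in the roles table of another article. If the feature is now called Explorer, update this cell (and the "Use Threat Explorer or Real-time detections" link further down) in the same change so the two articles agree.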
Catch up on [what's new in Microsoft Defender for Office 365 (including EOP deve
[Use Threat Explorer or Real-time detections](threat-explorer.md)
-Use [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md)
-
+Use [Attack simulation training](attack-simulation-training.md)
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
In other words, the settings of the **Strict protection** policy override the se
### Use the Microsoft 365 Defender portal to assign preset security policies to users
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & Rules** \> **Threat Policies** \> **Templated policies** section \> **Preset Security Policies**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Templated policies** section \> **Preset Security Policies**.
2. Under **Standard protection** or **Strict protection**, click **Edit**.
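Review bot: Capitalization of the navigation path in the added step 1 changed to "**Email & Collaboration**", but the removed line and the roles table edited in this same batch ("**Email & collaboration roles**") use a lowercase "collaboration". Match whatever the portal actually shows and use one form across the articles, otherwise readers searching for the node name will not find it.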
In other words, the settings of the **Strict protection** policy override the se
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click **Next**.
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
Title: Protect against threats
+ Title: Protect against threats in Microsoft Defender for Office 365, Anti-malware, Anti-Phishing, Anti-spam, Safe links, Safe attachments, Zero-hour auto purge (ZAP), MDO security configuration
f1.keywords: - NOCSH
audience: Admin - localization_priority: Normal Previously updated : 09/08/2020 Last updated : 06/22/2021 search.appverid: - MOE150 - MET150
Here's a quick-start guide that breaks the configuration of Defender for Office
> [!IMPORTANT] > **Initial recommended settings are included for each kind of policy; however, many options are available, and you can adjust your settings to meet your specific organization's needs**. Allow approximately 30 minutes for your policies or changes to work their way through your datacenter.
+>
+> To skip manual configuration of most policies in Defender for Office 365, you can use preset security policies at the Standard or Strict level. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).
## Requirements
Here's a quick-start guide that breaks the configuration of Defender for Office
Threat protection features are included in *all* Microsoft or Office 365 subscriptions; however, some subscriptions have advanced features. The table below lists the protection features included in this article together with the minimum subscription requirements. > [!TIP]
-> Notice that, beyond the directions to turn on auditing, *steps* start anti-malware, anti-phishing, and anti-spam, which are marked as part of Office 365 Exchange Online Protection (**EOP**). This can seem odd in an Defender for Office 365 article, until you remember (**Defender for Office 365**) contains, and builds on, EOP.
+> Notice that beyond the directions to turn on auditing, *steps* start anti-malware, anti-phishing, and anti-spam, which are marked as part of Office 365 Exchange Online Protection (**EOP**). This can seem odd in an Defender for Office 365 article, until you remember (**Defender for Office 365**) contains, and builds on, EOP.
<br>
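Review bot: Grammar in the added TIP line is still wrong after the edit: "This can seem odd in an Defender for Office 365 article" should be "a Defender for Office 365 article". Since the line is being touched only to drop a comma, it would be worth also rewording "*steps* start anti-malware, anti-phishing, and anti-spam", which does not parse; something like "the steps start with anti-malware, anti-phishing, and anti-spam" says what is meant.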
Threat protection features are included in *all* Microsoft or Office 365 subscri
|Anti-malware protection|[Exchange Online Protection](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description) (**EOP**)| |Anti-phishing protection|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)| |Anti-spam protection|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)|
-|Zero-hour auto purge (for email)|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)|
|Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments)|[Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)|
-|Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams workloads|[Microsoft Defender for Office 365](turn-on-mdo-for-spo-odb-and-teams.md)|
-|Advanced anti-phishing protection|[Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)|
### Roles and permissions
-To configure Defender for Office 365 policies, you must be assigned an appropriate role in the [Security & Compliance Center](/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center). Take a look at the table below for roles that can do these actions.
+To configure Defender for Office 365 policies, you must be assigned an appropriate role. Take a look at the table below for roles that can do these actions.
<br>
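Review bot: Removing the "Advanced anti-phishing protection" and "Zero-hour auto purge (for email)" rows leaves the subscription table out of step with the procedures that follow. The anti-phishing part still configures settings described as "only available in Defender for Office 365", yet the only remaining anti-phishing row maps the feature to EOP, and the anti-malware and anti-spam parts still tell the reader to verify zero-hour auto purge. Either keep a row that states the Defender for Office 365 requirement for the impersonation settings, or add a sentence under the table that says which steps need the higher subscription.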
To configure Defender for Office 365 policies, you must be assigned an appropria
||| |global administrator|[About Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md)| |Security Administrator|[Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)|
-|Exchange Online Organization Management|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo) <p> and <p> [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)|
+|Exchange Online Organization Management|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo)|
|
-To learn more, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+To learn more, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
-### Turn on Audit logging for reporting and investigation
+### Turn on audit logging for reporting and investigation
-- Start your audit logging early. You'll need auditing to be **ON** for some of the following steps. Audit logging is available in subscriptions that include [Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). In order to view data in threat protection reports, such as the [Security Dashboard](security-dashboard.md), [email security reports](view-email-security-reports.md), and [Explorer](threat-explorer.md), audit logging must be *On*. To learn more, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+- Start your audit logging early. You'll need auditing to be **ON** for some of the following steps. Audit logging is available in subscriptions that include [Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). In order to view data in threat protection reports, [email security reports](view-email-security-reports.md), and [Explorer](threat-explorer.md), audit logging must be *On*. To learn more, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
## Part 1 - Anti-malware protection in EOP For more information about the recommended settings for anti-malware, see [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).
-1. Open <https://security.microsoft.com/antimalwarev2>.
+1. Open the **Anti-malware** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antimalwarev2>.
-2. On the **Anti-malware** page, select the policy named **Default** policy by clicking on the name.
+2. On the **Anti-malware** page, select the policy named **Default (Default)** by clicking on the name.
3. In the policy details flyout that opens, click **Edit protection settings**, and then configure the following settings:
- - Select **Enable the common attachments filter** to turn on the common attachments filter. Click **Customize file types** to add more file types.
- - Verify that **Enable zero-hour auto purge for malware** is selected.
- - Verify that none of the settings in the **Notification** section are selected.
+ - **Protection settings** section:
+ - **Enable the common attachments filter**: Select (turn on). Click **Customize file types** to add more file types.
+ - **Enable zero-hour auto purge for malware**: Verify this setting is selected. For more information about ZAP for malware, see [Zero-hour auto purge (ZAP) for malware](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-malware).
+ - **Notification** section: Verify that none of the notification settings are selected.
When you're finished, click **Save**.
For more information about the recommended settings for anti-phishing policies,
The following procedure describes how to configure the default anti-phishing policy. Settings that are only available in Defender for Office 365 are clearly marked.
-1. Open <https://security.microsoft.com/antiphishing>.
+1. Open the **Anti-phishing** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antiphishing>.
2. On the **Anti-phishing** page, select the policy named **Office365 AntiPhish Default (Default)** by clicking on the name. 3. In the policy details flyout that appears, configure the following settings:-
- - **Phishing threshold & protection** section: Click **Edit protection settings** and configure the following settings in the **Edit protection settings** flyout that opens:
+ - **Phishing threshold & protection** section: Click **Edit protection settings** and configure the following settings in the flyout that opens:
- **Phishing email threshold**<sup>\*</sup>: Select **2 - Aggressive** (Standard) or **3 - More Aggressive** (Strict). - **Impersonation** section<sup>\*</sup>: Configure the following values: - Select **Enable users to protect**, click the **Manage (nn) sender(s)** link that appears, and then add internal and external senders to protect from impersonation, such as your organization's board members, your CEO, CFO, and other senior leaders.
The following procedure describes how to configure the default anti-phishing pol
When you're finished, click **Save**.
- - **Actions** section: Click **Edit actions** and configure the following settings in the **Edit actions** flyout that opens:
+ - **Actions** section: Click **Edit actions** and configure the following settings in the flyout that opens:
- **Message actions** section: Configure the following settings: - **If message is detected as an impersonated user**<sup>\*</sup>: Select **Quarantine the message**. - **If message is detected as an impersonated domain**<sup>\*</sup>: Select **Quarantine the message**.
For detailed instructions for configuring anti-phishing policies, see [Configure
For more information about the recommended settings for anti-spam, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
-1. Open <https://security.microsoft.com/antispam>.
+1. Open the **Anti-spam policies** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antispam>.
2. On the **Anti-spam policies** page, select the policy named **Anti-spam inbound policy (Default)** from the list by clicking on the name.
-3. In the policy details flyout that appears, do the following steps:
- - **Bulk email threshold & spam properties** section: Click **Edit spam threshold and properties**. In the **spam threshold and properties** flyout that appears, set the **Bulk email threshold** value to 5 (Strict) or 6 (Standard). When you're finished, click **Save**.
- - **Allowed and blocked senders and domains** section: Review or edit your allowed senders and allowed domains.
-
-4. When you're finished, click **Close**.
-
-For detailed instructions for configuring anti-spam policies, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
-
-## Part 4 - Protection from malicious URLs and files (Safe Links and Safe Attachments in Defender for Office 365)
+3. In the policy details flyout that appears, configure the following settings:
+ - **Bulk email threshold & spam properties** section: Click **Edit spam threshold and properties**. In the flyout that appears, configure the following settings:
+ - **Bulk email threshold**: Set this value to 5 (Strict) or 6 (Standard).
+ - Leave other settings at their default values (**Off** or **None**).
-Time-of-click protection from malicious URLs and files is available in subscriptions that include [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description). It's set up through [Safe Attachments](safe-attachments.md) and [Safe Links](safe-links.md) policies.
+ When you're finished, click **Save**.
-### Safe Attachments policies in Microsoft Defender for Office 365
+ - **Actions** section: Click **Edit actions**. In the flyout that appears, configure the following settings:
+ - **Message actions** section:
+ - **Spam**: Verify **Move message to Junk Email folder** is selected (Standard) or select **Quarantine message** (Strict).
+ - **High confidence spam**: Select **Quarantine message**.
+ - **Phishing**: Select **Quarantine message**.
+ - **High confidence phishing**: Verify **Quarantine messages** is selected.
+ - **Bulk**: Verify **Move message to Junk Email folder** is selected (Standard) or select **Quarantine message** (Strict).
+ - **Retain spam in quarantine for this many days**: Verify the value **30** days.
+ - **Enable spam safety tips**: Verify this setting is selected (turned on).
+ - **Enable zero-hour auto purge (ZAP)**: Verify this setting is selected (turned on).
+ - **Enable for phishing messages**: Verify this setting is selected (turned on). For more information, see [Zero-hour auto purge (ZAP) for phishing](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-phishing).
+ - **Enable for spam messages**: Verify this setting is selected (turned on). For more information, see [Zero-hour auto purge (ZAP) for spam](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-spam).
+ - **Notifications** section:
+ - Select **Enable end-user spam notifications**.
+ - **Send end-user spam notifications every (days)**: Verify the value **3** days.
+ - **Language**: Verify the value **Default** or select a language.
-To set up [Safe Attachments](safe-attachments.md), create at least one Safe Links policy.
+ When you're finished, click **Save**.
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **ATP Safe Attachments**, and then click **Create**.
+ - **Allowed and blocked senders and domains** section: Review or edit your allowed senders and allowed domains as described in [Create blocked sender lists in EOP](create-block-sender-lists-in-office-365.md) or [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).
-2. In the **New Safe Attachments policy** wizard that appears, configure the following settings:
+ When you're finished, click **Save**.
- - In the **Name** box, type `Block malware`, and then click **Next**.
+4. When you're finished, click **Close**.
- - On the **Settings** page, configure the following settings:
- - In the **Safe attachments unknown malware response** section, choose **Block**.
- - In the **Redirect attachment** section, select the option **Enable redirect**. Specify the email address for your organization's security administrator or operator, who will review detected files.
+For detailed instructions for configuring anti-spam policies, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
- Click **Next**.
+## Part 4 - Protection from malicious URLs and files (Safe Links and Safe Attachments in Defender for Office 365)
-3. On the **Applied to** page, click **Add a condition**, choose **Applied if: The recipient domain is**, click **Add**, select your domain or domains, click **Add**, click **Done**, and then click **Next**.
+Time-of-click protection from malicious URLs and files is available in subscriptions that include [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description). It's set up through [Safe Attachments](safe-attachments.md) and [Safe Links](safe-links.md) policies.
-4. Review your settings and then click **Finish**.
+### Safe Attachments policies in Microsoft Defender for Office 365
-### Safe Links policies in Microsoft Defender for Office 365
+For more information about the recommended settings for Safe Attachments, see .[Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings).
-To set up [Safe Links](safe-links.md), review and edit your global settings for Safe Links, and create at least one Safe Links policy.
+1. Open the **Safe Attachments** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/safeattachmentv2>.
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **ATP Safe Links**, and click **Global settings**, and then configure the following settings:
+2. On the **Safe Attachments** page, click **Global settings**, and then configure the following settings on the flyout that appears:
+ - **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**: Turn on this setting (![Toggle on](../../media/scc-toggle-on.png)).
- - Verify **Use Safe Links in: Office 365 applications** is turned on: ![Toggle on](../../media/scc-toggle-on.png).
- - **Do not track when users click Safe Links**: Turn this setting off to track user clicks: ![Toggle off](../../media/scc-toggle-off.png).
- - **Do not let users click through safe links to original URL**: Verify this setting is turned on: ![Toggle on](../../media/scc-toggle-on.png).
+ > [!IMPORTANT]
+ > **Before you turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, verify that audit logging is turned in your organization**. This action is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md)!
- When you're finished, click **Save**.
+ - **Turn on Safe Documents for Office clients**: Turn on this setting (![Toggle on](../../media/scc-toggle-on.png)). Note that this feature is available and meaningful only with Microsoft 365 E5 or Microsoft 365 E5 Security licenses.
+ - **Allow people to click through Protected View even if Safe Documents identified the file as malicious**: Verify this setting is turned off (![Toggle off](../../media/scc-toggle-off.png)).
-2. Back on the main Safe Links page, click **Create**.
+ When you're finished, click **Save**
-3. In the **Create Safe Links policy** wizard that appears, configure the following settings:
+3. Back on the **Safe Attachments** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png).
- - In the **Name** box, type a name, such as `Safe Links`, and then click **Next**.
+4. In the **Create Safe Attachments policy** wizard that opens, configure the following settings:
+ - **Name your policy** page:
+ - **Name**: Enter something unique and descriptive.
+ - **Description**: Enter an optional description.
+ - **Users and domains** page: Because this is your first policy and you likely want to maximize coverage, consider entering your [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in the **Domains** box. Otherwise, you can use the **Users** and **Groups** boxes for more granular control. You can specify exceptions by selecting **Exclude these users, groups, and domains** and entering values.
+ - **Settings** page:
+ - **Safe Attachments unknown malware response**: Select **Block**.
+ - **Redirect attachment with detected attachments** : **Enable redirect**: Turn this setting on (select) and enter an email address to receive detected messages.
+ - **Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)**: Verify this setting is selected.
- - On the **Settings** page, configure the following settings:
- - **Select the action for unknown potentially malicious URLs in messages**: Choose **On**.
- - **Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Choose **On**.
- - **Apply safe links to email messages sent within the organization**
- - **Wait for URL scanning to complete before delivering the message**
- - **Apply safe links to email messages sent within the organization**
- - **Do not allow users to click through to original URL**
+5. When you're finished, click **Submit**, and then click **Done**.
- Click **Next**
+6. (Recommended) As a global administrator or a SharePoint Online administrator, run the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet with the _DisallowInfectedFileDownload_ parameter set to `$true` in SharePoint Online PowerShell.
+ - `$true` blocks all actions (except Delete) for detected files. People can't open, move, copy, or share detected files.
+ - `$false` blocks all actions except Delete and Download. People can choose to accept the risk and download a detected file.
-4. On the **Applied to** page, click **Add a condition**, choose **Applied if: The recipient domain is**, click **Add**, select your domain or domains, click **Add**, click **Done**, and then click **Next**.
+7. Allow up to 30 minutes for your changes to spread to all Microsoft 365 datacenters.
-5. Review your settings and then click **Finish**.
+For detailed instructions for configuring Safe Attachments policies and global settings for Safe Attachments, see the following topics:
-To learn more, see [Set up Safe Links policies](set-up-safe-links-policies.md).
+- [Set up Safe Attachments policies in Microsoft Defender for Office 365](set-up-safe-attachments-policies.md)
+- [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](turn-on-mdo-for-spo-odb-and-teams.md)
+- [Safe Documents in Microsoft 365 E5](safe-docs.md)
-## Part 5 - Verify Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is turned on
+### Safe Links policies in Microsoft Defender for Office 365
-Workloads like SharePoint, OneDrive, and Teams are built for collaboration. Using Defender for Office 365 helps with blocking and detection of files that are identified as malicious in team sites and document libraries. You can read more about how that works [here](mdo-for-spo-odb-and-teams.md).
+For more information about the recommended settings for Safe Links, see [Safe Links settings](recommended-settings-for-eop-and-office365.md#safe-links-settings).
-> [!IMPORTANT]
-> **Before you begin this procedure, make sure that audit logging is already turned on for your Microsoft 365 environment**. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md)!
+1. Open the **Safe Links** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/safelinksv2>.
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **ATP Safe Attachments**, and then click **Global settings**.
+2. On the **Safe Links** page, click **Global settings**, and then configure the following settings on the flyout that appears:
+ - **Settings that apply to content in supported Office 365 apps** section:
+ - **Use Safe Links in Office 365 apps**: Verify this setting is turned on (![Toggle on](../../media/scc-toggle-on.png)).
+ - **Do not track when users click protected links in Office 365 apps**: Turn this setting off (![Toggle off](../../media/scc-toggle-off.png)).
+ - **Do not let users click through to the original URL in Office 365 apps**: Verify this setting is turned on (![Toggle on](../../media/scc-toggle-on.png)).
-2. Verify the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** toggle is to the right: ![Toggle on](../../media/scc-toggle-on.png), and then click **Save**.
+ When you're finished, click **Save**
-3. Review (and, as appropriate, edit) your organization's [Safe Attachments policies](set-up-safe-attachments-policies.md) and [Safe Links policies](set-up-safe-links-policies.md).
+3. Back on the **Safe Links** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png).
-4. (Recommended) As a global administrator or a SharePoint Online administrator, run the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet with the _DisallowInfectedFileDownload_ parameter set to `$true`.
+4. In the **Create Safe Links policy** wizard that opens, configure the following settings:
+ - **Name your policy** page:
+ - **Name**: Enter something unique and descriptive.
+ - **Description**: Enter an optional description.
+ - **Users and domains** page: Because this is your first policy and you likely want to maximize coverage, consider entering your [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in the **Domains** box. Otherwise, you can use the **Users** and **Groups** boxes for more granular control. You can specify exceptions by selecting **Exclude these users, groups, and domains** and entering values.
+ - **Protection settings** page:
+ - **Select the action for unknown potentially malicious URLs in messages**: Turn this setting **On**.
+ - **Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Turn this setting **On**. As of March 2020, this setting is in Preview and is available or functional only for members of the Microsoft Teams Technology Adoption Program (TAP).
+ - **Apply real-time URL scanning for suspicious links and links that point to files**: Select this setting (turn on).
+ - **Wait for URL scanning to complete before delivering the message**: Select this setting (turn on).
+ - **Apply Safe Links to email messages sent within the organization**: Select this setting (turn on).
+ - **Do not track user clicks**: Verify this setting is not selected (turned off).
+ - **Do not let users click through to the original URL**: Verify this setting is turned on (selected).
+ - **Display the organization branding on notification and warning pages**: Selecting this setting (turning it on) is meaningful only after you've followed the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.
+ - **Do not rewrite the following URLs**: We have no specific recommendation for this setting. For more information, see ["Do not rewrite the following URLs" lists in Safe Links policies](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).
+ - **Notification** page:
+ - **How would you like to notify users?** section: Optionally, you can select **Use custom notification text** to enter customized notification text to use. You can also select **Use Microsoft Translator for automatic localization** to translate the custom notification text into the user's language. Otherwise, leave **Use the default notification text** selected.
- - `$true` blocks all actions (except Delete) for detected files. People cannot open, move, copy, or share detected files.
- - `$false` blocks all actions except Delete and Download. People can choose to accept the risk and download a detected file.
+5. When you're finished, click **Submit**, and then click **Done**.
- > [!TIP]
- > To learn more about using PowerShell with Microsoft 365, see [Manage Microsoft 365 with PowerShell](../../enterprise/manage-microsoft-365-with-microsoft-365-powershell.md).
+For detailed instructions for configuring Safe Links policies and global settings for Safe Links, see the following topics:
-5. Allow up to 30 minutes for your changes to spread to all Microsoft 365 datacenters.
+- [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md)
+- [Configure global settings for Safe Links in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md)
-### Now set up alerts for detected files
+### Now set up alerts for detected files in SharePoint Online or OneDrive for Business
-To receive notification when a file in SharePoint Online, OneDrive for Business, or Microsoft Teams has been identified as malicious, you can set up an alert.
+To receive notification when a file in SharePoint Online or OneDrive for Business has been identified as malicious, you can set up an alert as described in this section.
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Alerts** \> **Manage alerts**.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Polices & rules** \> **Alert policy**.
-2. Choose **New alert policy**.
+2. On the **Alert policy** page, click **New alert policy**.
-3. Specify a name for the alert. For example, you could type Malicious Files in Libraries.
+3. The **New alert policy** wizard opens. On the **Name** page, configure the following settings:
+ - **Name**: Enter a unique and descriptive name. For example, you could type Malicious Files in Libraries.
+ - **Description**: Enter an optional description.
+ - **Severity**: Select **Low**, **Medium** or **High**.
+ - **Category**: Select **Threat management**.
-4. Type a description for the alert. For example, you could type Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
+ When you're finished, click **Next**
-5. In the **Send this alert when...** section, set:
+4. On the **Create alert settings** page, configure the following settings:
+ - **What do you want to alert on?** section: **Activity is** \> **Detected malware in file**.
+ - **How do you want the alert to be triggered** section: Verify **Every time an activity matches the rule** is selected.
- a. In the **Activities** list, choose **Detected malware in file**.
+ When you're finished, click **Next**
- b. Leave the **Users** field empty.
+5. On the **Set your recipients** page, configure the following settings:
+ - **Send email notifications**: Verify this setting is selcted.
+ - **Email recipients**: Select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
+ - **Daily notification limit**: Verify **No limit** is selected.
-6. In the **Send this alert to...** section, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
+ When you're finished, click **Next**
-7. **Save**.
+6. On the **Review your settings** page, review your settings, verify **Yes, turn it on right away** is selected, and then click **Finish**
-To learn more about alerts, see [Create activity alerts in the Security & Compliance Center](../../compliance/create-activity-alerts.md).
+To learn more about alert policies, see [Alert policies in the Microsoft 365 compliance center](../../compliance/alert-policies.md).
> [!NOTE] > When you're finished configuring, use these links to start workload investigations:
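Review bot: The removed step 4, which recommended running Set-SPOTenant with _DisallowInfectedFileDownload_ set to `$true`, has no added counterpart in the lines shown here, so the guidance that stops people downloading detected files appears to drop out of this procedure; if it was not moved elsewhere in the article, keep it or link to it. Two typos in the added alert steps also need fixing: "**Polices & rules**" in step 1 should read "Policies & rules", and "selcted" under **Send email notifications** should read "selected". The added "click **Save**", "click **Next**" and "click **Finish**" lines are missing their closing periods, and the "As of March 2020" Preview remark on the Teams setting is worth re-verifying while the step is being rewritten.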
To learn more about alerts, see [Create activity alerts in the Security & Compli
>- [What to do when a malicious file is found in SharePoint Online, OneDrive, or Microsoft Teams](https://support.microsoft.com/office/01e902ad-a903-4e0f-b093-1e1ac0c37ad2) >- [Manage quarantined messages and files as an administrator in Microsoft 365](manage-quarantined-messages-and-files.md)
-## Part 6 - Additional settings to configure
-
-Along with configuring protection from malware, malicious URLs and files, phishing, and spam, we recommend you configure zero-hour auto purge.
-
-### Zero-hour auto purge for email in EOP
-
-[Zero-hour auto purge](zero-hour-auto-purge.md) (ZAP) is available in subscriptions that include [EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description). This protection is turned on by default; however, the following conditions must be met for protection to be in effect:
--- Spam actions are set to **Move message to Junk Email folder** in [anti-spam policies](anti-spam-protection.md).--- Users have kept their default [junk email settings](configure-junk-email-settings-on-exo-mailboxes.md), and haven't turned off junk email protection.-
-To learn more, see [Zero-hour auto purge - protection against spam and malware](zero-hour-auto-purge.md).
- ## Post-setup tasks and next steps After configuring the threat protection features, make sure to monitor how those features are working! Review and revise your policies so that they do what you need them to. Also, watch for new features and service updates that can add value.
+<br>
+ **** |What to do|Resources to learn more| |||
-|See how threat protection features are working for your organization by viewing reports|[Security dashboard](security-dashboard.md) <p> [Email security reports](view-email-security-reports.md) <p> [Reports for Microsoft Defender for Office 365](view-reports-for-mdo.md) <p> [Threat Explorer](threat-explorer.md)|
-|Periodically review and revise your threat protection policies as needed|[Secure Score](../defender/microsoft-secure-score.md) <p> [Smart reports and insights](reports-and-insights-in-security-and-compliance.md) <p> [Microsoft 365 threat investigation and response features](./office-365-ti.md)|
+|See how threat protection features are working for your organization by viewing reports|[Email security reports](view-email-security-reports.md) <p> [Reports for Microsoft Defender for Office 365](view-reports-for-mdo.md) <p> [Threat Explorer](threat-explorer.md)|
+|Periodically review and revise your threat protection policies as needed|[Secure Score](../defender/microsoft-secure-score.md) <p> [Microsoft 365 threat investigation and response features](./office-365-ti.md)|
|Watch for new features and service updates|[Standard and Targeted release options](../../admin/manage/release-options-in-office-365.md) <p> [Message Center](../../admin/manage/message-center.md) <p> [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=advanced%2Cthreat%2Cprotection) <p> [Service Descriptions](/office365/servicedescriptions/office-365-service-descriptions-technet-library)|
-|Learn the details about recommended Standard and Strict security configurations for EOP and Defender for Office 365|[Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)|
+|
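Review bot: Deleting Part 6 removes the only statement in these lines of the two conditions ZAP depends on (spam actions set to **Move message to Junk Email folder**, and users keeping their default junk email settings), and the same change drops the "Recommended settings for EOP and Microsoft Defender for Office 365 security" row from the next-steps table. Consider keeping a row in that table that links to zero-hour-auto-purge.md and recommended-settings-for-eop-and-office365.md so readers who finish setup can still reach both.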
security Real Time Detections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/real-time-detections.md
ms.technology: mdo
ms.prod: m365-security
-# Threat Explorer and Real-time detections basics
-
-In this article:
--- [Differences between Threat Explorer and Real-time detections](#differences-between-threat-explorer-and-real-time-detections)<br/>-- [Required licenses and permissions](#required-licenses-and-permissions)-
-> [!NOTE]
-> This is part of a **3-article series** on **Threat Explorer (Explorer)**, **email security**, and **Explorer and Real-time detections basics** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Threat hunting in Threat Explorer](threat-hunting-in-threat-explorer.md) and [Email security with Threat Explorer](email-security-in-microsoft-defender.md).
-
-This article explains the difference between threat exploration and real-time detections reporting, and the licenses and permissions that are required.
+# Explorer and Real-time detections basics
**Applies to** - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Threat Explorer** (called **Explorer**) or **Real-time detections** to detect and remediate threats.
+In this article:
-In the **Security & Compliance Center**, go to **Threat management**, and then choose **Explorer** _or_ **Real-time detections**.
+- [Differences between Explorer and Real-time detections](#differences-between-explorer-and-real-time-detections)
+- [Required licenses and permissions](#required-licenses-and-permissions)
+
+> [!NOTE]
+> This is part of a **3-article series** on **Explorer (also known as Threat Explorer)**, **email security**, and **Explorer and Real-time detections basics** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Threat hunting in Explorer](threat-hunting-in-threat-explorer.md) and [Email security with Explorer](email-security-in-microsoft-defender.md).
-<br>
+This article explains the difference between Explorer and real-time detections reporting, and the licenses and permissions that are required.
-****
+If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** (also known as **Threat Explorer**) or **Real-time detections** to detect and remediate threats.
-|With Microsoft Defender for Office 365 Plan 2, you see:|With Microsoft Defender for Office 365 Plan 1, you see:|
-|||
-|![Threat explorer](../../media/threatmgmt-explorer.png)|![Real-time detections](../../media/threatmgmt-realtimedetections.png)|
-|
+In the Microsoft 365 Defender portal (<https://security.microsoft.com>), go to **Email & collaboration**, and then choose **Explorer** _or_ **Real-time detections**.
With these tools, you can:
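Review bot: With the Plan 2 / Plan 1 comparison table removed, the introduction no longer tells readers which plan gives them which tool. The added sentence "you can use **Explorer** (also known as **Threat Explorer**) or **Real-time detections**" could name Plan 2 and Plan 1 respectively, or link to the "Differences between Explorer and Real-time detections" section. The added line "the difference between Explorer and real-time detections reporting" also lowercases "real-time", unlike the other mentions in this hunk.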
With these tools, you can:
- Start an automated investigation and response process from a view in Explorer. - Investigate malicious email, and more.
-For more information, see [Email security with Threat Explorer](email-security-in-microsoft-defender.md).
+For more information, see [Email security with Explorer](email-security-in-microsoft-defender.md).
-## Differences between Threat Explorer and Real-time detections
+## Differences between Explorer and Real-time detections
- *Real-time detections* is a reporting tool available in Defender for Office 365 Plan 1. *Threat Explorer* is a threat hunting and remediation tool available in Defender for Office 365 Plan 2. - The Real-time detections report allows you to view detections in real time. Threat Explorer does this as well, but it provides additional details for a given attack, such as highlighting attack campaigns, and gives security operations teams the ability to remediate threats (including triggering an [Automated Investigation and Response investigation](automated-investigation-response-office.md)).
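Review bot: The heading and the cross-reference are renamed to "Explorer", but the unchanged bullets directly under the new heading still say "*Threat Explorer* is a threat hunting and remediation tool" and "Threat Explorer does this as well". Rename those too, or keep a single "(also known as Threat Explorer)" mention, so the section uses one name throughout.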
For more information, see [Email security with Threat Explorer](email-security-i
You must have [Microsoft Defender for Office 365](defender-for-office-365.md) to use either of Explorer or Real-time detections: -- But Explorer is only included in Defender for Office 365 Plan 2.
+- Explorer is only included in Defender for Office 365 Plan 2.
- The Real-time detections report is included in Defender for Office 365 Plan 1. Security Operations teams need to assign licenses for all users who should be protected by Defender for Office 365 and be aware that Explorer and Real-time detections show detection data for licensed users.
-To view and use Explorer *or* Real-time detections, you must have the following:
--- For the Security & Compliance Center:
+To view and use Explorer *or* Real-time detections, you need the following permissions:
+- In Defender for Office 365:
- Organization Management - Security Administrator (this can be assigned in the Azure Active Directory admin center (<https://aad.portal.azure.com>) - Security Reader--- For Exchange Online:-
+- In Exchange Online:
- Organization Management - View-Only Organization Management - View-Only Recipients - Compliance Management
-To learn more about roles and permissions, see the following resources:
+To learn more about roles and permissions, see the following articles:
-- [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)-- [Feature permissions in Exchange Online](/exchange/permissions-exo/feature-permissions)-- [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)
+- [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md)
+- [Permissions in Exchange Online](/e/exchange/permissions-exo/permissions-exo)
## More information+ - [Threat Explorer collect email details on the email entity page](mdo-email-entity-page.md) - [Find and investigate malicious email that was delivered](investigate-malicious-email-that-was-delivered.md) - [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) - [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)-- [Automated investigation and response in Microsoft Threat Protection](automated-investigation-response-office.md)
+- [Automated investigation and response in Microsoft Threat Protection](automated-investigation-response-office.md)
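Review bot: The added link "[Permissions in Exchange Online](/e/exchange/permissions-exo/permissions-exo)" has a stray "/e" path segment; the link it replaces began with "/exchange/permissions-exo/", so this one will most likely not resolve. While in this list, the unchanged "Security Administrator (this can be assigned in the Azure Active Directory admin center (<https://aad.portal.azure.com>)" item is missing its closing parenthesis, and the "More information" list still says "Threat Explorer collect email details".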
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure anti-spam policies, see [Configure anti-spam policies in
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
+|**Bulk email threshold & spam properties**||||
+|**Bulk email threshold** <p> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).|
+|_MarkAsSpamBulkMail_|`On`|`On`|`On`|This setting is only available in PowerShell.|
+|**Increase spam score** settings|Off|Off|Off|All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
+|**Mark as spam** settings|Off|Off|Off|Most of these settings are part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
+|**Contains specific languages** <p> _EnableLanguageBlockList_ <p> _LanguageBlockList_|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|
+|**From these countries** <p> _EnableRegionBlockList_ <p> _RegionBlockList_|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|
+|**Test mode** (_TestModeAction_)|**None**|**None**|**None**|This setting is part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
+|**Actions**|||||
|**Spam** detection action <p> _SpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|| |**High confidence spam** detection action <p> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|| |**Phishing** detection action <p> _PhishSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|| |**High confidence phishing** detection action <p> _HighConfidencePhishAction_|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|| |**Bulk** detection action <p> _BulkSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`||
-|**Bulk email threshold** <p> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).|
-|_MarkAsSpamBulkMail_|On|On|On|This setting is only available in PowerShell.|
|**Retain spam in quarantine for this many days** <p> _QuarantineRetentionPeriod_|15 days|30 days|30 days||
-|**Enable spam safety tips** <p> _InlineSafetyTipsEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**Enable spam safety tips** <p> _InlineSafetyTipsEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|Enable zero-hour auto purge (ZAP) for phishing messages <p> _PhishZapEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|Enable ZAP for spam messages <p> _SpamZapEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Enable end-user spam notifications** <p> _EnableEndUserSpamNotifications_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Send end-user spam notifications every (days)** <p> _EndUserSpamNotificationFrequency_|3 days|3 days|3 days||
+|**Allow & block list**|||||
|Allowed senders <p> _AllowedSenders_|None|None|None|| |Allowed sender domains <p> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <p> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.| |Blocked senders <p> _BlockedSenders_|None|None|None|| |Blocked sender domains <p> _BlockedSenderDomains_|None|None|None||
-|**Enable end-user spam notifications** <p> _EnableEndUserSpamNotifications_|Disabled <p> `$false`|Enabled <p> `$true`|Enabled <p> `$true`||
-|**Send end-user spam notifications every (days)** <p> _EndUserSpamNotificationFrequency_|3 days|3 days|3 days||
-|Enable zero-hour auto purge (ZAP) for phishing messages <p> _PhishZapEnabled_|Enabled <p> `$true`|Enabled <p> `$true`|Enabled <p> `$true`||
-|Enable ZAP for spam message <p> _SpamZapEnabled_|Enabled <p> `$true`|Enabled <p> `$true`|Enabled <p> `$true`||
|
+#### ASF settings in anti-spam policies
+ There are many Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the depreciation of these features will be communicated outside of this article. We recommend that you leave the following ASF settings **Off** for both **Standard** and **Strict** levels. For more information about ASF settings, see [Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md).
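Review bot: The added group row "|**Bulk email threshold & spam properties**||||" has four cells, while the header and the other added group rows ("|**Actions**|||||", "|**Allow & block list**|||||") have five; add the missing pipe so the row spans the Comment column. The unchanged paragraph under the new "ASF settings in anti-spam policies" heading also says "depreciation" where "deprecation" is meant, which is worth fixing in the same pass.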
We recommend that you leave the following ASF settings **Off** for both **Standa
|**SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)|| |**Sender ID filtering hard fail** (_MarkAsSpamFromAddressAuthFail_)|| |**Backscatter** (_MarkAsSpamNdrBackscatter_)||
+|**Test mode** (_TestModeAction_)|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](advanced-spam-filtering-asf-options.md#enable-disable-or-test-asf-settings).|
| #### EOP outbound spam policy settings
For more information about the default sending limits in the service, see [Sendi
|**Set a daily message limit** <p> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.| |**Restriction placed on users who reach the message limit** <p> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <p> `BlockUserForToday`|**Restrict the user from sending mail** <p> `BlockUser`|**Restrict the user from sending mail** <p> `BlockUser`|| |**Automatic forwarding rules** <p> _AutoForwardingMode_|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`|
+|**Send a copy of outbound messages that exceed these limits to these users and groups** <p> _BccSuspiciousOutboundMail_ <p> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|We have no specific recommendation for this setting. <p> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|
+|**Notify these users and groups if a sender is blocked due to sending outbound spam** <p> _NotifyOutboundSpam_ <p> _NotifyOutboundSpamRecipients_|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|
| ### EOP anti-malware policy settings
To create and configure anti-malware policies, see [Configure anti-malware polic
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Notify recipients when messages are quarantined as malware** <p> _Action_|No <p> _DeleteMessage_|No <p> _DeleteMessage_|No <p> _DeleteMessage_|If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.|
-|**Enable the common attachments filter** <p> _EnableFileFilter_|Off <p> `$false`|On <p> `$true`|On <p> `$true`|This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.|
-|**Enable zero-hour auto purge for malware** <p> _ZapEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**Notify internal senders when messages are quarantined as malware** <p> _EnableInternalSenderNotifications_|Disabled <p> `$false`|Disabled <p> `$false`|Disabled <p> `$false`||
-|**Notify external senders when messages are quarantined as malware** <p> _EnableExternalSenderNotifications_|Disabled <p> `$false`|Disabled <p> `$false`|Disabled <p> `$false`||
+|**Protection settings**|||||
+|**Enable the common attachments filter** <p> _EnableFileFilter_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.|
+|**Enable zero-hour auto purge for malware** <p> _ZapEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Recipient notifications**|||||
+|**Notify recipients when messages are quarantined as malware** <p> _Action_|Not selected <p> _DeleteMessage_|Not selected <p> _DeleteMessage_|Not selected <p> _DeleteMessage_|If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.|
+|**Sender notifications**|||||
+|**Notify internal senders when messages are quarantined as malware** <p> _EnableInternalSenderNotifications_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`||
+|**Notify external senders when messages are quarantined as malware** <p> _EnableExternalSenderNotifications_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`||
+|**Admin notifications**|||||
+|**Notify an admin about undelivered messages from internal senders** <p> _EnableInternalSenderAdminNotifications_ <p> _InternalSenderAdminAddress_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|We have no specific recommendation for this setting.|
+|**Notify an admin about undelivered messages from external senders** <p> _EnableExternalSenderAdminNotifications_ <p> _ExternalSenderAdminAddress_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|We have no specific recommendation for this setting.|
+|**Customize notifications**||||We have no specific recommendations for these settings.|
+|**Use customized notification text** <p> _CustomNotifications_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`||
+|**From name** <p> _CustomFromName_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**From address** <p> _CustomFromAddress_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**Customize notifications for messages from internal senders**||||These settings are used only if **Notify internal senders when messages are quarantined as malware** or **Notify an admin about undelivered messages from internal senders** is selected.|
+|**Subject** <p> _CustomInternalSubject_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**Message** <p> _CustomInternalBody_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**Customize notifications for messages from external senders**||||These settings are used only if **Notify external senders when messages are quarantined as malware** or **Notify an admin about undelivered messages from external senders** is selected.|
+|**Subject** <p> _CustomExternalSubject_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**Message** <p> _CustomExternalBody_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
| ### EOP anti-phishing policy settings
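Review bot: The two added **Admin notifications** rows each list two parameters (for example _EnableInternalSenderAdminNotifications_ and _InternalSenderAdminAddress_) but give only one value per column, "Not selected <p> `$false`". The outbound spam rows added elsewhere in this file show a value for each parameter ("Not selected <p> `$false` <p> Blank"); follow that pattern here so the default for the address parameter is stated. The _Action_ row also shows its value as italic _DeleteMessage_ where the other rows use code formatting for values.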
For more information about these settings, see [Spoof settings](set-up-anti-phis
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**If email is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
-|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
-|**Show "via" tag** <p> _EnableViaTag_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> If this setting isn't available to you, the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.|
+|**Phishing threshold & protection**|||||
+|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Actions**|||||
+|**If message is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
+|**Show first contact safety tip** <p> _EnableFirstContactSafetyTips_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|
+|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
+|**Show "via" tag** <p> _EnableViaTag_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
| ## Microsoft Defender for Office 365 security
If your subscription includes Microsoft Defender for Office 365 or if you've pur
### Anti-phishing policy settings in Microsoft Defender for Office 365
-EOP customers get basic anti-phishing as previously described, but Microsoft Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
+EOP customers get basic anti-phishing as previously described, but Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
-#### Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
+#### Advanced settings in anti-phishing policies in Microsoft Defender for Office 365
-For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure these settings, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
+For more information about this setting, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure this setting, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
<br>
For more information about these settings, see [Impersonation settings in anti-p
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|Protected users (senders): **Enable users to protect** <p> _EnableTargetedUserProtection_ <p> _TargetedUsersToProtect_|Off <p> `$false` <p> none|On <p> `$true` <p> \<list of users\>|On <p> `$true` <p> \<list of users\>|Depending on your organization, we recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|
-|Protected users: **If message is detected as an impersonated user** <p> _TargetedUserProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
-|Protected domains: **Include domains I own** <p> _EnableOrganizationDomainsProtection_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|Protected domains: **Include custom domains** <p> _EnableTargetedDomainsProtection_ <p> _TargetedDomainsToProtect_|Off <p> `$false` <p> none|On <p> `$true` <p> \<list of domains\>|On <p> `$true` <p> \<list of domains\>|Depending on your organization, we recommend adding domains (sender domains) that you don't own, but you frequently interact with.|
-|Protected domains: **If message is detected as an impersonated domain** <p> _TargetedDomainProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
-|**Add trusted senders and domains** <p> _ExcludedSenders_ <p> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|
-|**Enable mailbox intelligence** <p> _EnableMailboxIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**Enable intelligence for impersonation protection** <p> _EnableMailboxIntelligenceProtection_|Off <p> `$false`|On <p> `$true`|On <p> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
-|**If mailbox intelligence detects and impersonated user** <p> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <p> `NoAction`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`||
-|**Show user impersonation safety tip** <p> _EnableSimilarUsersSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Show domain impersonation safety tip** <p> _EnableSimilarDomainsSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Show user impersonation unusual characters safety tip** <p> _EnableUnusualCharactersSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
+|**Phishing email threshold** <p> _PhishThresholdLevel_|**1 - Standard** <p> `1`|**2 - Aggressive** <p> `2`|**3 - More aggressive** <p> `3`||
|
-#### Spoof settings in anti-phishing policies in Microsoft Defender for Office 365
+#### Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
-Note that these are the same settings that are available in [anti-spam policy settings in EOP](#eop-anti-spam-policy-settings).
+For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure these settings, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
<br>
Note that these are the same settings that are available in [anti-spam policy se
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**If email is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
-|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
-|**Show "via" tag** <p> _EnableViaTag_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> If this setting isn't available to you, the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.|
+|**Phishing threshold & protection**|||||
+|**Enable users to protect** (impersonated user protection)<p> _EnableTargetedUserProtection_ <p> _TargetedUsersToProtect_|Not selected <p> `$false` <p> none|Selected <p> `$true` <p> \<list of users\>|Selected <p> `$true` <p> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|
+|**Enable domains to protect** (impersonated domain protection)|Not selected|Selected|Selected||
+|**Include domains I own** <p> _EnableOrganizationDomainsProtection_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Include custom domains** <p> _EnableTargetedDomainsProtection_ <p> _TargetedDomainsToProtect_|Off <p> `$false` <p> none|Selected <p> `$true` <p> \<list of domains\>|Selected <p> `$true` <p> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with.|
+|**Add trusted senders and domains** <p> _ExcludedSenders_ <p> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|
+|**Enable mailbox intelligence** <p> _EnableMailboxIntelligence_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Enable intelligence for impersonation protection** <p> _EnableMailboxIntelligenceProtection_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
+|**Actions**|||||
+|**If message is detected as an impersonated user** <p> _TargetedUserProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
+|**If message is detected as an impersonated domain** <p> _TargetedDomainProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
+|**If mailbox intelligence detects and impersonated user** <p> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <p> `NoAction`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`||
+|**Show user impersonation safety tip** <p> _EnableSimilarUsersSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Show domain impersonation safety tip** <p> _EnableSimilarDomainsSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Show user impersonation unusual characters safety tip** <p> _EnableUnusualCharactersSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
|
-#### Advanced settings in anti-phishing policies in Microsoft Defender for Office 365
+#### EOP anti-phishing policy settings in Microsoft Defender for Office 365
-For more information about this setting, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure this setting, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
+These are the same settings that are available in [anti-spam policy settings in EOP](#eop-anti-spam-policy-settings).
+
+The spoof settings are inter-related, but the **Show first contact safety tip** setting has no dependency on spoof settings.
<br>
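Review bot: the intro line added under the "EOP anti-phishing policy settings in Microsoft Defender for Office 365" heading still links to anti-spam settings (`#eop-anti-spam-policy-settings`), although the section covers spoof and first contact safety tip settings from anti-phishing policies. The link text and anchor look carried over from the removed "Note that these are the same settings" line and should point at the EOP anti-phishing section. In the impersonation table, the Default column still says "Off" for _EnableOrganizationDomainsProtection_, _EnableTargetedDomainsProtection_, _EnableMailboxIntelligenceProtection_ and the three safety tip rows, while the other rows were changed to "Not selected". The **Enable domains to protect** row has no parameter name or `$true`/`$false` values, unlike its neighbours. "detects and impersonated user" should read "detects an impersonated user".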
For more information about this setting, see [Advanced phishing thresholds in an
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Phishing email threshold** <p> _PhishThresholdLevel_|**1 - Standard** <p> `1`|**2 - Aggressive** <p> `2`|**3 - More aggressive** <p> `3`||
+|**Phishing threshold & protection**|||||
+|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Actions**|||||
+|**If message is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
+|**Show first contact safety tip** <p> _EnableFirstContactSafetyTips_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|
+|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
+|**Show "via" tag** <p> _EnableViaTag_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
|
-### Safe Links settings
+### Safe Attachments settings
-Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see [Safe Links in Defender for Office 365](safe-links.md).
+Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see [Safe Attachments in Defender for Office 365](safe-attachments.md).
-#### Global settings for Safe Links
+#### Global settings for Safe Attachments
-To configure these settings, see [Configure global settings for Safe Links in Defender for Office 365](configure-global-settings-for-safe-links.md).
+To configure these settings, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](turn-on-mdo-for-spo-odb-and-teams.md) and [Safe Documents in Microsoft 365 E5](safe-docs.md).
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/set-atppolicyforo365) cmdlet for these settings.
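Review bot: the Safe Attachments intro line ends with "settings that are specific to each Safe Links policy", which names the wrong feature. The sentence was moved unchanged from the removed copy further down, so the error came along with it. It should read "specific to each Safe Attachments policy", matching the "Safe Attachments policy settings" heading that follows.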
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Use Safe Links in: Office 365 apps** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
-|**Do not track when users click protected links in Office 365 apps** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
-|**Do not let users click through to the original URL in Office 365 apps** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
+|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <p> _EnableATPForSPOTeamsODB_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
+|**Turn on Safe Documents for Office clients** <p> _EnableSafeDocs_|Off <p> `$false`|On <p> `$true`|On <p> `$true`|This feature is available and meaningful only with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. For more information, see [Safe Documents in Microsoft Defender for Office 365](safe-docs.md).|
+|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <p> _AllowSafeDocsOpen_|Off <p> `$false`|Off <p> `$false`|Off <p> `$false`|This setting is related to Safe Documents.|
|
-#### Safe Links policy settings
+#### Safe Attachments policy settings
-To configure these settings, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).
+To configure these settings, see [Set up Safe Attachments policies in Defender for Office 365](set-up-safe-attachments-policies.md).
-In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new-safelinkspolicy) and [Set-SafeLinksPolicy](/powershell/module/exchange/set-safelinkspolicy) cmdlets for these settings.
+In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchange/new-safeattachmentpolicy) and [Set-SafeAttachmentPolicy](/powershell/module/exchange/set-safelinkspolicy) cmdlets for these settings.
> [!NOTE]
-> As described earlier, there is no default Safe Links policy. The values in the Default column are the default values in new Safe Links policies that you create.
+> As described earlier, there is no default Safe Attachments policy. The values in the Default column are the default values in new Safe Attachments policies that you create.
<br>
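Review bot: in the added PowerShell line, the link text `Set-SafeAttachmentPolicy` points at `/powershell/module/exchange/set-safelinkspolicy`, so a reader following it lands on the Safe Links cmdlet. The target should be the Safe Attachments cmdlet page, in the same pattern as the `new-safeattachmentpolicy` link beside it. In the _EnableSafeDocs_ row, "available and meaningful only with" could be reduced to "available only with", which is what the removed line said.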
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Select the action for unknown potentially malicious URLs in messages** <p> _IsEnabled_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Select the action for unknown or potentially malicious URLs within Microsoft Teams** <p> _EnableSafeLinksForTeams_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Apply real-time URL scanning for suspicious links and links that point to files** <p> _ScanUrls_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Wait for URL scanning to complete before delivering the message** <p> _DeliverMessageAfterScan_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Apply Safe Links to email messages sent within the organization** <p> _EnableForInternalSenders_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Do not track user clicks** <p> _DoNotTrackUserClicks_|Off <p> `$false`|Off <p> `$false`|Off <p> `$false`|Turning off this setting (setting _DoNotTrackUserClicks_ to `$false`) tracks users clicks.|
-|**Do not allow users to click through to original URL** <p> _DoNotAllowClickThrough_|Off <p> `$false`|On <p> `$true`|On <p> `$true`|Turning on this setting (setting _DoNotAllowClickThrough_ to `$true`) prevents click through to the original URL.|
+|**Safe Attachments unknown malware response** <p> _Action_|**Off** <p> `Block`|**Block** <p> `Block`|**Block** <p> `Block`||
+|**Redirect attachment with detected attachments** : **Enable redirect** <p> _Redirect_ <p> _RedirectAddress_|Not selected and no email address specified. <p> `$true` <p> none|Selected and specify an email address. <p> `$true` <p> an email address|Selected and specify an email address. <p> `$true` <p> an email address|Redirect messages to a security admin for review.|
+|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <p> _ActionOnError_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
|
-### Safe Attachments settings
+### Safe Links settings
-Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see [Safe Attachments in Defender for Office 365](safe-attachments.md).
+Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see [Safe Links in Defender for Office 365](safe-links.md).
-#### Global settings for Safe Attachments
+#### Global settings for Safe Links
-To configure these settings, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](turn-on-mdo-for-spo-odb-and-teams.md) and [Safe Documents in Microsoft 365 E5](safe-docs.md).
+To configure these settings, see [Configure global settings for Safe Links in Defender for Office 365](configure-global-settings-for-safe-links.md).
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/set-atppolicyforo365) cmdlet for these settings.
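Review bot: two Default cells in the added Safe Attachments policy rows pair a label with a value that contradicts it. The _Action_ row shows **Off** next to `Block`, where the removed row had Block next to `Block`. The _Redirect_ row shows "Not selected and no email address specified" next to `$true`. Anyone scripting from this table would get a different result than the label implies, so please confirm the intended defaults and make the label and the parameter value agree. The label "Redirect attachment with detected attachments" also reads as a mistake for the removed "Redirect attachment on detection".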
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <p> _EnableATPForSPOTeamsODB_|On <p> `$true`|On <p> `$true`||
-|**Turn on Safe Documents for Office clients** <p> _EnableSafeDocs_|On <p> `$true`|On <p> `$true`|This setting is only available with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. For more information, see [Safe Documents in Microsoft Defender for Office 365](safe-docs.md).|
-|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <p> _AllowSafeDocsOpen_|Off <p> `$false`|Off <p> `$false`|This setting is related to Safe Documents.|
+|**Block the following URLs** <p> _ExcludedUrls_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`|We have no specific recommendation for this setting. <p> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links).
+|**Use Safe Links in Office 365 apps** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
+|**Do not track when users click protected links in Office 365 apps** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
+|**Do not let users click through to the original URL in Office 365 apps** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
|
-#### Safe Attachments policy settings
+#### Safe Links policy settings
-To configure these settings, see [Set up Safe Attachments policies in Defender for Office 365](set-up-safe-attachments-policies.md).
+To configure these settings, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).
-In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchange/new-safeattachmentpolicy) and [Set-SafeAttachmentPolicy](/powershell/module/exchange/set-safelinkspolicy) cmdlets for these settings.
+In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new-safelinkspolicy) and [Set-SafeLinksPolicy](/powershell/module/exchange/set-safelinkspolicy) cmdlets for these settings.
> [!NOTE]
-> As described earlier, there is no default Safe Attachments policy. The values in the Default column are the default values in new Safe Attachments policies that you create.
+> As described earlier, there is no default Safe Links policy. The values in the Default column are the default values in new Safe Links policies that you create.
<br>
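Review bot: the added **Block the following URLs** row (_ExcludedUrls_) has no closing `|` after the Comment cell, unlike the three rows added after it, which can break rendering of the table. Add the trailing pipe after the `safe-links.md#block-the-following-urls-list-for-safe-links` link.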
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Safe Attachments unknown malware response** <p> _Action_|Block <p> `Block`|Block <p> `Block`|Block <p> `Block`||
-|**Redirect attachment on detection** : **Enable redirect** <p> _Redirect_ <p> _RedirectAddress_|Off, and no email address specified. <p> `$true` <p> none|On, and specify an email address. <p> `$true` <p> an email address|On, and specify an email address. <p> `$true` <p> an email address|Redirect messages to a security admin for review.|
-|**Apply the above selection if malware scanning for attachments times out or error occurs.** <p> _ActionOnError_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**Protection settings**|||||
+|**Select the action for unknown potentially malicious URLs in messages** <p> _IsEnabled_|**Off** <p> `$false`|**On** <p> `$true`|**On** <p> `$true`||
+|**Select the action for unknown or potentially malicious URLs within Microsoft Teams** <p> _EnableSafeLinksForTeams_|**Off** <p> `$false`|**On** <p> `$true`|**On** <p> `$true`|As of March 2020, this feature is in Preview and is available or functional only for members of the Microsoft Teams Technology Adoption Program (TAP).|
+|**Apply real-time URL scanning for suspicious links and links that point to files** <p> _ScanUrls_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Wait for URL scanning to complete before delivering the message** <p> _DeliverMessageAfterScan_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Apply Safe Links to email messages sent within the organization** <p> _EnableForInternalSenders_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Do not track user clicks** <p> _DoNotTrackUserClicks_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|Turning off this setting (setting _DoNotTrackUserClicks_ to `$false`) tracks users clicks.|
+|**Do not let users click through to the original URL** <p> _DoNotAllowClickThrough_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|Turning on this setting (setting _DoNotAllowClickThrough_ to `$true`) prevents click through to the original URL.|
+|**Display the organization branding on notification and warning pages** <p> _EnableOrganizationBranding_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|We have no specific recommendation for this setting. <p> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|
+|**Do no rewrite the following URLs** <p> _DoNotRewriteUrls_|Not selected <p> `$false`|Not selected <p> `$true`|Not selected <p> `$true`|We have no specific recommendation for this setting. For more information, see ["Do not rewrite the following URLs" lists in Safe Links policies](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).|
+|**Notification**|||||
+|**How would you like to notify your users?**|**Use the default notification text**|**Use the default notification text**|**Use the default notification text**|We have no specific recommendation for this setting. <p> You can select **Use custom notification text** (_CustomNotificationText_) to enter customized notification text to use. You can also select **Use Microsoft Translator for automatic localization** (_UseTranslatedNotificationText_) to translate the custom notification text into the user's language.
| ## Related articles
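Review bot: the _DoNotRewriteUrls_ row is inconsistent on two counts. The label reads "Do no rewrite the following URLs" (should be "Do not"). The Standard and Strict cells also say "Not selected" next to `$true`, while Default says "Not selected" next to `$false`. Since the parameter holds a list of URLs, the values need checking against the cmdlet rather than copying the Boolean pattern from the rows above. The final **How would you like to notify your users?** row has no closing `|`. The _EnableSafeLinksForTeams_ comment is dated "As of March 2020", which should be confirmed as still current before it is added in this update.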
security Remediate Malicious Email Delivered Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365.md
ms.prod: m365-security
**Applies to** - [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-Remediation means taking a prescribed action against a threat. Malicious email sent to your organization can be cleaned up either by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 P2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation.
+Remediation means taking a prescribed action against a threat. Malicious email sent to your organization can be cleaned up either by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 Plan 2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation.
> [!NOTE]
-> To remediate malicious email, security teams need the *search and purge* role assigned to them. Role assignment is done through [permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+> To remediate malicious email, security teams need the *Search and Purge* role assigned to them. Role assignment is done through [permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
## What you need to know before you begin
-Admins can take required action on emails, but to get those actions approved, they must have the *search and purge* role assigned to them via **Security & Compliance Center** \> **Permissions**. Without the "search and purge" role added to one of the role-groups, they won't be able to execute the action.
+Admins can take required action on emails, but to get those actions approved, they must have the *Search and Purge* role assigned to them in the **Email & collaboration** permissions in the Microsoft 365 Defender portal. Without the *Search and purge"*role added to one of the role-groups, they won't be able to execute the action.
## Manual and automated remediation
-*Manual hunting* occurs when security teams identify threats manually by using the search and filtering capabilities in Threat Explorer. Manual email remediation can be triggered through any email view (*Malware*, *Phish*, or *All email*) after you identify a set of emails that need to be remediated.
+*Manual hunting* occurs when security teams identify threats manually by using the search and filtering capabilities in Explorer. Manual email remediation can be triggered through any email view (*Malware*, *Phish*, or *All email*) after you identify a set of emails that need to be remediated.
> [!div class="mx-imgBorder"] > [![Manual hunting in Office 365 Threat Explorer by date.](../../media/tp-RemediationArticle1.png)](../../media/tp-RemediationArticle1.png#lightbox)
-Security teams can use Threat Explorer to select emails in several ways:
+Security teams can use Explorer to select emails in several ways:
- Choose emails by hand: Use filters in various views. Select up to 100 emails to remediate.
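Review bot: in the rewritten "What you need to know before you begin" paragraph, the second mention of the role is written as `*Search and purge"*role`. That leaves a stray double quote inside the emphasis, no space before "role", and a lowercase "purge" that does not match "*Search and Purge*" earlier in the same sentence and in the note above. It should be "*Search and Purge* role" so the markup renders and the role name, which is what admins look for in the permissions page, is spelled one way.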
Security teams can use Threat Explorer to select emails in several ways:
- Query selection with exclusion: Sometimes security operations teams may want to remediate emails by selecting an entire query and excluding certain emails from the query manually. To do so, an admin can use the **Select all** check box and scroll down to exclude emails manually. The query can hold a maximum of 1,000 emails. The maximum number of exclusions is 100.
-Once emails are selected through Threat Explorer, you can start remediation by taking direct action or by queuing up emails for an action:
+Once emails are selected through Explorer, you can start remediation by taking direct action or by queuing up emails for an action:
- Direct approval: When actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete* are selected by security personnel who have appropriate permissions, and the next steps in remediation are followed, the remediation process begins to execute the selected action. A temporary flyout shows remediation in progress. - Two-step approval: An "add to remediation" action can be taken by admins who don't have appropriate permissions or who need to wait to execute the action. In this case, the targeted emails are added to a remediation container. Approval is needed before the remediation is executed.
-**Automated investigation and response** actions are triggered by alerts or by security operations teams from Threat Explorer. These may include recommended remediation actions that must be approved by a security operations team. These actions are included on the **Action** tab in the automated investigation.
+**Automated investigation and response** actions are triggered by alerts or by security operations teams from Explorer. These may include recommended remediation actions that must be approved by a security operations team. These actions are included on the **Action** tab in the automated investigation.
> [!div class="mx-imgBorder"] > [![Mail with malware in "Zapped" page showing time of Zap execution.](../../media/tp-RemediationArticle3.png)](../../media/tp-RemediationArticle3.png#lightbox)
-All remediations (either direct approval or two-step approval) that were created in Threat Explorer as well as approved actions coming from automated investigations are displayed in the Action Center. Access these via the left navigation panel under **Review** \> **Action Center**.
+All remediations (either direct approval or two-step approval) that were created in Explorer as well as approved actions coming from automated investigations are displayed in the Action Center. Access these via the left navigation panel under **Review** \> **Action Center**.
> [!div class="mx-imgBorder"] > [![The action center with a list of threats by date and severity.](../../media/tp-RemediationArticle4.png)](../../media/tp-RemediationArticle4.png#lightbox)
-Action Center shows all remediation actions for the past 30 days. Actions taken through Threat Explorer are listed by the name that the security operations team provided when the remediation was created. Actions taken through automated investigations have titles that begin with the related alert that triggered the investigation, such as "Zap email cluster... ."
+Action Center shows all remediation actions for the past 30 days. Actions taken through Explorer are listed by the name that the security operations team provided when the remediation was created. Actions taken through automated investigations have titles that begin with the related alert that triggered the investigation, such as "Zap email cluster... ."
Open any remediation item to view details about it, including its name, creation date, description, threat severity, and status. It also shows the following two tabs.
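Review bot: The rename is incomplete in this hunk: the unchanged lead-in "Security teams can use Threat Explorer to select emails in several ways:" still uses the old name, while the very next changed sentence says "Once emails are selected through Explorer". Update the lead-in in the same commit so the selection and remediation steps refer to the tool by a single name.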
Open any remediation item to view details about it, including its name, creation
- On-premises/external - Failed/dropped
- Suspicious messages are categorized as either remediable or nonremediable. In most cases, remediable and nonremediable messages combine equals total messages submitted. But in rare cases this may not be true. This can happen because of system delays, timeouts, or expired messages. Messages expire based on the Threat Explorer retention period for your organization.
+ Suspicious messages are categorized as either remediable or nonremediable. In most cases, remediable and nonremediable messages combine equals total messages submitted. But in rare cases this may not be true. This can happen because of system delays, timeouts, or expired messages. Messages expire based on the Explorer retention period for your organization.
- Unless you're remediating old messages after your organization's Threat Explorer retention period, it's advisable to retry remediating items if you see number inconsistencies. For system delays, remediation updates are typically refreshed within a few hours.
+ Unless you're remediating old messages after your organization's Explorer retention period, it's advisable to retry remediating items if you see number inconsistencies. For system delays, remediation updates are typically refreshed within a few hours.
- If your organization's retention period for email in Threat Explorer is 30 days and you're remediating emails going back 29-30 days, mail submission counts may not always add up. The emails might have started moving out of the retention period already.
+ If your organization's retention period for email in Explorer is 30 days and you're remediating emails going back 29-30 days, mail submission counts may not always add up. The emails might have started moving out of the retention period already.
If remediations are stuck in the "In progress" state for a while, it's likely due to system delays. It could take up to a few hours to remediate. You might see variations in mail submission counts, as some of the emails may not have been included the query at the start of remediation due to system delays. It is a good idea to retry remediating in such cases.
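Review bot: The first added line carries over the ungrammatical "remediable and nonremediable messages combine equals total messages submitted" unchanged. Since the sentence is being touched anyway, reword it to something like "remediable and nonremediable messages combined equal the total messages submitted". The trailing context line has a similar slip ("may not have been included the query" is missing "in") that could be fixed in the same pass.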
Open any remediation item to view details about it, including its name, creation
Only remediable emails are acted on during remediation. Nonremediable emails can't be remediated by the Office 365 email system, as they aren't stored in cloud mailboxes.
- Admins can take actions on emails in quarantine if necessary, but those emails will expire out of quarantine if they're not manually purged. Emails quarantined because of malicious content aren't accessible by users, so security personnel don't have to take any action to get rid of threats in quarantine. If the emails are on-premises or external, the user can be contacted to address the suspicious email. Or the admins can use separate email server/security tools for removal. These emails can be identified by applying the *delivery location = on-prem* external filter in Threat Explorer. For failed or dropped email, or email not accessible by users, there won't be any email to mitigate, since these mails don't reach the mailbox.
+ Admins can take actions on emails in quarantine if necessary, but those emails will expire out of quarantine if they're not manually purged. Emails quarantined because of malicious content aren't accessible by users, so security personnel don't have to take any action to get rid of threats in quarantine. If the emails are on-premises or external, the user can be contacted to address the suspicious email. Or the admins can use separate email server/security tools for removal. These emails can be identified by applying the *delivery location = on-prem* external filter in Explorer. For failed or dropped email, or email not accessible by users, there won't be any email to mitigate, since these mails don't reach the mailbox.
The following image shows how a submission looks in Action Center. A remediation can contain multiple submissions. If multiple actions get approved through one automated investigation, each email or email cluster action appears in the same remediation as a different submission. > [!div class="mx-imgBorder"] > [![ZAP email cluster flyout panel.](../../media/tp-RemediationArticle6.png)](../../media/tp-RemediationArticle6.png#lightbox)
- Select a mail submission item to show the details of that remediation, such as the query (when remediation is triggered through automated investigations or Threat Explorer through selecting a query) and the start and end times of remediation. It also displays a list of messages that were submitted for remediation. As messages move out of the Threat Explorer retention period, the messages disappear from this list. The list also shows individual messages that are remediable.
+ Select a mail submission item to show the details of that remediation, such as the query (when remediation is triggered through automated investigations or Explorer through selecting a query) and the start and end times of remediation. It also displays a list of messages that were submitted for remediation. As messages move out of the Explorer retention period, the messages disappear from this list. The list also shows individual messages that are remediable.
- **Action logs**: This tab shows the messages remediated, including approved date, admin who approved the action, action, status, and counts. Status can be: - **Started**: Remediation is triggered.
- - **Queued**: Remediation is queued up for mitigation of emails.
- - **In progress**: Mitigation is in progress.
- - **Completed**: Mitigation on all remediable emails either completed successfully or with some failures.
- - **Failed**: No remediations were successful.
+ - **Queued**: Remediation is queued up for mitigation of emails.
+ - **In progress**: Mitigation is in progress.
+ - **Completed**: Mitigation on all remediable emails either completed successfully or with some failures.
+ - **Failed**: No remediations were successful.
As only remediable emails can be acted on, each email's cleanup is shown as successful or failed. From the total remediable emails, successful and failed mitigations are reported.
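Review bot: In the added quarantine paragraph, "applying the *delivery location = on-prem* external filter in Explorer" is ambiguous: the preceding sentence talks about emails that are "on-premises or external", but the italicized filter value names only on-prem and "external" is left dangling outside the emphasis. Reword so it is clear which filter value or values an analyst should select to find the messages that remediation cannot reach.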
Open any remediation item to view details about it, including its name, creation
- **Failure**: The desired action on remediable emails failed. For example: An admin wants to remove emails from mailboxes, so the admin takes the action of soft-deleting emails. If a remediable email is still found in the mailbox after the action is taken, status will show as failed.
- - **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one which are already soft deleted. Now these emails will not be acted upon again, they will just show as "already in destination", since no action was taken on them as they existed in the destination location.
+ - **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one that are already soft deleted. Now these emails will not be acted upon again, they will just show as "already in destination", since no action was taken on them as they existed in the destination location.
Select any item in the action log to display remediation details. If the details say "successful" or "not found in mailbox," that item was already removed from the mailbox. Sometimes there's a systemic error during remediation. In those cases, it's a good idea to retry remediation.
- In case of remediating large batches, you can also export the messages send for remediation via Mail Submission and messages which got remediated via Action Logs. The export limit is increased to 100k records.
+ In case of remediating large batches, you can also export the messages send for remediation via Mail Submission and messages that got remediated via Action Logs. The export limit is increased to 100k records.
Security team can take up to 50 concurrent manual remediations; however, there is no limit set for automated investigation and response actions.
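Review bot: The added export sentence fixes "which" to "that" but leaves "the messages send for remediation via Mail Submission" as is; it should read "the messages sent for remediation". The "Already in destination" line above it also mixes "day one" and "day 2" in the same example, so pick one form.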
security Removing User From Restricted Users Portal After Spam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md
Title: Remove blocked users from the Restricted Users portal
+ Title: Remove blocked users from the Restricted users portal
f1.keywords: - NOCSH
search.appverid:
ms.assetid: 712cfcc1-31e8-4e51-8561-b64258a8f1e5 - M365-security-compliance
-description: Admins can learn how to remove users from the Restricted Users portal in Office 365. Users are added to the Restricted Users portal for sending outbound spam, typically as a result of account compromise.
+description: Admins can learn how to remove users from the Restricted users page in the Microsoft 365 Defender portal. Users are added to the Restricted users portal for sending outbound spam, typically as a result of account compromise.
ms.technology: mdo ms.prod: m365-security
-# Remove blocked users from the Restricted Users portal in Office 365
+# Remove blocked users from the Restricted users portal in Microsoft 365
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
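Review bot: The new description uses two names for the same place in consecutive sentences: "the Restricted users page in the Microsoft 365 Defender portal" and then "Users are added to the Restricted users portal". The new H1 also says "Restricted users portal". Decide whether it is a page or a portal and use that term in the title, the description and the heading, since admins will search on this wording.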
ms.prod: m365-security
If a user exceeds one of the outbound sending limits as specified in [the service limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or in [outbound spam policies](configure-the-outbound-spam-policy.md), the user is restricted from sending email, but they can still receive email.
-The user is added to the Restricted Users portal in the Security & Compliance Center. When they try to send email, the message is returned in a non-delivery report (also known as an NDR or bounce messages) with the error code [5.1.8](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-1-8-in-exchange-online) and the following text:
+The user is added to the **Restricted users** page in the Microsoft 365 Defender portal. When they try to send email, the message is returned in a non-delivery report (also known as an NDR or bounce messages) with the error code [5.1.8](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-1-8-in-exchange-online) and the following text:
> "Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that > your email address is suspected of sending spam and it's no longer allowed to send email. Contact your email admin for > assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender."
-Admins can remove users from the Restricted Senders portal in the Security & Compliance Center or in Exchange Online PowerShell.
+Admins can remove users from the Restricted users page in the Microsoft 365 Defender or in Exchange Online PowerShell.
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Restricted Users** page, use <https://protection.office.com/restrictedusers>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. Too go directly to the **Restricted users** page, use <https://security.microsoft.com/restrictedusers>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
- - To remove users from the Restricted Users portal, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
- - For read-only access to the Restricted Users portal, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+ - To remove users from the Restricted users portal, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+ - For read-only access to the Restricted users portal, you need to be a member of the **Global Reader** or **Security Reader** role groups.
For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
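Review bot: Typo in the added prerequisites bullet: "Too go directly to the **Restricted users** page" should be "To go directly". In the same hunk, "Restricted users page in the Microsoft 365 Defender or in Exchange Online PowerShell" drops the word "portal" after "Microsoft 365 Defender".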
Admins can remove users from the Restricted Senders portal in the Security & Com
> > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature. -- A sender exceeding the outbound email limits is an indicator of a compromised account. Before you remove the user from the Restricted Users portal, be sure to follow the required steps to regain control of their account. For more information, see [Responding to a compromised email account in Office 365](responding-to-a-compromised-email-account.md).
+- A sender exceeding the outbound email limits is an indicator of a compromised account. Before you remove the user from the Restricted users portal, be sure to follow the required steps to regain control of their account. For more information, see [Responding to a compromised email account in Office 365](responding-to-a-compromised-email-account.md).
-## Use the Security & Compliance Center to remove a user from the Restricted Users list
+## Use the Microsoft 365 Defender portal to remove a user from the Restricted users list
-1. In the Security & Compliance Center, go to **Threat management** \> **Review** \> **Restricted users**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** > **Review** > **Restricted users**.
-2. Find and select the user that you want to unblock. In the **Actions** column, click **Unblock**.
+2. On the **Restricted users** page, find and select the user that you want to unblock by clicking on the user.
-3. A fly-out will go into the details about the account whose sending is restricted. You should go through the recommendations to ensure you're taking the proper actions in case the account is actually compromised. Click **Next** when done.
+3. Click the **Unblock** action that appears.
-4. The next screen has recommendations to help prevent future compromise. Enabling multi-factor authentication (MFA) and changing the passwords are a good defense. Click **Unblock user** when done.
+4. In the **Unblock user** flyout that appears, read the details about the restricted account. You should go through the recommendations to ensure you're taking the proper actions in case the account is compromised.
-5. Click **Yes** to confirm the change.
+ When you're finished, click **Next**.
+
+5. The next screen has recommendations to help prevent future compromise. Enabling multi-factor authentication (MFA) and resetting the password are a good defense.
+
+ When you're finished, click **Submit**.
+
+6. Click **Yes** to confirm the change.
> [!NOTE] > It might take up to 24 hours for all restrictions to be removed from the user.
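Review bot: The new step 1 writes the navigation path with bare separators ("**Email & collaboration** > **Review** > **Restricted users**"), whereas the line it replaces and the Alert policy step later in this article escape them as "\>". Use the escaped form here too so the path renders consistently. The step text otherwise keeps the recommendation review and the MFA and password reset guidance ahead of the final confirmation, which is the right order for an account that may be compromised.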
The default alert policy named **User restricted from sending email** will autom
> [!IMPORTANT] > For alerts to work, audit log search must to be turned on. For more information, see [Turn the audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
-1. In the Security & Compliance Center, go to **Alerts** \> **Alert policies**.
-
-2. Find and select the **User restricted from sending email** alert.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**.
-3. In the flyout that appears, verify or configure the following settings:
+2. On the **Alert policy** page, find and select the alert named **User restricted from sending email**. You can sort the policies by name, or use the **Search box** to find the policy.
+3. In the **User restricted from sending email** flyout that appears, verify or configure the following settings:
- **Status**: Verify the alert is turned on ![Toggle on](../../media/scc-toggle-on.png).- - **Email recipients**: Click **Edit** and verify or configure the following settings in the **Edit recipients** flyout that appears:-
- - **Send email notifications**: Verify the check box is selected (**On**).
-
- - **Email recipients**: The default value is **TenantAdmins** (meaning, **Global admin** members). To add more recipients, click in a blank area of the box. A list of recipients will appear, and you can start typing a name to filter and select a recipient. You can remove an existing recipient from the box by clicking ![Remove icon](../../media/scc-remove-icon.png) next to their name.
-
+ - **Send email notifications**: Verify this is selected (**On**).
+ - **Email recipients**: The default value is **TenantAdmins** (meaning, **Global admin** members). To add more recipients, click in a blank area of the box. A list of recipients will appear, and you can start typing a name to filter and select a recipient. You can remove an existing recipient from the box by clicking ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to their name.
- **Daily notification limit**: The default value is **No limit** but you can select a limit for the maximum number of notifications per day. When you're finished, click **Save**. 4. Back on the **User restricted from sending email** flyout, click **Close**.
-## Use Exchange Online PowerShell to view and remove users from the Restricted Users list
+## Use Exchange Online PowerShell to view and remove users from the Restricted users list
To view this list of users that are restricted from sending email, run the following command:
Get-BlockedSenderAddress -SenderAddress <emailaddress>
For detailed syntax and parameter information, see [Get-BlockedSenderAddress](/powershell/module/exchange/get-blockedsenderaddress).
-To remove a user from the Restricted Users list, replace \<emailaddress\> with their email address and run the following command:
+To remove a user from the Restricted users list, replace \<emailaddress\> with their email address and run the following command:
```powershell Remove-BlockedSenderAddress -SenderAddress <emailaddress> ```
-For detailed syntax and parameter information, see [Remove-BlockedSenderAddress](/powershell/module/exchange/remove-blockedsenderaddress).
+For detailed syntax and parameter information, see [Remove-BlockedSenderAddress](/powershell/module/exchange/remove-blockedsenderaddress).
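Review bot: The IMPORTANT note at the top of this hunk still reads "audit log search must to be turned on" while the steps directly under it are rewritten; fix it to "must be turned on" in the same change. Also, "**Send email notifications**: Verify this is selected (**On**)" lost its referent when "the check box" was removed, so say what "this" is.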
security Report False Positives And False Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-false-positives-and-false-negatives.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises mailboxes using hybrid modern authentication, you can submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) to Exchange Online Protection (EOP).
In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises
> [!IMPORTANT] > The built-in experience for reporting junk or phishing in Outlook can't use the [user submission policy](./user-submission.md). We recommend using the Report Message add-in or the Report Phishing add-in instead. -- The the Report Message add-in and the Report Phishing add-in work for Outlook in all platforms (Outlook on the web, iOS, Android, and Desktop).
+- The Report Message add-in and the Report Phishing add-in work for Outlook in all platforms (Outlook on the web, iOS, Android, and Desktop).
-- If you're an admin in an organization with Exchange Online mailboxes, use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+- If you're an admin in an organization with Exchange Online mailboxes, use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
- You can configure to send messages directly to Microsoft, a mailbox you specify, or both. For more information, see [User submissions policies](user-submission.md).
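Review bot: The added admin bullet reads "use the Submissions portal in the Microsoft 365 Defender portal", a portal inside a portal. The NOTE at the top of this article and the later review bullet in the same commit both say "the **Submissions** page in the Microsoft 365 Defender portal"; use that wording here as well.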
For messages in the Inbox or any other email folder except Junk Email, use the f
1. Select the **More actions** ellipses on the top-right corner of the selected message, select **Report message** from the dropdown menu, and then select **Junk** or **Phishing**. ![Report Message - More actions](../../media/report-message-more-actions.png)
-
+ ![Report Message - Junk and Phishing](../../media/report-message-junk-phishing.png) 2. The selected messages will be sent to Microsoft for analysis and:
For messages in the Inbox or any other email folder except Junk Email, use the f
1. Select the **More actions** ellipses on the top-right corner of the selected message, select **Report message** from the dropdown menu, and then select **Not Junk**. ![Report Message - More actions](../../media/report-message-more-actions.png)
-
+ ![Report Message - Not junk](../../media/report-message-not-junk.png) 2. The selected message will be sent to Microsoft for analysis and moved to Inbox or any other specified folder.
For messages in the Inbox or any other email folder except Junk Email, use the f
To review messages that users report to Microsoft, you have these options: -- Use the Admin Submissions portal. For more information, see [View user submissions to Microsoft](admin-submission.md#view-user-submissions-to-microsoft).
+- Use the **Submissions** page in the Microsoft 365 Defender portal. For more information, see [View user submissions to Microsoft](admin-submission.md#view-user-submissions-to-microsoft).
- Create a mail flow rule (also known as a transport rule) to send copies of reported messages. For instructions, see [Use mail flow rules to see what users are reporting to Microsoft](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-see-what-users-are-reporting-to-microsoft).
security Report Junk Email Messages To Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
|Method|Description| ||| |[Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md)|The recommended reporting method for admins in organizations with Exchange Online mailboxes (not available in standalone EOP).|
-|[Enable the Report Message or the Report Phishing add-ins](enable-the-report-message-add-in.md)|Works with Outlook and Outlook on the web (formerly known as Outlook Web App). <p> Depending on your subscription, messages that users reported with the add-ins are available in [the Admin Submissions portal](admin-submission.md), [Automated investigation and response (AIR) results](air-view-investigation-results.md), the [User-reported messages report](view-email-security-reports.md#user-reported-messages-report), and [Threat Explorer](threat-explorer-views.md#email--submissions). <p> You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see [User submissions policies](user-submission.md).
+|[Enable the Report Message or the Report Phishing add-ins](enable-the-report-message-add-in.md)|Works with Outlook and Outlook on the web (formerly known as Outlook Web App). <p> Depending on your subscription, messages that users reported with the add-ins are available in [the Admin Submissions portal](admin-submission.md), [Automated investigation and response (AIR) results](air-view-investigation-results.md), the [User-reported messages report](view-email-security-reports.md#user-reported-messages-report), and [Explorer](threat-explorer-views.md#email--submissions). <p> You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see [User submissions policies](user-submission.md).
|[Report false positives and false negatives in Outlook](report-false-positives-and-false-negatives.md)|Submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) to Exchange Online Protection (EOP) using the Report Message feature.| |[Manually submit messages to Microsoft for analysis](submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis.md)|Manually send attached messages to specific Microsoft email addresses for spam, not spam, and phishing.| |[Use mail flow rules to see what users are reporting to Microsoft](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-see-what-users-are-reporting-to-microsoft)|Learn how to create a mail flow rule (also known as a transport rule) that notifies you when users report messages to Microsoft for analysis.| |[Submit malware and non-malware to Microsoft for analysis](submitting-malware-and-non-malware-to-microsoft-for-analysis.md)|Use the Microsoft Security Intelligence site to submit attachments and other files.| |
-If the spam or phishing messages were quarantined instead of delivered, users can report the messages to Microsoft from the Quarantine portal in the Security & Compliance Center. For details, see [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md).
+If the spam or phishing messages were quarantined instead of delivered, users can report the messages to Microsoft from Quarantine in the Microsoft 365 Defender portal. For details, see [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md).
> [!NOTE] > Data from submissions to Microsoft resides in the Office 365 compliance boundary in North American data centers. The data is reviewed by analysts on the engineering team to help improve the effectiveness of the filters.
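Review bot: The changed table row renames the "Threat Explorer" link text to "Explorer" but keeps "[the Admin Submissions portal](admin-submission.md)" in the same cell, while the companion article in this batch now calls it the Submissions page in the Microsoft 365 Defender portal. Align the link text in this row so readers are not sent looking for a portal name that the other articles no longer use.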
security Reports And Insights In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance.md
A wide variety of reports are available in the Security & Compliance Center. (Go
|Type of information|How to get there|Where to go to learn more| ||||
-|**Microsoft 365 Defender reports** (all up) <p> Top insights and recommendations, and links to Microsoft 365 Defender reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** > **Email & collaboration** > **[Email & collaboration reports](https://security.microsoft.com/emailandcollabreport)**|[Monitor and view reports in the Microsoft 365 security center](../defender/overview-security-center.md)|
+|**Security & Compliance Center reports** (all up) <p> Top insights and recommendations, and links to Security & Compliance reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** \> **Dashboard**|[Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md)|
|**Data loss prevention** <p> Data loss prevention policy matches, false positives and overrides, and links to create or edit policies|In the Security & Compliance Center, go to **Data loss prevention** \> **Policy**|[View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md)| |**Data governance** <p> Information about how labels are applied, labels classified as records, label trends, and more|In the Security & Compliance Center, go to **Information governance** \> **Dashboard**|[View the data governance reports](../../compliance/view-the-data-governance-reports.md)| |**Threat management dashboard** (this is also referred to as the Security dashboard) <p> Threat detections, malware trends, top targeted users, details about sent and received email messages, and more|In the Security & Compliance Center, go to **Vulnerability Management** \> **Dashboard**|[View reports for Defender for Office 365](view-reports-for-mdo.md)|
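Review bot: This row moves in the opposite direction from the rest of the batch: it replaces "Microsoft 365 Defender reports" and the security.microsoft.com link with "Security & Compliance Center reports" and "**Reports** \> **Dashboard**". If this is an intentional revert because the removed row mixed "In the Security & Compliance Center" with a Defender portal URL, say so in the commit message; otherwise the row should keep the Defender naming and only the "How to get there" text needs correcting.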
security Safe Docs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-docs.md
Files sent by Safe Documents are not retained in Defender beyond the time needed
## Use the Microsoft 365 Defender to configure Safe Documents
-1. Open the Microsoft 365 Defender portal and go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+1. Open the Microsoft 365 Defender portal and go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
2. On the **Safe Attachments** page, click **Global settings**.
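Review bot: The navigation path casing in step 1 is inconsistent with another edit in this same batch. This line changes the path to **Email & Collaboration** \> **Policies & Rules**, while the tenant-wide-setup change adds **Email & collaboration** \> **Policies & rules**. Confirm which casing matches the portal UI and use it in every article touched here. The heading just above this step, "Use the Microsoft 365 Defender to configure Safe Documents", also appears to be missing the word "portal".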
To learn more, see [Onboard to the Microsoft Defender for Endpoint service](/mic
To verify that you've enabled and configured Safe Documents, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments** \> **Global settings**, and verify the **Turn on Safe Documents for Office clients** and **Allow people to click through Protected View even if Safe Documents identifies the file as malicious** settings.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments** \> **Global settings**, and verify the **Turn on Safe Documents for Office clients** and **Allow people to click through Protected View even if Safe Documents identifies the file as malicious** settings.
- Run the following command in Exchange Online PowerShell and verify the property values:
security Security Roadmap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-roadmap.md
These tasks take a bit more time to plan and implement but greatly increase your
|Area|Task| |||
-|Security management|<ul><li>Check Secure Score for recommended actions for your environment (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Look for and implement software updates.</li><li>Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using [Attack Simulator](attack-simulator.md) (included with [Office 365 Threat Intelligence](office-365-ti.md)).</li><li>Look for sharing risk by reviewing the built-in reports in Cloud App Security (on the Investigate tab).</li><li>Check [Compliance Manager](../../compliance/compliance-manager.md) to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).</li></ul>|
+|Security management|<ul><li>Check Secure Score for recommended actions for your environment (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Look for and implement software updates.</li><li>Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using [Attack simulation training](attack-simulation-training.md) (included with [Office 365 Threat Intelligence](office-365-ti.md)).</li><li>Look for sharing risk by reviewing the built-in reports in Cloud App Security (on the Investigate tab).</li><li>Check [Compliance Manager](../../compliance/compliance-manager.md) to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).</li></ul>|
|Threat protection|Implement enhanced protections for admin accounts: <ul><li>Configure [Privileged Access Workstations](/security/compass/privileged-access-devices) (PAWs) for admin activity.</li><li>Configure [Azure AD Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure).</li><li>Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Cloud App Security, and other services, including AD FS. The audit log stores data for only 90 days. Capturing this data in SIEM tool allows you to store data for a longer period.</li></ul>| |Identity and access management|<ul><li>Enable and enforce MFA for all users.</li><li>Implement a set of [conditional access and related policies](microsoft-365-policies-configurations.md).</li></ul>| |Information protection| Adapt and implement information protection policies. These resources include examples: <ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md)</li></ul> <p> Use data loss prevention policies and monitoring tools in Microsoft 365 for data stored in Microsoft 365 (instead of Cloud App Security). <p> Use Cloud App Security with Microsoft 365 for advanced alerting features (other than data loss prevention).|
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
For more information, see [Identify suspicious messages in Outlook.com and Outlo
The **Show first contact safety tip** settings is available in EOP and Defender for Office 365 organizations, and has no dependency on spoof intelligence or impersonation protection settings. The safety tip is shown to recipients in the following scenarios: - The first time they get a message from a sender-- If they don't often get messages from the sender.
+- They don't often get messages from the sender.
-![The text of the safety tip for impersonation protection with multiple recipients.](../../media/safety-tip-first-contact-multiple-recipients.png)
+![First contact safety tip for messages with one recipient.](../../media/safety-tip-first-contact-one-recipient.png)
+
+![First contact safety tip for messages with with multiple recipients.](../../media/safety-tip-first-contact-multiple-recipients.png)
This capability adds an extra layer of security protection against potential impersonation attacks, so we recommend that you turn it on.
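Review bot: The alt text on the second added image has a duplicated word: "First contact safety tip for messages with with multiple recipients." Drop one "with" so that it matches the one-recipient alt text added just above it. Alt text is what screen readers announce, so the typo is user-visible.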
security Set Up Safe Attachments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-attachments-policies.md
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal creates the safe attachment rule and the associated safe attachment policy at the same time using the same name for both.
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
2. On the **Safe Attachments** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
## Use the Microsoft 365 Defender portal to view Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
2. On the **Safe Attachments** page, the following properties are displayed in the list of policies: - **Name**
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
## Use the Microsoft 365 Defender portal to modify Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
To enable or disable a policy or set the policy priority order, see the followin
### Enable or disable Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
Safe Attachments policies are displayed in the order they're processed (the firs
To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
## Use the Microsoft 365 Defender portal to remove Safe Attachments policies
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**.
2. On the **Safe Attachments** page, select a custom policy from the list by clicking on the name of the policy.
For detailed syntax and parameter information, see [Remove-SafeAttachmentRule](/
To verify that you've successfully created, modified, or removed Safe Attachments policies, do any of the following steps: -- In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name, and view the details in the fly out.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Attachments**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name, and view the details in the fly out.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
The basic elements of a Safe Links policy are:
- **The safe links policy**: Turn on Safe Links protection, turn on real-time URL scanning, specify whether to wait for real-time scanning to complete before delivering the message, turn on scanning for internal messages, specify whether to track user clicks on URLs, and specify whether to allow users to click trough to the original URL. - **The safe links rule**: Specifies the priority and recipient filters (who the policy applies to).
-The difference between these two elements isn't obvious when you manage Safe Links polices in the Microsoft 365 Defender portal:
+The difference between these two elements isn't obvious when you manage Safe Links policies in the Microsoft 365 Defender portal:
- When you create a Safe Links policy, you're actually creating a safe links rule and the associated safe links policy at the same time using the same name for both. - When you modify a Safe Links policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the safe links rule. All other settings modify the associated safe links policy.
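Review bot: The "polices" fix is correct, but the bullet directly above it still contains a typo that this change could also fix: "specify whether to allow users to click trough to the original URL" should read "click through". This setting decides whether a user can bypass the Safe Links warning, so the wording should be unambiguous.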
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
- To create, modify, and delete Safe Links policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft 365 Defender portal **and** a member of the **Organization Management** role group in Exchange Online. - For read-only access to Safe Links policies, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
> [!NOTE] >
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click **Next**.
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
6. On the **Notification** page that appears, select one of the following values for **How would you like to notify your users?**: - **Use the default notification text**
- - **Use custom notification text**: If you select this value (the lenght cannot exceed 200 characters), the following settings appear:
+ - **Use custom notification text**: If you select this value (the length cannot exceed 200 characters), the following settings appear:
- **Use Microsoft Translator for automatic localization** - **Custom notification text**: Enter the custom notification text in this box.
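Review bot: The spelling fix leaves the parenthetical in the wrong place. "If you select this value (the length cannot exceed 200 characters)" attaches the limit to the act of selecting the option, not to the text itself. Consider moving the limit to the **Custom notification text** item, where the admin actually types the text, for example "Enter the custom notification text in this box (the length cannot exceed 200 characters)."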
To enable or disable a policy or set the policy priority order, see the followin
### Enable or disable Safe Links policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
2. On the **Safe Links** page, select a policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the Microsoft 365 Defender portal, you can only change the priority of the Safe Links policy after you create it. In PowerShell, you can override the default priority when you create the safe links rule (which can affect the priority of existing rules). - Safe Links policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
2. On the **Safe Links** page, select a policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
## Use the Microsoft 365 Defender portal to remove Safe Links policies
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Safe Links**.
2. On the **Safe Links** page, select a policy from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
security Siem Integration With Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti.md
If your organization is using a security information and event management (SIEM)
SIEM integration enables you to view information, such as malware or phish detected by Microsoft Defender for Office 365, in your SIEM server reports. - To see an example of SIEM integration with Microsoft Defender for Office 365, see [Tech Community blog: Improve the Effectiveness of your SOC with Defender for Office 365 and the O365 Management API](https://techcommunity.microsoft.com/t5/microsoft-security-and/improve-the-effectiveness-of-your-soc-with-office-365-atp-and/ba-p/1525185).- - To learn more about the Office 365 Management APIs, see [Office 365 Management APIs overview](/office/office-365-management-api/office-365-management-apis-overview). ## How SIEM integration works
The SIEM server or other similar system polls the **audit.general** workload to
The following table summarizes the values of **AuditLogRecordType** that are relevant for Microsoft Defender for Office 365 events:
+<br>
+
+****
+ |Value|Member name|Description| |||| |28|ThreatIntelligence|Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.|
The following table summarizes the values of **AuditLogRecordType** that are rel
| > [!IMPORTANT]
-> You must be a global administrator or have the security administrator role assigned for the Microsoft 365 Defender portal to set up SIEM integration with Microsoft Defender for Office 365.
+> You must be a global administrator or have the Security Administrator role assigned in the Microsoft 365 Defender portal to set up SIEM integration with Microsoft Defender for Office 365. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
> > Audit logging must be turned on for your Microsoft 365 environment. To get help with this, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
security Siem Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
Is your organization using or planning to get a Security Information and Event M
Whether you need a SIEM server depends on many factors, such as your organization's security requirements and where your data resides. Microsoft 365 includes a wide variety of security features that meet many organizations' security needs without additional servers, such as a SIEM server. Some organizations have special circumstances that require the use of a SIEM server. Here are some examples: - *Fabrikam* has some content and applications on premises, and some in the cloud (they have a hybrid cloud deployment). To get security reports across all their content and applications, Fabrikam has implemented a SIEM server.- - *Contoso* is a financial services organization that has particularly stringent security requirements. They have added a SIEM server to their environment to take advantage of the extra security protection they require. ## SIEM server integration with Microsoft 365 A SIEM server can receive data from a wide variety of Microsoft 365 services and applications. The following table lists several Microsoft 365 services and applications, along with SIEM server inputs and resources to learn more.
+<br>
+ **** |Microsoft 365 Service or Application|SIEM server inputs/methods|Resources to learn more|
A SIEM server can receive data from a wide variety of Microsoft 365 services and
Make sure that audit logging is turned on before you configure SIEM server integration. -- For SharePoint Online, OneDrive for Business, and Azure Active Directory, [audit logging is turned on in the Microsoft 365 Defender portal](../../compliance/turn-audit-log-search-on-or-off.md).-
+- For SharePoint Online, OneDrive for Business, and Azure Active Directory, see [Turn auditing on or off](../../compliance/turn-audit-log-search-on-or-off.md).
- For Exchange Online, see [Manage mailbox auditing](../../compliance/enable-mailbox-auditing.md). ## More resources [Integrate security solutions in Azure Defender](/azure/security-center/security-center-partner-integration#exporting-data-to-a-siem)
-[Integrate Microsoft Graph Security API alerts with a SIEM](/graph/security-integration)
+[Integrate Microsoft Graph Security API alerts with a SIEM](/graph/security-integration)
security Submit Spam Non Spam And Phishing Scam Messages To Microsoft For Analysis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
It can be frustrating when users in your organization receive junk messages (spam) or phishing messages in their Inbox, or if they don't receive a legitimate email message because it's marked as junk. We're constantly fine-tuning our spam filters to be more accurate.
If you receive a message that passed through spam filtering that should have bee
## Submit false positives to Microsoft > [!TIP]
-> Instead of using the following procedures to report false positives, users in Outlook and Outlook on the web (formerly known as Outlook Web App) can use the Report Message add-in or the Report Phishing add-in. For information about how to install and use these tools, see [Enable the Report Message add-in](enable-the-report-message-add-in.md) and [Enable the Report Phishing add-in](enable-the-report-phish-add-in.md).
+> Instead of using the following procedures to report false positives, users in Outlook and Outlook on the web can use the Report Message add-in or the Report Phishing add-in. For information about how to install and use these tools, see [Enable the Report Message add-in](enable-the-report-message-add-in.md) and [Enable the Report Phishing add-in](enable-the-report-phish-add-in.md).
If a message was incorrectly identified as spam, you can submit the message to the Microsoft Spam Analysis Team. The analysts will evaluate the message, and (depending on the results of the analysis) the service-wide filters can be adjusted to allow the message through.
security Submitting Malware And Non Malware To Microsoft For Analysis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP includes anti-malware protection that's automatically enabled. For more information, see [Anti-malware protection in EOP](anti-malware-protection.md).
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
Office 365 Secure Score analyzes your organization's security based on your regu
## Tune threat management policies in the Microsoft 365 Defender portal
-The Microsoft 365 Defender portal includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under threat management to tune threat management settings for a more secure environment.
+The Microsoft 365 Defender portal includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under **Email & collaboration** \> **Policies & rules** \> **Threat policies** to tune threat management settings for a more secure environment.
<br> ****
-|Area|Includes a default policy|Recommendation|
+|Area|Default policy?|Recommendation|
||||
-|**Anti-phishing**|Yes|<ul><li>Impersonation protection ΓÇö If you have Defender for Office 365 and a custom domain, configure the impersonation protection settings in the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain. More information: [Impersonation settings in anti-phishing policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) and [Impersonation insight](impersonation-insight.md)</li><li>Spoof intelligence ΓÇö Review senders who are spoofing your domain. Block or allow these senders. More information: [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) and [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).</li></ul>|
-|**Anti-Malware Engine**|Yes|Edit the default policy: <ul><li>Select **Enable the common attachments filter**</li></ul> <p> You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. <p> More information: <ul><li>[Anti-malware protection](anti-malware-protection.md)</li><li>[Configure anti-malware policies](configure-anti-malware-policies.md)</li></ul>|
-|**Safe Attachments in Microsoft Defender for Office 365**|No|On the main page for Safe Attachments, click **Global settings** and turn on this setting: <ul><li>**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**</li></ul> <p> Create a Safe Attachments policy with these settings: <ul><li> **Block**: Select **Block** as the unknown malware response.</li><li>**Enable redirect**: Check this box and enter an email address, such as an admin or quarantine account.</li><li>**Apply the above selection if malware scanning for attachments times out or error occurs**: Check this box.</li><li>***Applied to**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) and [Set up Safe Attachments policies](set-up-safe-attachments-policies.md)|
-|**Safe Links in Microsoft Defender for Office 365**|Yes|On the main page for Safe Links, click **Global settings**: <ul><li>**Use Safe Links in: Office 365 applications**: Verify this setting is turned on.</li><li>**Do not track when users click Safe Links**: Turn this setting off to track user clicks.</li></ul> <p> Create a Safe Links policy with these settings: <ul><li>**Select the action for unknown potentially malicious URLs in messages**: Verify this setting is **On**.</li><li>**Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Verify this setting is **On**.</li><li>**Apply real-time URL scanning for suspicious links and links that point to files**: Check this box.</li><li>**Wait for URL scanning to complete before delivering the message**: Check this box.</li><li>**Apply Safe Links to email messages sent within the organization**: Check this box</li><li>**Do not allow users to click through to original URL**: Check this box.</li><li>**Applied To**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Set up Safe Links policies](set-up-safe-links-policies.md).|
-|**Anti-Spam (Mail filtering)**|Yes| What to watch for: Too much spam ΓÇö Choose the Custom settings and edit the Default spam filter policy. More information: [Microsoft 365 Email Anti-Spam Protection](anti-spam-protection.md).|
-|***Email Authentication***|Yes|Email authentication uses a Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used: <ul><li>Sender Policy Framework (or SPF).</li><ul><li>For setup, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md).</li></ul> <li>DomainKeys Identified Mail (DKIM).</li><ul><li>See [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md).</li><li>After you've configured DKIM, enable it in the Microsoft 365 Defender portal.</li></ul><li>Domain-based Message Authentication, Reporting, and Conformance (DMARC).</li><ul><li>For DMARC setup [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).</li></ul></ul>|
+|**Anti-phishing**|Yes|Configure the default anti-phishing policy as described here: [Configure anti-phishing protection settings in EOP and Defender for Office 365](protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365). <p> More information: <ul><li>[Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md)</li><li>[Recommended anti-phishing policy settings in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365)</li><li> [Impersonation insight](impersonation-insight.md)</li><li>[Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)</li><li>[Manage the Tenant Allow/Block List](tenant-allow-block-list.md).</li></ul>|
+|**Anti-Malware Engine**|Yes|Configure the default anti-malware policy as described here: [Configure anti-malware protection settings in EOP](protect-against-threats.md#part-1anti-malware-protection-in-eop). <p> More information: <ul><li>[Anti-malware protection](anti-malware-protection.md)</li><li>[Recommended anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings)</li><li>[Configure anti-malware policies](configure-anti-malware-policies.md)</li></ul>|
+|**Safe Attachments in Defender for Office 365**|No|Configure the global settings for Safe Attachments and create a Safe Attachments policy as described here: [Configure Safe Attachments settings in Microsoft Defender for Office 365](protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365). <p> More information: <ul><li>[Recommended Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings)</li><li>[Safe Attachments in Microsoft Defender for Office 365](safe-attachments.md)</li><li>[Set up Safe Attachments policies](set-up-safe-attachments-policies.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Safe Documents in Microsoft 365 E5](safe-docs.md)</li></ul>|
+|**Safe Links in Microsoft Defender for Office 365**|No|Configure the global settings for Safe Links and create a Safe Links policy as described here: [Configure Safe Links settings in Microsoft Defender for Office 365](protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365). <p> More information: <ul><li>[Recommended Safe Links settings](recommended-settings-for-eop-and-office365.md#safe-links-settings)</li><li>[Set up Safe Links policies](set-up-safe-links-policies.md)</li><li>[Safe Links in Microsoft Defender for Office 365](safe-links.md)</li><li>[Configure global settings for Safe Links in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md)</li></ul>|
+|**Anti-spam (mail filtering)**|Yes|Configure the default anti-spam policy as described here: [Configure anti-spam protection settings in EOP](protect-against-threats.md#part-3anti-spam-protection-in-eop) <p> More information: <ul><li>[Recommended anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings)</li><li>[Anti-spam protection in EOP](anti-spam-protection.md)</li><li>[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)</li></ul>|
+|***Email Authentication***|Yes|Email authentication uses DNS records to add verifiable information to email messages about the message source and sender. Microsoft 365 automatically configures email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also configure email authentication for custom domains. Three authentication methods are used: <ul><li>Sender Policy Framework (or SPF).</li><ul><li>For setup, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md).</li></ul> <li>DomainKeys Identified Mail (DKIM).</li><ul><li>See [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md).</li><li>After you've configured DKIM, enable it in the Microsoft 365 Defender portal.</li></ul><li>Domain-based Message Authentication, Reporting, and Conformance (DMARC).</li><ul><li>For DMARC setup [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).</li></ul></ul>|
| > [!NOTE]
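Review bot: in the added ***Email Authentication*** row, the DMARC item reads "For DMARC setup [Use DMARC to validate email in Microsoft 365]" with no "see" before the link, unlike the SPF item ("For setup, see [...]"); the wording is carried over unchanged from the removed row and should be fixed while this row is being rewritten. The row label is also the only one in bold italic (`***...***`) where every other row uses `**...**`, and "Anti-Malware Engine" keeps title case while the neighbouring labels were lowercased to "Anti-phishing" and "Anti-spam (mail filtering)". The nested `<ul>` elements sit directly inside the outer `<ul>` rather than inside the preceding `<li>`, which is not valid list nesting; moving each nested list inside its parent `<li>` would fix that.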
The Microsoft 365 Defender portal includes capabilities that protect your enviro
## View dashboards and reports in the Microsoft 365 Defender portal
-Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see [Reports in the Microsoft 365 Defender portal](../../compliance/reports-in-security-and-compliance.md).
+Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on.
<br>
Visit these reports and dashboards to learn more about the health of your enviro
|Dashboard|Description| |||
-|[Threat management dashboard](security-dashboard.md)|In the **Threat management** section of the Microsoft 365 Defender portal, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what threat investigation and response capabilities have already done to secure your business.|
-|[Threat Explorer (or real-time detections)](threat-explorer.md)|This is also in the **Threat management** section of the Microsoft 365 Defender portal. If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.|
-|Reports ΓÇö Dashboard|In the **Reports** section of Microsoft 365 Defender portal, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (Azure AD) user sign-in reports, user activity reports, and the Azure AD audit log from the **View reports** page.|
+|Email security reports|These reports are available in Exchange Online Protection. For more information, see [View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md).|
+|Defender for Office 365 reports|The reports are available only in Defender for Office 365. For more information, see [View Defender for Office 365 reports in the Microsoft 365 Defender portal](view-reports-for-mdo.md).|
+|Mail flow reports and insights|These reports and insights are available in the Exchange admin center (EAC). For more information, see [Mail flow reports](/exchange/monitoring/mail-flow-reports/mail-flow-reports) and [Mail flow insights](/exchange/monitoring/mail-flow-insights/mail-flow-insights).|
+|[Threat Explorer (or real-time detections)](threat-explorer.md)|If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.|
|
-![Microsoft 365 Defender portal Dashboard](../../media/870ab776-36d2-49c7-b615-93b2bc42fce5.png)
- ## Configure additional Exchange Online tenant-wide settings Here are a couple of additional settings that are recommended.
Here are a couple of additional settings that are recommended.
****
-|Area|Includes a default policy|Recommendation|
-||||
-|**Mail Flow** (mail flow rules, also known as transport rules)|No|Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see [Use mail flow rules to inspect message attachments in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments). <p> See these additional topics: <ul><li>[Protect against ransomware](../../admin/security-and-compliance/secure-your-business-data.md#5-protect-against-ransomware)</li><li>[Malware and Ransomware Protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection)</li><li>[Recover from a ransomware attack in Office 365](recover-from-ransomware.md)</li></ul> <p> Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see [Mitigating Client External Forwarding Rules with Secure Score](/archive/blogs/office365security/mitigating-client-external-forwarding-rules-with-secure-score). <p> More information: [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)|
-|**Enable modern authentication**|No|Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email. <p> See these topics: <ul><li>[Enable or disable modern authentication in Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online)</li><li>[Skype for Business Online: Enable your tenant for modern authentication](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx)</li></ul> <p> Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business. <p> More information: [How modern authentication works for Office 2013 and Office 2016 client apps](../../enterprise/modern-auth-for-office-2013-and-2016.md)|
+|Area|Recommendation|
+|||
+|**Mail flow rules** (also known as transport rules)|Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see [Use mail flow rules to inspect message attachments in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments). <p> See these additional topics: <ul><li>[Protect against ransomware](../../admin/security-and-compliance/secure-your-business-data.md#5-protect-against-ransomware)</li><li>[Malware and Ransomware Protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection)</li><li>[Recover from a ransomware attack in Office 365](recover-from-ransomware.md)</li></ul> <p> Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see [Mitigating Client External Forwarding Rules with Secure Score](/archive/blogs/office365security/mitigating-client-external-forwarding-rules-with-secure-score). <p> More information: [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)|
+|**Modern authentication**|Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email. <p> See these topics: <ul><li>[Enable or disable modern authentication in Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online)</li><li>[Skype for Business Online: Enable your tenant for modern authentication](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx)</li></ul> <p> Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business. <p> More information: [How modern authentication works for Office 2013 and Office 2016 client apps](../../enterprise/modern-auth-for-office-2013-and-2016.md)|
| ## Configure tenant-wide sharing policies in SharePoint admin center
For secure environments, be sure to disable authentication for apps that do not
In the meantime, use one of the following methods to accomplish this for SharePoint Online and OneDrive for Business: - Use PowerShell, see [Block apps that do not use modern authentication (ADAL)](/mem/intune/protect/app-modern-authentication-block).- - Configure this in the SharePoint admin center on the "device access' page ΓÇö "Control access from apps that don't use modern authentication." Choose Block. ## Get started with Cloud App Security or Office 365 Cloud App Security
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
ms.assetid: 82ac9922-939c-41be-9c8a-7c75b0a4e27d
- M365-security-compliance - m365initiative-defender-office365
-description: Use Explorer and Real-time detections in the Microsoft 365 security center to investigate and respond to threats efficiently.
+description: Use Explorer and Real-time detections in the Microsoft 365 Defender portal to investigate and respond to threats efficiently.
ms.technology: mdo ms.prod: m365-security
To view and use Explorer or Real-time detections, you must have appropriate perm
To learn more about roles and permissions, see the following resources: -- [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)
+- [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md)
- [Feature permissions in Exchange Online](/exchange/permissions-exo/feature-permissions) ## Differences between Threat Explorer and Real-time detections
security Threat Hunting In Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-hunting-in-threat-explorer.md
In this article:
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** or **Real-time detections** to detect and remediate threats.
+If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** or **Real-time detections** to detect and remediate threats.
-In the **Microsoft 365 Defender portal**, go to **Email & collaboration**, and then choose **Explorer**.
-
-<br>
-
-****
-
-|With Microsoft Defender for Office 365 Plan 2, you see:|With Microsoft Defender for Office 365 Plan 1, you see:|
-|||
-|![Threat explorer](../../media/path-to-explorer.png)|![Real-time detections](../../media/threatmgmt-realtimedetections.png)|
-|
+In the Microsoft 365 Defender portal (<https://security.microsoft.com>), go to **Email & collaboration**, and then choose **Explorer** or **Real-time detections**. To do directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>
With these tools, you can:
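Review bot: the added sentence "To do directly to the page, use ..." has a typo and should read "To go directly to the page"; it also ends on the `<https://security.microsoft.com/realtimereports>` link without a closing period. Since the sentence offers two URLs for two different tools, consider saying which URL opens Explorer and which opens Real-time detections.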
With these tools, you can:
- Start an automated investigation and response process from a view in Explorer - Investigate malicious email, and more
-For more information, see [Email security with Threat Explorer](email-security-in-microsoft-defender.md).
+For more information, see [Email security with Threat Explorer](email-security-in-microsoft-defender.md).
## Threat Explorer walk-through
In Microsoft Defender for Office 365, there are two subscription plansΓÇöPlan 1
Defender for Office 365 Plan 1 uses *Real-time detections*, which is a subset of the *Threat Explorer* (also called *Explorer*) hunting tool in Plan 2. In this series of articles, most of the examples were created using the full Threat Explorer. Admins should test any steps in Real-time detections to see where they apply.
-To open the Explorer tool, go to **Microsoft 365 Defender portal** > **Email & collaboration** > **Explorer**. By default, youΓÇÖll arrive on the **Malware** page, but use the **View** drop down to get familiar with your options. If youΓÇÖre hunting Phish, or digging into a threat campaign, choose those views.
+After you go to **Explorer**, by default, you'll arrive on the **Malware** page, but use the **View** drop down to get familiar with your options. If you're hunting Phish, or digging into a threat campaign, choose those views.
> [!div class="mx-imgBorder"] > ![View drop down in Threat Explorer](../../media/view-drop-down.png)
Once a security operations (Sec Ops) person selects the data they want to see, w
Refining focus in Explorer or Real-time detection can be thought of in layers. The first is **View**. The second can be thought of as a *filtered focus*. For example, you can retrace the steps you took in finding a threat by recording your decisions like this: To find the issue in Explorer, **I chose the Malware View with a Recipient filter focus**. This makes retracing your steps easier. > [!TIP]
-> If Sec Ops uses **Tags** to mark accounts they consider high valued targets, they can make selections like *Phish View with a Tags filter focus (include a date range if used)*. This will show them any phishing attempts directed at their high value user targets during a time-range (like dates when certain phishing attacks are happening a lot for their industry).
+> If Sec Ops uses **Tags** to mark accounts they consider high valued targets, they can make selections like *Phish View with a Tags filter focus (include a date range if used)*. This will show them any phishing attempts directed at their high value user targets during a time-range (like dates when certain phishing attacks are happening a lot for their industry).
-Refinements can be made on date ranges by using the date range controls. Here you can see Explorer in **Malware** view, with a **Detection Technology** filter focus. But itΓÇÖs the **Advanced filter** button that lets Sec Ops teams dig deep.
+Refinements can be made on date ranges by using the date range controls. Here you can see Explorer in **Malware** view, with a **Detection Technology** filter focus. But it's the **Advanced filter** button that lets Sec Ops teams dig deep.
> [!div class="mx-imgBorder"] > ![Advanced filter in Threat Explorer](../../media/advanced-filter.png)
-Clicking the **Advanced filter** pops a panel that will let Sec Ops hunters build queries themselves, letting them include or exclude the information they need to see. Both the chart and table on the Explorer page will reflect their results.
+Clicking the **Advanced filter** pops a panel that will let Sec Ops hunters build queries themselves, letting them include or exclude the information they need to see. Both the chart and table on the Explorer page will reflect their results.
> [!div class="mx-imgBorder"] > ![Results from a query](../../media/threat-explorer-chart-table.png)
-Use the **Column options** button to get the kind of information on the table that would be most helpful:
+Use the **Column options** button to get the kind of information on the table that would be most helpful:
> [!div class="mx-imgBorder"] > ![Column options button highlighted](../../media/threat-explorer-column-options.png)
Use the **Column options** button to get the kind of information on the table th
> [!div class="mx-imgBorder"] > ![Available options in Columns](../../media/column-options.png)
-In the same mien, make sure to test your display options. Different audiences will react well to different presentations of the same data. For some viewers, the **Email Origins** map can show that a threat is widespread or discreet more quickly than the **Campaign display** option right next to it. Sec Ops can make use of these displays to best make points that underscore the need for security and protection, or for later comparison, to demonstrate the effectiveness of their actions.
+In the same mien, make sure to test your display options. Different audiences will react well to different presentations of the same data. For some viewers, the **Email Origins** map can show that a threat is widespread or discreet more quickly than the **Campaign display** option right next to it. Sec Ops can make use of these displays to best make points that underscore the need for security and protection, or for later comparison, to demonstrate the effectiveness of their actions.
> [!div class="mx-imgBorder"] > ![Email Origins map](../../media/threat-explorer-email-origin-map.png)
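Review bot: the paragraph touched here still opens with "In the same mien", which looks like a slip for "In the same vein", and describes a threat as "widespread or discreet", where "discrete" (isolated) appears to be the intended contrast with "widespread". Both survive from the removed line into the added one, so this is a good place to correct them.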
In the same mien, make sure to test your display options. Different audiences wi
When you see a suspicious email, click the name to expand the flyout on the right. Here, the banner that lets Sec Ops see the [email entity page](mdo-email-entity-page.md) is available.
-The email entity page pulls together contents that can be found under **Details**, **Attachments**, **Devices**, but includes more organized data. This includes things like DMARC results, plain text display of the email header with a copy option, verdict information on attachments that were securely detonated, and files those detonations dropped (can include IP addresses that were contacted and screenshots of pages or files). URLs and their verdicts are also listed with similar details reported.
+The email entity page pulls together contents that can be found under **Details**, **Attachments**, **Devices**, but includes more organized data. This includes things like DMARC results, plain text display of the email header with a copy option, verdict information on attachments that were securely detonated, and files those detonations dropped (can include IP addresses that were contacted and screenshots of pages or files). URLs and their verdicts are also listed with similar details reported.
-When you reach this stage, the email entity page will be critical to the final stepΓÇö*remediation*.
+When you reach this stage, the email entity page will be critical to the final stepΓÇö*remediation*.
> [!div class="mx-imgBorder"] > ![The email entity page](../../media/threat-explorer-email-entity-page.png)
Finally, alert ID is included in the URL, for example: `https://https://security
> [!div class="mx-imgBorder"] > ![Alert ID in details flyout](../../media/AlertID-DetailsFlyout.png)
-### Extending Explorer (and Real-time detections) data retention and search limit for trial tenants
+### Extending Explorer (and Real-time detections) data retention and search limit for trial tenants
-As part of this change, analysts will be able to search for, and filter email data across 30 days (increased from seven days) in Threat Explorer and Real-time detections for both Defender for Office P1 and P2 trial tenants. This doesnΓÇÖt impact any production tenants for both P1 and P2 E5 customers, where the retention default is already 30 days.
+As part of this change, analysts will be able to search for, and filter email data across 30 days (increased from seven days) in Threat Explorer and Real-time detections for both Defender for Office P1 and P2 trial tenants. This doesn't impact any production tenants for both P1 and P2 E5 customers, where the retention default is already 30 days.
-### Updated Export limit
+### Updated Export limit
-The number of Emails records that can be exported from Threat Explorer is now 200,000 (was 9990). The set of columns that can be exported is unchanged.
+The number of Emails records that can be exported from Threat Explorer is now 200,000 (was 9990). The set of columns that can be exported is unchanged.
### Tags in Threat Explorer
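Review bot: the added export-limit line says "The number of Emails records that can be exported", which should be "email records", and the retention paragraph names the product as "Defender for Office P1 and P2" where the rest of the article uses "Defender for Office 365 Plan 1" and "Plan 2". The retention paragraph also begins "As part of this change" with nothing under the heading saying which change is meant. Separately, the leading context line shows an example URL starting `https://https://security`, a doubled scheme that should be corrected in the same pass.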
When analysts look at the **Tags** column the email grid, they are seeing all ta
#### Filtering
-Tags can be used as filters. Hunt among priority accounts only, or use specific user tags scenarios this way. You can also exclude results that have certain tags. Combine Tags with other filters and date ranges to narrow your scope of investigation.
+Tags can be used as filters. Hunt among priority accounts only, or use specific user tags scenarios this way. You can also exclude results that have certain tags. Combine Tags with other filters and date ranges to narrow your scope of investigation.
[![Filter tags](../../media/tags-filter-normal.png)](../../media/tags-filter-normal.png#lightbox)
Tags can be used as filters. Hunt among priority accounts only, or use specific
#### Email detail flyout
-To view the individual tags for sender and recipient, select an email to open the message details flyout. On the **Summary** tab, the sender and recipient tags are shown separately. The information about individual tags for sender and recipient can be exported as CSV data.
+To view the individual tags for sender and recipient, select an email to open the message details flyout. On the **Summary** tab, the sender and recipient tags are shown separately. The information about individual tags for sender and recipient can be exported as CSV data.
> [!div class="mx-imgBorder"] > ![Email Details tags](../../media/tags-flyout.png)
Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&
### Top targeted users
-Top Malware Families shows the **top targeted users** in the Malware section. Top targeted users will be extended through Phish and All Email views too. Analysts will be able to see the top-five targeted users, along with the number of attempts for each user in each view.
+Top Malware Families shows the **top targeted users** in the Malware section. Top targeted users will be extended through Phish and All Email views too. Analysts will be able to see the top-five targeted users, along with the number of attempts for each user in each view.
-Security operations people be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts made, for offline analysis for each email view. Also, selecting the number of attempts (for example, 13 attempts in the image below) will open a filtered view in Threat Explorer, so you can see more details across emails, and threats for that user.
+Security operations people be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts made, for offline analysis for each email view. Also, selecting the number of attempts (for example, 13 attempts in the image below) will open a filtered view in Threat Explorer, so you can see more details across emails, and threats for that user.
> [!div class="mx-imgBorder"] > ![Top targeted users](../../media/Top_Targeted_Users.png) ### Exchange transport rules
-The security operations team will be able to see all the Exchange transport rules (or Mail flow rules) applied to a message, in the Email grid view. Select **Column options** in the grid and then **Add Exchange Transport Rule** from the column options. The Exchange transport rules option is also visible on the **Details** flyout in the email.
+The security operations team will be able to see all the Exchange transport rules (or Mail flow rules) applied to a message, in the Email grid view. Select **Column options** in the grid and then **Add Exchange Transport Rule** from the column options. The Exchange transport rules option is also visible on the **Details** flyout in the email.
-Names and GUIDs of the transport rules applied to the message appear. Analysts will be able to search for messages by using the name of the transport rule. This is a CONTAINS search, which means you can do partial searches as well.
+Names and GUIDs of the transport rules applied to the message appear. Analysts will be able to search for messages by using the name of the transport rule. This is a CONTAINS search, which means you can do partial searches as well.
> [!IMPORTANT] > Exchange transport rule search and name availability depend on the specific role assigned to you. You need to have one of the following roles or permissions to view the transport rule names and search. However, even without the roles or permissions below, an analyst may see the transport rule label and GUID information in the Email Details. Other record-viewing experiences in Email Grids, Email flyouts, Filters, and Export are not affected.
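Review bot: in the **Top targeted users** paragraph, the added line still reads "Security operations people be able to export the list of targeted users", which is missing "will" (compare "Analysts will be able to see" in the line above it). The same paragraph's heading text "Top Malware Families shows the **top targeted users**" is worth a second look too, since the sentence then says the feature extends to the Phish and All Email views.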
Names and GUIDs of the transport rules applied to the message appear. Analysts w
### Inbound connectors
-Connectors are a collection of instructions that customize how your email flows to and from your Microsoft 365 or Office 365 organization. They enable you to apply any security restrictions or controls. In Threat Explorer, you can view the connectors that are related to an email and search for emails using connector names.
+Connectors are a collection of instructions that customize how your email flows to and from your Microsoft 365 or Office 365 organization. They enable you to apply any security restrictions or controls. In Threat Explorer, you can view the connectors that are related to an email and search for emails using connector names.
-The search for connectors is a CONTAINS query, which means partial keyword searches can work:
+The search for connectors is a CONTAINS query, which means partial keyword searches can work:
> [!div class="mx-imgBorder"] > ![Connector details](../../media/Connector_Details.png)
You must have [Microsoft Defender for Office 365](defender-for-office-365.md) to
- The Real-time detections report is included in Defender for Office 365 Plan 1. - Plan to assign licenses for all users who should be protected by Defender for Office 365. Explorer and Real-time detections show detection data for licensed users.
-To view and use Explorer or Real-time detections, you must have the following:
+To view and use Explorer or Real-time detections, you must have the following permissions:
- For the Microsoft 365 Defender portal:- - Organization Management - Security Administrator (this can be assigned in the Azure Active Directory admin center (<https://aad.portal.azure.com>) - Security Reader- - For Exchange Online:- - Organization Management - View-Only Organization Management - View-Only Recipients
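Review bot: the role list that follows the reworded lead-in has an unclosed parenthesis in "Security Administrator (this can be assigned in the Azure Active Directory admin center (<https://aad.portal.azure.com>)"; add the missing ")" after the URL. The lead-in now says "the following permissions" while the list items are role groups, so "roles" may be the more accurate word.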
To view and use Explorer or Real-time detections, you must have the following:
To learn more about roles and permissions, see the following resources: -- [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md)
+- [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md)
- [Feature permissions in Exchange Online](/exchange/permissions-exo/feature-permissions) - [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell) ## More information -- [Find and investigate malicious email that was delivered](investigate-malicious-email-that-was-delivered.md) -- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) -- [Get an overview of the views in Threat Explorer (and Real-time detections)](threat-explorer-views.md) -- [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) -- [Automated investigation and response in Microsoft Threat Protection](automated-investigation-response-office.md) -- [Investigate emails with the Email Entity Page](mdo-email-entity-page.md)
+- [Find and investigate malicious email that was delivered](investigate-malicious-email-that-was-delivered.md)
+- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)
+- [Get an overview of the views in Threat Explorer (and Real-time detections)](threat-explorer-views.md)
+- [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)
+- [Automated investigation and response in Microsoft Threat Protection](automated-investigation-response-office.md)
+- [Investigate emails with the Email Entity Page](mdo-email-entity-page.md)
security Threat Trackers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-trackers.md
Trackers are just a few of the many great features you get with [Microsoft Defen
To view and use your Threat Trackers for your organization, go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and choose **Email & collaboration** \> **Threat tracker**. > [!NOTE]
-> To use Threat Trackers, you must be a global administrator, security administrator, or security reader. See [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+> To use Threat Trackers, you must be a global administrator, security administrator, or security reader. See [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
### Noteworthy trackers
The new Noteworthy threat filter highlights items that were recently detected th
- If your organization doesn't already have these Office 365 Threat Investigation and Response capabilities, see [How do we get Office 365 Threat Investigation and Response capabilities?](office-365-ti.md). -- Make sure that your security team has the correct roles and permissions assigned. You must be a global administrator, or have the Security Administrator or Search and Purge role assigned in the Microsoft 365 Defender portal. See [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+- Make sure that your security team has the correct roles and permissions assigned. You must be a global administrator, or have the Security Administrator or Search and Purge role assigned in the Microsoft 365 Defender portal. See [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- Watch for the new Trackers to show up in your Microsoft 365 environment. When available, you'll find your Trackers [here](https://https://security.microsoft.com/). Go to **Email & collaboration** \> **Threat tracker**.
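Review bot: The unchanged bullet directly after the updated permissions link still carries a malformed URL, `[here](https://https://security.microsoft.com/)`, with the scheme doubled. Since this commit is already correcting links in the same list, change it to `https://security.microsoft.com/` so the Trackers link resolves.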
security Turn On Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams.md
This article contains the steps for enabling and configuring Safe Attachments fo
- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Attachments** page, open <https://security.microsoft.com/safeattachmentv2>. -- To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+- To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the [Global Administrator](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#global-administrator--company-administrator) or [SharePoint Administrator](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#sharepoint-administrator) roles in Azure AD.
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
ms.prod: m365-security
In this article: -- [How DKIM works better than SPF alone to prevent malicious spoofing](use-dkim-to-validate-outbound-email.md#HowDKIMWorks)--- [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](use-dkim-to-validate-outbound-email.md#1024to2048DKIM)--- [Steps to manually set up DKIM](use-dkim-to-validate-outbound-email.md#SetUpDKIMO365)--- [Steps to configure DKIM for more than one custom domain](use-dkim-to-validate-outbound-email.md#DKIMMultiDomain)--- [Disabling the DKIM signing policy for a custom domain](use-dkim-to-validate-outbound-email.md#DisableDKIMSigningPolicy)--- [Default behavior for DKIM and Microsoft 365](use-dkim-to-validate-outbound-email.md#DefaultDKIMbehavior)--- [Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain](use-dkim-to-validate-outbound-email.md#SetUp3rdPartyspoof)--- [Next steps: After you set up DKIM for Microsoft 365](use-dkim-to-validate-outbound-email.md#DKIMNextSteps)
+- [How DKIM works better than SPF alone to prevent malicious spoofing](#how-dkim-works-better-than-spf-alone-to-prevent-malicious-spoofing)
+- [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](#steps-to-manually-upgrade-your-1024-bit-keys-to-2048-bit-dkim-encryption-keys)
+- [Steps to manually set up DKIM](#steps-to-manually-set-up-dkim)
+- [Steps to configure DKIM for more than one custom domain](#to-configure-dkim-for-more-than-one-custom-domain)
+- [Disabling the DKIM signing policy for a custom domain](#disabling-the-dkim-signing-policy-for-a-custom-domain)
+- [Default behavior for DKIM and Microsoft 365](#default-behavior-for-dkim-and-microsoft-365)
+- [Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain](#set-up-dkim-so-that-a-third-party-service-can-send-or-spoof-email-on-behalf-of-your-custom-domain)
+- [Next steps: After you set up DKIM for Microsoft 365](#next-steps-after-you-set-up-dkim-for-microsoft-365)
> [!NOTE] > Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains. That means you don't need to do anything to set up DKIM for any initial domain names (for example, litware.onmicrosoft.com). For more information about domains, see [Domains FAQ](../../admin/setup/domains-faq.yml#why-do-i-have-an--onmicrosoft-com--domain).
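Review bot: In the new table of contents, the fourth entry's anchor `#to-configure-dkim-for-more-than-one-custom-domain` drops the leading `steps-` that its link text has, while every other entry's anchor is the slug of its own link text. Confirm that it matches the actual heading, and align the link text with that heading so the mismatch is not later "corrected" into a broken link. Later context in this file also shows headings that still carry explicit `<a name="HowDKIMWorks">` style anchors; if nothing else links to them after this change, they can be removed in the same commit.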
In basic, a private key encrypts the header in a domain's outgoing email. The pu
Microsoft-365's built-in DKIM configuration is sufficient coverage for most customers. However, you should manually configure DKIM for your custom domain in the following circumstances: - You have more than one custom domain in Microsoft 365- - You're going to set up DMARC too (**recommended**)- - You want control over your private key- - You want to customize your CNAME records- - You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer. - ## How DKIM works better than SPF alone to prevent malicious spoofing <a name="HowDKIMWorks"> </a>
For detailed syntax and parameter information, see the following articles: [Rota
To configure DKIM, you will complete these steps: - [Publish two CNAME records for your custom domain in DNS](use-dkim-to-validate-outbound-email.md#Publish2CNAME)- - [Enable DKIM signing for your custom domain](use-dkim-to-validate-outbound-email.md#EnableDKIMinO365) ### Publish two CNAME records for your custom domain in DNS
TTL: 3600
Where: - For Microsoft 365, the selectors will always be "selector1" or "selector2".- - _domainGUID_ is the same as the _domainGUID_ in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the _domainGUID_ is contoso-com: > contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com
TTL: 3600
> [!NOTE] > It's important to create the second record, but only one of the selectors may be available at the time of creation. In essence, the second selector might point to an address that hasn't been created yet. We still recommended that you create the second CNAME record, because your key rotation will be seamless. - ### Steps to enable DKIM signing for your custom domain <a name="EnableDKIMinO365"> </a> Once you have published the CNAME records in DNS, you are ready to enable DKIM signing through Microsoft 365. You can do this either through the Microsoft 365 admin center or by using PowerShell.
-#### To enable DKIM signing for your custom domain through the admin center
+#### To enable DKIM signing for your custom domain in the Microsoft 365 Defender portal
-1. [Sign in to Microsoft 365](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4) with your work or school account.
+1. Open the Microsoft 365 Defender portal [using your work or school account](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4).
-2. Go to [security.microsoft.com](https://security.microsoft.com) and follow the path below.
+2. Go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Rules** section \> **DKIM**. Or, to go directly to the DKIM page, use <https://security.microsoft.com/dkimv2>.
-3. Go to **Email & Collaboration > Policies & rules > Threat policies > DKIM**.
+3. On the **DKIM** page, select the domain by clicking on the name.
-4. Select the domain for which you want to enable DKIM and then, for **Sign messages for this domain with DKIM signatures**, choose **Enable**. Repeat this step for each custom domain.
+4. In the details flyout that appears, chang the **Sign messages for this domain with DKIM signatures** setting to **Enabled** (![Toggle on](../../media/scc-toggle-on.png))
+
+ When you're finished, click **Rotate DKIM keys**.
+
+5. Repeat these step for each custom domain.
#### To enable DKIM signing for your custom domain by using PowerShell > [!IMPORTANT]
->:::image type="content" source="../../media/dkim.png" alt-text="The 'No DKIM keys saved for this domain.' error.":::
-> If you are configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain.' complete the command in step 2, below (for example, *Set-DkimSigningConfig -Identity contoso.com -Enabled $true*) to see the key.
+> :::image type="content" source="../../media/dkim.png" alt-text="The 'No DKIM keys saved for this domain.' error.":::
+> If you are configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain' complete the command in step 2 below (for example, `Set-DkimSigningConfig -Identity contoso.com -Enabled $true`) to see the key.
1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
-2. Run the following command:
+2. Use the following syntax:
```powershell
- Set-DkimSigningConfig -Identity <domain> -Enabled $true
+ Set-DkimSigningConfig -Identity <Domain> -Enabled $true
```
- Where _domain_ is the name of the custom domain that you want to enable DKIM signing for.
+ \<Domain\> is the name of the custom domain that you want to enable DKIM signing for.
- For example, for the domain contoso.com:
+ This example enables DKIM signing for the domain contoso.com:
```powershell Set-DkimSigningConfig -Identity contoso.com -Enabled $true
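Review bot: Step 4 of the new portal procedure has a typo, "chang the", and step 5 reads "Repeat these step"; fix both ("change the", "Repeat these steps") and close step 4 with a period after the toggle image. The added line "When you're finished, click **Rotate DKIM keys**" also needs a reason: as written it tells every admin to rotate keys immediately after first enabling signing, and it reads as a required step rather than an optional one. The unchanged intro above the renamed heading still says you can do this "through the Microsoft 365 admin center", which no longer matches "in the Microsoft 365 Defender portal".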
Once you have published the CNAME records in DNS, you are ready to enable DKIM s
Wait a few minutes before you follow these steps to confirm that you have properly configured DKIM. This allows time for the DKIM information about the domain to be spread throughout the network. - Send a message from an account within your Microsoft 365 DKIM-enabled domain to another email account such as outlook.com or Hotmail.com.- - Do not use an aol.com account for testing purposes. AOL may skip the DKIM check if the SPF check passes. This will nullify your test.- - Open the message and look at the header. Instructions for viewing the header for the message will vary depending on your messaging client. For instructions on viewing message headers in Outlook, see [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c). The DKIM-signed message will contain the host name and domain you defined when you published the CNAME entries. The message will look something like this example:
Disabling the signing policy does not completely disable DKIM. After a period of
2. Run one of the following commands for each domain for which you want to disable DKIM signing. ```powershell
- $p = Get-DkimSigningConfig -Identity <domain>
+ $p = Get-DkimSigningConfig -Identity <Domain>
$p[0] | Set-DkimSigningConfig -Enabled $false ```
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
After you've verified that your mailbox meets all applicable prerequisites, you
- To modify the configuration for User submissions, you need to be a member of one of the following role groups:
- - **Organization Management** or **Security Administrator** in the [Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+ - **Organization Management** or **Security Administrator** in the [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- **Organization Management** in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups). - You need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that looks like this when specify the submissions mailbox:
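Review bot: The rewritten bullet now reads "**Security Administrator** in the [Permissions in the Microsoft 365 Defender portal]", because the link text was replaced with the target article's title without adjusting the sentence around it. Keep the link text as "Microsoft 365 Defender portal" and change only the target to `permissions-microsoft-365-security-center.md`, or move the titled link into a trailing "For more information, see" sentence as the other articles in this batch do.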
security User Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags.md
To see how user tags are part of the strategy to help protect high-impact user a
- To add and remove members from existing user tags, you need to be a member of the **Organization Management**, **Security Administrator**, or **Security Operator** role groups - For read-only access to user tags, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
> [!NOTE] >
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
In order to view and use the reports described in this article, you need to be a
- **Security Reader** - **Global Reader**
-For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
security View Reports For Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md
In order to view and use the reports described in this article, you need to be a
- **Security Reader** - **Global Reader**
-For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
+For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
security Zero Hour Auto Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
Title: Zero-hour auto purge (ZAP)
+ Title: Zero-hour auto purge in Microsoft Defender for Office 365
f1.keywords: - NOCSH Previously updated : Last updated : 06/22/2021 audience: Admin
- M365-security-compliance - seo-marvel-apr2020
-description: Admins can learn about how zero-hour auto purge (ZAP) can retroactively move delivered messages in an Exchange Online mailbox to the Junk Email folder or quarantine that are retroactively found to be spam or phishing.
+description: Zero-hour auto purge (ZAP) retroactively moves delivered messages in an Exchange Online mailbox to the Junk Email folder or quarantine that are found to be spam or phishing after delivery.
ms.technology: mdo ms.prod: m365-security
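Review bot: The new `description` leaves its relative clause dangling: in "to the Junk Email folder or quarantine that are found to be spam or phishing after delivery", "that are found" attaches to "quarantine" rather than to "messages". It also omits malware, although the article body says ZAP neutralizes phishing, spam, or malware messages. Consider "Zero-hour auto purge (ZAP) retroactively moves delivered messages that are found to be spam, phishing, or malware to the Junk Email folder or quarantine."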
ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)] -
-## Basic features of ZAP
+## Zero-hour auto purge (ZAP) basics
In Microsoft 365 organizations with mailboxes in Exchange Online, zero-hour auto purge (ZAP) is an email protection feature that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.
The ZAP action is seamless for the user; they aren't notified if a message is de
[Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules (also known as transport rules), Inbox rules, or additional filters take precedence over ZAP. Similar to what happens in mail flow, this means that even if the service determines the delivered message needs ZAP, the message is not acted on because of the the safe senders configuration. This is another reason to be careful about configuring messages to bypass filtering.
-### ZAP for malware
+### Zero-hour auto purge (ZAP) for malware
For **read or unread messages** that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. Only admins can view and manage malware messages from quarantine. ZAP for malware is enabled by default in anti-malware policies. For more information, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
-### ZAP for phishing
+### Zero-hour auto purge (ZAP) for phishing
For **read or unread messages** that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a **Phishing email** filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for phishing and their possible ZAP outcomes are described in the following list:
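Review bot: Renaming the H3s from "ZAP for malware" and "ZAP for phishing" to "Zero-hour auto purge (ZAP) for ..." changes the heading-derived anchors, so any inbound link that targets the slug of the old heading text stops landing on the section. Search the repository for links to these sections and update them in the same commit. Separately, the unchanged paragraph above the first renamed heading has a doubled word, "because of the the safe senders configuration".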
By default, ZAP for phishing is enabled in anti-spam policies, and the default a
For more information about configuring spam filtering verdicts, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
-### ZAP for high confidence phishing
+### Zero-hour auto purge (ZAP) for high confidence phishing
-For **read or unread messages** that are identified as high confidence phishing after delivery, ZAP quarantines the message. Only admins can view and manage high confidence phish messages from quarantine.
+For **read or unread messages** that are identified as high confidence phishing after delivery, ZAP quarantines the message. Only admins can view and manage high confidence phish messages from quarantine.
ZAP for high confidence phish is enabled by default. For more information, see [Secure by Default in Office 365](secure-by-default.md).
-### ZAP for spam
+### Zero-hour auto purge (ZAP) for spam
For **unread messages** that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the **Spam** filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for spam and their possible ZAP outcomes are described in the following list:
By default, spam ZAP is enabled in anti-spam policies, and the default action fo
For more information about configuring spam filtering verdicts, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
-### ZAP considerations for Microsoft Defender for Office 365
+### Zero-hour auto purge (ZAP) considerations for Microsoft Defender for Office 365
ZAP will not quarantine any message that's in the process of [Dynamic Delivery](safe-attachments.md#dynamic-delivery-in-safe-attachments-policies) in Safe Attachments scanning, or where EOP malware filtering has already replaced the attachment with the **Malware Alert Text.txt** file. If a phishing or spam signal is received for these types of messages, and the filtering verdict in the anti-spam policy is set to take some action on the message (Move to Junk, Redirect, Delete, or Quarantine) then ZAP will default to a 'Move to Junk' action.
ZAP will not quarantine any message that's in the process of [Dynamic Delivery](
To determine if ZAP moved your message, you can use either the [Threat Protection Status report](view-email-security-reports.md#threat-protection-status-report) or [Threat Explorer (and real-time detections)](threat-explorer.md). Note that as a system action, ZAP is not logged in the Exchange mailbox audit logs.
-## ZAP FAQ
+## Zero-hour auto purge (ZAP) FAQ
### What happens if a legitimate message is moved to the Junk Email folder?
ZAP will take action on a message based on the configuration your anti-spam poli
Safe senders, mail flow rules, or block and allow organizational settings take precedence. These messages are excluded from ZAP since the service is doing what you configured it to do. This is another reason to be careful about configuring messages to bypass filtering.
-### What are the licensing Requirements for ZAP to work?
+### What are the licensing Requirements for Zero-hour auto purge (ZAP) to work?
There are no limitations on licenses. ZAP works on all mailboxes hosted on Exchange online. ZAP doesn't work in standalone Exchange Online Protection (EOP) environments that protect on-premises Exchange mailboxes. ### What if a message is moved to another folder (e.g. Inbox rules)?
-ZAP still works as long as the message has not been deleted, or as long as the same, or stronger, action has not already been applied. For example, if the anti-phishing policy is set to quarantine and message is already in the Junk Email, then ZAP will take action to quarantine the message.
+Zero-hour auto purge still works as long as the message has not been deleted, or as long as the same, or stronger, action has not already been applied. For example, if the anti-phishing policy is set to quarantine and message is already in the Junk Email, then ZAP will take action to quarantine the message.
### How does ZAP affect mailboxes on hold?
-ZAP will quarantine messages from mailboxes on hold. ZAP can move messages to the Junk Email folder based on the action that's configured for a spam or phishing verdict in anti-spam policies.
+Zero-hour auto purge will quarantine messages from mailboxes on hold. ZAP can move messages to the Junk Email folder based on the action that's configured for a spam or phishing verdict in anti-spam policies.
For more information about holds in Exchange Online, see [In-Place Hold and Litigation Hold in Exchange Online](/Exchange/security-and-compliance/in-place-and-litigation-holds).
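Review bot: In the two FAQ answers only the first word was expanded: "Zero-hour auto purge still works ..." and "Zero-hour auto purge will quarantine ..." are each followed by "ZAP" in the next sentence, so both paragraphs switch names midway. Use "ZAP" throughout the body, since the headings already introduce the abbreviation, or expand it consistently. The renamed heading also keeps the mid-sentence capital in "licensing Requirements"; lowercase it while the line is being touched.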
solutions Deploy Threat Protection Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection-configure.md
Follow these steps to configure threat protection across Microsoft 365.
[Multi-factor authentication](/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) requires users to verify their identity with a phone call or an authenticator app. [Conditional access policies](/azure/active-directory/conditional-access/overview) define certain requirements that must be met in order for users to access apps and data in Microsoft 365. MFA and Conditional Access policies work together to protect your organization. For example, if someone attempts to sign in from a mobile device using an account that is not enabled for MFA, and a Conditional Access policy requires MFA to be in effect, that user is prevented from signing in.
-Microsoft has tested and recommends a specific set of Conditional Access and related policies for protecting access to all of your SaaS applications, especially Microsoft 365. Policies are recommended for baseline, sensitive, and highly regulated protection. Begin by implementing the policies for baseline protection.
-
+Microsoft has tested and recommends a specific set of Conditional Access and related policies for protecting access to all of your SaaS applications, especially Microsoft 365. Policies are recommended for baseline, sensitive, and highly regulated protection. Begin by implementing the policies for baseline protection.
[![Common policies for configuring identity and device access](../media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png) [See a larger version of this image](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png)
Microsoft has tested and recommends a specific set of Conditional Access and rel
[Microsoft Defender for Identity](/defender-for-identity/what-is) is a cloud-based security solution that works with your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables security operations (SecOps) analysts and security professionals struggling to detect advanced attacks in hybrid environments to:+ - Monitor users, entity behavior, and activities with learning-based analytics. - Protect user identities and credentials stored in Active Directory. - Identify and investigate suspicious user activities and advanced attacks throughout the kill chain.
Microsoft 365 Defender unifies alerts, incidents, automated investigation and re
[Microsoft Defender for Office 365](../security/office-365-security/defender-for-office-365.md) safeguards your organization against malicious threats in email messages (attachments and URLs), Office documents, and collaboration tools. The following table lists Microsoft Defender for Office 365 features and capabilities that are included in Microsoft 365 E5:
+<br>
+
+****
+ |Configuration, protection, and detection capabilities|Automation, investigation, remediation, and education capabilities|
-|:|:|
-|[Safe Attachments](../security/office-365-security/safe-attachments.md)<br/>[Safe Links](../security/office-365-security/safe-links.md)<br/>[Safe Documents](../security/office-365-security/safe-docs.md)<br/>[ATP for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/mdo-for-spo-odb-and-teams.md)<br/> [Anti-phishing protection in Microsoft 365](../security/office-365-security/anti-phishing-protection.md)|[Threat Trackers](../security/office-365-security/threat-trackers.md)<br/>[Threat Explorer](../security/office-365-security/threat-explorer.md)<br/>[Automated investigation and response](../security/office-365-security/office-365-air.md)<br/>[Attack Simulator](../security/office-365-security/attack-simulator.md)|
+|||
+|[Safe Attachments](../security/office-365-security/safe-attachments.md) <p> [Safe Links](../security/office-365-security/safe-links.md) <p> [Safe Documents](../security/office-365-security/safe-docs.md) <p> [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/mdo-for-spo-odb-and-teams.md) <p> [Anti-phishing protection in Microsoft 365](../security/office-365-security/anti-phishing-protection.md)|[Threat Trackers](../security/office-365-security/threat-trackers.md) <p> [Threat Explorer](../security/office-365-security/threat-explorer.md) <p> [Automated investigation and response](../security/office-365-security/office-365-air.md) <p> [Attack simulation training](../security/office-365-security/attack-simulation-training.md)|
| With Microsoft Defender for Office 365, people across your organization can communicate and collaborate more securely, with threat protection for their email content and Office documents.
With Microsoft Defender for Office 365, people across your organization can comm
## Step 5: Configure Microsoft Defender for Endpoint
-[Microsoft Defender for Endpoint](/windows/security/threat-protection) protects your organizations devices (also referred to as endpoints) from cyberthreats, advanced attacks, and data breaches. Security teams can be more efficient in managing the security of their endpoints. Robust tools help organizations keep up with unpatched systems using vulnerability detection with [Threat and Vulnerability management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Automated detection and remediation capabilities, such as [attack surface reduction](/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction), [next-generation protection](/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), [endpoint detection and response](/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation and remediation](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) help keep your devices safe from malware. On top of these capabilities, customers can get proactive notifications and consult with Microsoft Threat Experts on demand, as part of the opt-in managed hunting service.
-
+[Microsoft Defender for Endpoint](/windows/security/threat-protection) protects your organizations devices (also referred to as endpoints) from cyberthreats, advanced attacks, and data breaches. Security teams can be more efficient in managing the security of their endpoints. Robust tools help organizations keep up with unpatched systems using vulnerability detection with [Threat and Vulnerability management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Automated detection and remediation capabilities, such as [attack surface reduction](/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction), [next-generation protection](/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), [endpoint detection and response](/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation and remediation](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) help keep your devices safe from malware. On top of these capabilities, customers can get proactive notifications and consult with Microsoft Threat Experts on demand, as part of the opt-in managed hunting service.
### Set up Microsoft Defender for Endpoint
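Review bot: The re-added Step 5 paragraph shows no visible wording change from the removed one, so the missing apostrophe in "protects your organizations devices" carries over. Change it to "organization's devices" in this edit rather than leaving it for a follow-up.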
With Microsoft Defender for Office 365, people across your organization can comm
## Step 7: Monitor status and take actions
-After you have set up and deployed your threat protection services and capabilities, your next step is to monitor threat detections, and take appropriate actions. Your best starting point is the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), where you can monitor and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
+After you have set up and deployed your threat protection services and capabilities, your next step is to monitor threat detections, and take appropriate actions. Your best starting point is the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), where you can monitor and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
![Microsoft 365 security center](../media/solutions-architecture-center/m365-security-center.png) The Microsoft 365 security center is intended for security admins and security operations teams. In the Microsoft 365 security center, you can:+ - View the overall security health of your organization with [Secure Score](/microsoft-365/security/defender/microsoft-secure-score). - [Monitor and view reports](../security/defender-endpoint/threat-protection-reports.md) on the status of your identities, data, devices, apps, and infrastructure. - Connect the dots on alerts through [incidents](/microsoft-365/security/defender/incident-queue).
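Review bot: The touched sentence in Step 7 still says "where you can monitor and managing security"; it should read "monitor and manage security". The same paragraph calls the site the "Microsoft 365 security center", while other articles in this batch of changes refer to <https://security.microsoft.com> as the Microsoft 365 Defender portal, so the name is worth aligning here too.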
The Harvard Kennedy School [Cybersecurity Campaign Handbook](https://go.microsof
Microsoft 365 provides the following resources to help inform users in your organization:
-|Concept |Resources |
-|||
-|Microsoft 365 |[Customizable learning pathways](/office365/customlearning/) <p>These resources can help you put together training for end users in your organization |
-|Microsoft 365 security |[Learning module: Secure your organization with built-in, intelligent security from Microsoft 365](/learn/modules/security-with-microsoft-365) <p>This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features. |
-|Multi-factor authentication | [Two-step verification: What is the additional verification page?](/azure/active-directory/user-help/multi-factor-authentication-end-user-first-time) <p>This article helps end users understand what multi-factor authentication is and why it's being used at your organization. |
+<br>
+
+****
+
+|Concept|Resources|
+|||
+|Microsoft 365|[Customizable learning pathways](/office365/customlearning/) <p> These resources can help you put together training for end users in your organization|
+|Microsoft 365 security|[Learning module: Secure your organization with built-in, intelligent security from Microsoft 365](/learn/modules/security-with-microsoft-365) <p> This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.|
+|Multi-factor authentication|[Two-step verification: What is the additional verification page?](/azure/active-directory/user-help/multi-factor-authentication-end-user-first-time) <p> This article helps end users understand what multi-factor authentication is and why it's being used at your organization.|
+|
In addition to this guidance, Microsoft recommends that your users take the actions described in this article: [Protect your account and devices from hackers and malware](https://support.office.com/article/066d6216-a56b-4f90-9af3-b3a1e9a327d6.aspx). These actions include:+ - Using strong passwords-- Protecting devices
+- Protecting devices
- Enabling security features on Windows 10 and Mac PCs (for unmanaged devices)
-
+ Microsoft also recommends that users protect their personal email accounts by taking the actions recommended in the following articles:+ - [Help protect your Outlook.com email account](https://support.microsoft.com/office/help-protect-your-outlook-com-email-account-a4f20fc5-4307-4ece-8231-6d4d4bd8a9ba) - [Protect your Gmail account with 2-step verification](https://go.microsoft.com/fwlink/?linkid=2015688&amp;clcid=0x409)
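Review bot: The table rewrite adds a `<br>` line, an empty `****` line and a trailing lone `|` row around the Concept/Resources table, with nothing explaining what they are for. If they are a rendering workaround, note that in the commit message; otherwise drop them, because an empty bold marker and a dangling row are easy to mistake for extraction damage. In the rewritten rows, each `<p>` is opened but never closed, and the first row's description ("These resources can help you put together training for end users in your organization") still lacks the closing period the other two rows have. The bullet and paragraph changes below the table look whitespace-only and need no comment.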