Updates from: 07/23/2021 03:09:52
Category | Microsoft Docs article | Related commit history on GitHub | Change details
admin Use Qr Code Download Outlook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/use-qr-code-download-outlook.md
audience: Admin
-localization_priority: Normal
+localization_priority: Priority
- Adm_O365 - Adm_TOC
description: "Learn how to use a QR code to authenticate and download Outlook mo
As the Microsoft 365 administrator, you can enable your users to sign in to Outlook for Android or iOS app on their mobile devices without having to enter their username and password. By scanning a QR code, users can securely authenticate and sign in to Outlook mobile.
-In Outlook on the web or other desktop Outlook applications, users may see notifications informing them that they can use Outlook on their mobile device. These notifications can be managed by the administrator using Exchange Powershell. If users choose to send themselves an SMS text message to download the app on their mobile device, a QR code will appear on their computer. They will be able to scan the QR code to log into Outlook on their phone or tablet. This QR code is a short lived token that can only be redeemed once.
+In Outlook on the web or other desktop Outlook applications, users may see notifications informing them that they can use Outlook on their mobile device. These notifications can be managed by the administrator using Exchange PowerShell. If users choose to send themselves an SMS text message to download the app on their mobile device, a QR code will appear on their computer. They will be able to scan the QR code to log into Outlook on their phone or tablet. This QR code is a short lived token that can only be redeemed once.
The notification is only generated if the following conditions are met:
Set-OrganizationConfig -MobileAppEducationEnabled <Boolean>
## Related content [Set up the Standard or Targeted release options](release-options-in-office-365.md) (article)\
-[Set-OrganizationConfig](/powershell/module/exchange/set-organizationconfig) (article)
+[Set-OrganizationConfig](/powershell/module/exchange/set-organizationconfig) (article)
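Review bot: the only substantive edits here are the Powershell to PowerShell casing and the localization_priority bump (the - and + lines under Related content render identically, so that part is whitespace only), but the unchanged text this hunk sits in leaves a gap that should be closed in the same pass: "This QR code is a short lived token that can only be redeemed once" gives no lifetime, and because the code is displayed on the user's computer screen it is effectively a bearer credential until it is redeemed, so the article should state how long it stays valid and that anyone who can photograph the screen in that window can complete the sign-in on their own device. The `Set-OrganizationConfig -MobileAppEducationEnabled <Boolean>` line also shows only the parameter placeholder; give the default and the `$false` form an admin runs to suppress the notifications, since that is the knob the paragraph above says "can be managed by the administrator using Exchange PowerShell".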
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
search.appverid:
- MOE150 - seo-marvel-apr2020
-description: "Create alert policies in the Microsoft 365 compliance center to monitor potential threats, data loss, and permissions issues."
+description: "Create alert policies in the Microsoft 365 compliance center or the Microsoft 365 Defender portal to monitor potential threats, data loss, and permissions issues."
-# Alert policies in the Microsoft 365 compliance center
+# Alert policies in the Microsoft 365
-You can use the alert policy and alert dashboard tools in the Microsoft 365 compliance center to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy. There are several default alert policies that help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.
+You can use the alert policy and alert dashboard tools in the Microsoft 365 compliance center or the Microsoft 365 Defender portal to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy. There are several default alert policies that help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.
-Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered. There's also a **Alerts** page in the compliance center where you can view and filter alerts, set an alert status to help you manage alerts, and then dismiss alerts after you've addressed or resolved the underlying incident.
+Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered. There's also a **Alerts** page where you can view and filter alerts, set an alert status to help you manage alerts, and then dismiss alerts after you've addressed or resolved the underlying incident.
> [!NOTE] > Alert policies are available for organizations with a Microsoft 365 Enterprise, Office 365 Enterprise, or Office 365 US Government E1/F1/G1, E3/F3/G3, or E5/G5 subscription. Advanced functionality is only available for organizations with an E5/G5 subscription, or for organizations that have an E1/F1/G1 or E3/F3/G3 subscription and a Microsoft Defender for Office 365 P2 or a Microsoft 365 E5 Compliance or an E5 eDiscovery and Audit add-on subscription. The functionality that requires an E5/G5 or add-on subscription is highlighted in this topic. Also note that alert policies are available in Office 365 GCC, GCC High, and DoD US government environments.
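Review bot: the new H1 at the "+# Alert policies in the Microsoft 365" line is missing its noun and reads as unfinished; either drop the article ("Alert policies in Microsoft 365") or name both surfaces the rest of this change introduces ("Alert policies in the Microsoft 365 compliance center and Microsoft 365 Defender portal"). While the next paragraph is being rewritten, "There's also a **Alerts** page" is carried into the + line unchanged and should be "an **Alerts** page".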
Alert policies let you categorize the alerts that are triggered by a policy, app
Here's a quick overview of how alert policies work and the alerts that are triggers when user or admin activity matches the conditions of an alert policy.
-![Overview of how alert policies work](../media/M365-AlertPolicies-Overview.png)
+![Overview of how alert policies work](../media/M365ComplianceDefender-AlertPolicies-Overview.png)
-1. An admin in your organization creates, configures, and turns on an alert policy by using the **Alert policies** page in the compliance center. You can also create alert policies by using the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) cmdlet in Security & Compliance Center PowerShell.
+1. An admin in your organization creates, configures, and turns on an alert policy by using the **Alert policies** page in the Microsoft 365 compliance center or the Microsoft 365 Defender portal. You can also create alert policies by using the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) cmdlet in Security & Compliance Center PowerShell.
- To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the compliance center.
+ To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the Microsoft 365 compliance center or the Defender portal.
> [!NOTE] > It takes up to 24 hours after creating or updating an alert policy before alerts can be triggered by the policy. This is because the policy has to be synced to the alert detection engine. 2. A user performs an activity that matches the conditions of an alert policy. In the case of malware attacks, infected email messages sent to users in your organization trigger an alert.
-3. Microsoft 365 generates an alert that's displayed on the **Alerts** page in Microsoft 365 compliance center. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see that on the Alerts page is determined by the roles assigned to the user. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
+3. Microsoft 365 generates an alert that's displayed on the **Alerts** page in Microsoft 365 compliance center or Defender portal. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see that on the Alerts page is determined by the roles assigned to the user. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
4. An admin manages alerts in the compliance center. Managing alerts consists of assigning an alert status to help track and manage any investigation.
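Review bot: step 4 ("An admin manages alerts in the compliance center") is left untouched while steps 1 and 3 of the same list now say "compliance center or Defender portal", so the procedure ends on the old single-portal wording; update it to match. The rewritten step 3 also carries over the pre-existing slip "The alerts that an admin or other users can see that on the Alerts page is determined by" (drop the second "that"). The 24-hour sync caveat in the note is worth keeping exactly as is, since it is the detail an operator needs when a newly created policy appears not to fire.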
Here's a quick overview of how alert policies work and the alerts that are trigg
An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level. These two settings help you manage alert policies (and the alerts that are triggered when the policy conditions are matched) because you can filter on these settings when managing policies and viewing alerts in the compliance center. For example, you can view alerts that match the conditions from the same category or view alerts with the same severity level.
-**To view and create alert policies:**
+To view and create alert policies:
+
+### Microsoft 365 compliance center
Go to <https://compliance.microsoft.com> and then select **Policies** > **Alert** > **Alert policies**. Alternatively, you can go directly to <https://compliance.microsoft.com/alertpolicies>. ![In the compliance center, select Policies,and under Alert, select Alert policies to view and create alert policies](../media/LaunchAlertPoliciesMCC.png)
+### Microsoft 365 Defender portal
+
+Go to <https://security.microsoft.com> and under **Email & collaboration** select **Policies & rules** > **Alert policy**. Alternatively, you can go directly to <https://security.microsoft.com/alertpolicies>.
+
+![In the Defender portal, select Policies & rules under Email & collaboration, and then select Alert policy to view and create alert policies](../media/LaunchAlertPoliciesDefenderPortal.png)
+ > [!NOTE]
-> You have to be assigned the View-Only Manage Alerts role to view alert policies in the Microsoft 365 compliance center. You have to be assigned the Manage Alerts role to create and edit alert policies. For more information, see [Permissions in the security and compliance center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
+> You have to be assigned the View-Only Manage Alerts role to view alert policies in the compliance center or Defender portal. You have to be assigned the Manage Alerts role to create and edit alert policies. For more information, see [Permissions in the security and compliance center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
An alert policy consists of the following settings and conditions.
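Review bot: the two new H3s ("### Microsoft 365 compliance center" and "### Microsoft 365 Defender portal") are added again with identical titles under "To view alerts:" later in this same file, so the page will carry duplicate heading text and auto-generated anchors that differ only by a numeric suffix; either make the titles specific ("Create alert policies in the compliance center", "View alerts in the Defender portal") or demote them to bold labels. Also, the "+### Microsoft 365 Defender portal" line follows the compliance center screenshot with no blank line between them, unlike the blank lines added around the other new headings, and the unchanged paragraph above the procedure ("when managing policies and viewing alerts in the compliance center") still names only one portal.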
The table also indicates the Office 365 Enterprise and Office 365 US Government
|**User impersonation phish delivered to inbox/folder**<sup>1,</sup><sup>2</sup>|Generates an alert when Microsoft detects that an admin or user override has allowed the delivery of a user impersonation phishing message to the inbox (or other user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **Medium** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**User restricted from sending email**|Generates an alert when someone in your organization is restricted from sending outbound mail. This typically results when an account is compromised, and the user is listed on the **Restricted Users** page in the Microsoft 365 compliance center. (To access this page, go to **Threat management > Review > Restricted Users**). This policy has a **High** severity setting. For more information about restricted users, see [Removing a user, domain, or IP address from a block list after sending spam email](/office365/securitycompliance/removing-user-from-restricted-users-portal-after-spam).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**User restricted from sharing forms and collecting responses**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High** severity setting.|Threat management|E1, E3/F3, or E5|
-|||||
> [!NOTE]
-> <sup>1</sup> We've temporarily removed this default alert policy based on customer feedback. We're working to improve it, and will replace it with a new version in the near future. Until then, you can create a custom alert policy to replace this functionality by using the following settings:<br/>&nbsp; * Activity is Phish email detected at time of delivery<br/>&nbsp; * Mail is not ZAP'd<br/>&nbsp; * Mail direction is Inbound<br/>&nbsp; * Mail delivery status is Delivered<br/>&nbsp; * Detection technology is Malicious URL retention, URL detonation, Advanced phish filter, General phish filter, Domain impersonation, User impersonation, and Brand impersonation<br/><br/>&nbsp;&nbsp;&nbsp;For more information about anti-phishing in Office 365, see [Set up anti-phishing and anti-phishing policies](../security/office-365-security/set-up-anti-phishing-policies.md).<br/><br/><sup>2</sup> To recreate this alert policy, follow the guidance in the previous footnote, but choose User impersonation as the only Detection technology.
+> <sup>1</sup> We've temporarily removed this default alert policy based on customer feedback. We're working to improve it, and will replace it with a new version in the near future. Until then, you can create a custom alert policy to replace this functionality by using the following settings: <ul><li>Activity is Phish email detected at time of delivery</li> <li>Mail is not ZAP'd</li> <li>Mail direction is Inbound</li> <li>Mail delivery status is Delivered</li> <li>Detection technology is Malicious URL retention, URL detonation, Advanced phish filter, General phish filter, Domain impersonation, User impersonation, and Brand impersonation</li></ul> For more information about anti-phishing in Office 365, see [Set up anti-phishing and anti-phishing policies](../security/office-365-security/set-up-anti-phishing-policies.md).<br/><br/><sup>2</sup> To recreate this alert policy, follow the guidance in the previous footnote, but choose User impersonation as the only Detection technology.
The unusual activity monitored by some of the built-in policies is based on the same process as the alert threshold setting that was previously described. Microsoft establishes a baseline value that defines the normal frequency for "usual" activity. Alerts are then triggered when the frequency of activities tracked by the built-in alert policy greatly exceeds the baseline value. ## Viewing alerts
-When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **Alerts** page in the compliance center. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **Alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see [Managing alerts](#managing-alerts).
+When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **Alerts** page in the compliance center or the Defender portal. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **Alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see [Managing alerts](#managing-alerts).
+
+To view alerts:
+
+### Microsoft 365 compliance center
-To view alerts, go to <https://compliance.microsoft.com> and then select **Alerts**. Alternatively, you can go directly to <https://compliance.microsoft.com/compliancealerts>.
+ Go to <https://compliance.microsoft.com> and then select **Alerts**. Alternatively, you can go directly to <https://compliance.microsoft.com/compliancealerts>.
![In the Microsoft 365 compliance center, select Alerts](../media/ViewAlertsMCC.png)
+### Microsoft 365 Defender portal
+
+Go to <https://security.microsoft.com> and then select **Incidents & alerts** > **Alerts**. Alternatively, you can go directly to <https://security.microsoft.com/alerts>.
+
+![In the Microsoft 365 Defender portal, select Incidents & alerts and then select Alerts](../media/ViewAlertsDefenderPortal.png)
+ You can use the following filters to view a subset of all the alerts on the **Alerts** page. - **Status.** Use this filter to show alerts that are assigned a particular status. The default status is **Active**. You or other administrators can change the status value.
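Review bot: the "+ Go to <https://compliance.microsoft.com> and then select **Alerts**" line and the "+ You can use the following filters" line both begin with a stray leading space that their Defender portal counterparts do not have, and the compliance center "Go to" line abuts the unchanged screenshot line while the Defender portal block gets blank lines on both sides; make the two subsections symmetric. Separately, the footnote rewrite from <br/> bullets to an inline <ul> needs a rendered-preview check, because the whole footnote lives inside a "> [!NOTE]" blockquote and the list markup now sits on a single line of it.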
The length of the aggregation interval depends on your Office 365 or Microsoft 3
|E5 Compliance add-on or E5 Discovery and Audit add-on|1 minute| |Office 365 or Microsoft 365 E1/F1/G1 or E3/F3/G3|15 minutes| |Defender for Office 365 Plan 1 or Exchange Online Protection|15 minutes|
-|||
+ When events that match the same alert policy occur within the aggregation interval, details about the subsequent event are added to the original alert. For all events, information about aggregated events is displayed in the details field and the number of times an event occurred with the aggregation interval is displayed in the activity/hit count field. You can view more information about all aggregated events instances by viewing the activity list.
Keep the following things in mind about alert aggregation:
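Review bot: the re-added paragraph ("+ When events that match the same alert policy occur...") still says "the number of times an event occurred with the aggregation interval"; that should be "within the aggregation interval", since it is the hit count inside the 1-minute or 15-minute window the table above defines. It also has the same stray leading space as the other re-added paragraphs in this change.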
## RBAC permissions required to view alerts
-The Role Based Access Control (RBAC) permissions assigned to users in your organization determine which alerts a user can see on the **Alerts** page. How is this accomplished? The management roles assigned to users (based on their membership in role groups in the Microsoft 365 compliance center) determine which alert categories a user can see on the **Alerts** page. Here are some examples:
+The Role Based Access Control (RBAC) permissions assigned to users in your organization determine which alerts a user can see on the **Alerts** page. How is this accomplished? The management roles assigned to users (based on their membership in role groups in the Microsoft 365 compliance center or the Microsoft 365 Defender portal) determine which alert categories a user can see on the **Alerts** page. Here are some examples:
- Members of the Records Management role group can view only the alerts that are generated by alert policies that are assigned the **Information governance** category.
The Role Based Access Control (RBAC) permissions assigned to users in your organ
This design (based on RBAC permissions) lets you determine which alerts can be viewed (and managed) by users in specific job roles in your organization.
-The following table lists the roles that are required to view alerts from the six different alert categories. The first column in the tables lists all roles in the Microsoft 365 compliance center. A check mark indicates that a user who is assigned that role can view alerts from the corresponding alert category listed in the top row.
+The following table lists the roles that are required to view alerts from the six different alert categories. The first column in the tables lists all roles in the Microsoft 365 compliance center or the Microsoft 365 Defender portal. A check mark indicates that a user who is assigned that role can view alerts from the corresponding alert category listed in the top row.
To see which category a default alert policy is assigned to, see the table in [Default alert policies](#default-alert-policies).
To see which category a default alert policy is assigned to, see the table in [D
|View-Only Recipients|||![Check mark](../media/checkmark.png)|||| |View-Only Record Management|![Check mark](../media/checkmark.png)|||||| |View-Only Retention Management|![Check mark](../media/checkmark.png)||||||
-|||||||
+ > [!TIP] > To view the roles that are assigned to each of the default role groups, run the following commands in Security & Compliance Center PowerShell:
To see which category a default alert policy is assigned to, see the table in [D
> $RoleGroups | foreach {Write-Output -InputObject `r`n,$_.Name,"--"; Get-RoleGroup $_.Identity | Select-Object -ExpandProperty Roles} > ``` >
-> You can also view the roles assigned to a role group in the Microsoft 365 compliance center. Go to the **Permissions** page, and select a role group. The assigned roles are listed on the flyout page.
+> You can also view the roles assigned to a role group in the Microsoft 365 compliance center or the Microsoft 365 Defender portal. Go to the **Permissions** page, and select a role group. The assigned roles are listed on the flyout page.
## Managing alerts
-After alerts have been generated and displayed on the **Alerts** page in the compliance center, you can triage, investigate, and resolve them. Here are some tasks you can perform to manage alerts.
+After alerts have been generated and displayed on the **Alerts** page in the compliance center, you can triage, investigate, and resolve them. The same [RBAC permissions](#rbac-permissions-required-to-view-alerts) that give users access to alerts also give them the ability to manage alerts.
+
+Here are some tasks you can perform to manage alerts.
- **Assign a status to alerts.** You can assign one of the following statuses to alerts: **Active** (the default value), **Investigating**, **Resolved**, or **Dismissed**. Then, you can filter on this setting to display alerts with the same status setting. This status setting can help track the process of managing alerts.
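Review bot: the added sentence "The same RBAC permissions that give users access to alerts also give them the ability to manage alerts" overstates what this page's own permission model says: the note under "To view and create alert policies" distinguishes View-Only Manage Alerts from Manage Alerts, and a view-only role should not confer the status changes and dismissals listed under "Here are some tasks you can perform to manage alerts". Qualify it to say that role-group membership determines which alert categories a user can see, and name the non-view-only role required to change an alert's status, or point readers to the RBAC table above. The same sentence also still says "on the **Alerts** page in the compliance center" only, whereas every other paragraph in this change now adds the Defender portal.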
After alerts have been generated and displayed on the **Alerts** page in the com
Alerts that are triggered by Office 365 Cloud App Security policies are now displayed on the **Alerts** page in the compliance center. This includes alerts that are triggered by activity policies and alerts that are triggered by anomaly detection policies in Office 365 Cloud App Security. This means you can view all alerts in the compliance center. Office 365 Cloud App Security is only available for organizations with an Office 365 Enterprise E5 or Office 365 US Government G5 subscription. For more information, see [Overview of Cloud App Security](/cloud-app-security/what-is-cloud-app-security).
-Organizations that have Microsoft Cloud App Security as part of an Enterprise Mobility + Security E5 subscription or as a standalone service can also view Cloud App Security alerts that are related to Microsoft 365 apps and services in the Microsoft 365 compliance center.
+Organizations that have Microsoft Cloud App Security as part of an Enterprise Mobility + Security E5 subscription or as a standalone service can also view Cloud App Security alerts that are related to Microsoft 365 apps and services in the Microsoft 365 compliance center or the Microsoft 365 Defender portal.
-To display only Cloud App Security alerts in the compliance center, use the **Source** filter and select **Cloud App Security**.
+To display only Cloud App Security alerts in the compliance center or the Defender portal, use the **Source** filter and select **Cloud App Security**.
![Use the Source filter to display only Cloud App Security alerts](../media/FilterCASAlerts.png)
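Review bot: the unchanged first paragraph of this section still says Cloud App Security alerts "are now displayed on the **Alerts** page in the compliance center" and that "you can view all alerts in the compliance center", while the two rewritten lines beneath it add "or the Microsoft 365 Defender portal"; update the lead paragraph as well so the section does not contradict itself about where these alerts surface.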
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
When you select the **Trainable classifiers** option, select one or more of the
![Options for trainable classifiers and sensitivity labels](../media/sensitivity-labels-classifers.png)
-> [!CAUTION]
-> We are deprecating the **Offensive Language** built-in classifier because it has been producing a high number of false positives. Don't use this built-in classifier and if you are currently using it, you should move your business processes off it. We recommend using the **Targeted Harassment**, **Profanity**, and **Threat** built-in classifiers instead.
- For more information about these classifiers, see [Learn about trainable classifiers](classifier-learn-about.md). During the preview period for this option, the following apps support trainable classifiers for sensitivity labels:
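Review bot: deleting the [!CAUTION] block removes the only place on this page that told admins the Offensive Language classifier is deprecated, produces a high number of false positives, and should be replaced with the Targeted Harassment, Profanity and Threat classifiers, and the diff adds nothing in its place. If the classifier has now been removed from the product, say so here or in the linked [Learn about trainable classifiers] article so tenants still auto-labeling on it know why the option disappeared; if it is still selectable, the warning should stay until it is.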
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
Audit log retention policies are listed on the **Audit retention policies** tab
### View policies in the dashboard
-Audit log retention policies are listed in the dashboard. One advantage of viewing policies in the dashboard is that you can click the **Priority** column to list the policies in the priority in which they are applied. As previously explained, a higher value indicates a higher priority.
+Audit log retention policies are listed in the dashboard. One advantage of viewing policies in the dashboard is that you can click the **Priority** column to list the policies in the priority in which they are applied. As previously explained, a lower value indicates a higher priority.
![Priority column in the Audit retention policies dashboard](../media/AuditLogRetentionDashboardPriority.png)
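Review bot: flipping "a higher value indicates a higher priority" to "a lower value indicates a higher priority" inverts a factual claim, and the sentence opens with "As previously explained", so the earlier explanation in this article and the cmdlet reference for the policy Priority parameter must agree with the new wording or the dashboard sort guidance will contradict them. Please confirm the direction against the current UI and cmdlet documentation before merging, and fix the earlier passage in the same change if it needed flipping too.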
compliance Collection Statistics Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collection-statistics-reports.md
The **Indexing** section on the **Summary** tab of a committed review set contai
**New indexed items**. The number of items that were newly indexed before they were added to the review set. An example of a newly indexed item are child items that are extracted from a parent item then indexed before they're added to the review set. Also, items that aren't located in custodial data sources and non-custodial content locations listed on the **Data sources** tab in the case are indexed before they're added to the review. For example, newly indexed items would include items collected from additional locations.
-**Updated indexed items**. The number of partially indexed items that were successfully indexed and added to the review set. This would partially indexed items from custodial and non-custodial content locations **Data sources** tab that were successfully indexed when the collection was committed to the review set.
+**Updated indexed items**. The number of partially indexed items that were successfully indexed and added to the review set. This statistic indicates the partially indexed items from custodial and non-custodial content locations **Data sources** tab that were successfully indexed when the collection was committed to the review set.
**Indexing errors**. The number of partially indexed items that couldn't be indexed before they were added to the review set. These items might require error remediation.
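Review bot: the rewritten "Updated indexed items" sentence supplies the missing verb but still drops a preposition: "content locations **Data sources** tab" should read "content locations on the **Data sources** tab", matching the phrasing used in the "New indexed items" paragraph above.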
compliance Create Activity Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-activity-alerts.md
You can create an activity alert that will send you an email notification when u
4. Complete the following fields to create an activity alert:
- a. **Name** - Type a name for the alert. Alert names must be unique within your organization.
+ 1. **Name** - Type a name for the alert. Alert names must be unique within your organization.
- b. **Description** (Optional) - Describe the alert, such as the activities and users being tracked and the users that email notifications are sent to. Descriptions provide a quick and easy way to describe the purpose of the alert to other admins.
+ 1. **Description** (Optional) - Describe the alert, such as the activities and users being tracked and the users that email notifications are sent to. Descriptions provide a quick and easy way to describe the purpose of the alert to other admins.
- c. **Alert type** - Make sure the **Custom** option is selected.
+ 1. **Alert type** - Make sure the **Custom** option is selected.
- d. **Send this alert when** - Click **Send this alert when** and then configure these two fields:
+ 1. **Send this alert when** - Click **Send this alert when** and then configure these two fields:
- - **Activities** - Click the drop-down list to display the activities that you can create an alert for. This is the same activities list that's displayed when you search the audit log. You can select one or more specific activities, or you can click the activity group name to select all activities in the group. For a description of these activities, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities). When a user performs any of the activities that you've added to the alert, an email notification is sent.
+ - **Activities** - Click the drop-down list to display the activities that you can create an alert for. This is the same activities list that's displayed when you search the audit log. You can select one or more specific activities, or you can click the activity group name to select all activities in the group. For a description of these activities, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities). When a user performs any of the activities that you've added to the alert, an email notification is sent.
- - **Users** - Click this box and then select one or more users. If the users in this box perform the activities that you added to the **Activities** box, an alert will be sent. Leave the **Users** box blank to send an alert when any user in your organization performs the activities specified by the alert.
+ - **Users** - Click this box and then select one or more users. If the users in this box perform the activities that you added to the **Activities** box, an alert will be sent. Leave the **Users** box blank to send an alert when any user in your organization performs the activities specified by the alert.
- e. **Send this alert to** - Click **Send this alert**, and then click in the **Recipients** box and type a name to add users who will receive an email notification when a user (specified in the **Users** box) performs an activity (specified in the **Activities** box). Note that you are added to the list of recipients by default. You can remove your name from this list.
+ 1. **Send this alert to** - Click **Send this alert**, and then click in the **Recipients** box and type a name to add users who will receive an email notification when a user (specified in the **Users** box) performs an activity (specified in the **Activities** box). Note that you are added to the list of recipients by default. You can remove your name from this list.
5. Click **Save** to create the alert.
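Review bot: replacing the a./b./c./d./e. labels with "1." on every item relies on the renderer auto-numbering the nested list, which only holds if each "1." line and the "- **Activities**" / "- **Users**" sub-bullets under "Send this alert when" keep a consistent indent relative to step 4; verify in preview that the two sub-bullets nest under the fourth item rather than starting a separate list, and that the outer list still resumes at "5. Click **Save**". No content change otherwise.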
To turn an activity alert back on, just repeat these steps and click the **Off**
![Example of an email notification sent for an activity alert](../media/a5f91611-fae6-4fe9-82f5-58521a2e2541.png) -- Here's are some common document and email activities that you can create activity alerts for. The tables describe the activity, the name of the activity to create an alert for, and the name of the activity group that the activity is listed under in the **Activities** drop-down list. To see a complete list of the activities that you can create activity alerts for, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities).
+- Here are some common document and email activities that you can create activity alerts for. The tables describe the activity, the name of the activity to create an alert for, and the name of the activity group that the activity is listed under in the **Activities** drop-down list. To see a complete list of the activities that you can create activity alerts for, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities).
> [!TIP] > You might want to create an activity alert for just one activity that's performed by any user. Or you might want to create an activity alert that tracks multiple activities performed by one or more users. The following table lists some common document-related activities in SharePoint or OneDrive for Business.
- |**When a user does this...**|**Create an alert for this activity**|**Activity group**|
+ | When a user does this... | Create an alert for this activity | Activity group |
|:--|:--|:--|
- |Views a document on a site. <br/> |Accessed file <br/> |File and folder activities <br/> |
- |Edits or changes a document. <br/> |Modified file <br/> |File and folder activities <br/> |
- |Shares a document with a user outside of your organization. <br/> |Share file, folder, or site <br/> And <br/> Created sharing invitation <br/> For more information, see [Use sharing auditing in the audit log](use-sharing-auditing.md). <br/> |Sharing and access request activities <br/> |
- |Uploads or downloads a document. <br/> |Uploaded file <br/> And/or <br/> Downloaded file <br/> |File and folder activities <br/> |
- |Changes the access permissions to a site. <br/> |Modified site permissions <br/> |Site administration activities <br/> |
+ |Views a document on a site. |Accessed file |File and folder activities |
+ |Edits or changes a document. |Modified file |File and folder activities |
+ |Shares a document with a user outside of your organization. |Share file, folder, or site <br/> And <br/> Created sharing invitation <br/> For more information, see [Use sharing auditing in the audit log](use-sharing-auditing.md). |Sharing and access request activities |
+ |Uploads or downloads a document. |Uploaded file <br/> And/or <br/> Downloaded file |File and folder activities |
+ |Changes the access permissions to a site. |Modified site permissions |Site administration activities |
The following table lists some common email-related activities in Exchange Online.
- |**When a user does this...**|**Create an alert for this activity**|**Activity group**|
+ | When a user does this... | Create an alert for this activity | Activity group |
|:--|:--|:--|
- |Permanently deletes (purges) an email message from their mailbox. <br/> |Purged messages from mailbox <br/> | Exchange mailbox activities <br/> |
- |Sends an email message from a shared mailbox. <br/> |Sent message using Send As permissions <br/> And <br/> Sent message using Send On Behalf permissions <br/> | Exchange mailbox activities <br/> |
+ |Permanently deletes (purges) an email message from their mailbox. |Purged messages from mailbox | Exchange mailbox activities |
+ |Sends an email message from a shared mailbox. |Sent message using Send As permissions <br/> And <br/> Sent message using Send On Behalf permissions | Exchange mailbox activities |
- You can also use the **New-ActivityAlert** and **Set-ActivityAlert** cmdlets in Security & Compliance Center PowerShell to create and edit activity alerts. Keep the following things in mind if you use these cmdlets to create or edit activity alerts:
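Review bot: The removal at L175 drops the only pointer to the New-ActivityAlert and Set-ActivityAlert cmdlets without a replacement; if creating and editing activity alerts from Security & Compliance Center PowerShell is still supported, keep a one-line cross-reference to the cmdlet reference so admins who script alert creation are not left without it, or say in the PR why the guidance is being withdrawn. The table cleanup (dropping the `<br/>` padding and the bold header cells in L154-L174) is fine as is.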
compliance Prepare Tls 1.2 In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/prepare-tls-1.2-in-office-365.md
The following resources provide guidance to help make sure that your clients are
- [New IIS functionality](https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/) makes it easier to find clients on [Windows Server 2012 R2](https://support.microsoft.com/help/4025335/windows-8-1-windows-server-2012-r2-update-kb4025335) and [Windows Server 2016](https://support.microsoft.com/help/4025334/windows-10-update-kb4025334) that connect to the service by using weak security protocols. - Get more information about how to [solve the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266). - For general information about our approach to security, go to the [Office 365 Trust Center](https://www.microsoft.com/trustcenter/cloudservices/office365).
+- To identify the TLS version that is used by SMTP clients, see [SMTP Auth clients insight and report in the Security & Compliance Center](../security/office-365-security/mfi-smtp-auth-clients-report.md).
- [Preparing for TLS 1.0/1.1 Deprecation - Office 365 Skype for Business](https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Preparing-for-TLS-1-0-1-1-Deprecation-O365-Skype-for-Business/ba-p/222247) - [Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/ba-p/607649) - [Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and/ba-p/607761)
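Review bot: The new bullet at L179 (SMTP Auth clients insight and report) is inserted between the general-guidance bullets and the product-specific blog links, but it belongs next to the "New IIS functionality" item at L178, since both are resources for identifying clients that still negotiate weak TLS versions; group the two identification resources together so an admin auditing for legacy clients finds both in one place.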
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Explanation for the four different principles:
The email message is retained for five years because this retention action takes precedence over deletion. The email message is permanently deleted at the end of the five years because of the delete action that was suspended while the retention action was in effect.
-2. **The longest retention period wins.** If content is subject to multiple retention settings that retain content for different periods of time, the content will be retained until the end of the longest retention period.
+2. **The longest retention period wins.** If content is subject to multiple retention settings that retain content for different periods of time, the content will be retained until the end of the longest retention period for the item.
Example: Documents in the Marketing SharePoint site are subject to two retention policies. The first retention policy is configured for all SharePoint sites to retain items for five years. The second retention policy is configured for specific SharePoint sites to retain items for ten years.
Explanation for the four different principles:
When this document will be permanently deleted can't be determined at this level because both retention policies are scoped.
-4. **The shortest deletion period wins.** Applicable to determine when items will be deleted from retention policies and the outcome couldn't be resolved from the previous level: Content is permanently deleted at the end of the shortest retention period.
+4. **The shortest deletion period wins.** Applicable to determine when items will be deleted from retention policies and the outcome couldn't be resolved from the previous level: Content is permanently deleted at the end of the shortest retention period for the item.
Example: A document in a user's OneDrive account is subject to two retention policies. The first retention policy is scoped to include this user's OneDrive account and has a delete action after 10 years. The second retention policy is scoped to include this user's OneDrive account and has a delete action after seven years.
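Review bot: The sentence at L190 keeps the awkward construction "Applicable to determine when items will be deleted from retention policies and the outcome couldn't be resolved from the previous level"; since the line is being edited anyway, reword it along the lines of "Applies when determining when retention policies delete items and the outcome couldn't be resolved at the previous level". The added qualifier "for the item" in L185 and L190 reads correctly and matches the per-item examples that follow.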
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Let users assign permissions: <br /> - Do Not Forward](encryption-sensitivity-labels.md#let-users-assign-permissions) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | 16.48+ <sup>\*</sup> | 4.2112.0+ | 4.2112.0+ | Yes | |[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
-|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Under review | Under review | Under review | Under review |
+|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Rolling out: 16.51+ <sup>\*</sup> | Rolling out: 4.2126+ | Rolling out: 4.2126+ | Under review |
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
-|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43.1108+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
+|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
| **Footnotes:**
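Review bot: L199 loosens the macOS minimum for "Different settings for default label and mandatory labeling" from 16.43.1108+ to 16.43+; if the feature depends on that specific build, the new value tells admins an earlier 16.43 build is sufficient, so confirm the build requirement before merging. The L196 change from "Under review" to concrete "Rolling out" versions is the kind of update readers want, but "Rolling out" should be defined (or footnoted) so they know whether to expect the feature on those versions today.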
When you configure a sensitivity label for content markings, you can use the fol
| `${Item.Location}` | Path and file name of the document being labeled, or the email subject for an email being labeled | **\\\Sales\2020\Q3\Report.docx**| | `${User.Name}` | Display name of the user applying the label | **Richard Simone** | | `${User.PrincipalName}` | Azure AD user principal name (UPN) of the user applying the label | **rsimone\@contoso.com** |
-| `${Event.DateTime}` | Date and time when the content is labeled, in the local time zone of the user applying the label | **8/10/2020 1:30 PM** |
+| `${Event.DateTime}` | Date and time when the content is labeled, in the local time zone of the user applying the label in Microsoft 365 apps, or UTC (Coordinated Universal Time) for Office Online and auto-labeling policies | **8/10/2020 1:30 PM** |
> [!NOTE] > The syntax for these variables is case-sensitive.
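Review bot: The `${Event.DateTime}` description at L204 now says the value is UTC for Office Online and auto-labeling policies, but the example column still shows "8/10/2020 1:30 PM" with no time zone indicator, so a reader can't tell which case the example illustrates; state whether the UTC value is rendered with an indicator or add a second example value for the UTC case.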
knowledge Plan Topic Experiences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/plan-topic-experiences.md
Security and privacy of your data is respected, and topic experiences does not g
To learn more about the AI technology behind Viva Topics, read [Alexandria in Microsoft Viva Topics: from big data to big knowledge](https://www.microsoft.com/research/blog/alexandria-in-microsoft-viva-topics-from-big-data-to-big-knowledge).
+Keep in mind that Viva Topics needs access to the sites and files that your users use every day. Deploying Viva Topics in a test or development environment may not yield useful results.
+ ## Requirements You must be [subscribed to Viva Topics](https://www.microsoft.com/microsoft-viva/topics) and be a global administrator or SharePoint administrator to access the Microsoft 365 admin center and set up Topics.
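Review bot: L210 puts the "## Requirements" heading and its first paragraph on the same line; in Markdown the heading needs its own line (and a blank line after it) or the whole string renders as one H2. The new caution at L209 would also land better if it tied back to the preceding sentence, for example that a test or development tenant lacks the everyday sites and files Topics needs access to, rather than the vague "may not yield useful results".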
lighthouse M365 Lighthouse Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview.md
Microsoft 365 Lighthouse simplifies onboarding of Microsoft 365 Business Premium
No additional costs are associated with using Microsoft 365 Lighthouse to manage Microsoft 365 services and connected devices. Microsoft 365 Lighthouse is currently in Preview and available to MSPs enrolled in the Cloud Solution Provider (CSP) program and serving SMB customers with a Microsoft 365 Business Premium subscription.
-Note that CSP indirect providers aren't currently supported by Microsoft 365 Lighthouse.
+Use of Microsoft 365 Lighthouse by Microsoft CSP channel partners that have customers using Microsoft 365 Business Premium is supported. This includes CSP partners transacting directly with Microsoft and those transacting through an indirect provider (distributor).
> [!IMPORTANT] > To use Microsoft 365 Lighthouse, MSPs and their customer tenants must meet the requirements listed in [Microsoft 365 Lighthouse requirements](m365-lighthouse-requirements.md).
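Review bot: The replacement at L215 restates the eligibility already given at L213 ("available to MSPs enrolled in the Cloud Solution Provider (CSP) program and serving SMB customers with a Microsoft 365 Business Premium subscription"); only the new fact, that both direct CSP partners and those transacting through an indirect provider are supported, needs adding, so fold that one clause into L213 instead of repeating the eligibility statement.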
lighthouse M365 Lighthouse Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-sign-up.md
description: "For Managed Service Providers (MSPs), learn how to sign up for Mic
## Before you begin -- Make sure you and your customer tenants meet the requirements listed in [Microsoft 365 Lighthouse requirements](m365-lighthouse-requirements.md).
+- Microsoft 365 Lighthouse is deployed in the partner tenant only&mdash;not in the customer tenants, but make sure you and your customer tenants meet the requirements listed in [Microsoft 365 Lighthouse requirements](m365-lighthouse-requirements.md).
- You must be a Global Administrator in the partner tenant you're signing into. ## Steps to sign up for Microsoft 365 Lighthouse
-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and log in using your partner tenant credentials.
1. Go to **Billing** > **Purchase Services** > **Other Services**.
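Review bot: L220 merges two unrelated points into one bullet ("deployed in the partner tenant only&mdash;not in the customer tenants, but make sure you and your customer tenants meet the requirements"), and the "but" makes the requirement read as a contrast to the deployment scope; keep the deployment-scope statement as its own bullet and restore the requirements bullet as it was at L219. The `&mdash;` entity also makes the source harder to read than a plain comma would.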
managed-desktop Win11 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/win11-overview.md
For specific steps to follow to get Windows 11 installed on your Microsoft Manag
Windows 11 preview builds are available starting June 28, 2021 through the [Windows Insider Program](/windows-insider/). We expect release builds to be generally available by the end of calendar year 2021.
-You are welcome to install preview builds on devices whether they are managed by Microsoft Managed Desktop or not. WeΓÇÖll continue to support Windows 10 in parallel until it reaches end of support.
+You are welcome to install preview builds on devices whether they are managed by Microsoft Managed Desktop or not. WeΓÇÖll continue to support Windows 10 in parallel until it reaches end of enterprise support. Please see [Windows 10 release information](/windows/release-health/release-information) for life cycle information.
When Windows 11 is generally available, we'll do more validation testing. We expect that January 2022 will be the soonest that Windows 11 will be offered to Microsoft Managed Desktop production devices through our standard deployment groups.
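Review bot: L229 carries the mis-encoded apostrophe in "WeΓÇÖll" over from the removed line; replace it with a plain ASCII apostrophe ("We'll") while the line is being edited, otherwise the mojibake ships in the published page.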
Application compatibility is one of the most common concerns in any platform mig
**Common apps:** Microsoft is extensively testing the most common enterprise applications and suites deployed on builds of Windows 11. We work with external software publishers and internal product teams to resolve any issues discovered during testing. For more information about our proactive compatibility testing effort, see the [Application Compatibility blog](https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/).
-**Line-of-business apps:** [Test Base](https://www.microsoft.com/testbase) is a resource that app publishers and IT admins can use to submit apps and test cases for Microsoft to run on a virtual machine running Windows 11 builds in a secure Azure environment. Results, test insights, and regression analysis for each test execution are available to you on a private Azure portal. Microsoft Managed Desktop will help you prioritize your line-of-business apps for validation based on app usage and reliability data. For more information about Test Base, see [Test Base for Microsoft 365](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/test-base-for-microsoft-365-microsoft-ignite-2021-updates/ba-p/2185566).
+**Line-of-business apps:** [Test Base](https://www.microsoft.com/en-us/testbase) is a resource that app publishers and IT admins can use to submit apps and test cases for Microsoft to run on a virtual machine running Windows 11 builds in a secure Azure environment. Results, test insights, and regression analysis for each test execution are available to you on a private Azure portal. Microsoft Managed Desktop will help you prioritize your line-of-business apps for validation based on app usage and reliability data. For more information about Test Base, see [Test Base for Microsoft 365](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/test-base-for-microsoft-365-microsoft-ignite-2021-updates/ba-p/2185566).
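Review bot: L234 changes the Test Base link from https://www.microsoft.com/testbase to https://www.microsoft.com/en-us/testbase, hard-coding an English locale into a link that previously resolved locale-neutrally; keep the locale-free URL so localized readers are routed to their own locale.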
### Reactive measures
+If you encounter app compatibility issues in test or production environments, you can receive no-cost support by engaging [App Assure](/fasttrack/products-and-capabilities#app-assure) or FastTrack, as appropriate. For Windows 11, this includes any functionality with Office, Microsoft Edge, Teams, and line-of-business applications running on the latest operating system builds. App Assure directly engages app publishers to prioritize and resolve app compatibility issues.
-If you encounter app compatibility issues in test or production environments, you can get support by engaging [App Assure](/fasttrack/products-and-capabilities) or FastTrack, as appropriate. For Windows 11, this includes any functionality with Office, Microsoft Edge, and Teams applications running on the latest operating system builds. App Assure directly engages app publishers to prioritize and resolve app compatibility issues.
managed-desktop Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/reports.md
# Work with reports
-Microsoft Managed Desktop provides several reports and dashboards that IT admins in your organization can use to understand various aspects of the population of devices.ΓÇ»
+The Microsoft Endpoint Manager console brings together reporting from several products into a single location to help you monitor and investigate issues with your Azure AD organization ("tenant") configuration and devices. Microsoft Managed desktop has a section in the **Reports** menu where you can find reports specific to Microsoft Managed Desktop's management of the devices you’ve registered. Additionally, in several locations throughout Microsoft Endpoint Manager you can filter reports from other product groups to specifically include or exclude your devices that are managed by Microsoft Managed Desktop. 
-## Reports in Microsoft Endpoint Manager
+## Microsoft Managed Desktop reports
+Microsoft Managed Desktop provides several reports and dashboards that IT admins in your organization can use to understand various aspects of the population of devices. You can find these reports by navigating to **Managed devices** under the *Microsoft Managed Desktop* section of the **Reports** menu in Microsoft Endpoint Manager.
-The Microsoft Endpoint Manager console brings together reporting from several products into a single location to help you monitor and investigate issues with your Azure AD organization ("tenant") configuration and devices. Microsoft Managed desktop has a section under **Reports** in the main menu where you can find reports specific to Microsoft Managed Desktop's management of the devices you’ve registered.
+On the **Summary** tab, you'll find quick metrics about device updates. Selecting **View details** of any metric will allow you to download additional information for offline analysis, including the underlying dataset for the metric.
-These reports include:
-- **Managed devices** > **Feature updates**: This view shows the overall status of feature updates across your Microsoft Managed Desktop devices.-- **Managed devices** > **Office updates**: This view shows the overall status of Office updates across your Microsoft Managed Desktop devices.-
-Additionally, in several locations throughout Microsoft Endpoint Manager you can filter reports from other product groups to specifically include or exclude your devices that are managed by Microsoft Managed Desktop. These reports have integrated this filtering capability:
--- [All devices](/mem/intune/remote-actions/device-management#get-to-your-devices)-- [Device compliance](/mem/intune/fundamentals/reports#device-compliance-report-organizational)-- [Noncompliant devices](/mem/intune/fundamentals/reports#noncompliant-devices-report-operational)
+When you select the **Reports** tab, you will see descriptions for the available detailed reports. These reports are more comprehensive and support visualization and filtering of the data in the portal as well as exporting the underlying data for offline analysis or distribution. The following reports are available today:
+- The **Device status** *(preview)* shows your use of the Microsoft Managed Desktop service based on device activity and usage.
+- You can use **Device status trend** *(preview)* to monitor trends in device status over the last 60 days for your Microsoft Managed Desktop devices. Trends can help you associate device status with other changes over time, for example, new deployments.
+- The **Windows security updates** *(preview)* report shows how Windows security updates are released across your Microsoft Managed Desktop devices.
> [!NOTE]
-> Custom Microsoft Managed Desktop roles guarantee access only to the Microsoft Managed Desktop reports. To access other parts of Microsoft Endpoint Manager, such as **All devices**, see [Role-based access control with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+> Reports in *(preview)* can change with limited notice as we make improvements based on feedback we receive during the public preview.
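Review bot: L241 writes "Microsoft Managed desktop" with a lowercase "desktop" (the product name is capitalized everywhere else in the section) and ends with trailing whitespace; L252 is missing its noun ("The **Device status** *(preview)* shows" should read "The **Device status** *(preview)* report shows", matching the wording at L254). The removed note about custom roles at L256 reappears at L271 under the new Intune section, which is the right place for it.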
## Endpoint analytics Microsoft Managed Desktop is now integrated with [Endpoint analytics](/mem/analytics/overview). These reports give you insights for measuring how your organization is working and the quality of the experience delivered to your users. Endpoint analytics is in the **Reports** menu of [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). To pivot a score to only include devices being managed by Microsoft Managed Desktop go to any report, select the **Filter** drop down, and then select **Microsoft Managed Desktop devices**.
-If Endpoint analytics wasn't automatically configured for your Azure AD organization ("tenant") during enrollment, you can do that yourself. For more information, see [Onboard in the Endpoint analytics portal](/mem/analytics/enroll-intune#bkmk_onboard). You can enroll all your devices or, if you want to include only Microsoft Managed Desktop devices, select the **modern workplace device** groups for Test, First, Fast, and Broad. These reports might require different permissions. For more information, see [Permissions](/mem/analytics/overview#permissions) to ensure you have roles appropriately assigned.
+If Endpoint analytics wasn't automatically configured for your Azure AD organization ("tenant") during enrollment, you can do that yourself. For more information, see [Onboard in the Endpoint analytics portal](/mem/analytics/enroll-intune#bkmk_onboard). You can enroll all of your devices or, if you want to include only Microsoft Managed Desktop devices, select the **modern workplace device** groups for Test, First, Fast, and Broad. These reports might require different permissions. For more information, see [Permissions](/mem/analytics/overview#permissions) to ensure you have roles appropriately assigned.
> [!NOTE] > To better respect privacy user privacy, there must be more than 10 Microsoft Managed Desktop devices enrolled with Endpoint analytics to use this filter.
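Review bot: The L260 edit changes only "all your devices" to "all of your devices", while the NOTE immediately after it at L261 still reads "To better respect privacy user privacy"; fix that duplicated word in the same change since the paragraph is already being touched.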
- ## Inventory data
+## Intune reports
+Microsoft Intune is one of the services we use to manage devices on your behalf. In some cases, it can be helpful to use Intune reports to specifically monitor administration of your Microsoft Managed Desktop devices. Or you might want to exclude the devices we manage from a report you use to manage other devices. The following reports let you filter capability to include or exclude Microsoft Managed Desktop devices.
+
+- [All devices](/mem/intune/remote-actions/device-management#get-to-your-devices)
+- [Device compliance](/mem/intune/fundamentals/reports#device-compliance-report-organizational)
+- [Noncompliant devices](/mem/intune/fundamentals/reports#noncompliant-devices-report-operational)
+
+> [!NOTE]
+> Custom Microsoft Managed Desktop roles guarantee access only to the Microsoft Managed Desktop reports. To access other parts of Microsoft Endpoint Manager, such as **All devices**, see [Role-based access control with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+
+## Microsoft Managed Desktop inventory data
In addition to the other reports, you can export information about the devices managed by Microsoft Managed Desktop. In the **Devices** view of the **Devices** area of Microsoft Endpoint Manager, use the **Export all** tab to [download a detailed inventory report](device-inventory-report.md).
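Review bot: L264's last sentence, "The following reports let you filter capability to include or exclude Microsoft Managed Desktop devices", is ungrammatical; reword to "The following reports include a filter to include or exclude Microsoft Managed Desktop devices" (the removed L249 had the cleaner "These reports have integrated this filtering capability").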
security Onboard Windows 10 Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device.md
There are several ways to onboard a WVD host machine:
- Run the script in the golden image (or from a shared location) during startup. - Use a management tool to run the script.
+- Through [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender)
#### *Scenario 1: Using local group policy* This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process.
-Use the instructions in [Onboard the non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md#onboard-the-non-persistent-virtual-desktop-infrastructure-vdi-devices).
+Use the instructions in [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices).
+ Follow the instructions for a single entry for each device.
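Review bot: The updated anchor at L281, configure-endpoints-vdi.md#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices, does not match the H1 introduced in that file in this same change set (L287: "# Onboarding non-persistent virtual desktop infrastructure devices", which yields #onboarding-non-persistent-virtual-desktop-infrastructure-devices); unless the anchor targets an H2 not shown here, the link will fall back to the top of the page. The new bullet at L278 ("Through [Integration with Azure Defender]...") is also not parallel with the imperative bullets before it ("Run the script...", "Use a management tool...") and lacks a terminating period.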
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
Last updated 04/16/2020
ms.technology: mde
-# Onboard the non-persistent virtual desktop infrastructure (VDI) devices
+# Onboarding non-persistent virtual desktop infrastructure devices
+ [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
The following steps will guide you through onboarding VDI devices and will highl
### For Windows 10 or Windows Server 2019
-1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
+1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft 365 Defender portal](https://security.microsoft.com/):
1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
The following steps will guide you through onboarding VDI devices and will highl
- For single entry for each device:
- Check only one entry in Microsoft 365 Defender portal.
+ Check only one entry in Microsoft 365 Defender.
- For multiple entries for each device:
- Check multiple entries in Microsoft 365 Defender portal.
+ Check multiple entries in Microsoft 365 Defender.
6. Click **Devices list** on the Navigation pane.
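Review bot: L297 and L300 drop "portal" from "Microsoft 365 Defender portal", but the same procedure keeps "the Microsoft 365 Defender portal" at L292 and refers to its navigation pane at L293; pick one name for the product UI and apply it consistently within the procedure. The INCLUDE directive at L288 is added with a leading space; confirm it still renders with that indentation.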
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
If you're already using System Center Operations Manager (SCOM) or Azure Monitor
In general, you'll need to take the following steps:
-1. Fulfill the onboarding requirements outlined in **Before you begin** section.
-2. Turn on server monitoring from Microsoft 365 Defender portal.
-3. Install and configure MMA for the server to report sensor data to Defender for Endpoint.
-4. Configure and update System Center Endpoint Protection clients.
+ 1. Fulfill the onboarding requirements outlined in **Before you begin** section.
+ 2. Turn on server monitoring from Microsoft 365 Defender.
+ 3. Install and configure MMA for the server to report sensor data to Defender for Endpoint.
+ 4. Configure and update System Center Endpoint Protection clients.
> [!TIP] > After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md).
Once completed, you should see onboarded Windows servers in the portal within an
### Option 2: Onboard Windows servers through Azure Security Center
-1. In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
The following capabilities are included in this integration:
> The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview). - Windows servers monitored by Azure Defender will also be available in Defender for Endpoint - Azure Defender seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Defender console.-- Server investigation - Azure Defender customers can access Microsoft 365 Defender portal to perform detailed investigation to uncover the scope of a potential breach.+
+- Server investigation - Azure Defender customers can access Microsoft 365 Defender to perform detailed investigation to uncover the scope of a potential breach.
> [!IMPORTANT] > - When you use Azure Defender to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
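Review bot: L317 removes the "1." list marker from the first step of "Option 2", so the procedure now starts at "2." (L318) with a bare paragraph before it; restore the marker. The leading space added to each item in L309-L312 changes the list's indentation for no stated reason and should be dropped, and L310 renames "Microsoft 365 Defender portal" to "Microsoft 365 Defender" while L317 keeps the "navigation pane" wording, so the naming should be made consistent in one pass.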
security Connected Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md
Applications use standard OAuth 2.0 protocol to authenticate and provide tokens
You'll need to follow [these steps](/microsoft-365/security/defender-endpoint/apis-intro) to use the APIs with the connected application.
-## Access the connected application page
-From the left navigation menu, select **Endpoints** > **Partners and APIs** > **Connected applications**.
-
+From the left navigation menu, select **Partners & APIs** (under **Endpoints**) > **Connected applications**.
## View connected application details The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days.
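Review bot: L326-L329 delete the "## Access the connected application page" heading, leaving the navigation instruction at L329 attached to the preceding API paragraph and removing the #access-the-connected-application-page anchor that other pages may link to; if the heading is intentionally dropped, check inbound links, otherwise keep the heading and only update the menu path.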
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
+Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
The new widget allows customers to:- - Find solutions to common problems - Submit a support case to the Microsoft support team ## Prerequisites- It's important to know the specific roles that have permission to open support cases. At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role. + For more information on which roles have permission see, [Security Administrator permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case.
-For general information on admin roles, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles).
+For general information on admin roles, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true).
+ ## Access the widget Accessing the new support widget can be done in one of two ways:
-1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
+1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
+
+ :::image type="content" source="../../media/contactsupport.png" alt-text="Microsoft support":::
- ![Image of widget when question mark is selected](images/support-widget.png)
2. Clicking on the **Need help?** button in the bottom right of the Microsoft 365 Defender portal:
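Review bot: the replacement element "+ :::image type="content" source="../../media/contactsupport.png" alt-text="Microsoft support":::" uses a far less descriptive alt-text than the removed "![Image of widget when question mark is selected](images/support-widget.png)"; keep a description of what the screenshot shows (the support widget opened from the question mark) so the alt-text is useful to screen readers, and confirm that the new ../../media/contactsupport.png file is included in this change.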
Accessing the new support widget can be done in one of two ways:
In the widget you will be offered two options: -- Find solutions to common problems-- Open a service request
+- Find solutions to common problems
+- Open a service request
## Find solutions to common problems This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced.
-![Image of need help widget](images/information-on-help-screen.png)
In case the suggested articles are not sufficient, you can open a service request. ## Open a service request
-Learn how to open support tickets by contacting Defender for Endpoint support.
+Learn how to open support tickets by contacting Defender for Endpoint support.
> [!Note] > If you have a permier support contract with Microsoft, you will see the premier tag on the widget. If not, contact your Microsoft account manager. ### Contact support- This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case: ![Image of the open a service request widget](images/contact-support-screen.png) 1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.
-2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
+2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly.
-## Related topics
+## Related topics
- [Troubleshoot service issues](troubleshoot-mdatp.md) - [Check service health](service-status.md)
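Review bot: the untouched context line beginning "> [!Note] > If you have a permier support contract" still carries the typo "permier" (should be "premier"); since the adjacent lines are being edited here, fix it in the same change. Also, "-![Image of need help widget](images/information-on-help-screen.png)" is removed without a replacement, unlike the earlier screenshot in this file that was swapped for a :::image::: element; either add the replacement media reference or confirm the removal is intentional.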
security Data Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-retention-settings.md
After completing the onboarding, you can verify your selection in the data reten
## Verify data storage location During the [Set up phase](production-deployment.md), you would have selected the location to store your data.
-You can verify the data location by navigating to **Settings** > **Endpoints** > **Data retention**.
+
+You can verify the data location by navigating to **Settings** > **Endpoints** > **Data retention** (under **General**).
+ ## Update data retention settings You can update the data retention settings. By default, the retention period is 180 days.
-1. In the navigation pane, select **Settings** > **Endpoints** > **Data retention**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Data retention** (under **General**).
2. Select the data retention duration from the drop-down list.
You can update the data retention settings. By default, the retention period is
3. Click **Save preferences**. - ## Related topics - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications in Defender for Endpoint](configure-email-notifications.md)
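Review bot: the "## Related topics" list links to [Update data retention settings](data-retention-settings.md), which is the file being edited (data-retention-settings.md per the commit URL); a self-link is not useful and should be replaced with a different related article or removed. The two updated navigation paths ("**Settings** > **Endpoints** > **Data retention** (under **General**)") are consistent with each other.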
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) - Plan your Microsoft Defender for Endpoint deployment so that you can maximize the security capabilities within the suite and better protect your enterprise from cyber threats. - This solution provides guidance on how to identify your environment architecture, select the type of deployment tool that best fits your needs, and guidance on how to configure capabilities. - ![Image of deployment flow](images/deployment-guide-plan.png)
Use the following material to select the appropriate Defender for Endpoint archi
|:--|:--| |[![Thumb image for Defender for Endpoint deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li> -- ## Step 2: Select deployment method Defender for Endpoint supports a variety of endpoints that you can onboard to the service.
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
The following example shows the usage of GroupID:
**Property name: ExcludedIDList**
-Description: The group(s) that the policy will not be applied to.
+Description: The group(s) that the policy won't be applied to.
Options: The Group ID/GUID must be used at this instance.
Description: Defines whether to display notification or not.
Options: 0-4. When Type Allow or Deny is selected: - 0: nothing
- - 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system will not show notification.
+ - 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system won't show notification.
When Type **AuditAllowed** or **AuditDenied** is selected:
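Review bot: the edited line "+ - 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system won't show notification." only changes the contraction and keeps the garbled clause "the **AuditDenied** is setting configured"; suggest "Even if a **Block** happens and **AuditDenied** is configured, the system won't show a notification." That wording also makes the security-relevant consequence explicit: with option 4, a blocked access leaves the user with no notification.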
Before you get started with Removable Storage Access Control, you must confirm y
2. Combine all rules within `<PolicyRules>` `</PolicyRules>` into one xml file.
- If you want to restrict a specific user, then use SID property into the Entry. If there is no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.
+ If you want to restrict a specific user, then use SID property into the Entry. If there's no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.
The following image illustrates the usage of SID property, and an example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
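Review bot: "+ If you want to restrict a specific user, then use SID property into the Entry. If there's no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine." is edited but keeps the ungrammatical wording; suggest "use the SID property in the Entry" and "the Entry is applied to every user who logs on to the machine". That default (no SID means the rule applies to all users) is the point an administrator needs to notice, so it should be stated plainly.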
For policy deployment in Intune, the account must have permissions to create, ed
## Deploying and managing policy by using Intune user interface
-This capability (in Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) > Devices > Configuration profiles > Create profile > Platform: Windows 10 and later & Profile: Device Control) is not yet available.
+This capability (in Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) > Devices > Configuration profiles > Create profile > Platform: Windows 10 and later & Profile: Device Control) isn't yet available.
## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint
The Microsoft 365 security portal shows removable storage blocked by the Device
```kusto //events triggered by RemovableStoragePolicyTriggered DeviceEvents
-| where ActionType == &quot;RemovableStoragePolicyTriggered&quot;
+| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields) | extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)  | extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
DeviceEvents
**What is the removable storage media limitation for the maximum number of USBs?**
-We have validated one USB group with 100,000 media - up to 7 MB in size. The policy works in both Intune and GPO without performance issues.
+We've validated one USB group with 100,000 media - up to 7 MB in size. The policy works in both Intune and GPO without performance issues.
**Why does the policy not work?**
-The most common reason is there is no required [antimalware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
+The most common reason is there's no required [antimalware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
-Another reason could be that the XML file is not correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
+Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files, which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
-If there is a value and the policy is managed via Group Policy, check whether the client device can access the policy XML path.
+If there's a value and the policy is managed via Group Policy, check whether the client device can access the policy XML path.
**How can I know which machine is using out of date antimalware client version in the organization?**
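Review bot: the edited line "+Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, ..." describes XML escaping as "markdown formatting"; an ampersand inside an XML document must be written as the XML entity &amp;, and markdown plays no part, so reword to "not escaping the "&" character as &amp; in the XML file". The byte order mark detail (0xEF 0xBB 0xBF) is correct and worth keeping, as is the earlier fix of "&quot;" to a plain double quote in the kusto block, which would otherwise fail when pasted into advanced hunting.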
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
The following image shows an instance of unwanted software that was detected and
2. Choose **Settings** > **Endpoints** > **General** > **Advanced features**.
-3. Scroll down, and then urn on **Enable EDR in block mode**.
+3. Scroll down, and then turn on **Enable EDR in block mode**.
> [!NOTE] > EDR in block mode can be turned on only in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or the former Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). You cannot use registry keys, Microsoft Intune, or Group Policy to enable or disable EDR in block mode.
security Enable Siem Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-siem-integration.md
ms.technology: mde
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center. Pull detections using your SIEM solution or by connecting directly to the detections REST API.
+Enable security information and event management (SIEM) integration so you can pull detections from Microsoft 365 Defender. Pull detections using your SIEM solution or by connecting directly to the detections REST API.
>[!NOTE] >- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
Enable security information and event management (SIEM) integration so you can p
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. ## Enabling SIEM integration
-1. In the navigation pane, select **Settings** > **SIEM**.
- ![Image of SIEM integration from Settings menu1](images/enable_siem.png)
+1. In the navigation pane, select **Settings** > **Endpoints** > **APIs** > **SIEM**.
+
+ :::image type="content" source="../../media/enable_siemnew.png" alt-text="Image of SIEM integration from Settings menu1":::
>[!TIP] >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
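Review bot: the new element "+ :::image type="content" source="../../media/enable_siemnew.png" alt-text="Image of SIEM integration from Settings menu1":::" carries over the stray "1" in "menu1" from the removed alt text; use "Image of SIEM integration from the Settings menu". The updated path "**Settings** > **Endpoints** > **APIs** > **SIEM**" matches the one used in the fetch-alerts-mssp change in this same set.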
Enable security information and event management (SIEM) integration so you can p
6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
-You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
+You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft 365 Defender.
## Integrate Microsoft Defender for Endpoint with IBM QRadar You can configure IBM QRadar to collect detections from Microsoft Defender for Endpoint. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
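Review bot: "+You can now proceed with configuring your SIEM solution ... You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft 365 Defender." refers to "the tokens" without saying which ones; the preceding step 6 only mentions creating an Azure AD app registration and assigning it permissions to read alerts, so name the values the SIEM needs (the credentials obtained from that registration) and say that they grant read access to alerts and should be handled as secrets.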
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
## Get started with the lab+ You can access the lab from the menu. In the navigation menu, select **Evaluation and tutorials > Evaluation lab**.
-![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png)
+ >[!NOTE] >- Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation.
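Review bot: "+ >[!NOTE] >- Depending the type of environment structure you select, ..." is missing "on" ("Depending on the type"); since this line is being re-added, fix it here. Also "-![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png)" is removed without a replacement, while the other screenshots in this file are swapped for :::image::: elements; confirm that is intentional.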
Already have a lab? Make sure to enable the new threat simulators and have activ
## Setup the evaluation lab
-1. In the navigation pane, select **Evaluation and tutorials** > **Evaluation lab**, then select **Setup lab**.
+1. In the navigation pane, select **Evaluation & tutorials** > **Evaluation lab**, then select **Setup lab**.
- ![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png)
+ :::image type="content" source="../../media/evaluationtutormenu.png" alt-text="Image of evaluation lab welcome page":::
2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**.
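Review bot: "2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices ..." uses "setup" as a verb; it should be "set up an environment" (the UI label "Setup lab" on the edited line above is a product string and can stay as is).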
Automated investigation settings will be dependent on tenant settings. It will b
2. Choose the type of device to add. You can choose to add Windows 10 or Windows Server 2019.
- ![Image of lab setup with device options](images/add-machine-options.png)
-
+ :::image type="content" source="../../media/add-machine-optionsnew.png" alt-text="lab setup with device options":::
>[!NOTE] >If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota.
Automated investigation settings will be dependent on tenant settings. It will b
>[!NOTE] >The password is only displayed once. Be sure to save it for later use.
- ![Image of device added with connection details](images/add-machine-eval-lab.png)
+ :::image type="content" source="../../media/add-machine-eval-labnew.png" alt-text="Image of device added with connection details":::
4. Device set up begins. This can take up to approximately 30 minutes.
When approved, the requested devices will be added to your lab set up and youΓÇÖ
Use the test devices to run your own attack simulations by connecting to them. You can simulate attack scenarios using:-- The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials)
+- The ["Do It Yourself" attack scenarios](https://security.microsoft.com/tutorials/all)
- Threat simulators You can also use [Advanced hunting](advanced-hunting-overview.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. ### Do-it-yourself attack scenarios
-If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience.
+If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://security.microsoft.com/tutorials/all). These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience.
>[!NOTE]
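Review bot: "+If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://security.microsoft.com/tutorials/all). ... walk you through investigation experience." updates the URL but keeps "walk you through investigation experience"; suggest "walk you through the investigation experience". Both links to the attack scenarios in this file now point at https://security.microsoft.com/tutorials/all, which is consistent.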
security Fetch Alerts Mssp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fetch-alerts-mssp.md
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
-Step 3: allow your application on Microsoft Defender Security Center
-
+Step 3: allow your application on Microsoft 365 Defender
+ ### Step 1: Create an application in Azure Active Directory (Azure AD) You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender for Endpoint tenant.
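Review bot: "+Step 3: allow your application on Microsoft 365 Defender" keeps lowercase "allow" while the matching heading later in the file is "### Step 3: Allow your application on Microsoft 365 Defender" and the sibling list items use "Create" and "Get"; capitalize it to match.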
After providing your credentials, you'll need to grant consent to the applicatio
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
-### Step 3: Allow your application on Microsoft Defender Security Center
-You'll need to allow the application you created in Microsoft Defender Security Center.
+### Step 3: Allow your application on Microsoft 365 Defender
+You'll need to allow the application you created in Microsoft 365 Defender.
You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
-1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
+1. Go to `https://security.microsoft.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
-2. Click **Settings** > **SIEM**.
+2. Click **Settings** > **Endpoints** > **APIs** > **SIEM**.
3. Select the **MSSP** tab.
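Review bot: "+1. Go to `https://security.microsoft.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID." still lacks the closing parenthesis after "tenant ID"; close it while the line is being edited. Separately, step 8 tells the reader to save the refresh token for the SIEM connector; because that token gives the MSSP application ongoing access to the customer's alerts, a sentence saying it must be stored as a secret would be a useful addition.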
security Find Machines By Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machines-by-ip.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Find [Machines](machine.md) seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.
+Find [Machines](machine.md) seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.
## Limitations+ 1. The given timestamp must be in the past 30 days. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
+>
> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) > - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) > - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request
-```
+
+```http
GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response+ If successful - 200 OK with list of the machines in the response body. If the timestamp is not in the past 30 days - 400 Bad Request. ## Example
-**Request**
+### Request
Here is an example of the request.
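Review bot: the note block in this hunk lists "Response will include only devices that the user have access to based on device group settings ..." twice (the first and third bullets are identical); drop the duplicate and change "the user have" to "the user has". The edit to "+Find [Machines](machine.md) seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp." is whitespace-only; "prior and after" reads better as "before and after".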
security Find Machines By Tag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machines-by-tag.md
Title: Find devices by tag API
-description: Find all devices that contain specifc tag
+description: Find all devices that contain specifc tag
keywords: apis, supported apis, get, device, find, find device, by tag, tag search.product: eADQiWindows 10XVcnh ms.prod: w10
localization_priority: Normal audience: ITPro-+ MS.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description+ Find [Machines](machine.md) by [Tag](machine-tags.md).
-<br>```startswith``` query is supported.
+
+`startswith` query is supported.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
+>
> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) > - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) > - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request
-```
+
+```http
GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
+Authorization|String|Bearer {token}. **Required**.
## Request URI parameters
-Name | Type | Description
+Name|Type|Description
:|:|:
-tag | String | The tag name. **Required**.
-useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**.
+tag|String|The tag name. **Required**.
+useStartsWithFilter|Boolean|When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**.
## Request body+ Empty ## Response
If successful - 200 OK with list of the machines in the response body.
## Example
-**Request**
+### Request
Here is an example of the request. ```http GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true
-```
+```
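Review bot: "+description: Find all devices that contain specifc tag" is touched (whitespace only) but keeps the typo "specifc"; fix to "Find all devices that contain a specific tag". The same duplicated bullet as in find-machines-by-ip ("Response will include only devices that the user have access to ..." appears twice in the note block) is present here too and should be deduplicated.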
security Get Alert Info By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-info-by-id.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves specific [Alert](alerts.md) by its ID.
+Retrieves specific [Alert](alerts.md) by its ID.
## Limitations+ 1. You can get alerts last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+Application|Alert.Read.All|'Read all alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
+Delegated (work or school account)|Alert.Read|'Read alerts'
+Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/alerts/{id} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response+ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
security Get Alert Related Domain Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-domain-info.md
# Get alert related domain information API
-**Applies to:**
+**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves all domains related to a specific alert.
+Retrieves all domains related to a specific alert.
## Limitations+ 1. You can query on alerts last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | URL.Read.All | 'Read URLs'
-Delegated (work or school account) | URL.Read.All | 'Read URLs'
+Application|URL.Read.All|'Read URLs'
+Delegated (work or school account)|URL.Read.All|'Read URLs'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/alerts/{id}/domains ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response+ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found. ## Example
-**Request**
+### Request
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ```
-**Response**
+### Response:
Here is an example of the response.
Here is an example of the response.
{ "host": "www.example.com" },
- {
+ {
"host": "www.example2.com" }
- ...
+ ...
] }- ```
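Review bot: the example request `GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains` omits the `/api` path segment that the HTTP request section specifies as `GET /api/alerts/{id}/domains`, so a copied example hits the wrong path; add `/api/`. Also, the new `### Response:` heading carries a trailing colon while `### Request` does not; drop it for consistency.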
security Get Started Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-started-partner-integration.md
Title: Become a Microsoft Defender for Endpoint partner-+ description: Learn the steps and requirements to integrate your solution with Microsoft Defender for Endpoint and be a partner keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal search.product: eADQiWindows 10XVcnh
localization_priority: Normal audience: ITPro--++ # Become a Microsoft Defender for Endpoint partner
To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps. ## Step 1: Subscribe to a Microsoft Defender for Endpoint Developer license
-Subscribe to the [Microsoft Defender for Endpoint Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9). Subscribing allows you to use a Microsoft Defender for Endpoint tenant with up to 10 devices to developing solutions that integrate with Microsoft Defender for Endpoint.
+
+Subscribe to the [Microsoft Defender for Endpoint Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9). Subscribing allows you to use a Microsoft Defender for Endpoint tenant with up to 10 devices to developing solutions that integrate with Microsoft Defender for Endpoint.
## Step 2: Fulfill the solution validation and certification requirements+ The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender for Endpoint team. Once the Microsoft Defender for Endpoint team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association. ## Step 3: Become a Microsoft Intelligent Security Association member+ [Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products. ## Step 4: Get listed in the Microsoft Defender for Endpoint partner application portal
-Microsoft Defender for Endpoint supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal.
+
+Microsoft Defender for Endpoint supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal.
To have your company listed as a partner in the in-product partner page, you will need to provide the following information:
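Review bot: "to use a Microsoft Defender for Endpoint tenant with up to 10 devices to developing solutions" is ungrammatical in both the removed and the added line of Step 1; change "to developing" to "to develop".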
To have your company listed as a partner in the in-product partner page, you wil
2. Name of the product to be presented. 3. Provide a 15-word product description. 4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender for Endpoint product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.
-5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application.
+5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application.
6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
- Follow these steps:
-
- - Set the User-Agent field in each HTTP request header to the below format.
+ Follow these steps:
+
+ - Set the User-Agent field in each HTTP request header to the below format.
- - `MdePartner-{CompanyName}-{ProductName}/{Version}`
-
- - For example, User-Agent: `MdePartner-Contoso-ContosoCognito/1.0.0`
-
- - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).
+ ```http
+ MdePartner-{CompanyName}-{ProductName}/{Version}
+ ```
+
+ For example, User-Agent:
+
+ ```http
+ MdePartner-Contoso-ContosoCognito/1.0.0
+ ```
+
+ - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).
Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. ## Related topics+ - [Technical partner opportunities](partner-integration.md)
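Review bot: the two new ```http fences contain a bare header value, which is not valid HTTP on its own; show the complete header line, `User-Agent: MdePartner-Contoso-ContosoCognito/1.0.0`, so that what readers copy is what goes on the wire. The pointer to RFC 2616 section 14.43 also cites an obsoleted specification; User-Agent is defined in RFC 7231 section 5.5.3 (now RFC 9110 section 10.1.5).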
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
Microsoft Defender for Endpoint for US Government customers requires one of the
### Desktop licensing GCC | GCC High | DoD :|:|:
-Windows 10 Enterprise E5 GCC | Windows 10 Enterprise E5 for GCC High | Windows 10 Enterprise E5 for DOD
-| | Microsoft 365 E5 for GCC High | Microsoft 365 G5 for DOD
-| | Microsoft 365 G5 Security for GCC High | Microsoft 365 G5 Security for DOD
+Microsoft 365 GCC G5 | Microsoft 365 E5 for GCC High | Microsoft 365 G5 for DOD
+Microsoft 365 G5 Security GCC | Microsoft 365 G5 Security for GCC High | Microsoft 365 G5 Security for DOD
Microsoft Defender for Endpoint - GCC | Microsoft Defender for Endpoint for GCC High | Microsoft Defender for Endpoint for DOD
+Windows 10 Enterprise E5 GCC | Windows 10 Enterprise E5 for GCC High | Windows 10 Enterprise E5 for DOD
### Server licensing GCC | GCC High | DoD
Windows 7 SP1 Enterprise | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/
Windows 7 SP1 Pro | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Linux | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) macOS | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Android | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
-iOS | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Android | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+iOS | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
> [!NOTE] > Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
These are the known gaps:
Feature name | GCC | GCC High | DoD :|:|:|:
-Management and APIs: Streaming API | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Network discovery | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
Web content filtering | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development Integrations: Azure Sentinel | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Alerts <br /> ![No](images/svg/check-no.svg) Incidents & Raw data: In development | ![Yes](images/svg/check-yes.svg) Alerts <br /> ![No](images/svg/check-no.svg) Incidents & Raw data: In development Integrations: Microsoft Cloud App Security | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-Integrations: Microsoft Compliance Manager | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-Integrations: Microsoft Defender for Identity | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Integrations: Microsoft Compliance Manager | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Integrations: Microsoft Defender for Identity | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out
Integrations: Microsoft Endpoint DLP | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
-Integrations: Microsoft Intune | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Azure Logic Apps <br /> ![No](images/svg/check-no.svg) Power Automate: In development
Microsoft Threat Experts | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
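Review bot: the known-gaps table no longer applies one rule for what counts as a gap: the fully supported "Streaming API" and "Microsoft Intune" rows are removed, yet "Microsoft Compliance Manager" is changed to Yes in all three columns and kept. Either drop every fully supported row or keep them all. The new "Microsoft Power Automate & Azure Logic Apps" row also packs a Yes and an "In development" into a single GCC High / DoD cell; one row per product would make the status unambiguous.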
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink).
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
To implement a multi-tenant delegated access solution, take the following steps:
To implement a multi-tenant delegated access solution, take the following steps:
These groups will be linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
- - Tier 1 Analyst
- - Tier 2 Analyst
- - MSSP Analyst Approvers
-
+ - Tier 1 Analyst
+ - Tier 2 Analyst
+ - MSSP Analyst Approvers
2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint.
To implement a multi-tenant delegated access solution, take the following steps:
Two possible roles:
- - **Tier 1 Analysts** <br>
+ - **Tier 1 Analysts**
+ Perform all actions except for live response and manage security settings.
- - **Tier 2 Analysts** <br>
+ - **Tier 2 Analysts**
+ Tier 1 capabilities with the addition to [live response](live-response.md) For more information, see [Use role-based access control](rbac.md). -- ## Configure Governance Access Packages
-1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
-
- Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
+1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
+
+ Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
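Review bot: "Tier 1 capabilities with the addition to live response" should read "with the addition of"; and the Tier 1 description "Perform all actions except for live response and manage security settings" is ambiguous about whether managing security settings is excluded or included. Since this defines what a delegated analyst can do in the customer tenant, word it unambiguously, for example "all actions except live response and managing security settings" if both are excluded.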
To implement a multi-tenant delegated access solution, take the following steps:
Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
- To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
+ To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
![Image of new catalog](images/goverance-catalog.png) Further more information, see [Create a catalog of resources](/azure/active-directory/governance/entitlement-management-catalog-create). - 3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
- Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
+ Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
To implement a multi-tenant delegated access solution, take the following steps:
For more information, see [Create a new access package](/azure/active-directory/governance/entitlement-management-access-package-create). - 4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance** The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
To implement a multi-tenant delegated access solution, take the following steps:
The link is located on the overview page of each access package.
-## Manage access
+## Manage access
1. Review and authorize access requests in Customer and/or MSSP myaccess. Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
- To do so, access the customer's myaccess using:
- `https://myaccess.microsoft.com/@<Customer Domain >`.
+ To do so, access the customer's myaccess using: `https://myaccess.microsoft.com/@<Customer Domain>`.
+
+ Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`
- Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`
2. Approve or deny requests in the **Approvals** section of the UI. At this point, analyst access has been provisioned, and each analyst should be able to access the customer's Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=<CustomerTenantId>` ## Related topics+ - [Access the MSSP customer portal](access-mssp-portal.md) - [Configure alert notifications](configure-mssp-notifications.md) - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)---
-
-
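Review bot: the portal URL `https://securitycenter.Microsoft.com/?tid=<CustomerTenantId>` has a mixed-case host; use lowercase. Because the approved access packages grant delegated SOC access to the customer's console, the Manage access section should also mention configuring an expiration or periodic access review on the access packages (both are Identity Governance settings) so analyst access does not persist after an engagement ends.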
security Indicator Certificates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-certificates.md
It's important to understand the following requirements prior to creating indica
>[!IMPORTANT] > It can take up to 3 hours to create and remove a certificate IoC.
-1. In the navigation pane, select **Settings** > **Indicators**.
+1. In the navigation pane, select **Settings** > **Endpoints** >
+**Indicators** (under **Rules**).
-2. Select the **Certificate** tab.
-3. Select **Add indicator**.
+2. Select the **Certificates** tab.
+
+3. Select **Add item**.
4. Specify the following details: - Indicator - Specify the entity details and define the expiration of the indicator. - Action - Specify the action to be taken and provide a description. - Scope - Define the scope of the machine group.
-5. Review the details in the Summary tab, then click **Save**.
+5. Review the details in the **Summary** tab, then click **Save**.
## Related topics - [Create indicators](manage-indicators.md)
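Review bot: the renamed button **Add item** does not match **Add indicator** used on the file-indicator page in this same change set; verify which label the portal shows and use it consistently. The menu path **Settings** > **Endpoints** > **Indicators** is also split across two lines here, while the IP/domain page keeps it on one line; keep it on one line.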
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
This feature is designed to prevent suspected malware (or potentially malicious
## Create an indicator for files from the settings page
-1. In the navigation pane, select **Settings > Indicators**.
+1. In the navigation pane, selectΓÇ»**Settings** > **Endpoints** >
+**Indicators** (under **Rules**).
-2. Select the **File hash** tab.
+2. Select the **File hashes** tab.
3. SelectΓÇ»**Add indicator**.
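Review bot: the added line "selectΓÇ»**Settings**" contains a mis-encoded non-breaking space (U+00A0 rendered as ΓÇ») between "select" and "Settings"; the unchanged "SelectΓÇ»**Add indicator**" line has the same artifact. Replace both with an ordinary space so the text renders and is searchable.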
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- > [!TIP] > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
It's important to understand the following prerequisites prior to creating indic
- URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). - The Antimalware client version must be 4.18.1906.x or later. - Supported on machines on Windows 10, version 1709 or later. -- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security CenterΓÇ»> Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
+- Ensure that **Custom network indicators** is enabled in **Microsoft 365 DefenderΓÇ»> Settings > Endpoints > Advanced features**. For more information, see [Advanced features](advanced-features.md).
- For support of indicators on iOS, see [Configure custom indicators](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-custom-indicators).
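Review bot: the added prerequisite "**Microsoft 365 DefenderΓÇ»> Settings > Endpoints > Advanced features**" carries a mis-encoded non-breaking space (U+00A0 shown as ΓÇ») after "Defender"; replace it with an ordinary space.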
It's important to understand the following prerequisites prior to creating indic
### Create an indicator for IPs, URLs, or domains from the settings page
-1. In the navigation pane, select **Settings** > **Indicators**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
2. Select the **IP addresses or URLs/Domains** tab.
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) -
-1. In the navigation pane, select **Settings** > **Indicators**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
2. Select the tab of the entity type you'd like to manage.
You can also choose to upload a CSV file that defines the attributes of indicato
Download the sample CSV to know the supported column attributes.
-1. In the navigation pane, select **Settings** > **Indicators**.
+1. In the navigation pane, select **Settings** > **Endpoints** >
+**Indicators** (under **Rules**).
2. Select the tab of the entity type you'd like to import indicators for.
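Review bot: the menu path **Settings** > **Endpoints** > **Indicators** (under **Rules**) is broken across two lines in the CSV-import step but kept on one line in the earlier step of the same file; make both one line.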
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
Learn how to use data sensitivity labels to prioritize incident investigation.
>[!NOTE] >Labels are detected for Windows 10, version 1809 or later.
-1. In Microsoft Defender Security Center, select **Incidents**.
+1. In Microsoft 365 Defender portal, select **Incidents & alerts** > **Incidents**.
2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
security Initiate Autoir Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/initiate-autoir-investigation.md
Start automated investigation on a device. <br>See [Overview of automated investigations](automated-investigations.md) for more information. - ## Limitations 1. Rate limitations for this API are 50 calls per hour. - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
## HTTP request ```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/startInvestigation
+POST https://api.security.microsoft.com/api/machines/{id}/startInvestigation
``` ## Request headers
If successful, this method returns 201 - Created response code and [Investigatio
Here is an example of the request. ```https
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
+POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
``` ```json
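Review bot: the host is changed to `api.security.microsoft.com` in this file only, while the other API pages in this change set (for example the related-domains example) still use `api.securitycenter.microsoft.com`; confirm the new host actually serves `/api/machines/{id}/startInvestigation` before publishing, and update the sibling pages together if it does. The request example is also fenced as ```https, which is not a recognised language tag; use ```http.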
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Admins can configure auto-setup of VPN profile. This will automatically setup th
2. Tap the Defender for Endpoint app icon (MSDefender) and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint on iOS.
-3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
+3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft 365 Defender portal.
> [!div class="mx-imgBorder"]
- > ![A screenshot of a cell phone Description automatically generated](images/e07f270419f7b1e5ee6744f8b38ddeaf.png)
+ > ![A screenshot of a cell phone Description automatically generated](images/device-inventory-screen.png)
## Configure Microsoft Defender for Endpoint for Supervised Mode
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
In order to preview new features and provide early feedback, it is recommended t
In the below commands, replace *[distro]* and *[version]* with the information you've identified: > [!NOTE]
- > In case of Oracle Linux, replace *[distro]* with ΓÇ£rhelΓÇ¥.
+ > In case of Oracle Linux, replace *[distro]* with "rhel".
```bash sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
In order to preview new features and provide early feedback, it is recommended t
```bash sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list ```+ For example, if you chose *prod* channel: ```bash
In order to preview new features and provide early feedback, it is recommended t
# list all repositories yum repolist ```+ ```Output ... packages-microsoft-com-prod packages-microsoft-com-prod 316 packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2 ... ```+ ```bash # install the package from the production repository sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
In order to preview new features and provide early feedback, it is recommended t
XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ... XX | packages-microsoft-com-prod | microsoft-prod | ... ...+ ```+ ```bash sudo zypper install packages-microsoft-com-prod:mdatp ```
In order to preview new features and provide early feedback, it is recommended t
```bash cat /etc/apt/sources.list.d/* ```+ ```Output deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main ```+ ```bash sudo apt -t bionic install mdatp ```
Download the onboarding package from Microsoft 365 Defender portal:
```bash unzip WindowsDefenderATPOnboardingPackage.zip ```+ ```Output Archive: WindowsDefenderATPOnboardingPackage.zip inflating: MicrosoftDefenderATPOnboardingLinuxServer.py ``` - ## Client configuration 1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.
Download the onboarding package from Microsoft 365 Defender portal:
mdatp health --field org_id ```
-2. Run MicrosoftDefenderATPOnboardingLinuxServer.py.
-
- >[!NOTE]
- >To run this command, you must have `python` installed on the device. If you're running RHEL 8.x or Ubuntu 20.04 or higher, then you will need to use Python 3 instead of Python.
-
+2. Run MicrosoftDefenderATPOnboardingLinuxServer.py.
+ > [!NOTE]
+ > To run this command, you must have `python` installed on the device. If you're running RHEL 8.x or Ubuntu 20.04 or higher, then you will need to use Python 3 instead of Python.
```bash python MicrosoftDefenderATPOnboardingLinuxServer.py
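Review bot: the note says RHEL 8.x and Ubuntu 20.04 or later need Python 3, but the command that follows still runs `python MicrosoftDefenderATPOnboardingLinuxServer.py`; show the `python3 MicrosoftDefenderATPOnboardingLinuxServer.py` form as well so readers on those distributions don't fail on a missing `python` binary. Since the script enrolls whatever device runs it into your tenant, the step should also say to distribute the onboarding package as a secret rather than leaving it world-readable.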
Download the onboarding package from Microsoft 365 Defender portal:
> [!IMPORTANT] > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `false`. You can check the status of the definition update using the following command:
+ >
> ```bash > mdatp health --field definitions_status > ```
+ >
> Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration#post-installation-configuration). 5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
Download the onboarding package from Microsoft 365 Defender portal:
## Experience Linux endpoint detection and response (EDR) capabilities with simulated attacks
-To test out the functionalities of EDR for Linux, follow the steps below to simulate a detection on your Linux server and investigate the case.
+To test out the functionalities of EDR for Linux, follow the steps below to simulate a detection on your Linux server and investigate the case.
-1. Verify that the onboarded Linux server appears in Microsoft 365 Defender. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
-
-2. Download and extract the [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server and run the following command: `./mde_linux_edr_diy.sh`
-
-3. After a few minutes, a detection should be raised in Microsoft 365 Defender.
-
-4. Look at the alert details, machine timeline, and perform your typical investigation steps.
+1. Verify that the onboarded Linux server appears in Microsoft 365 Defender. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
+2. Download and extract the [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server and run the following command: `./mde_linux_edr_diy.sh`
+3. After a few minutes, a detection should be raised in Microsoft 365 Defender.
+4. Look at the alert details, machine timeline, and perform your typical investigation steps.
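Review bot: step 2 runs `./mde_linux_edr_diy.sh` straight after download and extraction, but an extracted script may not carry the execute bit; add `chmod +x mde_linux_edr_diy.sh` (or run it via `bash`), and advise reading the script before executing it, since the link is a redirect rather than a pinned file.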
## Installer script
When upgrading your operating system to a new major version, you must first unin
## How to migrate from Insiders-Fast to Production channel
-1. Uninstall the ΓÇ£Insiders-Fast channelΓÇ¥ version of Defender for Endpoint on Linux.
+1. Uninstall the "Insiders-Fast channel" version of Defender for Endpoint on Linux.
- ``
+ ```bash
sudo yum remove mdatp
- ``
+ ```
1. Disable the Defender for Endpoint on Linux Insiders-Fast repo
- ``
+
+ ```bash
sudo yum repolist
- ``
+ ```
> [!NOTE]
- > The output should show ΓÇ£packages-microsoft-com-fast-prodΓÇ¥.
+ > The output should show "packages-microsoft-com-fast-prod".
- ``
+ ```bash
sudo yum-config-manager --disable packages-microsoft-com-fast-prod
- ``
-1. Redeploy MDE for Linux using the ΓÇ£Production channelΓÇ¥.
+ ```
+1. Redeploy MDE for Linux using the "Production channel".
## Uninstallation See [Uninstall](linux-resources.md#uninstall) for details on how to remove Defender for Endpoint on Linux from client devices. ## See also+ - [Investigate agent health issues](health-status.md)
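Review bot: the migration steps use only `yum` and `yum-config-manager`, so as written they cover RPM-based distributions only; either scope the heading to those distributions or add the equivalent commands for the other package managers the article supports. Step 3 also says "Redeploy MDE for Linux" while the surrounding text consistently says "Defender for Endpoint on Linux"; use the same name.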
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
In addition, for Ansible deployment, you need to be familiar with Ansible admini
## Download the onboarding package
-Download the onboarding package from Microsoft Defender Security Center:
+Download the onboarding package from Microsoft 365 Defender portal:
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
+1. In Microsoft 365 Defender portal, go to **Settings > Endpoints > Device management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
+ ![Microsoft 365 Defender portal screenshot](images/portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
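Review bot: the new screenshot reference `images/portal-onboarding-linux-2.png` only renders if that asset is added in the same commit (the old `images/atp-portal-onboarding-linux-2.png` is dropped here), so confirm the file exists in the `images` folder before merging. "In Microsoft 365 Defender portal" also needs its article ("In the Microsoft 365 Defender portal"); the same phrasing recurs in the other onboarding articles in this change set.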
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
In addition, for Puppet deployment, you need to be familiar with Puppet administ
## Download the onboarding package
-Download the onboarding package from Microsoft Defender Security Center:
+Download the onboarding package from Microsoft 365 Defender portal:
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
+1. In Microsoft 365 Defender portal, go to **Settings > Endpoints > Device management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
+ ![Microsoft 365 Defender portal screenshot](images/portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file.
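Review bot: step 4 here stops at "verify that you have the file", whereas the parallel Ansible article's step 4 continues with "Extract the contents of the archive"; if the Puppet manifest expects the extracted onboarding file, add the extraction instruction so the two articles match.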
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
These applications can increase the risk of your network being infected with mal
Defender for Endpoint on Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
-When a PUA is detected on an endpoint, Defender for Endpoint on Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
+When a PUA is detected on an endpoint, Defender for Endpoint on Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft 365 Defender Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
## Configure PUA protection PUA protection in Defender for Endpoint on Linux can be configured in one of the following ways: - **Off**: PUA protection is disabled.-- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.-- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product.
+- **Audit**: PUA files are reported in the product logs, but not in Microsoft 365 Defender. No record of the infection is stored in the threat history and no action is taken by the product.
+- **Block**: PUA files are reported in the product logs and in Microsoft 365 Defender. A record of the infection is stored in the threat history and action is taken by the product.
>[!WARNING] >By default, PUA protection is configured in **Audit** mode.
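Review bot: the first changed line introduces "Microsoft 365 Defender Center portal", a name that appears nowhere else in this change set; the Audit and Block bullets directly below say "Microsoft 365 Defender" and the other articles say "Microsoft 365 Defender portal". Pick one, and while here make the Audit and Block bullets match the mac-pua.md wording ("in the Microsoft 365 Defender portal") so the two PUA articles stay parallel.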
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
In the Defender for Endpoint portal, you'll see two categories of information:
### Known issues -- You might see "No sensor data, impaired communications" in the machine information page of the Microsoft Defender Security Center portal, even though the product is working as expected. We are working on addressing this issue.-- Logged on users do not appear in the Microsoft Defender Security Center portal.
+- You might see "No sensor data, impaired communications" in the machine information page of the Microsoft 365 Defender portal, even though the product is working as expected. We are working on addressing this issue.
+- Logged on users do not appear in the Microsoft 365 Defender portal.
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: ```bash
security Linux Support Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-events.md
ms.technology: mde
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal.
+This article provides some general steps to mitigate missing events or alerts in the [Microsoft 365 Defender portal](https://security.microsoft.com/).
Once **Microsoft Defender for Endpoint** has been installed properly on a device, a _device page_ will be generated in the portal. You can review all recorded events in the timeline tab in the device page, or in advanced hunting page. This section troubleshoots the case of some or all expected events are missing. For instance, if all _CreatedFile_ events are missing.
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
The dashboard also gives you access to:
## Initiate a live response session on a device
-1. Sign in to Microsoft Defender Security Center.
+1. Sign in to Microsoft 365 Defender portal.
-2. Navigate to the devices list page and select a device to investigate. The devices page opens.
+2. Navigate to **Endpoints > Device inventory** and select a device to investigate. The devices page opens.
3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink).
This topic describes how to deploy Microsoft Defender for Endpoint on macOS manually. A successful deployment requires the completion of all of the following steps:+ - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) - [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions) - [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
Before you get started, see [the main Microsoft Defender for Endpoint on macOS p
## Download installation and onboarding packages
-Download the installation and onboarding packages from Microsoft Defender Security Center:
+Download the installation and onboarding packages from Microsoft 365 Defender portal:
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
+1. In Microsoft 365 Defender portal, go to **Settings > Endpoints > Device management > Onboarding**.
2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
- ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-page.png)
+ ![Microsoft 365 Defender portal screenshot](images/portal-onboarding-macos.png)
5. From a command prompt, verify that you have the two files.
-
+ ## Application installation (macOS 10.15 and older versions) To complete this process, you must have admin privileges on the device.
To complete this process, you must have admin privileges on the device.
5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender for Endpoint on Mac.
-6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.
+6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft 365 Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.
![System extension security preferences2](images/big-sur-install-4.png)
To complete this process, you must have admin privileges on the device.
``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
-
+ > [!div class="mx-imgBorder"] > ![Microsoft Defender icon in status bar screenshot](images/mdatp-icon-bar.png) - ## How to Allow Full Disk Access > [!CAUTION]
To complete this process, you must have admin privileges on the device.
> [!TIP] > If you double-click, you will get the following message:
- >
+ >
> > **"MDATP MacOS DIY" cannot be opened because the developer cannot be verifier.**<br/> > > macOS cannot verify that this app is free from malware.<br/>
- > > **\[Move to Trash\]** **\[Cancel\]**
-
+ > > **\[Move to Trash\]** **\[Cancel\]**
+ 7. Click **Cancel**.
-8. Right-click **MDATP MacOS DIY**, and then click **Open**.
+8. Right-click **MDATP MacOS DIY**, and then click **Open**.
The system should display the following message:
- > **macOS cannot verify the developer of **MDATP MacOS DIY**. Are you sure you want to open it?**<br/>
- > By opening this app, you will be overriding system security which can expose your computer and personal information to malware that may harm your Mac or compromise your privacy.
+ > **macOS cannot verify the developer of MDATP MacOS DIY. Are you sure you want to open it?**<br/>
+ > By opening this app, you will be overriding system security which can expose your computer and personal information to malware that may harm your Mac or compromise your privacy.
-10. Click **Open**.
+9. Click **Open**.
The system should display the following message:
- > Microsoft Defender for Endpoint - macOS EDR DIY test file<br/>
- > Corresponding alert will be available in the MDATP portal.
+ > Microsoft Defender for Endpoint - macOS EDR DIY test file<br/>
+ > Corresponding alert will be available in the MDATP portal.
-11. Click **Open**.
+10. Click **Open**.
In a few minutes an alert named "macOS EDR Test Alert" should be raised.
-12. Go to Microsoft Defender Security Center (https://SecurityCenter.microsoft.com).
+11. Go to Microsoft 365 Defender portal (https://security.microsoft.com/).
+
+12. Go to the Alert Queue.
-13. Go to the Alert Queue.
+ :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Example of a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions.":::
- :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Example of a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions.":::
-
- Look at the alert details and the device timeline, and perform the regular investigation steps.
+ Look at the alert details and the device timeline, and perform the regular investigation steps.
## Logging installation issues
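Review bot: the renumbering (8, 9, 10, 11, 12 in place of 8, 10, 11, 12, 13) fixes the skipped step, but the quoted Gatekeeper dialog just above it keeps a typo in unchanged context: "the developer cannot be verifier" should read "cannot be verified", which is the message macOS displays. Since the block is being touched anyway, fix it here. "Go to Microsoft 365 Defender portal" and "In Microsoft 365 Defender portal" also need the article "the".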
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
The following table summarizes the steps you would need to take to deploy and ma
## Download the onboarding package
-Download the onboarding packages from Microsoft Defender Security Center:
+Download the onboarding packages from Microsoft 365 Defender portal:
-1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
+1. In Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Device management** > **Onboarding**.
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
- ![Onboarding settings screenshot](images/atp-mac-install.png)
+ ![Onboarding settings screenshot](images/macos-install-with-intune.png)
3. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, usin
### Network Filter
-As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality.
Download [**netfilter.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
Grant Full Disk Access to the following components:
### Network extension policy
-As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Security Center portal. The following policy allows the network extension to perform this functionality.
- Filter type: Plugin - Plugin bundle identifier: `com.microsoft.wdav`
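Review bot: "Microsoft 365 Security Center portal" is not the name used elsewhere in this change; the identical sentence in mac-install-with-intune.md and mac-sysext-policies.md was changed to "Microsoft 365 Defender portal". Use that here too so the three MDM articles agree.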
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
When a PUA is detected on an endpoint, Microsoft Defender for Endpoint on macOS
PUA protection in Microsoft Defender for Endpoint on macOS can be configured in one of the following ways: - **Off**: PUA protection is disabled.-- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No notification is presented to the user and no action is taken by the product.-- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. The user is presented with a notification and action is taken by the product.
+- **Audit**: PUA files are reported in the product logs, but not in Microsoft 365 Defender portal. No notification is presented to the user and no action is taken by the product.
+- **Block**: PUA files are reported in the product logs and in Microsoft 365 Defender portal. The user is presented with a notification and action is taken by the product.
>[!WARNING] >By default, PUA protection is configured in **Audit** mode.
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
If you have deployed Microsoft Defender for Endpoint on macOS in a managed envir
## JAMF
-### System Extensions Policy
+### JAMF System Extensions Policy
To approve the system extensions, create the following payload:
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
### Network Extension Policy
-As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality.
>[!NOTE] >JAMF doesnΓÇÖt have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
As part of the Endpoint Detection and Response capabilities, Microsoft Defender
```bash $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig ```
-
+ Verify that the command outputs `OK`.
-
+ ```bash <PathToFile>/com.microsoft.network-extension.mobileconfig: OK ```
-
+ 3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMFΓÇÖs built-in certificate authority. 4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file:
As part of the Endpoint Detection and Response capabilities, Microsoft Defender
```bash $ security cms -S -N "<CertificateName>" -i <PathToFile>/com.microsoft.network-extension.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig ```
-
+ For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents:
-
+ ```bash $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig ```
-
+ 5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file. ## Intune
-### System Extensions Policy
+### Intune System Extensions Policy
To approve the system extensions:
To approve the system extensions:
### Create and deploy the Custom Configuration Profile
-The following configuration profile enables the network extension and grants Full Disk Access to the Endpoint Security system extension.
+The following configuration profile enables the network extension and grants Full Disk Access to the Endpoint Security system extension.
Save the following content to a file named **sysext.xml**:
sysext.xml: OK
To deploy this custom configuration profile:
-1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**.
-3. Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
-4. Select **OK**.
+3. Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
+4. Select **OK**.
![System extension in Intune screenshot](images/mac-system-extension-intune.png)
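Review bot: renaming the two identical "System Extensions Policy" headings to "JAMF System Extensions Policy" and "Intune System Extensions Policy" disambiguates their anchors, so check for any in-page or cross-article links to the old `#system-extensions-policy` anchor and update them. The unchanged context also still carries mis-encoded apostrophes ("JAMF doesnΓÇÖt", "JAMFΓÇÖs built-in certificate authority") of the same kind this change set repairs in the Linux migration article; replace them with plain apostrophes here as well.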
security Machineaction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machineaction.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)] -- For more information, see [Response Actions](respond-machine-alerts.md). -
-| Method | Return Type | Description |
-|:|:--|:|
-| [List MachineActions](get-machineactions-collection.md) | [Machine Action](machineaction.md) | List [Machine Action](machineaction.md) entities. |
-| [Get MachineAction](get-machineaction-object.md) | [Machine Action](machineaction.md) | Get a single [Machine Action](machineaction.md) entity. |
-| [Collect investigation package](collect-investigation-package.md) | [Machine Action](machineaction.md) | Collect investigation package from a [machine](machine.md). |
-| [Get investigation package SAS URI](get-package-sas-uri.md) | [Machine Action](machineaction.md) | Get URI for downloading the investigation package. |
-| [Isolate machine](isolate-machine.md) | [Machine Action](machineaction.md) | Isolate [machine](machine.md) from network. |
-| [Release machine from isolation](unisolate-machine.md) | [Machine Action](machineaction.md) | Release [machine](machine.md) from Isolation. |
-| [Restrict app execution](restrict-code-execution.md) | [Machine Action](machineaction.md) | Restrict application execution. |
-| [Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. |
-| [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). |
-| [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender for Endpoint. |
-| [Stop and quarantine file](stop-and-quarantine-file.md) | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it. |
-| [Run live response](run-live-response.md) | [Machine Action](machineaction.md) | Runs a sequence of live response commands on a device |
-| [Get live response result](get-live-response-result.md) | URL entity | Retrieves specific live response command result download link by its index. |
-|[Cancel machine action](cancel-machine-action.md) | [Machine Action](machineaction.md) | Cancel an active machine action. |
+- For more information, see [Response Actions](respond-machine-alerts.md).
+
+|Method|Return Type|Description|
+||||
+|[List MachineActions](get-machineactions-collection.md)|[Machine Action](machineaction.md)|List [Machine Action](machineaction.md) entities.|
+|[Get MachineAction](get-machineaction-object.md)|[Machine Action](machineaction.md)|Get a single [Machine Action](machineaction.md) entity.|
+|[Collect investigation package](collect-investigation-package.md)|[Machine Action](machineaction.md)|Collect investigation package from a [machine](machine.md).|
+|[Get investigation package SAS URI](get-package-sas-uri.md)|[Machine Action](machineaction.md)|Get URI for downloading the investigation package.|
+|[Isolate machine](isolate-machine.md)|[Machine Action](machineaction.md)|Isolate [machine](machine.md) from network.|
+|[Release machine from isolation](unisolate-machine.md)|[Machine Action](machineaction.md)|Release [machine](machine.md) from Isolation.|
+|[Restrict app execution](restrict-code-execution.md)|[Machine Action](machineaction.md)|Restrict application execution.|
+|[Remove app restriction](unrestrict-code-execution.md)|[Machine Action](machineaction.md)|Remove application execution restriction.|
+|[Run antivirus scan](run-av-scan.md)|[Machine Action](machineaction.md)|Run an AV scan using Windows Defender (when applicable).|
+|[Offboard machine](offboard-machine-api.md)|[Machine Action](machineaction.md)|Offboard [machine](machine.md) from Microsoft Defender for Endpoint.|
+|[Stop and quarantine file](stop-and-quarantine-file.md)|[Machine Action](machineaction.md)|Stop execution of a file on a machine and delete it.|
+|[Run live response](run-live-response.md)|[Machine Action](machineaction.md)|Runs a sequence of live response commands on a device|
+|[Get live response result](get-live-response-result.md)|URL entity|Retrieves specific live response command result download link by its index.|
+|[Cancel machine action](cancel-machine-action.md)|[Machine Action](machineaction.md)|Cancel an active machine action.|
<br> ## Properties
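Review bot: the rewritten table's delimiter row shows as `||||` with no dashes; a markdown table needs at least `|---|---|---|` (or `|:---|:---|:---|` to keep the left alignment the old row had) in that row or it will not render as a table. Confirm the dashes are present in the source and were not just lost here. The "Run live response" description also lacks the terminal period every other row has.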
-| Property | Type | Description |
-|:--|:|:|
-| ID | Guid | Identity of the [Machine Action](machineaction.md) entity. |
-| type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" |
-| scope | string | Scope of the action. "Full" or "Selective" for Isolation, "Quick" or "Full" for Anti-Virus scan. |
-| requestor | String | Identity of the person that executed the action. |
-| requestorComment | String | Comment that was written when issuing the action. |
-| status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Canceled". |
-| machineId | String | ID of the [machine](machine.md) on which the action was executed. |
-| machineId | String | Name of the [machine](machine.md) on which the action was executed. |
-| creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. |
-| lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. |
-| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1", "Sha256" and "Md5". |
--
+|Property|Type|Description|
+||||
+|ID|Guid|Identity of the [Machine Action](machineaction.md) entity.|
+|type|Enum|Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"|
+|scope|string|Scope of the action. "Full" or "Selective" for Isolation, "Quick" or "Full" for Anti-Virus scan.|
+|requestor|String|Identity of the person that executed the action.|
+|requestorComment|String|Comment that was written when issuing the action.|
+|status|Enum|Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Canceled".|
+|machineId|String|ID of the [machine](machine.md) on which the action was executed.|
+|machineId|String|Name of the [machine](machine.md) on which the action was executed.|
+|creationDateTimeUtc|DateTimeOffset|The date and time when the action was created.|
+|lastUpdateTimeUtc|DateTimeOffset|The last date and time when the action status was updated.|
+|relatedFileInfo|Class|Contains two Properties. string `fileIdentifier`, Enum `fileIdentifierType` with the possible values: "Sha1", "Sha256" and "Md5".|
## Json representation
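Review bot: the properties table still carries two rows named `machineId`, the second described as "Name of the machine"; that row's property is the entity's machine-name field (`computerDnsName` in the API response), not a second `machineId`. The `type` enum list also has no value for the live response action that the methods table above returns as a Machine Action, and `scope` is typed `string` while every other text property is `String`; tidy these while reworking the table.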
ms.technology: mde
{ "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", "type": "Isolate",
- "scope": "Selective",
+ "scope": "Selective",
"requestor": "Analyst@TestPrd.onmicrosoft.com", "requestorComment": "test for docs", "status": "Succeeded",
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
Last updated 09/03/2018-+ ms.technology: mde
If Microsoft Defender Antivirus did not download protection updates for a specif
### Use Configuration Manager to configure catch-up protection updates
-1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
-2. Go to the **Security intelligence updates** section and configure the following settings:
+2. Go to the **Security intelligence updates** section and configure the following settings:
1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order). 3. Click **OK**.
-4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
### Use Group Policy to enable and configure the catch-up update feature
SignatureUpdateCatchupInterval
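Review bot: The Configuration Manager list in this hunk still numbers its top-level steps 1, 2, 4: the three sub-steps under step 2 are numbered 1 to 3, so `4. [Deploy the updated policy as usual]` should become `3.`, the same renumbering this commit applies to the Group Policy lists further down. Step 1 also opens with `On your Microsoft Endpoint Manager console` under a heading that says Configuration Manager; use one product name for the console.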
``` See the following for more information and allowed parameters:-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
## Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Microsoft Defender Antivirus
### Use Group Policy to specify the number of days before protection is considered out-of-date
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+3. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
- 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider spyware Security intelligence to be out-of-date.
+ 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider spyware Security intelligence to be out-of-date.
2. Click **OK**.
- 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider virus Security intelligence to be out-of-date.
+ 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider virus Security intelligence to be out-of-date.
4. Click **OK**. - ## Set up catch-up scans for endpoints that have not been scanned for a while You can set the number of consecutive scheduled scans that can be missed before Microsoft Defender Antivirus will force a scan.
This feature can be enabled for both full and quick scans.
### Use Group Policy to enable and configure the catch-up scan feature
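Review bot: Style: the two `+` lines for the spyware and virus out-of-date settings keep the abbreviation `Microsoft Defender AV` and the mixed-case `spyware Security intelligence` / `virus Security intelligence`, while the rest of the file says `Microsoft Defender Antivirus` and lowercase `security intelligence`. Since both lines are being rewritten anyway, normalise them here.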
-1. Ensure you have set up at least one scheduled scan.
+1. Ensure you have set up at least one scheduled scan.
-2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Scan** and configure the following settings:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Scan** and configure the following settings:
- 1. If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
+ 1. If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**.
- 3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**.
+ 3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**.
4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). Click **OK**. > [!NOTE]
DisableCatchupQuickScan
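Review bot: Unit mismatch in the catch-up scan steps: the rewritten step 3 names the setting `Define the number of days after which a catch-up scan is forced`, but the unchanged step 4 tells the reader to `Enter the number of scans that can be missed before a scan will be automatically run`, and the section intro talks about consecutive scheduled scans. A setting cannot take both days and a scan count; check the policy and make step 4 and the intro agree with the setting name that step 3 now uses.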
``` See the following for more information and allowed parameters:-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
### Use Configuration Manager to configure catch-up scans
-1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
-2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**.
+2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**.
3. Click **OK**.
-4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
## Related articles
See the following for more information and allowed parameters:
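Review bot: Step 2 in this hunk is missing its verb: `Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**.` should read `... section and set **Force a scan ...** to **Yes**.` Separately, the unchanged line `See the following for more information and allowed parameters:` directly under `## Related articles` is the lead-in sentence from the PowerShell section pasted in the wrong place; drop it, the list needs no lead-in.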
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
ms.technology: mde
Microsoft Defender Antivirus lets you determine when it should look for and download updates.
-You can schedule updates for your endpoints by:
+You can schedule updates for your endpoints by:
-- Specifying the day of the week to check for protection updates
+- Specifying the day of the week to check for protection updates
- Specifying the interval to check for protection updates - Specifying the time to check for protection updates
You can also randomize the times when each endpoint checks and downloads protect
## Use Configuration Manager to schedule protection updates
-1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
-2. Go to the **Security intelligence updates** section.
+2. Go to the **Security intelligence updates** section.
3. To check and download updates at a certain time: 1. Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to **0**.
You can also randomize the times when each endpoint checks and downloads protect
3 4. To check and download updates on a continual interval, Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to the number of hours that should occur between updates.
-5. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+5. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
## Use Group Policy to schedule protection updates > [!IMPORTANT] > By default, Microsoft Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+3. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings:
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings:
1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. - ## Use PowerShell cmdlets to schedule protection updates Use the following cmdlets:
SignatureUpdateInterval
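Review bot: Path inconsistency: this `+` line sends the reader to `Windows components > Microsoft Defender Antivirus > Signature Intelligence Updates`, while the same commit's change for the out-of-date settings uses `... > Signature Updates`, and the three settings listed under step 4 are all named `... security intelligence updates`. `Signature Intelligence Updates` reads like a half-applied rename; use one node name in both files and make it the one that appears in the Group Policy editor.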
``` See the following for more information and allowed parameters:-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
## Related articles
See the following for more information and allowed parameters:
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
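The Group Policy and Configuration Manager procedures in the two Defender Antivirus files above (catch-up updates and catch-up scans in the first, the update schedule in the second) have a local equivalent in the Defender PowerShell module. The block below is an added example, not code from the Microsoft Docs page: it applies the same settings with `Set-MpPreference`, reads them back, and uses `Get-MpComputerStatus` to flag an endpoint whose security intelligence is older than a threshold. The schedule values and the three-day threshold are illustrative assumptions; the out-of-date-days values themselves are only configurable through the Group Policy steps above and are not set here.

```powershell
# Added example, not from the Microsoft Docs page. Run in an elevated session on
# a Windows endpoint with Microsoft Defender Antivirus. All values are illustrative.
#Requires -RunAsAdministrator
Import-Module Defender

# Protection update schedule (the "Specify the day / interval / time" settings).
Set-MpPreference -SignatureScheduleDay Everyday     # Everyday, Never, or a weekday name
Set-MpPreference -SignatureScheduleTime 02:00:00    # local time of the endpoint
Set-MpPreference -SignatureUpdateInterval 8         # hours between checks; 0 = use day/time only

# Catch-up updates: force an update after this many days without one.
Set-MpPreference -SignatureUpdateCatchupInterval 1  # days

# Catch-up scans: make sure neither type was disabled by an earlier preference.
Set-MpPreference -DisableCatchupQuickScan $false
Set-MpPreference -DisableCatchupFullScan  $false

# Verify: read the preferences back together with the current signature and scan age.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

[pscustomobject]@{
    ScheduleDay            = $pref.SignatureScheduleDay
    ScheduleTime           = $pref.SignatureScheduleTime
    UpdateIntervalHours    = $pref.SignatureUpdateInterval
    CatchupIntervalDays    = $pref.SignatureUpdateCatchupInterval
    CatchupQuickScanOn     = -not $pref.DisableCatchupQuickScan
    CatchupFullScanOn      = -not $pref.DisableCatchupFullScan
    AVSignatureAgeDays     = $status.AntivirusSignatureAge
    AVSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    QuickScanAgeDays       = $status.QuickScanAge
    FullScanAgeDays        = $status.FullScanAge
} | Format-List

# Local check against the "out-of-date" threshold you chose in Group Policy
# (assumed here to be 3 days); force an update if the endpoint is past it.
$outOfDateAfterDays = 3
if ($status.AntivirusSignatureAge -gt $outOfDateAfterDays) {
    Write-Warning "Security intelligence is $($status.AntivirusSignatureAge) days old; forcing an update."
    Update-MpSignature   # immediate update using the configured fallback source order
}
```

Group Policy and Configuration Manager settings take precedence over `Set-MpPreference`, so on a managed endpoint this is a way to verify what the deployed policy produced, or to test values before deploying them, rather than the deployment path itself.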
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-Create a notification rule so that when a local onboarding or offboarding script is used, you'll be notified.
+Create a notification rule so that when a local onboarding or offboarding script is used, you'll be notified.
## Before you begin+ You'll need to have access to:+
+- Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/).
+- Azure Table or SharePoint List or Library / SQL DB.
## Create the notification flow 1. In [flow.microsoft.com](https://flow.microsoft.com/).
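Review bot: The added prerequisites are dated and vague. `Microsoft Flow (Flow Plan 1 at a minimum)`: the product is now Power Automate and the linked pricing page redirects there, so name it. `Azure Table or SharePoint List or Library / SQL DB`: say what the store is for (the list of already-seen device IDs that step 10 compares against) and that only one of these is needed, otherwise the reader may think all of them are required.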
-2. Navigate to **My flows > New > Scheduled - from blank**.
+2. Navigate to **My flows > New > Scheduled - from blank**.
![Image of flow](images/new-flow.png) - 3. Build a scheduled flow. 1. Enter a flow name. 2. Specify the start and time.
You'll need to have access to:
![Image of the notification flow](images/build-flow.png)
-4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
+4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
![Image of recurrence and add action](images/recurrence-add.png) - 5. Enter the following HTTP fields: - Method: "GET" as a value to get the list of devices.
You'll need to have access to:
![Image of the HTTP conditions](images/http-conditions.png) -
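Review bot: The rewritten step 4 says the action is `an HTTP request to the Defender for Endpoint security center device(s) API`, but neither it nor the field list in step 5 (`Method: "GET"`) says how the request is authenticated. A raw HTTP action against the machines API needs a bearer token from an Azure AD app registration granted `Machine.Read.All`; state that here or link to the API authentication article, otherwise readers will get 401 responses. It is also worth saying that the `WDATP Connector` alternative handles authentication itself, which is the main reason to prefer it.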
-6. Add a new step by selecting **Add new action** then search for **Data Operations** and select
+6. Add a new step by selecting **Add new action** then search for **Data Operations** and select
**Parse JSON**. ![Image of data operations](images/data-operations.png)
You'll need to have access to:
9. Copy and paste the following JSON snippet:
- ```
+ ```json
{ "type": "object", "properties": {
You'll need to have access to:
```
-10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example:
-- If yes, no notification will be triggered-- If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Defender for Endpoint admin
+10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example:
+
+ - If yes, no notification will be triggered
+ - If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Defender for Endpoint admin
![Image of apply to each](images/flow-apply.png)
You'll need to have access to:
11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0.
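Review bot: The second bullet in the rewritten step 10 has no subject: `If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent` should read `If no, the flow registers the new onboarded device(s) in the SharePoint list and sends a notification`. In the same step, `is / are already registered at the SharePoint list` reads better as `are already registered in the SharePoint list`.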
- ![Image of apply to each condition](images/apply-to-each-value.png)
- ![Image of condition1](images/conditions-2.png)
- ![Image of condition2](images/condition3.png)
+ ![Image of apply to each condition](images/apply-to-each-value.png)
+ ![Image of condition1](images/conditions-2.png)
+ ![Image of condition2](images/condition3.png)
![Image of send email](images/send-email.png) ## Alert notification+ The following image is an example of an email notification. ![Image of email notification](images/alert-notification.png) - ## Tips - You can filter here using lastSeen only:
- - Every 60 min:
- - Take all devices last seen in the past 7 days.
+ - Every 60 min:
+ - Take all devices last seen in the past 7 days.
-- For each device:
- - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility.
- - If first seen is on the past hour -> Alert for onboarding.
+- For each device:
+ - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility.
+ - If first seen is on the past hour -> Alert for onboarding.
In this solution you will not have duplicate alerts: There are tenants that have numerous devices. Getting all those devices might be very expensive and might require paging.
-You can split it to two queries:
-1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.
-2. Take all devices last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).
+You can split it to two queries:
+1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.
+2. Take all devices last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).
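Review bot: The offboarding heuristic in the Tips hunk depends on the flow running exactly every 60 minutes: a device whose `lastSeen` falls into `[-7 days, -7 days + 60 minutes]` is only caught if the run that covers that window actually executes, so a skipped, late or throttled run silently drops those devices, and the `you will not have duplicate alerts` claim rests on the same assumption. Say so, and suggest either recording the last successful run time and querying from it, or widening the window and de-duplicating against the device list from step 10. The `$filter` bullet should also show the actual OData expression the reader needs, for example `lastSeen ge <start> and lastSeen lt <end>`.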
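The two-query split proposed in the Tips above can also be run outside Power Automate. The following PowerShell is an added example, not part of the Microsoft Docs page: it calls the Defender for Endpoint machines API with the OData `$filter` the tip describes, follows paging, and separates onboarding candidates from possible offboardings. It assumes `$token` already holds a bearer token for an app registration with `Machine.Read.All`; the 60-minute recurrence and 7-day window are the values from the tip.

```powershell
# Added example, not from the Microsoft Docs page. Assumes $token holds an
# app-only bearer token (Machine.Read.All) for the Defender for Endpoint API.
$baseUri   = 'https://api.securitycenter.microsoft.com/api/machines'
$headers   = @{ Authorization = "Bearer $token" }
$now       = [DateTime]::UtcNow
$runEvery  = [TimeSpan]::FromMinutes(60)   # must equal the flow's recurrence
$retention = [TimeSpan]::FromDays(7)       # "last seen in the past 7 days"

function Get-MdeMachines([string]$Filter) {
    # Follows @odata.nextLink so large tenants are paged instead of truncated.
    $uri     = $baseUri + '?$filter=' + [uri]::EscapeDataString($Filter)
    $results = @()
    while ($uri) {
        $page     = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        $results += $page.value
        $uri      = $page.'@odata.nextLink'
    }
    return $results
}

# Query 1: possible offboarding. lastSeen fell into the one-hour window that is
# exactly $retention ago. Consecutive runs cover disjoint windows, so a device is
# reported once, but only if every scheduled run actually executes.
$winStart = ($now - $retention).ToString('o')
$winEnd   = ($now - $retention + $runEvery).ToString('o')
$offboard = Get-MdeMachines "lastSeen ge $winStart and lastSeen lt $winEnd"

# Query 2: onboarding. Fetch only devices seen in the last interval, then keep
# those whose firstSeen is also inside it (firstSeen in the past hour implies
# lastSeen is too, so the narrower lastSeen filter is safe and much cheaper).
$since   = ($now - $runEvery).ToString('o')
$recent  = Get-MdeMachines "lastSeen ge $since"
$onboard = $recent | Where-Object {
    [DateTimeOffset]::Parse($_.firstSeen).UtcDateTime -ge ($now - $runEvery)
}

foreach ($m in $onboard)  { "ONBOARDED           $($m.computerDnsName) firstSeen=$($m.firstSeen)" }
foreach ($m in $offboard) { "POSSIBLY OFFBOARDED $($m.computerDnsName) lastSeen=$($m.lastSeen)" }
```

Paging is handled in `Get-MdeMachines` because, as the text notes, tenants with many devices cannot be fetched in one response; the timestamps are emitted in round-trip (`o`) format so the comparison in the filter is done in UTC on both sides.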
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
Last updated 06/02/2021
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink).
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Defender for Endpoint includes several capabilities to help reduce your attack surfaces. Watch the following video to learn more about attack surface reduction.
security Printer Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md
If the device isn't Intune joined, you can also deploy the policy via Group Poli
The [Microsoft 365 security center](https://security.microsoft.com) shows printing blocked by the Device Control Printer Protection policy above.
-```sql
+```kusto
DeviceEvents-
-|where ActionType == 'PrintJobBlocked'
-
+| where ActionType == 'PrintJobBlocked'
| extend parsed=parse_json(AdditionalFields)- | extend PrintedFile=tostring(parsed.JobOrDocumentName)- | extend PrintPortName=tostring(parsed.PortName)- | extend PrinterName=tostring(parsed.PrinterName)- | extend Policy=tostring(parsed.RestrictionReason) -
-| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessAccountName,Policy, PrintedFile, PrinterName, PrintPortName, AdditionalFields
-
+| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessAccountName, Policy, PrintedFile, PrinterName, PrintPortName, AdditionalFields
| order by Timestamp desc ```
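Review bot: The re-fenced query has no time bound: `DeviceEvents | where ActionType == 'PrintJobBlocked'` scans the whole retention window on every run, so add `| where Timestamp > ago(7d)` (or a parameter) before the `extend` lines. The `project` also keeps the raw `AdditionalFields` next to the four columns already parsed out of it; drop it unless showing the raw payload is the point. Tagging the fence `kusto` instead of `sql` and spacing `| where` are the right fixes.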
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
ms.technology: mde
-# Collect support logs in Microsoft Defender for Endpoint using live response
+# Collect support logs in Microsoft Defender for Endpoint using live response
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
When contacting support, you may be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool.
When contacting support, you may be asked to provide the output package of the M
This topic provides instructions on how to run the tool via Live Response. 1. Download the appropriate script
- * Microsoft Defender for Endpoint client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDELiveAnalyzer).
- - Result package approximate size: ~100Kb
- * Microsoft Defender for Endpoint client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDELiveAnalyzerAV).
- - Result package approximate size: ~10Mb
-
-2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.
+ - Microsoft Defender for Endpoint client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDELiveAnalyzer).
+ - Result package approximate size: ~100Kb
+ - Microsoft Defender for Endpoint client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDELiveAnalyzerAV).
+ - Result package approximate size: ~10Mb
-3. Select **Upload file to library**.
+2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.
+
+3. Select **Upload file to library**.
![Image of upload file](images/upload-file.png)
This topic provides instructions on how to run the tool via Live Response.
5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on **Confirm** - ![Image of choose file button2](images/analyzer-file.png) - 6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file: ```console
This topic provides instructions on how to run the tool via Live Response.
GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" ```
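Review bot: File-name mismatch across the restructured steps: step 1 links `LiveAnalyzer.ps1` and `LiveAnalyzer+MDAV.ps1`, but step 5 tells the reader to select `MDELiveAnalyzer.ps1` and the command block runs `MDELiveAnalyzer.ps1`. Use the name the downloaded file actually has in all three places, and say what the `+MDAV` variant is called once uploaded, because `Run` needs the exact library name. `~100Kb` and `~10Mb` should be `~100 KB` and `~10 MB`.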
- [ ![Image of commands](images/analyzer-commands.png) ](images/analyzer-commands.png#lightbox)
-
+ [![Image of commands](images/analyzer-commands.png)](images/analyzer-commands.png#lightbox)
->[!NOTE]
+> [!NOTE]
+>
> - The latest preview version of MDEClientAnalyzer can be downloaded here: [https://aka.ms/Betamdeanalyzer](https://aka.ms/Betamdeanalyzer).
->
+>
> - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.
->
+>
> If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script: > > ```console > PutFile MDEClientAnalyzerPreview.zip -overwrite > Run MDELiveAnalyzer.ps1
-> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
+> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
> ```
->
+>
> - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls).
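Review bot: The reformatted note says the LiveAnalyzer script downloads the troubleshooting package from `https://mdatpclientanalyzer.blob.core.windows.net` on the investigated machine. Since this runs through live response on a host that may be compromised, the note should say how the package is validated (whether the scripts are Authenticode-signed, and where a hash for `MDEClientAnalyzerPreview.zip` is published) and that the same check applies when the zip is uploaded with `PutFile` instead. The note also offers a `preview` download link alongside a script that fetches a package on its own; state which version each path gives the reader.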
security Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/notifications.md
Title: Microsoft Defender for Identity notifications in Microsoft 365 Defender
-description: Learn how to set Microsoft Defender for Identity notifications in Microsoft 365 Defender
+ Title: Microsoft Defender for Identity notifications in Microsoft 365 Defender
+description: Learn how to set Microsoft Defender for Identity notifications in Microsoft 365 Defender.
Last updated 05/20/2021
This article explains how to work with [Microsoft Defender for Identity](/defender-for-identity) notifications in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center).
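Review bot: Duplicate front-matter key: the hunk adds ` Title: Microsoft Defender for Identity notifications in Microsoft 365 Defender` (with a leading space) while the unchanged `Title:` line above it stays, so the front matter now carries the field twice. Keep one `title` line without the leading space, otherwise the YAML may fail to parse or the second value may silently win.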
->[!IMPORTANT]
->As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
+> [!IMPORTANT]
+> As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
## Health issues notifications
In Microsoft 365 Defender, you can add recipients for email notifications of hea
![Example of health issue email](../../media/defender-identity/health-email.png)
- >[!NOTE]
- >The email provides two links for further details about the issue. You can either go to the **MDI Health Center** or the new **Health Center in M365D**.
+ > [!NOTE]
+ > The email provides two links for further details about the issue. You can either go to the **MDI Health Center** or the new **Health Center in M365D**.
## Alert notifications
Defender for Identity can notify you when it detects suspicious activities by se
1. Enter the following details: - **Sensor** - From the drop-down list, choose the sensor that will send the alerts.
- - **Service endpoint** and **Port** - Enter the IP address or fully qualified domain name (ΓÇïFQDN) for the syslog server and specify the port number.
+ - **Service endpoint** and **Port** - Enter the IP address or fully qualified domain name (FQDN) for the syslog server and specify the port number.
- **Transport** - Select the **Transport** protocol (TCP or UDP). - **Format** - Select the format (RFC 3164 or RFC 5424).
security Api List Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-list-incidents.md
lastUpdateTime | Time when the incident was last updated on the backend.<br /><b
assignedTo | Owner of the incident, or *null* if no owner is assigned. | secop2@contoso.com classification | The specification for the incident. The property values are: *Unknown*, *FalsePositive*, *TruePositive* | Unknown determination | Specifies the determination of the incident. The property values are: *NotAvailable*, *Apt*, *Malware*, *SecurityPersonnel*, *SecurityTesting*, *UnwantedSoftware*, *Other* | NotAvailable
+detectionSource | Specifies source of detection. | MCAS
status | Categorize incidents (as *Active*, or *Resolved*). It can help you organize and manage your response to incidents. | Active severity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.<br /><br />One of the following values: *Informational*, *Low*, *Medium, and *High*. | Medium tags | Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. | \[\]
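Review bot: The new `detectionSource` row says only `Specifies source of detection.` with the example `MCAS`, whereas the neighbouring `classification`, `determination` and `status` rows enumerate their allowed values. List the possible sources (or link to where they are defined) so API callers can filter on the field and know what to expect besides `MCAS`.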
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
Simple queries, such as those that don't use the `project` or `summarize` operat
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as `DeviceId`, you can still return `Timestamp` and `ReportId` by getting it from the most recent event involving each unique `DeviceId`.
+> [!IMPORTANT]
+> Avoid filtering custom detections using the `Timestamp` column. The data used for custom detections is pre-filtered based on the detection frequency.
+ The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ```kusto
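Review bot: The new IMPORTANT note says not to filter on `Timestamp` because the data is `pre-filtered based on the detection frequency`, but does not say what the effective lookback window is for each frequency. State it (or link to where it is defined) so readers understand that a `Timestamp > ago(30d)` clause cannot widen the window and a tighter clause silently drops events, rather than just being told the filter is forbidden.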
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
This article is [Step 2 of 3](eval-defender-office-365-overview.md) in the proce
Use the following steps to enable the evaluation for Microsoft Defender for Office 365. - ![Steps to enable Microsoft Defender for Office 365 in the Microsoft Defender evaluation environment](../../media/defender/m365-defender-office-eval-enable-steps.png) - [Step 1: Activate trial licenses](#step-1-activate-trial-licenses)
Log on to your existing Microsoft Defender for Office 365 environment or tenant
1. Navigate to the administration portal. 2. Select Purchase Services from the quick launch.
+ :::image type="content" source="../../media/mdo-eval/1_m365-purchase-services.png" alt-text="Click Purchase services on the navigation pane of Office 365.":::
-3. Scroll down to the Add-On section (or search for "Defender") to locate the Microsoft Defender for Office 365 plans.
-4. Click Details next the plan you want to evaluate.
+3. Scroll down to the Add-On section (or search for "Defender") to locate the Microsoft Defender for Office 365 plans.
+4. Click Details next the plan you want to evaluate.
+ :::image type="content" source="../../medio-eval-license-details.png" alt-text="Click the Details button, next.":::
5. Click the *Start free trial* link.
+ :::image type="content" source="../../media/mdo-eval/3-m365-purchase-button.png" alt-text="Click the Start free trial *hyperlink* on this panel.":::
6. Confirm your request and click the *Try now* button.
+ :::image type="content" source="../../medio-trial-order.png" alt-text="Now click the Try now *button*.":::
## Step 2: Audit and verify the public MX record
Use the instructions here to activate your Microsoft Defender for Office 365 eva
1. Log on to your tenant with an account that has access to the Microsoft 365 Defender portal. 2. Choose whether you want to make the **Microsoft 365 Defender portal** your default interface for Microsoft Defender for Office 365 administration (recommended).
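Review bot: Two of the four image sources added in Step 1 will not resolve: `../../media/mdo-eval/1_m365-purchase-services.png` and `../../media/mdo-eval/3-m365-purchase-button.png` live under `media/mdo-eval/`, but `../../medio-eval-license-details.png` and `../../medio-trial-order.png` point at non-existent `medio-...` files two levels up (the `media/mdo-eval/` segment was lost). Fix the two paths. Alt text such as `Click the Details button, next.` is an instruction, not a description of the image; alt text should describe what the screenshot shows.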
+ :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Click the Turn on settings button to use the centralized and improved Microsoft 365 Defender portal for administration.":::
3. From the navigation menu, select **Policies & Rules** under *Email & Collaboration*.
+ :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Here's an Email & Collaboration menu picture pointing at Policies & rules. Click that!":::
4. On the *Policy & Rules* dashboard, click **Threat Policies**.
+ :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Picture of the Policy & Rules dashboard and an arrow pointing at Threat policies. Click that next!":::
5. Scroll down to *Additional Policies* and select the **Evaluate Defender for Office 365** tile.
+ :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="The Eval Defender for Office 365 tile saying it's a 30 day trial across email & collaboration vectors. Click through.":::
6. Now choose whether external email routes to Exchange Online directly, or to a third-party gateway or service, and click Next.
+ :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Defender for Office 365 will evaluate mail send to your Exchange Online mailboxes. Give the details of how your mail is routed now, including the name of the outbound connector that routs your mail. If you only use Exchange Online Protection (EOP) you won't have a connector. Choose one of I'm using a 3rd-party or on-premises provider, or I only use EOP.":::
7. If you use a third-party gateway, select the vendor name from the drop-down along with the inbound connector associated with that solution. When you've listed your answers, click Next.
+ :::image type="content" source="../../medio-eval-activate-eval-settings.png" alt-text="In this dialog, you choose the 3rd-party vendor service your organization is using, or select *Other*. In the next dialog down, select the inbound connector. Then click Next.":::
8. Review your settings and click the **Create Evaluation** button.
-| | |
-|||
-| :::image type="content" source="../../medio-eval-activate-complete.png" alt-text="And now the set up is complete. The blue button on this page says 'Go to Evaluation'."::: |
+ |Before|After|
+ |::|::|
+ |:::image type="content" source="../../medio-eval-activate-complete.png" alt-text="And now the set up is complete. The blue button on this page says 'Go to Evaluation'.":::|
+ |
## Next steps
Step 3 of 3: Set up the pilot for Microsoft Defender for Office 365
Return to the overview for [Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md)
-Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)
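Review bot: the same source, `../../medio-eval-activate-eval.png`, is used for five different screenshots (steps 2, 3, 4, 5 and 6) with five different alt texts; at most one of those references can be right, and the `medio-` prefix does not match the `media/mdo-eval/` folder used earlier on the page, so these probably all need the real file names. Within the same hunk: the step 6 alt text tells the reader to give "the name of the outbound connector that routs your mail", while step 7 asks for "the inbound connector associated with that solution"; for a third-party gateway in front of Exchange Online the evaluation needs the connector that delivers mail into the tenant, so the two steps should agree on inbound and "routs" should be "routes" ("mail send to" should be "mail sent to"). The new "Before|After" table declares two columns but the only row has one cell followed by a dangling `|` line, so it will not render; the single completion screenshot does not need a table at all. Steps 1 and 2 run together on one line. The "## Step 2" heading reads "Audit and verify the public MX record", but the steps below it activate the evaluation and say nothing about MX records, so the heading or the content is wrong. Finally, the trailing `-`/`+` pair on "Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)" is byte-identical as shown, presumably a whitespace-only change.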
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can now send templated messages back to end users after they review reported messages. This can be customized for your organization and based on your admin's verdict as well.
+In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.
-This feature is designed to give feedback to your users but does not change the verdicts of messages in the system. To help Microsoft update and improve its filters, you will need to submit messages for analysis using [Admin submission](admin-submission.md).
+The feature is designed to give feedback to your users but doesn't change the verdicts of messages in the system. To help Microsoft update and improve its filters, you need to submit messages for analysis using [Admin submission](admin-submission.md).
You will only be able to mark and notify users of review results if the message was reported as a [false positives or false negatives](report-false-positives-and-false-negatives.md).
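Review bot: since this hunk is already polishing the paragraph, the unchanged last line should be fixed too: "if the message was reported as a [false positives or false negatives]" needs the singular, "as a false positive or false negative". In the rewritten intro, "admins can now send templated messages" dates the page; drop "now". The rewording of "This feature ... does not change the verdicts" to "The feature ... doesn't change the verdicts" is fine and keeps the important caveat that notifying the user is separate from admin submission.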
You will only be able to mark and notify users of review results if the message
- [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell) - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules)
-## Configure the messages used to notify users
+## Notify users from within the portal
+
+1. In the Microsoft 365 Defender portal, go directly to the **Submissions** page: [https://security.microsoft.com/reportsubmission}(https://security.microsoft.com/reportsubmission).
+
+2. Click **User reported messages**, and then select the message you want to mark and notify.
+
+3. Select the **Mark as and notify** drop-down, and then select **No threats found**, **Phishing**, or **Junk**.
+
+ > [!div class="mx-imgBorder"]
+ > ![Send messages from portal](../../media/admin-review-send-message-from-portal.png)
+
+The reported message will be marked as either false positive or false negative, and an email will be automatically sent from within the portal notifying the user who reported the message.
+
+## Customize the messages used to notify users
1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Others** section \> **User reported message settings**.
-2. On the **User submissions** page, if you want to specify the sender display name, check the box for **Specify Office 365 email address to use as sender** under the **Email notifications for admin review results** section, and enter in the name you wish to use. This is the email address that will be visible in Outlook and where replies will go to.
+2. On the **User submissions** page, if you want to specify the sender display name, check the box for **Specify Office 365 email address to use as sender** under the **Email notifications for admin review results** section, and enter in the name you wish to use. The email address that will be visible in Outlook and all the replies will go there.
+
+3. If you want to customize any of the templates, click **Customize email notification** at the bottom of the page. In the flyout that opens, you can customize only the following:
-3. If you want to customize any of the templates, click **Customize email notification**. In this flyout, you will be able to customize only the following:
- Phishing - Junk - No threats found
- - Awareness training
- Footer
+ > [!div class="mx-imgBorder"]
+ > ![Customize messages send to users](../../media/admin-review-customize-message.png)
+ 4. When you're finished, click **Save**. To clear these values, click **Discard** on the User submissions page.
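Review bot: the link added in step 1 of "Notify users from within the portal" is malformed: `[https://security.microsoft.com/reportsubmission}(https://security.microsoft.com/reportsubmission)` closes the link text with `}` instead of `]`, so it will render as literal text; it should be `[https://security.microsoft.com/reportsubmission](https://security.microsoft.com/reportsubmission)`. The rewritten second sentence in step 2 of "Customize the messages used to notify users" ("The email address that will be visible in Outlook and all the replies will go there.") is a fragment, and the line it replaces ("This is the email address that will be visible in Outlook and where replies will go to.") said it correctly; keep the old wording. That same step says "specify the sender display name" but the checkbox it names is "Specify Office 365 email address to use as sender"; say which one is being set, and since user replies land in that mailbox it is worth a sentence telling admins to pick a monitored address. The new paragraph "The reported message will be marked as either false positive or false negative" should say which of the three verdicts (No threats found, Phishing, Junk) produces which mark, as that is what the reader needs to predict the outcome. The new step 4 line is indented one space deeper than steps 1 to 3, which can break the numbered list.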
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
For all actions, the recipients specified in the **User restricted from sending email** alert policy (and in the now redundant **Notify these users and groups if a sender is blocked due to sending outbound spam** setting later on this page) receive email notifications. - **Restrict the user from sending mail until the following day**: This is the default value. Email notifications are sent, and the user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block.
- - The activity alert named **User restricted from sending email** notifies admins (via email and on the **View alerts** page).
+ - The alert policy named **User restricted from sending email** notifies admins (via email and on the **Incidents & alerts** \> **View alerts** page).
- Any recipients specified in the **Notify specific people if a sender is blocked due to sending outbound spam** setting in the policy are also notified. - The user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block. - **Restrict the user from sending mail**: Email notifications are sent, the user is added to **Restricted users** <https://security.microsoft.com/restrictedusers> in the Microsoft 365 Defender portal, and the user can't send email until they're removed from **Restricted users** by an admin. After an admin removes the user from the list, the user won't be restricted again for that day. For instructions, see [Removing a user from the Restricted Users portal after sending spam email](removing-user-from-restricted-users-portal-after-spam.md).
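Review bot: this section refers to the same policy setting under two different names: the first context line calls it "Notify these users and groups if a sender is blocked due to sending outbound spam" (and marks it "now redundant"), while the action bullets say "Notify specific people if a sender is blocked due to sending outbound spam"; use the label the portal shows, once. The "Restrict the user from sending mail until the following day" bullet also repeats "The user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block" from the parent bullet; one copy is enough. The new navigation path "**Incidents & alerts** \> **View alerts**" replaces "activity alert" with "alert policy" correctly; the **Restricted users** link in the next bullet could use the same link style for consistency.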
security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md
Title: Office 365 Security, Microsoft Defender for Office 365, EOP, MSDO
+ Title: Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection
Previously updated : 06/11/2021 Last updated : 07/21/2021 audience: Admin - localization_priority: Normal search.appverid: - MET150
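Review bot: the new title "Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection" is 94 characters, which is long for a page title (search results truncate titles at roughly 60 characters), and it drops the "EOP" and "MSDO" abbreviations that people actually search for; consider a shorter title and keeping the abbreviations in the description or keywords. Also note the removed title line is shown without a `-` marker in this rendering, so it is hard to tell from the page alone that it was replaced rather than added to.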
security Turn On Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams.md
For detailed syntax and parameter information, see [Set-SPOTenant](/powershell/m
## Step 3 (Recommended) Use the Microsoft 365 Defender portal to create an alert policy for detected files
-You can create an alert policy that notifies you and other admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alerts, see [Create activity alerts in the Microsoft 365 Defender portal](../../compliance/create-activity-alerts.md).
+You can create an alert policy that notifies you and other admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alerts, see [Alert policies](../../compliance/alert-policies.md).
1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Alert policy** or open <https://security.microsoft.com/alertpolicies>.
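Review bot: the heading "Step 3 (Recommended) Use the Microsoft 365 Defender portal to create an alert policy for detected files" needs punctuation after the parenthetical, for example "Step 3 (Recommended): Use ...". The link change itself is right: step 1 navigates to **Policies & rules** \> **Alert policy**, which creates alert policies, so pointing the "learn more" link at `alert-policies.md` rather than the activity-alerts article matches the procedure that follows.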