| Category | Microsoft Docs article | Related commit history on GitHub | Change details |
|---|---|---|---|
| compliance | Create A Report On Holds In Ediscovery Cases | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-report-on-holds-in-ediscovery-cases.md | After you've connected to Security & Compliance PowerShell, the next step is to if($cc.status -eq 'Closed') { $cmembers = ((Get-ComplianceCaseMember -Case $cc.name).windowsLiveID)-join ';'- add-tocasereport -casename $cc.name -casestatus -casetype $cc.casetype $cc.Status -caseclosedby $cc.closedby -caseClosedDateTime $cc.ClosedDateTime -casemembers $cmembers + add-tocasereport -casename $cc.name -casestatus $cc.Status -casetype $cc.casetype -caseclosedby $cc.closedby -caseClosedDateTime $cc.ClosedDateTime -casemembers $cmembers } else{ $cmembers = ((Get-ComplianceCaseMember -Case $cc.name).windowsLiveID)-join ';' |
| security | Indicator Manage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md | description|String| Description of the indicator. **Required** expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. **Optional** severity|Enum|The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** recommendedActions|String|TI indicator alert recommended actions. **Optional**-rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional** +rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to. **Optional** category|String|Category of the alert. Examples include: Execution and credential access. **Optional** mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique. GenerateAlert|String|Whether the alert should be generated. Possible Values are: True or False. **Optional** |
| security | Anti Spam Message Headers | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-message-headers.md | The individual fields and values are described in the following table. |Field|Description| ||| |`ARC`|The `ARC` protocol has the following fields: <ul><li>`AAR`: Records the content of the **Authentication-results** header from DMARC.</li><li>`AMS`: Includes cryptographic signatures of the message.</li><li>`AS`: Includes cryptographic signatures of the message headers. This field contains a tag of a chain validation called `"cv="`, which includes the outcome of the chain validation as **none**, **pass**, or **fail**.</li></ul>|-|`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`OSPM`: Outbound spam</li></ul> <p> An inbound message may be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).| +|`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`FTBP`: Anti-malware filetype policy</li><li>`OSPM`: Outbound spam</li></ul> <p> An inbound message may be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).| |`CIP:[IP address]`|The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).| |`CTRY`|The source country as determined by the connecting IP address, which may not be the same as the originating sending IP address.| |`H:[helostring]`|The HELO or EHLO string of the connecting email server.| |