Updates from: 07/24/2021 03:11:02
Category Microsoft Docs article Related commit history on GitHub Change details
admin Manage Addins In The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-addins-in-the-admin-center.md
You can also delete an add-in that was deployed.
1. In the admin center, go to the **Settings** > **Services & add-ins** page. > [!NOTE]
- > The admin center is getting updated to deployment experience with Integrated Apps . If you don't see the above steps, go to Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
+ > You can also deploy add-ins in the admin center through [Integrated Apps](test-and-deploy-microsoft-365-apps.md). Integrated Apps is visible to Global and Exchange administrators. If you don't see the above steps, go to the Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
2. Select the deployed add-in.
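Review bot: The replacement note's first sentence ("You can also deploy add-ins in the admin center through Integrated Apps") is out of place in a procedure whose purpose is deleting a deployed add-in; open instead with the navigation point the remaining sentences make (the Centralized Deployment pages are also reachable under **Settings** > **Integrated apps** > **Add-ins**) so the note reads as a "where to find it" aside rather than a deployment tip. The identical note is pasted into three procedures in this file; a single shared include would keep them from drifting apart on the next edit.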
Post deployment, admins can also manage user access to add-ins.
1. In the admin center, go to the **Settings** > **Services & add-ins** page. > [!NOTE]
- > The admin center is getting updated to deployment experience with Integrated Apps . If you don't see the above steps, go to Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
+ > You can also deploy add-ins in the admin center through [Integrated Apps](test-and-deploy-microsoft-365-apps.md). Integrated Apps is visible to Global and Exchange administrators. If you don't see the above steps, go to the Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
+ 2. Select the deployed add-in.
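Review bot: "If you don't see the above steps" is ambiguous now that only one step precedes the note; say what may be missing (the **Services & add-ins** page under **Settings**), since that is the cue the reader should act on. The restored "2. Select the deployed add-in." line is correct for this "manage user access" procedure, but confirm the numbering continues from it below the visible lines.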
As an organization you may wish to prevent the download of new Office add-ins fr
1. In the admin center, go to the **Settings** \> [Services & add-ins](https://go.microsoft.com/fwlink/p/?linkid=2053743) page. > [!NOTE]
- > The admin center is getting updated to deployment experience with Integrated Apps. If you don't see the above steps, go to Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
+ > You can also deploy add-ins in the admin center through [Integrated Apps](test-and-deploy-microsoft-365-apps.md). Integrated Apps is visible to Global and Exchange administrators. If you don't see the above steps, go to the Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
+ 3. Select **User owned apps and services**.
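Review bot: The added "3. Select **User owned apps and services**." follows step 1 with no step 2 visible in this hunk, while the two procedures above restore "2. Select the deployed add-in." as part of the same edit; check whether a step 2 was lost when the note was rewritten, or renumber this line to 2.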
admin Manage Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-deployment-of-add-ins.md
Before you begin, see [Determine if Centralized Deployment of add-ins works for
2. Select **Deploy Add-in** at the top of the page, and then select **Next**. > [!NOTE]
- > The admin center is getting updated to deployment experience with Integrated Apps. Integrated Apps is only visible to Global administrators, while for others the old experience still exists. If you don't see the above steps, go to the Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
+ > You can also deploy add-ins in the admin center through [Integrated Apps](test-and-deploy-microsoft-365-apps.md). Integrated Apps is visible to Global and Exchange administrators. If you don't see the above steps, go to the Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
3. Select an option and follow the instructions.
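Review bot: The removed note told readers that the old experience still exists for admins other than Global administrators; the replacement widens visibility to "Global and Exchange administrators" but no longer says what other roles see, so add a clause such as "other admins continue to use **Services & add-ins**" before the "If you don't see the above steps" sentence. Also confirm that the relative link `test-and-deploy-microsoft-365-apps.md` resolves from this file's folder (`admin/manage/`).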
admin Content Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/content-collaboration.md
Understand how many users are attaching physical files in email rather than link
:::image type="content" source="../../media/emailattachments.png" alt-text="Use of email attachments.":::
-1. **Header:** Highlights the percentage of people who use attachments in emails that were not saved to OneDrive or SharePoint.
+1. **Header:** Highlights the percentage of people who use attachments in emails that were not saved to online files.
2. **Body:** Provides information about the value of sharing links to online files from a collaboration and security perspective.
-3. **Visualization:** The breakdown in the visualization is meant to represent the extent to which people who are attaching content in emails are using different modes (files not on OneDrive or SharePoint; links to online files; and links embedded in the email):
+3. **Visualization:** The breakdown in the visualization is meant to represent the extent to which people who are attaching content in emails are using different modes (files not saved to online files, links to online files):
- **Attach files:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represents the percentage of people using attachments in emails.
- - Numerator: The number of people who attach files to email that weren't saved to OneDrive or SharePoint within the last 28 days.
- - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
+ - Numerator: The number of people who attach files to email that weren't saved to online file within the last 28 days.
+ - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
- **Links to online files:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people using attachments and attaching links to files in emails. - Numerator: The number of people attaching links to online files to emails within the last 28 days.
- - Denominator: The number of people who have access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
+ - Denominator: The number of people who have access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
4. **Link to resources:** Select this link to view help content. ### Sharing of online files
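Review bot: In the Numerator line "weren't saved to online file within the last 28 days" should read "online files" to match the wording introduced in the **Header** item. The rewritten **Visualization** item now lists two modes, but the **Links to online files** bullet still describes "people using attachments and attaching links to files" as one group; state whether the numerator counts link senders only (as its Numerator line says) so the two descriptions agree. The two Denominator lines that appear as both `-` and `+` with identical text look like whitespace-only changes; fine, but worth confirming nothing else differs.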
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
description: "Create alert policies in the Microsoft 365 compliance center or the Microsoft 365 Defender portal to monitor potential threats, data loss, and permissions issues."
-# Alert policies in the Microsoft 365
+# Alert policies in Microsoft 365
You can use the alert policy and alert dashboard tools in the Microsoft 365 compliance center or the Microsoft 365 Defender portal to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy. There are several default alert policies that help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.
compliance Dlp Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoints-vdi.md
description: Deploy the configuration package on virtual desktop infrastructure
-# Onboard non-persistent virtual desktop infrastructure (VDI) devices
+# Onboard non-persistent virtual desktop infrastructure devices
**Applies to:** - [Microsoft 365 Endpoint data loss prevention (DLP)](./endpoint-dlp-learn-about.md)
description: Deploy the configuration package on virtual desktop infrastructure
## Onboard VDI devices
-Microsoft 365 Endpoint data loss prevention supports non-persistent VDI session onboarding.
+Microsoft 365 Endpoint data loss prevention supports non-persistent virtual desktop infrastructure (VDI) session onboarding.
> [!NOTE] > To onboard non-persistent VDI sessions, VDI devices must be on Windows 10 1809 or higher.
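Review bot: Dropping "(VDI)" from the H1 leaves the acronym undefined where it is first used, in the "## Onboard VDI devices" heading and in the note "VDI devices must be on Windows 10 1809 or higher", before the expansion that the `+` body line adds; either keep "(VDI)" in the title or expand it in the H2 instead.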
compliance Ediscovery Decryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-decryption.md
Prior to this new capability, only the content of an email message protected by
Microsoft eDiscovery tools support items encrypted with Microsoft encryption technologies. These technologies are Azure Rights Management and Microsoft Information Protection (specifically sensitivity labels). For more information about Microsoft encryption technologies, see [Encryption](encryption.md). Content encrypted by third-party encryption technologies isn't supported. For example, previewing or exporting content encrypted with non-Microsoft technologies isn't supported.
+> [!NOTE]
+> The decryption of email messages encrypted with Office 365 Message Encryption (OME) is not supported by Microsoft eDiscovery tools.
+ ## eDiscovery activities that support encrypted items The following table identifies the supported tasks that can be performed in Microsoft 365 eDiscovery tools on encrypted files attached to email messages and encrypted documents in SharePoint and OneDrive. These supported tasks can be performed on encrypted files that match the criteria of a search. A value of `N/A` indicates the functionality isn't available in the corresponding eDiscovery tool.
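Review bot: The new note states that messages encrypted with Office 365 Message Encryption are not supported, but the paragraph directly above says items encrypted with Microsoft encryption technologies, Azure Rights Management among them, are supported and that only third-party encryption is unsupported; the two read as contradictory unless the paragraph names the OME exception as well ("Microsoft encryption technologies, with the exception of OME-encrypted messages noted below"). The `+ ## eDiscovery activities that support encrypted items` line also runs the heading into the following paragraph; make sure a line break separates them.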
compliance Hold Distribution Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/hold-distribution-errors.md
To reduce the number of errors related to eDiscovery holds, we recommend the fol
- Check whether a hold policy is pending before you make any further updates to it. Run the following commands or save them to a PowerShell script. ```powershell
- $status = Get-CaseHoldPolicy -Identity <policyname>
+ $status = Get-CaseHoldPolicy -Identity <policyname> -DistributionDetail
if($status.DistributionStatus -ne "Pending"){ # policy no longer pending Set-CaseHoldPolicy -Identity <policyname> -AddExchangeLocation $user1
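Review bot: The `-DistributionDetail` switch is added to `Get-CaseHoldPolicy`, but the lead-in sentence ("Check whether a hold policy is pending before you make any further updates to it") does not explain why the switch is required for the `$status.DistributionStatus -ne "Pending"` test that follows; readers who copy only the command will omit it, so add one sentence stating its purpose. Two smaller points in the snippet: `<policyname>` is repeated in both `Get-CaseHoldPolicy` and `Set-CaseHoldPolicy`, so assign it to a variable once, and the `if` block opened here is not closed in the visible lines.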
compliance Identify A Hold On An Exchange Online Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/identify-a-hold-on-an-exchange-online-mailbox.md
Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds
The following table describes how to identify different types of holds based on the values in the *InPlaceHolds* property when you run the **Get-Mailbox** cmdlet.
-|Hold type |Example value |How to identify the hold |
-||||
-|Litigation Hold | `True` | Litigation Hold is enabled for a mailbox when the *LitigationHoldEnabled* property is set to `True`. |
-|eDiscovery hold | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` | The *InPlaceHolds property* contains the GUID of any hold associated with an eDiscovery case in the security and compliance center. You can tell this is an eDiscovery hold because the GUID starts with the `UniH` prefix (which denotes a Unified Hold). |
-|In-Place Hold | `c0ba3ce811b6432a8751430937152491` <br/> or <br/> `cld9c0a984ca74b457fbe4504bf7d3e00de` | The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID either doesn't start with a prefix or it starts with the `cld` prefix. |
-|Microsoft 365 retention policy specifically applied to the mailbox | `mbxcdbbb86ce60342489bff371876e7f224:1` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f:3` | The InPlaceHolds property contains GUIDs of any specific location retention policy that's applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` or the `skp` prefix. The `skp` prefix indicates that the retention policy is applied to Skype for Business conversations in the user's mailbox. |
-|Excluded from an organization-wide Microsoft 365 retention policy | `-mbxe9b52bf7ab3b46a286308ecb29624696` | If a mailbox is excluded from an organization-wide Microsoft 365 retention policy, the GUID for the retention policy that the mailbox is excluded from is displayed in the InPlaceHolds property and is identified by the `-mbx` prefix. |
+| Hold type | Example value | How to identify the hold |
+| | - | -- |
+| Litigation Hold | `True` | Litigation Hold is enabled for a mailbox when the *LitigationHoldEnabled* property is set to `True`. |
+| eDiscovery hold | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` | The *InPlaceHolds property* contains the GUID of any hold associated with an eDiscovery case in the security and compliance center. You can tell this is an eDiscovery hold because the GUID starts with the `UniH` prefix (which denotes a Unified Hold). |
+| In-Place Hold | `c0ba3ce811b6432a8751430937152491` <br/> or <br/> `cld9c0a984ca74b457fbe4504bf7d3e00de` | The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID either doesn't start with a prefix or it starts with the `cld` prefix. |
+| Microsoft 365 retention policy specifically applied to the mailbox | `mbxcdbbb86ce60342489bff371876e7f224:1` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f:3` | The InPlaceHolds property contains GUIDs of any specific location retention policy that's applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` or the `skp` prefix. The `skp` prefix indicates that the retention policy is applied to Skype for Business conversations in the user's mailbox. |
+| Excluded from an organization-wide Microsoft 365 retention policy | `-mbxe9b52bf7ab3b46a286308ecb29624696` | If a mailbox is excluded from an organization-wide Microsoft 365 retention policy, the GUID for the retention policy that the mailbox is excluded from is displayed in the InPlaceHolds property and is identified by the `-mbx` prefix. |
### Get-OrganizationConfig If the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still may be one or more organization-wide Microsoft 365 retention policies applied to the mailbox. Run the following command in Exchange Online PowerShell to get a list of GUIDs for organization-wide Microsoft 365 retention policies.
Get-OrganizationConfig | FL InPlaceHolds
The following table describes the different types of organization-wide holds and how to identify each type based on the GUIDs contained in *InPlaceHolds* property when you run the **Get-OrganizationConfig** cmdlet.
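Review bot: The new delimiter row `| | - | -- |` leaves the first cell empty; every cell in a Markdown table delimiter row needs at least one dash (`| - | - | - |`), otherwise strict parsers will not recognize the header row and the whole table falls back to plain text. Otherwise the reformat is a whitespace-only change to the rows, which look correct.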
-|Hold type |Example value |Description |
-||||
-|Microsoft 365 retention policies applied to Exchange mailboxes, Exchange public folders, and Teams chats | `mbx7cfb30345d454ac0a989ab3041051209:2` | Organization-wide retention policies applied to Exchange mailboxes, Exchange public folders, and 1xN chats in Microsoft Teams are identified by GUIDs that start with the `mbx` prefix. Note 1xN chats are stored in the mailbox of the individual chat participants. |
-|Microsoft 365 retention policy applied to Microsoft 365 Groups and Teams channel messages | `grp1a0a132ee8944501a4bb6a452ec31171:3` | Organization-wide retention policies applied to Microsoft 365 groups and channel messages in Microsoft Teams are identified by GUIDs that start with the `grp` prefix. Note channel messages are stored in the group mailbox that is associated with a Microsoft Team. |
+| Hold type | Example value | Description |
+| -- | | - |
+| Microsoft 365 retention policies applied to Exchange mailboxes, Exchange public folders, and Teams chats | `mbx7cfb30345d454ac0a989ab3041051209:2` | Organization-wide retention policies applied to Exchange mailboxes, Exchange public folders, and 1xN chats in Microsoft Teams are identified by GUIDs that start with the `mbx` prefix. Note 1xN chats are stored in the mailbox of the individual chat participants. |
+| Microsoft 365 retention policy applied to Microsoft 365 Groups and Teams channel messages | `grp1a0a132ee8944501a4bb6a452ec31171:3` | Organization-wide retention policies applied to Microsoft 365 groups and channel messages in Microsoft Teams are identified by GUIDs that start with the `grp` prefix. Note channel messages are stored in the group mailbox that is associated with a Microsoft Team. |
For more information about retention policies applied to Microsoft Teams, see [Learn about retention policies for Microsoft Teams](retention-policies-teams.md).
In addition to the prefix (mbx, skp, or grp) that identifies an item in the InPl
The following table defines the three possible retention actions:
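Review bot: Same delimiter problem as the previous table: `| -- | | - |` has an empty middle cell, so use a dash in all three cells (`| - | - | - |`). The row content itself is unchanged apart from spacing.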
-|Value |Description |
-|||
-|**1** | Indicates that the retention policy is configured to delete items. The policy doesn't retain items. |
-|**2** | Indicates that the retention policy is configured to hold items. The policy doesn't delete items after the retention period expires. |
-|**3** | Indicates that the retention policy is configured to hold items and then delete them after the retention period expires. |
+| Value | Description |
+| -- | |
+| **1** | Indicates that the retention policy is configured to delete items. The policy doesn't retain items. |
+| **2** | Indicates that the retention policy is configured to hold items. The policy doesn't delete items after the retention period expires. |
+| **3** | Indicates that the retention policy is configured to hold items and then delete them after the retention period expires. |
For more information about retention actions, see the [Retaining content for a specific period of time](create-retention-policies.md#retaining-content-for-a-specific-period-of-time) section.
Keep the following things in mind when managing a mailbox on delay hold:
- As previous stated, a mailbox is considered to be on hold for an unlimited hold duration if either the DelayHoldApplied or DelayReleaseHoldApplied property is set to **True**. However, that doesn't mean that *all* content in the mailbox is preserved. It depends on the value that's set to each property. For example, let's say both properties are set to **True** because holds are removed from the mailbox. Then you remove only the delay hold that's applied to non-Outlook cloud data (by using the *RemoveDelayReleaseHoldApplied* parameter). The next time the Managed Folder Assistant processes the mailbox, the non-Outlook items marked for removal are purged. Any Outlook items marked for removal won't be purged because the DelayHoldApplied property is still set to **True**. The opposite would also be true: if DelayHoldApplied is set to **False** and DelayReleaseHoldApplied is set to **True**, then only Outlook items marked for removal would be purged.
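Review bot: The delimiter row `| -- | |` has an empty second cell; write it as `| - | - |` so the table renders. Also, the unchanged paragraph below opens with "As previous stated", which should be "As previously stated" if this hunk is touched again.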
+## How to confirm that an organization-wide retention policy is applied to a mailbox
+
+When an organization-wide retention policy is applied or removed to a mailbox, exporting the mailbox diagnostics logs can help you be certain that Exchange Online has actually applied or removed the retention policy to the mailbox. To view this information, you first need to validate a few things using [Exchange Online Powershell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+### Obtain the GUIDs for any retention policies explicitly applied to a mailbox
+
+```powershell
+Get-Mailbox <username> | Select-Object -ExpandProperty InPlaceHolds
+```
+
+### Obtain the GUIDs for any organization-wide retention policies appled to mailboxes
+
+```powershell
+Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds
+```
+
+### Get the Mailbox Diagnostics for HoldTracking
+
+The Hold Tracking Mailbox Diagnostics logs maintain a history of the holds applied to a user mailbox.
+
+```powershell
+$ht = Export-MailboxDiagnosticLogs <username> -ComponentName HoldTracking
+$ht.MailboxLog | Convertfrom-Json
+```
+
+### Review the results of the Mailbox Diagnostics logs
+
+If you gather data from the previous step, the resulting data may look something like this:
+
+> **ed**` : 0001-01-01T00:00:00.0000000`
+> **hid**` : mbx7cfb30345d454ac0a989ab3041051209:1`
+> **ht**` : 4`
+> **lsd**` : 2020-03-23T18:24:37.1884606Z`
+> **osd**` : 2020-03-23T18:24:37.1884606Z`
+
+Use the following table to help you understand each of the previous values listed in the diagnostics log.
+
+| Value | Description |
+|:- |:-- |
+| **ed** | Indicates the End date, which is the date the retention policy was disabled. MinValue means the policy is still assigned to the mailbox. |
+| **hid** | Indicates the GUID for the retention policy. This value will correlate to the GUIDs that you collected for the explicit or organization-wide retention policies assigned to the mailbox.|
+| **lsd** | Indicates the Last start date, which is the date the retention policy was assigned to the mailbox.|
+| **osd** | Indicates the Original start date, which is the date that Exchange first recorded information about the retention policy. |
+|||
+
+When a retention policy is no longer applied to a mailbox, we will place a temporary delay hold on the user to prevent purging content. A delay hold can be disabled by running the `Set-Mailbox -RemoveDelayHoldApplied` command.
+ ## Next steps After you identify the holds that are applied to a mailbox, you can perform tasks such as changing the duration of the hold, temporarily or permanently removing the hold, or excluding an inactive mailbox from a Microsoft 365 retention policy. For more information about performing tasks related to holds, see one of the following topics:
After you identify the holds that are applied to a mailbox, you can perform task
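Review bot: The sample diagnostics output lists an `ht : 4` field, but the explanatory table has rows only for `ed`, `hid`, `lsd` and `osd`; either add an `ht` row or remove the field from the sample so readers are not left guessing what the value means. In the `ed` row, tie "MinValue" to the literal shown (`0001-01-01T00:00:00.0000000`), since that is what the reader will see. The closing paragraph runs `Set-Mailbox -RemoveDelayHoldApplied` without an `-Identity` argument, and the earlier delay-hold paragraph in this article describes a second property, DelayReleaseHoldApplied, with its own `RemoveDelayReleaseHoldApplied` parameter, so the paragraph should name both or point back to that section. Smaller fixes: "appled" in the H3, "Powershell" (product name is PowerShell), `Convertfrom-Json` (cmdlet is `ConvertFrom-Json`), "applied or removed to a mailbox" should be "applied to or removed from a mailbox", the trailing `|||` row in the table renders as an empty row, and the `+ ## Next steps` line runs the heading into the paragraph that follows.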
- [Delete an inactive mailbox](delete-an-inactive-mailbox.md) -- [Delete items in the Recoverable Items folder of cloud-based mailboxes on hold](delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md)
+- [Delete items in the Recoverable Items folder of cloud-based mailboxes on hold](delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md)
compliance Non Custodial Data Sources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/non-custodial-data-sources.md
Follow these steps to add and manage non-custodial data sources in an Advanced e
- **Exchange** - Click **Edit** to add mailboxes. Type a name or alias (a minimum of three characters) in the search box for mailboxes or distribution groups. Select the mailboxes that you want to add as non-custodian data sources and click **Add**. > [!NOTE]
- > You can use the **SharePoint** and **Exchange** sections to add sites and mailboxes associated with a Team or Yammer group as non-custodial data sources. You have to separately add the mailbox and site associated with a Team or Yammer group.
+ > You can use the **SharePoint** and **Exchange** sections to add sites and mailboxes associated with a Team or Yammer group as non-custodial data sources. You have to separately add the mailbox and site associated with a Team or Yammer group.<br/><br/> Also, adding a root site URL (such as `https://contoso-my.sharepoint.com/personal/` or `https://contoso-my.sharepoint.com/`) as a SharePoint data source isn't supported. You have to add specific sites.
4. After you add non-custodial data sources, you have the option to place those locations on hold or not. Select or unselect the **Hold** checkbox next to the data source to place it on hold.
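Review bot: The second example URL in the added sentence, `https://contoso-my.sharepoint.com/`, is the same OneDrive (`-my`) host as the first example, so the sentence illustrates only personal-site roots even though it is about SharePoint data sources in general; consider showing the tenant root (for example `https://contoso.sharepoint.com/`) as the second case. Using `<br/><br/>` for the paragraph break inside the note is fragile in Markdown; a second `>` line is the usual form in these docs.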
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
With retention labels, you can:
- Specific keywords that match a query you create. - Pattern matches for a trainable classifier. -- **Start the retention period from when the content was labeled** for documents in SharePoint sites and OneDrive accounts, and to email items with the exception of calendar items. If you apply a retention label with this configuration to a calendar item, the retention period starts from when it is sent.
+- **Start the retention period from when the content was labeled** for documents in SharePoint sites and OneDrive accounts, and to email items except calendar items. If you apply a retention label with this configuration to a calendar item, the retention period starts from when it is sent.
- **Start the retention period when an event occurs**, such as employees leave the organization, or contracts expire.
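Review bot: The rewritten bullet still has mismatched prepositions, "**for** documents in SharePoint sites and OneDrive accounts, and **to** email items except calendar items"; use "for" in both places. Otherwise "except calendar items" is a clean simplification of the removed wording.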
Use the following flow to understand the retention and deletion outcomes for a s
> If you are using retention labels: Before using this flow to determine the outcome of multiple retention settings on the same item, make sure you know [which retention label is applied](#only-one-retention-label-at-a-time). ![Diagram of the principles of retention](../media/principles-of-retention.png)
-
+
+Before explaining each principle in more detail, it's important to understand the difference between the retention period for the item vs. the specified retention period in the retention policy or retention label. That's because although the default configuration is to start the retention period when an item is created, so that the end of the retention period is fixed for the item, files also support the configuration to start the retention period from when the file is last modified. With this alternative configuration, every time the file is modified, the start of the retention period is reset, which extends the end of the retention period for the item. Retention labels also support starting the retention period when labeled and at the start of an event.
+ Explanation for the four different principles: 1. **Retention wins over deletion.** Content won't be permanently deleted when it also has retention settings to retain it. While this principle ensures that content is preserved for compliance reasons, the delete process is still initiated and can remove the content from user view and searches. For SharePoint, for example, a document moves from the original folder to the Preservation Holds folder. However, permanent deletion is suspended. For more information about how and where content is retained, use the following links for each workload:
Explanation for the four different principles:
- [How retention works with Yammer](retention-policies-yammer.md#how-retention-works-with-yammer) - [How retention works for Exchange](retention-policies-exchange.md#how-retention-works-for-exchange)
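Review bot: The added `+ Explanation for the four different principles: 1. **Retention wins over deletion.** …` line appears to be a whitespace-only change, but in this view it duplicates the "Explanation for the four different principles:" sentence shown as unchanged context directly below it; confirm the intro sentence is not rendered twice. The new paragraph defining "retention period for the item" versus the configured period is the right place to anchor the two exception notes added later in this file, so consider naming the term explicitly ("the retention period for the item") where those notes are written.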
- Example: An email message is subject to a retention policy for Exchange that is configured to delete items after three years and it also has a retention label applied that is configured to retain items for five years.
+ **Example for this first principle**: An email message is subject to a retention policy for Exchange that is configured to delete items three years after they are created, and it also has a retention label applied that is configured to retain items five years after they are created.
The email message is retained for five years because this retention action takes precedence over deletion. The email message is permanently deleted at the end of the five years because of the delete action that was suspended while the retention action was in effect. 2. **The longest retention period wins.** If content is subject to multiple retention settings that retain content for different periods of time, the content will be retained until the end of the longest retention period for the item.
- Example: Documents in the Marketing SharePoint site are subject to two retention policies. The first retention policy is configured for all SharePoint sites to retain items for five years. The second retention policy is configured for specific SharePoint sites to retain items for ten years.
+ > [!NOTE]
+ > It's possible for a retention period of 5 years in a retention policy or label wins over a retention period of 7 years in a retention policy or label, because the 5-year period is configured to start based on when the file is last modified, and the 7-year period is configured to start from when the file is created.
- Documents in this Marketing SharePoint site are retained for ten years because that's the longest retention period.
+ **Example for this second principle**: Documents in the Marketing SharePoint site are subject to two retention policies. The first retention policy is configured for all SharePoint sites to retain items for five years after they are created. The second retention policy is configured for specific SharePoint sites to retain items for ten years after they are created.
+
+ Documents in this Marketing SharePoint site are retained for ten years because that's the longest retention period for the item.
3. **Explicit wins over implicit for deletions.** With conflicts now resolved for retention, only conflicts for deletions remain: 1. A retention label (however it was applied) provides explicit retention in comparison with retention policies, because the retention settings are applied to an individual item rather than implicitly assigned from a container. This means that a delete action from a retention label always takes precedence over a delete action from any retention policy.
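Review bot: Grammar in the added note: "It's possible for a retention period of 5 years … wins over a retention period of 7 years" should be "to win over". The note also describes an exception to "The longest retention period wins" without saying why it is not really an exception: the comparison is between retention periods for the item (reset on each modification for a last-modified start), which is the distinction the new paragraph above the principles introduces, so tie the note to that term. The note uses numerals ("5 years", "7 years") while the surrounding examples spell out "five" and "ten"; pick one style.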
- Example: A document is subject to two retention policies that have a delete action of five years and ten years respectively, and also a retention label that has a delete action of seven years.
+ **Example for this third principle (label)**: A document is subject to two retention policies that have a delete action of five years and ten years respectively, and also a retention label that has a delete action of seven years.
The document is permanently deleted after seven years because the delete action from the retention label takes precedence. 2. When you have retention policies only: If a retention policy for a location is scoped to use an include configuration (such as specific users for Exchange email) that retention policy takes precedence over unscoped retention policies for the same location.
- An unscoped retention policy is where a location is selected without specifying specific instances. For example, **Exchange email** and the default setting of **All recipients** is an unscoped retention policy. Or, **SharePoint sites** and the default setting of **All sites**. When retention policies are scoped, they have equal precedence at this level.
+ An unscoped retention policy is where a location is selected without specifying specific instances. For example, Exchange email and the default setting of all recipients is an unscoped retention policy. Or, SharePoint sites and the default setting of all sites. When retention policies are scoped, they have equal precedence at this level.
- Example 1: An email message is subject to two retention policies. The first retention policy is unscoped and deletes items after ten years. The second retention policy is scoped to specific mailboxes and deletes items after five years.
+ **Example 1 for this third principle (policies)**: An email message is subject to two retention policies. The first retention policy is unscoped and deletes items after ten years. The second retention policy is scoped to specific mailboxes and deletes items after five years.
The email message is permanently deleted after five years because the deletion action from the scoped retention policy takes precedence over the unscoped retention policy.
- Example 2: A document in a user's OneDrive account is subject to two retention policies. The first retention policy is scoped to include this user's OneDrive account and has a delete action after 10 years. The second retention policy is scoped to include this user's OneDrive account and has a delete action after seven years.
+ **Example 2 for this third principle (policies)**: A document in a user's OneDrive account is subject to two retention policies. The first retention policy is scoped to include this user's OneDrive account and has a delete action after 10 years. The second retention policy is scoped to include this user's OneDrive account and has a delete action after seven years.
When this document will be permanently deleted can't be determined at this level because both retention policies are scoped. 4. **The shortest deletion period wins.** Applicable to determine when items will be deleted from retention policies and the outcome couldn't be resolved from the previous level: Content is permanently deleted at the end of the shortest retention period for the item.
- Example: A document in a user's OneDrive account is subject to two retention policies. The first retention policy is scoped to include this user's OneDrive account and has a delete action after 10 years. The second retention policy is scoped to include this user's OneDrive account and has a delete action after seven years.
+ > [!NOTE]
+ > It's possible that a retention policy that has a retention period of 7 years wins over a retention policy of 5 years because the first policy is configured to start the retention period based on when the file is created, and the second retention policy from when the file is last modified.
+
+ **Example for this fourth principle**: A document in a user's OneDrive account is subject to two retention policies. The first retention policy is scoped to include this user's OneDrive account and has a delete action of 10 years after the file is created. The second retention policy is scoped to include this user's OneDrive account and has a delete action of seven years after the file is created.
- This document will be permanently deleted after seven years because that's the shortest retention period for these two scoped retention policies.
+ This document will be permanently deleted after seven years because that's the shortest retention period for the item from these two scoped retention policies.
+
+Items subject to eDiscovery hold also fall under the first principle of retention; they cannot be permanently deleted by any retention policy or retention label. When that hold is released, the principles of retention continue to apply to them. For example, they could then be subject to an unexpired retention period or a delete action.
-Note that items subject to eDiscovery hold also fall under the first principle of retention; they cannot be permanently deleted by any retention policy or retention label. When that hold is released, the principles of retention continue to apply to them. For example, they could then be subject to an unexpired retention period or a delete action.
+### Principles of retention examples that combine retain and delete actions
-More complex examples that combine retain and delete actions:
+The following examples are more complex to illustrate the principles of retention when different retain and delete actions are combined. To make the examples easier to follow, all retention policies and labels use the default setting of starting the retention period when the item is created so the end of the retention period is the same for the item.
1. An item has the following retention settings applied to it:
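Review bot: In the new intro to the combined examples, "so the end of the retention period is the same for the item" should read "so the start of the retention period is the same for the item": policies with different durations that all count from creation share a start date, not an end date, and the outcomes below depend on exactly that. Two smaller wording points in the same hunk: the new note about a 7-year policy "winning" over a 5-year one is ambiguous directly under a principle titled "The shortest deletion period wins"; say plainly that the 7-year period can end, and therefore delete, earlier when it is counted from creation while the 5-year period is counted from last modified. And "When retention policies are scoped, they have equal precedence at this level" should say "When all the conflicting retention policies are scoped", which is the situation Example 2 illustrates.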
More complex examples that combine retain and delete actions:
- A retention policy that retains for three years and then deletes - A retention label that retains-only for seven years
- **Outcome**: The item is retained for seven years because retention takes precedence over deletion and seven years is the longest retention period. At the end of this retention period, the item is permanently deleted because of the delete action from the retention policies.
+ **Outcome**: The item is retained for seven years because retention takes precedence over deletion and seven years is the longest retention period for the item. At the end of this retention period, the item is permanently deleted because of the delete action from the retention policies.
Although the two retention policies have different dates for the delete actions, the earliest the item can be permanently deleted is at the end of the longest retention period, which is longer than both deletion dates.
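Review bot: The outcome and the sentence after it refer to "the retention policies" and "the two retention policies", but the scenario lists one retention policy (retain three years, then delete) and one retention label that is retain-only, so there is a single delete action. Suggest "because of the delete action from the retention policy" in the outcome, and rewrite or drop "Although the two retention policies have different dates for the delete actions", since the label in this example has no delete action at all.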
More complex examples that combine retain and delete actions:
- A scoped retention policy that retains for five years and then deletes - A retention label that retains for three years and then deletes
- **Outcome**: The item is retained for five years because that's the longest retention period. At the end of that retention period, the item is permanently deleted because of the delete action of three years from the retention label. Deletion from retention labels takes precedence over deletion from all retention policies. In this example, all conflicts are resolved by the third level.
+ **Outcome**: The item is retained for five years because that's the longest retention period for the item. At the end of that retention period, the item is permanently deleted because of the delete action of three years from the retention label. Deletion from retention labels takes precedence over deletion from all retention policies. In this example, all conflicts are resolved by the third level.
## Use Preservation Lock to restrict changes to policies
When [auditing is enabled](turn-audit-log-search-on-or-off.md), auditing events
### Auditing retention configuration
-Administrator configuration for retention policies and retention labels are logged as auditing events when a retention policy or label is created, reconfigured, or deleted.
+Administrator configuration for retention policies and retention labels is logged as auditing events when a retention policy or label is created, reconfigured, or deleted.
For the full list of auditing events, see [Retention policy and retention label activities](search-the-audit-log-in-security-and-compliance.md#retention-policy-and-retention-label-activities).
If you are using older eDiscovery tools to preserve data, see the following reso
If you need to proactively retain or delete content in Microsoft 365 for information governance, we recommend that you use retention policies and retention labels instead of the following older features.
-If you currently use these older features, they will continue to work side-by-side with retention policies and retention labels. However, we recommend that going forward, you use retention policies and retention labels instead. They provide you with a single mechanism to centrally manage both retention and deletion of content across Microsoft 365.
+If you currently use these older features, they will continue to work side by side with retention policies and retention labels. However, we recommend that going forward, you use retention policies and retention labels instead. They provide you with a single mechanism to centrally manage both retention and deletion of content across Microsoft 365.
**Older features from Exchange Online:**
If you have configured SharePoint sites for content type policies or information
## Configuration guidance
-See [Get started with retention policies and retention labels](get-started-with-retention.md). This article has information about subscriptions, permissions, and links to end-to-end configuration guidance for retention scenarios.
+See [Get started with retention policies and retention labels](get-started-with-retention.md). This article has information about subscriptions, permissions, and links to end-to-end configuration guidance for retention scenarios.
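Review bot: The removed and added lines here are character-for-character identical as rendered, so this is a whitespace-only change (most likely trailing spaces). If that is intended, fine; otherwise drop the hunk so the diff for this article stays meaningful.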
compliance Turn Audit Log Search On Or Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/turn-audit-log-search-on-or-off.md
description: How to turn on or off the Audit log search feature in the Microsoft
# Turn auditing on or off
-Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. When auditing in the Microsoft 365 compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
+Audit logging will be turned on by default for Microsoft 365 and Office 365 enterprise organizations. However, when setting up a new Microsoft 365 or Office 365 organization, you should verify the auditing status for your organization. For instructions, see the [Verify the auditing status for your organization](#verify-the-auditing-status-for-your-organization) section in this article.
-When setting up a new Microsoft 365 or Office 365 organization, you can verify the auditing status for your organization. For instructions, see the [Verify the auditing status for your organization](#verify-the-auditing-status-for-your-organization) section in this article.
+When auditing in the Microsoft 365 compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
> [!IMPORTANT] > If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Azure Sentinel to access auditing data for your organization. Turning off auditing by following the steps in this article means that no results will be returned when you search the audit log using the Microsoft 365 compliance center or when you run the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell. This also means that audit logs won't be available through the Office 365 Management Activity API or Azure Sentinel.
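Review bot: "Audit logging will be turned on by default" changes the tense from the removed line's "is turned on by default" and now reads as a pending rollout. If auditing is already on by default, keep the present tense; if a rollout is underway, say so and when, because the very next sentence tells admins to verify the auditing status and they need to know which case applies to their tenant.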
contentunderstanding Create An Extractor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/create-an-extractor.md
Title: "Create an extractor"--
+ Title: Create an extractor Microsoft SharePoint Syntex
++ + audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn how to create an extractor in Microsoft SharePoint Syntex."
+description: Learn how to create an extractor in Microsoft SharePoint Syntex.
# Create an extractor in Microsoft SharePoint Syntex
description: "Learn how to create an extractor in Microsoft SharePoint Syntex."
</br>
-Before or after you create a classifier model to automate identification and classification of specific document types, you can optionally choose to add extractors to your model to pull out specific information from these documents. For example, you may want your model not only to identify all *Contract Renewal* documents added to your document library, but also to display the *Service Start date* for each document as a column value in the document library.
+Before or after you create a classifier model to automate identification and classification of specific document types, you can optionally choose to add extractors to your model to pull out specific information from these documents. For example, you might want your model not only to identify all *Contract Renewal* documents added to your document library, but also to display the *Service Start date* for each document as a column value in the document library.
You need to create an extractor for each entity in the document that you want to extract. In our example, we want to extract the **Service Start Date** for each **Contract Renewal** document that is identified by the model. We want to be able to see a view in the document library of all **Contract Renewal** documents, with a column that shows the **Service Start** date value of each document. > [!NOTE]
-> In order to create an extractor, you use the same files you previously uploaded to train the classifier.
+> To create an extractor, you use the same files you previously uploaded to train the classifier.
## Name your extractor
Creating the extractor opens the extractor page. Here you see a list of your sam
Once you labeled five files, a notification banner displays informing you to move to training. You can choose to more label more documents or advance to training. ### Use Find to search your file
-You can use the <b>Find</b> feature to search for an entity in your document that you want to label.
- ![Find in file](../media/content-understanding/find-feature.png)
+You can use the **Find** feature to search for an entity in your document that you want to label.
+
+ ![Find in file.](../media/content-understanding/find-feature.png)
The Find feature is useful if you are searching a large document or if there are multiple instances of the entity in the document. If you find multiple instances, you can select the one you need in the search results to go to that location in the viewer to label it. ## Add an explanation
-For our example, we are going to create an explanation that provides a hint about the entity format itself and variations it may have in the sample documents. For example, a date value can be in a number of different formats, such as:
+For our example, we are going to create an explanation that provides a hint about the entity format itself and variations it might have in the sample documents. For example, a date value can be in a number of different formats, such as:
- 10/14/2019 - October 14, 2019 - Monday, October 14, 2019
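Review bot: The unchanged context at the top of this hunk has a typo worth fixing while the section is being touched: "You can choose to more label more documents" should read "You can choose to label more documents", and "Once you labeled five files" reads better as "Once you have labeled five files".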
For the *Service Start Date* sample, it is more efficient to use the pre-built e
2. From the explanation library, select **Date**. You can view all variations of date that are recognized. 3. Select **Add**.</br>
- ![Explanation library](../media/content-understanding/explanation-library.png)
+ ![Explanation library.](../media/content-understanding/explanation-library.png)
4. On the **Create an explanation** page, the *Date* information from the explanation library auto fills the fields. Select **Save**.</br>
- ![Date](../media/content-understanding/date-explanation-library.png)
+ ![Date.](../media/content-understanding/date-explanation-library.png)
## Train the model Saving your explanation start the training. If your model has enough information to extract the data from your labeled example files, you will see each file labeled with **Match**.
-![Match](../media/content-understanding/match2.png)
+![Match.](../media/content-understanding/match2.png)
If the explanation does not have enough information to find the data you want to extract, each file will be labeled with **Mismatch**. You can click on the **Mismatched** files to see more information about why there was a mismatch. ## Add another explanation
-Often the mismatch is an indication that the explanation we provided did not provide enough information to extract the service start date value to match our labeled files. You may need to edit it, or add another explanation.
+Often the mismatch is an indication that the explanation we provided did not provide enough information to extract the service start date value to match our labeled files. You might need to edit it, or add another explanation.
For our example, notice that the text string *Start Service date of* always precedes the actual value. To help identify the Service Start Date, you need to create a phrase explanation.
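Review bot: In the unchanged context above the edited image reference, "Saving your explanation start the training" should read "Saving your explanation starts the training". In the same hunk, "You can click on the **Mismatched** files" would be consistent with the rest of the article as "Select the **Mismatched** files".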
For our example, notice that the text string *Start Service date of* always prec
3. Use *Service Start Date of* as the value. 4. Select **Save**.
- ![Prefix string](../media/content-understanding/prefix-string.png)
+ ![Prefix string.](../media/content-understanding/prefix-string.png)
## Train the model again
If you receive a match on your labeled sample files, you can now test your model
1. From the model home page, click the **Test** tab. This runs the model on your unlabeled sample files. 2. In the **Test files** list, your example files display to show if the model is able to extract the information you need. Use this information to help determine the effectiveness of your classifier in identifying your documents.
- ![Test on your files](../media/content-understanding/test-filies-extractor.png)
+ ![Test on your files.](../media/content-understanding/test-filies-extractor.png)
## See Also [Create a classifier](create-a-classifier.md)
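Review bot: The unchanged step 2 text in this hunk says the test results help "determine the effectiveness of your classifier in identifying your documents", but this article is about extractors and the test shows whether the model can extract the **Service Start Date** value; suggest "the effectiveness of your extractor in pulling out the information you need". Separately, the image path `test-filies-extractor.png` looks misspelled ("files"); the alt-text fix here is fine, but if the asset is renamed this reference must change with it.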
contentunderstanding Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/difference-between-document-understanding-and-form-processing-model.md
Title: Difference between document understanding and form processing models
-+ audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: Learn about key difference between document understanding and form processing models.
+description: Learn about key difference between a document understanding model and a form processing model.
# Difference between document understanding and form processing models
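Review bot: The new description "Learn about key difference between a document understanding model and a form processing model" is missing an article; use "Learn about the key differences between ..." (the H1 on the next line already uses the plural "models").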
contentunderstanding Document Understanding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/document-understanding-overview.md
Title: "Document understanding overview"
+ Title: Document understanding overview in Microsoft SharePoint Syntex
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Get an overview of the document understanding in Microsoft SharePoint Syntex."
+description: Learn about document understanding in Microsoft SharePoint Syntex.
-# Document understanding overview
+# Document understanding overview in Microsoft SharePoint Syntex
</br>
contentunderstanding Duplicate A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/duplicate-a-model.md
Title: "Duplicate a model in Microsoft SharePoint Syntex"
+ Title: Duplicate a model in Microsoft SharePoint Syntex
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn how and why to duplicate a model in Microsoft SharePoint Syntex."
+description: Learn how and why to duplicate a model in Microsoft SharePoint Syntex.
# Duplicate a model in Microsoft SharePoint Syntex
contentunderstanding Explanation Types Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/explanation-types-overview.md
Title: "Explanation types in Microsoft SharePoint Syntex"
+ Title: Explanation types in Microsoft SharePoint Syntex
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn more about phrase list, regular expression, and proximity explanation types in Microsoft SharePoint Syntex."
+description: Learn more about phrase list, regular expression, and proximity explanation types in Microsoft SharePoint Syntex.
# Explanation types in Microsoft SharePoint Syntex
contentunderstanding Form Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/form-processing-overview.md
Title: "Form processing overview"--
+ Title: Form processing overview in Microsoft SharePoint Syntex
++ + audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn about form processing in Microsoft SharePoint Syntex"
+description: Learn about form processing in Microsoft SharePoint Syntex.
-# Form processing overview
+# Form processing overview in Microsoft SharePoint Syntex
![AI Builder](../media/content-understanding/ai-builder.png)</br> Microsoft SharePoint Syntex uses Microsoft PowerApps [AI Builder](/ai-builder/overview) form processing to create models within SharePoint document libraries.
-You can use AI Builder form processing to create AI models that use machine learning technology to identify and extract key-value pairs and table data from structured or semi-structured documents, like forms and invoices.
+You can use AI Builder form processing to create AI models that use machine learning technology to identify and extract key-value pairs and table data from structured or semi-structured documents, like forms and invoices.
Organizations often receive invoices in large quantities from a variety of sources, such as mail, fax, email, etc. Processing these documents and manually entering them into a database can take a considerable amount of time. By using AI to extract the text, key/value pairs, and tables from your documents, form processing automates this process.
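Review bot: The removed and added lines in the middle of this hunk are identical as rendered, so this is a whitespace-only edit; confirm it is intended. Also, the unchanged paragraph that follows uses "key-value pairs" and then "key/value pairs" within a few lines; pick one spelling while the section is open.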
contentunderstanding Learn About Document Understanding Models Through The Sample Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/learn-about-document-understanding-models-through-the-sample-model.md
Title: "Learn about document understanding models through the sample model"--
+ Title: Learn about document understanding models through the sample model
++ + audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn about document understanding models through the sample model"
+description: Learn about document understanding models through the sample model.
# Learn about document understanding models through a sample model
contentunderstanding Leverage Term Store Taxonomy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/leverage-term-store-taxonomy.md
Title: "Leverage term store taxonomy when creating an extractor"--
+ Title: Leverage term store taxonomy when creating an extractor in Microsoft SharePoint Syntex
++ + audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Use term store taxonomy when creating an extractor in your document understanding model in Microsoft SharePoint Syntex."
+description: Use term store taxonomy when creating an extractor in your document understanding model in Microsoft SharePoint Syntex.
-# Leverage term store taxonomy when creating an extractor
+# Leverage term store taxonomy when creating an extractor in Microsoft SharePoint Syntex
</br>
To make the managed metadata field available to select when you create your extr
![Contract service](../media/content-understanding/contract-services.png)</br> - After applying your model to the document library, when documents are uploaded to library, the *Creative Services* column will display the preferred term (*Creative*) when the extractor finds any of the synonym values (*Design*, *Graphics*, and *Topography*). ![Contract service column](../media/content-understanding/creative.png)</br>
contentunderstanding Model Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/model-usage-analytics.md
Title: "Document understanding model usage analytics"--
+ Title: Document understanding model usage analytics in Microsoft SharePoint Syntex
++ + audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn how to apply a retention label to a document understanding model"
+description: Learn how to find and use usage analytics for a document understanding model.
-# Document understanding model usage analytics
+# Document understanding model usage analytics in Microsoft SharePoint Syntex
</br>
description: "Learn how to apply a retention label to a document understanding m
</br>
-Your Microsoft SharePoint Syntex content center provides you model usage analytics to provide more information about how your models that have been published from the content center are being used. The <b>How your models are performing in the last 30 days</b> section of the content center includes a 30 day roll-up of usage analytics data provided in the following charts and lists:
+Your SharePoint Syntex content center provides you model usage analytics to provide more information about how your models that have been published from the content center are being used. The <b>How your models are performing in the last 30 days</b> section of the content center includes a 30 day roll-up of usage analytics data provided in the following charts and lists:
- Classification by model - Classification by library
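Review bot: "provides you model usage analytics to provide more information" reads awkwardly; suggest "provides model usage analytics that show how the models published from the content center are being used". The same line keeps `<b>How your models are performing in the last 30 days</b>` as HTML, while the Create an extractor change in this same update converts `<b>Find</b>` to `**Find**`; use `**...**` here too, and hyphenate "30-day roll-up".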
enterprise Microsoft 365 Vpn Implement Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel.md
description: "How to implement VPN split tunneling for Office 365"
For many years, enterprises have been using VPNs to support remote experiences for their users. Whilst core workloads remained on-premises, a VPN from the remote client routed through a datacenter on the corporate network was the primary method for remote users to access corporate resources. To safeguard these connections, enterprises build layers of network security solutions along the VPN paths. This security was built to protect internal infrastructure and to safeguard mobile browsing of external web sites by rerouting traffic into the VPN and then out through the on-premises Internet perimeter. VPNs, network perimeters, and associated security infrastructure were often purpose-built and scaled for a defined volume of traffic, typically with most connectivity being initiated from within the corporate network, and most of it staying within the internal network boundaries.
-For quite some time, VPN models where all connections from the remote user device are routed back into the on-premises network (known as **forced tunneling**) were largely sustainable as long as the concurrent scale of remote users was modest and the traffic volumes traversing VPN were low. Some customers continued to use VPN force tunneling as the status quo even after their applications moved from inside the corporate perimeter to public SaaS clouds, Office 365 being a prime example.
+For quite some time, VPN models where all connections from the remote user device are routed back into the on-premises network (known as _forced tunneling_) were largely sustainable as long as the concurrent scale of remote users was modest and the traffic volumes traversing VPN were low. Some customers continued to use VPN force tunneling as the status quo even after their applications moved from inside the corporate perimeter to public SaaS clouds, Office 365 being a prime example.
The use of forced tunneled VPNs for connecting to distributed and performance-sensitive cloud applications is suboptimal, but the negative effect of that may have been accepted by some enterprises so as to maintain the status quo from a security perspective. An example diagram of this scenario can be seen below:
URLs in this category have the following characteristics:
- Are able to have required security elements provided in the service rather than inline on the network - Account for around 70-80% of the volume of traffic to the Office 365 service
-For more information about Office 365 endpoints and how they are categorized and managed, see the article [Managing Office 365 endpoints](managing-office-365-endpoints.md).
+For more information about Office 365 endpoints and how they are categorized and managed, see [Managing Office 365 endpoints](managing-office-365-endpoints.md).
#### Optimize URLs
In the above examples, **tenant** should be replaced with your Office 365 tenant
#### Optimize IP address ranges
-At the time of writing the IP ranges that these endpoints correspond to are as follows. It is **very strongly** advised you use a [script such as this](https://github.com/microsoft/Office365NetworkTools/tree/master/Scripts/Display%20URL-IPs-Ports%20per%20Category) example, the [Office 365 IP and URL web service](microsoft-365-ip-web-service.md) or the [URL/IP page](urls-and-ip-address-ranges.md) to check for any updates when applying the configuration, and put a policy in place to do so regularly.
+At the time of writing the IP address ranges that these endpoints correspond to are as follows. It is **very strongly** advised you use a [script such as this](https://github.com/microsoft/Office365NetworkTools/tree/master/Scripts/Display%20URL-IPs-Ports%20per%20Category) example, the [Office 365 IP and URL web service](microsoft-365-ip-web-service.md) or the [URL/IP page](urls-and-ip-address-ranges.md) to check for any updates when applying the configuration, and put a policy in place to do so regularly.
``` 104.146.128.0/17
At the time of writing the IP ranges that these endpoints correspond to are as f
132.245.0.0/16 150.171.32.0/22 150.171.40.0/22
-191.234.140.0/22
204.79.197.215/32 23.103.160.0/20 40.104.0.0/15
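Review bot: The hunk deletes 191.234.140.0/22 from the Optimize IP address list with no accompanying text. Because readers copy this list into route tables and firewall exceptions, the removal should be confirmed against the Office 365 IP and URL web service linked in the paragraph above, and "At the time of writing" should carry an actual date so readers can judge how current the snapshot is. Either error direction matters: dropping a range that is still in use sends that Office 365 traffic back through the forced tunnel, while keeping a retired range leaves an unneeded bypass of the VPN in place.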
Once you have added the routes, you can confirm that the route table is correct
![Route print output](../media/vpn-split-tunneling/vpn-route-print.png)
-To add routes for **all** current IP address ranges in the Optimize category, you can use the following script variation to query the [Office 365 IP and URL web service](microsoft-365-ip-web-service.md) for the current set of Optimize IP subnets and add them to the route table.
+To add routes for _all_ current IP address ranges in the Optimize category, you can use the following script variation to query the [Office 365 IP and URL web service](microsoft-365-ip-web-service.md) for the current set of Optimize IP subnets and add them to the route table.
#### Example: Add all Optimize subnets into the route table
Once the policy is in place, you should confirm it is working as expected. There
- Run the [Microsoft 365 connectivity test](https://aka.ms/netonboard) that will run connectivity tests for you including trace routes as above. We're also adding in VPN tests into this tooling that should also provide additional insights. -- A simple tracert to an endpoint within scope of the split tunnel should show the path taken, for example:
+- A simple **tracert** to an endpoint within scope of the split tunnel should show the path taken, for example:
```powershell tracert worldaz.tr.teams.microsoft.com
This section provides links to detailed guides for implementing split tunneling
## FAQ
-The Microsoft Security Team has published [an article](https://www.microsoft.com/security/blog/2020/03/26/alternative-security-professionals-it-achieve-modern-security-controls-todays-unique-remote-work-scenarios/) that outlines key ways for security professionals and IT can achieve modern security controls in today's unique remote work scenarios. In addition, below are some of the common customer questions and answers on this subject.
+The Microsoft Security Team has published [Alternative ways for security professionals and IT to achieve modern security controls in todayΓÇÖs unique remote work scenarios](https://www.microsoft.com/security/blog/2020/03/26/alternative-security-professionals-it-achieve-modern-security-controls-todays-unique-remote-work-scenarios/), a blog post, that outlines key ways for security professionals and IT can achieve modern security controls in today's unique remote work scenarios. In addition, below are some of the common customer questions and answers on this subject.
### How do I stop users accessing other tenants I do not trust where they could exfiltrate data?
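Review bot: The new link text contains "todayΓÇÖs", which is a mis-encoded curly apostrophe (the UTF-8 bytes of the character read back through a legacy code page); replace it with a plain "today's", matching the spelling used later in the same sentence. Also, "outlines key ways for security professionals and IT can achieve" is ungrammatical in both the old and new versions; suggest "outlines key ways security professionals and IT can achieve".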
We can then trigger policy such as approve, trigger MFA or block authentication
### How do I protect against viruses and malware?
-Again, Office 365 provides protection for the Optimize marked endpoints in various layers in the service itself, [outlined in this document](/office365/Enterprise/office-365-malware-and-ransomware-protection). As noted, it is vastly more efficient to provide these security elements in the service itself rather than try to do it in line with devices that may not fully understand the protocols/traffic.By default, SharePoint Online [automatically scans file uploads](../security/office-365-security/virus-detection-in-spo.md) for known malware
+Again, Office 365 provides protection for the Optimize marked endpoints in various layers in the service itself, [outlined in this document](/office365/Enterprise/office-365-malware-and-ransomware-protection). As noted, it is vastly more efficient to provide these security elements in the service itself rather than try to do it in line with devices that may not fully understand the protocols/traffic. By default, SharePoint Online [automatically scans file uploads](../security/office-365-security/virus-detection-in-spo.md) for known malware
For the Exchange endpoints listed above, [Exchange Online Protection](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description) and [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) do an excellent job of providing security of the traffic to the service.
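Review bot: the `+` line restores the missing space after `traffic.`, but the sentence it joins still ends without a period (`...automatically scans file uploads for known malware`), so the paragraph is left with one fixed and one open punctuation defect; add the terminal period in the same change.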
There are also various vendors who offer cloud-based proxy/security solutions ca
Even with these solutions in place however, Microsoft still strongly recommends that Optimize marked Office 365 traffic is sent direct to the service.
-For guidance on allowing direct access to an Azure Virtual Network, see the article [Remote work using Azure VPN Gateway Point-to-site](/azure/vpn-gateway/work-remotely-support).
+For guidance on allowing direct access to an Azure Virtual Network, see [Remote work using Azure VPN Gateway Point-to-site](/azure/vpn-gateway/work-remotely-support).
### Why is port 80 required? Is traffic sent in the clear?
enterprise Ms Cloud Germany Transition Azure Ad https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-azure-ad.md
description: "Summary: Additional Azure Active Directory information when moving
# Additional Azure Active Directory information for the migration from Microsoft Cloud Deutschland
-To complete the move from the Azure German cloud to the Azure public cloud we recommend that the authentication endpoint, Azure Active Directory (Azure AD) Graph, and MS Graph endpoints for your applications be updated to those of the commercial cloud when the OpenID Connect (OIDC) endpoint, `https://login.microsoftonline.com/\<TenantIdOrDomain\>/.well-known/openid-configuration`, starts reporting commercial cloud endpoints.
+To complete the move from the Azure German cloud to the Azure public cloud we recommend that the authentication endpoint, Azure Active Directory (Azure AD) Graph, and MS Graph endpoints for your applications be updated to those of the commercial cloud when the OpenID Connect (OIDC) endpoint, `https://login.microsoftonline.com/<TenantIdOrDomain>/.well-known/openid-configuration`, starts reporting commercial cloud endpoints.
**When should I make this change?**
You'll receive a notification in Azure/Office portal when your tenant completes
There are three preconditions to updating your sign-in authority:
+ - OIDC discovery endpoint for your tenant `https://login.microsoftonline.com/<TenantIdOrDomain>/.well-known/openid-configuration` returns Azure AD public cloud endpoints.
- If your tenant is set up for federation, Active Directory Federation Services (AD FS) is updated to sync with Azure AD Public. You can follow instructions to update Azure AD Connect settings for making this change.
An application could be any of the following:
2. Update Azure AD Graph endpoint to be `https://graph.windows.net`.
-3. Update MS Graph endpoint to be `https://graph.microsoft.com`.
+3. Update Microsoft Graph endpoint to be `https://graph.microsoft.com`.
4. Update any German cloud endpoints (such as those for Exchange Online and SharePoint Online) that are used by your applications to be those of the public cloud.
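Review bot: step 3 renames `MS Graph` to `Microsoft Graph`, but the introductory paragraph changed earlier in this same patch (`...Azure Active Directory (Azure AD) Graph, and MS Graph endpoints for your applications...`) keeps the old abbreviation, so the page now uses two names for one product; apply the rename there too. Steps 2 and 3 would also read better with an article: `Update the Azure AD Graph endpoint to be ...` and `Update the Microsoft Graph endpoint to be ...`.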
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [Get alert related IPs information](get-alert-related-ip-info.md) ####### [Get alert related device information](get-alert-related-machine-info.md) ####### [Get alert related user information](get-alert-related-user-info.md)
+####### [Alerts queue in Microsoft 365 Defender](alerts-queue-endpoint-detection-response.md)
###### [Assessments of vulnerabilities and secure configurations]() ####### [Export assessment methods and properties](get-assessment-methods-properties.md)
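Review bot: the new `Alerts queue in Microsoft 365 Defender` entry is inserted at the same seven-hash depth as the `Get alert related IPs/device/user information` API reference entries around it, but its title describes a portal how-to rather than an API method, so it looks mis-nested under this parent; confirm the intended parent node before merging.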
security Access Mssp Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/access-mssp-portal.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
---
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!NOTE] >These set of steps are directed towards the MSSP.
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+By default, MSSP customers access their Microsoft 365 Defender tenant through the following URL: `https://securitycenter.windows.com/`.
- MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage. - Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-1. As an MSSP, login to Azure AD with your credentials.
+1. As an MSSP, log in to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
-3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
+3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
+4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com/?tid=customer_tenant_id`.
## Related topics
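Review bot: the `+` line renames the product to `Microsoft 365 Defender` but keeps the `https://securitycenter.windows.com/` URL; elsewhere in this digest the Microsoft 365 Defender portal is `https://security.microsoft.com` (see the Advanced features change below), so either the name or the URL is now stale, and the tenant-specific form in step 4, `https://securitycenter.windows.com/?tid=customer_tenant_id`, inherits the same question. Also make sure the format statement `MSSPs however, will need to use a tenant-specific URL in the following format: https://securitycenter.windows.com?tid=customer_tenant_id` gets the same `/?tid=` form so all three URLs in the file agree, and fix `These set of steps are directed` to `This set of steps is directed` in the note while the file is open.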
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Depending on the Microsoft security products that you use, some advanced feature
## Enable advanced features
-1. In the navigation pane, select **Preferences setup** > **Advanced features**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 3. Click **Save preferences**.
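Review bot: the new path `Settings > Endpoints > Advanced features` omits the `General` node that the `Allow or block file` procedure later in this same file uses (`Settings > Endpoints > General > Advanced features > Allow or block file`); align the two paths so readers are not sent down two different menus for one page. The steps also mix verbs: `Click **Save preferences**` here versus `Select **Save preferences**` in the later procedure.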
For more information about role assignments, see [Create and manage roles](user-
Enabling this feature allows you to run unsigned scripts in a live response session. ## Always remediate PUA
-Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted.
+Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software, which might be unexpected or unwanted.
Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This will help protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration. ## Restrict correlation to within scoped device groups
-This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning this setting on, an incident composed of alerts that cross device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We do not recommend turning this setting on unless doing so outweighs the benefits of incident correlation across the entire organization
+This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization
>[!NOTE] >Changing this setting impacts future alert correlations only.
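Review bot: the comma added before `which might be unexpected or unwanted` turns a restrictive clause into a non-restrictive one and changes the meaning (it now says that PUA installs other software, and that software as a class is unexpected); keep the restrictive form, `install other software that might be unexpected or unwanted`, without the comma. In the `Restrict correlation` paragraph the contraction changes are fine, but the last sentence still ends without a period (`...across the entire organization`).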
Endpoint detection and response (EDR) in block mode provides protection from mal
## Autoresolve remediated alerts
-For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
+For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
> [!TIP]
-> For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
+> For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://security.microsoft.com//preferences2/integration) page.
> [!NOTE] >
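Review bot: the comma added in `the automated investigation, and remediation capability` splits the single feature name `automated investigation and remediation` into two items; revert it. In the tip, the new URL `https://security.microsoft.com//preferences2/integration` has a doubled slash after the host and should be `https://security.microsoft.com/preferences2/integration`.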
To turn **Allow or block** files on:
1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**. 1. Toggle the setting between **On** and **Off**.-
- ![Image of advanced settings for block file feature](images/atp-preferences-setup.png)
+
+ :::image type="content" source="../../media/alloworblockfile.png" alt-text="Image of advanced settings for block file feature":::
1. Select **Save preferences** at the bottom of the page.
After turning on this feature, you can [block files](respond-file-alerts.md#allo
## Custom network indicators
-Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
+Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they'll be allowed or blocked based on your custom indicator list.
To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834). For more information, see [Manage indicators](manage-indicators.md). > [!NOTE]
-> Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data.
+> Network protection leverages reputation services that process requests in locations that might be outside of the location you've selected for your Defender for Endpoint data.
## Tamper protection During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices.
Enabling the Skype for Business integration gives you the ability to communicate
## Microsoft Defender for Identity integration
-The integration with Microsoft Defender for Identity allows you to pivot directly into another Microsoft Identity security product. Microsoft Defender for Identity augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
+The integration with Microsoft Defender for Identity allows you to pivot directly into another Microsoft Identity security product. Microsoft Defender for Identity augments an investigation with more insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
> [!NOTE] > You'll need to have the appropriate license to enable this feature. ## Office 365 Threat Intelligence connection
-This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
+This feature is only available if you've an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-When you turn this feature on, you'll be able to incorporate data from Microsoft Defender for Office 365 into Microsoft 365 Defender to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
+When you turn on this feature, you'll be able to incorporate data from Microsoft Defender for Office 365 into Microsoft 365 Defender to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
> [!NOTE] > You'll need to have the appropriate license to enable this feature.
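Review bot: `from an identify point of view` is a typo for `identity` that survives unchanged in the `+` line; fix it while touching the sentence. In the Office 365 Threat Intelligence paragraph, `if you've an active Office 365 E5` contracts a possessive `have`, which does not work in English (`you've` is fine as an auxiliary, as in `if you've applied for preview`, not for possession); keep `if you have an active Office 365 E5`. The same contraction recurs below in `Ensure you've network protection in block mode` and `only available if you've the following`.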
To receive contextual device integration in Office 365 Threat Intelligence, you'
## Microsoft Threat Experts - Targeted Attack Notifications
-Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it.
+Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you've applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it.
> [!NOTE] > The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
To receive contextual device integration in Microsoft Defender for Identity, you
After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page. ## Web content filtering
-Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a [web content filtering policy](https://security.microsoft.com/preferences2/web_content_filtering_policy). Ensure you have network protection in block mode when deploying the [Microsoft Defender for Endpoint security baseline](https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineSummaryMenu/overview/templateType/2).
+Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a [web content filtering policy](https://security.microsoft.com/preferences2/web_content_filtering_policy). Ensure you've network protection in block mode when deploying the [Microsoft Defender for Endpoint security baseline](https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineSummaryMenu/overview/templateType/2).
## Share endpoint alerts with Microsoft Compliance Center
Defender for Endpoint can be integrated with [Microsoft Intune](/intune/what-is-
> [!IMPORTANT] > You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md).
-This feature is only available if you have the following:
+This feature is only available if you've the following:
- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5) - An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](/azure/active-directory/devices/concept-azure-ad-join/).
This feature is only available if you have the following:
### Conditional Access policy
-When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
+When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It shouldn't be deleted.
> [!NOTE] > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
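Review bot: this change contracts `This feature is only available if you have the following:` to `you've the following:` while the identical sentence two lines later is left untouched, so the same requirement now appears in two forms in one file; keep `you have` in both, matching the unchanged occurrence.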
Learn about new features in the Defender for Endpoint preview release. Try upcom
You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available. --- ## Related topics - [Update data retention settings](data-retention-settings.md)
security Api Portal Mapping https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-portal-mapping.md
Field numbers match the numbers in the images below.
> [!div class="mx-tableFixed"] >
-> | Portal label | SIEM field name | ArcSight field | Example value | Description |
-> |||||--|
-> | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
-> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
-> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. |
-> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
-> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
-> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. |
-> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. |
-> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
-> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. |
-> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. |
-> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Microsoft Defender AV detections. |
-> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
-> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
-> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
-> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. |
-> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
-> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. |
-> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
-> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
-> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
-| | LinkToMTP | No mapping | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
-| | IncidentLinkToMTP | No mapping | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
-| | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
-> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
-> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
-> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
-> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
--
-![Image of alert with numbers](images/atp-alert-page.png)
-
-![Image of alert details pane with numbers](images/atp-siem-mapping13.png)
-
-![Image of artifact timeline with numbers1](images/atp-siem-mapping3.png)
-
-![Image of artifact timeline with numbers2](images/atp-siem-mapping4.png)
-
-![Image machine view](images/atp-mapping6.png)
-
-![Image browser URL](images/atp-mapping5.png)
-
-![Image actor alert](images/atp-mapping7.png)
+> | Portal label | SIEM field name | ArcSight field | Example value | Description |
+> ||-|||--|
+> | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
+> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
+> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
+> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. |
+> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
+> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
+> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
+> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. |
+> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. |
+> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
+> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. |
+> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. |
+> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Microsoft Defender AV detections. |
+> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
+> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
+> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
+> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
+> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
+> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. |
+> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
+> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. |
+> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
+> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
+> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
+| | LinkToMTP | No mapping | `https://securitycenter.windows.com/alert/da637370718981685665_16349121` | Value available for every Detection.
+| | IncidentLinkToMTP | No mapping | `"https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
+| | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/preferences2/integration/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
+> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
+> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
+> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
+> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. |
++++++++ ## Related topics
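Review bot: the three link rows after `InternalIPv6List` regress rather than fix. `LinkToMTP` and `IncidentLinkToMTP` now point at `securitycenter.windows.com`, which makes `LinkToMTP` identical to `LinkToWDATP` (the `-` rows had the MTP links on `security.microsoft.com`, the same host this digest uses for the Microsoft 365 Defender portal elsewhere), and `IncidentLinkToWDATP` gains a `/preferences2/integration/` segment in front of `incidents/byalert`, which is the Advanced features settings path pasted into an incident URL. Those three rows also still lack the leading `> ` and trailing `|` that every other row has, so they fall outside the `mx-tableFixed` blockquote, `IncidentLinkToMTP` still carries a stray `"` inside its backticks, and the delimiter row `||-|||--|` has empty cells where Markdown needs at least one `-` per column (for example `|---|---|---|---|---|`). The seven `![Image ...]` figures are removed, but the intro still says `Field numbers match the numbers in the images below`, so the 1 to 22 labels in the first column now reference nothing. Minor: the example `Sha1` value is 39 hex characters and the `Sha256` value is 55, neither a valid digest length; if these rows are being rewritten anyway, use correctly sized placeholder values so anyone testing a SIEM parser against the examples does not accept truncated hashes.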
security Attack Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md
Read the walkthrough document provided with each attack scenario. Each document
2. Download and read the corresponding walkthrough document provided with your selected scenario.
-3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
+3. Download the simulation file or copy the simulation script by navigating to **Evaluation & tutorials** > **Tutorials & simulations**. You can choose to download the file or script on the test device but it's not mandatory.
4. Run the simulation file or script on the test device as instructed in the walkthrough document.
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
Warn mode is supported on devices running the following versions of Windows:
Microsoft Defender Antivirus must be running with real-time protection in [Active mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
-In addition, make sure [Microsoft Defender Antivirus and antimalware updates](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
+Also, make sure [Microsoft Defender Antivirus and antimalware updates](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
- Minimum platform release requirement: `4.18.2008.9` - Minimum engine release requirement: `1.1.17400.5`
For more information and to get your updates, see [Update for Microsoft Defender
### Cases where warn mode is not supported
-Warn mode is not supported for three attack surface reduction rules when you configure them in Microsoft Endpoint Manager. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that do not support warn mode when you configure them in Microsoft Endpoint Manager are as follows:
+Warn mode isn't supported for three attack surface reduction rules when you configure them in Microsoft Endpoint Manager. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that do not support warn mode when you configure them in Microsoft Endpoint Manager are as follows:
- [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction-rules.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) - [Block persistence through WMI event subscription](attack-surface-reduction-rules.md#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) - [Use advanced protection against ransomware](attack-surface-reduction-rules.md#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`)
-In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
+Also, warn mode isn't supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
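Review bot: the contraction edit is only half applied in the warn-mode paragraph: the `+` line now opens with "Warn mode isn't supported" but the same line still reads "The three rules that do not support warn mode", so the sentence pair mixes styles. Either leave both as "is not"/"do not" or change both to contractions. The "Also, warn mode isn't supported on devices running older versions" change below it is consistent and fine.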
## Notifications and alerts Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
-In addition, when certain attack surface reduction rules are triggered, alerts are generated.
+Also, when certain attack surface reduction rules are triggered, alerts are generated.
-Notifications and any alerts that are generated can be viewed in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) (formerly called the [Microsoft Defender Security Center](microsoft-defender-security-center.md)).
+Notifications and any alerts that are generated can be viewed in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) (formerly called [Microsoft 365 Defender](microsoft-defender-security-center.md)).
## Advanced hunting and attack surface reduction events
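Review bot: the rebranding substitution in the `+` line for the notifications paragraph produces a tautology: "the Microsoft 365 Defender portal ... (formerly called [Microsoft 365 Defender](microsoft-defender-security-center.md))". The `-` line had the actual former name, the Microsoft Defender Security Center; replacing the historical name with the current one leaves the parenthetical saying nothing. Suggest restoring "(formerly called the Microsoft Defender Security Center)" or dropping the parenthetical entirely, and checking every other place on this page where the same find-and-replace was applied.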
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
ms.technology: mde
## Overview
-Today's threat landscape is overrun by [fileless malware](/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](/windows/security).
+Today's threat landscape is overrun by [fileless malware](/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions aren't sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](/windows/security).
Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities.
With these capabilities, more threats can be prevented or blocked, even if they
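Review bot: two defects in the overview sentence survive the `+` line and should be fixed while it is being touched. First, "[fileless malware](...) and that lives off the land" is missing its subject; read "fileless malware and malware that lives off the land" or "fileless, living-off-the-land malware". Second, "device learning (ML)" is an over-eager machine-to-device substitution: ML abbreviates machine learning, which is also the term this same topic uses later ("Threats on endpoints are detected through machine learning"). Write "machine learning (ML)".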
The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities: ## Components of behavioral blocking and containment -- **On-client, policy-driven [attack surface reduction rules](attack-surface-reduction.md)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in Microsoft 365 Defender <https://security.microsoft.com> as informational alerts. Attack surface reduction rules are not enabled by default; you configure your policies in the [Microsoft 365 Defender](microsoft-defender-security-center.md).
+- **On-client, policy-driven [attack surface reduction rules](attack-surface-reduction.md)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft 365 Defender portal([https://security.microsoft.com](https://security.microsoft.com)) as informational alerts. Attack surface reduction rules aren't enabled by default; you configure your policies in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md).
- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) - **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in Microsoft 365 Defender.)
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus isn't the primary antivirus solution. (EDR in block mode isn't enabled by default; you turn it on in Microsoft 365 Defender.)
Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
Behavior-based device learning models in Defender for Endpoint caught and stoppe
- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
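Review bot: in the `+` line for the attack surface reduction bullet, "portal([https://security.microsoft.com](https://security.microsoft.com))" is missing the space before the opening parenthesis. In the `+` line for the EDR in block mode bullet, "you turn it on in Microsoft 365 Defender" now differs from the wording used two bullets earlier ("the Microsoft 365 Defender portal"); suggest "in the Microsoft 365 Defender portal" for consistency. Not part of this change, but visible in the surrounding context: "Device learning classifiers in the cloud correctly identified the threat as and immediately instructed" is missing the object of "as" and should be repaired in the same pass.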
-While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md) (formerly the Microsoft Defender Security Center):
+While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md).
:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft 365 Defender portal":::
This example shows how behavior-based device learning models in the cloud add ne
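Review bot: the `+` line replaces the trailing colon with a period, but the sentence still introduces the screenshot that immediately follows it (the `:::image` block with alt-text "Initial access alert in the Microsoft 365 Defender portal"). Keep the colon: "...appeared in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md):". Dropping the "(formerly the Microsoft Defender Security Center)" parenthetical is fine, and is the right way to handle the rename rather than rewriting it to the current name.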
As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called "Possible privilege escalation using NTLM relay" was triggered. The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device. Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image:
-A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
+A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing more attackers or other malware from deploying on the device.
This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
ms.technology: mde
Client behavioral blocking is a component of [behavioral blocking and containment capabilities](behavioral-blocking-containment.md) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. Antivirus protection works best when paired with cloud protection.
Antivirus protection works best when paired with cloud protection.
[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
-Whenever a suspicious behavior is detected, an [alert](alerts-queue.md) is generated, and is visible in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md) (formerly the Microsoft Defender Security Center).
+Whenever a suspicious behavior is detected, an [alert](alerts-queue.md) is generated, and is visible in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md) (formerly Microsoft 365 Defender).
Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
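Review bot: same problem as the rebranding edit in the attack surface reduction topic above: "(formerly Microsoft 365 Defender)" after "Microsoft 365 Defender portal" states that the portal was formerly called what it is called now. The `-` line had the correct former name, Microsoft Defender Security Center; restore it or drop the parenthetical. Also visible in the context of this hunk: the sentence "Antivirus protection works best when paired with cloud protection." appears twice in a row (at the end of the first paragraph and again on its own line); remove one copy.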
security Community https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/community.md
There are several spaces you can explore to learn about specific information:
- What's new - Threat Intelligence - There are several ways you can access the Community Center:-- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page.
+- In the Microsoft 365 Defender portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page.
- Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
security Configure Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md
Take the following steps to enable Conditional Access:
### Step 1: Turn on the Microsoft Intune connection+ 1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features** > **Microsoft Intune connection**. 2. Toggle the Microsoft Intune setting to **On**. 3. Click **Save preferences**.
security Configure Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md
Take the following configuration steps in Microsoft 365 security center:
## Exclude devices from being actively probed in standard discovery
-If there are devices on your network which should not be actively scanned (for example, devices used as honeypots for another security tool), you can also define a list of exclusions to prevent them from being scanned. Note that devices can still be discovered using Basic discovery mode. Those devices will be passively discovered but won't be actively probed.
+If there are devices on your network which shouldn't be actively scanned (for example, devices used as honeypots for another security tool), you can also define a list of exclusions to prevent them from being scanned. Note that devices can still be discovered using Basic discovery mode. Those devices will be passively discovered but won't be actively probed.
## Select networks to monitor-
- Microsoft Defender for Endpoint analyzes a network and determines if it is a corporate network that needs to be monitored or a non-corporate network that can be ignored. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor non-corporate networks where onboarded devices are found.
+ Microsoft Defender for Endpoint analyzes a network and determines if it's a corporate network that needs to be monitored or a non-corporate network that can be ignored. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor non-corporate networks where onboarded devices are found.
You can configure where device discovery can be performed by specifying which networks to monitor. When a network is monitored, device discovery can be performed on it.
The list of monitored networks is sorted based upon the total number of devices
You can apply a filter to view any of the following network discovery states: - **Monitored networks** - Networks where device discovery is performed.-- **Ignored networks** - This network will be ignored and device discovery will not be performed on it.-- **All** - Both monitored and ignored networks will be displayed.
+- **Ignored networks** - This network will be ignored and device discovery won't be performed on it.
+- **All** - Both monitored and ignored networks will be displayed.
### Configure the network monitor state
Choosing the initial discovery classification means applying the default system-
5. Choose whether you want to monitor, ignore, or use the initial discovery classification. > [!WARNING]
- >
- > - Choosing to monitor a network that was not identified by Microsoft Defender for Endpoint as a corporate network can cause device discovery outside of your corporate network, and may therefore detect home or other non-corporate devices.
- > - Choosing to ignore a network will stop monitoring and discovering devices in that network. Devices that were already discovered will not be removed from the inventory, but will no longer be updated, and details will be retained until the data retention period of the Defender for Endpoint expires.
- > - Before choosing to monitor non-corporate networks, you must ensure you have permission to do so.
+ > - Choosing to monitor a network that was not identified by Microsoft Defender for Endpoint as a corporate network can cause device discovery outside of your corporate network, and may therefore detect home or other non-corporate devices.
+ > - Choosing to ignore a network will stop monitoring and discovering devices in that network. Devices that were already discovered won't be removed from the inventory, but will no longer be updated, and details will be retained until the data retention period of the Defender for Endpoint expires.
+ > - Before choosing to monitor non-corporate networks, you must ensure you have permission to do so. <br>
6. Confirm that you want to make the change.
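Review bot: the `+` side of the warning callout ends its last bullet with a literal `<br>` tag ("...you must ensure you have permission to do so. <br>"). An HTML line break inside a blockquote list item renders as a stray blank line and is not needed to separate the callout from the numbered step "6. Confirm that you want to make the change." that follows; remove it. Removing the empty ">" line after "> [!WARNING]" is fine, since the bullets that follow are still inside the blockquote.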
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Last updated 04/24/2018
ms.technology: mde + # Onboard the Windows 10 devices using Group Policy [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender](https://security.microsoft.com/):
+
1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**. 1. Select Windows 10 as the operating system.
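Review bot: the `+` line changes the link text from "[Microsoft 365 Defender portal](https://security.microsoft.com/)" to "[Microsoft 365 Defender](https://security.microsoft.com/)", dropping "portal", while the offboarding step later in this same topic and the matching onboarding steps in the Configuration Manager and MDM topics on this page keep "Microsoft 365 Defender portal". The URL is the portal, so keep "portal" in the link text for consistency. The added blank "+" line between the step and its sub-steps is fine.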
You can use Group Policy (GP) to configure settings, such as settings for the sa
- Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
- If you are using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the
+ If you're using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the
configuration package: - Copy _AtpConfiguration.admx_ into _\\\\\<forest.root\>\\SysVol\\\<forest.root\>\\Policies\\PolicyDefinitions_
Configure Controlled folder access| Enabled, Audit Mode
## Offboard devices using Group Policy
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you'll be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. + 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/): 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
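Review bot: the `+` line contracts "you will be" but leaves two other defects in the same sentence: "packages expiry date" needs the possessive ("package's expiry date"), and "Offboard" is capitalized mid-sentence ("the package used to offboard devices"). The identical sentence appears in the MDM and local-script offboarding topics on this page; apply the same fix to all three so they stay in sync.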
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
Title: Onboard Windows 10 devices using Mobile Device Management tools
-description: Use Mobile Device Management tools to deploy the configuration package on devices so that the devices are onboarded to the service.
+description: Use Mobile Device Management tools to deploy configuration package on devices so that they're onboarded to the service.
keywords: onboard devices using mdm, device management, onboard Microsoft Defender for Endpoint devices, mdm search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde + # Onboard the Windows 10 devices using Mobile Device Management tools [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
You can use mobile device management (MDM) solutions to configure devices. Defen
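Review bot: the rewritten description in the `+` line drops an article: "deploy configuration package on devices" should be "deploy the configuration package on devices". The rest of the rewording ("so that they're onboarded to the service") reads fine and matches the contraction style used elsewhere in this change.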
For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). ## Before you begin
-If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
+If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings won't be applied successfully.
For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](/mem/intune/enrollment/device-enrollment).
For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThr
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint. ## Offboard and monitor devices using Mobile Device Management tools
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you'll be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. + 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/): 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
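Review bot: as in the Group Policy offboarding section on this page, the `+` line keeps "packages expiry date" (should be "package's expiry date") and mid-sentence "Offboard" (should be "offboard"). Since the sentence is being edited anyway, fix both here rather than leaving the three copies of this sentence to drift apart.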
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
-Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft 365 Defender and better protect your organization's network.
+Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft 365 Defender and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Defender for Endpoint for the integration to work. For more information, see: - [Microsoft Defender for Endpoint on Linux system requirements](microsoft-defender-endpoint-linux.md#system-requirements)
You'll need to take the following steps to onboard non-Windows devices:
- For macOS devices, you can choose to onboard through Microsoft Defender for Endpoint or through a third-party solution. For more information, see [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac).
- - For other non-Windows devices, choose **Onboard non-Windows devices through third-party integration**.
- 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
- 2. In the **Partner Applications** tab, select the partner that supports your non-Windows devices.
- 3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page.
- 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it is aligned with the service that you require.
-
+ - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
+ 1. In the navigation pane, select **Partners and APIs** > **Partner Applications** . Make sure the third-party solution is listed.
+ 2. In the **Partner Applications** page, select the partner that supports your non-Windows devices.
+ 3. Click **View** to open the partner's page. Follow the instructions provided on the page.
+ 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
2. Run a detection test by following the instructions of the third-party solution. ## Offboard non-Windows devices
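Review bot: two small regressions in the `+` lines of the third-party onboarding steps: the first bullet lost the comma after "devices" ("For other non-Windows devices choose ..." should be "For other non-Windows devices, choose ..."), and step 1 has a stray space before the period ("**Partners and APIs** > **Partner Applications** ."). Also, the rewritten step 3 says "Click **View**" while steps 1 and 2 and the other navigation steps on this page use "select"; "Select **View**" would match.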
-1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender for Endpoint.
+1. Follow the third party's documentation to disconnect the third-party solution from Microsoft Defender for Endpoint.
2. Remove permissions for the third-party solution in your Azure AD tenant. 1. Sign in to the [Azure portal](https://portal.azure.com).
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
Starting in Configuration Manager version 2002, you can onboard the following op
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint. - 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/): 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
>[!TIP] > After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). >
-> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program.
+> Note that it's possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program.
> If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change. > > This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1.
If you use Microsoft Endpoint Manager current branch, see [Create an offboarding
### Offboard devices using System Center 2012 R2 Configuration Manager + 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/): 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
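Review bot: the `+` line only contracts "it is" to "it's", but the tip block it belongs to still reads "verify that an device is properly onboarded" in the visible context, the same typo that is fixed in the local-script onboarding topic further down this page ("verify that a device is properly onboarded"). Fix it here in the same commit.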
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
ms.technology: mde + # Onboard the Windows 10 devices using a local script [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
For information on how you can manually validate that the device is compliant an
>[!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md).
+> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md).
## Configure sample collection settings For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
The default value in case the registry key doesnΓÇÖt exist is 1.
## Offboard devices using a local script
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
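Review bot: the `+` line fixes "an device" but, unlike the matching sentence in the Group Policy and MDM offboarding sections on this page, leaves "you will be" uncontracted, and keeps "packages expiry date" (should be "package's") and mid-sentence "Offboard" (should be "offboard"). Also, in the context just above this hunk, "The default value in case the registry key doesnΓÇÖt exist is 1." carries a mis-encoded apostrophe (doesnΓÇÖt); it should read "doesn't".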
- 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** >**Offboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
1. Select Windows 10 as the operating system.
Monitoring can also be done directly on the portal, or by using the different de
3. Verify that devices are appearing. - ## Related topics - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
ms.technology: mde
Defender for Endpoint supports non-persistent VDI session onboarding. - There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: -- Instant early onboarding of a short-lived sessions, which must be onboarded to Defender for Endpoint prior to the actual provisioning.
+- Instant early onboarding of a short-lived session, which must be onboarded to Defender for Endpoint prior to the actual provisioning.
- The device name is typically reused for new sessions. VDI devices can appear in Defender for Endpoint portal as either:
The following steps will guide you through onboarding VDI devices and will highl
2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
- 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.
+ 1. If you aren't implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.
- 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
+ 1. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
> [!NOTE] > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer.
The following steps will guide you through onboarding VDI devices and will highl
- For single entry for each device:
- Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There is no need to specify the other file, as it will be triggered automatically.
+ Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it will be triggered automatically.
- For multiple entries for each device:
The following steps will guide you through onboarding VDI devices and will highl
1. Create a pool with one device.
- 1. Logon to device.
+ 1. Log on to device.
- 1. Logoff from device.
+ 1. Log off from device.
- 1. Logon to device with another user.
+ 1. Log on to device with another user.
1. Depending on the method you'd like to implement, follow the appropriate steps:
-
- - For single entry for each device:
-
- Check only one entry in Microsoft 365 Defender.
- - For multiple entries for each device:
-
- Check multiple entries in Microsoft 365 Defender.
+ - For single entry for each device:
+
+ Check only one entry in Microsoft 365 Defender portal.
+
+ - For multiple entries for each device:
+
+ Check multiple entries in Microsoft 365 Defender portal.
6. Click **Devices list** on the Navigation pane.
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\
DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit ```
-For more information on DISM commands and offline servicing, please refer to the articles below:
+For more information on DISM commands and offline servicing, refer to the articles below:
- [Modify a Windows image using DISM](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) - [DISM Image Management Command-Line Options](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) - [Reduce the Size of the Component Store in an Offline Windows Image](/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
-If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
+If offline servicing isn't a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script).
If offline servicing is not a viable option for your non-persistent VDI environm
exit ```
-5. Re-seal the golden/master image as you normally would.
+5. Reseal the golden/master image as you normally would.
## Related topics - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
security Configure Machines Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md
ms.technology: mde
[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
-![Attack surface management card](images/secconmgmt_asr_card.png)<br>
+
+<br>
*Attack surface management card* The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to:
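Review bot: deleting the `![Attack surface management card]` image in this hunk leaves the added `<br>` line and the italic caption *Attack surface management card* with no image above them. Either remove the `<br>` and the caption together with the image, or replace the image with the `:::image type="content" source="..." alt-text="...":::` form that these docs use elsewhere on this page, so the caption still has something to describe.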
The *Attack surface management card* is an entry point to tools in Microsoft 365
* Review ASR detections and identify possible incorrect detections. * Analyze the impact of exclusions and generate the list of file paths to exclude.
-Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
+Select **Go to attack surface management** > **Reports** > **Attack surface reduction rules** > **Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)<br> The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
security Threat Protection Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md
The report is made up of cards that display the following alert attributes:
- **Classification & determination**: shows how you have classified alerts upon resolution, whether you have classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show the determination of resolved alerts, providing additional insight like the types of actual threats found or the legitimate activities that were incorrectly detected. -
-
- ## Filter data Use the provided filters to include or exclude alerts with certain attributes.
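Review bot: the second `-` line removes the `## Filter data` heading, so the filter instructions and the "For example, to show data about high-severity alerts only" steps now sit under the preceding alert-attribute cards section with no heading of their own. Unless a replacement heading is added elsewhere in this change, keep `## Filter data`.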
Use the provided filters to include or exclude alerts with certain attributes.
For example, to show data about high-severity alerts only:
-1. Under **Filters > Severity**, select **High**
+1. Under **Incidents & alerts** > **Alerts** > **Filters > Severity**, select **High**.
2. Ensure that all other options under **Severity** are deselected.
-3. Select **Apply**.
+3. Select **Apply**.
## Related topic - [Device health and compliance report](machine-reports.md)
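Review bot: the rewritten step 1 (`+1. Under **Incidents & alerts** > **Alerts** > **Filters > Severity**, select **High**.`) folds a portal navigation path into what was a filter-selection step and mixes two bold styles, with `**Filters > Severity**` bolded as one unit while the preceding segments are bolded individually. Consider a separate step for opening **Incidents & alerts** > **Alerts**, followed by `Under **Filters** > **Severity**, select **High**.` so the path and the filter stay distinct. The `-3. Select **Apply**.` / `+3. Select **Apply**.` pair shows no visible change, which suggests a whitespace-only edit worth checking for a stray trailing space.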
security Time Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md
Title: Microsoft Defender Security Center time zone settings
-description: Use the info contained here to configure the Microsoft Defender Security Center time zone settings and view license information.
+ Title: Microsoft 365 Defender time zone settings
+description: Use the info contained here to configure the Microsoft 365 Defender time zone settings and view license information.
keywords: settings, Microsoft Defender, cybersecurity threat intelligence, Microsoft Defender for Endpoint, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Microsoft Defender Security Center time zone settings
+# Microsoft 365 Defender time zone settings
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
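Review bot: in the front-matter hunk the original `Title:` line is shown unchanged while a second `Title:` line is added with a leading space (`+ Title: Microsoft 365 Defender time zone settings`). A duplicate or indented key breaks YAML front matter, so confirm that the old title line is actually removed in the committed change and that the new key starts in column 1, matching the unindented `description:` line added next to it.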
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
The Microsoft 365 security center is the new interface for monitoring and managi
In Microsoft 365 security center, we offer you a complete look at the current ASR rules configuration and events in your estate. Note that your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated. Here's a screenshot from the Microsoft 365 security center (under **Reports** > **Devices** > **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual ASR rule configuration. ## Microsoft Defender for Endpoint ΓÇô Advanced hunting
Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool tha
Through advanced hunting, it's possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event.
-ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft Defender Security Center. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule.
+ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft 365 Defender. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule.
:::image type="content" source="images/adv-hunt-querynew.png" alt-text="Advanced hunting query"::: With advanced hunting you can shape the queries to your liking, so that you can see what is happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment. ## Microsoft Defender for Endpoint machine timeline
-An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender for Endpoint machine timeline. You can view all the collected events of a device, for the past six months, in the Microsoft Defender Security Center, by going to the Machines list, select a given machine, and then click on the Timeline tab.
+An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender for Endpoint machine timeline. You can view all the collected events of a device, for the past six months, in the Microsoft 365 Defender, by going to the Machines list, select a given machine, and then click on the Timeline tab.
Pictured below is a screenshot of the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline. ## How to troubleshoot ASR rules?
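Review bot: the two `+` lines in this hunk replace "Microsoft Defender Security Center" with "Microsoft 365 Defender" but keep the definite article, producing "the advanced hunting section of the Microsoft 365 Defender" and "in the Microsoft 365 Defender, by going to the Machines list". Use "the Microsoft 365 Defender portal" in both places, which is the phrasing the other changes in this update use, or drop "the". The first sentence's tail ("that in this case it will be the actual codename of the ASR rule") is also pre-existing awkward wording that could be tidied while the line is being touched: "which in this case is the codename of the ASR rule".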
Here are a few other sources of information that Windows offers, to troubleshoot
One of the easiest ways to determine if ASR rules are already enabledΓÇöand, is through a PowerShell cmdlet, Get-MpPreference. Here's an example: There are multiple ASR rules active, with different configured actions.
ASR rule events can be viewed within the Windows Defender log.
To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. ## Microsoft Defender Malware Protection Logs You can also view rule events through the Microsoft Defender Antivirus dedicated command-line tool, called `*mpcmdrun.exe*`, that can be used to manage and configure, and automate tasks if needed.
Extract that archive and you'll have many files available for troubleshooting pu
The most relevant files are as follows: - **MPOperationalEvents.txt** - This file contains same level of information found in Event Viewer for Windows DefenderΓÇÖs Operational log.-- **MPRegistry.txt** ΓÇô In this file you will can analyze all the current Windows Defender configurations, from the moment the support logs were captured.
+- **MPRegistry.txt** ΓÇô In this file you can analyze all the current Windows Defender configurations, from the moment the support logs were captured.
- **MPLog.txt** ΓÇô This log contains more verbose information about all the actions/operations of the Windows Defender.
security Troubleshoot Mdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-mdatp.md
If you encounter a server error when trying to access the service, youΓÇÖll need
Configure your browser to allow cookies. ## Elements or data missing on the portal
-If some elements or data is missing on Microsoft Defender Security Center itΓÇÖs possible that proxy settings are blocking it.
+If some elements or data is missing on Microsoft 365 Defender itΓÇÖs possible that proxy settings are blocking it.
-Make sure that `*.securitycenter.windows.com` is included the proxy allowlist.
+Make sure that `*.security.microsoft.com` is included the proxy allowlist.
> [!NOTE]
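Review bot: the second `+` line, `Make sure that `*.security.microsoft.com` is included the proxy allowlist.`, carries over the missing preposition from the line it replaces; it should read "is included in the proxy allowlist". In the first `+` line, "missing on Microsoft 365 Defender" should be "missing in the Microsoft 365 Defender portal", since the sentence is about the web portal rather than the product.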
Support of use of comma as a separator in numbers are not supported. Regions whe
## Microsoft Defender for Endpoint tenant was automatically created in Europe When you use Azure Defender to monitor servers, a Microsoft Defender for Endpoint tenant is automatically created. The Microsoft Defender for Endpoint data is stored in Europe by default. ---- ## Related topics - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) - [Review events and errors using Event Viewer](event-error-codes.md)
security Troubleshoot Onboarding Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md
ms.technology: mde
This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender for Endpoint service.
-If you receive an error message, Microsoft Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
+If you receive an error message, Microsoft 365 Defender will provide a detailed explanation on what the issue is and relevant links will be supplied.
## No subscriptions found
-If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender for Endpoint license.
+If while accessing Microsoft 365 Defender you get a **No subscriptions found** message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender for Endpoint license.
Potential reasons: - The Windows E5 and Office E5 licenses are separate licenses.
For both cases, you should contact Microsoft support at [General Microsoft Defen
## Your subscription has expired
-If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender for Endpoint subscription, like any other online service subscription, has an expiration date.
+If while accessing Microsoft 365 Defender you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender for Endpoint subscription, like any other online service subscription, has an expiration date.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the device offboarding package, should you choose to not renew the license.
If the portal dashboard and other sections show an error message such as "Data c
![Image of data currently isn't available](images/atp-data-not-available.png)
-You'll need to allow the `securitycenter.windows.com` and all subdomains under it. For example, `*.securitycenter.windows.com`.
+You'll need to allow the `security.windows.com` and all subdomains under it. For example, `*.security.windows.com`.
## Portal communication issues
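Review bot: the `+` line in this hunk allowlists `security.windows.com` and `*.security.windows.com`, but the troubleshoot-mdatp change in this same update switches the allowlist entry to `*.security.microsoft.com`, and every portal URL on this page is `https://security.microsoft.com/`. The two changes disagree, and `security.windows.com` looks like a partial rename of the old `securitycenter.windows.com`; pick one domain and use it in both articles. Also drop "the" before the bare domain name ("allow `security.microsoft.com` and all subdomains under it").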
security Tvm Dashboard Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-dashboard-insights.md
Threat and vulnerability management is a component of Defender for Endpoint, and
- Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
-You can use the threat and vulnerability management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+You can use the threat and vulnerability management capability in [Microsoft 365 Defender portal](https://security.microsoft.com/) to:
- View you exposure score and Microsoft Secure Score for Devices, along with top security recommendations, software vulnerability, remediation activities, and exposed devices - Correlate EDR insights with endpoint vulnerabilities and process them
Watch this video for a quick overview of what is in the threat and vulnerability
## Threat and vulnerability management dashboard
- ![Microsoft Defender for Endpoint portal](images/tvm-dashboard-devices.png)
Area | Description :|:
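Review bot: the `+` line reads "capability in [Microsoft 365 Defender portal](https://security.microsoft.com/) to:", which needs "the" before the link now that the name ends in "portal". The unchanged context line directly below it, "View you exposure score and Microsoft Secure Score for Devices", has a pre-existing typo ("your") that could be fixed in the same change. The removed dashboard screenshot is not referenced by the surrounding text, so that deletion is fine.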
security Tvm Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exposure-score.md
ms.technology: mde
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Your exposure score is visible in the [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
+Your exposure score is visible in the [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft 365 Defender portal. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
- Quickly understand and identify high-level takeaways about the state of security in your organization. - Detect and respond to areas that require investigation or action to improve the current state.
security Tvm Hunt Exposed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-hunt-exposed-devices.md
Advanced hunting is a query-based threat-hunting tool that lets you explore up t
## Check which devices are involved in high severity alerts
-1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
+1. Go to **Hunting** > **Advanced hunting** from the left-hand navigation pane of the Microsoft 365 Defender portal.
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices.md
Forward Microsoft Defender for Endpoint signals, giving Microsoft Secure Score v
Changes might take up to a few hours to reflect in the dashboard. + 1. In the navigation pane, go to **Settings** > **Endpoints** > **General** > **Advanced features** 2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**.
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-prerequisites.md
ms.technology: mde
Ensure that your devices: - Are onboarded to Microsoft Defender for Endpoint+ - Run [supported operating systems and platforms](tvm-supported-os.md)+ - Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
-> Release | Security update KB number and link
-> :|:
-> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
-> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
-> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+ > Release | Security update KB number and link
+ > :|:
+ > Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+ > Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+ > Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+ > Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection-configure) to help remediate threats found by threat and vulnerability management. If you're using Configuration Manager, update your console to the latest version.
- - **Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
+
+ > [!NOTE]
+ > If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
+ - Have at least one security recommendation that can be viewed in the device page+ - Are tagged or marked as co-managed ## Relevant permission options
-1. Log in to Microsoft Defender Security Center using account with a Security administrator or Global administrator role assigned.
-2. In the navigation pane, select **Settings > Roles**.
+1. Log in to Microsoft 365 Defender portal using account with a Security administrator or Global administrator role assigned.
+2. In the navigation pane, select **Settings > Endpoints > Roles**.
-For more information, see [Create and manage roles for role-based access control](user-roles.md)
+For more information, see [Create and manage roles for role-based access control](user-roles.md).
### View data
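Review bot: the rewritten step `+1. Log in to Microsoft 365 Defender portal using account with a Security administrator or Global administrator role assigned.` is missing two articles and should read "Log in to the Microsoft 365 Defender portal using an account with ...". In the next step, `**Settings > Endpoints > Roles**` bolds the whole path as one unit, whereas the other navigation paths changed in this update (for example `**Settings** > **Endpoints** > **Device management** > **Offboarding**`) bold each segment separately; use `**Settings** > **Endpoints** > **Roles**` for consistency. The trailing `+ - Have at least one security recommendation ... ## Relevant permission options` line appears to run a list item and a heading together; check that the heading still starts on its own line in the committed file.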
security Tvm Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-remediation.md
The threat and vulnerability management capability in Microsoft Defender for End
### Enable Microsoft Intune connection
-To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
+To use this capability, enable your Microsoft Intune connections. In the Microsoft 365 Defender portal, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
**Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
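Review bot: the `+` line keeps the navigation path as `**Settings** > **General** > **Advanced features**`, but the tvm-microsoft-secure-score-devices change in this same update writes the path to the same toggle as `**Settings** > **Endpoints** > **General** > **Advanced features**`; the two should agree, and the **Endpoints** segment matches the other Microsoft 365 Defender portal paths on this page. The inline `**Note**:` sentence on the following context line is the same sentence that the tvm-prerequisites change converts to a `> [!NOTE]` block, so convert it here as well.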
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender fo
### Remediation request steps
-1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md).
+1. Go to the threat and **Vulnerability management** navigation menu in the Microsoft 365 Defender portal, and select **Recommendations** [**Security recommendations**](tvm-security-recommendation.md).
2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
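Review bot: the `+` line `Go to the threat and **Vulnerability management** navigation menu in the Microsoft 365 Defender portal, and select **Recommendations** [**Security recommendations**](tvm-security-recommendation.md).` is a half-finished rename: "threat and" is left over from the old "threat and vulnerability management" wording, and the new bold **Recommendations** sits next to the old **Security recommendations** link text. Suggested wording: "Go to the **Vulnerability management** navigation menu in the Microsoft 365 Defender portal, and select [**Recommendations**](tvm-security-recommendation.md)."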
When you submit a remediation request from the Security recommendations page, it
If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor. Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
-![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png)
+ >[!NOTE] > There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion.
Track who closed the remediation activity with the "Completed by" column on the
- **System confirmation**: The task was automatically completed (all devices remediated) - **N/A**: Information is not available because we don't know how this older task was completed
-![Created by and completed by columns with two rows. One row for completed by has example of an email, the other row says system confirmation.](images/tvm-completed-by.png)
### Top remediation activities in the dashboard
-View **Top remediation activities** in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
+View **Top remediation activities** in the [threat and **Vulnerability management** dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](images/tvm-remediation-activities-card.png)
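Review bot: the `+` line turns the link text into `[threat and **Vulnerability management** dashboard](tvm-dashboard-insights.md)`, which mixes bold into link text and keeps the stale "threat and" prefix; write it as `[Vulnerability management dashboard](tvm-dashboard-insights.md)` (or keep the unbolded original phrase if the dashboard has not been renamed). The removed "Created by / Completed by" screenshot was the only illustration of the **Completed by** column values listed just above it; if it is being dropped on purpose, the bullet list already carries the information, so the removal is acceptable.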
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-security-recommendation.md
Each security recommendation includes actionable remediation steps. To help with
Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. -- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+- **Threat**ΓÇöCharacteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
-- **Breach likelihood** - Your organization's security posture and resilience against threats
+- **Breach likelihood**ΓÇöYour organization's security posture and resilience against threats
-- **Business value** - Your organization's assets, critical processes, and intellectual properties
+- **Business value**ΓÇöYour organization's assets, critical processes, and intellectual properties
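Review bot: the three `+` lines switch the separator after each bold term to an em dash, but only the **Threat** item ends with a period while **Breach likelihood** and **Business value** do not; make the list punctuation consistent. The **Threat** line also carries over "your organizations' devices" from the original, which should be "your organization's devices".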
## Navigate to the Security recommendations page Access the Security recommendations page a few different ways: -- Threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Threat and vulnerability management navigation menu in the [Microsoft 365 Defender portal](portal-overview.md)
- Top security recommendations in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) View related security recommendations in the following places:
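Review bot: the `+` line keeps "Threat and vulnerability management navigation menu in the [Microsoft 365 Defender portal](portal-overview.md)", while the later hunk in this same file renames that menu to **Vulnerability management** and its entry to **Recommendations**. Use one name for the menu throughout the article, and add "the" before the portal link as the sentence now reads "in [Microsoft 365 Defender portal]".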
View related security recommendations in the following places:
### Navigation menu
-Go to the threat and vulnerability management navigation menu and select **Security recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.
+Go to the **Vulnerability management** navigation menu and select **Recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.
### Top security recommendations in the threat and vulnerability management dashboard
Useful icons also quickly call your attention to:
Select the security recommendation that you want to investigate or process.
-![Example of a security recommendation flyout page.](images/secrec-flyouteolsw.png)
From the flyout, you can choose any of the following options:
security Tvm Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-software-inventory.md
Since it's real time, in a matter of minutes, you'll see vulnerability informati
## Navigate to the Software inventory page
-Access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
+Access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft 365 Defender portal](portal-overview.md).
View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md).
The **Software inventory** page opens with a list of software installed in your
You can filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support.
-![Example of the landing page for software inventory.](images/tvm-software-inventory.png)
Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
Select the software that you want to investigate. A flyout panel will open with
Software that isn't currently supported by threat & vulnerability management may be present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section.
-![Unsupported software filter.](images/tvm-unsupported-software-filter.png)
-The following indicates that a software is not supported:
+The following indicates that software is not supported:
- Weaknesses field shows "Not available" - Exposed devices field shows a dash
Currently, products without a CPE are not shown in the software inventory page,
## Software inventory on devices
-From the Microsoft Defender Security Center navigation panel, go to the **[Devices list](machines-view-overview.md)**. Select the name of a device to open the device page (like Computer1), then select the **Software inventory** tab to see a list of all the known software present on the device. Select a specific software entry to open the flyout with more information.
+From the Microsoft 365 Defender portal navigation panel, go to the **[Device inventory](machines-view-overview.md)**. Select the name of a device to open the device page (like Computer1), then select the **Software inventory** tab to see a list of all the known software present on the device. Select a specific software entry to open the flyout with more information.
Software may be visible at the device level even if it is currently not supported by threat and vulnerability management. However, only limited data will be available. You'll know if software is unsupported because it will say "Not available" in the "Weakness" column.
-Software with no CPE can also show up under this device specific software inventory.
+Software with no CPE can also show up under this device-specific software inventory.
### Software evidence
See evidence of where we detected a specific software on a device from the regis
Select a software name to open the flyout, and look for the section called "Software Evidence."
-![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png)
## Software pages
You can view software pages a few different ways:
- Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices). ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png)
+ :::image type="content" alt-text="Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more." source="images/tvm-software-page-example.png" lightbox="images/tvm-software-page-example.png":::
## Report inaccuracy
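Review bot: Confirm that the old inline figure `![Software example page for Visual Studio 2017 ...](images/tvm-software-page-example.png)` at the end of the "Software version list" bullet was actually removed in this hunk; as rendered here it still sits on an unchanged line right above the new `:::image ... :::` directive, which would show the same screenshot twice. The other figure conversions in this change (for example the "Device page with details and response options" image) drop the Markdown image line when they add the directive, and this one should match.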
security Tvm Vulnerable Devices Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-vulnerable-devices-report.md
ms.technology: mde
The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
-Access the report in the Microsoft Defender Security Center by going to **Reports > Vulnerable devices**
+Access the report in the Microsoft 365 Defender portal by going to **Reports > Vulnerable devices**
There are two columns: - Trends (over time). Can show the past 30 days, 3 months, 6 months, or a custom date range.-- Today (current information)
+- Status (current information)
**Filter**: You can filter the data by vulnerability severity levels, exploit availability, vulnerability age, operating system platform, Windows 10 version, or device group.
There are two columns:
Each device is counted only once according to the most severe vulnerability found on that device.
-![One graph of current device vulnerability severity levels, and one graph showing levels over time.](images/tvm-report-severity.png)
## Exploit availability graphs Each device is counted only once based on the highest level of known exploit.
-![One graph of current device exploit availability, and one graph showing availability over time.](images/tvm-report-exploit-availability.png)
## Vulnerability age graphs Each device is counted only once under the oldest vulnerability publication date. Older vulnerabilities have a higher chance of being exploited.
-![One graph of current device vulnerability age, and one graph showing age over time.](images/tvm-report-age.png)
## Vulnerable devices by operating system platform graphs The number of devices on each operating system that are exposed due to software vulnerabilities.
-![One graph of current vulnerable devices by operating system platform, and one graph showing vulnerable devices by OS platforms over time.](images/tvm-report-os.png)
## Vulnerable devices by Windows 10 version graphs The number of devices on each Windows 10 version that are exposed due to vulnerable applications or OS.
-![One graph of current vulnerable devices by Windows 10 version, and one graph showing vulnerable devices by Windows 10 version over time.](images/tvm-report-version.png)
+![One graph of current vulnerable devices by Windows 10 version, and one graph showing vulnerable devices by Windows 10 version over time.](images/tvm-report-version.png)lightbox="images/tvm-report-version.png":::
## Related topics
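Review bot: The replacement line for the Windows 10 version graph is malformed: it keeps the Markdown image syntax `![One graph of current vulnerable devices by Windows 10 version ...](images/tvm-report-version.png)` and then appends `lightbox="images/tvm-report-version.png":::`, so it will render as the image followed by that attribute text literally. Use the same directive form as the other converted figures in this change: `:::image type="content" alt-text="One graph of current vulnerable devices by Windows 10 version, and one graph showing vulnerable devices by Windows 10 version over time." source="images/tvm-report-version.png" lightbox="images/tvm-report-version.png":::`.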
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-weaknesses.md
The **Weaknesses** page lists the software vulnerabilities your devices are expo
Access the Weaknesses page a few different ways: -- Selecting **Weaknesses** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Selecting **Weaknesses** from the **Vulnerability management** navigation menu in the [Microsoft 365 Defender portal] (portal-overview.md)
- Global search ### Navigation menu
-Go to the threat and vulnerability management navigation menu and select **Weaknesses** to open the list of CVEs.
+Go to the **Vulnerability management** navigation menu and select **Weaknesses** to open the list of CVEs.
### Vulnerabilities in global search
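Review bot: The new bullet has a space between `]` and `(` in `[Microsoft 365 Defender portal] (portal-overview.md)`, which breaks the link; Markdown renders the bracketed text literally followed by `(portal-overview.md)`. Remove the space: `[Microsoft 365 Defender portal](portal-overview.md)`, matching the `[Microsoft 365 Defender portal](portal-overview.md)` form used in the Software inventory article in this same change.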
CVEs for software that isn't currently supported by threat & vulnerability manag
Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section.
- ![Exposed devices filter.](images/tvm-exposed-devices-filter.png)
## View Common Vulnerabilities and Exposures (CVE) entries in other places
Exposed device information will not be available for CVEs with unsupported softw
![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png) 2. Select the software you want to investigate to go to a drilldown page.+ 3. Select the **Discovered vulnerabilities** tab.+ 4. Select the vulnerability you want to investigate for more information on vulnerability details ![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png)
Exposed device information will not be available for CVEs with unsupported softw
View related weaknesses information in the device page.
-1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens.
-2. In the **Devices list** page, select the device name that you want to investigate.
+1. Go to the Microsoft 365 Defender navigation menu bar, then select the device icon. The **Device inventory** page opens.
+
+2. In the **Device inventory** page, select the device name that you want to investigate.
![Device list with selected device to investigate.](images/tvm_machinetoinvestigate.png) 3. The device page will open with details and response options for the device you want to investigate.+ 4. Select **Discovered vulnerabilities**.
- ![Device page with details and response options.](images/tvm-discovered-vulnerabilities.png)
+ :::image type="content" alt-text="Device page with details and response options." source="images/tvm-discovered-vulnerabilities.png" lightbox="images/tvm-discovered-vulnerabilities.png":::
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
Similar to the software evidence, we now show the detection logic we applied on
The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, weΓÇÖll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS.
-![Detection Logic example which lists the software detected on the device and the KBs.](images/tvm-cve-detection-logic.png)
## Report inaccuracy
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities.md
Threat and vulnerability management will only display zero-day vulnerabilities i
## Find information about zero-day vulnerabilities
-Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center.
+Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft 365 Defender portal.
>[!NOTE] > 0-day vulnerability capability is currently available only for Windows products.
Look for the named zero-day vulnerability along with a description and details.
- If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like ΓÇ£TVM-XXXX-XXXXΓÇ¥. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
-![Zero day example for CVE-2020-17087 in weaknesses page.](images/tvm-zero-day-weakness-name.png)
### Software inventory page Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities.
-![Zero day example of Windows Server 2016 in the software inventory page.](images/tvm-zero-day-software-inventory.png)
### Software page Look for a zero-day tag for each software that has been affected by the zeroΓÇôday vulnerability.
-![Zero day example for Windows Server 2016 software page.](images/tvm-zero-day-software-page.png)
### Security recommendations page
View clear suggestions about remediation and mitigation options, including worka
If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities.
-![Zero day example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-security-recommendation.png)
## Addressing zero-day vulnerabilities
security User Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md
Title: Create and manage roles for role-based access control
-description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft Defender Security Center
+description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft 365 Defender
keywords: user roles, roles, access rbac search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
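Review bot: The rewritten front-matter description ends with "in the Microsoft 365 Defender", which leaves a dangling article; the other rewrites in this change consistently say "Microsoft 365 Defender portal". Suggest "... as part of the role-based access control implementation in the Microsoft 365 Defender portal".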
## Create roles and assign the role to an Azure Active Directory group
-The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
+The following steps guide you on how to create roles in Microsoft 365 Defender. It assumes that you have already created Azure Active Directory user groups.
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with a Security administrator or Global administrator role assigned.
+1. Log in to [Microsoft 365 Defender](https://security.microsoft.com/) using account with a Security administrator or Global administrator role assigned.
-2. In the navigation pane, select **Settings > Roles**.
+2. In the navigation pane, select **Settings** > **Endpoints** > **Roles** (under **Permissions**).
3. Select **Add item**.
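Review bot: The rewritten sign-in step "Log in to [Microsoft 365 Defender](https://security.microsoft.com/) using account with a Security administrator or Global administrator role assigned" is missing an article: "using an account with". The same wording is carried into the Edit roles and Delete roles steps below; since all three lines are being touched to change the portal name and URL, fix the grammar in all three.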
The following steps guide you on how to create roles in Microsoft Defender Secur
- **Live response capabilities** - **Basic** commands:
- - Start a live response session
- - Perform read only live response commands on remote device (excluding file copy and execution
+ - Start a live-response session
+ - Perform read-only live-response commands on remote device (excluding file copy and execution)
- **Advanced** commands: - Download a file from the remote device via live response - Download PE and non-PE files from the file page
For more information on the available commands, see [Investigate devices using L
## Edit roles
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
+1. Log in to [Microsoft 365 Defender](https://security.microsoft.com/) using account with Security administrator or Global administrator role assigned.
-2. In the navigation pane, select **Settings > Roles**.
+2. In the navigation pane, select **Settings** > **Endpoints** > **Roles** (under **Permissions**).
3. Select the role you'd like to edit.
For more information on the available commands, see [Investigate devices using L
## Delete roles
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
+1. Log in to [Microsoft 365 Defender](https://security.microsoft.com/) using account with Security administrator or Global administrator role assigned.
-2. In the navigation pane, select **Settings > Roles**.
+2. In the navigation pane, select **Settings** > **Endpoints** > **Roles** (under **Permissions**).
3. Select the role you'd like to delete.
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
The blocking experience for 3rd party supported browsers is provided by Network
Before trying out this feature, make sure you meet the following requirements: - Windows 10 Enterprise E5, Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 E3 + Microsoft 365 E5 Security add-on or the Microsoft Defender for Endpoint standalone license. -- Access to Microsoft Defender Security Center portal (https://securitycenter.windows.com).
+- Access to Microsoft 365 Defender portal (https://security.microsoft.com).
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. - Windows Defender SmartScreen and Network protection enabled.
Data is stored in the region that was selected as part of your [Microsoft Defend
## Turn on web content filtering
-From the left-hand navigation menu, select **Settings** > **General** > **Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
+From the left-hand navigation menu, select **Settings** > **Endpoints** > **General** > **Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
### Configure web content filtering policies
-Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to **Settings** > **Rules** > **Web content filtering**.
+Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to **Settings** > **Endpoints** > **Web content filtering** (under **Rules**).
Use the filter to locate policies that contain certain blocked categories or are applied to specific device groups.
To add a new policy:
It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
-1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**.
+1. Create a custom indicator in the Microsoft 365 Defender portal by going to **Settings** > **Endpoints** > **Indicators** > **URL/Domain** > **Add Item**.
2. Enter the domain of the site.
security Web Protection Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md
ms.technology: mde
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-Web protection lets you monitor your organizationΓÇÖs web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics.
+Web protection lets you monitor your organizationΓÇÖs web browsing security through reports under **Reports > Web protection** in the Microsoft 365 Defender portal. The report contains cards that provide web threat detection statistics.
- **Web threat protection detections over time** - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
- ![Image of the card showing web threats protection detections over time](images/wtp-blocks-over-time.png)
+ :::image type="content" alt-text="Image of the card showing web threats protection detections over time" source="images/wtp-blocks-over-time.png" lightbox="images/wtp-blocks-over-time.png":::
- **Web threat protection summary** - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites.
- ![Image of the card showing web threats protection summary](images/wtp-summary.png)
+ :::image type="content" alt-text="Image of the card showing web threats protection summary" source="images/wtp-summary.png" lightbox="images/wtp-summary.png":::
>[!Note] >It can take up to 12 hours before a block is reflected in the cards or the domain list.
security Web Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md
ms.technology: mde
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-Web protection in Microsoft Defender for Endpoint is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
+Web protection in Microsoft Defender for Endpoint is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft 365 Defender portal by going to **Reports > Web protection**.
-![Image of all web protection cards](images/web-protection.png)
## Web threat protection
security Eval Defender Promote To Production https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-promote-to-production.md
After successfully evaluating or piloting MDO, it can be promoted to your entire
5. Decommission any third-party SMTP gateways and disable or delete any EXO connectors associated with this relay. ## Microsoft Defender for Endpoint
-To promote Microsoft Defender for Endpoint evaluation environment from a pilot to production, simply onboard more endpoints to the service using any of the [supported tools and methods](/defender-endpoint/onboard-configure).
+To promote Microsoft Defender for Endpoint evaluation environment from a pilot to production, simply onboard more endpoints to the service using any of the [supported tools and methods](onboard-configure.md).
Use the following general guidelines to onboard more devices to Microsoft Defender for Endpoint.
-1. Verify that the device fulfills the [minimum requirements](/defender-endpoint/minimum-requirements).
+1. Verify that the device fulfills the [minimum requirements](minimum-requirements.md).
2. Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal. 3. Use the appropriate management tool and deployment method for your devices. 4. Run a detection test to verify that the devices are properly onboarded and reporting to the service.
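Review bot: The new relative links `onboard-configure.md` and `minimum-requirements.md` look wrong for this file's location. The article lives under `security/defender/` (see the file path in the heading), while the links being replaced were absolute paths into `/defender-endpoint/`, and the other articles in this change show the Defender for Endpoint topics under `security/defender-endpoint/`. A bare `onboard-configure.md` resolves to `security/defender/onboard-configure.md`; unless those topics were moved, the links should be `../defender-endpoint/onboard-configure.md` and `../defender-endpoint/minimum-requirements.md`. Please confirm both resolve in a build before merging.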
security About Defender For Office 365 Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md
Microsoft Defender for Office 365 safeguards your organization against malicious
- **Threat investigation and response capabilities**: Use leading-edge tools to investigate, understand, simulate, and prevent threats. - **Automated investigation and response capabilities**: Save time and effort investigating and mitigating threats.
-A Microsoft Defender for Office 365 trial is the easiest way to try the capabilities of Defender for Office 365, and setting it up only takes a couple of clicks. After the trial setup is complete, all Defender for Office 365 Plan 1 and Plan 2 capabilities are available in the organization for up to 90 days.
+A Microsoft Defender for Office 365 trial is the easiest way to try the capabilities of Defender for Office 365, and setting it up only takes a couple of clicks. After the trial setup is complete, all Defender for Office 365 Plan 1 and Plan 2 capabilities are available in the organization for up to 90 days. These high level features are described in the following list:
+
+<br>
+
+****
+
+|Feature|Description|
+|||
+|[Exclusive settings in anti-phishing policies](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)|Get user impersonation protection, domain impersonation protection, mailbox intelligence, and advanced phishing thresholds.|
+|[Safe Attachments](safe-attachments.md)|Inspect email attachments and other files in a controlled detonation environment to catch new and evasive malware.|
+|[Safe Links](safe-links.md)|Perform time-of-click checks to ensure URLs that might have passed initial inspection have not been weaponized.|
+|[Threat Trackers](threat-trackers.md)<sup>\*</sup>|Use informative widgets and views to identify cybersecurity issues that might impact your organization.|
+|[Threat Explorer](threat-explorer.md)<sup>\*</sup>|Hunt with near real-time information about threats in your Office 365 email.|
+|[Automated investigation and response (AIR)](office-365-air.md)<sup>\*</sup>|Automatically locate and remediate threat objects as alerts are triggered.|
+|[Attack simulation training](attack-simulation-training.md)<sup>\*</sup>|Train your users to identify phishing attacks and respond appropriately.|
+|[Campaign Views](campaigns.md)<sup>\*</sup>|Investigate and respond to large-scale malicious email activity.|
+|[Reports using Defender for Office 365 capabilities](view-reports-for-mdo.md)|View reports including threat protection status, URL threat protection, mail latency, and more.|
+
+<sup>\*</sup> Defender for Office 365 Plan 2 features that are available as part of the trial.
> [!NOTE]
-> The automated configuration that's described in this article is currently in Public Preview and might not be available in your location.
+> The automated configuration that's described in this article is currently in Public Preview and might not be available in your organization.
## Terms and conditions
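Review bot: In the added lead-in "These high level features are described in the following list", "high level" is a compound modifier and should be "high-level", and what follows is a table rather than a list, so "in the following table" is more accurate. The table content itself is consistent with the linked topics, and marking the Plan 2 features with `<sup>*</sup>` and a footnote reads clearly.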
Rich simulation and training capabilities along with integrated experiences with
- [Get started using Attack simulation training](attack-simulation-training-get-started.md)
-### Secure posture
+### Security posture
Recommended templates and configuration insights help customers get and stay secure.
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
The following impersonation settings are only available in anti-phishing policie
- **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered** -- **Add trusted senders and domains**: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the action for protected senders, protected domains, or mailbox intelligence protection aren't applied to these trusted senders or sender domains. The maximum limit for these lists is approximately 1000 entries.
+- **Add trusted senders and domains**: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the action for protected senders, protected domains, or mailbox intelligence protection aren't applied to these trusted senders or sender domains. The maximum limit for these lists is 1024 entries.
### Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365
test-base Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/overview.md
Title: 'Overview'
-description: Understanding TEst Base
+description: Understanding Test Base
search.appverid: MET150
With Test Base, SVs are provided with more visibility into potential issues that
This new service will help SVs make testing efforts simpler and more efficient. Enterprise customers will benefit from SV and Microsoft testing together in a collaborative environment and gain more confidence that their applications will work as expected.
-### Advantages Test Base offers Eenterprises and their SV partners include:
+### Advantages Test Base offers Enterprises and their SV partners include:
* Faster rollout of security updates to secure your devices; * Lowered update validation costs by hosting the OS changes and application in the same environment;
- * World-class intelligence report from Microsoft about your apps (code coverage, API impact analysis etc.);
+ * World-class intelligence report from Microsoft about your apps (code coverage, API impact analysis, and so on);
* Microsoft's expertise in shifting test content and harnesses to Azure.
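Review bot: The heading "### Advantages Test Base offers Enterprises and their SV partners include:" still reads as a sentence fragment and capitalizes "Enterprises" mid-heading; since the typo fix already touches this line, suggest "### Advantages Test Base offers enterprises and their SV partners" and drop the trailing "include:", letting the bullet list stand on its own.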
This guide is divided into four (4) parts to ensure a hitch free experience whil
1. The **Overview** which provides detailed, step-by-step guidelines on how to upload your application via our self-serve onboarding portal.
-2. The **Quickstarts** section which provides information on the format for the zippped folder structure and what you need to know when preparing your test scripts.
+2. The **Quickstarts** section, which provides information on the format for the zipped folder structure and what you need to know when preparing your test scripts.
3. The **How-to guide** which provides detailed outline on how to use Test Base to infer test results.
This means anyone with a valid enterprise Azure account is able to onboard their
### Who should onboard?
-We are encouraging all Software Vendors (SVs), System Integrators (SIs) to onboard their applications, binaries and test scripts onto the service.
+We're encouraging all Software Vendors (SVs), System Integrators (SIs) to onboard their applications, binaries, and test scripts onto the service.
## Next steps
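Review bot: The rewritten sentence lists "Software Vendors (SVs), System Integrators (SIs)" without a conjunction, so it reads as a truncated list. Suggest "We're encouraging all Software Vendors (SVs) and System Integrators (SIs) to onboard their applications, binaries, and test scripts onto the service."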