Updates from: 08/03/2022 01:34:43
Category Microsoft Docs article Related commit history on GitHub Change details
index Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/business-assist-api/index.md
+# Welcome to business-assist-api!
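Review bot: the new business-assist-api/index.md is a single heading, `+# Welcome to business-assist-api!`, with no front matter (title, description, date) and no body, so it will publish as an empty placeholder page under the public branch. Either add the metadata block and at least a one-paragraph description of what the Business Assist API is and where its reference lives, or hold the file back until that content exists.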
index Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/index.md
- Title: Defender Threat Intelligence
-description: Defender Threat Intelligence
------
-# Welcome to Defender-Threat-Intelligence!
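Review bot: this hunk deletes the placeholder defender/index.md (`-# Welcome to Defender-Threat-Intelligence!`) but nothing visible in the change set adds a replacement file or a redirect for that path. Check the TOC and any page that links to `defender/index.md`; if the intended landing page is now `defender/threat-intelligence/index.md`, add a redirect entry for the old URL so it does not 404 after publish.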
threat-intelligence Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/index.md
+
+ Title: 'What is Microsoft Defender Threat Intelligence (Defender TI)?'
+description: 'In this overview article, learn about the main features that come with Microsoft Defender Threat Intelligence (Defender TI).'
++++ Last updated : 08/02/2022+ Title: Defender Threat Intelligence
-description: Defender Threat Intelligence
-----
-# Welcome to Defender-Threat-Intelligence!
+# What is Microsoft Defender Threat Intelligence (Defender TI)?
+
+Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. Analysts spend a significant amount of time on data discovery, collection, and parsing, instead of focusing on what actually helps their organization defend themselves--deriving insights about the actors through analysis and correlation.?
+
+Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and donΓÇÖt always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure.
+
+Interacting with these data sets can be cumbersome and pivoting between these repositories is time-consuming, draining the resources of security operations groups that constantly need to re-prioritize their response efforts.
+
+Cyber Threat Intelligence Analysts struggle with balancing a breadth of threat intelligence ingestion with the analysis of which threat intelligence poses the biggest threats to their organization and/or industry.
+
+In the same breadth, Vulnerability Intelligence Analysts battle correlating their asset inventory with CVE information to prioritize the investigation and remediation of the most critical vulnerabilities associated with their organization.
+
+MicrosoftΓÇÖs goal is to re-imagine the analyst workflow by developing a platform, Defender TI, that aggregates and enriches critical data sources and displays data in an innovative, easy to use interface to correlate when indicators are linked to articles and vulnerabilities, infrastructure chain together indicators of compromise (IOCs), and collaborate on investigations with fellow Defender TI licensed users within their tenant. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a Threat Analysis & Intelligence Platform that allows for accurate and timely assessments of alerting is important.
+
+Below is a screenshot of Defender TIΓÇÖs Threat Intelligence Home Page. Analysts can quickly scan new featured articles as well as begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, artifact or CVE-ID search.
+
+![TI Overview Edge Screenshot](media/tiOverviewEdgeScreenshot.png)
+
+## Defender TI articles
+Articles are narratives by Microsoft that provide insight into threat actors, tooling, attacks, and vulnerabilities. Defender TI featured and articles are not blog posts about threat intelligence; while they summarize different threats, they also link to actionable content and key indicators of compromise to help users take action. By including this technical information in the threat summaries, we enable users to continually track threat actors, tooling, attacks, and vulnerabilities as they change.
+
+## Featured articles
+
+The featured article section of the Defender TI Threat Intelligence Home Page (right below the search bar) shows you the featured Microsoft content:
+
+![TI Overview Featured Articles](media/tiOverviewFeaturedArticles.png)
+
+Clicking the article takes you to the underlying article content. The article synopsis gives the user a quick understanding of the article. The Indicators call-out shows how many Public and Defender TI indicators are associated with the article.
+
+![TI Overview Featured Article](media/tiOverviewFeaturedArticle.png)
+
+## Articles
+
+All articles (including featured articles) are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by their creation date (descending):
+
+![TI Overview Articles](media/tiOverviewArticles.png)
+
+## Article descriptions
+
+The description section of the article detail screen contains information about the attack or attacker profiled. The content can range from very short (in the case of OSINT bulletins) or quite long (for long-form reporting ΓÇô especially when Microsoft has augmented the report with content). The longer descriptions may contain images, links to the underlying content, links to searches within Defender TI, attacker code snippets, and firewall rules to block the attack:
+
+![TI Overview Article Description](media/tiOverviewArticleDescription.png)
+
+## Public indicators
+
+The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources (e.g., VirusTotal for hashes).
+
+![TI Overview Article Public Indicators](media/tiOverviewArticlePublicIndicators.png)
+
+## Defender TI indicators
+
+The Defender TI indicators section covers the indicators that Defender TIΓÇÖs research team has found and added to the articles.
+
+These links also pivot into the relevant Defender TI data or the corresponding external source.
+
+![TI Overview Article Defender TI Indicators](media/tiOverviewArticleDefenderTiIndicators.png)
+
+## Vulnerability articles
+
+Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.
+
+Vulnerability Articles provide key context behind CVEs of interest. Each article contains a description of the CVE, a list of affected components, tailored mitigation procedures and strategies, related intelligence articles, references in Deep & Dark Web chatter, and other key observations. These articles provide deeper context and actionable insights behind each CVE, enabling users to more quickly understand these vulnerabilities and quickly mitigate them.
+
+Vulnerability Articles also include a Defender TI Priority Score and severity indicator. The Defender TI Priority Score is a unique algorithm which reflects the priority of a CVE based on the CVSS score, exploits, chatter, and linkage to malware. Furthermore, the Defender TI Priority Score evaluates the recency of these components so users can understand which CVEs should be remediated first.
+
+## Reputation scoring
+
+Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities, such as First and Last Seen timestamps, ASN, country, associated infrastructure, and a list of rules that impact the reputation score when applicable.
+
+![Reputation Summary Card](media/reputationSummaryCard.png)
+
+IP reputation data is important to understanding the trustworthiness of your own attack surface and is also useful when assessing unknown hosts, domains or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity, or other known indicators of compromise that should be considered.
+
+For more information, see [Reputation scoring](reputation-scoring.md).
+
+## Analyst insights
+
+Analyst insights distill MicrosoftΓÇÖs vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels.
+
+Insights are meant to be small facts or observations about a domain or IP address and provide Defender TI users with the ability to make an assessment about the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.
+
+For more information, see [Analyst insights](analyst-insights.md).
+
+![Summary Tab Analyst Insights](media/summaryTabAnalystInsights.png)
+
+## Data sets
+Microsoft centralizes numerous data sets into a single platform, Defender TI, making it easier for MicrosoftΓÇÖs community and customers to conduct infrastructure analysis. MicrosoftΓÇÖs primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.
+
+Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.
+
+This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.
+
+For more information, see:
+
+- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)
+- [Data sets](data-sets.md)
+
+![ti Overview Data Sets](media/tiOverviewDataSets.png)
+
+## Tags
+
+Defender TI tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.
+
+The Defender TI platform offers two types of tags: system tags and custom tags.
+
+For more information, see [Using tags](using-tags.md).
+
+![Tags Custom](media/tagsCustom.png)
+
+## Projects
+
+MicrosoftΓÇÖs Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, and collaborators.
+
+When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can see a link to the project from the Projects sections in the Summary tab as well as Data tab. From here, the user can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. This helps analysts to avoid reinventing the wheel of an investigation one of their Defender TI tenant users may have already started or add onto that investigation by adding new artifacts (indicators of compromise) related to that project (if they have been added as a collaborator to the project).
+
+For more information, see [Using projects](using-projects.md).
+
+![Defender TI Overview Projects](media/defenderTIOverviewProjects.png)
+
+## Data residency, availability, and privacy
+
+Microsoft Defender Threat Intelligence contains both global data and customer-specific data. The underlying internet data is global Microsoft data; labels applied by customers are considered customer data. All customer data is stored in the region of the customerΓÇÖs choosing.
+
+For security purposes, Microsoft collects users' IP addresses when they log in. This data is stored for up to 30 days but may be stored longer if needed to investigate potential fraudulent or malicious use of the product.
+
+In the case of a region down scenario, customers should see no downtime as Defender TI uses technologies that replicate data to a backup regions.
+
+Defender TI processes customer data. By default, customer data is replicated to the paired region.
+
+## Next steps
+
+For more information, see:
+
+- [Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations in your portal](learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md)
+- [Data sets](data-sets.md)
+- [Searching and pivoting](searching-and-pivoting.md)
+- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)
+- [Infrastructure chaining](infrastructure-chaining.md)
+- [Reputation scoring](reputation-scoring.md)
+- [Analyst insights](analyst-insights.md)
+- [Using projects](using-projects.md)
+- [Using tags](using-tags.md)
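Review bot: the Data residency section of the new index.md makes two statements that need reconciling: `All customer data is stored in the region of the customerΓÇÖs choosing.` and, four lines later, `By default, customer data is replicated to the paired region.` A reader assessing residency obligations needs to be told plainly that customer-labelled data (tags, projects, collaborators) also lives in the paired region and whether that paired region is guaranteed to be in the same geography; as written the two sentences read as contradictory. The same section says `customers should see no downtime as Defender TI uses technologies that replicate data to a backup regions` (should be `a backup region`). Copy errors elsewhere in the hunk: the stray `?` after `analysis and correlation.` in the opening paragraph; `itsΓÇÖ PDNS sensor network` (should be `its`); `Defender TI featured and articles are not blog posts` (missing the word `articles` after `featured`); `can range from very short ... or quite long` (should be `to quite long`); `In the same breadth` (should be `In the same vein`). Finally, the rendered front-matter line `++++ Last updated : 08/02/2022+ Title: Defender Threat Intelligence` shows the new date run together with the old title; confirm the YAML block in the file has separate, well-formed `title`, `description` and date keys.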
threat-intelligence Infrastructure Chaining https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/infrastructure-chaining.md
We see attack campaigns employ a wide array of obfuscation techniques such as si
An adversaryΓÇÖs outside-in perspective enables them to take advantage of your continually expanding web and mobile presence that operates outside of your firewall.
-Approaching and interacting with the web and mobile properties as a real user enables MicrosoftΓÇÖs crawling, scanning, and machine-learning technology to disarm adversariesΓÇÖ evasion techniques by collecting user session data, detecting phishing, malware, rogue apps, unwanted content, and domain infringement at scale. This helps deliver actionable, event-based threat alerts and workflows in the form of [threat intelligence](what-is-microsoft-defender-threat-intelligence-defender-tI.md), [system tags](using-tags.md), [analyst insights](analyst-insights.md), and [reputation scores](reputation-scoring.md) associated with adversariesΓÇÖ infrastructure.
+Approaching and interacting with the web and mobile properties as a real user enables MicrosoftΓÇÖs crawling, scanning, and machine-learning technology to disarm adversariesΓÇÖ evasion techniques by collecting user session data, detecting phishing, malware, rogue apps, unwanted content, and domain infringement at scale. This helps deliver actionable, event-based threat alerts and workflows in the form of [threat intelligence](index.md), [system tags](using-tags.md), [analyst insights](analyst-insights.md), and [reputation scores](reputation-scoring.md) associated with adversariesΓÇÖ infrastructure.
As more threat data becomes available, more tools, education, and effort are required for analysts to understand the data sets and their corresponding threats. Microsoft Defender Threat Intelligence (Defender TI) unifies these efforts by providing a single view into multiple data sources. ## Next steps
-For more information, see [Tutorial: Gathering threat intelligence and infrastructure chaining](gathering-threat-intelligence-and-infrastructure-chaining.md).
+For more information, see [Tutorial: Gathering threat intelligence and infrastructure chaining](gathering-threat-intelligence-and-infrastructure-chaining.md).
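Review bot: the `-`/`+` pair at the end of this hunk, `For more information, see [Tutorial: Gathering threat intelligence and infrastructure chaining](gathering-threat-intelligence-and-infrastructure-chaining.md).`, is identical as rendered, so that change is whitespace or line-ending only; confirm it is deliberate (for example CRLF normalisation) rather than an editor side effect, since it adds noise to blame history. The substantive change, retargeting the `[threat intelligence]` link from `what-is-microsoft-defender-threat-intelligence-defender-tI.md` to `index.md`, is correct given the rename; note the old target used a capital `I` in `-tI.md`, so a redirect for exactly that spelling should accompany the rename.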
threat-intelligence Learn How To Access Microsoft Defender Threat Intelligence And Make Customizations In Your Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md
There are no resources to clean up in this section.
For more information, see:
-[ΓÇÿWhat is Microsoft Defender Threat Intelligence (Defender TI)?ΓÇÖ](what-is-microsoft-defender-threat-intelligence-defender-tI.md)
+[ΓÇÿWhat is Microsoft Defender Threat Intelligence (Defender TI)?ΓÇÖ](index.md)
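Review bot: the `+` line keeps the quotation marks inside the link text (`[ΓÇÿWhat is Microsoft Defender Threat Intelligence (Defender TI)?ΓÇÖ](index.md)`), so the rendered link shows the page title in quotes, unlike the other pages in this change set which use the bare title. Drop the quotes for consistency; the retarget from `-tI.md` to `index.md` itself is fine.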
threat-intelligence Searching And Pivoting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/searching-and-pivoting.md
For more information, see [Analyst insights](analyst-insights.md).
The Articles section displays any articles that may provide insight on how to best investigate and ultimately disarm the impacted artifact. These articles are written by researchers who study the behavior of known threat actors and their infrastructure, surfacing key findings that can help others mitigate risk to their organization. In this example, the searched IP Address has been identified as an IOC that relates to the findings within the article.
-For more information, see [What is Microsoft Defender Threat Intelligence (Defender TI)?](what-is-microsoft-defender-threat-intelligence-defender-tI.md)
+For more information, see [What is Microsoft Defender Threat Intelligence (Defender TI)?](index.md)
![Summary Tab Articles](media/summaryTabArticles.png)
The intelligence section highlights any curated insights in the Defender TI plat
The Articles section displays any articles that may provide insight on how to best investigate and ultimately disarm the impacted artifact. These articles are written by researchers who study the behavior of known threat actors and their infrastructure, surfacing key findings that can help others mitigate risk to their organization. In this example, the searched IP Address has been identified as an IOC that relates to the findings within the article.
-For more information, see [What is Microsoft Defender Threat Intelligence (Defender TI)?](what-is-microsoft-defender-threat-intelligence-defender-tI.md)
+For more information, see [What is Microsoft Defender Threat Intelligence (Defender TI)?](index.md)
![Data Tab Intelligence Articles](media/dataTabIntelligenceArticles.png)
For more information, see:
- [Data sets](data-sets.md) - [Reputation scoring](reputation-scoring.md) - [Analyst insights](analyst-insights.md)-- [What is Microsoft Defender Threat Intelligence (Defender TI)?](what-is-microsoft-defender-threat-intelligence-defender-tI.md)-- [Using projects](using-projects.md)
+- [What is Microsoft Defender Threat Intelligence (Defender TI)?](index.md)
+- [Using projects](using-projects.md)
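Review bot: the paragraph beginning `The Articles section displays any articles that may provide insight on how to best investigate and ultimately disarm the impacted artifact.` appears twice verbatim in this file, once under the Summary tab and once under the Data tab, each followed by the same retargeted link. Since the hunk touches both copies anyway, consider keeping the explanation in one place and having the second location point at it; duplicated text drifts. The three `-tI.md` to `index.md` link retargets are correct, and splitting the flattened `- [What is ...]` and `- [Using projects]` items onto their own lines fixes the rendered bullet list.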
threat-intelligence Using Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/using-tags.md
LetΓÇÖs say a triage analyst investigates an incident and finds that it is relat
For more information, see: -- [What is Microsoft Defender Threat Intelligence (Defender TI)?](what-is-microsoft-defender-threat-intelligence-defender-tI.md)
+- [What is Microsoft Defender Threat Intelligence (Defender TI)?](index.md)
- [Data sets](data-sets.md) - [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md) - [Reputation scoring](reputation-scoring.md) - [Analyst insights](analyst-insights.md)-- [Using projects](using-projects.md)
+- [Using projects](using-projects.md)
threat-intelligence What Is Microsoft Defender Threat Intelligence Defender Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-tI.md
-
Title: 'What is Microsoft Defender Threat Intelligence (Defender TI)?'
-description: 'In this overview article, learn about the main features that come with Microsoft Defender Threat Intelligence (Defender TI).'
---- Previously updated : 08/02/2022---
-# What is Microsoft Defender Threat Intelligence (Defender TI)?
-
-Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. Analysts spend a significant amount of time on data discovery, collection, and parsing, instead of focusing on what actually helps their organization defend themselves--deriving insights about the actors through analysis and correlation.?
-
-Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and donΓÇÖt always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure.
-
-Interacting with these data sets can be cumbersome and pivoting between these repositories is time-consuming, draining the resources of security operations groups that constantly need to re-prioritize their response efforts.
-
-Cyber Threat Intelligence Analysts struggle with balancing a breadth of threat intelligence ingestion with the analysis of which threat intelligence poses the biggest threats to their organization and/or industry.
-
-In the same breadth, Vulnerability Intelligence Analysts battle correlating their asset inventory with CVE information to prioritize the investigation and remediation of the most critical vulnerabilities associated with their organization.
-
-MicrosoftΓÇÖs goal is to re-imagine the analyst workflow by developing a platform, Defender TI, that aggregates and enriches critical data sources and displays data in an innovative, easy to use interface to correlate when indicators are linked to articles and vulnerabilities, infrastructure chain together indicators of compromise (IOCs), and collaborate on investigations with fellow Defender TI licensed users within their tenant. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a Threat Analysis & Intelligence Platform that allows for accurate and timely assessments of alerting is important.
-
-Below is a screenshot of Defender TIΓÇÖs Threat Intelligence Home Page. Analysts can quickly scan new featured articles as well as begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, artifact or CVE-ID search.
-
-![TI Overview Edge Screenshot](media/tiOverviewEdgeScreenshot.png)
-
-## Defender TI articles
-Articles are narratives by Microsoft that provide insight into threat actors, tooling, attacks, and vulnerabilities. Defender TI featured and articles are not blog posts about threat intelligence; while they summarize different threats, they also link to actionable content and key indicators of compromise to help users take action. By including this technical information in the threat summaries, we enable users to continually track threat actors, tooling, attacks, and vulnerabilities as they change.
-
-## Featured articles
-
-The featured article section of the Defender TI Threat Intelligence Home Page (right below the search bar) shows you the featured Microsoft content:
-
-![TI Overview Featured Articles](media/tiOverviewFeaturedArticles.png)
-
-Clicking the article takes you to the underlying article content. The article synopsis gives the user a quick understanding of the article. The Indicators call-out shows how many Public and Defender TI indicators are associated with the article.
-
-![TI Overview Featured Article](media/tiOverviewFeaturedArticle.png)
-
-## Articles
-
-All articles (including featured articles) are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by their creation date (descending):
-
-![TI Overview Articles](media/tiOverviewArticles.png)
-
-## Article descriptions
-
-The description section of the article detail screen contains information about the attack or attacker profiled. The content can range from very short (in the case of OSINT bulletins) or quite long (for long-form reporting ΓÇô especially when Microsoft has augmented the report with content). The longer descriptions may contain images, links to the underlying content, links to searches within Defender TI, attacker code snippets, and firewall rules to block the attack:
-
-![TI Overview Article Description](media/tiOverviewArticleDescription.png)
-
-## Public indicators
-
-The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources (e.g., VirusTotal for hashes).
-
-![TI Overview Article Public Indicators](media/tiOverviewArticlePublicIndicators.png)
-
-## Defender TI indicators
-
-The Defender TI indicators section covers the indicators that Defender TIΓÇÖs research team has found and added to the articles.
-
-These links also pivot into the relevant Defender TI data or the corresponding external source.
-
-![TI Overview Article Defender TI Indicators](media/tiOverviewArticleDefenderTiIndicators.png)
-
-## Vulnerability articles
-
-Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.
-
-Vulnerability Articles provide key context behind CVEs of interest. Each article contains a description of the CVE, a list of affected components, tailored mitigation procedures and strategies, related intelligence articles, references in Deep & Dark Web chatter, and other key observations. These articles provide deeper context and actionable insights behind each CVE, enabling users to more quickly understand these vulnerabilities and quickly mitigate them.
-
-Vulnerability Articles also include a Defender TI Priority Score and severity indicator. The Defender TI Priority Score is a unique algorithm which reflects the priority of a CVE based on the CVSS score, exploits, chatter, and linkage to malware. Furthermore, the Defender TI Priority Score evaluates the recency of these components so users can understand which CVEs should be remediated first.
-
-## Reputation scoring
-
-Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities, such as First and Last Seen timestamps, ASN, country, associated infrastructure, and a list of rules that impact the reputation score when applicable.
-
-![Reputation Summary Card](media/reputationSummaryCard.png)
-
-IP reputation data is important to understanding the trustworthiness of your own attack surface and is also useful when assessing unknown hosts, domains or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity, or other known indicators of compromise that should be considered.
-
-For more information, see [Reputation scoring](reputation-scoring.md).
-
-## Analyst insights
-
-Analyst insights distill MicrosoftΓÇÖs vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels.
-
-Insights are meant to be small facts or observations about a domain or IP address and provide Defender TI users with the ability to make an assessment about the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.
-
-For more information, see [Analyst insights](analyst-insights.md).
-
-![Summary Tab Analyst Insights](media/summaryTabAnalystInsights.png)
-
-## Data sets
-Microsoft centralizes numerous data sets into a single platform, Defender TI, making it easier for MicrosoftΓÇÖs community and customers to conduct infrastructure analysis. MicrosoftΓÇÖs primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.
-
-Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.
-
-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.
-
-For more information, see:
--- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)-- [Data sets](data-sets.md)-
-![ti Overview Data Sets](media/tiOverviewDataSets.png)
-
-## Tags
-
-Defender TI tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.
-
-The Defender TI platform offers two types of tags: system tags and custom tags.
-
-For more information, see [Using tags](using-tags.md).
-
-![Tags Custom](media/tagsCustom.png)
-
-## Projects
-
-MicrosoftΓÇÖs Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, and collaborators.
-
-When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can see a link to the project from the Projects sections in the Summary tab as well as Data tab. From here, the user can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. This helps analysts to avoid reinventing the wheel of an investigation one of their Defender TI tenant users may have already started or add onto that investigation by adding new artifacts (indicators of compromise) related to that project (if they have been added as a collaborator to the project).
-
-For more information, see [Using projects](using-projects.md).
-
-![Defender TI Overview Projects](media/defenderTIOverviewProjects.png)
-
-## Data residency, availability, and privacy
-
-Microsoft Defender Threat Intelligence contains both global data and customer-specific data. The underlying internet data is global Microsoft data; labels applied by customers are considered customer data. All customer data is stored in the region of the customerΓÇÖs choosing.
-
-For security purposes, Microsoft collects users' IP addresses when they log in. This data is stored for up to 30 days but may be stored longer if needed to investigate potential fraudulent or malicious use of the product.
-
-In the case of a region down scenario, customers should see no downtime as Defender TI uses technologies that replicate data to a backup regions.
-
-Defender TI processes customer data. By default, customer data is replicated to the paired region.
-
-## Next steps
-
-For more information, see:
--- [Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations in your portal](learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md)-- [Data sets](data-sets.md)-- [Searching and pivoting](searching-and-pivoting.md)-- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)-- [Infrastructure chaining](infrastructure-chaining.md)-- [Reputation scoring](reputation-scoring.md)-- [Analyst insights](analyst-insights.md)-- [Using projects](using-projects.md)-- [Using tags](using-tags.md)
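Review bot: the deleted "Data residency, availability, and privacy" section is the only place in this hunk that states the retention and residency commitments (login IP addresses kept for up to 30 days, customer data stored in the region of the customer's choosing and replicated to the paired region); confirm the replacement article carries those statements, otherwise the deletion silently drops documented privacy behaviour. If the text is copied forward, also fix "replicate data to a backup regions" (should be "a backup region").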
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
The table also indicates the Office 365 Enterprise and Office 365 US Government
| Default alert policy | Description | Category | Automated investigation | Enterprise subscription | |:--|:--|:--|:--|:--|
+|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This alert is generated when a user clicks on a link and this event triggers a URL verdict change identification by Microsoft Defender for Office 365. This alert policy has a **High** severity setting For Defender for Office 365 P2, E5, G5 customers. This alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
|**A user clicked through to a potentially malicious URL**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This event is triggered when user clicks on a URL (which is identified as malicious or pending validation) and overrides the Safe Links warning page (based on your organization's Microsoft 365 for business Safe Links policy) to continue to the URL hosted page / content. This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://compliance.microsoft.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Informational** severity setting.|Threat management|No|E1/F1, E3/F3, or E5| |**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. 
For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
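Review bot: the added row for "A potentially malicious URL click was detected" is missing punctuation in "This alert policy has a **High** severity setting For Defender for Office 365 P2, E5, G5 customers. This alert automatically triggers ..."; match the wording of the next row: "This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers ...".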
compliance Detailed Properties In The Office 365 Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log.md
The following table describes the properties that are included (depending on the
|UserDomain|Identity information about the tenant organization of the user (actor) who performed the action.|Azure Active Directory| |UserId|The user who performed the action (specified in the **Operation** property) that resulted in the record being logged. Audit records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included in the audit log. Another common value for the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. <br/><br/>For more information, see:<br/> [The app\@sharepoint user in audit records](search-the-audit-log-in-security-and-compliance.md#the-appsharepoint-user-in-audit-records)<br/> or <br/>[System accounts in Exchange mailbox audit records](search-the-audit-log-in-security-and-compliance.md#system-accounts-in-exchange-mailbox-audit-records). |All| |UserKey|An alternative ID for the user identified in the **UserID** property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint. This property also might specify the same value as the **UserID** property for events occurring in other services and events performed by system accounts.|All|
-|UserSharedWith|The user that a resource was shared with. This property is included if the value for the **Operation** property is **SharingSet**. This user is also listed in the **Shared with** column in the report.|SharePoint|
|UserType|The type of user that performed the operation. The following values indicate the user type. <br/> <br/> **0** - A regular user. <br/>**2** - An administrator in your Microsoft 365 organization.<sup>1</sup> <br/>**3** - A Microsoft datacenter administrator or datacenter system account. <br/>**4** - A system account. <br/>**5** - An application. <br/>**6** - A service principal.<br/>**7** - A custom policy.<br/>**8** - A system policy.|All| |Version|Indicates the version number of the activity (identified by the **Operation** property) that's logged.|All| |Workload|The Microsoft 365 service where the activity occurred.|All|
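Review bot: the UserSharedWith row (populated when **Operation** is **SharingSet**) is deleted with no replacement or pointer; if SharePoint SharingSet records still emit that property, anyone parsing audit exports loses its definition. Either say where the description moved or keep the row.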
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application versions required for each
|[Manually apply, change, or remove label](https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | Under review | |[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to new documents | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to existing documents | Preview: Rolling out to [Beta Channel](https://office.com/insider) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to existing documents | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider)) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
|[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
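Review bot: the added row's Windows column has an unbalanced parenthesis in "[Current Channel (Preview)](https://office.com/insider))"; the extra ")" will render as literal text after the link, so drop it.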
security Mdb View Tvm Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-tvm-dashboard.md
Title: View your Threat & Vulnerability Management dashboard in Microsoft Defender for Business
-description: Use your threat & Threat & Threat & Vulnerability Management dashboard to see important items to address in Defender for Business.
+description: Use your Threat & Vulnerability Management dashboard to see important items to address in Defender for Business.
search.appverid: MET150
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/02/2022 f1.keywords: NOCSH
# Use your vulnerability management dashboard in Microsoft Defender for Business
-Defender for Business includes a vulnerability management dashboard that is designed to save your security team time and effort. In addition to providing an exposure score, you can also view information about exposed devices and security recommendations. You can use your threat & vulnerability management dashboard to:
+Defender for Business includes a vulnerability management dashboard that is designed to save your security team time and effort. In addition to providing an exposure score, that dashboard enables you to view information about exposed devices and see relevant security recommendations. You can use your threat & vulnerability management dashboard to:
-- View your exposure score, which is associated with devices in your company-- View your top security recommendations, such as addressing impaired communications with devices, turning on firewall protection, or updating Microsoft Defender Antivirus definitions-- View remediation activities, such as any files that were sent to quarantine, or vulnerabilities found on devices
+- View your exposure score, which is associated with devices in your company.
+- View your top security recommendations, such as addressing impaired communications with devices, turning on firewall protection, or updating Microsoft Defender Antivirus definitions.
+- View remediation activities, such as any files that were sent to quarantine, or vulnerabilities found on devices.
+
+## Vulnerability management features and capabilities
+
+Vulnerability management features and capabilities in Microsoft Defender for Business include:
+
+- **Dashboard**: Provides information about vulnerabilities, exposure, and recommendations. You can see recent remediation activities, exposed devices, and ways to improve your company's overall security. Each card in the dashboard includes a link to more detailed information or to a page where you can take a recommended action.
+
+ :::image type="content" source="medivm-dashboard.png":::
+
+- **Recommendations**: Lists current security recommendations and related threat information to review and consider. When you select an item in the list, a flyout panel opens with more details about threats and actions you can take.
+
+- **Remediation**: Lists any remediation actions and their status. Remediation activities can include sending a file to quarantine, stopping a process from running, and blocking a detected threat from running. Remediation activities can also include updating a device, running an antivirus scan, and more.
+
+ :::image type="content" source="medivm-remediation.png":::
+
+- **Inventories**: Lists software and apps currently in use in your organization. You'll see browsers, operating systems, and other software on devices, along with identified weaknesses and threats.
+
+- **Weaknesses**: Lists vulnerabilities along with the number of exposed devices in your organization. If you see "0" in the Exposed devices column, you do not have to take any immediate action. However, you can learn more about each vulnerability listed on this page. Select an item to learn more about it and what you can do to mitigate the potential threat to your company.
+
+ :::image type="content" source="medivm-weakness-details.png":::
+
+- **Event timeline**: Lists vulnerabilities that affect your organization in a timeline view.
[Learn more about Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md). ## Next steps -- [Tutorials and simulations in Defender for Business](mdb-tutorials.md)
+- [Try tutorials and simulations in Defender for Business](mdb-tutorials.md)
- [Onboard devices to Defender for Business](mdb-onboard-devices.md) - [View or edit policies in Defender for Business](mdb-view-edit-create-policies.md)
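Review bot: the three added image directives (`:::image type="content" source="medivm-dashboard.png":::` and likewise for "medivm-remediation.png" and "medivm-weakness-details.png") carry no alt-text attribute, which the other image directive in this update set does include, and the source value "medivm-..." looks like a "media/" path with the separator lost; verify the files resolve at that path and add alt-text for each.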
security Android Configure Mam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md
Select **Setting > Max allowed device threat level** in **Device Conditions** an
6. Select **Continue** to log into the managed application.
+### Configure privacy controls
+Admins can use the following steps to enable privacy and not collect the domain name, app details and network information as part of the alert report for corresponding threats.
+1. In Microsoft Endpoint Manager admin center, go to **Apps > App configuration policies > Add > Managed apps**.
+
+2. Give the policy a **name**.
+
+3. Under the Select Public Apps, choose **Microsoft Defender for Endpoint** as the target app.
+
+4. In Settings page, under the General Configuration Settings add **DefenderExcludeURLInReport**, **DefenderExcludeAppInReport** as the keys and value as true.
+
+5. Assign this policy to users. By default, this value is set to false.
+
+6. Review and create the policy.
+
+## Optional permissions
+
+Microsoft Defender for Endpoint on Android enables Optional Permissions in the onboarding flow. Currently the permissions required by MDE are mandatory in the onboarding flow. With this feature, admin can deploy MDE on Android devices with MAM policies without enforcing the mandatory VPN and Accessibility Permissions during onboarding. End Users can onboard the app without the mandatory permissions and can later review these permissions.
+
+### Configure optional permission
+
+Use the following steps to enable Optional permissions for devices.
+
+1. In Microsoft Endpoint Manager admin center, go to **Apps > App configuration policies > Add > Managed apps**.
+
+2. Give the policy a **name**.
+
+3. Select **Microsoft Defender for Endpoint*** in public apps.
+
+4. In Settings page, select **Use configuration designer** and add **DefenderOptionalVPN** or **DefenderOptionalAccessibility** or **both** as the key and value type as Boolean.
+
+5. To enable Optional permissions, enter value as **true** and assign this policy to users. By default, this value is set to false.
+For users with key set as true, the users will be able to onboard the app without giving these permission.
+
+6. Select **Next** and assign this profile to targeted devices/users.
+
+### User flow
+
+Users can install and open the app to start the onboarding process.
+
+1. If an admin has setup Optional permissions, then users can choose to skip the VPN or accessibility permission or both and complete onboarding.
+2. Even if the user has skipped these permissions, the device will be able to onboard, and a heartbeat will be sent.
+3. Since permissions are disabled, Web protection will not be active. It will be partially active if one of the permissions is given.
+4. Later, users can enable Web protection from within the app. This will install the VPN configuration on the device.
+
+>[!NOTE]
+> The Optional permissions setting is different from the Disable Web protection setting. Optional permissions only help to skip the permissions during onboarding but it's available for the end user to later review and enable while Disable Web protection allows users to onboard the Microsoft Defender for Endpoint app without the Web Protection. It cannot be enabled later.
## Related topics
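Review bot: step 3 under "Configure optional permission" has a stray asterisk, "**Microsoft Defender for Endpoint***", which renders a literal "*" after the bold text. In the same section, "without giving these permission" should read "these permissions", and under "Configure privacy controls" the sentence "By default, this value is set to false." sits in step 5 (assign the policy) rather than step 4, where the DefenderExcludeURLInReport and DefenderExcludeAppInReport keys and their value are actually set.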
security Android Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md
Network protection in Microsoft Defender for endpoint is enabled by default. Adm
## Privacy Controls
-> [!IMPORTANT]
-> Privacy Controls for Microsoft Defender for Endpoint on Android is in preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- Following privacy controls are available for configuring the data that is sent by Defender for Endpoint from Android devices: |Threat Report |Details |
Following privacy controls are available for configuring the data that is sent b
|Vulnerability assessment of apps (Android-only) |By default only information about apps installed in the work profile is sent for vulnerability assessment. Admins can disable privacy to include personal apps| |Network Protection (preview)| Admins can enable or disable privacy in network protection - If enabled, then Defender will not send network details.|
+### Configure privacy alert report
+Admins can now enable privacy control for the phish report, malware report and network report sent by Microsoft Defender for Endpoint on android. This will ensure that the domain name, app details and network details respectively are not sent as part of the alert whenever a corresponding threat is detected.
+
+Admin Privacy Controls (MDM) Use the following steps to enable privacy.
+
+1. In Microsoft Endpoint Manager admin center, go to **Apps > App configuration policies > Add > Managed devices**.
+
+2. Give the policy a **name, Platform > Android enterprise, select the profile type**.
+
+3. Select **Microsoft Defender for Endpoint** as the target app.
+
+4. In Settings page, select **Use configuration designer** and add click on **Add**.
+5. Select the required privacy setting -
+ - Hide URLs in report
+ - Hide URLs in report for personal profile
+ - Hide app details in report
+ - Hide app details in report for personal profile
+ - Enable Network Protection Privacy
+
+6. To enable privacy, enter integer value as 1 and assign this policy to users. By default, this value is set to 0 for MDE in work profile and 1 for MDE on personal profile.
+
+7. Review and assign this profile to targeted devices/users.
+
+**End user privacy controls**
+
+These controls help the end user to configure the information shared to their organization.
+
+1. For **Android Enterprise work profile**, end user controls will not be visible. Admins controls these settings.
+2. For **Android Enterprise personal profile**, the control is displayed under **Settings> Privacy**.
+3. Users will see a toggle for Unsafe Site Info, malicious application, and network protection.
+
+These toggles will only be visible if enabled by the admin. Users can decide if they want to send the information to their organization or not.
+
+Enabling/disabling the above privacy controls will not impact the device compliance check or conditional access.
++ ## Configure vulnerability assessment of apps for BYOD devices From version 1.0.3425.0303 of Microsoft Defender for Endpoint on Android, you'll be able to run vulnerability assessments of OS and apps installed on the onboarded mobile devices.
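Review bot: the preview "[!IMPORTANT]" notice is removed, but the table row in the same hunk still says "Network Protection (preview)" while the new "Configure privacy alert report" text presents network-report privacy as available; align the "(preview)" tag with the removal. Step 4 also reads "add click on **Add**" (should be "click **Add**"), and step 2 bolds three separate settings as a single phrase ("**name, Platform > Android enterprise, select the profile type**").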
security Android Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-whatsnew.md
ms.technology: mde
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+>[!NOTE]
+> Microsoft Defender for Endpoint's **Anti malware engine** is now generally available. All the users are required to have a Microsoft Defender for Endpoint version above **1.0.3815.0000** to utilize this new malware protection capability. Users on Microsoft Defender for Endpoint version below 1.0.3815.0000 will be sent notifications and in-app overlay messages to update their Microsoft Defender for Endpoint application. Users can click on the link provided in the overlay message to go to the managed play store and update the application.
+>
+> If users can't access the play store, the app can be updated through the company portal.
++ ## Microsoft defender on Android enterprise BYOD personal profile Microsoft Defender for Endpoint is now supported on Android Enterprise personal profile (BYOD only) with all the key features including malware scanning, protection from phishing links, network protection and vulnerability management. This support is coupled with [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to ensure user privacy on personal profile. For more information, read the [announcement](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-the-public-preview-of-defender-for-endpoint-personal/ba-p/3370979) and the [deployment guide](/microsoft-365/security/defender-endpoint/android-intune#set-up-microsoft-defender-in-personal-profile-on-android-enterprise-in-byod-mode).
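Review bot: the added note gives the requirement as "a Microsoft Defender for Endpoint version above **1.0.3815.0000**" and then "version below 1.0.3815.0000" for users who are prompted to update, which leaves version 1.0.3815.0000 itself in neither set; write "1.0.3815.0000 or later" and "earlier than 1.0.3815.0000" so the boundary is explicit.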
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Create a subtask or role files that contribute to a playbook or task.
In the following commands, replace *[distro]* and *[version]* with the information you've identified. > [!NOTE]
- > In case of Oracle Linux and Amazon Linux 2, replace *[distro]* with "rhel".
+ > In case of Oracle Linux and Amazon Linux 2, replace *[distro]* with "rhel". For Amazon Linux 2, replace *[version]* with "7". For Oracle utilize, replace *[version]* with the version of Oracle Linux.
```bash - name: Add Microsoft APT key
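Review bot: "For Oracle utilize, replace *[version]* with the version of Oracle Linux" in the added note has a typo and should read "For Oracle Linux, replace ...". Since the Amazon Linux 2 case gives a concrete value ("7"), state the expected *[version]* format for Oracle Linux as well (major version only or full version), so the repository path is unambiguous.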
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
The hardware requirements for Defender for Endpoint on devices are the same for
> Cores: 2 minimum, 4 preferred > Memory: 1 GB minimum, 4 preferred
-For more information on supported versions of Windows 10, see (/windows/release-health/release-information).
+For more information on supported versions of Windows 10, see [Windows 10 release information](/windows/release-health/release-information).
> [!NOTE] > - Endpoints running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) aren't supported.
security Switch To Mde Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md
ms.technology: mde
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)++ If you are considering switching from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), or you are in the planning phase, use this article as a guide. This article describes the overall process of moving to Defender for Endpoint. :::image type="content" source="images/nonms-mde-migration.png" alt-text="The migration process to switch your endpoint protection solution to Defender for Endpoint" lightbox="images/nonms-mde-migration.png":::
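Review bot: the "Microsoft Defender for Endpoint Plan 1" and "Plan 2" links in this hunk both resolve to the same fwlink (linkid=2154037); confirm that is intended or point the Plan 1 entry at its own target.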
security Onboarding Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md
The option to **Ask Defender Experts** is available in several places throughout
### Alert information - We saw a new type of alert for a living-off-the-land binary. We can provide the alert ID. Can you tell us more about this alert and if it's related to any incident and how we can investigate it further?-- We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by Office 365." What is the difference?
- We received an odd alert today about an abnormal number of failed logins from a high profile user's device. We can't find any further evidence for these attempts. How can Microsoft 365 Defender see these attempts? What type of logins are being monitored? - Can you give more context or insight about the alert and any related incidents, "Suspicious behavior by a system utility was observed"? - I observed an alert titled "Creation of forwarding/redirect rule". I believe the activity is benign. Can you tell me why I received an alert?
The option to **Ask Defender Experts** is available in several places throughout
### Microsoft Defender Experts for Hunting' alert communications -- Can your incident response team help us address the targeted attack notification that we got?
+- Can your incident response team help us address the Defender Experts Notification that we got?
- We received this Defender Experts Notification from Microsoft Defender Experts for Hunting. We don't have our own incident response team. What can we do now, and how can we contain the incident? - We received a Defender Experts Notification from Microsoft Defender Experts for Hunting. What data can you provide to us that we can pass on to our incident response team?
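Review bot: in the rewritten bullet the terminal period has moved inside the quoted alert name, "A malicious file was detected based on indication provided by Office 365.", whereas the previous wording kept it outside ("... by O365". What is the difference?). Alert titles are quoted literally, so keep the period outside the closing quote to avoid implying the title ends with a period.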
security Allow Block Email Spoof https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/allow-block-email-spoof.md
You can use the Microsoft 365 Defender portal or PowerShell to allow or block em
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-2. On the **Tenant Allow/Block List** page, verify that the **Senders** tab is selected, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
+2. On the **Tenant Allow/Block List** page, verify that the **Domains & addresses** tab is selected, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
-3. In the **Block senders** flyout that appears, configure the following settings:
- - **Sender email addresses or domains**: Enter one sender (email address or domain) per line, up to a maximum of 20.
+3. In the **Block domains & addresses** flyout that appears, configure the following settings:
+ - **Email addresses or domains**: Enter one email address or domain per line, up to a maximum of 20.
- **Never expire**: Do one of the following steps: - Verify the setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
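Review bot: the tab is renamed to **Domains & addresses** and the flyout to **Block domains & addresses** here, but step 1 in the same hunk still alternates between "Tenant Allow/Block Lists" (plural) and the "Tenant Allow/Block List" page; settle on one form so the navigation path matches the portal label.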
You can use the Microsoft 365 Defender portal or PowerShell to allow or block em
> [!NOTE] > The emails from these senders will be blocked as _high confidence spam_ (SCL = 9).
+> Users in the organization won't be able to send emails to these blocked domains and addresses. They will receive a non-delivery report which will state the following: "5.7.1 Your message can't be delivered because one or more recipients are blocked by your organizationΓÇÖs tenant allow/block list policy."
### Use PowerShell
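Review bot: the added NDR text contains an encoding artifact, "organizationΓÇÖs", which should be "organization's"; administrators will search mail logs and user reports for this exact "5.7.1 Your message can't be delivered ..." string, so the quoted text needs to match the real NDR character for character.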
Only messages from that domain _and_ sending infrastructure pair are allowed to
1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
+2. On the **Tenant Allow/Block List** page, select the **Spoofed senders** tab, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
3. In the **Add new domain pairs** flyout that appears, configure the following settings: - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoo
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Add icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
+2. On the **Tenant Allow/Block List** page, select the **Spoofed senders** tab, and then click ![Add icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
3. In the **Add new domain pairs** flyout that appears, configure the following settings: - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
Use [admin submissions](admin-submission.md) to submit the blocked message. This
> [!NOTE] >
-> - The spoofed sender domain pair will be created and visible in the **Spoofed** tab under the **Tenant allow/block list** page.
+> - The spoofed sender domain pair will be created and visible in the **Spoofed senders** tab under the **Tenant allow/block list** page.
### Use PowerShell
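Review bot: Capitalization of the page name is inconsistent in the added line: "**Tenant allow/block list** page" here versus "**Tenant Allow/Block Lists**" in the navigation steps earlier in this change; use one form for the page name throughout so readers searching the portal find the same label.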
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way
- URLs to block. - Files to block.-- Sender emails or domains to block.
+- Email domains or addresses to block.
- Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence. - URLs to allow. - Files to allow.-- Sender emails or domains to allow.
+- Email domains or addresses to allow.
This article describes how to configure entries in the Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
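Review bot: The unchanged spoofed-senders bullet still says the entry "only appears on the **Spoof** tab", while the other page in this same update renames that tab to **Spoofed senders**; update the tab name here in the same commit so the two articles agree on where manual spoof allow/block entries show up.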
This article describes how to configure entries in the Tenant Allow/Block List i
- You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:
- ```console
+ ```DOS
certutil.exe -hashfile "<Path>\<Filename>" SHA256 ```
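Review bot: The closing fence sits on the same line as the `certutil.exe` command, so the code block never closes and the command renders as prose; put the closing ``` on its own line. Changing the tag from `console` to `DOS` only matters if the renderer recognises `DOS` as a fence identifier, so confirm that before merging.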
This article describes how to configure entries in the Tenant Allow/Block List i
- The available URL values are described in the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article. -- The Tenant Allow/Block List allows a maximum of 500 entries for senders, 500 entries for URLs, 500 entries for file hashes, and 1024 entries for spoofing (spoofed senders).
+- The Tenant Allow/Block List has the following limits:
+ - 500 entries for domains & addresses.
+ - 500 entries for URLs.
+ - 500 entries for file hashes.
+ - 1024 entries for spoofing (spoofed senders).
-- The maximum number of characters for each entry is:
- - File hashes = 64
- - URL = 250
+- Entries in the Tenant Allow/Block List have the following limits:
+ - 64 character for file hashes.
+ - 250 characters for URLs.
-- An entry should be active within 30 minutes.
+- 99.99% of entries should be active within 30 minutes. Entries that aren't active within 30 minutes can take up to 24 hours.
- By default, entries in the Tenant Allow/Block List will expire after 30 days. You can specify a date or set them to never expire (for blocks only).
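Review bot: "64 character for file hashes" should read "64 characters for file hashes", and the character-limit list covers only file hashes and URLs even though the preceding bullet gives entry counts for all four types; either add the limits for domains & addresses and spoofed senders or say that these two are the only character limits that apply. It is also worth stating that the 64-character limit is exactly the length of the SHA256 hex digest produced by the `certutil.exe` step above, so readers know not to paste anything longer.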
To manage all allows and blocks, see [Add blocks in the Tenant Allow/Block List]
2. Select the tab you want. The columns that are available depend on the tab you selected:
- - **Senders**:
- - **Value**: The sender domain or email address.
+ - **Domains & addresses**:
+ - **Value**: The domain or email address.
- **Action**: The value **Allow** or **Block**. - **Modified by** - **Last updated** - **Remove on** - **Notes**
- - **Spoofing**
+ - **Spoofed senders**
- **Spoofed user** - **Sending infrastructure** - **Spoof type**: The value **Internal** or **External**.
To manage all allows and blocks, see [Add blocks in the Tenant Allow/Block List]
You can click **Group** to group the results. The values that are available depend on the tab you selected:
- - **Senders**: You can group the results by **Action**.
- - **Spoofing**: You can group the results by **Action** or **Spoof type**.
+ - **Domains & addresses**: You can group the results by **Action**.
+ - **Spoofed senders**: You can group the results by **Action** or **Spoof type**.
- **URLs**: You can group the results by **Action**. - **Files**: You can group the results by **Action**.
To manage all allows and blocks, see [Add blocks in the Tenant Allow/Block List]
Click **Filter** to filter the results. The values that are available in **Filter** flyout that appears depend on the tab you selected:
- - **Senders**
+ - **Domains & addresses**
- **Action** - **Never expire** - **Last updated date** - **Remove on**
- - **Spoofing**
+ - **Spoofed senders**
- **Action** - **Spoof type** - **URLs**
To manage all allows and blocks, see [Add blocks in the Tenant Allow/Block List]
3. When you're finished, click **Add**.
-## View sender, file or URL entries in the Tenant Allow/Block List
+## View domains & addresses, file or URL entries in the Tenant Allow/Block List
-To view block sender, file or URL entries in the Tenant Allow/Block List, use the following syntax:
+To view block domains & addresses, file or URL entries in the Tenant Allow/Block List, use the following syntax:
```powershell Get-TenantAllowBlockListItems -ListType <Sender | FileHash | URL> [-Entry <SenderValue | FileHashValue | URLValue>] [<-ExpirationDate Date | -NoExpiration>]
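Review bot: The heading and sentence adopt the new "domains & addresses" wording, but the PowerShell syntax directly below still uses `-ListType Sender` for those entries; add a sentence saying that domain and address entries are the `Sender` list type in PowerShell so the renamed portal tab maps to the cmdlet parameter. "To view block domains & addresses, file or URL entries" also reads oddly; "To view block entries for domains & addresses, files, or URLs" would be clearer.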
Only messages from that domain *and* sending infrastructure pair are allowed to
## What to expect after you add an allow or block entry
-After you add an allow entry through the Submissions portal or a block entry in the Tenant Allow/Block List, the entry should start working immediately once the entry in active. The entry will mostly be active within 30 minutes, but sometimes it can take upto 24 hours.
+After you add an allow entry through the Submissions portal or a block entry in the Tenant Allow/Block List, the entry should start working immediately once the entry is active. 99.99% of entries should be active within 30 minutes. Entries that aren't active within 30 minutes can take up to 24 hours.
We recommend letting entries automatically expire after 30 days to see if the system has learned about the allow or block. If not, you should make another entry to give the system another 30 days to learn.
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
When **Microsoft Outlook Report Message button** is **On** ![Toggle on.](../../m
- **Send the reported messages to** section: Select one of the following options:
- - **Microsoft**: The user submissions mailbox isn't used (all reported messages go to Microsoft for analysis).
+ - **Microsoft**: The user reports go directly to Microsoft for analysis. Only the metadata such as sender, recipient, reported by, and the message details from the user reports are provided to the tenant admin via the Microsoft 365 Security Center.
- **Microsoft and my organization's mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox to use as the user submissions mailbox. Distribution groups are not allowed. User submissions go to Microsoft for analysis and to the user submissions mailbox for an admin or security operations team to analyze.
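Review bot: "Only the metadata such as sender, recipient, reported by, and the message details" is ambiguous about whether message content reaches the admin, because "message details" can be read as the body and attachments; list the fields that are exposed and say explicitly whether content is included, since that is what an admin choosing between the two options needs to know. The portal is also called "Microsoft 365 Security Center" here but "Microsoft 365 Defender portal" in the other pages of this update.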
solutions Financial Services Secure Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/financial-services-secure-collaboration.md
Upon request, Microsoft will provide an attestation letter of compliance with SE
In addition, these capabilities also help Microsoft 365 meet storage requirements for [CFTC Rule 1.31(c)-(d)](https://www.cftc.gov/sites/default/files/opa/press99/opa4266-99-attch.htm) from the **U.S. Commodity Futures Trading Commission** and [FINRA Rule Series 4510](https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511) from the **Financial Industry Regulatory Authority.** Collectively, these rules represent the most-prescriptive guidance globally for financial institutions to retain records.
-Additional details about how Microsoft 365 complies with SEC rule 17a-4 and other regulations is available at [Assessment of Office 365 Exchange Online SEC 17a-4(f) / CFTC 1.31(c)-(d) by Cohasset Associates](https://servicetrust.microsoft.com/ViewPage/TrustDocuments?command=Download&downloadType=Document&downloadId=9fa8349d-a0c9-47d9-93ad-472aa0fa44ec&docTab=6d000410-c9e9-11e7-9a91-892aae8839ad_FAQ_and_White_Papers).
+Additional details about how Microsoft 365 complies with SEC rule 17a-4 and other regulations is available with the [Office 365 - Cohasset Assessment - SEC Rule 17a-4(f) - Immutable Storage for SharePoint, OneDrive, Exchange, Teams, and Yammer (2022)](https://servicetrust.microsoft.com/ViewPage/TrustDocuments?command=Download&downloadType=Document&downloadId=9fa8349d-a0c9-47d9-93ad-472aa0fa44ec&docTab=6d000410-c9e9-11e7-9a91-892aae8839ad_FAQ_and_White_Papers) download document.
## Establish ethical walls with information barriers
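Review bot: Subject-verb agreement in the changed sentence: "Additional details ... is available" should be "are available", and "available with the [...] download document" would read better as "available in the [...] assessment".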
whiteboard Manage Sharing Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-gcc-high.md
The sharing experience differs based on the device and client being used.
## Share in Teams meetings
-When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link thatΓÇÖs accessible by anyone within the organization. It then automatically shares the whiteboard with any in-tenant users in the meeting.
+When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link thatΓÇÖs accessible by anyone within the organization and automatically shares the whiteboard with any in-tenant users in the meeting. Whiteboards are shared using company-shareable links, regardless of the default setting. Support for the default sharing link type is planned.
+
+There's additional capability for temporary collaboration by most external and shared device accounts during a meeting. This allows users to temporarily view and collaborate on whiteboards when theyΓÇÖre shared in a Teams meeting, similar to PowerPoint Live sharing.
>[!NOTE] > External sharing during a Teams meeting is not yet available, but will be added in a future release.
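Review bot: The added paragraph says most external and shared device accounts can temporarily view and collaborate on a whiteboard in a meeting, but the unchanged NOTE directly below still says external sharing during a Teams meeting is not yet available; reconcile the two, for example by stating, as the organizations page in this same update does, that the temporary collaboration is not a share link and grants no access to the file beyond the meeting. "most external ... accounts" also leaves unclear which account types are excluded.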
whiteboard Manage Sharing Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-organizations.md
The sharing experience differs based on whether youΓÇÖre in a Teams meeting, if
## Share in Teams meetings
-When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link thatΓÇÖs accessible by anyone within the organization. It then automatically shares the whiteboard with any in-tenant users in the meeting.
+When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link thatΓÇÖs accessible by anyone within the organization. Also, whiteboards are shared automatically with any in-tenant users in the meeting. Whiteboards are shared using company-shareable links, regardless of the default setting. Support for the default sharing link type is planned.
-ThereΓÇÖs an additional capability for temporary collaboration by external and shared device accounts during a meeting. This capability allows these users to temporarily view and collaborate on whiteboards when theyΓÇÖre shared in a Teams meeting, similar to PowerPoint Live sharing.
+ThereΓÇÖs an additional capability for temporary collaboration by external and shared device accounts during a Teams meeting. Users can temporarily view and collaborate on whiteboards that are shared in a meeting, in a similar way to PowerPoint Live sharing.
>[!NOTE] > This isn't a share link and doesn't grant access to the file. It provides temporary viewing and collaboration on the whiteboard for the duration of the Teams meeting only.
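Review bot: "regardless of the default setting" is the security-relevant sentence in this hunk: an admin who has configured a stricter default link type should not assume it applies to whiteboards shared in meetings. Say which default is meant (the default sharing link type) and consider repeating the point in the NOTE, which currently only covers the temporary meeting access.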
If you restrict external sharing for OneDrive for Business, you can keep it rest
This setting applies only to whiteboards and replaces the previously shared settings, **OneDriveLoopSharingCapability** and **CoreLoopSharingCapability**. Those settings are no longer applicable and can be disregarded. >[!NOTE]
-> By default, the Teams meeting setting **Anonymous users can interact with apps in meetings** is enabled. If you have disabled it, any anonymous users (as opposed to guests or federated users) won't have access to the whiteboard during the meeting.
+> This applies only to guests and federated users. It does not apply to anonymous meeting users at this time.
These changes should take approximately 60 minutes to apply across your tenancy.
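Review bot: The rewritten NOTE opens with "This applies only to guests and federated users" without saying what "This" refers to (the sharing setting described in the preceding sentence, or the temporary meeting collaboration); name it. The removed text also told admins which Teams meeting setting (**Anonymous users can interact with apps in meetings**) governs anonymous access; dropping it leaves no pointer for admins who want to control anonymous participants, so keep a reference to that setting even if the behaviour has changed.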