Updates from: 08/04/2022 01:16:58
Category Microsoft Docs article Related commit history on GitHub Change details
threat-intelligence Gathering Vulnerability Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/gathering-vulnerability-intelligence.md
+
+ Title: 'Tutorial: Gathering vulnerability intelligence'
+description: 'In this tutorial, practice gathering vulnerability intelligence associated with the Darkside threat actor group using Microsoft Defender Threat Intelligence (Defender TI).'
++++ Last updated : 08/04/2022+++
+# Tutorial: Gathering vulnerability intelligence
+
+## In this tutorial, you will learn how to:
+
+- Learn about Microsoft Defender Threat Intelligence (Defender TI)ΓÇÖs Threat Intelligence Home Page features
+- Perform several types of indicator searches to gather vulnerability intelligence
+
+![ti Overview Home Page Chrome Screenshot](media/tiOverviewHomePageChromeScreenshot.png)
+
+## Prerequisites
+
+- An Azure Active Directory or personal Microsoft account. [Login or create an account](https://signup.microsoft.com/)
+- A Microsoft Defender Threat Intelligence (Defender TI) Premium license.
+
+ > [!NOTE]
+ > Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.
+
+## Disclaimer
+
+Microsoft Defender Threat Intelligence (Defender TI) may include live, real-time observations and threat indicators, including malicious infrastructure and adversary-threat tooling. Any IP and domain searches within our Defender TI platform are safe to search.
+Microsoft will share online resources (e.g., IP addresses, domain names) that should be considered real threats posing a clear and present danger.
+We ask that users use their best judgment and minimize unnecessary risk while interacting with malicious systems when performing the tutorial below. Please note that Microsoft has worked to minimize risk by defanging malicious IP addresses, hosts, and domains.
+
+## Before You Begin
+As the disclaimer states above, suspicious, and malicious indicators have been defanged for your safety. Please remove any brackets from IPs, domains, and hosts when searching in Defender TI. Do not search these indicators directly in your browser.
+
+## Open Defender TIΓÇÖs Threat Intelligence Home Page
+
+- Access the [Defender Threat Intelligence Portal](https://ti.defender.microsoft.com/).
+- Complete Microsoft authentication to access portal.
+
+## Learn about Defender TIΓÇÖs Threat Intelligence Home Page features
+
+1. Review the Search bar options by selecting the search bar and clicking on the All drop-down option.
+
+ ![Tutorial Vulnerability Intel Search Bar](media/tutorialVulnerabilityIntelSearchBar.png)
+
+2. Review the featured articles and articles within the Threat Intelligence Home Page.
+
+ ![Tutorial Vulnerability Intel Articles](media/tutorialVulnerabilityIntelArticles.png)
+
+## Perform several types of indicator searches to gather vulnerability intelligence
+
+1. Search ΓÇÿCVE-2020-1472' and review the associated vulnerability article, ΓÇÿCVE-2020-1472' and article, ΓÇÿRiskIQ detections into components and indicators related to FireEyeΓÇÖs breach disclosure and countermeasuresΓÇÖ.
+
+ ![Tutorial Vulnerability Intel Fire Eye Breach Article](media/tutorialVulnerabilityIntelFireEyeBreachArticle.png)
+
+2. Review the ΓÇÿRiskIQ detections into components and indicators related to FireEyeΓÇÖs breach disclosure and countermeasuresΓÇÖ articleΓÇÖs Public indicators.
+
+ ![Tutorial Vulnerability Intel Fire Eye Breach Article Indicators](media/tutorialVulnerabilityIntelFireEyeBreachArticleIndicators.gif)
+
+3. Search ΓÇÿ173.234.155[.]208ΓÇÖ IP address in the Threat Intelligence Search bar.
+
+ ![Tutorial Vulnerability Intel Ip Search](media/tutorialVulnerabilityIntelIpSearch.png)
+
+4. Review the Summary tab results that return: reputation, analyst insights, articles, services, resolutions, certificates, projects, and hashes.
+
+ ![Tutorial Vulnerability Intel Ip Summary Tab](media/tutorialVulnerabilityIntelIpSummaryTab.png)
+
+5. Navigate to the Data tab and review the data and intelligence data sets: resolutions, Whois, certificates, trackers, components, cookies, services, dns, and articles.
+
+ ![Tutorial Vulnerability Intel Ip Review](media/tutorialVulnerabilityIntelIpReview.gif)
+
+ ![Tutorial Vulnerability Intel Ip Article](media/tutorialVulnerabilityIntelIpArticle.png)
+
+6. Navigate back to the Resolutions data blade and pivot on ΓÇÿmyaeroplan[.]comΓÇÖ.
+
+ ![Tutorial Vulnerability Intel Domain Pivot](media/tutorialVulnerabilityIntelDomainPivot.png)
+
+7. Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, hashes, cookies, DNS, and reverse DNS data sets.
+
+ ![Tutorial Vulnerability Intel Domain Review](media/tutorialVulnerabilityIntelDomainReview.gif)
+
+8. Take note of the following artifacts from steps 5 and 7:
+
+ | | |
+ | -- | -- |
+ | Whois Address | 1928 E. Highland Ave. Ste F104 PMB# 255 |
+ | Whois City | phoenix |
+ | Whois State | az |
+ | Whois Postal Code | 85016 |
+ | Whois Country | United States |
+ | Whois Phone | 13478717726 |
+ | Whois Nameserver | ns0.1984[.]is |
+ | Whois Nameserver | ns1.1984[.]is |
+ | Whois Nameserver | ns2.1984[.]is |
+ | Whois Nameserver | ns1.1984hosting[.]com |
+ | Whois Nameserver | ns2.1984hosting[.]com |
+ | Certificate Sha1 | [ead5b033ed4fd342261f389f0930aa7de1fba33d](https://ti.defender.microsoft.com/search/certificates?query=ead5b033ed4fd342261f389f0930aa7de1fba33d&field=sha1) |
+ | Certificate Serial Number | 236976486488328334603103229327145294996 |
+ | Certificate Issuer Common Name | COMODO RSA Domain Validation Secure Server CA |
+ | Certificate Subject Common Name | myaeroplan[.]com |
+ | Certificate Subject Alternative Name | [myaeroplan[.]com](https://ti.defender.microsoft.com/search/trackers/hosts?query=www.aeroplan.com&field=MarkOfTheWebSourceHost) |
+ | Certificate Subject Alternative Name | www.myaeroplan[.]com |
+ | Tracker type | MarkOfTheWebSourceHost |
+ | Tracker value | [www.aeroplan.com](https://ti.defender.microsoft.com/search/trackers/hosts?field=MarkOfTheWebSourceHost&query=www.aeroplan.com) |
+ | Component Name + Version | [Apache (v2.4.29)](https://ti.defender.microsoft.com/search/components/hosts?category=Server&query=Apache&version=2.4.29) |
+ | Cookie Name | [PHPSESSID](https://ti.defender.microsoft.com/search/cookies/hosts?query=PHPSESSID&field=name) |
+ | Cookie Domain | [myaeroplan[.]com](https://ti.defender.microsoft.com/search/cookies/hosts?query=myaeroplan.com&field=domain) |
+ | Threat Articles | [Points Guys: Aeroplan Frequent Flyer Program Credential Harvesting Campaign](https://ti.defender.microsoft.com/articles/99527909)|
+
+9. Perform the respective artifact searches from step 8. Note: YouΓÇÖll want to reference the search options you learned from the Learn about Defender TIΓÇÖs Threat Intelligence Home Page features section.
+
+## Clean up resources
+
+There are no resources to clean up in this section.
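Review bot: the `description` front matter of the new file says the tutorial gathers vulnerability intelligence "associated with the Darkside threat actor group", but nothing in the body mentions Darkside: the searches are CVE-2020-1472, the "RiskIQ detections into components and indicators related to FireEye's breach disclosure and countermeasures" article, 173.234.155[.]208 and myaeroplan[.]com, and the pivot ends at the Aeroplan credential-harvesting article. The description reads as if it came from a different tutorial; make it describe these steps. Two smaller items in the step 8 table: the first "Certificate Subject Alternative Name" row links myaeroplan[.]com to a tracker search for `www.aeroplan.com` with `field=MarkOfTheWebSourceHost` (the same URL as the "Tracker value" row), which is not a certificate or SAN search, so the link target does not match the row value and should either be a certificate search on the SAN or be dropped like the second SAN row; and the table has an empty header row (`| | |`), so give it headers such as `| Artifact | Value |`.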
admin Group Mailbox Size Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/group-mailbox-size-management.md
+
+ Title: Microsoft 365 Group mailbox size management
+description: Learn about the group mailbox size management in Microsoft 365.
+
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+++++
+# Microsoft 365 group mailbox size management
+
+Each Microsoft 365 group comes equipped with a dedicated mailbox that stores the emails received on the group. The group mailbox is also used by applications like SharePoint Online, Yammer, Teams etc. The group mailbox is equipped with initial storage quota of 50 GB. If the group mailbox quota is reached, then emails are sent to the groups NDR. Hence, itΓÇÖs a good practice to remove the older content from group mailboxes, to ensure the group mailbox doesnΓÇÖt reach its quota.
+
+The following ways help you understand how the quota calculation works, best practices or proactive approach taken to ensure the group mailbox doesn't reach its quota. And the course of action to be performed if the group mailbox as reached or exceeded its quota.
+
+## Proactive approach to keep group mailbox size in check
+
+You can create retention policies to ensure older email from groups are removed automatically upon reaching the specified time limit. For more information, on steps to create retention policy for Microsoft 365 Group, see [Create and configure retention policies](/microsoft-365/compliance/create-retention-policies). The retention policies take longer work cycle to clean up the data, hence must be applied during the creation of a group mailbox. The retention policies can't be used as tool to immediately flush or remove the data from a group mailbox.
+
+## To monitor the group mailbox size:
+
+Use the following command to check the current quota assigned for the group mailbox:
+
+```PowerShell
+Get-Mailbox -GroupMailbox <groupname> |ft ProhibitSendReceiveQuota,ProhibitSendQuota,IssueWarningQuota
+```
+
+And use the following command to check the current size of the group mailbox:
+
+```PowerShell
+Get-MailboxStatistics <groupname> | ft TotalDeletedItemSize,TotalItemSize
+```
+
+## Steps to follow when the group mailbox has reached its limit:
+
+As mentioned earlier, the group mailbox is used for various applications to store data. Once the group mailbox as reached its quota, it's important to identify the folders occupying more data and take the appropriate action.
+
+1. Start with the following command to confirm that the group mailbox quota has exceeded:
+
+ ```PowerShell
+ Get-MailboxStatistics <groupname> |ft TotalItemSize,TotalDeletedItemSize
+ ```
+
+ The group mailbox is distributed in various `TargetQuota`, namely System, Recoverable and User. The folders matching `TargetQuota` ΓÇ£UserΓÇ¥ is the only one considered in the calculation of the group quota.
+
+2. Use the following command to verify the folder size thatΓÇÖs occupying User data:
+
+ ```PowerShell
+ Get-MailboxFolderStatistics <groupname> | where { $_.TargetQuota -like 'User' } | ft Name,FolderPath,FolderType,FolderSize
+
+ Get-MailboxFolderStatistics <groupname> -FolderScope NonIPMRoot | where { $_.TargetQuota -like 'User' } | ft Name,FolderType,*size*
+ ```
+3. Check the folders quota or size.
+
+4. If the folder consuming the space is `SharePointWebPartsConnectorMessages`, as mentioned in [Use the Connector web part](https://support.microsoft.com/en-us/office/use-the-connector-web-part-db0756aa-f78f-4b74-8b19-be5dca0420e1?ns=spostandard&version=16&syslcid=1033&uilcid=1033&appver=spo160&helpid=wssenduser_useconnectorwebpart_fl862286&ui=en-us&rs=en-us&ad=us)then do the following:
+
+ 1. Disable the connector if not used.
+
+ 2. Wait for the messages to be cleared by default in 90 days.
+
+5. If there's no special folder occupying the group mailbox size, [apply the group mailbox retention policy,](/microsoft-365/compliance/create-retention-policies) and wait for retention policy to clean up the emails from group mailbox.
+
+
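Review bot: "If the group mailbox quota is reached, then emails are sent to the groups NDR" in the opening paragraph doesn't say what happens; say it directly, e.g. "once the group mailbox reaches its quota, new messages sent to the group are rejected and the sender receives a non-delivery report (NDR)". Also: "as reached" should be "has reached" in both the second intro paragraph and the "Steps to follow" paragraph; "The folders matching `TargetQuota` 'User' is the only one considered in the calculation of the group quota" should be "Only folders whose `TargetQuota` is User count toward the group quota"; in both `Get-MailboxFolderStatistics` commands `-like 'User'` contains no wildcard, so `-eq 'User'` says what is meant; step 1 repeats the `Get-MailboxStatistics` command already given under "To monitor the group mailbox size", and step 3 ("Check the folders quota or size.") adds nothing after step 2; and the "Use the Connector web part" link carries locale and tracking query parameters (`ns=`, `syslcid=`, `uilcid=`, `helpid=`, `ui=`, `rs=`, `ad=`) that should be trimmed to the bare support.microsoft.com path.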
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
Remember, when you use this method to disable the AIP add-in, you can still use
Many of the labeling features supported by the AIP add-in are now supported by built-in labeling. For a more detailed list of capabilities, minimum versions that might be needed, and configuration information, see [Manage sensitivity labels in Office apps](sensitivity-labels-office-apps.md).
-More features are planned and in development. If there's a specific feature that you're interested in, check the [Microsoft 365 roadmap](https://aka.ms/MIPC/Roadmap) and consider joining the [Microsoft Information Protection in Office Private Preview](https://aka.ms/MIP/PreviewRing).
+More features are planned and in development. If there's a specific feature that you're interested in, check the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=sensitivity) and consider joining the [Microsoft Information Protection in Office Private Preview](https://aka.ms/MIP/PreviewRing).
Use the following information to help you identify if you're using a feature from the AIP add-in that isn't yet supported by built-in labeling:
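Review bot: the changed sentence now mixes a full roadmap URL carrying `filters=Microsoft%20Information%20Protection&searchterms=sensitivity` with an aka.ms short link for the preview ring; pick one style for both links. The removed aka.ms/MIPC/Roadmap redirect was also the indirection that let the target change without editing the doc; if the filtered URL is kept here and in the other two sensitivity-label articles in this batch, the roadmap page owner needs to know that these articles depend on those query parameter names and values.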
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
If you can't upgrade to Microsoft 365 Apps for enterprise for the subscription v
## Support for sensitivity label capabilities in apps
-The following tables list the minimum Office version that introduced specific capabilities for sensitivity labels that are built in to Office apps. Or, if the label capability is in public preview or under review for a future release. Use the [Microsoft 365 roadmap](https://aka.ms/MIPC/Roadmap) for details about new capabilities that are planned for future releases.
+The following tables list the minimum Office version that introduced specific capabilities for sensitivity labels that are built in to Office apps. Or, if the label capability is in public preview or under review for a future release. Use the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=sensitivity) for details about new capabilities that are planned for future releases.
New versions of Office apps are made available at different times for different update channels. For Windows, you'll get the new capabilities earlier when you are on the Current Channel or Monthly Enterprise Channel, rather than Semi-Annual Enterprise Channel. The minimum version numbers can also be different from one update channel to the next. For more information, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels) and [Update history for Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date).
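Review bot: the changed line keeps "Or, if the label capability is in public preview or under review for a future release." as a stand-alone fragment; since the line is being edited anyway, fold it into the preceding sentence: "The following tables list the minimum Office version that introduced specific capabilities for sensitivity labels that are built in to Office apps, or whether the capability is in public preview or under review for a future release."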
compliance Sensitivity Labels Sharepoint Default Label https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label.md
description: "Configure a default sensitivity label for a SharePoint document li
> [!NOTE] > This feature is gradually rolling out in preview and subject to change. It is also a premium feature with licensing details to be provided when the feature becomes generally available (GA). >
-> To read the preview announcement, see the [Yammer post](https://www.yammer.com/askipteam/threads/1846702701985792).
+> To read the preview announcement, see the [blog post](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/public-preview-default-label-for-a-document-library-in/ba-p/3585136).
When SharePoint is [enabled for sensitivity labels](sensitivity-labels-sharepoint-onedrive-files.md), you can configure a default label for document libraries. Then, any new files uploaded to that library, or existing files edited in the library will have that label applied if they don't already have a sensitivity label, or they have a sensitivity label but with [lower priority](sensitivity-labels.md#label-priority-order-matters).
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
You can use sensitivity labels to:
In all these cases, sensitivity labels from Microsoft Purview can help you take the right actions on the right content. With sensitivity labels, you can classify data across your organization, and enforce protection settings based on that classification. That protection then stays with the content.
-For more information about these and other scenarios that are supported by sensitivity labels, see [Common scenarios for sensitivity labels](get-started-with-sensitivity-labels.md#common-scenarios-for-sensitivity-labels). New features are being developed all the time that support sensitivity labels, so you might also find it useful to reference the [Microsoft 365 roadmap](https://aka.ms/MIPC/Roadmap).
+For more information about these and other scenarios that are supported by sensitivity labels, see [Common scenarios for sensitivity labels](get-started-with-sensitivity-labels.md#common-scenarios-for-sensitivity-labels). New features are being developed all the time that support sensitivity labels, so you might also find it useful to check the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=sensitivity).
## What a sensitivity label is
enterprise Moving Data To New Datacenter Geos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/moving-data-to-new-datacenter-geos.md
Existing customers that have their core customer data stored in an already exist
|**Norway**| European Union | Norway | April 2020 | |**Brazil**| Americas | Brazil | November 2020 | |**Sweden**| European Union | Sweden | November 2021 |
-|**Qatar**| European Union | Qatar | August 2022 |
As of October 1, 2020 customers with an Office 365 Education subscription included in the tenant are not eligible for migration.
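Review bot: the Qatar row (European Union, Qatar, August 2022) is deleted with nothing put in its place, so a reader of the previous version cannot tell whether the Qatar geo launch slipped or the geo is live but not offered for this migration. If the date moved, keep the row with the new date; if the geo is live but excluded, say so next to the Education-subscription exclusion that follows rather than dropping it silently.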
lighthouse M365 Lighthouse Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-known-issues.md
This article lists the known issues for Microsoft 365 Lighthouse by feature area
| - | - | - | | **Retry provisioning error** | MSP technicians get a "You don't have permissions to do this" error message when attempting to retry provisioning of a Cloud PC. | To work around this issue, sign in to the customer tenant and then reprovision Cloud PCs from the Microsoft Endpoint Manger admin center. For instructions, see [Reprovision a Cloud PC](/windows-365/enterprise/reprovision-cloud-pc). |
-## Audit logs
--
-| Issue | Description | Solution |
-|--|--|--|
-| **Deactivate and Reactivate actions are not listed in audit logs** | The following activities are currently not reported on the Audit logs page in Lighthouse: <ul><li>Name: offboardTenant \| Action: Inactivate a customer</li> <li>Name: resetTenantOnboardingStatus \| Action: Reactive customer</li></ul> | There's no workaround, but we're working on a fix. These activities will appear in audit logs once the fix is deployed in the service. |
-| **Filter is not showing all users** | When MSP technicians try to filter by using **Initiated By**, the list of all User Principal Names (UPNs) ΓÇô corresponding to email IDs of the technicians who initiated actions generating audit logs ΓÇô isn't fully displayed under the filter.<br><br>Note that the audit logs themselves will be fully displayed; only the ability to filter them by using **Initiated By** is impacted. | There's no workaround, but we're working on a fix. The filter will revert to its expected behavior ΓÇô displaying the full list of UPNs to filter by ΓÇô once the fix is deployed in the service. |
- ## Delegated Admin Privileges (DAP) | Issue | Description | Solution |
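Review bot: removing the whole Audit logs section asserts that both fixes have shipped (offboardTenant and resetTenantOnboardingStatus now appearing in audit logs, and the Initiated By filter listing every UPN), but the removed rows only said a fix was in progress; confirm both are deployed to the service before merging, since this page was the only public record that those audit events were missing. If only one has shipped, keep the section with the remaining row.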
security Mdb Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-partners.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/03/2022 f1.keywords: NOCSH
Microsoft partners have access to resources, programs, and tools that empower pa
| Resource | Description | |:|:| | [Microsoft Partner Network](https://partner.microsoft.com) | Visit the Microsoft Partner Network to learn how to become a Microsoft partner and join the Microsoft Partner Network. |
-| [Microsoft 365 Business Premium and Defender for Business partner webinar series](https://aka.ms/M365MDBseries) | This webinar series provides: <ul><li>Practical guidance about how to have conversations with your customers about security and drive upsell to Business Premium. </li><li>Demos and deep dive walkthroughs for Microsoft 365 Lighthouse and Defender for Business. </li><li>A panel of experts to help answer your questions.</li></ul> |
+| [Microsoft 365 Business Premium and Defender for Business partner webinar series](https://aka.ms/M365MDBseries) | This webinar series provides: <ul><li>Practical guidance about how to have conversations with your customers about security and drive upsell to Microsoft 365 Business Premium. </li><li>Demos and deep dive walkthroughs for Microsoft 365 Lighthouse and Defender for Business. </li><li>A panel of experts to help answer your questions.</li></ul> |
| [Microsoft 365 Business Premium partner playbook and readiness series](https://aka.ms/M365BPPartnerPlaybook) | Practical guidance on building a profitable managed services practice, with: <ul><li>Examples of successful managed service offers from industry experts and peers. </li><li>Technical enablement and checklists from Microsoft experts. </li><li>Sales enablement and customer conversation aids to help you market your solution. </li></ul> | | [Defender for Business partner kit](https://aka.ms/MDBPartnerKit) | The Defender for Business partner kit provides you with practical guidance, technical information, and customer-ready resources to market and sell Defender for Business to small and medium-sized businesses. |
Use the following resources to learn more:
Microsoft Cloud Solution Providers (CSPs) can go beyond reselling licenses and be more involved in customers' business. For example, CSPs can use Microsoft 365 Lighthouse to manage small and medium-sized business customers' security settings and capabilities. CSPs can also view and manage detected threats, including running antivirus scans on devices.
-[Learn more about Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md).
+| Resource | Description |
+|:|:|
+| [Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md) | Describes how Defender for Business integrates with Microsoft 365 Lighthouse and includes links to additional information. |
++
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
Previously updated : 10/18/2021 Last updated : 08/02/2022
**Platforms** - Windows
-By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
-
-For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
+By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this configuration in some instances. For example, it might be necessary to allow certain user groups, such as security researchers and threat investigators, to have further control over individual settings on the endpoints they use.
## Configure local overrides for Microsoft Defender Antivirus settings
-The default setting for these policies is **Disabled**.
+The default setting for these local override policies is **Disabled**.
-If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](microsoft-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
+If the policies are set to **Enabled**, users can make changes to the associated settings on their devices by using the [Windows Security](microsoft-defender-security-center-antivirus.md) app, local Group Policy settings, or PowerShell cmdlets (where appropriate).
-The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
+The [table of settings section](#table-of-settings) lists override policy settings and the configuration instructions.
To configure these settings:
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and then select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** and then the **Location** specified in the table of settings (in this article).
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** and then the **Location** specified in the [table of settings section](#table-of-settings) (in this article).
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings.
5. Deploy the Group Policy Object as usual. ## Table of settings
-<br/><br/>
- | Location | Setting | Article | ||||| | MAPS |Configure local setting override for reporting to Microsoft MAPS|[Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) |
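Review bot: step 4 still says "as specified in the table below" while step 3 in the same edit was changed to link "[table of settings section](#table-of-settings)"; use the same link in step 4 so both steps point at the same place, and the "below" no longer has to be true if the table moves.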
To configure these settings:
You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
-By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
-
-You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
+By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
### Use Group Policy to disable local list merging 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
+
+4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Then select **OK**.
+
+### Use Microsoft Endpoint Manager to disable local list merging
+
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Endpoint security** > **Antivirus**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
+2. Choose **Create Policy**, or modify an existing Microsoft Defender Antivirus policy.
-4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
+3. Under the **Configuration settings**, select the drop-down next to **Disable Local Admin Merge** and select **Disable Local Admin Merge**.
> [!NOTE] > If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Allow a blocked app in Windows Security](https://support.microsoft.com/help/4046851/windows-10-allow-blocked-app-windows-security).
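Review bot: step 3 of the new Endpoint Manager procedure ("select the drop-down next to **Disable Local Admin Merge** and select **Disable Local Admin Merge**") reads as picking the same item twice; name the drop-down value that turns merging off. Step 2 ("Choose **Create Policy**, or modify an existing Microsoft Defender Antivirus policy") skips the platform and profile choices that Create Policy asks for before the configuration settings appear, so add them. The first Group Policy step, left as context above the new steps, still says "click **Edit**" after every other step in this file was changed to "select". Finally, the paragraph above only says you "can disable this setting to ensure that only globally-defined lists are used"; since the note already spells out that disabling merge discards locally set protected folders and allowed apps, state the reason someone would accept that: with merging on, an exclusion added by a local administrator is honoured without ever appearing in the central policy, so central lists only is the hardened setting.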
You can disable this setting to ensure that only globally-defined lists (such as
## Related topics -- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
+- [Microsoft Defender Antivirus in Windows](microsoft-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
security Configure Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md
To create your own custom gradual rollout process for Defender updates, you can
The following table lists the available group policy settings for configuring update channels:
-<br>
-
-****
- |Setting title|Description|Location| |||| |Select gradual Microsoft Defender monthly platform update rollout channel|Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> Critical- Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. <p>If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|
Example:
Use `Set-MpPreference -PlatformUpdatesChannel Beta` to configure platform updates to arrive from the Beta Channel.
-For more information on the parameters and how to configure them, see [Set-MpPreference (Microsoft Defender Antivirus)|Microsoft Docs](/powershell/module/defender/set-mppreference).
+For more information on the parameters and how to configure them, see [Set-MpPreference](/powershell/module/defender/set-mppreference) (Microsoft Defender Antivirus).
> [!TIP] > If you're looking for Antivirus related information for other platforms, see:
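Review bot: The hunk deletes the whole group policy table (the row for "Select gradual Microsoft Defender monthly platform update rollout channel" and its Windows Components\Microsoft Defender Antivirus location) but leaves the lead sentence "The following table lists the available group policy settings for configuring update channels:" in place with no table following it in this hunk; either the table was moved and the lead sentence should point to its new location, or the row should be restored. The link fix on the `+` line is right: `[Set-MpPreference](/powershell/module/defender/set-mppreference) (Microsoft Defender Antivirus)` replaces the broken `|Microsoft Docs` link text. One detail from the deleted row is worth keeping near the PowerShell example: the Beta Channel text says it is "For use in (manual) test environments only and a limited number of devices", so `Set-MpPreference -PlatformUpdatesChannel Beta` should carry that caveat beside it rather than only in a table that is no longer there.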
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
The following table summarizes what's included in Microsoft endpoint security pl
- Microsoft 365 E5/A5/G5/F5 Security - Microsoft 365 F5 Security & Compliance
-(<a id="fn3">3</a>) Microsoft Defender for Business is available as a standalone subscription for small and medium-sized businesses. It's also included as part of Microsoft 365 Business Premium. These plans feature advanced security capabilities with a simplified setup and configuration experience.
+(<a id="fn3">3</a>) Microsoft Defender for Business is available as a standalone subscription for small and medium-sized businesses. It's also included as part of [Microsoft 365 Business Premium](/microsoft-365/business-premium). These plans feature advanced security capabilities with a simplified setup and configuration experience. See [Compare Microsoft Defender for Business to Microsoft 365 Business Premium](/microsoft-365/security/defender-business/compare-mdb-m365-plans#compare-microsoft-defender-for-business-to-microsoft-365-business-premium).
## Options for onboarding servers
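Review bot: The deleted line "- Microsoft 365 E5/A5/G5/F5 Security - Microsoft 365 F5 Security & Compliance" has no replacement in this hunk; if those plan names now live in the table above, fine, but otherwise readers of footnote 3 lose the list of SKUs that carry the plan. The added `[Microsoft 365 Business Premium](/microsoft-365/business-premium)` link and the compare link to `compare-mdb-m365-plans#compare-microsoft-defender-for-business-to-microsoft-365-business-premium` use the same site-relative form as the rest of the page and read correctly.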
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
For more information on Microsoft Defender for Endpoint on other operating syste
- [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md) - [What's new in Microsoft Defender for Endpoint on iOS](ios-whatsnew.md)</br>
+<details>
+ <summary>Aug-2022 (Build: 101.75.90 | Release version: 20.122071.17590.0)</summary>
+
+&ensp;Released: **Aug 3, 2022**<br/>
+&ensp;Published: **Aug 3, 2022**<br/>
+&ensp;Build: **101.75.90**<br/>
+&ensp;Release version: **20.122071.17590.0**<br/>
+&ensp;Engine version: **1.1.19300.3**<br/>
+&ensp;Signature version: **1.369.395.0**<br/>
+
+**What's new**
+
+- Added a new field in the output of `mdatp health` that can be used to query the enforcement level of the network protection feature. The new field is called `network_protection_enforcement_level` and can take one of the following values: `audit`, `block`, or `disabled`.
+- Addressed a product bug where multiple detections of the same content could lead to duplicate entries in the threat history.
+- Other bug fixes.
+
+<br/>
+</details>
+ <details> <summary>Jul-2022 (Build: 101.73.77 | Release version: 20.122062.17377.0)</summary>
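Review bot: The new `network_protection_enforcement_level` field lists the values `audit`, `block`, and `disabled` but does not say what each means for enforcement or how an admin reads the field; a one-line gloss plus a sample invocation (for example `mdatp health --field network_protection_enforcement_level`, if `--field` is supported on this build) would let admins verify that production devices are actually in `block` rather than `audit` after the upgrade. Style: removing the invalid `</br>` closing tag from the "What's new in ... iOS" line is correct, and the `<br/>` spacer before `</details>` matches the other release blocks, but the Jul-2022 `<details> <summary>...` opener on the last line is collapsed onto one line while the Aug-2022 block puts `<summary>` on its own line; pick one layout for the whole file.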
security Migrating Mde Server To Cloud https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud.md
Microsoft Defender for Cloud is a subscription-based service in the Microsoft Az
To enable Defender for Servers for Azure VMs and non-Azure machines connected through [Azure Arc-enabled servers](/azure/azure-arc/servers/overview), follow this guideline: 1. If you aren't already using Azure, plan your environment following the [Azure Well-Architected Framework](/azure/architecture/framework/).+ 2. Enable [Microsoft Defender for Cloud](/azure/defender-for-cloud/get-started) on your subscription(s).+ 3. Enable one of the Microsoft Defender for Server plans on your [subscription(s)](/azure/defender-for-cloud/enable-enhanced-security). In case you're using Defender for Servers Plan 2, make sure to also enable it on the Log Analytics workspace your machines are connected to; it will enable you to use optional features like File Integrity Monitoring, Adaptive Application Controls and more.+ 4. Make sure the [MDE integration](/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows) is enabled on your subscription. If you have pre-existing Azure subscriptions, you may see one (or both) of the two opt-in buttons shown in the image below.
- :::image type="content" source="images/mde-integration.png" alt-text="Screenshot that shows how to enable MDE integration.":::
-If you have any of these buttons in your environment, make sure to enable integration for both. On new subscriptions, both options will be enabled by default.
+
+ :::image type="content" source="images/mde-integration.png" alt-text="Screenshot that shows how to enable MDE integration." lightbox="images/mde-integration.png":::
+
+ If you have any of these buttons in your environment, make sure to enable integration for both. On new subscriptions, both options will be enabled by default.
+ 5. Make sure the connectivity requirements for Azure Arc are met. Microsoft Defender for Cloud requires all on-premises and non-Azure machines to be connected via the Azure Arc agent. In addition, Azure Arc doesn't support all MDE supported operating systems. So, learn how to plan for [Azure Arc deployments here](/azure/azure-arc/servers/plan-at-scale-deployment).+ 6. *Recommended:* If you want to see vulnerability findings in Defender for Cloud, make sure to enable [Microsoft Defender Vulnerability Management](/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va) for Defender for Cloud.
- :::image type="content" source="images/enable-threat-and-vulnerability-management.png" alt-text="Screenshot that shows how to enable vulnerability management.":::
+
+ :::image type="content" source="images/enable-threat-and-vulnerability-management.png" alt-text="Screenshot that shows how to enable vulnerability management." lightbox="images/enable-threat-and-vulnerability-management.png":::
## How do I migrate existing Azure VMs to Microsoft Defender for Cloud?
For Azure VMs, no extra steps are required, these are automatically onboarded to
## How do I migrate VMs from AWS or GCP environments? 1. Create a new multi-cloud connector on your subscription. (For more information on connector, see [AWS accounts](/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings) or [GCP projects](/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings).+ 2. On your multi-cloud connector, enable Defender for Servers on [AWS](/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings#prerequisites) or [GCP](/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings#configure-the-servers-plan) connectors.+ 3. Enable auto-provisioning on the multi-cloud connector for the Azure Arc agent, Microsoft Defender for Endpoint extension, Vulnerability Assessment and, optionally, Log Analytics extension.
- :::image type="content" source="images/select-plans-aws-gcp.png" alt-text="Screenshot that shows how to enable auto-provisioning for Azure Arc agent.":::
-For more information, see [Defender for CloudΓÇÖs multicloud capabilities](https://aka.ms/mdcmc).
+
+ :::image type="content" source="images/select-plans-aws-gcp.png" alt-text="Screenshot that shows how to enable auto-provisioning for Azure Arc agent." lightbox="images/select-plans-aws-gcp.png":::
+
+ For more information, see [Defender for CloudΓÇÖs multicloud capabilities](https://aka.ms/mdcmc).
## What happens once all migration steps are completed?
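Review bot: In step 1 under "How do I migrate VMs from AWS or GCP environments?" the parenthesis opened at "(For more information on connector, see" is never closed, and "on connector" should read "on connectors"; that is a context line, so it needs a follow-up fix. The indentation change itself is right: moving the `:::image:::` blocks, the "If you have any of these buttons..." sentence and the "For more information, see Defender for Cloud's multicloud capabilities" sentence under their list items keeps the numbered lists from restarting, and the added `lightbox` attributes match the `source` paths. Step 5 states that Azure Arc "doesn't support all MDE supported operating systems" but links only to the at-scale deployment plan; a link to the supported operating systems list would save readers a search before they plan the Arc rollout.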
security Before You Begin Defender Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-defender-experts.md
This service is currently delivered in English language only.
If you haven't done so yet, you can complete the customer interest form for Defender Experts for Hunting:
-1. Complete the customer interest form. Anyone from your company can apply, but if you're accepted, you need to work with your Commercial Executive to transact the SKU.
-2. Enter your company email ID.
+1. Complete the [customer interest form](https://aka.ms/DEX4HuntingCustomerInterestForm). Anyone from your company can apply, but if you're accepted, you need to work with your Commercial Executive to transact the SKU.
+2. Enter your name, company name, and company email ID.
3. Select **Submit**. Someone from our sales team will reach out within five business days.
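Review bot: Step 1 reads "Complete the customer interest form", but steps 2 and 3 ("Enter your name, company name, and company email ID", "Select **Submit**") are the actions that complete it, so step 1 should be "Open the [customer interest form](https://aka.ms/DEX4HuntingCustomerInterestForm)". The added link is the same aka.ms target used in the Defender Experts for Hunting overview change on this page, which keeps the two articles consistent.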
security Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-for-hunting.md
The following capabilities included in this managed threat hunting service could
[Watch this short video](https://youtu.be/4t1JgE0X0jc) to learn more about how Microsoft Defender Experts for Hunting can help you track the latest advanced threats in your environment.
-Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products. If you're a Microsoft 365 Defender customer and are interested in purchasing Defender Experts for Hunting, complete a customer interst form.
+Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products. If you're a Microsoft 365 Defender customer and are interested in purchasing Defender Experts for Hunting, complete a [customer interest form](https://aka.ms/DEX4HuntingCustomerInterestForm).
### Next step
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
The following example assumes you need email from contoso.com to skip spam filte
Instead of an organizational setting, users or admins can add the sender email addresses to the Safe Senders list in the mailbox. For instructions, see [Configure junk email settings on Exchange Online mailboxes in Office 365](configure-junk-email-settings-on-exo-mailboxes.md). This method is not desirable in most situations since senders will bypass parts of the filtering stack. Although you trust the sender, the sender can still be compromised and send malicious content. Itt's better when you let our filters check every message and then [report the false positive/negative to Microsoft](report-junk-email-messages-to-microsoft.md) if we got it wrong. Bypassing the filtering stack also interferes with [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).
-By design and for increased security of Exchange Online mailboxes, only the junk email settings for safe senders, blocked senders, and blocked domains are recognized. Safe domains settings are ignored.
+By design and for increased security of Exchange Online mailboxes, only the junk email settings for safe senders and safe domains, blocked senders, and blocked domains are recognized. Safe mailing list settings are ignored.
When messages skip spam filtering due to a user's Safe Senders list, the **X-Forefront-Antispam-Report** header field will contain the value `SFV:SFE`, which indicates that filtering for spam, spoof, and phishing were bypassed.
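Review bot: This `+` line reverses the previous statement: Safe domains settings move from "ignored" to "recognized", and "Safe mailing list settings" become the ignored category instead. Because a recognized safe domain lets every sender in that domain bypass parts of the filtering stack (exactly the risk the preceding paragraph describes, including the loss of ZAP and the compromised-sender case), please confirm the new behavior with the product team and consider restating that caveat next to this sentence, since domain-level trust is far broader than a single safe sender. Two typos remain in the surrounding context lines: "Itt's better" should be "It's better", and "filtering for spam, spoof, and phishing were bypassed" should read "was bypassed".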
security Utilize Microsoft Defender For Office 365 In Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/Utilize Microsoft Defender for Office 365 in SharePoint Online.md
+
+ Title: Use Microsoft Defender for Office 365 in SharePoint Online
+description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive for Business
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Use Microsoft Defender for Office 365 with SharePoint Online
+
+Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and that help keep this collaboration tool in your organization secure. However, itΓÇÖs important to note there is a balance to strike between security and productivity, and not all these steps may be relevant for your organizational risk profile. Take a look, test, and maintain that balance.
+
+## What you'll need
+
+- Microsoft Defender for Office 365 Plan 1
+- Sufficient permissions (SharePoint administrator/security administrator).
+- Microsoft SharePoint Online (part of Microsoft 365).
+- Five to ten minutes to perform these steps.
+
+## Turn on Microsoft Defender for Office 365 in SharePoint Online
+If licensed for Microsoft Defender for Office 365 **(free 90-day evaluation available at aka.ms/trymdo)** you can ensure seamless protection from zero day malware and time of click protection within Microsoft Teams.
+
+To learn more, read [Step 1: Use the Microsoft 365 Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams#step-1-use-the-microsoft-365-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams).
+
+1. Sign in to the [security centerΓÇÖs safe attachments configuration page](https://security.microsoft.com/safeattachmentv2).
+1. Select **Global settings**.
+1. Ensure that **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** is set to **on**.
+1. Navigate to the [security centerΓÇÖs Safe links configuration page](https://security.microsoft.com/safelinksv2).
+1. Select **Save**.
+
+## Stop infected file downloads from SharePoint Online
+
+By default, users can't open, move, copy, or share malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, the *Download* option is still available and should be *disabled*.
+
+To learn more, read [Step 2: (*Recommended*) Use SharePoint Online PowerShell to prevent users from downloading malicious files](/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
+
+1. Open and connect to [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
+1. Run the following command: **Set-SPOTenant -DisallowInfectedFileDownload $true**.
+
+### Further reading
+[Policy recommendations for securing SharePoint sites and files](/microsoft-365/security/office-365-security/sharepoint-file-access-policies)
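Review bot: In "Turn on Microsoft Defender for Office 365 in SharePoint Online", step 4 ("Navigate to the security center's Safe links configuration page") sits between toggling the Safe Attachments global setting and step 5 ("Select **Save**"), so following the steps as written navigates away before saving and the Safe Links page is never used; either drop step 4 or move it after Save with its own instruction. The intro sentence promises "time of click protection within Microsoft Teams" in a SharePoint article; it should name SharePoint Online and OneDrive (and Teams, since the setting covers all three). Smaller points: "and that help keep this collaboration tool" should be "and help keep"; the H1 "Use Microsoft Defender for Office 365 with SharePoint Online" and the metadata title "in SharePoint Online" should match; and `Set-SPOTenant -DisallowInfectedFileDownload $true` belongs in code formatting rather than bold, ideally followed by a verification step that reads the setting back with `Get-SPOTenant` (assuming the property is returned there, as it is for other tenant settings).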
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Delivering user reported messages to a user submissions mailbox instead of direc
## Configuration requirements for the user submissions mailbox
-Before you get started, yu need to configure Exchange Online Protection and Defender for Office 365 so user reported messages are delivered to the user submissions mailbox without being filtered as described in the following steps:
+Before you get started, you need to configure Exchange Online Protection and Defender for Office 365 so user reported messages are delivered to the user submissions mailbox without being filtered as described in the following steps:
- Identify the user submissions mailbox as a SecOps mailbox. For instructions, see [Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy](configure-advanced-delivery.md#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
When **Microsoft Outlook Report Message button** is **On** ![Toggle on.](../../m
- **Send the reported messages to** section: Select one of the following options:
- - **Microsoft**: The user reports go directly to Microsoft for analysis. Only the metadata such as sender, recipient, reported by, and the message details from the user reports are provided to the tenant admin via the Microsoft 365 Security Center.
+ - **Microsoft**: The user reports go directly to Microsoft for analysis. Only the metadata such as sender, recipient, reported by, and the message details from the user reports are provided to the tenant admin via the Microsoft 365 Defender portal.
- **Microsoft and my organization's mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox to use as the user submissions mailbox. Distribution groups are not allowed. User submissions go to Microsoft for analysis and to the user submissions mailbox for an admin or security operations team to analyze.
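Review bot: The configuration requirement says reported messages must reach the user submissions mailbox "without being filtered" (via the SecOps mailbox entry in the advanced delivery policy), yet the **Microsoft and my organization's mailbox** option accepts any "existing Exchange Online mailbox"; the text should state that this must be a dedicated mailbox used only for submissions, because the bypass means user-reported phishing and malware land there unfiltered, and routing that into a mailbox someone also reads for normal mail defeats the point. The typo fix ("yu" to "you") and the rename from "Microsoft 365 Security Center" to "Microsoft 365 Defender portal" are correct; check that the remaining occurrences in this article use the same portal name.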