Updates from: 09/08/2021 03:13:36
Category Microsoft Docs article Related commit history on GitHub Change details
admin Mailbox Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/mailbox-usage.md
You can get a view into your organization's **Mailbox usage** by looking at the
|5. <br/> | The **Quota** chart shows you the number of user mailboxes in each quota category. There are four quota categories: <br/> Good - number of users whose storage used is below the issue warning quota. <br/> Warning - number of users whose storage used is at or above issue warning, but below prohibit send quota <br/> Can't send - number of users whose storage used is at or above the prohibit send quota, but below prohibit send/receive quota <br/> Can't send/receive - number of users whose storage used is at or above prohibit send/receive quota <br/> | |6. <br/> | On the **Mailbox** chart, the Y axis is the count of user mailboxes. <br/> On the **Storage** chart, the Y axis is the amount of storage being used by user mailboxes in your organization. <br/> On the **Quota** chart, the Y axis is the number of user mailboxes in each storage quota. <br/> The X axis on the Mailbox and Storage charts is the selected date range for this specific report. <br/> The X axis on the Quota charts is the quota category. <br/> | |7. <br/> |You can filter charts you see by selecting an item in the legend. <br/> |
-|8. <br/> | The table shows you a breakdown of mailbox usage at the per-user level. You can add additional columns to the table. <br/> **User name** is the email address of the user. <br/> **Display Name** is the full name if the user. <br/> **Deleted** refers to the mailbox whose current state is deleted, but was active during some part of the reporting period of the report. <br/> **Deleted date** is the date the mailbox was deleted. <br/> **Create date** is the date the mailbox was created. <br/> **Last activity date** refers to the date the mailbox had an email send or read activity. <br/> **Item count** refers to the total number of items in the mailbox. <br/> **Storage used (MB)** refers to the total storage used. <br/> **Deleted Item Count** refers to the total number of deleted items in the mailbox. <br/> **Deleted Item Size (MB)** refers to the total size of all deleted items in the mailbox. <br/> **Issue warning quota (MB)** refers to the storage limit when the mailbox owner will receive a warning that it's about to hit the storage quota. <br/> **Prohibit send quota (MB)** refers to the storage limit when the mailbox can no longer send emails. <br/> **Prohibit send receive quota (MB)** refers to the storage limit when the mailbox can no longer send or receive emails. <br/> If your organization's policies prevents you from viewing reports where user information is identifiable, you can change the privacy setting for all these reports. Check out the **Hide user details in the reports** section in the [Activity Reports in the Microsoft 365 admin center](activity-reports.md). <br/> |
-|9. <br/> |Select **Choose columns** to add or remove columns from the report. <br/> ![Mailbox usage report - choose columns.](../../media/ea3d0b18-6ac6-41b0-9bb9-4844f040ea75.png)|
+|8. <br/> | The table shows you a breakdown of mailbox usage at the per-user level. You can add additional columns to the table. <br/> **User name** is the email address of the user. <br/> **Display Name** is the full name if the user. <br/> **Deleted** refers to the mailbox whose current state is deleted, but was active during some part of the reporting period of the report. <br/> **Deleted date** is the date the mailbox was deleted. <br/> **Create date** is the date the mailbox was created. <br/> **Last activity date** refers to the date the mailbox had an email send or read activity. <br/> **Item count** refers to the total number of items in the mailbox. <br/> **Storage used (MB)** refers to the total storage used. <br/> **Deleted Item Count** refers to the total number of deleted items in the mailbox. <br/> **Deleted Item Size (MB)** refers to the total size of all deleted items in the mailbox. <br/> **Issue warning quota (MB)** refers to the storage limit when the mailbox owner will receive a warning that it's about to hit the storage quota. <br/> **Prohibit send quota (MB)** refers to the storage limit when the mailbox can no longer send emails. <br/> **Prohibit send receive quota (MB)** refers to the storage limit when the mailbox can no longer send or receive emails. <br/> **Recoverable Item Quota (MB)** refers to the storage limit for recoverable (deleted) items in the mailbox when the mailbox can no longer delete emails. <br/> **Has Archive** shows if the mailbox has an online archive enabled. <br/> If your organization's policies prevents you from viewing reports where user information is identifiable, you can change the privacy setting for all these reports. Check out the **Hide user details in the reports** section in the [Activity Reports in the Microsoft 365 admin center](activity-reports.md). <br/> |
+|9. <br/> |Select **Choose columns** to add or remove columns from the report. <br/> ![Mailbox usage report - choose columns.](https://user-images.githubusercontent.com/34358966/132123544-20321d4f-ecd2-4787-b8fc-2fcda3a63781.png)|
|10. <br/> |You can also export the report data into an Excel .csv file, by selecting the **Export** link. <br/> | |||
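Review bot: The replacement screenshot in step 9 is served from user-images.githubusercontent.com instead of the repo's ../../media folder that every other image in this digest uses; an image hosted outside the repository is not versioned or reviewed together with the text and can change or vanish independently, so commit it under ../../media and reference it relatively. While step 8 is being edited, fix the two carried-over typos: "full name if the user" should read "full name of the user", and "policies prevents you" should read "policies prevent you".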
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
You must be an Exchange administrator or Global administrator in Microsoft 365 t
[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)\ [Send email from a different address](https://support.microsoft.com/office/ccba89cb-141c-4a36-8c56-6d16a8556d2e) (article)\
+[Control automatic external email forwarding in Microsoft 365](/security/office-365-security/external-email-forwarding?view=o365-worldwide) (article)\
[Change a user name and email address](../add-users/change-a-user-name-and-email-address.md) (article)
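Review bot: The new link hard-codes "?view=o365-worldwide" while the neighbouring links carry no view query; drop it so the link follows whatever view the reader selected. The cross-reference itself belongs here, since the linked topic is the control that decides whether the forwarding configured in this article may leave the organization at all.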
admin Business Assist https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/business-assist.md
description: "Learn about the Business Assist program and how it can help your o
Get the most out of your subscription with expert advice from small business specialists.
-**Business Assist for Microsoft 365** is designed for businesses with fewer than 5 users to give you and your employees around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
+**Business Assist for Microsoft 365** is designed for small businesses to give you and your employees around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
### Watch: Business Assist for Microsoft 365
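Review bot: Replacing "fewer than 5 users" with "small businesses" removes the only concrete eligibility criterion in the sentence; if the threshold was raised rather than dropped, state the new number, and if eligibility is now defined elsewhere, link to it so readers can tell whether they qualify.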
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
TeleMessage data connectors are also available in GCC environments in the Micros
The table in this section lists the third-party data connectors available in partnership with 17a-4 LLC. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-compliance-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.
-Before you can archive third-party data in Microsoft 365, you have to work with Veritas to set up their archiving service (called *DataParser*) for your organization. For more information, click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
+Before you can archive third-party data in Microsoft 365, you have to work with 17a-4 LLC to set up their archiving service (called *DataParser*) for your organization. For more information, click the link in the **Third-party data** column to go the step-by-step instructions for creating a connector for that data type.
|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management | |:|:|:|:|:|:|:|
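Review bot: Good catch on "Veritas"; the paragraph above introduces the 17a-4 LLC connectors, so the vendor name was a leftover from the Veritas section. The same sentence still reads "to go the step-by-step instructions" and needs "to go to the". The table alignment row "|:|:|:|:|:|:|:|" is not valid Markdown table syntax (each alignment cell needs at least one hyphen, for example "|:---|:---|"), so the table may not render as a table.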
compliance Create A Dlp Policy From A Template https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-dlp-policy-from-a-template.md
Last updated 6/29/2018 audience: Admin-+ f1_keywords: - 'ms.o365.cc.NewPolicyFromTemplate'
description: In this article, you'll learn about how to create DLP policies usin
# Create a DLP policy from a template
-The easiest, most common way to get started with DLP policies is to use one of the templates included in Office 365. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.
+The easiest, most common way to get started with DLP policies is to use one of the templates included in the Microsoft 365 Compliance center. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.
-Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. For example, there are DLP policy templates for:
+Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. See; [Policy templates](dlp-policy-reference.md#policy-templates) for a complete list.
-- Gramm-Leach-Bliley Act (GLBA)-- Payment Card Industry Data Security Standard (PCI-DSS)-- United States Personally Identifiable Information (U.S. PII)-- United States Health Insurance Act (HIPAA)-
-You can fine tune a template by modifying any of the existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.
+You can fine tune a template by modifying any of its existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.
You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch, to meet the specific compliance requirements for your organization.
-## Example: Identify sensitive information across all OneDrive for Business sites and restrict access for people outside your organization
-
-OneDrive for Business accounts make it easy for people across your organization to collaborate and share documents. But a common concern for compliance officers is that sensitive information stored in OneDrive for Business accounts may be inadvertently shared with people outside your organization. A DLP policy can help mitigate this risk.
-
-In this example, you'll create a DLP policy that identifies U.S. PII data, which includes Individual Taxpayer Identification Numbers (ITIN), Social Security Numbers, and U.S. passport numbers. You'll get started by using a template, and then you'll modify the template to meet your organization's compliance requirementsΓÇöspecifically, you'll:
--- Add a couple of types of sensitive informationΓÇöU.S. bank account numbers and U.S. driver's license numbersΓÇöso that the DLP policy protects even more of your sensitive data.--- Make the policy more sensitive, so that a single occurrence of sensitive information is enough to restrict access for external users.--- Allow users to override the actions by providing a business justification or reporting a false positive. This way, your DLP policy won't prevent people in your organization from getting their work done, provided they have a valid business reason for sharing the sensitive information.- ### Create the DLP policy from a template
-1. Go to <https://compliance.microsoft.com>.
+1. Sign in at <https://compliance.microsoft.com>.
-2. Sign in using your work or school account. You're now in the Security &amp; Compliance Center.
-
-3. In the Security &amp; Compliance Center \> left navigation \> **Data loss prevention** \> **Policy** \> **+ Create a policy**.
+2. In the Compliance Center \> left navigation \> **Data loss prevention** \> **Policy** \> **+ Create a policy**.
![Create a policy button.](../media/b1e48a08-92e2-47ca-abdc-4341694ddc7c.png)
+
+3. Choose the DLP policy template that protects the types of sensitive information that you need \> **Next**.
-4. Choose the DLP policy template that protects the types of sensitive information that you need \> **Next**.
-
- In this example, you'll select **Privacy** \> **U.S. Personally Identifiable Information (PII) Data** because it already includes most of the types of sensitive information that you want to protect - you'll add a couple later.
+4. Name the policy \> **Next**.
+
+<!--In this example, you'll select **Privacy** \> **U.S. Personally Identifiable Information (PII) Data** because it already includes most of the types of sensitive information that you want to protect - you'll add a couple later.
When you select a template, you can read the description on the right to learn what types of sensitive information the template protects.
- ![Page for choosing a DLP policy template.](../media/775266f6-ad87-4080-8d7c-97f2e7403b30.png)
+ ![Page for choosing a DLP policy template.](../media/775266f6-ad87-4080-8d7c-97f2e7403b30.png)-->
-5. Name the policy \> **Next**.
+5. To choose the locations that you want the DLP policy to protect and either accept the default scope for each location or customize the scope. See, [Locations](dlp-policy-reference.md#locations) for scoping options.
-6. To choose the locations that you want the DLP policy to protect, do one of the following:
+6. Choose \> **Next**.
+
+1. <!-->, do one of the following:
- Choose **All locations in Office 365** \> **Next**. - Choose **Let me choose specific locations** \> **Next**. For this example, choose this.
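Review bot: The renumbered steps no longer form a working procedure. Step 5 ("To choose the locations that you want the DLP policy to protect and either accept the default scope for each location or customize the scope.") is a fragment with no instruction, step 6 ("Choose \> **Next**") names nothing to choose, and the stray "1. <!-->" after it is not a valid comment opener, so the old location instructions down to the trailing "-->" may publish as visible text. Suggest one step: "Choose the locations that you want the DLP policy to protect, accept the default scope for each location or customize it (see [Locations](dlp-policy-reference.md#locations)), then choose **Next**." and either delete the old block or open it with a proper "<!--". Also "See; [Policy templates]" has a stray semicolon.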
In this example, you'll create a DLP policy that identifies U.S. PII data, which
![Options for locations where a DLP policy can be applied.](../media/ee50a61a-e867-4571-a150-3eec8d83650f.png)
- In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the **Status** for both **Exchange email** and **SharePoint sites**, and leave the **Status** on for **OneDrive accounts**.
+ In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the **Status** for both **Exchange email** and **SharePoint sites**, and leave the **Status** on for **OneDrive accounts**.-->
-7. Choose **Use advanced settings** \> **Next**.
+7. Choose **Review and customize default settings from the template** \> **Next**.
8. A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can edit, delete, or turn off any of the existing rules, or add new ones. When done, click **Next**. ![Rules expanded in US PII policy template.](../media/3bc9f1b6-f8ad-4334-863a-24448bb87687.png)
- In this example, the U.S. PII Data template includes two predefined rules:
+9. Choose to detect when this content is shared inside your organization or outside your organization if you have selected any of these locations:
+ 1. Exchange
+ 1. SharePoint
+ 1. OneDrive
+ 1. Teams Chat and Channel Messages
+
+10. Choose **Next**.
+
+11. On the **Protection actions** page if you want, you can customize the policy tip notifications and notification emails. Enable **When content matches the policy conditions, show policy tips to users and sen them an email notification**, then choose **Customize the tip and email**.
+1. c
+1.
+1.
+1.
+1. hoose **Next**.
++
+<!-- In this example, the U.S. PII Data template includes two predefined rules:
- **Low volume of content detected U.S. PII** This rule looks for files containing between 1 and 10 occurrences of each of three types of sensitive information (ITIN, SSN, and U.S. passport numbers), where the files are shared with people outside the organization. If found, the rule sends an email notification to the primary site collection administrator, document owner, and person who last modified the document.
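Review bot: Step 11 reads "sen them an email notification" for "send them", and the line that should follow it is split across five list items ("1. c", three empty "1.", and "1. hoose **Next**."), which will render as a numbered list of fragments; collapse them into a single "12. Choose **Next**." Step 9's sub-items (Exchange, SharePoint, OneDrive, Teams Chat and Channel Messages) are alternatives, not a sequence, so use bullets instead of "1." numbering. Step 8 still says "click **Next**" while every other step says "Choose"; align the verb.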
In this example, you'll create a DLP policy that identifies U.S. PII data, which
After you create and turn on a DLP policy, it's deployed to any content sources that it includes, such as SharePoint Online sites or OneDrive for Business accounts, where the policy begins automatically enforcing its rules on that content. +
+## Example: Identify sensitive information across all OneDrive for Business sites and restrict access for people outside your organization
+
+OneDrive for Business accounts make it easy for people across your organization to collaborate and share documents. But a common concern for compliance officers is that sensitive information stored in OneDrive for Business accounts may be inadvertently shared with people outside your organization. A DLP policy can help mitigate this risk.
+
+In this example, you'll create a DLP policy that identifies U.S. PII data, which includes Individual Taxpayer Identification Numbers (ITIN), Social Security Numbers, and U.S. passport numbers. You'll get started by using a template, and then you'll modify the template to meet your organization's compliance requirementsΓÇöspecifically, you'll:
+
+- Add a couple of types of sensitive informationΓÇöU.S. bank account numbers and U.S. driver's license numbersΓÇöso that the DLP policy protects even more of your sensitive data.
+
+- Make the policy more sensitive, so that a single occurrence of sensitive information is enough to restrict access for external users.
+
+- Allow users to override the actions by providing a business justification or reporting a false positive. This way, your DLP policy won't prevent people in your organization from getting their work done, provided they have a valid business reason for sharing the sensitive information.
++ ## View the status of a DLP policy At any time, you can view the status of your DLP policies on the **Policy** page in the **Data loss prevention** section of the Security &amp; Compliance Center. Here you can find important information, such as whether a policy was successfully enabled or disabled, or whether the policy is in test mode.
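Review bot: The relocated "Example" section promises three customizations (adding U.S. bank account and driver's license number types, lowering the count so a single occurrence restricts external access, and allowing override with a business justification or false-positive report), but none of the rewritten steps carries them out; the only example text that survives is the commented-out template-selection and predefined-rules passages. Either restore a walkthrough under the new heading or reduce the three bullets to a statement of what the template covers. The "ΓÇö" sequences are mis-encoded em dashes and should be replaced. "View the status of a DLP policy" still says "Security & Compliance Center" while the rewritten steps say "Compliance Center"; use one name.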
compliance Create Apply Retention Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-apply-retention-labels.md
When you publish retention labels to Microsoft 365 groups ([formerly Office 365
To retain content for a Microsoft 365 group, use the **Microsoft 365 Groups** location. Even though a Microsoft 365 group has an Exchange mailbox, a retention policy that includes the entire Exchange location won't include content in Microsoft 365 group mailboxes. In addition, it's not possible to use the Exchange location to include or exclude a specific group mailbox. Although the Exchange location initially allows a group mailbox to be selected, when you try to save the retention policy, you receive an error that "RemoteGroupMailbox" is not a valid selection for the Exchange location.
-
-First, create and configure the sensitivity labels that you want to make available for apps and other services. For example, the labels you want users to see and apply from Office apps.
-
-Then, create one or more label policies that contain the labels and policy settings that you configure. It's the label policy that publishes the labels and settings for your chosen users and locations.
### Applying a default retention label to all content in a SharePoint library, folder, or document set
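Review bot: Correct removal; the two deleted paragraphs describe sensitivity labels and label policies, a different feature from the retention labels this article covers, and the surrounding text on Microsoft 365 group retention does not depend on them. Confirm the same paragraphs exist in the sensitivity-label article rather than being lost.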
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
for where they are used/expected behavior-->
<!--You can use notifications and overrides to educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification.-->
-When a user attempts an action on a sensitive item in a context that meets the conditions and exceptions of a rule, you can let them know about it through user notification emails and in context policy tips popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.
+When a user attempts an action on a sensitive item in a context that meets the conditions and exceptions of a rule, you can let them know about it through user notification emails and in context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.
For example, content like an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with an external user.
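Review bot: "policy tip popups" is the right fix. The sentence that follows ("For example, content like an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with an external user.") has no main verb; rewrite it as "For example, a user shares an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) with an external user."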
The user notifications and policy tips configuration options vary depending on t
You can enable/disable user notifications for various Microsoft apps, see [Data Loss Prevention policy tips reference](dlp-policy-tips-reference.md#data-loss-prevention-policy-tips-reference)-- You can enable/disable **Notifying users in Office 365 service with a policy tip.
- - email notifications to the user who sen, shared, or last modified the content
+
+- You can enable/disable **Notifying users in Office 365 service** with a policy tip.
+ - email notifications to the user who sent, shared, or last modified the content
OR - notify specific people
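Review bot: The "sent" fix and the closing "**" on "Notifying users in Office 365 service" are right; "OR - notify specific people" still sits on one line with the "OR" and needs to be a second sub-bullet under the email-notification item so the two recipient choices render as alternatives.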
If you selected Devices only, you will get all the same options that are availab
![User notification and policy tip configuration options that are available for Devices](../media/dlp-user-notification-devices.png)
+You can customize the title and body of text with using these parameters. The body text supports these:
+
+|common name |parameter |example
+||||
+|file name |%%FileName%% | Contoso doc 1 |
+|process name |%%ProcessName%% | Word |
+|policy name |%%PolicyName%%| Contoso highly confidential |
+|action | %%AppliedActions%% | pasting document content from the clipboard to another app |
+
+**%%AppliedActions%%** substitutes these values into the message body:
++
+|action common name |value substituted in for %%AppliedActions%% parameter |
+|||
+|copy to removeable storage |*writing to removable storage* |
+|copy to network share |*writing to a network share* |
+|print |*printing* |
+|paste from clipboard |*pasting from the clipboard* |
+|copy via bluetooth |*transferring via Bluetooth* |
+|open with an unallowed app |*opening with this app* |
+|copy to a remote desktop (RDP) |*transferring to remote desktop* |
+|uploading to an unallowed website |*uploading to this site* |
+|accessing the item via an unallowed browser |*opening with this browser* |
+
+Using this customized text
+
+*%%AppliedActions%% File name %%FileName%% via %%ProcessName%% is not allowed by your organization. Click 'Allow' if you want to bypass the policy %%PolicyName%%*
+
+produces this text in the customized notification:
+
+*pasting from the clipboard File Name: Contoso doc 1 via WINWORD.EXE is not allowed by your organization. Click 'Allow' button if you want to bypass the policy Contoso highly confidential*
+
+++ > [!NOTE] > User notifications and policy tips are not available for the On-premises location
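Review bot: The worked example does not round-trip through the table. The input text reads "File name %%FileName%%" and "Click 'Allow' if", but the quoted output reads "File Name: Contoso doc 1" and "Click 'Allow' button if", and %%ProcessName%% becomes "WINWORD.EXE" in the output while the table's example value for process name is "Word"; make the output the literal result of substituting the table values into the input so admins can predict what their users will see. Both alignment rows ("||||" and "|||") are invalid Markdown and need a hyphen in each cell; "removeable" should be "removable"; "with using these parameters" should be "using these parameters".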
If you selected Devices only, you will get all the same options that are availab
To learn more about user notification and policy tip configuration and use, including how to customize the notification and tip text, see - [Send email notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md#send-email-notifications-and-show-policy-tips-for-dlp-policies)-- [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference)-- <!--The email can notify the person who sent, shared, or last modified the content and, for site content, the primary site collection administrator and document owner. In addition, you can add or remove whomever you choose from the email notification.
compliance Ediscovery Troubleshooting Common Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-troubleshooting-common-issues.md
When running an eDiscovery search that includes SharePoint Online and OneDrive f
You may see that error when running an eDiscovery search that includes SharePoint Online and OneDrive for Business locations. eDiscovery relies on the SPO index to identify the file locations. If the file was deleted but the SPO index was not yet updated this error may occur. ### Resolution + Open the SPO location and verify that this file indeed is not there. Suggested solution is to manually reindex the site, or wait until the site reindexes by the automatic background process. - ## Error/issue: This search result was not downloaded as it is a folder or other artifact that can't be downloaded by itself, any items inside the folder or library will be downloaded. You may see that error when running an eDiscovery search that includes SharePoint Online and OneDrive for Business locations. It means that we were going to try and export the item reported in the index, but it turned out to be a folder so we did not export it. As mentioned in the error, we don't export folder items but we do export their contents.
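Review bot: The "This search result was not downloaded as it is a folder..." entry appears to be removed here (the "- ## Error/issue" marker) with no replacement; it documents expected export behaviour, that folders are skipped and their contents exported, which users still need when they see that message, so keep it or say where it moved. In the resolution that is kept, "Suggested solution is to manually reindex the site, or wait until the site reindexes" reads better as "Either manually reindex the site or wait for the automatic background reindex."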
An eDiscovery search fails with error the `recipient not found`. This error may
3. There should be a mail user object for the user question. If nothing is returned, investigate the user object. Contact Microsoft Support if the object can't be synced.
+## Issue/Error: Search fails with error CS007
+
+When performing a Content search or a search associated with a Core eDiscovery case, a transient error occurs and the search fails with a CS007 error.
+
+### Resolution
+
+1. Update the search and reduce the complexity of the search query. For example, a wildcard search may return too many results for the system to process, which causes a CS007 error.
+
+2. Rerun the updated search.
+ ## Error/issue: Exporting search results is slow When exporting search results from Core eDiscovery or Content search in the Microsoft 365 compliance center, the download takes longer than expected. You can check to see the amount of data to be download and possibly increase the export speed.
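Review bot: The new CS007 section calls the error transient but offers only "reduce the complexity of the search query" as the fix; a transient error would be retried as written, so either drop "transient" or make step 1 "Rerun the search; if it fails again, simplify the query (for example, narrow a wildcard term)." The heading reads "Issue/Error:" while the rest of the article uses "Error/issue:". Two nits in the surrounding context: "for the user question" should be "for the user in question", and "the amount of data to be download" should be "downloaded".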
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
You can use auto-quarantine to prevent an endless chain of DLP notifications for
Prevent people from transferring files protected by your policies via specific Bluetooth apps.
-### Browser and domain restrictions
+### Browser and domain restrictions to sensitive data
Restrict sensitive files that match your policies from being shared with unrestricted cloud service domains.
+#### Unallowed browsers
+
+You add browsers, identified by their executable names, that will be blocked from accessing files that match the conditions of an enforced a DLP policy where the upload to cloud services restriction is set to block or block override. When these browsers are blocked from accessing a file, the end users will see a toast notification asking them to open the file through Edge Chromium.
+ #### Service domains You can control whether sensitive files protected by your policies can be uploaded to specific service domains from Microsoft Edge.
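Review bot: The moved "Unallowed browsers" text still carries "an enforced a DLP policy"; drop the second "a". The new heading "Browser and domain restrictions to sensitive data" reads oddly; "Browser and domain restrictions for sensitive data" matches the sentence under it. Because this subsection now precedes "Service domains", add a pointer to it, since the browser block only takes effect when the upload to cloud services restriction is set to block or block override.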
If the list mode is set to **Allow**, then users will be able to upload sensitiv
> [!IMPORTANT] > When the service restriction mode is set to "Allow", you must have at least one service domain configured before restrictions are enforced.
-#### Unallowed browsers
+### Additional settings for endpoint DLP
-You add browsers, identified by their executable names, that will be blocked from accessing files that match the conditions of an enforced a DLP policy where the upload to cloud services restriction is set to block or block override. When these browsers are blocked from accessing a file, the end users will see a toast notification asking them to open the file through Edge Chromium.
+#### Business justification in policy tips
+
+You can control how users interact with the business justification option in DLP policy tip notifications. This option appears when users perform an activity that's protected by the **Block with override** setting in a DLP policy. This is a global setting. You can choose from one the following options:
-### Business justification in policy tips
+- **Show default options and custom text box**: By default, users can select either a built-in justification, or enter their own text.
+- **Only show default options**: Users can only select a built-in justification.
+- **Only show custom text box**: Users can only enter their own justification. Only the text box will appear in the end user policy tip notification.
-You can control how users interact with the business justification option in DLP policy tip notifications. This option appears when users perform an activity that's protected by the **Block with override** setting in a DLP policy. You can choose from one the following options:
+##### Customizing the options in the drop-down menu
-- By default, users can select either a built-in justification, or enter their own text.-- Users can only select a built-in justification.-- Users can only enter their own justification.
+You can create up to five customized options that will appear when users interact with the policy notification tip by selecting the **Customize the options drop-down menu**.
++
+|Option |default text |
+|||
+|option 1 | **This is part of an established business workflow** or you can enter customized text |
+|option 2 |**My manager has approved this action** or you can enter customized text |
+|option 3 |**Urgent access required; I'll notify my manager separately** or you can enter customized text |
+|Show false positive option |**The information in these files is not sensitive** or you can enter customized text |
+|option 5 |**Other** or you can enter customized text |
+
+<!--See, [Scenario 5: Configure a policy to use the customized business justification](#scenario-5-configure-a-policy-to-use-the-customized-business-justification)-->
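Review bot: "choose from one the following options" needs "one of". In the new table the fourth row is labelled "Show false positive option" while the others are "option 1", "option 2", "option 3" and "option 5"; either label it "option 4" and explain in the text that this row is the one users pick to report a false positive instead of supplying a justification, or keep the label and say so. The alignment row "|||" is invalid Markdown for a two-column table. The commented-out pointer to Scenario 5 should stay commented out until that scenario has content.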
### Always audit file activity for devices
The message reads:
9. Check Activity explorer for the event.
+### Scenario 5: Configure a policy to use the customized business justification
+++ ## See also - [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
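Review bot: "### Scenario 5: Configure a policy to use the customized business justification" is added with no body directly above "## See also"; an empty scenario heading publishes as a dead section. Hold this heading, and the commented reference to it in the settings section, until the steps are written.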
compliance Indexing Custodian Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/indexing-custodian-data.md
description: "When a custodian is added to an Advanced eDiscovery case, any cont
# Advanced indexing of custodian data
-When a custodian is added to an Advanced eDiscovery case, any content that was deemed as partially indexed or had indexing errors with is reindexed to make it fully searchable. This reindexing process is called *Advanced indexing*. There are a number of reasons that content is partially indexed or has indexing errors. This includes image files or the presence of images in a file, unsupported file types, or file sized indexing limits. For SharePoint files, Advanced indexing only runs on items are marked as partially indexed or that have indexing errors. In Exchange, email messages that have image attachments are not marked as partially indexed or with indexing errors. This means that those files will not be reindexed by the Advanced indexing process.
+When a custodian is added to an Advanced eDiscovery case, any content that was deemed as partially indexed or had indexing errors is reindexed to make it fully searchable. This reindexing process is called *Advanced indexing*. There are many reasons that content is partially indexed or has indexing errors. This includes image files or the presence of images in a file, unsupported file types, or file sized indexing limits. For SharePoint files, Advanced indexing only runs on items are marked as partially indexed or that have indexing errors. In Exchange, email messages that have image attachments are not marked as partially indexed or with indexing errors. This means that those files will not be reindexed by the Advanced indexing process.
To learn more about processing support and partially indexed items, see: - [Supported file types in Advanced eDiscovery](supported-filetypes-ediscovery20.md) -- [Partially indexed items in Content Search in Office 365](partially-indexed-items-in-content-search.md)
+- [Partially indexed items in eDiscovery](partially-indexed-items-in-content-search.md)
- [File formats indexed by Exchange Search](/exchange/file-formats-indexed-by-exchange-search-exchange-2013-help)
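Review bot: two slips survive the rewording of the `+When a custodian is added...` line: `Advanced indexing only runs on items are marked as partially indexed` is missing `that` (`items that are marked`), and `file sized indexing limits` should read `file size indexing limits`. In the list, the removed `-- [Partially indexed items in Content Search in Office 365]` entry and the added `- [Partially indexed items in eDiscovery]` entry point at the same file, so this is a title-only change; confirm the target page's title was renamed to match.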
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
When cumulative exfiltration detection is enabled for data theft or data leak po
To learn more about the User activity management, see [Insider risk management cases: User activities](insider-risk-management-cases.md#user-activity).
-## Policy health (preview)
+## Policy health
The policy health status gives you insights into potential issues with your insider risk management policies. The Status column on the Policies tab can alert you to policies issues that may prevent user activity from being reported or why the number of activity alerts is unusual. The policy health status can also confirm that the policy is healthy and doesn't need attention or configuration changes.
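Review bot: dropping `(preview)` from `## Policy health` changes the heading anchor from `#policy-health-preview` to `#policy-health`, so any cross-reference to the old anchor elsewhere in the repo will break; search for it before merging. If you are touching this section anyway, the unchanged sentence below still reads `policies issues`, which should be `policy issues`.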
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft 365 compliance center](micr
### Communication compliance - [Communication compliance feature reference](communication-compliance-feature-reference.md) added new preview feature support for modern attachments scanning in Teams private chats and channels.
+### Compliance & service assurance
+
+- [Service assurance](https://docs.microsoft.com/en-us/compliance/) has been updated with quarterly review content updates for certifications and statements of applicability:
+ - Architecture
+ - Audit logging
+ - Encryption and key management
+ - Identity and access management
+ - Microsoft 365 access management
+ - Network security
+ - Privacy
+ - Resiliency and continuity
+ - Risk management
+ - Security development and operation
+ - Security monitoring
+ - Supplier management
+ - Vulnerability management
+ ### Data Loss Prevention - [Data loss prevention policy reference](dlp-policy-reference.md). Added a new policy reference page to assist you in creating policies.
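Review bot: the link in `- [Service assurance](https://docs.microsoft.com/en-us/compliance/)` hard-codes the `en-us` locale and the absolute host, while the other links in this change set are root-relative (`/azure/...`, `/exchange/...`); `/compliance/` would localize correctly. The `+ ### Data Loss Prevention` heading also has a leading space, which makes markdown treat it as a continuation of the preceding list instead of a heading; remove the indent and put a blank line before it.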
contentunderstanding Adoption Getstarted https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-getstarted.md
To get ready for implementing SharePoint Syntex, you need to:
## See also [Scenarios and use cases for SharePoint Syntex](adoption-scenarios.md)
+[Manage contracts using a Microsoft 365 solution](solution-manage-contracts-in-microsoft-365.md)
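Review bot: the added `[Manage contracts using a Microsoft 365 solution](solution-manage-contracts-in-microsoft-365.md)` line sits directly under the previous See also link with no blank line between them, so markdown renders both links as a single paragraph on one line; separate them with a blank line or turn the See also entries into a bulleted list.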
contentunderstanding Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/difference-between-document-understanding-and-form-processing-model.md
Form processing models also create new [SharePoint content types](https://suppor
You can apply document understanding models to SharePoint document libraries that you have access to. Use the content center to create a document understanding model, and apply it to different document libraries. The content center gives you a more central control for how document understanding models are used and where they're applied. Note this information must also roll up to a content center.
-Form processing models can currently only be applied to the SharePoint document library from which you created them. This allows licensed users with access to the site to create a form processing model. Note that an admin needs to enable form processing on a SharePoint document library for it to be available to licensed users.
+Form processing models can currently be applied only to the SharePoint document library from which you created them. This allows licensed users with access to the site to create a form processing model. Note that an admin needs to enable form processing on a SharePoint document library for it to be available to licensed users.
## Comparison of forms processing and document understanding
-Use the following table to understand when to use forms processing and when to use document understanding:
+Use the following table to understand when to use forms processing and when to use document understanding.
| Feature | Forms processing | Document understanding | | - | - | - |
-| Model Type - when to use each | Used for semi-structured file formats, for example PDFs for forms content such as invoices or purchase orders where the layout and formatting is similar. | Used for semi-structured file formats ΓÇô for example, Office documents where there are differences in the layout, but still similar information to be extracted. |
+| Model type - when to use each | Used for semi-structured file formats, for example PDFs for forms content such as invoices or purchase orders where the layout and formatting is similar. | Used for semi-structured file formats ΓÇô for example, Office documents where there are differences in the layout, but still similar information to be extracted. |
| Model creation | Model created in AI builder with seamless access from SharePoint document library.| Model created in SharePoint in a new site, the content center. | | Classification type| Settable classifier is used to give clues to the system on what data to extract.| Trainable classifier with optional extractors using machine teaching to assign document location on what data to extract.| | Locations | Trained for a single document library.| Can be applied to multiple libraries.|
Use the following table to understand when to use forms processing and when to u
| Integrate with Managed Metadata | No | Yes, by training entity extractor referencing a configured managed metadata field.| | Compliance feature integration when Microsoft Information Protection is enabled | Set published Retention labels.<br>Set Sensitivity labels is coming. | Set published Retention labels.<br>Set published Sensitivity labels. | | Supported regions| Form processing relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | Available in all regions.|
-| Transactional cost | Uses AI Builder credits.<br>Credits can be purchased in batches of 1M.<br>1M credits are included when 300+ SharePoint Syntex licenses are purchased.<br>1M credits will allow processing of 2000 file pages.<br>| N/A |
+| Transactional cost | Uses AI Builder credits.<br>Credits can be purchased in batches of 1M.<br>1M credits are included when 300+ SharePoint Syntex licenses are purchased.<br>1M credits will allow processing of 2,000 file pages.<br>| N/A |
| Capacity | Uses the default Power Platform environment (custom environments with Dataverse database supported). | Does not have capacity restrictions.| | Supported languages| English <br>Coming later in 2021: Latin alphabet languages | Models work on all latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese.| ## See Also
-[Training: Improve business performance with AI Builder](/learn/paths/improve-business-performance-ai-builder/?source=learn)
-
+[Training: Improve business performance with AI Builder](/learn/paths/improve-business-performance-ai-builder/?source=learn)
[Document understanding overview](document-understanding-overview.md)
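Review bot: the renamed `| Model type - when to use each |` row still carries the mojibake `ΓÇô` (a mis-encoded en dash) in the Document understanding column, so the change does not fix what readers actually see; replace it with a plain hyphen or comma. Removing the blank line between `[Training: Improve business performance with AI Builder]` and `[Document understanding overview]` also collapses the two See Also links into one paragraph; keep the blank line or make them list items.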
enterprise Microsoft 365 Vpn Implement Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel.md
Once the policy is in place, you should confirm it is working as expected. There
### Additional support logs
-If you need further data to troubleshoot, or are requesting assistance from Microsoft support, obtaining the following information should allow you to expedite finding a solution. Microsoft support's **TSS Windows CMD-based universal TroubleShooting Script toolset** can help you to collect the relevant logs in a simple manner. The tool and instructions on use can be found at <https://aka.ms/TssTools.>
+If you need further data to troubleshoot, or are requesting assistance from Microsoft support, obtaining the following information should allow you to expedite finding a solution. Microsoft support's **TSS Windows CMD-based universal TroubleShooting Script toolset** can help you to collect the relevant logs in a simple manner. The tool and instructions on use can be found at <https://aka.ms/TssTools>.
## HOWTO guides for common VPN platforms
enterprise Monitor Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/monitor-connectivity.md
Once you've deployed Microsoft 365, you can maintain Microsoft 365 connectivity
|Type of monitoring |Description | |:--|:--| |**Getting notified of new Microsoft 365 endpoints** <br/> |If you're [Managing Microsoft 365 endpoints](https://support.office.com/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a), you'll want to receive notifications when we publish new endpoints, you can subscribe to our RSS feed using your favorite RSS reader. Here is how to [subscribe via Outlook](https://go.microsoft.com/fwlink/p/?LinkId=532416) or you can [have the RSS feed updates emailed to you](https://go.microsoft.com/fwlink/p/?LinkId=532417). <br/> |
-|**Use System Center to Monitor Microsoft 365** <br/> |If you're using Microsoft System Center, you can download the [System Center Management Pack for Office 365](https://www.microsoft.com/download/details.aspx?id=43708) to begin monitoring Microsoft 365 today. For more detailed guidance, please see the management pack operations guide. <br/> |
+|**Use System Center to Monitor Microsoft 365** <br/> |If you're using Microsoft System Center, you can download the [Microsoft System Center Operations Manager Management Pack for Microsoft 365](https://www.microsoft.com/download/details.aspx?id=103379) to begin monitoring Microsoft 365 today. For more detailed guidance, please see the management pack operations guide. <br/> |
|**Monitoring the health of Azure ExpressRoute** <br/> |If you are connecting to Microsoft 365 using Azure ExpressRoute for Microsoft 365, you'll want to ensure that you're using both the Microsoft 365 Service Health Dashboard as well as the Azure [Reducing troubleshooting time with Azure Resource health](https://azure.microsoft.com/blog/reduce-troubleshooting-time-with-azure-resource-health/) <br/> | |**Using Azure AD Connect Health with AD FS** <br/> |If you're using AD FS for Single Sign-On with Microsoft 365, you'll want to begin [using Azure AD Connect Health to monitor your AD FS infrastructure](/azure/active-directory/hybrid/how-to-connect-health-adfs). <br/> | |**Programmatically monitor Microsoft 365** <br/> |Refer to our guidance on the [Microsoft 365 Management API](/office/office-365-management-api/office-365-management-apis-overview). <br/> |
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Schedule scans using PowerShell](schedule-antivirus-scans-powershell.md) ##### [Schedule scans using WMI](schedule-antivirus-scans-wmi.md) #### [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md)
+#### [Tune performance of Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
#### [Compatibility with other security products](microsoft-defender-antivirus-compatibility.md) #### [Get your antivirus and antimalware updates](manage-updates-baselines-microsoft-defender-antivirus.md)
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-overview.md
Time information in advanced hunting is currently in the UTC time zone.
- [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) - [Custom detections overview](overview-custom-detections.md)
+- [Storage account overview](/azure/storage/common/storage-account-overview)
+- [Azure Event Hubs ΓÇö A big data streaming platform and event ingestion service](/azure/event-hubs/event-hubs-about)
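Review bot: the added `[Azure Event Hubs ΓÇö A big data streaming platform and event ingestion service]` link text contains the mojibake `ΓÇö` (a mis-encoded em dash); use a plain ASCII separator such as a colon or hyphen in the link text so it renders correctly in every locale.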
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
The most common reason is there's no required [antimalware client version](/micr
Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files, which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
-If you are deploying and managing the policy via Group Policy, please make sure combine all PolicyRule into one XML file within a parant node called PolicyRules and all Group into one XML file within a parant node called Groups; if you manage through Intune, keep one PolicyRule one XML file, same thing, one Group one XML file.
+If you are deploying and managing the policy via Group Policy, please make sure combine all PolicyRule into one XML file within a parent node called PolicyRules and all Group into one XML file within a parent node called Groups; if you manage through Intune, keep one PolicyRule one XML file, same thing, one Group one XML file.
### There is no configuration UX for 'Define device control policy groups' and 'Define device control policy rules' on my Group Policy
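Review bot: the `parant` to `parent` fix leaves the sentence ungrammatical: `please make sure combine all PolicyRule` is missing `to`, and `keep one PolicyRule one XML file, same thing, one Group one XML file` should read along the lines of `keep one PolicyRule per XML file and one Group per XML file`. While here, the unchanged line above says `markdown formatting for the "&" character in the XML file`; the requirement is XML escaping (`&amp;`), not markdown, and stating that plainly would save readers a failed parse.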
security Exposed Apis Odata Samples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-odata-samples.md
Not all properties are filterable.
## Properties that support $filter - [Alert](alerts.md): `alertCreationTime`, `lastUpdateTime`, `incidentId`,`InvestigationId`, `status`, `severity` and `category`.-- [Machine](machine.md): `ComputerDnsName`, `LastSeen`, `HealthStatus`, `OsPlatform`, `RiskScore` and `RbacGroupId`.
+- [Machine](machine.md): `ComputerDnsName`, `LastSeen`, `HealthStatus`, `OsPlatform`, `onboardingStatus`, `RiskScore` and `RbacGroupId`.
- [MachineAction](machineaction.md): `Status`, `MachineId`, `Type`, `Requestor` and `CreationDateTimeUtc`. - [Indicator](ti-indicator.md): `indicatorValue`, `indicatorType`, `creationTimeDateTimeUtc`, `createdBy`, `severity` and `action`.
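Review bot: `onboardingStatus` is the only camelCase name in the `[Machine](machine.md)` list; the neighbouring entries (`ComputerDnsName`, `LastSeen`, `HealthStatus`, `OsPlatform`, `RiskScore`, `RbacGroupId`) are all PascalCase. Check the property name against machine.md and use the same casing here so readers copying it into a `$filter` get a consistent example.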
security Overview Hardware Based Isolation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](/security/defender-endpoint)
+- [Microsoft 365 Defender](/security/defender/microsoft-365-defender)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
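Review bot: the replacement targets `/security/defender-endpoint` and `/security/defender/microsoft-365-defender` omit the `/microsoft-365` root segment that the other root-relative links in this change set use (compare `/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint` in the Microsoft 365 Defender table below), so both links will likely 404; the originals were fwlinks, so confirm the resolved paths before dropping them. The removed `**Applies to:**-- [...]` line shows the list was glued to the label; make sure a blank line follows `**Applies to:**` so the two added `- [...]` items render as a list.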
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
+
+ Title: Performance analyzer for Microsoft Defender Antivirus
+description: Describes the procedure to tune the performance of Microsoft Defender Antivirus.
+keywords: tune, performance, microsoft defender for endpoint, defender antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+# Performance analyzer for Microsoft Defender Antivirus
+
+**What is Microsoft Defender Antivirus performance analyzer?**
+
+In some cases, you might need to tune the performance of Microsoft Defender Antivirus as it scans specific files and folders. Performance analyzer is a PowerShell command-line tool that helps determine which files, file extensions, and processes might be causing performance issues on individual endpoints. This information can be used to better assess performance issues and apply remediation actions.
+
+Some options to analyze include:
+
+- Top files that impact scan time
+- Top processes that impact scan time
+- Top file extensions that impact scan time
+- Combinations ΓÇô for example, top files per extension, top scans per file, top scans per file per process
+
+## Running performance analyzer
+
+The high-level process for running performance analyzer involves the following steps:
+
+1. Run performance analyzer to collect a performance recording of Microsoft Defender Antivirus events on the endpoint.
+
+> [!NOTE]
+> Performance of Microsoft Defender Antivirus events of the type **Microsoft-Antimalware-Engine** are recorded through the performance analyzer.
+
+2. Analyze the scan results using different recording reports.
+
+## Using performance analyzer
+
+To start recording system events, open Powershell in administrative mode and perform the following steps:
+
+1. Run the following command to start the recording:
+
+`New-MpPerformanceRecording -RecordTo <recording.etl>`
+
+ where `-RecordTo` parameter specifies full path location in which the trace file is saved. For more cmdlet information, see [Defender](/powershell/module/defender).
+
+2. If there are processes or services thought to be affecting performance, reproduce the situation by carrying out the relevant tasks.
+3. Press **ENTER** to stop and save recording, or **Ctrl+C** to cancel recording.
+4. Analyze the results using the performance analyzerΓÇÖs `Get-MpPerformanceReport`parameter. For example, on executing the command `Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10`, the user is provided with a list of top-ten scans for the top 3 files affecting performance.
+
+For more information on command-line parameters and options, see the [New-MpPerformanceRecording](#new-mpperformancerecording) and [Get-MpPerformanceReport](#get-mpperformancereport).
+
+### Performance tuning data and information
+
+Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and reason for scan. The image below shows sample output for a simple query of the top 10 files for scan impact.
++
+### Additional functionality: exporting and converting to CSV and JSON
+
+The results of the perfomance analyzer can also be exported and converted to a CSV or JSON file.
+For examples that describe the process of "export" and "convert" through sample codes, see below.
+
+#### For CSV
+
+- **To export**:
+`(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:1000). TopScans | Export-CSV -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation`
+
+- **To convert**:
+`(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:100). TopScans | ConvertTo-Csv -NoTypeInformation`
+
+#### For JSON
+
+- **To convert**:
+`(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:1000). TopScans | ConvertTo-Json -Depth:1`
+
+### Requirements
+Microsoft Defender Antivirus performance analyzer has the following prerequisites:
+
+- Supported Windows versions: Windows 10, Windows 11, and Windows Server 2016 and above
+- Platform Version: 4.18.2108.X+
+- PowerShell Version: PowerShell Version 5.1
+
+## PowerShell reference
+There are two new PowerShell cmdlets used to tune performance of Microsoft Defender Antivirus:
+
+- [New-MpPerformanceRecording](#new-mpperformancerecording)
+- [Get-MpPerformanceReport](#get-mpperformancereport)
++
+### New-MpPerformanceRecording
+
+The following section describes the reference for the new PowerShell cmdlet New-MpPerformanceRecording. This cmdlet Collects a performance recording of Microsoft Defender Antivirus scans.
+
+#### Syntax: New-MpPerformanceRecording
+
+```powershell
+New-MpPerformanceRecording -RecordTo <String >
+```
+
+#### Description: New-MpPerformanceRecording
+The `New-MpPerformanceRecording` cmdlet collects a performance recording of Microsoft Defender Antivirus scans. These performance recordings contain Microsoft-Antimalware-Engine and NT kernel process events and can be analyzed after collection using the [Get-MpPerformanceReport](#get-mpperformancereport) cmdlet.
+
+This `New-MpPerformanceRecording` cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided ΓÇ£AS ISΓÇ¥, and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.
+
+For more information on the performance analyzer, see [Performance Analyzer](/windows-hardware/test/wpt/windows-performance-analyzer) docs.
+
+> [!IMPORTANT]
+> This cmdlet requires elevated administrator privileges.
+
+**Supported OS versions**
+
+Windows Version 10 and later.
+
+> [!NOTE]
+> This feature is available starting with platform version 4.18.2108.X and later.
+
+#### Examples: New-MpPerformanceRecording
+
+##### Example 1: Collect a performance recording and save it
+
+```powershell
+New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl
+```
+
+The above command collects a performance recording and saves it to the specified path: **.\Defender-scans.etl**.
+
+#### Parameters: New-MpPerformanceRecording
+
+##### -RecordTo
+Specifies the location in which to save the Microsoft Defender Antimalware performance recording.
+
+```yaml
+Type: String
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### Get-MpPerformanceReport
+
+The following section describes the Get-MpPerformanceReport PowerShell cmdlet. Analyzes and reports on Microsoft Defender Antivirus (MDAV) performance recording.
+
+#### Syntax: Get-MpPerformanceReport
+
+```powershell
+Get-MpPerformanceReport [-Path] <String>
+[-TopScans <Int32>]
+[-TopFiles <Int32>
+ [-TopScansPerFile <Int32>]
+ [-TopProcessesPerFile <Int32>
+ [-TopScansPerProcessPerFile <Int32>]
+ ]
+]
+[-TopExtensions <Int32>
+ [-TopScansPerExtension <Int32>]
+ [-TopProcessesPerExtension <Int32>
+ [-TopScansPerProcessPerExtension <Int32>]
+ ]
+ [-TopFilesPerExtension <Int32>
+ [-TopScansPerFilePerExtension <Int32>]
+ ]
+ ]
+]
+[-TopProcesses <Int32>
+ [-TopScansPerProcess <Int32>]
+ [-TopExtensionsPerProcess <Int32>
+ [-TopScansPerExtensionPerProcess <Int32>]
+ ]
+]
+[-TopFilesPerProcess <Int32>
+ [-TopScansPerFilePerProcess <Int32>]
+]
+[-MinDuration <String>]
+```
+
+#### Description: Get-MpPerformanceReport
+The `Get-MpPerformanceReport` cmdlet analyzes a previously collected Microsoft Defender Antivirus performance recording ([New-MpPerformanceRecording](#new-mpperformancerecording)) and reports the file paths, file extensions, and processes that cause the highest impact to Microsoft Defender Antivirus scans.
+
+The performance analyzer provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS" and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.
+
+For more information on the performance analyzer, see [Performance Analyzer](/windows-hardware/test/wpt/windows-performance-analyzer) docs.
+
+**Supported OS versions**
+
+Windows Version 10 and later.
+
+> [!NOTE]
+> This feature is available starting with platform version 4.18.2108.X and later.
+
+#### Examples: Get-MpPerformanceReport
+
+##### Example 1: Single query
+
+```powershell
+Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:20
+```
+
+##### Example 2: Multiple queries
+
+```powershell
+Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10
+```
+
+##### Example 3: Nested queries
+
+```powershell
+Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopExtensionsPerProcess:3 -TopScansPerExtensionPerProcess:3
+```
+
+##### Example 4: Using -MinDuration parameter
+
+```powershell
+Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:100 -MinDuration:100ms
+```
+
+#### Parameters: Get-MpPerformanceReport
+
+##### -MinDuration
+Specifies the minimum duration of any scan or total scan durations of files, extensions, and processes included in the report; accepts values like **0.1234567sec**, **0.1234ms**, **0.1us**, or a valid TimeSpan.
+
+```yaml
+Type: String
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+##### -Path
+Specifies the path(s) to one or more locations.
+
+```yaml
+Type: String
+Position: 0
+Default value: None
+Accept pipeline input: True
+Accept wildcard characters: False
+```
+
+### -TopExtensions
+Specifies how many top extensions to output, sorted by "DurationΓÇ¥.
+
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopExtensionsPerProcess
+Specifies how many top extensions to output for each top process, sorted by "DurationΓÇ¥.
+
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopFiles
+Requests a top-files report and specifies how many top files to output, sorted by "Duration".
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopFilesPerExtension
+Specifies how many top files to output for each top extension, sorted by "Duration".
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopFilesPerProcess
+Specifies how many top files to output for each top process, sorted by "Duration".
+
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopProcesses
+Requests a top-processes report and specifies how many of the top processes to output, sorted by "DurationΓÇ¥.
+
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopProcessesPerExtension
+Specifies how many top processes to output for each top extension, sorted by "DurationΓÇ¥.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
++
+### -TopProcessesPerFile
+Specifies how many top processes to output for each top file, sorted by "Duration ΓÇ£.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopScans
+Requests a top-scans report and specifies how many top scans to output, sorted by "Duration".
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
++
+### -TopScansPerExtension
+Specifies how many top scans to output for each top extension, sorted by "Duration".
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
++
+### -TopScansPerExtensionPerProcess
+Specifies how many top scans to output for each top extension for each top process, sorted by "DurationΓÇ¥.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
++
+### -TopScansPerFile
+Specifies how many top scans to output for each top file, sorted by "DurationΓÇ¥.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopScansPerFilePerExtension
+Specifies how many top scans to output for each top file for each top extension, sorted by "Duration".
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
++
+### -TopScansPerFilePerProcess
+Specifies how many top scans for output for each top file for each top process, sorted by "DurationΓÇ¥.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
++
+### -TopScansPerProcess
+Specifies how many top scans to output for each top process in the Top Processes report, sorted by "DurationΓÇ¥.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopScansPerProcessPerExtension
+Specifies how many top scans for output for each top process for each top extension, sorted by "DurationΓÇ¥.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopScansPerProcessPerFile
+Specifies how many top scans for output for each top process for each top file, sorted by "DurationΓÇ¥.
++
+```yaml
+Type: Int32
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
security Api Create App User Context https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-create-app-user-context.md
$redirectUri = '' # Paste your app's redirection URI
$authority = "https://login.windows.net/$tenantId" $resourceUrl = 'https://api.security.microsoft.com'
-$response = Get-ADALToken -Resource $resourceUrl -ClientId $cleintId -RedirectUri $redirectUri -Authority $authority -PromptBehavior:Always
+$response = Get-ADALToken -Resource $resourceUrl -ClientId $clientId -RedirectUri $redirectUri -Authority $authority -PromptBehavior:Always
$response.AccessToken | clip $response.AccessToken
The following example shows how to send a request to get a list of incidents **u
- [Create an app with multi-tenant partner access to Microsoft 365 Defender APIs](api-partner-access.md) - [Learn about API limits and licensing](api-terms.md) - [Understand error codes](api-error-codes.md)-- [OAuth 2.0 authorization for user sign in and API access](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code)
+- [OAuth 2.0 authorization for user sign in and API access](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code)
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
From the **Graph** tab, you can:
1. Play the alerts and the nodes on the graph as they occurred over time to understand the chronology of the attack.
-<!--
- :::image type="content" source="../../media/investigate-incidents/incident-graph-play.png" alt-text="Example of playing the alerts and nodes on the Graph page":::
> +
+ :::image type="content" source="../../media/investigate-incidents/incident-graph-play.gif" alt-text="Example of playing the alerts and nodes on the Graph page":::
+
2. Open an entity pane, allowing you to review the entity details and act on remediation actions, such as deleting a file or isolating a device.
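Review bot: the removed lines take out the `<!--` opener and the `.png` image, and the added lines insert the `.gif` image, but no removal of a matching `-->` is visible in this hunk; if the closing marker is still in the file it will now appear as literal text after the new image. The `> +` line between the removed and added blocks also looks like a stray fragment rather than an intended blockquote; double-check it is not left in the source.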
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
With the integrated Microsoft 365 Defender solution, security professionals can
<center><h2>Microsoft 365 Defender services</center></h2>
-<table><tr><td><center><b><a href="/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection"><b>Microsoft Defender for Endpoint</b></center></a></td>
-<td><center><b><a href="/office365/securitycompliance/office-365-atp"><b>Microsoft Defender for Office 365</b></center></a></td>
-<td><center><b><a href="/azure-advanced-threat-protection/"><b>Microsoft Defender for Identity</b></a></center></td>
+<table><tr><td><center><b><a href="/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint"><b>Microsoft Defender for Endpoint</b></center></a></td>
+<td><center><b><a href="/microsoft-365/security/office-365-security/overview"><b>Microsoft Defender for Office 365</b></center></a></td>
+<td><center><b><a href="/defender-for-identity/"><b>Microsoft Defender for Identity</b></a></center></td>
<td><center><b><a href="/cloud-app-security/"><b>Microsoft Cloud App Security</b></a></center></td> </tr> </table>
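Review bot: the updated table cells keep the broken HTML nesting of the lines they replace: each cell opens `<center><b><a ...><b>` and closes with `</b></center></a>` (first two cells) or `</b></a></center>` (third and fourth), so the outer `<b>` is never closed and, in the first two cells, `</center>` closes before `</a>`. Since every link target is being edited anyway, normalize each cell to `<td><center><a href="..."><b>Name</b></a></center></td>` so the markup is well-formed.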
In this interactive guide, you'll learn how to protect your organization with Mi
Microsoft 365 Defender suite protects: -- **Endpoints with Microsoft Defender for Endpoint** - Microsoft Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response. -- **Email and collaboration with Microsoft Defender for Office 365** - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. -- **Identities with Microsoft Defender for Identity and Azure AD Identity Protection** - Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
+- **Endpoints with Defender for Endpoint** - Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
+- **Email and collaboration with Defender for Office 365** - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.
+- **Identities with Defender for Identity and Azure Active Directory (Azure AD) Identity Protection** - Defender for Identity uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure AD Identity Protection automates the detection and remediation of identity-based risks in your cloud-based Azure AD.
- **Applications with Microsoft Cloud App security** - Microsoft Cloud App security is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4Bzww] Microsoft 365 Defender's unique cross-product layer augments the individual suite components to:-- Help protect against attacks and coordinate defensive responses across the suite through signal sharing and automated actions-- Narrate the full story of the attack across product alerts, behaviors, and context for security teams by joining data on alerts, suspicious events and impacted assets to 'incidents'-- Automate response to compromise by triggering self-healing for impacted assets through automated remediation-- Enable security teams to perform detailed and effective threat hunting across endpoint and Office data
-![Image of incident overview page.](../../media/overview-incident.png) <br>
-Cross-product incident (Overview)
+- Help protect against attacks and coordinate defensive responses across the suite through signal sharing and automated actions.
+- Narrate the full story of the attack across product alerts, behaviors, and context for security teams by joining data on alerts, suspicious events and impacted assets to 'incidents'.
+- Automate response to compromise by triggering self-healing for impacted assets through automated remediation.
+- Enable security teams to perform detailed and effective threat hunting across endpoint and Office data.
-![Image of alerts queue.](../../media/incident-list.png)<br>
-All related alerts across the suite products correlated together into a single incident (alerts view)
+Here's an example of how the Microsoft 365 Defender portal correlates all related alerts across the suite of products into a single incident.
-![Image of incident queue.](../../media/advanced-hunting.png)<br>
-Query-based hunting on top of email and endpoint raw data
+![Example of an incident overview page.](../../media/overview-incident.png) <br>
+Here's an example of the list of related alerts for an incident.
+
+![Example of the list of alerts for an incident](../../media/incident-list.png)<br>
+
+Here's an example of query-based hunting on top of email and endpoint raw data.
+
+![Example of advanced hunting and a query](../../media/advanced-hunting.png)<br>
Microsoft 365 Defender cross-product features include: + - **Cross-product single pane of glass** - Central view for all information on detections, impacted assets, automated actions taken, and related evidence in a single queue and a single pane in [security.microsoft.com](https://security.microsoft.com). - **Combined incidents queue** - To help security professionals focus on what is critical by ensuring the full attack scope, impacted assets and automated remediation actions are grouped together and surfaced in a timely manner. -- **Automatic response to threats** - Critical threat information is shared in real time between the Microsoft 365 Defender products to help stop the progression of an attack. For example, if a malicious file is detected on an endpoint protected by Microsoft Defender for Endpoint, it will instruct Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.-- **Self-healing for compromised devices, user identities, and mailboxes** - Microsoft 365 Defender uses AI-powered automatic actions and playbooks to remediate impacted assets back to a secure state. Microsoft 365 Defender leverages automatic remediation capabilities of the suite products to ensure all impacted assets related to an incident are automatically remediated where possible.-- **Cross-product threat hunting** - Security teams can leverage their unique organizational knowledge to hunt for signs of compromise by creating their own custom queries over the raw data collected by the various protection products. Microsoft 365 Defender provides query-based access to 30 days of historic raw signals and alert data across endpoint and Microsoft Defender for Office 365 data.
+- **Automatic response to threats** - Critical threat information is shared in real time between the Microsoft 365 Defender products to help stop the progression of an attack.
+ For example, if a malicious file is detected on an endpoint protected by Defender for Endpoint, it will instruct Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.
+- **Self-healing for compromised devices, user identities, and mailboxes** - Microsoft 365 Defender uses AI-powered automatic actions and playbooks to remediate impacted assets back to a secure state. Microsoft 365 Defender leverages automatic remediation capabilities of the suite products to ensure all impacted assets related to an incident are automatically remediated where possible.
+- **Cross-product threat hunting** - Security teams can leverage their unique organizational knowledge to hunt for signs of compromise by creating their own custom queries over the raw data collected by the various protection products. Microsoft 365 Defender provides query-based access to 30 days of historic raw signals and alert data across endpoint and Defender for Office 365 data.
## Get started
-Microsoft 365 Defender licensing requirements must be met before you can enable the service in the Microsoft 365 Defender portal at [security.microsoft.com](https://security.microsoft.com). For more information, read:
+
+Microsoft 365 Defender licensing requirements must be met before you can enable the service in the Microsoft 365 Defender portal at [security.microsoft.com](https://security.microsoft.com). For more information, see:
+ - [Licensing requirements](prerequisites.md#licensing-requirements) - [Turn on Microsoft 365 Defender](m365d-enable.md)
+## Training for security analysts
+
+With this learning path from Microsoft Learn, you can understand Microsoft 365 Defender and how it can help identify, control, and remediate security threats.
+
+|Training:|Detect and respond to cyber attacks with Microsoft 365 Defender|
+|||
+|![Microsoft 365 Defender training icon.](../../media/microsoft-365-defender/m365-defender-training.png)|Microsoft 365 Defender unifies threat signals across endpoints, identities, email, and applications to provide integrated protection against sophisticated cyber attacks. Microsoft 365 Defender is the central experience to investigate and respond to incidents and proactively search for ongoing malicious cyber security activities.<p> 1 hr 38 min - Learning Path - 5 Modules|
+
+> [!div class="nextstepaction"]
+> [Start >](/learn/paths/defender-detect-respond/)
+ ## See also - [Deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection)
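Review bot: the continuation paragraph added after the **Automatic response to threats** bullet ("For example, if a malicious file is detected...") is indented with a single space, which Markdown does not treat as part of the list item; indent it to align with the bullet text (two spaces or more) or it renders as a separate paragraph that splits the list. In the new **Training for security analysts** table, the cell text opens a `<p>` that is never closed; close it or use `<br>` for the line break before "1 hr 38 min".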
security Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365.md
Microsoft Defender for Office 365 safeguards your organization against malicious
- **[Automated investigation and response capabilities](office-365-air.md)**: Save time and effort investigating and mitigating threats. ## Interactive guide to Microsoft Defender for Office 365+ In this interactive guide you'll learn how to safeguard your organization with Microsoft Defender for Office 365. You'll see how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks. [Check out the interactive guide](https://aka.ms/MSDO-IG)
If you're new to Microsoft Defender for Office 365 or learn best by *doing*, you
- Safe Links - Safe Attachments - Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)-- Protect with Zero-Hour auto purge
+- Protect with zero-hour auto purge (ZAP).
To learn by doing, [click this link](protect-against-threats.md).
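Review bot: the replaced bullet now ends with a period (`(ZAP).`) while the neighbouring items in the same list (`Safe Links`, `Safe Attachments`, `Defend the workloads (...)`) have none; drop the period or add one to all four items. The expansion to `zero-hour auto purge (ZAP)` is consistent with the naming used in the other files in this change.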
security Email Analysis Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-analysis-investigations.md
The automated investigationΓÇÖs email analysis identifies email clusters using a
- The email analysis creates queries (clusters) of emails using attributes from the original email ΓÇô sender values (IP address, sending domain) and contents (subject, cluster ID) in order to find emails that are related. - If analysis of the original emailΓÇÖs URLs and files identifies that some are malicious (that is, malware or phish), then it will also create queries or clusters of emails containing the malicious URL or file.-- Email clustering analysis counts the threats associated with the matching emails in the cluster to determine whether the emails are malicious, suspicious, or have no clear threats. If the cluster of emails matching the query has a sufficient amount of spam, normal phish, high confidence phish or malware threats, the email cluster gets that threat type applied to it. -- The email clustering analysis also checks the latest delivery location of the original email and emails in the email clusters to help identify if the emails potentially still need removal or have already been remediated or prevented. This analysis is important because attackers morph malicious content plus security policies and protection may vary between mailboxes. This capability leads to situations where malicious content may still sit in mailboxes, even though one or more malicious emails has been detected and removed by Zero-hour Auto Protection (ZAP).
+- Email clustering analysis counts the threats associated with the matching emails in the cluster to determine whether the emails are malicious, suspicious, or have no clear threats. If the cluster of emails matching the query has a sufficient amount of spam, normal phish, high confidence phish or malware threats, the email cluster gets that threat type applied to it.
+- The email clustering analysis also checks the latest delivery location of the original email and emails in the email clusters to help identify if the emails potentially still need removal or have already been remediated or prevented. This analysis is important because attackers morph malicious content plus security policies and protection may vary between mailboxes. This capability leads to situations where malicious content may still sit in mailboxes, even though one or more malicious emails has been detected and removed by zero-hour auto purge (ZAP).
- Email clusters that are considered malicious due to malware, high confidence phish, malicious files, or malicious URLs threats will get a pending action to soft delete the emails when there are still in the cloud mailbox (inbox or junk folder). If malicious emails or email clusters are only "Not In Mailbox" (blocked, quarantined, failed, soft deleted, etc.) or "On-premises/External" with none in the cloud mailbox, then no pending action will be set up to remove them. - If any of the email clusters are determined to be malicious, then the threat identified by the cluster will get applied back to the original email involved in the investigation. This behavior is similar to a security operations analyst using email hunting results to determine the verdict of an original email based on matching emails. This result ensures that regardless of whether an original emailΓÇÖs URLs, files, or source email indicators are detected or not, the system can identify malicious emails that are potentially evading detection through personalization, morphing, evasion, or other attacker techniques. - In the user compromise investigation, additional email clusters are created to identify potential email issues created by the mailbox. This process includes a clean email cluster (good emails from user, potential data exfiltration, and potential command/control emails), suspicious email clusters (emails containing spam or normal phish) and malicious email clusters (emails containing malware or high confidence phish). These email clusters provide security operations analysts data to determine what other problems may need to be addressed from a compromise,and visibility on which emails may have triggered the original alerts (for example, phish/spam that triggered user sending restrictions)
During the email clustering analysis, all clustering queries will ignore securit
## AIR updates pending email action status
-The investigation email analysis calculates email threats and locations at the time of the investigation to create the investigation evidence and actions. This data can get stale and outdated when actions outside of the investigation affect the emails involved in the investigation. For example, security operations manual hunting and remediation may clean up emails included in an investigation. Likewise, deletion actions approved in parallel investigations or Zero-hour Auto Protection (ZAP) automatic quarantine actions may have removed emails. In addition, delayed detections of threats after email delivery may change the number of threats included in the investigationΓÇÖs email queries/clusters.
+The investigation email analysis calculates email threats and locations at the time of the investigation to create the investigation evidence and actions. This data can get stale and outdated when actions outside of the investigation affect the emails involved in the investigation. For example, security operations manual hunting and remediation may clean up emails included in an investigation. Likewise, deletion actions approved in parallel investigations or zero-hour auto protection (ZAP) automatic quarantine actions may have removed emails. In addition, delayed detections of threats after email delivery may change the number of threats included in the investigationΓÇÖs email queries/clusters.
To ensure investigation actions are up to date, any investigation that has pending actions will periodically re-run the email analysis queries to update the email locations and threats.
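Review bot: the rewritten paragraph under `## AIR updates pending email action status` still calls the feature `zero-hour auto protection (ZAP)`; the email clustering bullets earlier in this file, together with the Explorer, alert policy, protection stack and dashboard pages in this same change, standardize on `zero-hour auto purge (ZAP)`, and the linked article is `zero-hour-auto-purge.md`. Change `protection` to `purge` here so the same feature is not named two ways in one article.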
security Investigate Malicious Email That Was Delivered https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md
We understand previewing and downloading email are sensitive activities, and so
Threat Explorer is a powerful report that can serve multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation. The following procedure focuses on using Explorer to find and delete malicious email from recipient's mailboxes. > [!NOTE]
-> Default searches in Explorer don't currently include delivered items that were removed from the cloud mailbox by zero-hour auto protection (ZAP). This limitation applies to all views (for example, the **Email \> Malware** or **Email \> Phish** views). To include items removed by ZAP, you need to add a **Delivery action** set to include **Removed by ZAP**. If you include all options, you'll see all delivery action results, including items removed by ZAP.
+> Default searches in Explorer don't currently include delivered items that were removed from the cloud mailbox by zero-hour auto purge (ZAP). This limitation applies to all views (for example, the **Email \> Malware** or **Email \> Phish** views). To include items removed by ZAP, you need to add a **Delivery action** set to include **Removed by ZAP**. If you include all options, you'll see all delivery action results, including items removed by ZAP.
1. Open the Microsoft 365 Defender portal <https://security.microsoft.com> and sign in using your work or school account for Office 365.
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
Microsoft 365 provides many built-in alert policies that help identify Exchange
|||| |A potentially malicious URL click was detected|**High**|This alert is generated when any of the following occurs: <ul><li>A user protected by [Safe Links](safe-links.md) in your organization clicks a malicious link</li><li>Verdict changes for URLs are identified by Microsoft Defender for Office 365</li><li>Users override Safe Links warning pages (based on your organization's [Safe Links policy](set-up-safe-links-policies.md)).</li></ul> <p> For more information on events that trigger this alert, see [Set up Safe Links policies](set-up-safe-links-policies.md).| |An email message is reported by a user as malware or phish|**Informational**|This alert is generated when users in your organization report messages as phishing email using the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md).|
-|Email messages containing malware are removed after delivery|**Informational**|This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](zero-hour-auto-purge.md).|
-|Email messages containing phish URLs are removed after delivery|**Informational**|This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](zero-hour-auto-purge.md).|
+|Email messages containing malware are removed after delivery|**Informational**|This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).|
+|Email messages containing phish URLs are removed after delivery|**Informational**|This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [ZAP](zero-hour-auto-purge.md).|
|Suspicious email sending patterns are detected|**Medium**|This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user. <p> Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](responding-to-a-compromised-email-account.md).| |A user is restricted from sending email|**High**|This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an [email account is compromised](responding-to-a-compromised-email-account.md). <p> For more information about restricted users, see [Remove blocked users from the Restricted Users portal in Microsoft 365](removing-user-from-restricted-users-portal-after-spam.md).| |
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
The last stage takes place after mail or file delivery, acting on mail that is i
1. **Safe Links** is Defender for Office 365's time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it is checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation.
-2. **Zero-Hour Auto-purge (ZAP) for phishing** retroactively detects and neutralizes malicious phishing messages that have already been delivered to Exchange Online mailboxes.
+2. **Zero-hour auto purge (ZAP) for phishing** retroactively detects and neutralizes malicious phishing messages that have already been delivered to Exchange Online mailboxes.
3. **ZAP for malware** retroactively detects and neutralizes malicious malware messages that have already been delivered to Exchange Online mailboxes.
security Security Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-dashboard.md
The metrics are calculated as described in the following table:
|Messages scanned|Number of email messages scanned multiplied by the number of recipients| |Threats stopped|Number of email messages identified as containing malware multiplied by the number of recipients| |Blocked by [Defender for Office 365](defender-for-office-365.md)|Number of email messages blocked by Defender for Office 365 multiplied by the number of recipients|
-|Removed after delivery|Number of messages removed by [zero-hour auto purge](zero-hour-auto-purge.md) multiplied by the number of recipients|
+|Removed after delivery|Number of messages removed by [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md) multiplied by the number of recipients|
| ## Malware