From 04a2315e2de8ddba4a0e2db4ec1b0ead7dab05f9 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 15 Aug 2023 14:59:21 -0700 Subject: [PATCH] compliance to purview link updates 1 --- microsoft-365/security/office-365-security/air-about.md | 8 ++++---- .../office-365-security/air-remediation-actions.md | 2 +- .../office-365-security/air-view-investigation-results.md | 2 +- .../office-365-security/attack-simulation-training-faq.md | 2 +- .../office-365-security/azure-ip-protection-features.md | 2 +- .../connectors-detect-respond-to-compromise.md | 2 +- .../office-365-security/connectors-remove-blocked.md | 4 ++-- .../defender-for-office-365-whats-new.md | 2 +- .../detect-and-remediate-illicit-consent-grants.md | 6 +++--- microsoft-365/security/office-365-security/eop-about.md | 4 ++-- .../office-365-security/identity-access-prerequisites.md | 2 +- .../investigate-malicious-email-that-was-delivered.md | 2 +- .../office-365-security/mdo-portal-permissions.md | 2 +- .../security/office-365-security/mdo-sec-ops-guide.md | 2 +- .../mdo-sec-ops-manage-incidents-and-alerts.md | 2 +- .../migrate-to-defender-for-office-365-onboard.md | 2 +- .../outbound-spam-policies-configure.md | 6 +++--- .../office-365-security/outbound-spam-protection-about.md | 2 +- .../priority-accounts-security-recommendations.md | 4 ++-- .../office-365-security/protect-against-threats.md | 6 +++--- .../security/office-365-security/quarantine-policies.md | 2 +- .../recommended-settings-for-eop-and-office365.md | 2 +- ...moving-user-from-restricted-users-portal-after-spam.md | 4 ++-- 23 files changed, 36 insertions(+), 36 deletions(-) diff --git a/microsoft-365/security/office-365-security/air-about.md b/microsoft-365/security/office-365-security/air-about.md index 275ca3403df..4e2dd001e17 100644 --- a/microsoft-365/security/office-365-security/air-about.md +++ b/microsoft-365/security/office-365-security/air-about.md 
@@ -75,17 +75,17 @@ During and after each automated investigation, your security operations team can AIR capabilities are included in [Microsoft Defender for Office 365](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings: -- [Verify audit logging is turned on](../../compliance/audit-log-enable-disable.md) +- [Verify audit logging is turned on](/purview/audit-log-enable-disable) - [Anti-malware protection](protect-against-threats.md#part-1---anti-malware-protection-in-eop) - [Anti-phishing protection](../office-365-security/protect-against-threats.md#part-2---anti-phishing-protection-in-eop-and-defender-for-office-365) - [Anti-spam protection](protect-against-threats.md#part-3---anti-spam-protection-in-eop) - [Safe Links and Safe Attachments](protect-against-threats.md#part-4---protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365) -In addition, make sure to [review your organization's alert policies](../../compliance/alert-policies.md), especially the [default policies in the Threat management category](../../compliance/alert-policies.md#default-alert-policies). +In addition, make sure to [review your organization's alert policies](/purview/alert-policies), especially the [default policies in the Threat management category](/purview/alert-policies#default-alert-policies). ## Which alert policies trigger automated investigations? -Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](../../compliance/alert-policies.md#default-alert-policies) can trigger automated investigations. 
The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated: +Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](/purview/alert-policies#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated: |Alert|Severity|How the alert is generated| |---|---|---| @@ -101,7 +101,7 @@ Microsoft 365 provides many built-in alert policies that help identify Exchange |Admin triggered user compromise investigation|**Medium**|This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. This alert notifies your organization that the user compromise investigation was started.| > [!TIP] -> To learn more about alert policies or edit the default settings, see [Alert policies in the Microsoft Purview compliance portal](../../compliance/alert-policies.md). +> To learn more about alert policies or edit the default settings, see [Alert policies in the Microsoft Purview compliance portal](/purview/alert-policies). ## Required permissions to use AIR capabilities diff --git a/microsoft-365/security/office-365-security/air-remediation-actions.md b/microsoft-365/security/office-365-security/air-remediation-actions.md index 787764ad2e0..9ad5fa3a139 100644 --- a/microsoft-365/security/office-365-security/air-remediation-actions.md +++ b/microsoft-365/security/office-365-security/air-remediation-actions.md 
@@ -58,7 +58,7 @@ Microsoft Defender for Office 365 includes remediation actions to address variou |User|A user is sending malware/phish|Automated investigation doesn't result in a specific pending action.

The user might be reporting malware/phish, or someone could be [spoofing the user](anti-phishing-protection-spoofing-about.md) as part of an attack. Use [Threat Explorer](threat-explorer-about.md) to view and handle email containing [malware](threat-explorer-views.md#malware) or [phish](threat-explorer-views.md#phish).| |User|Email forwarding
(Mailbox forwarding rules are configured, chch could be used for data exfiltration.)|Remove forwarding rule

Use the [Autofowarded messages report](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report) to view specific details about forwarded email.| |User|Email delegation rules
(A user's account has delegations set up.)|Remove delegation rule

If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) who's getting the delegation permission.| -|User|Data exfiltration
(A user violated email or file-sharing [DLP policies](../../compliance/dlp-learn-about-dlp.md) |Automated investigation doesn't result in a specific pending action.

[Get started with Activity Explorer](../../compliance/data-classification-activity-explorer.md#get-started-with-activity-explorer).| +|User|Data exfiltration
(A user violated email or file-sharing [DLP policies](/purview/dlp-learn-about-dlp) |Automated investigation doesn't result in a specific pending action.

[Get started with Activity Explorer](/purview/data-classification-activity-explorer#get-started-with-activity-explorer).| |User|Anomalous email sending
(A user recently sent more email than during the previous 7-10 days.)|Automated investigation doesn't result in a specific pending action.

Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the [New users forwarding email insight in the EAC](/exchange/monitoring/mail-flow-insights/mfi-new-users-forwarding-email-insight) and [Outbound message report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-inbound-messages-and-outbound-messages-reports) to determine what's going on and take action.| ## Next steps diff --git a/microsoft-365/security/office-365-security/air-view-investigation-results.md b/microsoft-365/security/office-365-security/air-view-investigation-results.md index 135528ee314..cf4f96c0de8 100644 --- a/microsoft-365/security/office-365-security/air-view-investigation-results.md +++ b/microsoft-365/security/office-365-security/air-view-investigation-results.md @@ -41,7 +41,7 @@ The investigation status indicates the progress of the analysis and actions. As |**Starting**|The investigation has been triggered and waiting to start running.| |**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.| |**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified.

**TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer-about.md).| -|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues.

The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities:


**Note**: This **Partially Investigated** status used to be labeled as **Threats Found**.

The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation.

**TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-about.md)| +|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues.

The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities:


**Note**: This **Partially Investigated** status used to be labeled as **Threats Found**.

The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation.

**TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-about.md)| |**Terminated By System**|The investigation stopped. An investigation can stop for several reasons:


**TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer-about.md) to find and address threats.| |**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox setting, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md).

The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.| |**Remediated**|The investigation finished and all remediation actions were approved (noted as fully remediated).

**NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status doesn't change. View investigation details.| diff --git a/microsoft-365/security/office-365-security/attack-simulation-training-faq.md b/microsoft-365/security/office-365-security/attack-simulation-training-faq.md index 1b5c4cd77d8..99afd9c9ac1 100644 --- a/microsoft-365/security/office-365-security/attack-simulation-training-faq.md +++ b/microsoft-365/security/office-365-security/attack-simulation-training-faq.md @@ -86,7 +86,7 @@ Audit logging is required by Attack simulation training so events can be capture - Reporting data isn't available across all reports. The reports appear empty. - Training assignments are blocked, because data isn't available. -To verify that audit logging is on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +To verify that audit logging is on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). > [!NOTE] > Empty activity details can also be caused by no E5 licenses being assigned to users. Verify at least one E5 license is assigned to an active user to ensure that reporting events are captured and recorded. diff --git a/microsoft-365/security/office-365-security/azure-ip-protection-features.md b/microsoft-365/security/office-365-security/azure-ip-protection-features.md index 41b8b9b8933..04be2a057ab 100644 --- a/microsoft-365/security/office-365-security/azure-ip-protection-features.md +++ b/microsoft-365/security/office-365-security/azure-ip-protection-features.md 
@@ -91,4 +91,4 @@ Once this is enabled, provided you haven't opted out, you can start using the ne :::image type="content" source="../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png" alt-text="An OME protected message in Outlook on the web" lightbox="../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png"::: -For more information about the new enhancements, see [Office 365 Message Encryption](../../compliance/ome.md). +For more information about the new enhancements, see [Office 365 Message Encryption](/purview/ome). diff --git a/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md b/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md index 8771f3c1a29..58f5e77bcdb 100644 --- a/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md +++ b/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md @@ -103,7 +103,7 @@ In [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Ex #### Investigate and validate connector-related activity -In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), replace \ and \ with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see [Use a PowerShell script to search the audit log](/compliance/audit-log-search-script). +In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), replace \ and \ with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see [Use a PowerShell script to search the audit log](/purview/audit-log-search-script). ```powershell Search-UnifiedAuditLog -StartDate "" -EndDate "" -Operations "New-InboundConnector","Set-InboundConnector","Remove-InboundConnector 
diff --git a/microsoft-365/security/office-365-security/connectors-remove-blocked.md b/microsoft-365/security/office-365-security/connectors-remove-blocked.md index 519f114e4c6..c108488d60b 100644 --- a/microsoft-365/security/office-365-security/connectors-remove-blocked.md +++ b/microsoft-365/security/office-365-security/connectors-remove-blocked.md @@ -82,10 +82,10 @@ For more information about compromised _user accounts_ and how to remove them fr ## Verify the alert settings for restricted connectors -The default alert policy named **Suspicious connector activity** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +The default alert policy named **Suspicious connector activity** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). > [!IMPORTANT] -> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). 1. In the Microsoft 365 Defender portal at , go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. Or, to go directly to the **Alert policy** page, use . diff --git a/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md b/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md index 528849764c7..935c9dbb42e 100644 --- a/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md 
+++ b/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md @@ -185,7 +185,7 @@ For more information on what's new with other Microsoft Defender security produc - User restricted from sharing forms and collecting responses - Form blocked due to potential phishing attempt - Form flagged and confirmed as phishing - - [New alert policies for ZAP](../../compliance/new-defender-alert-policies.md) + - [New alert policies for ZAP](/purview/new-defender-alert-policies) - Microsoft Defender for Office 365 alerts is now integrated into Microsoft 365 Defender - [Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue](../defender/investigate-alerts.md) - [User Tags](user-tags-about.md) are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies. - Tags are also available in the unified alerts queue in the Microsoft 365 Defender portal (Microsoft Defender for Office 365 Plan 2) diff --git a/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md b/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md index 3ab39cc25a4..aee615891e1 100644 --- a/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md +++ b/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md 
@@ -61,7 +61,7 @@ You need to search the **audit log** to find signs, also called Indicators of Co > > It can take from 30 minutes up to 24 hours for the corresponding audit log entry to be displayed in the search results after an event occurs. > -> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see [Audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md). +> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see [Audit log](/purview/audit-log-search). > > If this value is true, it indicates that someone with Global Administrator access may have granted broad access to data. If this is unexpected, take steps to [confirm an attack](#how-to-confirm-an-attack). 
@@ -132,10 +132,10 @@ The script produces one file named Permissions.csv. Follow these steps to look f ## Determine the scope of the attack -After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](../../compliance/search-the-audit-log-in-security-and-compliance.md). +After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](/purview/audit-log-search). > [!IMPORTANT] -> [Mailbox auditing](../../compliance/audit-mailboxes.md) and [Activity auditing for admins and users](../../compliance/audit-log-enable-disable.md) must have been enabled prior to the attack for you to get this information. +> [Mailbox auditing](/purview/audit-mailboxes) and [Activity auditing for admins and users](/purview/audit-log-enable-disable) must have been enabled prior to the attack for you to get this information. ## How to stop and remediate an illicit consent grant attack diff --git a/microsoft-365/security/office-365-security/eop-about.md b/microsoft-365/security/office-365-security/eop-about.md index 414d594ca1a..ef096b2b118 100644 --- a/microsoft-365/security/office-365-security/eop-about.md +++ b/microsoft-365/security/office-365-security/eop-about.md 
@@ -110,7 +110,7 @@ For information about requirements, important limits, and feature availability a |Mail flow reports|[Mail flow reports in the Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)| |Mail flow insights|[Mail flow insights in the Exchange admin center](/exchange/monitoring/mail-flow-insights/mail-flow-insights)| |Auditing reports|[Auditing reports in the Exchange admin center](/exchange/security-and-compliance/exchange-auditing-reports/exchange-auditing-reports)| -|Alert policies|[Alert policies](../../compliance/alert-policies.md)| +|Alert policies|[Alert policies](/purview/alert-policies)| |**Service Level Agreements (SLAs) and support**|| |Spam effectiveness SLA|\> 99%| |False positive ratio SLA|\< 1:250,000| @@ -120,5 +120,5 @@ For information about requirements, important limits, and feature availability a |**Other features**|| |A geo-redundant global network of servers|EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the [EOP datacenters](#eop-datacenters) section earlier in this article.| |Message queuing when the on-premises server can't accept mail|Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see [EOP queued, deferred, and bounced messages FAQ](mail-flow-delivery-faq.yml).| -|Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](../../compliance/encryption.md).| +|Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](/purview/encryption).| ||| diff --git a/microsoft-365/security/office-365-security/identity-access-prerequisites.md b/microsoft-365/security/office-365-security/identity-access-prerequisites.md index d60206db688..02eb508509d 100644 
--- a/microsoft-365/security/office-365-security/identity-access-prerequisites.md +++ b/microsoft-365/security/office-365-security/identity-access-prerequisites.md @@ -115,7 +115,7 @@ For editions of Microsoft 365 or Office 365 that do not support Conditional Acce Here are some additional recommendations: - Use [Azure AD Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-getting-started) to reduce the number of persistent administrative accounts. -- [Use privileged access management](../../compliance/privileged-access-management-overview.md) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. +- [Use privileged access management](/purview/privileged-access-management) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. - Create and use separate accounts that are assigned [Microsoft 365 administrator roles](../../admin/add-users/about-admin-roles.md) *only for administration*. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function. - Follow [best practices](/azure/active-directory/roles/best-practices) for securing privileged accounts in Azure AD. diff --git a/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md b/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md index 4e479bc68a2..12ed0a5d104 100644 --- a/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md +++ b/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md 
@@ -43,7 +43,7 @@ Make sure that the following requirements are met: - Your organization has [Microsoft Defender for Office 365](defender-for-office-365.md) and [licenses are assigned to users](../../admin/manage/assign-licenses-to-users.md). -- [Audit logging](../../compliance/audit-log-enable-disable.md) is turned on for your organization (it's on by default). +- [Audit logging](/purview/audit-log-enable-disable) is turned on for your organization (it's on by default). - Your organization has policies defined for anti-spam, anti-malware, anti-phishing, and so on. See [Protect against threats in Office 365](protect-against-threats.md). diff --git a/microsoft-365/security/office-365-security/mdo-portal-permissions.md b/microsoft-365/security/office-365-security/mdo-portal-permissions.md index 47de2b00215..700a2728042 100644 --- a/microsoft-365/security/office-365-security/mdo-portal-permissions.md +++ b/microsoft-365/security/office-365-security/mdo-portal-permissions.md @@ -42,7 +42,7 @@ You need to be member of the **Global Administrator** role in Azure AD or a memb > > In the Microsoft 365 Defender preview program, a different Microsoft Defender 365 RBAC model is also available. The permissions in this RBAC model are different from the Defender for Office 365 permissions as described in this article. For more information, see [Microsoft 365 Defender role-based access control (RBAC)](../defender/manage-rbac.md). > -> For information about permissions in the Microsoft Purview compliance portal, see [Permissions in the Microsoft Purview compliance portal](../../compliance/microsoft-365-compliance-center-permissions.md). +> For information about permissions in the Microsoft Purview compliance portal, see [Permissions in the Microsoft Purview compliance portal](/purview/microsoft-365-compliance-center-permissions). ## Relationship of members, roles, and role groups 
diff --git a/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md b/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md index 4b6b9172d92..cf51332ee16 100644 --- a/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md +++ b/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md @@ -45,7 +45,7 @@ For a video about this information, see . The **Incidents** page in the Microsoft 365 Defender portal at (also known as the _Incidents queue_) allows you to manage and monitor events from the following sources in Defender for Office 365: -- [Alerts](../../compliance/alert-policies.md#default-alert-policies). +- [Alerts](/purview/alert-policies#default-alert-policies). - [Automated investigation and response (AIR)](air-about-office.md). For more information about the Incidents queue, see [Prioritize incidents in Microsoft 365 Defender](../defender/incident-queue.md). diff --git a/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md b/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md index 7543c84387b..99d76165f1c 100644 --- a/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md +++ b/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md 
@@ -28,7 +28,7 @@ appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -An [incident](/microsoft-365/security/defender/incidents-overview) in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/microsoft-365/compliance/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft 365 Defender at . We refer to this page as the _Incidents queue_. +An [incident](/microsoft-365/security/defender/incidents-overview) in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft 365 Defender at . We refer to this page as the _Incidents queue_. Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources. Some built-in alerts automatically trigger AIR playbooks. These playbooks do a series of investigation steps to look for other impacted entities or suspicious activity. diff --git a/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md b/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md index 1f9a27059e4..a17f0bf162c 100644 --- a/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md 
+++ b/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md @@ -55,7 +55,7 @@ If your organization has a security response team, now is the time to begin inte - Admin management of quarantined messages is important. For instructions, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md). - Message trace allows you to see what happened to messages as they enter or leave Microsoft 365. For more information, see [Message trace in the modern Exchange admin center in Exchange Online](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac). - Identify risks that may have been let into the organization. -- Tune and customize [alerts](../../compliance/alert-policies.md) for organizational processes. +- Tune and customize [alerts](/purview/alert-policies) for organizational processes. - Manage the incident queue and remediate potential risks. If your organization has purchased Microsoft Defender for Office 365 Plan 2, they should begin familiarizing themselves with and using features such as Threat Explorer, Advanced Hunting, and Incidents. For relevant trainings, see . diff --git a/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md b/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md index b0c4b77fa06..71a82a6591d 100644 --- a/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md +++ b/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md 
@@ -32,7 +32,7 @@ appliesto: In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, outbound email messages that are sent through EOP are automatically checked for spam and unusual sending activity. -Outbound spam from a user in your organization typically indicates a compromised account. Suspicious outbound messages are marked as spam (regardless of the spam confidence level or SCL) and are routed through the [high-risk delivery pool](outbound-spam-high-risk-delivery-pool-about.md) to help protect the reputation of the service (that is, to keep Microsoft 365 source email servers off of IP block lists). Admins are automatically notified of suspicious outbound email activity and blocked users via [alert policies](../../compliance/alert-policies.md). +Outbound spam from a user in your organization typically indicates a compromised account. Suspicious outbound messages are marked as spam (regardless of the spam confidence level or SCL) and are routed through the [high-risk delivery pool](outbound-spam-high-risk-delivery-pool-about.md) to help protect the reputation of the service (that is, to keep Microsoft 365 source email servers off of IP block lists). Admins are automatically notified of suspicious outbound email activity and blocked users via [alert policies](/purview/alert-policies). EOP uses outbound spam policies as part of your organization's overall defense against spam. For more information, see [Anti-spam protection](anti-spam-protection-about.md). 
@@ -54,7 +54,7 @@ You can configure outbound spam policies in the Microsoft 365 Defender portal or - For our recommended settings for outbound spam policies, see [EOP outbound spam policy settings](recommended-settings-for-eop-and-office365.md#eop-outbound-spam-policy-settings). -- The default [alert policies](../../compliance/alert-policies.md) named **Email sending limit exceeded**, **Suspicious email sending patterns detected**, and **User restricted from sending email** already send email notifications to members of the **TenantAdmins** (**Global admins**) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the notification options in outbound spam policies. +- The default [alert policies](/purview/alert-policies) named **Email sending limit exceeded**, **Suspicious email sending patterns detected**, and **User restricted from sending email** already send email notifications to members of the **TenantAdmins** (**Global admins**) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the notification options in outbound spam policies. ## Use the Microsoft 365 Defender portal to create outbound spam policies 
@@ -149,7 +149,7 @@ You can configure outbound spam policies in the Microsoft 365 Defender portal or > > - This setting is in the process of being deprecated from outbound spam policies. > - > - The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in the **Recipient Limits** section. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). + > - The default [alert policy](/purview/alert-policies) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in the **Recipient Limits** section. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). When you're finished on the **Protection settings** page, select **Next**. diff --git a/microsoft-365/security/office-365-security/outbound-spam-protection-about.md b/microsoft-365/security/office-365-security/outbound-spam-protection-about.md index 10c75467568..9f7077df678 100644 --- a/microsoft-365/security/office-365-security/outbound-spam-protection-about.md +++ b/microsoft-365/security/office-365-security/outbound-spam-protection-about.md 
@@ -37,7 +37,7 @@ This article describes the controls and notifications that are designed to help ## What admins can do to control outbound spam -- **Use built-in notifications**: When a user exceeds sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](outbound-spam-policies-configure.md) and is restricted from sending email, the default alert policy named **User restricted from sending email** sends email notifications to members of the **TenantAdmins** (**Global admins**) group. To configure who else receives these notifications, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). Also, the default alert policies named **Email sending limit exceeded** and **Suspicious email sending patterns detected** send email notifications to members of the **TenantAdmins** (**Global admins**) group. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +- **Use built-in notifications**: When a user exceeds sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](outbound-spam-policies-configure.md) and is restricted from sending email, the default alert policy named **User restricted from sending email** sends email notifications to members of the **TenantAdmins** (**Global admins**) group. To configure who else receives these notifications, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). 
Also, the default alert policies named **Email sending limit exceeded** and **Suspicious email sending patterns detected** send email notifications to members of the **TenantAdmins** (**Global admins**) group. For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). - **Review spam complaints from third-party email providers**: Many email services like Outlook.com, Yahoo, and AOL provide a feedback loop where we review our messages that are identified as spam by their users. To learn more about sender support for Outlook.com, go to . diff --git a/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md b/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md index 4c3b7d2565a..06cad65769e 100644 --- a/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md +++ b/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md 
@@ -95,9 +95,9 @@ After you secure and tag your priority users, you can use the available reports, |Feature|Description| |---|---| -|Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](../../compliance/alert-policies.md#view-alerts).| +|Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](/purview/alert-policies#view-alerts).| |Incidents|The user tags for all correlated alerts are visible on the **Incidents** page in the Microsoft 365 Defender portal. For more information, see [Manage incidents and alerts](mdo-sec-ops-manage-incidents-and-alerts.md).| -|Custom alert policies|You can create alert policies based on user tags in the Microsoft 365 Defender portal. For more information, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).| +|Custom alert policies|You can create alert policies based on user tags in the Microsoft 365 Defender portal. For more information, see [Alert policies in Microsoft 365](/purview/alert-policies).| |Explorer

Real-time detections|In **Explorer** (Defender for Office 365 Plan 2) or **Real-time detections** (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see [Tags in Explorer](threat-explorer-about.md#tags-in-threat-explorer).| |Email entity page|You can filter email based on applied user tags in Microsoft 365 E5 and in Defender for Office 365 Plan 1 and Plan 2. For more information, see [Email entity page](mdo-email-entity-page.md).| |Campaign Views|User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see [Campaign Views](campaigns.md).| diff --git a/microsoft-365/security/office-365-security/protect-against-threats.md b/microsoft-365/security/office-365-security/protect-against-threats.md index 331c90fbae0..45f83aff519 100644 --- a/microsoft-365/security/office-365-security/protect-against-threats.md +++ b/microsoft-365/security/office-365-security/protect-against-threats.md 
@@ -72,7 +72,7 @@ To learn more, see [Permissions in the Microsoft 365 Defender portal](mdo-portal ### Turn on audit logging for reporting and investigation -- Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To view data in threat protection reports, [email security reports](reports-email-security.md), and [Explorer](threat-explorer-about.md), audit logging must be *On*. To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +- Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To view data in threat protection reports, [email security reports](reports-email-security.md), and [Explorer](threat-explorer-about.md), audit logging must be *On*. To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). ## Part 1 - Anti-malware protection in EOP 
@@ -199,7 +199,7 @@ For more information about the recommended settings for Safe Attachments, see [S - **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**: Turn on this setting (![Toggle on.](../../media/scc-toggle-on.png)). > [!IMPORTANT] - > **Before you turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, verify that audit logging is turned in your organization** (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). + > **Before you turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, verify that audit logging is turned in your organization** (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). - **Turn on Safe Documents for Office clients**: Turn on this setting (![Toggle on.](../../media/scc-toggle-on.png)). Note that this feature is available and meaningful only with the required types of licenses. For more information, see [Safe Documents in Microsoft 365 E5](safe-documents-in-e5-plus-security-about.md). - **Allow people to click through Protected View even if Safe Documents identified the file as malicious**: Verify this setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)). @@ -295,7 +295,7 @@ To receive notification when a file in SharePoint Online or OneDrive for Busines 6. On the **Review your settings** page, review your settings, verify **Yes, turn it on right away** is selected, and then select **Finish** -To learn more about alert policies, see [Alert policies in the Microsoft Purview compliance portal](../../compliance/alert-policies.md). +To learn more about alert policies, see [Alert policies in the Microsoft Purview compliance portal](/purview/alert-policies). > [!NOTE] > When you're finished configuring, use these links to start workload investigations: 
diff --git a/microsoft-365/security/office-365-security/quarantine-policies.md b/microsoft-365/security/office-365-security/quarantine-policies.md index 1046c0548bf..e3f0e03c972 100644 --- a/microsoft-365/security/office-365-security/quarantine-policies.md +++ b/microsoft-365/security/office-365-security/quarantine-policies.md @@ -631,7 +631,7 @@ By default, the default alert policy named **User requested to release a quarant Admins can customize the email notification recipients or create a custom alert policy for more options. -For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). ## Appendix diff --git a/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md b/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md index be34d9271fa..f13b169483f 100644 --- a/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md +++ b/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md 
@@ -172,7 +172,7 @@ For more information about the default sending limits in the service, see [Sendi |**Restriction placed on users who reach the message limit** (_ActionWhenThresholdReached_)|**Restrict the user from sending mail until the following day** (`BlockUserForToday`)|**Restrict the user from sending mail** (`BlockUser`)|**Restrict the user from sending mail** (`BlockUser`)|| |**Automatic forwarding rules** (_AutoForwardingMode_)|**Automatic - System-controlled** (`Automatic`)|**Automatic - System-controlled** (`Automatic`)|**Automatic - System-controlled** (`Automatic`)| |**Send a copy of outbound messages that exceed these limits to these users and groups** (_BccSuspiciousOutboundMail_ and _BccSuspiciousOutboundAdditionalRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|We have no specific recommendation for this setting.

This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.| -|**Notify these users and groups if a sender is blocked due to sending outbound spam** (_NotifyOutboundSpam_ and _NotifyOutboundSpamRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).| +|**Notify these users and groups if a sender is blocked due to sending outbound spam** (_NotifyOutboundSpam_ and _NotifyOutboundSpamRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|The default [alert policy](/purview/alert-policies) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).| ### EOP anti-phishing policy settings 
diff --git a/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md b/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md index 7ce6bef48fd..f4a49da67e1 100644 --- a/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md +++ b/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md @@ -94,10 +94,10 @@ In the Microsoft 365 Defender portal at , go to ## Verify the alert settings for restricted users -The default alert policy named **User restricted from sending email** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +The default alert policy named **User restricted from sending email** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). > [!IMPORTANT] -> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). 1. In the Microsoft 365 Defender portal at , go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. Or, to go directly to the **Alert policy** page, use .
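Review bot: In the mdo-sec-ops-manage-incidents-and-alerts.md hunk (@@ -28,7), the rewritten link keeps the `#default-alert-policies` fragment when the target moves from `../../compliance/alert-policies.md` to `/purview/alert-policies`; heading ids are generated per page, so confirm the Purview page still exposes that anchor, otherwise the link silently lands at the top of the page. The same check applies to `#view-alerts` in the priority-accounts-security-recommendations.md hunk.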
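Review bot: In the protect-against-threats.md hunk (@@ -199,7), the `+` line still reads "verify that audit logging is turned in your organization"; since this line is already being modified, fix the missing word in the same change: "verify that audit logging is turned on in your organization".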
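Review bot: In the protect-against-threats.md hunk (@@ -295,7), the link text "Alert policies in the Microsoft Purview compliance portal" differs from the "Alert policies in Microsoft 365" wording used for the same `/purview/alert-policies` target in the quarantine-policies.md, outbound-spam-protection-about.md and removing-user-from-restricted-users-portal-after-spam.md hunks; now that every link points at one page, align the link text with that page's title so readers see consistent naming.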
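Review bot: In the removing-user-from-restricted-users-portal-after-spam.md hunk (@@ -94,10), the `+` line describing the **User restricted from sending email** alert policy says it notifies admins "when connectors are blocked from relaying email", which does not match the policy name or the section heading "Verify the alert settings for restricted users"; confirm whether this should say "when users are blocked from sending email" (the wording used for the same policy in the outbound-spam-policies-configure.md hunks). Also, the `+` line in the IMPORTANT note still reads "audit logging must to be turned on"; drop the stray "to" while the line is being touched.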