diff --git a/.github/workflows/AutoLabelAssign.yml b/.github/workflows/AutoLabelAssign.yml
new file mode 100644
index 0000000000..1a30efad7c
--- /dev/null
+++ b/.github/workflows/AutoLabelAssign.yml
@@ -0,0 +1,35 @@
+name: Assign and label PR
+
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+
+on:
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+
+jobs:
+ download-payload:
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+ label-assign:
+ name: Run assign and label
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ AutoAssignUsers: 1
+ AutoLabel: 1
+ ExcludedUserList: '["user1", "user2"]'
+ ExcludedBranchList: '["branch1", "branch2"]'
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
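Review bot: Both `uses:` lines resolve the shared workflows at `@workflows-prod`, a mutable branch ref, so whatever that branch points to at run time executes with this workflow's `pull-requests: write` token. Pinning each reference to a full commit SHA, for example `.../Shared-ExtractPayload.yml@<commit-sha>  # workflows-prod`, makes the executed code immutable and reviewable. The same applies to the `uses:` lines in AutoLabelMsftContributor.yml (which also passes `ORG_READTEAMS_TOKEN`), LiveMergeCheck.yml, PrFileCount.yml and ProtectedFiles.yml, and to `actions/upload-artifact@v4` in BackgroundTasks.yml. Separately, `ExcludedUserList` and `ExcludedBranchList` appear to still hold template placeholders (`user1`, `branch1`), so confirm the intended values.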
diff --git a/.github/workflows/AutoLabelMsftContributor.yml b/.github/workflows/AutoLabelMsftContributor.yml
new file mode 100644
index 0000000000..7058a420cf
--- /dev/null
+++ b/.github/workflows/AutoLabelMsftContributor.yml
@@ -0,0 +1,34 @@
+name: Auto label Microsoft contributors
+
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+
+on:
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+
+jobs:
+ download-payload:
+ if: github.repository_visibility == 'public'
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+ label-msft:
+ name: Label Microsoft contributors
+ if: github.repository_visibility == 'public'
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+ TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
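Review bot: Neither job checks how the triggering run ended: `types: [completed]` also fires for failed and cancelled `Background tasks` runs, and the `if:` conditions test only repository visibility. Consider `if: github.repository_visibility == 'public' && github.event.workflow_run.conclusion == 'success'` on `download-payload`, so a missing or partial artifact is never processed. AutoLabelAssign.yml has the same gap, with no `if:` at all. Because `PayloadJson` is built from pull-request metadata that the PR author controls and `label-msft` receives the organization secret `ORG_READTEAMS_TOKEN`, the called workflow (not visible in this diff) should treat the payload strictly as data.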
diff --git a/.github/workflows/BackgroundTasks.yml b/.github/workflows/BackgroundTasks.yml
new file mode 100644
index 0000000000..c0389bb252
--- /dev/null
+++ b/.github/workflows/BackgroundTasks.yml
@@ -0,0 +1,26 @@
+name: Background tasks
+
+permissions:
+ pull-requests: write
+ contents: read
+
+on:
+ pull_request_target:
+
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Save payload data
+ env:
+ PayloadJson: ${{ toJSON(github) }}
+ AccessToken: ${{ github.token }}
+ run: |
+ mkdir -p ./pr
+ echo $PayloadJson > ./pr/PayloadJson.json
+ sed -i -e "s/$AccessToken/XYZ/g" ./pr/PayloadJson.json
+ - uses: actions/upload-artifact@v4
+ with:
+ name: PayloadJson
+ path: pr/
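Review bot: `echo $PayloadJson > ./pr/PayloadJson.json` expands the variable unquoted, so the shell word-splits and glob-expands the serialized context, which includes PR title and body text chosen by the PR author; the file written can differ from the JSON that was serialized. Writing it with `printf '%s' "$PayloadJson" > ./pr/PayloadJson.json` avoids that. The `sed` substitution is then the only thing keeping `github.token` out of an artifact that is downloadable while the run is still in progress, and it uses the token as a regex pattern. Removing the field structurally, for example `jq 'del(.token)'`, or serializing only the fields the consumers need, is less fragile, provided the downstream workflows don't rely on the `XYZ` placeholder. The workflow also requests `pull-requests: write`, although its visible steps only write a file and upload it.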
diff --git a/.github/workflows/LiveMergeCheck.yml b/.github/workflows/LiveMergeCheck.yml
new file mode 100644
index 0000000000..56b79b4813
--- /dev/null
+++ b/.github/workflows/LiveMergeCheck.yml
@@ -0,0 +1,19 @@
+name: PR can merge into branch
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize, edited]
+
+jobs:
+
+ live-merge:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
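Review bot: `PayloadJson: ${{ toJSON(github) }}` hands the entire `github` context of a `pull_request_target` run to the called workflow, including the PR title, body and head ref that the PR author chooses, while the job holds `pull-requests: write` and `statuses: write`. The called workflow isn't part of this diff; if it expands `inputs.PayloadJson` inside a `run:` script instead of reading it from an environment variable, that text becomes shell input. A comment above the `with:` block such as `# PayloadJson contains PR-author-controlled fields; consumers must read it via env, never inline in run:` would record the assumption, and passing only the fields the check needs would narrow it. PrFileCount.yml and ProtectedFiles.yml pass the same input under the same trigger.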
diff --git a/.github/workflows/PrFileCount.yml b/.github/workflows/PrFileCount.yml
new file mode 100644
index 0000000000..95fcf5e1ed
--- /dev/null
+++ b/.github/workflows/PrFileCount.yml
@@ -0,0 +1,19 @@
+name: PR file count less than limit
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize, labeled, unlabeled, edited]
+
+jobs:
+
+ file-count:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ProtectedFiles.yml b/.github/workflows/ProtectedFiles.yml
new file mode 100644
index 0000000000..769cd0aa14
--- /dev/null
+++ b/.github/workflows/ProtectedFiles.yml
@@ -0,0 +1,17 @@
+name: PR has no protected files
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on: [pull_request_target]
+
+jobs:
+
+ protected-files:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md b/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
index 3873080c18..8babd207d2 100644
--- a/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
+++ b/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
@@ -9,7 +9,7 @@ ms.reviewer: mkaminska, yongrhee
manager: deniseb
ms.subservice: ngp
ms.topic: conceptual
-ms.date: 02/18/2024
+ms.date: 08/20/2024
ms.collection:
- m365-security
- tier2
@@ -54,37 +54,25 @@ Microsoft Defender Antivirus and cloud protection automatically block most new,
3. High-precision antivirus, detecting common malware through generic and heuristic techniques.
-1. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
+4. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
1. In the event Microsoft Defender Antivirus can't make a clear determination, file metadata is sent to the cloud protection service. Often within milliseconds, the cloud protection service can determine based on the metadata as to whether the file is malicious or not a threat.
- The cloud query of file metadata can be a result of behavior, mark of the web, or other characteristics where a clear verdict isn't determined.
- - A small metadata payload is sent, with the goal of reaching a verdict of malware or not a threat. The metadata doesn't include personally identifiable information (PII). Information such as filenames, are hashed.
+ - A small metadata payload is sent, with the goal of reaching a verdict of malware or not a threat. The metadata doesn't include personal data, such as personally identifiable information (PII). Information such as filenames, are hashed.
- Can be synchronous or asynchronous. For synchronous, the file won't open until the cloud renders a verdict. For asynchronous, the file opens while cloud protection performs its analysis.
- Metadata can include PE attributes, static file attributes, dynamic and contextual attributes, and more (see [Examples of metadata sent to the cloud protection service](#examples-of-metadata-sent-to-the-cloud-protection-service)).
- 1. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:
-
- 1. **Send safe samples automatically**
- - Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe.
- - If file is likely to contain PII, the user gets a request to allow file sample submission.
- - This option is the default on Windows, macOS, and Linux.
-
- 1. **Always Prompt**
- - If configured, the user is always prompted for consent before file submission
- - This setting isn't available in macOS and Linux cloud protection
-
- 3. **Send all samples automatically**
- - If configured, all samples are sent automatically
- - If you would like sample submission to include macros embedded in Word docs, you must choose "Send all samples automatically"
- - This setting isn't available on macOS cloud protection
-
- 1. **Do not send**
- - Prevents "block at first sight" based on file sample analysis
- - "Don't send" is the equivalent to the "Disabled" setting in macOS policy and "None" setting in Linux policy.
- - Metadata is sent for detections even when sample submission is disabled
-
- 1. After files are submitted to cloud protection, the submitted files can be **scanned**, **detonated**, and processed through **big data analysis** **machine-learning** models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.
+ 2. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the setting configuration for sample submission, as described in the following table:
+
+ | Setting | Description |
+ |---|---|
+ | **Send safe samples automatically** | - Safe samples are samples considered to not commonly contain PII data. Examples include `.bat`, `.scr`, `.dll`, and `.exe`. - If file is likely to contain PII, the user gets a request to allow file sample submission. - This option is the default configuration on Windows, macOS, and Linux. |
+ | **Always Prompt** | - If configured, the user is always prompted for consent before file submission - This setting isn't available in macOS and Linux cloud protection |
+ | **Send all samples automatically** | - If configured, all samples are sent automatically - If you would like sample submission to include macros embedded in Word docs, you must choose **Send all samples automatically** - This setting isn't available on macOS cloud protection |
+ | **Do not send** | - Prevents "block at first sight" based on file sample analysis - "Don't send" is the equivalent to the "Disabled" setting in macOS policy and "None" setting in Linux policy. - Metadata is sent for detections even when sample submission is disabled |
+
+ 3. After files are submitted to cloud protection, the submitted files can be **scanned**, **detonated**, and processed through **big data analysis** **machine-learning** models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.
> [!IMPORTANT]
> [Block at first sight (BAFS)](configure-block-at-first-sight-microsoft-defender-antivirus.md) provides detonation and analysis to determine whether a file or process is safe. BAFS can delay the opening of a file momentarily until a verdict is reached. If you disable sample submission, BAFS is also disabled, and file analysis is limited to metadata only. We recommend keeping sample submission and BAFS enabled. To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight)
@@ -132,7 +120,7 @@ For more information, see the following resources:
- [Azure Compliance Offerings](/azure/storage/common/storage-compliance-offerings)
- [Service Trust Portal](https://servicetrust.microsoft.com)
-- [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md#data-storage-location)
+- [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md)
## Other file sample submission scenarios
diff --git a/defender-endpoint/data-storage-privacy.md b/defender-endpoint/data-storage-privacy.md
index af004ef1f8..80863898f9 100644
--- a/defender-endpoint/data-storage-privacy.md
+++ b/defender-endpoint/data-storage-privacy.md
@@ -16,7 +16,7 @@ ms.collection:
- essentials-compliance
ms.topic: conceptual
search.appverid: met150
-ms.date: 08/12/2024
+ms.date: 08/20/2024
---
# Microsoft Defender for Endpoint data storage and privacy
@@ -37,13 +37,13 @@ This section covers some of the most frequently asked questions regarding privac
> [!NOTE]
> This article explains the data storage and privacy details related to Defender for Endpoint and Defender for Business. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576), and also [Windows privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577).
-## What data does Microsoft Defender for Endpoint collect?
+## What are we collecting?
Microsoft Defender for Endpoint collects information from your configured devices and stores it in a customer-dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (device identifiers, names, and the operating system version).
-Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
+Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
This data enables Defender for Endpoint to:
@@ -53,74 +53,31 @@ This data enables Defender for Endpoint to:
Microsoft doesn't use your data for advertising.
-## Data protection and encryption
+## Data location
-The Defender for Endpoint service utilizes state-of-the-art data protection technologies, which are based on Microsoft Azure infrastructure.
+Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, or India. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
-There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical aspects, and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Defender for Endpoint service, see [Azure encryption overview](/azure/security/security-azure-encryption-overview).
+(a) the geo-location of the tenant as identified during provisioning; or
-In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
+(b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data.
-## Data storage location
+## Data Retention
-Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, or India. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
+Data from Microsoft Defender for Endpoint is retained for 180 days, visible across the portal.
-Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
+Your data is kept and is available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft's systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
-Select **Need help?** in the Microsoft Defender portal to contact Microsoft support about provisioning Microsoft Defender XDR in a different data center location.
+In the advanced hunting investigation experience, it's accessible via a query for 30 days.
## Data sharing for Microsoft Defender for Endpoint
Microsoft Defender for Endpoint shares data, including customer data, among the following Microsoft products, also licensed by the customer.
+- Microsoft Defender XDR
+- Microsoft Defender for Cloud Apps
- Microsoft Sentinel
- Microsoft Tunnel for Mobile Application Management - Android
- Microsoft Defender for Cloud
- Microsoft Defender for Identity
- Microsoft Security Exposure Management (public preview)
-## Is my data isolated from other customer data?
-
-Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization, and the generic data that Microsoft provides.
-
-## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
-
-Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activities:
-
-- Tight access control to sensitive data
-- Combinations of controls that greatly enhance independent detection of malicious activity
-- Multiple levels of monitoring, logging, and reporting
-
-Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they're required to access a customer's account or related information in the performance of their duties.
-
-Access to data for services deployed in Microsoft Azure Government data centers is only granted to operating personnel who have been screened and approved to handle data that's subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS.
-
-## Is data shared with other customers?
-
-No. Customer data is isolated from other customers and isn't shared. However, threat intelligence on the data resulting from Microsoft processing, and which doesn't contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
-
-## How long will Microsoft store my data? What is Microsoft's data retention policy?
-
-### At service onboarding
-
-Data from Microsoft Defender for Endpoint is retained for 180 days, visible across the portal. However, in the advanced hunting investigation experience, it's accessible via a query for 30 days.
-
-### At contract termination or expiration
-
-Your data is kept and is available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft's systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
-
-### Advanced Hunting data
-
-Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data.
-
-## Can Microsoft help us maintain regulatory compliance?
-
-Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help them assess Defender for Endpoint services against their own legal and regulatory requirements. Defender for Endpoint has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional, and industry-specific certifications.
-
-By providing customers with compliant, independently verified services, Microsoft makes it easier for them to achieve compliance for the infrastructure and applications they run.
-
-For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-datastorage-belowfoldlink)
-
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/device-control-deploy-manage-intune.md b/defender-endpoint/device-control-deploy-manage-intune.md
index c76bd5ad7f..38b1f758e1 100644
--- a/defender-endpoint/device-control-deploy-manage-intune.md
+++ b/defender-endpoint/device-control-deploy-manage-intune.md
@@ -55,6 +55,7 @@ If you're using Intune to manage Defender for Endpoint settings, you can use it
- Under **Connectivity**, see [Allow USB Connection](/windows/client-management/mdm/policy-csp-Connectivity#allowusbconnection)** and [Allow Bluetooth](/windows/client-management/mdm/policy-csp-Connectivity#allowbluetooth) settings.
- Under **Bluetooth**, see a list of settings that pertain to Bluetooth connections and services. For more details, see [Policy CSP - Bluetooth](/windows/client-management/mdm/policy-csp-Bluetooth?WT.mc_id=Portal-fx).
- Under **Device Control**, you can configure custom policies with reusable settings. For more details, see [Device control overview: Rules](device-control-policies.md#rules).
+ - Under **System**, see [Allow Storage Card](/windows/client-management/mdm/policy-csp-System#allowstoragecard) settings.
6. After you have configured your settings, proceed to the **Scope tags** tab, where you can specify [scope tags](/mem/intune/fundamentals/scope-tags) for the policy.
diff --git a/defender-endpoint/mac-install-with-intune.md b/defender-endpoint/mac-install-with-intune.md
index f28c915493..baa109dd62 100644
--- a/defender-endpoint/mac-install-with-intune.md
+++ b/defender-endpoint/mac-install-with-intune.md
@@ -14,7 +14,7 @@ ms.collection:
ms.topic: conceptual
ms.subservice: macos
search.appverid: met150
-ms.date: 08/01/2024
+ms.date: 08/20/2024
---
# Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune
@@ -100,6 +100,9 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
Download [netfilter.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
+> [!IMPORTANT]
+> Only one `.mobileconfig` (plist) for Network Filter is supported. Adding multiple Network Filters leads to network connectivity issues on Mac. This issue is not specific to Defender for Endpoint on macOS.
+
To configure your network filter:
1. Under **Configuration profiles**, select **Create Profile**.
diff --git a/defender-endpoint/media/bip-notification-m365defender.png b/defender-endpoint/media/bip-notification-m365defender.png
deleted file mode 100644
index 5fbc0e1a53..0000000000
Binary files a/defender-endpoint/media/bip-notification-m365defender.png and /dev/null differ
diff --git a/defender-endpoint/media/device-control-policy-intune.png b/defender-endpoint/media/device-control-policy-intune.png
index 9f55dfa771..0d756089ec 100644
Binary files a/defender-endpoint/media/device-control-policy-intune.png and b/defender-endpoint/media/device-control-policy-intune.png differ
diff --git a/defender-endpoint/media/download-mde.png b/defender-endpoint/media/download-mde.png
deleted file mode 100644
index e57e98c4a6..0000000000
Binary files a/defender-endpoint/media/download-mde.png and /dev/null differ
diff --git a/defender-endpoint/media/event-viewer.gif b/defender-endpoint/media/event-viewer.gif
deleted file mode 100644
index 7909bfe728..0000000000
Binary files a/defender-endpoint/media/event-viewer.gif and /dev/null differ
diff --git a/defender-endpoint/media/events-create.gif b/defender-endpoint/media/events-create.gif
deleted file mode 100644
index 68f057de3a..0000000000
Binary files a/defender-endpoint/media/events-create.gif and /dev/null differ
diff --git a/defender-endpoint/media/trustca.png b/defender-endpoint/media/trustca.png
deleted file mode 100644
index f94012d361..0000000000
Binary files a/defender-endpoint/media/trustca.png and /dev/null differ
diff --git a/defender-endpoint/offboard-machines.md b/defender-endpoint/offboard-machines.md
index acf3cb547b..7b977a7b04 100644
--- a/defender-endpoint/offboard-machines.md
+++ b/defender-endpoint/offboard-machines.md
@@ -40,7 +40,7 @@ Follow the corresponding instructions depending on your preferred deployment met
The status of a device switches to [Inactive](fix-unhealthy-sensors.md#inactive-devices) seven (7) days after offboarding.
-Data, such as Timeline, Alerts, Vulnerabilities, etc., from devices that were offboarded remains in the Microsoft Defender portal until the configured [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) expires.
+Data, such as Timeline, Alerts, Vulnerabilities, etc., from devices that were offboarded remains in the Microsoft Defender portal until the configured [retention period](data-storage-privacy.md) expires.
The device's profile (without data) remains in the [Device inventory](machines-view-overview.md) for no longer than 180 days.
diff --git a/defender-for-iot/media/set-up-rbac/permissions-review.png b/defender-for-iot/media/set-up-rbac/permissions-review.png
deleted file mode 100644
index 7a5cdb3811..0000000000
Binary files a/defender-for-iot/media/set-up-rbac/permissions-review.png and /dev/null differ
diff --git a/defender-office-365/advanced-delivery-policy-configure.md b/defender-office-365/advanced-delivery-policy-configure.md
index 465474ae01..c40469317d 100644
--- a/defender-office-365/advanced-delivery-policy-configure.md
+++ b/defender-office-365/advanced-delivery-policy-configure.md
@@ -42,7 +42,7 @@ Use the _advanced delivery policy_ in EOP to prevent inbound messages _in these
- [AIR and clustering in Defender for Office 365](air-about.md) ignores these messages.
- Specifically for third-party phishing simulations:
- [Admin submission](submissions-admin.md) generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR aren't triggered. The admin submissions experience shows these messages as a simulated threat.
- - When a user reports a phishing simulation message using the [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web) or the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook), the system doesn't generate an alert, investigation, or incident. The links or files aren't detonated, but the message appears on the **User reported** tab of the **Submissions** page.
+ - When a user reports a phishing simulation message using the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook), the system doesn't generate an alert, investigation, or incident. The links or files aren't detonated, but the message appears on the **User reported** tab of the **Submissions** page.
Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as **Phishing simulation** or **SecOps mailbox** system overrides. Admins can use these values to filter and analyze messages in the following experiences:
diff --git a/defender-office-365/anti-phishing-protection-tuning.md b/defender-office-365/anti-phishing-protection-tuning.md
index c91062745d..ec1370c8ee 100644
--- a/defender-office-365/anti-phishing-protection-tuning.md
+++ b/defender-office-365/anti-phishing-protection-tuning.md
@@ -81,7 +81,7 @@ You can also use the [configuration analyzer](configuration-analyzer-for-securit
- Whenever possible, we recommend that you deliver email for your domain directly to Microsoft 365. In other words, point your Microsoft 365 domain's MX record to Microsoft 365. Exchange Online Protection (EOP) is able to provide the best protection for your cloud users when their mail is delivered directly to Microsoft 365. If you must use a third-party email hygiene system in front of EOP, use Enhanced Filtering for Connectors. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
-- Have users use the [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web) or deploy the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook) in your organization. Configure the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) to send user reported messages to a reporting mailbox, to Microsoft, or both. User reported messages are then available to admins on the **User reported** tab on the **Submissions** page at . Admin can report user reported messages or any messages to Microsoft as described in [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md). User or admin reporting of false positives or false negatives to Microsoft is important, because it helps train our detection systems.
+- Have users use the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or deploy the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook) in your organization. Configure the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) to send user reported messages to a reporting mailbox, to Microsoft, or both. User reported messages are then available to admins on the **User reported** tab on the **Submissions** page at . Admin can report user reported messages or any messages to Microsoft as described in [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md). User or admin reporting of false positives or false negatives to Microsoft is important, because it helps train our detection systems.
- Multi factor authentication (MFA) is a good way to prevent compromised accounts. You should strongly consider enabling MFA for all of your users. For a phased approach, start by enabling MFA for your most sensitive users (admins, executives, etc.) before you enable MFA for everyone. For instructions, see [Set up multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication).
diff --git a/defender-office-365/attack-simulation-training-get-started.md b/defender-office-365/attack-simulation-training-get-started.md
index 0fbe1bce1e..de8ca6773b 100644
--- a/defender-office-365/attack-simulation-training-get-started.md
+++ b/defender-office-365/attack-simulation-training-get-started.md
@@ -64,12 +64,12 @@ Watch this short video to learn more about Attack simulation training.
- There are no corresponding PowerShell cmdlets for Attack simulation training.
-- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, FRA, GBR, IND, JPN, KOR, LAM, NOR, POL, QAT, SGP, SWE, and ZAF.
+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, ESP, FRA, GBR, IND, ISR, ITA, JPN, KOR, LAM, MEX, NOR, POL, QAT, SGP, SWE, and ZAF.
> [!NOTE]
> NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry are available in these regions. We're working to enable the features and we'll notify customers as soon as reported email telemetry becomes available.
-- As of September 2023, Attack simulation training is available in Microsoft 365 GCC and GCC High environments, but certain advanced features aren't available in GCC High (for example, payload automation, recommended payloads, the predicted compromised rate). If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training as described in this article. Attack simulation training isn't yet available in DoD environments.
+- Attack simulation training is available in Microsoft 365 GCC, GCC High and DoD environments, but certain advanced features aren't available in GCC High and DoD (for example, payload automation, recommended payloads, the predicted compromised rate). If your organization has Microsoft 365 G5, Office 365 G5 or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training as described in this article.
> [!NOTE]
> Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering.
diff --git a/defender-office-365/defender-for-office-365-whats-new.md b/defender-office-365/defender-for-office-365-whats-new.md
index 6a8dd071f3..244d239d0a 100644
--- a/defender-office-365/defender-for-office-365-whats-new.md
+++ b/defender-office-365/defender-for-office-365-whats-new.md
@@ -160,7 +160,7 @@ For more information on what's new with other Microsoft Defender security produc
- The new Microsoft Defender XDR role-based access control (RBAC) model, with support for Microsoft Defender for Office, is now available in public preview. For more information, see [Microsoft Defender XDR role-based access control (RBAC)](/defender-xdr/manage-rbac).
-- [Use the built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web): Use the built-in Report button in Outlook on the web to report messages as phish, junk, and not junk.
+- [Use the built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook): Use the built-in Report button in Outlook on the web to report messages as phish, junk, and not junk.
## October 2022
diff --git a/defender-office-365/migrate-to-defender-for-office-365-setup.md b/defender-office-365/migrate-to-defender-for-office-365-setup.md
index 36744d7993..d9b24a1ab9 100644
--- a/defender-office-365/migrate-to-defender-for-office-365-setup.md
+++ b/defender-office-365/migrate-to-defender-for-office-365-setup.md
@@ -78,7 +78,7 @@ You can specify an Exchange Online mailbox to receive messages that users report
You should also confirm that all users in the pilot have a supported way to report messages that received an incorrect verdict from Defender for Office 365. These options include:
-- [The built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web)
+- [The built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook)
- [The Report Message and Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook)
- Supported third party reporting tools as described [here](submissions-user-reported-messages-custom-mailbox.md#message-submission-format-for-third-party-reporting-tools).
diff --git a/defender-office-365/reports-email-security.md b/defender-office-365/reports-email-security.md
index 789f255b06..56ffb8b818 100644
--- a/defender-office-365/reports-email-security.md
+++ b/defender-office-365/reports-email-security.md
@@ -1009,7 +1009,7 @@ The **URL protection report** is available only in Microsoft Defender for Office
> [!IMPORTANT]
> In order for the **User reported messages** report to work correctly, **audit logging must be turned on** in your Microsoft 365 organization (it's on by default). For more information, see [Turn auditing on or off](/purview/audit-log-enable-disable).
-The **User reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web) or the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook).
+The **User reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook).
On the **Email & collaboration reports** page at , find **User reported messages**, and then select **View details**. Or, to go directly to the report, use .
diff --git a/defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md b/defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md
index 7e2332ee38..5f268ad283 100644
--- a/defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md
+++ b/defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md
@@ -26,9 +26,9 @@ Depending on whether you're licensed for Defender for Office 365, you also get a
## Choose between which add-in to deploy
-- The Report Phishing add-in provides the option to report only phishing messages
-- The Report Message add-in provides the option to report junk, not junk (false positive), and phishing messages
-- The built-in Report button in Outlook on the web *[Learn More](../submissions-outlook-report-messages.md)*
+- The Report Phishing add-in provides the option to report only phishing messages.
+- The Report Message add-in provides the option to report junk, not junk (false positive), and phishing messages.
+- The built-in Report button in supported versions of Outlook. *[Learn More](../submissions-outlook-report-messages.md)*
## What you need
@@ -55,7 +55,7 @@ Depending on whether you're licensed for Defender for Office 365, you also get a
1. **Login** to the Microsoft Security portal at .
2. On the left nav, select **Settings** and choose **Email & collaboration**.
3. Select **User reported settings**.
-4. Ensure **Monitor report messages in outlook** is selected and select **use the built-in report button**.
+4. Ensure **Monitor report messages in outlook** is selected and select **Use the built-in Report button**.
5. Under **Send the reported messages to** choose **Microsoft Only** (Recommended).
## Optional steps – configure notifications
diff --git a/defender-office-365/submissions-admin.md b/defender-office-365/submissions-admin.md
index 1038b7f12c..ffc22c1fa2 100644
--- a/defender-office-365/submissions-admin.md
+++ b/defender-office-365/submissions-admin.md
@@ -846,8 +846,8 @@ For email messages, admins can see what users are reporting on the **User report
- The [user reported settings](submissions-user-reported-messages-custom-mailbox.md) are turned on.
- **Email messages**: You're using supported methods for users to report messages:
+ - The [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook).
- The [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md).
- - The [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web).
- [Supported third-party reporting tools](submissions-user-reported-messages-custom-mailbox.md#options-for-third-party-reporting-tools)
- **Teams messages**: [User reporting settings for Teams messages](submissions-teams.md#user-reporting-settings-for-teams-messages) is turned on.
diff --git a/defender-office-365/submissions-outlook-report-messages.md b/defender-office-365/submissions-outlook-report-messages.md
index b6668bcb3b..160e5756dc 100644
--- a/defender-office-365/submissions-outlook-report-messages.md
+++ b/defender-office-365/submissions-outlook-report-messages.md
@@ -11,10 +11,10 @@ ms.localizationpriority: medium
ms.collection:
- m365-security
- tier1
-description: Learn how to report phishing and suspicious emails in Outlook using the built-in Report button or the Report Message and Report Phishing add-ins.
+description: Learn how to report phishing and suspicious emails in supported versions of Outlook using the built-in Report button or the Report Message and Report Phishing add-ins.
ms.service: defender-office-365
search.appverid: met150
-ms.date: 11/9/2023
+ms.date: 08/19/2024
appliesto:
- ✅ Exchange Online Protection
- ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2
@@ -38,24 +38,30 @@ Admins configure user reported messages to go to a specified reporting mailbox,
[!INCLUDE [MDO Setup guide](../includes/mdo-setup-guide.md)]
-## Use the built-in Report button in Outlook on the web
+## Use the built-in Report button in Outlook
-- The built-in **Report** button is available in Outlook on the web *only* if user reporting is turned on *and* the built-in **Report** button in Outlook (not a non-Microsoft add-in button) are configured in the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) at :
+- The built-in **Report** button is available in the following versions of Outlook:
+ - Outlook for Microsoft 365 and Outlook 2021.
+ - The new Outlook for Windows.
+ - Outlook on the web.
- If user reporting is turned off and a non-Microsoft add-in button is selected, the **Report** button isn't available in Outlook on the web.
+ The **Report** button is available in supported versions of Outlook if both of the following conditions are true:
-- Currently, the **Report** button in Outlook on the web doesn't honor the before and after notification pop-up options in the user reported settings.
+ - User reporting is turned on.
+ - The built-in **Report** button is configured in the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) at .
-- Built-in reporting in Outlook on the web supports reporting messages from shared mailboxes or other mailboxes by a delegate.
+ If user reporting is turned off and a non-Microsoft add-in button is selected, the **Report** button isn't available in supported versions of Outlook.
+
+- The built-in **Report** button in supported versions of Outlook supports reporting messages from shared mailboxes or other mailboxes by a delegate.
- Shared mailboxes require Send As or Send On Behalf permission for the user.
- Other mailboxes require Send As or Send On Behalf permission _and_ Read and Manage permissions for the delegate.
-### Use the built-in Report button in Outlook on the web to report junk and phishing messages
+### Use the built-in Report button in Outlook to report junk and phishing messages
- Users can report a message as junk from the Inbox or any email folder other than Junk Email folder.
- Users can report a message as phishing from any email folder.
-In Outlook on the web, select one or more messages, select **Report**, and then select **Report phishing** or **Report junk** in the dropdown list.
+In a supported version of Outlook, select one or more messages, select **Report**, and then select **Report phishing** or **Report junk** in the dropdown list.
> [!div class="mx-imgBorder"]
> :::image type="content" source="media/owa-report-junk-phishing.png" alt-text="The results of selecting the Report button after selecting multiple messages in Outlook on the web." lightbox="media/owa-report-junk-phishing.png":::
@@ -65,9 +71,9 @@ Based on the [User reported settings](submissions-user-reported-messages-custom-
- **Reported as junk**: The messages are moved to the Junk Email folder.
- **Reported as phishing**: The messages are deleted.
-### Use the built-in Report button in Outlook on the web to report messages that aren't junk
+### Use the built-in Report button in Outlook to report messages that aren't junk
-In Outlook on the web, select one or more messages in the Junk Email folder, select **Report**, and then select **Not junk** in the dropdown list.
+In a supported version of Outlook, select one or more messages in the Junk Email folder, select **Report**, and then select **Not junk** in the dropdown list.
> [!div class="mx-imgBorder"]
> :::image type="content" source="media/owa-report-as-not-junk.png" alt-text="The results of selecting the Report button after selecting multiple messages in the Junk Email folder in Outlook on the web." lightbox="media/owa-report-as-not-junk.png":::
@@ -77,10 +83,9 @@ Based on the [User reported settings](submissions-user-reported-messages-custom-
## Use the Report Message and Report Phishing add-ins in Outlook
- The procedures in this section require the Microsoft Report Message or Report Phishing add-ins. For more information, see [Enable the Microsoft Report Message or the Report Phishing add-in](submissions-users-report-message-add-in-configure.md) installed.
-
- The versions of Outlook that are supported by the Report Message and Report Phishing add-ins are described [here](submissions-users-report-message-add-in-configure.md#what-do-you-need-to-know-before-you-begin).
-### Use the Report Message add-in to report junk and phishing messages in Outlook
+### Use the Report Message add-in to report junk and phishing messages
- Users can report a message as junk from the Inbox or any email folder other than the Junk Email folder.
- Users can report a message as phishing from any email folder.
@@ -105,7 +110,7 @@ Based on the [user reported settings](submissions-user-reported-messages-custom-
- **Reported as junk**: The messages are moved to the Junk Email folder.
- **Reported as phishing**: The messages are deleted.
-### Use the Report Message add-in to report messages that aren't junk in Outlook
+### Use the Report Message add-in to report messages that aren't junk
1. In Outlook, open a message in the Junk Email folder.
2. Do one of the following steps based on your **Ribbon Layout** configuration in Outlook:
diff --git a/defender-office-365/submissions-report-messages-files-to-microsoft.md b/defender-office-365/submissions-report-messages-files-to-microsoft.md
index 55e69295cd..2f6aebfa85 100644
--- a/defender-office-365/submissions-report-messages-files-to-microsoft.md
+++ b/defender-office-365/submissions-report-messages-files-to-microsoft.md
@@ -46,7 +46,7 @@ Watch this video that shows more information about the unified submissions exper
|Method|Submission type|Comments|
|---|---|---|
-|[The built-in Report button](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web)|User|Currently, this method is available only in Outlook on the web (formerly known as Outlook Web App or OWA).|
+|[The built-in Report button in supported versions of Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook)|User||
|[The Microsoft Report Message and Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook)|User|These free add-ins work in Outlook on all available platforms. For installation instructions, see [Enable the Report Message or the Report Phishing add-ins](submissions-users-report-message-add-in-configure.md).|
|[The Submissions page in the Microsoft Defender portal](submissions-admin.md)|Admin|Admins can report good (false positives) and bad (false negative) messages, email attachments, and URLs (entities) from the available tabs on the **Submissions** page.
Admins can also submit user reported messages from the **User reported** tab on the **Submissions** page to Microsoft for analysis. The **Submissions** page is available only in organizations with Exchange Online mailboxes as part of a Microsoft 365 subscription (not available in standalone EOP).|
|Report messages from quarantine|Admin and User|Admins can [submit quarantined messages to Microsoft for analysis](quarantine-admin-manage-messages-files.md#report-email-to-microsoft-for-review-from-quarantine) (false positives and false negatives).
If users are allowed to [release their own messages from quarantine](quarantine-end-user.md#release-quarantined-email), and [user reported settings](submissions-user-reported-messages-custom-mailbox.md) is configured to allow users to report quarantined messages, users can select **Report message as having no threats** (false positive) when they release a quarantined message.|
diff --git a/defender-office-365/submissions-user-reported-messages-custom-mailbox.md b/defender-office-365/submissions-user-reported-messages-custom-mailbox.md
index 983ece78bc..ba5e45d7a3 100644
--- a/defender-office-365/submissions-user-reported-messages-custom-mailbox.md
+++ b/defender-office-365/submissions-user-reported-messages-custom-mailbox.md
@@ -31,7 +31,7 @@ In Microsoft 365 organizations with Exchange Online mailboxes, you can identify
User reported settings and the reporting mailbox work with the following message reporting tools:
-- [The built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web)
+- [The built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook)
- [The Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md)
- [Supported third-party reporting tools](#options-for-third-party-reporting-tools)
@@ -85,7 +85,7 @@ On the **User reported settings** page, the available settings for reporting mes
- **Monitor reported messages in Outlook** is selected: The following configurations are supported:
- - Use the built-in **Report** button in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins in virtually all Outlook platforms to report email messages.
+ - Use the built-in **Report** button in [supported versions of Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or the Microsoft Report Message or Report Phishing add-ins in virtually all Outlook platforms to report email messages.
- Configure user reported messages to go to the reporting mailbox, to Microsoft, or both.
- Decide whether users receive default or customized pre-reporting and post-reporting pop-ups in supported version of Outlook.
- Decide whether to customize the feedback email that's sent to users after an admin reviews and marks the message on the **User submissions** tab on the **Submissions** page.
@@ -116,7 +116,7 @@ When **Monitor reported messages in Outlook** is selected and you also select **
Notification pop-ups contain default English text that's automatically localized for users based on their client language. To customize the pop-up text, you can create custom versions of the five reporting pop-ups in up to seven different languages.
> [!NOTE]
- > Customized pre-reporting and post-reporting pop-ups are shown when using the **Report** button in Outlook on the web.
+ > Customized pre-reporting and post-reporting pop-ups are shown when using the **Report** button in [supported versions of Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook).
>
> The Microsoft Report Message add-in supports only customized **Title** and **Description** values, and only for pre-reporting pop-ups (**Report phishing**, **Report junk**, and **Report not junk**).
>
@@ -167,7 +167,7 @@ When **Monitor reported messages in Outlook** is selected and you also select **
> [!NOTE]
>
- > - When you select **Use the built-in Report button in Outlook** and users report messages using the built-in **Report** button in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins in Outlook, user reported messages are available to admins on the **User reported** tab on the **Submissions** page at , regardless of the value you select for **Send the reported messages to**. For more information, see [Admin options for user reported messages](submissions-admin.md#admin-options-for-user-reported-messages).
+ > - When you select **Use the built-in Report button in Outlook** and users report messages using the built-in **Report** button in [supported versions of Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or the Microsoft Report Message or Report Phishing add-ins in virtually all versions of Outlook, user reported messages are available to admins on the **User reported** tab on the **Submissions** page at , regardless of the value you select for **Send the reported messages to**. For more information, see [Admin options for user reported messages](submissions-admin.md#admin-options-for-user-reported-messages).
>
> - In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), the only available value for **Send the reported messages to** is **My reporting mailbox only**. The other two options are unavailable for compliance reasons (data isn't allowed to leave the organization boundary).
@@ -416,7 +416,7 @@ Other settings:
- For the number of language codes that you specify, you need to provide the same number of blank values for **all** of the _MultiLanguage\*SubmitMessage\*_ parameters that you aren't using. For example, if you're using three languages, but you aren't using the _MultiLanguagePostSubmitMessageButtonTextForJunk_ and _MultiLanguagePostSubmitMessageButtonLinkForJunk_ parameters, you need to use the value `"","",""` for those parameters. You might need to add these blank values for up to 18 of the _MultiLanguage\*SubmitMessage\*_ parameters.
> [!NOTE]
- > Customized pre-reporting and post-reporting pop-ups are shown when using the **Report** button in Outlook on the web.
+ > Customized pre-reporting and post-reporting pop-ups are shown when using the **Report** button in [supported versions of Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook).
>
> The Microsoft Report Message add-in supports only customized **Title** and **Description** values, and only for pre-reporting pop-ups (**Report phishing**, **Report junk**, and **Report not junk**).
>
@@ -540,7 +540,7 @@ New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPoli
Turning off reporting in Outlook has the following consequences:
-- The **Report** button in Outlook on the web and the Microsoft Report Message and Report Phishing add-ins are unavailable in all Outlook platforms.
+- The built-in **Report** button and the Microsoft Report Message and Report Phishing add-ins are unavailable in all Outlook platforms.
- Third-party reporting tools still work, but reported messages don't appear on the **User reported** tab on the **Submissions** page in the Defender portal.
- **Allow reporting for quarantined messages** (_DisableQuarantineReportingOption_) is unaffected, and can be enabled or disabled when reporting in Outlook is turned off.
@@ -587,7 +587,7 @@ The following examples show how to change the user reporting experience without
New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
```
-- Turn on reporting in Outlook if necessary, select **Use the built-in Report button in Outlook**, and change **Send reported messages to** to **My reporting mailbox only** with userreportedmessages@fabrikam.com as the reporting mailbox:
+- Turn on reporting in Outlook if necessary, select **Use the built-in Report button in Outlook**, and change **Send reported messages to** to **My reporting mailbox only** with `userreportedmessages@fabrikam.com` as the reporting mailbox:
```powershell
$usersub = "userreportedmessages@fabrikam.com"
diff --git a/defender-office-365/submissions-users-report-message-add-in-configure.md b/defender-office-365/submissions-users-report-message-add-in-configure.md
index 53a24942a2..34c919517f 100644
--- a/defender-office-365/submissions-users-report-message-add-in-configure.md
+++ b/defender-office-365/submissions-users-report-message-add-in-configure.md
@@ -32,7 +32,7 @@ appliesto:
> [!NOTE]
> If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](submissions-admin.md).
-The Microsoft Report Message and Report Phishing add-ins for Outlook and Outlook on the web (formerly known as Outlook Web App or OWA) makes it easy for users to report false positives and false negatives to Microsoft for analysis. False positives are good email that was blocked or sent to the Junk Email folder. False negatives are unwanted email or phishing that was delivered to the Inbox.
+The Microsoft Report Message and Report Phishing add-ins for Outlook and inbuild report button on Outlook on the web (formerly known as Outlook Web App or OWA), new Outlook for Windows, legacy Outlook for Windows makes it easy for users to report false positives and false negatives to Microsoft for analysis. False positives are good email that was blocked or sent to the Junk Email folder. False negatives are unwanted email or phishing that was delivered to the Inbox.
Microsoft uses these user-reported messages to improve the effectiveness of email protection technologies. For example, suppose that people are reporting many messages using the Report Phishing add-in. This information surfaces in the Security Dashboard and other reports. Your organization's security team can use this information as an indication that anti-phishing policies might need to be updated.
diff --git a/defender-vulnerability-management/defender-vulnerability-management-capabilities.md b/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
index c6dfc6fdc3..bc8fa609da 100644
--- a/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
+++ b/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
@@ -13,7 +13,7 @@ f1.keywords: NOCSH
ms.collection:
- m365-security
- Tier1
-ms.date: 04/02/2024
+ms.date: 08/14/2024
---
# Compare Microsoft Defender Vulnerability Management plans and capabilities
@@ -30,17 +30,17 @@ This article helps clarify the Defender Vulnerability Management capabilities in
- [Microsoft Defender Vulnerability Management](defender-vulnerability-management.md)
- [Microsoft Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+> [!NOTE]
+> Microsoft Defender Vulnerability Management isn't currently available to Microsoft Defender for Business customers.
+
## Start a trial
+> [!NOTE]
+> The Microsoft Defender Vulnerability Management trial isn't currently available to US Government customers using GCC High, and DoD. For more information on purchase options available, see [Microsoft Defender Vulnerability Management](https://www.microsoft.com/security/business/threat-protection/microsoft-defender-vulnerability-management-pricing?msockid=17c438e9b0b8628c22d52cd3b1c763eb).
+
- If you already have Defender for Endpoint Plan 2 [Try Defender Vulnerability Management Add-on trial for Defender for Endpoint Plan 2 customers](get-defender-vulnerability-management.md#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).
- For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers the **Microsoft Defender Vulnerability Management Standalone is now generally available**. To try it, go to [Try Defender Vulnerability Management Standalone](get-defender-vulnerability-management.md#try-defender-vulnerability-management-standalone).
-> [!NOTE]
-> Trial offerings for Microsoft Defender Vulnerability Management aren't currently available to:
->
-> - US Government customers using GCC High, and DoD
-> - Microsoft Defender for Business customers
-
## Vulnerability Management capabilities for endpoints
The table below shows the availability of Defender Vulnerability Management capabilities for endpoints:
diff --git a/defender-vulnerability-management/get-defender-vulnerability-management.md b/defender-vulnerability-management/get-defender-vulnerability-management.md
index 96e4c03398..b4e17e2adf 100644
--- a/defender-vulnerability-management/get-defender-vulnerability-management.md
+++ b/defender-vulnerability-management/get-defender-vulnerability-management.md
@@ -14,18 +14,22 @@ ms.collection:
- m365-security
- tier1
- essentials-get-started
-ms.date: 08/01/2023
+ms.date: 08/14/2023
---
# Sign up for Microsoft Defender Vulnerability Management
-Microsoft Defender Vulnerability Management is available as a standalone and as an add-on for Microsoft Defender for Endpoint Plan 2 customers.
+> [!NOTE]
+> Microsoft Defender Vulnerability Management isn't currently available to Microsoft Defender for Business customers.
+
+## Starting a trial
> [!NOTE]
-> The trial offering for Microsoft Defender Vulnerability Management isn't currently available to:
->
-> - US Government customers using GCC High, and DoD
-> - Microsoft Defender for Business customers
+> The Microsoft Defender Vulnerability Management trial isn't currently available to US Government customers using GCC High, and DoD.
+>
+> For more information on purchase options available, see [Microsoft Defender Vulnerability Management](https://www.microsoft.com/security/business/threat-protection/microsoft-defender-vulnerability-management-pricing?msockid=17c438e9b0b8628c22d52cd3b1c763eb).
+
+Microsoft Defender Vulnerability Management is available as a standalone and as an add-on for Microsoft Defender for Endpoint Plan 2 customers.
- If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer sign up to try the [Defender Vulnerability Management Standalone Trial](#try-defender-vulnerability-management-standalone)
- If you already have Defender for Endpoint Plan 2, sign up to try the [Defender Vulnerability Management Add-on Trial](#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers)
@@ -33,6 +37,7 @@ Microsoft Defender Vulnerability Management is available as a standalone and as
> [!NOTE]
> Trials will be available to customers using the New Commerce Experience (NCE) for a 30 day period. After the 30 day period customers will be able to purchase Microsoft Defender Vulnerability Management through NCE.
+
## Required roles for starting the trial
As a Global Administrator, you can start the trial or you can allow to users start the trial on behalf of your organization by enabling this option:
diff --git a/defender-vulnerability-management/media/tvm-internetfacing-weaknesses.jpg b/defender-vulnerability-management/media/tvm-internetfacing-weaknesses.jpg
deleted file mode 100644
index f1cc2711d3..0000000000
Binary files a/defender-vulnerability-management/media/tvm-internetfacing-weaknesses.jpg and /dev/null differ
diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
index 974bd68996..92de7abacd 100644
--- a/defender-xdr/TOC.yml
+++ b/defender-xdr/TOC.yml
@@ -478,12 +478,14 @@
items:
- name: SOC optimization overview
display name: SOC optimization
- href: https://aka.ms/soc-opt-from-defender
+ href: /azure/sentinel/soc-optimization/soc-optimization-access?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
+ - name: Use SOC optimizations programmatically
+ href: /azure/sentinel/soc-optimization/soc-optimization-api?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
- name: SOC optimization reference
- href: https://aka.ms/soc-opt-ref
+ href: /azure/sentinel/soc-optimization/soc-optimization-reference?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
- name: Manage multitenant environments
items:
- - name: Multitenant management in Microsoft Defender XDR
+ - name: Overview
href: mto-overview.md
- name: Set up multitenant management
href: mto-requirements.md
diff --git a/defender-xdr/media/eval-defender-xdr/defender-endpoint-pilot-deploy-steps.svg b/defender-xdr/media/eval-defender-xdr/defender-endpoint-pilot-deploy-steps.svg
deleted file mode 100644
index c886a4fd6d..0000000000
--- a/defender-xdr/media/eval-defender-xdr/defender-endpoint-pilot-deploy-steps.svg
+++ /dev/null
@@ -1,204 +0,0 @@
-
-
-
-
diff --git a/defender-xdr/microsoft-threat-actor-naming.md b/defender-xdr/microsoft-threat-actor-naming.md
index 528a0d82cb..424b05eb30 100644
--- a/defender-xdr/microsoft-threat-actor-naming.md
+++ b/defender-xdr/microsoft-threat-actor-naming.md
@@ -6,8 +6,8 @@ ms.service: defender-xdr
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: vpattnaik
-author: diannegali
+ms.author: diannegali
+author: vpattnaik
manager: dansimp
audience: ITPro
ms.collection:
@@ -15,7 +15,7 @@ ms.collection:
- tier2
ms.topic: conceptual
search.appverid: met150
-ms.date: 06/12/2024
+ms.date: 08/19/2024
---
# How Microsoft names threat actors
@@ -54,6 +54,7 @@ Use the following reference table to understand how our previously publicly disc
|Threat actor name|Previous name|Origin/Threat|Other names|
|:---:|:---:|:---:|:---:|
+|Antique Typhoon|Storm-0558|China||
|Aqua Blizzard|ACTINIUM|Russia|UNC530, Primitive Bear, Gamaredon|
|Blue Tsunami||Private sector offensive actor|Black Cube|
|Brass Typhoon|BARIUM|China|APT41|
@@ -97,7 +98,7 @@ Use the following reference table to understand how our previously publicly disc
|Night Tsunami|DEV-0336|Private sector offensive actor|NSO Group|
|Nylon Typhoon|NICKEL|China|ke3chang, APT15, Vixen Panda|
|Octo Tempest|Storm-0875|Financially motivated|0ktapus, Scattered Spider, UNC3944|
-|Onyx Sleet|PLUTONIUM|North Korea|Silent Chollima, Andariel, DarkSeoul|
+|Onyx Sleet|PLUTONIUM|North Korea|APT45, Silent Chollima, Andariel, DarkSeoul|
|Opal Sleet|OSMIUM|North Korea|Konni|
|Peach Sandstorm|HOLMIUM|Iran|APT33, Refined Kitten|
|Pearl Sleet|DEV-0215 (LAWRENCIUM)|North Korea||
@@ -110,13 +111,15 @@ Use the following reference table to understand how our previously publicly disc
|Purple Typhoon|POTASSIUM|China|APT10, Cloudhopper, MenuPass|
|Raspberry Typhoon|RADIUM|China|APT30, LotusBlossom|
|Ruby Sleet|CERIUM|North Korea||
+|Ruza Flood|Storm-1099|Russia, Influence operations||
|Salmon Typhoon|SODIUM|China|APT4, Maverick Panda|
|Sangria Tempest|ELBRUS|Financially motivated|Carbon Spider, FIN7|
|Sapphire Sleet|COPERNICIUM|North Korea|Genie Spider, BlueNoroff|
|Seashell Blizzard|IRIDIUM|Russia|APT44, Sandworm|
|Secret Blizzard|KRYPTON|Russia|Venomous Bear, Turla, Snake|
+|Sefid Flood|Storm-1364|Iran, Influence operations||
|Silk Typhoon|HAFNIUM|China||
-|Smoke Sandstorm|BOHRIUM|Iran||
+|Smoke Sandstorm|BOHRIUM|Iran|UNC1549|
|Spandex Tempest|CHIMBORAZO|Financially motivated|TA505|
|Star Blizzard|SEABORGIUM|Russia|Callisto, Reuse Team|
|Storm-0062||China|DarkShadow, Oro0lxy|
@@ -125,9 +128,10 @@ Use the following reference table to understand how our previously publicly disc
|Storm-0257||Group in development|UNC1151|
|Storm-0324||Financially motivated|TA543, Sagrid|
|Storm-0381||Financially motivated||
+|Storm-0501||Group in development||
+|Storm-0506||Group in development||
|Storm-0530||North Korea|H0lyGh0st|
|Storm-0539||Financially motivated|Atlas Lion|
-|Storm-0558||China||
|Storm-0569||Financially motivated||
|Storm-0587||Russia|SaintBot, Saint Bear, TA471|
|Storm-0744||Financially motivated||
@@ -135,13 +139,13 @@ Use the following reference table to understand how our previously publicly disc
|Storm-0829||Group in development|Nwgen Team|
|Storm-0835||Group in development|EvilProxy|
|Storm-0842||Iran||
+|Storm-0844||Group in development||
|Storm-0861||Iran||
|Storm-0867||Egypt|Caffeine|
|Storm-0971||Financially motivated|(Merged into Octo Tempest)|
|Storm-0978||Group in development|RomCom, Underground Team|
|Storm-1044||Financially motivated|Danabot|
|Storm-1084||Iran|DarkBit|
-|Storm-1099||Russia||
|Storm-1101||Group in development|NakedPages|
|Storm-1113||Financially motivated||
|Storm-1133||Palestinian Authority||
@@ -151,17 +155,22 @@ Use the following reference table to understand how our previously publicly disc
|Storm-1283||Group in development||
|Storm-1286||Group in development||
|Storm-1295||Group in development|Greatness|
-|Storm-1364||Iran||
-|Storm-1376||China, Influence operations||
|Storm-1516||Russia, Influence operations||
|Storm-1567||Financially motivated|Akira|
|Storm-1575||Group in development|Dadsec|
+|Storm-1660||Iran, Influence operations||
|Storm-1674||Financially motivated||
|Storm-1679||Russia, Influence operations||
+|Storm-1804||Iran, Influence operations||
+|Storm-1805||Iran, Influence operations||
|Storm-1811||Financially motivated||
+|Storm-1841||Russia, Influence operations||
|Storm-1849||China|UAT4356|
+|Storm-1852||Group in development||
+|Storm-2035||Iran, Influence operations||
|Strawberry Tempest||Financially motivated|LAPSUS$|
|Sunglow Blizzard||Russia||
+|Taizi Flood|Storm-1376|China, Influence operations|Spamouflage, Dragonbridge|
|Tomato Tempest|SPURR|Financially motivated|Vatet|
|Vanilla Tempest|DEV-0832|Financially motivated||
|Velvet Tempest|DEV-0504|Financially motivated||
diff --git a/defender-xdr/mto-advanced-hunting.md b/defender-xdr/mto-advanced-hunting.md
index 6497a881e5..feca96fb0f 100644
--- a/defender-xdr/mto-advanced-hunting.md
+++ b/defender-xdr/mto-advanced-hunting.md
@@ -1,6 +1,6 @@
---
-title: Advanced hunting in multi-tenant management in Microsoft Defender XDR
-description: Learn about advanced hunting in multi-tenant management in Microsoft Defender XDR
+title: Advanced hunting in Microsoft Defender multitenant management
+description: Learn about advanced hunting in Microsoft Defender multitenant management
search.appverid: met150
ms.service: defender-xdr
ms.author: siosulli
@@ -12,21 +12,21 @@ ms.collection:
- m365-security
- highpri
- tier1
+- usx-security
ms.topic: conceptual
-ms.date: 07/18/2024
+ms.date: 08/19/2024
+appliesto:
+ - Microsoft Defender XDR
+ - Microsoft Sentinel in the Microsoft Defender portal
---
-# Advanced hunting in multi-tenant management in Microsoft Defender XDR
+# Advanced hunting in Microsoft Defender multitenant management
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time.
+Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time. If you have tenants with a Microsoft Sentinel workspace onboarded to the Microsoft unified security operations platform, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants.
## Run cross-tenant queries
-In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one.
+In multitenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one.
Once you load the query in the query editor, you can then specify the scope of the query by tenant by selecting **Tenant scope**:
@@ -50,7 +50,7 @@ Likewise, you can manage custom detection rules from multiple tenants in the cus
### View custom detection rules by tenant
-1. To view custom detection rules, go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in multi-tenant management in Microsoft Defender XDR.
+1. To view custom detection rules, go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in Microsoft Defender multitenant management.
2. View the **Tenant name** column to see which tenant the detection rule comes from:
:::image type="content" source="/defender/media/defender/mto-custom-detection-tenant-name.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant custom detection page" lightbox="/defender/media/defender/mto-custom-detection-tenant-name.png":::
@@ -61,11 +61,11 @@ To read more about custom detection rules, read [Custom detections overview](cus
### Manage custom detection rules
-You can **Run**, **Turn off**, and **Delete** detection rules from multi-tenant management in Microsoft Defender XDR.
+You can **Run**, **Turn off**, and **Delete** detection rules from Microsoft Defender multitenant management.
To manage detection rules:
-1. Go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in multi-tenant management in Microsoft Defender XDR
+1. Go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in Microsoft Defender multitenant management
2. Choose the detection rule you want to manage
When you select a single detection rule, a flyout panel opens with the detection rule details:
@@ -73,3 +73,9 @@ When you select a single detection rule, a flyout panel opens with the detection
:::image type="content" source="/defender/media/defender/custom-detection-rule-details.png" alt-text="Screenshot of the Microsoft Defender XDR custom detection rule details page" lightbox="/defender/media/defender/custom-detection-rule-details.png":::
Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](./custom-detection-rules.md).
+
+## Related content
+
+- [Set up Microsoft Defender multitenant management](mto-requirements.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [View and manage incidents and alerts](mto-incidents-alerts.md)
\ No newline at end of file
diff --git a/defender-xdr/mto-incidents-alerts.md b/defender-xdr/mto-incidents-alerts.md
index d3fbf0ff9a..55d9e3d9fd 100644
--- a/defender-xdr/mto-incidents-alerts.md
+++ b/defender-xdr/mto-incidents-alerts.md
@@ -1,6 +1,6 @@
---
-title: View and manage incidents and alerts in multi-tenant management in Microsoft Defender XDR
-description: Learn about incidents and alerts in multi-tenant management in Microsoft Defender XDR
+title: View and manage incidents and alerts in Microsoft Defender multitenant management
+description: Learn about incidents and alerts in Microsoft Defender multitenant management
search.appverid: met150
ms.service: defender-xdr
ms.author: siosulli
@@ -12,29 +12,31 @@ ms.collection:
- m365-security
- highpri
- tier1
+ - usx-security
ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/19/2024
+appliesto:
+ - Microsoft Defender XDR
+ - Microsoft Sentinel in the Microsoft Defender portal
---
-# View and manage incidents and alerts
+# View and manage incidents and alerts in Microsoft Defender multitenant management
-**Applies to:**
+Multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats. Triage incidents and alerts across security information and event management (SIEM) and extended detection and response (XDR) data for tenants that onboarded a Microsoft Sentinel workspace to the unified security operations platform.
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-Multi-tenant management in Microsoft Defender XDR enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats.
-
-You can manage incidents & alerts originating from multiple tenants under **Incidents & alerts**.
+Manage incidents & alerts originating from multiple tenants under **Incidents & alerts**.
## View and investigate incidents
-1. To View or investigate an incident, go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management in Microsoft Defender XDR. The **Tenant name** column shows which tenant the incident originates from:
+To view or investigate an incident:
- :::image type="content" source="/defender/media/defender/mto-incidents.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant incidents page" lightbox="/defender/media/defender/mto-incidents.png":::
+1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in Microsoft Defender multitenant management. The **Tenant name** column shows which tenant the incident originates from:
+
+ :::image type="content" source="/defender/media/defender/mto-incidents.png" alt-text="Screenshot of the Microsoft Defender multitenant incidents page." lightbox="/defender/media/defender/mto-incidents.png":::
2. Select the incident you want to view. A flyout panel opens with the incident details page:
- :::image type="content" source="/defender/media/defender/mto-incident-details.png" alt-text="Screenshot of the Microsoft Defender XDR incidents details page" lightbox="/defender/media/defender/mto-incident-details.png":::
+ :::image type="content" source="/defender/media/defender/mto-incident-details.png" alt-text="Screenshot of the Microsoft Defender multitenant incidents details page." lightbox="/defender/media/defender/mto-incident-details.png":::
3. From the incident details page you can:
@@ -47,10 +49,10 @@ To learn more, see [Investigate incidents](/defender-endpoint/investigate-incide
To manage incidents across multiple tenants:
-1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management.
+1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in Microsoft Defender multitenant management.
2. Choose the incidents you want to manage from the incidents list and select **Manage incidents**.
- :::image type="content" source="/defender/media/defender/mto-manage-incidents.png" alt-text="Screenshot of the Microsoft Defender XDR incidents page" lightbox="/defender/media/defender/mto-manage-incidents.png":::
+ :::image type="content" source="/defender/media/defender/mto-manage-incidents.png" alt-text="Screenshot that highlights the manage incidents option on the incidents page in Microsoft Defender multitenant management." lightbox="/defender/media/defender/mto-manage-incidents.png":::
On the incidents fly-out you can assign incidents, assign incidents tags, set the incident status, and classify multiple incidents for multiple tenants simultaneously.
@@ -61,9 +63,11 @@ To learn more about incidents in the Microsoft Defender portal, see [Manage inci
## View and investigate alerts
-1. To view or investigate an alert, go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management and select the alert you want to view. A flyout panel opens with the alert details page:
+To view or investigate an alert:
+
+1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multitenant management and select the alert you want to view. A flyout panel opens with the alert details page:
- :::image type="content" source="/defender/media/defender/mto-alerts-details.png" alt-text="Screenshot of the Microsoft Defender XDR alert details page" lightbox="/defender/media/defender/mto-alerts-details.png":::
+ :::image type="content" source="/defender/media/defender/mto-alerts-details.png" alt-text="Screenshot of alert details page for an alert in Microsoft Defender multitenant management." lightbox="/defender/media/defender/mto-alerts-details.png":::
2. From the alert details page you can:
@@ -76,13 +80,20 @@ To learn more, see [Investigate alerts](/defender-endpoint/investigate-alerts).
To manage alerts across multiple tenants:
-1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management.
+1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in Microsoft Defender multitenant management.
2. Choose the alerts you want to manage from the alerts list and select **Manage alerts**.
- :::image type="content" source="/defender/media/defender/mto-manage-alerts.png" alt-text="Screenshot of the Microsoft Defender XDR alerts page" lightbox="/defender/media/defender/mto-manage-alerts.png":::
+ :::image type="content" source="/defender/media/defender/mto-manage-alerts.png" alt-text="Screenshot that highlights the manage alerts option for selected alerts in Microsoft Defender multitenant management." lightbox="/defender/media/defender/mto-manage-alerts.png":::
On the alert fly-out you can assign alerts, set the alert status, and classify the alerts for multiple tenants simultaneously.
> [!Note]
> Currently, you can only assign multiple alerts from same tenant.
To learn more about alerts in the Microsoft Defender portal, see [Manage alerts](/defender-endpoint/manage-alerts).
+
+## Related content
+
+- [Set up Microsoft Defender multitenant management](mto-requirements.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [Advanced hunting in Microsoft Defender multitenant management](mto-advanced-hunting.md)
+
diff --git a/defender-xdr/mto-overview.md b/defender-xdr/mto-overview.md
index e832b2e8a2..a656a66486 100644
--- a/defender-xdr/mto-overview.md
+++ b/defender-xdr/mto-overview.md
@@ -1,6 +1,6 @@
---
-title: Multi-tenant management in Microsoft Defender XDR
-description: Overview of multi-tenant management in Microsoft Defender XDR.
+title: Microsoft Defender multitenant management
+description: Learn about multitenant management for Microsoft Defender XDR and Microsoft Sentinel in the Microsoft unified security operations platform.
ms.service: defender-xdr
ms.author: siosulli
author: siosulli
@@ -11,41 +11,48 @@ ms.collection:
- m365-security
- highpri
- tier1
+ - usx-security
ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/19/2024
+appliesto:
+ - Microsoft Defender XDR
+ - Microsoft Sentinel in the Microsoft Defender portal
+ - Microsoft Defender for Endpoint Plan 2
+ - Microsoft Defender for Office 365 P2
---
-# Overview of multi-tenant management in Microsoft Defender XDR
+# Microsoft Defender multitenant management
-**Applies to:**
+Multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform provides your security operation teams with a single, unified view of all the tenants you manage. This view enables your teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving your security operations.
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-- [Microsoft Defender for Endpoint Plan 2](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/p/?LinkID=2158212)
+If you have tenants with a Microsoft Sentinel workspace onboarded to the unified security operations platform, you're able to:
->[!Tip]
->To learn how to turn on preview features, see [Microsoft Defender XDR preview features](preview.md).
+- Triage incidents and alerts across security information and event management (SIEM) and extended detection and response (XDR) data.
+- Proactively search for SIEM and XDR data across multiple tenants.
-Managing multi-tenant environments can add an additional layer of complexity when it comes to keeping up with the ever-evolving security threats facing your enterprise. Navigating across multiple tenants can be time consuming and reduce the overall efficiency of security operation center (SOC) teams.
+Only one Microsoft Sentinel workspace per tenant is currently supported in the unified security operations platform. So in Microsoft Defender multitenant management, you have SIEM data from one Microsoft Sentinel workspace per tenant.
-Multi-tenant management in Microsoft Defender XDR was designed to provide security operation teams with a single, unified view of all the tenants they manage. This view enables teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving their security operations.
+For more information, see:
->[!Tip]
->To learn more about multi-tenant organizations, see [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations/).
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [Multitenant organizations documentation](/azure/active-directory/multi-tenant-organizations/)
-Some of the key benefits you get with multi-tenant management in Microsoft Defender XDR include:
-- **A centralized place to manage incidents across tenants**: A unified view provides SOC analysts with all the information they need for incident investigation across multiple tenants, eliminating the need to sign in and out of each one.
+## Benefits of multitenant management
-- **Streamlined threat hunting**: Multi-tenancy support enables SOC teams use Microsoft Defender XDR advanced hunting capabilities to create KQL queries that will proactively hunt for threats across multiple tenants.
+Some of the key benefits you get with multitenant management for Defender XDR and the Microsoft unified security operations platform include:
+
+- **A centralized place to manage incidents across tenants**: A unified view provides SOC analysts with all the information they need to investigate incidents across multiple tenants, eliminating the need to sign in and out of each one.
+
+- **Streamlined threat hunting**: Multi-tenancy support enables SOC teams use Microsoft Defender XDR advanced hunting capabilities to create Kusto Query Language (KQL) queries that proactively hunt for threats across multiple tenants.
- **Multi-customer management for partners**: Managed Security Service Provider (MSSP) partners can now gain visibility into security incidents, alerts, and threat hunting across multiple customers through a single pane of glass.
-## What's included in multi-tenant management in Microsoft Defender XDR
+## What's included in multitenant management
-The following key capabilities are available for each tenant you have access to in multi-tenant management in Microsoft Defender XDR:
+The following key capabilities are available for each tenant you have access to in multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform:
| Capability | Description |
| ------ | ------ |
@@ -60,4 +67,4 @@ The following key capabilities are available for each tenant you have access to
## Next steps
-- [Set up multi-tenant management in Microsoft Defender XDR](mto-requirements.md)
+- [Set up Microsoft Defender multitenant management](mto-requirements.md)
diff --git a/defender-xdr/mto-requirements.md b/defender-xdr/mto-requirements.md
index 95a32f2910..384f743949 100644
--- a/defender-xdr/mto-requirements.md
+++ b/defender-xdr/mto-requirements.md
@@ -1,6 +1,6 @@
---
-title: Set up multitenant management in Microsoft Defender XDR
-description: Learn what steps you need to take to get started with multitenant management in Microsoft Defender XDR.
+title: Set up Microsoft Defender multitenant management
+description: Learn what steps you need to take to get started with multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform.
ms.service: defender-xdr
ms.author: siosulli
author: siosulli
@@ -11,44 +11,43 @@ ms.collection:
- m365-security
- highpri
- tier1
+ - usx-security
ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/19/2024
+appliesto:
+ - Microsoft Defender XDR
+ - Microsoft Sentinel in the Microsoft Defender portal
---
-# Set up multi-tenant management in Microsoft Defender XDR
+# Set up Microsoft Defender multitenant management
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-This article describes the steps you need to take to start using multi-tenant management in Microsoft Defender XDR.
-
->[!Note]
->In multi-tenant management, interactions between the multi-tenant user and the managed tenants could involve accessing data and managing configurations. The ability to undertake these actions is determined by the permissions a managed tenant has granted the multi-tenant user.
+This article describes the steps you need to take to start using multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform.
1. [Review the requirements](#review-the-requirements)
2. [Verify your tenant access](#verify-your-tenant-access)
-3. [Set up multi-tenant management in Microsoft Defender XDR](#set-up-multi-tenant-management)
+3. [Set up Microsoft Defender multitenant management](#set-up-multitenant-management)
>[!Note]
-> [Data privacy](data-privacy.md), [role-based access control (RBAC)](m365d-permissions.md) and [Licensing](prerequisites.md#licensing-requirements) are respected by multi-tenant management in Microsoft Defender XDR.
+>- In multi-tenant management, interactions between the multi-tenant user and the managed tenants could involve accessing data and managing configurations. The ability to undertake these actions is determined by the permissions a managed tenant has granted the multi-tenant user.
+>- [Data privacy](data-privacy.md), [role-based access control (RBAC)](m365d-permissions.md) and [Licensing](prerequisites.md#licensing-requirements) are respected by Microsoft Defender multi-tenant management.
## Review the requirements
-The following table lists the basic requirements you need to use multi-tenant management in Microsoft Defender XDR.
+The following table lists the basic requirements you need to use multitenant management for Microsoft Defender XDR and the unified security operations platform.
| Requirement | Description |
|:---|:---|
| Microsoft Defender XDR prerequisites | Verify you meet the [Microsoft Defender XDR prerequisites](prerequisites.md)|
-| Multi-tenant access | To view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary access. For each tenant you want to view and manage, you need to have either:
To learn more about how to synchronize multiple B2B users across tenants, see [Configure cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure).|
-| Permissions | Users must be assigned the correct roles and permissions at the individual tenant level, in order to view and manage the associated data in multi-tenant management. To learn more, see:
- [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](./m365d-permissions.md) - [Custom roles in role-based access control for Microsoft Defender XDR](./custom-roles.md)
To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).|
+| Multitenant access | To view and manage the data you have access to in multitenant management, you need to ensure you have the necessary access. For each tenant you want to view and manage, you need to have either:
To learn more about how to synchronize multiple B2B users across tenants, see [Configure cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure).|
+| Permissions | Users must be assigned the correct roles and permissions at the individual tenant level, in order to view and manage the associated data in multitenant management. To learn more, see:
- [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](./m365d-permissions.md) - [Custom roles in role-based access control for Microsoft Defender XDR](./custom-roles.md)
To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).|
+| Security information and event management (SIEM) data (Optional) |To include SIEM data with the extended detection and response (XDR) data, one or more tenants must include a Microsoft Sentinel workspace onboarded to the Microsoft unified security operations platform. For more information, see [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md).
Only one Microsoft Sentinel workspace per tenant is currently supported in the unified security operations platform. So in Microsoft Defender multitenant management, you have SIEM data from one Microsoft Sentinel workspace per tenant.
Access to Microsoft Sentinel data is available through [Microsoft Entra B2B authentication](/azure/active-directory/external-identities/what-is-b2b). Microsoft Sentinel doesn't support [granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) at this time. |
+
+We recommend that you set up [multifactor authentication trust](/azure/active-directory/external-identities/authentication-conditional-access) for each tenant to avoid missing data in Microsoft Defender multitenant management.
->[!Note]
-> Setting up [multi-factor authentication trust](/azure/active-directory/external-identities/authentication-conditional-access) is highly recommended for each tenant to avoid missing data in multi-tenant management Microsoft Defender XDR.
## Verify your tenant access
-In order to view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary permissions. For each tenant you want to view and manage, you need to either:
+In order to view and manage the data you have access to in Microsoft Defender multitenant management, you need to ensure you have the necessary permissions. For each tenant you want to view and manage, you need to either:
- [Verify your tenant access with Microsoft Entra B2B](#verify-your-tenant-access-with-microsoft-entra-b2b)
- [Verify your tenant access with GDAP](#verify-your-tenant-access-with-gdap)
@@ -70,30 +69,30 @@ In order to view and manage the data you have access to in multi-tenant manageme
3. Verify all the tenants you plan to manage appear in the list.
4. For each tenant, go to the [Microsoft Defender portal](https://security.microsoft.com/?tid=tenant_id) and sign in to validate you can successfully access the tenant.
-## Set up multi-tenant management
+## Set up multitenant management
-The first time you use multi-tenant management in Microsoft Defender XDR, you need setup the tenants you want to view and manage. To get started:
+The first time you use Microsoft Defender multitenant management, you need setup the tenants you want to view and manage. To get started:
-1. Sign in to [Multi-tenant management in Microsoft Defender XDR](https://mto.security.microsoft.com/)
+1. Sign in to [Microsoft Defender multitenant management](https://mto.security.microsoft.com/)
2. Select **Add tenants**.
- :::image type="content" source="/defender/media/defender/mto-add-tenants.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant portal setup screen" lightbox="/defender/media/defender/mto-add-tenants.png":::
+ :::image type="content" source="/defender/media/defender/mto-add-tenants.png" alt-text="Screenshot of the Microsoft Defender multi-tenant portal setup screen" lightbox="/defender/media/defender/mto-add-tenants.png":::
3. Choose the tenants you want to manage and select **Add**
>[!Note]
-> The multi-tenant view in Microsoft Defender XDR currently has a limit of 50 target tenants.
+> The Microsoft Defender multi-tenant view currently has a limit of 50 target tenants.
-The features available in multi-tenant management now appear on the navigation bar and you're ready to view and manage security data across all your tenants.
+The features available in multitenant management now appear on the navigation bar and you're ready to view and manage security data across all your tenants.
- :::image type="content" source="/defender/media/defender/mto-tenant-selection.png" alt-text="Screenshot of multi-tenant management in Microsoft Defender XDR" lightbox="/defender/media/defender/mto-tenant-selection.png":::
+ :::image type="content" source="/defender/media/defender/mto-tenant-selection.png" alt-text="Screenshot of Microsoft Defender multitenant management." lightbox="/defender/media/defender/mto-tenant-selection.png":::
## Next step
-Use these articles to get started with multi-tenant management in Microsoft Defender XDR:
+Use these articles to get started with Microsoft Defender multitenant management:
- [View and manage incidents and alerts](./mto-incidents-alerts.md)
- [Advanced hunting](./mto-advanced-hunting.md)
-- [Multi-tenant devices](./mto-tenant-devices.md)
+- [Multitenant devices](./mto-tenant-devices.md)
- [Vulnerability management](./mto-dashboard.md)
- [Manage tenants](./mto-tenants.md)
diff --git a/defender-xdr/mto-tenants.md b/defender-xdr/mto-tenants.md
index e818d1ab7f..cb476bf8ba 100644
--- a/defender-xdr/mto-tenants.md
+++ b/defender-xdr/mto-tenants.md
@@ -1,6 +1,6 @@
---
-title: Manage tenants with multitenant management in Microsoft Defender XDR
-description: Learn about the tenant list in multitenant management in Microsoft Defender XDR
+title: Manage tenants with Microsoft Defender multitenant management
+description: Learn about the tenant list in Microsoft Defender multitenant management
search.appverid: met150
ms.service: defender-xdr
ms.author: siosulli
@@ -12,21 +12,23 @@ ms.collection:
- m365-security
- highpri
- tier1
+ - usx-security
ms.topic: conceptual
-ms.date: 03/20/2024
+ms.date: 08/19/2024
+appliesto:
+ - Microsoft Defender XDR
+ - Microsoft Sentinel in the Microsoft Defender portal
---
-# Manage tenants
+# Manage tenants with Microsoft Defender multitenant management
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
+Add or remove tenants from the settings page in Microsoft Defender multitenant management.
## View the tenants page
-To view the list of tenants that appear in multitenant management, go to [Settings page](https://mto.security.microsoft.com/mtosettings) in multitenant management in Microsoft Defender XDR:
+To view the list of tenants that appear in multitenant management, go to [Settings page](https://mto.security.microsoft.com/mtosettings) in Microsoft Defender multitenant management:
- :::image type="content" source="/defender/media/defender/mto-tenant-settings.png" alt-text="Screenshot of multitenant management in Microsoft Defender XDR" lightbox="/defender/media/defender/mto-tenant-settings.png":::
+ :::image type="content" source="/defender/media/defender/mto-tenant-settings.png" alt-text="Screenshot of Microsoft Defender multitenant management" lightbox="/defender/media/defender/mto-tenant-settings.png":::
From the **Settings** page you can:
@@ -49,3 +51,8 @@ When an issue exists, the status indicator shows a red warning sign:
Hovering over the red warning sign displays the issues that occurred and the tenant information. By expanding each section, you see all the tenants with this issue.
- ![tenant data issues](/defender/media/defender/mto-tenantdata-issues.png)
+
+## Related content
+
+- [Microsoft Defender multitenant management](mto-overview.md)
+- [Set up Microsoft Defender multitenant management](mto-requirements.md)
diff --git a/defender-xdr/security-copilot-in-microsoft-365-defender.md b/defender-xdr/security-copilot-in-microsoft-365-defender.md
index 245560b653..091b05c74a 100644
--- a/defender-xdr/security-copilot-in-microsoft-365-defender.md
+++ b/defender-xdr/security-copilot-in-microsoft-365-defender.md
@@ -3,21 +3,21 @@ title: Microsoft Copilot in Microsoft Defender
description: Learn about Microsoft Copilot for Security capabilities embedded in Microsoft Defender.
ms.service: defender-xdr
f1.keywords:
- - NOCSH
+- NOCSH
ms.author: diannegali
author: diannegali
ms.localizationpriority: medium
manager: deniseb
audience: ITPro
ms.collection:
- - m365-security
- - tier1
- - security-copilot
+- m365-security
+- tier1
+- security-copilot
ms.topic: conceptual
search.appverid:
- - MOE150
- - MET150
-ms.date: 04/01/2024
+- MOE150
+- MET150
+ms.date: 08/20/2024
---
# Microsoft Copilot in Microsoft Defender
@@ -27,7 +27,7 @@ ms.date: 04/01/2024
**Applies to:**
- Microsoft Defender XDR
-- Microsoft Defender unified security operations center (SOC) platform
+- Microsoft Sentinel in the Microsoft Defender portal
[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot for Security is embedded in the Microsoft Defender portal to enable security teams to efficiently summarize incidents, analyze scripts and codes, analyze files, summarize device information, use guided responses to resolve incidents, generate KQL queries, and create incident reports.
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
index 6ef324073b..65fb47913f 100644
--- a/defender-xdr/whats-new.md
+++ b/defender-xdr/whats-new.md
@@ -31,6 +31,7 @@ You can also get product updates and important notifications through the [messag
## August 2024
+- (Preview) Microsoft Sentinel data is now available with Defender XDR data in Microsoft Defender multitenant management. Only one Microsoft Sentinel workspace per tenant is currently supported in the Microsoft unified security operations platform. So, Microsoft Defender multitenant management shows security information and event management (SIEM) data from one Microsoft Sentinel workspace per tenant. For more information, see [Microsoft Defender multitenant management](mto-overview.md) and [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal).
- To ensure a smooth experience while navigating the Microsoft Defender portal, configure your network firewall by adding the appropriate addresses to your allow list. For more information, see [Network firewall configuration for Microsoft Defender XDR](m365d-enable.md#configure-your-network-firewall).
## July 2024
diff --git a/defender/media/XDR/defender-app-bot.png b/defender/media/XDR/defender-app-bot.png
deleted file mode 100644
index a2e0b714c6..0000000000
Binary files a/defender/media/XDR/defender-app-bot.png and /dev/null differ
diff --git a/defender/media/advanced-hunting-take-actions-email.png b/defender/media/advanced-hunting-take-actions-email.png
deleted file mode 100644
index f191fea60b..0000000000
Binary files a/defender/media/advanced-hunting-take-actions-email.png and /dev/null differ
diff --git "a/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-\342\200\214incident-small.png" "b/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-\342\200\214incident-small.png"
deleted file mode 100644
index a6261012be..0000000000
Binary files "a/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-\342\200\214incident-small.png" and /dev/null differ
diff --git "a/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-\342\200\214incident.png" "b/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-\342\200\214incident.png"
deleted file mode 100644
index 235c52f6c2..0000000000
Binary files "a/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-\342\200\214incident.png" and /dev/null differ
diff --git a/defender/media/deception/fig2-deception.png b/defender/media/deception/fig2-deception.png
deleted file mode 100644
index 1e8cb71d4c..0000000000
Binary files a/defender/media/deception/fig2-deception.png and /dev/null differ
diff --git a/defender/media/defender-cloud-apps-m365-defender-control.png b/defender/media/defender-cloud-apps-m365-defender-control.png
deleted file mode 100644
index 63ae8e41b8..0000000000
Binary files a/defender/media/defender-cloud-apps-m365-defender-control.png and /dev/null differ
diff --git a/defender/media/defender-cloud-apps-m365-defender-discover.png b/defender/media/defender-cloud-apps-m365-defender-discover.png
deleted file mode 100644
index 79cdba08a3..0000000000
Binary files a/defender/media/defender-cloud-apps-m365-defender-discover.png and /dev/null differ
diff --git a/defender/media/defender-cloud-apps-m365-defender-investigate.png b/defender/media/defender-cloud-apps-m365-defender-investigate.png
deleted file mode 100644
index 2d1fec1645..0000000000
Binary files a/defender/media/defender-cloud-apps-m365-defender-investigate.png and /dev/null differ
diff --git a/defender/media/defender-cloud-apps-m365-defender-settings.png b/defender/media/defender-cloud-apps-m365-defender-settings.png
deleted file mode 100644
index c374170563..0000000000
Binary files a/defender/media/defender-cloud-apps-m365-defender-settings.png and /dev/null differ
diff --git a/defender/media/defender/m365-defender-eval-process.png b/defender/media/defender/m365-defender-eval-process.png
deleted file mode 100644
index 50e2ad1f06..0000000000
Binary files a/defender/media/defender/m365-defender-eval-process.png and /dev/null differ
diff --git a/defender/media/defender/mto-incident-details.png b/defender/media/defender/mto-incident-details.png
index 5710dece34..d16354daa7 100644
Binary files a/defender/media/defender/mto-incident-details.png and b/defender/media/defender/mto-incident-details.png differ
diff --git a/defender/media/defender/mto-incidents.png b/defender/media/defender/mto-incidents.png
index 120f4b6150..ef06287c9c 100644
Binary files a/defender/media/defender/mto-incidents.png and b/defender/media/defender/mto-incidents.png differ
diff --git a/defender/media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-step2.png b/defender/media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-step2.png
deleted file mode 100644
index 4bef1e889d..0000000000
Binary files a/defender/media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-step2.png and /dev/null differ
diff --git a/defender/media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-steps.png b/defender/media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-steps.png
deleted file mode 100644
index e156d0517c..0000000000
Binary files a/defender/media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-steps.png and /dev/null differ
diff --git a/defender/media/incidents-queue/resolution-note-in-log.png b/defender/media/incidents-queue/resolution-note-in-log.png
deleted file mode 100644
index 8aa684a353..0000000000
Binary files a/defender/media/incidents-queue/resolution-note-in-log.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-add-new.png b/defender/media/investigate-alerts/alert-tuning-add-new.png
deleted file mode 100644
index 6dcef66551..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-add-new.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-alert-types.png b/defender/media/investigate-alerts/alert-tuning-alert-types.png
deleted file mode 100644
index 081981624a..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-alert-types.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-any-ioc.png b/defender/media/investigate-alerts/alert-tuning-any-ioc.png
deleted file mode 100644
index 94c69b9ab0..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-any-ioc.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-auto-fill-conditions.png b/defender/media/investigate-alerts/alert-tuning-auto-fill-conditions.png
deleted file mode 100644
index 0a6e9c7226..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-auto-fill-conditions.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-choose-action2.png b/defender/media/investigate-alerts/alert-tuning-choose-action2.png
deleted file mode 100644
index 4438a2011a..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-choose-action2.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-conditions.png b/defender/media/investigate-alerts/alert-tuning-conditions.png
deleted file mode 100644
index 752ac8e7e5..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-conditions.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-scope.png b/defender/media/investigate-alerts/alert-tuning-scope.png
deleted file mode 100644
index 30e9e12671..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-scope.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-tune-pane-action.png b/defender/media/investigate-alerts/alert-tuning-tune-pane-action.png
deleted file mode 100644
index 3b06199ca7..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-tune-pane-action.png and /dev/null differ
diff --git a/defender/media/investigate-alerts/alert-tuning-tune-pane2.png b/defender/media/investigate-alerts/alert-tuning-tune-pane2.png
deleted file mode 100644
index 4a53cf1a3b..0000000000
Binary files a/defender/media/investigate-alerts/alert-tuning-tune-pane2.png and /dev/null differ
diff --git a/defender/media/mde-p1/mem-firewallpolicy.png b/defender/media/mde-p1/mem-firewallpolicy.png
deleted file mode 100644
index f872232f36..0000000000
Binary files a/defender/media/mde-p1/mem-firewallpolicy.png and /dev/null differ
diff --git a/defender/media/mtp-eval-10.png b/defender/media/mtp-eval-10.png
deleted file mode 100644
index 6af3e4c148..0000000000
Binary files a/defender/media/mtp-eval-10.png and /dev/null differ
diff --git a/defender/media/mtp-eval-11.png b/defender/media/mtp-eval-11.png
deleted file mode 100644
index 7ba5c47323..0000000000
Binary files a/defender/media/mtp-eval-11.png and /dev/null differ
diff --git a/defender/media/mtp-eval-12.png b/defender/media/mtp-eval-12.png
deleted file mode 100644
index 5adde61b5a..0000000000
Binary files a/defender/media/mtp-eval-12.png and /dev/null differ
diff --git a/defender/media/mtp-eval-13.png b/defender/media/mtp-eval-13.png
deleted file mode 100644
index 49613e2a66..0000000000
Binary files a/defender/media/mtp-eval-13.png and /dev/null differ
diff --git a/defender/media/mtp-eval-14.png b/defender/media/mtp-eval-14.png
deleted file mode 100644
index 9a52aefb43..0000000000
Binary files a/defender/media/mtp-eval-14.png and /dev/null differ
diff --git a/defender/media/mtp-eval-15.png b/defender/media/mtp-eval-15.png
deleted file mode 100644
index afba069242..0000000000
Binary files a/defender/media/mtp-eval-15.png and /dev/null differ
diff --git a/defender/media/mtp-eval-16.png b/defender/media/mtp-eval-16.png
deleted file mode 100644
index bf1d60d718..0000000000
Binary files a/defender/media/mtp-eval-16.png and /dev/null differ
diff --git a/defender/media/mtp-eval-17.png b/defender/media/mtp-eval-17.png
deleted file mode 100644
index 2b3646a999..0000000000
Binary files a/defender/media/mtp-eval-17.png and /dev/null differ
diff --git a/defender/media/mtp-eval-18.png b/defender/media/mtp-eval-18.png
deleted file mode 100644
index 86e7bdc9b1..0000000000
Binary files a/defender/media/mtp-eval-18.png and /dev/null differ
diff --git a/defender/media/mtp-eval-19.png b/defender/media/mtp-eval-19.png
deleted file mode 100644
index a7a3c60163..0000000000
Binary files a/defender/media/mtp-eval-19.png and /dev/null differ
diff --git a/defender/media/mtp-eval-20.png b/defender/media/mtp-eval-20.png
deleted file mode 100644
index 28d1ff0b2d..0000000000
Binary files a/defender/media/mtp-eval-20.png and /dev/null differ
diff --git a/defender/media/mtp-eval-21.png b/defender/media/mtp-eval-21.png
deleted file mode 100644
index 4fc31f34a1..0000000000
Binary files a/defender/media/mtp-eval-21.png and /dev/null differ
diff --git a/defender/media/mtp-eval-22.png b/defender/media/mtp-eval-22.png
deleted file mode 100644
index f96e95394a..0000000000
Binary files a/defender/media/mtp-eval-22.png and /dev/null differ
diff --git a/defender/media/mtp-eval-23.png b/defender/media/mtp-eval-23.png
deleted file mode 100644
index 069b0f899b..0000000000
Binary files a/defender/media/mtp-eval-23.png and /dev/null differ
diff --git a/defender/media/mtp-eval-24.png b/defender/media/mtp-eval-24.png
deleted file mode 100644
index 64c2a22e2a..0000000000
Binary files a/defender/media/mtp-eval-24.png and /dev/null differ
diff --git a/defender/media/mtp-eval-25.png b/defender/media/mtp-eval-25.png
deleted file mode 100644
index 390cf41e5b..0000000000
Binary files a/defender/media/mtp-eval-25.png and /dev/null differ
diff --git a/defender/media/mtp-eval-26.png b/defender/media/mtp-eval-26.png
deleted file mode 100644
index aa332a1314..0000000000
Binary files a/defender/media/mtp-eval-26.png and /dev/null differ
diff --git a/defender/media/mtp-eval-27.png b/defender/media/mtp-eval-27.png
deleted file mode 100644
index 60015764ab..0000000000
Binary files a/defender/media/mtp-eval-27.png and /dev/null differ
diff --git a/defender/media/mtp-eval-28.png b/defender/media/mtp-eval-28.png
deleted file mode 100644
index 539ca87cb9..0000000000
Binary files a/defender/media/mtp-eval-28.png and /dev/null differ
diff --git a/defender/media/mtp-eval-29.png b/defender/media/mtp-eval-29.png
deleted file mode 100644
index 7730ca59cc..0000000000
Binary files a/defender/media/mtp-eval-29.png and /dev/null differ
diff --git a/defender/media/mtp-eval-30.png b/defender/media/mtp-eval-30.png
deleted file mode 100644
index 68cdd97038..0000000000
Binary files a/defender/media/mtp-eval-30.png and /dev/null differ
diff --git a/defender/media/mtp-eval-9.png b/defender/media/mtp-eval-9.png
deleted file mode 100644
index a5a398ec44..0000000000
Binary files a/defender/media/mtp-eval-9.png and /dev/null differ
diff --git a/defender/media/threat-analytics/ta_prevented_email_attempts_mtp.png b/defender/media/threat-analytics/ta_prevented_email_attempts_mtp.png
deleted file mode 100644
index b94e166eb6..0000000000
Binary files a/defender/media/threat-analytics/ta_prevented_email_attempts_mtp.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/UsingTagsChromeHomePage.png b/defender/threat-intelligence/media/UsingTagsChromeHomePage.png
deleted file mode 100644
index 85ad38b0a9..0000000000
Binary files a/defender/threat-intelligence/media/UsingTagsChromeHomePage.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/analystInsightsEdgeScreenshot.png b/defender/threat-intelligence/media/analystInsightsEdgeScreenshot.png
deleted file mode 100644
index 9b7c8ec79f..0000000000
Binary files a/defender/threat-intelligence/media/analystInsightsEdgeScreenshot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsCertificatesObservationDates.png b/defender/threat-intelligence/media/dataSetsCertificatesObservationDates.png
deleted file mode 100644
index 3cf3c3d427..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsCertificatesObservationDates.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsCookiesDomainsIssuingSameCookie.png b/defender/threat-intelligence/media/dataSetsCookiesDomainsIssuingSameCookie.png
deleted file mode 100644
index ae37f4d0de..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsCookiesDomainsIssuingSameCookie.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsCookiesDomainsTrackingSameCookie.png b/defender/threat-intelligence/media/dataSetsCookiesDomainsTrackingSameCookie.png
deleted file mode 100644
index ba35ff5ce1..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsCookiesDomainsTrackingSameCookie.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsCookiesNumberAssociatedwithArtifact.png b/defender/threat-intelligence/media/dataSetsCookiesNumberAssociatedwithArtifact.png
deleted file mode 100644
index 3d62c67fb7..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsCookiesNumberAssociatedwithArtifact.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsDomainActiveResolutions.png b/defender/threat-intelligence/media/dataSetsDomainActiveResolutions.png
deleted file mode 100644
index 7371ac27c0..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsDomainActiveResolutions.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsDomainFirstSeen.png b/defender/threat-intelligence/media/dataSetsDomainFirstSeen.png
deleted file mode 100644
index bf62860753..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsDomainFirstSeen.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsDomainLastSeen.png b/defender/threat-intelligence/media/dataSetsDomainLastSeen.png
deleted file mode 100644
index fa21470c57..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsDomainLastSeen.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsEdgeScreenshot.png b/defender/threat-intelligence/media/dataSetsEdgeScreenshot.png
deleted file mode 100644
index dd3a95d959..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsEdgeScreenshot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsHostPairsInfringementAttack.png b/defender/threat-intelligence/media/dataSetsHostPairsInfringementAttack.png
deleted file mode 100644
index b06648bbd2..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsHostPairsInfringementAttack.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsHostPairsMaliciousRedirect.png b/defender/threat-intelligence/media/dataSetsHostPairsMaliciousRedirect.png
deleted file mode 100644
index e21d4f41ae..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsHostPairsMaliciousRedirect.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsHostPairsSkimmerReference.png b/defender/threat-intelligence/media/dataSetsHostPairsSkimmerReference.png
deleted file mode 100644
index b4d4bbe0b1..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsHostPairsSkimmerReference.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsIPASN.png b/defender/threat-intelligence/media/dataSetsIPASN.png
deleted file mode 100644
index 68b29573f4..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsIPASN.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsIPGeolocation.png b/defender/threat-intelligence/media/dataSetsIPGeolocation.png
deleted file mode 100644
index 5b640cdedd..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsIPGeolocation.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsIPOwner.png b/defender/threat-intelligence/media/dataSetsIPOwner.png
deleted file mode 100644
index fb50b7ea09..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsIPOwner.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsIPSubnet.png b/defender/threat-intelligence/media/dataSetsIPSubnet.png
deleted file mode 100644
index aa8e719025..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsIPSubnet.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsRoutableIPs.png b/defender/threat-intelligence/media/dataSetsRoutableIPs.png
deleted file mode 100644
index 16a06e6463..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsRoutableIPs.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsServicesCertificateAssociations.png b/defender/threat-intelligence/media/dataSetsServicesCertificateAssociations.png
deleted file mode 100644
index 805eda3e29..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsServicesCertificateAssociations.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsServicesPortStatuses.png b/defender/threat-intelligence/media/dataSetsServicesPortStatuses.png
deleted file mode 100644
index a696f8b57c..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsServicesPortStatuses.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsServicesVersionRunning.png b/defender/threat-intelligence/media/dataSetsServicesVersionRunning.png
deleted file mode 100644
index d4beaf9f79..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsServicesVersionRunning.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsSubdomains.png b/defender/threat-intelligence/media/dataSetsSubdomains.png
deleted file mode 100644
index 381d21cb21..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsSubdomains.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsSubdomainsMalicious.png b/defender/threat-intelligence/media/dataSetsSubdomainsMalicious.png
deleted file mode 100644
index 637ac9a5ee..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsSubdomainsMalicious.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsTrackersHtTrack.png b/defender/threat-intelligence/media/dataSetsTrackersHtTrack.png
deleted file mode 100644
index 9819b3fc55..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsTrackersHtTrack.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsTrackersJARM.png b/defender/threat-intelligence/media/dataSetsTrackersJARM.png
deleted file mode 100644
index 4ae3d24faa..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsTrackersJARM.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsTrackersLengthOfTime.png b/defender/threat-intelligence/media/dataSetsTrackersLengthOfTime.png
deleted file mode 100644
index 64f8a74974..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsTrackersLengthOfTime.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsTrackersPivotAnalyticsAccount.gif b/defender/threat-intelligence/media/dataSetsTrackersPivotAnalyticsAccount.gif
deleted file mode 100644
index 017321fd18..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsTrackersPivotAnalyticsAccount.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsTrackersTypes.png b/defender/threat-intelligence/media/dataSetsTrackersTypes.png
deleted file mode 100644
index 4e74a4c9a4..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsTrackersTypes.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisDomainAge.png b/defender/threat-intelligence/media/dataSetsWhoisDomainAge.png
deleted file mode 100644
index 6043f5463e..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisDomainAge.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisFakePrivacyEmails.png b/defender/threat-intelligence/media/dataSetsWhoisFakePrivacyEmails.png
deleted file mode 100644
index 02ec883403..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisFakePrivacyEmails.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisHistory.gif b/defender/threat-intelligence/media/dataSetsWhoisHistory.gif
deleted file mode 100644
index ba52abc6c3..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisHistory.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisHoneypotDomain.png b/defender/threat-intelligence/media/dataSetsWhoisHoneypotDomain.png
deleted file mode 100644
index 89971b95f4..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisHoneypotDomain.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisNameServers.png b/defender/threat-intelligence/media/dataSetsWhoisNameServers.png
deleted file mode 100644
index 7182bcdd54..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisNameServers.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisParkedDomain.png b/defender/threat-intelligence/media/dataSetsWhoisParkedDomain.png
deleted file mode 100644
index 9cdf5d5029..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisParkedDomain.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisPrivacyProtected.png b/defender/threat-intelligence/media/dataSetsWhoisPrivacyProtected.png
deleted file mode 100644
index 529719179a..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisPrivacyProtected.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisSharedValueSearch.gif b/defender/threat-intelligence/media/dataSetsWhoisSharedValueSearch.gif
deleted file mode 100644
index 637091f4f8..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisSharedValueSearch.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisSinkhole.png b/defender/threat-intelligence/media/dataSetsWhoisSinkhole.png
deleted file mode 100644
index d08c977cf5..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisSinkhole.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataSetsWhoisUnique.png b/defender/threat-intelligence/media/dataSetsWhoisUnique.png
deleted file mode 100644
index 215cefdd2c..0000000000
Binary files a/defender/threat-intelligence/media/dataSetsWhoisUnique.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataTabIntelligence.png b/defender/threat-intelligence/media/dataTabIntelligence.png
deleted file mode 100644
index f7042da9c4..0000000000
Binary files a/defender/threat-intelligence/media/dataTabIntelligence.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataTabIntelligenceArticles.png b/defender/threat-intelligence/media/dataTabIntelligenceArticles.png
deleted file mode 100644
index 00e684aad9..0000000000
Binary files a/defender/threat-intelligence/media/dataTabIntelligenceArticles.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataTabIntelligenceProjects.png b/defender/threat-intelligence/media/dataTabIntelligenceProjects.png
deleted file mode 100644
index f708f146bc..0000000000
Binary files a/defender/threat-intelligence/media/dataTabIntelligenceProjects.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataTabResolutions.png b/defender/threat-intelligence/media/dataTabResolutions.png
deleted file mode 100644
index 6aee02022e..0000000000
Binary files a/defender/threat-intelligence/media/dataTabResolutions.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/dataTabWHOIS.png b/defender/threat-intelligence/media/dataTabWHOIS.png
deleted file mode 100644
index 661f5c7013..0000000000
Binary files a/defender/threat-intelligence/media/dataTabWHOIS.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/filtersComponents.gif b/defender/threat-intelligence/media/filtersComponents.gif
deleted file mode 100644
index 5ee388e55b..0000000000
Binary files a/defender/threat-intelligence/media/filtersComponents.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/filtersDNS.gif b/defender/threat-intelligence/media/filtersDNS.gif
deleted file mode 100644
index 2e8741f4cf..0000000000
Binary files a/defender/threat-intelligence/media/filtersDNS.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/filtersHostPairs.gif b/defender/threat-intelligence/media/filtersHostPairs.gif
deleted file mode 100644
index 6ab16b2507..0000000000
Binary files a/defender/threat-intelligence/media/filtersHostPairs.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/filtersResolutions.gif b/defender/threat-intelligence/media/filtersResolutions.gif
deleted file mode 100644
index fc0d5f9b21..0000000000
Binary files a/defender/threat-intelligence/media/filtersResolutions.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/filtersTrackers.gif b/defender/threat-intelligence/media/filtersTrackers.gif
deleted file mode 100644
index 25faa8abb6..0000000000
Binary files a/defender/threat-intelligence/media/filtersTrackers.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/infrastructureChaining.jpg b/defender/threat-intelligence/media/infrastructureChaining.jpg
deleted file mode 100644
index 5a46ea77f0..0000000000
Binary files a/defender/threat-intelligence/media/infrastructureChaining.jpg and /dev/null differ
diff --git a/defender/threat-intelligence/media/projectsAddNewProjectDetails.png b/defender/threat-intelligence/media/projectsAddNewProjectDetails.png
deleted file mode 100644
index e80535fba6..0000000000
Binary files a/defender/threat-intelligence/media/projectsAddNewProjectDetails.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/projectsAddProject.png b/defender/threat-intelligence/media/projectsAddProject.png
deleted file mode 100644
index c6fb600c68..0000000000
Binary files a/defender/threat-intelligence/media/projectsAddProject.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/projectsDetailedProjectChromeScreenshot.png b/defender/threat-intelligence/media/projectsDetailedProjectChromeScreenshot.png
deleted file mode 100644
index 22ea23b99d..0000000000
Binary files a/defender/threat-intelligence/media/projectsDetailedProjectChromeScreenshot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/projectsHomePage.png b/defender/threat-intelligence/media/projectsHomePage.png
deleted file mode 100644
index 2a6491ca75..0000000000
Binary files a/defender/threat-intelligence/media/projectsHomePage.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/reputationEdgeScreenshot.png b/defender/threat-intelligence/media/reputationEdgeScreenshot.png
deleted file mode 100644
index 6da387c963..0000000000
Binary files a/defender/threat-intelligence/media/reputationEdgeScreenshot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchCertificateIssuerCommonName.png b/defender/threat-intelligence/media/searchCertificateIssuerCommonName.png
deleted file mode 100644
index 94d232d233..0000000000
Binary files a/defender/threat-intelligence/media/searchCertificateIssuerCommonName.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchCertificateSerialNumber.png b/defender/threat-intelligence/media/searchCertificateSerialNumber.png
deleted file mode 100644
index aebdcd7e23..0000000000
Binary files a/defender/threat-intelligence/media/searchCertificateSerialNumber.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchCertificateSha1.png b/defender/threat-intelligence/media/searchCertificateSha1.png
deleted file mode 100644
index fd9689cb48..0000000000
Binary files a/defender/threat-intelligence/media/searchCertificateSha1.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchCertificateSubjectAlternativeName.png b/defender/threat-intelligence/media/searchCertificateSubjectAlternativeName.png
deleted file mode 100644
index d0bc7efc70..0000000000
Binary files a/defender/threat-intelligence/media/searchCertificateSubjectAlternativeName.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchCertificateSubjectCommonName.png b/defender/threat-intelligence/media/searchCertificateSubjectCommonName.png
deleted file mode 100644
index cc4ae3312a..0000000000
Binary files a/defender/threat-intelligence/media/searchCertificateSubjectCommonName.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchComponent.png b/defender/threat-intelligence/media/searchComponent.png
deleted file mode 100644
index a7bea0d943..0000000000
Binary files a/defender/threat-intelligence/media/searchComponent.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchCookieDomain.png b/defender/threat-intelligence/media/searchCookieDomain.png
deleted file mode 100644
index 47a5e9d785..0000000000
Binary files a/defender/threat-intelligence/media/searchCookieDomain.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchCookieName.png b/defender/threat-intelligence/media/searchCookieName.png
deleted file mode 100644
index 7461537165..0000000000
Binary files a/defender/threat-intelligence/media/searchCookieName.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchDomain.png b/defender/threat-intelligence/media/searchDomain.png
deleted file mode 100644
index 66e9ffd96a..0000000000
Binary files a/defender/threat-intelligence/media/searchDomain.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchHomePageChromeScreenshot.png b/defender/threat-intelligence/media/searchHomePageChromeScreenshot.png
deleted file mode 100644
index 20dca987dd..0000000000
Binary files a/defender/threat-intelligence/media/searchHomePageChromeScreenshot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchHost.png b/defender/threat-intelligence/media/searchHost.png
deleted file mode 100644
index 6a6f5449ec..0000000000
Binary files a/defender/threat-intelligence/media/searchHost.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchIPKeyInsights.png b/defender/threat-intelligence/media/searchIPKeyInsights.png
deleted file mode 100644
index ed6aa21edb..0000000000
Binary files a/defender/threat-intelligence/media/searchIPKeyInsights.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchIpAddress.png b/defender/threat-intelligence/media/searchIpAddress.png
deleted file mode 100644
index 0230dd2304..0000000000
Binary files a/defender/threat-intelligence/media/searchIpAddress.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchKeyword.png b/defender/threat-intelligence/media/searchKeyword.png
deleted file mode 100644
index 690b62894a..0000000000
Binary files a/defender/threat-intelligence/media/searchKeyword.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchTag.png b/defender/threat-intelligence/media/searchTag.png
deleted file mode 100644
index f7a3df0012..0000000000
Binary files a/defender/threat-intelligence/media/searchTag.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchTiArticle.png b/defender/threat-intelligence/media/searchTiArticle.png
deleted file mode 100644
index af27b383d1..0000000000
Binary files a/defender/threat-intelligence/media/searchTiArticle.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchTrackers.png b/defender/threat-intelligence/media/searchTrackers.png
deleted file mode 100644
index 16af3353f1..0000000000
Binary files a/defender/threat-intelligence/media/searchTrackers.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisAddress.png b/defender/threat-intelligence/media/searchWhoisAddress.png
deleted file mode 100644
index 7f9c2da3c7..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisAddress.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisCity.png b/defender/threat-intelligence/media/searchWhoisCity.png
deleted file mode 100644
index b6f7db0cfc..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisCity.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisCountry.png b/defender/threat-intelligence/media/searchWhoisCountry.png
deleted file mode 100644
index d18b6c061e..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisCountry.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisEmail.png b/defender/threat-intelligence/media/searchWhoisEmail.png
deleted file mode 100644
index b0c0d27a28..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisEmail.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisHistory.png b/defender/threat-intelligence/media/searchWhoisHistory.png
deleted file mode 100644
index 2de9a757f9..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisHistory.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisName.png b/defender/threat-intelligence/media/searchWhoisName.png
deleted file mode 100644
index b17806965d..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisName.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisNameserver.png b/defender/threat-intelligence/media/searchWhoisNameserver.png
deleted file mode 100644
index 4d610e5842..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisNameserver.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisOrganization.png b/defender/threat-intelligence/media/searchWhoisOrganization.png
deleted file mode 100644
index b177bd9e1d..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisOrganization.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisPhone.png b/defender/threat-intelligence/media/searchWhoisPhone.png
deleted file mode 100644
index b3a9795e11..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisPhone.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisPostalCode.png b/defender/threat-intelligence/media/searchWhoisPostalCode.png
deleted file mode 100644
index 33776de745..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisPostalCode.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/searchWhoisState.png b/defender/threat-intelligence/media/searchWhoisState.png
deleted file mode 100644
index 9279ab77a0..0000000000
Binary files a/defender/threat-intelligence/media/searchWhoisState.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/sortingDataSetsChromeScreenshot.png b/defender/threat-intelligence/media/sortingDataSetsChromeScreenshot.png
deleted file mode 100644
index 009e659ab8..0000000000
Binary files a/defender/threat-intelligence/media/sortingDataSetsChromeScreenshot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/sortingResolutions.gif b/defender/threat-intelligence/media/sortingResolutions.gif
deleted file mode 100644
index 8c47e3239c..0000000000
Binary files a/defender/threat-intelligence/media/sortingResolutions.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/summaryTabReputation.png b/defender/threat-intelligence/media/summaryTabReputation.png
deleted file mode 100644
index 3175689354..0000000000
Binary files a/defender/threat-intelligence/media/summaryTabReputation.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tagsSearch.png b/defender/threat-intelligence/media/tagsSearch.png
deleted file mode 100644
index 97742853b6..0000000000
Binary files a/defender/threat-intelligence/media/tagsSearch.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tagsSearchAddTags.png b/defender/threat-intelligence/media/tagsSearchAddTags.png
deleted file mode 100644
index be47dc420c..0000000000
Binary files a/defender/threat-intelligence/media/tagsSearchAddTags.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tagsSearchEditTags.png b/defender/threat-intelligence/media/tagsSearchEditTags.png
deleted file mode 100644
index 489aafcb3f..0000000000
Binary files a/defender/threat-intelligence/media/tagsSearchEditTags.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tagsSearchSaveTags.png b/defender/threat-intelligence/media/tagsSearchSaveTags.png
deleted file mode 100644
index 36ae25fcc9..0000000000
Binary files a/defender/threat-intelligence/media/tagsSearchSaveTags.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tagsSearchTags.png b/defender/threat-intelligence/media/tagsSearchTags.png
deleted file mode 100644
index 053c533921..0000000000
Binary files a/defender/threat-intelligence/media/tagsSearchTags.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tagsSystem.png b/defender/threat-intelligence/media/tagsSystem.png
deleted file mode 100644
index 402c52c733..0000000000
Binary files a/defender/threat-intelligence/media/tagsSystem.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tiOverviewHomePageChromeScreenshot.png b/defender/threat-intelligence/media/tiOverviewHomePageChromeScreenshot.png
deleted file mode 100644
index 20dca987dd..0000000000
Binary files a/defender/threat-intelligence/media/tiOverviewHomePageChromeScreenshot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPillowIpSummary.png b/defender/threat-intelligence/media/tutorialInfraChainMyPillowIpSummary.png
deleted file mode 100644
index ef5381d0a5..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPillowIpSummary.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomArticle.png b/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomArticle.png
deleted file mode 100644
index ecedefd5fd..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomArticle.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomHostPairsLiveChatScriptSrc.gif b/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomHostPairsLiveChatScriptSrc.gif
deleted file mode 100644
index 38b57365b1..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomHostPairsLiveChatScriptSrc.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomReputation.png b/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomReputation.png
deleted file mode 100644
index 6a4b3e367a..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPillowcomReputation.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowIpSummary.png b/defender/threat-intelligence/media/tutorialInfraChainMyPiltowIpSummary.png
deleted file mode 100644
index cc91d8e1b0..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowIpSummary.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcom2Whois.png b/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcom2Whois.png
deleted file mode 100644
index 8c02b686ac..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcom2Whois.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcomArticles.gif b/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcomArticles.gif
deleted file mode 100644
index 45de1f34ef..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcomArticles.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcomReputation.png b/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcomReputation.png
deleted file mode 100644
index f2d0fe959a..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainMyPiltowcomReputation.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgHostPairs.png b/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgHostPairs.png
deleted file mode 100644
index 0bbbc73da2..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgHostPairs.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgIpSummary.png b/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgIpSummary.png
deleted file mode 100644
index 06ca7ed059..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgIpSummary.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgResolutions.png b/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgResolutions.png
deleted file mode 100644
index f7971b8fac..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgResolutions.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgWhois.png b/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgWhois.png
deleted file mode 100644
index d28554f8e8..0000000000
Binary files a/defender/threat-intelligence/media/tutorialInfraChainSecureLiveChatIncOrgWhois.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelArticles.png b/defender/threat-intelligence/media/tutorialVulnerabilityIntelArticles.png
deleted file mode 100644
index a7c89140a6..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelArticles.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelDomainPivot.png b/defender/threat-intelligence/media/tutorialVulnerabilityIntelDomainPivot.png
deleted file mode 100644
index c55e601edc..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelDomainPivot.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelDomainReview.gif b/defender/threat-intelligence/media/tutorialVulnerabilityIntelDomainReview.gif
deleted file mode 100644
index a975905fa0..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelDomainReview.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelFireEyeBreachArticle.png b/defender/threat-intelligence/media/tutorialVulnerabilityIntelFireEyeBreachArticle.png
deleted file mode 100644
index 6151423354..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelFireEyeBreachArticle.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelFireEyeBreachArticleIndicators.gif b/defender/threat-intelligence/media/tutorialVulnerabilityIntelFireEyeBreachArticleIndicators.gif
deleted file mode 100644
index eed15abbcb..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelFireEyeBreachArticleIndicators.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpArticle.png b/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpArticle.png
deleted file mode 100644
index 95099f5a93..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpArticle.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpReview.gif b/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpReview.gif
deleted file mode 100644
index 9c7ab9f578..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpReview.gif and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpSearch.png b/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpSearch.png
deleted file mode 100644
index afb6c6a1dc..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpSearch.png and /dev/null differ
diff --git a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpSummaryTab.png b/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpSummaryTab.png
deleted file mode 100644
index 443c936d46..0000000000
Binary files a/defender/threat-intelligence/media/tutorialVulnerabilityIntelIpSummaryTab.png and /dev/null differ