.. _ms-defender-for-office:

Microsoft Defender for Office security management and policies
---------------------------------------------------------------

.. _25.3|VOSS-1507:


:bdg-primary:`Microsoft`

Overview
..........

Automate provides support for Microsoft Defender for Office
that addresses email security threats. Supported functionality includes:

* Rapid data sync of a large volume of quarantine messages
* Hierarchy-specific data management
* Management of email quarantine messages, safe attachment policies, safe link policies
* Request staging areas for quarantine email messages and for requests to create and update policies

  Requests have a **State** that can be managed during the request cycle:
  
  * PENDING
  * REJECTED
  * APPROVED
  * COMPLETED

* Management of policy configuration templates, allowing customization  

.. note::

   * The following entry under **Global settings**, **Enabled Services** needs to be enabled:
     **Enable Defender for Office** - see: :ref:`global-settings`.
   * For further setup and configuration, see: :ref:`ms-defender-overview-sync`.


Microsoft Defender for Office dashboards
...........................................

The admin GUI provides dashboards for viewing and managing Microsoft Defender for Office data:

.. raw:: latex

   Security Management - Defender for Office Overview
   Security Management - Defender for Office Actions

.. raw:: html

   <ul>
   <li><a href="dashboard-reference/dashboard-Automate-Security-Management-Defender-for-Office-Overview.html">Security Management - Defender for Office Overview</a></li>
   <li><a href="dashboard-reference/dashboard-Automate-Security-Management-Defender-for-Office-Actions.html">Security Management - Defender for Office Actions</a></li>
   </ul>

The Microsoft Defender for Office dashboards display default counters for data totals, and quick actions 
for viewing and managing this data: 

* **Defender for Office Overview** dashboard 

  Displays counters, charts, and tables showing total count details for quarantine messages visible 
  from the admin's hierarchy. For example, the total number of quarantine messages over time, 
  and the top ten senders and recipients, as well as quarantine policy types. 
  
* **Defender for Office Actions** dashboard displays:

  * Counters with totals for quarantined and released emails, and release requests (pending and rejected 
    requests), and quick actions to view details for these emails and to request release from quarantine. 
  * Counters with totals for safe link policies, and quick actions for viewing, managing, and requesting 
    safe link policies and safe link policy requests 
  * Counters with totals for safe attachment policies, and quick actions for viewing, managing, and requesting 
    safe attachment policies
  

.. rubric:: Customizing Microsoft Defender for Office dashboards 

The system allows you to customize dashboards: 

* See: :ref:`automate-dashboards`.
* Resources are available to dashboard widgets, where **Data Source** is **Automate Analyzed**. For example: 

  * Quarantine Messages: shows diagnostic information about the Microsoft Quarantined messages,
    ``device/msexchangeonline/QuarantineMessage``
  * Quarantine Message Staging: shows diagnostic information about the Microsoft Quarantined
    Staging messages, ``data/MicrosoftDefenderQuarantineMessageStaging``



Quarantine Email Actions
........................

When a sync and overbuild runs on existing items that are in quarantine,
these items are moved to the relevant hierarchy node associated with the user.

Automate syncs a high volume of quarantine messages using the data collection capability.
The ``data/DataModel`` called "DataCollection" provides this lightweight collection of data from external sources.

Administrators can carry out a number of list and request actions:

* View Quarantined Emails and Request Release
* View Released Emails
* View Release Requests




View Quarantined Emails and Request Release
'''''''''''''''''''''''''''''''''''''''''''

A list view of quarantined email messages visible from the current hierarchy
can be inspected and instances can be selected to request the message release.

Automate provides a *staging area* for requests (maintained in the data model: ``data/MicrosoftDefenderQuarantineMessageStaging``).

|

.. image:: /src/images/ms-defender-office-view-quarantined-emails.png


An instance from this list can be selected, inspected and managed:

|

.. image:: /src/images/ms-defender-office-view-quarantined-emails-instance.png

|

For example, administrators can select a message from this list and request
the release of the quarantined email message so that it has a **State** of **PENDING**:

|

.. image:: /src/images/ms-defender-office-pending-quarantined-release-request-add-instance.png

|

Similarly, rejected requests can be managed:

|

.. image:: /src/images/ms-defender-office-rejected-quarantined-release-request-add-instance.png

|



View Released Emails
'''''''''''''''''''''

By default, a separate list view is available to inspect all messages that have been released from quarantine.


View Release Requests
'''''''''''''''''''''

After the release of quarantined messages has been requested, the requests can
be listed.

|

.. image:: /src/images/ms-defender-office-view-quarantined-release-requests.png

Release request instances can be inspected.

|

.. image:: /src/images/ms-defender-office-view-quarantined-release-request-instance.png




Safe Link Policies
....................

Manage Safe Link Policies
''''''''''''''''''''''''''

Related device model: ``device/msexchangeonline/SafeLinksPolicy``


Administrators can view and manage Safe Link policies in Automate. This includes the
creation and configuration of policies.

.. https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure


.. image:: /src/images/ms-defender-safe-link-policy.png


..
   +---------------------------------------------------------------------------+
   |Title         |Description        |Details                                 |
   |--------------+-------------------+----------------------------------------|
   |Safe Links    |Group Assigned by  |  * Field Name: Safe Links Policy       |
   |Policy        |FDP                |  * Type: Object                        |
   |--------------+-------------------+----------------------------------------|
   ||Name *       |                   |  * Field Name: Safe Links Policy.Name  |
   ||             |                   |  * Type: String                        |
   |+-------------+-------------------+----------------------------------------|
   ||             |                   |  * Field Name: Safe Links Policy.State |
   ||Status       |                   |  * Type: ["String", "Null"]            |
   ||             |                   |  * Choices: ["Enabled", "Disabled"]    |
   |+-------------+-------------------+----------------------------------------|
   ||Rule         |Safe Links Rule    |  * Field Name: Rule                    |
   ||             |                   |  * Type: Object                        |
   |+-------------+-------------------+----------------------------------------|
   |||            |                   |  * Field Name: Safe Links              |
   |||Status      |                   |    Policy.Rule.State                   |
   |||            |                   |  * Type: ["String", "Null"]            |
   |||            |                   |  * Choices: ["Enabled", "Disabled"]    |
   |++------------+-------------------+----------------------------------------|
   |||            |                   |  * Field Name: Safe Links              |
   |||Priority    |                   |    Policy.Rule.Priority                |
   |||            |                   |  * Type: Integer                       |
   |++------------+-------------------+----------------------------------------|
   ||||Users      |                   |  * Field Name: SentTo.[n]              |
   ||||           |                   |  * Type: Array                         |
   |+++-----------+-------------------+----------------------------------------|
   ||||Groups     |                   |  * Field Name: SentToMemberOf.[n]      |
   ||||           |                   |  * Type: Array                         |
   |+++-----------+-------------------+----------------------------------------|
   ||||Domains    |                   |  * Field Name: RecipientDomainIs.[n]   |
   ||||           |                   |  * Type: Array                         |
   |++------------+-------------------+----------------------------------------|
   |||Exclude     |                   |  * Field Name: Safe Links              |
   |||these users,|                   |    Policy.Rule.ExceptEnabled           |
   |||groups and  |                   |  * Type: Boolean                       |
   |||domains     |                   |                                        |
   |++------------+-------------------+----------------------------------------|
   ||||Users      |                   |  * Field Name: ExceptIfSentTo.[n]      |
   ||||           |                   |  * Type: Array                         |
   |+++-----------+-------------------+----------------------------------------|
   ||||           |                   |  * Field Name:                         |
   ||||Groups     |                   |    ExceptIfSentToMemberOf.[n]          |
   ||||           |                   |  * Type: Array                         |
   |+++-----------+-------------------+----------------------------------------|
   ||||           |                   |  * Field Name:                         |
   ||||Domains    |                   |    ExceptIfRecipientDomainIs.[n]       |
   ||||           |                   |  * Type: Array                         |
   |+-------------+-------------------+----------------------------------------|
   ||             |                   |  * Field Name: Safe Links              |
   ||Priority     |                   |    Policy.Priority                     |
   ||             |                   |  * Type: Integer                       |
   |+-------------+-------------------+----------------------------------------|
   ||Enable Safe  |                   |  * Field Name: Safe Links              |
   ||Links For    |                   |    Policy.EnableSafeLinksForEmail      |
   ||Email        |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||Enable For   |                   |  * Field Name: Safe Links              |
   ||Internal     |                   |    Policy.EnableForInternalSenders     |
   ||Senders      |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||             |                   |  * Field Name: Safe Links              |
   ||Scan Urls    |                   |    Policy.ScanUrls                     |
   ||             |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||Deliver      |                   |  * Field Name: Safe Links              |
   ||Message After|                   |    Policy.DeliverMessageAfterScan      |
   ||Scan         |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||Disable Url  |                   |  * Field Name: Safe Links              |
   ||Rewrite      |                   |    Policy.DisableUrlRewrite            |
   ||             |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   |||Do Not      |                   |  * Field Name: DoNotRewriteUrls.[n]    |
   |||Rewrite Urls|                   |  * Type: Array                         |
   |+-------------+-------------------+----------------------------------------|
   ||Enable Safe  |                   |  * Field Name: Safe Links              |
   ||Links For    |                   |    Policy.EnableSafeLinksForTeams      |
   ||Teams        |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||Enable Safe  |                   |  * Field Name: Safe Links              |
   ||Links For    |                   |    Policy.EnableSafeLinksForOffice     |
   ||Office       |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||             |                   |  * Field Name: Safe Links              |
   ||Track Clicks |                   |    Policy.TrackClicks                  |
   ||             |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||Allow Click  |                   |  * Field Name: Safe Links              |
   ||Through      |                   |    Policy.AllowClickThrough            |
   ||             |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||Enable       |                   |  * Field Name: Safe Links              |
   ||Organization |                   |    Policy.EnableOrganizationBranding   |
   ||Branding     |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   ||Custom       |                   |  * Field Name: Safe Links              |
   ||Notification |                   |    Policy.CustomNotificationText       |
   ||Text         |                   |  * Type: ["String", "Null"]            |
   |+-------------+-------------------+----------------------------------------|
   ||Use          |                   |  * Field Name: Safe Links              |
   ||Translated   |                   |    Policy.UseTranslatedNotificationText|
   ||Notification |                   |  * Type: Boolean                       |
   ||Text         |                   |                                        |
   |+-------------+-------------------+----------------------------------------|
   |||Users       |                   |  * Field Name: SentTo.[n]              |
   |||            |                   |  * Type: Array                         |
   |++------------+-------------------+----------------------------------------|
   |||Groups      |                   |  * Field Name: SentToMemberOf.[n]      |
   |||            |                   |  * Type: Array                         |
   |++------------+-------------------+----------------------------------------|
   |||Domains     |                   |  * Field Name: RecipientDomainIs.[n]   |
   |||            |                   |  * Type: Array                         |
   |+-------------+-------------------+----------------------------------------|
   ||Exclude these|                   |  * Field Name: Safe Links              |
   ||users, groups|                   |    Policy.ExceptEnabled                |
   ||and domains  |                   |  * Type: Boolean                       |
   |+-------------+-------------------+----------------------------------------|
   |||Users       |                   |  * Field Name: ExceptIfSentTo.[n]      |
   |||            |                   |  * Type: Array                         |
   |++------------+-------------------+----------------------------------------|
   |||            |                   |  * Field Name:                         |
   |||Groups      |                   |    ExceptIfSentToMemberOf.[n]          |
   |||            |                   |  * Type: Array                         |
   |++------------+-------------------+----------------------------------------|
   |||            |                   |  * Field Name:                         |
   |||Domains     |                   |    ExceptIfRecipientDomainIs.[n]       |
   |||            |                   |  * Type: Array                         |
   +---------------------------------------------------------------------------+


Request New Safe Link Policy
''''''''''''''''''''''''''''

Automate provides a *staging area* for requests (maintained in the data model: ``data/MicrosoftDefenderSafeLinksPolicyStaging``).
Administrators can therefore submit requests for Safe Link policies, according to:

* a selected **Safe Links Policy Template**
* with **State** set as **PENDING**  

.. image:: /src/images/ms-defender-safe-link-policy-request.png



View Safe Link Policy Requests
''''''''''''''''''''''''''''''

By default, a separate list view is available to inspect all Safe Link policy requests
that have been made, and to select a request for management.



Safe Link Policy Templates
'''''''''''''''''''''''''''

Automate provides a reference configuration template for ``device/msexchangeonline/SafeLinksPolicy``,
called: ``Reference Safe Links Policy``, but administrators can clone and manage these templates according to their needs
when submitting policy requests.



Safe Attachment Policies
.........................

Manage Safe Attachment Policies
''''''''''''''''''''''''''''''''

Related device model: ``device/msexchangeonline/SafeAttachmentPolicy``

Safe Attachments in Microsoft Defender for Office opens attachments in a virtual environment
before the messages are delivered. 

Safe Attachments policies can apply to specific users, groups, or domains and
can be managed in Automate.

The **Quarantine policy** selected when managing a safe attachment policy in Automate
is managed on the Microsoft Defender portal.

The default Microsoft Defender quarantine policies are:

* AdminOnlyAccessPolicy
* DefaultFullAccessPolicy
* DefaultFullAccessWithNotificationPolicy
* NotificationEnabledPolicy (in some organizations)


.. image:: /src/images/ms-defender-safe-attachment-policy.png 

.. https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure



..
   +---------------------------------------------------------------------------------------+
   |Title         |Description          |Details                                           |
   |--------------+---------------------+--------------------------------------------------|
   |Safe          |                     |  * Field Name: Safe Attachment Policy           |
   |Attachment   |Group Assigned by FDP|  * Type: Object                                  |
   |Policy        |                     |                                                  |
   |--------------+---------------------+--------------------------------------------------|
   ||Name *       |                     |  * Field Name: Safe Attachment Policy.Name      |
   ||             |                     |  * Type: String                                  |
   |+-------------+---------------------+--------------------------------------------------|
   ||             |                     |  * Field Name: Safe Attachment Policy.State     |
   ||Status       |                     |  * Type: ["String", "Null"]                      |
   ||             |                     |  * Choices: ["Enabled", "Disabled"]              |
   |+-------------+---------------------+--------------------------------------------------|
   ||Rule         |Safe Attachment Rule |  * Field Name: Rule                              |
   ||             |                     |  * Type: Object                                  |
   |+-------------+---------------------+--------------------------------------------------|
   |||            |                     |  * Field Name: Safe Attachment Policy.Rule.State|
   |||Status      |                     |  * Type: ["String", "Null"]                      |
   |||            |                     |  * Choices: ["Enabled", "Disabled"]              |
   |++------------+---------------------+--------------------------------------------------|
   |||            |                     |  * Field Name: Safe Attachment                  |
   |||Priority    |                     |    Policy.Rule.Priority                          |
   |||            |                     |  * Type: Integer                                 |
   |++------------+---------------------+--------------------------------------------------|
   ||||Users      |                     |  * Field Name: SentTo.[n]                        |
   ||||           |                     |  * Type: Array                                   |
   |+++-----------+---------------------+--------------------------------------------------|
   ||||Groups     |                     |  * Field Name: SentToMemberOf.[n]                |
   ||||           |                     |  * Type: Array                                   |
   |+++-----------+---------------------+--------------------------------------------------|
   ||||Domains    |                     |  * Field Name: RecipientDomainIs.[n]             |
   ||||           |                     |  * Type: Array                                   |
   |++------------+---------------------+--------------------------------------------------|
   |||Exclude     |                     |  * Field Name: Safe Attachment                  |
   |||these users,|                     |    Policy.Rule.ExceptEnabled                     |
   |||groups and  |                     |  * Type: Boolean                                 |
   |||domains     |                     |                                                  |
   |++------------+---------------------+--------------------------------------------------|
   ||||Users      |                     |  * Field Name: ExceptIfSentTo.[n]                |
   ||||           |                     |  * Type: Array                                   |
   |+++-----------+---------------------+--------------------------------------------------|
   ||||Groups     |                     |  * Field Name: ExceptIfSentToMemberOf.[n]        |
   ||||           |                     |  * Type: Array                                   |
   |+++-----------+---------------------+--------------------------------------------------|
   ||||Domains    |                     |  * Field Name: ExceptIfRecipientDomainIs.[n]     |
   ||||           |                     |  * Type: Array                                   |
   |+-------------+---------------------+--------------------------------------------------|
   ||Priority     |                     |  * Field Name: Safe Attachment Policy.Priority  |
   ||             |                     |  * Type: Integer                                 |
   |+-------------+---------------------+--------------------------------------------------|
   ||             |                     |  * Field Name: Safe Attachment Policy.Action    |
   ||             |                     |  * Type: ["String", "Null"]                      |
   ||Action *     |Default: Off         |  * Default: Off                                  |
   ||             |                     |  * Choices: ["Off", "Monitor", "Block",          |
   ||             |                     |    "DynamicDelivery"]                            |
   |+-------------+---------------------+--------------------------------------------------|
   ||             |                     |  * Field Name: Safe Attachment                  |
   ||             |                     |    Policy.QuarantineTag                          |
   ||Quarantine   |Default:             |  * Type: ["String", "Null"]                      |
   ||policy *     |AdminOnlyAccessPolicy|  * Default: AdminOnlyAccessPolicy                |
   ||             |                     |  * Choices: ["AdminOnlyAccessPolicy",            |
   ||             |                     |    "DefaultFullAccessPolicy",                    |
   ||             |                     |    "DefaultFullAccessWithNotificationPolicy"]    |
   |+-------------+---------------------+--------------------------------------------------|
   ||Enable       |                     |  * Field Name: Safe Attachment Policy.Redirect  |
   ||redirect     |                     |  * Type: Boolean                                 |
   |+-------------+---------------------+--------------------------------------------------|
   ||             |                     |  * Field Name: Safe Attachment                  |
   ||Redirect     |                     |    Policy.RedirectAddress                        |
   ||Address      |                     |  * Type: ["String", "Null"]                      |
   ||             |                     |  * Pattern:                                      |
   ||             |                     |    (^$|^([^.@]+)(\.[^.@]+)*@([^.@]+\.)+([^.@]+)$)|
   |+-------------+---------------------+--------------------------------------------------|
   |||Users       |                     |  * Field Name: SentTo.[n]                        |
   |||            |                     |  * Type: Array                                   |
   |++------------+---------------------+--------------------------------------------------|
   |||Groups      |                     |  * Field Name: SentToMemberOf.[n]                |
   |||            |                     |  * Type: Array                                   |
   |++------------+---------------------+--------------------------------------------------|
   |||Domains     |                     |  * Field Name: RecipientDomainIs.[n]             |
   |||            |                     |  * Type: Array                                   |
   |+-------------+---------------------+--------------------------------------------------|
   ||Exclude these|                     |  * Field Name: Safe Attachment                  |
   ||users, groups|                     |    Policy.ExceptEnabled                          |
   ||and domains  |                     |  * Type: Boolean                                 |
   |+-------------+---------------------+--------------------------------------------------|
   |||Users       |                     |  * Field Name: ExceptIfSentTo.[n]                |
   |||            |                     |  * Type: Array                                   |
   |++------------+---------------------+--------------------------------------------------|
   |||Groups      |                     |  * Field Name: ExceptIfSentToMemberOf.[n]        |
   |||            |                     |  * Type: Array                                   |
   |++------------+---------------------+--------------------------------------------------|
   |||Domains     |                     |  * Field Name: ExceptIfRecipientDomainIs.[n]     |
   |||            |                     |  * Type: Array                                   |
   +---------------------------------------------------------------------------------------+


Request New Safe Attachment Policy
''''''''''''''''''''''''''''''''''

Automate provides a *staging area* for requests (maintained in the data model: ``data/MicrosoftDefenderSafeAttachmentPolicyStaging``).



View Safe Attachment Policy Requests
'''''''''''''''''''''''''''''''''''''

By default, a separate list view is available to inspect all Safe Attachment policy requests
that have been made, and to select a request for management.



Safe Attachment Policy Templates
'''''''''''''''''''''''''''''''''

Automate provides the following reference configuration template for ``device/msexchangeonline/SafeAttachmentPolicy``: 
``Reference Safe Attachment Policy``

Admins can clone and manage these templates according to their needs.
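
A pre-submission check for a cloned Safe Attachment policy template, as an added example that is not part of Automate or of the original page. It uses the field names, choices, defaults and redirect address pattern from the field reference for ``device/msexchangeonline/SafeAttachmentPolicy``; the flat dictionary layout, the ``review_policy`` function, the severity labels and the sample values are assumptions made for illustration.

```python
import re

# Constraints transcribed from this page's field reference for
# device/msexchangeonline/SafeAttachmentPolicy. NotificationEnabledPolicy,
# which the page lists for some organizations, is not among the field's choices.
STATE_CHOICES = ("Enabled", "Disabled")
ACTION_CHOICES = ("Off", "Monitor", "Block", "DynamicDelivery")
QUARANTINE_TAG_CHOICES = (
    "AdminOnlyAccessPolicy",
    "DefaultFullAccessPolicy",
    "DefaultFullAccessWithNotificationPolicy",
)
DEFAULTS = {"Action": "Off", "QuarantineTag": "AdminOnlyAccessPolicy"}
REDIRECT_ADDRESS_RE = re.compile(
    r"(^$|^([^.@]+)(\.[^.@]+)*@([^.@]+\.)+([^.@]+)$)"
)
EXCEPTION_FIELDS = (
    "ExceptIfSentTo", "ExceptIfSentToMemberOf", "ExceptIfRecipientDomainIs",
)


def review_policy(policy):
    """Return (severity, field, message) findings for one policy.

    Assumption: the policy is a flat dict keyed by the field names above.
    "error" = violates a documented constraint, "warn" = weaker protection,
    "review" = valid but worth a second look by the approver.
    """
    findings = []

    name = policy.get("Name")
    if not isinstance(name, str) or not name.strip():
        findings.append(("error", "Name", "required field is empty"))

    state = policy.get("State")  # type is ["String", "Null"]
    if state is not None and state not in STATE_CHOICES:
        findings.append(("error", "State", f"{state!r} is not a valid choice"))
    elif state == "Disabled":
        findings.append(("warn", "State", "policy is disabled"))

    # Missing or null values fall back to the documented defaults.
    action = policy.get("Action") or DEFAULTS["Action"]
    if action not in ACTION_CHOICES:
        findings.append(("error", "Action", f"{action!r} is not a valid choice"))
    elif action in ("Off", "Monitor"):
        findings.append(("warn", "Action", f"{action!r} does not block delivery"))

    tag = policy.get("QuarantineTag") or DEFAULTS["QuarantineTag"]
    if tag not in QUARANTINE_TAG_CHOICES:
        findings.append(("error", "QuarantineTag", f"{tag!r} is not a valid choice"))
    elif tag != DEFAULTS["QuarantineTag"]:
        findings.append(("review", "QuarantineTag", f"{tag!r} is not the default"))

    address = policy.get("RedirectAddress") or ""
    if not isinstance(address, str) or not REDIRECT_ADDRESS_RE.match(address):
        findings.append(("error", "RedirectAddress", "does not match the pattern"))
    elif policy.get("Redirect") and not address:
        # Assumption: enabling redirect without a target is a mistake.
        findings.append(("warn", "RedirectAddress", "redirect enabled, no address"))

    # Every exclusion removes recipients from the policy's protection.
    if policy.get("ExceptEnabled"):
        for field in EXCEPTION_FIELDS:
            for entry in policy.get(field) or []:
                findings.append(("review", field, f"{entry!r} is excluded"))
    return findings


# Constructed sample: a cloned template with weakened settings.
CLONED_TEMPLATE = {
    "Name": "Finance Safe Attachments",
    "State": "Enabled",
    "Action": "Monitor",
    "QuarantineTag": "DefaultFullAccessPolicy",
    "Redirect": True,
    "RedirectAddress": "secops@example",  # no dot after the @: fails the pattern
    "ExceptEnabled": True,
    "ExceptIfRecipientDomainIs": ["partner.example.com"],
}

if __name__ == "__main__":
    for severity, field, message in review_policy(CLONED_TEMPLATE):
        print(f"{severity:<6} {field}: {message}")
```

An approver can run the same check against a staged request before moving it out of **PENDING**; an empty result means the policy meets the documented constraints and keeps the default quarantine policy with no exclusions.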


.. rubric:: Related topics

* :ref:`ms-defender-for-endpoint`
* :ref:`model-filter-criteria` for Microsoft Defender overbuild usage   
