Skip to content

Commit

Permalink
Merge branch 'public' into patch-1
Browse files Browse the repository at this point in the history
  • Loading branch information
denisebmsft authored Aug 21, 2024
2 parents e65f368 + 940d011 commit 31ba9b6
Show file tree
Hide file tree
Showing 204 changed files with 393 additions and 446 deletions.
35 changes: 35 additions & 0 deletions .github/workflows/AutoLabelAssign.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: Assign and label PR

permissions:
pull-requests: write
contents: read
actions: read

on:
workflow_run:
workflows: [Background tasks]
types:
- completed

jobs:
download-payload:
name: Download and extract payload artifact
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
with:
WorkflowId: ${{ github.event.workflow_run.id }}
OrgRepo: ${{ github.repository }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}

label-assign:
name: Run assign and label
needs: [download-payload]
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
with:
PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
AutoAssignUsers: 1
AutoLabel: 1
ExcludedUserList: '["user1", "user2"]'
ExcludedBranchList: '["branch1", "branch2"]'
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
34 changes: 34 additions & 0 deletions .github/workflows/AutoLabelMsftContributor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: Auto label Microsoft contributors

permissions:
pull-requests: write
contents: read
actions: read

on:
workflow_run:
workflows: [Background tasks]
types:
- completed

jobs:
download-payload:
if: github.repository_visibility == 'public'
name: Download and extract payload artifact
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
with:
WorkflowId: ${{ github.event.workflow_run.id }}
OrgRepo: ${{ github.repository }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}

label-msft:
name: Label Microsoft contributors
if: github.repository_visibility == 'public'
needs: [download-payload]
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod
with:
PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
26 changes: 26 additions & 0 deletions .github/workflows/BackgroundTasks.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: Background tasks

permissions:
pull-requests: write
contents: read

on:
pull_request_target:

jobs:
upload:
runs-on: ubuntu-latest

steps:
- name: Save payload data
env:
PayloadJson: ${{ toJSON(github) }}
AccessToken: ${{ github.token }}
run: |
mkdir -p ./pr
echo $PayloadJson > ./pr/PayloadJson.json
sed -i -e "s/$AccessToken/XYZ/g" ./pr/PayloadJson.json
- uses: actions/upload-artifact@v4
with:
name: PayloadJson
path: pr/
19 changes: 19 additions & 0 deletions .github/workflows/LiveMergeCheck.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: PR can merge into branch

permissions:
pull-requests: write
statuses: write
contents: read

on:
pull_request_target:
types: [opened, reopened, synchronize, edited]

jobs:

live-merge:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod
with:
PayloadJson: ${{ toJSON(github) }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
19 changes: 19 additions & 0 deletions .github/workflows/PrFileCount.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: PR file count less than limit

permissions:
pull-requests: write
statuses: write
contents: read

on:
pull_request_target:
types: [opened, reopened, synchronize, labeled, unlabeled, edited]

jobs:

file-count:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod
with:
PayloadJson: ${{ toJSON(github) }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
17 changes: 17 additions & 0 deletions .github/workflows/ProtectedFiles.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: PR has no protected files

permissions:
pull-requests: write
statuses: write
contents: read

on: [pull_request_target]

jobs:

protected-files:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod
with:
PayloadJson: ${{ toJSON(github) }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ ms.reviewer: mkaminska, yongrhee
manager: deniseb
ms.subservice: ngp
ms.topic: conceptual
ms.date: 02/18/2024
ms.date: 08/20/2024
ms.collection:
- m365-security
- tier2
Expand Down Expand Up @@ -54,37 +54,25 @@ Microsoft Defender Antivirus and cloud protection automatically block most new,

3. High-precision antivirus, detecting common malware through generic and heuristic techniques.

1. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
4. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.

1. In the event Microsoft Defender Antivirus can't make a clear determination, file metadata is sent to the cloud protection service. Often within milliseconds, the cloud protection service can determine based on the metadata as to whether the file is malicious or not a threat.

- The cloud query of file metadata can be a result of behavior, mark of the web, or other characteristics where a clear verdict isn't determined.
- A small metadata payload is sent, with the goal of reaching a verdict of malware or not a threat. The metadata doesn't include personally identifiable information (PII). Information such as filenames, are hashed.
- A small metadata payload is sent, with the goal of reaching a verdict of malware or not a threat. The metadata doesn't include personal data, such as personally identifiable information (PII). Information such as filenames, are hashed.
- Can be synchronous or asynchronous. For synchronous, the file won't open until the cloud renders a verdict. For asynchronous, the file opens while cloud protection performs its analysis.
- Metadata can include PE attributes, static file attributes, dynamic and contextual attributes, and more (see [Examples of metadata sent to the cloud protection service](#examples-of-metadata-sent-to-the-cloud-protection-service)).

1. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:

1. **Send safe samples automatically**
- Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe.
- If file is likely to contain PII, the user gets a request to allow file sample submission.
- This option is the default on Windows, macOS, and Linux.

1. **Always Prompt**
- If configured, the user is always prompted for consent before file submission
- This setting isn't available in macOS and Linux cloud protection

3. **Send all samples automatically**
- If configured, all samples are sent automatically
- If you would like sample submission to include macros embedded in Word docs, you must choose "Send all samples automatically"
- This setting isn't available on macOS cloud protection

1. **Do not send**
- Prevents "block at first sight" based on file sample analysis
- "Don't send" is the equivalent to the "Disabled" setting in macOS policy and "None" setting in Linux policy.
- Metadata is sent for detections even when sample submission is disabled

1. After files are submitted to cloud protection, the submitted files can be **scanned**, **detonated**, and processed through **big data analysis** **machine-learning** models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.
2. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the setting configuration for sample submission, as described in the following table:

| Setting | Description |
|---|---|
| **Send safe samples automatically** | - Safe samples are samples considered to not commonly contain PII data. Examples include `.bat`, `.scr`, `.dll`, and `.exe`. <br/>- If file is likely to contain PII, the user gets a request to allow file sample submission.<br/>- This option is the default configuration on Windows, macOS, and Linux. |
| **Always Prompt** | - If configured, the user is always prompted for consent before file submission<br/>- This setting isn't available in macOS and Linux cloud protection |
| **Send all samples automatically** | - If configured, all samples are sent automatically<br/>- If you would like sample submission to include macros embedded in Word docs, you must choose **Send all samples automatically**<br/>- This setting isn't available on macOS cloud protection |
| **Do not send** | - Prevents "block at first sight" based on file sample analysis<br/>- "Don't send" is the equivalent to the "Disabled" setting in macOS policy and "None" setting in Linux policy.<br/>- Metadata is sent for detections even when sample submission is disabled |

3. After files are submitted to cloud protection, the submitted files can be **scanned**, **detonated**, and processed through **big data analysis** **machine-learning** models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.

> [!IMPORTANT]
> [Block at first sight (BAFS)](configure-block-at-first-sight-microsoft-defender-antivirus.md) provides detonation and analysis to determine whether a file or process is safe. BAFS can delay the opening of a file momentarily until a verdict is reached. If you disable sample submission, BAFS is also disabled, and file analysis is limited to metadata only. We recommend keeping sample submission and BAFS enabled. To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight)
Expand Down Expand Up @@ -132,7 +120,7 @@ For more information, see the following resources:

- [Azure Compliance Offerings](/azure/storage/common/storage-compliance-offerings)
- [Service Trust Portal](https://servicetrust.microsoft.com)
- [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md#data-storage-location)
- [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md)

## Other file sample submission scenarios

Expand Down
69 changes: 13 additions & 56 deletions defender-endpoint/data-storage-privacy.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ ms.collection:
- essentials-compliance
ms.topic: conceptual
search.appverid: met150
ms.date: 08/12/2024
ms.date: 08/20/2024
---

# Microsoft Defender for Endpoint data storage and privacy
Expand All @@ -37,13 +37,13 @@ This section covers some of the most frequently asked questions regarding privac
> [!NOTE]
> This article explains the data storage and privacy details related to Defender for Endpoint and Defender for Business. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576), and also [Windows privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577).
## What data does Microsoft Defender for Endpoint collect?
## What are we collecting?

Microsoft Defender for Endpoint collects information from your configured devices and stores it in a customer-dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.

Information collected includes file data (file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (device identifiers, names, and the operating system version).

Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).

This data enables Defender for Endpoint to:

Expand All @@ -53,74 +53,31 @@ This data enables Defender for Endpoint to:

Microsoft doesn't use your data for advertising.

## Data protection and encryption
## Data location

The Defender for Endpoint service utilizes state-of-the-art data protection technologies, which are based on Microsoft Azure infrastructure.
Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, or India. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).

There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical aspects, and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Defender for Endpoint service, see [Azure encryption overview](/azure/security/security-azure-encryption-overview).
(a) the geo-location of the tenant as identified during provisioning; or

In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
(b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data.

## Data storage location
## Data Retention

Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, or India. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
Data from Microsoft Defender for Endpoint is retained for 180 days, visible across the portal.

Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
Your data is kept and is available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft's systems to make it unrecoverable, no later than 180 days from contract termination or expiration.

Select **Need help?** in the Microsoft Defender portal to contact Microsoft support about provisioning Microsoft Defender XDR in a different data center location.
In the advanced hunting investigation experience, it's accessible via a query for 30 days.

## Data sharing for Microsoft Defender for Endpoint

Microsoft Defender for Endpoint shares data, including customer data, among the following Microsoft products, also licensed by the customer.

- Microsoft Defender XDR
- Microsoft Defender for Cloud Apps
- Microsoft Sentinel
- Microsoft Tunnel for Mobile Application Management - Android
- Microsoft Defender for Cloud
- Microsoft Defender for Identity
- Microsoft Security Exposure Management (public preview)

## Is my data isolated from other customer data?

Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization, and the generic data that Microsoft provides.

## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?

Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activities:

- Tight access control to sensitive data
- Combinations of controls that greatly enhance independent detection of malicious activity
- Multiple levels of monitoring, logging, and reporting

Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they're required to access a customer's account or related information in the performance of their duties.

Access to data for services deployed in Microsoft Azure Government data centers is only granted to operating personnel who have been screened and approved to handle data that's subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS.

## Is data shared with other customers?

No. Customer data is isolated from other customers and isn't shared. However, threat intelligence on the data resulting from Microsoft processing, and which doesn't contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.

## How long will Microsoft store my data? What is Microsoft's data retention policy?

### At service onboarding

Data from Microsoft Defender for Endpoint is retained for 180 days, visible across the portal. However, in the advanced hunting investigation experience, it's accessible via a query for 30 days.

### At contract termination or expiration

Your data is kept and is available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft's systems to make it unrecoverable, no later than 180 days from contract termination or expiration.

### Advanced Hunting data

Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data.

## Can Microsoft help us maintain regulatory compliance?

Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help them assess Defender for Endpoint services against their own legal and regulatory requirements. Defender for Endpoint has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional, and industry-specific certifications.

By providing customers with compliant, independently verified services, Microsoft makes it easier for them to achieve compliance for the infrastructure and applications they run.

For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).

> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-datastorage-belowfoldlink)
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
Loading

0 comments on commit 31ba9b6

Please sign in to comment.