Merge pull request #3209 from MicrosoftDocs/master

Publish 07/01/2020 3:35 PM

windows/privacy/data-processor-service-for-windows-public-preview-terms.md

@@ -0,0 +1,170 @@
+---
+title: Data processor service for Windows public preview terms 
+description: Use this article to understand Windows public preview terms of service.
+keywords: privacy, GDPR
+ms.localizationpriority: high
+ROBOTS: NOINDEX, NOFOLLOW
+ms.prod: w10
+ms.topic: article
+f1.keywords:
+- NOCSH
+ms.author: daniha
+author: DaniHalfin
+manager: dansimp
+audience: itpro
+ms.collection: 
+- GDPR
+- M365-security-compliance
+---
+
+# Data processor service for Windows public preview terms
+
+**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.**
+
+These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD.
+
+ 1. **Definitions**. The following terms have the following meanings:
+
+    1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD.
+
+    2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services.
+
+    3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
+
+    4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services.
+
+    5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data.
+
+2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications.
+
+3. **Intellectual Property**.
+
+    1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms.
+
+    2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term.
+
+    3. **Acceptable Use**.  Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws.
+
+    4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control.
+
+4. **Confidentiality**. The following confidentiality terms apply to the Preview:
+
+    1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to: </br></br>
+        1. a party’s released or unreleased software or hardware products;</br></br>
+        2. a party’s source code;</br></br>
+        3. a party’s product marketing or promotion;</br></br>
+        4. a party’s business policies or practices;</br></br>
+        5. a party’s customers or suppliers;</br></br>
+        6. information received from others that a party must treat as confidential; and</br></br>
+        7. information provided, obtained, or created by a party under these Terms, including:
+            * information in reports; 
+            * the parties’ electronic or written correspondence, customer lists and customer information, regardless of source; 
+            * Personal Data; and 
+            * Transactional, sales, and marketing information. 
+
+    2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information. 
+
+    3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:</br></br>
+        1. system access;</br></br>
+        2. system and application development and maintenance;</br></br>
+        3. change management;</br></br>
+        4. asset classification and control;</br></br>
+        5. incident response, physical and environmental security;</br></br>
+        6. disaster recovery/business continuity; and</br></br>
+        7. employee training.
+
+5. **Data Protection.**
+
+    **Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Appendix 1 govern that processing and the parties also agree to the following terms:
+
+    1. Processing Details:  The parties agree that: 
+        * The subject-matter of the processing is limited to Personal Data within the scope of the GDPR; 
+        * The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms; 
+        * The nature and purpose of the processing shall be to provide the Services pursuant to these Terms; 
+        * The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and 
+        * The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers. 
+
+    2. Data Transfers:  
+        * Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services.  
+        * Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR. 
+        * In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.  
+
+6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services.
+
+7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview.
+
+8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights).
+
+9. **Representations and Warranties; Limitation of Liability.** 
+
+    1. **By the Parties.**  Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms.
+
+    2. **Disclaimer.**  EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR.
+
+    3. **Limitation of Liability.**  Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4.
+
+10. **General.** 
+
+    1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party.
+
+    2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.
+
+    3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action.
+
+    4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses.
+
+    5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent.
+
+    6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter.
+
+    7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.</br></br>
+
+<p align="center">
+  <b>Appendix 1: GDPR Terms</b><br>
+
+For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data. 
+
+**Relevant GDPR Obligations: Articles 28, 32, and 33**
+
+1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2)) 
+2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall:
+
+    1. process the Personal Data only on your documented instructions, including with  regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
+
+    2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
+
+    3. take all measures required pursuant to Article 32 of the GDPR;
+
+    4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
+
+    5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
+
+    6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;
+
+    7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
+
+    8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
+
+    9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.  (Article 28(3)) 
+
+3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4)) 
+
+4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
+
+    1. the pseudonymisation and encryption of Personal Data;
+
+    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
+
+    3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
+
+    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))
+
+5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2)) 
+
+6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsoft’s who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4)) 
+
+7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft. 
+
+ 
+
+ 

windows/privacy/deploy-data-processor-service-windows.md

@@ -0,0 +1,96 @@
+---
+title: Technical Deployment of the data processor service for Windows 
+description: Use this article to understand how to deploy and manage the data processor service for Windows.
+keywords: privacy, GDPR
+ms.localizationpriority: high
+ROBOTS: NOINDEX, NOFOLLOW
+ms.prod: w10
+ms.topic: article
+f1.keywords:
+- NOCSH
+ms.author: daniha
+author: DaniHalfin
+manager: dansimp
+audience: itpro
+ms.collection: 
+- GDPR
+- M365-security-compliance
+---
+
+# Data processor service for Windows Overview 
+
+>[!NOTE]
+>This topic is intended for participants in the data processor service for Windows preview program and requires acceptance of specific terms of use. To learn
+more about the program and agree to the terms of use, see [https://aka.ms/dpswpublicpreview](https://aka.ms/dpswpublicpreview).
+
+The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers’ needs. 
+The data processor service for Windows empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR). 
+
+The data processor service for Windows will serve as a foundation for other Microsoft services that use Windows diagnostic data. 
+
+The data processor service for Windows offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations. 
+Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards. 
+
+The data processor service for Windows provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID. 
+Should you desire so, Microsoft will accommodate a data processor service for Windows tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer. 
+
+>[!Note]
+>Tenant account closure will lead to the deletion of all data associated with that tenant. 
+
+## Deployment of data processor service for Windows
+Use the instructions below to easily manage the data processor service for Windows using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer. 
+
+### Prerequisites 
+#### Versions supported 
+The data processor service for Windows is currently supported on Windows 10, version 1809, and newer versions.
+
+#### Network requirements 
+The following endpoints need to be reachable from devices enrolled into the data processor service for Windows:
+ 
+ login.live.com
+
+ cy2.vortex.data.microsoft.com.akadns.net 
+
+ v10.events.data.microsoft.com 
+
+ v10.vortex-win.data.microsoft.com/collect/v1 
+
+For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version: 
+
+[Windows 10, version 1809 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1809-endpoints)
+
+[Windows 10, version 1903 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1903-endpoints)
+
+### Deploying data processor service for Windows
+You can use either Group Policy or an MDM solution to deploy the data processor service for Windows to your supported devices.
+
+In Group Policy, to enable data collection through the data processor service for Windows, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. 
+
+If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
+
+To use an MDM solution, such as [Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-Windows-10), to deploy the data processor service for Windows to your supported devices, use the following custom OMA-URI setting configuration:
+
+- **Name:** System/AllowCommercialDataPipeline 
+- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline 
+- **Data type:** Integer 
+
+Under **Value**, use **1** to enable the service. 
+
+If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**. 
+
+>[!Note]
+>Data collected from a device, before it was enrolled into the data processor service for Windows, will not be moved into the enterprise compliance boundary. 
+
+## Managing data processor service for Windows 
+### Executing user-based data subject requests (DSRs) 
+To perform user-based DSRs, the data processor service for Windows requires your organization to be reflected in Azure AD. 
+
+If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action. 
+
+If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join. 
+To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+
+Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide).
+
+## Geo-location 
+Windows Diagnostic Data collected through the data processor service for Windows is hosted in our datacenter in the United States.

windows/security/threat-protection/TOC.md

@@ -38,6 +38,7 @@
 #### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
 #### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
 #### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
+#### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
 #### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
 
 ### [Attack surface reduction]()

windows/security/threat-protection/microsoft-defender-atp/android-intune.md

@@ -136,7 +136,7 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
 As Microsoft Defender ATP for Android is deployed via managed Google Play,
 updates to the app are automatic via Google Play.
 
-Currently only Work Profile, Fully Managed devices are supported for deployment.
+Currently only Work Profile enrolled devices are supported for deployment.
 
 
 >[!NOTE]
@@ -265,7 +265,7 @@ assignment.
 ## Complete onboarding and check status
 
 1. Confirm the installation status of Microsoft Defender ATP for Android by
-clicking on the **Device Install Status**. Verif that the device is
+clicking on the **Device Install Status**. Verify that the device is
 displayed here.
 
     ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)

windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md

@@ -115,6 +115,7 @@ See the following topics for related APIs:
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md

@@ -0,0 +1,132 @@
+---
+title: Event timeline
+description: Event timeline is a "risk news feed" which will help you interpret how risk is introduced into the organization and which mitigations happened to reduce it.
+keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+# Event timeline
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Event timeline is a risk news feed which helps you interpret how risk, through new vulnerabilities or exploits, is introduced into the organization. You can view events which may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was addd to an exploit kit, and more.
+
+Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
+
+## Navigate to the Event timeline page
+
+You can access Event timeline mainly through three ways:
+
+- In the Threat & Vulnerability Management navigation menu in the Microsoft Defender Security Center
+- Top events card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities)
+- Hovering over the Exposure Score graph in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+
+### Navigation menu
+
+Go to the Threat & Vulnerability Management navigation menu and select **Event timeline** to view impactful events.
+
+### Top events card
+
+In the Threat & Vulnerability Management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
+
+![Event timeline page](images/tvm-top-events-card.png)
+
+### Exposure score graph
+
+In the Threat & Vulnerability Management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown.
+
+![Event timeline page](images/tvm-event-timeline-exposure-score400.png)
+
+Selecting **Show all events from this day** will lead you to the Event timeline page with a pre-populated custom date range for that day.
+
+![Event timeline page](images/tvm-event-timeline-drilldown.png)
+
+Select **Custom range** to change the date range to another custom one, or a pre-set time range.
+
+![Event timeline date range options](images/tvm-event-timeline-dates.png)
+
+## Event timeline overview
+
+On the Event timeline page, you can view the all the necesssary info related to an event. 
+
+Features:
+
+- Customize columns
+- Filter by event type or percent of impacted machines
+- View 30, 50, or 100 items per page
+
+The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
+
+![Event timeline page](images/tvm-event-timeline-overview-mixed-type.png)
+
+### Columns
+
+- **Date**: month, day, year
+- **Event**: impactful event, including component, type, and number of impacted machines
+- **Related component**: software
+- **Originally impacted machines**: the number, and percentage, of impacted machines when this event originally occurred. You can also filter by the percent of originally impacted machines, out of your total number of machines.
+- **Currently impacted machines**: the current number, and percentage, of machines that this event currently impacts. You can find this field by selecting **Customize columns**.
+- **Types**: reflect time-stamped events that impact the score. They can be filtered.
+    - Exploit added to an exploit kit
+    - Exploit was verified
+    - New public exploit
+    - New vulnerability
+- **Score trend**: exposure score trend
+
+### Icons
+
+The following icons show up next to events:
+
+- ![bug icon](images/tvm-black-bug-icon.png) New public exploit
+- ![report warning icon](images/report-warning-icon.png) New vulnerability was published
+- ![exploit kit](images/bug-lightning-icon2.png) Exploit found in exploit kit
+- ![bug icon](images/bug-caution-icon2.png) Exploit verified
+
+### Drill down to a specific event
+
+Once you select an event, a flyout will appear listing the details and current CVEs that affect your machines. You can show more CVEs or view the related recommendation.
+
+The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means machines are more vulnerable to exploitation.
+
+![Event timeline flyout](images/tvm-event-timeline-flyout500.png)
+
+From there, select **Go to related security recommendation** to go to the [security recommendations page](tvm-security-recommendation.md) and the recommendation that will address the new software vulnerability. After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).  
+
+## View Event timelines in software pages
+
+To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
+
+A full page will appear with all the details of a specific software, including an event timeline tab. From there you can view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
+
+![Software page with an Event timeline tab](images/tvm-event-timeline-software-pages.png)
+
+## Related topics
+
+- [Supported operating systems and platforms](tvm-supported-os.md)
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation and exception](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Score APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md

@@ -61,6 +61,7 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
 - [Advanced hunting overview](overview-hunting.md)

windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md

@@ -93,6 +93,7 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md

@@ -22,8 +22,14 @@ ms.topic: conceptual
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
 Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
 
+- Quickly understand and identify high-level takeaways about the state of security in your organization.
+- Detect and respond to areas that require investigation or action to improve the current state.
+- Communicate with peers and management about the impact of security efforts.
+
 The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
 
 ![Exposure score card](images/tvm_exp_score.png)
@@ -61,6 +67,7 @@ Lower your threat and vulnerability exposure by remediating [security recommenda
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md

@@ -103,6 +103,7 @@ Select **Show exceptions** at the bottom of the **Top security recommendations**
 - [Security recommendations](tvm-security-recommendation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md

@@ -22,7 +22,6 @@ ms.topic: conceptual
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-> [!TIP]
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
 [!include[Prerelease information](../../includes/prerelease.md)]
@@ -80,7 +79,7 @@ Useful icons also quickly calls your attention to:
 - ![red bug](images/tvm_bug_icon.png) associated public exploits
 - ![light bulb](images/tvm_insight_icon.png) recommendation insights
 
-### Investigate
+### Explore security recommendation options
 
 Select the security recommendation that you want to investigate or process.
 
@@ -97,6 +96,14 @@ From the flyout, you can do any of the following:
 >[!NOTE]
 >When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
 
+### Investigate changes in machine exposure or impact
+
+If there is a large jump in the number of exposed machines, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating.
+
+1. Select the recommendation and **Open software page**
+2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
+3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request
+
 ## Request remediation
 
 The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
@@ -209,6 +216,7 @@ After you have identified which software and software versions are vulnerable du
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md

@@ -48,7 +48,13 @@ Select the software that you want to investigate and a flyout panel opens up wit
 
 ## Software pages
 
-Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information:
+You can view software pages a few different ways:
+
+- Software inventory page > Select a software name > Select **Open software page** in the flyout
+- [Security recommendations page](tvm-security-recommendation.md) > Select a recommendation > Select **Open software page** in the flyout
+- [Event timeline page](threat-and-vuln-mgt-event-timeline.md) > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout
+
+ A full page will appear with all the details of a specific software and the following information:
 
 - Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score
 - Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices
@@ -84,6 +90,7 @@ You can report a false positive when you see any vague, inaccurate version, inco
 - [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md

@@ -51,6 +51,7 @@ Some of the above prerequisites might be different from the [Minimum requirement
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md

@@ -131,6 +131,7 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
 - [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [APIs](next-gen-threat-and-vuln-mgt.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)