What are Threat Explorer and Real-time detections?
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
This article explains the difference between Threat Explorer and Real-time detections, the updated experience for both tools (in which you can toggle between the old and new experiences for a limited time), and the licenses and permissions that are required.
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration, and then choose Explorer or Real-time detections. To go directly to the page, use https://security.microsoft.com/threatexplorer or https://security.microsoft.com/realtimereports.
With these tools, you can:
- See malware detected by Microsoft 365 security features.
- View phishing URL and click verdict data.
- Start an automated investigation and response process from a view in Explorer.
- Investigate malicious email, and more.
For more information, see Email security with Explorer.
Differences between Explorer and Real-time detections
- Real-time detections is a reporting tool available in Defender for Office 365 Plan 1. Threat Explorer is a threat hunting and remediation tool available in Defender for Office 365 Plan 2.
- The Real-time detections report lets you view detections in real time. Threat Explorer does this as well, but it provides additional details for a given attack, such as highlighting attack campaigns, and gives security operations teams the ability to remediate threats (including triggering an Automated Investigation and Response investigation).
- An All email view is available in Threat Explorer, but not included in the Real-time detections report.
- Rich filtering capabilities and remediation actions are included in Threat Explorer. For more information, see Microsoft Defender for Office 365 Service Description: Feature availability across Defender for Office 365 plans.
Updated experience for Explorer and Real-time detections
The experience for Threat Explorer and Real-time detections has been updated to align with modern accessibility standards and to optimize the workflow. For a short while, you'll be able to toggle between the old experience and the new one.
Toggling impacts only your account and does not impact anyone else within your tenant.
Threat Explorer and Real-time detections are divided into the following views:
- All email: Shows all email analyzed by Defender for Office 365 and contains both good and malicious emails. This view is only present in Threat Explorer and isn't available in Real-time detections. By default, it shows data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer.
- Malware view: Shows emails on which a malware threat was identified. This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days).
- Phish view: Shows emails on which a phish threat was identified.
- Content malware view: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams.
Here are the common components within these experiences:
- You can use the various filters to view the data based on email or file attributes.
- The time filter is always applied to the records and defaults to the last two days.
- If you apply multiple filters, they're combined in AND mode; you can use the advanced filter to change the combination to OR mode.
- You can use commas to supply multiple values for the same filter.
- Charts provide a visual, aggregate view of the data based on the filters. You can use different filters to view the data by different dimensions.
- You may see no results in the chart view even though entries appear in the list view. This happens when the charted dimension has no data for the filtered result set. For example, if you chart by malware family but the underlying results contain no malicious emails, you see the message that no data is available for this scenario.
- The results grid shows the email results based on the filters you've applied.
- Based on the configuration set in your tenant, data is shown in UTC or the local timezone, with the timezone information available in the first column.
- You can navigate to the individual email entity page from the list view by clicking the Open in new window icon.
- You can customize your columns to add or remove columns and optimize your view.
- You can toggle between the Chart View and the List View to maximize your result set.
- You can click hyperlinks to get to the email summary panel (entries in the Subject column), or to the recipient or IP flyout.
- The email summary panel replaces the legacy email flyout, and also provides a path to the email entity page.
- The individual entity flyouts (IP, recipient, and URL) reflect the same information, but present it in a single tab-based view, with the ability to expand and collapse the different sections as required.
- For flyouts like URLs, you can click View all Email or View all Clicks to view the full set of emails or clicks containing that URL, and export the result set.
- From Threat Explorer, you can trigger remediation actions like Delete an email. For more information on remediation, remediation limits, and tracking remediation, see Remediate malicious email.
- You can click Export chart data to export the chart details. Similarly, click Export email list to export email details.
- You can export up to 200K records from the email list. For better system performance and shorter download times, narrow the result set with filters before exporting.
In addition to these features, you'll also get updated experiences like Top URLs, Top clicks, Top targeted users, and Email origin. Top URLs, Top clicks, and Top targeted users can be further filtered based on the filter that you apply within Explorer.
Threat Explorer and Real-time detections now allow you to export more data than is visible on the data grid. With the new export feature, you can selectively export the data that is relevant to your analysis or investigation, without having to sift through irrelevant data. The export includes a group of default fields that carry the fundamental email metadata as pre-selected options; you can pick extra fields or modify the current selection based on your requirements. The new export feature is available across all tabs in Threat Explorer and Real-time detections.
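The filter, chart, and export behavior described above can be modeled in a few lines. The following Python is an added illustration, not Microsoft's code and not an API exposed by Threat Explorer or Real-time detections: it applies the default two-day time window (capped at 30 days), ORs comma-separated values within one filter, combines different filters in AND or OR mode, aggregates a filtered result set for the chart (yielding no data when the charted dimension is empty, the scenario the list above describes), and enforces the 200K export cap while letting the caller add fields to the default export set. The record fields, addresses, URLs, and sample messages are constructed placeholders, not Explorer's real column names or data.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW_DAYS = 2      # time filter default described on the page
MAX_WINDOW_DAYS = 30         # maximum the window can be expanded to
EXPORT_LIMIT = 200_000       # email-list export cap described on the page

# Illustrative field names for the default export set; not Explorer's real columns.
DEFAULT_EXPORT_FIELDS = ("received", "sender", "recipient", "subject", "verdict")


@dataclass(frozen=True)
class EmailRecord:
    received: datetime
    sender: str
    recipient: str
    subject: str
    verdict: str          # "Good", "Phish" or "Malware"
    malware_family: str   # empty when no malware was identified
    url: str              # empty when the message carried no URL


def parse_values(raw: str) -> set[str]:
    """Comma-separated values of one filter are OR'd: 'Phish, Malware' matches either."""
    return {v.strip() for v in raw.split(",") if v.strip()}


def time_window(end: datetime, days: int = DEFAULT_WINDOW_DAYS) -> tuple[datetime, datetime]:
    """Return (start, end); the window is always applied and cannot exceed 30 days."""
    if not 1 <= days <= MAX_WINDOW_DAYS:
        raise ValueError(f"window must be 1..{MAX_WINDOW_DAYS} days, got {days}")
    return end - timedelta(days=days), end


def apply_filters(records: list[EmailRecord], filters: dict[str, str], *, end: datetime,
                  days: int = DEFAULT_WINDOW_DAYS, mode: str = "AND") -> list[EmailRecord]:
    """Apply the time filter first, then the attribute filters in AND (default) or OR mode."""
    if mode not in ("AND", "OR"):
        raise ValueError("mode must be 'AND' or 'OR'")
    start, stop = time_window(end, days)
    parsed = {field: parse_values(raw) for field, raw in filters.items()}
    combine = all if mode == "AND" else any
    out: list[EmailRecord] = []
    for r in records:
        if not (start <= r.received <= stop):
            continue
        # With no attribute filters, the time window alone decides membership.
        if parsed and not combine(getattr(r, f) in vals for f, vals in parsed.items()):
            continue
        out.append(r)
    return out


def chart_by(records: list[EmailRecord], dimension: str) -> dict[str, int]:
    """Aggregate a result set by one dimension. Empty values are not charted, so a
    phish-only result set charted by malware family returns {} ("no data available")."""
    return dict(Counter(getattr(r, dimension) for r in records if getattr(r, dimension)))


def export_rows(records: list[EmailRecord], extra_fields: tuple[str, ...] = ()) -> list[dict[str, object]]:
    """Export the default fields plus any extra ones, refusing sets above the 200K cap."""
    if len(records) > EXPORT_LIMIT:
        raise ValueError(f"{len(records)} records exceed the export limit of {EXPORT_LIMIT}; narrow the filters")
    fields = DEFAULT_EXPORT_FIELDS + tuple(f for f in extra_fields if f not in DEFAULT_EXPORT_FIELDS)
    return [{f: getattr(r, f) for f in fields} for r in records]


NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)   # constructed reference time
SAMPLE = [  # constructed sample messages; addresses and URLs are placeholders
    EmailRecord(NOW - timedelta(hours=1), "billing@sender1.example", "alice@tenant.example",
                "Invoice overdue", "Phish", "", "https://login.sender1.example/verify"),
    EmailRecord(NOW - timedelta(hours=30), "hr@sender2.example", "bob@tenant.example",
                "Payroll.xlsm", "Malware", "Trojan:O97M/Sample", ""),
    EmailRecord(NOW - timedelta(days=5), "it@sender3.example", "alice@tenant.example",
                "Password expiry", "Phish", "", "https://reset.sender3.example/"),
    EmailRecord(NOW - timedelta(hours=10), "news@sender4.example", "carol@tenant.example",
                "Weekly digest", "Good", "", ""),
]


if __name__ == "__main__":
    print(len(apply_filters(SAMPLE, {}, end=NOW)), "messages in the default 2-day window")
    print("AND:", len(apply_filters(SAMPLE, {"verdict": "Phish", "recipient": "bob@tenant.example"}, end=NOW)))
    print("OR: ", len(apply_filters(SAMPLE, {"verdict": "Phish", "recipient": "bob@tenant.example"}, end=NOW, mode="OR")))
    print("chart:", chart_by(apply_filters(SAMPLE, {"verdict": "Phish"}, end=NOW), "malware_family"))
```

The five-day-old phish message never appears in the default window, which is the first thing to check when a list looks too short; widening the window to 30 days brings it back. The AND/OR pair shows why a verdict filter plus a recipient filter returns nothing in the default mode when no single message satisfies both.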
Required licenses and permissions
You must have Microsoft Defender for Office 365 to use either Explorer or Real-time detections:
- Explorer is only included in Defender for Office 365 Plan 2.
- The Real-time detections report is included in Defender for Office 365 Plan 1.
Security operations teams need to assign licenses to all users who should be protected by Defender for Office 365, and should be aware that Explorer and Real-time detections show detection data for licensed users.
To view and use Explorer or Real-time detections, you need one of the following permissions:
- In Defender for Office 365:
  - Organization Management
  - Security Administrator (this can be assigned in the Azure Active Directory admin center at https://aad.portal.azure.com)
  - Security Reader
- In Exchange Online:
  - Organization Management
  - View-Only Organization Management
  - View-Only Recipients
  - Compliance Management
Related articles:
- Threat Explorer collect email details on the email entity page
- Find and investigate malicious email that was delivered
- View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
- Threat protection status report
- Automated investigation and response in Microsoft Threat Protection