Threat hunting in Threat Explorer for Microsoft Defender for Office 365

• Applies to:

  ✅ Microsoft Defender for Office 365 plan 1 and plan 2, ✅ Microsoft Defender XDR

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

If your organization has Microsoft Defender for Office 365, and you have the permissions, you can use Explorer or Real-time detections to detect and remediate threats.

In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration, and then choose Explorer or Real-time detections. To go directly to the page, use https://security.microsoft.com/threatexplorer or https://security.microsoft.com/realtimereports.

With these tools, you can:

• See malware detected by Microsoft 365 security features
• View phishing URL and click verdict data
• Start an automated investigation and response process from a view in Explorer
• Investigate malicious email, and more

For more information, see Email security with Threat Explorer.

Tip

Advanced hunting in Microsoft Defender XDR now supports an easy-to-use query builder for analysts who want to hunt through cloud app data and other threat data (if available), even if they do not know Kusto Query Language (KQL). To get started, read Build queries using guided mode.

Watch this short video to learn how to hunt and investigate email and collaboration-based threats using Microsoft Defender for Office 365.

Threat Explorer walk-through

In Microsoft Defender for Office 365, there are two subscription plans—Plan 1 and Plan 2. Manually operated Threat hunting tools exist in both plans, under different names and with different capabilities.

Defender for Office 365 Plan 1 uses Real-time detections, which is a subset of the Threat Explorer (also called Explorer) hunting tool in Plan 2. In this series of articles, most of the examples were created using the full Threat Explorer. Admins should test any steps in Real-time detections to see where they apply.

After you go to Explorer, by default, you'll arrive on the All email page, but use the tabs to navigate to the available views. If you're hunting phish or digging into a threat campaign, choose those views.

Once a security operations (Sec Ops) person selects the data they want to see, they can further narrow down the data by applying filters such as Sender, Recipient, and Subject, or select an appropriate date range to get the desired results. Remember to select Refresh to complete your filtering actions.

Refining focus in Explorer or Real-time detection can be thought of in layers. The first is View. The second can be thought of as a filtered focus. For example, you can retrace the steps you took in finding a threat by recording your decisions like this: To find the issue in Explorer, I chose the Malware View with a Recipient filter focus. This makes retracing your steps easier.

Tip

If Sec Ops uses Tags to mark accounts they consider high valued targets, they can make selections like Phish View with a Tags filter focus (include a date range if used). This will show them any phishing attempts directed at their high value user targets during a time-range (like dates when certain phishing attacks are happening a lot for their industry).

With the new version of Threat Explorer, users can use the following new dropdown options with four new operators on the filters:

• Equals any of – returns values matching the exact user input.
• Equals none of – returns values not matching the exact user input.
• Contains any of – returns values partially matching user input.
• Contains none of – returns values not partially matching user input.

Note that these filter conditions are available based on filter types and input types.

Use the Column options button to get the kind of information on the table that would be most helpful:

In the same mien, make sure to test your display options. Different audiences will react well to different presentations of the same data. For some viewers, the Email Origins map can show that a threat is widespread or discreet more quickly than the Campaign display option right next to it. Sec Ops can make use of these displays to best make points that underscore the need for security and protection, or for later comparison, to demonstrate the effectiveness of their actions.

Email investigation

When you see a suspicious email, click the name to expand the flyout on the right. Here, the banner that lets Sec Ops see the email entity page is available.

The email entity page pulls together contents that can be found under Details, Attachments, Devices, but includes more organized data. This includes things like DMARC results, plain text display of the email header with a copy option, verdict information on attachments that were securely detonated, and files those detonations dropped (can include IP addresses that were contacted and screenshots of pages or files). URLs and their verdicts are also listed with similar details reported.

When you reach this stage, the email entity page will be critical to the final step—remediation.

Tip

To learn more about the rich email entity page (seen below on the Analysis tab), including the results of detonated Attachments, findings for included URLs, and safe Email preview, click here.

Email remediation

Once a Sec Ops person determines that an email is a threat, the next Explorer or Real-time detection step is dealing with the threat and remediating it. This can be done by returning to Threat Explorer, selecting the checkbox for the problem email, and using the Actions button.

Here, the analyst can take actions like reporting the mail as Spam, Phishing, or Malware, contacting recipients, or further investigations that can include triggering Automated Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the mail can also be reported as clean.

Required licenses and permissions

You must have Microsoft Defender for Office 365 to use Explorer or Real-time detections.

• Explorer is included in Defender for Office 365 Plan 2.
• The Real-time detections report is included in Defender for Office 365 Plan 1.
• Plan to assign licenses for all users who should be protected by Defender for Office 365. Explorer and Real-time detections show detection data for licensed users.

To view and use Explorer or Real-time detections, you must have the following permissions:

• In the Microsoft Defender portal:
  • Organization Management
  • Security Administrator (this can be assigned in the Microsoft Entra admin center (https://aad.portal.azure.com)
  • Security Reader
• In Exchange Online:
  • Organization Management
  • View-Only Organization Management
  • View-Only Recipients
  • Compliance Management

To learn more about roles and permissions, see the following resources:

• Permissions in the Microsoft Defender portal
• Permissions in Exchange Online
• Exchange Online PowerShell

More information

• Find and investigate malicious email that was delivered
• View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
• Get an overview of the views in Threat Explorer (and Real-time detections)
• Threat protection status report
• Automated investigation and response in Microsoft Threat Protection
• Investigate emails with the Email Entity Page