About Threat Explorer and Real-time detections in Microsoft Defender for Office 365

• Odnosi se na:

  ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2, ✅ Microsoft Defender XDR

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Microsoft 365 organizations that have Microsoft Defender for Office 365 included in their subscription or purchased as an add-on have Explorer (also known as Threat Explorer) or Real-time detections. These features are powerful, near real-time reporting tools that help Security Operations (SecOps) teams investigate and respond to threats.

Depending on your subscription, Threat Explorer or Real-time detections is available in the Email & collaboration section in the Microsoft Defender portal at https://security.microsoft.com:

• Real-time detections is available in Defender for Office 365 Plan 1. The Real-time detections page is available directly at https://security.microsoft.com/realtimereportsv3.

  

• Threat Explorer is available in Defender for Office 365 Plan 2. The Explorer page is available directly at https://security.microsoft.com/threatexplorerv3.

  

Threat Explorer contains the same information and capabilities as Real-time detections, but with the following additional features:

• More views.
• More property filtering options, including the option to save queries.
• More actions.

For more information about the differences between Defender for Office 365 Plan 1 and Plan 2, see the Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet.

The rest of this article explains the views and features that are available in Threat Explorer and Real-time detections.

Tip

For email scenarios using Threat Explorer and Real-time detections, see the following articles:

• Threat hunting in Threat Explorer and Real-time detections in Microsoft Defender for Office 365
• Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365
• Investigate malicious email that was delivered in Microsoft 365

Permissions and licensing for Threat Explorer and Real-time detections

To use Explorer or Real-time detections, you need to be assigned permissions. You have the following options:

• Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell):
  • Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
  • Preview and download email messages: Security operations/Raw data (email & collaboration)/Email & collaboration content (read).
  • Remediate malicious email: Security operations/Security data/Email & collaboration advanced actions (manage).
• Email & collaboration permissions in the Microsoft Defender portal:
  • Full access: Membership in the Organization Management or Security Administrator role groups. More permissions are required to do all available actions:
    • Preview and download messages: Requires the Preview role, which is assigned only to the Data Investigator or eDiscovery Manager role groups by default. Or, you can create a new role group with the Preview role assigned, and add the users to the custom role group.
    • Move messages in and delete messages from mailboxes: Requires the Search and Purge role, which is assigned only to the Data Investigator or Organization Management role groups by default. Or, you can create a new role group with the Search and Purge role assigned, and add the users to the custom role group.
  • Read-only access: Membership in the Security Reader role group.
• Microsoft Entra permissions: Membership these roles gives users the required permissions and permissions for other features in Microsoft 365:

  • Full access: Membership in the Global Administrator^* or Security Administrator roles.

  • Search for Exchange mail flow rules (transport rules) by name in Threat Explorer: Membership in the Security Administrator or Security Reader roles.

  • Read-only access: Membership in the Global Reader or Security Reader roles.

    Important

    ^* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Tip

End-user spam notifications and system generated messages aren't avaialble in Threat Explorer. These types of messages are available if there's a mail flow rule (also known as a transport rule) to override.

Audit log entries are generated when admins preview or download email messages. You can search the admin audit log by user for AdminMailAccess activity. For instructions, see Audit New Search.

To use Threat Explorer or Real-time detections, you need to be assigned a license for Defender for Office 365 (included in your subscription or an add-on license).

Threat Explorer or Real-time detections contains data for users with Defender for Office 365 licenses assigned to them.

Elements of Threat Explorer and Real-time detections

Threat Explorer and Real-time detections contain the following elements:

• Views: Tabs at the top of the page that organize detections by threat. The view affects the rest of the data and options on the page.

  The following table lists the available views in Threat Explorer and Real-time detections:

  View	Threat Explorer	Real-time detections	Description
  All email	✔		Default view for Threat Explorer. Information about all email messages sent by external users into your organization (Inbound), email messages sent by internal users in your organization to external users (Outbound), and email messages sent between internal users in your organization (Intra-org).
  Malware	✔	✔	Default view for Real-time detections. Information about email messages that contain malware.
  Phish	✔	✔	Information about email messages that contain phishing threats.
  Campaigns	✔		Information about malicious email that Defender for Office 365 Plan 2 identified as part of a coordinated phishing or malware campaign.
  Content malware	✔	✔	Information about malicious files detected by the following features: Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams Safe Attachments for Sharepoint, OneDrive, and Microsoft Teams
  URL clicks	✔		Information about user clicks on URLs in email messages, Teams messages, SharePoint files, and OneDrive files.

  These views are described in detail in this article, including the differences between Threat Explorer and Real-time detections.

• Date/time filters: By default, the view is filtered by yesterday and today. To change the date filter, select the date range, and then select Start Date and End date values up to 30 days ago.

  

• Property filters (queries): Filter the results in the view by the available message, file, or threat properties. The available filterable properties depend on the view. Some properties are available in many views, while other properties are limited to a specific view.

  The available property filters for each view are listed in this article, including the differences between Threat Explorer and Real-time detections.

  For instructions to create property filters, see Property filters in Threat Explorer and Real-time detections

  Threat Explorer allows you to save queries for later use as described in the Saved queries in Threat Explorer section.

• Charts: Each view contains a visual, aggregate representation of the filtered or unfiltered data. You can use available pivots to organize the chart in different ways.

  You can often use Export chart data to export filtered or unfiltered chart data to a CSV file.

  The charts and available pivots are described in detail in this article, including the differences between Threat Explorer and Real-time detections.

  Tip

  To remove the chart from the page (which maximizes the size of the details area), use either of the following methods:

  • Select Chart View > List View at the top of the page.
  • Select Show list view between the chart and the details area.

• Details area: The details area for a view typically shows a table that contains the filtered or unfiltered data. You can use the available views (tabs) to organize the data in the details area in different ways. For example, a view might contain charts, maps, or different tables.

  If the details area contains a table, you can often use Export to selectively export up to 200,000 filtered or unfiltered results to a CSV file.

  Tip

  In the Export flyout, you can select some or all of the available properties to export. The selections are saved per user. Selections in Incognito or InPrivate browsing mode are saved until you close the web browser.

All email view in Threat Explorer

The All email view in Threat Explorer shows information about all inbound, outbound, and intra-org email messages. The view shows malicious and non-malicious email. For example:

• Email identified phishing or malware.
• Email identified as spam or bulk.
• Email identified with no threats.

This view is the default in Threat Explorer. To open the All email view on the Explorer page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > All email tab. Or, go directly to the Explorer page using https://security.microsoft.com/threatexplorerv3, and then verify that the All email tab is selected.

Filterable properties in the All email view in Threat Explorer

By default, no property filters are applied to the data. The steps to create filters (queries) are described in the Filters in Threat Explorer and Real-time detections section later in this article.

The filterable properties that are available in the Delivery action box in the All email view are described in the following table:

Property	Type
Basic
Sender address	Text. Separate multiple values by commas.
Recipients	Text. Separate multiple values by commas.
Sender domain	Text. Separate multiple values by commas.
Recipient domain	Text. Separate multiple values by commas.
Subject	Text. Separate multiple values by commas.
Sender display name	Text. Separate multiple values by commas.
Sender mail from address	Text. Separate multiple values by commas.
Sender mail from domain	Text. Separate multiple values by commas.
Return path	Text. Separate multiple values by commas.
Return path domain	Text. Separate multiple values by commas.
Malware family	Text. Separate multiple values by commas.
Tags	Text. Separate multiple values by commas. For more information about user tags, see User tags.
Impersonated domain	Text. Separate multiple values by commas.
Impersonated user	Text. Separate multiple values by commas.
Exchange transport rule	Text. Separate multiple values by commas.
Data loss prevention rule	Text. Separate multiple values by commas.
Context	Select one or more values: Evaluation Priority account protection
Connector	Text. Separate multiple values by commas.
Delivery action	Select one or more values: Blocked: Email messages that were quarantined, that failed delivery, or were dropped. Delivered: Email delivered to the user's Inbox or other folder where the user can access the message. Delivered to junk: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message. Replaced: Message attachments that were replaced by Dynamic Delivery in Safe Attachments policies.
Additional action	Select one or more values: Automated remediation Dynamic Delivery: For more information, see Dynamic Delivery in Safe Attachments policies. Manual remediation None Quarantine release Reprocessed: The message was retroactively identified as good. ZAP: For more information, see Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365.
Directionality	Select one or more values: Inbound Intra-org Outbound
Detection technology	Select one or more values: Advanced filter: Signals based on machine learning. Antimalware protection Bulk Campaign Domain reputation File detonation: Safe Attachments detected a malicious attachment during detonation analysis. File detonation reputation: File attachments previously detected by Safe Attachments detonations in other Microsoft 365 organizations. File reputation: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations. Fingerprint matching: The message closely resembles a previous detected malicious message. General filter Impersonation brand: Sender impersonation of well-known brands. Impersonation domain: Impersonation of sender domains that you own or specified for protection in anti-phishing policies Impersonation user IP reputation Mailbox intelligence impersonation: Impersonation detections from mailbox intelligence in anti-phishing policies. Mixed analysis detection: Multiple filters contributed to the message verdict. spoof DMARC: The message failed DMARC authentication. Spoof external domain: Sender email address spoofing using a domain that's external to your organization. Spoof intra-org: Sender email address spoofing using a domain that's internal to your organization. URL detonation reputation: URLs previously detected by Safe Links detonations in other Microsoft 365 organizations. URL malicious reputation: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.
Original delivery location	Select one or more values: Deleted Items folder Dropped Failed Inbox/folder Junk folder On-prem/external Quarantine Unknown
Latest delivery location¹	Same values as Original delivery location
Phish confidence level	Select one or more values: High Normal
Primary override	Select one or more values: Allowed by organization policy Allowed by user policy Blocked by organization policy Blocked by user policy None
Primary override source	Messages can have multiple allow or block overrides as identified in Override source. The override that ultimately allowed or blocked the message is identified in Primary override source. Select one or more values: 3rd Party Filter Admin initiated time travel (ZAP) Antimalware policy block by file type Antispam policy settings Connection policy Exchange transport rule Exclusive mode (User override) Filtering skipped due to on-prem organization IP region filter from policy Language filter from policy Phishing Simulation Quarantine release SecOps Mailbox Sender address list (Admin Override) Sender address list (User override) Sender domain list (Admin Override) Sender domain list (User override) Tenant Allow/Block List file block Tenant Allow/Block List sender email address block Tenant Allow/Block List spoof block Tenant Allow/Block List URL block Trusted contact list (User override) Trusted domain (User override) Trusted recipient (User override) Trusted senders only (User override)
Override source	Same values as Primary override source
Policy type	Select one or more values: Anti-malware policy Anti-phishing policy Exchange transport rule (mail flow rule), Hosted content filter policy (anti-spam policy), Hosted outbound spam filter policy (outbound spam policy), Safe Attachments policy Unknown
Policy action	Select one or more values: Add x-header Bcc message Delete message Modify subject Move to Junk Email folder No action taken Redirect message Send to quarantine
Threat type	Select one or more values: Malware Phish Spam
Forwarded message	Select one or more values: True False
Distribution list	Text. Separate multiple values by commas.
Email size	Integer. Separate multiple values by commas.
Advanced
Internet Message ID	Text. Separate multiple values by commas. Available in the Message-ID header field in the message header. An example value is <08f1e0f6806a47b4ac103961109ae6ef@server.domain> (note the angle brackets).
Network message ID	Text. Separate multiple values by commas. A GUID value that's available in the X-MS-Exchange-Organization-Network-Message-Id header field in the message header.
Sender IP	Text. Separate multiple values by commas.
Attachment SHA256	Text. Separate multiple values by commas.
Cluster ID	Text. Separate multiple values by commas.
Alert ID	Text. Separate multiple values by commas.
Alert Policy ID	Text. Separate multiple values by commas.
Campaign ID	Text. Separate multiple values by commas.
ZAP URL signal	Text. Separate multiple values by commas.
Urls
URL Count	Integer. Separate multiple values by commas.
URL domain²	Text. Separate multiple values by commas.
URL domain and path²	Text. Separate multiple values by commas.
URL²	Text. Separate multiple values by commas.
URL path²	Text. Separate multiple values by commas.
URL source	Select one or more values: Attachments Cloud attachment Email body Email header QR Code Subject Unknown
Click verdict	Select one or more values: Allowed: The user was allowed to open the URL. Block overridden: The user was blocked from directly opening the URL, but they overrode the block to open the URL. Blocked: The user was blocked from opening the URL. Error: The user was presented with the error page, or an error occurred in capturing the verdict. Failure: An unknown exception occurred while capturing the verdict. The user might have opened the URL. None: Unable to capture the verdict for the URL. The user might have opened the URL. Pending verdict: The user was presented with the detonation pending page. Pending verdict bypassed: The user was presented with the detonation page, but they overrode the message to open the URL.
URL Threat	Select one or more values: Malware Phish Spam
File
Attachment Count	Integer. Separate multiple values by commas.
Attachment filename	Text. Separate multiple values by commas.
File type	Text. Separate multiple values by commas.
File Extension	Text. Separate multiple values by commas.
File Size	Integer. Separate multiple values by commas.
Authentication
SPF	Select one or more values: Fail Neutral None Pass Permanent error Soft fail Temporary error
DKIM	Select one or more values: Error Fail Ignore None Pass Test Timeout Unknown
DMARC	Select one or more values: Best guess pass Fail None Pass Permanent error Selector pass Temporary error Unknown
Composite	Select one or more values: Fail None Pass Soft pass

Tip

¹ Latest delivery location doesn't include end-user actions on messages. For example, if the user deleted the message or moved the message to an archive or PST file.

There are scenarios where Original delivery location/Latest delivery location and/or Delivery action have the value Unknown. For example:

• The message was delivered (Delivery action is Delivered), but an Inbox rule moved the message to a default folder other than the Inbox or Junk Email folder (for example, the Draft or Archive folder).
• ZAP attempted to move the message after delivery, but the message wasn't found (for example, the user moved or deleted the message).

² By default, a URL search maps to http, unless another value is explicitly specified. For example:

• Searching with and without the http:// prefix in URL, URL Domain, and URL Domain and Path should show the same results.
• Search for the https:// prefix in URL. When no value is specified, the http:// prefix is assumed.
• / at the beginning and end of the URL path, URL Domain, URL domain and path fields is ignored.
• / at the end of the URL field is ignored.

Pivots for the chart in the All email view in Threat Explorer

The chart has a default view, but you can select a value from Select pivot for histogram chart to change how the filtered or unfiltered chart data is organized and displayed.

The available chart pivots are described in the following subsections.

Delivery action chart pivot in the All email view in Threat Explorer

Although this pivot doesn't look selected by default, Delivery action is the default chart pivot in the All email view.

The Delivery action pivot organizes the chart by the actions taken on messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each delivery action.

Sender domain chart pivot in the All email view in Threat Explorer

The Sender domain pivot organizes the chart by the domains in messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each sender domain.

Sender IP chart pivot in the All email view in Threat Explorer

The Sender IP pivot organizes the chart by the source IP addresses of messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each sender IP address.

Detection technology chart pivot in the All email view in Threat Explorer

The Detection technology pivot organizes the chart by the feature that identified messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each detection technology.

Full URL chart pivot in the All email view in Threat Explorer

The Full URL pivot organizes the chart by the full URLs in messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each full URL.

URL domain chart pivot in the All email view in Threat Explorer

The URL domain pivot organizes the chart by the domains in URLs in messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL domain.

URL domain and path chart pivot in the All email view in Threat Explorer

The URL domain and path pivot organizes the chart by the domains and paths in URLs in messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL domain and path.

Views for the details area of the All email view in Threat Explorer

The available views (tabs) in the details area of the All email view are described in the following subsections.

Email view for the details area of the All email view in Threat Explorer

Email is the default view for the details area in the All email view.

The Email view shows a details table. You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (^*):

• Date^*
• Subject^*
• Recipient^*
• Recipient domain
• Tags^*
• Sender address^*
• Sender display name
• Sender domain^*
• Sender IP
• Sender mail from address
• Sender mail from domain
• Additional actions^*
• Delivery action
• Latest delivery location^*
• Original delivery location^*
• System overrides source
• System overrides
• Alert ID
• Internet message ID
• Network message ID
• Mail language
• Exchange transport rule
• Connector
• Context
• Data loss prevention rule
• Threat type^*
• Detection technology
• Attachment Count
• URL Count
• Email size

Tip

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Remove columns from the view.
• Zoom out in your web browser.

Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser.

When you select one or more entries from the list by selecting the check box next to the first column, the Take action is available. For information, see Threat hunting: Email remediation.

In the Subject value for the entry, the Open in new window action is available. This action opens the message in the Email entity page.

When you click on the Subject or Recipient values in an entry, details flyouts open. These flyouts are described in the following subsections.

Email details from the Email view of the details area in the All email view

When you select the Subject value of an entry in the table, an email details flyout opens. This details flyout is known as the Email summary panel and contains standardized summary information that's also available on the Email entity page for the message.

For details about the information in the Email summary panel, see The Email summary panel in Defender.

The following actions are available at the top of the Email summary panel for Threat Explorer and Real-time detections:

• Open email entity
• View header
• Take action: For information, see Threat hunting: Email remediation.
• More options:
  • Email preview¹ ²
  • Download email¹ ² ³
  • View in Explorer
  • Go hunt⁴

¹ The Email preview and Download email actions require the Preview role in Email & collaboration permissions. By default, this role is assigned to the Data Investigator and eDiscovery Manager role groups. By default, members of the Organization Management or Security Administrators role groups can't do these actions. To allow these actions for the members of those groups, you have the following options:

• Add the users to the Data Investigator or eDiscovery Manager role groups.
• Create a new role group with the Search and Purge role assigned, and add the users to the custom role group.

² You can preview or download email messages that are available in Microsoft 365 mailboxes. Examples of when messages are no longer available in mailboxes include:

• The message was dropped before delivery or delivery failed.
• The message was soft deleted (deleted from the Deleted items folder, which moves the message to the Recoverable Items\Deletions folder).
• ZAP moved the message to quarantine.

³ Download email isn't available for messages that were quarantined. Instead, download a password protected copy of the message from quarantine.

⁴ Go hunt is available only in Threat Explorer. It isn't available in Real-time detections.

Recipient details from the Email view of the details area in the All email view

When you select an entry by clicking on the Recipient value, a details flyout opens with the following information:

Tip

To see details about other recipients without leaving the details flyout, use Previous item and Next item at the top of the flyout.

• Summary section:

  • Role: Whether the recipient has any admin roles assigned.
  • Policies:
    • Whether the user has permission to see archive information.
    • Whether the user has permission to see retention information.
    • Whether the user is covered by data loss prevention (DLP).
    • Whether the user is covered by Mobile management at https://portal.office.com/EAdmin/Device/IntuneInventory.aspx.

• Email section: A table showing the following related information for messages sent to the recipient:

  • Date
  • Subject
  • Recipient

  Select View all email to open Threat Explorer in a new tab filtered by the recipient.

• Recent alerts section: A table showing the following related information for related recent alerts:

  • Severity
  • Alert policy
  • Category
  • Activities

  If there are more than three recent alerts, select View all recent alerts to see all of them.

  • Recent activity section: Shows the summarized results of an Audit log search for the recipient:

    • Date
    • IP address
    • Activity
    • Item

    If the recipient has more than three audit log entries, select View all recent activity to see all of them.

  Tip

  Members of the Security Administrators role group in Email & collaboration permissions can't expand the Recent activity section. You need to be a member of a role group in Exchange Online permissions that has the Audit Logs, Information Protection Analyst, or Information Protection Investigator roles assigned. By default, those roles are assigned to the Records Management, Compliance Management, Information Protection, Information Protection Analysts, Information Protection Investigators, and Organization Management role groups. You can add the members of Security Administrators to those role groups, or you can create a new role group with with the Audit Logs role assigned.

URL clicks view for the details area of the All email view in Threat Explorer

The URL clicks view shows a chart that can be organized using pivots. The chart has a default view, but you can select a value from Select pivot for histogram chart to change how the filtered or unfiltered chart data is organized and displayed.

The chart pivots are described in the following subsections.

Tip

In Threat Explorer, each pivot in URL clicks view has a View all clicks action that opens the URL clicks view in a new tab.

URL domain pivot for the URL clicks view for the details area of the All email view in Threat Explorer

Although this chart pivot doesn't appear to be selected, URL domain is the default chart pivot in the URL clicks view.

The URL domain pivot shows the different domains in URLs in email messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL domain.

Click verdict pivot for the URL clicks view for the details area of the All email view in Threat Explorer

The Click verdict pivot shows the different verdicts for clicked URLs in email messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each click verdict.

URL pivot for the URL clicks view for the details area of the All email view in Threat Explorer

The URL pivot shows the different URLs that were clicked in email messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL.

URL domain and path pivot for the URL clicks view for the details area of the All email view in Threat Explorer

The URL domain and path pivot shows the different domains and file paths of URLs that were clicked in email messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL domain and file path.

Top URLs view for the details area of the All email view in Threat Explorer

The Top URLs view shows a details table. You can sort the entries by clicking on an available column header:

• URL
• Messages blocked
• Messages junked
• Messages delivered

Top URLs details for the All email view

When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens with the following information:

Tip

To see details about other URLs without leaving the details flyout, use Previous item and Next item at the top of the flyout.

• The following actions are available at the top of the flyout:

  • Open URL page

  • Submit for analysis:

    • Report clean
    • Report phishing
    • Report malware

  • Manage indicator:

    • Add indicator
    • Manage in tenant block list

    Selecting any of these options takes you to the Submissions page in the Defender portal.

  • More:

    • View in Explorer
    • Go hunt
• Original URL
• Detection section:
  • Threat intelligence verdict
  • x active alerts y incidents: A horizontal bar graph that shows the number of High, Medium, Low, and Info alerts that are related to this link.
  • A link to View all incidents & alerts in URL page.
• Domain details section:
  • Domain name and a link to View domain page.
  • Registrant
  • Registered on
  • Updated on
  • Expires on
• Registrant contact info section:
  • Registrar
  • Country/Region
  • Mailing address
  • Email
  • Phone
  • More info: A link to Open at Whois.
• URL prevalence (last 30 days) section: Contains the number of Devices, Email, and Clicks. Select each value to view the full list.
• Devices: Shows the affected devices:

  • Date (First / Last)

  • Devices

    If more than two devices are involved, select View all devices to see all of them.

Top clicks view for the details area of the All email view in Threat Explorer

The Top clicks view shows a details table. You can sort the entries by clicking on an available column header:

• URL
• Blocked
• Allowed
• Block overridden
• Pending verdict
• Pending verdict bypassed
• None
• Error page
• Failure

Tip

All available columns are selected. If you select Customize columns, you can't deselect any columns.

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Zoom out in your web browser.

When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in Top URLs details for the All email view.

Top targeted users view for the details area of the All email view in Threat Explorer

The Top targeted users view organizes the data into a table of the top five recipients who were targeted by the most threats. The table contains the following information:

• Top targeted users: The recipient's email address. If you select a recipient address, a details flyout opens. The information in the flyout is the same as described in Recipient details from the Email view of the details area in the All email view.

• The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the recipient.

Tip

Use Export to export the list of up to 3000 users and the corresponding attempts.

Email origin view for the details area of the All email view in Threat Explorer

The Email origin view shows message sources on a map of the world.

Campaign view for the details area of the All email view in Threat Explorer

The Campaign view shows a details table. You can sort the entries by clicking on an available column header.

The information in the table is the same as described in details table on the Campaigns page.

When you select an entry by clicking anywhere in the row other than the check box next to the Name, a details flyout opens. The information in the flyout is the same as described in Campaign details.

Malware view in Threat Explorer and Real-time detections

The Malware view in Threat Explorer and Real-time detections shows information about email messages that were found to contain malware. This view is the default in Real-time detections.

To open the Malware view, do one of the following steps:

• Threat Explorer: On the Explorer page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > Malware tab. Or, go directly to the Explorer page using https://security.microsoft.com/threatexplorerv3, and then select the Malware tab.
• Real-time detections: On the Real-time detections page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > Malware tab. Or, go directly to the Real-time detections page using https://security.microsoft.com/realtimereportsv3, and then verify that the Malware tab is selected.

Filterable properties in the Malware view in Threat Explorer and Real-time detections

By default, no property filters are applied to the data. The steps to create filters (queries) are described in the Filters in Threat Explorer and Real-time detections section later in this article.

The filterable properties that are available in the Sender address box in the Malware view are described in the following table:

Property	Type	Threat Explorer	Real-time detections
Basic
Sender address	Text. Separate multiple values by commas.	✔	✔
Recipients	Text. Separate multiple values by commas.	✔	✔
Sender domain	Text. Separate multiple values by commas.	✔	✔
Recipient domain	Text. Separate multiple values by commas.	✔	✔
Subject	Text. Separate multiple values by commas.	✔	✔
Sender display name	Text. Separate multiple values by commas.	✔	✔
Sender mail from address	Text. Separate multiple values by commas.	✔	✔
Sender mail from domain	Text. Separate multiple values by commas.	✔	✔
Return path	Text. Separate multiple values by commas.	✔	✔
Return path domain	Text. Separate multiple values by commas.	✔	✔
Malware family	Text. Separate multiple values by commas.	✔	✔
Tags	Text. Separate multiple values by commas. For more information about user tags, see User tags.	✔
Exchange transport rule	Text. Separate multiple values by commas.	✔
Data loss prevention rule	Text. Separate multiple values by commas.	✔
Context	Select one or more values: Evaluation Priority account protection	✔
Connector	Text. Separate multiple values by commas.	✔
Delivery action	Select one or more values: Blocked Delivered Delivered to junk Replaced: Message attachments that were replaced by Dynamic Delivery in Safe Attachments policies.	✔	✔
Additional action	Select one or more values: Automated remediation Dynamic Delivery: For more information, see Dynamic Delivery in Safe Attachments policies. Manual remediation None Quarantine release Reprocessed ZAP: For more information, see Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365.	✔	✔
Directionality	Select one or more values: Inbound Intra-org Outbound	✔	✔
Detection technology	Select one or more values: Advanced filter: Signals based on machine learning. Antimalware protection Bulk Campaign Domain reputation File detonation: Safe Attachments detected a malicious attachment during detonation analysis. File detonation reputation: File attachments previously detected by Safe Attachments detonations in other Microsoft 365 organizations. File reputation: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations. Fingerprint matching: The message closely resembles a previous detected malicious message. General filter Impersonation brand: Sender impersonation of well-known brands. Impersonation domain: Impersonation of sender domains that you own or specified for protection in anti-phishing policies Impersonation user IP reputation Mailbox intelligence impersonation: Impersonation detections from mailbox intelligence in anti-phishing policies. Mixed analysis detection: Multiple filters contributed to the message verdict. spoof DMARC: The message failed DMARC authentication. Spoof external domain: Sender email address spoofing using a domain that's external to your organization. Spoof intra-org: Sender email address spoofing using a domain that's internal to your organization. URL detonation: Safe Links detected a malicious URL in the message during detonation analysis. URL detonation reputation: URLs previously detected by Safe Links detonations in other Microsoft 365 organizations. URL malicious reputation: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.	✔	✔
Original delivery location	Select one or more values: Deleted Items folder Dropped Failed Inbox/folder Junk folder On-prem/external Quarantine Unknown	✔	✔
Latest delivery location	Same values as Original delivery location	✔	✔
Primary override	Select one or more values: Allowed by organization policy Allowed by user policy Blocked by organization policy Blocked by user policy None	✔	✔
Primary override source	Messages can have multiple allow or block overrides as identified in Override source. The override that ultimately allowed or blocked the message is identified in Primary override source. Select one or more values: 3rd Party Filter Admin initiated time travel (ZAP) Antimalware policy block by file type Antispam policy settings Connection policy Exchange transport rule Exclusive mode (User override) Filtering skipped due to on-prem organization IP region filter from policy Language filter from policy Phishing Simulation Quarantine release SecOps Mailbox Sender address list (Admin Override) Sender address list (User override) Sender domain list (Admin Override) Sender domain list (User override) Tenant Allow/Block List file block Tenant Allow/Block List sender email address block Tenant Allow/Block List spoof block Tenant Allow/Block List URL block Trusted contact list (User override) Trusted domain (User override) Trusted recipient (User override) Trusted senders only (User override)	✔	✔
Override source	Same values as Primary override source	✔	✔
Policy type	Select one or more values: Anti-malware policy Anti-phishing policy Exchange transport rule (mail flow rule), Hosted content filter policy (anti-spam policy), Hosted outbound spam filter policy (outbound spam policy), Safe Attachments policy Unknown	✔	✔
Policy action	Select one or more values: Add x-header Bcc message Delete message Modify subject Move to Junk Email folder No action taken Redirect message Send to quarantine	✔	✔
Email size	Integer. Separate multiple values by commas.	✔	✔
Advanced
Internet Message ID	Text. Separate multiple values by commas. Available in the Message-ID header field in the message header. An example value is <08f1e0f6806a47b4ac103961109ae6ef@server.domain> (note the angle brackets).	✔	✔
Network message ID	Text. Separate multiple values by commas. A GUID value that's available in the X-MS-Exchange-Organization-Network-Message-Id header field in the message header.	✔	✔
Sender IP	Text. Separate multiple values by commas.	✔	✔
Attachment SHA256	Text. Separate multiple values by commas.	✔	✔
Cluster ID	Text. Separate multiple values by commas.	✔	✔
Alert ID	Text. Separate multiple values by commas.	✔	✔
Alert Policy ID	Text. Separate multiple values by commas.	✔	✔
Campaign ID	Text. Separate multiple values by commas.	✔	✔
ZAP URL signal	Text. Separate multiple values by commas.	✔	✔
Urls
URL Count	Integer. Separate multiple values by commas.	✔	✔
URL domain	Text. Separate multiple values by commas.	✔	✔
URL domain and path	Text. Separate multiple values by commas.	✔	✔
URL	Text. Separate multiple values by commas.	✔	✔
URL path	Text. Separate multiple values by commas.	✔	✔
URL source	Select one or more values: Attachments Cloud attachment Email body Email header QR Code Subject Unknown	✔	✔
Click verdict	Select one or more values: Allowed Block overridden Blocked Error Failure None Pending verdict Pending verdict bypassed	✔	✔
URL Threat	Select one or more values: Malware Phish Spam	✔	✔
File
Attachment Count	Integer. Separate multiple values by commas.	✔	✔
Attachment filename	Text. Separate multiple values by commas.	✔	✔
File type	Text. Separate multiple values by commas.	✔	✔
File Extension	Text. Separate multiple values by commas.	✔	✔
File Size	Integer. Separate multiple values by commas.	✔	✔
Authentication
SPF	Select one or more values: Fail Neutral None Pass Permanent error Soft fail Temporary error	✔	✔
DKIM	Select one or more values: Error Fail Ignore None Pass Test Timeout Unknown	✔	✔
DMARC	Select one or more values: Best guess pass Fail None Pass Permanent error Selector pass Temporary error Unknown	✔	✔
Composite	Select one or more values: Fail None Pass Soft pass

Pivots for the chart in the Malware view in Threat Explorer and Real-time Detections

The chart has a default view, but you can select a value from Select pivot for histogram chart to change how the filtered or unfiltered chart data is organized and displayed.

The chart pivots that are available in the Malware view in Threat Explorer and Real-time detections are listed in the following table:

Pivot	Threat Explorer	Real-time detections
Malware family	✔
Sender domain	✔
Sender IP	✔
Delivery action	✔	✔
Detection technology	✔	✔

The available chart pivots are described in the following subsections.

Malware family chart pivot in the Malware view in Threat Explorer

Although this pivot doesn't look selected by default, Malware family is the default chart pivot in the Malware view in Threat Explorer.

The Malware family pivot organizes the chart by the malware family detected in messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each malware family.

Sender domain chart pivot in the Malware view in Threat Explorer

The Sender domain pivot organizes the chart by the sender domain of messages that were found to contain malware for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each sender domain.

Sender IP chart pivot in the Malware view in Threat Explorer

The Sender IP pivot organizes the chart by the source IP address of messages that were found to contain malware for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each source IP address.

Delivery action chart pivot in the Malware view in Threat Explorer and Real-time detections

Although this pivot doesn't look selected by default, Delivery action is the default chart pivot in the Malware view in Real-time detections.

The Delivery action pivot organizes the chart by what happened to messages that were found to contain malware for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each delivery action.

Detection technology chart pivot in the Malware view in Threat Explorer and Real-time detections

The Detection technology pivot organizes the chart by the feature that identified malware in messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each detection technology.

Views for the details area of the Malware view in Threat Explorer and Real-time detections

The available views (tabs) in the details area of the Malware view are listed in the following table, and are described in the following subsections.

View	Threat Explorer	Real-time detections
Email	✔	✔
Top malware families	✔
Top targeted users	✔
Email origin	✔
Campaign	✔

Email view for the details area of the Malware view in Threat Explorer and Real-time detections

Email is the default view for the details area of the Malware view in Threat Explorer and Real-time detections.

The Email view shows a details table. You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown.

The following table shows the columns that are available in Threat Explorer and Real-time detections. The default values are marked with an asterisk (^*).

Column	Threat Explorer	Real-time detections
Date*	✔	✔
Subject*	✔	✔
Recipient*	✔	✔
Recipient domain	✔	✔
Tags*	✔
Sender address*	✔	✔
Sender display name	✔	✔
Sender domain*	✔	✔
Sender IP	✔	✔
Sender mail from address	✔	✔
Sender mail from domain	✔	✔
Additional actions*	✔	✔
Delivery action	✔	✔
Latest delivery location*	✔	✔
Original delivery location*	✔	✔
System overrides source	✔	✔
System overrides	✔	✔
Alert ID	✔	✔
Internet message ID	✔	✔
Network message ID	✔	✔
Mail language	✔	✔
Exchange transport rule	✔
Connector	✔
Context	✔	✔
Data loss prevention rule	✔	✔
Threat type*	✔	✔
Detection technology	✔	✔
Attachment Count	✔	✔
URL Count	✔	✔
Email size	✔	✔

Tip

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Remove columns from the view.
• Zoom out in your web browser.

Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser.

When you select one or more entries from the list by selecting the check box next to the first column, the Take action is available. For information, see Threat hunting: Email remediation.

When you click on the Subject or Recipient values in an entry, details flyouts open. These flyouts are described in the following subsections.

Email details from the Email view of the details area in the Malware view

When you select the Subject value of an entry in the table, an email details flyout opens. This details flyout is known as the Email summary panel and contains standardized summary information that's also available on the Email entity page for the message.

For details about the information in the Email summary panel, see The Email summary panels.

The available actions at the top of the Email summary panel for Threat Explorer and Real-time detections are described in the Email details from the Email view of the details area in the All email view.

Recipient details from the Email view of the details area in the Malware view

When you select an entry by clicking on the Recipient value, a details flyout opens. The information in the flyout is the same as described in Recipient details from the Email view of the details area in the All email view.

Top malware families view for the details area of the Malware view in Threat Explorer

The Top malware families view for the details area organizes the data into a table of the top malware families. The table shows:

• Top malware families column: The malware family name.

  If you select a malware family name, a details flyout opens that contains the following information:

  • Email section: A table showing the following related information for messages that contain the malware file:

    • Date
    • Subject
    • Recipient

    Select View all email to open Threat Explorer in a new tab filtered by the malware family name.

  • Technical details section

  

• The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name.

Top targeted users view for the details area of the Malware view in Threat Explorer

The Top targeted users view organizes the data into a table of the top five recipients who were targeted by malware. The table shows:

• Top targeted users: The email address of the top targeted user. If you select an email address, a details flyout opens. The information in the flyout is the same as described in Top targeted users view for the details area of the All email view in Threat Explorer.

• The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name.

Tip

Use Export to export the list of up to 3000 users and the corresponding attempts.

Email origin view for the details area of the Malware view in Threat Explorer

The Email origin view shows message sources on a map of the world.

Campaign view for the details area of the Malware view in Threat Explorer

The Campaign view shows a details table. You can sort the entries by clicking on an available column header.

The details table is identical to the details table on the Campaigns page.

When you select an entry by clicking anywhere in the row other than the check box next to the Name, a details flyout opens. The information in the flyout is the same as described in Campaign details.

Phish view in Threat Explorer and Real-time detections

The Phish view in Threat Explorer and Real-time detections shows information about email messages that were identified as phishing.

To open the Phish view, do one of the following steps:

• Threat Explorer: On the Explorer page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > Phish tab. Or, go directly to the Explorer page using https://security.microsoft.com/threatexplorerv3, and then select the Phish tab.
• Real-time detections: On the Real-time detections page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > Phish tab. Or, go directly to the Real-time detections page using https://security.microsoft.com/realtimereportsv3, and then select the Phish tab.

Filterable properties in the Phish view in Threat Explorer and Real-time detections

By default, no property filters are applied to the data. The steps to create filters (queries) are described in the Filters in Threat Explorer and Real-time detections section later in this article.

The filterable properties that are available in the Sender address box in the Malware view are described in the following table:

Property	Type	Threat Explorer	Real-time detections
Basic
Sender address	Text. Separate multiple values by commas.	✔	✔
Recipients	Text. Separate multiple values by commas.	✔	✔
Sender domain	Text. Separate multiple values by commas.	✔	✔
Recipient domain	Text. Separate multiple values by commas.	✔	✔
Subject	Text. Separate multiple values by commas.	✔	✔
Sender display name	Text. Separate multiple values by commas.	✔	✔
Sender mail from address	Text. Separate multiple values by commas.	✔	✔
Sender mail from domain	Text. Separate multiple values by commas.	✔	✔
Return path	Text. Separate multiple values by commas.	✔	✔
Return path domain	Text. Separate multiple values by commas.	✔	✔
Tags	Text. Separate multiple values by commas. For more information about user tags, see User tags.	✔
Impersonated domain	Text. Separate multiple values by commas.	✔	✔
Impersonated user	Text. Separate multiple values by commas.	✔	✔
Exchange transport rule	Text. Separate multiple values by commas.	✔
Data loss prevention rule	Text. Separate multiple values by commas.	✔
Context	Select one or more values: Evaluation Priority account protection	✔
Connector	Text. Separate multiple values by commas.	✔
Delivery action	Select one or more values: Blocked Delivered Delivered to junk Replaced: Message attachments that were replaced by Dynamic Delivery in Safe Attachments policies.	✔	✔
Additional action	Select one or more values: Automated remediation Dynamic Delivery Manual remediation None Quarantine release Reprocessed ZAP	✔	✔
Directionality	Select one or more values: Inbound Intra-org Outbound	✔	✔
Detection technology	Select one or more values: Advanced filter Antimalware protection Bulk Campaign Domain reputation File detonation File detonation reputation File reputation Fingerprint matching General filter Impersonation brand Impersonation domain Impersonation user IP reputation Mailbox intelligence impersonation Mixed analysis detection spoof DMARC Spoof external domain Spoof intra-org URL detonation URL detonation reputation URL malicious reputation	✔	✔
Original delivery location	Select one or more values: Deleted Items folder Dropped Failed Inbox/folder Junk folder On-prem/external Quarantine Unknown	✔	✔
Latest delivery location	Same values as Original delivery location	✔	✔
Phish confidence level	Select one or more values: High Normal	✔
Primary override	Select one or more values: Allowed by organization policy Allowed by user policy Blocked by organization policy Blocked by user policy None	✔	✔
Primary override source	Messages can have multiple allow or block overrides as identified in Override source. The override that ultimately allowed or blocked the message is identified in Primary override source. Select one or more values: 3rd Party Filter Admin initiated time travel (ZAP) Antimalware policy block by file type Antispam policy settings Connection policy Exchange transport rule Exclusive mode (User override) Filtering skipped due to on-prem organization IP region filter from policy Language filter from policy Phishing Simulation Quarantine release SecOps Mailbox Sender address list (Admin Override) Sender address list (User override) Sender domain list (Admin Override) Sender domain list (User override) Tenant Allow/Block List file block Tenant Allow/Block List sender email address block Tenant Allow/Block List spoof block Tenant Allow/Block List URL block Trusted contact list (User override) Trusted domain (User override) Trusted recipient (User override) Trusted senders only (User override)	✔	✔
Override source	Same values as Primary override source	✔	✔
Policy type	Select one or more values: Anti-malware policy Anti-phishing policy Exchange transport rule (mail flow rule), Hosted content filter policy (anti-spam policy), Hosted outbound spam filter policy (outbound spam policy), Safe Attachments policy Unknown	✔	✔
Policy action	Select one or more values: Add x-header Bcc message Delete message Modify subject Move to Junk Email folder No action taken Redirect message Send to quarantine	✔	✔
Email size	Integer. Separate multiple values by commas.	✔	✔
Advanced
Internet Message ID	Text. Separate multiple values by commas. Available in the Message-ID header field in the message header. An example value is <08f1e0f6806a47b4ac103961109ae6ef@server.domain> (note the angle brackets).	✔	✔
Network message ID	Text. Separate multiple values by commas. A GUID value that's available in the X-MS-Exchange-Organization-Network-Message-Id header field in the message header.	✔	✔
Sender IP	Text. Separate multiple values by commas.	✔	✔
Attachment SHA256	Text. Separate multiple values by commas.	✔	✔
Cluster ID	Text. Separate multiple values by commas.	✔	✔
Alert ID	Text. Separate multiple values by commas.	✔	✔
Alert Policy ID	Text. Separate multiple values by commas.	✔	✔
Campaign ID	Text. Separate multiple values by commas.	✔	✔
ZAP URL signal	Text. Separate multiple values by commas.	✔
Urls
URL Count	Integer. Separate multiple values by commas.	✔	✔
URL domain	Text. Separate multiple values by commas.	✔	✔
URL domain and path	Text. Separate multiple values by commas.	✔
URL	Text. Separate multiple values by commas.	✔
URL path	Text. Separate multiple values by commas.	✔
URL source	Select one or more values: Attachments Cloud attachment Email body Email header QR Code Subject Unknown	✔	✔
Click verdict	Select one or more values: Allowed Block overridden Blocked Error Failure None Pending verdict Pending verdict bypassed	✔	✔
URL Threat	Select one or more values: Malware Phish Spam	✔	✔
File
Attachment Count	Integer. Separate multiple values by commas.	✔	✔
Attachment filename	Text. Separate multiple values by commas.	✔	✔
File type	Text. Separate multiple values by commas.	✔	✔
File Extension	Text. Separate multiple values by commas.	✔	✔
File Size	Integer. Separate multiple values by commas.	✔	✔
Authentication
SPF	Select one or more values: Fail Neutral None Pass Permanent error Soft fail Temporary error	✔	✔
DKIM	Select one or more values: Error Fail Ignore None Pass Test Timeout Unknown	✔	✔
DMARC	Select one or more values: Best guess pass Fail None Pass Permanent error Selector pass Temporary error Unknown	✔	✔
Composite	Select one or more values: Fail None Pass Soft pass

Pivots for the chart in the Phish view in Threat Explorer and Real-time Detections

The chart has a default view, but you can select a value from Select pivot for histogram chart to change how the filtered or unfiltered chart data is organized and displayed.

The chart pivots that are available in the Phish view in Threat Explorer and Real-time detections are listed in the following table:

Pivot	Threat Explorer	Real-time detections
Sender domain	✔	✔
Sender IP	✔
Delivery action	✔	✔
Detection technology	✔	✔
Full URL	✔
URL domain	✔	✔
URL domain and path	✔

The available chart pivots are described in the following subsections.

Sender domain chart pivot in the Phish view in Threat Explorer and Real-time detections

Although this pivot doesn't look selected by default, Sender domain is the default chart pivot in the Phish view in Real-time detections.

The Sender domain pivot organizes the chart by the domains in messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each sender domain.

Sender IP chart pivot in the Phish view in Threat Explorer

The Sender IP pivot organizes the chart by the source IP addresses of messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each source IP address.

Delivery action chart pivot in the Phish view in Threat Explorer and Real-time detections

Although this pivot doesn't look selected by default, Delivery action is the default chart pivot in the Phish view in Threat Explorer.

The Delivery action pivot organizes the chart by the actions taken on messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each delivery action.

Detection technology chart pivot in the Phish view in Threat Explorer and Real-time detections

The Detection technology pivot organizes the chart by the feature that identified the phishing messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each detection technology.

Full URL chart pivot in the Phish view in Threat Explorer

The Full URL pivot organizes the chart by the full URLs in phishing messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each full URL.

URL domain chart pivot in the Phish view in Threat Explorer and Real-time detections

The URL domain pivot organizes the chart by the domains in URLs in phishing messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL domain.

URL domain and path chart pivot in the Phish view in Threat Explorer

The URL domain and path pivot organizes the chart by the domains and paths in URLs in phishing messages for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL domain and path.

Views for the details area of the Phish view in Threat Explorer

The available views (tabs) in the details area of the Phish view are listed in the following table, and are described in the following subsections.

View	Threat Explorer	Real-time detections
Email	✔	✔
URL clicks	✔	✔
Top URLs	✔	✔
Top clicks	✔	✔
Top targeted users	✔
Email origin	✔
Campaign	✔

Email view for the details area of the Phish view in Threat Explorer and Real-time detections

Email is the default view for the details area of the Phish view in Threat Explorer and Real-time detections.

The Email view shows a details table. You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown.

The following table shows the columns that are available in Threat Explorer and Real-time detections. The default values are marked with an asterisk (^*).

Column	Threat Explorer	Real-time detections
Date*	✔	✔
Subject*	✔	✔
Recipient*	✔	✔
Recipient domain	✔	✔
Tags*	✔
Sender address*	✔	✔
Sender display name	✔	✔
Sender domain*	✔	✔
Sender IP	✔	✔
Sender mail from address	✔	✔
Sender mail from domain	✔	✔
Additional actions*	✔	✔
Delivery action	✔	✔
Latest delivery location*	✔	✔
Original delivery location*	✔	✔
System overrides source	✔	✔
System overrides	✔	✔
Alert ID	✔	✔
Internet message ID	✔	✔
Network message ID	✔	✔
Mail language	✔	✔
Exchange transport rule	✔
Connector	✔
Phish confidence level	✔
Context	✔
Data loss prevention rule	✔
Threat type*	✔	✔
Detection technology	✔	✔
Attachment Count	✔	✔
URL Count	✔	✔
Email size	✔	✔

Tip

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Remove columns from the view.
• Zoom out in your web browser.

Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser.

When you select one or more entries from the list by selecting the check box next to the first column, the Take action is available. For information, see Threat hunting: Email remediation.

When you click on the Subject or Recipient values in an entry, details flyouts open. These flyouts are described in the following subsections.

Email details from the Email view of the details area in the Phish view

When you select the Subject value of an entry in the table, an email details flyout opens. This details flyout is known as the Email summary panel and contains standardized summary information that's also available on the Email entity page for the message.

For details about the information in the Email summary panel, see The Email summary panel in Defender for Office 365 features.

The available actions at the top of the Email summary panel for Threat Explorer and Real-time detections are described in the Email details from the Email view of the details area in the All email view.

Recipient details from the Email view of the details area in the Phish view

When you select an entry by clicking on the Recipient value, a details flyout opens. The information in the flyout is the same as described in Recipient details from the Email view of the details area in the All email view.

URL clicks view for the details area of the Phish view in Threat Explorer and Real-time detections

The URL clicks view shows a chart that can be organized using pivots. The chart has a default view, but you can select a value from Select pivot for histogram chart to change how the filtered or unfiltered chart data is organized and displayed.

The chart pivots that are available in the Malware view in Threat Explorer and Real-time detections are described in the following table:

Pivot	Threat Explorer	Real-time detections
URL domain	✔	✔
Click verdict	✔	✔
URL	✔
URL domain and path	✔

The same chart pivots are available and described for the All email view in Threat Explorer:

• URL domain pivot for the URL clicks view for the details area of the All email view in Threat Explorer
• Click verdict pivot for the URL clicks view for the details area of the All email view in Threat Explorer
• URL pivot for the URL clicks view for the details area of the All email view in Threat Explorer
• URL domain and path pivot for the URL clicks view for the details area of the All email view in Threat Explorer

Tip

In Threat Explorer, each pivot in URL clicks view has a View all clicks action that opens the URL clicks view in Threat Explorer in a new tab. This action isn't available in Real-time detections, because the URL clicks view isn't available in Real-time detections.

Top URLs view for the details area of the Phish view in Threat Explorer and Real-time detections

The Top URLs view shows a details table. You can sort the entries by clicking on an available column header:

• URL
• Messages blocked
• Messages junked
• Messages delivered

Top URLs details for the Phish view

When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in Top URLs details for the All email view.

Tip

The Go hunt action is available only in Threat Explorer. It isn't available in Real-time detections.

Top clicks view for the details area of the Phish view in Threat Explorer and Real-time detections

The Top clicks view shows a details table. You can sort the entries by clicking on an available column header:

• URL
• Blocked
• Allowed
• Block overridden
• Pending verdict
• Pending verdict bypassed
• None
• Error page
• Failure

Tip

All available columns are selected. If you select Customize columns, you can't deselect any columns.

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Zoom out in your web browser.

When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in Top URLs details for the All email view.

Top targeted users view for the details area of the Phish view in Threat Explorer

The Top targeted users view organizes the data into a table of the top five recipients who were targeted by phishing attempts. The table shows:

• Top targeted users: The email address of the top targeted user. If you select an email address, a details flyout opens. The information in the flyout is the same as described in Top targeted users view for the details area of the All email view in Threat Explorer.

• The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name.

Tip

Use Export to export the list of up to 3000 users and the corresponding attempts.

Email origin view for the details area of the Phish view in Threat Explorer

The Email origin view shows message sources on a map of the world.

Campaign view for the details area of the Phish view in Threat Explorer

The Campaign view shows a details table. You can sort the entries by clicking on an available column header.

The information in the table is the same as described in details table on the Campaigns page.

When you select an entry by clicking anywhere in the row other than the check box next to the Name, a details flyout opens. The information in the flyout is the same as described in Campaign details.

Campaigns view in Threat Explorer

The Campaigns view in Threat Explorer shows information about threats that were identified as coordinated phishing and malware attacks, either specific to your organization, or to other organizations in Microsoft 365.

To open the Campaigns view on the Explorer page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > Campaigns tab. Or, go directly to the Explorer page using https://security.microsoft.com/threatexplorerv3, and then select the Campaigns tab.

All of the available information and actions are identical to the information and actions on the Campaigns page at https://security.microsoft.com/campaignsv3. For more information, see Campaigns page in the Microsoft Defender portal.

Content malware view in Threat Explorer and Real-time detections

The Content malware view in Threat Explorer and Real-time detections shows information about files that were identified as malware by:

• Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams
• Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

To open the Content malware view, do one of the following steps:

• Threat Explorer: On the Explorer page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > Content malware tab. Or, go directly to the Explorer page using https://security.microsoft.com/threatexplorerv3, and then select the Content malware tab.
• Real-time detections: On the Real-time detections page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > Content malware tab. Or, go directly to the Real-time detections page using https://security.microsoft.com/realtimereportsv3, and then select the Content malware tab.

Filterable properties in the Content malware view in Threat Explorer and Real-time detections

By default, no property filters are applied to the data. The steps to create filters (queries) are described in the Filters in Threat Explorer and Real-time detections section later in this article.

The filterable properties that are available in the File name box in the Content malware view in Threat Explorer and Real-time detections are described in the following table:

Property	Type	Threat Explorer	Real-time detections
File
File name	Text. Separate multiple values by commas.	✔	✔
Workload	Select one or more values: OneDrive SharePoint Teams	✔	✔
Site	Text. Separate multiple values by commas.	✔	✔
File owner	Text. Separate multiple values by commas.	✔	✔
Last modified by	Text. Separate multiple values by commas.	✔	✔
SHA256	Integer. Separate multiple values by commas. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt: certutil.exe -hashfile "<Path>\<Filename>" SHA256.	✔	✔
Malware family	Text. Separate multiple values by commas.	✔	✔
Detection technology	Select one or more values: Advanced filter Antimalware protection Bulk Campaign Domain reputation File detonation File detonation reputation File reputation Fingerprint matching General filter Impersonation brand Impersonation domain Impersonation user IP reputation Mailbox intelligence impersonation Mixed analysis detection spoof DMARC Spoof external domain Spoof intra-org URL detonation URL detonation reputation URL malicious reputation	✔	✔
Threat type	Select one or more values: Block Malware Phish Spam	✔	✔

Pivots for the chart in the Content malware view in Threat Explorer and Real-time Detections

The chart has a default view, but you can select a value from Select pivot for histogram chart to change how the filtered or unfiltered chart data is organized and displayed.

The chart pivots that are available in the Content malware view in Threat Explorer and Real-time detections are listed in the following table:

Pivot	Threat Explorer	Real-time detections
Malware family	✔	✔
Detection technology	✔	✔
Workload	✔	✔

The available chart pivots are described in the following subsections.

Malware family chart pivot in the Content malware view in Threat Explorer and Real-time detections

Although this pivot doesn't look selected by default, Malware family is the default chart pivot in the Content malware view in Threat Explorer and Real-time detections.

The Malware family pivot organizes the chart by the malware identified in files in SharePoint, OneDrive, and Microsoft Teams using the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each malware family.

Detection technology chart pivot in the Content malware view in Threat Explorer and Real-time detections

The Detection technology pivot organizes the chart by the feature that identified malware in files in SharePoint, OneDrive, and Microsoft Teams for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each detection technology.

Workload chart pivot in the Content malware view in Threat Explorer and Real-time detections

The Workload pivot organizes the chart by where the malware was identified (SharePoint, OneDrive, or Microsoft Teams) for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each workload.

Views for the details area of the Content malware view in Threat Explorer and Real-time detections

In Threat Explorer and Real-time detections, the details area of the Content malware view contains only one view (tab) named Documents. This view is described in the following subsection.

Document view for the details area of the Content malware view in Threat Explorer and Real-time detections

Document is the default and only view for the details area in the Content malware view.

The Document view shows a details table. You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (^*):

• Date^*
• Name^*
• Workload^*
• Threat^*
• Detection technology^*
• Last modifying user^*
• File owner^*
• Size (bytes)^*
• Last modified time
• Site path
• File path
• Document ID
• SHA256
• Detected date
• Malware family
• Context

Tip

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Remove columns from the view.
• Zoom out in your web browser.

Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser.

When you select a filename value from the Name column, a details flyout opens. The flyout contains the following information:

• Summary section:

  • Filename
  • Site path
  • File path
  • Document ID
  • SHA256
  • Last date modified
  • Last modified by
  • Threat
  • Detection technology

• Details section:

  • Detected date
  • Detected by
  • Malware name
  • Last modified by
  • File size
  • File owner

• Email list section: A table showing the following related information for messages that contain the malware file:

  • Date
  • Subject
  • Recipient

  Select View all email to open Threat Explorer in a new tab filtered by the malware family name.

• Recent activity: Shows the summarized results of an Audit log search for the recipient:

  • Date
  • IP address
  • Activity
  • Item

  If the recipient has more than three audit log entries, select View all recent activity to see all of them.

  Tip

  Members of the Security Administrators role group in Email & collaboration permissions can't expand the Recent activity section. You need to be a member of a role group in Exchange Online permissions that has the Audit Logs, Information Protection Analyst, or Information Protection Investigator roles assigned. By default, those roles are assigned to the Records Management, Compliance Management, Information Protection, Information Protection Analysts, Information Protection Investigators, and Organization Management role groups. You can add the members of Security Administrators to those role groups, or you can create a new role group with with the Audit Logs role assigned.

URL clicks view in Threat Explorer

The URL clicks view in Threat Explorer shows all user clicks on URLs in email, in supported Office files in SharePoint and OneDrive, and in Microsoft Teams.

To open the URL clicks view on the Explorer page in the Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer > URL clicks tab. Or, go directly to the Explorer page using https://security.microsoft.com/threatexplorerv3, and then select the URL clicks tab.

Filterable properties in the URL clicks view in Threat Explorer

By default, no property filters are applied to the data. The steps to create filters (queries) are described in the Filters in Threat Explorer and Real-time detections section later in this article.

The filterable properties that are available in the Recipients box in the URL clicks view in Threat Explorer are described in the following table:

Property	Type
Basic
Recipients	Text. Separate multiple values by commas.
Tags	Text. Separate multiple values by commas. For more information about user tags, see User tags.
Network message ID	Text. Separate multiple values by commas. A GUID value that's available in the X-MS-Exchange-Organization-Network-Message-Id header field in the message header.
URL	Text. Separate multiple values by commas.
Click action	Select one or more values: Allowed Block page Block page override Error page Failure None Pending detonation page Pending detonation page override
Threat type	Select one or more values: Allow Block Malware Phish Spam
Detection technology	Select one or more values: URL detonation URL detonation reputation URL malicious reputation
Click ID	Text. Separate multiple values by commas.
Client IP	Text. Separate multiple values by commas.

Pivots for the chart in the URL clicks view in Threat Explorer

The chart has a default view, but you can select a value from Select pivot for histogram chart to change how the filtered or unfiltered chart data is organized and displayed.

The available chart pivots are described in the following subsections.

URL domain chart pivot in the URL clicks view in Threat Explorer

Although this pivot doesn't look selected by default, URL domain is the default chart pivot in the URL clicks view.

The URL domain pivot organizes the chart by the domains in URLs that users clicked in email, Office files, or Microsoft Teams for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each URL domain.

Workload chart pivot in the URL clicks view in Threat Explorer

The Workload pivot organizes the chart by the location of the clicked URL (email, Office files, or Microsoft Teams) for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each workload.

Detection technology chart pivot in the URL clicks view in Threat Explorer

The Detection technology pivot organizes the chart by the feature that identified the URL clicks in email, Office files, or Microsoft Teams for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each detection technology.

Threat type chart pivot in the URL clicks view in Threat Explorer

The Threat type pivot organizes the chart by the results for clicked URLs in email, Office files, or Microsoft Teams for the specified date/time range and property filters.

Hovering over a data point in the chart shows the count for each threat type technology.

Views for the details area of the URL clicks view in Threat Explorer

The available views (tabs) in the details area of the URL clicks view are described in the following subsections.

Results view for the details area of the URL clicks view in Threat Explorer

Results is the default view for the details area in the URL clicks view.

The Results view shows a details table. You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. By default, all columns are selected:

• Time clicked
• Recipient
• URL click action
• URL
• Tags
• Network message ID
• Click ID
• Client IP
• URL chain
• Threat type
• Detection technology

Tip

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Remove columns from the view.
• Zoom out in your web browser.

Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser.

Select one or entries by selecting the check box next to the first column in the row, and then select View all emails to open Threat Explorer in All email view in a new tab filtered by the Network message ID values of the selected messages.

Top clicks view for the details area of the URL clicks view in Threat Explorer

The Top clicks view shows a details table. You can sort the entries by clicking on an available column header:

• URL
• Blocked
• Allowed
• Block overridden
• Pending verdict
• Pending verdict bypassed
• None
• Error page
• Failure

Tip

All available columns are selected. If you select Customize columns, you can't deselect any columns.

To see all columns, you likely need to do one or more of the following steps:

• Horizontally scroll in your web browser.
• Narrow the width of appropriate columns.
• Zoom out in your web browser.

Select an entry by selecting the check box next to the first column in the row, and then select View all clicks to open Threat Explorer in a new tab in URL clicks view.

When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in Top URLs details for the All email view.

Top targeted users view for the details area of the URL clicks view in Threat Explorer

The Top targeted users view organizes the data into a table of the top five recipients who clicked on URLs. The table shows:

• Top targeted users: The email address of the top targeted user. If you select an email address, a details flyout opens. The information in the flyout is the same as described in Top targeted users view for the details area of the All email view in Threat Explorer.

• The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name.

Tip

Use Export to export the list of up to 3000 users and the corresponding attempts.

Property filters in Threat Explorer and Real-time detections

The basic syntax of a property filter/query is:

Condition = <Filter property> <Filter operator> <Property value or values>

Multiple conditions use the following syntax:

<Condition1> <AND | OR> <Condition2> <AND | OR> <Condition3>... <AND | OR> <ConditionN>

Tip

Wildcard searches (**** or ?) aren't supported in text or integer values. The Subject property uses partial text matching, and yields results similar to a wildcard search.

The steps to create property filter/query conditions are the same in all views in Threat Explorer and Real-time detections:

1. Identify the filter property using the tables in the preview view description sections earlier in this article.

2. Select an available filter operator. The available filter operators depend on the property type as described in the following table:

   Filter operator	Property type
   Equal any of	Text Integer Discreet values
   Equal none of	Text Discreet values
   Greater than	Integer
   Less than	Integer

3. Enter or select one or more property values. For text values and integers, you can enter multiple values separated by commas.

   Multiple values in the property value use the OR logical operator. For example, Sender address > Equal any of > bob@fabrikam.com,cindy@fabrikam.com means Sender address > Equal any of > bob@fabrikam.com OR cindy@fabrikam.com.

   After you enter or select one or more property values, the completed filter condition appears below the filter creation boxes.

   Tip

   For properties that require you to select one or more available values, using the property in the filter condition with all values selected has the same result as not using the property in the filter condition.

4. To add another condition, repeat the previous three steps.

   The conditions below the filter creation boxes are separated by the logical operator that was selected at the time you created the second or subsequent conditions. The default value is AND, but you can also select OR.

   The same logical operator is used between all conditions: they're all AND or they're all OR. To change the existing logical operators, select the logical operator box, and then select AND or OR.

   To edit an existing condition, double-click on it to bring the selected property, filter operator, and values back into the corresponding boxes.

   To remove an existing condition, select on the condition.

5. To apply the filter to the chart and the details table, select Refresh

   

Saved queries in Threat Explorer

Tip

Save query is part of Threat trackers and isn't available in Real-time detections. Saved queries and Threat trackers are available only in Defender for Office 365 Plan 2.

Save query isn't available in the Content malware view.

Most views in Threat Explorer allow you to save filters (queries) for later use. Saved queries are available on the Threat tracker page in the Defender portal at https://security.microsoft.com/threattrackerv2. For more information about Threat trackers, see Threat trackers in Microsoft Defender for Office 365 Plan 2.

To save queries in Threat Explorer, do the following steps:

1. After you create the filter/query as previously described, select Save query > Save query.

2. In the Save query flyout that opens, configure the following options:

   • Query name: Enter a unique name for the query.
   • Select one of the following options:
     • Exact dates: Select a start date and end date in the boxes. The oldest start date that you can select is 30 days before today. The newest end date that you can select is today.
     • Relative dates: Select the number of days in the Show last nn days when search is run. The default value is 7, but you can select 1 to 30.
   • Track query: By default, this option isn't selected. This option affects whether the query runs automatically:
     • Track query not selected: The query is available for you to run manually in Threat Explorer. The query is saved on the Saved queries tab on the Threat tracker page with the Tracked query property value No.
     • Track query selected: The query periodically runs in the background. The query is available on the Saved queries tab on the Threat tracker page with the Tracked query property value Yes. The periodic results of the query are shown on the Tracked queries tab on the Threat tracker page.

   When you're finished in the Save query flyout, select Save, and then select OK in the confirmation dialog.

On the Saved query or Tracked query tabs on the Threat tracker page in the Defender portal at https://security.microsoft.com/threattrackerv2, you can select Explore in the Actions column to open and use the query in Threat Explorer.

When you open the query by selecting Explore from the Threat tracker page, Save query as and Saved query settings are now available in Save query on the Explorer page:

• If you select Save query as, the Save query flyout opens with all previously selected settings. If you make changes, select Save, and then select OK in the Success dialog, the updated query is saved as a new query on the Threat tracker page (you might need to select Refresh to see it).

• If you select Saved query settings, the Saved query settings flyout opens where you can update the date and Track query settings of the existing query.

More information

• Threat Explorer collect email details on the Email entity page
• Find and investigate malicious email that was delivered
• View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
• Threat protection status report
• Automated investigation and response in Microsoft Threat Protection