Use Threat Explorer in the Security & Compliance Center

If your organization has Office 365 Advanced Threat Protection Plan 2 (ATP), and you have the necessary permissions, you can use Threat Explorer (also referred to as Explorer) to identify and analyze threats. (To use Explorer, in the Security & Compliance Center, go to Threat management > Explorer.)


Explorer is a powerful, near real-time tool that helps Security Operations teams investigate and respond to threats in the Security & Compliance Center. The following sections describe some of the things you can do with it.

See malware detected in email by technology

Suppose you want to see malware that was detected in email, and by what technology in Office 365. To do this, use the Email > Malware view of Explorer.

  1. In the Security & Compliance Center (https://protection.office.com), choose Threat management > Explorer.
  2. In the View menu, choose Email > Malware.
    (Screenshot: View menu for Explorer)
  3. Click Sender, and then choose Basic > Detection technology.
    Your detection technologies are now available as filters for the report.
    (Screenshot: Malware detection technologies)
  4. Select an option, and then click the Refresh button to apply that filter.
    (Screenshot: Selected detection technology)

The report refreshes to show the malware detected in email by the detection technology you selected. From here, you can conduct further analysis.

View data about phishing URLs and click verdict

Suppose you want to see phishing attempts through URLs in email, including a list of URLs that were allowed, blocked, and overridden. Identifying URLs that were clicked requires ATP Safe links. (Make sure you have set up and applied ATP Safe Links policies to your users for click-time protection and logging of click verdicts by ATP Safe Links.) To review phish URLs in messages and clicks on URLs in phish messages, use the Email > Phish view of Explorer.

  1. In the Security & Compliance Center (https://protection.office.com), choose Threat management > Explorer.
  2. In the View menu, choose Email > Phish.
    (Screenshot: View menu for Explorer)
  3. Click Sender, and then choose URLs > Click verdict.
  4. Select one or more options, such as Blocked and Block overridden, and then click the Refresh button to apply that filter.
    (Screenshot: URLs and click verdicts)

The report refreshes to show two different URL tables on the URL tab below:

  1. Top URLs are the URLs contained in the messages you have filtered down to, and the email delivery action counts for each URL. In the phish email view, this list typically will contain legitimate URLs. Attackers include a mix of good and bad URLs in their messages to try to get them delivered, but they'll make the malicious links more interesting for the user to click. The table of URLs is sorted by total email count (NOTE: This column is not shown to simplify the view).
  2. Top clicks are the Safe Links wrapped URLs that were clicked, sorted by total click count (this column is also not shown to simplify the view). Total counts by column indicate the Safe Links click verdict count for each clicked URL. In the phish email view, these will more often be suspicious or malicious links, but could include clean URLs that happen to be in phish messages. URL clicks on unwrapped links will not show up here.

The two URL tables show the top URLs in phishing emails by delivery status, and the URL clicks that were blocked (or visited despite a warning), so that you can understand which potentially malicious links users received and interacted with. From here, you can conduct further analysis. For example, below the chart, you can see the top URLs in emails that were blocked in your organization's environment.

(Screenshot: Explorer URLs that were blocked)

Select a URL to view more detailed information. Note that in the URL flyout dialog, the filtering on emails is removed in order to show you the full view of the URL's exposure in your environment. This lets you filter down emails in Explorer to ones you are concerned about, find specific URLs that are potential threats, then expand your understanding of the URL exposure in your environment (via the URL details dialog) without having to add URL filters to the Explorer view itself.

Review email messages reported by users

Suppose you want to see email messages that users in your organization have reported as Junk, Not Junk, or Phishing by using the Report Message add-in for Outlook and Outlook on the web. To do this, use the Email > User-reported view of Explorer.

  1. In the Security & Compliance Center (https://protection.office.com), choose Threat management > Explorer.
  2. In the View menu, choose Email > User-reported.
    (Screenshot: View menu for Explorer)
  3. Click Sender, and then choose Basic > Report type.
  4. Select an option, such as Phish, and then click the Refresh button.
    (Screenshot: User-reported phish)

The report refreshes to show data about email messages that people in your organization have reported as a phishing attempt. You can use this information to conduct further analysis, and if necessary, adjust your ATP anti-phishing policies.

Start automated investigation and response

(NEW!) Automated investigation and response, recently added to ATP Plan 2, can save your security operations team a lot of time and effort in investigating and mitigating cyberattacks. In addition to configuring alerts that can trigger a security playbook, you can start an automated investigation and response process directly from a view in Explorer.

For details on this, see Example: A security administrator triggers an investigation from Threat Explorer.

More ways to use Explorer

In addition to the scenarios outlined in this article, you have many more reporting options available with Explorer.

Required licenses and permissions

Explorer is included in Office 365 Advanced Threat Protection Plan 2.

To view and use Explorer, you must have appropriate permissions, such as those granted to a security administrator or security reader.

  • For the Security & Compliance Center, you must have one of the following roles assigned:

    • Organization Management
    • Security Administrator (this can be assigned in the Azure Active Directory admin center (https://aad.portal.azure.com))
    • Security Reader
  • For Exchange Online, you must have one of the following roles assigned in either the Exchange admin center (https://outlook.office365.com/ecp) or with PowerShell cmdlets (See Exchange Online PowerShell):

    • Organization Management
    • View-only Organization Management
    • View-Only Recipients role
    • Compliance Management
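The following script is an added example, not part of this article, showing how to check from Exchange Online PowerShell which of the role groups listed above a given account is a direct member of. It assumes the ExchangeOnlineManagement module is installed, that the account running it can read role groups, and that $UserPrincipalName is a placeholder you replace; it only checks direct membership, so access granted through nested groups is not reported.

```powershell
# Added example (not from the original article): report which of the Exchange Online
# role groups listed above grant a user access on the Exchange Online side.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. analyst@contoso.example
)

# Role groups the article lists as sufficient for Explorer on the Exchange Online side
$RequiredRoleGroups = @(
    'Organization Management',
    'View-Only Organization Management',
    'View-Only Recipients',
    'Compliance Management'
)

# Requires the ExchangeOnlineManagement module; prompts for sign-in
Connect-ExchangeOnline -ShowBanner:$false

# Resolve the account so we can compare on its directory Name
$user = Get-User -Identity $UserPrincipalName -ErrorAction Stop

$granted = foreach ($group in $RequiredRoleGroups) {
    # Get-RoleGroupMember returns the direct members of a role group
    $members = Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.Name -eq $user.Name }) {
        $group
    }
}

if ($granted) {
    Write-Output "$UserPrincipalName is a direct member of: $($granted -join ', ')"
} else {
    # No listed role group found: the user would need one of them (or the
    # Security & Compliance Center roles above) before Explorer is usable
    Write-Warning "$UserPrincipalName is not a direct member of any listed role group."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it periodically, or before granting Explorer access, to keep the set of accounts holding these broad Exchange Online roles small and auditable.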

To learn more about roles and permissions, see the following resources: