Use Explorer in the Security & Compliance Center

If your organization has Office 365 Threat Intelligence, and you have the necessary permissions, you can use Explorer to identify and analyze threats. For example, you can identify and delete malicious email that was delivered, or see malware that was caught by Office 365 security features. Explorer (also referred to as Threat Explorer) is a powerful near real-time report in the Security & Compliance Center.

Go to Threat management > Explorer

To use Explorer, in the Security & Compliance Center, go to Threat management > Explorer.

Explorer overview

Explorer displays information about suspected malware in email and files in Office 365, as well as other security threats and risks to your organization. When you first open Explorer, the default view shows malware detections from antivirus for the past 7 days. Explorer can also show security protection features in Office 365, including Safe Links and Safe Attachments and can be modified to show data for the past 30 days.

Explorer shows info about top malware and targeted users

Use the View menu to change what information is displayed.

The View menu for Explorer

Explorer has several filtering and querying capabilities that enable you to drill into details, such as top targeted users, top malware families, and more. Each kind of report offers a variety of ways to view and explore data.

Important

Do not use wildcard characters, such as an asterisk (*) or a question mark (?), with Explorer. When you search on the Subject field for email messages, Explorer will perform partial matching and yield results similar to a wildcard search.

Email > Malware

This view shows email messages identified as containing malware.

View information in the chart by malware family, sender domain, sender IP, protection status (actions taken by your threat protection features and policies in Office 365), and detection technology (how the malware was detected).

View data about detected malware

Below the chart, view details about top malware families, top targeted users, and more details about specific messages.

Email > Phish

This view shows email messages identified as phishing attempts.

View information by sender domain, sender IP, and protection status (actions taken by your threat protection features and policies in Office 365).

View data about email identified as phishing attempts

Below the chart, view more details about specific messages.

Email > User-reported

This view shows email that users have reported as junk, not junk, or phishing email.

View information by report type (the user's determination that the email was junk, not junk, or phish), and by delivery reason (reasons why email went to a specific location, such as a spam filter policy, a mail flow rule, a blocked-senders list, a safe-senders list, etc.).

View data about email users reported as junk, not junk, or phishing

Below the chart, view more details about specific email messages, such as subject line, the sender's IP address, the user that reported the message as junk, not junk, or phish, and more.

Email > All mail

This views shows an all-up view of email activity, including email identified as malicious due to phishing or malware, as well all non-malicious mail (normal email, spam, and bulk mail).

Note

If you get an error that reads Too much data to display, add a filter and, if necessary, narrow the date range you're viewing.

To apply a filter, choose Sender, select an item in the list, and then click the Refresh button. In our example, we used Detection technology as a filter (there are several options available). View information by sender, sender's domain, recipients, subject, attachment filename, malware family, protection status (actions taken by your threat protection features and policies in Office 365), detection technology (how the malware was detected), and more.

View data about detected email by detection technology

Below the chart, view more details about specific email messages, such as subject line, recipient, sender, status, and so on.

Content > Malware

This view shows files that were identified as malicious in SharePoint Online, OneDrive for Business, and Microsoft Teams.

View information by malware family, detection technology (how the malware was detected), and workload (OneDrive, SharePoint, or Teams).

View data about detected malware

Below the chart, view more details about specific files, such as attachment filename, workload, file size, who last modified the file, and more.

(New!) Click-to-filter capabilities

New to Explorer is the ability to click to filter. Beginning in late May 2018, when you click an item in the legend, that item becomes a filter for the report. For example, suppose we are looking at the Malware view in Explorer:

Go to Threat management > Explorer

Clicking ATP Detonation in this chart results in a view like this:

Explorer filtered to display only ATO Detonation results

In this view, we are now looking at data for files that were detonated by Office 365 ATP Safe Attachments. Below the chart, we can see details about specific email messages that had attachments that were detected by ATP Safe Attachments.

Specific details about email messages with detected attachments

Selecting one or more items activates the Actions menu, which offers several choices from which to choose for the selected item(s).

Selecting an item activates the Actions menu

The ability to filter in a click and navigate to specific details can save you a lot of time in investigating threats.

How do I get Explorer?

Explorer is included in Office 365 Threat Intelligence.

You must have appropriate permissions, such as those granted to a security administrator or security reader, in order to view and use Explorer. To learn more, see Permissions in the Office 365 Security & Compliance Center.

Reports and insights in the Office 365 Security & Compliance Center

Find and investigate malicious email that was delivered (Office 365 Threat Intelligence)

Anti-spam and anti-malware protection in Office 365