Announcing persistent views and UX enhancements in Threat Explorer

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

In response to the ever-evolving landscape of cyber threats, Threat Explorer plays a critical role in identifying and mitigating security risks within Office 365 environments. Microsoft Defender for Office 365 is focused on refining the user interface and functionality in Threat Explorer to give users a more intuitive, responsive, and seamless experience and to support a proactive and effective defense against cyber threats.


Recently, we released a couple of enhancements to Threat Explorer’s user experience that make URL click based threat hunting effortless and extend its capability through navigation between data tabs in Explorer. Along with this, we have introduced persistent views in Explorer, which allow users to save their column preferences. The details of the recently introduced UX enhancements, and how security analysts can adopt them in their investigation and hunting workflows, follow:


1) Persistent views: Explorer now allows users to select the columns they want to see on the data grid via “Customize columns”, and the columns they want to export via the customizable export flyout. We have enhanced this experience so that users can save these preferences, and the saved preferences will be used in consecutive actions.

How to save the column selection:

  1. In the customize columns flyout of Explorer, once the user applies a new column selection by clicking the “Apply” button, the newly selected column preferences will be saved for that user.
  2. In the customizable export flyout, once the user applies a new column selection and exports the data by clicking the “Export” button, the newly selected column preferences will be saved for that user.
  3. Users will be able to save different preferences for individual tabs in Explorer (All email, Malware, Phish, Campaign, Content Malware, URL Clicks) for both the customizable column set and customizable exports.

How the saved column selections are used:

  1. User preferences will be specific to the web browser in. Users will have an option to save different preferences in different web browsers on different devices.
  2. If users are in private browsing mode, preferences remain active only while the browsing session is active. Closing all tabs in private browsing mode erases those preferences.
  3. Saved preferences for the data grid will be reused each time the user clicks refresh, applies filters, or lands on Explorer via deep links provided in alerts, incidents, AIR, submissions, etc.
  4. Saved preferences will be retained until user.



2) Navigation between URL Clicks and All email tab: Malicious URLs and end user clicks on malicious URLs have been a major threat in URL based phishing attacks. To investigate and hunt for similar threats, we recently added the URL clicks tab in Explorer, which lets security analysts see end user clicks on URLs across emails, Teams messages and documents shared across SPO/OD. Analysts who want to extend the search and hunt for more such attacks in their email domain can do so by joining clicks data with email metadata in Explorer’s All email tab.

How to navigate from URL clicks tab to All email tab:

  1. Users can apply filters to narrow down the search results, if required.
  2. Users can select up to 10 clicks belonging to the “Email” workload from the URL clicks tab.
  3. Click the “View all emails” button to navigate to the All email tab and see the corresponding emails (using NetworkMessageID and Recipient as primary filters).



How to navigate from All email tab to URL clicks tab:

  1. Users can apply filters to narrow down the search results, if required.
  2. The URL clicks and Top Clicks tabs in the result set section, beside the Email tab in the All email tab, will now have a “View all clicks” button to navigate from the All email tab to the URL clicks tab.

Note: These navigations will honor the filters applied in the All email and URL clicks tabs, provided the applied filter is present in both tabs.


3) Custom inputs for timestamp filter: To let users filter with more granular time ranges, narrow down searches in Explorer as per their requirements, and perform thorough analysis of attack patterns, the timestamp filter in Explorer will now have two different methods of input:

  1. Manual input: Users can manually enter the time in hh:mm format.
  2. Time picker: Users can select the time from the dropdown list in increments of 30 minutes.



4) Remediation action results in Explorer: SOC teams have direct, in-line visibility in Threat Explorer’s result set into manual remediation, quarantine release, etc., and into system post-delivery actions such as ZAP and reprocessed messages (for FP recovery). The result of each action will be appended to the action name in the Additional Actions column of Threat Explorer. With this view in Additional Actions, users can track the post-delivery email action status in Threat Explorer, as well as in data exported from Threat Explorer, and avoid going to the Email Entity timeline view.



For questions or feedback about Microsoft Defender for Office 365, engage with the community and Microsoft experts in the Defender for Office 365 forum.
