Threat Explorer & Investigation
Understanding the Concept
Threat Explorer in Defender for Office 365 is a near real-time investigation tool that lets security analysts view and analyze threats detected in email and collaboration tools. It provides visibility into malware, phishing, all email, content malware, and URL clicks.
Analysts can pivot on various attributes including sender, recipient, subject, attachment name, delivery action, and detection technology. The email entity page provides a comprehensive view of a specific email including headers, URLs, attachments, and delivery timeline.
Remediation actions from Threat Explorer include soft delete, hard delete, move to junk, and move to inbox. These actions can be applied to individual emails or bulk selections matching specific criteria.
Key Points
- Near real-time visibility into email threats
- Views: Malware, Phishing, All Email, Content Malware, URL Clicks
- Pivot on sender, recipient, subject, attachment, detection technology
- Email entity page shows comprehensive email details
- Remediation: soft delete, hard delete, move to junk
- Supports bulk remediation for threat campaigns
Why This Matters in Real Organizations
When a phishing campaign bypasses initial filtering, Threat Explorer enables analysts to quickly identify all affected mailboxes, understand the scope of the threat, and remediate across the entire organization in minutes rather than hours.
Common Mistakes to Avoid
Interview Tips
- Describe your email threat investigation workflow using Threat Explorer
- Discuss how you handle post-delivery phishing remediation
Exam Tips (SC-200)
- Know Threat Explorer views and filtering options
- Understand available remediation actions
- Know how to investigate email campaigns