What Is Threat Explorer? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
Threat Explorer is a tool in Microsoft 365 that lets security teams see and investigate email threats like phishing and malware. It shows detailed information about detected threats, such as who sent them and who received them. You can use filters to find specific threats and take action, like deleting malicious emails. It helps you understand and respond to security incidents quickly.
Common Commands & Configuration
Search-ThreatExplorer -TimeRange 7d -DetectionType Malware -SenderDomain example.comQueries Threat Explorer for malware detections from a specific sender domain within the last 7 days. Used for initial incident scoping.
CISSP and CySA+ exams test the use of PowerShell for security investigations; this command is a simple example of automating Threat Explorer queries.
Get-ExplorerData -View Phish -Filter "(SenderAddress -contains 'phish@') -and (Verdict -eq 'Malicious')"Fetches phishing emails where the sender address contains 'phish' and the verdict is malicious. Useful for targeted phishing campaign analysis.
The MS-102 exam often includes PowerShell-based management tasks; knowing how to construct proper filters is essential for automation.
Invoke-RemediationAction -Action Quarantine -Identity <EmailID> -Scope AllUsersInitiates a quarantine action on a specific email ID for all users who received it. Used for mass removal of a malicious email.
For the Security+ or SC-900 exam, this demonstrates automated response; such commands are part of scenario-based questions about incident handling.
Set-ThreatExplorerRole -Role 'Security Administrator' -Enabled $trueEnables Threat Explorer access for a user with the Security Administrator role. Required to view the tool in the portal.
The AZ-104 exam covers RBAC; understanding that Threat Explorer requires specific roles like Security Admin is a common question.
Get-ExplorerEmailEntity -MessageId <MessageId> -IncludeAttachmentDetails $trueRetrieves detailed information about a single email, including attachment metadata, by its Message ID. Useful for deep forensic analysis.
The CySA+ exam emphasizes forensic investigation; this command allows retrieving chain of custody data from Threat Explorer.
New-ThreatExplorerSavedQuery -Name 'DailyPhishReport' -View Phish -Filter 'Last7Days' -Schedule DailyCreates a scheduled query in Threat Explorer that runs daily for the Phish view. Used for ongoing monitoring.
In the MS-102 or SC-900 exams, the ability to automate security reports using saved queries is a key administrative skill.
Remove-ExplorerMailboxItem -Identity <UserUPN> -Filter "(ReceivedDate -gt '01/01/2024') -and (Subject -like '*invoice*')"Forcefully deletes emails from a specific user's mailbox that match a subject pattern. Used for targeted cleanup after a phishing campaign.
The CISSP exam tests incident response; this command shows how to purge selected items without affecting other mailboxes.
Must Know for Exams
Threat Explorer is a key topic in several Microsoft security and compliance exams, as well as some broader security certifications. For the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), Threat Explorer appears as part of the 'Describe the capabilities of Microsoft Defender for Office 365' objective. Candidates need to understand what Threat Explorer is and its role in investigating threats. It is an 'also_useful' topic here, as the exam focuses more on core concepts.
For the MS-102 (Microsoft 365 Administrator) exam, which covers administration of Microsoft 365, Threat Explorer is more prominent. The 'Manage security and threats' domain includes topics like investigating threats using Explorer and managing detections. Candidates should be able to describe how to use Explorer to investigate a phishing incident, filter results, and take actions like deleting emails or initiating an automated investigation. This exam expects a good working knowledge of the tool's features and capabilities.
For the MD-102 (Microsoft 365 Endpoint Administrator), Threat Explorer is an 'also_useful' topic. While the focus is on endpoints, understanding email threats is relevant for a holistic security posture. The exam may include questions about coordinating email threat data from Explorer with endpoint alerts in Microsoft Defender for Endpoint. For the AZ-104 (Microsoft Azure Administrator), Threat Explorer is 'light_supporting'. The exam is primarily about Azure infrastructure, but questions about security may touch on Microsoft 365 security tools. Knowing that Threat Explorer exists for email threat investigation may be helpful but not critical.
For non-Microsoft exams like AWS-SAA, ISC2 CISSP, CySA+, and Security+, Threat Explorer is not a primary topic. However, it appears as 'light_supporting' because these certifications value the concept of a 'threat hunting' or 'threat investigation' tool. For Security+ (SY0-601 and SY0-701), the exam covers 'Given a scenario, analyze indicators of compromise and determine the type of malware or activity'. Understanding a tool like Threat Explorer that provides IoC data is relevant. Similarly, for CySA+, the entire focus is on threat hunting and incident response, and Threat Explorer is a prime example of a SIEM-like tool. For CISSP, it fits under domain 7 (Security Operations) regarding monitoring and detection. However, these exams will not ask specific Microsoft product questions, but rather general concepts that Threat Explorer exemplifies. In those cases, the exam relevance is 'light_supporting'.
In exam questions, you might see a scenario like 'A user reports receiving a suspicious email. An administrator needs to investigate the email's threat status and see if other users received it. Which tool should they use?' The answer is Threat Explorer. Or 'An organization wants a real-time view of all detected phishing emails with the ability to take bulk remediation actions. What tool in Microsoft 365 provides this?' Again, Threat Explorer. Knowing the tool's name, its purpose (investigation and remediation of email threats), and its location (Microsoft 365 Defender portal) is key. Also, understand that it is different from the 'Activity log' or 'Audit log', which are for audit trails of admin actions, not threat investigation.
Simple Meaning
Imagine you are the security guard at a busy office building. Every day, thousands of letters and packages arrive. Most are safe, but some are suspicious. You need a way to quickly see all these items, sort them, and find the dangerous ones. Threat Explorer is like a digital control room for your email system. It gives you a big, interactive screen that shows every email that Microsoft Defender thought might be bad. You can filter this list by who sent it, what it contains, who received it, and when it arrived. If you see a dangerous email, you can click a button to delete it from everyone's inbox at once. It also shows you the path the email took, so you can understand how a threat got in. This is much faster than checking each email one by one.
In more technical terms, Threat Explorer connects to data from Microsoft Defender for Office 365. It pulls in information about detected threats like malware, phishing attempts, and spam. You can see email metadata, delivery details, and threat detection triggers. The tool supports advanced queries using filters like sender IP, URL reputation, file hash, and user actions (like 'clicked' or 'reported'). It also provides trend charts so you can spot patterns, like a sudden increase in phishing emails targeting your finance team. This is essential for investigating incidents, understanding attack vectors, and taking corrective actions such as moving emails to quarantine or blocking senders. Threat Explorer is not just a log viewer; it is an interactive investigation interface that helps security professionals respond to threats efficiently.
Think of it like a security camera system for your email. The cameras (detection engines) record everything. Threat Explorer is the central monitor where you can rewind, zoom in, and follow the action. You can see exactly what happened, when it happened, and who was involved. This tool turns raw detection data into actionable intelligence, allowing you to see the big picture and the fine details of any email-borne attack.
Full Technical Definition
Threat Explorer is a real-time, interactive reporting tool within the Microsoft 365 Defender portal, specifically designed for investigating and responding to email-borne threats detected by Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or ATP). It provides security analysts with a comprehensive view of threat data, including malware, phishing, spam, and malicious URLs. The tool uses the Microsoft 365 security graph and data from the Exchange Online Protection (EOP) and Defender for Office 365 pipelines. It ingests telemetry from millions of email transactions, applying multiple layers of machine learning and heuristic analysis to classify threats.
At its core, Threat Explorer operates on a powerful backend that indexes email events and threat verdicts. When an email traverses the Microsoft 365 transport pipeline, it is scanned by several engines: the Malware Engine, the Safe Attachments engine (which detonates attachments in a sandbox), the Safe Links engine (which time-of-click scans URLs), and the Anti-Phishing engine (which checks for impersonation). Each of these engines produces verdicts (e.g., Malicious, Suspicious, Clean) and detailed findings. These findings are stored in a time-series database optimized for rapid querying. Threat Explorer allows analysts to query this database using a rich set of filters, including Email sender, Recipient, Sender domain, Sender IP, Subject, File name, File hash, URL, Threat type (e.g., Malware, Phish, Spam), Detection technology (e.g., Machine Learning, Reputation, Sandbox), Delivery action (e.g., Delivered, Quarantined, Blocked), and User-reported feedback (e.g., Phish, Junk, Not Junk).
The interface provides both a tabular view and a chart view. The tabular view lists individual email messages with their detection details. You can select multiple rows and take bulk actions like deleting messages, moving them to quarantine, or triggering a report submission. The chart view aggregates data over time, showing trends in threat volumes, top senders, top recipients, and threat categories. This is particularly useful for identifying ongoing campaigns or sudden spikes. Threat Explorer also supports advanced hunting scenarios through its API, allowing integration with SIEM (Security Information and Event Management) systems. The data retention period for Threat Explorer is typically 30 days for real-time queries, though historical reports can be generated for longer periods (up to 30 days) depending on the license.
A critical feature is the 'View email' capability, which shows the original email headers and body in a sanitized format. This allows analysts to inspect the email without the risk of executing malicious content. The tool also provides a 'Timeline' view for a specific email, showing a chronological sequence of events: when the email was sent, when it was received, when it was scanned, what verdicts were assigned, and any subsequent user actions (e.g., user clicked a link, user reported as phish). This timeline is invaluable for incident response, as it helps reconstruct the entire attack lifecycle. Threat Explorer integrates with Microsoft Defender for Identity and Microsoft Defender for Endpoint, allowing cross-correlation of email threats with endpoint activities. For example, if a user clicks a malicious link in an email, Threat Explorer can show that event, and Defender for Endpoint can show the subsequent process execution on the user's device. This unified view is central to the Microsoft 365 Defender ecosystem.
Another important aspect is the 'Role-based access control (RBAC)'. Not all users in the organization can access Threat Explorer. Permissions are managed through roles like 'Organization Management', 'Security Administrator', 'Security Reader', and 'View-Only Recipients' in the Microsoft 365 Defender portal. This ensures that only authorized personnel can investigate and take remediation actions. Threat Explorer is a pillar of the SOC (Security Operations Center) workflow for M365, providing the necessary visibility to detect, investigate, and respond to email-based attacks in real time. It is not a static report but an interactive investigation console that evolves with the threat landscape.
Real-Life Example
Think of Threat Explorer like the dashboard of a high-tech security command center in a large office building. The command center has a giant screen that shows every delivery that comes into the building: packages, letters, and couriers. Each delivery is scanned by sensors at the loading dock, and the dashboard logs everything. Now, suppose the security team hears a rumor that a package containing something dangerous might be heading to the finance department. Without a dashboard, they would have to physically check every package, ask every guard, and search through piles of paper logs. That would take hours or days.
With Threat Explorer, the security team can sit at the dashboard and type 'Finance Department' into the search bar. Instantly, the screen shows all deliveries destined for that floor in the last 48 hours. They can filter by 'high risk' sensors that flagged items with suspicious weights or shapes. They see a specific package from an unknown sender that was flagged by the 'X-ray machine' (think Safe Attachments sandbox). The dashboard shows the sender's address, the recipient's name, the time of delivery, and even a photo of the package (like the email body preview). The team can then click a button to 'retrieve and hold' the package (quarantine the email) from the finance department's mailroom before anyone opens it. They can also see a timeline: the package was logged at 10:00 AM, scanned at 10:01 AM, flagged as risky at 10:02 AM, and is still sitting in the mailroom. This complete visibility allows the team to act quickly and confidently.
In the digital world, Threat Explorer does exactly this for email. It gives the security team a unified view of every email that entered the organization, its threat status, its journey, and the ability to take immediate action. The dashboard transforms a chaotic flood of email data into an organized, searchable, and actionable interface. Without it, investigating a phishing campaign would be like searching for a needle in a haystack by hand. With Threat Explorer, the haystack is digitized, sorted, and the needles are automatically flagged, allowing the team to focus on the real threats.
Why This Term Matters
In any organization using Microsoft 365 for email, email is the primary vector for cyberattacks, including ransomware, phishing, and business email compromise. A single successful phishing email can lead to data breaches, financial loss, and reputational damage. Threat Explorer is critical because it provides the visibility needed to detect and respond to these threats quickly. Without it, security teams are blind to the details of what emails are being delivered, who is being targeted, and what actions users are taking. They might rely on static reports that show aggregate numbers, but those reports don't allow for deep investigation or immediate remediation.
Threat Explorer enables proactive hunting. Instead of waiting for a user to report a phishing email, analysts can pro-actively search for emails with specific indicators of compromise (IOCs) like malicious URLs or file hashes. They can track the success of an attack by seeing which recipients clicked on a malicious link. They can then take action to delete those emails from all affected mailboxes and block the sender. This reduces the dwell time of threats and minimizes potential damage. Threat Explorer provides detailed reporting for compliance and audit purposes. If a breach occurs, the security team can use Threat Explorer to generate a timeline of events, showing exactly which emails were involved, what actions were taken, and who was affected. This is often required for incident reports and regulatory compliance (e.g., GDPR, HIPAA).
For IT professionals managing Microsoft 365, Threat Explorer is a standard tool in their security toolkit. It is not just for large enterprises; small and medium businesses also benefit from its capabilities, as it is included in many Microsoft 365 plans (like E3 and E5). Understanding how to use Threat Explorer is a core skill for roles like Security Administrator, SOC Analyst, and IT Support Specialist. It directly impacts the security posture of the organization by enabling faster incident response, better threat intelligence, and more effective security operations.
How It Appears in Exam Questions
Exam questions involving Threat Explorer typically fall into scenario-based or tool-identification formats. A common question type presents a security incident and asks which tool in Microsoft 365 should be used for investigation. For example: 'An IT security analyst has identified a phishing campaign targeting the executive team. The analyst needs to view all emails related to this campaign, including sender details, delivery status, and user interactions (like clicks on a malicious link). Which tool should be used?' The answer is Threat Explorer. The question might also specify that the organization uses Microsoft Defender for Office 365 P1 or P2 license, as P2 includes the full capabilities of Threat Explorer with the 'Investigation' tab.
Another pattern involves troubleshooting. A question might state that an administrator is trying to find emails that were detected as malware but were still delivered to user inboxes (a common scenario with Zero-Hour Auto Purge or ZAP not working perfectly). The administrator needs to filter for emails with 'Malware' threat type and 'Delivered' delivery status. The exam may ask what feature allows this level of filtering. The answer is Threat Explorer. The question may also include a step like 'Use the Threat Explorer to identify the specific emails and then manually delete them from the affected mailboxes'.
Questions may also test understanding of the difference between Threat Explorer and other tools. For instance, 'What is the primary difference between Threat Explorer and the Audit Log in Microsoft 365?' The correct response would be that Threat Explorer focuses on investigating threats detected by Defender for Office 365, including email payloads and user actions, while the Audit Log records administrative activities and login events. Another question might contrast Threat Explorer with the 'Quarantine' view. While Quarantine shows only emails that were blocked, Threat Explorer shows all detected threats, including those that were delivered, and allows for deeper investigation and bulk actions.
some questions may ask about the types of data displayed in Threat Explorer, such as 'Which of the following is NOT a filter available in Threat Explorer?' Options might include Sender IP, Recipient, Threat Type, and File Hash. The examiner wants you to know that all of these are valid filters. A distractor might be 'Calendar ID', which is not relevant. Finally, performance-based questions (lab simulations) in exams like MS-102 might require you to navigate the Microsoft 365 Defender portal to Threat Explorer, perform a search using specific criteria (e.g., 'Find all emails sent by a specific user that were detected as phishing in the last 7 days'), and then take an action like 'Quarantine the messages'. Understanding the exact user interface workflow is crucial for these types of questions.
Practise Threat Explorer Questions
Test your understanding with exam-style practice questions.
Example Scenario
Imagine you are a security administrator for a mid-sized company that uses Microsoft 365. One morning, you get an alert from the security team: several users in the accounting department have received an email claiming to be from the CEO, asking them to urgently wire a payment to a new vendor. The email looks suspicious, and the CFO has already called you, worried that someone might have clicked the link.
You need to act fast. You log into the Microsoft 365 Defender portal and navigate to 'Email & collaboration' > 'Threat Explorer'. You want to see all emails from the last 24 hours that are related to this attack. You set the filter for 'Threat type' as 'Phish' and for 'Sender domain' as the domain you suspect (maybe 'ceo-support.com' or something similar). You also add a filter for 'Recipients' to include the accounting department's usernames. The results populate quickly, showing 12 emails delivered to various users. You can see that 3 users have already clicked on the link (the 'Clicked' column shows 'True'). You need to take immediate action.
You select all 12 emails from the list. From the 'Actions' dropdown, you choose 'Delete messages'. This will permanently remove the emails from those users' inboxes, preventing any further clicks. For the 3 users who already clicked, you escalate the incident. You also use the 'Add action' button to submit the emails to Microsoft for analysis, which helps improve future detection. Then, you go to the 'Timeline' view for one of the clicked emails. You see that the user clicked the link at 9:15 AM, and Defender for Office 365 blocked the malicious site via Safe Links, so the user saw a warning page. This is good news. You also see that no further malicious activity was detected on the user's endpoint. You use this information to build a complete timeline for your incident report.
This scenario demonstrates how Threat Explorer is used in a real-world incident. It is not just for passive monitoring; it is an active investigation and remediation tool that enables a rapid, coordinated response to email-borne threats. Without Threat Explorer, you would have to manually search through audit logs, ask users if they received the email, and use separate tools to delete messages. It would take significantly longer and be more error-prone.
Common Mistakes
Thinking Threat Explorer is the same as the Microsoft 365 Audit Log.
The Audit Log records administrative activities and user actions (like creating a mailbox), while Threat Explorer is specifically for investigating email threats detected by Defender for Office 365. They serve different purposes and show different data.
Remember: Audit Log = who did what in the admin center. Threat Explorer = what bad emails came in and what happened to them.
Believing Threat Explorer only shows threats that were blocked or quarantined.
Threat Explorer actually shows all emails that were detected as threats, including those that were delivered to the user's inbox. It allows you to see threats that bypassed initial filters (like malware that was detected after delivery).
Threat Explorer shows both 'Delivered' and 'Quarantined' threats. Use the delivery action filter to see what actually reached users.
Assuming Threat Explorer is available in all Microsoft 365 plans.
Threat Explorer is primarily available with Microsoft Defender for Office 365 Plan 2 (included in E5, A5, G5) and some add-on licenses. It is not available in basic E3 licenses without the Defender add-on. Some features are also available in Plan 1 but with limitations.
Check your organization's license. If you have E3, you likely need the Defender for Office 365 Plan 2 add-on to access full Threat Explorer capabilities.
Using Threat Explorer to investigate user login activity or app permissions.
Threat Explorer focuses exclusively on email threats (malware, phish, spam). It does not provide information about user sign-ins, Azure AD events, or app grants. For those, you need the Azure AD sign-in logs or the Microsoft 365 Audit Log.
Match the tool to the data: Email threats -> Threat Explorer. User logins -> Azure AD Sign-in logs. Admin actions -> Audit Log.
Thinking that the 'Delete messages' action in Threat Explorer only removes the email from your own mailbox.
The 'Delete messages' action in Threat Explorer is a bulk remediation action that can remove the email from all affected mailboxes in the organization. It is a powerful, organization-wide cleanup tool, not a personal action.
When you have an admin role, the delete action in Threat Explorer targets all selected emails across all users. It is a global cleanup tool.
Confusing Threat Explorer with the 'Quarantine' page in the Defender portal.
The Quarantine page shows only emails that were blocked and quarantined. Threat Explorer shows all detected threats, including those that were delivered. Threat Explorer also provides richer investigation capabilities like timeline, user actions, and bulk actions.
Threat Explorer is for investigation and deep diving. Quarantine is for reviewing and releasing blocked items. Use Explorer first, then Quarantine if you need to release a blocked email.
Exam Trap — Don't Get Fooled
{"trap":"A question states: 'An administrator needs to investigate a spear-phishing attack. Which tool should they use?' Options include: Audit Log, Threat Explorer, Azure AD Sign-in logs, and the Security & Compliance Center (legacy).
Some learners choose Audit Log because they think 'investigate' means 'look at logs'.","why_learners_choose_it":"Learners often see the word 'log' and think 'Audit Log' is the go-to for any investigation. They may not fully understand that Audit Log is for admin actions, not email threat data."
,"how_to_avoid_it":"Remember: 'Investigate a spear-phishing attack' is a clear indicator of an email threat. The tool designed for email threat investigation is Threat Explorer. Audit Log is for changes to configurations, not for looking at actual email threats.
When you see 'phishing', 'malware', 'email threat', think Defender for Office 365 tools, specifically Threat Explorer."
Commonly Confused With
The Audit Log tracks administrative actions (like creating a user, adjusting a policy) and user activities (like viewing a file), but it does not show the content or threat analysis of emails. Threat Explorer focuses specifically on email threats, showing the email itself and its detection details. Audit Log is for compliance and change tracking, Threat Explorer is for security investigation.
If you need to see who deleted a mailbox, use Audit Log. If you need to see the email that was deleted because it was malware, use Threat Explorer.
Quarantine is a storage location for emails that were blocked and held for review. Threat Explorer is the investigation tool that can also show emails that were not quarantined (delivered). You can use Threat Explorer to find emails and then take action to quarantine them. Quarantine is a destination, Threat Explorer is a search engine with actions.
The Quarantine page shows only the emails that were already blocked. Threat Explorer shows all threats (blocked and delivered) and allows you to filter and take action.
Alert policies generate notifications when certain threats are detected (e.g., a user clicks a malicious link). Threat Explorer is where you go to investigate the details of those alerts. The alert tells you something happened; Threat Explorer shows you exactly what happened, including the email, the user, and the timeline.
An alert says 'A user clicked a malicious link'. You then open Threat Explorer, filter for that user and time, and see the specific email and link details.
Safe Links is a detection engine that scans URLs at time-of-click to protect users from malicious sites. Threat Explorer is the reporting and investigation interface that shows the results of Safe Links actions, along with other protection engines. Safe Links is the protector, Threat Explorer is the reviewer.
Safe Links blocks a user from accessing a malicious URL. Threat Explorer shows you that the URL was blocked, which user was involved, and when it happened.
Mail flow reports in Exchange admin center show statistics about email delivery, like messages sent, received, and failed. They focus on volume and delivery issues. Threat Explorer focuses on security threats and provides detailed investigation capabilities, including user actions and file analysis.
Mail flow reports help you see if a lot of emails are bouncing. Threat Explorer helps you see if those bounced emails were actually phishing attempts.
Step-by-Step Breakdown
Accessing Threat Explorer
Log into the Microsoft 365 Defender portal (https://security.microsoft.com). Navigate to 'Email & collaboration' then 'Threat Explorer'. This is the default landing page for investigating email threats. You need appropriate permissions, such as being a member of the Security Administrators or Security Readers role.
Choosing the Scope (View)
At the top, you can choose between 'All email', 'Malware', 'Phish', 'Spam', or 'Content' filters. You can also switch between 'Explorer' and 'Real-time detections' (the latter shows only data from the last 30 minutes to 2 hours and is less detailed). For most investigations, use 'Explorer' to get full history (up to 30 days).
Setting Filters
Use the filter bar to narrow down results. You can filter by date range, sender, recipient, subject, sender IP, threat type, detection technology, delivery action (delivered, quarantined, etc.), user actions (clicked, reported), and more. Combine multiple filters to isolate specific threats. For example, 'Threat type = Phish' + 'Delivery action = Delivered' + 'Recipient = user@company.com'.
Reviewing the Results List
The results appear in a table. Each row is an email message. Columns show Subject, Sender, Recipients, Delivery action, Threat type, Detection technology, and additional columns like 'Clicked' or 'Reported'. You can sort columns and click on an email to see more details.
Inspecting an Email
Click on any email row. A flyout panel opens. You can see the email metadata (body preview, headers) and the detection details. The 'Timeline' tab shows a chronological view of events related to this email: when it was sent, received, scanned, verdict assigned, and any user interactions (clicks, report). The 'File' tab shows attachments and their analysis results. The 'URLs' tab shows embedded links and their verdicts (blocked, allowed).
Taking Bulk Actions
Select multiple emails (checkboxes) or select all (top checkbox). From the 'Actions' dropdown above the list, choose 'Delete messages' to permanently remove the emails from user mailboxes. You can also choose 'Move to quarantine', 'Report as clean', or 'Send for analysis'. This is a powerful remediation step applied globally.
Creating a Custom Alert or Logic
You can use the 'Add filter' options to create a specific query and then 'Save query' for future use. You can also click 'Create alert rule' to set up an automated alert when similar threats occur again. This moves from reactive investigation to proactive detection.
Exporting Data
For reporting or further analysis, click 'Export' to download the results as a CSV file. This is useful for creating incident reports or importing data into a SIEM tool. The export includes all the selected fields from the current view.
Investigating User Actions
Use the 'User actions' filter (e.g., 'User clicked' or 'User reported') to see which users actually interacted with a threat. This is critical for determining the impact of a phishing campaign. The 'Clicked' column shows true/false, and you can drill down to see the specific link and timestamp.
Using Chart View for Trends
Click on the 'Chart' tab to see an aggregated view of the data over time. You can see how many threats of a certain type occurred per day, top senders, top recipients, etc. This is good for identifying ongoing attack campaigns or spikes in specific threat types.
Practical Mini-Lesson
To become truly effective with Threat Explorer, you need to understand its role in the incident response lifecycle. It is not just a reporting tool but an active investigation console. Here is a deeper look at how professionals use it in practice.
First, understand the underlying data. Threat Explorer pulls from two main sources: the email pipeline data (from EOP and Defender for Office 365) and user feedback (from the Outlook Report Message add-in). The email pipeline data includes verdicts from all detection engines. User feedback is critical because it shows what end users think is suspicious. When a user reports a message as phishing using the Report Message button, that feedback appears in Threat Explorer under 'User actions' as 'Reported as phish'. This is a powerful input for identifying threats that might have bypassed automatic detection.
Configuration context matters. Threat Explorer's effectiveness depends on the proper configuration of Defender for Office 365 policies. For example, Safe Links and Safe Attachments policies must be enabled and scoped to the correct users. If policies are misconfigured, threats may not be detected, and Threat Explorer will not show them. Always verify that the protection settings are active. Also, ensure that the 'Report Message' add-in is deployed to users, as this enriches Threat Explorer data with human intelligence.
What can go wrong? One common issue is that data in Threat Explorer is not real-time. There is typically a delay of 5 to 15 minutes for email event data to appear. For very recent events, use the 'Real-time detections' view. Another issue is permissions. Users who are not in the correct security role will see a blank page or an error. Assign the 'Security Reader' role if the user only needs to view data, and 'Security Administrator' if they need to take actions like deleting emails.
Another advanced usage is integrating Threat Explorer with automated investigation and response (AIR) capabilities in Microsoft 365 Defender. When you identify a threat in Explorer, you can manually initiate an investigation that uses automated playbooks to remediate the threat at endpoints, identities, and email. This is a best practice for modern SOC workflows. For example, if you see that a user clicked a malicious link, you can trigger an investigation that automatically collects the email, checks the endpoint for malware, and resets the user's password if needed.
Professionals also use Threat Explorer to measure the effectiveness of their security policies. By reviewing emails that were 'Delivered' with a 'Malware' verdict, they can identify weaknesses in their filters and adjust policies accordingly. Similarly, they can use the 'Spam' view to see if legitimate emails are being incorrectly marked as spam (false positives) and release them from quarantine. This is a continuous tuning process.
Finally, master the export functionality. For incident reporting, export the data to CSV and include it in your post-incident report. Use the 'Chart' view to create visualizations for management. For example, a chart showing the trend of phishing emails over the past 30 days communicating the security posture of the organization. This transforms technical data into business intelligence.
Core Functionality of Threat Explorer in Microsoft 365 Defender
Threat Explorer is a real-time, interactive reporting and investigation tool within the Microsoft 365 Defender portal, specifically designed for security analysts and administrators to investigate threats related to email, collaboration tools, and endpoints. It provides a granular view of data across Microsoft 365 workloads, including Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. The core purpose of Threat Explorer is to allow security teams to query, filter, and analyze threat intelligence data, such as malware detections, phishing attempts, and suspicious email flows, over a customizable time window of up to 30 days.
At its heart, Threat Explorer operates by aggregating telemetry from Microsoft's threat protection stack, which includes Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Defender for Identity. This integration enables a unified investigation experience. For example, if a user receives a phishing email that bypasses initial filters, Threat Explorer can be used to trace the email's origin, identify if the user clicked any malicious links, and determine if any subsequent lateral movement occurred on the endpoint. The data is presented through a pivot-table-like interface, allowing analysts to drill down by sender, recipient, subject, detection technology, or verdict (e.g., malicious, suspicious, clean).
A key differentiator of Threat Explorer is its capability to perform post-delivery actions. Analysts can directly take remediation steps from within the tool, such as moving emails to quarantine, deleting messages from users' mailboxes, or triggering a mailbox search for related threats. This reduces the response time from detection to containment. For exam contexts such as the AWS SAA, ISC2 CISSP, or CompTIA Security+, understanding how Threat Explorer fits into an organization's incident response workflow is crucial. It is not just a reporting tool but an active component of Microsoft's security operations center (SOC) stack, often tested in scenarios where a security administrator must rapidly investigate and remediate a widespread email-based attack.
Threat Explorer also supports advanced hunting queries through the Microsoft 365 Defender advanced hunting portal, but its native interface is more accessible for immediate investigations. The tool integrates with role-based access control (RBAC), ensuring that only authorized personnel can view sensitive threat data. For exams like the MS-102 or SC-900, candidates are expected to know that Threat Explorer is available only with specific licenses, such as Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. Overall, Threat Explorer is a cornerstone tool for proactive threat hunting and reactive incident response in modern enterprise environments.
Understanding Data Filters and Views in Threat Explorer
Threat Explorer provides a robust set of filters and views that allow security analysts to narrow down massive datasets into actionable intelligence. The primary views include Malware, Phish, Submissions, and All email. Each view pre-applies relevant filters. For instance, the Malware view shows only emails detected with malware attachments or embedded malicious code, while the Phish view focuses on phishing attempts identified by various detection technologies like machine learning models or URL detonation.
Filters in Threat Explorer are categorized into essential and advanced groups. Essential filters include time range (up to 30 days), delivery action (e.g., delivered, blocked, quarantined), file type, sender domain, recipient domain, and detection technology. Advanced filters allow for granular segmentation, such as by system override (user allowed a block), email authentication status (SPF, DKIM, DMARC), or specific threat names. For example, in an exam scenario, a candidate might be asked to identify which filter would show emails that were delivered but later classified as malicious due to a detection upgrade, a scenario that uses the 'ZAP' (Zero-Hour Auto Purge) status filter.
The interface uses a pivot table format where analysts can drag and drop fields to create custom reports. Common columns include Subject, Sender, Recipients, Date, Detected by, and Status. One powerful feature is the ability to create a 'Query' using the 'Advanced Filter' button, which supports complex conditions like 'Sender domain contains example.com AND Detection technology is 'Advanced filter'. This is distinct from the simpler 'Quick Filter' at the top. For the AWS SAA, understanding cloud-native filtering tools is beneficial, but Threat Explorer's approach is specifically tied to Microsoft's ecosystem, which is critical for the MD-102 and MS-102 exams covering device and identity management.
Another important aspect is the 'Email entity' page, which can be accessed by clicking on a specific email in the results. This page provides a deep dive, including the email timeline, authentication details, attachment analysis, and any URL clicks. This granular view is often tested in CISSP or CySA+ scenarios where an analyst needs to prove the chain of events leading to a security incident. Knowing how to filter by 'Phish simulation' is also vital for exams, as it distinguishes real threats from internal training exercises, a common misconfiguration pitfall.
Remediation Actions Available in Threat Explorer
One of Threat Explorer's most powerful capabilities is its integration of remediation actions directly within the investigation interface. When a security analyst identifies a malicious email, they can take immediate action without navigating to separate admin centers. The primary actions include 'Move to inbox', 'Move to junk', 'Move to deleted items', and 'Quarantine'. However, the most impactful actions are 'Hard delete' (permanently removes the email from the mailbox) and 'ZAP' (Zero-Hour Auto Purge) which retroactively pulls emails from all users' mailboxes that match a threat definition.
Threat Explorer also supports bulk actions. For example, if a phishing campaign targets thousands of users, an analyst can select all matching emails and issue a single 'Quarantine' command. This is a critical feature for reducing response time during large-scale attacks. In exam scenarios for MS-102 or SC-900, candidates are often asked how to remediate a zero-day malware outbreak. The correct answer often involves using Threat Explorer to filter by malware family and then performing a 'Hard delete' across all affected mailboxes, followed by using advanced hunting to check for endpoint compromise.
Another essential remediation capability is 'Release quarantine' but with forensic preservation. Threat Explorer allows analysts to release emails for investigation while keeping a copy for evidence. This is crucial for incident response teams that need to analyze malicious attachments without losing the original sample. The tool also provides an 'Action center' where all remediation actions are logged, and administrators can monitor the success or failure of each action. For the ISC2 CISSP or CySA+ exams, understanding the concept of 'automated remediation' and how Threat Explorer provides a manual but efficient workflow is important.
Threat Explorer integrates with Microsoft 365 Defender's 'Incidents' feature. When an email is moved to quarantine via Threat Explorer, it automatically creates or updates an incident, linking the email investigation to the broader attack profile. This is highly tested in scenarios where an organization uses a combination of tools. For the AZ-104 exam, which focuses on Azure administration but includes security overlap, understanding how Threat Explorer's actions trigger Azure AD conditional access or compliance policies can be relevant. The ability to 'Submit to Microsoft' for analysis of a false positive is another remediation action that security administrators must know, as it impacts the organization's security posture.
Threat Explorer Performance Monitoring and Limitations
While Threat Explorer is a powerful tool, it has specific performance considerations and limitations that any security professional must understand. The data latency is near real-time, typically within 5 to 15 minutes from email processing to appearing in Threat Explorer reports. However, during peak usage or high-volume attacks, latency can extend to 30 minutes. For time-sensitive investigations, this delay can be critical. In exam contexts for Security+ or CySA+, candidates are often tested on the trade-off between real-time detection tools like Threat Explorer and other reactive tools like mailbox auditing.
Another performance aspect is the pivot table rendering. Threat Explorer can handle large datasets, but when filtering millions of emails, the interface may take several seconds to load. Microsoft recommends using the 'Advanced Filter' to narrow down results before running the query. For example, instead of viewing all emails in the last 30 days, filter by a specific sender domain or detection technology first. This is a practical skill tested in the MS-102 exam, where administrators must demonstrate efficient use of resources.
Limitations include the maximum retention period of 30 days for data in Threat Explorer. Any investigation requiring older data must use the 'Email security' report in the Microsoft 365 Defender or export data to an external SIEM like Azure Sentinel. Threat Explorer only shows data for users with valid Microsoft Defender for Office 365 licenses (Plan 2 for full functionality). For organizations with mixed licensing, some mailboxes may be invisible, leading to incomplete investigations. This is a common trick question in the SC-900 exam.
Monitoring Threat Explorer itself involves checking the 'Health' section in the Defender portal, which shows if Threat Explorer is indexing data correctly. Another limitation is that Threat Explorer does not show data from on-premises Exchange unless hybrid modern authentication is fully configured. For the AZ-104 exam, which covers hybrid identity, understanding this limitation is important when troubleshooting security incidents in hybrid environments. Finally, Threat Explorer's role in compliance is limited-it does not track access to emails for privacy purposes, which is governed by Microsoft Purview. This distinction is often tested in the AWS SAA (which compares cloud security tools across providers) or CISSP (which covers governance and compliance).
Troubleshooting Clues
Threat Explorer Not Showing Data
Symptom: The Threat Explorer page loads but displays 'No data available' for all filters, even with known malicious emails.
This often occurs because the user's mailbox is not licensed for Microsoft Defender for Office 365 Plan 2, or the data retention period has expired (over 30 days). Another cause is that the user has no permissions to view the specific mailbox or tenant data.
Exam clue: Exam questions (e.g., SC-900) test that Threat Explorer requires specific licensing and RBAC; an unlicensed mailbox will yield no data.
Threat Explorer Query Returns Timeout Error
Symptom: When running a broad query (e.g., all emails in last 30 days), the tool throws an error 'Query timed out' or the browser becomes unresponsive.
This happens because the dataset is too large for the pivot table to render within the default timeout (typically 60 seconds). The query engine has limits on the number of rows processed.
Exam clue: In MS-102 exams, candidates must know to use advanced filters to narrow down results (e.g., by detection technology) before running the query.
Remediation Action Fails with 'Insufficient Privileges'
Symptom: When trying to quarantine or delete emails, the action fails with an error 'You do not have permission to perform this action'.
This is due to role-based access control (RBAC). The user must have the 'Execute remediation actions' permission, which is part of the 'Security Operator' or 'Security Administrator' roles. Lower roles like 'Helpdesk' cannot execute actions.
Exam clue: The AZ-104 and CISSP exams test RBAC concepts; understanding that remediation requires specific roles is a classic question.
Threat Explorer Shows Duplicate Entries for Same Email
Symptom: The same email appears multiple times in the results, often with different detection technologies or timestamps.
This can occur when multiple detection engines (e.g., anti-malware, anti-phish, URL detonation) each generate separate events for the same email. Threat Explorer sometimes merges them, but duplicates may appear if the email was reprocessed after a ZAP action.
Exam clue: In CySA+ or Security+ exams, understanding that multiple detection layers can produce separate logs is crucial for accurate incident analysis.
ZAP Action Not Removing Emails from Inboxes
Symptom: After executing a ZAP (Zero-Hour Auto Purge) action, some users report that the malicious email remains in their inbox.
ZAP may fail if the user's mailbox is on hold (litigation or retention hold), or if the email was already moved by a different compliance policy. ZAP only works on emails that were delivered; it cannot affect items already deleted.
Exam clue: The MS-102 and SC-900 exams test ZAP limitations; knowing that retention holds block ZAP is a common trick question.
Threat Explorer Cannot See On-Premises Mailbox Data
Symptom: When filtering by a user with an on-premises Exchange mailbox, no data appears, though cloud mailboxes show results.
Threat Explorer exclusively works with cloud-hosted mailboxes (Exchange Online). On-premises mailboxes require hybrid configuration with mail flow through Exchange Online Protection (EOP) to be visible. Without that, no telemetry is sent.
Exam clue: In AZ-104 and MD-102 exams, this highlights the importance of hybrid deployment for security tools to function fully.
Threat Explorer Reports Inconsistent with Advanced Hunting
Symptom: Running a similar query in Advanced Hunting yields different results compared to Threat Explorer for the same time range.
Threat Explorer uses a slightly different data schema and may have a 5-15 minute latency compared to near-real-time advanced hunting tables. Also, Threat Explorer applies default filters (e.g., excludes system-generated messages) that advanced hunting does not.
Exam clue: The CISSP and CySA+ exams test understanding of tool limitations; candidates should know that discrepancy can be due to schema or latency differences.
Threat Explorer Filters Not Applying Correctly
Symptom: When setting a filter for a specific detection technology (e.g., 'Advanced filter'), the results still show emails from other technologies.
This likely occurs because the filter is applied at the wrong level. In the pivot table, filters must be set on the correct column header, and 'AND' conditions must be configured properly. A common mistake is using 'OR' instead of 'AND' for multiple criteria.
Exam clue: In MS-102 exams, practical filter logic is tested; understanding how to combine filters correctly is a hands-on skill.
Memory Tip
Think 'TE brings the E (email) to light.' Explorer is where you explore email threats; Audit is where you audit admin actions.
Learn This Topic Fully
This glossary page explains what Threat Explorer means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Quick Knowledge Check
1.Which license is required for a user's mailbox to appear in Threat Explorer results?
2.A security analyst finds a malicious email delivered to 500 users. What is the most efficient remediation action in Threat Explorer?
3.Your Threat Explorer query times out when viewing all emails from the last 30 days. What should you do first?
4.Why might a ZAP (Zero-Hour Auto Purge) action fail to remove a malicious email from a user's mailbox?
5.An analyst observes that Threat Explorer shows no data for an on-premises mailbox user. What is the most likely cause?
6.What role must a user have to execute remediation actions in Threat Explorer?
7.How do duplicate entries for the same email appear in Threat Explorer?