This chapter covers the Microsoft 365 Threat Analytics Dashboard, a critical tool for identifying and investigating security threats across your Microsoft 365 environment. On the MS-102 exam, this topic falls under Domain 3 (Security Threats), Objective 3.2: Analyze threats using the Threat Analytics dashboard. Approximately 5-8% of exam questions will test your knowledge of this dashboard, its data sources, severity levels, and how to use it in incident response. You will need to understand not just how to navigate the dashboard, but how to interpret the threat intelligence it surfaces and how it integrates with Microsoft Defender for Office 365 and Azure Active Directory.
Imagine a corporate security operations center (SOC) that monitors 10,000 employees across 50 cities. Each employee has a badge that logs entry and exit times, and every door has a sensor that reports when it is opened. The SOC has a giant digital map showing all buildings in real time. Normally, the map is green. But if an employee enters a building at 3 AM when they have no shift, the sensor sends an alert, and the map flashes yellow for that building. If three employees in different cities badge into the same restricted server room within 5 minutes, the map turns red and an automated incident response kicks in: cameras zoom in, the system locks the doors, and a supervisor is paged. The SOC analysts don't manually watch every door; they rely on the map to highlight suspicious patterns. The Threat Analytics Dashboard is that digital map for Microsoft 365. It ingests signals from Exchange Online, SharePoint, Azure AD, and Microsoft Defender for Office 365. Instead of door sensors, it uses telemetry like failed logins, unusual file downloads, and phishing email reports. The dashboard aggregates these signals into a single view, applies Microsoft's threat intelligence to score risks, and surfaces the most critical threats. Just as the SOC map uses color coding (green/yellow/red) to prioritize attention, the dashboard uses severity levels (Informational, Low, Medium, High, Critical). And just as the SOC can drill into a red building to see which specific door triggered the alert, an admin can click on a threat to see the exact user, IP address, and activity that caused the alert. The dashboard doesn't stop threats by itself — it equips the admin to take action, like blocking a user or isolating a device, just as the SOC supervisor locks the door and pages security.
What Is the Threat Analytics Dashboard?
The Threat Analytics dashboard is a centralized view within the Microsoft 365 Defender portal (security.microsoft.com) that provides real-time visibility into active threats detected across your Microsoft 365 tenant. It is not a separate product but a feature of Microsoft Defender for Office 365 Plan 2 (or higher) and Microsoft 365 E5. The dashboard aggregates threat intelligence from multiple sources, including Exchange Online Protection (EOP), Microsoft Defender for Office 365, Azure Active Directory Identity Protection, and Microsoft Threat Intelligence. Its primary purpose is to help security administrators quickly identify, prioritize, and respond to threats such as malware, phishing, compromised accounts, and data exfiltration.
How It Works Internally
The Threat Analytics dashboard operates by collecting and correlating telemetry from various Microsoft 365 workloads. Here is the step-by-step mechanism:
Data Ingestion: Each workload (Exchange Online, SharePoint Online, Teams, Azure AD) generates security events. For example, Exchange Online logs email delivery events, malware detections, and spam classifications. Azure AD logs sign-in attempts, risky sign-ins, and user risk events. These events are sent to a unified backend service called the Microsoft 365 Security Graph.
Threat Scoring: The Security Graph applies machine learning models and rule-based heuristics to assign a severity level to each threat. The severity is determined by factors such as the type of threat (malware vs. phishing), the number of affected users, the confidence level of the detection, and whether the threat is actively spreading.
Aggregation and Correlation: The dashboard groups related alerts into incidents. For instance, if a user clicks a phishing link and then downloads malware, those two events are correlated into a single incident. The correlation engine uses entity graphs that link users, devices, IP addresses, and email messages.
Presentation: The dashboard displays threats in a sortable table with columns for severity, detection technology, affected users, and status. It also includes a summary bar showing total threats, critical threats, and threats requiring action. Each row can be expanded to see details such as the threat family, attack vector, and recommended actions.
Key Components, Values, Defaults, and Timers
Severity Levels: Informational (no action needed), Low (minor risk, e.g., a single spam email), Medium (requires investigation, e.g., a phishing campaign targeting multiple users), High (likely compromise, e.g., malware detected on a device), Critical (confirmed compromise or active attack, e.g., ransomware detected).
Detection Technologies: The dashboard categorizes threats by detection source: Anti-malware engine (Microsoft Defender AV), Anti-phishing (EOP), Safe Attachments, Safe Links, Anti-spam, and Azure AD Identity Protection.
Time Range: By default, the dashboard shows threats from the last 7 days. You can filter to 24 hours, 48 hours, or a custom date range up to 30 days.
Data Retention: Threat data is retained for 30 days in the dashboard. For longer retention, you must export or use Microsoft 365 audit logs.
Update Frequency: The dashboard refreshes every 15 minutes. Manual refresh is available via the Refresh button.
Maximum Threats Displayed: The dashboard shows up to 1000 threats at a time. Use filters to narrow results.
Configuration and Verification Commands
While the Threat Analytics dashboard is primarily GUI-based, you can use PowerShell to retrieve threat data for automation or reporting. The relevant cmdlets are part of the Exchange Online Protection PowerShell module.
Example: Get threat data for the last 7 days
Get-ThreatDetectionReport -ReportType ThreatDetection -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)

To get detailed malware detections:

Get-MailDetailMalwareReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)

For Azure AD Identity Protection events:

Get-AzureADIdentityProtectionRiskyUser

To verify the dashboard is receiving data, check the Microsoft 365 Defender portal at https://security.microsoft.com/threatanalytics. If no data appears, ensure you have the required license (Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5) and that auditing is enabled for the tenant.
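Added here as a worked example (not code from the original page or from Microsoft): a PowerShell function that turns the malware detail report into a per-family summary for the 7-day reporting window above, so the affected-user count and spread that drive severity are visible at a glance. It assumes the records carry Date, SenderAddress, RecipientAddress, MalwareName and FileName properties (assumed names; check them against your cmdlet output) and that the ExchangeOnlineManagement module is installed for the live call at the end.

```powershell
# Added example, not from the original page: summarize malware detections per family.
# Assumed record properties: Date, SenderAddress, RecipientAddress, MalwareName, FileName.

function Get-MalwareFamilySummary {
    # Groups detection records by malware family and reports how widely each one
    # spread (distinct recipients, repeat recipients, sender domains, time span).
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record
    )
    begin { $records = [System.Collections.Generic.List[object]]::new() }
    process { $records.Add($Record) }
    end {
        $records | Group-Object -Property MalwareName | ForEach-Object {
            $recipients = @($_.Group.RecipientAddress | Sort-Object -Unique)
            $domains    = @($_.Group.SenderAddress | ForEach-Object { ($_ -split '@')[-1] } | Sort-Object -Unique)
            # Recipients hit more than once are the first candidates for a password reset / device check.
            $repeat     = @($_.Group | Group-Object RecipientAddress | Where-Object Count -gt 1 |
                           Select-Object -ExpandProperty Name)
            $dates      = @($_.Group.Date | Sort-Object)
            [pscustomobject]@{
                MalwareName      = $_.Name
                Detections       = $_.Count
                AffectedUsers    = $recipients.Count
                RepeatRecipients = $repeat -join ';'
                SenderDomains    = $domains -join ';'
                FirstSeen        = $dates[0]
                LastSeen         = $dates[-1]
            }
        } | Sort-Object -Property AffectedUsers -Descending
    }
}

# Constructed sample records standing in for live cmdlet output (not real tenant data).
$sample = @(
    [pscustomobject]@{ Date=[datetime]'2024-03-04 08:15'; SenderAddress='billing@invoice-mail.example'; RecipientAddress='alice@contoso.example'; MalwareName='Trojan:O97M/Downloader'; FileName='invoice.docm' }
    [pscustomobject]@{ Date=[datetime]'2024-03-04 08:17'; SenderAddress='billing@invoice-mail.example'; RecipientAddress='bob@contoso.example';   MalwareName='Trojan:O97M/Downloader'; FileName='invoice.docm' }
    [pscustomobject]@{ Date=[datetime]'2024-03-05 13:02'; SenderAddress='hr@payroll-update.example';    RecipientAddress='alice@contoso.example'; MalwareName='Trojan:O97M/Downloader'; FileName='payslip.xlsm' }
    [pscustomobject]@{ Date=[datetime]'2024-03-06 10:44'; SenderAddress='noreply@shipping.example';     RecipientAddress='carol@contoso.example'; MalwareName='Trojan:Win32/Generic';    FileName='tracking.zip' }
)

$sample | Get-MalwareFamilySummary | Format-Table -AutoSize

# Live use (run Connect-ExchangeOnline first):
# Get-MailDetailMalwareReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
#     Get-MalwareFamilySummary | Export-Csv .\malware-summary.csv -NoTypeInformation
```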
How It Interacts with Related Technologies
The Threat Analytics dashboard does not operate in isolation. It integrates with:
Microsoft Defender for Office 365: Provides the core threat detections for email and collaboration tools. The dashboard surfaces alerts from Safe Attachments, Safe Links, and anti-phishing policies.
Azure AD Identity Protection: Feeds risky user and risky sign-in events into the dashboard. For example, if a user's account is compromised, the dashboard shows a critical alert.
Microsoft 365 Defender: The dashboard is part of the unified security platform. Incidents from the dashboard can be escalated to the Microsoft 365 Defender incident queue.
Microsoft Sentinel: You can connect the Threat Analytics dashboard to Microsoft Sentinel for advanced SIEM capabilities. This is done via the Microsoft 365 Defender connector.
Microsoft Graph Security API: Allows third-party SIEMs to ingest threat data from the dashboard programmatically.
Step-by-Step: How to Investigate a Threat
Navigate to the Dashboard: Go to https://security.microsoft.com/threatanalytics. Sign in with an account that has Security Administrator or Global Administrator role.
Review the Summary Bar: At the top, you see total threats, critical threats, and threats requiring action. Click any number to filter the list.
Filter by Severity: Use the Severity dropdown to focus on Critical or High threats first.
Select a Threat: Click on a threat row to open the details pane. Here you see the threat name, detection technology, affected users, and a timeline of events.
Analyze the Details: In the details pane, review the attack story, which shows how the threat entered the environment and spread. Look at the affected users list to identify compromised accounts.
Take Action: Use the Actions button to perform remediation. Options include Delete email (for phishing), Block sender, Block URL, Reset user password, or Isolate device.
Export Data: Use the Export button to download a CSV of the threat list for reporting or further analysis.
Common Misconfigurations
Insufficient Licenses: Without Microsoft Defender for Office 365 Plan 2 or E5, the dashboard is empty or shows limited data.
Disabled Auditing: The dashboard relies on audit logs. If auditing is disabled, many threats won't appear.
Incorrect Roles: Users without Security Administrator or Global Administrator roles cannot view the dashboard.
Time Zone Mismatch: The dashboard uses UTC. If your analysts expect local time, they may misinterpret timestamps.
Exam-First Focus
On the MS-102 exam, you will be tested on:
Knowing that the Threat Analytics dashboard is found at https://security.microsoft.com/threatanalytics.
Understanding the severity levels: Informational, Low, Medium, High, Critical.
Recognizing that the dashboard aggregates threats from Exchange Online, SharePoint, Teams, and Azure AD.
Knowing that Safe Attachments and Safe Links detections appear in this dashboard.
Being able to differentiate between the Threat Analytics dashboard and other Microsoft 365 security reports (e.g., Threat Protection Status report, Mailflow report).
Common wrong answers include confusing the Threat Analytics dashboard with the Security & Compliance Center's threat management reports or thinking it is part of Azure Security Center. Remember: Threat Analytics is specific to Microsoft 365 workloads, not Azure resources.
Navigate to the Dashboard
Open a web browser and go to https://security.microsoft.com/threatanalytics. Sign in with an account that has the Security Administrator or Global Administrator role. If you see an empty dashboard, verify that you have the correct license (Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5) and that auditing is enabled. The dashboard URL is case-sensitive and must be typed exactly as shown. Bookmark this URL for quick access.
Review the Summary Bar
At the top of the dashboard, you will see a summary bar displaying the total number of threats, the number of critical threats, and the number of threats requiring action. These numbers are clickable filters. For example, clicking 'Critical threats' will filter the list to show only those with Critical severity. The summary bar updates every 15 minutes automatically. Use this to quickly gauge the overall security posture of your tenant.
Filter by Severity and Time Range
Use the dropdown menus to filter threats by severity (Informational, Low, Medium, High, Critical) and time range (24 hours, 48 hours, 7 days, custom). The default time range is 7 days. Filtering by Critical severity is recommended to prioritize the most dangerous threats. You can also filter by detection technology (e.g., Anti-malware, Anti-phishing) or affected workload (Exchange Online, SharePoint, etc.).
Select a Threat to Investigate
Click on any threat row to open the details pane on the right side. The details pane shows the threat name, detection technology, severity, affected users, and a timeline of events. Scroll down to see the attack story, which describes how the threat entered and moved through the environment. This information is critical for understanding the scope of the incident and determining the appropriate response.
Analyze the Attack Story
The attack story provides a graphical timeline of events related to the threat. For example, it might show that a user received a phishing email, clicked a link, and then downloaded malware. Each event is timestamped and includes details such as the sender IP, email subject, and file hash. Use this to identify the initial entry point and any lateral movement. This information is also used for forensic analysis and reporting.
Take Remediation Actions
In the details pane, click the 'Actions' button to see available remediation options. Common actions include: Delete email (quarantine the message), Block sender (add to block list), Block URL (add to custom block list), Reset user password (for compromised accounts), and Isolate device (for malware-infected endpoints). Some actions require additional permissions (e.g., resetting passwords requires Global Administrator). After taking action, the threat status changes to 'Resolved'.
In a real-world enterprise environment, the Threat Analytics dashboard is used daily by security operations teams to monitor and respond to threats. For example, a multinational corporation with 50,000 users might see hundreds of threats per day, ranging from low-severity spam to critical ransomware outbreaks. The dashboard allows a small SOC team to triage effectively by focusing on critical and high-severity threats first.

One common scenario is a phishing campaign targeting finance employees. The dashboard surfaces a high-severity threat named 'Phishing: Credential Harvesting' with 20 affected users. The SOC analyst clicks the threat, sees that the phishing email originated from a specific domain, and uses the 'Block sender' action to prevent further emails from that domain. They also reset passwords for the 20 users who clicked the link. Another scenario involves a malware outbreak detected by Safe Attachments. The dashboard shows a critical threat with 5 affected devices. The analyst uses the 'Isolate device' action to cut off the infected machines from the network, then investigates the attack story to find the source email.

In production, performance considerations include the dashboard's 15-minute refresh cycle, which means there is a slight delay between detection and visibility. Also, the dashboard can only display 1000 threats at a time, so large tenants must use filters to avoid missing older threats. Common misconfigurations include not enabling auditing, which leaves many threats invisible, or assigning incorrect roles, which prevents analysts from taking remediation actions. A common mistake is relying solely on the dashboard without integrating with Microsoft Sentinel for long-term retention and advanced analytics. In one incident, a company missed a slow data exfiltration because they only looked at the default 7-day view; the threat had been active for 10 days. They later configured custom date ranges and set up automated exports to their SIEM.
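Added here as a worked example (not from the original page): a PowerShell triage of a dashboard CSV export that ranks threats in the dashboard's severity order, converts the UTC timestamps to local time for analysts, and flags threats that began before the default 7-day view or are approaching the 30-day retention limit, the two ways the slow exfiltration above slips out of sight. The column names (ThreatName, Severity, DetectionTechnology, AffectedUsers, Status, FirstSeenUtc, LastSeenUtc) are assumptions for this example; map them to the headers of your own export.

```powershell
# Added example, not from the original page: triage a Threat Analytics CSV export.
# Column names are assumed; adjust them to match your export.

# Rank follows the dashboard's order: Informational < Low < Medium < High < Critical.
$SeverityRank = @{ Informational = 0; Low = 1; Medium = 2; High = 3; Critical = 4 }

function Get-ThreatTriage {
    param(
        [Parameter(Mandatory)] [object[]]$Threats,
        [datetime]$NowUtc = [datetime]::UtcNow,
        [int]$DefaultWindowDays = 7,   # dashboard default time range
        [int]$RetentionDays = 30       # dashboard data retention
    )
    $Threats | ForEach-Object {
        $rank = if ($SeverityRank.ContainsKey($_.Severity)) { $SeverityRank[$_.Severity] }
                else { Write-Warning "Unknown severity '$($_.Severity)' on '$($_.ThreatName)'"; 0 }
        # Export timestamps are UTC; keep them UTC for arithmetic, convert only for display.
        $first = ([datetimeoffset]$_.FirstSeenUtc).UtcDateTime
        $last  = ([datetimeoffset]$_.LastSeenUtc).UtcDateTime
        [pscustomobject]@{
            ThreatName         = $_.ThreatName
            Severity           = $_.Severity
            Rank               = $rank
            AffectedUsers      = [int]$_.AffectedUsers
            Status             = $_.Status
            FirstSeenLocal     = $first.ToLocalTime()
            DwellDays          = [math]::Round(($last - $first).TotalDays, 1)
            # Started before the default view begins: only visible with a wider time range.
            OutsideDefaultView = $first -lt $NowUtc.AddDays(-$DefaultWindowDays)
            # Within 3 days of the retention limit: export now or lose the record.
            NearRetentionLimit = $first -le $NowUtc.AddDays(-($RetentionDays - 3))
        }
    } | Sort-Object -Property @{ Expression = 'Rank'; Descending = $true },
                              @{ Expression = 'AffectedUsers'; Descending = $true }
}

# Constructed sample export (not real tenant data).
$export = @'
ThreatName,Severity,DetectionTechnology,AffectedUsers,Status,FirstSeenUtc,LastSeenUtc
Phishing: Credential Harvesting,High,Anti-phishing,20,Active,2024-03-06T09:12:00Z,2024-03-07T16:40:00Z
Ransomware detected,Critical,Safe Attachments,5,Active,2024-03-07T03:05:00Z,2024-03-07T03:50:00Z
Unusual bulk file download,Medium,Azure AD Identity Protection,1,Active,2024-02-26T22:30:00Z,2024-03-07T01:10:00Z
Bulk spam campaign,Low,Anti-spam,140,Resolved,2024-03-05T11:00:00Z,2024-03-05T11:30:00Z
Sign-in from anonymous IP,Medium,Azure AD Identity Protection,1,Active,2024-02-09T05:00:00Z,2024-02-09T05:20:00Z
'@

# Fixed "now" so the sample is reproducible; drop -NowUtc for live exports.
$now = ([datetimeoffset]'2024-03-08T00:00:00Z').UtcDateTime
$triage = Get-ThreatTriage -Threats ($export | ConvertFrom-Csv) -NowUtc $now
$triage | Format-Table ThreatName, Severity, AffectedUsers, FirstSeenLocal, DwellDays,
                       OutsideDefaultView, NearRetentionLimit -AutoSize
```

With the constructed data, the 10-day bulk download is flagged OutsideDefaultView and the 28-day-old sign-in alert is flagged NearRetentionLimit, while the Critical ransomware row sorts to the top regardless of its lower user count.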
The MS-102 exam tests the Threat Analytics dashboard under Objective 3.2: Analyze threats using the Threat Analytics dashboard. Specifically, you must know:
The exact URL: https://security.microsoft.com/threatanalytics
The five severity levels in order: Informational, Low, Medium, High, Critical.
That the dashboard aggregates data from Exchange Online, SharePoint, Teams, and Azure AD.
That Safe Attachments and Safe Links detections appear in this dashboard.
That the default time range is 7 days.
That the dashboard refreshes every 15 minutes.
That to view the dashboard, you need Security Administrator or Global Administrator role.
That the required license is Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5.
Common wrong answers on the exam:
1. Confusing with other dashboards: Candidates often select 'Security & Compliance Center' or 'Azure Security Center' as the location. Always choose the Microsoft 365 Defender portal (security.microsoft.com).
2. Mixing severity levels: Some questions list severity levels as 'Low, Medium, High, Critical' without 'Informational'. The correct list includes Informational.
3. Wrong license requirement: Candidates think E3 or Business Premium is sufficient. The correct answer is Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5.
4. Misunderstanding data sources: Questions may state that the dashboard shows threats from Azure VMs or on-premises servers. It does not; it only covers Microsoft 365 workloads.
Edge cases the exam loves:
What happens if auditing is disabled? The dashboard will show fewer threats or no data.
What if a user has Global Reader role? They can view but cannot take actions like resetting passwords.
Can you export threat data? Yes, via the Export button or PowerShell.
Does the dashboard show threats older than 30 days? No, data retention is 30 days.
To eliminate wrong answers, focus on the underlying mechanism: the dashboard is a visualization of threat intelligence from Microsoft 365 workloads. Any answer that implies it covers non-Microsoft 365 resources or that it provides real-time (instant) updates is incorrect. Also, remember that the dashboard is read-only for most roles; actions require higher privileges.
The Threat Analytics dashboard URL is https://security.microsoft.com/threatanalytics.
There are five severity levels: Informational, Low, Medium, High, Critical.
The dashboard refreshes every 15 minutes and retains data for 30 days.
Required license: Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5.
Required roles: Security Administrator, Global Administrator, or Security Reader (read-only).
The dashboard aggregates threats from Exchange Online, SharePoint, Teams, and Azure AD.
Safe Attachments and Safe Links detections appear in the dashboard.
To take remediation actions like blocking sender or resetting password, you need Security Administrator or Global Administrator role.
The dashboard can be exported to CSV for reporting.
Integrate with Microsoft Sentinel for long-term retention and advanced analytics.
These come up on the exam all the time. Here's how to tell them apart.
Threat Analytics Dashboard
Located at https://security.microsoft.com/threatanalytics
Covers Microsoft 365 workloads only (Exchange, SharePoint, Teams, Azure AD)
Severity levels: Informational, Low, Medium, High, Critical
Default time range: 7 days, max 30 days retention
Requires Microsoft Defender for Office 365 Plan 2 or E5 license
Azure Security Center
Located at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0
Covers Azure resources (VMs, SQL, storage, etc.) and hybrid workloads
Severity levels: Low, Medium, High, Critical (no Informational)
Default time range: 24 hours, configurable up to 90 days
Requires Azure Defender (paid) or Azure Security Center Free tier
Mistake
The Threat Analytics dashboard shows threats from all Microsoft services including Azure VMs.
Correct
The dashboard only covers Microsoft 365 workloads: Exchange Online, SharePoint, Teams, and Azure AD. It does not include Azure VMs, SQL databases, or on-premises servers. For Azure resources, use Azure Security Center or Microsoft Defender for Cloud.
Mistake
The dashboard updates in real time.
Correct
The dashboard refreshes every 15 minutes. There is a delay between detection and visibility. For near-real-time alerts, use the Microsoft 365 Defender alerts page or configure email notifications.
Mistake
Any user can view the Threat Analytics dashboard.
Correct
Only users with Security Administrator, Global Administrator, or Security Reader roles can view the dashboard. Security Reader can view but cannot take remediation actions.
Mistake
The dashboard retains data for 90 days.
Correct
Data retention is 30 days. For longer retention, export the data to a CSV or integrate with Microsoft Sentinel.
Mistake
The Threat Analytics dashboard is the same as the Threat Protection Status report.
Correct
The Threat Protection Status report (in the Exchange admin center) shows email-specific threat data like malware detections and spam. The Threat Analytics dashboard is a broader view that includes threats from all Microsoft 365 workloads and provides correlation and incident management.
The Threat Analytics dashboard is located at https://security.microsoft.com/threatanalytics. You must sign in with a Security Administrator or Global Administrator account. If you cannot access it, verify your license includes Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5.
The dashboard uses five severity levels: Informational (no action needed), Low (minor risk), Medium (requires investigation), High (likely compromise), and Critical (confirmed compromise or active attack). On the exam, remember that 'Informational' is the lowest level, not 'Low'.
The dashboard refreshes automatically every 15 minutes. You can also manually refresh by clicking the Refresh button. There is no real-time update; expect a delay of up to 15 minutes between detection and visibility.
The dashboard ingests threat data from Exchange Online (email threats), SharePoint Online (malicious files), Teams (malicious links), and Azure AD (risky sign-ins and compromised accounts). It does not include on-premises or Azure IaaS workloads.
Yes, if you have the appropriate permissions (Security Administrator or Global Administrator). In the details pane of a threat, click 'Actions' to see options like Delete email, Block sender, Block URL, Reset user password, and Isolate device. Security Reader can view but cannot take actions.
Data is retained for 30 days. After 30 days, the data is no longer visible in the dashboard. To keep records longer, export the data to CSV or connect the dashboard to Microsoft Sentinel.
You need Microsoft Defender for Office 365 Plan 2 (standalone or included in Microsoft 365 E5). Microsoft 365 E3 or Business Premium does not include this dashboard. Check your subscription before assuming access.