Updated June 2, 2022: We have updated the rollout timeline below. Thank you for your patience.
As part of Hunting improvements, we are making updates to the Email entity page, and Threat Explorer and Real-Time Detections. These updates should help provide additional data points and context for security analysts.
Involved Workload
- Defender
- Microsoft 365 Defender
These updates include:
Updates to Email entity Page will include:
- A section around Threat Detection Details which will contain information around Threat, the corresponding detection technology and if the detection ran into any additional context.
- We will also light up additional email attributes like To, CC, Distribution list, Client information and forwarding (indicating if email forwarding was involved)
- Override information would include the Primary override and Source (Primary override is the override which impacted the delivery of the email) as well as any additional overrides that were applicable to the email.
- If a URL or a File was allowed due to a tenant policy like Tenant Allow/Block list, then that information would be shown in the entity views as well.
Updates to Threat Explorer will include:
- Threat Explorer filters around System Override and System Override source would be renamed to Primary Override and Primary Override source to indicate the specific overrides which impacted the delivery of the email. This will help the analyst to locate malicious emails delivered due to potential config gaps, as well as identifying any tenant or user level configurations which have impacted the delivery of an email.
- In addition to the name updates for the above 2 filters, we will also be lighting up new filters to cover scenarios like if an email contained forwarding or not.
When this will happen
We expect these updates to begin rolling out in early March and expect the rollout to be completed by late June (previously late May).
Message ID: MC333945
Created: 18 February 2022
Updated: 03 June 2022
Platform: World tenant, Web, Online
