As part of our user experience enhancements, we will be rolling out the following improvements to the user experience of Threat Explorer by Microsoft Defender for Office 365:

• Persistent views
• Navigation between URL Clicks and All email tab
• Custom inputs for timestamp filter
• Remediation action results in Explorer

[When this will happen:]

Preview: We will begin the private preview by early December 2023 and will finish the rollout by mid-December 2023.

Standard Release: We will begin the worldwide rollout by late December 2023 and will finish the rollout by mid-January 2024.

[How this will affect your organization:]

1. Persistent views: Explorer allows users to select the columns they want to see on the data grid and the columns they want to export as per their need and supporting data that they are looking for to investigate their cases and hunt for threats. We have enhanced this experience to allow users to save these preferences, and the saved preferences will be used in consecutive actions.

• User preferences will be specific to the web browser in use and the user. Users will have an option to save different preferences in different web browsers.
• If users are in private browsing mode, preferences will be active until the browse session is active. Closing all tabs in private browsing mode will allow users to erase those preferences by closing all tabs.
• Users will be able to save different preferences for individual tabs in Explorer (All email, Malware, Phish, Campaign, Content Malware, URL Clicks) for both result sets and customizable columns.
• Preferences will be saved each time the user clicks on “Apply” in customize columns flyout and “Export” in customize export flyout.
• Saved preferences for the data grid will be reused each time the user clicks on refresh, applies filters, or lands on explorer via deep links provided in alerts, incidents, AIR, submission, and so on.
• Saved preferences for export will be retained until the user changes the preference.

2. Navigation between URL Clicks and All email tab: The recently added URL clicks tab allow users to see end user clicks on URLs across emails, Teams messages, and documents shared across SPO/OD. Users will be able to navigate between the URL clicks tab and the All email tab of Explorer, allowing users to be more effective and efficient while hunting via clicks on malicious URLs.

• Users can select up to 10 clicks belonging to the “Email” workload from the URL clicks tab and use the “View all emails” button to navigate to the All email tab to see the corresponding emails (using NetworkMessageID and Recipeint). 
• The URL clicks and Top Clicks tabs in the result set section now have a “View all clicks” option to navigate from the All email tab to the URL clicks tab.
• These navigations will honor the applied filters in the All email and URL clicks tabs if the applied filter is present in both tabs.

3. Custom inputs for timestamp filter: The timestamp filter in Explorer will now allow users to input time ranges along with the current filter where users can select the time range from the dropdown options. Since the current dropdown allows users to select a time range in increments of 30 minutes only, this enhancement will allow users to manually enter more granular time ranges to narrow down the searches per their requirements.

4. Remediation action results in Explorer: SOC teams have direct and in-line visibility into manual remediation, quarantine release, and system post-delivery actions like ZAP and reprocessed messages (for FP recovery) in Threat Explorer’s result set. The result of the action will be appended to the action name for respective actions in the Additional Actions column of Threat Explorer.

[What you need to do to prepare:]

You do not have to do anything to prepare.