Identify cybersecurity issues by using Threat Trackers

Completed

The threat investigation and response capabilities in Microsoft Defender for Office 365 enable an organization's security team to discover and respond to cybersecurity threats. These threat investigation and response capabilities include Threat Trackers. Threat Trackers are informative widgets and views that provide organizations with intelligence on different cybersecurity issues. For example, you can view information about trending malware campaigns using Threat Trackers.

Most threat tracker pages include:

  • Trending numbers that the system periodically updates.
  • Widgets that identify which issues are the biggest or grew the most.
  • A quick link in the Actions column that takes you to Threat Explorer, where you can view more detailed information.

To view and use Threat Trackers, go to the Microsoft Defender portal, and then under the Email and collaboration section in the navigation pane, select Threat tracker.

Note

Only users assigned a Global Administrator, Security Administrator, or Security Reader role can use Threat Trackers.

Available Threat Trackers include:

  • Noteworthy trackers
  • Trending trackers
  • Tracked queries
  • Saved queries.

The following sections examine each of these features.

Noteworthy trackers

The Noteworthy trackers feature identifies threats and risks, both large and small, that Microsoft thinks you should know about. Noteworthy trackers help you find whether these issues exist in your Microsoft 365 environment. These trackers also provide links to articles that provide more details on what's happening, and how they might affect your organization's use of Microsoft 365.

An organization's security team uses Noteworthy trackers to find important new items that it should review and examine periodically. These items can include both new threats (for example, Wannacry and Petya) and existing threats that might create new challenges (such as Nemucod),

Microsoft typically posts Noteworthy trackers for just a couple of weeks when it identifies new threats that it feels organizations should know about. Once the biggest risk for a threat passes, Microsoft removes that Noteworthy item. This way, Microsoft can keep the list fresh and up to date with other relevant new items.

Trending trackers (formerly called Campaigns) highlight new threats that didn't appear in an organization's email in the past week. Trending trackers provide visibility into new threats that organizations should review. In doing so, organizations can ensure the preparedness of their broader corporate environment against attacks.

Screenshot showing the Trending Trackers view.

Trending trackers give organizations an idea of new threats they should review. Doing so helps ensure the preparedness of their broader corporate environment against attacks.

Tracked queries

Tracked queries use an organization's saved queries to periodically assess its Microsoft 365 activity. This feature provides an organization with event trending. Tracked queries run automatically, giving an organization up-to-date information without having to remember to rerun its queries.

Saved queries

The Trackers section also includes Saved queries. An organization can use Saved queries to store the common Explorer searches that it wants to get back to quicker and repeatedly, without having to re-create the search every time.

You can use the Save query button at the top of the Explorer page to save a Noteworthy tracker query or any of your own Explorer queries. Anything saved there appears in the Saved queries list on the Tracker section.

Trackers and Explorer

Threat Explorer and Threat Trackers work together to help organizations investigate and track security risks and threats. They do so whether you're reviewing email, content, or Office activities. All together, Threat Trackers provide organizations with information to protect their users by highlighting new, notable, and frequently searched issues. This design helps organizations ensure their protection as they move to the cloud.

Trackers and Microsoft Defender for Office 365

Microsoft 365 Enterprise E5 tenants include Microsoft Defender for Office 365. Microsoft Defender for Office 365 provides value even if you have other security tools filtering email flow with your Microsoft 365 services. However, anti-spam, Safe Attachments, and Safe Links features work best when your main email security solution is through Microsoft 365.

Screenshot of the threat policies page that shows both policy templates and custom policies.

In today's threat-riddled world, organizations that run only traditional anti-malware scans don't protect themselves enough against attacks. Today's more sophisticated attackers use common tools to create new, obfuscated, or delayed attacks that traditional, signature-based anti-malware engines can't recognize. The Safe Attachments feature takes email attachments and detonates them in a virtual environment to determine whether they're safe or malicious. This detonation process opens each file in a virtual computer environment. It then watches what happens after it opens the file. Attackers hide malicious code in all types of files, including PDF documents, compressed files, and Office documents. The code activates when the victim opens the document on their computer. The threat tracking capability in Microsoft Defender for Office 365 detonates and analyzes the file in the email flow. By doing so, it can find these threats based on behaviors, file reputation, and numerous heuristic rules.

The Noteworthy threat filter highlights items recently detected through Safe Attachments. These detections represent items that are new malicious files. An organization's Microsoft 365 tenant didn't previously find them in either its email flow or other customers' email. Organizations should pay particular attention to the items in the Noteworthy Threat Tracker. Doing so enables them to see who was the target of the attack and review the detonation details shown on the Advanced Analysis tab. You can find these items by selecting on the subject of the email in Threat Explorer.

Note

You only find the Advanced Analysis tab on emails detected by the Safe Attachments capability. This Noteworthy tracker includes that filter, but you can also use it for other searches in Threat Explorer.

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

Holly Dickson is the Microsoft 365 Administrator for Contoso. Holly wants Contoso's security operations team to have visibility into the large and small threats and risks that Microsoft thinks an organization should be aware of. Which Threat Tracker feature provides this information?