As part of Hunting Improvements, Microsoft is making updates to Threat Explorer and Real-Time Detections. These updates concern data enrichment, data consistency, and better experiences that make analyst hunting more efficient and effective. This set of changes includes:
Additional threat information within our hunting experiences, which includes the introduction of a spam verdict, additional detection technologies, and an updated email timeline showing more detail on post-delivery events for an email.
System overrides, which help the analyst locate malicious emails that were delivered because of potential configuration gaps, and identify any tenant- or user-level configurations that affected the delivery of an email.
Additional Actions, which consist of actions applied after delivery of the email, including ZAP, Manual Remediation (actions taken by an admin, e.g. Soft Delete), and Dynamic Delivery.
Threat information about URLs, which helps admins identify which specific URL in an email was malicious.
Latest delivery location, which is intended to inform admins of the message’s last known location after delivery or after any system or admin actions.
This message is associated with Microsoft 365 Roadmap ID 66467
When this will happen
The roll-out will begin at the end of November (previously mid-October), and Microsoft expects to complete it by mid-December (previously end of November).
How this will affect your organization:
As part of this change, Microsoft is introducing new fields and filters, as well as updating certain fields. A notable change is that the Removed by ZAP value (currently surfaced in the Delivery Action filter) moves to Additional Actions. This means that you can now search for all emails with a ZAP attempt through the Additional Actions filter.
Because of these changes, you should re-evaluate your saved and tracked queries, especially for ZAP scenarios.
What you need to do to prepare:
You should re-evaluate your saved queries and tracked queries. While most of the updates add data, some, such as the change to the ZAP filter, may affect your saved queries.
Please see the Additional Information to learn more about Threat Explorer and Real-Time Detections.