12 Feb Updates to Threat Explorer and Real-time detections
We are updating Threat Explorer and Real-time detections within Microsoft Defender for Office 365. There are three sets of changes: improving export limits, introducing Alert ID, and improving our trial experiences.
This message is associated with Microsoft 365 Roadmap ID 70544.
When this will happen
We will begin rollout in early February and expect it to be complete in late March 2021.
How this will affect your organization
1. Increasing export limits for email records in Threat Explorer and Real-time detections
We are expanding the export limits for email records in Threat Explorer and Real-time detections. Once the updates are enabled, you will be able to download 200,000 email records as part of the exported CSV file, in one download request, rather than the current limit of 9,990 records.
2. Introduction of Alert ID within hunting experiences
Currently, Alert Policy ID is a filter within the different email view. With this update, Alert ID is exposed as a filter as well as a value within the email details flyout. With this change, you will able to filter for exact messages which were associated with an alert. In addition, you will be able to navigate from an individual alert to a filtered view (filtered by Alert ID) of Threat Explorer to examine relevant messages.
Note: We recommend you shift to Alert ID as the filter for any current saved queries that are mapped to Alert policy ID.
3. Extending data retention for hunting experiences for trial tenants
For trial tenants, we are extending Threat Explorer and Real-time detections data retention to 30 days. Trial tenants will be able to search for data for 30 days in Threat Explorer and Real time detections.
There is no change for any other experiences, and no impact to existing capabilities within Threat Explorer such as filtering, export, or data views.
What you need to do to prepare
There is no impact to existing capabilities within Threat Explorer.
However, if you are using Alert Policy ID as part of your Saved Queries, we recommend you to shift to Alert ID as the filtering parameter.