+Centralized deployment of add-ins requires that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3) (and are signed into Office using their organizational ID), Office 365 Education licenses (A1/A3/A5), or Microsoft 365 Education licenses (A3/A5), and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in or federated to Azure Active Directory.

+|**Tenant Allow/Block List entry is about to expire**|Generates an alert when a Tenant Allow/Block List entry is about to be removed. This event is triggered three days prior to expiration date, which is based when the entry was created or last updated. This alert policy has an **Informational** severity setting. This is to inform admins of upcoming changes in the filters since the allow or block could be going away. For blocks, you can extend the expiration date to keep the block in place. For allows, you need to resubmit the item so that our analysts can take another look. However, if the allow has already been graded as a false positive, then the entry will only expire when the system filters have been updated to naturally allow the entry. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|

+- admindeeplinkCOMPLIANCE

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft 365 compliance center</a> and sign in using an account that can assign permissions.

+A Microsoft 365 trainable classifier is a tool you can train to recognize various types of content by giving it samples to look at. Once trained, you can use it to identify items for application of Office sensitivity labels, communications compliance policies, and retention label policies.

+This article shows you how to improve the performance of custom trainable classifiers by providing them additional feedback.

+> [!NOTE]

+> Pre-trained classifiers cannot be retrained.

+description: "A Microsoft 365 trainable classifier is a tool you can use to recognize various types of content for labeling or policy application by giving it positive and negative samples to look at."

+This classification method is particularly well suited to content that isn't easily identified by either the manual or automated pattern matching methods. This method of classification is more about using a classifier to identify an item based on what the item is, not by elements that are in the item (pattern matching). A classifier learns how to identify a type of content by looking at hundreds of examples of the content you're interested in classifying.

+### Where you can use classifiers

+Classifiers are available to use as a condition for [Office autolabeling with sensitivity labels](apply-sensitivity-label-automatically.md), [auto-apply retention label policy based on a condition](apply-retention-labels-automatically.md#configuring-conditions-for-auto-apply-retention-labels) and in [communication compliance](communication-compliance.md).

+- **custom trainable classifiers** - If you have classification needs that extend beyond what the pre-trained classifiers cover, you can create and train your own classifiers.

+You start creating a custom trainable classifier by feeding it examples that are definitely in the category. Once it processes those examples, you test it by giving it a mix of both matching and non-matching examples. The classifier then makes predictions as to whether any given item falls into the category you're building. You then confirm its results, sorting out the true positives, true negatives, false positives, and false negatives to help increase the accuracy of its predictions.

+When you publish the classifier, it sorts through items in locations like SharePoint Online, Exchange, and OneDrive, and classifies the content. After you publish the classifier, you can continue to train it using a feedback process that is similar to the initial training process.

+You can help improve the accuracy of all custom trainable classifiers and by providing them with feedback on the accuracy of the classification that they perform. This is called retraining, and follows this workflow.

+> [!NOTE]

+> Pre-trained classifiers cannot be re-trained.

+audience: Admin

+- admindeeplinkCOMPLIANCE

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Microsoft 365 admin center</a> and then click **Users** > **Active users**.

+2. Select the user that you want to place on Litigation hold.

+3. On the properties flyout page, click the **Mail** tab, and then under **More actions**, click **Manage litigation hold**.

+4. On the **Manage litigation hold** flyout page, select the **Turn on litigation hold** checkbox and then enter the following optional information:

+. Click **Save changes** on the **Litigation hold** flyout page to create the hold.

+If you use the sender address as a condition or exception the actual field where the value is looked for varies depending on the type of rule you use. For DLP based rules, the Envelope address is used as the sender address. For Exchange transport rules the Header address is used as the sender address.

+<!-- REMOVE COMMENTS ON 1/20/2022

+> [!NOTE]

+> Starting January 20, 2022, the default sender address location will be moved to the Header address along with the availability of the -SenderAddressLocation parameter to configure desired behavior at a DLP rule level.

+

+At the tenant level, you can configure a sender address location to be used across all rules, unless overridden by a single rule. To revert tenant DLP policy configuration to evaluate the sender address from the Envelope across all rules, you can run the following command:

+```PowerShell

+Set-PolicyConfig ΓÇôSenderAddressLocation Envelope

+```

+To configure the sender address location at a DLP rule level, the parameter is _SenderAddressLocation_. The available values are:

+- **Header**: Only examine senders in the message headers (for example, the **From**, **Sender**, or **Reply-To** fields). This is the default value.

+- **Envelope**: Only examine senders from the message envelope (the **MAIL FROM** value that was used in the SMTP transmission, which is typically stored in the **Return-Path** field).

+- **Header or envelope** (`HeaderOrEnvelope`) Examine senders in the message header and the message envelope.

+<br>

+-->

+> [!IMPORTANT]

+> Decryption isn't supported for files that are locally encrypted and then uploaded to SharePoint or OneDrive. For example, local files that are encrypted by the Azure Information Protection (AIP) client and then uploaded to Microsoft 365 aren't supported. Only files that are encrypted in the SharePoint or OneDrive service are supported for decryption.

+- Privacy by design: Scan results and insights are returned as aggregated and anonymized user activity, individual user names are not identifiable by reviewers.

+description: "Admins can use eDiscovery tools in Microsoft 365 to search for and export Teams chat data for on-premises users in an Exchange hybrid deployment."

+Here's how to use Content search in the Microsoft 365 compliance center to search for Teams chat data for on-premises users. You can also use the search tool in Core eDiscovery to search for chat data for on-premises users.

+3. On the **Locations** page, set the toggle to **On** for Exchange mailboxes.

+4. To search for Teams content for specific users (including on-premises users), select **Choose user, groups, or teams** and choose specific users to include in the search. If you don't list specific users, the search will include all users, including on-premises users.

+5. Make sure the **Add app content for on-premises users** checkbox is selected. This ensures that the cloud-bases storage for on-premises users will be searched.

+ 

+6. On the **Define your search conditions** page, create a keyword query and add conditions to the search query if necessary. To only search for Team chats data, you can add the following query in the **Keywords** box:

+You can use the **New-ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for Teams chat data for on-premises users. As previously explained, you don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.

+Yes. You can apply eDiscovery holds or retention policies for Teams chats and channel messages of on-premises users. But to preserve or retain Teams content for on-premises users, an on-premises user must be assigned an Exchange Online Plan 2 license.

+- [Feature reference](content-search-reference.md) for Content search

+- [Content search limits](limits-for-content-search.md), such as the maximum number of searches that you can run at one time and the maximum number of content locations you can include in a single search

+- [Estimated and actual search results](differences-between-estimated-and-actual-ediscovery-search-results.md) and the reasons why there might be differences between them when you export and download search results

+- [Partially indexed items in Exchange and SharePoint](partially-indexed-items-in-content-search.md) and how to include or exclude them when you export and download search results

+- [Investigate partially indexed items](investigating-partially-indexed-items-in-ediscovery.md) and determine your organization's exposure to them

+- [Search specific mailbox and site folders](use-content-search-for-targeted-collections.md) (called a *targeted* collection) when you're confident that items responsive to a case are located in that folder

+- [Clone a content search](clone-a-content-search.md) and quickly compare the results of different keyword search queries run on the same content locations; or use the script to save time by not having to re-enter a large number of content locations when you create a new search

+|Service Support Administrator | Admins with this role will have **read-only permissions to features not related to security** and **write permissions to manage support requests including escalation requests** in the Microsoft Managed Desktop Admin portal. |

+|Microsoft Managed Desktop Service Administrator | When assigned to a user, this role gives the admin **read and write permissions to Microsoft Managed Desktop features not related to security** in the Microsoft Managed Desktop Admin portal. |

+|Microsoft Managed Desktop Service Reader | When assigned to a user, this role gives the admin **read-only permissions to Microsoft Managed Desktop features not related to security** in the Microsoft Managed Desktop Admin portal. |

+|Microsoft Managed Desktop Support Partner |When assigned to a user, this role gives the admin **read and write permissions only for creating and managing elevation requests and support partner engaged escalation requests** in the Microsoft Managed Desktop Admin portal. |

+1. [Get started with app control](get-started-app-control.md).

+- M365-security-compliance

+- m365solution-zerotrust

+- m365solution-overview

+- Apply the installation package

+#### Known issues and limitations on the new, unified solution package for Windows Server 2012 R2 and 2016

+> [!NOTE]

+> - The integration between Microsoft Defender for servers and Microsoft Defender for Endpoint has been expanded to support Windows Server 2022, [Windows Server 2019, and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).

+> - Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.

+### Onboarding steps summary

+- STEP 1: [Download the installation and onboarding packages](#step-1-download-installation-and-onboarding-packages)

+- STEP 2: [Apply the installation and onboarding package](#step-2-apply-the-installation-and-onboarding-package)

+- STEP 3: [Complete the onboarding steps](#step-3-complete-the-onboarding-steps)

+### STEP 1: Download installation and onboarding packages

+You will need to download both the **installation** and **onboarding** packages from the portal.

+> [!div class="mx-imgBorder"]

+> 

+The **installation package** contains an MSI file that installs the Microsoft Defender for Endpoint agent.

+The **onboarding package** contains the following files:

+- `OptionalParamsPolicy` - contains the setting that enables sample collection

+- `WindowsDefenderATPOnboardingScript.cmd` - contains the onboarding script

+Use the following steps to download the packages:

+1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.

+2. Select **Windows Server 2012 R2 and 2016**.

+3. Select **Download installation package** and save the .msi file.

+

+### STEP 2: Apply the installation and onboarding package

+In this step you will install the prevention and detection components required before onboarding your device to the Microsoft Defender for Endpoint cloud environment, to prepare the machine for onboarding. Ensure all [prerequisites](#prerequisites) have been met.

+ > [!NOTE]

+ > Microsoft Defender Antivirus will get installed and will be active unless you set it to passive mode.

+#### Options to install the Microsoft Defender for Endpoint packages

+In the previous section, you downloaded an installation package. The installation package contains the installer for all Microsoft Defender for Endpoint components.

+You can use any of the following options to install the agent:

+- [Install using the command line](#install-microsoft-defender-for-endpoint-using-the-command-line)

+- [Install using a script](#install-microsoft-defender-for-endpoint-using-a-script)

+- [Apply the installation and onboarding packages using Group Policy](#apply-the-microsoft-defender-for-endpoint-installation-and-onboarding-packages-using-group-policy)

+##### Install Microsoft Defender For Endpoint using the command line

+Use the installation package from the previous step to install Microsoft Defender for Endpoint.

+##### Install Microsoft Defender for Endpoint using a script

+You can use the [installer script](server-migration.md#installer-script) to help automate installation, uninstallation, and onboarding. For more information, see the instructions in the following section to use the script with Group Policy.

+##### Apply the Microsoft Defender for Endpoint installation and onboarding packages using Group policy

+1. Create a group policy: <br> Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click **Group Policy Objects** you want to configure and click **New**. Enter the name of the new GPO in the dialogue box that is displayed and click **OK**.

+2. Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.

+3. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.

+4. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.

+5. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.

+6. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.

+7. In the Name field, type an appropriate name for the scheduled task (for example, Defender for Endpoint Deployment).

+8. Go to the **Actions** tab and select **New...** Ensure that **Start a program** is selected in the **Action** field. The [installer script](server-migration.md#installer-script) handles the installation, and immediately perform the onboarding step after installation completes. Select *C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe* then provide the arguments:

+ ```console

+ -ExecutionPolicy RemoteSigned \\servername-or-dfs-space\share-name\install.ps1 -OnboardingScript \\servername-or-dfs-space\share-name\windowsdefenderatponboardingscript.cmd

+ ```

+ >[!NOTE]

+ >The recommended execution policy setting is `Allsigned`. This requires importing the script's signing certificate into the Local Computer Trusted Publishers store if the script is running as SYSTEM on the endpoint.

+ Replace \\servername-or-dfs-space\share-name with the UNC path, using the file server's fully qualified domain name (FQDN), of the shared *install.ps1* file. The installer package md4ws.msi must be placed in the same directory. Also ensure that the permissions of the UNC path allows read access to the computer account that's installing the platform.

+

+ For scenarios where you want Microsoft Defender Antivirus to co-exist with non-Microsoft antimalware solutions, add the $Passive parameter to set passive mode during installation.

+9. Select **OK** and close any open GPMC windows.

+10. To link the GPO to an Organization Unit (OU), right-click and select **Link an existing GPO**. In the dialogue box that is displayed, select the Group Policy Object that you wish to link. Click **OK**.

+For additional configuration setttings, see [Configure sample collection settings](configure-endpoints-gp.md#configure-sample-collection-settings) and [Other recommended configuration settings](configure-endpoints-gp.md#other-recommended-configuration-settings).

+### STEP 3: Complete the onboarding steps

+The following steps are only applicable if you're using a third-party anti-malware solution. You'll need to apply the following Microsoft Defender Antivirus passive mode setting. Verify that it was configured correctly:

+1. Set the following registry entry:

+ - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

+ - Name: `ForceDefenderPassiveMode`

+ - Type: `REG_DWORD`

+ - Value: `1`

+2. Run the following PowerShell command to verify that the passive mode was configured:

+ ```powershell

+ Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}

+ ```

+3. Confirm that a recent event containing the passive mode event is found:

+ 

+## Windows Server Semi-Annual Enterprise Channel and Windows Server 2019 and Windows Server 2022

+The onboarding package for Windows Server 2019 and Windows Server 2022 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](/configmgr/apps/deploy-use/packages-and-programs).

+### Download package

+1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.

+2. Select **Windows Server 1803 and 2019**.

+3. Select **Download package**. Save it as WindowsDefenderATPOnboardingPackage.zip.

+4. Follow the steps provided in the [Complete the onboarding steps](#step-3-complete-the-onboarding-steps) section.

+## Step 3: Get listed in the Microsoft Defender for Endpoint partner application portal

+> This option is not available for Windows Server 2012 R2. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).

+You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and and Windows Server 2016. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).

+For information licensing requirements for Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint licensing information](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint).

+ 3. Install the Microsoft Defender for Endpoint for Windows Server 2012 R2 and 2016 package and **enable passive mode**. See [Install Microsoft Defender Antivirus using command line](configure-server-endpoints.md#install-microsoft-defender-for-endpoint-using-the-command-line).

+2. Install the Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016 package and **enable passive mode**. See [Install Microsoft Defender Antivirus using command line](configure-server-endpoints.md#install-microsoft-defender-for-endpoint-using-the-command-line).

+> You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).

+### Are you using Windows Server 2012 R2 or Windows Server 2016?

+You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016 using the method above. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).

+<th colspan="2">Event ID: 1127</th>

+</tr>

+<tr><td>

+Symbolic name:

+</td>

+<td >

+<b>MALWAREPROTECTION_FOLDER_GUARD_SECTOR_BLOCK</b>

+</td>

+</tr>

+<tr>

+<td>

+Message:

+</td>

+<td >

+<b>Controlled Folder Access(CFA) blocked an untrusted process from making changes to the memory.

+</b>

+</td>

+</tr>

+<tr>

+<td>

+Description:

+</td>

+<td >

+Controlled Folder Access has blocked an untrusted process from potentially modifying disk sectors.

+<br/> For more information about the event record, see the following:

+<dl>

+<dt>EventID: &lt;EventID&gt;, for example: 1127</dt>

+<dt>Version: &lt;Version&gt;, for example: 0</dt>

+<dt>Level: &lt;Level&gt;, for example: win:Warning</dt>

+<dt>TimeCreated: &lt;SystemTime&gt;, time when the event was created</dt>

+<dt>EventRecordID: &lt;EventRecordID&gt;, index number of the event in the event log</dt>

+<dt>Execution ProcessID: &lt;Execution ProcessID&gt;, process that generated the event</dt>

+<dt>Channel: &lt;Event channel&gt;, for example: Microsoft-Windows-Windows Defender/Operational</dt>

+<dt>Computer: &lt;Computer name&gt;</dt>

+<dt>Security UserID: &lt;Security UserID&gt;</dt>

+<dt>Product Name: &lt;Product Name&gt;, for example: Microsoft Defender Antivirus</dt>

+<dt>Product Version: &lt;Product Version&gt;</dt>

+<dt>Detection Time: &lt;Detection Time&gt;, time when CFA blocked an untrusted process</dt>

+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>

+<dt>Path: &lt;Device name&gt;, name of the device or disk that an untrusted process accessed for modification</dt>

+<dt>Process Name: &lt;Process path&gt;, the process path name that CFA blocked from accessing the device or disk for modification</dt>

+<dt>Security Intelligence Version: &lt;Security intelligence version&gt;</dt>

+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>

+</dl>

+</td>

+</tr>

+<tr>

+<td>

+User action:

+</td>

+<td >

+The user can add the blocked process to the <i>Allowed Process</i> list for CFA, using Powershell or Windows Security Center.

+</td>

+</tr>

+<tr>

+The comparison bar chart is available on the **Overview** tab. Hover over the chart to view the score and score opportunity.

+**Organizations like yours** is an average score of other tenants in same region (provided we have at least five or more tenants to compare) with a similar organization size to yours.

+The comparison data is anonymized so we donΓÇÖt know exactly which others tenants are in the mix.

+

+> This is part of a **3-article series** on **Threat Explorer (Explorer)**, **email security**, and **Explorer and Real-time detections** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Threat hunting in Threat Explorer](threat-hunting-in-threat-explorer.md) and [Threat Explorer and Real-time detections](real-time-detections.md).

+1. *Detonation chain*. A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs affected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.

+ - Fail (IP address): The SPF check for the message failed, and includes the sender's IP address. This is sometimes called hard fail.

+### Email summary panel

+The email summary panel is a summarized view of the full email entity page. It contains standardized details about the email (e.g., detections), as well as context-specific information (e.g., for Quarantine or Submissions metadata). The email summary panel replaces the traditional Real-time Detections, Threat Explorer, Submissions, and Reporting flyouts.

+> [!div class="mx-imgBorder"]

+> 

+> [!NOTE]

+> To view all the components, click on the **Open email entity** link to open the full email entity page.

+The email summary panel is divided into the following sections:

+- *Delivery details*: Contains information about threats and corresponding confidence level, detection technologies, and original and latest delivery location.

+- *Email details*: Contains information about email properties like sender name, sender address, time received, authentication details, and other several other details.

+- *URLs*: By default, you will see 3 URLs and their corresponding threats. You can always click **View all URLs** to expand and see all URLs and export them.

+- *Attachments*: By default, you will see 3 attachments. You can always click **View all attachments** to expand and see all attachments.

+In addition to the above sections, you will also see sections specific to few experiences which are integrated with the summary panel:

+- Submissions:

+ - *Submission details*: Contains information about the specific submissions such as:

+ - Date submitted

+ - Subject

+ - Submission type

+ - Reason for submitting

+ - Submission ID

+ - Submitted by

+ - *Result details*: Messages that are submitted are reviewed. You can see the result of your submission as well as any recommended next steps.

+- Quarantine:

+ - *Quarantine details*: Contains quarantine-specific details. For more information, see [Manage quarantined messages](manage-quarantined-messages-and-files.md#view-quarantined-message-details).

+ - Expires: The date/time when the message will be automatically and permanently deleted from quarantine.

+ - Released to: All email addresses (if any) to which the message has been released.

+ - Not yet released to: All email addresses (if any) to which the message has not yet been released.

+ - *Quarantine actions*: For more information on different quarantine actions, see [Manage quarantined messages](manage-quarantined-messages-and-files.md#take-action-on-quarantined-email).

+# Explorer and Real-time detections

+- [Updated experience for Explorer and Real-time detections](#updated-experience-for-explorer-and-real-time-detections)

+This article explains the difference between Explorer and real-time detections reporting, updated experience with Explorer and real-time detections where you can toggle between old and new experiences, and the licenses and permissions that are required.

+## Updated experience for Explorer and Real-time detections

+The experience for Threat Explorer and Real-time detections is updated to align with modern accessibility standards, and to optimize the workflow. For a short while, you will be able to toggle between the old experience and the new one.

+> [!NOTE]

+> Toggling impacts only your account and does not impact anyone else within your tenant.

+Threat Explorer and Real-time detections is divided into the following views:

+- *All email*: Shows all email analyzed by Defender for office 365 and contains both good and malicious emails. This feature is only present in Threat Explorer and is not available for Real-time detections. By default, it is set to show data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer.

+- *Malware view*: Shows emails on which a malware threat was identified. This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days).

+- *Phish view*: Shows emails on which a phish threat was identified.

+- *Content malware view*: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams.

+Here are the common components within these experiences:

+- Filters

+ - You can use the various filters to view the data based on email or file attributes.

+ - By default, the time filter is applied to the records, and is applied for two days.

+ - If you are applying multiple filters, they are applied in ΓÇÿANDΓÇÖ mode and you can use the advanced filter to change it to ΓÇÿORΓÇÖ mode.

+ - You can use commas to add multiple values for the same filter.

+ > [!div class="mx-imgBorder"]

+ > 

+- Charts

+ - Charts provide a visual, aggregate view of data based on filters. You can use different filters to view the data by different dimensions.

+ > [!NOTE]

+ > You may see no results in chart view even if you are seeing an entry in the list view. This happens if the filter does not produce any data. For example, if you have applied the filter malware family, but the underlying data does not have any malicious emails, then you may see the message no data available for this scenario.

+ > [!div class="mx-imgBorder"]

+ > 

+- Results grid

+ - Results grid shows the email results based on the filters you have applied.

+ - Based on the configuration set in your tenant, data will be shown in UTC or local timezone, with the timezone information available in the first column.

+ - You can navigate to the individual email entity page from the list view by clicking the **Open in new window** icon.

+ - You can also customize your columns to add or remove columns to optimize your view.

+ > [!Note]

+ > You can toggle between the *Chart View* and the *List View* to maximize your result set.

+ > [!div class="mx-imgBorder"]

+ > 

+- Detailed flyout

+ - You can click on hyperlinks to get to the email summary panel (entries in Subject column), recipient, or IP flyout.

+ - The email summary panel replaces the legacy email flyout, and also provides a path to access the email entity panel.

+ - The individual entity flyouts like IP, recipient, and URL would reflect the same information, but presented in a single tab-based view, with the ability to expand and collapse the different sections based on requirement.

+ - For flyouts like URLs, you can click **View all Email** or **View all Clicks** to view the full set of emails/clicks containing that URL, as well as export the result set.

+- Actions

+ - From Threat Explorer, you can trigger remediation actions like *Delete an email*. For more information on remediation, remediation limits, and tracking remediation see [Remediate malicious email](remediate-malicious-email-delivered-office-365.md).

+- Export

+ - You can click **Export chart data** to export the chart details. Similarly, click **Export email list** to export email details.

+ - You can export up to 200K records for email list. However, for better system performance and reduced download time, you should use various email filters.

+ > [!div class="mx-imgBorder"]

+ > 

+In addition to these features, you will also get updated experiences like *Top URLs*, *Top clicks*, *Top targeted users*, and *Email origin*. *Top URLs*, *Top clicks*, and *Top targeted users* can be further filtered based on the filter that you apply within Explorer.

+> This is part of a **3-article series** on **Threat Explorer (Explorer)**, **email security**, and **Explorer and Real-time detections** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Email security with Threat Explorer](email-security-in-microsoft-defender.md) and [Threat Explorer and Real-time detections](real-time-detections.md).

+- set up mobile ap protection

+- m365solution-managedevices

+- m365solution-scenario

+- Intune device compliance policy-

+- m365solution-managedevices

+- m365solution-scenario

+- customize configuration profiles-

+- m365solution-managedevices

+- m365solution-scenario

+- dlp policies

+- m365solution-managedevices

+- m365solution-scenario

+- m365solution-managedevices

+- m365solution-scenario

+- m365solution-managedevices

+- m365solution-scenario

+- m365solution-managedevices

+- m365solution-overview

+- m365solution-managedevices

+- m365solution-scenario

+## Corporate communications with Microsoft 365 ΓÇö a Contoso case study

+Employee engagement is a significant contributor to workplace satisfaction, retention, and productivity at any organization. Across Microsoft 365, there are multiple ways to communicate and engage your audience.

+Knowing which method (or combinations of methods) to use and when to use them depends on your audience and the communication culture of your organization.

+| Item | Description |

+|:--|:--|

+|[](https://download.microsoft.com/download/0/3/4/034fbee5-ecf4-4559-86d3-815e898f21ea/contoso-corporate-communication-poster.pdf) <br/> [PDF](https://download.microsoft.com/download/0/3/4/034fbee5-ecf4-4559-86d3-815e898f21ea/contoso-corporate-communication-poster.pdf) \| [Visio](https://download.microsoft.com/download/0/3/4/034fbee5-ecf4-4559-86d3-815e898f21ea/contoso-corporate-communication-poster.vsdx) <br>Updated January 2022 |This poster illustrates how Contoso keeps employees informed and engaged across popular communication scenarios. Contoso uses a variety of M365 apps, including a new offering, Viva Connections.<br/><br/>**Related solution guides** <br/> <ul><li>[Organizational communications: Guidance, methods, and products](/sharepoint/corporate-communications-overview)|