Get started with Office 365 Threat Intelligence

If you are part of your organization's security team, you can use Office 365 Threat Intelligence to protect your users from attacks. Office 365 Threat Intelligence helps security analysts and administrators keep users safe by bubbling up insights and identifying action based on what is happening in their your Office 365 environment. These insights are based on a comprehensive repository of threat intelligence data and systems to spot patterns that correspond to attack behaviors and suspicious activity.

Threat intelligence helps you understand attacks targeted at your organization

Read this article to learn more about what Office 365 Threat Intelligence includes and how to get started.

In this article

What is Office 365 Threat Intelligence?

Office 365 Threat Intelligence is a collection of insights and information available in the Office 365 Security & Compliance Center. These insights can help your organization's security team protect Office 365 users from attacks. Office 365 Threat Intelligence monitors signals and gathers data from multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents. Business decision makers and Office 365 global administrators, security administrators, and security analysts can all use the information Office 365 Threat Intelligence provides to understand and respond to threats against Office 365 users and intellectual property.

Back to top

Get acquainted with the Threat dashboard, Explorer, and Incidents

Office 365 Threat Intelligence surfaces in the Security & Compliance Center, as a set of tools and reports, including the Threat dashboard, Threat Explorer, and Incidents.

Threat dashboard

Use the Threat dashboard (this is also referred to as the Security dashboard) to quickly see what threats have been addressed, and as a visual way to report to business decision makers how Office 365 services are securing your business.

Threat Intelligence Dashboard

To view and use this dashboard, in the Security & Compliance Center, go to Threat management > Dashboard.

Back to top

Threat Explorer

Use the Threat explorer to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. The Threat explorer is the starting place for any security analyst's investigation workflow.

Threat explorer

To view and use this report, in the Security & Compliance Center, go to Threat management > Explorer.

Back to top

Incidents

Use the Incidents list to see a list of in flight security incidents. Incidents are used to track threats such as suspicious email messages, and to conduct further investigation and remediation.

List of current Incidents in Office 365 Threat Intelligence

To view the list of current incidents for your organization, in the Security & Compliance Center, go to Threat management > Review > Incidents.

In the Security & Compliance Center, choose Threat management > Review

Back to top

Learn more about Malware & Threats

As part of ´╗┐the Office 365 Threat Intelligence offering, security analysts can review details about a known threat. This is useful to determine whether there are additional preventative measures/steps that can be taken to keep users safe.

Security Trends showing information about recent threats

Back to top

How do we get Office 365 Threat Intelligence?

Office 365 Threat Intelligence is included in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, such as Office 365 Enterprise E3, Office 365 Threat Intelligence can be purchased as an add-on. (As a global administrator, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.

  1. As an Office 365 global administrator, go to https://portal.office.com and sign in using your work or school account for Office 365.

  2. Choose Admin > Billing to see what your current subscription includes.

  3. If you see Office 365 Enterprise E5, then your organization has Office 365 Threat Intelligence.

    If you see a different subscription, such as Office 365 Enterprise E3 or Office 365 Enterprise E1, then you can add Office 365 Threat Intelligence. To do that, choose + Add subscription.

  4. In the Office 365 admin center, choose Users > Active users.

  5. Assign Office 365 Threat Intelligence licenses to users. For more information about assigning licenses, see Assign licenses to users in Office 365 for business.

  6. Assign roles to people in your organization who will be working with the Office 365 Threat Intelligence. See Give users access to the Office 365 Security & Compliance Center, and refer to the following table:

    To do this activity...

    You must have one of these roles

    Use the Threat dashboard (or the new Security dashboard)

    View information about recent or current threats

    Office 365 Global Administrator

    Security Administrator (assigned in the Security & Compliance Center)

    Security Reader (assigned in the Security & Compliance Center)

    Use the Threat Explorer (also referred to as Explorer)

    Analyze threats

    Office 365 Global Administrator

    Security Administrator (assigned in the Security & Compliance Center)

    Security Reader (assigned in the Security & Compliance Center)

    View Incidents

    Add email messages to an incident

    Office 365 Global Administrator

    Security Administrator (assigned in the Security & Compliance Center)

    Security Reader (assigned in the Security & Compliance Center)

    Trigger email actions in an incident

    Find and delete suspicious email messages

    Office 365 Global Administrator

    Search and Purge (assigned in the Security & Compliance Center)

    Integrate Office 365 Threat Intelligence with Windows Defender Advanced Threat Protection

    Integrate Office 365 Threat Intelligence with a SIEM server

    Office 365 Global Administrator

    Security Administrator (assigned in the Security & Compliance Center)

    Appropriate role assigned in additional applications (such as Windows Defender Advanced Threat Protection portal or a SIEM server)

    For information about roles, role groups, and permissions, see Permissions in the Office 365 Security & Compliance Center.

    Back to top

Next steps

Back to top

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×