- IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for modern sites, and it uses the Trident MSHTML engine from Internet Explorer 11 (IE11) for legacy sites. When a site loads in IE mode, the IE logo indicator displays on the left side of navigation.
- Click the Windows logo in the bottom-left corner of the screen, or press the ⊞ Win key. On Windows 8, instead hover your mouse in the upper-right corner of the screen, then click the magnifying glass icon. Type file explorer into Start. You should see a folder icon appear at the top of the Start window.
- How To Use Microsoft Explorer On Windows 10
- Microsoft Explorer For Windows 10
- Microsoft Edge
- Microsoft Explorer On My Computer
- How To Get Microsoft Explorer On Pc
Microsoft Edge is built on the Chromium open-source project to provide world-class compatibility for modern sites and apps. Internet Explorer mode provides compatibility for your legacy sites and apps by supporting Internet Explorer functionality like all document and enterprise modes, Active X controls (such as Java or Silverlight), and more.
-->By Mark Russinovich
Published: June 1, 2021
Download Process Explorer(2.5 MB)
Run now from Sysinternals Live.
Introduction
Ever wondered which program has a particular file or directory open? Nowyou can find out. Process Explorer shows you information about whichhandles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The topwindow always shows a list of the currently active processes, includingthe names of their owning accounts, whereas the information displayed inthe bottom window depends on the mode that Process Explorer is in: ifit is in handle mode you'll see the handles that the process selected inthe top window has opened; if Process Explorer is in DLL mode you'llsee the DLLs and memory-mapped files that the process has loaded.Process Explorer also has a powerful search capability that willquickly show you which processes have particular handles opened or DLLsloaded.
The unique capabilities of Process Explorer make it useful fortracking down DLL-version problems or handle leaks, and provide insightinto the way Windows and applications work.
Related Links
- Windows Internals BookThe official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon.
- Windows Sysinternals Administrator's Reference The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use.
Download
Download Process Explorer(2.5 MB)
Run now from Sysinternals Live.
Runs on:
- Client: Windows 8.1 and higher.
- Server: Windows Server 2012 and higher.
Installation
Simply run Process Explorer (procexp.exe).
The help file describes Process Explorer operation and usage. If youhave problems or questions please visit the Process Explorer section on Microsoft Q&A.
Note on use of symbols
When you configure the path to DBGHELP.DLL and the symbol path uses the symbol server, the location of DBGHELP.DLL also has to contain the SYMSRV.DLL supporting the server paths used. See SymSrv documentation or more information on how to use symbol servers.
Learn More
Here are some other handle and DLL viewing tools and informationavailable at Sysinternals:
- The case of the Unexplained... In this video, Mark describes how he has solved seemingly unsolvable system and application problems on Windows.
- Handle - a command-line handle viewer
- ListDLLs - a command-line DLL viewer
- PsList - local/remote command-line process lister
- PsKill - local/remote command-line process killer
- Defrag Tools: #2 - Process ExplorerIn this episode of Defrag Tools, Andrew Richards and Larry Larsen show how to use Process Explorer to view the details of processes, both at a point in time and historically.
- Windows Sysinternals Primer: Process Explorer, Process Monitor and More Process Explorer gets a lot of attention in the first Sysinternals Primer delivered by Aaron Margosis and Tim Reckmeyer at TechEd 2010.
Applies to
If your organization has Microsoft Defender for Office 365, and you have the necessary permissions, you have either Explorer or Real-time detections (formerly Real-time reports — see what's new!). In the Security & Compliance Center, go to Threat management, and then choose ExplorerorReal-time detections.
With Microsoft Defender for Office 365 Plan 2, you see: | With Microsoft Defender for Office 365 Plan 1, you see: |
---|
Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. The report resembles the following image:
With this report, you can:
- Start an automated investigation and response process from a view in Explorer (Defender for Office 365 Plan 2 only)
Improvements to Threat Hunting Experience
Introduction of Alert ID for Defender for Office 365 alerts within Explorer/Real-time detections
Today, if you navigate from an alert to Threat Explorer, it opens a filtered view within the Explorer, with the view filtered by Alert policy ID (policy ID being a unique identifier for an Alert policy).We are making this integration more relevant by introducing the alert ID (see an example of alert ID below) in Threat Explorer and Real-time detections so that you see messages which are relevant to the specific alert, as well as a count of emails. You will also be able to see if a message was part of an alert, as well as navigate from that message to the specific alert.
Alert ID is available within the URL when you are viewing an individual alert; an example being https://protection.office.com/viewalerts?id=372c9b5b-a6c3-5847-fa00-08d8abb04ef1
.
Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 to 30 days
As part of this change, you will be able to search for, and filter email data across 30 days (an increase from the previous 7 days) in Threat Explorer/Real-time detections for both Defender for Office P1 and P2 trial tenants.This does not impact any production tenants for both P1 and P2/E5 customers, which already has the 30 day data retention and search capabilities.
Updated limits for Export of records for Threat Explorer
As part of this update, the number of rows for Email records that can be exported from Threat Explorer is increased from 9990 to 200,000 records. The set of columns that can be exported currently will remain the same, but the number of rows will increase from the current limit.
Tags in Threat Explorer
Note
The user tags feature is in Preview, isn't available to everyone, and is subject to change. For information about the release schedule, check out the Microsoft 365 roadmap.
User tags identify specific groups of users in Microsoft Defender for Office 365. For more information about tags, including licensing and configuration, see User tags.
In Threat Explorer, you can see information about user tags in the following experiences.
Email grid view
The Tags column in the email grid contains all the tags that have been applied to the sender or recipient mailboxes. By default, system tags like priority accounts are shown first.
Filtering
You can use tags as a filter. Hunt just across priority accounts or specific user tags scenarios. You can also exclude results that have certain tags. Combine this functionality with other filters to narrow your scope of investigation.
Email detail flyout
To view the individual tags for sender and recipient, select the subject to open the message details flyout. On the Summary tab, the sender and recipient tags are shown separately, if they're present for an email.The information about individual tags for sender and recipient also extends to exported CSV data, where you can see these details in two separate columns.
Tags information is also shown in the URL clicks flyout. To view it, go to Phish or All Email view and then to the URLs or URL Clicks tab. Select an individual URL flyout to view additional details about clicks for that URL, including tags associated with that click.
Updated Timeline View
Learn more by watching this video.
Improvements to the threat hunting experience (upcoming)
Updated threat information for emails
We've focused on platform and location won't be updated. But if a system action updated the location (for example, ZAP resulting in an email moving to quarantine), Latest delivery location would show as 'quarantine.'
Note
There are a few cases where Delivery location and Delivery action may show as 'unknown':
You might see Delivery location as 'delivered' and Delivery location as 'unknown' if the message was delivered, but an Inbox rule moved the message to a default folder (such as Draft or Archive) instead of to the Inbox or Junk Email folder.
Latest delivery location can be unknown if an admin/system action (such as ZAP) was attempted, but the message wasn't found. Typically, the action happens after the user moved or deleted the message. In such cases, verify the Result/Details column in timeline view. Look for the statement 'Message moved or deleted by the user.'
Additional actions
Additional actions were applied after delivery of the email. They can include ZAP, manual remediation (action taken by an Admin such as soft delete), dynamic delivery, and reprocessed (for an email that was retroactively detected as good).
Note
As part of the pending changes, the 'Removed by ZAP' value currently surfaced in the Delivery Action filter is going away. You'll have a way to search for all email with the ZAP attempt through Additional actions.
System overrides
System overrides enable you to make exceptions to the intended delivery location of a message. You override the delivery location provided by the system, based on the threats and other detections identified by the filtering stack. System overrides can be set through tenant or user policy to deliver the message as suggested by the policy. Overrides can identify unintentional delivery of malicious messages due to configurations gaps, such as an overly broad Safe Sender policy set by a user. These override values can be:
Allowed by user policy: A user creates policies at the mailbox level to allows domains or senders.
Blocked by user policy: A user creates policies at the mail box level to block domains or senders.
Allowed by org policy: The organization's security teams set policies or Exchange mail flow rules (also known as transport rules) to allow senders and domains for users in their organization. This can be for a set of users or the entire organization.
Blocked by org policy: The organization's security teams set policies or mail flow rules to block senders, domains, message languages, or source IPs for users in their organization. This can be applied to a set of users or the entire organization.
File extension blocked by org policy: An organization's security team blocks a file name extension through the anti-malware policy settings. These values will now be displayed in email details to help with investigations. Secops teams can also use the rich-filtering capability to filter on blocked file extensions.
Improvements for the URL and clicks experience
The improvements include:
Show the full clicked URL (including any query parameters that are part of the URL) in the Clicks section of the URL flyout. Currently, the URL domain and path appear in the title bar. We're extending that information to show the full URL.
Fixes across URL filters (URL versus URL domain versus URL domain and path): The updates affect searching for messages that contain a URL/click verdict. We enabled support for protocol-agnostic searches, so you can search for a URL without using
http
. By default, the URL search maps to http, unless another value is explicitly specified. For example:- Search with and without the
http://
prefix in the URL, URL Domain, and URL Domain and Path filter fields. The searches should show the same results. - Search for the
https://
prefix in URL. When no value is specified, thehttp://
prefix is assumed. /
is ignored at the beginning and end of the URL path, URL Domain, URL domain and path fields./
at the end of the URL field is ignored.
- Search with and without the
Phish confidence level
Phish confidence level helps identify the degree of confidence with which an email was categorized as 'phish.' The two possible values are High and Normal. In the initial stages, this filter will be available only in the Phish view of Threat Explorer.
ZAP URL signal
The ZAP URL signal is typically used for ZAP Phish alert scenarios where an email was identified as Phish and removed after delivery. This signal connects the alert with the corresponding results in Explorer. It's one of the IOCs for the alert.
To improve the hunting process, we've updated Threat Explorer and Real-time detections to make the hunting experience more consistent. The changes are outlined here:
Filter by user tags
You can now sort and filter on system or custom user tags to quickly grasp the scope of threats. To learn more, see User tags.
Important
Filtering and sorting by user tags is currently in public preview. This functionality may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided about it.
Timezone improvements
You'll see the time zone for the email records in the Portal as well as for Exported data. It will be visible across experiences like Email Grid, Details flyout, Email Timeline, and Similar Emails, so the time zone for the result set is clear.
Update in the refresh process
Some users have commented about confusion with automatic refresh (for example, as soon as you change the date, the page refreshes) and manual refresh (for other filters). Similarly, removing filters leads to automatic refresh. Changing filters while modifying the query can cause inconsistent search experiences. To resolve these issues, we're moving to a manual-filtering mechanism.
From an experience standpoint, the user can apply and remove the different range of filters (from the filter set and date) and select the refresh button to filter the results after they've defined the query. The refresh button is also now emphasized on the screen. We've also updated the related tooltips and in-product documentation.
Chart drilldown to add to filters
You can now chart legend values to add them as filters. Select the Refresh button to filter the results.
In-product information updates
Additional details are now available within the product, such as the total number of search results within the grid (see below). We've improved labels, error messages, and tooltips to provide more information about the filters, search experience, and result set.
Extended capabilities in Threat Explorer
Top targeted users
Today we expose the list of the top targeted users in the Malware view for emails, in the Top Malware Families section. We'll be extending this view in the Phish and All Email views as well. You'll be able to see the top-five targeted users, along with the number of attempts for each user for the corresponding view. For example, for Phish view, you'll see the number of Phish attempts.
You'll be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts for offline analysis for each email view. In addition, selecting the number of attempts (for example, 13 attempts in the image below) will open a filtered view in Threat Explorer, so you can see more details across emails and threats for that user.
Exchange transport rules
As part of data enrichment, you'll be able to see all the different Exchange transport rules (ETR) that were applied to a message. This information will be available in the Email grid view. To view it, select Column options in the grid and then Add Exchange Transport Rule from the column options. It will also be visible on the Details flyout in the email.
You'll be able to see both the GUID and the name of the transport rules that were applied to the message. You'll be able to search for the messages by using the name of the transport rule. This is a 'Contains' search, which means you can do partial searches as well.
Important
How To Use Microsoft Explorer On Windows 10
ETR search and name availability depend on the specific role that's assigned to you. You need to have one of the following roles/permissions to view the ETR names and search. If you don't have any of these roles assigned to you, you can't see the names of the transport rules or search for messages by using ETR names. However, you could see the ETR label and GUID information in the Email Details. Other record-viewing experiences in Email Grids, Email flyouts, Filters, and Export are not affected.
- EXO Only - Data Loss Prevention: All
- EXO Only - O365SupportViewConfig: All
- Microsoft Azure Active Directory or EXO - Security Admin: All
- AAD or EXO - Security Reader: All
- EXO Only - Transport Rules: All
- EXO Only - View-Only Configuration: All
Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with a Name/GUID as shown below.
Microsoft Explorer For Windows 10
Inbound connectors
Connectors are a collection of instructions that customize how your email flows to and from your Microsoft 365 or Office 365 organization. They enable you to apply any security restrictions or controls. Within Threat Explorer, you can now view the connectors that are related to an email and search for emails by using connector names.
The search for connectors is 'contains' in nature, which means partial keyword searches should work as well. Within the Main grid view, the Details flyout, and the Exported CSV, the connectors are shown in the Name/GUID format as shown here:
New features in Threat Explorer and Real-time detections
View phishing emails sent to impersonated users and domains
To identify phishing attempts against users and domains that are impersonated users must be added to the list of Users to protect. For domains, admins must either enable Organization domains, or add a domain name to Domains to protect. The domains to protect are found on the Anti-Phishing policy page in the Impersonation section.
To review phish messages and search for impersonated users or domains, use the Email > Phish view of Explorer.
This example uses Threat Explorer.
In the Security & Compliance Center (https://protection.office.com), choose Threat management > Explorer (or Real-time detections).
In the View menu, choose Email > Phish.
Here you can choose impersonated domain or impersonated user.
EITHER select Impersonated domain, and then type a protected domain in the textbox.
For example, search for protected domain names like contoso, contoso.com, or contoso.com.au.
Select the Subject of any message under the Email tab > Details tab to see additional impersonation information like Impersonated Domain / Detected location.
OR
Select Impersonated user and type a protected user's email address in the textbox.
Tip
For best results, use full email addresses to search protected users. You will find your protected user quicker and more successfully if you search for firstname.lastname@contoso.com, for example, when investigating user impersonation. When searching for a protected domain the search will take the root domain (contoso.com, for example), and the domain name (contoso). Searching for the root domain contoso.com will return both impersonations of contoso.com and the domain name contoso.
Select the Subject of any message under Email tab > Details tab to see additional impersonation information about the user or domain, and the Detected location.
Note
In step 3 or 5, if you choose Detection Technology and select Impersonation domain or Impersonation user respectively, the information in the Email tab > Details tab about the user or domain, and the Detected location will be shown only on the messages that are related to the user or domain listed on the Anti-Phishing policy page.
Preview email header and download email body
You can now preview an email header and download the email body in Threat Explorer. Admins can analyze downloaded headers/email messages for threats. Because downloading email messages can risk exposure of information, this process is controlled by role-based access control (RBAC). A new role, Preview, must be added to another role group (such as Security Operations or Security Administrator) to grant the ability to download mails in all-email messages view. However, viewing the email header does not require any additional role (other than what is required to view messages in Threat Explorer).
Explorer and Real-time detections will also get new fields that provide a more complete picture of where your email messages land. These changes make hunting easier for Security Ops. But the main result is you can know the location of problem email messages at a glance.
How is this done? Delivery status is now broken out into two columns:
- Delivery action - Status of the email.
- Delivery location - Where the email was routed.
Delivery action is the action taken on an email due to existing policies or detections. Here are the possible actions for an email:
Delivered | Junked | Blocked | Replaced |
---|---|---|---|
Email was delivered to the inbox or folder of a user, and the user can access it. | Email was sent to the user's Junk or Deleted folder, and the user can access it. | Emails that are quarantined, that failed, or were dropped. These mails are inaccessible to the user. | Email had malicious attachments replaced by .txt files that state the attachment was malicious. |
Microsoft Edge
Here is what the user can and can't see:
Accessible to end users | Inaccessible to end users |
---|---|
Delivered | Blocked |
Junked | Replaced |
Delivery location shows the results of policies and detections that run post-delivery. It's linked to Delivery action. These are the possible values:
- Inbox or folder: The email is in the inbox or a folder (according to your email rules).
- On-prem or external: The mailbox doesn't exist on cloud but is on-premises.
- Junk folder: The email is in a user's Junk folder.
- Deleted items folder: The email in a user's Deleted items folder.
- Quarantine: The email is in quarantine and not in a user's mailbox.
- Failed: The email failed to reach the mailbox.
- Dropped: The email got lost somewhere in the mail flow.
Email timeline
The Email timeline is a new Explorer feature that improves the hunting experience for admins. It cuts the time spent checking different locations to try to understand the event. When multiple events happen at or close to the same time an email arrives, those events are displayed in a timeline view. Some events that happen to your email post-delivery are captured in the Special action column. Admins can combine information from the timeline with the special action taken on the mail post-delivery to get insight into how their policies work, where the mail was finally routed, and, in some cases, what the final assessment was.
For more information, see Investigate and remediate malicious email that was delivered in Office 365.
Export URL click data
You can now export reports for URL clicks to Microsoft Excel to view their network message ID and click verdict, which helps explain where your URL click traffic originated. Here's how it works: In Threat Management on the Office 365 quick-launch bar, follow this chain:
Explorer > View Phish > Clicks > Top URLs or URL Top Clicks > select any record to open the URL flyout.
When you select a URL in the list, you'll see a new Export button on the fly-out panel. Use this button to move data to an Excel spreadsheet for easier reporting.
Follow this path to get to the same location in the Real-time detections report:
Explorer > Real-time detections > View Phish > URLs > Top URLs or Top Clicks > Select any record to open the URL flyout > navigate to the Clicks tab.
Tip
The Network Message ID maps the click back to specific mails when you search on the ID through Explorer or associated third-party tools. Such searches identify the email associated with a click result. Having the correlated Network Message ID makes for quicker and more powerful analysis.
See malware detected in email by technology
Suppose you want to see malware detected in email sorted by Microsoft 365 technology. To do this, use the Email > Malware view of Explorer (or Real-time detections).
In the Security & Compliance Center (https://protection.office.com), choose Threat management > Explorer (or Real-time detections). (This example uses Explorer.)
In the View menu, choose Email > Malware.
Click Sender, and then choose Basic > Detection technology.
Your detection technologies are now available as filters for the report.
Choose an option. Then select the Refresh button to apply that filter.
The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis.
View phishing URL and click verdict data
Suppose that you want to see phishing attempts through URLs in email, including a list of URLs that were allowed, blocked, and overridden. To identify URLs that were clicked, Safe Links must be configured. Make sure that you set up Safe Links policies for time-of-click protection and logging of click verdicts by Safe Links.
To review phish URLs in messages and clicks on URLs in phish messages, use the Email > Phish view of Explorer or Real-time detections.
In the Security & Compliance Center (https://protection.office.com), choose Threat management > Explorer (or Real-time detections). (This example uses Explorer.)
In the View menu, choose Email > Phish.
Click Sender, and then choose URLs > Click verdict.
Select one or more options, such as Blocked and Block overridden, and then select the Refresh button on the same line as the options to apply that filter. (Don't refresh your browser window.)
The report refreshes to show two different URL tables on the URL tab under the report:
Top URLs are the URLs in the messages that you filtered down to and the email delivery action counts for each URL. In the Phish email view, this list typically contains legitimate URLs. Attackers include a mix of good and bad URLs in their messages to try to get them delivered, but they make the malicious links look more interesting. The table of URLs is sorted by total email count, but this column is hidden to simplify the view.
Top clicks are the Safe Links-wrapped URLs that were clicked, sorted by total click count. This column also isn't displayed, to simplify the view. Total counts by column indicate the Safe Links click verdict count for each clicked URL. In the Phish email view, these are usually suspicious or malicious URLs. But the view could include URLs that aren't threats but are in phish messages. URL clicks on unwrapped links don't show up here.
The two URL tables show top URLs in phishing email messages by delivery action and location. The tables show URL clicks that were blocked or visited despite a warning, so you can see what potential bad links were presented to users and that the user's clicked. From here, you can conduct further analysis. For example, below the chart you can see the top URLs in email messages that were blocked in your organization's environment.
Select a URL to view more detailed information.
Note
In the URL flyout dialog box, the filtering on email messages is removed to show the full view of the URL's exposure in your environment. This lets you filter for email messages you're concerned about in Explorer, find specific URLs that are potential threats, and then expand your understanding of the URL exposure in your environment (via the URL details dialog box) without having to add URL filters to the Explorer view itself.
Interpretation of click verdicts
Within the Email or URL flyouts, Top Clicks as well as within our filtering experiences, you'll see different click verdict values:
- None: Unable to capture the verdict for the URL. The user might have clicked through the URL.
- Allowed: The user was allowed to navigate to the URL.
- Blocked: The user was blocked from navigating to the URL.
- Pending verdict: The user was presented with the detonation-pending page.
- Blocked overridden: The user was blocked from navigating directly to the URL. But the user overrode the block to navigate to the URL.
- Pending verdict bypassed: The user was presented with the detonation page. But the user overrode the message to access the URL.
- Error: The user was presented with the error page, or an error occurred in capturing the verdict.
- Failure: An unknown exception occurred while capturing the verdict. The user might have clicked through the URL.
Review email messages reported by users
Suppose that you want to see email messages that users in your organization reported as Junk, Not Junk, or Phishing through the Report Message add-in or the Report Phishing add-in. To see them, use the Email > Submissions view of Explorer (or Real-time detections).
In the Security & Compliance Center (https://protection.office.com), choose Threat management > Explorer (or Real-time detections). (This example uses Explorer.)
In the View menu, choose Email > Submissions.
Click Sender, and then choose Basic > Report type.
Select an option, such as Phish, and then select the Refresh button.
Microsoft Explorer On My Computer
The report refreshes to show data about email messages that people in your organization reported as a phishing attempt. You can use this information to conduct further analysis, and, if necessary, adjust your anti-phishing policies in Microsoft Defender for Office 365.
Start automated investigation and response
Note
Automated investigation and response capabilities are available in Microsoft Defender for Office 365 Plan 2 and Office 365 E5.
Automated investigation and response can save your security operations team time and effort spent investigating and mitigating cyberattacks. In addition to configuring alerts that can trigger a security playbook, you can start an automated investigation and response process from a view in Explorer. For details, see Example: A security administrator triggers an investigation from Explorer.
More ways to use Explorer and Real-time detections
In addition to the scenarios outlined in this article, you have many more reporting options available with Explorer (or Real-time detections). See the following articles:
Required licenses and permissions
You must have Microsoft Defender for Office 365 to use Explorer or Real-time detections.
- Explorer is included in Defender for Office 365 Plan 2.
- The Real-time detections report is included in Defender for Office 365 Plan 1.
- Plan to assign licenses for all users who should be protected by Defender for Office 365. Explorer and Real-time detections show detection data for licensed users.
To view and use Explorer or Real-time detections, you must have appropriate permissions, such as those granted to a security administrator or security reader.
For the Security & Compliance Center, you must have one of the following roles assigned:
- Organization Management
- Security Administrator (this can be assigned in the Azure Active Directory admin center (https://aad.portal.azure.com)
- Security Reader
For Exchange Online, you must have one of the following roles assigned in either the Exchange admin center (https://admin.protection.outlook.com/ecp/) or Exchange Online PowerShell:
- Organization Management
- View-Only Organization Management
- View-Only Recipients
- Compliance Management
To learn more about roles and permissions, see the following resources:
Differences between Threat Explorer and Real-time detections
- The Real-time detections report is available in Defender for Office 365 Plan 1. Threat Explorer is available in Defender for Office 365 Plan 2.
- The Real-time detections report allows you to view detections in real time. Threat Explorer does this as well, but it also provides additional details for a given attack.
- An All email view is available in Threat Explorer but not in the Real-time detections report.
- More filtering capabilities and available actions are included in Threat Explorer. For more information, see Microsoft Defender for Office 365 Service Description: Feature availability across Defender for Office 365 plans.