defender-office-365/reports-email-security.md
+1 Lines changed: 1 addition & 0 deletions
@@ -560,6 +560,7 @@ In the **View data by Email \> Spam** and **Chart breakdown by Detection Technol
560
560
-**Fingerprint matching**: The message closely resembles a previous detected malicious message.
561
561
-**General filter**
562
562
-**IP reputation**: The message was from a source that was previously identified as sending spam in other Microsoft 365 organizations.
563
+
-**Mail bombing**: Messages detected as part of a mail bombing attack where attackers flood targeted email addresses with an overwhelming volume of messages.
563
564
-**Mixed analysis detection**: Multiple filters contributed to the verdict for the message.
564
565
-**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.
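Review bot: The added **Mail bombing** entry at new line 563 is a plural sentence fragment ("Messages detected as part of a mail bombing attack ...") while the neighbouring entries are full sentences about a single message ("The message closely resembles ...", "The message was from a source ..."). Suggest matching them, for example "**Mail bombing**: The message was detected as part of a mail bombing attack, where attackers flood targeted email addresses with an overwhelming volume of messages." The alphabetical position between **IP reputation** and **Mixed analysis detection** is right. The hunk header places this list under the **View data by Email \> Spam** and Detection Technology breakdown; if the same list of detection technologies is repeated for other views in this file, add the entry there too so the documented values match what analysts see in the report filters.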
defender-xdr/advanced-hunting-graph.md
+4 -1 Lines changed: 4 additions & 1 deletion
@@ -25,7 +25,10 @@ search.appverid: met150
25
25
ms.date: 09/30/2025
26
26
27
27
---
28
-
# Hunt for threats using the hunting graph
28
+
# Hunt for threats using the hunting graph (Preview)
29
+
30
+
> [!IMPORTANT]
31
+
> Some information relates to prereleased product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
29
32
30
33
The **hunting graph** provides visualization capabilities in [advanced hunting](advanced-hunting-overview.md) by rendering threat scenarios as interactive graphs. This feature allows security operations center (SOC) analysts, threat hunters, and security researchers conduct threat hunting and incident response easily and more intuitively, improving their efficiency and ability to assess possible security issues.
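Review bot: The intro sentence left as unchanged context directly under the new note reads "This feature allows security operations center (SOC) analysts, threat hunters, and security researchers conduct threat hunting", which is missing "to" before "conduct"; since this commit already reworks the top of the article, fix it here. The `ms.date: 09/30/2025` front-matter line is also unchanged in this hunk, so bump it if the Preview relabel lands after that date. The added `> [!IMPORTANT]` note is separated from the H1 by a blank line and reads fine as is.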
defender-xdr/understand-graph-icons.md
+5 -5 Lines changed: 5 additions & 5 deletions
@@ -27,7 +27,7 @@ ms.date: 09/30/2025
27
27
---
28
28
# Understanding graphs and visualizations in Microsoft Defender
29
29
30
-
Microsoft Defender use interactive graphs to visualize attack paths, [blast radius](investigate-incidents.md), and relationships between entities in your environment. These visualizations provide a bird’s eye view of a possible threat or attack, letting you and your security operations (SOC) team to investigate and [hunt](advanced-hunting-graph.md) them quickly.
30
+
Microsoft Defender use interactive graphs to visualize attack paths, [blast radius](investigate-incidents.md#view-blast-radius-graphs), and relationships between entities in your environment. These visualizations provide a bird’s eye view of a possible threat or attack, letting you and your security operations (SOC) team to investigate and [hunt](advanced-hunting-graph.md) them quickly.
31
31
32
32
The graphs generated in the Defender portal are composed of [nodes](#nodes) and [edges](#edges). This article enumerates and defines the commonly used icons for graph these elements.
33
33
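Review bot: The rewritten line 30 only changes the link target and carries over two grammar errors from the old line: "Microsoft Defender use interactive graphs" should be "uses", and "letting you and your security operations (SOC) team to investigate" should drop the "to". The new fragment `#view-blast-radius-graphs` cannot be checked from this diff, so confirm that investigate-incidents.md has a heading that generates exactly that anchor, otherwise the link lands at the top of the page. The context line at 32 ("commonly used icons for graph these elements") is also garbled and could be fixed in the same pass.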
@@ -59,9 +59,9 @@ Entities and might also appear as **grouped nodes**, which have numerical indica
59
59
60
60
A node might also have any of the following indicators around it:
61
61
62
-
-**Critical asset** - Indicates that an entity is classified as business-critical or valuable, as identified in the [critical asset management](/security-exposure-management/critical-asset-management) in Microsoft Security Exposure Management. The nodes representing critical assets also have a golden halo surrounding them.
63
-
-**Vulnerability**[icon]- Indicates that at least one vulnerability was detected on the entity.
64
-
-**Explore connected assets** - Indicates that the node can expand the hunting graph further beyond the initial results. Expanding the graph lets you explore other relationships the selected entity has with the other ones.
62
+
-**Critical asset**- Indicates that an entity is classified as business-critical or valuable, as identified in the [critical asset management](/security-exposure-management/critical-asset-management) in Microsoft Security Exposure Management. This indicator appears as a golden crown . The nodes representing critical assets also have a golden halo surrounding them.
63
+
-**Vulnerability** - Indicates that at least one vulnerability was detected on the entity. This indicator appears as a red bug .
64
+
-**Explore connected assets**- Indicates that the node can expand the hunting graph further beyond the initial results. Expanding the graph lets you explore other relationships the selected entity has with the other ones. This indicator appears as a blue plus sign .
65
65
-**Discovery source** - Indicates the entity's data source. This indicator appears as the icon of the Defender product protecting the entity in blue (for example,  for Microsoft Defender for Endpoint, or  for Microsoft Defender for Cloud).
66
66
67
67
>[!TIP]
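Review bot: The new lines 62 and 64 drop the space before the hyphen ("**Critical asset**- Indicates", "**Explore connected assets**- Indicates"), while the new line 63 and the unchanged **Discovery source** line keep it ("**Vulnerability** - Indicates"); use the spaced form on all three so the list renders consistently. Each added sentence also ends with a gap before the period ("appears as a golden crown .", "a red bug .", "a blue plus sign ."), which suggests an inline icon sits there; make sure each one has alt text so the description still reads correctly when the image does not load. The hunk header context "Entities and might also appear as **grouped nodes**" has a stray "and" that is worth fixing while this section is being edited.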
@@ -75,7 +75,7 @@ An **edge** indicates the relationship or connection properties between two nod