Event banner
Event details
Ajaj_Shaikh
Microsoft
MicrosoftHi CRL55, currently we do not support wildcard searches in Threat Explorer. You can check out the Advanced Hunting experience under Hunting->Advanced Hunting where we provide KQL based filtering experience which might help you get the desired results. Please check out this link for more details on Advanced Hunting - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
Thanks - but having moved from Mimecast to 365 it would be nice to have this simple feature added to the capabilities within the GUI. KQL is fine if you have the time to sit down and learn it - even the query builder can be monotonous. Would be nice to have basic search capabilities all in the same place.
- johnengelsCRL55 - FYI, the 'subject' field is a contains type search, so it doesn't really need wildcards. Simply type in partial phrase or words and it should match things.
- So if I want to search for all inbound emails from Colin* but dont know the subject - can you explain what i need to do please? With Mimecast - 'Email From: Colin* 'TO' Robert*' gave me all the results i needed - subject wasnt relevant or known.
- johnengelsFor Explorer, you'd need to know specific email addresses and then start with those as 'sender' and/or 'recipient' searches. You cannot just start with a partial sender/recipient name - that would be better in Advanced Hunting. You can save your Advanced Hunting queries (for yourself as well as others in your team to use), so it doesn't have to be something you use every day - plus the older KQL queries will stay around in open tabs in that hunting page for a while. You could also do the initial pass in Advanced Hunting - copy out some of the email addresses in use and then search again with those specific items in Explorer.
- Ajaj_ShaikhThanks for the inputs CRL55. We have made a note of this ask and we will consider this for future enhancements.