Professional Documents
Culture Documents
View Defender For Office 365 Reports - Microsoft Defender For Office 365 Microsoft Learn
View Defender For Office 365 Reports - Microsoft Defender For Office 365 Microsoft Learn
Tip
Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender
portal trials hub . Learn about who can sign up and trial terms here.
In organizations with Microsoft Defender for Office 365 Plan 1 or Plan 2 (for example,
Microsoft 365 E5 or Microsoft Business Premium) a variety of security-related reports
are available. If you have the necessary permissions, you can view and download these
reports in the Microsoft Defender portal.
Summary information for each report is available on the page. Identify the report you
want to view, and then select View details for that report.
The rest of this article describes the reports that are exclusive to Defender for Office 365.
1 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
7 Note
Email security reports that don't require Defender for Office 365 are described in
View email security reports in the Microsoft Defender portal.
For reports that have been deprecated or replaced, see the table in Email security
report changes in the Microsoft Defender portal.
Reports that are related to mail flow are now in the Exchange admin center (EAC).
For more information about these reports, see Mail flow reports in the new
Exchange admin center.
Watch this short video to learn how you can use reports to understand the effectiveness
of Defender for Office 365 in your organization.
https://www.microsoft.com/en-us/videoplayer/embed/RWBkxB?postJsllMsg=true
7 Note
This report has been deprecated. The same information is available in the Threat
protection status report.
7 Note
This report has been deprecated. The same information is available in the Threat
protection status report.
2 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
delivery times in the service are affected by many factors, and the absolute delivery time
in seconds is often not a good indicator of success or a problem. A slow delivery time
on one day might be considered an average delivery time on another day, or vice-versa.
This report tries to qualify message delivery based on statistical data about the observed
delivery times of other messages.
On the Mail latency report page, the following tabs are available:
• 50th percentile: The middle for message delivery times. You can consider this
value as an average delivery time. This tab is selected by default.
• 90th percentile: Indicates a high latency for message delivery. Only 10% of
messages took longer than this value to deliver.
• 99th percentile: Indicates the highest latency for message delivery.
Regardless of the tab you select, the chart shows messages organized into the following
categories:
• Overall
• Detonation (these values are explained in the Filter values)
3 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
Hover over a category in the chart to see a breakdown of the latency in each category.
In the details table below the chart, the following information is available:
• Date (UTC)
• Latency
• Message count
• 50th percentile
• 90th percentile
• 99th percentile
Select Filter to modify the report and the details table by selecting one or more of
the following values in the flyout that opens:
4 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
On the Post-delivery activities page, the chart shows the following information for the
specified date range:
• No threat: The number of unique delivered messages that were found to be not
spam by ZAP.
• Spam: The number of unique messages that were removed from mailboxes by ZAP
for spam.
• Phishing: The number of unique messages that were removed from mailboxes by
5 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
The details table below the graph shows the following information:
• Subject
• Received time
• Sender
• Recipient
• ZAP time
• Original threat
• Original location
• Updated threat
• Detection technology
To see all columns, you likely need to do one or more of the following steps:
◦ Horizontally scroll in your web browser.
◦ Narrow the width of appropriate columns.
◦ Zoom out in your web browser.
Select Filter to modify the report and the details table by selecting one or more of
the following values in the flyout that opens:
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
6 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
On the Post delivery activities page, the Create schedule and Export actions are
available.
7 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
The available views in the URL threat protection report are described in the following
subsections.
The View data by URL click protection action view shows the number of URL clicks by
users in the organization and the results of the click:
8 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
A click indicates that the user has clicked through the block page to the malicious
website (admins can disable click through in Safe Links policies).
The details table below the chart provides the following near-real-time view of all clicks
that happened within the organization for the last 30 days:
• Click time
• User
• URL
• Action
• App
• Tags: For more information about user tags, see User tags.
Select Filter to modify the report and the details table by selecting one or more of
the following values in the flyout that opens:
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
9 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
On the URL threat protection page, the Create schedule, Request report, and
Export actions are available.
Tip
URL clicks by guest users are available in the report. Guest user accounts might be
compromised or access malicious content inside the organization.
The View data by URL click by application view shows the number of URL clicks by apps
that support Safe Links:
• Email client
• Teams
• Office document
The details table below the chart provides the following near-real-time view of all clicks
that happened within the organization for the last seven days:
• Click time
• User
• URL
10 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
• Action: The same URL click protection actions as previously described for the View
data by URL click protection action view.
• App
• Tags: For more information about user tags, see User tags.
Select Filter to modify the report and the details table by selecting one or more of
the following values in the flyout that opens:
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
On the URL threat protection page, the Create schedule, Request report, and
Export actions are available.
ノ Expand table
Report Article
Explorer (Microsoft Defender for Office 365 Plan 2) or real- Threat Explorer (and real-time
time detections (Microsoft Defender for Office 365 Plan 1) detections)
Email security reports that don't require Defender for Office View email security reports in the
365 Microsoft Defender portal
11 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
Report Article
Mail flow reports in the Exchange admin center (EAC) Mail flow reports in the new
Exchange admin center
ノ Expand table
Report Article
Get-MailDetailATPReport
Get-SafeLinksDetailReport
Get-CompromisedUserDetailReport
12 of 13 5/30/2024, 12:11 AM
View Defender for Office 365 reports - Microsoft Defender for Office 36... https://learn.microsoft.com/en-us/defender-office-365/reports-defender-...
policies are set up correctly. Safe Links policies and Safe Attachments policies from Built-
in protection, preset security policies, or custom policies need to be in effect and acting
on messages. For more information, see the following articles:
• Preset security policies in EOP and Microsoft Defender for Office 365
• Configuration analyzer for protection policies in EOP and Microsoft Defender for
Office 365
• Set up Safe Links policies in Microsoft Defender for Office 365
• Set up Safe Attachments policies in Microsoft Defender for Office 365
Feedback
Was this page helpful? Yes No
13 of 13 5/30/2024, 12:11 AM