View reports for Advanced Threat Protection and Exchange Online Protection

If you are an Office 365 Enterprise global administrator, security administrator, or security analyst, you can view reports for Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection (EOP) in the Security & Compliance Center. (Go to Reports > Dashboard.)

The Security & Compliance Center dashboard can help you see where Advanced Threat Protection is working

ATP reports include the Threat protection status report, ATP Message Disposition report, and ATP File Types report.

EOP reports include the Top Malware report, Spam Detections report, and Spoof Mail report.

Important: Advanced Threat Protection is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.

Threat protection status report

The Threat protection status report is a single view that brings together information about malicious content found and blocked by Exchange Online Protection and Advanced Threat Protection.

To view the Threat protection status report, do one of the following:

In the Security & Compliance Center, go to Threat management > Review > Protection status.

OR

In the Security & Compliance Center, go to Reports > Dashboard > Threat protection status.

Use this report to see what malware, malicious links, and malicious attachments were detected by ATP

To get detailed status for a day, hover over the graph. The report provides an aggregated count of unique email messages with malicious content (files or links) blocked by Exchange Online Protection features (which include the Anti-malware engine and zero-hour auto purge (ZAP)), and Advanced Threat Protection features (which include ATP safe links and ATP safe attachments).

Underneath the chart, you'll see a detailed list of the detections, including subject lines and how each item was detected. Select an item to view additional details, including the item's file name, whether the item was inbound or outbound, and how it was detected.

Select an item in the Protection Status report to view additional details

For malware caught ATP safe attachments, on the Details page, choose Advanced Analysis to view more information, including the observed behavior and analysis details for a selected item.

On the Details page, choose Advanced Analysis to view more information about a selected item.

ATP File Types report

The ATP File Types report shows you the type of files detected as malicious by ATP safe attachments.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP File Types.

Use the ATP File Types report to see how many malicious URLs and files were detected

When you hover over a particular day, you can see the breakdown of types of malicious files that were detected by ATP safe attachments. Click (or tap) the ATP File Types report to open it in a new browser window, where you can get a more detailed view of the report.

In the ATP File Types report, hover over a day to see how many malicious URLs and files detected

Below the chart, you'll see details about the malicious email messages that were detected, including the recipient's email address, the sender's email address, and the file name. Select an item in the list to view additional details about that item, including what actions were taken for the malicious URL or file.

ATP Message Disposition report

The ATP Message Disposition report shows you the actions that were taken for email messages that were found to have malicious files.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP Message Disposition.

Use the ATP Message Disposition Report to see how email messages were handled after malware detection

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

In the Security & Compliance Center Dashboard, choose ATP Message Disposition to view this report in more detail.

Below the chart, you'll see a list of detected email messages and what actions were taken, according to the policies that are defined for your organization.

Top Malware report

The report shows the various kinds of malware that was detected by EOP.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Top Malware.

SCC - EOP Top Malware

When you hover over a wedge in the pie chart, you can see the name of a kind of malware and how many messages were detected as having that malware.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

This report shows the top malware detected for your organization

Below the chart, you'll see a list of detected malware and how many messages were detected as having that malware.

Top Senders and Recipients report

The report is a pie chart showing your top email senders.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Top Senders and Recipients.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Top Senders and Recipients

When you hover over a wedge in the pie chart, you can see a count of messages sent or received.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

Use the Show data for list to choose whether to view data for top senders, receivers, spam recipients, and malware recipients. You can also see who received malware that was detected by Advanced Threat Protection.

Use the Show Data For list to view specific information

Below the chart, you'll see who the top email senders or recipients were, along with a count of messages sent or received for the given time period.

Spoof Mail report

The report shows how many spoof mail messages were detected, and of those, which ones were considered "good" (spoof mail done for legitimate business reasons).

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Spoof Mail.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Spoof Mail

When you hover over a day in the chart, you can see how many spoof mail messages came through.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

Spam Detections report

The report shows all the spam content blocked by EOP.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Spam Detections.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > EOP Spam Detections

When you hover over a day in the chart, you can see how many items were blocked that day, as well as how those items are categorized. For example, you can see how many spam messages were filtered, and how many items came from a blocked Internet Protocol (IP) address.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

The Spam Detections report tells you how many spam messages were blocked or filtered out

Below the chart, you'll see a list of spam items that were detected. Select an item to view additional information, such as whether the spam item was inbound or outbound, its message ID, and its recipient.

Sent and received email report

The report shows information about incoming and outgoing email, including spam detections, malware, and "good" email.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Sent and received email.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Sent and received email

When you hover over a day in the chart, you can see how many messages came in, and how those messages are categorized. For example, you can see how many messages were detected as containing malware, and how many were identified as spam.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

You can use the Break down by list to view information by type or by direction (incoming and outgoing).

Use the Break Down By list to view information by type or direction

Below the chart, you'll see a list of email categories, such as GoodMail, SpamContentFiltered, and so on. Select a category to view additional information, such as actions that were taken for malware, and whether email was incoming or outgoing.

This report tells you about anti-malware, anti-spam, and other message detections

What if the reports aren't showing data?

If you are not seeing data in your reports, double-check that your policies are set up correctly. For example, your organization must have ATP safe links policies and ATP safe attachments policies defined in order for ATP protection to be in place. For more information, see the following resources:

Anti-spam and anti-malware protection

ATP safe attachments in Office 365

ATP safe links in Office 365

Anti-spam and anti-malware protection in Office 365

Related topics

Overview of the Office 365 Security & Compliance Center
Threat management in the Office 365 Security & Compliance Center
Office 365 Threat Intelligence overview

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×