If you are an Office 365 Enterprise global administrator, security administrator, or security analyst, you can view reports for Office 365 Advanced Threat Protection (ATP) in the Security & Compliance Center. (Go to Reports > Dashboard.)
Important: Advanced Threat Protection is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.
Threat protection status report
The Threat protection status report is a single view that brings together information about malicious content found and blocked by Exchange Online and Advanced Threat Protection.
To view the Threat protection status report, do one of the following:
In the Security & Compliance Center, go to Threat management > Review > Protection status.
In the Security & Compliance Center, go to Reports > Dashboard > Threat protection status.
To get detailed status for a day, hover over the graph. The report provides an aggregated count of unique email messages with malicious content (files or links) blocked by Exchange Online features (which include the Anti-malware engine and zero-hour auto purge (ZAP)), and Advanced Threat Protection features (which include ATP safe links and ATP safe attachments).
Underneath the chart, you'll see a detailed list of the detections, including subject lines and how each item was detected. Select an item to view additional details, including the item's file name, whether the item was inbound or outbound, and how it was detected.
For malware caught ATP safe attachments, on the Details page, choose Advanced Analysis to view more information, including the observed behavior and analysis details for a selected item.
ATP File Types report
The ATP File Types report shows you the type of files detected as malicious by ATP safe attachments.
To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP File Types.
When you hover over a particular day, you can see the breakdown of types of malicious files that were detected by ATP safe attachments. Click (or tap) the ATP File Types report to open it in a new browser window, where you can get a more detailed view of the report.
Below the chart, you'll see details about the malicious email messages that were detected, including the recipient's email address, the sender's email address, and the file name. Select an item in the list to view additional details about that item, including what actions were taken for the malicious URL or file.
ATP Message Disposition report
The ATP Message Disposition report shows you the actions that were taken for email messages that were found to have malicious files.
To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP Message Disposition.
Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.
Below the chart, you'll see a list of detected email messages and what actions were taken, according to the policies that are defined for your organization.
What if the reports aren't showing data?
If you are not seeing data in your reports, double-check that your policies are set up correctly. Your organization must have ATP safe links policies and ATP safe attachments policies defined in order for ATP protection to be in place.
View email security reports in Office 365 Enterprise
Overview of the Office 365 Security & Compliance Center
Threat management in the Office 365 Security & Compliance Center
Office 365 Threat Intelligence overview