View reports for Office 365 Advanced Threat Protection

If you are an Office 365 Enterprise global administrator, security administrator, or security analyst, you can view reports for Office 365 Advanced Threat Protection (ATP) in the Security & Compliance Center. (Go to Reports > Dashboard.)

The Security & Compliance Center dashboard can help you see where Advanced Threat Protection is working

ATP reports include the Threat protection status report, ATP Message Disposition report, and ATP File Types report.

Important: Advanced Threat Protection is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.

Threat protection status report

The Threat protection status report is a single view that brings together information about malicious content found and blocked by Exchange Online and Advanced Threat Protection.

To view the Threat protection status report, do one of the following:

In the Security & Compliance Center, go to Threat management > Review > Protection status.

OR

In the Security & Compliance Center, go to Reports > Dashboard > Threat protection status.

Use this report to see what malware, malicious links, and malicious attachments were detected by ATP

To get detailed status for a day, hover over the graph. The report provides an aggregated count of unique email messages with malicious content (files or links) blocked by Exchange Online features (which include the Anti-malware engine and zero-hour auto purge (ZAP)), and Advanced Threat Protection features (which include ATP safe links and ATP safe attachments).

Underneath the chart, you'll see a detailed list of the detections, including subject lines and how each item was detected. Select an item to view additional details, including the item's file name, whether the item was inbound or outbound, and how it was detected.

Select an item in the Protection Status report to view additional details

For malware caught by ATP safe attachments, on the Details page, choose Advanced Analysis to view more information, including the observed behavior and analysis details for a selected item.

On the Details page, choose Advanced Analysis to view more information about a selected item.

ATP File Types report

The ATP File Types report shows you the type of files detected as malicious by ATP safe attachments.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP File Types.

Use the ATP File Types report to see how many malicious URLs and files were detected

When you hover over a particular day, you can see the breakdown of types of malicious files that were detected by ATP safe attachments. Click (or tap) the ATP File Types report to open it in a new browser window, where you can get a more detailed view of the report.

In the ATP File Types report, hover over a day to see how many malicious URLs and files were detected

Below the chart, you'll see details about the malicious email messages that were detected, including the recipient's email address, the sender's email address, and the file name. Select an item in the list to view additional details about that item, including what actions were taken for the malicious URL or file.

ATP Message Disposition report

The ATP Message Disposition report shows you the actions that were taken for email messages that were found to have malicious files.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP Message Disposition.

Use the ATP Message Disposition Report to see how email messages were handled after malware detection

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

In the Security & Compliance Center Dashboard, choose ATP Message Disposition to view this report in more detail.

Below the chart, you'll see a list of detected email messages and what actions were taken, according to the policies that are defined for your organization.

What if the reports aren't showing data?

If you are not seeing data in your reports, double-check that your policies are set up correctly. Your organization must have ATP safe links policies and ATP safe attachments policies defined in order for ATP protection to be in place.
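One way to script the policy check described above, as an added example that is not part of the original article or Microsoft's own code. It assumes an Exchange Online PowerShell session for the live calls (the Get-SafeAttachmentPolicy, Get-SafeAttachmentRule, Get-SafeLinksPolicy and Get-SafeLinksRule cmdlets); the function name Test-AtpPolicyCoverage and the sample policy and rule names are hypothetical, and the sample objects are constructed so the logic runs without a tenant.

```powershell
# Added example: flags ATP policies that cannot contribute data to the reports.
# Assumption: a custom policy takes effect only through an enabled rule that
# applies it to recipients, and the rule names its policy in a property
# (SafeAttachmentPolicy / SafeLinksPolicy) that holds the policy name.
function Test-AtpPolicyCoverage {
    param(
        [string]$Feature,         # label for the output, e.g. 'Safe Attachments'
        [object[]]$Policies,      # output of Get-SafeAttachmentPolicy or Get-SafeLinksPolicy
        [object[]]$Rules,         # output of Get-SafeAttachmentRule or Get-SafeLinksRule
        [string]$PolicyProperty   # rule property that names the policy it applies
    )
    if (-not $Policies) {
        return [pscustomobject]@{ Feature = $Feature; Policy = '(none)'; Finding = 'No policy defined' }
    }
    foreach ($p in $Policies) {
        $applied = @($Rules | Where-Object { $_.$PolicyProperty -eq $p.Name })
        $enabled = @($applied | Where-Object { $_.State -eq 'Enabled' })
        $finding = if ($applied.Count -eq 0) { 'No rule applies this policy' }
                   elseif ($enabled.Count -eq 0) { 'All rules for this policy are disabled' }
                   else { 'OK' }
        [pscustomobject]@{ Feature = $Feature; Policy = $p.Name; Finding = $finding }
    }
}

# Constructed sample objects (not real tenant data).
$saPolicies = @(
    [pscustomobject]@{ Name = 'Block-Malware' },
    [pscustomobject]@{ Name = 'Pilot' },
    [pscustomobject]@{ Name = 'Unused' }
)
$saRules = @(
    [pscustomobject]@{ Name = 'All users';   State = 'Enabled';  SafeAttachmentPolicy = 'Block-Malware' },
    [pscustomobject]@{ Name = 'Pilot group'; State = 'Disabled'; SafeAttachmentPolicy = 'Pilot' }
)
Test-AtpPolicyCoverage 'Safe Attachments' $saPolicies $saRules 'SafeAttachmentPolicy'
Test-AtpPolicyCoverage 'Safe Links' @() @() 'SafeLinksPolicy'

# Against a live tenant, with the Exchange Online session already connected:
# Test-AtpPolicyCoverage 'Safe Attachments' (Get-SafeAttachmentPolicy) (Get-SafeAttachmentRule) 'SafeAttachmentPolicy'
# Test-AtpPolicyCoverage 'Safe Links' (Get-SafeLinksPolicy) (Get-SafeLinksRule) 'SafeLinksPolicy'
```

Any row whose Finding is not OK points to a policy that is defined but not protecting any mailbox, which is a likely reason for empty reports.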

Related topics

View email security reports in Office 365 Enterprise
Overview of the Office 365 Security & Compliance Center
Threat management in the Office 365 Security & Compliance Center
Office 365 Threat Intelligence overview
