View reports for Office 365 Advanced Threat Protection

Office 365 Advanced Threat Protection (ATP) organizations (for example, Microsoft 365 E5 subscriptions or ATP Plan 1 or ATP Plan 2 add-ons) contain a variety of security-related reports. If you have the necessary permissions, you can view these reports in the Security & Compliance Center by going to Reports > Dashboard. To go directly to the Reports dashboard, open https://protection.office.com/insightdashboard.

The Reports dashboard in the Security & Compliance Center

Advanced Threat Protection file types report

The Advanced Threat Protection file types report report shows you the type of files detected as malicious by ATP Safe Attachments.

The aggregate view of the report allows for 90 days of filtering, while the detail view only allows for 10 days of filtering.

To view the report, open the Security & Compliance Center, go to Reports > Dashboard and select Office ATP file types. To go directly to the report, open https://protection.office.com/reportv2?id=ATPFileReport.

Office ATP file types widget in the Reports dashboard

Note

The information in this report is also available in the Advanced Threat Protection message disposition report.

Report view for the Advanced Threat Protection file types report

The following views are available:

  • View data by: File: The chart contains the following information:

    • Malicious Excel attachments
    • Malicious Flash attachments
    • Malicious PDF attachments
    • Malicious PowerPoint attachments
    • Malicious URLs
    • Malicious Word attachments
    • Malicious executable attachments
    • Others

    When you hover over a particular day (data point), you can see the breakdown of types of malicious files that were detected by ATP Safe Attachments and anti-malware protection in EOP.

    File view in the ATP file types report

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The same file type values that are visible in the chart.
  • View data by: Message: The chart contains the following information:

    Message view in the ATP file types report

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The same message disposition values that are available in the chart, and the additional Messages passed value.

Details table view for the Advanced Threat Protection file types report

If you click View details table, the report provides a near-real-time view of all clicks that happen within the organization for the last 10 days. The information that's shown depends on the chart you were looking at:

  • View data by: File:

    • Date
    • Recipient address
    • Sender address
    • Message ID: Available in the Message-ID header field in the message header and should be unique. An example value is <08f1e0f6806a47b4ac103961109ae6ef@server.domain> (note the angle brackets).
    • File

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The same file type values that are visible in the chart.
  • View data by: Message:

    • Date
    • Recipient address
    • Sender address
    • Message ID
    • File
    • Subject

    If you click Filters, you can modify the results with the following filters:

    • Start date and End date
    • The same message disposition values that are available in the chart, and the additional Messages passed value.

To get back to the reports view, click View report.

Advanced Threat Protection message disposition report

The ATP Message Disposition report shows you the actions that were taken for email messages that were detected as having malicious content.

To view the report, open the Security & Compliance Center, go to Reports > Dashboard and select Office ATP message disposition. To go directly to the report, open https://protection.office.com/reportv2?id=ATPMessageReport.

Office 365 ATP message disposition widget in the Reports dashboard

Note

The information in this report is also available in the Advanced Threat Protection file types report.

Report view for the Advanced Threat Protection message disposition report

The following views are available:

  • View data by: Message: The chart contains the following information:

    Message view in the ATP file types report

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The same message disposition values that are available in the chart, and the additional Messages passed value.
  • View data by: File: The chart contains the following information:

    • Malicious Excel attachments
    • Malicious Flash attachments
    • Malicious PDF attachments
    • Malicious PowerPoint attachments
    • Malicious URLs
    • Malicious Word attachments
    • Malicious executable attachments
    • Others

    When you hover over a particular day (data point), you can see the breakdown of types of malicious files that were detected by ATP Safe Attachments and anti-malware protection in EOP.

    File view in the ATP file types report

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The same file type values that are visible in the chart.

Details table view for the Advanced Threat Protection message disposition report

If you click View details table, the report provides a near-real-time view of all clicks that happen within the organization for the last 10 days. The information that's shown depends on the chart you were looking at:

  • View data by: Message:

    • Date
    • Recipient address
    • Sender address
    • Message ID
    • File
    • Subject

    If you click Filters, you can modify the results with the following filters:

    • Start date and End date
    • The same message disposition values that are available in the chart, and the additional Messages passed value.
  • View data by: File:

    • Date
    • Recipient address
    • Sender address
    • Message ID
    • File

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The same file type values that are visible in the chart.

To get back to the reports view, click View report.

Threat protection status report

The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Office 365 ATP. For more information, see Threat protection status report.

URL threat protection report

The URL threat protection report provides summary and trend views for threats detected and actions taken on URL clicks as part of ATP Safe Links. This report will not have click data from users where the Safe Links policy applied has the Do not track user clicks option selected.

To view the report, open the Security & Compliance Center, go to Reports > Dashboard and select URL protection report. To go directly to the report, open https://protection.office.com/reportv2?id=URLProtectionActionReport.

URL protection report widget in the Reports dashboard

Note

This is a protection trend report, meaning data represents trends in a larger dataset. As a result, the data in the aggregate view is not available in real time here, but the data in the details table view is, so you may see a slight discrepancy between the two views.

Report view for the URL threat protection report

The URL threat protection report has two aggregated views that are refreshed once every four hours that shows data for the last 90 days:

  • URL click protection action: Shows the number of URL clicks by users in the organization and the results of the click:

    • Blocked (the user was blocked from navigating to the URL)
    • Blocked and clicked through
    • Clicked through during scan

    A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies).

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The available click protection actions, plus the value Allowed (the user was allowed to navigate to the URL).

    URL click protection action view in the URL threat protection report

  • URL click by application: Shows the number of URL clicks by applications that support Office 365 ATP Safe Links:

    • Email client
    • PowerPoint
    • Word
    • Excel
    • OneNote
    • Visio
    • Teams
    • Other

    If you click Filters, you can modify the report with the following filters:

    • Start date and End date
    • The available applications.

Details table view for the URL threat protection report

If you click View details table, the report provides a near-real-time view of all clicks that happen within the organization for the last 7 days with the following details:

  • Click time
  • User
  • URL
  • Action
  • App

If you click Filters in the details table view, you can filter by the same criteria as in the report view, and also by Domains or Recipients separated by commas.

To get back to the reports view, click View report.

Additional reports to view

In addition to the ATP reports described in this topic, several other reports are available, as described in the following table:

Report Topic
Explorer (ATP Plan 2) or real-time detections (ATP Plan 1) Threat Explorer (and real-time detections)
Email security reports, such as the Top senders and recipients report, the Spoof mail report, and the Spam detections report. View email security reports in the Security & Compliance Center
Mail flow reports, such as the Forwarding report, the Mailflow status report, and the Top senders and recipients report. View mail flow reports in the Security & Compliance Center
URL trace for ATP Safe Links (PowerShell only). The output of this cmdlet shows you the results of ATP Safe Links actions over the past seven days. Get-UrlTrace
Mail traffic results for EOP and ATP (PowerShell only). The output of this cmdlet contains information about Domain, Date, Event Type, Direction, Action, and Message Count. Get-MailTrafficATPReport

Mail detail reports for EOP and ATP detections (PowerShell only). The output of this cmdlet contains details about malicious files or URLs, phishing attempts, impersonation, and other potential threats in email or files. Get-MailDetailATPReport

What permissions are needed to view the ATP reports?

In order to view and use the reports described in this topic, you must have an appropriate role assigned for both the Security & Compliance Center and the Exchange admin center.

  • For the Security & Compliance Center, you must have one of the following roles assigned:

  • For Exchange Online, you must have one of the following roles assigned in either the Exchange admin center (https://outlook.office365.com/ecp) or with PowerShell cmdlets (See Exchange Online PowerShell):

    • Organization Management
    • View-only Organization Management
    • View-Only Recipients role
    • Compliance Management

To learn more, see the following resources:

What if the reports aren't showing data?

If you are not seeing data in your ATP reports, double-check that your policies are set up correctly. Your organization must have ATP Safe Links policies and ATP Safe Attachments policies defined in order for ATP protection to be in place. Also see Anti-spam and anti-malware protection in Office 365.

Smart reports and insights in the Security & Compliance Center

Role permissions (Azure Active Directory