In organizations with Microsoft Defender for Office 365 Plan 1 or Plan 2 (for example, Microsoft 365 E5 or Microsoft Business Premium) a variety of security-related reports are available. If you have the necessary permissions, you can view and download these reports in the Microsoft Defender portal.
The Mail latency report shows you an aggregate view of the mail delivery and detonation latency experienced within your Defender for Office 365 organization. Mail delivery times in the service are affected by many factors, and the absolute delivery time in seconds is often not a good indicator of success or a problem. A slow delivery time on one day might be considered an average delivery time on another day, or vice-versa. This report tries to qualify message delivery based on statistical data about the observed delivery times of other messages.
Client-side latency and network latency aren't included in the results.
On the Mail latency report page, the following tabs are available:
50th percentile: The middle for message delivery times. You can consider this value as an average delivery time. This tab is selected by default.
90th percentile: Indicates a high latency for message delivery. Only 10% of messages took longer than this value to deliver.
99th percentile: Indicates the highest latency for message delivery.
Regardless of the tab you select, the chart shows messages organized into the following categories:
Overall
Detonation (these values are explained in the Filter values)
Hover over a category in the chart to see a breakdown of the latency in each category.
In the details table below the chart, the following information is available:
Date (UTC)
Latency
Message count
50th percentile
90th percentile
99th percentile
Select Filter to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
Date (UTC): Start date and End date
Message view: Select one of tne of the following values:
All email
Detonated email: After you select this value, select one of the following values that appears:
Inline detonation: Links and attachments in messages are fully tested by Safe Links and Safe Attachments before delivery.
Asynchronous detonation: Dynamic delivery of attachments by Safe Attachments and links in email tested by Safe Links after delivery.
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
On the Mail latency report page, the Export action is available.
Post-delivery activities report
The Post-delivery activities report shows information about email messages that removed from user mailboxes after delivery by zero-hour auto purge (ZAP). For more information about ZAP, see Zero-hour auto purge (ZAP) in Exchange Online.
The report shows real-time information with updated threat information.
On the Post-delivery activities page, the chart shows the following information for the specified date range:
No threat: The number of unique delivered messages that were found to be not spam by ZAP.
Spam: The number of unique messages that were removed from mailboxes by ZAP for spam.
Phishing: The number of unique messages that were removed from mailboxes by ZAP for phishing.
Malware: The number of unique messages that were removed from mailboxes by ZAP for phishing.
The details table below the graph shows the following information:
Subject
Received time
Sender
Recipient
ZAP time
Original threat
Original location
Updated threat
Updated delivery location
Detection technology
To see all columns, you likely need to do one or more of the following steps:
Horizontally scroll in your web browser.
Narrow the width of appropriate columns.
Zoom out in your web browser.
Select Filter to modify the report and the details table by selecting one or more of the following values in the flyout that opens:
Date (UTC): Start date and End date.
Updated threat: Select one ore mor of the following values:
No threat
Spam
Phishing
Malware
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
On the Post delivery activities page, the Create schedule and Export actions are available.
Threat protection status report
The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. For more information, see Threat protection status report.
Top senders and recipients report
The Top senders and recipients report show the top recipients for EOP and Defender for Office 365 protection features. For more information, see Top senders and recipients report.
URL protection report
The URL protection report provides summary and trend views for threats detected and actions taken on URL clicks as part of Safe Links. This report doesn't have click data from users if Track user clicks in the effective Safe Links policy isn't selected.
Domains (separated by commas): The URL domains listed in the report results.
Recipients (separated by commas)
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
View data by URL click by application in the URL protection report
Tip
URL clicks by guest users are available in the report. Guest user accounts might be compromised or access malicious content inside the organization.
The View data by URL click by application view shows the number of URL clicks by apps that support Safe Links:
Email client
Teams
Office document
The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last seven days:
Domains (separated by commas): The URL domains listed in the report results.
Recipients (separated by commas)
Tag: Leave the value All or remove it, double-click in the empty box, and then select Priority account. For more information about user tags, see User tags.
When you're finished configuring the filters, select Apply, Cancel, or Clear filters.
If you don't see data in the reports, check the report filters and double-check that your policies are set up correctly. Safe Links policies and Safe Attachments policies from Built-in protection, preset security policies, or custom policies need to be in effect and acting on messages. For more information, see the following articles:
This learning path examines how to manage the Microsoft 365 security services, with a special focus on security reporting and managing the Safe Attachments and Safe Links features in Microsoft Defender for Office 365. MS-102
Filter values)
Clear filters.
