View reports for Office 365 Advanced Threat Protection

If your organization has Office 365 Advanced Threat Protection (ATP) and you have the necessary permissions, you can use several ATP reports in the Security & Compliance Center. (Go to Reports > Dashboard.)

The Security & Compliance Center dashboard can help you see where Advanced Threat Protection is working

ATP reports include the Threat Protection Status report, the ATP File Types report, and the ATP Message Disposition report. This article describes the ATP reports and includes links to additional reports to view.

Threat Protection Status report

The Threat Protection Status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Office 365 ATP. The report provides an aggregated count of unique email messages with malicious content (files or website addresses (URLs)) blocked by the anti-malware engine, zero-hour auto purge (ZAP), and ATP features, such as ATP Safe Links, ATP Safe Attachments, and ATP anti-phishing capabilities.

Note

A Threat Protection Status report is available to customers who have either Office 365 ATP or Exchange Online Protection (EOP); however, the information that is displayed in the Threat Protection Status report for ATP customers will likely contain different data than what EOP customers might see. For example, the Threat Protection Status report for ATP customers will contain information about malicious files detected in SharePoint Online, OneDrive, or Microsoft Teams. Such information is specific to ATP, so customers who have EOP but not ATP will not see those details in their Threat Protection Status report.

To view the Threat Protection Status report, in the Security & Compliance Center, go to Reports > Dashboard > Threat Protection Status.

ATP Threat Protection Status report

To get detailed status for a day, hover over the graph.

ATP Threat Protection Status data for a day

By default, the Threat Protection Status report shows data for the past seven days. However, you can choose Filters and change the date range to view data for up to 90 days.

ATP Threat Protection Status filters

You can also use the View data by menu to change what information is displayed in the report.

Viewing options for ATP Threat Protection Status report

ATP File Types report

The ATP File Types report shows you the type of files detected as malicious by ATP Safe Attachments.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP File Types.

ATP File Types report

When you hover over a particular day, you can see the breakdown of types of malicious files that were detected by ATP Safe Attachments and anti-spam & anti-malware protection in Office 365.

ATP File Types report data for a day

ATP Message Disposition report

The ATP Message Disposition report shows you the actions that were taken for email messages that were detected as having malicious content.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP Message Disposition.

ATP Message Disposition Report

When you hover over a bar in the chart, you can see what actions were taken for detected email for that day.

ATP Message Disposition Report data for a day

Additional reports to view

In addition to the ATP reports described in this article, several other reports are available, as described in the following table:

Report type Learn more
Email security reports, such as a Top Senders and Recipients report, a Spoof Mail report, and a Spam Detections report. View email security reports in the Security & Compliance Center
Explorer (also referred to as Threat Explorer, this is included in Office 365 Threat Intelligence) Use Explorer in the Security & Compliance Center
EOP and ATP results (This is a custom report you generate by using PowerShell). This report contains information, such as Domain, Date, Event Type, Direction, Action, and Message Count. Get-MailTrafficATPReport cmdlet reference
EOP and ATP detections (This is a custom report you generate by using PowerShell). This report contains details about malicious files or URLs, phishing attempts, impersonation, and other potential threats in email or files. Get-MailDetailATPReport cmdlet reference

What permissions are needed to view the ATP reports?

In order to view and use the reports described in this article, you must have an appropriate role assigned in the Security & Compliance Center and in the Exchange Admin Center.

Role group Where assigned Learn more
One of the following:

--Organization Management
--Security Administrator
--Security Reader
Security & Compliance Center
Permissions in the Office 365 Security & Compliance Center
One of the following:

--Organization Management
--View-only Organization Management
--View-Only Recipients role
--Compliance Management
Exchange Admin Center
Feature permissions in Exchange Online

What if the reports aren't showing data?

If you are not seeing data in your ATP reports, double-check that your policies are set up correctly. Your organization must have ATP Safe Links policies and ATP Safe Attachments policies defined in order for ATP protection to be in place. Also see Anti-spam and anti-malware protection in Office 365.

Reports and insights in the Office 365 Security & Compliance Center

Create a schedule for a report in the Security & Compliance Center

Set up and download a custom report in the Security & Compliance Center