Forum Discussion
Poor reporting capability
I'm finding the flexibility of Exchange Online Protection and reporting in general to be terrible.
I'm trying to get a report of cases where people have clicked a link that was later determined to be malicious, including links we have manually determined to be malicious, after which we zapped those emails.
I have kind of done this in threat hunting; however, I need to run a query that starts older than the 30 days in threat hunting. Of course I don't have these going into Sentinel or anything, so the data is gone.
Someone suggested reports, but I can't see how or if there even is a way to report clicks on malicious links (based on them being later determined to be malicious and zapped). Any suggestions?
1 Reply
There's the URL protection report, but it covers 90 days max, so if you are not exporting the data to another repository, it won't help you cover historical events. Audit logs also contain some events you can query for this info, though in general they're harder to work with compared to reports or hunting. And again, limited in coverage, unless you have the Audit Premium add-on.