Forum Discussion

dsmhood
Occasional Reader
Dec 12, 2024

Assessing Microsoft Defender for Office365 Effectiveness

I'm looking to gather three data points from Defender for Office365. I'm looking for true positives (emails that have been detected as malicious), false positives (emails detected as malicious but released from quarantine) and false negatives (emails not detected as malicious but later reported by users as phishing). Is there any easy way to find these in logs? Or get counts of these? 

  • ExMSW4319
    Iron Contributor

    It's not ideal (takes an age to draw, and you have to mouseover for the numbers) but this little puppy is still available in your admin context:


    For post-delivery actions, you could try the following query if the number of events for your tenancy does not overrun the limits of KQL. Also beware that portal reports, KQL and any PowerShell you may be using rarely give exactly the same answer (because they are measuring subtly different things, I suspect). Always sanity-check any figures before presentation:


    // concatenate Action strings but for single 30D view
    //
    EmailPostDeliveryEvents
    | where Timestamp > ago(30d)
    | project Action, ActionType, ActionTrigger, ActionResult
    | extend Act = strcat(ActionType, " ", Action, ", ", ActionResult)
    | summarize count() by Act
    | sort by Act asc, count_ desc
    | render piechart
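    The reply above counts post-delivery actions but does not split them into the three buckets the question asks for. The following is an added example, not code from either participant, that approximates those buckets with a second advanced hunting query. It assumes the EmailEvents and EmailPostDeliveryEvents tables and the column values shown (DeliveryAction of Blocked/Junked/Replaced for delivery-time detections, an administrator "Moved to inbox" action as the release signal, and Phish/Malware ZAP as a late-detection signal); user-reported phishing submissions are not assumed to be in these tables, so ZAP after delivery is used only as a proxy for missed detections. Verify the values against your own tenant before trusting the counts, for the same reason the reply gives.

```kql
// Added example: rough true positive / false positive / late-detection counts
// over the last 30 days. Table and column values are assumptions; check them
// against your tenant's advanced hunting schema.
let lookback = 30d;
// Delivery-time detections: Defender flagged a threat and did not deliver to the inbox.
let detected = EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(ThreatTypes)
| where DeliveryAction in ("Blocked", "Junked", "Replaced")
| distinct NetworkMessageId;
// Release signal (false positive proxy): an administrator moved the message back to the inbox.
let released = EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionTrigger == "Administrator action"
| where Action == "Moved to inbox"
| distinct NetworkMessageId;
// Late detections (false negative proxy): clean at delivery, purged afterwards when the verdict changed.
let zapped = EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType in ("Phish ZAP", "Malware ZAP")
| where ActionResult == "Success"
| distinct NetworkMessageId;
union
  (detected
   | join kind=leftanti released on NetworkMessageId
   | summarize Count = count()
   | extend Bucket = "True positive (detected, never released)"),
  (detected
   | join kind=inner released on NetworkMessageId
   | summarize Count = count()
   | extend Bucket = "False positive (detected, released by admin)"),
  (zapped
   | summarize Count = count()
   | extend Bucket = "Late detection (ZAP after delivery)")
| project Bucket, Count
| sort by Bucket asc
```

    The joins are on NetworkMessageId so a message with several recipients is counted once per bucket rather than once per mailbox. Releases that happen through the Submissions page or the quarantine portal may surface with a different ActionTrigger than the one assumed here, so compare the "False positive" row with the quarantine release report before quoting it.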

