Forum Discussion
dsmhood
Dec 12, 2024
Occasional Reader
Assessing Microsoft Defender for Office365 Effectiveness
I'm looking to gather three data points from Defender for Office365. I'm looking for true positives (emails that have been detected as malicious), false positives (emails detected as malicious but released from quarantine) and false negatives (emails not detected as malicious but later reported by users as phishing). Is there any easy way to find these in logs? Or get counts of these?
2 Replies
Sort By
- Ben_Harris
Microsoft
Hey dsmhood - I've been working on some queries you can run / customise, and started to document them here: MDO-Heros/MDO-Bootcamp2024 at main · EHLOBen/MDO-Heros · GitHub
The full query I'm testing starts at line 68, but if you follow along it may help you put some of it all together the way you want it. There are other queries stored here too, please let me know if you find any of them useful!
- ExMSW4319
Steel Contributor
It's not ideal (takes an age to draw, and you have to mouseover for the numbers) but this little puppy is still available in your admin context:
For post-delivery actions, you could try the following query if the number of events for your tenancy does not overrun the limits of KQL. Also beware that portal reports, KQL and any PowerShell you may be using rarely give exactly the same answer (because they are measuring subtly different things, I suspect). Always sanity-check any figures before presentation:
// concatenate Action strings but for single 30D view
//
EmailPostDeliveryEvents
| where Timestamp > ago(30d)
| project Action, ActionType, ActionTrigger, ActionResult
// one label per combination of action type, action and result
| extend Act = strcat(ActionType, " ", Action, ", ", ActionResult)
| summarize count() by Act
| sort by Act asc, count_ desc
| render piechart
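The query above only counts post-delivery actions on their own. As an added example (not from either reply or from the MDO-Heros repo), the following KQL joins those actions back to the delivery verdict in EmailEvents so the three buckets the question asks for can be counted in one 30-day rollup. Column names follow the documented EmailEvents and EmailPostDeliveryEvents schema; the ActionType string values used in the `case()` are assumed and should be confirmed against `EmailPostDeliveryEvents | distinct ActionType` in your tenant before trusting the numbers.

```kql
// Added example: delivery verdict joined with later actions, per recipient.
// Assumes ActionType values "Quarantine release", "Phish ZAP", "Malware ZAP".
let lookback = 30d;
let delivery =
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, ThreatTypes,
              DeliveryAction, DeliveryLocation;
let postDelivery =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    // collapse every later action on the same message/recipient into one set
    | summarize Actions = make_set(ActionType) by NetworkMessageId, RecipientEmailAddress;
delivery
| join kind=leftouter postDelivery on NetworkMessageId, RecipientEmailAddress
// messages with no post-delivery events come back with a null set; make it empty
| extend Actions = iff(isnull(Actions), dynamic([]), Actions)
| extend Bucket = case(
    // detected at delivery, blocked, and never released: true positive
    isnotempty(ThreatTypes) and DeliveryAction == "Blocked"
        and not(set_has_element(Actions, "Quarantine release")), "TruePositive",
    // detected at delivery but later released from quarantine: false positive candidate
    isnotempty(ThreatTypes) and set_has_element(Actions, "Quarantine release"), "FalsePositive",
    // delivered clean, then zapped as phish/malware: missed at delivery (false negative proxy)
    isempty(ThreatTypes) and DeliveryAction == "Delivered"
        and (set_has_element(Actions, "Phish ZAP") or set_has_element(Actions, "Malware ZAP")), "FalseNegative",
    "Other")
// count recipient-level rows; a multi-recipient message can land in more than one bucket
| summarize Recipients = count() by Bucket
| sort by Recipients desc
```

The FalseNegative bucket only captures misses that ZAP later corrected; messages a user reported as phishing that were never actioned are not visible in these two tables and still need the submissions report or a PowerShell export, with the same sanity-check caveat as above.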