Metrics from Defender for O365

Question

I am struggling to reconcile the different sources of information we have about the activities of Defender on our tenancy. If I compare the following EXO PowerShell and KQL, I get answers that do not match. I am fairly certain the problem is that they are compiling slightly different definitions. Where do I look to discover what those definitions are?

get-ATPTotalTrafficReport -StartDate(get-date).AddDays(-15) -EndDate(get-date).AddDays(-1) | ft

EmailEvents

| where Timestamp > ago(15d)

| where Timestamp < ago(1d)

| project ThreatTypes

| summarize count () by ThreatTypes

The phishing totals I get are vaguely correct; the KQL ThreatType column can contain several threat types, and if I add all of them together I am only 10% over the figure reported by the commandlet. My spam totals are however wildly out, with the commandlet giving a figure thirteen times the corresponding KQL total. The commandlet also mentions the Bulk total, which does not even appear in the KQL threat types and is another order of magnitude greater still.

Wild guesses and speculation:

The commandlet figures arise from the actual EOP and ATP engines whereas EmailEvents only occur if a message gets to the delivery stage (yet KQL shows me messages going to the hosted quarantine?) Alternatively, the commandlet includes edge-detection drops and the KQL query does not.

The commandlet works on our entire tenancy but the Advanced Hunting portal only works on our primary domain, and we have a significant number of other accepted domains (so where is the control to focus on one of the others?)

Both searches are intended for the same period of time but in fact select time periods differently. Alternatively, despite the fact that the last 24 hours (?) are omitted, the data used by one search is prone to latency and will not be available for a further day or so.

There is some very useful information here somewhere, but unless the discrepancies can be explained it is very vulnerable to criticism.

giulian garruba · Answer

ExMSW4319&nbsp;Hi there, I realize this doesn't directly answer your question about the discrepancy in definitions, but have you checked out the mailflow status report? There are a couple of different views that show mail volume as it transits through the various layers of the filtering stack.&nbsp;

exmsw4319 · Answer

I did look at it briefly, Giulian, and a couple of the other reports too. If anything, it only deepened the mystery. There was a third set of figures that clearly did not match the previous two, almost certainly because of unstated differences in the definitions.

I must admit that I had not seen the current funnel view, which is very useful for clarifying and quantifying the delivery pipeline sequence.

faithebenezeroquong · Answer

thanks for your feedback here.... we have worked on fixing our cmdlet Get-ATPTotalTrafficReport (https://docs.microsoft.com/en-us/powershell/module/exchange/get-atptotaltrafficreport?view=exchange-ps) . we expect our updated changes to reflect on the cmdlet by July 2022... for now you can leverage the Get-MailTrafficATPReport (https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailtrafficatpreport?view=exchange-ps) for all your report aggregate needs.

please let me know if you have any other questions

Forum Discussion

Metrics from Defender for O365

3 Replies

Resources