Assessing Microsoft Defender for Office365 Effectiveness

It's not ideal (takes an age to draw, and you have to mouseover for the numbers) but this little puppy is still available in your admin context:

• https://security.microsoft.com/mailflowStatusReport?viewid=sankey

For post-delivery actions, you could try the following query if the number of events for your tenancy does not overrun the limits of KQL. Also beware that portal reports, KQL and any PowerShell you may be using rarely give exactly the same answer (because they are measuring subtly different things, I suspect). Always sanity-check any figures before presentation:

// concatenate Action strings but for single 30D view

//

EmailPostDeliveryEvents

| where Timestamp > ago(30d)

| project Action, ActionType, ActionTrigger, ActionResult

| extend Act = strcat(ActionType, " ", Action, ", ", ActionResult)

| summarize count () by Act

| sort by Act asc, count_ desc

| render piechart