Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

How to pull a report for detected Phishing, Spam or Malware in Defender for email.

Brass Contributor

I am trying to pull a report in defender that shows how many phishing emails were detected in the last 30 days. I've tried this in the reports>email and collaboration reports as well as using queries in advanced hunting.


I'm getting different numbers every time and starting to think i'm over thinking this. I am trying to see how many of a certain email defender detects and how many our other email security tool detects to see what microsoft is missing.



1 Reply
Yep. Been there, done that. Threat Explorer GUI, PowerShell and KQL all give different answers. The devil is in the detail - the actual criteria for what "counts" in those three enumerations will vary slightly, even if you specify a date range that (a) is in scope for all three methods and (b) does not include the most recent activity where product latency will give variable results.

If you add in a third party tool then it is absolutely guaranteed to give a fourth answer because it will be using different detection criteria. I don't see how you can compare the two anyway, unless you are forking your inflow into two separate systems. In any other test, the order in which the two products act or the differing periods over which you test the two will lead to differences.