Exchange Online Mail Protection Power BI Report

Using advanced reporting tools can give you an added edge over attackers and help you develop a data-informed mitigation strategy. We recently launched some great new Office 365 reports that provide a consolidated view of Exchange’s protection across both known threats (Exchange Online Protection) and unknown threats (Advanced Threat Protection). These new reports are available in the Office 365 Security and Compliance Report Dashboard.

For more advanced reporting scenarios you can also create your own mail protection mashups using the Office 365 reporting APIs and Power BI. Here is a sample report that can assist in tracking email trends and in gathering data for incident response investigations: https://aka.ms/mailprotectionbi.


The sample report includes views of: Traffic Summary, Traffic Type, Spam Detail, Malware by Address, Malware by Type, ATP SafeLinks, ATP SafeAttachments, and ATP SafeAttachment Actions.

A report view that has been particularly helpful in phishing incident response scenarios is the one showing the last 10,000 SafeLinks clicks, searchable by recipient or URL (ATP is required). For example, if multiple compromised users have clicked on the same URL, it could be a good candidate for being added to an organization SafeLinks URL block policy to prevent additional users from being compromised by that URL or domain. The report also includes a link to the Exchange Online Message Trace for gathering more details about the original message that contained the URL.
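The triage just described (find URLs that several distinct recipients clicked through, so they can be reviewed for a SafeLinks block policy entry) can also be run outside Power BI over an export of the click data. The script below is an added example written for this post; it is not code from the Power BI template or from Microsoft. The field names (`recipient`, `url`, `time`, `blocked`) and the click records are constructed assumptions about what a SafeLinks click export looks like, not real telemetry. It also normalizes URLs so that per-recipient tracking ids in the query string do not hide the fact that everyone landed on the same phishing page.

```python
"""Triage SafeLinks click records for phishing incident response.

Added example, not part of the original post or the Power BI template.
Field names and sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample click records (hypothetical field names).
SAMPLE_CLICKS = [
    {"recipient": "alice@contoso.example", "url": "https://login-verify.example.net/office/auth?id=1",
     "time": "2017-06-01T09:12:00", "blocked": False},
    {"recipient": "bob@contoso.example", "url": "https://login-verify.example.net/office/auth?id=2",
     "time": "2017-06-01T09:15:00", "blocked": False},
    {"recipient": "carol@contoso.example", "url": "https://login-verify.example.net/office/auth?id=3",
     "time": "2017-06-01T10:02:00", "blocked": False},
    {"recipient": "alice@contoso.example", "url": "https://docs.example.org/report.pdf",
     "time": "2017-06-01T11:00:00", "blocked": False},
    {"recipient": "dave@contoso.example", "url": "https://known-bad.example.com/x",
     "time": "2017-06-01T11:30:00", "blocked": True},
    {"recipient": "dave@contoso.example", "url": "https://known-bad.example.com/x",
     "time": "2017-06-01T11:31:00", "blocked": True},
]


def normalize_url(url):
    """Reduce a URL to scheme://host/path (host lower-cased, query dropped)
    so per-recipient tracking parameters do not split one page into many."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"


def domain_of(url):
    """Host part of a URL, the unit a domain-level block entry would use."""
    return urlsplit(url).netloc.lower()


def search_clicks(clicks, recipient=None, url_substring=None):
    """Mirror the report's search: filter clicks by recipient and/or URL text."""
    out = []
    for c in clicks:
        if recipient and c["recipient"].lower() != recipient.lower():
            continue
        if url_substring and url_substring.lower() not in c["url"].lower():
            continue
        out.append(c)
    return sorted(out, key=lambda c: c["time"])


def block_candidates(clicks, min_recipients=2):
    """Return normalized URLs clicked through (not blocked) by at least
    min_recipients distinct recipients, most widely clicked first.

    Clicks that SafeLinks already blocked are skipped: they need no new
    policy entry, and counting them would inflate the candidate list."""
    recipients = defaultdict(set)
    first_seen = {}
    for c in clicks:
        if c["blocked"]:
            continue
        key = normalize_url(c["url"])
        recipients[key].add(c["recipient"])
        seen = datetime.fromisoformat(c["time"])
        if key not in first_seen or seen < first_seen[key]:
            first_seen[key] = seen
    candidates = [
        {
            "url": url,
            "domain": domain_of(url),
            "recipients": sorted(names),
            "first_seen": first_seen[url].isoformat(),
        }
        for url, names in recipients.items()
        if len(names) >= min_recipients
    ]
    candidates.sort(key=lambda c: (-len(c["recipients"]), c["url"]))
    return candidates


if __name__ == "__main__":
    for cand in block_candidates(SAMPLE_CLICKS):
        print(f'{len(cand["recipients"])} recipients  {cand["url"]}  first seen {cand["first_seen"]}')
```

In the sample data only the `login-verify.example.net` page qualifies: three different recipients clicked it, while the PDF was clicked by one user and the already-blocked URL is ignored. The `first_seen` timestamp is what you would take to the Message Trace link in the report to find the original message.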


Here are the steps to get the sample report up and running:

1. Download the sample report: https://aka.ms/mailprotectionbi

2. Install Power BI Desktop: https://go.microsoft.com/fwlink/?LinkId=521662&clcid=0x409

3. Open the MailProtectionReportPowerBITemplate.pbix file in Power BI and select “Refresh”.

4. Enter Office 365 credentials (Basic) to connect to the Reports API (needed on the first refresh only).


5. (Optional) To go back further on the malware and spam detail reports, edit the DaysOfDetail parameter. **Warning** - increasing this value could cause the report to take a long time to refresh, depending on the amount of mail in the tenant. For large tenants it is recommended to run the report with a scheduled refresh in a Power BI online workspace, which allows larger DaysOfDetail values than are reasonable to run in the client: the refresh runs in the background, so the most recent data is always ready to view.
