Reports in Microsoft Defender for Business
Several reports are available in the Microsoft Defender portal (https://security.microsoft.com). These reports enable your security team to view information about detected threats, device status, and more.
This article describes these reports, how you can use them, and how to find them.
The monthly security summary report (currently in preview) shows:
- Threats that were detected and prevented by Defender for Business, so you can see how the service is working for you.
- Your current status from Microsoft Secure Score, which gives you an indication of your organization's security posture.
- Recommended actions you can take to improve your score and your security posture.
To access this report, in the navigation pane, choose Reports > Endpoints > Monthly Security Summary.
The license report provides information about licenses your organization has purchased and is using.
To access this report, in the navigation pane, choose Settings > Endpoints > Licenses.
The security report provides information about your company's identities, devices, and apps.
To access this report, in the navigation pane, choose Reports > General > Security report.
Tip
You can view similar information on the home page of your Microsoft Defender portal (https://security.microsoft.com).
The threat protection report provides information about alerts and alert trends.
- Use the Alert trends column to view information about alerts that were triggered over the last 30 days.
- Use the Alert status column to view current snapshot information about alerts, such as categories of unresolved alerts and their classification.
To access this report, in the navigation pane, choose Reports > Endpoints > Threat protection.
You can use the Incidents list to view information about alerts. To learn more, see View and manage incidents in Defender for Business.
To access this report, in the navigation pane, choose Incidents to view and manage current incidents.
The device health report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus.
To access this report, in the navigation pane, choose Reports > Endpoints > Device health.
You can use the Devices list to view information about your company's devices. To learn more, see Manage devices in Defender for Business.
To access this report, in the navigation pane, go to Assets > Devices.
The vulnerable devices report provides information about devices and trends.
- Use the Trends column to view information about devices that had alerts over the last 30 days.
- Use the Status column to view current snapshot information about devices that have alerts.
To access this report, in the navigation pane, choose Reports > Endpoints > Vulnerable devices.
The web protection report shows attempts to access phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that are explicitly blocked. Categories of blocked sites include adult content, leisure sites, legal liability sites, and more.
To access this report, in the navigation pane, choose Reports > Endpoints > Web protection.
Note
If you haven't yet configured web protection for your company, choose the Settings button in a report view. Then, under Rules, choose Web content filtering. To learn more about web content filtering, see Web content filtering.
When firewall protection is configured, the firewall report shows blocked inbound, outbound, and app connections. This report also shows remote IPs connected by multiple devices, and remote IPs with the most connection attempts.
To access this report, in the navigation pane, choose Reports > Endpoints > Firewall.
Note
If your firewall report has no data, it might be because you haven't configured your firewall protection yet. In the navigation pane, choose Endpoints > Configuration management > Device configuration. To learn more, see Firewall in Defender for Business.
The device control report shows information about media usage, such as the use of removable storage devices in your organization.
To access this report, in the navigation pane, choose Reports > Endpoints > Device control.
The attack surface reduction rules report has three tabs:
- Detections to show blocked or audited detections;
- Configuration enabling you to filter on standard protection rules or additional attack surface reduction rules; and
- Add exclusions enabling you to define exclusions, if needed.
To learn more, see Attack surface reduction capabilities in Microsoft Defender for Business.
To access this report, in the navigation pane, choose Reports > Endpoints > Attack surface reduction rules.