Your Phishing Reports Aren’t Showing the Whole Story
Published 7 months ago
Description
Ever wonder why your phishing reports feel like they’re missing half the story? Most dashboards just show surface-level numbers, but behind those simple stats is a constant stream of real threats slipping through cracks. Today, I’ll show you how to transform Microsoft Defender data into living dashboards that actually tell you what’s happening in your environment — and what you’re not seeing yet.

The Hidden Layer: What Defender Knows That Your Reports Don’t

If you’ve ever looked at your security dashboard and thought, “Looks good to me,” you’re not alone. Execs love a tidy chart—blocked emails, a drop in reported phishing, maybe one or two suspicious sign-ins. It’s comforting, right? But here’s the catch: the data sitting right underneath is almost never as simple as those friendly graphs make it seem. In most orgs, the actual story is far more complicated, largely because those dashboards pull from the same handful of exportable stats. A lot rides on whatever filter you set in your mail flow reports or security tool. Most people stick to what’s easy to get out of Exchange Online or the built-in phishing report from their email provider. If a user flagged something, tick mark. If an email was blocked, bar goes up. End of story—or so it appears.

But Microsoft Defender for Office 365 is sitting on a goldmine of details most teams skip over completely. It’s the classic iceberg: everything you show in a regular incident review covers about twenty percent of what actually gets picked up in the background. What Defender captures is almost embarrassingly detailed. It logs every click your users make on links inside emails—even when Safe Links steps in to stop a detonation. It tracks those silent “near miss” moments when a phish was one click away from success. Automated Investigation & Response runs playbooks in the background, picking up on correlated signals your manual review would probably never spot until the situation escalates for real. Most dashboards? They just don’t bother to look under the surface. We all know those emails that get blocked right away get counted, but a targeted attack that blends into a newsletter and is manually reported by one vigilant user? Often lost in the noise.

Let’s talk reality for a second. I saw this firsthand last summer. Security had a dashboard that looked flawless—trendline of blocked phishing up, reported incidents down, execs all happy. Meanwhile, a low-volume spear-phishing campaign was targeting the finance team. Defender tagged it with a high severity, ran an automated investigation, and quietly bundled up the event in the backend logs. None of it landed in the weekly cybersecurity summary because nobody was pulling data from the Automated Investigation & Response logs. It wasn’t even a blip for execs until someone got suspicious about a calendar invite. That’s the gap—Defender caught the signal, but the dashboard never showed it.

If you crack open Defender’s portal, there are three sources that almost always get left out: Threat Explorer, Automated Investigation & Response, and User Submissions. Threat Explorer is not just a list of threats—it maps relationships between malicious files, sender infrastructure, and user behavior. It tracks attack campaigns, figuring out who else in your org saw the same phish, even if no one reported it. AIR, that’s Automated Investigation & Response, does more than block an obvious threat. It pieces together what your automated policies did: what devices were checked, how compromised accounts were flagged, which mailboxes were scanned for ‘potentially harmful’ content long before a breach is visible to end users. And user submissions—probably the least appreciated signal—layer something valuable on top: human reporting of suspicious items that the filters missed. Defender takes those and sometimes surfaces genuine threats by combining user intel with backend analytics.

Research from Microsoft regularly shows data gaps between what’s available in Defender logs
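As an added illustration (not from the episode), here is the kind of advanced hunting query that pulls the Safe Links "near misses" described above out of the raw data instead of the blocked-mail tally. It assumes the Defender XDR advanced hunting tables UrlClickEvents and EmailEvents with their documented columns; confirm the schema in your own tenant before wiring it into a dashboard.

```kql
// Added example, not the episode's own content. Assumes the advanced hunting
// tables UrlClickEvents and EmailEvents (check the schema reference in your tenant).
// Goal: list URLs that users actually clicked, where Safe Links blocked the click
// or the user clicked through a warning. A "blocked email" counter never shows these.
let lookback = 7d;
UrlClickEvents
| where Timestamp > ago(lookback)
// ClickBlocked / ClickBlockedByTenantPolicy = Safe Links stopped the visit;
// IsClickedThrough = the user saw a warning page and continued anyway.
| where ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy")
     or IsClickedThrough == true
// Attach the message context so the row is actionable for the analyst.
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, Subject, SenderFromAddress,
              RecipientEmailAddress, DeliveryAction
  ) on NetworkMessageId
| summarize Clicks = count(),
            ClickedThrough = countif(IsClickedThrough == true),
            DistinctUsers = dcount(AccountUpn),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by Url, Subject, SenderFromAddress, DeliveryAction
// Clicked-through rows are the real near misses; surface them first.
| order by ClickedThrough desc, Clicks desc
```

Widening the lookback and grouping by SenderFromAddress alone is a quick way to see the low-volume campaigns the episode describes, where one sender touches a handful of users over days rather than hundreds in an hour.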