search cancel

ATP UI does not receive all Anti-Malware service events from Email for a given date


Article ID: 163671


Updated On:


Endpoint Detection and Response


The Dashboard of Advanced Threat Protection (ATP) Platform does not show as many Malicious events for Email as the Email Track and Trace tool within Email shows messages for Anti-Malware service for the same date.


Within ATP Platform UI, Synapse is activated.

Within ATP Platform UI, Email correlation is enabled.



To confirm whether ATP UI receives all Anti-Malware service events for a given date

  • Enumerate the Malicious email events from the graph on the Dashboard of ATP UI
  • Enumerate events for Anti-Malware service within Email Track and Trace
  • Compare
  • If these numbers do not appear to match, upload log evidence at the ATP CLI by typing "gather_logs", then contact support for further assistance.


To enumerate events for Anti-Malware service with Email Track and Trace in the Email portal

  1. Click Tools > Email Track and Trace
  2. In Recipient: line, type *@domain.tld
    ...where domain is your actual recipient domain and tld is your actual Top Level Domain.
  3. Click Select Specific Dates and Times
  4. On the from: line, click the Calendar button, then select the date that matched the date you examined on the Dashbaord.
  5. On the from: line, select 12:00 AM
  6. On the to: date, click the Calendar button, then select the same date as entered on the from: line
  7. On the to: line, select 11:59 PM
  8. Click "Select more search options".
  9. From the options that appear, click Service
  10. When the Service dropdown box appears, click "Any", then click "Anti-Malware"
  11. At the bottom, click the Search button.