How to report on Advanced Threat Incidents and export the results
Prerequisite: Advanced Threat Protection (ATP) is enabled on the tenant, and at least one Local Policy is configured to scan for any of the ATP services.
1- Note down the name of the policy that scans for ATP.
2- Log in to the CloudSOC console.
3- Navigate to the Investigate App screen.
4- Filter by { "ATP Policy Name" AND Severity = "High" OR "Critical" }, where "ATP Policy Name" is the policy name noted in step 1 and the severity is either High or Critical.
5- Optional: if needed, export the displayed results using the export options.
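The filter in step 4, re-applied to an exported file as a post-export check. This is an added example, not part of the original article or the product's own tooling. The CSV column names (`policy_name`, `severity`), the policy name `ATP-Scan-Policy` and the sample rows are assumptions constructed for illustration; adjust them to match the actual export.

```python
import csv
import io
from collections import Counter

# Constructed sample standing in for an exported results file.
# Column names and the policy name are assumptions, not the product's schema.
SAMPLE_EXPORT = """policy_name,severity,service,user
ATP-Scan-Policy,High,Box,alice@example.com
ATP-Scan-Policy,critical,Office 365,bob@example.com
ATP-Scan-Policy,Medium,Box,carol@example.com
DLP-Policy,Critical,Box,dave@example.com
 ATP-Scan-Policy ,High,Google Drive,erin@example.com
"""

WANTED_SEVERITIES = {"high", "critical"}


def load_export(text):
    """Parse exported CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_atp_incidents(rows, policy_name):
    """Keep rows where the policy matches AND severity is High or Critical.

    The severity test is grouped explicitly: policy AND (High OR Critical).
    Reading it as (policy AND High) OR Critical would pull in Critical
    incidents raised by unrelated policies.
    """
    wanted_policy = policy_name.strip().casefold()
    kept = []
    for row in rows:
        # Normalise whitespace and case so hand-edited exports still match.
        policy = (row.get("policy_name") or "").strip().casefold()
        severity = (row.get("severity") or "").strip().casefold()
        if policy == wanted_policy and severity in WANTED_SEVERITIES:
            kept.append(row)
    return kept


def severity_summary(rows):
    """Count the kept incidents per normalised severity label."""
    return Counter(row["severity"].strip().capitalize() for row in rows)


if __name__ == "__main__":
    incidents = filter_atp_incidents(load_export(SAMPLE_EXPORT), "ATP-Scan-Policy")
    for sev, count in sorted(severity_summary(incidents).items()):
        print(f"{sev}: {count}")
```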