Attack Simulation Training campaigns do not generate Threat Intelligence events. Their logs are found only within the Attack Simulation Training section, not in general Threat Intelligence telemetry. This is a common reason why expected events might not appear. For EICAR test files, the correct place to check for detection is crucial. You need to look for specific RecordType values used for Defender for Office 365 threat events. These include values like 28 for phishing/malware and 41 for Safe Links events. Ensure Purview audit logging is enabled in your tenant before attempting any tests. Sending the EICAR string as a .txt attachment from an external mailbox can generate a malware detection. Verify this detection appears in the Email & collaboration → Explorer → Malware tab first. Once confirmed there, the underlying ThreatIntelligence record should exist. Similarly, use a known safe-but-flagged test URL to trigger ThreatIntelligenceUrl events. If detections show in Explorer but not via the Management API, investigate API subscription and permission issues. This is separate from the detection mechanism itself.