Forum Discussion
mpeters_all41
Jan 13, 2022 - Copper Contributor
Possible actions within the "Explorer" in the Microsoft Defender Portal
Hi everybody, I have a problem understanding the possible actions in the email "explorer" within the Microsoft Defender portal. In the meantime I have spent a lot of time browsing the Microsoft...
ExMSW4319
Jan 14, 2022 - Iron Contributor
Add to Remediation starts a remediation [job]. Unlike the Hard Delete action visible at the top of your screenshot, this action merely creates a job or adds the mails you have selected to an existing job. You then have to go into the action tab of the job and select the action you want to do. Why bother with this method? Because unlike the earlier action, a formal remediation can tackle a lot more than 100 mails (unless that limit has been changed).
Contact Recipients simply creates a mail BCCing all of the recipients of the mails you have selected. It is useful in situations where EO is forwarding on to another mail system, and all you can do is send an urgent mail after the phish or whatever saying "Don't open this!"
If I want to investigate a sender, I just turn on the Sender IP column in Threat Explorer, write myself a scrap of KQL or pull an EML sample apart manually.
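An added example, not part of the reply above or of any Microsoft tooling, of what pulling an EML sample apart for sender investigation can look like: it walks the `Received` chain to find the first connecting IP outside your own relays and reads the SPF/DKIM/DMARC verdicts. The sample message, the `INTERNAL` ranges and the names `hop_ip` and `triage_eml` are assumptions made for illustration; it handles IPv4 only and assumes each hop records the connecting address as the last bracketed IP in its `from` clause.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message; hosts and addresses are documentation values.
SAMPLE_EML = b"""\
Received: from mx.recipient.example (10.0.0.5) by mbx.recipient.example; Thu, 13 Jan 2022 09:00:03 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.45])
 by mx.recipient.example (10.0.0.5); Thu, 13 Jan 2022 09:00:01 +0000
Received: from [192.168.1.20] (unknown [198.51.100.7])
 by mail.sender.example; Thu, 13 Jan 2022 08:59:58 +0000
Authentication-Results: mx.recipient.example; spf=fail; dkim=none; dmarc=fail
From: "Accounts" <billing@bank.example>
Return-Path: <bounce@sender.example>

Body text.
"""

# Assumption: these ranges are "our side"; replace with the tenant's own relays.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def hop_ip(received):
    """Connecting IPv4 a hop recorded: last valid bracketed IP in its 'from' clause."""
    from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
    for text in reversed(IP_RE.findall(from_clause)):
        try:
            return ipaddress.ip_address(text)
        except ValueError:
            continue  # header text is sender-controlled; skip malformed values
    return None

def triage_eml(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Received headers are newest-first; the topmost ones were added by our own servers.
    hops = [hop_ip(str(h)) for h in msg.get_all("Received", [])]
    path = [ip for ip in hops if ip is not None]
    external = [ip for ip in path if not any(ip in net for net in INTERNAL)]
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    def domain(name):
        return parseaddr(str(msg.get(name, "")))[1].rpartition("@")[2].lower()
    return {"sender_ip": str(external[0]) if external else None,
            "relay_path": [str(ip) for ip in path], "auth": auth,
            "from_domain": domain("From"), "envelope_domain": domain("Return-Path")}
```

Only the hops stamped by your own servers are trustworthy; everything below the first external hop was written by the sending side and can be forged.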