pednie (Copper Contributor), Oct 11, 2023
See which email triggers "User requested to release a quarantined message"
Hi,
I'm trying to automate response to incidents regarding "User requested to release a quarantined message".
The problem with these incidents is that they don't list which specific email the user requested a release for, nor do I find it in any logs. I know the email is listed under Email & collaboration --> Review --> Quarantine, but I want to retrieve the information through KQL queries. Does anyone know if this is possible?
pednie, you can use the audit blade in the Defender portal and create an audit search using the below activity. This will give you the activities performed by your users when they requested a release of an email from the quarantine.
- pednie (Copper Contributor)
I wanted to add to this as I found the solution for KQL. The table to query to find which email triggers "User requested to release a quarantined message" is CloudAppEvents.
This query will show the email, by its NetworkMessageId, that a user has requested a release from quarantine for:
CloudAppEvents
| where ActionType =~ "QuarantineRequestReleaseMessage"
| extend UserPrincipalName = tostring(RawEventData.UserId)
| extend EmailId = tostring(RawEventData.NetworkMessageId)
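Building on the query above, the following added example (not part of the original post) joins each release request to the EmailEvents table so that sender, subject and verdict appear next to the requesting user. It assumes EmailEvents is available in the same advanced hunting tenant; the 7-day and 30-day lookback values are constructed and should be adjusted.

```kql
// Added example, not from the original thread.
// Assumption: EmailEvents is populated in the same advanced hunting tenant.
let requestLookback = 7d;   // constructed value: how far back to look for release requests
let emailLookback = 30d;    // constructed value: the email must still be within table retention
CloudAppEvents
| where Timestamp > ago(requestLookback)
| where ActionType =~ "QuarantineRequestReleaseMessage"
| extend UserPrincipalName = tostring(RawEventData.UserId)
| extend EmailId = tostring(RawEventData.NetworkMessageId)
| where isnotempty(EmailId)
| project RequestTime = Timestamp, UserPrincipalName, EmailId
// leftouter keeps the request row even when no matching email is found,
// so a request never silently disappears from the result.
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(emailLookback)
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject, ThreatTypes,
              DeliveryAction, DeliveryLocation
  ) on $left.EmailId == $right.NetworkMessageId
// A message sent to several recipients yields one row per recipient;
// compare RecipientEmailAddress with UserPrincipalName to pick the requester's copy.
| project RequestTime, UserPrincipalName, EmailId, EmailTime, SenderFromAddress,
          RecipientEmailAddress, Subject, ThreatTypes, DeliveryAction, DeliveryLocation
| order by RequestTime desc
```

Rows where the email columns are empty indicate a request whose message falls outside the EmailEvents lookback window and should be checked in the Quarantine view instead.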
- pednie (Copper Contributor)
Thank you for your response!
Unfortunately I don't have Audit available. Any other solutions?
- What permissions do you have to the portal? Try to access it using a global admin user.