Forum Discussion

pednie
Copper Contributor
Oct 11, 2023
Solved

See which email triggers "User requested to release a quarantined message"

Hi,


I'm trying to automate the response to incidents regarding "User requested to release a quarantined message".

The problem with these incidents is that they don't list which specific email the user requested a release for, nor do I find it in any logs. I know the email is listed under Email & collaboration --> Review --> Quarantine, but I want to retrieve the information through KQL queries. Does anyone know if this is possible?

  • pednie you can use the audit blade in the Defender portal and create an audit search using the activity below; this will give you the activities performed by your users when they requested the release of an email from quarantine.


  • pednie
    Copper Contributor
    I wanted to add to this as I found the solution for KQL. The table to query to find which email triggers "User requested to release a quarantined message" is CloudAppEvents.
    This query will show the email with the NetworkMessageId that a user has requested a release from quarantine for:
    CloudAppEvents
    | where ActionType =~ "QuarantineRequestReleaseMessage"
    // The requesting user and the message identifier live only in the raw audit payload
    | extend UserPrincipalName = tostring(RawEventData.UserId)
    | extend EmailId = tostring(RawEventData.NetworkMessageId)
    | project Timestamp, UserPrincipalName, EmailId
    • HAOBAN
      Copper Contributor
      pednie I tried your Advanced Hunting query, but it seems that in my "CloudAppEvents" table there's no "QuarantineRequestReleaseMessage" in the "ActionType" column. So, do you know why?
      Thanks!
      • pednie
        Copper Contributor

        HAOBAN Users must have the option to request a quarantine release. With DefaultFullAccessWithNotificationPolicy, for example, users can request release. This option must be selected under the anti-phishing policy in Defender XDR.

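Extending pednie's query, as an added example that is not part of the original thread: this joins the release requests recorded in CloudAppEvents to EmailEvents on NetworkMessageId, so an incident responder sees the subject, sender, recipients and threat verdict of the message the user asked to release, and can spot a request from someone who was not a recipient of the mail. It assumes the standard Defender XDR Advanced Hunting schema for CloudAppEvents and EmailEvents and, as in pednie's query, that RawEventData for this action carries UserId and NetworkMessageId; the 7-day lookback and the "Priority" labels are arbitrary choices made for the example.

```kusto
// Added example, not from the original thread. Assumes the standard Advanced
// Hunting schema for CloudAppEvents and EmailEvents, and (as in pednie's query)
// that RawEventData for this action contains UserId and NetworkMessageId.
let lookback = 7d;   // arbitrary; Advanced Hunting keeps 30 days of data
// One row per release request: who asked, and for which message.
let ReleaseRequests =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType =~ "QuarantineRequestReleaseMessage"
    | extend RequestedBy = tolower(tostring(RawEventData.UserId)),
             NetworkMessageId = tostring(RawEventData.NetworkMessageId)
    | where isnotempty(NetworkMessageId)
    | project RequestTime = Timestamp, RequestedBy, NetworkMessageId, ReportId;
// Join to EmailEvents to recover what the message was and why it was quarantined.
// EmailEvents has one row per recipient, so make_set() folds a multi-recipient
// message back into a single row per request.
ReleaseRequests
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback + 7d)   // the mail may predate the request
    | project NetworkMessageId, Subject, SenderFromAddress, SenderMailFromAddress,
              RecipientEmailAddress = tolower(RecipientEmailAddress),
              ThreatTypes, DeliveryAction, LatestDeliveryLocation
  ) on NetworkMessageId
| summarize Recipients = make_set(RecipientEmailAddress),
            Subject = take_any(Subject),
            Sender = take_any(SenderFromAddress),
            MailFrom = take_any(SenderMailFromAddress),
            ThreatTypes = take_any(ThreatTypes),
            DeliveryAction = take_any(DeliveryAction),
            Location = take_any(LatestDeliveryLocation)
  by RequestTime, RequestedBy, NetworkMessageId
// Triage aid: a request for a Phish/Malware message from someone who was not a
// recipient is more suspicious than a user asking for their own mail back.
| extend RequesterIsRecipient = set_has_element(Recipients, RequestedBy),
         Priority = iff(ThreatTypes has_any ("Phish", "Malware"), "High", "Review")
| order by RequestTime desc
```

If the query returns nothing at all, check first whether the tenant records this action: `CloudAppEvents | where ActionType has "Quarantine" | summarize count() by ActionType` lists the quarantine-related ActionTypes that actually appear, which is the quickest way to confirm the situation HAOBAN describes (no QuarantineRequestReleaseMessage rows because users cannot request release under the assigned quarantine policy).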
  • pednie
    Copper Contributor

    eliekarkafy

    Thank you for your response!

    Unfortunately I don't have Audit available. Any other solutions?

    • What permissions do you have to the portal? Try to access it using a global admin user.
