Forum Discussion
pednie
Oct 11, 2023, Copper Contributor
See which email triggers "User requested to release a quarantined message"
Hi, I'm trying to automate the response to incidents regarding "User requested to release a quarantined message". The problem with these incidents is that they don't list which specific email the use...
- Oct 11, 2023
pednie, you can use the audit blade in the Defender portal and create an audit search using the activity below; this will give you the activities performed by your users when they requested the release of an email from quarantine.
pednie
Oct 12, 2023, Copper Contributor
I wanted to add to this as I found the solution for KQL. The table to query to find which email that triggers "User requested to release a quarantined message" is CloudAppEvents.
This query will show the email, by NetworkMessageId, that a user has requested to be released from quarantine:
CloudAppEvents
// ActionType is the audit operation name; =~ makes the match case-insensitive
| where ActionType =~ "QuarantineRequestReleaseMessage"
// RawEventData is a dynamic column holding the unified audit record
| extend UserPrincipalName = tostring(RawEventData.UserId)
| extend EmailId = tostring(RawEventData.NetworkMessageId)
| project Timestamp, UserPrincipalName, EmailId, ReportId
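Building on the query above, the following is an added example (not code from the original post) that joins the release request to the quarantined message itself in EmailEvents, so the automation sees sender, subject, threat verdict and delivery location rather than only the NetworkMessageId. It assumes the standard Defender XDR advanced-hunting column names for EmailEvents, that the NetworkMessageId values on both sides compare equal once lowercased, and that the requesting user is one of the message's recipients; the 7-day lookback is an arbitrary choice.

```kql
// Added example: correlate "QuarantineRequestReleaseMessage" audit events with
// the quarantined email in EmailEvents. Assumes Defender XDR advanced-hunting
// schema; the lookback window and lowercasing of the ID are choices, not requirements.
let lookback = 7d;
let releaseRequests =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType =~ "QuarantineRequestReleaseMessage"
    | extend UserPrincipalName = tostring(RawEventData.UserId)
    // normalise the ID so the join is not sensitive to casing differences (assumption)
    | extend MsgId = tolower(tostring(RawEventData.NetworkMessageId))
    | project RequestTime = Timestamp, UserPrincipalName, MsgId, ReportId;
EmailEvents
| where Timestamp > ago(lookback)
| extend MsgId = tolower(NetworkMessageId)
| project DeliveryTime = Timestamp, MsgId, SenderFromAddress, SenderMailFromAddress,
          RecipientEmailAddress, Subject, ThreatTypes, DeliveryAction,
          LatestDeliveryLocation
// inner join: keep only messages that actually have a release request
| join kind=inner releaseRequests on MsgId
// EmailEvents has one row per recipient; keep the requester's own copy.
// Drop this line if users request releases on behalf of shared mailboxes (assumption).
| where RecipientEmailAddress =~ UserPrincipalName
| project RequestTime, UserPrincipalName, SenderFromAddress, SenderMailFromAddress,
          Subject, ThreatTypes, DeliveryAction, LatestDeliveryLocation,
          NetworkMessageId = MsgId, ReportId
| order by RequestTime desc
```

ThreatTypes and LatestDeliveryLocation are the fields worth feeding into the playbook: a release request for a message verdicted as Phish or Malware warrants a different response than one for bulk or spam, and a LatestDeliveryLocation that is no longer Quarantine means an admin has already acted on it.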