Forum Discussion
Kithu147
Jan 26, 2024
Copper Contributor
Create playbook to release requested quarantined emails?
I can't find any information on the possibility of releasing quarantined emails from the alert created by Microsoft Defender XDR, such as "User requested to release a quarantined message" and "User requested to release a quarantined message involving one user".
I see there are playbooks created with the Microsoft Defender Connector, with conditions such as non-high confidence only and not reported by more than one user.
Would an Azure Logic App be able to do this? If so, some guidance is appreciated.
- rutgersmeets
Brass Contributor
Hi Kithu147,
Agreed that an API is desired in this area. Recently, some updates for analyzedMessages (Emails in MDO) in Graph API were released. Let's hope that support for this use case is on the roadmap.
As far as I know, markoandrejic is correct and Exchange Online PowerShell is the only way to achieve this programmatically. Here is the documentation for the relevant action: https://learn.microsoft.com/en-us/powershell/module/exchange/release-quarantinemessage?view=exchange-ps.
Actually, this Playbook in Microsoft's Defender for Office Solution is an implementation that uses Azure Functions to use this PowerShell module from a Logic App. Release-QuarantineMessage is not one of the supported actions, but it's definitely doable to add it using a similar action as a starting point, for instance: Remove-InboxRule.
Kind regards,
Rutger
- rutgersmeets
Brass Contributor
Oh, and here is an example of a Logic App calling the Azure Function: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20for%20Office%20365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule. The page includes a screenshot of the workflow. I hope this is helpful! 🙂
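The approach described above (a Logic App calling an Azure Function that runs Exchange Online PowerShell), as an added example that is not code from the thread or from the Azure-Sentinel solution it links to. It is a PowerShell HTTP-trigger function (run.ps1) that applies the gating conditions from the question (no high-confidence verdicts, not requested by more than one user) before calling Release-QuarantineMessage. Assumptions: the function app has a managed identity granted an Exchange Online role that permits quarantine operations, the JSON body shape the Logic App sends is the one sketched in the comments, and the Type string values in $blockedVerdicts should be checked against the Get-QuarantineMessage documentation for your tenant.

```powershell
# Added example, not the thread's or the Azure-Sentinel solution's own code.
# Azure Functions (PowerShell) HTTP trigger: release one quarantined message on request.
using namespace System.Net

param($Request, $TriggerMetadata)

# Assumed request body from the Logic App (constructed schema for this example):
# {
#   "identity":     "<Identity value of the quarantined message>",
#   "requestedBy":  ["alice@contoso.example"],
#   "organization": "contoso.onmicrosoft.com"
# }

function Test-ReleaseAllowed {
    # Returns $null when automatic release is acceptable, otherwise a reason string.
    param([object]$Message, [string[]]$RequestedBy)

    # High-confidence verdicts are routed to an analyst instead of being auto-released.
    # Assumption: these are the Type values reported by Get-QuarantineMessage; verify them.
    $blockedVerdicts = @('HighConfPhish', 'Malware', 'HighConfSpam')
    if ($blockedVerdicts -contains $Message.Type) {
        return "verdict '$($Message.Type)' is not eligible for automatic release"
    }
    if ($Message.Released) {
        return 'message has already been released'
    }
    if (-not $RequestedBy -or $RequestedBy.Count -ne 1) {
        return 'release must be requested by exactly one user for automatic handling'
    }
    if ($Message.RecipientAddress -notcontains $RequestedBy[0]) {
        return 'requesting user is not a recipient of this message'
    }
    return $null
}

$identity     = [string]$Request.Body.identity
$requestedBy  = [string[]]$Request.Body.requestedBy
$organization = [string]$Request.Body.organization

$status = [HttpStatusCode]::OK
$result = @{ identity = $identity; released = $false; reason = $null }

try {
    if (-not $identity -or -not $organization) {
        throw 'identity and organization are required'
    }

    # Non-interactive sign-in with the function app's managed identity (ExchangeOnlineManagement v3+).
    Connect-ExchangeOnline -ManagedIdentity -Organization $organization -ShowBanner:$false

    $message = Get-QuarantineMessage -Identity $identity
    if (-not $message) { throw "no quarantined message found for identity '$identity'" }

    $denyReason = Test-ReleaseAllowed -Message $message -RequestedBy $requestedBy
    if ($denyReason) {
        # Not an error: the Logic App can branch on 'released' and open an analyst task instead.
        $result.reason = $denyReason
        Write-Host "Release denied for $identity : $denyReason"
    }
    else {
        # Release only to the requesting user's mailbox rather than to all recipients.
        Release-QuarantineMessage -Identity $identity -User $requestedBy[0] -Confirm:$false
        $result.released = $true
        Write-Host "Released $identity to $($requestedBy[0]) (subject: '$($message.Subject)')"
    }
}
catch {
    $status = [HttpStatusCode]::BadRequest
    $result.reason = $_.Exception.Message
    Write-Host "Release failed for $identity : $($_.Exception.Message)"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = ($result | ConvertTo-Json -Compress)
})
```

In the Logic App, the Defender XDR alert trigger supplies the requesting user and the message details; the playbook maps those into the body above and branches on the returned `released` flag, so a denied request (high-confidence verdict, multiple requesters, or a requester who is not a recipient) ends up with an analyst rather than silently doing nothing. The function never releases to all recipients, which keeps the blast radius of a mistaken request to the one mailbox that asked.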
- markoandrejic
Copper Contributor
I am also interested in this, but as far as I have researched, the only possible way is via running a PowerShell script. So there should be a way to run a PS script via a Logic App. Haven't had time yet to play with it, but it would be useful to have an API.