Forum Discussion
dmarquesgn
Mar 28, 2024Iron Contributor
User reported messages data table
Hi,
I'm using the "Submissions" page on Defender to reply (with custom messages) to our users who report some email as phishing. On the portal, I can see if the report has been already replied or not on the field "Marked as", which has the value "Doesn't apply" whenever no one replied yet.
I want to extract some metrics daily to check if all reported messages have had a reply for example. But I don't know where can I get this data from.
Do you know in which table I can find this data to create some hunting queries?
Thanks
- Dhairyya_Agarwal
Microsoft
dmarquesgn
The table inside Advanced hunting with submission events is CloudAppEvents.
The events are denoted as ActionType and the specific action are "SubmissionAdminReview" and "UserSubmission""UserSubmission" action is triggered whenever user report is done.
"SubmissionAdminReview" action is triggered whenever admin reviews the user report.
a sample query is
CloudAppEvents| where ActionType == "SubmissionAdminReview"| take 100- dmarquesgnIron Contributor
Thanks for the tip. I'm already looking into it.
By the way, do you have an idea of what's the field that match both submission and admin review?
The goal is to understand which messages were not yet reviewed.
Thanks
- Dhairyya_Agarwal
Microsoft
dmarquesgn Check out submission id or message reported id