Forum Discussion
dmarquesgn
Mar 28, 2024, Iron Contributor
User reported messages data table
Hi, I'm using the "Submissions" page on Defender to reply (with custom messages) to our users who report some email as phishing. On the portal, I can see if the report has been already replied or...
Dhairyya_Agarwal
Microsoft
Mar 29, 2024, replying to dmarquesgn
The table inside Advanced hunting with submission events is CloudAppEvents.
The events are denoted by ActionType, and the specific actions are "SubmissionAdminReview" and "UserSubmission".
The "UserSubmission" action is triggered whenever a user report is done.
The "SubmissionAdminReview" action is triggered whenever an admin reviews the user report.
A sample query is:
CloudAppEvents
| where ActionType == "SubmissionAdminReview"
| take 100
dmarquesgn
Mar 30, 2024, Iron Contributor
Thanks for the tip. I'm already looking into it.
By the way, do you have an idea of what's the field that matches both submission and admin review?
The goal is to understand which messages were not yet reviewed.
Thanks
- Dhairyya_Agarwal, Apr 01, 2024
Microsoft
dmarquesgn, check out submission id or message reported id.
- dmarquesgn, Apr 01, 2024, Iron Contributor
Thanks. I've confirmed that "SubmissionID" is the one.
I'm trying to achieve the following: I want to extract periodically, daily for example, a list of user-submitted messages which have not yet had a reply, or an admin submission. I'm trying to think how I can build that in a KQL query. The logic needed is to search for all user-reported "SubmissionID" values and check for each if there is an admin-submitted "SubmissionID", and just write down those that don't have one.
I'm kind of new to KQL. Is this something achievable in KQL?
Thanks
- Dhairyya_Agarwal, Apr 01, 2024
Microsoft
You have to use the concept of an outer join, where the outer data is all user reports and the inner data is the user reports which have been marked and notified.
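The query below is an added example of the approach described in this thread; it is not code from either participant. It uses the CloudAppEvents table, the two ActionType values and the SubmissionID column named above, and a `leftanti` join, which keeps only the user reports that have no matching admin review (the "outer minus inner" idea from the reply). The 7-day lookback, and the use of Timestamp, AccountDisplayName and ReportId as output columns, are assumptions; if SubmissionID is not a top-level column in your tenant, extract it from RawEventData first.

```kusto
// Added example, not from the thread: list user-reported messages that have
// not yet received an admin review (no SubmissionAdminReview with the same SubmissionID).
let lookback = 7d;   // assumption: daily run, 7-day window to catch late reviews
// Outer side: every user report in the window.
let UserReports =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UserSubmission"
    | project ReportedTime = Timestamp, SubmissionID, AccountDisplayName, ReportId;
// Inner side: every admin review in the window.
let AdminReviews =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "SubmissionAdminReview"
    | project ReviewedTime = Timestamp, SubmissionID;
// leftanti keeps rows from UserReports whose SubmissionID never appears in AdminReviews,
// i.e. the reports still waiting for a reply.
UserReports
| join kind=leftanti AdminReviews on SubmissionID
// A report can produce more than one UserSubmission event; keep the latest per ID.
| summarize arg_max(ReportedTime, *) by SubmissionID
| project ReportedTime, SubmissionID, AccountDisplayName, ReportId
| order by ReportedTime asc
```

To run this daily, save it as a custom detection or a scheduled Advanced Hunting query and keep the lookback at least as long as your expected review turnaround, otherwise reviews that land after the window closes will not be matched.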