Microsoft Tech Community

Any way to add comments or notes to an item in Quarantine?

Hi,

We have multiple Quarantine admins in our organization.

The admins work across different time zones and act on the Quarantined emails.

Currently we don't know if an email was already attended to by another admin.

I would like to know if there is a facility to add comments/notes for each item in the Quarantine, so that if one of the admins worked on a particular item he/she can add a simple note to it.

6 Replies
AFAIK no. There is no description/notes field, and the only way to "tag" emails is by recipient.

We audit every action that is taken by an Admin on the quarantine console in their audit logs. Does this help?

Thanks for the tip. How and where should we conduct the audit?

Thank you very much.

This audit tool will help us find the released messages from Quarantine (this satisfies one part of our requirement). The only challenge I see here is matching the "Item ID" from the audit result to the actual email released.

Challenge #2
Our business blocks repeated spammers even from the Quarantine. We do this using mail flow rules (block emails, domains, keywords, etc.) and the connection filter to block IPs.

Is there a way to also audit connection filter and mail flow rules?

If you are engaging hostile mail with mail flow rules, you can have actions to add a subject line tag or a header to intercepted messages before you send them to the hosted quarantine.

I audit most of my mail flow rules with a week-end PowerShell script doing get-maildetailtransportrulereport -transportrule $rule on the more interesting ones. If you have a rule with a very high engagement rate, you may run into throttling problems.

To answer the original posting, would it not be worth saying that if an analyst takes the time to examine a message in the hosted quarantine, that message should then be deleted? If the prior action was to release or download, that might also appear in the audit?
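
One way to act on the audit-log suggestion in the replies, as an added example that is not from any poster in the thread: pull the quarantine audit records for the last few days and list, per message, which admin did what and when, so an admin in another time zone can see whether an item was already handled. It assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline), unified audit logging turned on, and that the quarantine records carry RequestType, NetworkMessageId and ReleaseTo in AuditData; the two function names are hypothetical.

```powershell
# Added example, not code from the thread. Requires an existing
# Connect-ExchangeOnline session and permission to search the audit log.

function ConvertTo-QuarantineAction {
    # Flattens one Search-UnifiedAuditLog result into the fields an admin needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; the three fields read from it below
        # are assumed to be present on quarantine records.
        $data = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            WhenUtc          = $Record.CreationDate
            Admin            = $Record.UserIds
            Operation        = $Record.Operations
            RequestType      = $data.RequestType        # e.g. Release, Delete, Preview
            NetworkMessageId = $data.NetworkMessageId   # ties the action to one message
            ReleaseTo        = $data.ReleaseTo -join ';'
        }
    }
}

function Get-QuarantineActionHistory {
    # Returns every audited quarantine action in the last $Days days.
    param([int] $Days = 7)
    $end     = (Get-Date).ToUniversalTime()
    $start   = $end.AddDays(-$Days)
    $session = [guid]::NewGuid().ToString()
    $all     = @()
    do {
        # ReturnLargeSet pages through results; an empty page ends the loop.
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType Quarantine -SessionId $session `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $all += $page }
    } while ($page)
    # Paged results are unsorted and can repeat, so de-duplicate on Identity.
    $all | Sort-Object Identity -Unique |
        ConvertTo-QuarantineAction |
        Sort-Object NetworkMessageId, WhenUtc
}

# One line per message: who touched it, how, and when it was last acted on.
Get-QuarantineActionHistory -Days 7 | Group-Object NetworkMessageId | ForEach-Object {
    [pscustomobject]@{
        NetworkMessageId = $_.Name
        Actions          = ($_.Group | ForEach-Object { "$($_.RequestType) by $($_.Admin)" }) -join ', '
        LastActionUtc    = ($_.Group | Select-Object -Last 1).WhenUtc
    }
}
```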