Microsoft Tech Community
SOLVED

See which email triggers "User requested to release a quarantined message"


Hi,


I'm trying to automate response to incidents regarding "User requested to release a quarantined message".

The problem with these incidents is that they don't list which specific email the user requested a release for, nor do I find it in any logs. I know the email is listed under Email & collaboration --> Review --> Quarantine, but I want to retrieve the information through KQL queries. Does anyone know if this is possible?

9 Replies
best response confirmed by pednie (Copper Contributor)
Solution

@pednie you can use the Audit blade in the Defender portal and create an audit search using the activity below; this will give you the activities performed by your users when they requested a release of an email from quarantine.


@eliekarkafy

Thank you for your response!


Unfortunately I don't have Audit available. Any other solutions? 


What permissions do you have to the portal? Try to access it using a global admin user.

It worked with global admin, thank you.

@pednie 

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

I wanted to add to this as I found the solution for KQL. The table to query to find which email triggers "User requested to release a quarantined message" is CloudAppEvents.
This query will show the email with the given NetworkMessageId that a user has requested a release from quarantine for:

CloudAppEvents
| where ActionType =~ "QuarantineRequestReleaseMessage"
| extend UserPrincipalName = tostring(RawEventData.UserId)
| extend EmailId = tostring(RawEventData.NetworkMessageId)
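
As an added example (not from any poster in this thread), the query below extends pednie's approach by joining each release request in CloudAppEvents to the message itself in EmailEvents on NetworkMessageId, so the subject, sender, recipient and original verdict are returned alongside the requesting user. It assumes the Defender XDR Advanced Hunting schema (CloudAppEvents, EmailEvents) and the RawEventData field names pednie posted; the 30-day lookback is an assumption you can adjust.

```kusto
// Added example: which email did the user ask to release from quarantine?
// Assumes Defender XDR Advanced Hunting schema; lookback window is an assumption.
let lookback = 30d;
let releaseRequests =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType =~ "QuarantineRequestReleaseMessage"
    // Field names inside RawEventData as reported by pednie above
    | extend RequestingUser = tostring(RawEventData.UserId),
             NetworkMessageId = tostring(RawEventData.NetworkMessageId)
    | where isnotempty(NetworkMessageId)
    | project RequestTime = Timestamp, RequestingUser, NetworkMessageId, ReportId;
releaseRequests
// leftouter keeps the request row even if the message is outside EmailEvents retention
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, EmailReceived = Timestamp, Subject,
              SenderFromAddress, RecipientEmailAddress, ThreatTypes, DeliveryAction
) on NetworkMessageId
| project RequestTime, RequestingUser, EmailReceived, Subject, SenderFromAddress,
          RecipientEmailAddress, ThreatTypes, DeliveryAction, NetworkMessageId, ReportId
| order by RequestTime desc
```

An empty result from the first part of the query is expected when users are not permitted to request release, as pednie notes further down in the thread; check the quarantine policy before assuming the join is at fault.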

@pednie thanks for sharing, so those who prefer the KQL method can use this.

@pednie I tried your Advanced Hunting query, but it seems that in my "CloudAppEvents" table there's no "QuarantineRequestReleaseMessage" in the "ActionType" column. Do you know why?
Thanks!

@HAOBAN Users must have the option to request a quarantine release. With DefaultFullAccessWithNotificationPolicy, for example, users can request release. This option must be selected under the anti-phishing policy in Defender XDR.
