SOLVED

Transtport rule raise scl

%3CLINGO-SUB%20id%3D%22lingo-sub-2965908%22%20slang%3D%22en-US%22%3ETranstport%20rule%20raise%20scl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2965908%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20created%20a%20transport%20rule%20that%20raises%20the%20scl%20on%20bulk%20emails%2C%20and%20send%20the%20emails%20to%20the%20quarantine.%20How%20can%20i%20quickly%20identity%26nbsp%3B%20emails%20that%20were%20detected%20by%20the%20rule%20and%20sent%20to%20the%20quarantine%3F%20Does%20EOP%20stamp%20an%20attribute%20on%20the%20message%20header%3F%20can%20i%20find%20these%20emails%20running%20a%20report%20a%20report%20in%20EOP%5CDefender%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2965908%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20365%20Defender%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPhishing%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Frequent Contributor

Hello all

 

I created a transport rule that raises the scl on bulk emails, and send the emails to the quarantine. How can i quickly identity  emails that were detected by the rule and sent to the quarantine? Does EOP stamp an attribute on the message header? can i find these emails running a report a report in EOP\Defender ?

1 Reply
best response confirmed by Skipster311-1 (Frequent Contributor)
Solution
The Get-MailDetailTransportRuleReport gives you a detailed list of all messages processed by transport rules, you can filter it down to specific rules as needed. Message trace details also contain this information. Header will also contain some information, but those are generally harder to get compared to the two aforementioned methods.