Nov 03 2021 11:41 AM
Hello to all M365 Defender gurus out there.
Disclaimer: I am new to M365 Defender and my question may be obvious for the seasoned professional.
Situation: I am using M365 Defender's Advanced hunting feature and have created a query that focuses on the identification of specific phishing emails. The emails are in an M365 Exchange environment. The query works and returns results as expected.
Challenge:
Goal:
I would like to utilize the custom query (see below) to identify emails of interest. Once confirmed the results are indeed malicious/unwanted emails, I would like to trigger a "remediation" action against all email records returned directly within the "Advanced Hunting" screen using the "take actions" feature. The desired "remediation" would be to delete the emails from the user's mailboxes.
Question:
Modified version of the custom query:
EmailEvents
| project Timestamp, Subject, SenderFromDomain, EmailAction, AttachmentCount, EmailDirection, DeliveryLocation
| where (Subject contains "(ABC001)")
// sort before limiting, otherwise the 100 rows kept are an arbitrary subset
| order by Timestamp
| limit 100
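An added example, not part of the original post, of the same hunt shaped so that the "Take actions" feature can act on each returned message: email actions require the NetworkMessageId and RecipientEmailAddress columns to be present in the results, so they must not be projected away. The subject marker comes from the post; the 7-day window, the inbound-only filter and the delivery-location filter are assumptions.

```kusto
// Added example (not from the original post): action-ready phishing hunt.
// "Take actions" on email needs NetworkMessageId and RecipientEmailAddress
// in the result set; the other columns are context for the analyst.
let SubjectMarker = "(ABC001)";      // marker taken from the post
let Lookback = 7d;                   // assumed hunting window
EmailEvents
| where Timestamp > ago(Lookback)
| where EmailDirection == "Inbound"  // assumed: external phish only
| where Subject contains SubjectMarker
// keep only mail that actually landed in a mailbox; blocked or
// quarantined mail needs no mailbox remediation
| where DeliveryLocation in ("Inbox/folder", "Junk folder")
// pull attachment details for the same message/recipient pair
| join kind=leftouter (
    EmailAttachmentInfo
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256
  ) on NetworkMessageId, RecipientEmailAddress
| project Timestamp, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, SenderFromDomain, Subject,
          EmailDirection, DeliveryLocation, AttachmentCount,
          FileName, FileType, SHA256
| order by Timestamp desc
| take 100
```

Once the rows are selected and an action such as soft delete is applied, the resulting post-delivery actions are recorded in the EmailPostDeliveryEvents table, which can be queried to confirm the remediation completed.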
Nov 03 2021 07:53 PM
@Deleted
So just curious - have you tried using the "Threat Explorer"?
https://security.microsoft.com/threatexplorer
You can use this and search "All Emails" for "Ignite" & then in the lower half of the console you can choose Select All and the actions available are:
Track & Notify includes:
Start new Submission includes:
Hope that helps?
Nov 04 2021 08:52 AM