# Microsoft Defender for Office 365 - Release from Quarantine

## Query Information

### Description

Use the query below to list all e-mail messages that were released from quarantine.

#### References

- [Manage quarantined messages and files as a user](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-end-user?view=o365-worldwide)
- [Manage quarantined messages and files as an admin](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide)

### Microsoft Sentinel

List all e-mail messages that were released from quarantine in Microsoft Exchange Online.

```kql
EmailPostDeliveryEvents
| where TimeGenerated > ago(7d)
| where Action == "Quarantine release"
| project TimeGenerated, Action, ActionTrigger, ActionType, DeliveryLocation, RecipientEmailAddress, NetworkMessageId
// kind=inner keeps every release event; the default innerunique would drop
// repeated matches on the same NetworkMessageId (e.g. multi-recipient messages)
| join kind=inner (
    EmailEvents
    // scope the right side as well so the join does not scan the whole table;
    // 30d covers messages delivered before the 7-day release window
    | where TimeGenerated > ago(30d)
  ) on $left.NetworkMessageId == $right.NetworkMessageId
| project TimeGenerated, Action, ActionTrigger, ActionType, Subject, RecipientEmailAddress, SenderFromAddress, SenderFromDomain
//| summarize count() by SenderFromDomain
```
The query lists the e-mail messages released from quarantine in Microsoft Exchange Online. It starts from `EmailPostDeliveryEvents`, keeps only events from the last 7 days whose `Action` is "Quarantine release", and projects the event time, the action, the `ActionTrigger` (what triggered the release), the action type, the delivery location, the recipient address and the `NetworkMessageId`. It then joins on `NetworkMessageId` with `EmailEvents` to add the subject, the sender address and the sender domain of the original message. Because `EmailEvents` holds one row per recipient, a message released for several recipients appears once per recipient. Uncomment the final `summarize` line to count released messages per sender domain instead of listing them.
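Listing every release is a good inventory, but the releases that matter for a hunt are those of messages Defender had already classified as malicious. The following query is an added example and not part of the original page or the author's repository: it restricts the join to messages whose `ThreatTypes` verdict contained Malware or Phish, joins on both `NetworkMessageId` and `RecipientEmailAddress` so that multi-recipient messages match per recipient, and aggregates by sender domain, verdict and release trigger. Column names follow the documented `EmailEvents` and `EmailPostDeliveryEvents` schema; the 30-day `lookback` is an assumption chosen to cover the default quarantine retention period.

```kql
// Added example (not from the original page): quarantine releases of messages
// that carried a Malware or Phish verdict when they were first evaluated.
// Assumption: a 30-day window is long enough to find the original EmailEvents row.
let lookback = 30d;
EmailPostDeliveryEvents
| where TimeGenerated > ago(lookback)
| where Action == "Quarantine release"
| project ReleaseTime = TimeGenerated, ActionTrigger, ActionType,
          NetworkMessageId, RecipientEmailAddress
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(lookback)
    // ThreatTypes is a comma-separated string, e.g. "Malware, Phish"
    | where ThreatTypes has_any ("Malware", "Phish")
    | project NetworkMessageId, RecipientEmailAddress, Subject,
              SenderFromAddress, SenderFromDomain, ThreatTypes, ThreatNames,
              AttachmentCount, UrlCount, DeliveryAction, DeliveryLocation
  // join on both keys: EmailEvents has one row per recipient of a message
  ) on NetworkMessageId, RecipientEmailAddress
| summarize ReleasedMessages = count(),
            Recipients = make_set(RecipientEmailAddress),
            Subjects = make_set(Subject, 10),
            FirstRelease = min(ReleaseTime),
            LastRelease = max(ReleaseTime)
  by SenderFromDomain, ThreatTypes, ActionTrigger
| order by ReleasedMessages desc
```

Sorting by `ReleasedMessages` surfaces sender domains whose quarantined mail is being released repeatedly, which is a useful starting point when checking whether users or admins are overriding a verdict that should be investigated rather than released.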

Alex Verboon
Released: November 23, 2023