Announcing quarantine release integration in MDO hunting experience!!
We are excited to introduce the new quarantine release integration within Microsoft Defender for Office 365 as part of the hunting experience. This enhancement allows Security Operators (SecOps) to address false positives more efficiently and with greater flexibility in Microsoft Defender for Office 365.
With this new capability, SecOps can now move quarantined messages to Inbox across hunting experiences – Threat Explorer, Advanced Hunting, Email summary panel, Email Entity Page, and custom detection.
SecOps team members can act on quarantined messages individually or in bulk. To act on a single message, use the Email Entity page; to act on multiple messages, use Threat Explorer, Advanced hunting, or custom detection rules in Defender XDR.
The previous workflow for false positive triage was cumbersome and required SecOps to go through approximately 5 different steps and switch tabs from hunting surfaces like Threat explorer and Advanced hunting. With this new functionality, these extra steps are no longer needed and SecOps can quickly release messages from where they are without losing context. This also allows SecOps teams to define and better filter on messages with custom queries and take release action directly from Threat explorer and Advanced hunting.
Additionally, SecOps can carry out a bulk quarantine release operation on more than 100 messages asynchronously. For best results, release remediation should be done in batches of 50,000 or fewer.
Some examples of how Threat Explorer, the Email entity page / Email summary panel, Advanced hunting and the API can deal with false positives effectively are given below.
SecOps can search for a false positive URL in Threat Explorer, find the related quarantined messages, and directly trigger Move to inbox / release from quarantine without leaving Threat Explorer.
SecOps can search in Advanced hunting for a false positive URL that has been blocked or quarantined, find all messages quarantined based on the URL and threat type, and directly trigger Move to inbox / release from quarantine while using Advanced hunting in Microsoft Defender XDR.
// Phish-flagged messages currently in quarantine that contain the false positive URL
EmailEvents
| where ThreatTypes contains "Phish" and LatestDeliveryLocation contains "Quarantine"
| join EmailUrlInfo on NetworkMessageId
| where Url in ('http://contoso.com/.i')
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction, LatestDeliveryLocation, Url, UrlCount, ReportId
SecOps can act on the quarantine release from Email entity page and Email Summary Panel –
Click the Take actions button in the top right corner of the Email entity page to open the Action wizard. Follow the steps to trigger the "move to inbox / release" action. See also: Go to the Action center to view and approve your automated investigation and remediation tasks – Microsoft Defender XDR | Microsoft Learn.
Quarantine release through custom detection rules-
Email actions in Microsoft Defender for Office 365 are natively integrated with custom detections in Microsoft Defender XDR. This means SecOps can write sophisticated KQL queries to find messages that were quarantined incorrectly and respond to these events with a release / move to inbox action, even automatically. Learn more about custom detection here.
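One way to write a query that could back such a custom detection rule, added here as an example and not taken from the original post. The URL list reuses the sample URL from the query above, and the malware exclusion is an assumption about what is safe to release automatically.

```kql
// Added example (not from the original post).
// Assumption: this list holds only URLs your team has verified as false positives.
let VerifiedFalsePositiveUrls = dynamic(["http://contoso.com/.i"]);
EmailUrlInfo
| where Url in (VerifiedFalsePositiveUrls)
| distinct NetworkMessageId, Url
| join kind=inner (
    EmailEvents
    // Only messages that are still sitting in quarantine
    | where LatestDeliveryLocation == "Quarantine"
    // Assumption: release phish-only verdicts; skip anything that also
    // carries a malware verdict, since the URL is not why it was stopped
    | where ThreatTypes has "Phish" and ThreatTypes !has "Malware"
  ) on NetworkMessageId
// One row per message and recipient, keeping the most recent event
| summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress
// Timestamp and ReportId are required by custom detection rules;
// NetworkMessageId and RecipientEmailAddress are required for email actions
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, ThreatTypes, LatestDeliveryLocation, Url
```

A message that contains a verified URL alongside other URLs still matches this query, so review the result set in Advanced hunting before attaching an automatic release action.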
Learn more:
Check out our documentation for more information on the email entity page and related actions.
Track email move and delete actions centrally in Action center
Previous blogs on Quarantine experience can be found part one version and part two version.
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum