Alert "User requested to release a quarantined message" doesn't have sufficient metadata for analyst to use

LindsayOlson-7017 10 Reputation points
2025-04-25T17:54:12.0333333+00:00

When the alert "User requested to release a quarantined message" is generated, the payload data Microsoft Graph supplies for alert_v2, and also the Alerts UI in Defender, does not have enough data to identify the email item that is being requested for release.

The alert needs to contain some kind of linkage to the quarantined mail item such as "subject" and "recipient" or even the NetworkID/MessageID of the message itself.

Without this information available, tracking down the email item requested to be released can be quite a deep dive when the recipient is a shared mailbox email address but the requestor of the release is a user account, as the quarantine doesn't seem to have a filter option for "Release Requested by".

Additionally, when an email item is quarantined and the sender is on the tenant allow list, the system reprocesses that message after the user requests release from quarantine, but the system does not resolve the associated alert. The alert also needs to be resolved by the system if the system is automatically releasing mail items from quarantine; otherwise analysts are addressing alerts that have already been completed by the system.

Is any of this possible or can these options be added somehow?
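The triage gap described above can be made mechanical. The following script is an added example, not code from the question author or from Microsoft: it reads a Graph security `alerts_v2` payload (a constructed sample is embedded, with field names following the Graph evidence schema), looks for `analyzedMessageEvidence` carrying the message identifiers the post asks for, and when none is present falls back to the only pivots the alert does provide, the requesting user's UPN and the alert creation time, to produce the narrow quarantine search window an analyst would otherwise build by hand. The 24-hour window is an assumed default, not anything the page states.

```python
"""Triage helper for Defender alerts titled
"User requested to release a quarantined message" fetched via Microsoft Graph
security/alerts_v2.  Added example, not from the original post or Microsoft."""

import json
from datetime import datetime, timedelta

# Constructed sample payload, trimmed to the fields this script reads.
# The absence of analyzedMessageEvidence mirrors the gap described in the question.
SAMPLE_ALERT_JSON = """
{
  "id": "da1234example",
  "title": "User requested to release a quarantined message",
  "createdDateTime": "2025-04-25T17:40:03Z",
  "serviceSource": "microsoftDefenderForOffice365",
  "evidence": [
    {
      "@odata.type": "#microsoft.graph.security.userEvidence",
      "userAccount": {"userPrincipalName": "alice@contoso.example"}
    }
  ]
}
"""

MESSAGE_EVIDENCE_TYPE = "#microsoft.graph.security.analyzedMessageEvidence"
USER_EVIDENCE_TYPE = "#microsoft.graph.security.userEvidence"
# Fields that let an analyst pin down the exact quarantined item.
MESSAGE_KEYS = ("networkMessageId", "internetMessageId", "subject", "recipientEmailAddress")


def load_sample() -> dict:
    """Parse the embedded constructed alert."""
    return json.loads(SAMPLE_ALERT_JSON)


def extract_message_refs(alert: dict) -> list[dict]:
    """Return one dict per analyzedMessageEvidence entry, keeping only the
    identifying fields. An empty list means the alert carries no message linkage."""
    refs = []
    for item in alert.get("evidence", []):
        if item.get("@odata.type") != MESSAGE_EVIDENCE_TYPE:
            continue
        refs.append({k: item.get(k) for k in MESSAGE_KEYS if item.get(k)})
    return refs


def requesting_users(alert: dict) -> list[str]:
    """UPNs from userEvidence entries: the only pivot left when no message evidence exists."""
    users = []
    for item in alert.get("evidence", []):
        if item.get("@odata.type") == USER_EVIDENCE_TYPE:
            upn = (item.get("userAccount") or {}).get("userPrincipalName")
            if upn:
                users.append(upn)
    return users


def triage(alert: dict, window_hours: int = 24) -> dict:
    """Decide whether the alert is self-contained or needs a manual quarantine search.
    window_hours is an assumed default for how far back to look."""
    refs = extract_message_refs(alert)
    if refs:
        return {"status": "linked", "messages": refs}
    created = datetime.fromisoformat(alert["createdDateTime"].replace("Z", "+00:00"))
    return {
        "status": "needs_quarantine_search",
        "requested_by": requesting_users(alert),
        # The release request precedes the alert, so search quarantine items
        # received in the window ending at the alert's creation time.
        "search_from": (created - timedelta(hours=window_hours)).isoformat(),
        "search_to": created.isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(triage(load_sample()), indent=2))
```

Run against the sample, the result is `needs_quarantine_search` with `alice@contoso.example` as the requester and a one-day window ending at the alert time; feed it an alert that does carry `analyzedMessageEvidence` and it returns the message identifiers directly, which is the behaviour the post is asking the product to provide.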

Microsoft Graph