
Announcing quarantine release integration in MDO hunting experience!!

by info.odysseyx@gmail.com


We are excited to introduce a new quarantine release integration as part of the hunting experience in Microsoft Defender for Office 365. This enhancement enables security operators (SecOps) to address false positives in Microsoft Defender for Office 365 more efficiently and flexibly.

This new capability allows SecOps to now move quarantined messages from hunting environments such as Threat Explorer, Advanced Hunting, Email Summary Panel, Email Entity Page, and Custom Detections to the Inbox.

SecOps team members can take action on a single quarantined message or on quarantined messages in bulk. To take action on a single message, use the Email Entity page. To take action on multiple messages, use Threat Explorer, Advanced Hunting, or custom detection rules in Defender XDR.

The previous false positive triage workflow was cumbersome: it required SecOps to go through about five different steps and switch tabs across hunting surfaces such as Threat Explorer and Advanced Hunting. With this new capability, these additional steps are no longer necessary, and SecOps can release messages directly without losing context. It also allows SecOps teams to select messages with custom queries, filter them more precisely, and perform release actions directly from Threat Explorer and Advanced Hunting.

Additionally, SecOps can perform bulk quarantine release operations asynchronously for more than 100 messages. For best results, release actions should be performed in batches of 50,000 messages or fewer.

Here are some examples of how to effectively address false positives using Threat Explorer, Email Entity Page/Email Summary Panel, Advanced Hunting, and APIs:

  • SecOps can search for false-positive URLs in Threat Explorer to find the related quarantined messages and move/release them directly from Threat Explorer to the Inbox.
  • SecOps can retrieve blocked/quarantined false-positive URLs through Advanced Hunting, find all quarantined messages based on URL and threat type, and trigger the Move to Inbox/Release from quarantine action directly from Microsoft Defender XDR's Advanced Hunting, for example with the following query:

EmailEvents
| where ThreatTypes has "Phish" and LatestDeliveryLocation has "Quarantine"
| join EmailUrlInfo on NetworkMessageId
| where Url in~ ('http://contoso.com/.i')
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction, LatestDeliveryLocation, Url, UrlCount, ReportId


  • SecOps can take action on quarantine release from the email entity page and email summary panel.
  • Release from quarantine via custom detection rules –
    • Email actions in Microsoft Defender for Office 365 are natively integrated with the custom detection capabilities of Microsoft Defender XDR. This means SecOps can write KQL queries that find incorrectly quarantined messages, respond to these events, and automatically perform the Release/Move to Inbox action. For more information, see the Defender XDR custom detection documentation.
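The following query is an added example (not part of the original announcement) that extends the Advanced Hunting query above into a form that can also be saved as a custom detection rule: it only returns quarantined phishing verdicts whose URLs are all on a list of domains the team has already confirmed as safe, excludes anything that also carried a malware verdict, and returns one row per recipient so the release action covers every mailbox. The domain list and the seven-day window are assumptions.

```kql
// Added example; the safe-domain list and lookback window are assumptions.
let fpDomains = dynamic(["contoso.com", "fabrikam.com"]);  // domains confirmed as false positives
let lookback = 7d;                                          // review window
// Step 1: per message, check that every URL belongs to a confirmed-safe domain.
let safeOnlyMessages =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | summarize UrlsTotal = dcount(Url),
                UrlsSafe  = dcountif(Url, UrlDomain in~ (fpDomains)),
                Urls      = make_set(Url)
        by NetworkMessageId
    | where UrlsTotal > 0 and UrlsTotal == UrlsSafe;
// Step 2: quarantined phishing verdicts only; never release a message that also
// carried a malware verdict. EmailEvents has one row per recipient, so the
// output keeps NetworkMessageId plus RecipientEmailAddress for the email action.
EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has "Phish" and ThreatTypes !has "Malware"
| where LatestDeliveryLocation == "Quarantine"
| join kind=inner safeOnlyMessages on NetworkMessageId
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject,
          DeliveryAction, LatestDeliveryLocation, Urls, UrlsTotal, ReportId
```

Run it in Advanced Hunting first and review the returned rows (or add `| summarize count() by RecipientEmailAddress` as a sanity check) before saving it as a custom detection with a Move to Inbox action, keeping the 50,000-message batch guidance above in mind.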

Learn more:

Have questions or feedback about Microsoft Defender for Office 365? Connect with the community and Microsoft experts in the Defender for Office 365 Forum.
