MC802702: Microsoft Defender XDR services: False positive email release from quarantine through post breach scenarios

Announcement ID: MC802702
Published Date: 06-17-2024
Service: Microsoft 365 Defender
Last Updated: 08-28-2024
Category: Plan for change
Expiration Date: 09-30-2024
Roadmap ID: 184915
Action Required by Date:
Tags: Admin impact, New feature


Summary
Microsoft Defender XDR will soon enable SecOps to restore quarantined emails directly from various interfaces, including Threat Explorer and Microsoft Graph API. This feature, part of Microsoft 365 Roadmap ID 184915, is for Defender for Office 365 Plan 2 and Microsoft 365 E5 customers and will roll out from mid-July to mid-September 2024. No admin action is required for the rollout.


More Information

Microsoft Defender XDR will soon let Security Operations (SecOps) restore quarantined emails to an inbox from Threat Explorer, Email Entity, Summary Panel, Advanced Hunting, and Microsoft Graph API.

Note that this new feature is only available for Microsoft Defender for Office 365 Plan 2 and Microsoft 365 E5 customers. 

When this will happen:

General Availability: We will begin rolling out mid-July (previously late June) 2024 and expect to complete by mid-September 2024 (previously late mid-August).

How this will affect your organization:

Before this rollout, admins had no way to release false positive emails (emails that are not actual threats) or move them to an inbox directly from post-breach scenarios. They needed to go back to the Quarantine page to complete these actions. Also, admins could previously bulk release only 100 emails.

With this new feature, the following steps explain how to release false positive emails or move them to the inbox after you have investigated them in Threat Explorer, Email Entity, or Advanced Hunting and selected the entities to act on.

1. Create remediation: Click the Take action button in the top-right corner of the Email Entity page to open the Action wizard. Follow the steps to trigger the "move to inbox" action. The action can be tracked in Action center.

Note that Take action on the Email Entity page lets admins release the message either to specific users or to all recipients.

2. Quarantine release from Threat Explorer (bulk scenarios): Go to Threat Explorer, select the messages that you want to move, and then click Move to inbox.

3. Track the action status in Action center: Go to Actions & Submissions, click Action center, and then go to the History page. There you can see who took the action, the action status, and so on.

4. Track the status on the Quarantine page: The email status, and who released it, is also shown on the Quarantine page.

5. Quarantine release from Advanced Hunting (bulk scenarios): Go to Advanced Hunting, select the messages that you want to move, choose Move to mailbox folder, and then click the Inbox option.

6. Custom detection: SecOps can create a custom detection rule and take action.

7. Graph API: You can also take the move to inbox action through the Microsoft Graph API.
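The Graph API path in step 7, as an added example that is not part of this announcement or Microsoft's own code. It assumes the Graph beta endpoint POST /security/collaboration/analyzedEmails/remediate, the request body shape shown (action, severity, analyzedEmails with networkMessageId and recipientEmailAddress) and the SecurityAnalyzedMessage.ReadWrite.All permission; check all three against the current Graph reference, and supply a token for your own tenant.

```python
"""Build and submit a "move to inbox" remediation for false positive quarantined mail.

Added example. Endpoint, body shape and permission are assumptions (see lead-in).
"""
import json
import urllib.request

# Assumed Graph beta endpoint for remediating analyzed (quarantined) emails.
GRAPH_REMEDIATE_URL = (
    "https://graph.microsoft.com/beta/security/collaboration/analyzedEmails/remediate"
)


def build_move_to_inbox_request(messages, display_name, description):
    """Return the remediation body: one entry per (networkMessageId, recipient) pair.

    A single message delivered to several recipients needs one entry per recipient,
    which is how Email Entity's "release to specific users" maps onto the API.
    """
    if not messages:
        raise ValueError("at least one message is required")
    entries = []
    for network_message_id, recipient in messages:
        if "@" not in recipient:
            raise ValueError(f"invalid recipient address: {recipient!r}")
        entries.append({"networkMessageId": network_message_id,
                        "recipientEmailAddress": recipient})
    return {
        "displayName": display_name,
        "description": description,
        "severity": "low",        # a false positive carries no threat, so low
        "action": "moveToInbox",  # the release action described in MC802702
        "analyzedEmails": entries,
    }


def submit_remediation(body, access_token):
    """POST the body to Graph and return the HTTP status; progress shows in Action center."""
    req = urllib.request.Request(
        GRAPH_REMEDIATE_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: one falsely quarantined message sent to two recipients.
    sample = [("00000000-0000-0000-0000-000000000001", "alice@contoso.example"),
              ("00000000-0000-0000-0000-000000000001", "bob@contoso.example")]
    print(json.dumps(build_move_to_inbox_request(sample, "FP release", "Vendor invoice"), indent=2))
```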

What you need to do to prepare:

This rollout will happen automatically with no admin action required. You may want to notify your admins about this change and update any relevant documentation as appropriate.
