Quarantine notification via Transport Rule

M00nshine 40 Reputation points
2023-02-16T13:07:00.2766667+00:00

Hello,

I work in a SOC and I'd like our team to be notified whenever an employee from a VIP group has one of their emails quarantined.

I do not know of any way that Defender can do this - currently it only notifies the recipient that their mail has been quarantined. Because of this, I'm now looking down the route of creating a mail flow rule.

This is the current Quarantine rule that's in place and is functioning ok:

[Screenshot of the existing quarantine rule, not reproduced]

And this is the 2nd rule I'd like to run in unison with the above rule. This rule picks up on the auto-generated mail from postmaster to the employee above - redirects it to our security mailbox to review, and posts them a message to let them know.

[Screenshot of the second (notification) rule, not reproduced]

For some reason, the 2nd rule won't run, as if it's disabled. I have read online previously that auto-generated "mails" won't be picked up by transport rules, which may explain it, however I'm not confident of that.
If anybody has any advice/possible workarounds it'd be much appreciated!


Accepted answer
Yuki Sun-MSFT 40,931 Reputation points
    2023-02-17T06:19:12.89+00:00

    Hi @M00nshine

    For some reason, the 2nd rule won't run, as if it's disabled. I have read online previously that auto-generated "mails" won't be picked up by transport rules, which may explain it, however I'm not confident of that.

    True, system-generated messages won't be processed by mail flow rules (previously called "transport rules"). See Mail flow rules (transport rules) in Exchange Online:
    [Screenshot of the documentation excerpt, not reproduced]

    With this being said, for the requirement you described, seems to me that it's not feasible to send a customized notification mail as you intended to do in the 2nd rule. However, I am assuming that you can try adding the action "Generate incident report and send it to" in the original rule and set the security team as the recipient, so that an auto generated notification report can be sent to the security team with some chosen properties.

    I tried testing in my lab tenant by adding this action into an existing rule "RuleForTest", and chose to include the "Recipients" and "RuleDetections", the specified group can receive a report like below:
    [Screenshots of the generated incident report, not reproduced]


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

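The approach described in the question (quarantine rule for a VIP group) and in the accepted answer (add the "Generate incident report and send it to" action to that same rule), expressed with the ExchangeOnlineManagement cmdlets. This is an added example, not code from the original question, the answer or Microsoft's documentation. The rule name, the VIP group address, the SOC mailbox and the rule conditions are placeholders; the real rule's conditions are only visible in the screenshots and are not reproduced here.

```powershell
# Added example (not from the original post or the accepted answer).
# Requires the ExchangeOnlineManagement module and an Exchange admin sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

$RuleName   = 'Quarantine VIP inbound'      # assumed name of the existing rule
$VipGroup   = 'vip-staff@contoso.example'   # assumed distribution group holding the VIP users
$SocMailbox = 'secops@contoso.example'      # assumed SOC shared mailbox that receives the report

# Report fields the SOC gets. RuleDetections names the rule that fired, which
# lets the SOC tell this rule apart from any other quarantine actions.
$ReportContent = 'Sender', 'Recipients', 'Subject', 'RuleDetections'

$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue

if ($existing) {
    # What the accepted answer suggests: extend the working rule in place
    # rather than relying on a second rule that matches the postmaster notice.
    Set-TransportRule -Identity $RuleName `
        -GenerateIncidentReport $SocMailbox `
        -IncidentReportContent $ReportContent
}
else {
    # If no rule exists yet, create one. The conditions below are assumptions
    # for illustration; mirror whatever the working rule in the screenshot uses.
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -SentToMemberOf $VipGroup `
        -Quarantine $true `
        -GenerateIncidentReport $SocMailbox `
        -IncidentReportContent $ReportContent `
        -Mode Enforce -Enabled $true
}

# Verification: confirm the action is attached and the rule is enabled.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, Priority, GenerateIncidentReport, IncidentReportContent

Disconnect-ExchangeOnline -Confirm:$false
```

The incident report is produced by the rule engine at the moment the quarantine rule fires, so it does not depend on the postmaster's quarantine notification being routed through mail flow rules, which is why it sidesteps the problem the second rule ran into. `IncidentReportContent` also accepts `AttachOriginalMail`; leaving it out here is a deliberate choice, since attaching the quarantined message would deliver a copy of possibly malicious content into the SOC mailbox instead of leaving it in quarantine for review.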
