Adversaries who have gained control of Office 365 quarantine actions may release quarantined messages to exfiltrate data or evade detection, and a shift in the quarantine release trend can be the visible trace of that activity. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify potential data exfiltration attempts and disrupt adversary operations.
KQL Query

```kql
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| summarize count() by bin(Timestamp, 1d)
| project-rename Releases = count_
| render timechart with (title="Quarantine Releases by Day")
```
Hunting query definition (YAML)

```yaml
id: 9f135aef-ad25-4df2-bdab-8399978a36a2
name: Quarantine release trend
description: |
  This query helps review the quarantine release trend in Defender for Office 365.
description-detailed: |
  This query helps review the quarantine release trend in Defender for Office 365.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "QuarantineReleaseMessage"
  | summarize count() by bin(Timestamp, 1d)
  | project-rename Releases = count_
  | render timechart with (title="Quarantine Releases by Day")
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Known false positives and suggested exclusions

- Scenario: A scheduled backup job uploads a large number of files to a shared folder, triggering a quarantine release trend.
  Filter/Exclusion: Exclude file uploads from known backup tools like Veeam Backup & Replication or Commvault by checking the source IP or user context.
- Scenario: An administrator manually releases quarantined files as part of a routine security review or incident response.
  Filter/Exclusion: Exclude actions performed by admin accounts (e.g., [email protected]) or specific roles like Global Admin in Microsoft 365.
- Scenario: A system maintenance task, such as Windows Update or a Microsoft Defender scheduled scan, temporarily quarantines benign files during a scan.
  Filter/Exclusion: Exclude events related to the Microsoft Defender scheduled scan or Windows Update by checking the process name or task name.
- Scenario: A user accidentally sends an email with an attachment that gets quarantined by Microsoft Defender for Office 365, but the file is legitimate.
  Filter/Exclusion: Exclude files with known safe extensions (e.g., .pdf, .docx) or files sent from trusted domains using Microsoft Purview or Exchange Online Protection.
- Scenario: A third-party security tool, such as CrowdStrike or SentinelOne, integrates with Defender for Office 365 and temporarily quarantines files during a threat detection process.
  Filter/Exclusion: Exclude events originating from third-party security tools by checking the source process name or integration logs in Microsoft Sentinel.
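The daily-count query above gives a chart to eyeball, and the exclusion list above describes what to filter out of it. The following KQL is an added example, not part of the original hunting query or of the Sentinel content it comes from: it applies the admin-account exclusion as an allowlist, drops releases flagged as admin operations, and then replaces the manual chart review with a baseline so that only days whose release count sits above the expected trend are returned. It assumes the CloudAppEvents columns `Timestamp`, `ActionType`, `AccountDisplayName` and `IsAdminOperation`; the allowlist entries are placeholders to be replaced with the tenant's own reviewer accounts.

```kql
// Added example, not part of the original query. Column names (AccountDisplayName,
// IsAdminOperation) and the allowlist entries are assumptions; replace the
// PLACEHOLDER values with the accounts that legitimately release quarantined mail.
let lookback = 30d;
let ExcludedAccounts = datatable(AccountDisplayName:string) [
    "PLACEHOLDER-soc-reviewer-1",
    "PLACEHOLDER-soc-reviewer-2"
];
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "QuarantineReleaseMessage"
// Exclusion 1: releases performed by known reviewer / admin accounts
| where AccountDisplayName !in (ExcludedAccounts)
// Exclusion 2: releases recorded as administrative operations
| where IsAdminOperation != true
// Build one daily bucket per day of the lookback, filling empty days with 0
| make-series Releases = count() default = 0
    on Timestamp from ago(lookback) to now() step 1d
// Decompose the series into a baseline and flag days that deviate from it;
// threshold 1.5 = anomaly score cut-off, -1 = auto-detect seasonality
| extend (anomalies, score, baseline) =
    series_decompose_anomalies(Releases, 1.5, -1, 'linefit')
// Expand the arrays back into one row per day
| mv-expand Timestamp to typeof(datetime), Releases to typeof(long),
            anomalies to typeof(double), score to typeof(double),
            baseline to typeof(long)
// Keep only days with more releases than the baseline predicts
| where anomalies > 0
| project Timestamp, Releases, baseline, score
| order by Timestamp asc
```

Days that survive the final filter are the ones worth pivoting on: re-run the first half of the query for that day without the `make-series` stage and summarize by `AccountDisplayName` to see which non-excluded accounts did the releasing. Keeping the allowlist in a `datatable` (or a watchlist) rather than inline string literals makes the exclusion reviewable and easy to extend as the false-positive list above grows.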