NO - https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-emails
"The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages."
Since NetworkMessageId is not mentioned in the summarize, it won't work.
YES - https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-devices
YES - https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-files
I couldn't actually test it now, but if someone could give it a test to confirm that would be great. :)
Deletion of files and restricting an app are not an option for custom detection rule automation. You can't automate these actions with a custom detection rule. So should it not be No, No, No?
Hi, I have just written the query in a lab environment and tried to create a custom rule based on it. The query works and I got some results.
When I try to create the rule and follow the steps:
Custom Detections:
Impacted Entities:
Device -> Device ID
Mailbox -> RecipientEmailAddress
User -> RecipientObjectId
From the actions in this link "https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#4-specify-actions"
1) All device actions, including "restrict app execution", are active and can be implemented.
2) For files: Allow/Block is active, delete is inactive.
3) For users: Mark user as compromised is active.
4) For emails no action is active.
On the basis of this test in the lab environment
I will go with the "No, Yes, No" option.
N, Y, Y.
Both "RecipientEmailAddress" and "NetworkMessageId" are required to automatically remove an email message from a user's mailbox.
If the "Device ID" column is printed in the query results, the app can be automatically restricted from running.
If the query outputs one of the "SHA1", "InitiatingProcessSHA1", or "SHA256" columns, you can automatically restrict the execution of your app.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
Tested in the lab,
"Deletion of email messages from user mailbox based on RecipientEmailAddress" - No
"Restrict the App execution using DeviceId" - Yes
"Deletion of file based on SHA256" - No
It can.
It's
No: The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages.
Yes: Restrict app execution—sets restrictions on device to allow only files that are signed with a Microsoft-issued certificate to run.
Yes: When selected, the Quarantine file action can be applied to files in the SHA1, InitiatingProcessSHA1, SHA256, or InitiatingProcessSHA256 column of the query results. This action deletes the file from its current location and places a copy in quarantine.
I agree that the 3rd one could be dubious because of the quarantine, but it DOES delete the file.
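As an added illustration (not posted by any commenter on this thread), here are three constructed advanced hunting queries, one per action type, showing which identifier columns have to survive the summarize for the action to be selectable; table and column names are the standard Advanced Hunting schema, the filters and thresholds are made up, and Timestamp and ReportId are kept because every custom detection rule requires them.

```kql
// Email actions (delete mail / move to mailbox folder) need BOTH
// NetworkMessageId and RecipientEmailAddress in the output; a summarize that
// drops NetworkMessageId leaves no email action available.
EmailEvents
| where Timestamp > ago(1d)
| where ThreatTypes has "Phish"
| summarize arg_max(Timestamp, ReportId) by NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject

// Device actions (isolate device, restrict app execution, ...) need DeviceId.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "certutil.exe" and ProcessCommandLine has "urlcache"
| summarize arg_max(Timestamp, ReportId) by DeviceId, DeviceName, FileName

// File actions (quarantine file) need SHA1, InitiatingProcessSHA1, SHA256 or
// InitiatingProcessSHA256 in the output; here SHA256 is kept in the summarize.
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileCreated" and FolderPath has @"\Downloads\"
| where FileName endswith ".hta"
| summarize arg_max(Timestamp, ReportId) by SHA256, DeviceId, FileName
```

Each query is saved as its own rule; arg_max() carries Timestamp and ReportId through the summarize without having to group by them.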
Yes, No, No
Keyword is | where EntityType in ("User", "Mailbox")
so actions available are
For "User" :
Mark user as compromised
Disable user
Force password reset
For "Mailbox" :
Move to Mailbox folder
Delete Mail
Ref : https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#4-specify-actions
Not correct. Definitely not for email ("The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages."). But it seems ok for the other two. So I go with No for email and Yes for the other two.
they are.
The answers seem to be correct based on this source: https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#4-specify-actions
The link you provided specifically shows that "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." How did you come to that conclusion? There is nothing in the query indicating that NetworkMessageId is provided, or am I missing something?
Sigh. I guess this is one of those questions where Microsoft leaves too much to interpretation.
"When selected, the Quarantine file action can be applied to files in the SHA1, InitiatingProcessSHA1, SHA256, or InitiatingProcessSHA256 column of the query results. This action deletes the file from its current location and places a copy in quarantine."
So yes it's "deleted".
I would also say "no", but tbh it's just guessing.