NO - https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-emails
"The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages."
Since NetworkMessageId is not mentioned in the summarize, it won't work.
YES - https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-devices
YES - https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-files
I couldn't actually test it now, but if someone could give it a test to confirm that would be great. :)
Deletion of files and restricting an app are not an option for custom detection rule automation. You can't automate these actions with a custom detection rule. So should it not be No, No, No?
Hi, I have just written the query in a lab environment and tried to create a custom rule based on it. The query works and I got some results.
When I try to create the rule and follow the steps:
Custom Detections:
Impacted Entities:
Device---> Device ID
Mailbox--> RecipientEmailAddress
User ---> RecipientObjectId
From the actions in this link "https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#4-specify-actions"
1) All device actions, including "restrict app execution", are active and can be implemented.
2) For files: Allow/Block is active, delete is inactive.
3) For users: Mark user as compromised is active.
4) For emails: no action is active.
On the basis of this test in the lab environment,
I will go with the "No, Yes, No" option.
N,Y,Y.
Both "RecipientEmailAddress" and "NetworkMessageId" are required to automatically remove an email message from a user's mailbox.
If the "Device ID" column is printed in the query results, the app can be automatically restricted from running.
If the query outputs one of the "SHA1", "InitiatingProcessSHA1", or "SHA256" columns, you can automatically restrict the execution of your app.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
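As an added illustration (not part of any comment in this thread and not code from Microsoft's documentation), the queries below show what the column requirements discussed above look like in practice. Table and column names are from the documented advanced-hunting schema (EmailEvents, DeviceFileEvents); the filter conditions are illustrative placeholders, not a real detection.

```kusto
// Added example, not taken from any comment above or from Microsoft's docs.
// The where-clauses are placeholders; the point is which columns reach the output.

// 1) Email rule as the thread reads it: the summarize keeps the mailbox
//    (RecipientEmailAddress) but drops NetworkMessageId, so "Delete email" /
//    "Move to mailbox folder" are not offered when the rule is created.
EmailEvents
| where Timestamp > ago(1d)
| where DeliveryAction == "Delivered" and AttachmentCount > 0
| summarize Emails = count(), arg_max(Timestamp, ReportId)
    by RecipientEmailAddress, SenderFromAddress

// 2) Same detection with NetworkMessageId carried through the summarize and
//    projected: both columns the docs require for email actions are present,
//    together with Timestamp and ReportId, which every custom detection needs.
EmailEvents
| where Timestamp > ago(1d)
| where DeliveryAction == "Delivered" and AttachmentCount > 0
| summarize arg_max(Timestamp, ReportId, SenderFromAddress, Subject)
    by NetworkMessageId, RecipientEmailAddress, RecipientObjectId
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          RecipientObjectId, SenderFromAddress, Subject

// 3) Device/file rule: DeviceId makes the device actions (isolate, restrict
//    app execution, ...) available; SHA1/SHA256 columns make the file actions
//    (allow/block, quarantine) available. The docs describe quarantine, which
//    removes the file from its location and keeps a copy, not a plain delete.
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileCreated" and FileName endswith ".exe"
| where FolderPath startswith @"C:\Users\"   // placeholder condition
| project Timestamp, ReportId, DeviceId, DeviceName, FileName, FolderPath,
          SHA1, SHA256, InitiatingProcessSHA1, InitiatingProcessSHA256
```

Each numbered query is run on its own in Advanced hunting and then saved as a custom detection; the action checkboxes offered in the "Actions" step depend only on which columns appear in the query's result set, which is why variant 1 and variant 2 of the same email detection behave differently.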
Tested in the lab,
"Deletion of email messages from user mailbox based on RecipientEmailAddress" - No
"Restrict the App execution using DeviceId" - Yes
"Deletion of file based on SHA256" - No
It can.
It's
No: The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages.
Yes: Restrict app execution—sets restrictions on device to allow only files that are signed with a Microsoft-issued certificate to run.
Yes: When selected, the Quarantine file action can be applied to files in the SHA1, InitiatingProcessSHA1, SHA256, or InitiatingProcessSHA256 column of the query results. This action deletes the file from its current location and places a copy in quarantine.
I agree that the 3rd one could be dubious because of the quarantine, but it DOES delete the file.
Yes, No, No
Keyword is | where EntityType in ("User", "Mailbox")
so actions available are
For "User" :
Mark user as compromised
Disable user
Force password reset
For "Mailbox" :
Move to Mailbox folder
Delete Mail
Ref : https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#4-specify-actions
Not correct. Definitely not for email (The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages.) But it seems OK for the other two. So I go with No for email and Yes for the other two.
they are.
The answers seem to be correct based on this source: https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#4-specify-actions
The link you provided specifically shows that "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." How did you come to that conclusion? There is nothing in the query indicating that NetworkMessageId is provided, or am I missing something?
Sigh. I guess this is one of those questions where Microsoft leaves too much to interpretation.
"When selected, the Quarantine file action can be applied to files in the SHA1, InitiatingProcessSHA1, SHA256, or InitiatingProcessSHA256 column of the query results. This action deletes the file from its current location and places a copy in quarantine."
So yes it's "deleted".
I would also say "no", but tbh it's just guessing.