 File1.exe will be blocked on Device3. — No

 User2 will be marked with a risk level of medium. — No

 An investigation package will be collected from Device1. — Yes

Custom detection rules in Microsoft Defender XDR are scoped to devices or device groups and only take device-related actions for devices that are in that scope. As the documentation states, “Only data from devices in the scope will be queried. Also, actions are taken only on those devices.” Therefore a rule scoped to DevGroup1 will apply actions only to devices in DevGroup1 (Device1 and Device2); it will not apply to Device3 because Device3 is in DevGroup2. Microsoft Learn

File blocking is a file-level action triggered by the rule, but blocking is applied only where the rule is in scope. Consequently File1.exe will not be blocked on Device3 (out of scope). For the user action, the rule’s Mark user as compromised action explicitly “sets the users risk level to 'high' in Microsoft Entra ID” — it does not set a medium risk. So the statement that User2 will be marked with risk level medium is incorrect; the documented outcome is a high risk marking. Microsoft Learn

Finally, device actions include Collect investigation package and these are applied to the DeviceId results when the rule matches. Because Device1 is in DevGroup1 (in scope) and the rule specifies collecting an investigation package for matching devices, an investigation package will be collected from Device1 when the rule fires. Microsoft Learn

Sources: Official Microsoft Defender XDR documentation for custom detection rules (actions, scope, and user actions). Microsoft Learn