Organization Settings

Organization settings determine how Cloud Email Protection works in your organization. You manage your organization on the Edit Organization page. The Edit Organization page contains tabs on which settings are collected, and each tab contains sections of related settings. Here, you configure the following categories of settings:

To view or edit organization settings, go to Manage > Organizations, and then click the organization name.

NOTE: You can make changes to the organization settings only if you have the Organization Administrator role. (Certain settings require higher-level roles that are available only to Cloud Email Protection administrators. If you do not see a setting in your view or you cannot change a setting, this is likely the reason.)

Administrative Tab

General Settings

Setting Description
Organization Name

The name of your organization. This is what you see wherever there is information displayed about or relating to your organization, such as audit trails. You can change the organization name.

Symbolic Name

A unique string created from the initial organization name to uniquely define the organization. This identifier is used by the system and is viewable only here. It cannot be changed.

Subdomain

The part of the application URL that is unique to your organization. It is a subdomain of ep.agari.com.

Creation Date

Shows the date and time that the organization was created.

Organization Settings

Setting Description
Primary Administrative Contact

The organization user selected here is the person who receives all administrative contact from Fortra Cloud Email Protection.

Parent Organization

The Partner organization that manages the selected child organization.

Organization Type

Defines if the organization is:

  • Eval: Reviewing Cloud Email Protection
  • Subscriber: Has paid for Cloud Email Protection
  • Partner:
  • Internal:

Expiration

Defines when an organization's subscription expires and is up for renewal.

Display EULA for this organization

Enable to display the End-User License Agreement (EULA) for the selected Organization.

Classification Settings

Setting Description

An organization's classification settings are used for reporting, especially for comparing an organization's aggregate data to industry peer aggregate data.

Region

This is used to determine geographic peers.

Industry

This is used to determine industry peers. If your organization isn't categorized by one of the defined choices, select Other.

Mailboxes

This is used to determine peers based on mailbox size range as a proxy for organization size.

Exact mailbox count

Enter the actual number of mailboxes in your organization. This should be a number in the range you selected above.

Report Settings

Setting Description

Thresholds for Attack Types

(Used for all reports)

For each attack type, you can select:

  • Untrusted - Message Trust Score between 0.0 and 1.0
  • Untrusted and Suspicious - Message Trust Score between 0.0 and 5.0

Messages with a Trust Score of between 0.0 and 1.0 (on a scale of 0.0 to 10.0) are considered untrusted.

Messages with a Trust Score greater than 1.0 and up to 5.0 are considered suspicious.

This setting allows you to define whether you want reports for each attack type to contain only untrusted messages or both untrusted and suspicious messages.

The default for all attack types except Domain Spoof is Untrusted and Suspicious. For Domain Spoof the default is Untrusted.
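
The threshold rule described above, modelled as an added example (not Fortra code) that shows which messages a report would contain under the default and overridden settings. The attack-type name "Example Attack Type", the function names, and the sample messages are constructed for illustration.

```python
# Added illustration; not Fortra code. Attack-type names other than
# "Domain Spoof" are placeholders, and the messages are constructed samples.
UNTRUSTED_MAX = 1.0    # Trust Score 0.0-1.0 -> untrusted
SUSPICIOUS_MAX = 5.0   # Trust Score >1.0 and up to 5.0 -> suspicious

UNTRUSTED = "Untrusted"
UNTRUSTED_AND_SUSPICIOUS = "Untrusted and Suspicious"


def classify(score):
    """Map a Message Trust Score (0.0-10.0) to the band the page defines."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"Trust Score out of range: {score}")
    if score <= UNTRUSTED_MAX:
        return "untrusted"
    if score <= SUSPICIOUS_MAX:
        return "suspicious"
    return "other"  # above 5.0: not selectable for attack-type reports


def default_threshold(attack_type):
    """Documented defaults: Domain Spoof is Untrusted, all others are wider."""
    return UNTRUSTED if attack_type == "Domain Spoof" else UNTRUSTED_AND_SUSPICIOUS


def reported(messages, overrides=None):
    """Return the messages a report would contain, per attack-type threshold."""
    overrides = overrides or {}
    kept = []
    for msg in messages:
        setting = overrides.get(msg["attack_type"], default_threshold(msg["attack_type"]))
        band = classify(msg["score"])
        if band == "untrusted" or (band == "suspicious" and setting == UNTRUSTED_AND_SUSPICIOUS):
            kept.append(msg)
    return kept


SAMPLE = [  # constructed
    {"id": 1, "attack_type": "Domain Spoof", "score": 0.8},
    {"id": 2, "attack_type": "Domain Spoof", "score": 3.2},
    {"id": 3, "attack_type": "Example Attack Type", "score": 3.2},
    {"id": 4, "attack_type": "Example Attack Type", "score": 5.0},
    {"id": 5, "attack_type": "Example Attack Type", "score": 5.1},
]

if __name__ == "__main__":
    print([m["id"] for m in reported(SAMPLE)])
```

With the defaults, the suspicious Domain Spoof message (id 2) is left out of reports while the equally scored message of another attack type (id 3) is included.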

Mail Flow

Accepted Domains

Setting Description
Accepted Domains

Defines the domains for which you accept messages. Required if you select All messages in Evaluate Messages.

This should be a list of your domains, including subdomains, that receive your email messages. For example, if mycompany.com is your domain and mail.mycompany.com is your email server, both (and possibly others) should be in this list. Cloud Email Protection uses this list to help determine message directionality.

Domains you add to this list will automatically be tagged as internal (if they do not already have a tag). Domains tagged as internal before enabling IIP are also automatically added to this list. If a domain is tagged as internal after IIP is enabled, it is not automatically added to the Accepted Domains list. For more information, see Domain Tags.

To Add to the Accepted Domain list:

  • Enter the domain name and click ADD to add the domain as part of your organization for which you accept messages.

To Delete a Domain from the Accepted List:

  • Click next to the Domain Name you want to delete from the Accepted Domain List.

Messages

Setting Description

An organization's message settings determine what messages Cloud Email Protection will ingest.

These settings are only available if the Messaging Platform setting in the Sensor Settings section is Microsoft Office 365 or Exchange Online (journaled) or Microsoft Exchange Server (journaled).

You will also need to have journaling configured correctly, as explained in Configure Dual Delivery: Office 365 and Configure Dual Delivery: Microsoft Exchange.

Evaluate All Messages

All messages sent into your organization, out of your organization, and within your organization are ingested and evaluated by the Sensor. This selection requires that messages are journaled and that you identify domains for which you accept email.

Cloud Gateway Settings

Settings Description
Messaging Platform

Defines the messaging platform. Select:

  • G Suite (formerly Google Apps for Work)
  • Microsoft Office 365 or Exchange Online (journaled)
  • Microsoft Exchange Server (journaled)
  • Other
  • Exchange Hybrid (journaled)

SEG Information

These settings are optional. When used, they help optimize sensor operation.

  • SEG acting as MX: Defines the identity/brand of the secure email gateway (SEG) that is acting as the mail exchange (MX). Select:
    • Cisco
    • Proofpoint
    • Symantec
    • Mimecast
    • EOP (Exchange on-premise)
    • Google
    • Other
  • SEG Location: Defines the location of the secure email gateway (SEG). Select:
    • Cloud
    • On-Prem
Original-To Header Name

Used only for Sensor processing overrides. Leave as-is unless instructed otherwise by Fortra Cloud Email Protection.

When a value is entered in this field, the value replaces the Original-To Header when the message is processed by the Sensor. This can help you identify Sensor-processed messages when you are creating policies.

Original-Mail-From Header Name

Used only for Sensor processing overrides. Leave as-is unless instructed otherwise by Fortra Cloud Email Protection.

Affiliate Admin

Setting Description
Ingest

Enables the CEP data pipeline to ingest the organization's message data.

NOTE: This depends on the Graph Ingest or Journaling that you set up.

Parsing

Set to valid after initial setup. Before setting parsing to valid status, confirm in the CEP web application that properly formatted message data is being ingested. This ensures that only valid data is fed into scoring models.

Internal MTA IPs

List IP addresses for any upstream MTA sending traffic that you want to capture. The form accepts CIDR notation for specifying ranges of IP addresses.

NOTE: Use this only in the case of upstream MTAs.

Allowed Forwarding IPs

Determines the IP addresses from which Sensors will accept forwarded messages. One or more IP addresses entered in this field will prevent mail forwarding from any IP address not listed.

TIP: This is generally used for heightened security measures, and is typically left blank.

This also affects the testing of SMTP connections.

To add an IP address to the list, enter an IP address into the IP Address field, and then click Add. The IP addresses in this list should be only the IP addresses of the servers in your email infrastructure that forward messages to Sensors.

Message Processing

Message Components

Setting Description

Choose which components of messages are uploaded for analysis by CEP.

Fortra Cloud Email Protection recommends that you enable all message components.

Message Components

Determines which components of messages to upload to the sensor for analysis. Fortra Cloud Email Protection recommends analyzing all available message components. All components are selected by default.

The "Include" options (subject header and full From, Reply-to, and Envelope Recipient addresses) allow the sensor to better analyze the message metadata, resulting in more accurate scoring.

The Process message content option allows the sensor to extract only the attachments and URIs from the body of the message and analyze only those components for maliciousness. Non-attachment and non-URL content is not analyzed and is discarded immediately after attachment and URL extraction. You can also choose to display all URIs (default) or only malicious URIs when you view message details.

Processing Exceptions

Setting Description

Processing exception settings are rules that tell Cloud Email Protection which messages it should not evaluate or process.

Messages that meet any of these rules will not be evaluated by the Sensor, scored for threats, or managed by policies.

Messages not processed by Cloud Email Protection do not appear, individually or cumulatively, in reports or searches.

Office 365 Spam Processing

For Office 365 organizations only.

When a message is sent through Office 365 spam filtering, it is assigned a spam score, which is mapped to a spam confidence level (SCL) rating. Spam scores of 5 and above are considered spam by Office 365 and are moved by default to users' Junk folders. (Source: Spam confidence levels.)

Some organizations have configured a different spam score on Office 365 for which messages are sent to users' Junk folder. Because you generally do not want Cloud Email Protection to process messages that Office 365 has already determined to be spam, the optimal value for this setting is the same as the organization's Office 365 value.

Message Scoring Exception Rules

Defines rules that tell Cloud Email Protection which messages to skip processing for. These rules act similarly to message-handling rules in email clients. You select the rule type and enter a value for that type.

Rules are available for headers found in messages, including:

  • IP address or CIDR
  • MAIL FROM domain
  • From:
  • To:
  • Subject:
  • X-Header

To add an exception rule, select a rule type, enter a single value, click Add, and then click Save.

The value field accepts only one value (for X-Header, a header name and optionally a header value) and does not support wildcards or regular expressions. Matching is a strict exact text match, except for Subject, which matches when the message subject contains the entered value anywhere. The value is validated before you can add the exception rule.

To delete an exception rule, click the next to a rule.
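
The matching behavior described above, modelled as an added example (not Fortra code) that you can use to reason about which messages a rule set would exclude from evaluation, scoring, and reports. The rule-type keys, message field names, case-sensitive comparison, and the treatment of an X-Header rule without a value as a presence check are assumptions; all rules and messages are constructed.

```python
import ipaddress

# Added illustration; not Fortra code. Rule-type keys, message field names,
# and case-sensitive comparison are assumptions; all sample data is constructed.

def rule_matches(rule, msg):
    """True if one exception rule matches a message (modelled semantics)."""
    kind, value = rule["type"], rule["value"]
    if kind == "ip":  # single address or CIDR range
        return ipaddress.ip_address(msg["source_ip"]) in ipaddress.ip_network(value, strict=False)
    if kind == "subject":  # the one non-exact rule: substring anywhere
        return value in msg["subject"]
    if kind == "x_header":  # header name, optionally with an exact value
        present = rule["name"] in msg["x_headers"]
        return present and (value is None or msg["x_headers"][rule["name"]] == value)
    # mail_from_domain, from, to: strict exact text match, no wildcards
    return msg[kind] == value


def skipped_by(rules, msg):
    """Return the rules that would exclude msg from evaluation; any one suffices."""
    return [r for r in rules if rule_matches(r, msg)]


RULES = [  # constructed
    {"type": "ip", "value": "192.0.2.0/28"},
    {"type": "mail_from_domain", "value": "example.com"},  # does not cover subdomains
    {"type": "subject", "value": "Invoice"},
    {"type": "x_header", "name": "X-Scanner", "value": None},
]

MESSAGES = [  # constructed
    {"id": "a", "source_ip": "192.0.2.14", "mail_from_domain": "mail.example.com",
     "from": "ops@example.com", "to": "it@example.org", "subject": "Nightly job", "x_headers": {}},
    {"id": "b", "source_ip": "198.51.100.7", "mail_from_domain": "mail.example.com",
     "from": "billing@example.net", "to": "ap@example.org",
     "subject": "RE: Overdue Invoice 4471", "x_headers": {}},
    {"id": "c", "source_ip": "198.51.100.7", "mail_from_domain": "example.net",
     "from": "a@example.net", "to": "b@example.org", "subject": "Hello",
     "x_headers": {"X-Scanner": "any"}},
    {"id": "d", "source_ip": "192.0.2.16", "mail_from_domain": "mail.example.com",
     "from": "a@example.com", "to": "b@example.org", "subject": "invoice", "x_headers": {}},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["id"], [r["type"] for r in skipped_by(RULES, m)])
```

Message "b" shows why Subject rules deserve the most review: any message whose subject contains the value is skipped regardless of sender, whereas the exact-match domain rule does not even cover the subdomain in messages "a", "b", and "d".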

Enforcement

General

Enforcement Settings
Enforcement allows you to create policies that move messages to a designated folder in the end-user's inbox. Enforcement is available for Gmail, Office 365, and Exchange Web Services (EWS) environments only.
Enforcement Enabled

When set to Enable, allows policies to enforce rules on messages based on policy settings.

TIP:

After you disable Enforcement in CEP, you need to log in to Microsoft Azure as Global Admin to delete the Fortra Cloud Email Protection Enforcement from the Application.

Enforcement Labels

The default enforcement folder can be changed and additional folders set in the Enforcement Settings. These folders are displayed in the Enforce Actions for all Policies in Create / Edit Policy and are the names of the folders or labels that end users will see in their mail client.

NOTE:

The Default Label is set to Fortra-Quarantine.

Microsoft API Permission

Setting Description

Fortra Cloud Email Protection requires authorization to access data in Microsoft APIs for functionality of certain features like Ingest, Enforcement, Address Groups, and Investigation analysis.

Enforcement

Create, update, and delete email in user mailboxes

Enabling these permissions allows investigation analysis of user emails and the enforcement of messages.

To enable these permissions, you need to have the following mail privileges:

  • Mail.ReadWrite

  • User.Read.All

User Account

NOTE:

User Account features are not applicable for organizations using the CEP Platform.

User Account Settings

Setting Description
Single Sign-On

Determines whether your users need to enter a password in addition to their user name to access Cloud Email Protection or whether they can use your existing authentication. See Single Sign-On (SSO) and Enable Single Sign-On for Your Organization for more information.

Session Inactivity Logoff

Determines how long users can stay signed in to Cloud Email Protection before they get signed out automatically. The default is 12 hours.

Session Absolute Logoff

Determines how automatic log off happens. Select from:

  • Relative (default): Automatic log off happens if no activity in Cloud Email Protection happens within the time period set in the Session Inactivity Logoff setting.
  • Absolute: Automatic log off happens when the time period set in the Session Inactivity Logoff setting expires after log in. In other words, the Session Inactivity Logoff clock starts at log in and does not reset for any user activity. This setting may result in users being logged off while they are in the middle of an activity.

Password expiration

Determines the time period before users have to select a new password. The default is Never.

Maximum failed login attempts

Determines how many times a user can attempt logins without success before being locked out and requiring a new activation link to be sent. Select Disabled if you do not want to limit login attempts.

Password policy

When you require a password for login (non-SSO), determines the minimum complexity of the password. The default is:

  • Minimum length: 10 characters
  • Minimum upper case characters: 1
  • Minimum lower case characters: 1
  • Minimum symbols (non-alpha-numeric characters): 1
  • Minimum numbers: 1
  • Prevent password reuse for N past passwords: 0

Select Custom to modify any of these password characteristics for your users.
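
The difference between the Relative and Absolute options of the Session Absolute Logoff setting, worked through on one timeline as an added example (not Fortra code). The function name and the activity timeline are constructed; the 12-hour period is the documented Session Inactivity Logoff default.

```python
from datetime import datetime, timedelta

# Added illustration; not Fortra code. Function name and the sample timeline
# are constructed; the 12-hour value is the documented default.

def logoff_time(login, activity, period, mode):
    """Return when the session is automatically logged off.

    relative: the clock restarts at each user action that arrives in time.
    absolute: the clock starts at login and never resets.
    """
    if mode == "absolute":
        return login + period
    if mode != "relative":
        raise ValueError(f"unknown mode: {mode}")
    deadline = login + period
    for ts in sorted(activity):
        if ts >= deadline:      # session already ended before this action
            break
        deadline = ts + period  # activity inside the window resets the clock
    return deadline


PERIOD = timedelta(hours=12)
LOGIN = datetime(2024, 1, 8, 8, 0)
ACTIVITY = [LOGIN + timedelta(hours=h) for h in (5, 11, 19, 40)]  # constructed

if __name__ == "__main__":
    for mode in ("relative", "absolute"):
        print(mode, logoff_time(LOGIN, ACTIVITY, PERIOD, mode))
```

On this timeline the Relative session stays alive for 31 hours because each action arrives inside the window, while the Absolute session ends 12 hours after login no matter how active the user is.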

Continuous Detection and Response

To view or edit CDR organization settings:

  • For Organizations using CEP Platform, go to Analyze > Continuous Detection and then click .

  • For non-platform organizations, go to Manage > Continuous Detection and then click .

Settings Description

The Continuous Detection and Response (CDR) Settings section controls how CDR operates in your organization.

See Continuous Detection and Response for more information.

Default Enforcement - Event Source

Determines the default action for messages determined to be a threat by the CDR threat feeds. For each available threat feed, select:

  • Monitor only (no Action) - This is the initial default action. No actions are taken on messages determined to be threats by CDR, but information about those messages populates the CDR list.
  • Move to folder [folder name] - Messages determined to be a threat are moved to the selected folder in users' mail stores, basically a quarantine action. Depending on how your system is configured, you may have multiple folders to choose from. The folders in this list are the ones you define in the Enforcement Settings section. You may, for example, want messages quarantined by CDR moved to a different folder than messages quarantined by policies you define specifically.
  • Delete - Messages determined to be a threat are deleted.

TIP: Because CDR threat feed rules that affect how messages are identified for enforcement are created for a scope of messages much larger than your organization's message stream and because a Delete action is irreversible, you may want to choose Monitor or Move initially to evaluate how each CDR source affects messages specifically in your organization.

Notify Recipients

A list of one or more email addresses. A message will be sent to the addresses in this list when a CDR event matches any messages.

TIP:

For a large organization, CDR could generate many messages. Consider creating:

  • An email account specifically for receiving these messages.
  • A filter in your email client to move these messages to a separate folder.

Address Group

To view or edit Address Group Organization settings, go to Manage > Address Group, and then click .

Setting Description
Reset Microsoft Entra ID Config

Click RESET to disconnect the address group from the selected organization.

Address Group Sync

Connect to and synchronize with your Azure Active Directory

Enabling these permissions allows you to quickly create address groups for use in policies, as well as determine the location of users' mailboxes (on-premises or in the cloud) for enforcement.

To enable this permission, you need to have the following mail privilege:

  • Directory.Read.All