Organization Settings

Defines if the organization is:

• Eval: Reviewing Cloud Email Protection
• Subscriber: Has paid for Cloud Email Protection
• Partner:
• Internal:

An organization's classification settings are used for reporting, especially for comparing

an organization's aggregate data to industry peer aggregate data.

Thresholds for Attack Types

(Used for all reports)

For each attack type, you can select:

• Untrusted - Message Trust Score between 0.0 and 1.0
• Untrusted and Suspicious - Message Trust Score between 0.0 and 5.0

Messages with a Trust Score of between 0.0 and 1.0 (on a scale of 0.0 to 10.0) are considered untrusted.

Messages with a Trust Score greater than 1.0 and up to 5.0 are considered suspicious.

This setting allows you to define whether you want reports for each attack type to contain only untrusted messages or both untrusted and suspicious messages.

The default for all attack types except Domain Spoof is Untrusted and Suspicious. For Domain Spoof the default is Untrusted.

Defines the domains for which you accept messages. Required if you select All messages in Evaluate Messages.

This should be a list of your domains, including subdomains, that receive your email messages. For example, mycompany.com is your domain, but you have mail.mycompany.com as your email server. These, (and possibly others) should be in this list. Cloud Email Protection uses this list to help determine message directionality.

Domains you add to this list will automatically be tagged as internal (if they do not already have a tag). Domains tagged as internal before enabling IIP are also automatically added to this list. If a domain is tagged as internal after IIP is enabled, it is not automatically added to the Accepted Domains list. For more information see Domain Tags

To Add to the Accepted Domain list:

• Enter the Domain name and Click ADD to add the domain as part of your organization for which you accept messages.

To Delete a Domain from the Accepted List:

• Click next to the Domain Name you want to delete from the Accepted Domain List.

An organization's message settings determine what messages Cloud Email Protection will ingest.

These settings are only available if the Messaging Platform setting in the Sensor Settings section is Microsoft Office 365 or Exchange Online (journaled) or Microsoft Exchange Server (journaled).

You will also need to have journaling configured correctly, as explained in

Configure Dual Delivery: Office 365 and Configure Dual Delivery: Microsoft Exchange.

All messages sent into your organization, out of your organization, and within your organization are ingested and evaluated by the Sensor. This selection requires that messages are journaled and that you identify domains for which you accept email.

Defines the messaging platform. Select:

• G Suite (formerly Google Apps for Work)
• Microsoft Office 365 or Exchange Online (journaled)
• Microsoft Exchange Server (journaled)
• Other

• Exchange Hybrid (journaled)

These settings are optional. When used, they help optimize sensor operation.

• SEG acting as MX: Defines the identity/brand of the secure email gateway (SEG) that is acting as the mail exchange (MX). Select:
  • Cisco
  • Proofpoint
  • Syamentec
  • Mimecast
  • EOP (Exchange on-premise)
  • Google
  • Other
• SEG Location: Defines the location of the secure email gateway (SEG). Select:
  • Cloud
  • On-Prem

Used only for Sensor processing overrides. Leave as-is unless instructed otherwise by Fortra Cloud Email Protection.

When a value is entered in this field, the value replaces the Original-To Header when the message is processed by the Sensor. This can help you identify Sensor-processed messages when you are creating policies.

NOTE: This depends on Graph Ingest or Journaling you set up.

List IP addresses for any upstream MTA sending traffic that you want to capture. The form accepts CIDR notation for specifying ranges of IP addresses.

NOTE: Use this only in the case of upstream MTAs.

Determines the IP addresses from which Sensors will accept forwarded messages. One or more IP addresses entered in this field will prevent mail forwarding from any IP address not listed.

TIP: This is generally used for heightened security measures, and is typically left blank.

This also affects the testing of SMTP connections.

To add an IP address to the list, enter an IP address into the IP Address field, and then click Add. The IP addresses in this list should be only the IP addresses of the servers in your email infrastructure that forward messages to Sensors.

Choose which components of messages are uploaded for analysis by CEP.

Fortra Cloud Email Protection recommends that you enable all message components.

Determines which components of messages to upload to the sensor for analysis. Fortra Cloud Email Protection recommends analyzing all available message components. All components are selected by default.

The "Include" options (subject header and full From, Reply-to, and Envelope Recipient addresses) allow the sensor to better analyze the message metadata, resulting in more accurate scoring.

The Process message content option allows the sensor to extract only any attachments and URIs from the body of the message and analyze only those components for maliciousness. Non-attachment and non-URL content is not analyzed and is discarded immediately after attachment and URL extraction. You can also choose to display all URIs (default) or only malicious URIs when you view message details.

Processing exception settings are rules that tell Cloud Email Protection which messages it should not evaluate process.

Messages that meet any of these rules will not be evaluated by the Sensor, scored for threats, or managed by policies.

Messages not processed by Cloud Email Protection do not appear, individually or cumulatively, in reports or searches.

For Office 365 organizations only.

When a message is sent through Office 365 spam filtering, it is assigned a spam score, which is mapped to a spam confidence level (SCL) rating. Spam scores of 5 and above are considered spam by Office 365 and are moved by default to users' Junk folders. (Source: Spam confidence levels.)

Some organizations have configured a different spam score on Office 365 for which messages are sent to users' Junk folder. Because you generally do not want Cloud Email Protection to process messages that Office 365 has already determined to be spam, the optimal value for this setting is the same as the organization's Office 365 value.

Defines message rules, rules that tell Cloud Email Protection for which messages to skip any processing. These rules act similarly to message-handling rules in email clients. You select the rule type and enter a value for that type.

Available rules are for headers found in messages, headers that include:

• IP address or CDR
• MAIL FROM domain
• From:
• To:
• Subject:
• X-Header

To add an exception rule, select a rule type, enter a single value, click Add, and then click Save.

The value field accepts only one value (or in the case of X-Header, an X-Header itself and optionally an X-Header value), and does not support wild cards or regular expressions. It is a strict exact text match only (except for Subject, where any subject must contain the entered value anywhere in the message subject to match), and validates for correct values before you can add the exception rule.

To delete an exception rule, click the next to a rule.

When set to Enable, allows policies to enforce rules on messages based on policy settings.

The default enforcement folder can be changed and additional folders set in the Enforcement Settings. These folders are displayed in the Enforce Actions for all Policies in Create / Edit Policy and are the names of the folders or labels that end users will see in their mail client.

Fortra Cloud Email Protection requires authorization to access data in Microsoft APIs for functionality of certain features like Ingest, Enforcement, Address Groups, and Investigation analysis.

Enforcement

Create, update, and delete email in user mailboxes

Enabling these permissions allows investigation analysis of user emails and the enforcement of messages.

To enable these permissions you need to have following mail privileges :

• Mail.ReadWrite

• User.Read.All

Determines how automatic log off happens. Select from:

• Relative (default): Automatic log off happens if no activity in Cloud Email Protection happens within the time period set in the Session Inactivity Logoff setting.
• Absolute: Automatic log off happens when the time period set in the Session Inactivity Logoff setting expires after log in. In other words, the Session Inactivity Logoff clock starts at log in and does not reset for any user activity. This setting may result in users being logged off while they are in the middle of an activity.

When you require a password for login (non-SSO), determines the minimum complexity of the password. The default is

• Minimum length: 10 characters
• Minimum upper case characters: 1
• Minimum lower case characters: 1
• Minimum symbols (non-alpha-numeric characters): 1
• Minimum numbers: 1
• Prevent password reuse for N past passwords: 0

Select Custom to modify any of these password characteristics for your users.

The Continuous Detection and Response (CDR) Settings section controls how CDR operates in your organization.

See Continuous Detection and Response for more information.

Determines the default action for messages determined to be a threat by the CDR threat feeds. For each available threat feed, select:

• Monitor only (no Action) - This is the initial default action. No actions are taken on messages determined to be threats by CDR, but information about those messages populates the CDR list.
• Move to folder [folder name] - Messages determined to be a threat are moved to the selected folder in users' mail stores, basically a quarantine action. Depending on how your system is configured, you may have multiple folders to choose from. The folders in this list are the ones you define in the Enforcement Settings section. You may, for example, want messages quarantined by CDR moved to a different folder than messages quarantined by policies you define specifically.
• Delete - Messages determined to be a threat are deleted.

TIP: Because CDR threat feed rules that affect how messages are identified for enforcement are created for a scope of messages much larger than your organization's message stream and because a Delete action is irreversible, you may want to choose Monitor or Move initially to evaluate how each CDR source affects messages specifically in your organization.

A list of one or more email addresses. A message will be sent to the addresses in this list when a CDR event matches any messages.

Address Group Sync

Connect to and synchronize with your Azure Active Directory

Enabling these permissions allow you to quickly create address groups for use in policies, as well as determine the location of users mailboxes (on-premises or in the cloud) for enforcement.

To enable this permission you need to have following mail privilege :

• Directory.ReadAll