Phishing Response Settings

The Settings page is where you manage Phishing Response users, organization settings, and Phishing Response configuration. The Settings page contains the following tabs:

  • Users
  • Organization
  • Configuration

To view Phishing Response settings, click the Settings tab at the top of the page.

Users Tab

The Users tab is where you add, edit, and delete Phishing Response users. (See User Accounts for details.) Existing Phishing Response users are listed in alphabetical order by first name. Click the down arrow in the Role column next to a user's name to view the roles that have been assigned to the user.

Organization Tab

The Organization tab contains settings that define your organization, as well as global user settings and settings for how Phishing Response interacts with other products.

NOTE: You can make changes to the organization settings only if you have the Organization Administrator role.

Setting Description
Administrative
Organization Name

The name of your organization. This is what you see wherever there is information displayed about or relating to your organization, such as audit trails. Contact your Agari representative to change the organization name.

Symbolic Name

A unique string created from the initial organization name to uniquely define the organization. This identifier is used by the system and is viewable only here. It cannot be changed.

Subdomain

The part of the application URL that is unique to your organization. It is a subdomain of air.agari.com.

TIP: Use caution when deciding to change this value. You may break links, bookmarks, and other connections to Phishing Response.

Creation Date

The date and time that the organization was created. Click to toggle between local time and UTC (Coordinated Universal Time).

Primary Administrative Contact

The Phishing Response user who is considered to be your organization's primary contact with Agari support.

Classification
Overview

An organization's classification settings are used for reporting, especially for comparing an organization's aggregate data to industry peer aggregate data. See Reports for more information.

Region

This is used to determine geographic peers.

Industry

This is used to determine industry peers. If your organization isn't categorized by one of the defined choices, select Other.

Mailboxes

This is used to determine peers based on mailbox size range as a proxy for organization size.

Exact Mailbox Count

Enter the actual number of mailboxes in your organization. This should be a number in the range you selected above.

User Account Settings
Session Inactivity Logoff

Determines how long users can stay signed in to Phishing Response before they get signed out automatically. The default is 12 hours.

Session Absolute Logoff

Determines how automatic log off happens. Select from:

  • Relative (default): Automatic log off happens if there is no activity in Phishing Response within the time period set in the Session Inactivity Logoff setting.
  • Absolute: Automatic log off happens when the time period set in the Session Inactivity Logoff setting expires after log in. In other words, the Session Inactivity Logoff clock starts at log in and does not reset for any user activity. This setting may result in users being logged off while they are in the middle of an activity.

Password expiration

Determines the time period before users have to select a new password. The default is Never.

Maximum failed login attempts

Determines how many times a user can attempt logins without success before being locked out and requiring a new activation link to be sent. Select Disabled if you do not want to limit login attempts.

Password policy

When you require a password for login (non-SSO), determines the minimum complexity of the password. The default is:

  • Minimum length: 10 characters
  • Minimum upper case characters: 1
  • Minimum lower case characters: 1
  • Minimum symbols (non-alpha-numeric characters): 1
  • Minimum numbers: 1
  • Prevent password reuse for N past passwords: 0

Select Custom to modify any of these password characteristics for your users.

MS Graph

Phishing Response requires access to the Microsoft Graph service to function, and access to Microsoft Graph requires one-time authorization. This setting indicates if that access is authorized. See Authorize Microsoft Graph for details.

Continuous Detection and Response
Overview

Continuous Detection and Response (CDR) is an Agari Secure Email Cloud technology in the Phishing Defense product that gets one of its threat feeds from Phishing Response and allows organizations to prevent or mitigate data breaches as new threat intelligence is discovered. The Agari SOC (Security Operations Center) Network provides human-vetted threat intelligence via Phishing Response to Agari Continuous Detection and Response organizations.

Do not share information from closed malicious investigations

  • Clear this check box (the default state) to allow information sharing.
  • Select this check box to prevent information sharing. (This will prevent CDR from receiving the Agari SOC Network Feed.)

Configuration Tab

The Configuration tab contains settings to configure how Phishing Response works.

Setting Description
Enforcement
Enforcement Label(s)

Defines folder names (sometimes referred to as "tags") where messages can be moved when you are remediating an incident. (See Remediate an Incident.)

The first field is the default. The second field allows you to define additional folders/tags by entering a folder/tag name and then clicking Add. When you have additional folders, you can click and drag them into the order you want them to appear in the Enforcement action drop down list in the Enforce Now dialog box.

 

Message Preview
Show images for message previews by default

Determines whether images in the message preview pane are shown or hidden by default when you select an investigation.

In the upper-right of the message preview pane, there is a Show/Hide Images button where you can toggle image viewing on any individual message preview.

Attachments
Automatically upload attachments for reported messages to

This section allows you to select which service(s) you want attachments uploaded to automatically for analysis when messages with attachments are reported as malicious. (You can always analyze attachments manually from an investigation with any of these services. See Analyze Attachment Details for details.)

For all attachments, hash-based lookups are enabled through VirusTotal by default.

Hybrid Analysis and Agari are not selected by default. These are "sandbox" scanners that open an attachment in a secure, isolated environment, a process called detonation. This takes a bit longer and reads the entire content of an attachment.

URLs
Automatically analyze URLs at VirusTotal for reported messages

This section allows you to enable automatic URL analysis when messages with URLs are reported as malicious. (You can always analyze URLs manually from an investigation. See Analyze URL Details for details.)

You can also define one or more domains for which analysis will not be performed when URLs containing those domains are found in messages reported as malicious.

To whitelist a domain, enter a domain and click Add.

You can use * as a wildcard in the domain name. For example:

  • foo.com will exclude URLs from foo.com, but not bar.foo.com.
  • *.foo.com will exclude URLs from bar.foo.com, and any other subdomain of foo.com, but not the root domain of foo.com.

NOTE: Because of how the World Wide Web and its servers are designed, both www.foo.com and foo.com work in your browser to go to the domain foo.com. Technically, www. is a sub-domain of foo.com, but web servers are configured to hide this and to serve up the correct resource no matter which URL is used. In whitelisting, however, if you enter just foo.com as a whitelist entry, www.foo.com will not be whitelisted. So for any root domains you want to whitelist, make sure you create two whitelist entries, the root URL and the www. URL.
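
The matching rules above can be checked against a planned exclusion list before it is entered. The following is an added example, not Agari's code: it handles only the leading `*.` wildcard form shown in the examples, the function names and sample entries are constructed for illustration, and it treats every plain, non-www entry as a root domain when looking for the missing www. entry described in the NOTE.

```python
from urllib.parse import urlsplit

# Constructed sample exclusion list and reported URLs (not real data).
ENTRIES = ["foo.com", "*.partner.example", "example.org", "www.example.org"]
URLS = [
    "https://foo.com/a",                  # exact entry: skipped
    "https://www.foo.com/a",              # no www. entry: still analyzed
    "https://bar.foo.com/a",              # foo.com does not cover subdomains
    "https://mail.partner.example/x",     # wildcard covers subdomains
    "https://partner.example/x",          # wildcard does not cover the root
    "https://foo.com.example.net/login",  # different domain: still analyzed
]

def _norm(entry):
    return entry.strip().lower().rstrip(".")

def host_of(url):
    """Hostname of a URL, lower-cased, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def entry_matches(entry, host):
    """Apply one exclusion entry to a hostname using the rules in the text."""
    entry = _norm(entry)
    if entry.startswith("*."):
        suffix = entry[1:]  # ".foo.com": the dot keeps foo.com itself out
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == entry    # plain entry: exact hostname only

def is_excluded(url, entries):
    """True if URL analysis would be skipped for this URL."""
    host = host_of(url)
    return bool(host) and any(entry_matches(e, host) for e in entries)

def missing_www_pairs(entries):
    """www. entries to consider adding, per the NOTE on root domains.
    Assumption: every plain, non-www entry is treated as a root domain."""
    norm = {_norm(e) for e in entries}
    return ["www." + e for e in sorted(norm)
            if not e.startswith(("*.", "www."))
            and "www." + e not in norm and "*." + e not in norm]

if __name__ == "__main__":
    for url in URLS:
        print("skip   " if is_excluded(url, ENTRIES) else "analyze", url)
    print("consider adding:", missing_www_pairs(ENTRIES))
```

Matching is done on the parsed hostname rather than on the URL string, so a URL that merely contains an excluded domain elsewhere in its host or path is still sent for analysis.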