Avanan: Frequently Asked Questions (FAQs)

General

When does the Tenant POC start?

The trial period starts on creation of the Avanan tenant regardless of when we’re integrated with O365, so only spin up portals for trials when you’re ready to integrate.

Can I Extend the Trial Period?

No. We find that this ensures that people engage with Avanan only when they have the time to do so properly. On the last day of the POC, the license WILL expire, your tenant will default to a “Pending” mode, and access will be disabled. In this mode Avanan is not active and will not collect data so there will be no information displayed in the portal.

What Happens When the Trial Period Ends?

After the trial expires, you will not be able to access the Avanan menus and functions.

During this time, emails still flow through Avanan and are enforced just as before dashboard access was revoked.

Are historical emails scanned?

Avanan will start collecting emails and metadata during the initial tenant integration. During the next 24 hours, Avanan will scan and collect information on as many historical emails as possible. For small environments, this could be a years worth of email, but for larger environments, it could be as little as a couple of days. It’s completely dependent on the size of the environment.

What kind of training is available?

In order to gain the most from Avanan, MSS has put together a playlist of Avanan Partner Training videos for your reference. Check back regularly as more “How-To” videos are regularly added/updated.

• Partner Avanan Training – YouTube

How long are emails held/Data Retention?

Email retention is determined by the configured Data Retention Policy. The Data Retention Policy describes how long Avanan stores emails from Microsoft 365 or Gmail in its database. You can search and view emails stored in the database using Mail Explorer and Custom Queries.

Data Retention Policy for Emails

Prerequisites

• The user must have Admin privileges.
• In Configuration > User Management, select Allow drill-down into the customer data under Alerts and Reports.

Default Retention Period of Emails

By default, Avanan retains the emails as follows:

Note - Avanan keeps backend logs on emails for seven days after the email is delivered.

Customizing Retention Period of Emails

Avanan allows you to customize the email retention period based on the verdict of the security engines.

To configure custom retention periods for raw emails:

1. Go to Configuration > Customization.
2. Under Email Retention Settings, select Custom.
3. Based on the security engines' verdict and quarantine state, select the number of days you need to retain an email.
4. Click Save and Apply.

Notes:

• Any changes to the retention period take effect within 24 hours and apply only to new emails.
• Emails get deleted at the end of the day (UTC time zone) of each retention period. Sometimes, it may take extra time for the delete action to be completed.

Auditing

Avanan audits all the changes to the retention period and adds them to the System Logs (Audit > System Logs).

Available Actions on Emails During and After the Retention Period

Actions you can perform after you open an email:

 

Can I Manage MSP Users?

Yes! Avanan MSP Portal supports similar user management capabilities as the Avanan Portal, including Role assignment, tenant permissions, etc. With the MSP Portal roles and permissions, there is now no need to drill down into the Avanan Portal to configure the user. All the attributes are controlled from the MSP Portal.

Creating MSP Users

To create a new user:

Go to Settings, expand User Management and click Create User.

In the Create User pop-up that appears, enter the user’s First Name, Last Name and Email.

Expand MSP Portal Settings and modify the following settings:

Role: Select the desired role for the user.

MSP Admin – full access to all tenants in the MSP Portal and to the MSP Portal settings (User Management, Branding etc.)

MSP Help Desk – no access to MSP Portal settings.
Administrators can also choose to limit the access an MSP Help Desk user has to customer tenants as follows:

Grant access to all tenants except select ones.

Grant access only to select customer tenants.

Tenant Access: Select the applicable tenants that the user should (or should not) have access to.

Expand Customer Portal Settings and modify the following settings:

Role: the role associated with the user in the managed tenants.

Advanced options:

Allow drill-down toto customer data: Allow admin to view emails content (on tenant portal). Viewing email content is audited.

All User Data: Access to all user data is allowed.

When Detection Exists: Access user data only when a security engine detection exists for them.

Send alerts: Allow admin to resend alerts to users.

Receive Weekly Reports: Admin will receive weekly admin reports from each tenant.

Enable Password Login: Check this so that the user can log in with a password.

Enable SAML Login: Check this if you would like to log into the Avanan MSP portal with your MSS EVO credentials.

Click Save.

Can I Add Email Banners?

Yes! Avanan provides a variety of automated actions that the security administrator can choose from - such as quarantine malicious emails.

For suspected (low confidence) email detections, the administrator can choose to allow the email to be delivered to the inbox. In such cases, Avanan allows to embed a warning banner in the email explaining the nature and potential risk to the end-users.

Note - Warning banners are available only in Protect (Inline) and Detect and Prevent modes.

Email Protection - Warning banners

Types of warning banners

Warning banners are generated based on these detection attributes:

Suspected phishing: This email contains elements that may indicate "Phishing" intent - aimed at tricking you to disclose private/financial information or even your credentials.

Encrypted Attachments: Be careful when opening this email. It is carrying an encrypted attachment - often used for evading virus scans. Make sure you trust this email before opening the attachment.

Password Protected Attachments: The email contains an attachment which is protected with a password. The user must provide password for the  engine to scan the attachment for malicious content.

Configuring warning banner

To configure warning banners:

Go to Policy.

Open Threat Detection policy for the required SaaS.

Select the workflow for which the banner has to be configured.

To customize the banner (text, background color etc.), click the gear icon next to the workflow.

Click Save and Apply.

Warning banner samples

Warning banner for suspected phishing emails.

Warning banner for emails having encrypted attachments.

Warning banner for emails having password protected attachments. 

Licensing

MSS calculates usage on the 1st day of the month for the previous month.

How do I Change/Apply Licenses

To change a tenants license

Log into the MSP portal

Select the applicable Tenant and click the “License” button.

Choose the applicable license from the drop-down menu.

Type in the number of Licensed users - There are 2 options for this:

Option 1: Make the max number greater than the actual number of user licenses by 25. If there are 30 actual users, the max number should be 55.

This allows new users created in M365 to automatically be protected. This is the recommended option.

Option 2: Make the max number exactly the same as the number of users the tenant has. This will NOT automatically protect new users created in M365 so this option is not recommended.

Click “Update License” - The tenant is now fully licensed.

The tenant will now show the max user count next to the Total users in the MSP portal.

You now need to make sure the correct users are licensed.

Log into the tenant and go to the Configuration →Licenses page.

From here, make sure the desired users are licensed by selecting them and clicking “assign”.

You may also “exclude” users from licensing, so they are not billed by selecting them and clicking “Un-Assign”.

How Do I View License Usage

License usage can be viewed from the MSP portal

Once logged in, go to Manage Tenants. Here you can see the list of tenants along with their packages (license type), POC status, total & Max users.

To export a CSV list simply slick Export. There is no need to select any tenants as the exported file will contain all tenants listed under the MSP

Avanan Add-Ons

Archiving

Avanan Archiving is a cloud-based archiving solution for preserving email communications. Archiving provides organizations with a variety of tools for one or more of these reasons:

Business continuity and disaster recovery

Email Backup and recovery of emails deleted by end-users or because of technical malfunction

Regulatory compliance and records management

Litigation and Legal Discovery

Prove chain of custody and keep the authenticity of emails.

How to Configure Email Archiving

Activating Email Archiving

After your purchase request is processed, Archiving gets activated automatically.

After activation, Archiving starts archiving all the emails sent from and received by the protected user’s mailboxes (users that are assigned Avanan license).

Note - Though Archiving starts archiving the emails immediately, it might take up to 48 hours for these emails to be available in the Archive Search (Archiving > Archive Search).

If required, administrators can import the archived emails from an external source.

Archived Emails

After activating Archiving, all the internal, outgoing, and incoming emails (sent or received) from protected users will be archived.

For users not licensed for Avanan, the emails will not be archived.

Emails that were sent before activating Archiving are not archived.

Emails will be stored for a period of 7 years and will be automatically deleted afterwards.

Avanan encrypts and stores the archived emails in the same region as your tenant in the Avanan Portal.

Viewing Archived Emails

From the Archive Search screen, administrators can use filters and search for the required emails. The Archive Search screen gives a detailed view of all the archived emails (whether they have been archived or imported from an external source).

Note - After the emails are archived, it takes up to 48 hours for the archived emails to appear in the Archive Search.

Importing Emails to Archive

Administrators can import emails from the email archiving solutions they used in the past or from other sources.

Before importing emails to Archiving:

Export the emails from the 3rd party archiving solution to EML format.

Compress the EML files to ZIP files.
Notes:

Maximum file size supported to import an EML file is 150 MB.

Maximum file size supported to import a ZIP file is 15 GB.

Total file size supported in a single upload session for all the ZIP files is 150 GB.

To import emails to Archiving:

Go to Archiving > Archive Search.

Click Import archive.

In the Import Emails to Archive window that appears, click Get credentials to receive credentials to a temporary upload path.
Note - This upload path and credentials are valid only for 7 days.

Use the path and credentials (Host name, user name and password) to log in to SFTP.

Upload the ZIP file(s) to the uploads folder.

After uploading all the files, click Done uploading.

Click Confirm to initiate the import.
Note - After importing the emails, it takes up to 48 hours for the archived emails to appear in the Archive Search.

Exporting Emails from Archive

If required, administrators can export the archived emails from the Archive. Each archive export creates encrypted ZIP file(s), which includes EML files. If the export file size exceeds 10 GB, then the export is divided into multiple ZIP files, with each file size not exceeding 10 GB.

To export archived emails:

Go to Archiving > Archive Search.

Using filters, refine the search criteria for the required emails.

Select the emails to export, and click Export.

In the Export Archive Emails window that appears, enter the required Export Name and Passphrase for the archive export.

Click OK.
Note - The export process could take several hours. After it is complete, the administrator who initiated the export process receives an email notification.

To download the archive export file(s), go to Archiving > Archive Export.

Click Download for the required export file(s).
Note - The link to download the exported file(s) will only be available for 7 days after the export is completed.

Auditing

Avanan audits all the archive search, archive import, archive export, and archive download actions and adds them to the System Logs (Audit > System Logs).

Incident Response As-A-Service (IRaaS)

The Avanan Incident Response as a Service (IRaaS) leverages Avanan’s team of experts to manage end-user reports of suspicious emails and requests to release quarantined emails. Every time a user reports a suspicious email or asks to have a quarantined email released, the request goes to our highly trained team of experts, instead of to your in-house team.

How it Works

If a user thinks an email is suspicious, all they have to do is press "Report as Phishing," just as they would today. The only difference is that it opens a ticket in Avanan’s system for their analysts to review. Avanan experts will review the email and then choose from a variety of actions. such as:

Releasing from quarantine

Creating whitelists

Creating blacklists

Marking as phishing

Cross- customer mitigation

If a user is notified that an email was quarantined as malicious or phishing, they can request an investigation to ensure that it wasn't a false positive. In this case, Avanan does the investigation and remediates as necessary.

The end-user request is presented within the UI, and there are no changes to user behavior.

When it comes to Restore Request notifications, Avanan analysts may render three distinct determinations when processing these requests:

Malicious Email: In cases where the analyst identifies an email as malicious, the request will be rejected, and the email will remain in quarantine.

Benign Email: If an email is deemed benign by the analyst, the request will be approved, and the email will be restored to the user's mailbox.

Inconclusive: When an analyst is unable to definitively classify an email as either malicious or benign, administrators will be alerted. These emails will necessitate further review.

To ensure that administrators receive notifications in instances of inconclusive determinations, the option to send alerts MUST be enabled for their users. This setting can be accessed by navigating to Settings > User Management from the MSP dashboard.

Kindly note that the updated settings for your users will only take effect within the tenant upon access by your user.

Avanan Security Engines

Anti-Malware

To override the Check Point recommended list of operating systems, go to Security Settings > Security Engines > Anti-Malware (Configure) > Emulation Operating Systems, check the Override Check Point defaults box and select up to 3 different operating systems.

Data Loss Prevention (DLP)

Avanan enables you to create universal policies across multiple cloud applications to control how files are shared amongst internal and external users. Our advanced tools identify and mark files containing confidential, financial, and personally identifiable information, including: credit card numbers, social security numbers, bank routing numbers, or data protected under HIPAA.

DLP and SmartVault are available for both O365 and Gmail.

Custom Regex’s

Custom Regex’s

Can Custom Regex’s be Specified For The Subject?

Yes! However, only 1 phrase for a subject inspection can be specified.

This can be found by going to Policy → Office 365 emails → DLP policy.

Can Custom Regex’s be Specified For The Body?

Yes! However, only 1 phrase for a body inspection can be specified.

This can be found by going to: Configuration → Security Engine → Smart DLP → Configure → custom regex.

In order to use it, you have to select custom regex under a detection type (ex: PII, PCI).

Smart DLP Engine Sensitivity vs Minimum Match Type

Q: What is the difference between the sensitivity in a DLP policy and the Minimum Match Type Count option within the Smart DLP engine?

A: The Minimum Match Type Count option is specifically for the Patient Information compound info type directly above it. If this is set to 4, then if the Patient Name String trigger and 4 of the children types are detected, then this will trigger a DLP event.

Avanan Tenant/Console

What is the Analytics Dashboard?

Analytics Dashboard

Avanan’s Analytics examines the scanned data and presents it in the form of useful information for your analysis and necessary remedial actions.

Analytics is supported for these SaaS applications:

Office 365 Mail

Office 365 OneDrive

Office 365 SharePoint

Gmail

Citrix ShareFile

Microsoft Teams

Google Drive

Slack

Box

To view analytics for a SaaS application:

Go to Analytics > Dashboard.

Select the required SaaS application.

Select the period to view the analytics (Last 24 hours, 7 days, 30 days, 60 days, and 90 days).

Viewing Analytics

Log in to the Avanan portal.

Click Analytics> Analytics.

Select the SaaS application.

Select the period to view the analytics.

Last 24h

Last 7 days

Last 30 days

Analytics for Office 365 Mail and Gmail 

 Office 365 OneDrive

The analytics for Office 365 OneDrive shows an overview of the activity in Office 365 OneDrive.

 Google Drive

The analytics for Google Drive shows an overview of the activity in Google Drive.

 Shadow IT

Shadow IT is hardware or software within an enterprise that is not supported by the organization's central IT department.

This implies that the organization has not explicitly approved the technology, or it does not know that employees are using it.

Avanan's Approach to Shadow IT

Based on email analysis (Office 365 and/or Gmail), Avanan gives you a direct line of sight into cloud applications in use at your company.

Avanan identifies emails from cloud applications to users that suggest they have been using a cloud application. For example, emails containing messages such as "Thank you for registering" or "You have a notification" suggest that a user has been using a cloud application. When such an email is detected in a user's mailbox, a security event is created with the type of Shadow IT.

Avanan inspects all licensed users' emails for Shadow IT.

Shadow IT Dashboard and Events

Shadow IT events are listed under Events. SaaS usage can then be visualized in the Shadow IT dashboard
visible under Analytics & Reports > Shadow IT.

Shadow IT panel and description:

 Shadow IT classifies the severity of events using these terms:

 These actions can be performed on Shadow IT events:

How do I add a Custom Logo?

Custom Logo

You can replace the Avanan logo to show your organization logo in the browser pages, email notifications, and reports Avanan sends to the administrators and users.

To add a custom logo:

Log in to Avanan Portal.

Go to System Settings > Customization.

Enable Custom Logo.
Note - The logo must have these properties.

File type is PNG

File size is less than 2 MB

Logo dimensions ratio is 1/2.5 px, 72 dpi (Horizontal version)

Upload the required logo(s).

To upload the logo compatible with dark backgrounds, under Logo for dark background, click Browse and select the relevant logo.

To upload the logo compatible with white backgrounds, under Logo for white background, click Browse and select the relevant logo.
Notes:

If you upload only one logo, Avanan uses the same logo for dark and white backgrounds.

To have a clear logo compatible with the background, Avanan recommends using separate logos for dark and white backgrounds.

Select where you want to replace the Avanan logo:

To replace the logo in the Security Checkup report, enable the Security Checkup Report checkbox.

To replace the logo in the Daily Quarantine report, enable the Daily Quarantine Report checkbox.

To replace the logo in the browser pages presented to the administrators and users, enable the Browser pages checkbox.

To replace the logo in the email notifications, select the required option:

To replace the logo in all the email notifications sent to administrators and end users, enable the Admins and end users checkbox.

To replace the logo in all the email notifications sent only to administrators, enable the Admins only checkbox.

To replace the logo in all the email notifications sent only to end users, enable the End users only checkbox.

Click Save and Apply.

Can I View Email Bodies?

Yes - In the customer tenant, click Configuration -> User Management. Select the user and ensure the checkbox that says “Allow drill-down into customer-data (detected email body, DLP found text etc)” is checked.

What do the workflow options in the different policies mean?

The available dropdown workflow options in the different policies enable you to customize the actions for the selected event. See below for more information about each option:

Threat Detection Policy Workflows

User receives the email with a warning

Message is received by the end-user but with a warning banner in Outlook

Low security since the message isn’t quarantined

High user interaction since they can view the message still

Quarantine. User is alerted and allowed to restore the email

End user is notified that the message was quarantined but the user can restore the message themselves

Low security since the user can restore the message themselves

High user interaction since the user can restore the message themselves

Quarantine. User is alerted and allowed to request a request (admin must approve)

Message is quarantined and the user is alerted and allowed to request a request

Users identified as Restore request approvers receive email notifications of a restore request

Those individuals are defined under “Configure” > “SaaS Application” > Office 365 Mail or Gmail then under “Restore requests approver”

High security due to an admin having to approve

Low user interaction since a user must request and wait for the restore

Quarantine. User is not alerted (admin can restore)

User isn’t alerted, and the message is just sent to quarantine if detection is found

If a user is missing a message, they will need to reach out to the portal admin to locate it for restoration or confirmation it was quarantined.

High security because the message was quarantined

Low user engagement because the end-user never knows about the message

Email is allowed. Delivered to Junk.

Message is allowed but delivered to the junk folder

Low security because users are still able to access the message directly

High user engagement because they have access to the message

Do nothing.

Never recommended. Should always have an action

Email is allowed. Header is added to the email.

Message is allowed and a Header is added

Exchange rules can be created to perform certain actions based on the added header

Low security because the message is still allowed

High user interaction because the message is allowed

Spam Threat Detection Policy Workflows

Email is allowed. Deliver to Junk folder.

Message is sent directly to the user’s Junk Folder

Most common workflow for Spam 

Add [Spam] to subject.

Message is sent to the user’s Inbox with [Spam] added to the subject

Useful if users don’t want to check their Junk folder

Custom Queries

Avanan stores the metadata of all items (emails, files, user logins, etc.) obtained through the public APIs of the cloud applications you are protecting and inspected by the system.

For items found to be harmless, metadata is retained for two weeks.

For malicious items, the metadata is stored indefinitely.

Custom Queries give you direct access to this database of metadata.

Use Custom Queries to:

Troubleshoot

Build custom reports

Perform bulk action such as quarantining phishing emails

Working with Custom Queries

Creating and Saving a New Query

You can create and save custom queries to analyze a specific SaaS application for immediate and future use.

To create and save a new query:

From the left panel, click Analytics > Custom Queries.

Click Create New Query.
It displays a list of available templates for each protected SaaS application.
You can use the Filter by search box to filter through the templates.

Select the required template.

After you select a template, a query with predefined conditions and columns is displayed.
You can edit the Conditions and Columns to fit your needs. See the section below.

To save the query for future use:

Click Query

Click Save As.

Enter the query details and click OK.

Editing the Query Columns and Conditions

After you have selected a template, use the options in Custom Queries to edit the template for your specific needs.

You can edit the template's predefined columns by choosing to add, remove or rename columns.

In addition, you can set conditions on columns.

To add a column:

Open the query to which you need to add the Columns. 

Click Columns.
A drop-down list opens.

Click on a column to select it, and then click Apply.
Note - Certain columns are marked with an arrow. Click on the arrow to see more options.

To remove a column:

Click the column's name.
A condition box opens.

Select Remove column.
The column gets removed.

To edit (rename) a column's name:

Click on the column's name.
A condition box opens.

Select Rename column.
The Rename column box opens.

In the Column name, delete the column's current name and then enter a new name.

Click OK.

To sort a column:

Click on the column's name.
A condition box opens.

In the Sort field, choose either Sort ascending or Sort descending.
Note - If the query returns more than 1,000 results, then sorting is not available.

To add a condition to a column:

Click the column's name.
An editing box opens.

In the condition box, set the condition's parameters.
Note - You can add more than one condition to a column. To add another condition to the same column click Add condition.

Click OK.
After adding a condition, it appears next to Add Condition.

You can also add conditions without the need to display the corresponding column. In the section above the query's result table, click Add Condition, and then select from the list of available fields.

Note - By default, all conditions are evaluated with an AND relationship when returning the query's results. For more advanced conditions, click on the gear icon (in the top right corner) and then select Edit Conditions.

Bulk Actions on Query Results

Click on Query Actions to see options for bulk remediation: quarantine, move to junk, or add phishing alert.

If no items in the query's results are selected, the action will be taken on all items. You can select only some items before choosing a manual action to apply that action on those items only.

Additionally, the Send Email Alert option sends an email alert to your email for each item selected in the query's result. A pop-up enables you to configure the template before sending alerts.

Exporting Query Results

In Custom Queries, you have the option to export the query's results to your email. This sends an email to your email address with the query's results attached as a *.csv document.

You can schedule an export of the query's results.

To export a query's results to your email:

Run the query.

Ensure that the query is saved.

Click Query, and then choose Export as CSV.

Scheduled reports based on Custom Query Results

To schedule a query's result export:

Run the query.

Ensure that the query is saved.

Click Query, and then choose Scheduled Report.
Note - Choose the email address to have the query sent to, the frequency (daily/weekly/monthly) and the exact day and time. Double-click the report to open it.

Using a Query as a Detect and Prevent Policy Rule

Sometimes you may want to create an action (such as quarantine) that will apply to future events matching the query's conditions. In such a case, you can use your query as a policy rule in the Detect and Prevent mode.

Note - No action will be taken on the current results of the query, only future results will be impacted.

These are the available options:

Use the query as a Detect and Prevent Rule

In Custom Queries, create a new query or open a saved query.

Click Query > Query actions > Add action.

Choose an action, such as quarantine, in the list of available actions.

In the pop-up window that opens, you can choose to edit the name of the action, and then click OK.
Afterward, the action should appear in the menu under Query Actions.
Note - Actions linked to queries are automatically taken from that point forward in the Detect and Prevent mode. However, policy rules keep priority over custom queries.

 Start the workflow from the Policy screen

Click Add a New Policy Rule.

Choose the SaaS application for which you want to create the rule.

Under Security, choose Custom Query, then click Next.

You are redirected to Custom Queries with a list of your saved queries (if any) and available templates for the SaaS application that you selected.

Select the query that you want to work with, if needed edit the conditions, and then click Save as.

The system will prompt you to choose an action before you can save the query.

Microsoft 365

What Microsoft 365 Licenses/Packages Do I need?

The table below shows the SaaS licenses required by Avanan to protect the applications.

Because Tier 3 includes DLP, a Microsoft 365 plan that has Protection Capabilities (also known as Azure Information Protection [AIP]) is required if you wish to leverage Microsoft’s Encryption.

The below M365 packages are recommended by Avanan as they include Protection Capabilities however there may be other Government or Education 365 plans that include AIP not listed below:

Microsoft 365 Business Premium/Standard  

Office 365 Education A1

Office 365 Education A3

Office 365 Education A4

Office 365 Education A5

Office 365 Enterprise E3

Office 365 Enterprise E4

Office 365 Enterprise E5

Does the service in Gmail need to be a Global Admin?

Yes. This is because Avanan needs to connect to the service on your side with a service user that they create at start-up, and it takes Global permissions to do so. However, you can disable to service user, but once you do if Avanan needs to do anything, you would have to re-activate it. This also means that once the portal is setup, it would not change if you added new polices or changed them since there would be no way for Avanan to sync.

Can you enforce MFA for the Service Account?

Unfortunately, not with the service user. The MFA would be needed every time Avanan connects and since it is automatic, would prevent the service from doing so. It must be in an OU that does not have any form of 2 factor Authentication.

Can I change the password of the Service Account?

No. You do not need to change the password at any time. The password contains 43 random characters, a mix of lower-case letters, upper case letters, and digits.

How does Avanan License Users (Microsoft 365)?

Avanan automatically licenses 365 users based on the following Microsoft criteria:

o   Domain Status: is No

o   Account enabled: is Yes

o   Has a valid inbox: is Yes

o   Has Exchange License: is True

o   Azure AD is queried for everything that you see there. So if an account is disabled via O365 or disabled on-prem and it shows as disabled to the system, we’ll see that in the results – that is to say disabled accounts won’t show up because we’re looking for accounts that are enabled among other things to determine user counts.

Users can be excluded from Avanan licensing if desired.

o   Note that excluded users are NOT protected whatsoever.

Compromised Accounts

The Anomaly Detection engine detects behaviors or actions that seems abnormal when observed in the context of an organization and a user's historical activity. The engine analyzes the behavior using a machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior, and email message patterns. Anomalies are often a sign that an account is compromised.

When an anomaly is detected, a security event is generated providing the context and other information necessary for investigation. Depending on the Severity Level, the anomaly is categorized as Critical or Suspected.

Critical anomalies are events indicating a high probability for compromised accounts. These anomalies require investigation and validation from administrators and should be handled immediately.
Note - You can configure the Anomaly Detection engine to automatically block the detected compromised accounts.

Suspected anomalies are events that might indicate a compromised account and can be reviewed with a lesser sense of urgency.

An account is considered compromised when a (single) critical anomaly is detected.

After detecting an account as compromised, emails previously sent from this account are scanned and - if needed - removed from users’ mailboxes.

Compromised accounts can cause a lot of damage, and fast. In addition to automatically blocking the account, SOC teams also need to investigate the activity of the account after it was compromised.

To ensure the damage from the compromised account is thoroughly investigated, SOC teams need to consider that the account was compromised before the actual detection. Therefore, they need to go back a number of hours and carefully look into the account’s emails.

Avanan now automates this process. Immediately after detecting an account as compromised, emails sent from this account up to 3 hours before the detection are re-scanned with higher sensitivity parameters and if emails are found to be malicious, they are also automatically quarantined.

This way, the load on the SOC team, as well as the urgency of handling compromised accounts incidents, is reduced.

Security Engines - Compromised Account (BEC/Anomaly) Detection

To focus on high probability account takeover, do one of these:

On the Events page, filter the events by Type (Anomaly) and Severity Level (Critical).

On the Overview page, under Security Events, click on Filter by Type and select Critical Anomalies.

On the Overview page, click on the BEC card main indicators.

Critical Anomalies

New delete-all-emails rule

This anomaly inspects new rules configured to delete all the incoming emails. It detects potential malicious configuration to delete all the incoming emails. This behavior may indicate an account takeover.

This anomaly has the highest impact.

Users Sending Malicious Emails

This anomaly is triggered when an internal user sends a phishing or spam email to internal and/or external recipients.

Note - Using exceptions, administrators can disable this anomaly for a specific user or for all users.

Move all emails to a subfolder

This anomaly inspects new rules configured to move all the incoming emails to a subfolder. It detects possible malicious configurations to move all the incoming emails to a specific subfolder. This behavior could indicate an account takeover.

AI-Based Detection of Anomalous Logins

This anomaly uses an AI engine designed to inspect all the parameters of login events to pinpoint those that malicious actors do. The AI engine inspects a variety of parameters, including IP address, browser type, browser version, device, VPN brand, etc.

Login events detected by this AI engine flag the corresponding users as compromised.

Login from Malicious IP Address

This anomaly detects the compromised accounts based on the IP address from which attackers logged into Microsoft 365.

Users logging into Microsoft 365 from IP addresses detected as sources of phishing emails or from the IP address known to Check Point as malicious will be flagged as compromised.

Suspected Anomalies

First Time in New Country

This anomaly is triggered when a user log in from a country they have never logged in from.

Note - If the user's title includes the name of a country, logging in from that country will not be flagged.

Reset Password Anomaly

This anomaly detects successful account takeovers. This anomaly is triggered when a user has received three or more password reset emails (each from a different service) in a short amount of time.

It informs the administrator that a user has attempted to recover their password from three different services.

Example: If someone wants to take over Joe's GitHub account, they may first try to take over his Gmail account. Once they succeed in taking over his Gmail, they can use it to reset his password in the GitHub account - and take it over it as well.

Massive senders

This anomaly detects users that start sending emails at an unusual rate.

It is based on a baseline that is built for every user during Learning Mode and over the span of 30 days after onboarding, measuring the amount of emails sent from the user per minute.

Event text - <user> has sent an unusual number of emails - at a rate of <rate> emails per minute.

Auto-forwarding to external email address

This anomaly is based on reading the Office 365 management events. It processes specific events triggered when a mailbox auto-forwarding rule is created.

The anomaly does these tasks:

Inspects new auto-forwarding rules created in Office 365

Checks if the target email is 'external' to the organization. If the email is external, then an anomaly
is triggered.

Note - The anomaly's severity is decided based on the forwarding condition. If there is no condition, the severity is set to high. By default, the severity is set to medium.

Unusual Country Anomaly

This anomaly detects incoming emails from countries associated with phishing attempts and various types of cyber attacks.

By default, these countries are Nigeria and China. The Allow-List allows you to ignore events from either of these two countries.

Suspicious Geo Location (Impossible Travel)

This anomaly detects possible credential theft and use from another location. It detects the frequent login and email events from different locations, and alerts the administrator about what is likely to be another person operating from an account of a company employee.

It is possible to create Allow-List rule of accounts (for example, employees that use VPN or similar tools on a frequent basis).

Suspicious MFA login failure

This anomaly detects login operations that failed during Multi Factor Authentication (MFA)/Second Factor Authentication (2FA). To reduce the rate of false detection, it correlates the failed MFA with additional events or follow-up successful login.

Event text - A suspicious login failure for <email>, attempting to login from <geo location>, failing at the MFA stage.

Note - The detection is not generated in real time as it correlates and analyzes the past events and successful logins. Alert may be generated a few hours after the failed login.

Client is a vulnerable browser

This anomaly checks the client browser's vulnerability. It checks the browser version used by the end user performing the event (when reported by the SaaS), and compares it to the list of old versions (with known vulnerabilities).

Configuring Anomaly Detection

Navigate to Security Settings > Security Engines.

Under Anomaly Detection, click Configure.

Under Compromised accounts workflow, select the required workflow when critical anomalies (which indicates that an account is compromised) are detected.

To send email alerts to the administrator and automatically block the compromised account, select Alert admins, automatically block user.

To send only email alerts to the administrator, select Alert admins.

Under Compromised Microsoft administrators, select the required workflow when compromised
global admin accounts are detected.

To block compromised global admin accounts, select Automatically block admin.

To avoid blocking compromised global admin accounts, select Do nothing.

To send email alerts when suspected anomalies (which indicates that an account may be compromised) are detected, under Suspected compromised accounts workflow, select Alert Admins.

To configure a dedicated mailbox for alerts on compromised accounts:

Select the Dedicated mailbox for alerts on compromised accounts checkbox.

Under Dedicated Alert Mailbox, enter the email address.

To stop creating massive sender anomaly when an email is sent to an unusually large number of recipients using a distribution list, under Massive Sender Anomaly, select the Do not generate event when sending emails to distribution list check-box.

To generate Impossible Travel Anomaly event even when the user logs in from multiple locations inside the same country, select the Generate event even if the impossible travel is within the same country check-box.

Click Save.

Anomaly Exceptions

At times, to handle falsely flagged events, administrators may need to create exceptions for anomaly detections.

To create Anomaly exceptions:

Go to Events screen.

Select the anomaly event for which you want to create an exception.

Click on the vertical ellipses icon (in the right side of the selected anomaly event), and select Add Exception.
The Create allow-list for anomaly pop-up screen appears.

Under Allow-List type, select the required exception from the drop-down.
Note - The drop-down shows different options applicable for the anomaly event you selected.

Under Apply for all past events, select Yes or No.

Yes - The exception gets applied to all the events in the past and to the future events.

No - The exception gets applied only to the event you selected and to all the future events.

If required, enter a Comment for the anomaly exception.

Click OK.

To see all the anomaly exceptions, go to Security Engines > Exceptions > Anomaly.

Are Shared Mailboxes Protected?

Shared mailboxes are protected automatically when you click “All Users” in the protect policy creation screen.

Are Groups Protected?

When an email is sent to a Microsoft 365 Group, every member in the group receives the email and the email will also be available in the mailbox assigned with the Microsoft 365 Group.

When a malicious email is sent to a Microsoft 365 Group, Harmony Email & Collaboration detects and quarantines the malicious email from every group member's individual mailbox.

However, the malicious email gets quarantined from the Microsoft 365 Group mailbox only when the policy is set to Prevent (Inline) mode.

How Does User Reported Phishing Work?

Microsoft offers a built-in Mark as Phishing buttons in Outlook. When clicking on the buttons Microsoft gets notified of the suspected missed phishing, and many organizations encourage their users to report any suspicious email.

Requirements

The dedicated phishing reporting mailbox must be an internal mailbox we are able to read for the tenant

A user-reported-phishing submission must be a forward of an email to the dedicated phishing reporting mailbox

Submissions will come through as alert events on the portal

ONLY submissions by active users will go through to the user reported phishing page

How Can I Manually Trigger Workflows?

If you would like to manually trigger the Avanan workflows for testing/demonstrations, you may perform the following:

Email

Add one of the following URLs to the email body to trigger the related workflow.

Phishing - https://this-is-confident.com/login.php

Suspected Phishing - https://this-is-suspicious.com/login.php

Spam - https://this-is-spam.com/login.php

Malware File

To trigger files for malware. You will need to add “avanan_malicious_” without quotes to the name of the file.

Excluding Message Types

In this example we will be excluding messages that contain Voicemails from Microsoft Teams.

Excluding Message Types

Navigate to your Exchange admin center and clicking on edit for the Avanan - Protect rule.

Towards the bottom, you will see more options, which will allow you to create an except if rule for the message type = voice mail.

Once this is done, your updated Avanan - Protect mail flow rule will look like this.

How does Encrypted Email work?

Organizations often opt to encrypt outgoing emails to share sensitive information securely with the intended recipients while preventing access to others. Avanan supports Microsoft 365 Email Encryption or Avanan SmartVault for secure email transmission.

When deciding between Microsoft 365 Email Encryption and SmartVault, consider these factors:

Maintaining user experience - If you already use Microsoft 365 Email Encryption, triggering it through the Avanan DLP policy might be a good idea to have the same experience for your end users and external recipients.

Price and quality - If you are unsatisfied with Microsoft 365 Email Encryption regarding price or quality, Avanan's SmartVault is highly recommended.

Microsoft 365 Email Encryption for Outgoing Emails

Microsoft 365 Email Encryption for Outgoing Emails

Microsoft 365 provides the ability to encrypt outgoing emails using Microsoft Encryption. Encryption can be applied automatically for emails detected as sensitive by the DLP engine.

Note - The Office 365 email encryption is applicable only for outgoing emails.

For more information about the Office 365 encryption mechanism, see the Microsoft Documentation.

Licensing

In Monitor only mode, you can use the existing license of Office 365 as the minimum requirement. However if you want to use Microsoft Encryption as an action in policy, you must have license with Office 365 Message Encryption (OME) capabilities. For more details, see Microsoft plans with OME capabilities and Microsoft Documentation.

Encrypting Outgoing Emails

Select the required DLP workflow that has encryption (Email is allowed. Encrypted by Microsoft or Email is blocked and user can resend as encrypted). Based on the workflow defined, the emails are encrypted automatically.

All outgoing emails that has data leak will be sent with a header:

Microsoft Encryption: X-CLOUD-SEC-AV-Encrypt-Microsoft: True

Encrypting Outgoing Emails using Avanan SmartVault

Encrypting Outgoing Emails using Avanan SmartVault

Avanan's SmartVault allows you to send emails containing sensitive information in a secured manner so that the external recipient can see the email in a secured portal, while the email and its content are stored only in Avanan's tenant.

Activating SmartVault

To activate SmartVault:

Create or edit an existing Office 365 Mail DLP policy.

Set the policy protection mode as Protect (Inline).

Under Scope, select Direction as Outbound.

Select the DLP workflow as Email is allowed. Encrypted by SmartVault.

Click Save.

Accessing SmartVault Encrypted Emails

Validating the Identity of the External Recipient

When an external recipient receives a secured email notification from SmartVault, the recipient must validate to view the email.

To validate the identity, the external recipient must do these:

Click the link in the email notification to access the secured portal.

By default, the link is valid only for 10 hours.

Click Authenticate to receive the one-time authentication code.

The recipient receives the authentication code through email. By default, the authentication code is valid only for 10 minutes.

Enter the code and click Submit.

After successful authentication, the recipient can view and respond to the email.

Also, Avanan adds a cookie to the browser. By default, it remains valid for 30 days, and the recipient is not required to authenticate again from the same browser. After the cookie expires, the recipient must authenticate again.

External Recipients Interacting with Emails Vaulted by SmartVault

After successful authentication, the email opens in a secured portal and allows the recipient to:

Read the email

Download the attachments (if any)

Reply to the sender.

Storage of Emails by SmartVault

Avanan stores the secured emails by SmartVault only in the Avanan servers associated with the data residency region of your Avanan tenant. The email and its attachments are stored encrypted by SSE-S3 encryption.

Configuring SmartVault Parameters

You can configure the security and retention parameters of the SmartVault security engine. To do that:

Go to Configuration > Security Engines.

Click Configure for Avanan SmartVault.

Under From, select from address for the SmartVault email notification.

Original Sender

Single Custom Address
Note - If you select Single Custom Address, make sure the email address has the required permissions to send emails from the domain.

Under Subject, enter the email's subject in the SmartVault email notification.

Under Body, enter the required information in the email notification.

Under Email lifetime in days, enter the number of days before the emails expire. By default, SmartVault emails expire after 14 days.

Under Code expiration in minutes, enter the expiration time for the authentication code. By default, the code expires in 10 minutes.

Under Cookie expiration in days, enter the expiration for the cookie. By default, the cookie expires after 30 days. After this period, the recipient must authenticate again.

Under Link expiration in hours, enter when the secured link in the email notification expires.
By default, the link is valid only for 10 hours. After this period, the recipient cannot access the vaulted email using the encrypted link. However, the recipient can request a new link from the old encrypted link.

Click Save.

Emails Encrypted by SmartVault - End User (External Recipient) Experience

When Avanan detects sensitive information in an email, the email is vaulted, and the recipient receives an email notification from SmartVault.

To view the secured email, the external recipient must do these:

Click the secured link in the email notification.

Note - By default, the secured link is valid only for 10 hours. After it expires, you must request a new link. To do that, click Send link from the Encrypted Link Expired page. You will receive an email with the new secured link.

To read the email, click Read the Message.

The secured portal opens and requests for authentication.

Click Get Authentication Code. The recipient receives an authentication code through an email.

Enter the authentication code in the secured portal and click Go to the Email.

After successful authentication, the original email appears.

To reply to the email, click Reply to Sender.

Enter the required information and click Send.

The response is sent as an email to the original sender and the secured portal shows the email delivery status.

Prerequisites to Avoid Failing SPF Checks

When enabling inline protection for outgoing emails – DLP or phishing/malware – emails are sent out to the external party from the Microsoft 365 IP addresses, that need to be included in your SPF record.

However, since Avanan inspects those emails inline, if the external recipient's email security policy is very strict, it may require the Avanan IP addresses to be included in the SPF record as well.

To achieve that you need to add one entry to your SPF record, utilizing the Include mechanism: Include:spfa.cpmails.com

Customers that already added the different IP addresses and networks to the SPF record can now change it to only include the new entry.

Will Avanan work in Hybrid Environments?

Yes!

Office 365 Mail in Hybrid Environments

A hybrid environment is a setup in which some mailboxes are in Microsoft 365 or Office 365, and some mailboxes are on your organization's email servers (on-premises Exchange server).

The most common use case for hybrid environments is with organizations migrating the mailboxes group by group to Microsoft 365 or Office 365.

Mail Flow in Hybrid Environments

Legacy Hybrid Architecture – MX Points to On-Premises Exchange Server

While migrating from an on-premises environment to the cloud (Exchange Online), organizations usually start with a basic architecture where the MX record points to the on-premises Exchange server or to the legacy Secure Email Gateway (SEG) that protects the on-premises Exchange server.

So the mail flows from the sender to the on-premises Exchange server and then gets routed to Microsoft 365 or Office 365.

Modern Hybrid Architecture – MX Points to Microsoft 365 or Office 365

To reduce the load on the organization's network and to ensure all emails are secured, organizations often change the mail flow so that the MX record points to Microsoft 365 or Office 365.

Microsoft 365 or Office 365 performs all the filtering and routes the emails sent to on-premises mailboxes to the on-premises Exchange server. For this scenario, your organization's mail flow setup looks like the following diagram.

Note - To protect mailboxes in hybrid environments, Avanan need the modern hybrid architecture, where MX points to Microsoft 365 or Office 365.

Best Practice - Microsoft recommended this architecture for hybrid environments. For more information, see Microsoft documentation.

Modern Hybrid Architecture – Licensing Considerations

Before migrating to the modern hybrid architecture, make sure you have the required licenses:

For incoming emails, Microsoft usually does not require additional cloud mailbox licenses. The licenses you have for your on-premises mailboxes should be enough.

For outgoing emails, Microsoft might require additional licenses to route outgoing emails from on-premises mailboxes through Microsoft 365 or Office 365.

Note - Before migrating, consult your Microsoft representative to ensure you have the required licenses.

Avanan Support for Hybrid Environments

Avanan can protect mailboxes in multiple locations (Exchange Online and on-premises Exchange Server) with modern hybrid architecture mail flow, where the MX record points to Microsoft 365 or Office 365.

Hybrid Environments – Protection Scope

When integrated with modern hybrid environment, where the MX points to Microsoft 365 or Office 365, Avanan can protect these:

Microsoft OneDrive, Microsoft SharePoint and Microsoft Teams (The protection to these SaaS applications is not affected by the environment being hybrid)

All incoming and outgoing emails, whether they are sent to or sent from mailboxes in on-premises Exchange Server or Exchange Online (cloud mailboxes)

Internal emails, only when the mailbox of either the sender or one of the recipients is in the Exchange Online (cloud mailboxes)

Limitations for On-premises Mailboxes

Avanan does not have API access to the mailboxes in on-premises Exchange Server. So, these are the limitations.

Avanan cannot pull the emails from on-premise mailboxes to quarantine.
Important - To secure hybrid environments, you must keep the Avanan policies in Protect (Inline) mode. Otherwise, phishing emails sent to on-premises mailboxes will not be quarantined.

Avanan cannot present the status of the emails (deleted, forwarded, replied to etc.).

Enabling Office 365 Mail Protection in Hybrid Environments

Prerequisites

Before you connect Avanan to your environment, perform these steps:

Ensure that the mail flow is configured correctly, where the MX points to Microsoft 365 or Office 365. For more details, contact your Microsoft technical representative.

Ensure you have the required licenses from Microsoft.

Connecting Avanan to Microsoft 365 or Office 365

After all the prerequisites are met, you can connect and protect your hybrid environments with Avanan.

Important - To secure hybrid environments, you must keep the Avanan policies in Protect (Inline) mode. Otherwise, phishing emails sent to on-premises mailboxes will not be quarantined.

G Suite

What Google Workspace Licenses/Packages Do I need?

The table below shows the SaaS licenses required by Avanan to protect the applications.

Google Cloud Directory Sync (GCDS)

If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, you must create exclusion rules for check_point_inline_policy and check_point_monitor_policy before activating Google Workspace.

Super Admin Account

After installing the Check Point Cloud Security app, a new Super Admin account is created in your Google Admin console. The Super Admin has an email address in the cloud-sec-av@[domain] format and is sometimes referred to as the Check Point Service User.

This user requires a Gmail license.

The password of the Super Admin contains 43 random characters, a mix of lower case letters, upper case letters, and digits. The password is safely stored in AWS Key Management Service (AWS KMS).

You cannot change the password after the initial setup.

Avanan recommends enabling Multi-Factor Authentication (MFA) to enhance security for this account.

After the onboarding process completes, the Super Admin may be disabled if needed.

How does Avanan License Users (G Suite)?

Avanan automatically licenses G Suite users based on the following Google criteria:

Email is on internal domain

Not suspended

Not archived

Not deleted from the cloud.

Users can be excluded from Avanan licensing if desired.

o   Note that excluded users are NOT protected whatsoever.

How does Encrypted Email work?

Secure messaging allows for safe email correspondence with partners and customers, where external parties view sensitive emails through an authenticated portal, while the sending organization controls the availability of the message to the external party.

SmartVault - Secure Messaging for Outgoing Gmail Emails

Avanan recently introduced SmartVault – a Check Point proprietary secure messaging solution for Microsoft 365 emails. After the recent introduction of inline prevention of data leakage (DLP) for Gmail, Avanan now extends SmartVault to support secure messaging for Gmail customers as well.

Gmail customers can now also customize SmartVault to align with their security and branding standards, with settings such as how long the link to the message will be available for, the sender address, subject and more.

To encrypt sensitive emails via Check Point’s SmartVault:

Create an inline DLP policy, and under the DLP workflow, select one of the SmartVault workflows.

To customize the SmartVault parameters, go to Configuration > Security Engines and click Configure next to Avanan SmartVault

Other SaaS Applications

What Licenses Do I Need?

The table below shows the SaaS licenses required by Avanan to protect the applications.