Cloud App Security Administration Guide for Office 365
Creating Threat Detection Policy Rules
To create a Threat Detection policy rule
- In the Rule Name field, enter the name you want to use to identify the rule.
- From the Mode dropdown list, select the mode in which you want the policy rule to operate:
- In the Scope section, either:
- Select All users and groups (all licensed users) to have the policy rule apply to all users.
- In the Specific users and groups list, select the specific users or user groups to which the policy should apply or be excluded from being applied.
- In the Advanced section, the workflow options you see will depend on the Mode set for the policy.
- For the Malicious attachment workflow, you can specify that:
- messages or files be quarantined, and the recipient is alerted and allowed to restore the email messages or files.
- messages or files be quarantined, and the recipient is alerted and allowed to request that the email or files be restored by an administrator.
- messages or files be quarantined, but the recipient is not alerted. However, an administrator can restore the message.
- no action be taken on the message. The event will still be logged.
- For the Phishing workflow, you can specify that:
- messages or files be sent to the intended recipient with a warning.
- messages or files be quarantined, and the recipient is alerted and allowed to restore the messages or files.
- messages or files be quarantined, and the recipient is alerted and allowed to request that the messages or files be restored by an administrator.
- messages or files be quarantined, but the recipient is not alerted. However, an administrator can restore the messages or files.
- no action be taken on the messages or files. The event will still be logged.
- For the Suspicious phishing workflow, you can specify that:
- messages or files be sent to the intended recipient with a warning. The content and formatting of the warning can be customized by clicking the gear icon to the right of the list.
- messages or files be quarantined, and the recipient is alerted and allowed to request that the messages or files be restored by an administrator.
- messages or files be quarantined, but the recipient is not alerted. However, an administrator can restore the message.
- no action be taken on the messages or files. The event will still be logged.
- For the Spam workflow, you can specify that:
- email messages be sent to the intended recipient with “[Spam]” added to the Subject line.
- email messages be sent to the intended recipient with “[Spam]” added to the Subject line and delivered to the Junk folder.
- email messages be quarantined, the recipient is alerted, and the recipient can restore the email message.
- email messages be quarantined, but the recipient is not alerted. However, an administrator can restore the email message.
- no action be taken on the email message. The event will still be logged.
- From the Severity list, specify the severity level with which the event will be recorded:
- Auto
- Critical
- High
- Medium
- Low
- Lowest
- In the Advanced > Security Tools section:
- Select All running threat detection tools to use all of the activated Security Tools. (This is on by default.) If you unselect this option, you can then select which specific Security Tools are used.
- Click Configure Anti-Impersonation and Phishing Confidence-Level to configure additional anti-phishing options.
- Select a value for the Confidence level field to set a default confidence level. By setting a higher confidence level, you should see fewer detections and fewer false-positive results.
- Enable Warn users of suspected impersonations to warn users of suspected impersonated messages and accounts. You can set the detection level to all internal users or only senior-level users within your organization.
- Select Allow end users to Allowed list senders they trust via in-mail link to allow your end users to add senders they trust to the Allowed list using a link provided in the email message.
- Select Allow list emails with MSFT SCL = -1 to automatically allow emails that Microsoft marks as allowed by placing SCL=-1 in the header of the email message.
For more information about configuring the anti-impersonation options, refer to Managing Nickname Impersonation.
- Click Ok.
- In the Advanced > Alerts section:
- Select Send email alert to admin(s) about phishing to notify administrators when a possible leak is detected.
- Click the gears icon to modify the email message sent to administrators.
- Click the users icon to select which administrators should receive the message.
- Select Send Email alert to… to notify specific users sharing the file when a possible threat is detected.
- Click the gears icon to modify the email message sent to the users.
- Select Send email alert to admin(s) about malware to notify administrators when a possible threat is detected.
- Click the gears icon to modify the email message sent to administrators.
- Click the users icon to select which administrators should receive the message.
- Select Alert recipient to inform the recipient of the message when a possible threat is detected.
- Click the gears icon to modify the email message sent to the recipient.
- Click Save and Apply.
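The Allow list emails with MSFT SCL = -1 option in the procedure above makes the rule trust Microsoft's decision to skip spam filtering for a message, so it is worth auditing which messages carry that value. The following is an added example, not SonicWall's code: it assumes messages exported as raw text and reads Microsoft's X-MS-Exchange-Organization-SCL, X-Forefront-Antispam-Report and Authentication-Results headers; the sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string

def scl_of(msg):
    """Return the message's spam confidence level as an int, or None."""
    raw = msg.get("X-MS-Exchange-Organization-SCL")
    if raw is None:  # fall back to the SCL: field of the antispam report
        report = str(msg.get("X-Forefront-Antispam-Report", ""))
        m = re.search(r"\bSCL:(-?\d+)", report)
        raw = m.group(1) if m else None
    try:
        return int(str(raw).strip()) if raw is not None else None
    except ValueError:
        return None

def auth_verdicts(msg):
    """Map spf/dkim/dmarc to their verdicts; the topmost header wins."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            out.setdefault(mech.lower(), verdict.lower())
    return out

def needs_review(raw_message):
    """True if SCL=-1 would allow-list a message that lacks a DMARC pass."""
    msg = message_from_string(raw_message)
    return scl_of(msg) == -1 and auth_verdicts(msg).get("dmarc") != "pass"

# Constructed sample messages (headers only), not taken from real mail.
SAMPLES = {
    "bypass_dmarc_fail": (
        "From: ceo@example.com\n"
        "Authentication-Results: spf=fail (sender IP is 203.0.113.5)\n"
        " smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none\n"
        "X-MS-Exchange-Organization-SCL: -1\n\nbody\n"),
    "bypass_dmarc_pass": (
        "From: billing@example.org\n"
        "Authentication-Results: spf=pass; dkim=pass; dmarc=pass action=none\n"
        "X-MS-Exchange-Organization-SCL: -1\n\nbody\n"),
    "bypass_no_auth": (
        "From: unknown@example.net\n"
        "X-Forefront-Antispam-Report: CIP:203.0.113.9;LANG:en;SCL:-1;SRV:;\n\nbody\n"),
    "spam_scored": (
        "From: promo@example.net\n"
        "Authentication-Results: spf=fail; dkim=none; dmarc=fail\n"
        "X-MS-Exchange-Organization-SCL: 5\n\nbody\n"),
}

def audit(samples=SAMPLES):
    """Names of samples that SCL=-1 allow-listing would pass without a DMARC pass."""
    return sorted(name for name, raw in samples.items() if needs_review(raw))
```

Messages returned by `audit()` are the ones to trace back to the Exchange Online allow entry or mail-flow rule that produced the bypass before relying on this option.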