Organization Settings

Defines if the organization is:

• Eval: Reviewing Cloud Email Protection
• Subscriber: Has paid for Cloud Email Protection

An organization's classification settings are used for reporting, especially for comparing

an organization's aggregate data to industry peer aggregate data.

See Reports for more information.

An organization's message settings determine what messages Cloud Email Protection will ingest.

These settings are only available if the Messaging Platform setting in the Sensor Settings section is

Microsoft Office 365 or Exchange Online (journaled) or Microsoft Exchange Server (journaled).

You will also need to have journaling configured correctly, as explained in

Configure Dual Delivery: Office 365 and Configure Dual Delivery: Microsoft Exchange.

Defines what messages are ingested. Select from:

• Inbound messages - Only messages sent into your organization are ingested and evaluated by the Sensor.
• All messages (Inbound. Internal, Outbound) - All messages sent into your organization, out of your organization, and within your organization are ingested and evaluated by the Sensor. This selection requires that messages are journaled and that you identify domains for which you accept email.

Defines the domains for which you accept messages. Required if you select All messages in Evaluate Messages.

This should be a list of your domains, including subdomains, that receive your email messages. For example, mycompany.com is your domain, but you have mail.mycompany.com as your email server. These, (and possibly others) should be in this list. Cloud Email Protection uses this list to help determine message directionality.

Domains you add to this list will automatically be tagged as internal (if they do not already have a tag). Domains tagged as internal before enabling IIP are also automatically added to this list. If a domain is tagged as internal after IIP is enabled, it is not automatically added to the Accepted Domains list. For more information see Domain Tags

For each attack type, you can select:

• Untrusted - Message Trust Score between 0.0 and 1.0
• Untrusted and Suspicious - Message Trust Score between 0.0 and 5.0

Messages with a Trust Score of between 0.0 and 1.0 (on a scale of 0.0 to 10.0) are considered untrusted.

Messages with a Trust Score greater than 1.0 and up to 5.0 are considered suspicious.

This setting allows you to define whether you want reports for each attack type
to contain only untrusted messages or both untrusted and suspicious messages.

The default for all attack types except Domain Spoof is Untrusted and Suspicious.

The Continuous Detection and Response (CDR) Settings section controls how CDR operates in your organization.

See Continuous Detection and Response for more information.

Determines the default action for messages determined to be a threat by the CDR threat feeds. For each available threat feed, select:

• Monitor only (no Action) - This is the initial default action. No actions are taken on messages determined to be threats by CDR, but information about those messages populates the CDR list.
• Move to folder [folder name] - Messages determined to be a threat are moved to the selected folder in users' mail stores, basically a quarantine action. Depending on how your system is configured, you may have multiple folders to choose from. The folders in this list are the ones you define in the Enforcement Settings section. You may, for example, want messages quarantined by CDR moved to a different folder than messages quarantined by policies you define specifically.
• Delete - Messages determined to be a threat are deleted.

TIP: Because CDR threat feed rules that affect how messages are identified for enforcement are created for a scope of messages much larger than your organization's message stream and because a Delete action is irreversible, you may want to choose Monitor or Move initially to evaluate how each CDR source affects messages specifically in your organization.

A list of one or more email addresses. A message will be sent to the addresses in this list when a CDR event matches any messages.

The Sensor Settings section refers to global sensor settings for the organization.

Defines the messaging platform. Select:

• G Suite (formerly Google Apps for Work)
• Microsoft Office 365 or Exchange Online (journaled)
• Microsoft Exchange Server (journaled)
• Other

Used only for Sensor processing overrides. Leave as-is unless instructed otherwise by Fortra Cloud Email Protection.

When a value is entered in this field, the value replaces the Original-To Header when the message is processed by the Sensor. This can help you identify Sensor-processed messages when you are creating policies.

List IP addresses for any upstream MTA sending traffic that you want to capture. The form accepts CIDR notation for specifying ranges of IP addresses.

NOTE: Use this only in the case of upstream MTAs.

Determines the IP addresses from which Sensors will accept forwarded messages. One or more IP addresses entered in this field will prevent mail forwarding from any IP address not listed.

TIP: This is generally used for heightened security measures, and is typically left blank.

This also affects the testing of SMTP connections.

To add an IP address to the list, enter an IP address into the IP Address field, and then click Add. The IP addresses in this list should be only the IP addresses of the servers in your email infrastructure that forward messages to Sensors.

The default enforcement folder can be changed and additional folders set in the Enforcement Settings. These folders are displayed in the Enforce Actions for all Policies in Create / Edit Policy and are the names of the folders or labels that end users will see in their mail client.

Determines how automatic log off happens. Select from:

• Relative (default): Automatic log off happens if no activity in Cloud Email Protection happens within the time period set in the Session Inactivity Logoff setting.
• Absolute: Automatic log off happens when the time period set in the Session Inactivity Logoff setting expires after log in. In other words, the Session Inactivity Logoff clock starts at log in and does not reset for any user activity. This setting may result in users being logged off while they are in the middle of an activity.

When you require a password for login (non-SSO), determines the minimum complexity of the password. The default is

• Minimum length: 10 characters
• Minimum upper case characters: 1
• Minimum lower case characters: 1
• Minimum symbols (non-alpha-numeric characters): 1
• Minimum numbers: 1
• Prevent password reuse for N past passwords: 0

Select Custom to modify any of these password characteristics for your users.

NOTE: This depends on Graph Ingest or Journaling you set up.

Fortra Cloud Email Protection requires authorization to access data in Microsoft APIs for functionality of certain features like Ingest, Enforcement, Address Groups, and Investigation analysis.

Ingest

Read email in user mailboxes and read all service usage reports

Enabling these permissions allows Fortra Cloud Email Protection to get emails from the user email boxes and scan email for scoring purposes to identify business email compromise. When you enable Ingest the application will take you to the Microsoft page to authorize Cloud Email Protection.

To enable these permissions you need to have following mail privileges :

• Mail.Read

• Reports.Read.All

• User.Read.All

Enforcement

Create, update, and delete email in user mailboxes

Enabling these permissions allows investigation analysis of user emails and the enforcement of messages.

To enable these permissions you need to have following mail privileges :

• Mail.ReadWrite

• User.Read.All

Address Group Sync

Connect to and synchronize with your Azure Active Directory

Enabling these permissions allow you to quickly create address groups for use in policies, as well as determine the location of users mailboxes (on-premises or in the cloud) for enforcement.

To enable this permission you need to have following mail privilege :

• Directory.ReadAll

Choose which components of messages are uploaded for analysis by CEP.

Fortra Cloud Email Protection recommends that you enable all message components.

Determines which components of messages to upload to the sensor for analysis. Fortra Cloud Email Protection recommends analyzing all available message components. All components are selected by default.

The "Include" options (subject header and full from, reply to, and recipient) allow the sensor to better analyze the message metadata, resulting in more accurate scoring.

The Process message content option allows the sensor to extract only any attachments and URIs from the body of the message and analyze only those components for maliciousness. Non-attachment and non-URL content is not analyzed and is discarded immediately after attachment and URL extraction. You can also choose to display all URIs (default) or only malicious URIs when you view message details.

Processing exception settings are rules that tell Cloud Email Protection which messages it should not evaluate process.

Messages that meet ay of these rules will not be evaluated by the Sensor, scored for threats, or managed by policies.

Messages not processed by Cloud Email Protection do not appear, individually or cumulatively, in reports or searches.

For Office 365 organizations only.

When a message is sent through Office 365 spam filtering, it is assigned a spam score, which is mapped to a spam confidence level (SCL) rating. Spam scores of 5 and above are considered spam by Office 365 and are moved by default to users' Junk folders. (Source: Spam confidence levels.)

Some organizations have configured a different spam score on Office 365 for which messages are sent to users' Junk folder. Because you generally do not want Cloud Email Protection to process messages that Office 365 has already determined to be spam, the optimal value for this setting is the same as the organization's Office 365 value.

Defines message rules, rules that tell Cloud Email Protection for which messages to skip any processing. These rules act similarly to message-handling rules in email clients. You select the rule type and enter a value for that type.

Available rules are for headers found in messages, headers that include:

• IP address or CDR
• MAIL FROM domain
• From:
• To:
• Subject:
• X-Header

To add an exception rule, select a rule type, enter a single value, click Add Exception, and then click Save.

The value field accepts only one value (or in the case of X-Header, an X-Header itself and optionally an X-Header value), and does not support wild cards or regular expressions. It is a strict exact text match only (except for Subject, where any subject must contain the entered value anywhere in the message subject to match), and validates for correct values before you can add the exception rule.

To delete an exception rule, click the next to a rule, then click Save.