Configuration Settings

Note: This chapter describes settings that were previously referred to as Policy settings.

The settings on the Configuration pages determine how Secure Email Threat Defense handles mail. Default settings are applied when you Set Up Secure Email Threat Defense. Be sure to review your settings to make sure Secure Email Threat Defense is handling your mail in the way you want it to.

Configuration settings are split into three areas:

- Mail flow configuration
- Global settings
- Policy configuration

Edit items on these pages by clicking the pencil icon in the top right corner of a panel, or at the end of a row. After you click the pencil, you are taken to a dialog or workflow to make changes to those settings.

Mail Flow Configuration

The Mail flow configuration page shows your message sources and Microsoft 365 visibility, and information related to your domains.

The Message traffic panel houses settings for message sources and Microsoft 365 authentication and visibility. Your Microsoft journal address or Secure Email Gateway (SEG) Message intake address is also accessible from this panel. Click the pencil icon to change these settings. This takes you to a workflow to make changes.

The Domains panel lists your email domains. Imported domains help determine message direction. Specific domains can be excluded from automated remediation policies.

The domains list is automatically updated every 24 hours, or you can click Import list to refresh your domains immediately.

Click the pencil icon in the top right corner of the Domains panel to adjust which domains you want to apply your policies to and whether you want to apply policies to domains not in the list. Domains might not be in your list if they haven’t been imported yet.

Table 1 Mail Flow Configuration Settings

Setting: Message Source
Description: Defines the source for your messages.
Options:
- Microsoft 365
- Secure email gateway (SEG) (for incoming messages only)
Default: Manually selected when you set up Secure Email Threat Defense.

Setting: Visibility
Description: Defines the type of remediation policy you can apply.
Options:
- Microsoft 365 Authentication
  - Read and Write - Allows visibility and on-demand or automated remediation (that is, move or delete suspect messages). Also allows EML downloads. Read and write permissions will be requested from Microsoft 365.
  - Read - Allows visibility only, no remediation or EML downloads. Read-only permissions will be requested from Microsoft 365.
    If you select Read, you need only set the Attachment Analysis and Message Analysis directions. Remediation policy will not be applied.
- No Authentication - Allows Visibility only.
Default: Manually selected when you set up Secure Email Threat Defense.

If you change your Microsoft 365 Authentication setting, you will be redirected to reset your Microsoft 365 permissions. You may also be directed to set up journaling; you can skip this step if you have already set up journaling.

Note: When you choose Microsoft 365 Authentication: Read and Write, you should also verify your Policy configuration settings.

Setting: Secure Email Gateway (SEG)
Description: The presence of a Secure Email Gateway (SEG) impacts how Secure Email Threat Defense identifies the Sender IP.
Options:
- No, Secure Email Gateway is not present
- Yes, Secure Email Gateway is present
  - Cisco SEG default header (X-IronPort-RemoteIP).
  - Cisco SEG custom header. (indicate header)
  - Non Cisco SEG custom header. (indicate header)
Default: Manually selected when you set up Secure Email Threat Defense.

For more information, see Configuration Settings with a Gateway.

Domains - Domains are imported to help determine message directions. Domains are automatically imported from Microsoft 365 every 24 hours. Domains can be excluded from automated remediation policies.

Setting: Auto-Remediation
Description: Applied to the domains not in the domains list.
Options: Checked or Unchecked
Default: Unchecked. When you turn on Read and Write visibility, select this check box.

Switching Your Message Source

To change your message source, navigate to the Configuration > Mail flow configuration page.

1. Click the pencil icon to be taken to a wizard that will walk you through the steps to change your message source.

2. A notice indicating you are switching your message source appears. Click Continue.

3. The Switch Message Source dialog appears. You need to configure your previous message source to stop sending messages to Secure Email Threat Defense. For details on how to do this, see Delete Your Secure Email Threat Defense Journal Rule or Configure your Gateway to Stop Sending Messages.

4. Select the checkbox indicating you have stopped sending journals or messages from your previous source, then click Next.

5. Configure your new message source using the Message Intake Address or Journal Address shown in the dialog. The steps for setting up each type of message source are detailed in Set up Your Message Source.

Global Settings

The Global settings page is where you define which content you want to analyze.

The Content analysis panel shows which directions of messages and attachments you want Secure Email Threat Defense to analyze. The Unwanted message analysis panel shows whether you have chosen to analyze or remediate Spam and Graymail messages. Click the pencil next to each panel to edit your settings.

Table 2 Global settings

Content Analysis

Setting: Messages Analysis
Description: Direction of messages to be dynamically analyzed.
Options (Direction of Messages):
- Incoming
- Internal
- Outgoing
Default (Direction of Messages):
- All for Microsoft O365 Message Source
- Incoming for Gateway message source

Setting: Attachment Analysis
Description: Direction of mail attachments to be dynamically analyzed.
Options (Direction of Attachments):
- Incoming
- Internal
- Outgoing
Default (Direction of Attachments):
- Incoming

Unwanted Message Analysis

Setting: Analyze messages for Spam and Graymail
Options: Checked or Unchecked
Default: Unchecked for all accounts created after May 9, 2023

Setting: Safe Sender: Microsoft Safe Sender messages with Spam or Graymail verdicts will not be remediated.
Description: Messages tagged by Microsoft in the journal header as Safe Sender and with Secure Email Threat Defense verdicts of Spam or Graymail will not be remediated if this box is checked.
Options: Checked or Unchecked
Default: Unchecked

Policy Configuration

The Policy configuration page is where you configure remediation actions the system will use for verdicts returned by the scanners as well as exceptions the system will use based on specific senders and recipients.

Default Base Policy

The Default Base Policy defines your default remediation actions. You can indicate different actions for different types of messages (Threats, Spam, and Graymail) and different message directions.

Click the pencil icon at the right side of the Default Base Policy row to be taken to the Edit Default Base Policy dialog where you can make adjustments for different directions and categories. You can set different policies by message direction.

Internal message settings also apply to outgoing messages in a sender’s mailbox. For example, if bob@yourcompany.com sends a message to a recipient outside of your domain, the Internal message settings apply to the message in his sent messages folder.

Table 3 Policy Configuration Settings

Setting: Default Base Policy
Description: Default remediation actions for messages found to be:
- Threats (BEC, Scam, Phishing, or Malicious)
- Spam
- Graymail
Options:
- Move to Trash
- Move to Junk
- Move to Quarantine
- No Action
Note: If the sender address belongs to a sender allow-list in Exchange or the message has already been remediated by Microsoft 365, remediation actions are not applied.
Default:
- Threats - Move to Quarantine
- Spam - Move to Junk
- Graymail - No Action

Policy Exceptions

Use the rules under Administration > Message Rules to create exceptions to your default policy. Additional policy exception options will be added to the Policy configuration page in future releases.

Configuration Settings with a Gateway

If you have a Cisco Email Security appliance or similar gateway in place, consider using the following settings.

Table 4 Suggested Policy Settings with Gateway

Setting Name: Secure Email Gateway (SEG)
Recommended Selection: Yes, Secure Email Gateway is present, and indicate header

Setting Name: Content Analysis
Recommended Selection: Unwanted message analysis (Spam and Graymail) off

Setting Name: Remediation Actions
Recommended Selection: Threats - Move to Quarantine

It is important to indicate that a Secure Email Gateway (SEG) is present and which header can be used to identify it in incoming journals so Secure Email Threat Defense can determine the true originating sender of a message. Without this configuration it may appear that all messages come from the SEG, which could result in false positive convictions.

For information on verifying or configuring the header on Cisco Secure Email Cloud Gateway (formerly CES) or Cisco Secure Email Gateway (formerly ESA), see https://docs.ces.cisco.com/docs/configuring-asyncos-message-filter-to-add-sender-ip-header-for-email-threat-defense.
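
The effect of declaring the SEG header can be checked on exported sample messages. The following is an added example, not Cisco's code or the product's own logic: it reads the X-IronPort-RemoteIP header when one is declared and otherwise falls back to the last hop in the top Received header. The fallback rule, the bracketed-IP Received format, the function names, and the sample message (documentation IP ranges) are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

SEG_HEADER = "X-IronPort-RemoteIP"  # Cisco SEG default header named on this page

def make_sample(with_header):
    """Constructed message relayed by a gateway at 192.0.2.25 (documentation IPs)."""
    lines = [
        "Received: from seg.example.net (seg.example.net [192.0.2.25])",
        "\tby mx.example.com with ESMTPS; Tue, 02 Jan 2024 10:00:01 +0000",
        "Received: from mail.sender.example (mail.sender.example [198.51.100.7])",
        "\tby seg.example.net with ESMTP; Tue, 02 Jan 2024 10:00:00 +0000",
    ]
    if with_header:
        lines.append(f"{SEG_HEADER}: 198.51.100.7")
    lines += ["From: alice@sender.example", "To: bob@example.com",
              "Subject: constructed sample", "", "body"]
    return "\n".join(lines) + "\n"

def _ip_or_none(text):
    """Normalise an IPv4/IPv6 literal, or return None if it is not one."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None

def sender_ip(raw, seg_header=None):
    """Return (ip, source). Uses the SEG-stamped header when one is declared,
    present exactly once and a valid IP; otherwise falls back (assumption) to
    the last hop recorded in the top Received header."""
    msg = email.message_from_string(raw)
    if seg_header:
        values = msg.get_all(seg_header, [])
        ip = _ip_or_none(values[0]) if len(values) == 1 else None
        if ip:
            return ip, "seg-header"
    hop = re.search(r"\[([0-9A-Fa-f:.]+)\]", msg.get("Received", ""))
    return (_ip_or_none(hop.group(1)) if hop else None), "last-hop"

def audit(raw_messages, seg_header=SEG_HEADER):
    """Indexes of messages where the header is missing, duplicated or not an IP."""
    return [i for i, raw in enumerate(raw_messages)
            if sender_ip(raw, seg_header)[1] != "seg-header"]
```

Running `audit` over a handful of messages exported after the gateway filter is in place shows which ones would still be attributed to the gateway address.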

If you are using Microsoft 365 as your message source, we also recommend bypassing your appliance so journals are sent directly from Microsoft 365 to Secure Email Threat Defense. You can do this by adding a connector in Microsoft 365, as described in Set Up Secure Email Threat Defense.