Set Up Secure Email Threat Defense
Secure Email Threat Defense setup includes the following:
1. Sign-in to Your Account
2. Indicate if you have a Secure Email Gateway (SEG)
3. Select your Message Source and Remediation Mode
4. Set Up your Message Source
5. Review Your Policy Settings
6. Import Your Domains
These steps assume you meet the Requirements.
Sign-in to Your Account
1. Follow the directions in the welcome email from Cisco to set up your user account.
Secure Email Threat Defense uses Cisco SecureX sign-on to manage user authentication. For information on SecureX sign-on, see https://cisco.com/go/securesignon. If you are an existing SecureX Threat Response, Cisco Secure Malware Analytics (formerly Threat Grid), or Cisco Secure Endpoint (formerly AMP) customer, be sure to sign in with your existing credentials. If you are not an existing user, you will be prompted to create a new SecureX sign-on account.
2. Once you have successfully logged in, accept the Terms and Conditions.
3. You now have access to the Welcome to Cisco Secure Email Threat Defense page. Follow the setup wizard as described in the following sections.
Indicate if you have a Secure Email Gateway (SEG)
Regardless of your message source, it is important to indicate whether a Secure Email Gateway (SEG) is present and which header can be used to identify it in incoming journals, so Secure Email Threat Defense can determine the true originating sender of a message. Without this configuration, every message may appear to come from the SEG, which could result in false positive convictions.
1. Indicate if a Secure Email Gateway (SEG) is present by selecting Yes or No, then click Next.
2. If you answered Yes, enter your SEG type and header. Click Next.
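The following is an added example (not Cisco's code) of why the SEG header matters when reading a journaled message: it walks the Received chain newest-first, skips the tenant's own relay hops, and steps back one extra hop when the configured SEG header is present. The header name, the internal host suffix and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed names: stand-ins for the header your SEG adds and for the
# suffix of your tenant's own receiving hosts (neither comes from Cisco).
SEG_HEADER = "X-Example-SEG"
INTERNAL_SUFFIXES = ("protection.outlook.com",)

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hops(msg):
    """Received hops newest-first as (from_host, from_ip, by_host)."""
    hops = []
    for received in msg.get_all("Received", []):
        m = HOP_RE.search(received.replace("\n", " "))
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        hops.append((m.group(1), ip.group(0) if ip else None, m.group(3).rstrip(";")))
    return hops


def originating_sender(raw, seg_header=None):
    """Return (host, ip) of the system that handed the message to the tenant.
    If seg_header is configured and present in the message, the newest
    external hop is the SEG itself, so step back one more hop."""
    msg = message_from_string(raw)
    external = [h for h in parse_hops(msg) if not h[0].endswith(INTERNAL_SUFFIXES)]
    if not external:
        return None
    seg_seen = seg_header is not None and msg.get(seg_header) is not None
    if seg_seen and len(external) > 1:
        return external[1][:2]  # hop recorded by the SEG: the true originator
    return external[0][:2]      # no SEG in the path: first external hop is it


# Constructed journaled message: origin -> SEG -> Microsoft 365 -> mailbox
SAMPLE = """\
Received: from relay.tenant.protection.outlook.com (2603:10b6::1) by
 mbx.tenant.protection.outlook.com; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mx1.seg.example.net (192.0.2.10) by
 relay.tenant.protection.outlook.com; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.example.org (198.51.100.25) by mx1.seg.example.net
 with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
X-Example-SEG: scanned
From: alice@sender.example.org

body
"""
```

Calling originating_sender(SAMPLE, SEG_HEADER) yields the real origin, while originating_sender(SAMPLE) with no SEG header configured attributes the same message to the gateway, which is the false-positive risk the setup step avoids.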
Select your Message Source and Remediation Mode
1. Select your message source: Microsoft O365 or Gateway. If you selected No SEG in the previous step, Microsoft O365 is assumed as your message source.
Note: Using Gateway as your message source is a new feature. You can use your Secure Email Cloud Gateway as your message source only for Microsoft O365 mailboxes. Support for additional sources will be added in future releases.
2. Select your Microsoft Remediation mode.
The remediation mode defines the type of remediation policy you can apply. There are two options:
– Read/Write – Allows visibility and on-demand or automated remediation (that is, move or delete suspect messages). Read/write permissions will be requested from Microsoft 365.
– Read – Allows visibility only, no remediation. Read-only permissions will be requested from Microsoft 365.
Note: If you choose Read/Write, you will need to turn on the Automated Remediation Policy in your Policy Settings once your setup is complete. To apply auto-remediation to all internal emails, ensure the Apply auto-remediation to domains not in the domain list box on the Policy page is selected.
3. Connect to Microsoft 365.
a. Click Next to connect to Microsoft 365.
b. Log in to your Microsoft 365 account, as prompted. This account must have Global Admin rights; the account will not be stored or used by Secure Email Threat Defense. For information on why these rights are needed, see Cisco Secure Email Threat Defense FAQ: Why are Microsoft 365 Global Admin rights required to set up Secure Email Threat Defense?.
c. Click Accept to accept the permissions for the Secure Email Threat Defense app. You are redirected back to the Secure Email Threat Defense setup page.
d. Click Next.
Set Up your Message Source
Complete the steps for your selected message source.
Microsoft O365 Message Source
If you selected Microsoft O365 as your message source, you must configure Microsoft 365 to send journals to Secure Email Threat Defense. To do this, you add a journal rule. If you have a Gateway in place, add a connector in Microsoft 365 before adding your journal rule.
1. For users with a Secure Email Gateway (SEG): Add a connector in Microsoft 365.
To ensure journals are sent directly from Microsoft 365 to Secure Email Threat Defense without needing to pass through the Secure Email Gateway, we recommend adding an outbound connector in Microsoft 365. The connector needs to be added before you set up journaling.
From the Microsoft 365 Exchange Admin Center, create a new connector by using the following settings in the Add a connector wizard:
– Connection from: Office 365
– Connection to: Partner organization
– Connector name: Outbound to Cisco Secure Email Threat Defense (select the Turn it on check box)
– Use of connector: Only when email messages are sent to these domains (add mail.cmd.cisco.com)
– Routing: Use the MX record associated with the partner’s domain
– Security restrictions: Always use Transport Layer Security (TLS) to secure the connection (recommended); Issued by a trusted certificate authority (CA)
– Validation email: Your journal address from the Secure Email Threat Defense setup page
2. Configure Microsoft 365 to send journals to Secure Email Threat Defense. To do this, you add a journal rule.
a. Copy your journal address from the Secure Email Threat Defense setup page. If you need to repeat this process later, you can also find your journal address on the Administration page.
b. Go to your Microsoft Purview compliance portal: https://compliance.microsoft.com/homepage.
c. Navigate to Solutions > Data lifecycle management > Exchange (legacy) > Journal rules.
d. If you haven’t already done so, add an Exchange recipient to the Send undeliverable journal reports to field, then click Save. The email address used will not be journaled; do not use an address you want Secure Email Threat Defense to analyze. If you do not have a recipient you want to use for this purpose, you will need to create one.
e. Return to the Journal rules page. Click the + button to create a new journal rule.
f. Paste the journal address from the Secure Email Threat Defense setup page into the Send journal reports to field.
g. In the Journal rule name field, enter Cisco Secure Email Threat Defense.
h. Under Journal messages sent or received from, select Everyone.
i. Under Type of message to journal, select All messages.
j. Click Next.
k. Review your choices, then click Submit to finish creating your rule.
3. Return to the Secure Email Threat Defense setup page. Click Review Policy.
Gateway Message Source
If you selected Gateway as your message source, enable your Cisco Secure Email Cloud Gateway’s Threat Defense Connector to send messages to Secure Email Threat Defense.
1. Copy your Message Intake Address from the Secure Email Threat Defense setup page. If you need to repeat this process later, you can find your Message Intake address on the Administration page.
2. From the Secure Email Cloud Gateway UI, select Security Services > Threat Defense Connector.
3. Select the Enable Threat Defense Connector checkbox.
4. Enter the Message Intake Address you copied from Secure Email Threat Defense in step 1.
5. Click Submit to commit your changes.
6. Return to the Secure Email Threat Defense setup page. Click Review Policy.
Review Your Policy Settings
For information on policy settings, see Policy Settings. If you have chosen Read/Write mode, you should verify your Automated Remediation settings now. To apply automated remediation to all internal emails, ensure Apply auto-remediation to domains not in the domain list is selected. You can turn on the Automated Remediation Policy toggle once your domains are imported.
Import Your Domains
Secure Email Threat Defense imports domains with email capabilities from your Microsoft 365 tenant. Import your domains so you can apply automated remediation to specific domains. Secure Email Threat Defense treats newly imported domains differently depending on whether the Apply auto-remediation to domains not in the domain list box is checked or unchecked:
■ If Apply auto-remediation to domains not in the domain list is checked, auto-remediation is applied to any new domains that are imported.
■ If Apply auto-remediation to domains not in the domain list is unchecked, auto-remediation is not applied to any new domains that are imported.
By default, the Apply auto-remediation to domains not in the domain list box is unchecked.
To manually import your email domains (recommended when you set up Secure Email Threat Defense for the first time):
1. Navigate to Settings (gear icon) > Policy.
2. Click the Update Imported Domains button to import your domains into Secure Email Threat Defense.
3. Use the check box next to each domain to adjust the automated remediation setting for that domain.
4. We recommend also selecting Apply auto-remediation to domains not in the domain list to ensure auto-remediation is applied to all internal emails and to any domains that are automatically imported later.
5. Click Save and Apply.
Domains are automatically imported every 24 hours to ensure the list is up-to-date.