[Index]

Model: device/msexchangeonline/SafeAttachmentPolicy

View Quarantined Emails and Request Release

Full HTML Help

MICROSOFT

Overview

Automate provides support for Microsoft Defender for Office that addresses email security threats.

In particular, Automate supports:

• the rapid data sync of a large volume of quarantine messages

• hierarchy-specific data management

• the management of email quarantine messages, Safe Attachment Policies, Safe Link Policies

• request staging areas for quarantine email messages and for requests to create and update of policies

  Requests can then have the State that can be managed during the request cycle:

  • PENDING
  • REJECTED
  • APPROVED
  • COMPLETED

• the management of policy configuration templates, allowing for customization

Dashboards

The administrator interface provides dashboards for the view and management of data:

Security Management - Defender for Office Overview Security Management - Defender for Office Actions

For details, also see:

• Security Management - Defender for Office Overview
• Security Management - Defender for Office Actions
• By default:
  • The Defender for Office Overview dashboard provides the administrator with counters, charts and tables showing information on quarantine messages that are visible from the administrator's hierarchy, for example the total number of messages and breakdowns by site, time and type, including message senders, recipients and release requests.
  • The Defender for Office Actions dashboard also provides the administrator with counters on quarantined and released emails, as well as safelink and attachment policies. In addition, quick links are provided to manage quarantined emails, safe link policies and safe attachment policies.

To customize your dashboards:

• See: Automate Dashboards.

• Resources have been added and are available to widgets on a dashboard where Data Source is Automate Analyzed.

  For example:

  • Quarantine Messages, Shows diagnostic information about the Microsoft Quarantined messages, device/msexchangeonline/QuarantineMessage
  • Quarantine Message Staging, Shows diagnostic information about the Microsoft Quarantined Staging messages, data/MicrosoftDefenderQuarantineMessageStaging

Quarantine Email Actions

When synchronizing and overbuild on existing items that are in quarantine, these are moved to the relevant hierarchy node associated with the user.

Automate will sync a high volume quarantine messages using the data collection capability. The data/DataModel called: "DataCollection" provides this lightweight collection of data from external sources.

Administrators can carry out a number or list and request actions:

• View Quarantined Emails and Request Release
• View Released Emails
• View Release Requests

View Quarantined Emails and Request Release

A list view of quarantined email messages visible from the current hierarchy can be inspected and instances can be selected to request the message release.

Automate provides a staging area for requests (maintained in the data model: data/MicrosoftDefenderQuarantineMessageStaging).




An instance from this list can be selected, inspected and managed:







For example, administrators can select a message from this list and request the release of the quarantined email message so that it will have a State as PENDING:







Similarly rejected requests can be managed:







View Released Emails

By default, a separate list view is available to inspect all messages that have been released from quarantine.

View Release Requests

Following on requesting the release of quarantined messages, the requests can be listed.




Release request instances can be inspected.




Safe Link Policies

Manage Safe Link Policies

Related device model: device/msexchangeonline/SafeLinksPolicy

Administrators can view and manage Safe Link policies in Automate. This includes the creation and configuration of policies.

Request New Safe Link Policy

Automate provides a staging area for requests (maintained in the data model: data/MicrosoftDefenderSafeLinksPolicyStaging). Administrators can therefore submit requests for Safe Link policies, according to:

• a selected Safe Links Policy Template
• with State set as PENDING

View Safe Link Policy Requests

By default, a separate list view is available to inspect all Safe Link policy requests that have been made, and to select a request for management.

Safe Link Policy Templates

Automate provides a reference configuration template for device/msexchangeonline/SafeLinksPolicy, called: Reference Safe Links Policy, but administrators can clone and manage these templates according to their needs when submitting policy requests.

Safe Attachment Policies

Manage Safe Attachment Policies

Related device model: device/msexchangeonline/SafeAttachmentPolicy

Safe Attachments in Microsoft Defender for Office opens attachments in a virtual environment before the messages are delivered.

Safe Attachments policies can apply to specific users, groups, or domains and can be managed in Automate.

The Quarantine policy selected when managing a safe attachement policy in Automate is managed on the Microsoft Defender portal.

The default Microsoft Defender quarantine policies are:

• AdminOnlyAccessPolicy
• DefaultFullAccessPolicy
• DefaultFullAccessWithNotificationPolicy
• NotificationEnabledPolicy (in some organizations)

Request New Safe Attachment Policy

Automate provides a staging area for requests (maintained in the data model: data/MicrosoftDefenderSafeAttachmentPolicyStaging).

View Safe Attachment Policy Requests

By default, a separate list view is available to inspect all Safe Attachement policy requests that have been made, and to select a request for management.

Safe Attachment Policy Templates

Automate provides a reference configuration template for device/msexchangeonline/SafeAttachmentPolicy, called: Reference Safe Attachment Policy, but administrators can clone and manage these templates according to their needs.

Related Topics

• Microsoft Defender for Endpoint security management and policies
• Model Filter Criteria for Microsoft Defender Overbuild usage

Model Details: device/msexchangeonline/SafeAttachmentPolicy

• An asterisk * in the title indicates the field is mandatory.
• If a field has a default value, it is shown in the Description column.
• If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
• Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title															Description																				Details
Safe Attachement Policy															Group Assigned by FDP																				Field Name: Safe Attachement Policy Type: Object
	Name *																																		Field Name: Safe Attachement Policy.Name Type: String
	Status																																		Field Name: Safe Attachement Policy.State Type: ["String", "Null"] Choices: ["Enabled", "Disabled"]
	Rule														Safe Attachment Rule																				Field Name: Rule Type: Object
		Status																																	Field Name: Safe Attachement Policy.Rule.State Type: ["String", "Null"] Choices: ["Enabled", "Disabled"]
		Priority																																	Field Name: Safe Attachement Policy.Rule.Priority Type: Integer
			Users																																Field Name: SentTo.[n] Type: Array
			Groups																																Field Name: SentToMemberOf.[n] Type: Array
			Domains																																Field Name: RecipientDomainIs.[n] Type: Array
		Exclude these users, groups and domains																																	Field Name: Safe Attachement Policy.Rule.ExceptEnabled Type: Boolean
			Users																																Field Name: ExceptIfSentTo.[n] Type: Array
			Groups																																Field Name: ExceptIfSentToMemberOf.[n] Type: Array
			Domains																																Field Name: ExceptIfRecipientDomainIs.[n] Type: Array
	Priority																																		Field Name: Safe Attachement Policy.Priority Type: Integer
	Action *														Default: Off																				Field Name: Safe Attachement Policy.Action Type: ["String", "Null"] Default: Off Choices: ["Off", "Monitor", "Block", "DynamicDelivery"]
	Quarantine policy *														Default: AdminOnlyAccessPolicy																				Field Name: Safe Attachement Policy.QuarantineTag Type: ["String", "Null"] Default: AdminOnlyAccessPolicy Choices: ["AdminOnlyAccessPolicy", "DefaultFullAccessPolicy", "DefaultFullAccessWithNotificationPolicy"]
	Enable redirect																																		Field Name: Safe Attachement Policy.Redirect Type: Boolean
	Redirect Address																																		Field Name: Safe Attachement Policy.RedirectAddress Type: ["String", "Null"] Pattern: (^$|^([^.@]+)(\.[^.@]+)*@([^.@]+\.)+([^.@]+)$)
		Users																																	Field Name: SentTo.[n] Type: Array
		Groups																																	Field Name: SentToMemberOf.[n] Type: Array
		Domains																																	Field Name: RecipientDomainIs.[n] Type: Array
	Exclude these users, groups and domains																																		Field Name: Safe Attachement Policy.ExceptEnabled Type: Boolean
		Users																																	Field Name: ExceptIfSentTo.[n] Type: Array
		Groups																																	Field Name: ExceptIfSentToMemberOf.[n] Type: Array
		Domains																																	Field Name: ExceptIfRecipientDomainIs.[n] Type: Array