Create a Post
Showing results for 
Search instead for 
Did you mean: 

What are the best practice for implementing CG SaaS for O365 E-mail Threat Detection policy

Hi Checkmates,


I have started to implement CG SaaS for O365 after ending use of Sandblast for O365.


I have some questions to O365 E-mail Threat Dectection Policy mode.

I have started using "Monitoring" mode, but doesn't Protect users or detect/prevent possible attacks.



From the SK141072 - CloudGuard SaaS Product Feature-Set the description of the three function are well explained.


A detection only mode in which email accounts or file sharing folders are monitored and account owners are alerted in cases of security events. No active actions are taken against the discovered security events



Inline Protection
Ability to protect email boxes inline, i.e. analyzing and protecting mails accounts before they are getting to the recipient inbox


Detection and Prevention
Ability to detect malicious files (in cloud storage) / attachments (in emails) after they've reached cloud folders or email accounts and remove them from that account


I have taken a look at Eugene Tcheby guide migrating from Sandblast Cloud for Office 365 ---> CloudGuard SaaS migration Step by Step - version 1.1 and his guide is moving from monitoring mode to Inline Protection after a week.


I haven't found any clear recommendations in either CloudGuard Saas Getting Started Guide or Threat Protection guide. 


What are the best practice for implementing the different modes? any recommended time spans or what to be aware of?





Best Regards
0 Kudos
2 Replies

Hi Kim,

Having the system running at Monitor mode (for entire org) for 1-2 weeks is about to give you the option to monitor relevant findings and tune the system accordingly, e.g you may see some false Phishing events created and might need to add relevant exceptions to avoid feature detections based on exception criteria or change the AntiPhishing engine confidence level.

When moving to Protect(Inline) mode you might start with small group of users or user groups (defined under the Scope section)  to get their feedback and expand gradualy to cover more users.

All this time you need to have the default Monitor rule for 'entire organization' that will match users not matched by the Inline(Protect) rule.


Hi Igor,

This was just the feedback I needed.

So running two policies monitor for all users in the organisation and another with protect(inline) only for specific users with slow deployment I can end up with a succesfull Implementation.

Have you experienced desktop users see e-mail arriving and the disapear few seconds (5 sec) to reapear again? Is this due to running monitoring mode?

Again thank you for your answer.


Best Regards
Upcoming Events

    CheckMates Events