AnsweredAssumed Answered

What are the best practice for implementing CG SaaS for O365 E-mail Threat Detection policy

Question asked by Kim Moberg on Jan 9, 2019
Latest reply on Jan 10, 2019 by Kim Moberg

Hi Checkmates,


I have started to implement CG SaaS for O365 after ending use of Sandblast for O365.


I have some questions to O365 E-mail Threat Dectection Policy mode.

I have started using "Monitoring" mode, but doesn't Protect users or detect/prevent possible attacks.



From the SK141072 - CloudGuard SaaS Product Feature-Set the description of the three function are well explained.


A detection only mode in which email accounts or file sharing folders are monitored and account owners are alerted in cases of security events. No active actions are taken against the discovered security events



Inline Protection
Ability to protect email boxes inline, i.e. analyzing and protecting mails accounts before they are getting to the recipient inbox


Detection and Prevention
Ability to detect malicious files (in cloud storage) / attachments (in emails) after they've reached cloud folders or email accounts and remove them from that account


I have taken a look at Eugene Tcheby guide migrating from Sandblast Cloud for Office 365 ---> CloudGuard SaaS migration Step by Step - version 1.1 and his guide is moving from monitoring mode to Inline Protection after a week.


I haven't found any clear recommendations in either CloudGuard Saas Getting Started Guide or Threat Protection guide. 


What are the best practice for implementing the different modes? any recommended time spans or what to be aware of?