I have started to implement CG SaaS for O365 after ending use of Sandblast for O365.
I have some questions to O365 E-mail Threat Dectection Policy mode.
I have started using "Monitoring" mode, but doesn't Protect users or detect/prevent possible attacks.
From the SK141072 - CloudGuard SaaS Product Feature-Set the description of the three function are well explained.
A detection only mode in which email accounts or file sharing folders are monitored and account owners are alerted in cases of security events. No active actions are taken against the discovered security events
Ability to protect email boxes inline, i.e. analyzing and protecting mails accounts before they are getting to the recipient inbox
Detection and Prevention
Ability to detect malicious files (in cloud storage) / attachments (in emails) after they've reached cloud folders or email accounts and remove them from that account
I have taken a look at Eugene Tcheby guide migrating from Sandblast Cloud for Office 365 ---> CloudGuard SaaS migration Step by Step - version 1.1 and his guide is moving from monitoring mode to Inline Protection after a week.
I haven't found any clear recommendations in either CloudGuard Saas Getting Started Guide or Threat Protection guide.
What are the best practice for implementing the different modes? any recommended time spans or what to be aware of?