The first step is to grant FireEye Email Security—Cloud Edition permission to access the organization’s Office 365 tenant. To do this, add an Authorization from Configuration, as shown in Figure 1. Cloud Edition uses OAuth 2.0, which lets administrators grant FireEye the permissions it needs to act on their emails when a retroactive alert occurs.
Figure 1: Authorize FireEye Email Security—Cloud Edition permission to access Office 365 tenant
Auto remediate policies can be easily configured via the Cloud Edition user interface. As shown in Figure 2, this is done simply by clicking the Configuration tab (Step 1) and choosing Auto Remediate from the list of Rule Types (Step 2).
Figure 2: Configure auto remediate policy
There are three possible policy actions: Quarantine, Move, and Permanent Delete. Figure 3 shows these selections from the pull-down menu, and how the action Move appears when it is selected. The designated action is triggered by a retroactive alert.
Figure 3: Policy actions
As shown in Figure 4, a centralized dashboard provides a trace of each email message. When an auto remediate policy is in effect, the message details show that the message was delivered, a retroactive alert occurred, and the policy action was taken. The red Office 365 badge denotes that the designated remediation action was executed.
Figure 4: Email trace with red Office 365 badges denoting auto remediation policy
Cloud Edition automatically extracts emails from customer mailboxes when they are retroactively determined to be malicious. Customer administrators can authorize Cloud Edition and configure a policy to auto remediate, meaning they can automatically pull an email from an inbox upon a retroactive alert. Built-in auto remediation reduces alert-to-response time and reduces the risk of a cyber threat going beyond a user’s inbox and becoming more serious.