FireEye Stories Blog

Automated Threat Remediation for Office 365 Is Now a Few Clicks Away (Part Two)

In the first post of this two-part series, we described how auto remediate for Office 365 works and its business value. In this second post, we discuss how to configure an auto remediate policy.

The first step is to grant FireEye Email Security—Cloud Edition permission to access the organization’s Office 365 tenant. To do this, add an Authorization from Configuration, as shown in Figure 1. Cloud Edition uses OAuth 2.0, which lets administrators grant FireEye the permissions it needs to act on their emails when a retroactive alert occurs.

Figure 1: Authorize FireEye Email Security—Cloud Edition permission to access Office 365 tenant

Auto remediate policies can be easily configured via the Cloud Edition user interface. As shown in Figure 2, this is done simply by clicking the Configuration tab (Step 1) and choosing Auto Remediate from the list of Rule Types (Step 2).

Figure 2: Configure auto remediate policy

There are three possible policy actions: Quarantine, Move, and Permanent Delete. Figure 3 shows these selections from the pull-down menu, and how the action Move appears when it is selected. The designated action is triggered by a retroactive alert.

Figure 3: Policy actions

As shown in Figure 4, a centralized dashboard provides a trace of each email message. When an auto remediate policy is in effect, the message details show that the message was delivered, that a retroactive alert occurred, and that the policy action was taken. The red Office 365 badge denotes that the designated remediation action was executed.

Figure 4: Email trace with red Office 365 badges denoting auto remediation policy

Cloud Edition automatically extracts emails from customer mailboxes when they are retroactively identified as malicious. Customer administrators can authorize Cloud Edition and configure a policy to auto remediate, meaning they can automatically pull an email from an inbox upon a retroactive alert. Built-in auto remediation reduces alert-to-response time and reduces the risk of a cyber threat going beyond a user’s inbox and becoming more serious.

Take a self-guided tour to learn more about how FireEye Email Security detects and blocks the latest advanced threats, including impersonation techniques.