Avanan: Partner Deployment Guide - Mid-POC Review Call

Description

*** NOTICE ***

  • Documents here contain information on how to complete an Avanan POC/deployment for a customer.
  • This guide provides examples ONLY; tailor them to fit your needs.

Findings Review

  1. Verify that the customer has watched the portal walk-through/training video.
    1. If not, they should watch it in order to learn how to use the portal.
  2. Review the following with the customer:

Dashboard

Users Found/Licensed

  1. Click on Active Users on the bottom left.
  2. This will list the number of users found & licensed.
  3. For information on how users are licensed, see the below resources:
    1. Microsoft 365: How does Avanan License Users (Microsoft 365)?
    2. G Suite: How does Avanan License Users (G Suite)?

Phishing

This tile will show you phishing events detected by Avanan. The Smart-Phish (Anti-Phishing) security engine is responsible for detecting phishing, suspected phishing, and spam emails. It analyzes various components of an email, such as attachments, links, sender reputation, domain analysis, OCR, and many more.

  • Click on one of the numbers to dive into the events page.


BEC

This tile will show you Business Email Compromise (Anomalies) detected by Avanan. The Anomaly Detection engine detects behaviors or actions that seem abnormal when observed in the context of an organization and a user's historical activity. The engine analyzes the behavior using a machine-learning algorithm that builds a profile based upon historical event information, including login locations and times, data-transfer behavior, and email message patterns. Anomalies are often a sign that an account is compromised.

  • Anomalies are mail activity events that are pulled by the portal for any events that are outside the usual activity for this user. This can include but is not limited to:
    • First-time logins from new countries
    • Performing activity in one location and then performing another activity from a distant location (Typical with VPNs)
    • Large number of password resets
    • Delete-all-emails Outlook rule
    • Internal user is sending malicious/spam emails

Customers should pay close attention to the BEC box as this is what indicates possible account takeover events: Enhanced Focus on Account Takeover Events (avanan.com)

  • Click on one of the numbers to dive into the events page.
  • Note: Full Prevention means Avanan will automatically block a user that is confirmed to be compromised. (Adjusted in the Anomaly Detection security engine).


Malware

This tile will show you malware events detected by Avanan. The Anti-Malware engine determines whether an email attachment or a shared file contains malware. It uses signature-based Anti-Virus to detect files containing known malware and Avanan's advanced sandbox (Threat Emulation) to detect evasive zero-day malware.

  • Click on one of the numbers to dive into the events page.


DLP

This tile will show you DLP events detected by Avanan. Avanan's Data Loss Prevention (DLP) engine safeguards the organization's data from breaches or unauthorized sharing. It scans emails, attachments, shared files, and text messages, even extracting text from images using OCR. The DLP engine identifies patterns that should not be shared with unauthorized people or destinations.

  • Click on one of the numbers to dive into the events page.


User Interaction

This tile will report open Restore Requests and User Reported Phishing alerts.

  • Click on one of the numbers to dive into either of these alert types.


Security Checkup Report

Generate a Security Checkup Report and review with the customer. The Security Checkup report gives a periodic overview of all the threats detected in the SaaS applications protected by Avanan. It gives insights into the threats detected and how Avanan handled these threats based on the configured policies.

To generate Security Checkup Report:

  1. Go to Analytics > Security Checkup.
  2. Click Generate now.
  3. Enter the required report name.
  4. Select the required Time Frame.
    • Last 1 week
    • Last 2 weeks
    • Last 30 days
  5. Click Generate.
    The system starts generating the Security Checkup report.
  6. Click OK.
    1. You can track the report generation status from the System Settings > System Tasks page.
    2. After the report gets generated, you can see the report in the Security Checkup page.

Production Licensing

Explain that at this point, we are ready to apply production licensing to the tenant and move their policies to protection mode.

Enabling Production Licensing

  1. From the MSP portal, select License (right hand side) while hovering over the applicable tenant.
  2. Choose the applicable license from the drop-down menu.
  3. Type in the number of Licensed users. There are 2 options for this:
    1. Option 1: Make the max number greater than the actual number of user licenses by 25. If there are 30 actual users, the max number should be 55.
      1. This allows new users created in M365 to automatically be protected. This is the recommended option.
    2. Option 2: Make the max number exactly the same as the number of users the tenant has.
      1. This will NOT automatically protect new users created in M365, so this option is not recommended.
  4. Select the appropriate Add-On if applicable.
  5. Click Save. The tenant is now fully licensed.
  6. The tenant will now show the max user count next to the Total users in the MSP portal.

You now need to make sure the correct users are licensed:

  1. Log into the tenant and go to the Configuration → Licenses page.
  2. From here, make sure the desired users are licensed by selecting them and clicking Assign.
    • You may also "exclude" users from licensing, so they are not billed, by selecting them and clicking Un-Assign.


Switching Policies to Protect Mode

At this point we are ready to switch the policies that we set up during the initial setup call to Prevent mode so Avanan can start taking action against threats.

Threat Protection

We have 2 policy recommendations; configure one of the following according to what the partner/customer would like.

NOTE: If a signature service is used and you wish to enable Protect (Inline) Outgoing Traffic, you will need to modify the Avanan - Protect Outgoing mailflow rule within the Exchange Admin Center. An exception will need to be created based upon the header addition from your signature service.

  1. Exclaimer: 'X-ExclaimerHostedSignatures-MessageProcessed' header matches the following patterns: 'true'
  2. CodeTwo: 'X-CodeTwoProcessed' header matches the following patterns: 'true'

Moderate Security Threat Detection Policy

  • Workflows with the star icon are suggested
  • Policy uses several workflows that allow users to be self-sufficient
  • Higher severity events require Administrator approval
  • Spam messages go to the Junk folder

High Security Threat Detection Policy

  • Mostly Quarantine, but the user is not alerted
  • Minimal user interaction
  • If users are missing anything, they can reach out to the administrators, who can locate the message and restore it as needed

Click-Time Protection

Click-Time Protection Policy Recommendations

DLP

Only if the tenant is licensed for Full Suite protection (Tier 3)

DLP Protection Policy Recommendations

  1. Protection Mode: Protect (Inline)
  2. Scope
    1. Direction: Outbound
  3. DLP Workflow: Select the option that best fits the customer's needs.
    1. This is also where you can choose to encrypt emails using either Microsoft or SmartVault. For more information regarding Avanan's DLP, Secure Email, etc., see our Avanan: Frequently Asked Questions (solutionsgranted.com) page.
  4. NOTE: If a signature service is used, you will need to modify the Avanan - Protect Outgoing mailflow rule within the Exchange Admin Center. An exception will need to be created based upon the header addition from your signature service.
    1. Exclaimer: 'X-ExclaimerHostedSignatures-MessageProcessed' header matches the following patterns: 'true'
    2. CodeTwo: 'X-CodeTwoProcessed' header matches the following patterns: 'true'
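The signature-service exception from the notes above (Threat Protection and DLP) can also be applied with Exchange Online PowerShell instead of the Exchange Admin Center. This is an added example, not part of the guide; it assumes the ExchangeOnlineManagement module is installed, the rule is named "Avanan - Protect Outgoing" as stated above, and `$service` is set to the signature service in use.

```powershell
# Added example (not from the guide): add the signature-service header exception
# to the Avanan outgoing mail flow rule so messages returning from the signature
# service are not sent through Avanan a second time. Requires Exchange admin rights.
Connect-ExchangeOnline

$ruleName = 'Avanan - Protect Outgoing'   # rule name as given in the guide

# Header set by each supported signature service (values from the guide).
$signatureHeaders = @{
    Exclaimer = 'X-ExclaimerHostedSignatures-MessageProcessed'
    CodeTwo   = 'X-CodeTwoProcessed'
}
$service = 'Exclaimer'    # assumption: change to 'CodeTwo' if that service is used

if (-not $signatureHeaders.ContainsKey($service)) {
    throw "Unknown signature service '$service'"
}

# Fail early if the rule does not exist rather than creating a new one by mistake.
$rule = Get-TransportRule -Identity $ruleName -ErrorAction Stop

# Add the exception: skip the rule when the header already equals 'true',
# i.e. the signature service has processed the message.
Set-TransportRule -Identity $rule.Identity `
    -ExceptIfHeaderMatchesMessageHeader $signatureHeaders[$service] `
    -ExceptIfHeaderMatchesPatterns 'true'

# Verify the exception landed before switching the policy to Protect (Inline).
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, ExceptIfHeaderMatchesMessageHeader, ExceptIfHeaderMatchesPatterns
```

Setting the exception replaces any existing header-match exception on the rule, so check the verification output if other header exceptions were already configured.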

Configure Security Engines

Click-Time Protection

Click-Time Protection is the URL rewriting aspect of Avanan/Check Point.

  • As a message is received, the hyperlink of the URL is rewritten to go back to Avanan/Check Point’s URL scanning engine
  • Enabled via a dedicated O365 Mail policy from the “Policy” section
  • Offers URL Replacement for Email body and attachments

Links Replacing

Links Replacing Recommendations

  1. Recommendation: Enabled, but only if not using another rewriting service

URL Emulation

In addition to protecting users based on the reputation of the URL, we are now able to perform URL Emulation.

  • Once the link is clicked, Avanan/Check Point’s engine will scan the behavior of the landing URL
  • Looking for odd file download requests
  • Looking for odd sites prompting email login

URL Emulation Recommendations

  1. Recommendation: Enable URL Emulation
    1. URL Version: v2


Portal Review

Restore Requests

Restore Request Recommendations

  • End-users can request the restoration of messages and files that they believe are safe.
  • When the workflow includes "admin must approve," anyone listed as a "Restore request approver" will receive an email notifying them of a request for restoration.
  • A link in the email will take you to the approval page, which can also be found under "User Interaction" > "Restore Requests".
  • Approvers can review the message and then decide to Restore or Decline the request.
  • To provide end-user feedback, go to "User Interaction" > "Configuration" and check the box for "Send feedback email to end users."

User Reported Phishing

User Reported Phishing Recommendations

  • End-users may receive a message they feel is unsafe or suspicious; they can report it according to their internal process.
  • Avanan/Check Point integrates seamlessly with the Microsoft Report Phishing button, with no additional configuration required.
  • The message can be investigated within Avanan under "User Interaction" > "User Reported Phishing".
  • An admin can then decide to quarantine that message or decline the notification.

Anti-Phishing Allow/Block List

Anti-Phishing Allow/Block List Recommendations

  • Avanan/Check Point's Anti-Phishing lists cover both phishing and spam events
  • These can be created in several different locations:
    • Directly from the message view
      • This will pull in data from the message
    • From "Mail Explorer"
    • Under "Security Settings > Exceptions > Smart-Phish"
  • Use the message data and adjust the "Date Received" range to locate matches

Create Allow-List Rule

  • Only use "Ignore SPF" if necessary
    • SPF is how spoofing of allow-listed senders is prevented
  • "Release matched email" releases messages that were previously quarantined

Create Block-List Rule

  • “Detection type” is how the matched event will be identified
  • “Quarantine matched email” will quarantine all messages identified.

Click-Time Protection Exceptions

Click-Time Protection Exceptions Recommendations

Allow-List

  • The Click-Time Protection engine automatically flags this URL as clean without even scanning it.

Block-List

  • The Click-Time Protection engine automatically flags this URL as malicious without even scanning it.

Ignore-List

  • The Click-Time Protection engine will not replace this URL.

Anti-Malware Allow/Block-List

Anti-Malware Allow/Block-List Recommendations

  • Lists used to allow or block files identified by the Malware Engine's signature/sandbox scanning.
  • Can be used to create Allow/Block-Lists based on macros within the file.
  • Useful for spreadsheets with macros

DLP Allow-List

DLP Allow-List Recommendations

  • Used to allow items, recipients, or senders to pass through when identified by the DLP engine
  • String option only available with "View Private Data" enabled


Reports

Send Daily Quarantine Report to End Users

  1. Configure options based on partner/customer requirements. Located under Security Settings > User Interaction > Restore Requests.
    1. Recommendation: Send Daily Quarantine Report to End Users
    2. Recipients: “All Users”



Additional/Other SaaS Applications

If the partner has any other SaaS applications (Teams, OneDrive, SharePoint, etc.) set up, they will need to set up the same policies for those additional applications.

Below are some recommendations for additional SaaS applications:

Microsoft Teams

Microsoft Teams Recommended Policy Settings

Ensure the following 3 policies are created and configured per the below recommendations.

  1. Threat Protection
  2. Malware
  3. DLP
    • Only if the tenant is licensed for Full Suite protection (Tier 3)

Microsoft SharePoint

Microsoft SharePoint Recommended Policy Settings

Ensure the following 3 policies are created and configured per the below recommendations.

Prerequisites

  • Must have either an E5 License or an E3 License with the E5 Compliance add-on for successful integration

  1. Threat Protection
  2. Malware
  3. DLP
    • Only if the tenant is licensed for Full Suite protection (Tier 3)

Microsoft OneDrive

Microsoft OneDrive Recommended Policy Settings

Ensure the following 3 policies are created and configured per the below recommendations.

  1. Threat Protection
  2. Malware
  3. DLP
    • Only if the tenant is licensed for Full Suite protection (Tier 3)

Citrix ShareFile

Citrix ShareFile Recommended Policy Settings

Prerequisites

  • ShareFile Admin access is required to complete the onboarding process.
  • The minimum required permissions for the Avanan platform are:
    • Users Type: Standard ShareFile Users
    • Content: Read/Write All Files/Folders
    • Management: Manage Enterprise
  • We recommend ensuring all folder/file download email notifications are turned off for all participating ShareFile users. This will prevent automatic email notifications for each scanned file.

New Policy Creation

  1. Navigate to the Policy page.
  2. Add a new policy by clicking on the + button near ShareFile.
  3. In the "Choose Security" combo-box, select DLP or Malware.
  4. Click Next.
  5. In the "Mode" combo-box, select the protection mode (Detect and Protect, or Monitor).
  6. Based on the policy type (DLP or Malware):
    1. Select the requested DLP rules.
    2. Choose whether you want to activate the scans on internal files (not shared with external users).
    3. Select the tools you want to activate in the scan.
  7. Click "Save and Apply".

Dropbox

Dropbox Recommended Policy Settings

Prerequisites

  • Dropbox Admin access is required to complete the onboarding process.
  • The minimum required permissions for the Avanan platform are:
    • Users Type: Standard Dropbox Users
    • Content: Read/Write All Files/Folders
    • Management: Manage Enterprise
  • We recommend ensuring all folder/file download email notifications are turned off for all participating Dropbox users. This will prevent automatic email notifications for each scanned file.

New Policy Creation

  1. Navigate to the Policy page.
  2. Add a new policy by clicking on the "Add New Policy Rule" button near Dropbox.
  3. In the "Choose Security" combo-box, select DLP or Malware.
  4. Click Next.
  5. In the "Mode" combo-box, select the protection mode (Detect and Protect, or Monitor).
  6. Based on the policy type (DLP or Malware):
    • Select the requested DLP rules.
    • Choose whether you want to activate the scans on internal files (not shared with external users).
    • Select the tools you want to activate in the scan.
  7. Click "Save and Apply".

Slack

Slack Recommended Policy Settings

Prerequisites

  • Licensing: Discovery API support is required to scan messages. The following plans are supported:
    • Enterprise Grid: supported by default.
    • Plus: Reach out to Slack to discuss the options.
  • Permissions
    • Onboarding user must have admin access to the workspaces that would be protected.
    • For Enterprise Grids, the onboarding user should be part of the workspace that you want to protect.

New Policy Creation

  1. Navigate to the Policy page.
  2. Add a new policy by clicking on the + button near Slack.
  3. In the "Choose Security" combo-box, select DLP or Malware.
  4. Click Next.
  5. In the "Mode" combo-box, select the protection mode (Detect and Protect, or Monitor).
  6. Based on the policy type (DLP or Malware):
    1. Select the requested DLP rules.
    2. Choose whether you want to activate the scans on internal messages (not shared with external users).
    3. Select the tools you want to activate in the scan.
  7. Click "Save and Apply".
