Quarantine a suspicious email message from all supported mailboxes protected by Cloud App Security or Cloud Email and Collaboration Protection using context menus in the Trend Vision One console.

This task is supported by the following services:
  • Cloud App Security
  • Cloud Email and Collaboration Protection

Procedure

  1. After identifying the suspicious email message, access the context or response menu and click Quarantine Message.
    The Quarantine message task screen appears.
  2. Confirm the targets of the response.
  3. Select the mailboxes that this task applies to.
    This task is only applicable on supported mailboxes (Exchange Online and Gmail) protected by Cloud App Security or Cloud Email and Collaboration Protection.
    To quarantine messages in Gmail, ensure that you have configured a designated quarantine location. If not, perform the following steps:
    1. Click Set quarantine location.
    2. On the Quarantine tab that appears, click Settings.
    3. Specify the email addresses to store quarantined email messages on the Quarantine Settings screen that appears.
      A maximum of 10 email addresses is supported.
      Important
      Make sure that the specified email addresses have associated mailboxes in your organization and that you have granted the read-only, modify, and full access scopes to Cloud App Security or Cloud Email and Collaboration Protection. You can click Verify to check whether the specified email addresses are valid.
      To avoid potential issues, Trend Micro recommends using a dedicated Gmail mailbox exclusively for managing quarantined emails, rather than combining it with regular email communication.
    4. Click Save.
    Note
    If the target message is not found in a supported mailbox or users have already deleted all instances of the message, you cannot create the task.
  4. Specify a Description for the response or event.
  5. Click Create.
    Trend Vision One creates the task and displays the current task status in Response Management.
  6. Monitor the task status.
    1. Go to Workflow and Automation > Response Management.
    2. (Optional) Locate the task using the Search field or by selecting Quarantine Message from the Action drop-down list.
    3. View the task status.
      • Pending approval (if applicable): The automated response task was created on the Workbench app and is waiting for approval.
      • Rejected (if applicable): The automated response task created on the Workbench app was rejected.
      • In progress: Trend Vision One sent the command and is waiting for a response.
      • Successful: The command was successfully executed.
      • Partially successful: One or more commands were unsuccessful.
      • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.
      • Action taken by Cloud App Security: The email message has already been deleted or quarantined by Cloud App Security. Go to Cloud App Security to learn more.
    If you determine that a quarantined message is malicious, you can delete the message using context menus on the Trend Vision One console.
    After determining that a quarantined message is not malicious, you can restore the message by clicking Restore message on the task context menu.
    For more information, see Delete Message task.