Threat Investigation - Email Assessment


This feature requires special licensing.

Email Assessment prerequisites:

  • Configure Exchange Online provisioning in Cloud App Security.

  • Enable the Advanced Threat Protection policy for Exchange Online in Cloud App Security.

  • Enable email metadata collection on the Worry-Free Services web console.

    For more information, see Enabling Email Metadata Collection.

  • Configure your Exchange Online account in Outlook.

  1. Go to DETECTION & RESPONSE > Threat Investigation.
  2. Click Emails.
  3. Choose an assessment type.
    • Quick: Specify sender's email addresses, or file hash values, or URLs and click Assess Impact.

      Skip to the result step.

    • Advanced: Advanced Assessment allows you to specify complex criteria. You can also save your criteria for future investigations.

  4. Specify the data period for the investigation.
  5. Select one of the following options:
    • Match ANY criteria: Find objects matching any of the criteria specified

    • Match ALL criteria: Find objects matching all of the criteria specified

  6. Click New criteria, select a criteria type, and specify valid information.

    To save your criteria for future investigations, click .

  7. (Optional) To load existing custom criteria, click Saved Criteria.
    1. Select the criteria to load.
    2. Click Apply Criteria.
  8. Click Assess Impact.

    The Matched Messages section appears. Allow some time for the investigation to run.

  9. Check the results in the Matched Messages section.

    Click in the Details column to view more information.