Changing the SaaS Defense operating mode

SaaS Defense modes

Datto SaaS Defense can be run in one of two operating modes:

  • In Prevention Mode, the default operating mode, the application quarantines suspicious emails within seconds of their reaching the intended recipient. If a document, located on OneDrive for example, includes a potential threat, the document is removed from the live environment so users cannot access it.
  • In Monitoring Mode, the application identifies suspicious content but does not take any action. The content remains in its current location and the MSP determines the actions to take.

The table below describes the process Datto SaaS Defense performs in each mode when scanning for potential threats.

Mode Process
Prevention
  1. Datto SaaS Defense scans Microsoft 365 application content for potential threats by comparing the content to the applicable execution model (see the article What is Datto SaaS Defense?).
  2. If content does not contain a potentially malicious threat:
    1. Datto SaaS Defense does not take any action.
    2. If the end user believes an email should have been quarantined, the end user submits an incident report using the Report Threat Outlook add-in. Then, the end user can delete the email.
    3. The MSP investigates the incident.
  3. If an email contains a potentially malicious threat: 
    1. Datto SaaS Defense moves the email to the email application's "Junk" directory.
    2. If notifications have been configured, an email alerting the MSP to the potential threat is sent automatically.
    3. The end user reviews the email in the "Junk" directory. If the end user believes the email does not contain a threat, the end user submits an incident report indicating the email was incorrectly identified as malicious using the Report Threat Outlook add-in.
    4. The MSP analyzes the email content.
      • If the MSP determines the email includes malicious content, the MSP does not take any action, leaving the email in the "Junk" directory.
      • If the MSP determines the email does not include malicious content, the MSP releases the email to the intended recipient's inbox.
  4. If a document includes a potential threat, the document is removed from the live environment so users cannot access it.
    1. If notifications have been configured, an email alerting the MSP to the potential threat is sent automatically.
    2. The MSP analyzes the document. If the MSP determines the document does not include malicious content, the MSP can release it back into the live environment.
Monitoring
  1. Datto SaaS Defense scans all incoming communications intended for Microsoft 365 applications for potential threats.
  2. If content does not contain a potential threat, Datto SaaS Defense does not take any action.
  3. If an email contains a potential threat, Datto SaaS Defense "flags" the email as malicious.
    1. If notifications have been configured, an email alerting the MSP to the potential threat is sent automatically.
    2. The MSP analyzes the email content.
      • If the MSP determines the email includes malicious content, the MSP quarantines the email, which automatically sends it to the email application's "Junk" directory.
      • If the MSP determines the email does not include malicious content, the MSP does not take any action. The email remains in the intended recipient's inbox.
  4. If a document includes a potential threat, Datto SaaS Defense "flags" the document as malicious.
    1. If notifications have been configured, an email alerting the MSP to the potential threat is sent automatically.
    2. The MSP analyzes the document. If the MSP determines the document does include malicious content, the MSP can remove it from the live environment.

Changing operating mode within Datto SaaS Defense

To change the client's operating mode within Datto SaaS Defense:

  1. On the Clients page, hover over the applicable client record and in the far right column, click the Configurations icon.

  2. If you want to turn Prevention Mode off and activate Monitoring Mode, in the Prevention Mode field, click the toggle (button moves to the left). Click again to switch back to Prevention Mode (button moves to the right).