Configuring the Email Threat Report

The Email Threat Report is a customized report that describes the malware and phishing email threats Datto SaaS Defense has blocked or flagged for each end user. You have the option to include spam in the report as well.

The report is automatically generated and mailed at an interval you specify and includes only the email information that applies to the user to whom it is sent. It contains just the malicious emails that have been detected since the last report. If a malicious email has not been detected within the specified interval, a report is not sent.

The purpose of the report is to regularly notify the end user of malicious emails that have been detected and to provide the ability to take action, if necessary.

Report versions

There are two versions of the report: one for users operating in Prevention Mode, the other for users operating in Monitoring Mode.

The table describes each section in the report with an example for each version.

Section Prevention Mode Monitoring Mode

Title area: Identifies the time period for which the report data applies. This is based on the interval selected when configuring the User Report Configuration rule.
Summary: Identifies total number of emails blocked (Prevention Mode) or flagged (Monitoring Mode) for each threat type during the report time period.
Body: Includes a section for each threat type listing the specific emails blocked or flagged.




Each email entry identifies the sender, subject, and date and time received.
Each email entry includes an Additional Info section describing the reason the email was blocked or flagged, the directory in which the email was detected, and any action taken by Datto SaaS Defense.
Each email entry enables the user to take action. Actions are explained below.

Spam:

Malware, phishing:

 Spam, malware, phishing:

Actions

For clients operating in Prevention Mode, their users can take the following actions, when applicable:

  • Release to Inbox: This action is available for spam email only. When a user clicks Release to Inbox, the spam email is moved to the original folder in which it was received. The user is redirected to a web page that confirms the action and informs the user that future emails from this sender will not be blocked as spam. The sender's email address is automatically added to the client's Spam Trials Excludes allowlist.
  • I think it's safe: This action is available for malware and phishing emails. When a user clicks I think it's safe, the user is redirected to a web page confirming the selected email has been reported. Also, the user is informed that the administrator has been notified, will investigate, and will release the email, if applicable.

NOTE  In some cases, someone (you or another administrator) may take action on an email before the end user has acted on it. When this occurs and the user clicks Release to Inbox, the user is informed that someone has already determined the email should not have been blocked and it has already been released to it's original folder.

For clients operating in Monitoring Mode, their users can click I think it's safe, if applicable. When clicked for a spam email, the user is redirected to a web page informing that future emails from this sender will not be flagged as spam. The sender's email address is automatically added to the client's Spam Trials Excludes allowlist.

When a user clicks I think it's safe for a malware or phishing email, the user is informed that the administrator has been notified and will investigate.

Client configuration rules

With the Users Report Configuration option, available on each client's Configurations page, you can configure one rule specifying the interval for which the Email Threat Report is automatically sent to the client's end users. The interval options are Hourly, Daily, or Weekly. Any end user that has not had an email(s) quarantined during the current interval period will not be sent a report.

The User Report Excludes option allows you to configure a rule that excludes an end user from receiving a report, even if emails intended for the end user have been quarantined. You can configure multiple User Report Excludes Rules.

To configure a Users Report Configuration rule:

  1. On the Clients page, hover over the applicable client record and in the far right column, click the Configurations icon.

  2. In the Account Configurations section, click General.
  3. Verify the Users Report Configuration option is activated (button is on the right side in the Status column). If it is not, click the button to activate.
  4. Click Users Report Configuration.
  5. On the rules page, click Add Rule.
  6. Click the Interval field and select the frequency for which the Email Threat Report will be sent to the client's end users. When selecting Daily, also select the time of day. When selecting Weekly, also select the day of the week and the time of day.
  7. To include emails identified as spam, in the Include Spam column, click the toggle.
  8. Click the Save New Rule icon.
  9. At the bottom of the page, click Update.
  10. In the top left corner, click the back arrow.
  11. To close the Configuration page, in the top left corner, click the X.

To edit an existing Users Report Configuration rule:

  1. Hover over the applicable client record and in the far right column, click the Configurations icon.

  2. In the Account Configurations section, click General.
  3. Click Users Report Configuration.
  4. Hover over the rule and in the far right column (does not have a heading) click the Edit icon.

  5. Make the desired selections.
  6. Click Save.
  7. Click Update.
  8. In the top left corner, click the back arrow.
  9. To close the Configuration page, in the top left corner, click the X.

To delete an existing Users Report Configuration rule:

  1. Hover over the applicable client record and in the far right column, click the Configurations icon.

  2. In the Account Configurations section, click General.
  3. Click Users Report Configuration.
  4. Hover over the rule and in the far right column, click the Delete icon.

  5. In the Delete Rule message box, click Yes.
  6. Click Update.
  7. In the top left corner, click the back arrow.
  8. To close the Configuration page, in the top left corner, click the X.

To configure a Users Report Excludes rule:

  1. Hover over the applicable client record and in the far right column, click the Configurations icon.
  2. In the Account Configurations section, click General.
  3. Verify the Users Report Excludes option is activated (button is on the right side in the Status column). If it is not, click the button to activate.
  4. Click Users Report Excludes.
  5. On the rules page, click Add Rule.
  6. In the User Inbox field, enter the end user's email address.
  7. Click the Save New Rule icon.



  8. At the bottom of the page, click Update.
  9. In the top left corner, click the back arrow.
  10. To close the Configuration page, in the top left corner, click the X.

To edit an existing Users Report Excludes rule:

  1. Hover over the applicable client record and in the far right column, click the Configurations icon.

  2. In the Account Configurations section, click General.
  3. Click Users Report Excludes.
  4. Hover over the rule and in the far right column (does not have a heading) click the Edit icon.

  5. Make the desired edits.
  6. Click Save.
  7. Click Update.
  8. In the top left corner, click the back arrow.
  9. To close the Configuration page, in the top left corner, click the X.

To delete an existing Users Report Excludes rule:

  1. Hover over the applicable client record and in the far right column, click the Configurations icon.

  2. In the Account Configurations section, click General.
  3. Click Users Report Excludes.
  4. Hover over the rule and in the far right column, click the Delete icon.

  5. In the Delete Rule message box, click Yes.
  6. Click Update.
  7. In the top left corner, click the back arrow.
  8. To close the Configuration page, in the top left corner, click the X.