Analyzing threats on the Malicious page

Information about security threats identified by Datto SaaS Defense is presented on the Malicious page. You analyze the threat details on this page and can take action if necessary.

Malicious page

When Datto SaaS Defense detects a security threat, it creates a detailed record of the threat that is listed on the Malicious page.

The Malicious page information is described in the table below.

Column: Description
Scan Date: The date on which the record of the threat was created.
Region: The region in which the client is located.
Clients: The name of the client for which the threat was prevented.
Verdict: The action taken by Datto SaaS Defense, or by you, to handle a malicious threat. Values are:
  • Malicious: Value displayed in Monitoring Mode for malicious content. The content is still accessible to the end user.
  • Quarantined: Value displayed in Prevention Mode for malicious content. The malicious email or file is moved to a quarantine repository on a Datto server, where it cannot be accessed by the end user.
  • Restricted: Content that is quarantined based on a client policy when the client is in Prevention Mode.
  • Released: Content you have determined should not have been quarantined or restricted and have therefore released.
Threat Type: The type of threat as determined by Datto SaaS Defense. See the article Types of threats prevented.
Service: The specific service/application for which the threat was intended.
Scans: The number of scans accessible for a record, based on the value selected in View Mode.
Name: The name Datto SaaS Defense assigned to the threat record. The value is assigned based on the application for which the threat was intended. For example, when a threat is intended for Exchange 365, the text in the email's Subject field is displayed in the Name field.

IMPORTANT  When an existing file in OneDrive or SharePoint is edited or replaced with a new version, SaaS Defense scans the document for malicious threats and checks for restricted content based on client policy. If the scan results in a Quarantined verdict but another user was using the existing document while the scan occurred, the document cannot be quarantined. Instead, the updates are applied to the existing file, and a record with a Verdict of Malicious is created on the Malicious page.

Releasing a quarantined email or file

The first column in the table includes a checkbox for each threat record. You can release an email or file that has been quarantined (Verdict = Quarantined) or restricted (Verdict = Restricted) by selecting the checkbox for the applicable record and clicking Release.

You can select multiple records. (For specific steps, see the procedure Releasing quarantined content on the Malicious page below.)

Releasing a quarantined email delivers it to the intended recipient. A quarantined file that is released is available at its original location.

Content whose Verdict = Malicious cannot be released because it was not quarantined to begin with.

Malicious page toolbar

The Malicious page toolbar allows you to select filtering options to display only the threat records that match the options you select.

Search box

You can use this search box to search for and display only the threat records for the email address you enter. A valid user inbox email address is required to conduct a search.

The search box applies to the Exchange 365 and OneDrive services only. Therefore, one or both of these services must be selected in the Services filter.

NOTE  Exchange 365 and OneDrive are among the services selected by default. You can use the Services filter to deselect and select services.

The results on the Malicious page don’t show the user inbox address. However, you can click a record to open the Verdicts & Info pane. The User Inbox address is displayed in the Scan Summary section (see the Verdicts & Info section below).

Filters

The table below describes each filter.

Menu: Description
Services: Lists the services/applications available in your organization.
Verdict: Lists each verdict type. Options are:
  • Malicious: Content determined to be malicious or that has been quarantined.
  • Released: Content that Datto SaaS Defense quarantined but you determined is not a threat and therefore released.
  • Restricted: Content that does not contain a malicious threat but is quarantined based on a client policy.
Region: Lists the regions in which your clients may be located.
Clients: Lists the names of each of your clients.
Threat Type: Lists each threat type. For more information about threat types, see the article Types of threats prevented.
View Mode: Provides options for grouping threat records:
  • Name: Threat records that have the same Name value are grouped together and accessed through one record. Name is the default value.
  • Clients: Threat records for the same client (same Clients value) are listed consecutively and, within that result, by Scan Date.
  • Region: Threat records that have the same Region value are listed consecutively and, within that result, by Scan Date.
  • Flat: Each record is listed sequentially by Scan Date, starting with the most recent.

Verdicts & Info

The Verdicts & Info pane allows you to drill down into the artifacts of the security threat record you select. The information is divided into sections that vary based on the threat type determined by Datto SaaS Defense. However, the Header and Scan Summary sections are always populated regardless of threat type.

Header section

The Header section displays keywords that summarize the attack data. In this example, a malware threat was sent by sales@lbcranch.com via Outlook and quarantined by Datto SaaS Defense. The header also offers the option to release the quarantined email. For malicious emails detected in Monitoring Mode, you have the option to quarantine the email instead.

Scan Summary section

The Scan Summary section is located below the header section and includes customized information based on the threat type. The Scan Summary section for the malware threat example is shown below.

The following table describes the Scan Summary information for the malware threat.

Information: Description
Date: The date on which the email was received by the folder indicated in the Original Mail Folder field.
Original Mail Folder: The mail folder in the organization that first received the email.
User Inbox: The end user's mailbox address.
From: The email address of the sender.
To: The email address of the intended recipient.
Subject: The text the sender entered in the email's Subject field.
SPF: The Sender Policy Framework (SPF) status. SPF is an email authentication method used to verify that the sending server is authorized for the sender's domain.
View Full Headers: A link to the email's complete header information.

Scan Dynamics pane

The Scan Dynamics pane displays an interactive visual of the malicious attack. This is where you really dive into the artifacts to analyze the threat. Each artifact is represented by a labeled node. A red circle means Datto SaaS Defense has identified the artifact as malicious. Moving dots illustrate data flow to and from the artifacts.

You can hover over a node to display basic information about the artifact.

Clicking the node displays comprehensive information on the Details tab.

Continuing with the malware threat example, the Scan Dynamics image below shows that the threat was received via Outlook. The email contained a malicious Excel (.xlsx) file. The Process Policy document records the process Datto SaaS Defense performed to detect two instances of the attack (EQNEDT32.EXE).

Analyzing a threat

Drilling into the details of an attack helps you determine the reason an email or file was blocked, which is valuable information you can provide to your client.

Perform the following steps to analyze a threat:

  1. Access the Datto SaaS Protection Status Overview page.
  2. For the applicable client, in the SaaS Defense Status column, click the link indicating the number of threats detected (in Prevention or Monitoring Mode).
  3. If desired, filter the Malicious page results. For more information, see the articles Filtering page results and Using the Calendar tool.
  4. Click anywhere on the desired record.
  5. In the Verdicts & Info pane, review the Header and Scan Summary sections.
  6. Review additional sections as necessary.
  7. Analyze the artifacts in the Scan Dynamics pane.
  8. To display basic artifact information, hover over the artifact.
  9. To display comprehensive artifact information, click the artifact.
  10. To quarantine an email or file that SaaS Defense has assigned a Malicious verdict:
    1. In the Header section, click Move to Quarantine.
    2. In the dialog box verifying you want to quarantine the email, click OK.
    3. In the dialog box confirming the email has been successfully quarantined, click OK.
  11. To release an email or file that SaaS Defense has quarantined:
    1. In the Header section, click Release from Quarantine.
    2. In the dialog box verifying you want to release the email, click OK.
    3. In the dialog box confirming the email has been released, click OK.

Releasing quarantined content on the Malicious page

On the Malicious page, you can release content that has been quarantined or restricted.

To release quarantined or restricted content on the Malicious page:

  1. For the applicable record(s), select the checkbox in the first column.

  2. Click Release.

  3. In the confirmation box, click Yes.