Note
The following tables list all available actions in ATP and DLP policies for protected services. The specific actions available for a service vary depending on the security filter and threat type.
  • Exchange Online, Exchange Online (Inline Mode) - Inbound Protection, Exchange Online (Inline Mode) - Outbound Protection policies
    Action
    Description
    Tag subject
    Cloud App Security adds keywords before the email message subject to inform the user that a security risk is detected. The email message is delivered to the intended recipient.
    Delete
    Cloud App Security deletes the entire email message.
    Quarantine
    Cloud App Security moves the email message to a dedicated quarantine location, removing it as a security risk to protected services.
    Note
    For Exchange Online, the quarantine location is a folder in the user's mailbox; for Exchange Online (Inline Mode), the quarantine location is in the storage of Cloud App Security.
    Pass
    Cloud App Security records the detection in a log and the message is unchanged.
    Pass without logging
    Cloud App Security does not record the detection in a log and the message is unchanged.
    Move to Junk Email folder
    Cloud App Security moves the email message to the user's Junk Email folder.
    Note
    • This action option is not available for Exchange Online (Inline Mode) - Outbound Protection.
    • In the Virtual Analyzer filter, this action option applies only to email messages whose attachment was submitted to Virtual Analyzer and classified as Unrated, which means that the submitted sample was not analyzed by Virtual Analyzer for a certain reason.
    Add disclaimer
    Cloud App Security adds a disclaimer to display at the beginning of the email body to inform the recipient that the email may contain some security risks.
    The disclaimer cannot exceed 512 characters.
    You can use a token to specify the exact reason that caused the sender to be identified as suspicious. For details, see Token List.
    Replace with text/file
    Cloud App Security deletes the file or the infected, malicious, or undesirable content and replaces it with text or a file. The email message is delivered to the intended recipient, but the text replacement informs them that the original content was infected and was replaced.
    Note
    For Exchange Online, Cloud App Security does not support this action for MIP-encrypted email messages and applies the Pass action instead.
    Sanitize file
    Cloud App Security removes the active content from the file and delivers the email message with the sanitized file.
    Note
    For Exchange Online, Cloud App Security does not support this action for MIP-encrypted email messages and applies the Pass action instead.
    Change recipient
    Cloud App Security intercepts emails and routes them to your specified recipients instead of the original recipients.
    Note
    This action option is available for Exchange Online (Inline Mode), but not for Exchange Online.
  • Gmail, Gmail (Inline Mode) - Inbound Protection policies
    Action
    Description
    Delete
    Cloud App Security deletes the entire email message.
    Quarantine
    Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services.
    Move to Spam
    Cloud App Security applies Gmail's system label "Spam" to the email message and the message only displays in the user's Spam folder.
    Label email
    Cloud App Security includes the label "Risky (by Trend Micro)" at the top of the email message in the user's mailbox.
    Pass
    Cloud App Security records the detection in a log and the message is unchanged.
    Pass without logging
    Cloud App Security does not record the detection in a log and the message is unchanged.
    Change recipient
    Cloud App Security intercepts emails and routes them to your specified recipients instead of the original recipients.
    Note
    This action option is available for Gmail (Inline Mode), but not for Gmail.
  • SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive policies
    Action
    Description
    Delete
    Cloud App Security deletes the file and replaces it with a placeholder using the original file name and .txt.
    Quarantine
    Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services.
    Pass
    Cloud App Security records the detection in a log and the file is unchanged.
    Apply sensitivity label
    Note
    This action is available only for OneDrive, Microsoft Teams (Teams), and SharePoint Online after you have granted Cloud App Security access to Microsoft Information Protection.
    Cloud App Security applies a selected Microsoft Information Protection sensitivity label on the file.
    When you select the action, click Show Advanced Options and configure Sensitivity Labeling.
    Remove sensitivity label
    Note
    This action is available only for OneDrive, Microsoft Teams (Teams), and SharePoint Online after you have granted Cloud App Security access to Microsoft Information Protection.
    Cloud App Security removes the Microsoft Information Protection sensitivity label from the file.
    Pass without logging
    Cloud App Security does not record the detection in a log and the file is unchanged.
    Note
    For Microsoft Teams (Teams), after Cloud App Security quarantines or deletes an image posted in a Teams channel, users can still preview and download the image in the Teams channel.
  • Teams Chat
    Action
    Description
    Block
    Cloud App Security calls Microsoft Teams to hide the message from both the sender and recipient.
    Note
    If a file in a chat message violates the policy, it is hidden from the private chat window (the Chat tab), but it is still stored in the sender's OneDrive folder and shown on the Files tab.
    Pass
    Cloud App Security records the detection in a log and the message is unchanged.
    Pass without logging
    Cloud App Security does not record the detection in a log and the message is unchanged.
    Note
    The specific actions available for Teams Chat depend on your Microsoft license. For more information, see Granting access to Teams.
  • Salesforce
    In the Malware Scanning filter
    Action
    Description
    Delete
    Cloud App Security deletes the entire file.
    Quarantine
    Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services.
    Pass
    Cloud App Security records the detection in a log and the file is unchanged.
    Tag file name
    Cloud App Security adds a tag to the file name to warn stakeholders about threats detected in uploaded files.
    Pass without logging
    Cloud App Security does not record the detection in a log and the file is unchanged.
    In the File Blocking filter
    Action
    Description
    Delete
    Cloud App Security deletes the entire file.
    Quarantine
    Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services.
    Pass
    Cloud App Security records the detection in a log and the file is unchanged.
    Tag file name
    Cloud App Security adds a tag to the file name to warn stakeholders about threats detected in uploaded files.
    In the Web Reputation filter
    Action
    Description
    Delete
    • For files: Cloud App Security deletes the file and adds a pre-configured replacement file, informing the user that the original file violated a specific Cloud App Security policy and was removed.
      Note
      For files with a version history, for example, Chatter File, Cloud App Security deletes the file and adds a feed comment to warn the user that the file violated a specific Cloud App Security policy and was removed.
    • For text contents in Chatter and Community: Cloud App Security deletes the entire content.
    • For text contents in Cases: Cloud App Security records the detection in a log and replaces the entire content violating the policy with asterisks (*).
    Quarantine
    • For text or a URL in Chatter, Community, and Cases (for example, a Chatter post or Chatter link): Cloud App Security replaces half of the content violating the policy with asterisks (*) and moves the content to a restricted custom object. The quarantined content is not editable.
    • For files: Cloud App Security moves the file to a restricted custom object and replaces it with a pre-configured file, informing the user that the original file violated a specific Cloud App Security policy and was replaced.
      Note
      For files with a version history, for example, Chatter File, Cloud App Security does not remove it, but adds a feed comment to warn the user that the file violated a specific Cloud App Security policy.
    Pass
    Cloud App Security records the detection in a log and the content is unchanged.
    In the Data Loss Prevention filter
    Action
    Description
    Delete
    • For files: Cloud App Security deletes the file and adds a pre-configured replacement file, informing the user that the original file violated a specific Cloud App Security policy and was removed.
      Note
      For files with a version history, for example, Chatter File, Cloud App Security deletes the file and adds a feed comment to warn the user that the file violated a specific Cloud App Security policy and was removed.
    • For text contents in Chatter and Community: Cloud App Security deletes the entire content.
    • For text contents in Note: Cloud App Security deletes the note content and adds pre-configured text, informing the user that the original content violated a specific Cloud App Security policy and was removed.
    • For text contents in other Salesforce object records: Cloud App Security records the detection in a log and replaces the entire content violating the policy with asterisks (*).
    Quarantine
    • For text contents: Cloud App Security replaces half of the content violating the policy with asterisks (*) and moves the content to a restricted custom object. The quarantined content is not editable.
    • For files: Cloud App Security moves the file to a restricted custom object and replaces it with a pre-configured file, informing the user that the original file violated a specific Cloud App Security policy and was replaced.
      Note
      For files with a version history, for example, Chatter File, Cloud App Security does not remove it, but adds a feed comment to warn the user that the file violated a specific Cloud App Security policy.
    Pass
    Cloud App Security records the detection in a log and the object record content is unchanged.