Alerts

About alerts

You can configure FortiMail Workspace Security to send an email alert each time:

  • a malicious incident occurs - that is, the scan of an email or of a file is assigned a malicious verdict

    - or -

  • a case is added to the Account Takeover page in FortiMail Workspace Security

Malicious incidents

When enabled, an email alert will be sent each time an email or a file is assigned a malicious scan verdict.

  • The email alert is sent immediately when the scan is assigned a malicious verdict.

  • The email alert can be sent to admin users, end users, or both. A similar email is sent to admin users and to end users. The admin version includes slightly more information, as well as a link to the scan in FortiMail Workspace Security.

  • The email alert usually includes a screenshot preview of the original email - to help understand which email was blocked.

    Note: If the email includes a suspected malicious QR code, a preview of the email may not be available in the email alert. This is to prevent users from mistakenly accessing the potentially malicious QR code in the preview.

  • The email alert is sent irrespective of whether or not the email or file was quarantined.

  • Email alerts are sent to shared mailboxes as well as to ordinary mailboxes.

  • [Malicious emails] Email alerts are sent only when an email is scanned and then automatically assigned a malicious verdict by the system, or if the verdict is changed from clean to malicious by the FortiMail Workspace Security IR Team. If the verdict is changed from clean to malicious by an admin user, then an email alert is NOT sent.

  • Email alerts are not sent in response to emails or files that are assigned a restricted or spam scan verdict.

  • Email alerts are not sent for emails that were quarantined by Microsoft. [See Quarantined by Microsoft]

  • For details on how to customize email alerts, see Customizing FortiMail Workspace Security.

Malicious cases

When enabled, an email alert will be sent each time a case is added to the Account Takeover page. The email alert is sent to the specified admin users only, not to end users. For details about these cases, see Account Takeover.

Note: This setting affects auto alerts only. Manual alerts are sent whether or not this setting is enabled. Manual alerts are sent to the escalation contacts only. For details about types of alerts, see About Microsoft 365 - ATO detection.

Note:

  • You can also send Digest reports, which include a list of all emails and files that were assigned specified verdicts during the reporting period. For details, see Digest reports.

  • By default, the times that appear in alerts are UTC times. You can specify a time zone for your organization, and then all alerts will be based on the specified time zone. For details, see Time Zone.

  • Alerts are available in English only - they are not available in any other languages.

The Alerts functionality is available to admin users with the "Administrator" role only.

Propagating alerts

Alerts that are set in a parent organization are not propagated to the child organization. You must configure the alerts in every child organization.

However, by setting the Admin alerts on the parent level, the specified admin users will receive alerts regarding all of the child organizations.

Configuring alerts

Alerts can be configured for admin users and for end-users.

To configure the alerts that will be sent:

  1. In FortiMail Workspace Security, in the left navigation menu, select Settings > Account.

  2. Scroll down to the Alerts and Reports section, and then click Edit.

  3. Configure the required settings for admin users and end-users. See Admin alerts and reports - options below.

  4. Click Save Changes.

Important: To ensure that the email alerts arrive in the recipient's Inbox [and are not classified as spam], add the following email address to an allowlist in your email service:

support@sg.perception-point.io

Admin alerts and reports - options

Admin alerts and reports

Alert via email on malicious incidents

When selected, an email alert will be sent each time an email or a file is assigned a malicious scan verdict.

[Email alerts are not sent in response to emails or files that are assigned a restricted or spam scan verdict.]

  • The email alert is sent irrespective of whether or not the email or file was quarantined.

  • The email alert is sent for both inbound and outbound malicious activities.

Email headers:

  • Quarantined: Malicious Email has been detected and safely blocked

  • Not quarantined: Malicious Email has been detected

Recipients: Defines which admin users will be sent the email alerts that are enabled above:

  • All admin users: The email alerts will be sent to all FortiMail Workspace Security admin users in your organization [not to additional admin users in the parent organization]. Email alerts are sent regardless of the admin user's role. Escalation contacts are included only if they are admin users.
  • Specific users: The email alerts will be sent to the specified admin-user email address or addresses.

Note: If scanning of outbound email is enabled, then an alert will be sent when a malicious outbound email is detected. [See Onboarding Microsoft 365 - Outbound]
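Example (added here, not part of the FortiMail Workspace Security product or documentation): a mailbox-side triage check for admin alerts. It assumes that the two texts listed under "Email headers" are the alert subject lines, that alerts come from the allowlisted address given above, and that your inbound mail server adds an Authentication-Results header with a DMARC result for the sender's domain; the authserv-id mx.example.com and the sample messages are constructed. Because the sender address is allowlisted, the check treats mail that claims that address without a trusted DMARC pass as suspect.

```python
import email
import re
from email import policy
from email.utils import parseaddr

ALERT_SENDER = "support@sg.perception-point.io"  # allowlisted address from this page
# Texts listed on this page; the not-quarantined text is a prefix of the other one.
SUBJ_QUARANTINED = "malicious email has been detected and safely blocked"
SUBJ_NOT_QUARANTINED = "malicious email has been detected"
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: authserv-id of your own inbound MTA

def dmarc_passed(msg, from_domain):
    """Accept only dmarc=pass for from_domain as recorded by our own MTA."""
    for raw in msg.get_all("Authentication-Results", []):
        parts = re.sub(r"\([^)]*\)", "", str(raw)).split(";")  # drop comments
        if parts[0].lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # header stamped by another host (possibly the sender)
        for result in parts[1:]:
            tokens = result.lower().split()
            if tokens[:1] == ["dmarc=pass"] and f"header.from={from_domain}" in tokens:
                return True
    return False

def triage(raw_message):
    """Classify one raw RFC 5322 message from the alert mailbox."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != ALERT_SENDER:
        return "not-an-alert"
    if not dmarc_passed(msg, sender.split("@")[1]):
        return "spoof-suspect"  # claims the allowlisted address, unauthenticated
    subject = str(msg.get("Subject", "")).lower()
    if SUBJ_QUARANTINED in subject:  # test the longer text first
        return "quarantined"
    if SUBJ_NOT_QUARANTINED in subject:
        return "not-quarantined"  # malicious verdict without quarantine: review first
    return "other"

def make_sample(subject, auth_results, sender=ALERT_SENDER):
    """Build a constructed test message (not a real vendor alert)."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: Alerts <{sender}>\nSubject: {subject}\n\nbody\n")

GOOD_AUTH = ("mx.example.com; spf=pass smtp.mailfrom=sg.perception-point.io; "
             "dmarc=pass (p=reject) header.from=sg.perception-point.io")
FOREIGN_AUTH = "relay.example.net; dmarc=pass header.from=sg.perception-point.io"
```
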

Alert via email on malicious cases

When selected, an email alert may be sent each time a case is added to the Account Takeover page. For details about these cases, see Account Takeover.

  • Severity: Defines for which severity of malicious cases alerts will be sent. This enables you to limit the number of alerts that are sent for suspected malicious cases.

  • Recipients: Defines which admin users will be sent the email alerts that are defined above:

    • Same as escalation contacts: The email alerts will be sent to the escalation contacts. For details, see Escalation contacts.

    • All admin users: The email alerts will be sent to all FortiMail Workspace Security admin users in your organization [not to additional admin users in the parent organization]. Email alerts are sent regardless of the admin user's role. Escalation contacts are included only if they are admin users.

    • Same as malicious incidents: The email alerts will be sent to the recipients that are defined [above] to receive email alerts about malicious incidents.

    • Specific users: The email alerts will be sent to the specified admin-user email address or addresses.

      Limitation: All specified email addresses should be in the same domain.

Receive periodic reports

  • Frequency: Select which periodic reports will be sent to admin users.

    For details on periodic reports, see Reports.

  • Recipients: Defines which admin users will be sent the periodic reports that are selected above.

End-user alerts and reports - options

End user alerts and reports

Alert via email on malicious incidents

An email alert will be sent each time an email or a file is assigned a malicious scan verdict.

[Email alerts are not sent in response to emails or files that are assigned a restricted or spam scan verdict.]

The email alert is sent irrespective of whether or not the email or file was quarantined.

The "warning" email will be sent to the intended recipient of the original email or to the owner of the file. The "warning" email will have a subject similar to "A malicious email has been detected and blocked".

If the recipient of the email alert thinks that the email or file is not malicious, the recipient can request their IT security team to investigate the scan - and to release the email or file from quarantine, if the email was quarantined.

Note:

  • You can configure FortiMail Workspace Security so that end-users are able to release quarantined emails that have a Spam scan verdict. For details, see Configuring Digest reports.

    End-users are not able to release from quarantine emails with Malicious scan verdicts. Instead, the end-user must request their IT security team to investigate the scan, and to release the email or file from quarantine - as described above. If necessary, the IT security team can request that the FortiMail Workspace Security IR Team investigate the scan. For details, see Requesting an investigation.

  • It is possible to customize the logo and the text in the email alert that is sent to end-users. For details, see Customizing FortiMail Workspace Security.

  • When this control is enabled, alerts will be sent to all end-users [when necessary] - it is not possible to exclude specific end-users from being sent alerts.

Notify requester upon investigation handling

When enabled, end-users who submit an investigation request using the Report Message button [Microsoft 365 Inline or API] or the Report Email button [Google Workspace] will receive a feedback alert [email] when the request is handled.

Receive digested incidents report on selected verdicts

Specifies if Digest reports will be sent to end-users. For details, see Digest reports.

Sending alerts to Slack

FortiMail Workspace Security can be configured to send alerts to a dedicated Slack channel. This is in addition to the alerts that are sent by email. The configuration is performed by FortiMail Workspace Security Support.

How do I do this?

  1. Create a dedicated Slack channel in which you want to receive alerts.

  2. Send the webhook of the new Slack channel to FortiMail Workspace Security Support [support@perception-point.io].

    FortiMail Workspace Security Support will perform the required configuration for you - and will inform you when the configuration is complete.

You can include the text template below in your email:

Subject: Sending alerts to our Slack channel

Hi Perception Point Support Team,

Organization name: <Your organization name> as it appears in FortiMail Workspace Security

We would like FortiMail Workspace Security to send alerts to our dedicated Slack channel.

The webhook of the dedicated Slack channel is: <webhook>

Please can you perform the required configuration.

[Internal Reference: 1164]

Please let us know when this has been done.

Thank you

Additional alert features

In addition to the standard alert features described above, there are additional alert features that can be configured by FortiMail Workspace Security Support. For details about each of these features, listed below, contact FortiMail Workspace Security Support [support@perception-point.io].

  • By default, email alerts are sent immediately on assigning the scan verdict. FortiMail Workspace Security can be configured to send alerts only after the assigned verdict has been reviewed by the FortiMail Workspace Security IR Team.

  • Additional email alerts to admin users and end users can be configured.

    • Alerts can be sent when FortiMail Workspace Security is set up in monitoring mode or non-blocking mode [i.e. when there is no quarantine].
    • Alerts can be sent when false positive scans or false negative scans are identified by the FortiMail Workspace Security IR Team.