SaaS Security Administrator's Guide
    : Configure Phishing Analysis
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. Data Security
    5. Secure Sanctioned SaaS Apps on Data Security
    6. Configure Phishing Analysis
    Download PDF

    SaaS Security Administrator's Guide

    Configure Phishing Analysis

    Table of Contents

    Configure Phishing Analysis

    Learn how to configure Phishing analysis.
    Similar to DLP and Wildfire detections, Data Security supports Phishing Analysis and detects malicious and phishing URLs and proactively removes them.
    This feature is currently available only for Microsoft Teams. Data Security scans chat messages, channel messages and URLs embedded within them.
    Phishing Analysis is enabled by default (Data SecuritySettingsScan SettingsPhishing Analysis). You can add URLs to the Whitelisted URLs (exact URL or domain based) list so that Data Security does not perform Phishing Analysis on those URLs.

    Configure Policies for Phishing Analysis

    Data Security uses a predefined Phishing policy to proactively scan and remediate malicious and phishing URLs. You can also modify it as per your requirement or create a custom phishing policy using the following steps.
    1. Select Data SecurityPoliciesAdd Policy.
    2. Enter the basic information such as policy name, description (optional), severity and enable Phishing Analysis.
    3. Select the Cloud Applications (currently only instances of Microsoft Teams) you want to analyze for phishing.
    4. Select: URL for Data Pattern or Phishing for Data Profile as match criteria.
    5. Select the currently available options for Auto Remediation: Modify URLDelete URL.
    6. Select Other Actions as required. For example, you can choose to create an incident, assign it to a user, and send an administrator email alert.
    7. Save Policy.
    8. Next step: Monitor Phishing Scanning.

    Monitor Phishing Analysis

    You can view the details of assets scanned for phishing.
    1. To monitor phishing scanning, select Data SecurityData Assets and apply the appropriate filters.
      In the following example, you can see that the Phishing data profile filter has been applied to display assets related to phishing analysis.
    2. Select the data asset you want to monitor to view additional details, specifically Phishing Report.
    3. Data Security uses Auto Remediation to delete malicious and phishing URLs automatically. To delete the URLs manually, select Data Asset NameActionsDelete URL.
      • If there are two URLs in a chat message, one whitelisted and the other phishing, Data Security performs remediation on the chat message and deletes both the URLs.
      • When a phishing URL is detected, only one remediation action can be performed on the asset—User Quarantine OR Delete URL. Both remediation actions cannot be performed on the same asset.

    © 2024 Palo Alto Networks, Inc. All rights reserved.