In this guide, you’ll learn how to get started with Defend. Defend is a powerful cybersecurity tool that safeguards your organization against sophisticated inbound threats. Defend analyzes your mail flow before delivery and provides protection that keeps your users and sensitive data secure. You can use the Defend console to customize security settings and conduct thorough investigations of detected and user-reported phishing emails.
To access the Defend console, you must first use the deployment center to deploy Defend for your organization.
Deployment Center
The Defend deployment center is a comprehensive wizard that allows admins to configure and deploy Defend features to their organization easily. Admins are guided through each section of the deployment process, and progress is saved at every step. Once the deployment center is complete, admins gain access to the Defend console, where further customization can be completed.
Prerequisites
To successfully complete the deployment center process, make sure you have the following prerequisites:
- Microsoft 365 tenant
- Global admin role on Microsoft 365 tenant
Deployment Center Steps
The following steps are completed in the deployment center:
- Validation: Ensure your current email system is ready for deployment. Defend will analyze your email system to ensure compatibility with the deployment process and the Defend service.
- Tenancy and Secure Email Gateway (SEG): Confirm your primary domain, industry, and SEG provider. For more information about the fields on the Tenancy and Secure Email Gateway (SEG) page, see the list below.
  - Primary Domain: Defend will detect and provide a list of internal domains. Review the list and select your organization's primary domain.
  - Industry: Use the drop-down menu to select the most appropriate industry for your organization. Industry information enables Defend to address industry-specific threats.
  - Secure Email Gateway (SEG): Select whether your organization uses a SEG.
- Impersonation: Customize your impersonation protection by providing your organization's associated domains and brand names. For more information about the fields on the Impersonation page, see the list below.
  - Secondary Domains: Knowing your secondary domains allows Defend to extend protection to all your organization's domains and prevents impersonation attacks of these domains.
  - Brand Names: Understanding your brand names enables Defend to detect and block brand impersonation attacks that attempt to use variations of your organization's trusted identity. Adding as many brand names as possible is key to maximizing protection against these impersonation attacks.
    Warning: Leaving the Brand Names field empty exposes your organization to an increased risk of impersonation attacks.
- Linguistic Analysis: Avoid false positives by listing custom subject line phrases used widely in your organization. For more information about the fields on the Linguistic Analysis page, see the list below.
  - Custom Subject Phrases: Understanding your organization's common email subject phrases enables Defend to better distinguish between legitimate communications and sophisticated phishing attempts that mimic your organization's standard messaging patterns.
- Defend Features: Grant permissions for the User Analysis and Admin Features app registrations that allow Defend features to protect your users. For more information about the fields on the Defend Features page, see the list below.
  - User Analysis: Grant the User Analysis permissions so that Defend can analyze historical data to enhance threat detection and protection.
  - Admin Features: Grant the Admin Features permissions so that Defend can facilitate the viewing and remediation of emails from the Defend console.
  - Admins: Specify the Global Admins that will be managing your Defend console.
- User Groups: Create or specify the Microsoft 365 group that will be used to control which users in your organization will have Defend functionality. For testing purposes, create or specify a banner override group that will allow users to receive Defend banners. For more information about the fields on the User Groups page, see the list below.
  - User Group Name: Specify the name of the group that will contain all the users that Defend will protect.
  - Override Group Name: Specify the name of the group that can be used to test Defend functionality while Defend is in silent mode for the rest of the organization.
- Deployment Summary: Review and edit the information you have provided.
- Health Check: Add a test user to the Defend user group to run a health check against the user, ensuring successful deployment.
Once deployment is complete, you can roll out Defend features to your organization by adding the required users to the Defend user group in Microsoft 365.
Summarized Changes
Once successfully deployed, the following changes will be made to your Microsoft tenant, allowing Defend features to function correctly.
For example, “aaaaa.c.us1.defend.com”, where “aaaaa” is a randomly generated string that is unique to each Defend customer.
This feature allows:
- The Microsoft 365 inbound connector to validate emails coming from Defend and attribute those emails to your Microsoft 365 tenant. The certificate used to send emails from Defend to your Microsoft 365 tenant must match an accepted domain on your tenant to ensure uninterrupted mail flow.
- Defend to DKIM-sign all emails before returning them to your Microsoft 365 tenant. For security reasons, this signature is unique to each tenant and uses your unique domain.
| Connector | Action |
|---|---|
| Microsoft 365 to Defend | Route mail to Defend for processing |
| Defend to Microsoft 365 | Route mail back to Microsoft 365 for delivery to the user |
Defend User Group
The default name for the Defend user group is "Defend_User_Group". Users in this group will have their emails processed by Defend.
You can use dynamic expressions to add all users to the "Defend_User_Group" automatically. Two examples of dynamic expressions are:
- (user.mail -ne null)
- (user.userType -eq "Member")
For new deployments via the Deployment Center, the Defend User Group now includes the legacy graymail and spam groups mentioned below.
Legacy Groups
The following groups may exist in your Microsoft tenant if you have used a previous Defend deployment tool:
- Graymail User Group: The graymail group contains users who have access to Defend’s graymail functionality. Custom group names can be specified in the Graymail User Group field on the Defend Settings page. For more information on managing and enabling the Graymail user groups, see the Defend - Graymail Management article.
- Spam User Group: The spam group contains users who receive spam protection functionality in Defend. Custom group names can be specified in the Spam User Group field. For more information, see the Defend - Spam Management article.
These legacy groups are still valid and can be used as normal.
POV Groups
For POV deployments, two additional groups are available as follows:
- Defend_Banners_Override Group: Allows admins to add specific users who will receive banners even when Defend is in silent mode. This feature enables IT admins to test Defend functionality and train users at their own pace.
- Defend_Graph_Users Group: A Graph API only group used during POV deployments where the SMTP transport rules are not activated. All Defend functionality operates via the Microsoft Graph API for users in this group.
| Transport Rule | Action |
|---|---|
| Defend Add Internal Header* | This rule allows admins to opt in to keep banners and rewritten links when forwarding an internal email to another Defend user. The logic of this rule will only occur if the Retain banners on internal forwards option is enabled in the Defend console. |
| Defend Add Outbound Header* | This rule adds a Defend-specific header to indicate the message direction to the Defend platform. |
| Defend Add Domain Header* | This rule adds a Defend-specific header for tenant message attribution. |
| Defend Disable ATP Dynamic Scanning | This rule disables Advanced Threat Protection (ATP) logic on attachments when sent to Defend. It does not bypass ATP. Exclusions ensure ATP is still operating when the email returns to Microsoft 365 from Defend. |
| Defend Banner Active Override | When in silent mode, this rule adds a specific header for users in an override group, enabling banners only for that group. |
| Incoming Emails via Defend | There are exceptions in place between external organizations that use Defend for loop prevention. A shared secret identifier is added in a header as a form of authentication. |
| Internal Emails via Defend | This rule routes internal emails to Defend. This functionality allows Defend to strip any HTML banners and link rewriting previously added to the thread. This rule sets the "X-Egress-Defend" header with values for "SK", "Domain", and "Direction". |
| Outgoing Emails via Defend | This rule routes outgoing emails to Defend. This functionality allows Defend to strip any HTML banners previously added to the thread. |
| Defend Microsoft Spam | This rule preserves Microsoft’s original Spam Confidence Level for the message. |
| Defend Microsoft Strong Spam | This rule preserves Microsoft’s original Spam Confidence Level for the message. |
| Defend Microsoft Not Spam | This rule preserves Microsoft’s original Spam Confidence Level for the message. |
| Defend Remove Sk Header* | This rule prevents the "X-Egress Defend-Sk" value from leaving the organization. |
| Defend Quarantine | This rule sends emails Defend has identified as high risk to Microsoft's Quarantine. |
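The transport rules in the table above and the dynamic membership rule on the Defend user group are the two things most likely to drift after deployment (a rule disabled during troubleshooting, a group rule edited by another admin). The following read-only check is an added example, not part of the Defend documentation or the product's own tooling; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Groups modules are installed, that the rule names match the table (trailing * footnote marker omitted), and that the connector names contain "Defend", which the page does not state.

```powershell
# Added example (not from the Defend documentation): post-deployment drift check.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Groups are installed and the
# signed-in account has read access to Exchange Online and Microsoft Graph.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Group.Read.All' -NoWelcome

# Transport rule names copied from the table above (trailing * omitted).
$expectedRules = @(
    'Defend Add Internal Header', 'Defend Add Outbound Header', 'Defend Add Domain Header',
    'Defend Disable ATP Dynamic Scanning', 'Defend Banner Active Override',
    'Incoming Emails via Defend', 'Internal Emails via Defend', 'Outgoing Emails via Defend',
    'Defend Microsoft Spam', 'Defend Microsoft Strong Spam', 'Defend Microsoft Not Spam',
    'Defend Remove Sk Header', 'Defend Quarantine'
)
$rules = Get-TransportRule
foreach ($name in $expectedRules) {
    $rule = $rules | Where-Object { $_.Name -eq $name }
    if (-not $rule) { Write-Warning "Missing transport rule: $name"; continue }
    if ($rule.State -ne 'Enabled') {
        Write-Warning "Transport rule disabled: $name (priority $($rule.Priority))"
    }
}

# Connectors: the page names them by direction only, so matching on 'Defend' in the
# connector name is an assumption; adjust the filter to your tenant's naming.
$inbound  = Get-InboundConnector  | Where-Object { $_.Name -like '*Defend*' }
$outbound = Get-OutboundConnector | Where-Object { $_.Name -like '*Defend*' }
if (-not $inbound)  { Write-Warning 'No inbound connector (Defend to Microsoft 365) found' }
if (-not $outbound) { Write-Warning 'No outbound connector (Microsoft 365 to Defend) found' }
# The inbound connector is what validates mail returning from Defend, so confirm it
# requires TLS and is pinned to the Defend sender certificate domain.
$inbound | Select-Object Name, Enabled, RequireTls, TlsSenderCertificateName

# Dynamic membership rule on the Defend user group (default name from the page).
$group = Get-MgGroup -Filter "displayName eq 'Defend_User_Group'" `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState'
if (-not $group) { Write-Warning 'Defend_User_Group not found' }
else { $group | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState }
```

A membershipRuleProcessingState other than "On" means the dynamic expression (for example `(user.mail -ne null)`) is no longer being evaluated, so new mailboxes stop being protected silently.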
| App Registration | Permissions Required | Justification |
|---|---|---|
| User Analysis | | Establishes an understanding of users and groups in an organization and analyses their historical email to improve efficacy. |
| Admin Features | | Enables admins to view emails in the Defend console and remediate dangerous phishing emails from inboxes. |
| Egress ESI OpenID | | The OpenID permissions are generic authentication scopes that enable Defend to authenticate users, access their basic identity information, and maintain persistent access for a seamless user experience across sessions. |
| KnowBe4 Onboard* | | This app registration handles the initial onboarding phase and requires read access to validate your domain and get started, along with basic authentication scopes needed for initial user login and verification. |
| KnowBe4 Deploy* | | This primary app registration is for the Deployment Center. It requires write access to configure mail flow: it creates transport rules and connectors in Microsoft Exchange for Defend, manages the necessary processing groups, queries and verifies all users for protection policies, and enables SCIM provisioning. |
Defend Console
Once deployment is complete and you have rolled out Defend to your organization by adding the required users to the Defend user group in Microsoft 365, you will have access to the Defend console.
The console consists of the following pages:
- Dashboard
  - The dashboard provides an overview of the email activity observed by Defend. The information on the dashboard is displayed in easy-to-read graphs and charts.
  - For further information, see the Defend - Dashboard article.
- Recent Emails
  - The recent emails page allows admins to view and analyze emails processed by Defend.
  - For further information, see the Defend - Recent Emails article.
- Abuse Mailbox
  - The abuse mailbox page displays all the emails submitted to the abuse mailbox and their analysis status.
  - For further information, see the Defend - Abuse Mailbox Automation article.
- Allow or Deny List
  - These lists can specify what happens when a specified email address, domain, or IP address sends an email to a user in your organization.
  - For further information, see the Defend - Allow or Deny Lists article.
- Event Notifications
  - Event notifications can be used to trigger admin notifications when specific actions occur.
  - For further information, see the Defend - Event Notifications article.
- Settings
  - The settings page allows admins to customize Defend settings to suit an organization's needs.
  - For further information, see the Defend - Settings article.
- URL Rewriting or Decoding
  - Add URL exceptions that Defend will no longer rewrite. Use the decode tool to view Defend's rewritten URLs in their original form.
  - For further information, see the Defend - URL Rewriting Exceptions and Defend - URL Decoding articles.
- User Management
  - The user management page allows you to add, edit, and remove Defend admins.
  - For further information, see the Defend - User Management article.
- Audit Log
  - View changes in your Defend console made by all admins.