Defend uses artificial intelligence to detect and prevent sophisticated phishing attacks that bypass traditional security tools. Its adaptive security architecture automatically adjusts security controls based on real-time risk assessments. Incoming emails are analyzed and bannered in real time to provide security awareness training opportunities.
This article provides an overview of the deployment process and technical specifications required to implement and operate Defend successfully.
Feature Analysis
When Defend detects threats, protective measures can be applied, such as warning banners, link rewriting, link scanning, and quarantining emails. Admins can use the Defend admin console to configure Defend’s settings to suit an organization’s needs.
For full details about Defend's features, see the Defend - Feature Analysis article.
Deployment
The Defend deployment center is a comprehensive wizard that allows admins to configure and deploy Defend features to their organization easily. Admins are guided through each section of the deployment process, and progress is saved at every step. Once the deployment center is complete, admins gain access to the Defend console, where further customization can be completed.
For full details about the deployment process, see the Defend Quickstart Guide.
Summarized Changes
Defend will deploy multiple elements in your Microsoft 365 environment to ensure seamless integration and proper functionality between Defend and your Microsoft 365 services. This deployment includes the creation and configuration of the following elements:
- An accepted domain
- Connectors
- User groups
- Transport rules
- App registrations
During the deployment process, you will have to grant the necessary permissions for each of these components to operate effectively in your organization's Microsoft 365 tenant.
For full details about the changes you will see in your Microsoft 365 environment, see the Defend Quickstart Guide’s Summarized Changes section.
Transport Neutral Encapsulation Format (TNEF)
Defend does not support TNEF email. During deployment, the TNEF-enabled parameter is set to “False” for all external domains. All TNEF emails that leave Exchange Online will be converted to the Multipurpose Internet Mail Extensions (MIME) email format by Microsoft.
By default, new Defend deployments only route internal emails through Defend if they contain banners. This is determined by checking whether the email chain carries a “References” header value that is unique to each Defend customer. These emails will still have TNEF features removed when leaving Microsoft 365, but TNEF continues to work for all other use cases.
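The Summarized Changes and TNEF sections describe objects that the deployment creates in Exchange Online; an admin will usually want to confirm they are present and configured as expected after deployment (and again after any tenant change). The following Exchange Online PowerShell script is an added example, not KnowBe4's own tooling. It assumes the ExchangeOnlineManagement module is installed, that the account used can read mail flow configuration, and that the connectors and transport rules created by the deployment center carry “Defend” in their names (that naming is an assumption; adjust the pattern to whatever your tenant shows). The group name Defend_User_Group is the one this article uses.

```powershell
# Added example (not KnowBe4's script): inventory the Exchange Online objects a Defend
# deployment creates and confirm the TNEF setting on external (remote) domains.
param(
    # Assumption: Defend-created objects contain "Defend" in their name; change to suit.
    [string] $NamePattern = '*Defend*'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Accepted domain added by the deployment
Write-Host "== Accepted domains matching $NamePattern =="
Get-AcceptedDomain |
    Where-Object { $_.Name -like $NamePattern -or $_.DomainName -like $NamePattern } |
    Format-Table Name, DomainName, DomainType -AutoSize

# 2. Connectors: mail leaves the tenant for Defend and comes back; both legs should use TLS
Write-Host "== Outbound connectors (tenant -> Defend) =="
Get-OutboundConnector | Where-Object { $_.Name -like $NamePattern } |
    Format-Table Name, Enabled, SmartHosts, TlsSettings, RecipientDomains -AutoSize

Write-Host "== Inbound connectors (Defend -> tenant) =="
Get-InboundConnector | Where-Object { $_.Name -like $NamePattern } |
    Format-Table Name, Enabled, RequireTls, TlsSenderCertificateName, SenderIPAddresses -AutoSize

# 3. Transport (mail flow) rules that route mail to the outbound connector; the header
#    condition is where the per-customer "References" check from the TNEF section lives
Write-Host "== Transport rules matching $NamePattern =="
Get-TransportRule | Where-Object { $_.Name -like $NamePattern } |
    Format-Table Name, State, Priority, RouteMessageOutboundConnector, HeaderContainsMessageHeader -AutoSize

# 4. The scoping group referenced by the rules (name taken from this article)
Write-Host "== Defend_User_Group membership =="
$group = Get-DistributionGroup -Identity 'Defend_User_Group' -ErrorAction SilentlyContinue
if ($group) {
    $count = (Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited | Measure-Object).Count
    Write-Host "$($group.PrimarySmtpAddress): $count member(s)"
} else {
    Write-Warning 'Defend_User_Group not found, or it is not a mail-enabled group'
}

# 5. TNEF: the deployment sets TNEFEnabled to False on remote domains. A value of $null
#    means "not set" (per-user/default behaviour applies), so report anything that is not False.
Write-Host "== Remote domains where TNEFEnabled is not False =="
$tnef = Get-RemoteDomain | Where-Object { $_.TNEFEnabled -ne $false }
if ($tnef) {
    $tnef | Format-Table Name, DomainName, TNEFEnabled -AutoSize
} else {
    Write-Host 'All remote domains have TNEFEnabled = False'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it read-only after the deployment center finishes and keep the output with your change records; the same listing is useful when troubleshooting a message that arrived without a banner, because it shows in one place whether the rule is enabled, which connector it routes to, and whether the recipient is in the group.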
Architecture
Defend will integrate with your organization's email system to process and analyze emails before delivery to users. Defend requires Microsoft Exchange mail flow rules and connectors to redirect mail flow to the Defend service, where it is processed and sent back to the customer tenant before delivery to the users. All emails sent between Defend and Microsoft 365 are encrypted with TLS.
For full details about Defend architecture, see the Defend - Architecture article.
Data Storage
Defend stores email metadata, which is used for reports and dashboards in the console.
For full details about the data Defend stores, see the Defend - Data Storage article.
Hosting and Availability
Defend is split across two data centers in AWS, which make use of availability zones. These zones are isolated locations within a region, each with its own independent power, networking, and cooling infrastructure to ensure full redundancy.
Current hosting regions are the UK, the US, the EU, and AU.
Service Outages
We have extensive monitoring and will be alerted if Defend is not operational. We will then follow our incident process to determine the issue. If the issue can be resolved easily, we will rectify this quickly.
During an outage, the redundancy measures detailed above will be used to fail over. No emails will be lost in this process. However, emails will be delivered without Defend banners or link rewriting.
If you wish to disable Defend completely during an outage, you can do so by removing all users from the Defend_User_Group. In this event, Defend will not scan emails and will deliver them to users without banners. Once Defend is operational, users can be added back to the group, and normal email scanning will resume.
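The bypass described above is reversible only if you know exactly who was in the group beforehand, so it is worth scripting the export, removal and restore as one procedure. The following Exchange Online PowerShell script is an added example and is not KnowBe4's own tooling. It assumes Defend_User_Group is a mail-enabled group that the distribution-group cmdlets can manage (an assumption about how the deployment created it) and that the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not KnowBe4's script): bypass Defend during an outage by emptying
# Defend_User_Group, keeping a CSV snapshot so membership can be restored exactly.
param(
    [ValidateSet('Export', 'Bypass', 'Restore')]
    [string] $Action = 'Export',
    [string] $GroupName = 'Defend_User_Group',        # name used in this article
    [string] $BackupPath = ".\$GroupName-members.csv" # assumption: local CSV snapshot
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Export-GroupMembers {
    # Record current membership so the bypass can be reversed without guesswork.
    $members = @(Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited)
    $members | Select-Object Name, PrimarySmtpAddress, RecipientType |
        Export-Csv -Path $BackupPath -NoTypeInformation
    Write-Host "Exported $($members.Count) member(s) of $GroupName to $BackupPath"
    return $members
}

switch ($Action) {
    'Export' {
        Export-GroupMembers | Out-Null
    }
    'Bypass' {
        # Always snapshot first: once the group is empty, Defend is skipped for everyone
        # and mail is delivered without banners or link rewriting.
        $members = Export-GroupMembers
        foreach ($m in $members) {
            Remove-DistributionGroupMember -Identity $GroupName -Member $m.PrimarySmtpAddress -Confirm:$false
        }
        Write-Host "$GroupName emptied; mail now bypasses Defend"
    }
    'Restore' {
        if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
        $saved = Import-Csv -Path $BackupPath
        foreach ($m in $saved) {
            # Members re-added manually in the meantime produce an error here; ignore it.
            Add-DistributionGroupMember -Identity $GroupName -Member $m.PrimarySmtpAddress -ErrorAction SilentlyContinue
        }
        $now = @(Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited).Count
        Write-Host "Restored $GroupName from $BackupPath; group now has $now member(s)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run with `-Action Export` periodically so a recent snapshot exists before any incident, `-Action Bypass` only once you have confirmed the outage on the status page, and `-Action Restore` when Defend is operational again. Remember that while the group is empty, inbound mail is not scanned, so treat the bypass window as a period of reduced protection in your incident notes.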
Latency
Defend typically processes and sends emails back to Microsoft 365 in low single-digit seconds. However, if Microsoft 365 is experiencing issues, Defend will retry sending mail to ensure that it is delivered as soon as Microsoft 365 becomes available.
Alerting
We use AWS metrics and alarms to monitor the Defend system 24/7 on a granular level.
If Microsoft 365 goes down, your emails will be queued, retried, and sent as soon as Microsoft 365 is available again. During that downtime, you will not receive any emails in your environment.
We have a service status system that shows live service updates for all our platforms. Customers can subscribe to notifications on the status page to be notified when there is a change to any of our services.
View our status page and subscribe here: status.knowbe4.com.