Issue:
Why does Elements Collaboration Protection not automatically quarantine an email with a high severity detection, while an email with a medium severity detection is quarantined?
Resolution:
The Elements Collaboration Protection Severity level indicates whether an administrator action is needed to mitigate the immediate risk.
- Low: No action is needed because the item is coming from a trusted source.
- Medium: No action is needed. The item was automatically either quarantined or deleted.
- High: Action required. No automatic action is specified in the policy.
- Critical: Immediate action is required to mitigate the risk.
If some emails are quarantined and others are not, the policy may be set so that only specific content (URLs or files) triggers a quarantine action.
URLs are divided into harmful and suspicious in the policy, and each category can be given a different action.
How to check the action for both malicious and suspicious URLs:
- Log in to the Elements portal
- Open the Collaboration Protection section from the menu on the left
- Go to the Policies page
- Open the policy that is in use on your cloud service
- Open the Exchange tab and go to the URL scanning page
In the Action section, make sure that both "Malicious URL" and "Suspicious URL" are set to "Move the item to quarantine". If either is set to "Take no action", the admin has to manually delete or otherwise act on the item, which results in a high severity classification.
If the email with high severity classification includes a malicious file, make sure that the malware scanning action has been set up to quarantine the file:
- Open the policy that is in use on the cloud service
- Open the Exchange tab and go to the Malware scanning page
- In the Action section, make sure that the action is set to "Move whole item into quarantine"
Article no: 000045126