ETP
-
ETP Implementation - Adding MX records in GoDaddy
1. Log into the GoDaddy account, click on the drop-menu next to the username, and select My Products.
2. Scroll down to Domains, click on the menu icon for the appropriate domain, and select Manage DNS.
3. In DNS Records, click on the drop-menu in Filter and select MX (Mail Exchange); you should see all current MX records. Click Add.
4. Add each of the following four records. (Copy and paste to avoid errors.)

   MX Records (Scope: @)
   Priority   Record
   10         primary.us.email.fireeyecloud.com
   20         alt1.us.email.fireeyecloud.com
   30         alt2.us.email.fireeyecloud.com
   40         alt3.us.email.fireeyecloud.com

5. Verify that the new MX records were added correctly, then delete all other existing MX records. Click on Delete Record in the pop-up to confirm.

***CAUTION: After changing MX records, you may receive a notification that email cannot be delivered. Do NOT click the link "Let's fix this." That will cause the MX records to revert, and email to this domain will no longer be filtered through ETP.

Please report any errors or omissions in this guide to onboarding@ostra.net.
-
ETP Implementation - Adding MX records in mydomain.com
1. Log into the Control Panel in mydomain.com.
2. In the Domains > Advanced left menu, select DNS & Nameservers, click on the DNS Records tab, scroll down to note the existing MX records, and click on + Add DNS Record.
3. Add each of the following four records. (Copy and paste to avoid errors.)

   MX Records (Scope: @)
   Priority   Record
   10         primary.us.email.fireeyecloud.com
   20         alt1.us.email.fireeyecloud.com
   30         alt2.us.email.fireeyecloud.com
   40         alt3.us.email.fireeyecloud.com

4. Verify that these four MX records are present along with the original MX records and that the parameters are correct.
5. Click the menu next to each old MX record and select Delete, then confirm by clicking Yes, delete it. (Do NOT remove the previous records until verifying that the new records were entered properly.)

Please report any errors or omissions in this guide to onboarding@ostra.net.
-
ETP Implementation - Deployment for M365
How to install ETP on a domain set up for email in M365

***Important: ETP for a new domain can only be implemented after confirmation from the Ostra Onboarding Team that prep is complete.

1. Log into the Microsoft admin portal (admin.microsoft.com/Adminportal/Home) and click on the burger menu next to Microsoft 365 admin center.
   ***Important: If the domain registrar is GoDaddy and the admin is logged in, you will be redirected to GoDaddy when attempting to navigate to the Microsoft admin portal. As a workaround, type in the URLs for the admin portals that are needed. More information is given below in the steps where this applies.
2. Click on All Apps.
3. Search or scroll down and click on Security.
   ***Important: If redirected to GoDaddy, type in this URL: security.microsoft.com
4. In Microsoft 365 Defender, click on Policies & rules in the left menu, then click on Threat policies.
5. In Policies & rules > Threat policies, click on Anti-spam.
6. In Policies & rules > Threat policies > Anti-spam policies, click on Anti-spam inbound policy (Default).
7. In Anti-spam inbound policy (Default), scroll down and click on Edit allowed and blocked senders and domains.
8. In Allowed and blocked senders and domains, click on Allow domains.
9. In Manage allowed domains, click on + Add domains.
10. In Add custom domains, enter these domains in the Domain field to ensure deliverability: fireeyecloud.com, ostra.net, the Ostra partner domain, and the MSP domain if applicable. Click Add domains. Click OK/Save on the next few screens.
    ***Important: If these settings have never been previously accessed, this will trigger an organization customization error and will cause a delay in access to continue with the remaining steps. Click OK when this prompt comes up and the command will run automatically. It may take several hours before you can proceed.
11. In Anti-spam policies, check Connection filter policy (Default).
12. In Connection filter policy (Default), click Edit connection filter policy.
13. In Connection filter policy (Default), enter these IPs in the Always allow field: 34.223.36.0/24 and 3.93.93.0/24. Save.
14. Go back to the browser tab for Microsoft 365 admin center, click Show all, scroll down to Admin centers, and click on Exchange.
    ***Important: If redirected to GoDaddy, type in this URL: admin.exchange.microsoft.com
15. In Exchange admin center, expand Mail flow, then click on Connectors.
16. In Connectors, click on + Add a connector. In New connector, check Partner organization.
17. In Connector name, type ETP Connector in the Name field and save.
18. In Authenticating sent email, check the second option ("By verifying that the IP address..."), and add the IP addresses 34.223.36.0/24 and 3.93.93.0/24. Click OK/Save through the next few options, verifying that the box Reject email messages if they aren't sent over TLS is checked in Security restrictions.
19. In the Mail flow menu, select Rules. In Rules, click on + Add a rule, then Create a new rule.
20. In Set rule conditions, type ETP Spam Bypass in the Name field, then select The sender and IP address is in any of these ranges or exactly matches in the Apply this rule if drop-menus.
21. In Specify IP address ranges, add 34.223.36.0/24 and 3.93.93.0/24 and save.
22. In Set rule conditions > Do the following, select Modify the message properties and Set the spam confidence level (SCL) from the drop-menus, and click OK/Save through the next few steps.
23. Go back to the Microsoft 365 admin center tab in your browser, and click on Azure Active Directory in the left menu.
    ***Important: If redirected to GoDaddy, type in this URL: portal.azure.com
24. In Azure Active Directory admin center, select Azure Active Directory, then App registrations, and click on + New registration.
25. In Register an application, type ETP Remediation in the Name field and save.
26. In ETP Remediation, click on API permissions, then + Add a permission.
27. In Request API permissions, click on Application permissions, type directory.read.all in Select permissions, and check the box for Directory.Read.All under Directory.
28. Type group.read.all in Select permissions, and check the box for Group.Read.All under Group.
29. Type mail.readwrite in Select permissions, and check the box for Mail.ReadWrite under Mail.
30. Type user.read.all in Select permissions, check the box for User.Read.All under User, and save.
31. In Configured permissions, click on Grant admin consent for ..., then click Yes in the pop-up.
32. In the Manage left menu, click on Certificates & secrets, then click on + New client secret.
33. In Add a client secret, type ETP Remediation Secret in the Description field, select 24 months from the drop-menu in Expires, and save.
34. Start an email draft to onboarding@ostra.net with the subject: Values for [Domain] ETP. Enter the values from the following sub-steps in the email body. These values will be used by Ostra to set up remediation for this domain.
    34a. In Certificates & secrets, in the Client secrets tab, click the copy icon next to the text in the Value column and paste it in the email body.
    34b. Click on Overview in the left menu, then left-click and drag your cursor to select the Application (client) ID, Object ID, and Directory (tenant) ID, right-click to Copy, then paste in the email body and send.
35. All changes in Microsoft 365 have been completed. To finalize ETP implementation, add the following MX records in the domain registrar. All other MX records should be removed.

    MX Records (Scope: @)
    Priority   Record
    10         primary.us.email.fireeyecloud.com
    20         alt1.us.email.fireeyecloud.com
    30         alt2.us.email.fireeyecloud.com
    40         alt3.us.email.fireeyecloud.com

    (See other Knowledge Base articles for instructions on changing MX records in GoDaddy or mydomain.com.)
36. Send a test email to an existing mailbox in the client domain and cc onboarding@ostra.net. The subject should be Test email to (domain). The Onboarding Team will verify that inbound email is being filtered through ETP and reply all to confirm a successful deployment.

Troubleshooting:
- If the test email is not received in the client inbox, check the MX records. Enter the domain in mxtoolbox.com or another tool to verify that only the records above are listed.
- Review all the steps to ensure all policies were created according to this guide.
- Contact the Onboarding Team at onboarding@ostra.net or call (952) 521-8002.

Please report any errors or omissions in this guide to onboarding@ostra.net.
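Steps 13, 18 and 21 above allow-list the two ETP ranges in the connection filter, the connector and the transport rule. The added example below (not part of the Ostra guide) is a post-deployment check that inbound mail is in fact arriving from those ranges: it tests connecting IPs against the two CIDRs with the standard library and flags messages that were delivered without passing through ETP. The message-trace CSV and its column names are constructed for illustration and are not a real export format.

```python
# Added example (not from the Ostra guide): confirm that inbound mail reaches the
# tenant only from the two ETP ranges the guide allow-lists. The trace format
# below is constructed for illustration; real message-trace exports differ.
import csv
import io
import ipaddress

# The two ranges entered in the connection filter, connector and transport rule.
ETP_RANGES = [ipaddress.ip_network(r) for r in ("34.223.36.0/24", "3.93.93.0/24")]


def from_etp_gateway(ip: str) -> bool:
    """True if the connecting IP falls inside one of the ETP ranges."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # malformed or empty value: treat as not from ETP
    return any(addr in net for net in ETP_RANGES)


def audit_trace(trace_csv: str):
    """Return (etp_count, bypass_rows) for a CSV with a 'sender_ip' column.

    bypass_rows lists inbound messages whose connecting IP is not an ETP
    address, i.e. mail that reached the tenant without being filtered.
    """
    etp = 0
    bypass = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if from_etp_gateway(row["sender_ip"]):
            etp += 1
        else:
            bypass.append(row)
    return etp, bypass


# Constructed sample: three messages via ETP, one delivered directly.
SAMPLE_TRACE = """message_id,sender_ip,from,subject
m1,34.223.36.17,user@example.org,Invoice
m2,3.93.93.201,news@example.net,Newsletter
m3,34.223.36.250,hr@example.org,Policy update
m4,198.51.100.23,unknown@example.com,Urgent
"""

if __name__ == "__main__":
    count, bypass = audit_trace(SAMPLE_TRACE)
    print(f"{count} message(s) arrived via ETP")
    for row in bypass:
        print(f"not via ETP: {row['message_id']} from {row['sender_ip']}")
```

The same two ranges are the ones entered in the Google Workspace inbound gateway, so the check applies unchanged there.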
-
ETP Implementation - Deployment for Google Workspace
How to install ETP on a domain set up for email in Google Workspace

***Important: ETP for a new domain can only be implemented after confirmation from the Ostra Onboarding Team that prep is complete.
***Important: Remediation steps are currently under revision due to changes in Google. (Steps 30-42)

1. Log into the Google Workspace Admin (admin.google.com), then go to Apps > Google Workspace > Gmail on the left menu.
2. Scroll down and click on Spam, Phishing and Malware.
3. In Inbound gateway, click the Edit pencil icon.
4. In Inbound gateway, check the box to Enable, then click on Add in IP addresses / ranges.
5. Enter 34.223.36.0/24 in the Enter IP address/range field, click Save, then ADD. Enter 3.93.93.0/24 and click Save.
6. Uncheck the boxes for Automatically detect external IP and Reject all mail not from gateway IPs. Click Save at the bottom right of the screen.
7. Click on Spam, phishing, and malware to close it out.
8. In Settings for Gmail, click on Hosts.
9. In Settings for Gmail > Hosts, click on ADD ROUTE.
10. In Add mail route, type Google Internal in the Name field, change the drop-menu option in 1. Specify email server to Multiple hosts, and copy and paste the host names below into Primary. Enter 25 for the Port and 20 for Load % for all host names.
    aspmx.l.google.com
    alt1.aspmx.l.google.com
    alt2.aspmx.l.google.com
    alt3.aspmx.l.google.com
    alt4.aspmx.l.google.com
11. Scroll down to 2. Options and verify that all boxes are checked. Click Save.
12. Verify that all hosts are listed and click on Hosts to close out this section.
13. In Settings for Gmail, scroll down and select Routing.
14. In Routing > Routing, click on Configure.
15. In Add setting, type Internal Routing in the Routing text field. In 1. Email messages to affect, check the box for Internal - Sending.
16. Scroll down to Route, check the box for Change route, then check the box for Suppress bounces from this recipient. Click on the drop-menu and select Google Internal.
17. Scroll down and click on Show options. In B. Account types to affect, check the box for Groups. In C. Envelope filter, click on the drop-menu and select Pattern match.
18. In the text field for Regexp, type .* (period asterisk) and click Save.
19. Open another browser tab and go to console.cloud.google.com. Ensure that Google is signed in under the right profile (top right). Check the box to agree to the Terms of Service and click AGREE AND CONTINUE.
20. Click on the burger icon next to Google Cloud (top left), then IAM & Admin > Manage Resources.
21. In Manage resources, click on + CREATE PROJECT on the top menu.
22. In New Project, type ETP Remediation in the Project name text field. Click CREATE, then SELECT PROJECT in the Notifications pop-up.
23. Click on APIs & Services, select Enabled APIs & services, then Library.
24. Type admin sdk into the API Library search box, then open Admin SDK API.
25. In Admin SDK API, click on ENABLE.
26. Go back to the APIs & Services left menu, click on Library, type google calendar in the search box, open Google Calendar API, then click ENABLE.
27. Go back to the APIs & Services left menu, click on Library, type contacts in the search box, open Essential Contacts API, then click ENABLE.
28. Go back to the APIs & Services left menu, click on Library, type gmail in the search box, open Gmail API, then click ENABLE.
29. Go back to the APIs & Services left menu, click on Library, type groups migration in the search box, open Groups Migration API, then click ENABLE.
30. By default, Google Cloud does not allow the creation of service account keys. This policy will need to be disabled in order to complete the setup of the Remediation Service Account. Navigate to the parent organization for the ETP Remediation project. (Select ALL in order to see which organization this project was created under.)
31. Navigate to IAM & Admin, then Roles. The logged-in user should have the role Organization Administrator. Add the following role to them as well: Organization Policy Administrator.
32. Go to IAM & Admin > Organization Policies and search for the policy iam.disableServiceAccountKeyCreation. Edit the policy and switch enforcement to Off.
33. Navigate back to the ETP Remediation project and then the APIs & services left menu, and click on OAuth consent screen. (If this is the first time this setting is being used in this instance of Google Cloud, OAuth may not be configured. If this is the case, click on Get Started and continue following the steps below.)
34. Check Internal for User Type, and click on CREATE.
35. In App information, type ETP Authorization into the App name text field, then enter the email for the client's contact in User support email. Scroll down to Developer contact information and enter it again, then click SAVE AND CONTINUE.
36. Click SAVE AND CONTINUE in the Scopes section.
37. Click on Credentials in the left menu, then + CREATE CREDENTIALS and Service Account.
38. In Service account details, type ETP Remediation Service Account into the Service account name text field. Click CREATE AND CONTINUE, then DONE.
39. In Service Accounts, click on the email for the ETP Remediation Service Account.
40. In ETP Remediation Service Account, select KEYS in the top menu, click on the drop-menu in ADD KEY, and select Create new key.
41. In Key type, select JSON, then click CREATE. (If you encounter this error when clicking CREATE, the organization policy iam.disableServiceAccountKeyCreation will need to be disabled. Please refer to steps 31-33.)
42. Click Allow to allow downloads. This will download a file. Create an email draft to support@ostra.net with the subject Values for [Domain] ETP, attach the file, and send.
    ***Important: This step is necessary for Ostra to implement email remediation services on this client domain. However, remediation cannot be implemented on Google Workspace accounts on the Business Starter tier. Upgrading to Business Standard or higher is necessary.
43. Go back to the Routing tab in your browser. In the Admin left menu, go to Security > Access and data control > API controls.
44. In API Controls, scroll down and click on MANAGE DOMAIN WIDE DELEGATION.
45. In Security > API Controls > Domain-wide Delegation, click Add new.
46. Before entering the Client ID, go to the browser tab for ETP Remediation Service Account, click on the DETAILS tab, and copy the Unique ID.
47. Go back to the browser tab for Domain-wide Delegation and paste the Unique ID into the Client ID text field.
48. Copy and paste or type each of the following into the OAuth scopes text fields.
    https://mail.google.com
    https://www.googleapis.com/auth/admin.directory.user.readonly
    https://www.googleapis.com/auth/admin.directory.group.readonly
    Click AUTHORIZE. Confirm that all three scopes are present in the new API client.
49. All changes in Google Workspace have been completed. To finalize ETP implementation, add the following MX records in the domain registrar. All other MX records should be removed.

    MX Records (Scope: @)
    Priority   Record
    10         primary.us.email.fireeyecloud.com
    20         alt1.us.email.fireeyecloud.com
    30         alt2.us.email.fireeyecloud.com
    40         alt3.us.email.fireeyecloud.com

    (See Knowledge Base articles for instructions on changing MX records in GoDaddy or mydomain.com.)
50. Send a test email to an existing mailbox in the client domain and cc onboarding@ostra.net. The subject should be Test email for [domain]. The Onboarding Team will verify that inbound email is being filtered through ETP and reply all to confirm a successful deployment.

Troubleshooting:
- If the test email is not received in the client inbox, check the MX records. Enter the domain in mxtoolbox.com or another tool to verify that only the records above are listed.
- Review all the steps to ensure all policies were created according to this guide.
- Contact the Onboarding Team at onboarding@ostra.net or call (952) 521-8002.

Please report any errors or omissions in this guide to onboarding@ostra.net.
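The registrar articles and the troubleshooting step above both come down to one check: the domain must publish exactly the four ETP MX records and nothing else. The added example below (not part of the Ostra guide or any Ostra tool) parses `dig +short MX` output and reports missing records, wrong priorities, and leftover records that still need to be deleted. The sample output is constructed; `check_domain` is a convenience wrapper that assumes `dig` is installed and needs network access.

```python
# Added example (not from the Ostra guide): verify that a domain's published MX
# set is exactly the four ETP records from the guide, with nothing left behind.
# Input is the text printed by `dig +short MX <domain>`; samples are constructed.
import subprocess

# Expected records, as given in the guide (host -> priority).
ETP_MX = {
    "primary.us.email.fireeyecloud.com": 10,
    "alt1.us.email.fireeyecloud.com": 20,
    "alt2.us.email.fireeyecloud.com": 30,
    "alt3.us.email.fireeyecloud.com": 40,
}


def parse_dig_mx(text: str) -> dict:
    """Parse `dig +short MX` lines ("10 host.") into {host: priority}.

    Hostnames are lower-cased and the trailing dot removed so that
    registrar-side capitalisation does not produce false mismatches.
    """
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # blank line or something that is not an MX answer
        records[parts[1].rstrip(".").lower()] = int(parts[0])
    return records


def check_etp_mx(records: dict) -> list:
    """Return a list of problems; an empty list means the MX set is correct."""
    problems = []
    for host, prio in ETP_MX.items():
        if host not in records:
            problems.append(f"missing: {prio} {host}")
        elif records[host] != prio:
            problems.append(f"wrong priority for {host}: {records[host]} (expected {prio})")
    for host, prio in records.items():
        if host not in ETP_MX:
            problems.append(f"extra record must be removed: {prio} {host}")
    return problems


def check_domain(domain: str) -> list:
    """Live check using dig (needs network); not used by the offline sample."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=True).stdout
    return check_etp_mx(parse_dig_mx(out))


# Constructed sample: ETP records present, but an old Google MX was never deleted.
SAMPLE_DIG = """10 primary.us.email.fireeyecloud.com.
20 alt1.us.email.fireeyecloud.com.
30 alt2.us.email.fireeyecloud.com.
40 alt3.us.email.fireeyecloud.com.
1 aspmx.l.google.com.
"""

if __name__ == "__main__":
    for line in check_etp_mx(parse_dig_mx(SAMPLE_DIG)) or ["MX set is correct"]:
        print(line)
```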
-
ETP Support - How to Forward a Suspicious Email for Investigation
How to Forward a Suspicious Email for Investigation

Email Threat Prevention (ETP) is a tool that prevents most malicious emails from being delivered to your inbox by placing them in quarantine. However, some threats are too new and have not yet been identified as malicious by Trellix or Ostra before being delivered to your inbox. In other situations, the email itself doesn't raise any flags but contains a link to a site where the user is asked for login credentials, which will then be used to steal sensitive data. This is why it is important to always be vigilant and understand that cyber security tools are only one piece of securing your information.

Every time a potential threat is reported to Ostra, security analysts investigate and follow this protocol if it is indeed malicious:
- Investigate whether it was delivered to any other clients and remove it
- Block the sender or domain for all clients
- Report the threat to Trellix
- Run a full scan on the computer used to access the email if needed

What to Do

If you receive an email that looks suspicious and want Ostra to investigate it, please send it as an .eml attachment. This provides more useful information upfront than simply forwarding the email, and allows the security analyst to investigate right away instead of requesting and waiting for the .eml file. Below, you will find instructions for forwarding the .eml file in Outlook and Gmail.

*** If you clicked on a link or provided any personal information, be sure to include that information in the email to Support so that your case is prioritized accordingly. Also, please provide the device name so a scan can be initiated if endpoint protection is installed. ***

Instructions for Outlook
1. Click on the ellipsis for more options.
2. Click on Other reply actions, then Forward as attachment.
3. Add any relevant information in the body of the email. If your email signature does not include a phone number, please provide one in case the security analyst needs to reach you. Send to support@ostra.net to automatically generate a support ticket.

Instructions for Gmail
1. Check the box next to the email to be investigated, then click on the kebab (vertical ellipsis) for more options.
2. Click on Forward as attachment.
3. Add any relevant information in the body of the email. If your email signature does not include a phone number, please provide one in case the security analyst needs to reach you. Send to support@ostra.net to automatically generate a support ticket.
-
ETP Setup for O365 - One-Arm Mode
Instructions attached for ETP in one-arm mode.