- How is Email Threat Isolation implemented, and how does it work?
Web Isolation can be integrated with Symantec’s Email Security.cloud solution. Organizations that use Email Security select Isolation in the Email Security console, which means that the service scans inbound emails and rewrites all links. When the email recipient clicks the link, Email Threat Isolation returns an address that is based on the risk level of the website to which the link points (either the default risk level, or the custom risk level to isolate). If the website must be isolated, the service returns the Isolation Portal URL and isolates the requested website. Typically, the hostname is email-isolation.prod.fire.glass.
- How to configure Email Threat Isolation?
- Verify that your offering has Email Threat Isolation Service.
- Enable Click-time URL Protection settings, from Dashboard > Services > Email Threat Detection & Response > Click Time Protection Settings
- Enable URL isolation, from Dashboard > Services > Email Threat Detection & Response > Click Time Protection Policy
- Enable Attachment Isolation, from Dashboard > Services > Email Threat Detection & Response > Attachment Isolation Settings.
- Note: The Email Threat Isolation service uses two components to scan both the body of an email and its attachments. URL Isolation works with the Click-time URL Protection service to identify malicious links in the body of an email. Attachment Isolation protects users from suspicious email attachments.
- How to configure Attachment Isolation settings?
From Dashboard > Services > Email Threat Detection & Response > Attachment Isolation Settings
- Use the Apply to: list to choose whether to apply Attachment Isolation globally, or to one or more subdomains in the list.
- Select the Enable option to enable Attachment Isolation.
- Select the Enable offline access option to allow users to access attachments offline if they do not have an Internet connection. If a user lacks a connection, then email attachments are automatically downloaded to the user's device. Offline access is enabled by default.
- Select an Isolation Period ranging from 1-30 days from the list. During the time period specified here, Attachment Isolation scans attachments each time they are opened. After this period elapses, attachments are no longer scanned but users can still open the protected email attachment, and the original email attachment is automatically downloaded.
- Recipient Attachment Protection: All of your organization's users are protected by default. To exclude individual users or LDAP groups from using Attachment Isolation, add them to the Exceptions list. To protect only certain users or LDAP groups with Attachment Isolation, add them to the Protect Specific Users list and Protect Specific LDAP groups list respectively. Click Delete All to remove all groups and users from the lists.
- Attachment File Types to Isolate: All document types are enabled by default, which means that all will be isolated. To exclude individual file types from isolation, select the file type(s) that you want to bypass isolation.
- How to configure a Click-time Protection Policy to navigate URLs through the Email Threat Isolation Service?
- Go to Dashboard > Services > Email Threat Detection & Response > Click Time Protection Policy. Default policies are already enabled and cannot be modified; they are shown as modified by System Default.
- Click Add. A pop-up appears in which you create a new rule as a condition and an action: IF (URL Risk Score and URL Category) THEN (Allow, Block, or Pass to Isolation). The Allow and Block actions are taken by the Click-time Protection Service; Pass to Isolation sends the navigation through the Email Threat Isolation Service.
- URL Risk Score and URL Category are identified by Symantec WebPulse. Risk Scores range from 0 to 10, where 0 is a customer override, 1 is very safe, and 10 is malicious. Each URL is also categorized; you can review URL categorization through Symantec Site Review.
- When a rule with a URL Risk Score and URL Category condition has the action Pass to Isolation, any URL rewritten by the Click-time Protection Service that matches the rule is passed to an isolated environment, and the URL is navigated through a hostname that is typically email-isolation.prod.fire.glass.
- Note: Click-time Protection Policies are processed in top-down order; once a policy matches, no further policies are processed. Below is an example:

A URL with Risk Score "2" that is categorized as Dynamic DNS Host will be isolated: Rule #7 did not match and Rule #8 matched.
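The first-match ordering described in the note can be checked offline before rules are reordered in the console. This is an added example, not Symantec's code or the rule table from this page: the rule list is constructed, and the condition model (an inclusive risk-score range combined with an optional category set, both required to match) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    risk_min: int                    # inclusive bounds on the 0-10 risk score
    risk_max: int
    categories: Optional[frozenset]  # None = any category (assumed semantics)
    action: str                      # "Allow", "Block" or "Pass to Isolation"

    def matches(self, risk, url_categories):
        if not self.risk_min <= risk <= self.risk_max:
            return False
        return self.categories is None or bool(self.categories & set(url_categories))

def evaluate(rules, risk, url_categories):
    """Return the first matching rule in list order; later rules are never consulted."""
    for rule in rules:
        if rule.matches(risk, url_categories):
            return rule
    return None  # no custom rule matched

def shadowed(rules):
    """Pairs (rule, earlier_rule) where the earlier rule matches everything the
    later one does, so the later rule can never take effect."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_risk = (earlier.risk_min <= later.risk_min
                           and later.risk_max <= earlier.risk_max)
            covers_cat = earlier.categories is None or (
                later.categories is not None
                and later.categories <= earlier.categories)
            if covers_risk and covers_cat:
                out.append((later.number, earlier.number))
                break
    return out

# Constructed rule list for illustration only.
DDNS = frozenset({"Dynamic DNS Host"})
RULES = [
    Rule(1, 7, 10, None, "Block"),
    Rule(2, 1, 4, DDNS, "Pass to Isolation"),
    Rule(3, 1, 3, DDNS, "Allow"),      # never reached: rule 2 matches first
    Rule(4, 5, 6, None, "Pass to Isolation"),
]
```

With this list, a risk-2 Dynamic DNS Host URL is isolated by rule 2, and `shadowed(RULES)` reports rule 3 as dead because rule 2 always wins.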
- How to override specific URLs so that they are not isolated?
From Dashboard > Services > Email Threat Detection & Response > Attachment Isolation Settings > Approved Sources:
- Add a URL to Approved URLs, or add sender email addresses or sending domains to Approved Senders, to create an exception based on your settings.

- Note: The Approved Sources and Approved Senders lists apply at the global level.
- Note: Wildcards (*) are supported in both lists.
- Note: The Click-time Protection Service still rewrites the URLs, but they are not isolated.
- How to view Email Threat Isolation Incidents?
URL Isolation and Attachment Isolation incidents are logged whenever URLs and attachments are opened on the Email Threat Isolation platform. You can review these incidents in the sortable table in CNET Portal, download them in CSV format, or access them via a data feed.
- Go to Dashboard > Reports > Incidents > Email Threat Isolation Incidents. The incidents table shows the items ("URLs"), whether each was Allowed or Isolated, and the last access date. These incidents are only shown for the last 7 days.
- To view incidents for the last 30 days, you need to request a report. Go to Dashboard > Reports > Report request > Request a new report. Fill in the required information in the Report Wizard and select Threat Isolation Incidents in Core Email Reports > Service Statistics.
- To pull incidents through the Email Threat Isolation feed service, see the details on the API Access tab in Email Threat Isolation Incidents.
- How to read the Email Threat Isolation Incidents Report?

- When a Click-time protection request is not isolated, the following fields are populated by Click-time Protection:
- Timestamp: Time of request.
- Event Type: Forward to URL.
- Source IP Address: IP address of the client making the request.
- URL: The requested URL.
- Action Taken: Allow or Block.
- Service: Click-time URL Protection.
- URL Categories: WebPulse Categories.
- URL Risk: WebPulse URL Risk Score.
- When a Click-time protection request is isolated, the following fields are populated by the Threat Isolation Engine:
- Timestamp: Time of request.
- Event Type: The most common event types should be Network Request, which signifies the rendering of a URL or a resource in Isolation, and File Download, which signifies that a file (a PDF, for example) was opened in Isolation.
- Source IP Address: IP address of the client making the request.
- URL: The requested URL.
- Referer URL: When applicable, the referring URL is specified. For example, if www.example.com is isolated by Click-time Protection, there is no Referer URL. However, if the user navigates from www.example.com to www.example.com/abc, then the Referer URL for www.example.com/abc is www.example.com.
- Destination IP Address: IP of the web server to which the request is made.
- Action Taken: Isolate or Block.
- Service: Threat Isolation Engine.
- Country: Geo-Location of the web server to which the request is made.
- URL categories: WebPulse Categories.
- URL Risk: WebPulse URL Risk Score.
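The two row types above can be triaged together from a CSV export. This is an added example, not part of the product: the sample rows are constructed, and it assumes the CSV header names match the field labels listed above, that URL Risk is an integer, and that Referer URL is blank when not applicable.

```python
import csv
import io

# Constructed sample export (documentation IPs and reserved .example hosts).
SAMPLE = """Timestamp,Event Type,Source IP Address,URL,Referer URL,Action Taken,Service,URL Risk
2024-01-01T10:00:00Z,Forward to URL,192.0.2.10,http://a.example/,,Allow,Click-time URL Protection,7
2024-01-01T10:05:00Z,Network Request,192.0.2.11,http://b.example/,,Isolate,Threat Isolation Engine,5
2024-01-01T10:05:20Z,Network Request,192.0.2.11,http://b.example/docs,http://b.example/,Isolate,Threat Isolation Engine,5
2024-01-01T10:05:40Z,File Download,192.0.2.11,http://b.example/docs/invoice.pdf,http://b.example/docs,Isolate,Threat Isolation Engine,5
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def risky_allows(rows, threshold):
    """Clicks that Click-time URL Protection allowed at or above a risk threshold:
    candidates for a stricter Block or Pass to Isolation rule."""
    return [r for r in rows
            if r["Service"] == "Click-time URL Protection"
            and r["Action Taken"] == "Allow"
            and int(r["URL Risk"]) >= threshold]

def entry_url(rows, event):
    """Walk Referer URL backwards within one client's events until a URL with
    no referer is reached: the link that was clicked in the email."""
    referer_of = {r["URL"]: r["Referer URL"] for r in rows
                  if r["Source IP Address"] == event["Source IP Address"]}
    url, seen = event["URL"], set()
    while referer_of.get(url) and url not in seen:  # 'seen' guards against loops
        seen.add(url)
        url = referer_of[url]
    return url

def downloads_with_origin(rows):
    """Each file opened in Isolation, paired with the emailed link that led to it."""
    return [(r["URL"], entry_url(rows, r))
            for r in rows if r["Event Type"] == "File Download"]
```

On the sample, `downloads_with_origin` traces `invoice.pdf` back through `/docs` to `http://b.example/`, the URL with no Referer, and `risky_allows(rows, 6)` surfaces the risk-7 click that was allowed without isolation.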