Create a policy

While Enterprise Threat Protector (ETP) includes a default policy, you can configure a policy to define how your company handles known or suspected threats.

As a best practice, assign Security Connector to the malware and command and control (C&C) categories. A C&C threat indicates that a user’s machine is already compromised by the time it’s detected. To clean compromised machines, you can use Security Connector to identify infected machines and get the information you need for remediation.

To perform this task, you must be an ETP super administrator, delegated administrator, or a tenant administrator.
Note: A tenant administrator cannot enable the ETP proxy or complete any step related to the proxy.

How to

  1. In the navigation menu, select Configuration > Policies.
    Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Policies > Policies.
  2. On the Policies page, click the plus sign icon.
  3. Enter a name and description for the policy in the Name and Description fields.
  4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:
    • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
    • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. It assigns the monitor policy action to all known and suspected threat categories.
    • Custom. Lets you define policy actions for known and suspected threats.
  5. To assign a location, click the link icon, select a location or multiple locations, and click Associate.
  6. Click the Settings tab.
  7. In the Proxy Settings area:
    1. To enable the ETP proxy, toggle Enable Proxy to on.
    2. To require ETP Proxy to authorize connections from the on-premises proxy, enable Proxy Authorization. To use this setting, you must configure the same proxy credentials in ETP and in the on-premises proxy. For more information, see Proxy authorization.
    3. If you want to allow outbound traffic on a new origin port, in the Origin Ports field, enter the port number or port range. Separate each port number or range with a comma. By default, the full web proxy allows outbound traffic to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
    4. If you are configuring proxy chaining or the full web proxy, enable Trust XFF Header. Your organization must be licensed for ETP Advanced Threat. Enable this only when the X-Forwarded-For header is set by an on-premises proxy you control; the header is otherwise supplied by the client and cannot be relied on to identify the real source.
    5. To change the logging mode for ETP Proxy, click the Proxy Logging Mode menu and select a new logging mode. By default, Level 1 is selected to ensure that detailed data such as response or request headers are logged in HTTP or HTTPS threat events. For more information, see Proxy logging mode.
    6. To optimize traffic to Microsoft 365 apps and services, enable Optimize Microsoft 365 Traffic.
    7. To apply the policy action of a threat category to risky domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C), in the Risky Domains menu, make sure Classify is selected. Otherwise, select Allow to permit traffic to risky domains without analysis.
    8. To apply the policy action of a threat category to file sharing domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C), in the File Sharing menu, make sure Classify is selected. Otherwise, select Allow to permit traffic to file sharing domains without analysis.
      Note: If you block the File Sharing AUP category, the File Sharing field is not available.
    9. To select how requests are handled when ETP Proxy cannot validate a website's origin certificate, in the Invalid Certificate Response menu, select Block - Error Page to block the request. Otherwise, select Bypass to send the request past ETP Proxy without inspection.
    10. In the Default Action menu, select the action for unclassified traffic and for AUP categories that have no action assigned:
      • If you want traffic to bypass ETP Proxy, select Bypass. If you are licensed for ETP Advanced Threat, this option enables the selective proxy.
      • If you want to classify traffic that is not yet classified by ETP, select Classify. If you are licensed for ETP Advanced Threat, this option enables the full web proxy.
      • If you want to block traffic, select Block - Error Page.
      Note: If your organization is participating in the application visibility and control (AVC) beta, the default action setting is not available in the Settings tab. You configure this setting as part of an AVC configuration in the Access Control area.
  8. If you want to enable ETP Client as a proxy on the client computer or device, in the Overwrite Device Proxy Settings menu, select Yes or Only if there’s no local proxy. Otherwise, you can select No.
  9. If you enabled the proxy and your organization is licensed for Advanced Threat, go to the Payload Analysis section and toggle Enable Inline Payload Analysis to on.
  10. If you want to block files that cannot be scanned with ETP Proxy as part of inline payload analysis, enable Block Unscannable Files.
  11. If your organization is enabled for Advanced Sandbox, complete these steps:
    1. For downloads from 5 MB to 2 GB in size (large files), select an action: Block - Error Page, Allow, or Allow and Scan. For more information, see Static malware analysis of large files.
    2. If you selected Allow and Scan for large files, the Dynamic Analysis toggle becomes available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.
    3. For files larger than 2 GB (huge files), select an action: Block - Error Page or Allow. For more information, see Payload analysis.
  12. In the Browsing Restrictions area, complete these steps:
    1. To enable SafeSearch, toggle Safe Search to on.
    2. To enable YouTube Restricted Mode, in the YouTube menu, select Strict or Moderate. Otherwise, you can select Unrestricted mode to allow unrestricted access to YouTube content.
  13. In the Other Settings area, complete these steps:
    1. Enable Forward Public IP to Origin to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. If you enabled the Optimize Microsoft 365 Traffic option, make sure you also enable this setting.
    2. In the Authentication Mode menu, select Require to require authentication, Optional to let users skip authentication, or None. This mode defines whether users are prompted to authenticate when they access websites that an Acceptable Use Policy (AUP) allows.
    3. If you selected Require or Optional, select an identity provider.
  14. To define policy actions for a threat category, in the Threat tab, complete these steps:
    1. If you want to assign the same policy action to all known threat categories, in the Action menu beside the Known option, select an action. Otherwise, make sure the Known option is expanded to show the threat categories.
    2. For each threat category, select an action. For more information on policy actions, see Policy actions.
    3. If you select the Block action, select a specific response to the user. The Response to User menu is available only when the Block action is selected.
    4. If Error Page is selected and you want to direct traffic to Security Connector, in the Security Connector menu, select a security connector. If you do not want to associate a Security Connector to an Error Page response, select None.
    5. To apply the same policy actions to suspected threats, in the menu beside the Suspected option, select Same as Known. Otherwise, expand the Suspected option to view its threat categories and repeat substeps 2 to 4 of this step for them.
  15. If your organization is participating in the application visibility and control (AVC) beta, see Configure application visibility and control. Otherwise, see Configure an Acceptable Use Policy to configure an acceptable use policy.
  16. To assign a list to the policy, see Add a list to a policy.
  17. To configure custom headers, see Add a custom header.
  18. If your organization is participating in the data loss prevention (DLP) beta and you want to associate a DLP dictionary, complete these steps:
    1. Go to the Access Control tab.
    2. In the DLP tab, click the link icon and select a dictionary or multiple dictionaries.
    3. Click Associate. By default, DLP dictionaries are assigned the Monitor action.
    4. To assign the Block - Error Page action, select it from the Action menu.
      Note: You must have enabled ETP Proxy and inline payload analysis to complete this step. This feature is currently in beta and available to organizations that are licensed for ETP Advanced Threat.
  19. To enable alerts for a security category or list, toggle the Send Alert setting that’s available for each category or list on the Threat tab or the Custom Lists tab.
  20. Click Save.
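The settings in this procedure carry several dependencies (Trust XFF Header needs an Advanced Threat license, Dynamic Analysis is only available with Allow and Scan, DLP dictionaries need the proxy plus inline payload analysis, and so on), and the Origin Ports field has a specific syntax. The following Python script is an added example, not Akamai code and not an ETP export format: it encodes those dependencies, as stated in the steps above, as a pre-flight check you can run over a policy written down as a plain dictionary before you save and deploy it. The dictionary keys, the role and license flags, and the two sample policies are assumptions constructed for this example.

```python
"""Pre-flight checks for an ETP policy before you deploy it.

Added example; not Akamai code. The dictionary layout used for the policy is
an assumption made here, not an ETP export format or API schema. The rules
encode the dependencies stated in the "Create a policy" procedure.
"""
from __future__ import annotations

import re

# Default origin ports for the full web proxy, as listed in the procedure.
DEFAULT_ORIGIN_PORTS = "80-84,443,4443,8080,8443,8888"

_PORT_ENTRY = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_ports(spec: str) -> set[int]:
    """Expand a comma-separated list of ports and ranges ("80-84,443") into a set.

    Raises ValueError on malformed entries, out-of-range ports or inverted ranges.
    """
    allowed: set[int] = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty port entry")
        m = _PORT_ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed port entry: {entry!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {entry!r}")
        allowed.update(range(lo, hi + 1))
    return allowed


def ports_are_valid(spec: str) -> bool:
    """True if the Origin Ports value parses cleanly."""
    try:
        parse_ports(spec)
    except ValueError:
        return False
    return True


def check_policy(policy: dict) -> list[str]:
    """Return the dependency violations found in the policy (empty list if none)."""
    problems: list[str] = []
    proxy = policy.get("enable_proxy", False)
    advanced = policy.get("advanced_threat_license", False)
    payload = policy.get("inline_payload_analysis", False)

    if policy.get("admin_role") == "tenant" and proxy:
        problems.append("a tenant administrator cannot enable ETP Proxy")
    if policy.get("trust_xff_header") and not advanced:
        problems.append("Trust XFF Header requires an ETP Advanced Threat license")
    if policy.get("optimize_m365") and not policy.get("forward_public_ip"):
        problems.append("Optimize Microsoft 365 Traffic needs Forward Public IP to Origin")
    if policy.get("auth_mode") in ("Require", "Optional") and not policy.get("identity_provider"):
        problems.append("Authentication Mode Require/Optional needs an identity provider")
    if payload and not (proxy and advanced):
        problems.append("inline payload analysis requires ETP Proxy and Advanced Threat")
    if policy.get("block_unscannable") and not payload:
        problems.append("Block Unscannable Files only applies with inline payload analysis")
    if policy.get("dynamic_analysis") and policy.get("large_file_action") != "Allow and Scan":
        problems.append("Dynamic Analysis is only available when large files are Allow and Scan")
    if policy.get("huge_file_action") not in (None, "Block - Error Page", "Allow"):
        problems.append("huge files (> 2 GB) can only be Block - Error Page or Allow")
    if policy.get("dlp_dictionaries") and not (proxy and payload):
        problems.append("DLP dictionaries require ETP Proxy and inline payload analysis")
    if not ports_are_valid(policy.get("origin_ports", DEFAULT_ORIGIN_PORTS)):
        problems.append("Origin Ports is not a valid comma-separated list of ports/ranges")
    return problems


# Constructed sample policies for the demo; not taken from any real tenant.
GOOD_POLICY = {
    "admin_role": "super", "advanced_threat_license": True, "enable_proxy": True,
    "trust_xff_header": True, "origin_ports": DEFAULT_ORIGIN_PORTS + ",8000-8010",
    "optimize_m365": True, "forward_public_ip": True,
    "auth_mode": "Require", "identity_provider": "corp-idp",
    "inline_payload_analysis": True, "block_unscannable": True,
    "large_file_action": "Allow and Scan", "dynamic_analysis": True,
    "huge_file_action": "Block - Error Page", "dlp_dictionaries": ["pci"],
}

BAD_POLICY = {
    "admin_role": "tenant", "advanced_threat_license": False, "enable_proxy": True,
    "trust_xff_header": True, "origin_ports": "80-84,443,70000",
    "optimize_m365": True, "forward_public_ip": False, "auth_mode": "Optional",
    "large_file_action": "Allow", "dynamic_analysis": True, "dlp_dictionaries": ["pci"],
}

if __name__ == "__main__":
    print(sorted(parse_ports(DEFAULT_ORIGIN_PORTS)))
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy(pol) or "OK")
```

Running the script prints the expanded default port set, "OK" for the first sample policy and seven findings for the second. Each rule corresponds to one step above; if you extend the checker, keep that one-to-one mapping so a finding points back to the setting that has to change.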

Next steps

After creating a policy, you must deploy the configuration to the ETP network. For instructions, see Deploy configuration changes.