Forum Discussion
Automate pending actions
Hi Evald Markinzon
We want to automate as much as possible, so for these actions we want ZAP and native Safe Links to automatically handle deleting emails and blocking URLs.
These extra pending actions are being generated in large volumes and create too many false positives, so we've decided to always reject them and perform these actions manually when necessary.
To avoid alert fatigue and to better highlight the other Actions we need to evaluate, we want to automatically reject these actions so they don't flood the list.
Hi Joachim83
Beyond what was already discussed regarding the redundant actions and your preference for manual investigation, could you please elaborate on the false-positives issue that you mentioned?
It would be great if you could provide any concrete details so we can investigate this further and improve our investigation logic accordingly.
- Joachim83, Aug 17, 2020, Copper Contributor
In general, an e-mail identified as phishing starts an investigation that creates 4 different E-mail Soft Delete actions and one Block URL action for every URL in the email.
Some of these e-mails are false positives; as an example, e-mails from the shipping company postnord.no are regularly detected as phishing. It is very easy for someone to approve these pending actions without proper investigation, and then legitimate e-mails and URLs are deleted and blocked for the entire organization.
If we just let them be and wait for them to expire, then the other actions we actually want to look into are harder to notice in the sea of pending actions.
- Lior Ben Porat, Aug 17, 2020, Microsoft
Thank you for the quick response, Joachim83.
In this case, would you consider the email that initiated the investigation to be a false positive, or only the emails/URLs found by the investigation?
- Joachim83, Aug 17, 2020, Copper Contributor
Usually both: an e-mail can be detected as phishing because it contains a false-positive malicious URL; then the investigation also detects it as phishing and creates Block URL and Soft Delete actions.