Adding module 3

Author: Maddy-Cloudflare

src/assets/images/email-security/deployment/api-setup/api-and-journaling-deployment.png renamed to src/assets/images/learning-paths/secure-o365-email/api-and-journaling-deployment.png

@@ -0,0 +1,38 @@
+---
+title: Active directory sync
+pcx_content_type: how-to
+sidebar:
+  order: 2
+---
+
+Directories are folders to store user data. Email Security allows you to manage directories from the Cloudflare dashboard.
+
+To manage a Microsoft directory:
+
+1. Log in to [Zero Trust ](https://one.dash.cloudflare.com/).
+2. Select **Email security**.
+3. Select **Directories**.
+4. Under **Directory name**, select **MS directory**.
+5. From here, you can manage **Groups** or **Users** directories.
+
+Email Security allows you to view and manage your groups directory and their [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/detection-settings/impersonation-registry/). 
+When a group is added to the registry, all members are registered by default.
+
+To manage your group directory, on the **MS directory** page, select **Groups**.
+
+To add a single group to the registry:
+
+1. Select the group name you want to add.
+2. Select the three dots > **Add to registry**.
+
+To add multiple groups to the registry at once:
+
+1. Select the group names you want to add to the registry.
+2. Select the **Action** dropdown list.
+3. Select **Add to registry**.
+
+In addition, Email Security Allows you to:
+
+- [Remove groups from the registry](/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory/#remove-groups-from-registry)
+- [Filter the impersonation registry](/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory/#filter-impersonation-registry)
+- [Manage users in your directory](/cloudflare-one/email-security/directories/manage-ms-directories/manage-users-directory/)

src/assets/images/email-security/deployment/api-setup/ms365-api-deployment.png renamed to src/assets/images/learning-paths/secure-o365-email/ms365-api-deployment.png

@@ -0,0 +1,39 @@
+---
+title: Create allow policies
+pcx_content_type: how-to
+sidebar:
+  order: 4
+---
+
+Email Security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning. 
+
+You can choose how Email Security will handle messages that match your criteria:
+
+- **Trusted Sender**: Messages will bypass all [detections](/cloudflare-one/email-security/reference/dispositions-and-attributes/) and link following by Email Security. Typically, it only applies to phishing simulations from vendors such as KnowBe4.
+- **Exempt Recipient**: Will exempt messages from all Email Security [detections](/cloudflare-one/email-security/reference/dispositions-and-attributes/) intended for recipients matching this pattern (email address or regular expression only). Typically, this only applies to submission mailboxes for user reporting to security.
+- **Acceptable Sender**: Will exempt messages from the `SPAM`, `SPOOF`, and `BULK` [dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/) (but not `MALICIOUS` or `SUSPICIOUS`). Commonly used for external domains and sources that send mail on behalf of your organization, such as marketing emails or internal tools.
+
+## Configure allow policies
+
+To configure allow policies:
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+2. Select **Email Security**.
+3. Select **Settings**, then go to **Detection settings** > **Allow policies**.
+4. On the **Detection settings** page, select **Add a policy**.
+5. On the **Add an allow policy** page, enter the policy information:
+    - **Input method**: Choose between **Manual input**, and **Uploading an allow policy**:
+        - **Manual input**:
+            - **Action**: Select one of the following to choose how Email Security will handle messages that match your criteria:
+                - **Trust sender**: Messages will bypass all detections and link following.
+                - **Exempt recipient**: Message to this recipient will bypass all detections.
+                - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions.
+        - **Rule type**: Specify the scope of your policy. Choose one of the following:
+            - **Email addresses**: Must be a valid email.
+            - **IP addresses**: Can only be IPv4. IPv6 and CIDR are invalid entries.
+            - **Domains**: Must be a valid domain.
+            - **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email.
+        - **(Recommended) Sender verification**: This option enforces DMARC, SPF, or DKIM authentication. If you choose to enable this option, Email Security will only honor policies that pass authentication.
+            - **Notes**: Provide additional information about your allow policy.
+    - **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Notes`, `Verify Email`, `Trusted Sender`, `Exempt Recipient` and `Acceptable Sender` fields. The first row must be a header row.
+6. Select **Save**.

src/content/docs/learning-paths/secure-o365-email/email-security-configuration/active-directory-sync.mdx

@@ -0,0 +1,30 @@
+---
+title: Impersonation registry
+pcx_content_type: how-to
+sidebar:
+  order: 3
+---
+
+Attackers often try to impersonate executives within an organization when sending malicious emails (with requests about banking information, trade secrets, and more), which is known as a Business Email Compromise (BEC) attack .
+
+This feature protects against these attacks by looking for spoofs of known key users in an organization . Information about key users you either synced with your directory or entered manually in the dashboard is used by Email Security to run enhanced scan techniques and find these spoofed emails.
+
+To add a user to the impersonation registry:
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+2. Select **Email Security**.
+3. Select **Settings** > **Impersonation registry**.
+4. Select **Add a user**.
+5. Select **Input method**: Choose between **Manual input**, **Upload manual list**, and **Select from existing directories**:
+    - **Manual input**: Enter the following information:
+        - **User info**: enter a valid **Display name**.
+        - **User email**: Enter one of the following:
+            - **Email address**: Enter all known email addresses, separated by a comma.
+            - **Regular expressions**: Must be valid Java expressions.
+    - **Upload manual list**: You can upload a file no larger than 150 KB containing all variables of potential emails. The file must contain `Display_Name` and `Email`, and the first row must be the header row.
+    - **Select from existing directories**:
+        - **Select directory**: Select your directory.
+        - **Add users or groups**: Choose the users or groups you want to register.
+6. Select **Save**.
+
+For more information on how to edit and remove users, refer to [Impersonation Registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/#edit-users). 

src/content/docs/learning-paths/secure-o365-email/email-security-configuration/create-allow-policies.mdx

@@ -0,0 +1,8 @@
+---
+title: Initial Email Security Configuration
+pcx_content_type: overview
+sidebar:
+  order: 1
+---
+
+With Email Security, there is limited manual configuration and tuning. The Active Directory sync, allow policies, and additional detections are important to consider when you set up the tool. 

src/content/docs/learning-paths/secure-o365-email/email-security-configuration/impersonation-registry.mdx

@@ -0,0 +1,61 @@
+---
+title: Set additional detections
+pcx_content_type: how-to
+sidebar:
+  order: 5
+---
+
+Email Security allows you to configure the following additional detections:
+
+- [Domain age](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-domain-age)
+- [Blank email detection](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-blank-email-detection)
+- [Automated Clearing House (ACH)](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-ach-change-from-free-email-detection) change from free email detection.
+- [HTML attachment email detection](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-html-attachment-email-detection)
+
+To configure additional detections:
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+2. Select **Email Security**.
+3. Select **Settings**.
+4. On the Settings page, go to **Detection settings** > **Additional detections**, and select **Edit**.
+
+## Configure domain age
+
+The domain age is the time since the domain has been registered.
+
+To configure a domain age:
+
+1. On the **Edit additional detections** page:
+    - Select **Malicious domain age**: Controls the threshold for a malicious disposition. Maximum of 100 days.
+    - Select **Suspicious domain age**: Controls the threshold for a suspicious disposition. Maximum of 100 days.
+2. Select **Save**.
+
+## Configure blank email detection
+
+Blank email detection detects emails with blank bodies and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions.
+
+To enable blank email detection:
+
+1. On the **Edit additional detections** page, enable **Blank email detection**.
+2. Choose between **Malicious** and **Suspicious**.
+3. Select **Save**.
+
+## Configure ACH change from free email detection
+
+[Automated Clearing House (ACH)](https://en.wikipedia.org/wiki/Automated_clearing_house) is a banking term related to direct deposits. ACH change from free email detection detects payroll inquiries or change requests from free email domains and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions.
+
+To enable ACH change from free email detection:
+
+1. On the **Edit additional detections** page, enable **ACH change from free email detection**.
+2. Choose between **Malicious** and **Suspicious**.
+3. Select **Save**.
+
+## Configure HTML Attachment Email Detection
+
+HTML attachment email detection detects HTM and HTML attachments in emails and assigns a default disposition.
+
+To enable HTML attachment email detection:
+
+1. On the **Edit additional detections** page, enable **HTML attachment email detection**.
+2. Choose between **Malicious** and **Suspicious**.
+3. Select **Save**.

src/content/docs/learning-paths/secure-o365-email/email-security-configuration/index.mdx

@@ -0,0 +1,17 @@
+---
+title: Testing before production deployment
+pcx_content_type: how-to
+sidebar:
+  order: 6
+---
+
+Email Security can be deployed quickly. Setting up the Graph API only takes a few minutes. 
+
+Email Security uses machine learning techniques to better understand your email environment. For this reason, there is a 5-7 day baseline period in which False Negative and False Positives are to be expected while the system learns what your normal mail patterns are. 
+
+Moving from a cold start straight into production is not recommended. 
+
+You can use the following testing methods which provide visibility during the baseline period without disruption to mail flow:
+
+- [Microsoft O365 Journaling Setup](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/)
+- [Microsoft O365 Graph API Setup](/cloudflare-one/email-security/setup/post-delivery-deployment/api/)

src/content/docs/learning-paths/secure-o365-email/email-security-configuration/set-additional-detections.mdx

@@ -11,7 +11,7 @@ If you do not have a Cloudflare account, you can create one for free by referrin
 
 From there, your account team will create an Email Security account for you. To establish your tenant, you will need the following information:
 
-- *Average Monthly Inbound Message Volume*
-- *Number of Active Email Users*
-- *Domain(s)*
-- *Admin Email Address*
+- Average monthly inbound message volume
+- Number of active email users
+- At least one domain
+- Admin email address

src/content/docs/learning-paths/secure-o365-email/email-security-configuration/testing.mdx

@@ -8,4 +8,5 @@ sidebar:
 While there are multiple deployment methods, the easiest way to get started with Email Security is via the API deployment method.
 
 When you choose the [API deployment](/cloudflare-one/email-security/setup/post-delivery-deployment/api/), Email Security can both scan and take actions on emails after they have reached a user's inbox. 
+
 With a [Journaling setup](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/) alone without API integration, Email Security can only scan emails after it has reached a user's inbox.