Skip to main content

Cisco Email Security Appliance (IronPort)

This Integration is part of the Cisco Email Security Appliance (IronPort) Pack.#

Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing

Configure Cisco Email Security Appliance (IronPort) on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cisco Email Security Appliance (IronPort).

  3. Click Add instance to create and configure a new integration instance.

    Server URL (e.g.
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Retrieve email security appliance statistical reports.

Base Command#



Argument NameDescriptionRequired
time_rangeUse this attribute to retrieve report(s) for a specified duration. Must provide either this or duration argument. Possible values are: 1d, 1h.Optional
report_typeThe type of report to fetch. Possible values are: mail_authentication_summary, mail_dlp_outgoing_traffic_summary, mail_incoming_malware_threat_file_detail_summary, mail_incoming_traffic_summary, mail_mailbox_auto_remediation, mail_outgoing_traffic_summary, mail_security_summary, mail_sender_group_summary, mail_system_capacity, mail_authentication_incoming_domain_ip, mail_content_filter_incoming, mail_dmarc_incoming_traffic_summary, mail_env_sender_rate_limit, mail_env_sender_stats, mail_fed_content_filter_incoming, mail_hvm_msg_filter_stats, mail_incoming_hat_connections, mail_incoming_malware_threat_file_detail, mail_incoming_web_interaction_track_malicious_users, mail_incoming_web_interaction_track_urls, mail_md_attachment_incoming_file_type, mail_md_attachment_outgoing_file_type, mail_outgoing_web_interaction_track_malicious_users, mail_outgoing_web_interaction_track_urls, mail_msg_filter_stats, mail_sender_group_detail, mail_subject_stats, mail_url_category_summary, mail_url_domain_summary, mail_url_reputation_summary, mail_vof_threat_summary, mail_vof_threats_by_level, mail_vof_threats_by_threat_type, mail_vof_threats_by_time_threshold, mail_vof_threats_by_type, mail_vof_threats_rewritten_url, mail_authentication_incoming_domain, mail_content_filter_outgoing, mail_destination_domain_detail, mail_dlp_outgoing_policy_detail, mail_incoming_domain_detail, mail_incoming_ip_hostname_detail, mail_incoming_network_detail, mail_sender_domain_detail, mail_sender_ip_hostname_detail, mail_users_detail, mail_virus_type_detail.Required
maxUse this attribute to limit the number of results returned by the report. n is the number of results that you want the report to return and can assume values from 1 through 1000. Default is 30. Default is 30.Optional
durationAggregate report(s) for the specified duration. Supported values of TZD are Z , +hh:mm , or -hh:mm. Format should be YYYY-MM-DDThh:mmTZD/YYYY-MM-DDThh:mmTZD.Optional
entityUse this attribute to retrieve reports based on a specified entity such as email address, IP address, and so on. You can choose whether to exactly match the specified text or look for items starting with the specified text (for instance, starts with "ex" will match "").Optional
starts_withUse this attribute to retrieve items starting with the specified entity value. This attribute must be used in conjunction with the entity attribute and value must be set to true , for example, entity=us&starts_with=true .Optional

Context Output#

There is no context output for this command.

Command Example#

!ironport-report report_type=mail_authentication_summary time_range=1d

Context Example#

"IronPort": {
"MailAuthenticationSummary": {
"ReceivedAuth": 0,
"ReceivedConnAuthFail": 0,
"ReceivedConnAuthSuccess": 0,
"ReceivedConnCertFail": 0,
"ReceivedConnCertSuccess": 0,
"ReceivedConnNoauth": 0,
"ReceivedConnTotal": 0,
"ReceivedNoauth": 0,
"ReceivedTotal": 0

Human Readable Output#

IronPort Report#

Received AuthReceived Conn Auth FailReceived Conn Auth SuccessReceived Conn Cert FailReceived Conn Cert SuccessReceived Conn NoauthReceived Conn TotalReceived NoauthReceived Total