Cisco ESA
This Integration is part of the Cisco Email Security Appliance (IronPort) Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts. This integration was integrated and tested with version 14.0 of Cisco Email Security Appliance.
Configure Cisco ESA on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Cisco ESA.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL Base URL, e.g., https://XXX.eu.iphmx.com True Username True Password True Maximum incidents per fetch Default is 50. Maximum is 100. False First fetch timestamp Timestamp in ISO format or number time unit,
e.g., 2022-01-01T00:00:00000Z, 12 hours, 7 days, 3 months, now.False Filter by The message field by which to fetch results. False Filter operator The message field operator by which to fetch results. False Filter value The message filter value by which to fetch results. False Recipient filter operator The message recipient filter operator by which to fetch results. False Recipient filter value The message recipient filter value by which to fetch results. False Time to live for the JWT connection token (in minutes). False Use system proxy settings False Trust any certificate (not secure) False Incident type False Fetch incidents False Click Test to validate the URLs, token, and connection.
Troubleshooting#
If you encounter multiple recurring errors similar to the following message:
By default, the integration assumes your JWT session tokens have a time to live of 30 minutes. If the time to live is shorter, it can lead to the authorization error above. To resolve this error, reduce the value for the Time to live for JWT session token parameter. By default, this value is 30 minutes and should only be reduced if these errors occur.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
cisco-esa-spam-quarantine-message-search#
Search messages in the spam quarantine.
Base Command#
cisco-esa-spam-quarantine-message-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| start_date | Start date in ISO format or <number> <time unit>, e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now. | Required |
| end_date | End date in ISO format or <number> <time unit>, e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now. | Required |
| filter_by | The message field by which to filter the results. Possible values are: from_address, to_address, subject. | Optional |
| filter_operator | Filter operator by which to filter the results. Possible values are: contains, is, begins_with, ends_with, does_not_contain. | Optional |
| filter_value | The value to search for. This is a user defined value. D.g., filterValue=abc.com. | Optional |
| recipient_filter_operator | Recipient operator filter by which to filter the results. Possible values are: contains, is, begins_with, ends_with, does_not_contain. | Optional |
| recipient_filter_value | Recipient filter by which to filter the results. | Optional |
| order_by | The attribute by which to order the data in the response. Possible values are: from_address, date, subject, size. | Optional |
| order_dir | Results order direction. Possible values are: asc, desc. | Optional |
| page | Page number of paginated results. Minimum value: 1. | Optional |
| page_size | Number of results per page. Maximum value 100. | Optional |
| limit | The maximum number of records to retrieve. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.SpamQuarantineMessage.envelopeRecipient | String | Recipient email address. |
| CiscoESA.SpamQuarantineMessage.toAddress | String | Recipient email address. |
| CiscoESA.SpamQuarantineMessage.subject | String | Email subject. |
| CiscoESA.SpamQuarantineMessage.date | String | Email due date. |
| CiscoESA.SpamQuarantineMessage.fromAddress | String | Sender email address. |
| CiscoESA.SpamQuarantineMessage.size | String | email size. |
| CiscoESA.SpamQuarantineMessage.mid | Number | Message ID. |
Command example#
!cisco-esa-spam-quarantine-message-search start_date=2weeks end_date=now page=3 page_size=2
Context Example#
Human Readable Output#
Spam Quarantine Messages List#
Showing page 3. Current page size: 2. |Mid|Date|From Address|To Address|Subject|Size| |---|---|---|---|---|---| | 1573 | 13 Oct 2022 11:56 (GMT +00:00) | Test Test test@test.com | "test@test.com" test@test.com | hello 1 | 10.20K | | 1571 | 13 Oct 2022 11:54 (GMT +00:00) | Test Test test@test.com | "test@test.com" test@test.com | test 2 | 10.20K |
cisco-esa-spam-quarantine-message-get#
Get spam quarantine message details.
Base Command#
cisco-esa-spam-quarantine-message-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| message_id | Message ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.SpamQuarantineMessage.envelopeRecipient | String | Message recipient. |
| CiscoESA.SpamQuarantineMessage.toAddress | String | Message recipient. |
| CiscoESA.SpamQuarantineMessage.messageBody | String | Message body. |
| CiscoESA.SpamQuarantineMessage.date | String | Message date. |
| CiscoESA.SpamQuarantineMessage.fromAddress | String | Message sender. |
| CiscoESA.SpamQuarantineMessage.subject | String | Message subject. |
| CiscoESA.SpamQuarantineMessage.mid | Number | Message ID. |
Command example#
!cisco-esa-spam-quarantine-message-get message_id=1572
Context Example#
Human Readable Output#
Spam Quarantine Message#
Found spam quarantine message with ID: 1572 |Mid|From Address|To Address|Date|Subject| |---|---|---|---|---| | 1572 | Test Test test@test.com | "test@test.com" test@test.com | 13 Oct 2022 11:56 (GMT +00:00) | hello |
cisco-esa-spam-quarantine-message-release#
Release quarantine emails.
Base Command#
cisco-esa-spam-quarantine-message-release
Input#
| Argument Name | Description | Required |
|---|---|---|
| message_ids | A comma-separated list of message IDs. | Required |
Context Output#
There is no context output for this command.
Command example#
!cisco-esa-spam-quarantine-message-release message_ids=1573
Human Readable Output#
Quarantined message 1573 successfully released.
cisco-esa-spam-quarantine-message-delete#
Delete quarantine emails.
Base Command#
cisco-esa-spam-quarantine-message-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| message_ids | A comma-separated list of message IDs to delete. | Required |
Context Output#
There is no context output for this command.
Command example#
!cisco-esa-spam-quarantine-message-delete message_ids=1574
Human Readable Output#
Quarantined message 1574 successfully deleted.
cisco-esa-list-entry-get#
Get spam quarantine blocklist/safelist entry.
Base Command#
cisco-esa-list-entry-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| entry_type | List entry type. Possible values are: blocklist, safelist. | Required |
| page | Page number of paginated results. Minimum value: 1. | Optional |
| page_size | Number of results per page. Maximum value 100. | Optional |
| limit | The maximum number of records to retrieve. Default is 50. | Optional |
| order_by | The attribute by which to order the data in the response. Possible values are: recipient, sender. | Optional |
| order_dir | Results order direction. Possible values are: asc, desc. | Optional |
| view_by | View results by. Possible values are: recipient, sender. Default is recipient. | Optional |
| search | Search for recipients or senders in blocklist/safelist with 'contains' operator. e.g., test@test.com, test.com This is only supported for the argument view_by=recipient. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.ListEntry.Blocklist.senderList | String | Sender list. |
| CiscoESA.ListEntry.Blocklist.recipientAddress | String | Recipient address. |
| CiscoESA.ListEntry.Blocklist.recipientList | String | Recipient list. |
| CiscoESA.ListEntry.Blocklist.senderAddress | String | Sender address. |
| CiscoESA.ListEntry.Safelist.senderList | String | Sender list. |
| CiscoESA.ListEntry.Safelist.recipientAddress | String | Recipient address. |
| CiscoESA.ListEntry.Safelist.recipientList | String | Recipient list. |
| CiscoESA.ListEntry.Safelist.senderAddress | String | Sender address. |
Command example#
!cisco-esa-list-entry-get entry_type=safelist page=2 page_size=3 view_by=recipient order_by=recipient order_dir=desc
Context Example#
Human Readable Output#
Safelist Entries#
Showing page 2. Current page size: 3. |Recipient Address|Sender List| |---|---| | test4@test.com | test@test.com | | test3@test.com | test@test.com | | test2@test.com | test@test.com |
cisco-esa-list-entry-add#
Add spam quarantine blocklist/safelist entry.
Base Command#
cisco-esa-list-entry-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| entry_type | List entry type. Possible values are: blocklist, safelist. | Required |
| view_by | Add list entry by recipient/sender. When view_by = recipient, recipient_addresses and sender_list are mandatory. When view_by = sender, sender_addresses and recipient_list are mandatory. Possible values are: recipient, sender. Default is recipient. | Optional |
| recipient_addresses | A comma-separated list of recipient addresses to add. | Optional |
| sender_list | A comma-separated list of senders to add. | Optional |
| sender_addresses | A comma-separated list of sender addresses to add. | Optional |
| recipient_list | A comma-separated list of recipients to add. | Optional |
Context Output#
There is no context output for this command.
Command example#
!cisco-esa-list-entry-add entry_type=blocklist view_by=recipient recipient_addresses=test@test.com sender_list=t1@test.com,t2@test.com
Human Readable Output#
Successfully added t1@test.com, t2@test.com senders to test@test.com recipients in blocklist.
cisco-esa-list-entry-append#
Append spam quarantine blocklist/safelist entry.
Base Command#
cisco-esa-list-entry-append
Input#
| Argument Name | Description | Required |
|---|---|---|
| entry_type | List entry type. Possible values are: blocklist, safelist. | Required |
| view_by | Append list entry by recipient/sender. When view_by = recipient, recipient_addresses and sender_list are mandatory. When view_by = sender, sender_addresses and recipient_list are mandatory. Possible values are: recipient, sender. Default is recipient. | Optional |
| recipient_list | A comma-separated list of recipients to append. | Optional |
| sender_list | A comma-separated list of senders to append. | Optional |
| recipient_addresses | A comma-separated list of recipient addresses to append. | Optional |
| sender_addresses | A comma-separated list of sender addresses to append. | Optional |
Context Output#
There is no context output for this command.
Command example#
!cisco-esa-list-entry-append entry_type=blocklist recipient_addresses=test@test.com sender_list=t4@test.com
Human Readable Output#
Successfully appended t4@test.com senders to test@test.com recipients in blocklist.
cisco-esa-list-entry-edit#
Edit spam quarantine blocklist/safelist entry. Using this command will override the existing value.
Base Command#
cisco-esa-list-entry-edit
Input#
| Argument Name | Description | Required |
|---|---|---|
| entry_type | List entry type. Possible values are: blocklist, safelist. | Required |
| view_by | Edit list entry by recipient/sender. When view_by = recipient, recipient_addresses and sender_list are mandatory. When view_by = sender, sender_addresses and recipient_list are mandatory. Possible values are: recipient, sender. Default is recipient. | Optional |
| recipient_list | A comma-separated list of recipients to edit. | Optional |
| sender_list | A comma-separated list of senders to edit. | Optional |
| recipient_addresses | A comma-separated list of recipient addresses to edit. | Optional |
| sender_addresses | A comma-separated list of sender addresses to edit. | Optional |
Context Output#
There is no context output for this command.
Command example#
!cisco-esa-list-entry-edit entry_type=blocklist view_by=recipient recipient_addresses=test@test.com sender_list=t5@test.com,t6@test.com
Human Readable Output#
Successfully edited test@test.com recipients' senders to t5@test.com, t6@test.com in blocklist.
cisco-esa-list-entry-delete#
Delete spam quarantine blocklist/safelist entry.
Base Command#
cisco-esa-list-entry-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| entry_type | List entry type. Possible values are: blocklist, safelist. | Required |
| view_by | Delete list entry by recipient/sender. When view_by = recipient, recipient_list is mandatory. When view_by = sender, sender_list is mandatory. Possible values are: recipient, sender. Default is recipient. | Optional |
| recipient_list | List of recipient/sender addresses to delete. | Optional |
| sender_list | List of recipient/sender addresses to delete. | Optional |
Context Output#
There is no context output for this command.
Command example#
!cisco-esa-list-entry-delete entry_type=blocklist view_by=recipient recipient_list=test@test.com
Human Readable Output#
Successfully deleted test@test.com recipients from blocklist.
cisco-esa-message-search#
Search tracking messages.
Base Command#
cisco-esa-message-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| start_date | Start date in ISO format or <number> <time unit>, e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now. | Required |
| end_date | End date in ISO format or <number> <time unit>, e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now. | Required |
| page | Page number of paginated results. Minimum value: 1. | Optional |
| page_size | Number of results per page. Maximum value 100. | Optional |
| limit | The maximum number of records to retrieve. Default is 50. | Optional |
| sender_filter_operator | Sender filter operator. Possible values are: contains, is, begins_with. | Optional |
| sender_filter_value | Sender filter value. | Optional |
| recipient_filter_operator | Recipient filter operator. Possible values are: contains, is, begins_with. | Optional |
| recipient_filter_value | Recipient filter value. | Optional |
| subject_filter_operator | Subject filter operator. Possible values are: contains, is, begins_with. | Optional |
| subject_filter_value | Subject filter value. | Optional |
| attachment_name_operator | Attachment name operator. Possible values are: contains, is, begins_with. | Optional |
| attachment_name_value | Attachment name value. | Optional |
| file_sha_256 | SHA256 must be 64 characters long and can contain only "0-9" and "a-f" characters. e.g. e0d123e5f316bef78bfdf5a008837577e0d123e5f316bef78bfdf5a008837577. | Optional |
| custom_query | Custom query for cisco ESA's advanced filters. Syntax: <key>=<value>;<key>=<value>;<key>=<value> e.g., graymail=True;message_delivered=True. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.Message.hostName | String | Email gateway hostname. |
| CiscoESA.Message.friendly_from | String | Friendly formatted sender email address. |
| CiscoESA.Message.isCompleteData | String | Whether the entire data was pulled. |
| CiscoESA.Message.messageStatus | String | Message delivery status. |
| CiscoESA.Message.recipientMap | String | Recipients list. |
| CiscoESA.Message.senderIp | String | Sender IP address. |
| CiscoESA.Message.mailPolicy | String | Matched mail policy. |
| CiscoESA.Message.senderGroup | String | Matched sender group. |
| CiscoESA.Message.subject | String | Subject of email message. |
| CiscoESA.Message.mid | Number | Message ID. |
| CiscoESA.Message.senderDomain | String | Domain of email message sender. |
| CiscoESA.Message.finalSubject | String | Extended email subject. |
| CiscoESA.Message.direction | String | Message direction, incoming or outgoing. |
| CiscoESA.Message.icid | Number | An Injection Connection ID (ICID). A numerical identifier for an individual SMTP connection to the system. |
| CiscoESA.Message.replyTo | String | Email message reply to. |
| CiscoESA.Message.timestamp | String | Time of the email message. |
| CiscoESA.Message.messageID | String | Extended message ID. |
| CiscoESA.Message.verdictChart | String | Verdict visual chart ID. |
| CiscoESA.Message.recipient | String | Recipients email addresses list. |
| CiscoESA.Message.sender | String | Sender email address. |
| CiscoESA.Message.serialNumber | String | Cisco ESA email gateway serial number. |
| CiscoESA.Message.allIcid | Number | ICIDs list. |
| CiscoESA.Message.sbrs | String | Sender Base Reputation Scores. |
Command example#
!cisco-esa-message-search start_date=1month end_date=now page=3 page_size=2 subject_filter_operator=contains subject_filter_value=test
Context Example#
Human Readable Output#
Messages List#
Showing page 3. Current page size: 2. |Mid|All Icid|Serial Number|Sender|Recipient|Subject|Message Status|Timestamp|Sender Ip|Sbrs| |---|---|---|---|---|---|---|---|---|---| | 1438 | 29969 | test-test | test@test.com | test@test.com | test | 1438: Quarantined by Anti-Spam/Graymail | 2022-10-03T11:54:28Z | 1.1.1.1 | 3.5 | | 758 | 19653 | test-test | test@test.com | test@test.com | test123 | 758: Quarantined by Anti-Spam/Graymail | 2022-09-20T15:03:40Z | 1.1.1.1 | 3.5 |
cisco-esa-message-details-get#
Get message details.
Base Command#
cisco-esa-message-details-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| serial_number | Email gateway serial number. | Required |
| message_ids | Message ID list. | Required |
| injection_connection_id | Injection connection ID. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.Message.sdrAge | String | Sender domain reputation age. |
| CiscoESA.Message.attachments | String | Message attachments. |
| CiscoESA.Message.hostName | String | Email gateway hostname. |
| CiscoESA.Message.isCompleteData | Boolean | Whether the entire data was pulled. |
| CiscoESA.Message.messageStatus | String | Message delivery status. |
| CiscoESA.Message.mailPolicy | String | Matched mail policy. |
| CiscoESA.Message.senderGroup | String | Matched sender group. |
| CiscoESA.Message.subject | String | Subject of email message. |
| CiscoESA.Message.showSummaryTimeBox | Boolean | Whether to display the summary timebox. |
| CiscoESA.Message.sdrCategory | String | Sender domain reputation category. |
| CiscoESA.Message.mid | Number | Message ID. |
| CiscoESA.Message.sendingHostSummary.reverseDnsHostname | String | Sending host reverse DNS hostname. |
| CiscoESA.Message.sendingHostSummary.ipAddress | String | Sending host IP address. |
| CiscoESA.Message.sendingHostSummary.sbrsScore | String | Sending host sender base reputation scores. |
| CiscoESA.Message.direction | String | Message direction, incoming or outgoing. |
| CiscoESA.Message.smtpAuthId | String | SMTP authorization ID. |
| CiscoESA.Message.midHeader | String | Message ID header. |
| CiscoESA.Message.timestamp | String | Email message time. |
| CiscoESA.Message.showDLP | Boolean | Whether the DLP report is available. |
| CiscoESA.Message.messageSize | String | Email message size. |
| CiscoESA.Message.sdrReputation | String | Sender domain reputation. |
| CiscoESA.Message.showURL | Boolean | Whether the URL report is available. |
| CiscoESA.Message.recipient | String | Message recipient email address. |
| CiscoESA.Message.sender | String | Message sender email address. |
| CiscoESA.Message.showAMP | Boolean | Whether the AMP report is available. |
| CiscoESA.Message.summary.timestamp | String | Event summary time. |
| CiscoESA.Message.summary.description | String | Event summary description |
| CiscoESA.Message.summary.lastEvent | Boolean | Whether this is the last summary event. |
| CiscoESA.Message.allIcid | Number | ICIDs list. |
| CiscoESA.Message.headerFrom | String | Email message header from. |
Command example#
!cisco-esa-message-details-get serial_number=test-test message_ids=1576 injection_connection_id=36859
Context Example#
Human Readable Output#
Message Details#
Found message with ID 1576. |Mid|All Icid|Subject|Sender|Recipient|Timestamp|Message Size|Sending Host Summary|Message Status|Direction|Mail Policy|Sender Group|Show AMP|Show DLP|Show URL| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 1576 | 36859 | hello 4 | test@test.com | test@test.com | 2022-10-13T11:56:23Z | 9.17 (KB) | reverseDnsHostname: mail-test.test.test.test.com (verified)
ipAddress: 1.1.1.1
sbrsScore: 3.5 | Quarantined by Anti-Spam/Graymail | incoming | DEFAULT | ACCEPTLIST | false | false | false |Message Summary#
Description Timestamp Last Event Incoming connection (ICID 36859) has sender_group: ACCEPTLIST, sender_ip: 1.1.1.1 and sbrs: 3.5 2022-10-13T11:56:22Z false Protocol SMTP interface Data 1 (IP 1.1.1.1) on incoming connection (ICID 36859) from sender IP 1.1.1.1. Reverse DNS host mail-test.test.test.test.com verified yes. 2022-10-13T11:56:22Z false (ICID 36859) ACCEPT sender group ACCEPTLIST match sbrs[0.0:10.0] SBRS 3.5 country Ireland 2022-10-13T11:56:22Z false Incoming connection (ICID 36859) successfully accepted TLS protocol TLSv1.2 cipher test-test-test. 2022-10-13T11:56:23Z false Message 1576 Sender Domain: test.com 2022-10-13T11:56:23Z false Start message 1576 on incoming connection (ICID 36859). 2022-10-13T11:56:23Z false Message 1576 enqueued on incoming connection (ICID 36859) from test@test.com. 2022-10-13T11:56:23Z false Message 1576 direction: incoming 2022-10-13T11:56:23Z false Message 1576 Domains for which SDR is requested: reverse DNS host: mail-test.test.test.test.com, helo: test.test.test.com, env-from: test.com, header_from: Not Present, reply_to: Not Present 2022-10-13T11:56:23Z false Message 1576 Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: test.com 2022-10-13T11:56:23Z false Message 1576 on incoming connection (ICID 36859) added recipient (test@test.com). 2022-10-13T11:56:23Z false Message 1576 SPF: mailfrom identity test@test.com Pass 2022-10-13T11:56:23Z false Message 1576 DKIM: pass signature verified (d=test.test.com s=selector2-test-test-com i=@test.test.com) 2022-10-13T11:56:23Z false Message 1576: DMARC Verification skipped (No record found for the sending domain). 2022-10-13T11:56:23Z false Message 1576 contains message ID header 'test@test.test.com'. 2022-10-13T11:56:23Z false Message 1576 original subject on injection: hello 4 2022-10-13T11:56:23Z false Message 1576 Domains for which SDR is requested: reverse DNS host: mail-test.test.test.test.com, helo: test.test.test.com, env-from: test.com, header_from: test.com, reply_to: Not Present 2022-10-13T11:56:23Z false Message 1576 Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: test.com 2022-10-13T11:56:23Z false Message 1576 (9389 bytes) from test@test.com ready. 2022-10-13T11:56:23Z false Message 1576 has sender_group: ACCEPTLIST, sender_ip: 1.1.1.1 and sbrs: 3.5 2022-10-13T11:56:23Z false Message 1576 matched per-recipient policy DEFAULT for inbound mail policies. 2022-10-13T11:56:23Z false Message 1576 scanned by Anti-Spam engine: SLBL. Interim verdict: Positive 2022-10-13T11:56:23Z false Message 1576 scanned by Anti-Spam engine: SLBL. Final verdict: Positive 2022-10-13T11:56:23Z false Incoming connection (ICID 36859) lost. 2022-10-13T11:56:23Z false Message 1576 scanned by Anti-Virus engine McAfee. Interim verdict: CLEAN 2022-10-13T11:56:23Z false Message 1576 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 2022-10-13T11:56:23Z false Message 1576 scanned by Anti-Virus engine. Final verdict: Negative 2022-10-13T11:56:23Z false Message 1576 scanned by Advanced Malware Protection engine. Final verdict: SKIPPED(no attachment in message) 2022-10-13T11:56:23Z false Message 1576 scanned by Outbreak Filters. Verdict: Negative 2022-10-13T11:56:24Z false Message 1576 queued for delivery. 2022-10-13T11:56:24Z false Remote procedure call connection (RCID 1) started for message 1576 to local Spam Quarantine. 2022-10-13T11:56:27Z false Message 1576 quarantined in Spam Quarantine. 2022-10-13T11:56:27Z true
cisco-esa-message-amp-details-get#
Get message AMP summary details.
Base Command#
cisco-esa-message-amp-details-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| serial_number | Email gateway serial number. | Required |
| message_ids | Message ID list. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.AMPDetail.sdrAge | String | Sender domain reputation age. |
| CiscoESA.AMPDetail.attachments | String | Message attachments. |
| CiscoESA.AMPDetail.hostName | String | Email gateway hostname. |
| CiscoESA.AMPDetail.direction | String | Message direction, incoming or outgoing. |
| CiscoESA.AMPDetail.messageStatus | String | Message delivery status. |
| CiscoESA.AMPDetail.senderGroup | String | Matched sender group. |
| CiscoESA.AMPDetail.subject | String | Email message subject. |
| CiscoESA.AMPDetail.sdrCategory | String | Sender domain reputation category. |
| CiscoESA.AMPDetail.mid | Number | Message ID. |
| CiscoESA.AMPDetail.ampDetails.timestamp | String | AMP event summary details timestamp. |
| CiscoESA.AMPDetail.ampDetails.description | String | AMP event summary details description. |
| CiscoESA.AMPDetail.ampDetails.lastEvent | Boolean | AMP event summary details last event. |
| CiscoESA.AMPDetail.smtpAuthId | String | SMTP authorization ID. |
| CiscoESA.AMPDetail.midHeader | String | Message ID header. |
| CiscoESA.AMPDetail.timestamp | String | Email message time. |
| CiscoESA.AMPDetail.messageSize | String | Email message size. |
| CiscoESA.AMPDetail.sdrThreatLevels | String | Sender domain reputation threat levels. |
| CiscoESA.AMPDetail.sdrReputation | String | Sender domain reputation. |
| CiscoESA.AMPDetail.recipient | String | Message recipient email address. |
| CiscoESA.AMPDetail.sender | String | Message sender email address. |
| CiscoESA.AMPDetail.showAMPDetails | Boolean | Whether to show AMP details. |
| CiscoESA.AMPDetail.allIcid | Number | ICIDs list. |
| CiscoESA.AMPDetail.headerFrom | String | Email header from. |
Command example#
!cisco-esa-message-amp-details-get message_ids=741,742,743 serial_number=test-test
Context Example#
Human Readable Output#
Message AMP Report Details#
Found AMP details for message ID 741, 742, 743. |Mid|All Icid|Subject|Sender|Recipient|Attachments|Timestamp|Message Size|Message Status|Direction|Sender Group| |---|---|---|---|---|---|---|---|---|---|---| | 741,
742,
743 | 19599 | Fwd: test | test@test.com | test@test.com | bear.jpg | 2022-09-20T13:31:15Z | 439.26 (KB) | Quarantined by Multiple Engines | incoming | ACCEPTLIST |Message AMP Report Details Summary#
Description Timestamp File reputation query initiating. File Name = bear.jpg, MID = 741, File Size = 325663 bytes, File Type = image/jpeg 2022-09-20T13:31:18Z Response received for file reputation query from Cache. File Name = bear.jpg, MID = 741, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 23a9113530549916cd5b410edee79cb5a0fc01233eb9051f9c882a2e7c3fbfbe, upload_action = Recommended to send the file for analysis, verdict_source = AMP, Suspected Malware Categories = None 2022-09-20T13:31:18Z File not uploaded for analysis. MID = 741 File SHA256[23a9113530549916cd5b410edee79cb5a0fc01233eb9051f9c882a2e7c3fbfbe] file mime[image/jpeg] Reason: The file type is not configured for analysis 2022-09-20T13:31:18Z
cisco-esa-message-dlp-details-get#
Get message DLP summary details.
Base Command#
cisco-esa-message-dlp-details-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| serial_number | Email gateway serial number. | Required |
| message_ids | Message ID list. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.DLPDetail.direction | String | Message direction, incoming or outgoing. |
| CiscoESA.DLPDetail.smtpAuthId | String | SMTP authorization ID. |
| CiscoESA.DLPDetail.sdrAge | String | Sender domain reputation age. |
| CiscoESA.DLPDetail.sender | String | Message sender email address. |
| CiscoESA.DLPDetail.midHeader | String | Message ID header. |
| CiscoESA.DLPDetail.timestamp | String | Email message time. |
| CiscoESA.DLPDetail.sdrCategory | String | Sender domain reputation category. |
| CiscoESA.DLPDetail.hostName | String | Email gateway hostname. |
| CiscoESA.DLPDetail.mid | Number | Message ID. |
| CiscoESA.DLPDetail.attachments | String | Message attachments. |
| CiscoESA.DLPDetail.messageSize | String | Email message size. |
| CiscoESA.DLPDetail.dlpDetails.violationSeverity | String | DLP details violation severity. |
| CiscoESA.DLPDetail.dlpDetails.dlpMatchedContent.messagePartMatch.classifier | String | DLP matched content classifier. |
| CiscoESA.DLPDetail.dlpDetails.dlpMatchedContent.messagePartMatch.classifierMatch | String | DLP matched content classifier match. |
| CiscoESA.DLPDetail.dlpDetails.dlpMatchedContent.messagePart | String | DLP matched content message part. |
| CiscoESA.DLPDetail.dlpDetails.mid | String | DLP message ID. |
| CiscoESA.DLPDetail.dlpDetails.riskFactor | Number | DLP risk factor. |
| CiscoESA.DLPDetail.dlpDetails.dlpPolicy | String | DLP policy. |
| CiscoESA.DLPDetail.sdrThreatLevels | String | Sender domain reputation threat levels. |
| CiscoESA.DLPDetail.sdrReputation | String | Sender domain reputation. |
| CiscoESA.DLPDetail.messageStatus | String | Message delivery status. |
| CiscoESA.DLPDetail.allIcid | Number | ICIDs list. |
| CiscoESA.DLPDetail.senderGroup | String | Matched sender group. |
| CiscoESA.DLPDetail.recipient | String | Message recipient email address. |
| CiscoESA.DLPDetail.subject | String | Email message subject. |
| CiscoESA.DLPDetail.headerFrom | String | Email header from. |
Command example#
!cisco-esa-message-dlp-details-get message_ids=1131 serial_number=test-test
Context Example#
Human Readable Output#
Message DLP Report Details#
Found DLP details for message ID 1131. |Mid|All Icid|Subject|Sender|Recipient|Timestamp|Message Size|Message Status|Direction|Sender Group| |---|---|---|---|---|---|---|---|---|---| | 1131 | 20460 | Fw: DLP | test@test.com | test@test.com | 2022-09-21T08:42:32Z | 29.67 (KB) | Delivered | outgoing | RELAY_O365 |
Message DLP Report Details Summary#
Mid Violation Severity Risk Factor Dlp Policy 1131 HIGH 72 US HIPAA and HITECH (Low Threshold)
cisco-esa-message-url-details-get#
Get message URL summary details.
Base Command#
cisco-esa-message-url-details-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| serial_number | Email gateway serial number. | Required |
| message_ids | Message ID list. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.URLDetail.sdrAge | String | Sender domain reputation age. |
| CiscoESA.URLDetail.attachments | String | Message attachments. |
| CiscoESA.URLDetail.showURLDetails | Boolean | Whether to show URL event details. |
| CiscoESA.URLDetail.urlDetails.timestamp | String | URL event details timestamp. |
| CiscoESA.URLDetail.urlDetails.description | String | URL event details description. |
| CiscoESA.URLDetail.hostName | String | Email gateway hostname. |
| CiscoESA.URLDetail.direction | String | Message direction, incoming or outgoing. |
| CiscoESA.URLDetail.messageStatus | String | Message delivery status. |
| CiscoESA.URLDetail.senderGroup | String | Matched sender group. |
| CiscoESA.URLDetail.subject | String | Email message subject. |
| CiscoESA.URLDetail.sdrCategory | String | Sender domain reputation category. |
| CiscoESA.URLDetail.mid | Number | Message ID. |
| CiscoESA.URLDetail.smtpAuthId | String | SMTP authorization ID. |
| CiscoESA.URLDetail.midHeader | String | Message ID header. |
| CiscoESA.URLDetail.timestamp | String | Email message time. |
| CiscoESA.URLDetail.messageSize | String | Email message size. |
| CiscoESA.URLDetail.sdrThreatLevels | String | Sender domain reputation threat levels. |
| CiscoESA.URLDetail.sdrReputation | String | Sender domain reputation. |
| CiscoESA.URLDetail.recipient | String | Message recipient email address. |
| CiscoESA.URLDetail.sender | String | Message sender email address. |
| CiscoESA.URLDetail.allIcid | Number | ICIDs list. |
| CiscoESA.URLDetail.headerFrom | String | Email header from. |
Command example#
!cisco-esa-message-url-details-get message_ids=737,738,739 serial_number=test-test
Context Example#
Human Readable Output#
Message URL Report Details#
Found URL details for message ID 737, 738, 739. |Mid|All Icid|Subject|Sender|Recipient|Attachments|Timestamp|Message Size|Message Status|Direction|Sender Group| |---|---|---|---|---|---|---|---|---|---|---| | 737,
738,
739 | 19598 | Fwd: test | test@test.com | test@test.com | bear.jpg | 2022-09-20T13:31:08Z | 439.25 (KB) | Quarantined by Multiple Engines | incoming | ACCEPTLIST |Message URL Report Details Summary#
Description Timestamp Message 737 URL: http://1.1.1.1:8080/, URL reputation: -6.8, Condition: URL Reputation Rule. 2022-09-20T13:31:12Z Message 737 URL: https://test.com/test/, URL reputation: -6.6, Condition: URL Reputation Rule. 2022-09-20T13:31:12Z Message 737 URL: http://1.1.1.1:8080, URL reputation: -6.8, Condition: URL Reputation Rule. 2022-09-20T13:31:12Z Message 737 rewritten URL u'http://1.1.1.1:8080'. 2022-09-20T13:31:12Z Message 737 rewritten URL u'https://test.com/test/'. 2022-09-20T13:31:12Z Message 737 rewritten URL u'http://1.1.1.1:8080/'. 2022-09-20T13:31:12Z Message 737 rewritten URL u'https://test.com/test/'. 2022-09-20T13:31:12Z
cisco-esa-report-get#
Get statistics reports. Note that each report type is compatible with different arguments. Refer to Addendum for Cisco Secure Email Gateway ("Secure Email Reporting" sheet in the file), to view the dedicated arguments for each report type. https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa14-0/api/AsyncOS-14-0-API-Addendum.xlsx
Base Command#
cisco-esa-report-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| report_type | Report Type. Possible values are: mail_incoming_traffic_summary, reporting_system, mail_vof_threat_summary, mail_vof_specific_threat_summary, mail_amp_threat_summary. Default is mail_incoming_traffic_summary. | Optional |
| custom_report_type | Custom report type. Specify this argument to get a report that does not exist in the report_type argument. | Optional |
| start_date | Start date in ISO format or <number> <time unit>, e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now. | Required |
| end_date | End date in ISO format or <number> <time unit>, e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now. | Required |
| order_by | The attribute by which to order the data in the response. For example, orderBy=total_clean_recipients. | Optional |
| order_dir | The report sort order direction. Possible values are: asc, desc. | Optional |
| top | The number of records with the highest values to return. | Optional |
| filter_value | The filter value to search for. | Optional |
| filter_by | The filter field to use. Filter the data to be retrieved according to the filter property and value. | Optional |
| filter_operator | The filter operator. Filter the response data based on the value specified. Possible values are: begins_with, is. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CiscoESA.Report.type | String | Report type. |
| CiscoESA.Report.resultSet | Number | Report results summary. |
Command example#
!cisco-esa-report-get start_date=2weeks end_date=now report_type=mail_incoming_traffic_summary
Context Example#
Human Readable Output#
Report type: mail_incoming_traffic_summary#
Report UUID: 6535f7b3-0d35-411b-ab76-42e27ea661ce |Blocked Dmarc|Blocked Invalid Recipient|Blocked Reputation|Blocked Sdr|Bulk Mail|Detected Amp|Detected Spam|Detected Spam Certain|Detected Spam Suspect|Detected Virus|Detected Virus Per Msg|Failed Dkim|Failed Spf|Ims Spam Increment Over Case|Malicious Url|Marketing Mail|Social Mail|Threat Content Filter|Total Clean Recipients|Total Graymail Recipients|Total Mailbox Auto Remediated Recipients|Total Recipients|Total Spoofed Emails|Total Threat Recipients|Verif Decrypt Fail|Verif Decrypt Success| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 1 | 12 | 1345 | 0 | 1 | 0 | 19 | 15 | 4 | 0 | 0 | 0 | 0 | 0 | 3 | 4 | 0 | 4 | 179 | 5 | 0 | 1567 | 1 | 1383 | 0 | 0 |