Skip to main content

Cisco Security Management Appliance

This Integration is part of the CiscoSMA Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

The Security Management Appliance (SMA) is used to centralize services from Email Security Appliances (ESAs) and Web Security Appliances (WSAs). This integration was integrated and tested with version 12.0 of Cisco Security Management Appliance.

Configure Cisco Security Management Appliance on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cisco Security Management Appliance.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URLBase URL, e.g., https://XXX.eu.iphmx.comTrue
    UsernameTrue
    PasswordTrue
    Maximum incidents per fetchDefault is 50. Maximum is 100.False
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days).Timestamp in ISO format or &lt;number&gt; &lt;time unit&gt;,
    e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.
    False
    Filter byMessage field by which to filter the results.False
    Filter operatorOperator on the message field.False
    Filter valueThe value to search for.False
    Recipient filter operatorRecipient operator filter.False
    Recipient filter valueRecipient filter value to fetch by message field.False
    Use system proxy settingsFalse
    Trust any certificate (not secure)False
    Incident typeFalse
    Fetch incidentsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cisco-sma-spam-quarantine-message-search#


Search messages in the spam quarantine.

Base Command#

cisco-sma-spam-quarantine-message-search

Input#

Argument NameDescriptionRequired
start_dateStart date in ISO format or <number> <time unit>,
e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.
Required
end_dateEnd date in ISO format or <number> <time unit>,
e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.
Required
filter_byField by which to filter the results. Possible values are: from_address, to_address, subject.Optional
filter_operatorFilter operator. Possible values are: contains, is, begins_with, ends_with, does_not_contain.Optional
filter_valueThe value to search for. This is a user defined value, e.g., filterValue=abc.com.Optional
recipient_filter_operatorRecipient operator filter. Possible values are: contains, is, begins_with, ends_with, does_not_contain.Optional
recipient_filter_valueRecipient filter value.Optional
order_byHow the results should be ordered. Possible values are: from_address, date, subject, size.Optional
order_dirDirection in which the results should be ordered. Possible values are: asc, desc.Optional
pagePage number of paginated results.
Minimum value is 1.
Optional
page_sizeNumber of results per page. Maximum value is 100.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
CiscoSMA.SpamQuarantineMessage.envelopeRecipientStringMessage recipient.
CiscoSMA.SpamQuarantineMessage.toAddressStringMessage recipient.
CiscoSMA.SpamQuarantineMessage.subjectStringMessage subject.
CiscoSMA.SpamQuarantineMessage.dateStringMessage date.
CiscoSMA.SpamQuarantineMessage.fromAddressStringMessage sender.
CiscoSMA.SpamQuarantineMessage.sizeStringMessage size.
CiscoSMA.SpamQuarantineMessage.midNumberMessage ID.

Command example#

!cisco-sma-spam-quarantine-message-search start_date=2weeks end_date=now page=3 page_size=2

Context Example#

{
"CiscoSMA": {
"SpamQuarantineMessage": [
{
"date": "11 Sep 2022 07:55 (GMT)",
"envelopeRecipient": [
"test@test.com"
],
"fromAddress": [
"Test Test <t1@test.com>"
],
"mid": 70,
"size": "17.60K",
"subject": "test 2",
"toAddress": [
"test@test.com <test@test.com>"
]
},
{
"date": "11 Sep 2022 07:55 (GMT)",
"envelopeRecipient": [
"test@test.com"
],
"fromAddress": [
"Test Test <t1@test.com>"
],
"mid": 69,
"size": "17.70K",
"subject": "hello",
"toAddress": [
"test@test.com <test@test.com>"
]
}
]
}
}

Human Readable Output#

Spam Quarantine Messages List#

Showing page 3. Current page size: 2. |Mid|Date|From Address|To Address|Subject|Size| |---|---|---|---|---|---| | 70 | 11 Sep 2022 07:55 (GMT) | Test Test t1@test.com | "test@test.com" test@test.com | test 2 | 17.60K | | 69 | 11 Sep 2022 07:55 (GMT) | Test Test t1@test.com | "test@test.com" test@test.com | hello | 17.70K |

cisco-sma-spam-quarantine-message-get#


Get spam quarantine message.

Base Command#

cisco-sma-spam-quarantine-message-get

Input#

Argument NameDescriptionRequired
message_idMessage ID.Required

Context Output#

PathTypeDescription
CiscoSMA.SpamQuarantineMessage.envelopeRecipientStringMessage recipient.
CiscoSMA.SpamQuarantineMessage.toAddressStringMessage recipient.
CiscoSMA.SpamQuarantineMessage.messageBodyStringMessage body.
CiscoSMA.SpamQuarantineMessage.dateStringMessage date.
CiscoSMA.SpamQuarantineMessage.fromAddressStringMessage sender.
CiscoSMA.SpamQuarantineMessage.subjectStringMessage subject.
CiscoSMA.SpamQuarantineMessage.midNumberMessage ID.

Command example#

!cisco-sma-spam-quarantine-message-get message_id=64

Context Example#

{
"CiscoSMA": {
"SpamQuarantineMessage": {
"attachments": [],
"date": "11 Sep 2022 06:07 (GMT)",
"envelopeRecipient": [
"test@test.com"
],
"fromAddress": [
"Test Test <t1@test.com>"
],
"messageBody": "Received: from esa2.test.eu.iphmx.com ([2.2.2.2]) by sma1.test.eu.iphmx.com with ESMTP; 11 Sep 2022 06:07:11 +0000Received-SPF: Pass (esa2.test.eu.iphmx.com: domain of t1@test.com designates 22.22.22.22 as permitted sender) identity=mailfrom; client-ip=22.22.22.22; receiver=esa2.test.eu.iphmx.com; envelope-from=t1@test.com; x-sender=t1@test.com; x-conformance=spf_only; x-record-type=v=spf1; x-record-text=v=spf1 ip4:8.8.8.8/15 ip4:1.1.1.1/16 ip4:1.1.1.1/14 ip4:1.1.1.1/17 ip1.1.1.1/48 ip1.1.1.1/49 ip1.1.1.1/50 ip1.1.1.1/51 ip1.1.1.1/52 include:spfd.protection.outlook.com -allAuthentication-Results: esa2.test.eu.iphmx.com; spf=Pass smtp.mailfrom=t1@test.com; dkim=pass (signature verified) header.i=@Qmasters.onmicrosoft.comX-Ironport-Dmarc-Check-Result: validskipIronPort-SDR: 631d7b0e_gYHRKFozU63bNGUcBmI6bZxMVbnKq771Bg3g/PXeqXGnCcb en8XOitOlv+hcIvMhGPgHjLS3GSW298LZ8xVyrA==X-IronPort-RemoteIP: 22.22.22.22X-IronPort-MID: 427X-IronPort-Reputation: 3.5X-IronPort-Listener: MailFlowX-IronPort-SenderGroup: ACCEPTLISTX-IronPort-MailFlowPolicy: $ACCEPTEDX-SLBL-Result: BLOCK-LISTEDX-IronPort-AV: E=McAfee;i=6500,9779,10466; a=427X-IronPort-AV: E=Sophos;i=5.93,307,1654549200; d=scan'208,217;a=427X-Amp-Result: SKIPPED(no attachment in message)X-Amp-File-Uploaded: FalseX-IPAS-Result: =?us-ascii?q?vGpBb5TsaWco2WF0CJmG5A=3D=3D?=Received: from mail-eopbgr150082.outbound.protection.outlook.com (HELO EUR01-DB5-obe.outbound.protection.outlook.com) ([22.22.22.22]) by esa2.test.eu.iphmx.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Sep 2022 09:07:10 +0300ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=/saT6U5NS0IZCdFJ8PRhIOdlfgGhCHg==ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1 mx.microsoft.com 1; spf=pass smtp.mailfrom=qmasters.co; dmarc=pass action=none header.from=qmasters.co; dkim=pass header.d=qmasters.co; arc=noneDKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Qmasters.onmicrosoft.com; s=selector2-Qmasters-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8EDhl0WksFhflNDqiZFXIJI/gERNfydqE0p9gIt/k1E=; b=/0nVjDfeQJk=Received: from AS4P192MB1694.EURP192.PROD.OUTLOOK.COM (1.1.1.11) by GV1P192MB1739.EURP192.PROD.OUTLOOK.COM (1.1.1.115) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.20; Sun, 11 Sep 2022 06:07:08 +0000Received: from AS4P192MB1694.EURP192.PROD.OUTLOOK.COM ([1.1.1.1ddbc:6c6a:6e24:2ddc]) by AS4P192MB1694.EURP192.PROD.OUTLOOK.COM ([1.1.1.1ddbc:6c6a:6e24:2ddc%5]) with mapi id 15.20.5612.022; Sun, 11 Sep 2022 06:07:08 +0000From: Test Test &lt;t1@test.com&gt;To: test@test.com &lt;test@test.com&gt;Subject: test1Thread-Topic: test1Thread-Index: AdjFpLjMMletPLuSTiamq2aPR00gtw==Date: Sun, 11 Sep 2022 06:07:07 +0000Message-ID:-Language: en-US, he-ILContent-Language: en-USX-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Emailx-ms-traffictypediagnostic: AS4P192MB1694:EE_|GV1P192MB1739:EE_x-ms-office365-filtering-correlation-id: 1f4793f4-e7cb-44f4-45d0-08da93bbdbabx-ms-exchange-senderadcheck: 1x-ms-exchange-antispam-relay: 0x-microsoft-antispam: BCL:0;x-microsoft-antispam-message-info: 4DkFMorvBGYa2L7kv5m1ibET5n0EvYTCLJhZmOPqKgjLW+eH0zwrxtxJBRcchZ1ZkamOBS+alGY0FGLHiHyUMavSvkdOvmk526KzQDiXoY5xcIHN6un/c6CzO9pcvrGN2D3aPGL5NGw16o+lG/TlArEoyjMC5PM/forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4P192MB1694.EURP192.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230016)(4636009)(346002)(376002)(136003)(366004)(39830400003)(396003)(2906002)(8936002);DIR:OUT;Q?C1JbgP7At7ztN6x7KY7DAv3gpBtr1wcCZy2aTMfk?=Content-Type: multipart/alternative;\tboundary=_000_AS4P192MB1694E446958C283FF6146212AB459AS4P192MB1694EURP_MIME-Version: 1.0X-OriginatorOrg: qmasters.coX-MS-Exchange-CrossTenant-AuthAs: InternalX-MS-Exchange-CrossTenant-AuthSource: AS4P192MB1694.EURP192.PROD.OUTLOOK.COMX-MS-Exchange-CrossTenant-Network-Message-Id: 1f4793f4-e7cb-44f4-45d0-08da93bbdbabX-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2022 06:07:07.9480 (UTC)X-MS-Exchange-CrossTenant-fromentityheader: HostedX-MS-Exchange-CrossTenant-id: ed363dfd-16fd-4038-8e58-9237411a84e5X-MS-Exchange-CrossTenant-mailboxtype: HOSTEDX-MS-Exchange-CrossTenant-userprincipalname: oeEevxfXcCiCthJ0sdKmama9rN1O92XcZ3RYCBNpAtJGc1YO+C9f+UGf6qp4y0t2aVaTNORJqi/cQeynDtX1hQ==X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV1P192MB1739",
"mid": 64,
"subject": "test1",
"toAddress": [
"test@test.com <test@test.com>"
]
}
}
}

Human Readable Output#

Spam Quarantine Message#

Found spam quarantine message with ID: 64 |Mid|From Address|To Address|Date|Subject| |---|---|---|---|---| | 64 | Test Test t1@test.com | "test@test.com" test@test.com | 11 Sep 2022 06:07 (GMT) | test1 |

cisco-sma-spam-quarantine-message-release#


Release spam quarantined message.

Base Command#

cisco-sma-spam-quarantine-message-release

Input#

Argument NameDescriptionRequired
message_idsComma-separated list of message IDs.Required

Context Output#

There is no context output for this command.

Command example#

!cisco-sma-spam-quarantine-message-release message_ids=65

Human Readable Output#

Quarantined message 65 successfully released.

cisco-sma-spam-quarantine-message-delete#


Delete spam quarantined message.

Base Command#

cisco-sma-spam-quarantine-message-delete

Input#

Argument NameDescriptionRequired
message_idsComma-separated list of message IDs.Required

Context Output#

There is no context output for this command.

Command example#

!cisco-sma-spam-quarantine-message-delete message_ids=66

Human Readable Output#

Quarantined message 66 successfully deleted.

cisco-sma-list-entry-get#


Get spam quarantine blocklist/safelist entry.

Base Command#

cisco-sma-list-entry-get

Input#

Argument NameDescriptionRequired
entry_typeList entry type. Possible values are: blocklist, safelist.Required
pagePage number of paginated results.
Minimum value is 1.
Optional
page_sizeNumber of results per page. Maximum value is 100.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
order_byHow the results should be ordered. Possible values are: recipient, sender.Optional
order_dirDirection in which the results should be ordered. Possible values are: asc, desc.Optional
view_byView results by. Possible values are: recipient, sender. Default is recipient.Optional
searchSearch for recipients or senders in blocklist/safelist with 'contains' operator.
e.g., test@test.com, test.com
This is only supported for the argument view_by=recipient.
Optional

Context Output#

PathTypeDescription
CiscoSMA.ListEntry.Blocklist.senderListStringSender list.
CiscoSMA.ListEntry.Blocklist.recipientAddressStringRecipient address.
CiscoSMA.ListEntry.Blocklist.recipientListStringRecipient list.
CiscoSMA.ListEntry.Blocklist.senderAddressStringSender address.
CiscoSMA.ListEntry.Safelist.senderListStringSender list.
CiscoSMA.ListEntry.Safelist.recipientAddressStringRecipient address.
CiscoSMA.ListEntry.Safelist.recipientListStringRecipient list.
CiscoSMA.ListEntry.Safelist.senderAddressStringSender address.

Command example#

!cisco-sma-list-entry-get entry_type=safelist page=2 page_size=3 view_by=recipient order_by=recipient order_dir=desc

Context Example#

{
"CiscoSMA": {
"ListEntry": {
"Safelist": [
{
"recipientAddress": "test4@test.com",
"senderList": [
"t3@test.com"
]
},
{
"recipientAddress": "test3@test.com",
"senderList": [
"t3@test.com"
]
},
{
"recipientAddress": "test2@test.com",
"senderList": [
"testi@test.com"
]
}
]
}
}
}

Human Readable Output#

Safelist Entries#

Showing page 2. Current page size: 3. |Recipient Address|Sender List| |---|---| | test4@test.com | t3@test.com | | test3@test.com | t3@test.com | | test2@test.com | testi@test.com |

cisco-sma-list-entry-add#


Add spam quarantine blocklist/safelist entry.

Base Command#

cisco-sma-list-entry-add

Input#

Argument NameDescriptionRequired
entry_typeList entry type. Possible values are: blocklist, safelist.Required
view_byAdd list entry by recipient/sender.
When view_by = recipient: recipient_addresses and sender_list are mandatory.
When view_by = sender: sender_addresses and recipient_list are mandatory. Possible values are: recipient, sender. Default is recipient.
Optional
recipient_addressesA comma-separated list of recipients to add.Optional
sender_listA comma-separated list of senders to add.Optional
sender_addressesA comma-separated list of senders to add.Optional
recipient_listA comma-separated list of recipients to add.Optional

Context Output#

There is no context output for this command.

Command example#

!cisco-sma-list-entry-add entry_type=blocklist view_by=recipient recipient_addresses=test@test.com sender_list=t1@test.com,t2@test.com

Human Readable Output#

Successfully added t1@test.com, t2@test.com senders to test@test.com recipients in blocklist.

cisco-sma-list-entry-append#


Append spam quarantine blocklist/safelist entry.

Base Command#

cisco-sma-list-entry-append

Input#

Argument NameDescriptionRequired
entry_typeList entry type. Possible values are: blocklist, safelist.Required
view_byAppend list entry by recipient/sender.
When view_by = recipient: recipient_addresses and sender_list are mandatory.
When view_by = sender: sender_addresses and recipient_list are mandatory. Possible values are: recipient, sender. Default is recipient.
Optional
recipient_listA comma-separated list of recipients to append.Optional
sender_listA comma-separated list of senders to append.Optional
recipient_addressesA comma-separated list of recipients to append.Optional
sender_addressesA comma-separated list of senders to append.Optional

Context Output#

There is no context output for this command.

Command example#

!cisco-sma-list-entry-append entry_type=blocklist recipient_addresses=test@test.com sender_list=t4@test.com

Human Readable Output#

Successfully appended t4@test.com senders to test@test.com recipients in blocklist.

cisco-sma-list-entry-edit#


Edit the spam quarantine blocklist/safelist entry. Using this command will override the existing value.

Base Command#

cisco-sma-list-entry-edit

Input#

Argument NameDescriptionRequired
entry_typeList entry type. Possible values are: blocklist, safelist.Required
view_byEdit list entry by recipient/sender.
When view_by = recipient: recipient_addresses and sender_list are mandatory.
When view_by = sender: sender_addresses and recipient_list are mandatory. Possible values are: recipient, sender. Default is recipient.
Optional
recipient_listA comma-separated list of recipients to edit.Optional
sender_listA comma-separated list of senders to edit.Optional
recipient_addressesA comma-separated list of recipients to edit.Optional
sender_addressesA comma-separated list of senders to edit.Optional

Context Output#

There is no context output for this command.

Command example#

!cisco-sma-list-entry-edit entry_type=blocklist view_by=recipient recipient_addresses=test@test.com sender_list=t5@test.com,t6@test.com

Human Readable Output#

Successfully edited test@test.com recipients' senders to t5@test.com, t6@test.com in blocklist.

cisco-sma-list-entry-delete#


Delete a spam quarantine blocklist/safelist entry.

Base Command#

cisco-sma-list-entry-delete

Input#

Argument NameDescriptionRequired
entry_typeList entry type. Possible values are: blocklist, safelist.Required
view_byDelete list entry by recipient/sender.
When view_by = recipient: recipient_list is mandatory.
When view_by = sender: sender_list is mandatory. Possible values are: recipient, sender. Default is recipient.
Optional
recipient_listA comma-separated list of recipients to delete.Optional
sender_listA comma-separated list of senders to delete.Optional

Context Output#

There is no context output for this command.

Command example#

!cisco-sma-list-entry-delete entry_type=blocklist view_by=recipient recipient_list=test@test.com

Human Readable Output#

Successfully deleted test@test.com recipients from blocklist.

cisco-sma-message-search#


Search tracking messages.

Base Command#

cisco-sma-message-search

Input#

Argument NameDescriptionRequired
start_dateStart date in ISO format or <number> <time unit>,
e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.
Required
end_dateEnd date in ISO format or <number> <time unit>,
e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.
Required
pagePage number of paginated results.
Minimum value is 1.
Optional
page_sizeNumber of results per page. Maximum value is 100.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
sender_filter_operatorSender filter operator. Possible values are: contains, is, begins_with.Optional
sender_filter_valueSender filter value.Optional
recipient_filter_operatorRecipient filter operator. Possible values are: contains, is, begins_with.Optional
recipient_filter_valueRecipient filter value.Optional
subject_filter_operatorSubject filter operator. Possible values are: contains, is, begins_with.Optional
subject_filter_valueSubject filter value.Optional
attachment_name_operatorAttachment name operator. Possible values are: contains, is, begins_with.Optional
attachment_name_valueAttachment name value.Optional
cisco_hostCisco host. Default is All_Hosts.Optional
file_sha_256SHA256 must be 64 characters long and can contain only "0-9" and "a-f" symbols.
E.g., e0d123e5f316bef78bfdf5a008837577e0d123e5f316bef78bfdf5a008837577.
Optional
custom_queryCustom query for cisco SMA's advanced filters.
Syntax: <key>=<value>;<key>=<value>;<key>=<value>
E.g., graymail=True;message_delivered=True.
Optional

Context Output#

PathTypeDescription
CiscoSMA.Message.hostNameStringEmail gateway hostname.
CiscoSMA.Message.friendly_fromStringFriendly formatted sender email address.
CiscoSMA.Message.isCompleteDataStringIs complete data pulled?
CiscoSMA.Message.messageStatusStringMessage delivery status.
CiscoSMA.Message.recipientMapStringRecipients list.
CiscoSMA.Message.senderIpStringSender IP address.
CiscoSMA.Message.mailPolicyStringMatched mail policy.
CiscoSMA.Message.senderGroupStringMatched sender group.
CiscoSMA.Message.subjectStringSubject of email message.
CiscoSMA.Message.dcidNumberDelivery Connection ID.
CiscoSMA.Message.midStringMessage ID.
CiscoSMA.Message.senderDomainStringDomain of email message sender.
CiscoSMA.Message.finalSubjectStringExtended email subject.
CiscoSMA.Message.directionStringMessage direction, incoming or outgoing.
CiscoSMA.Message.icidNumberAn Injection Connection ID (ICID) is a numerical identifier for an individual SMTP connection to the system.
CiscoSMA.Message.replyToStringEmail message reply to.
CiscoSMA.Message.timestampStringTime of email message.
CiscoSMA.Message.messageIDStringExtended message ID.
CiscoSMA.Message.verdictChartStringVerdict visual chart ID.
CiscoSMA.Message.recipientStringRecipients email addresses list.
CiscoSMA.Message.senderStringSender email address.
CiscoSMA.Message.serialNumberStringCisco ESA email gateway serial number.
CiscoSMA.Message.allIcidNumberICIDs list.
CiscoSMA.Message.sbrsStringSender Base Reputation Scores.

Command example#

!cisco-sma-message-search start_date=1month end_date=now page=3 page_size=2 subject_filter_operator=contains subject_filter_value=test

Context Example#

{
"CiscoSMA": {
"Message": [
{
"allIcid": [
13538
],
"unique_message_id": "433",
"dcid": [],
"direction": "incoming",
"finalSubject": {
"433": "test 2"
},
"friendly_from": [
"t1@test.com"
],
"hostName": "esa2.test.eu.iphmx.com",
"icid": 13538,
"isCompleteData": "N/A",
"mailPolicy": [
"DEFAULT"
],
"messageID": {
"433": "<AS4P192MB1694F8603766320A4C87D29AAB459@AS4P192MB1694.EURP192.PROD.OUTLOOK.COM>"
},
"messageStatus": {
"433": "Quarantined by Anti-Spam/Graymail"
},
"mid": [
433
],
"morDetails": {},
"recipient": [
"test@test.com"
],
"recipientMap": {
"433": [
"test@test.com"
]
},
"replyTo": "N/A",
"sbrs": "3.5",
"sender": "t1@test.com",
"senderDomain": "qmasters.co",
"senderGroup": "ACCEPTLIST",
"senderIp": "1.1.1.1",
"serialNumber": "423ADC9EBD9C5F1A7A64-B81D2582608C",
"subject": "test 2",
"timestamp": "2022-09-11T07:55:25Z",
"verdictChart": {
"433": "16140210"
}
},
{
"allIcid": [
13536
],
"unique_message_id": "431",
"dcid": [],
"direction": "incoming",
"finalSubject": {
"431": "test1"
},
"friendly_from": [
"t1@test.com"
],
"hostName": "esa2.test.eu.iphmx.com",
"icid": 13536,
"isCompleteData": "N/A",
"mailPolicy": [
"DEFAULT"
],
"messageID": {
"431": "<AS4P192MB1694630ADD929556BCEC2F09AB459@AS4P192MB1694.EURP192.PROD.OUTLOOK.COM>"
},
"messageStatus": {
"431": "Quarantined by Anti-Spam/Graymail"
},
"mid": [
431
],
"morDetails": {},
"recipient": [
"test@test.com"
],
"recipientMap": {
"431": [
"test@test.com"
]
},
"replyTo": "N/A",
"sbrs": "3.5",
"sender": "t1@test.com",
"senderDomain": "qmasters.co",
"senderGroup": "ACCEPTLIST",
"senderIp": "1.1.1.1",
"serialNumber": "423ADC9EBD9C5F1A7A64-B81D2582608C",
"subject": "test1",
"timestamp": "2022-09-11T07:55:15Z",
"verdictChart": {
"431": "16140210"
}
}
]
}
}

Human Readable Output#

Messages List#

Showing page 3. Current page size: 2. |Mid|All Icid|Serial Number|Sender|Recipient|Subject|Message Status|Timestamp|Sender Ip|Sbrs| |---|---|---|---|---|---|---|---|---|---| | 433 | 13538 | 423ADC9EBD9C5F1A7A64-B81D2582608C | t1@test.com | test@test.com | test 2 | 433: Quarantined by Anti-Spam/Graymail | 2022-09-11T07:55:25Z | 1.1.1.1 | 3.5 | | 431 | 13536 | 423ADC9EBD9C5F1A7A64-B81D2582608C | t1@test.com | test@test.com | test1 | 431: Quarantined by Anti-Spam/Graymail | 2022-09-11T07:55:15Z | 1.1.1.1 | 3.5 |

cisco-sma-message-details-get#


Get more details on the message.

Base Command#

cisco-sma-message-details-get

Input#

Argument NameDescriptionRequired
serial_numberEmail gateway serial number.Required
message_idsMessage ID list.Required
injection_connection_idInjection connection ID.Optional
delivery_connection_idDelivery connection ID.Optional

Context Output#

PathTypeDescription
CiscoSMA.Message.sdrAgeStringSender Domain Reputation age.
CiscoSMA.Message.attachmentsStringMessage attachments.
CiscoSMA.Message.hostNameStringEmail gateway hostname.
CiscoSMA.Message.directionStringMessage direction, incoming or outgoing.
CiscoSMA.Message.isCompleteDataBooleanIs complete data pulled?
CiscoSMA.Message.messageStatusStringMessage delivery status.
CiscoSMA.Message.mailPolicyStringMatched mail policy.
CiscoSMA.Message.senderGroupStringMatched sender group.
CiscoSMA.Message.subjectStringEmail message subject.
CiscoSMA.Message.showSummaryTimeBoxBooleanWhether to show the summary time box.
CiscoSMA.Message.sdrCategoryStringSender Domain Reputation category.
CiscoSMA.Message.midStringMessage ID.
CiscoSMA.Message.sendingHostSummary.reverseDnsHostnameStringSending host reverse DNS hostname.
CiscoSMA.Message.sendingHostSummary.ipAddressStringSending host IP address.
CiscoSMA.Message.sendingHostSummary.sbrsScoreStringSending host Sender Base Reputation scores.
CiscoSMA.Message.smtpAuthIdStringSMTP auth ID.
CiscoSMA.Message.midHeaderStringMessage ID header.
CiscoSMA.Message.timestampStringEmail message time.
CiscoSMA.Message.showDLPBooleanWhether the DLP report is available.
CiscoSMA.Message.messageSizeStringEmail message size.
CiscoSMA.Message.sdrThreatLevelsStringSender Domain Reputation threat levels.
CiscoSMA.Message.sdrReputationStringSender Domain Reputation.
CiscoSMA.Message.showURLBooleanWhether the URL report is available.
CiscoSMA.Message.recipientStringMessage recipient email address.
CiscoSMA.Message.senderStringMessage sender email address.
CiscoSMA.Message.showAMPBooleanWhether the AMP report is available.
CiscoSMA.Message.summary.timestampStringEvent summary time.
CiscoSMA.Message.summary.descriptionStringEvent summary description.
CiscoSMA.Message.summary.lastEventBooleanWhether the event summary is the last event.
CiscoSMA.Message.allIcidNumberICIDs list.
CiscoSMA.Message.headerFromStringEmail header from.

Command example#

!cisco-sma-message-details-get serial_number=423ADC9EBD9C5F1A7A64-B81D2582608C message_ids=322 injection_connection_id=10821 delivery_connection_id=4368

Context Example#

{
"CiscoSMA": {
"Message": {
"allIcid": [
10821
],
"ampTgCategories": [],
"attachments": "",
"unique_message_id": "322",
"direction": "incoming",
"headerFrom": "defender-noreply@microsoft.com",
"hostName": "esa2.test.eu.iphmx.com (2.2.2.2)",
"isCompleteData": true,
"mailPolicy": [
"DEFAULT"
],
"messageSize": "70.3 (KB)",
"messageStatus": "Delivered",
"mid": [
322
],
"midHeader": "<add53137-42a8-4753-af53-bad0752af24d@az.westeurope.production.microsoft.com>",
"recipient": [
"t2@test.com"
],
"sdrAge": "30 days (or greater)",
"sdrCategory": "N/A",
"sdrReputation": "Neutral",
"sdrThreatLevels": "3",
"sender": "azure-noreply@microsoft.com",
"senderGroup": "ACCEPTLIST",
"sendingHostSummary": {
"ipAddress": "7.7.7.7",
"reverseDnsHostname": "test.cloudapp.net (verified)",
"sbrsScore": "3.5"
},
"showAMP": false,
"showDLP": false,
"showSummaryTimeBox": true,
"showURL": false,
"smtpAuthId": "",
"subject": "Microsoft 365 Defender has detected a security threat",
"summary": [
{
"description": "Incoming connection (ICID 10821) has sender_group: ACCEPTLIST, sender_ip: 7.7.7.7 and sbrs: 3.5",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Protocol SMTP interface Data 1 (IP 2.2.2.2) on incoming connection (ICID 10821) from sender IP 7.7.7.7. Reverse DNS host test.cloudapp.net verified yes.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "(ICID 10821) ACCEPT sender group ACCEPTLIST match sbrs[0.0:10.0] SBRS 3.5 country Netherlands",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Incoming connection (ICID 10821) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 Sender Domain: microsoft.com",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Start message 322 on incoming connection (ICID 10821).",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 enqueued on incoming connection (ICID 10821) from azure-noreply@microsoft.com.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 direction: incoming",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 Domains for which SDR is requested: reverse DNS host: test.cloudapp.net, helo: test.cloudapp.net, env-from: microsoft.com, header_from: Not Present, reply_to: Not Present",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: test.cloudapp.net",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 on incoming connection (ICID 10821) added recipient (t2@test.com).",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 SPF: mailfrom identity azure-noreply@microsoft.com Pass",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 DKIM: pass signature verified (d=microsoft.com s=s1024-meo i=defender-noreply@microsoft.com)",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322: DMARC Message from domain microsoft.com, DMARC pass (SPF aligned True, DKIM aligned True),",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322: DMARC verification passed.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 contains message ID header '<add53137-42a8-4753-af53-bad0752af24d@az.westeurope.production.microsoft.com>'.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 original subject on injection: Microsoft 365 Defender has detected a security threat",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 Domains for which SDR is requested: reverse DNS host: test.cloudapp.net, helo: test.cloudapp.net, env-from: microsoft.com, header_from: microsoft.com, reply_to: Not Present",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: test.cloudapp.net",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 (71983 bytes) from azure-noreply@microsoft.com ready.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 has sender_group: ACCEPTLIST, sender_ip: 7.7.7.7 and sbrs: 3.5",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:18Z"
},
{
"description": "Message 322 matched per-recipient policy DEFAULT for inbound mail policies.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Incoming connection (ICID 10821) lost.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Anti-Spam engine: CASE. Interim verdict: Negative",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Anti-Spam engine: CASE. Final verdict: Negative",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Anti-Virus engine McAfee. Interim verdict: CLEAN",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Anti-Virus engine. Final verdict: Negative ",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Advanced Malware Protection engine. Final verdict: SKIPPED(no attachment in message)",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 scanned by Outbreak Filters. Verdict: Negative",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Message 322 queued for delivery.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "SMTP delivery connection (DCID 4368) opened from Cisco IronPort interface 2.2.2.2 to IP address 1.1.1.1 on port 25.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "Delivery connection (DCID 4368) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384 None.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "(DCID 4368) Delivery started for message 322 to t2@test.com.",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:19Z"
},
{
"description": "(DCID 4368) Delivery details: Message 322 sent to t2@test.com [('from', 'Microsoft 365 Defender <defender-noreply@microsoft.com>'), ('to', 't2@test.com')]",
"lastEvent": false,
"timestamp": "2022-09-07T10:11:20Z"
},
{
"description": "Message 322 to t2@test.com received remote SMTP response '2.6.0 <add53137-42a8-4753-af53-bad0752af24d@az.westeurope.production.microsoft.com> [InternalId=1511828495895, Hostname=test.test.PROD.OUTLOOK.COM] 92322 bytes in 0.189, 475.293 KB/sec Queued mail for delivery'.",
"lastEvent": true,
"timestamp": "2022-09-07T10:11:21Z"
}
],
"timestamp": "2022-09-07T10:11:18Z"
}
}
}

Human Readable Output#

Message Details#

Found message with ID 322. |Mid|All Icid|Subject|Sender|Recipient|Timestamp|Message Size|Sending Host Summary|Message Status|Direction|Mail Policy|Sender Group|Show AMP|Show DLP|Show URL| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 322 | 10821 | Microsoft 365 Defender has detected a security threat | azure-noreply@microsoft.com | t2@test.com | 2022-09-07T10:11:18Z | 70.3 (KB) | reverseDnsHostname: test.cloudapp.net (verified) ipAddress: 7.7.7.7 sbrsScore: 3.5 | Delivered | incoming | DEFAULT | ACCEPTLIST | false | false | false |

Message Summary#

DescriptionTimestampLast Event
Incoming connection (ICID 10821) has sender_group: ACCEPTLIST, sender_ip: 7.7.7.7 and sbrs: 3.52022-09-07T10:11:18Zfalse
Protocol SMTP interface Data 1 (IP 2.2.2.2) on incoming connection (ICID 10821) from sender IP 7.7.7.7. Reverse DNS host test.cloudapp.net verified yes.2022-09-07T10:11:18Zfalse
(ICID 10821) ACCEPT sender group ACCEPTLIST match sbrs[0.0:10.0] SBRS 3.5 country Netherlands2022-09-07T10:11:18Zfalse
Incoming connection (ICID 10821) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384.2022-09-07T10:11:18Zfalse
Message 322 Sender Domain: microsoft.com2022-09-07T10:11:18Zfalse
Start message 322 on incoming connection (ICID 10821).2022-09-07T10:11:18Zfalse
Message 322 enqueued on incoming connection (ICID 10821) from azure-noreply@microsoft.com.2022-09-07T10:11:18Zfalse
Message 322 direction: incoming2022-09-07T10:11:18Zfalse
Message 322 Domains for which SDR is requested: reverse DNS host: test.cloudapp.net, helo: test.cloudapp.net, env-from: microsoft.com, header_from: Not Present, reply_to: Not Present2022-09-07T10:11:18Zfalse
Message 322 Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: test.cloudapp.net2022-09-07T10:11:18Zfalse
Message 322 on incoming connection (ICID 10821) added recipient (t2@test.com).2022-09-07T10:11:18Zfalse
Message 322 SPF: mailfrom identity azure-noreply@microsoft.com Pass2022-09-07T10:11:18Zfalse
Message 322 DKIM: pass signature verified (d=microsoft.com s=s1024-meo i=defender-noreply@microsoft.com)2022-09-07T10:11:18Zfalse
Message 322: DMARC Message from domain microsoft.com, DMARC pass (SPF aligned True, DKIM aligned True),2022-09-07T10:11:18Zfalse
Message 322: DMARC verification passed.2022-09-07T10:11:18Zfalse
Message 322 contains message ID header 'add53137-42a8-4753-af53-bad0752af24d@az.westeurope.production.microsoft.com'.2022-09-07T10:11:18Zfalse
Message 322 original subject on injection: Microsoft 365 Defender has detected a security threat2022-09-07T10:11:18Zfalse
Message 322 Domains for which SDR is requested: reverse DNS host: test.cloudapp.net, helo: test.cloudapp.net, env-from: microsoft.com, header_from: microsoft.com, reply_to: Not Present2022-09-07T10:11:18Zfalse
Message 322 Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: test.cloudapp.net2022-09-07T10:11:18Zfalse
Message 322 (71983 bytes) from azure-noreply@microsoft.com ready.2022-09-07T10:11:18Zfalse
Message 322 has sender_group: ACCEPTLIST, sender_ip: 7.7.7.7 and sbrs: 3.52022-09-07T10:11:18Zfalse
Message 322 matched per-recipient policy DEFAULT for inbound mail policies.2022-09-07T10:11:19Zfalse
Incoming connection (ICID 10821) lost.2022-09-07T10:11:19Zfalse
Message 322 scanned by Anti-Spam engine: CASE. Interim verdict: Negative2022-09-07T10:11:19Zfalse
Message 322 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.2022-09-07T10:11:19Zfalse
Message 322 scanned by Anti-Spam engine: CASE. Final verdict: Negative2022-09-07T10:11:19Zfalse
Message 322 scanned by Anti-Virus engine McAfee. Interim verdict: CLEAN2022-09-07T10:11:19Zfalse
Message 322 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN2022-09-07T10:11:19Zfalse
Message 322 scanned by Anti-Virus engine. Final verdict: Negative2022-09-07T10:11:19Zfalse
Message 322 scanned by Advanced Malware Protection engine. Final verdict: SKIPPED(no attachment in message)2022-09-07T10:11:19Zfalse
Message 322 scanned by Outbreak Filters. Verdict: Negative2022-09-07T10:11:19Zfalse
Message 322 queued for delivery.2022-09-07T10:11:19Zfalse
SMTP delivery connection (DCID 4368) opened from Cisco IronPort interface 2.2.2.2 to IP address 1.1.1.1 on port 25.2022-09-07T10:11:19Zfalse
Delivery connection (DCID 4368) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384 None.2022-09-07T10:11:19Zfalse
(DCID 4368) Delivery started for message 322 to t2@test.com.2022-09-07T10:11:19Zfalse
(DCID 4368) Delivery details: Message 322 sent to t2@test.com [('from', 'Microsoft 365 Defender <defender-noreply@microsoft.com>'), ('to', 't2@test.com')]2022-09-07T10:11:20Zfalse
Message 322 to t2@test.com received remote SMTP response '2.6.0 add53137-42a8-4753-af53-bad0752af24d@az.westeurope.production.microsoft.com [InternalId=1511828495895, Hostname=test.test.PROD.OUTLOOK.COM] 92322 bytes in 0.189, 475.293 KB/sec Queued mail for delivery'.2022-09-07T10:11:21Ztrue

cisco-sma-message-amp-details-get#


Get message AMP summary details.

Base Command#

cisco-sma-message-amp-details-get

Input#

Argument NameDescriptionRequired
serial_numberEmail gateway serial number.Required
message_idsMessage ID list.Required

Context Output#

PathTypeDescription
CiscoSMA.AMPDetail.sdrAgeStringSender Domain Reputation age.
CiscoSMA.AMPDetail.attachmentsStringMessage attachments.
CiscoSMA.AMPDetail.hostNameStringEmail gateway hostname.
CiscoSMA.AMPDetail.directionStringMessage direction, incoming or outgoing.
CiscoSMA.AMPDetail.messageStatusStringMessage delivery status.
CiscoSMA.AMPDetail.senderGroupStringMatched sender group.
CiscoSMA.AMPDetail.subjectStringEmail message subject.
CiscoSMA.AMPDetail.sdrCategoryStringSender Domain Reputation category.
CiscoSMA.AMPDetail.midNumberMessage ID.
CiscoSMA.AMPDetail.ampDetails.timestampStringAMP event summary details timestamp.
CiscoSMA.AMPDetail.ampDetails.descriptionStringAMP event summary details description.
CiscoSMA.AMPDetail.ampDetails.lastEventBooleanAMP event summary details last event.
CiscoSMA.AMPDetail.smtpAuthIdStringSMTP auth ID.
CiscoSMA.AMPDetail.midHeaderStringMessage ID header.
CiscoSMA.AMPDetail.timestampStringEmail message time.
CiscoSMA.AMPDetail.messageSizeStringEmail message size.
CiscoSMA.AMPDetail.sdrThreatLevelsStringSender Domain Reputation threat levels.
CiscoSMA.AMPDetail.sdrReputationStringSender Domain Reputation.
CiscoSMA.AMPDetail.recipientStringMessage recipient email address.
CiscoSMA.AMPDetail.senderStringMessage sender email address.
CiscoSMA.AMPDetail.showAMPDetailsBooleanWhether to show AMP details.
CiscoSMA.AMPDetail.allIcidNumberICIDs list.
CiscoSMA.AMPDetail.headerFromStringEmail header from.

Command example#

!cisco-sma-message-amp-details-get message_ids=21 serial_number=42356DFA5D016457B182-3616BA148E19

Context Example#

{
"CiscoSMA": {
"AMPDetail": {
"allIcid": [
1269
],
"ampDetails": [
{
"description": "File reputation query initiating. File Name = test.jpg, MID = 21, File Size = 325663 bytes, File Type = image/jpeg",
"timestamp": "2022-08-24T10:05:55Z"
},
{
"description": "Response received for file reputation query from Cloud. File Name = test.jpg, MID = 21, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 23a9113530549916cd5b410edee79cb5a0fc01233eb9051f9c882a2e7c3fbfbe, upload_action = Recommended to send the file for analysis, verdict_source = AMP",
"timestamp": "2022-08-24T10:05:56Z"
},
{
"description": "File not uploaded for analysis. MID = 21 File SHA256[23a9113530549916cd5b410edee79cb5a0fc01233eb9051f9c882a2e7c3fbfbe] file mime[image/jpeg] Reason: The file type is not configured for analysis",
"lastEvent": true,
"timestamp": "2022-08-24T10:05:56Z"
}
],
"ampTgCategories": [],
"attachments": [
"test.jpg"
],
"direction": "incoming",
"headerFrom": "t3@test.com",
"hostName": "esa1.test.eu.iphmx.com (1.1.1.1)",
"messageSize": "439.29 (KB)",
"messageStatus": "Quarantined by Content Filters",
"mid": [
21
],
"midHeader": "<CAMuXvaVQMGq8uzJQXmfyoYQB55rOCJ0nW9OKncfnuCAnEc5S4g@mail.gmail.com>",
"recipient": [
"test@test.com"
],
"sdrAge": "30 days (or greater)",
"sdrCategory": "N/A",
"sdrReputation": "Neutral",
"sdrThreatLevels": "3",
"sender": "t3@test.com",
"senderGroup": "ACCEPTLIST",
"sendingHostSummary": {},
"showAMPDetails": true,
"smtpAuthId": "",
"subject": "Fwd: test12345",
"timestamp": "2022-08-24T10:05:52Z"
}
}
}

Human Readable Output#

Message AMP Report Details#

Found AMP details for message ID 21. |Mid|All Icid|Subject|Sender|Recipient|Attachments|Timestamp|Message Size|Message Status|Direction|Sender Group| |---|---|---|---|---|---|---|---|---|---|---| | 21 | 1269 | Fwd: test12345 | t3@test.com | test@test.com | test.jpg | 2022-08-24T10:05:52Z | 439.29 (KB) | Quarantined by Content Filters | incoming | ACCEPTLIST |

Message AMP Report Details Summary#

DescriptionTimestamp
File reputation query initiating. File Name = test.jpg, MID = 21, File Size = 325663 bytes, File Type = image/jpeg2022-08-24T10:05:55Z
Response received for file reputation query from Cloud. File Name = test.jpg, MID = 21, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 23a9113530549916cd5b410edee79cb5a0fc01233eb9051f9c882a2e7c3fbfbe, upload_action = Recommended to send the file for analysis, verdict_source = AMP2022-08-24T10:05:56Z
File not uploaded for analysis. MID = 21 File SHA256[23a9113530549916cd5b410edee79cb5a0fc01233eb9051f9c882a2e7c3fbfbe] file mime[image/jpeg] Reason: The file type is not configured for analysis2022-08-24T10:05:56Z

cisco-sma-message-dlp-details-get#


Get message DLP summary details.

Base Command#

cisco-sma-message-dlp-details-get

Input#

Argument NameDescriptionRequired
serial_numberEmail gateway serial number.Required
message_idsMessage ID list.Required

Context Output#

PathTypeDescription
CiscoSMA.DLPDetail.directionStringMessage direction, incoming or outgoing.
CiscoSMA.DLPDetail.smtpAuthIdStringSMTP auth ID.
CiscoSMA.DLPDetail.sdrAgeStringSender Domain Reputation age.
CiscoSMA.DLPDetail.senderStringMessage sender email address.
CiscoSMA.DLPDetail.midHeaderStringMessage ID header.
CiscoSMA.DLPDetail.timestampStringEmail message time.
CiscoSMA.DLPDetail.sdrCategoryStringSender Domain Reputation category.
CiscoSMA.DLPDetail.hostNameStringEmail gateway hostname.
CiscoSMA.DLPDetail.midNumberMessage ID.
CiscoSMA.DLPDetail.attachmentsStringMessage attachments.
CiscoSMA.DLPDetail.messageSizeStringEmail message size.
CiscoSMA.DLPDetail.dlpDetails.violationSeverityStringDLP details violation severity.
CiscoSMA.DLPDetail.dlpDetails.dlpMatchedContent.messagePartMatch.classifierStringDLP matched content classifier.
CiscoSMA.DLPDetail.dlpDetails.dlpMatchedContent.messagePartMatch.classifierMatchStringDLP matched content classifier match.
CiscoSMA.DLPDetail.dlpDetails.dlpMatchedContent.messagePartStringDLP matched content message part.
CiscoSMA.DLPDetail.dlpDetails.midStringDLP message ID.
CiscoSMA.DLPDetail.dlpDetails.riskFactorNumberDLP risk factor.
CiscoSMA.DLPDetail.dlpDetails.dlpPolicyStringDLP policy.
CiscoSMA.DLPDetail.sdrThreatLevelsStringSender Domain Reputation threat levels.
CiscoSMA.DLPDetail.sdrReputationStringSender Domain Reputation.
CiscoSMA.DLPDetail.messageStatusStringMessage delivery status.
CiscoSMA.DLPDetail.allIcidNumberICIDs list.
CiscoSMA.DLPDetail.senderGroupStringMatched sender group.
CiscoSMA.DLPDetail.recipientStringMessage recipient email address.
CiscoSMA.DLPDetail.subjectStringEmail message subject.
CiscoSMA.DLPDetail.headerFromStringEmail header from.

Command example#

!cisco-sma-message-dlp-details-get message_ids=84 serial_number=423ADC9EBD9C5F1A7A64-B81D2582608C

Context Example#

{
"CiscoSMA": {
"DLPDetail": {
"allIcid": [
3862
],
"ampTgCategories": [],
"attachments": "",
"direction": "outgoing",
"dlpDetails": {
"dlpMatchedContent": [
{
"messagePart": "Message",
"messagePartMatch": [
{
"classifier": "Credit Card Numbers",
"classifierMatch": [
"CVV Code Country/Currency Result
Amex 374245455400126 05/2023 Success
Amex 378282246310005",
"Visa 4917484589897107",
"Visa 4263982640269299 (3 matches)",
]
}
]
}
],
"dlpPolicy": "PCI-DSS (Payment Card Industry Data Security Standard)",
"mid": 84,
"riskFactor": 72,
"violationSeverity": "HIGH"
},
"headerFrom": "test@test.com",
"hostName": "esa2.test.eu.iphmx.com (2.2.2.2)",
"messageSize": "84.56 (KB)",
"messageStatus": "Delivered",
"mid": [
84
],
"midHeader": "<AM5PR10MB1649CD2104EBDB7ACB849744B6779@AM5PR10MB1649.EURPRD10.PROD.OUTLOOK.COM>",
"recipient": [
"t1@test.com"
],
"sender": "test@test.com",
"senderGroup": "RELAY_O365",
"sendingHostSummary": {},
"showDLPDetails": true,
"smtpAuthId": "",
"subject": "Fw: Re: ",
"timestamp": "2022-08-28T06:56:26Z"
}
}
}

Human Readable Output#

Message DLP Report Details#

Found DLP details for message ID 84. |Mid|All Icid|Subject|Sender|Recipient|Timestamp|Message Size|Message Status|Direction|Sender Group| |---|---|---|---|---|---|---|---|---|---| | 84 | 3862 | Fw: Re: | test@test.com | t1@test.com | 2022-08-28T06:56:26Z | 84.56 (KB) | Delivered | outgoing | RELAY_O365 |

Message DLP Report Details Summary#

MidViolation SeverityRisk FactorDlp Policy
84HIGH72PCI-DSS (Payment Card Industry Data Security Standard)

cisco-sma-message-url-details-get#


Get message URL summary details.

Base Command#

cisco-sma-message-url-details-get

Input#

Argument NameDescriptionRequired
serial_numberEmail gateway serial number.Required
message_idsMessage ID list.Required

Context Output#

PathTypeDescription
CiscoSMA.URLDetail.sdrAgeStringSender Domain Reputation age.
CiscoSMA.URLDetail.attachmentsStringMessage attachments.
CiscoSMA.URLDetail.showURLDetailsBooleanWhether to show URL event details.
CiscoSMA.URLDetail.urlDetails.timestampStringURL event details timestamp.
CiscoSMA.URLDetail.urlDetails.descriptionStringURL event details description.
CiscoSMA.URLDetail.hostNameStringEmail gateway hostname.
CiscoSMA.URLDetail.directionStringMessage direction, incoming or outgoing.
CiscoSMA.URLDetail.messageStatusStringMessage delivery status.
CiscoSMA.URLDetail.senderGroupStringMatched sender group.
CiscoSMA.URLDetail.subjectStringEmail message subject.
CiscoSMA.URLDetail.sdrCategoryStringSender Domain Reputation category.
CiscoSMA.URLDetail.midNumberMessage ID.
CiscoSMA.URLDetail.smtpAuthIdStringSMTP auth ID.
CiscoSMA.URLDetail.midHeaderStringMessage ID header.
CiscoSMA.URLDetail.timestampStringEmail message time.
CiscoSMA.URLDetail.messageSizeStringEmail message size.
CiscoSMA.URLDetail.sdrThreatLevelsStringSender Domain Reputation threat levels.
CiscoSMA.URLDetail.sdrReputationStringSender Domain Reputation.
CiscoSMA.URLDetail.recipientStringMessage recipient Email address.
CiscoSMA.URLDetail.senderStringMessage sender email address.
CiscoSMA.URLDetail.allIcidNumberICIDs list.
CiscoSMA.URLDetail.headerFromStringEmail header from.

Command example#

!cisco-sma-message-url-details-get message_ids=21 serial_number=42356DFA5D016457B182-3616BA148E19

Context Example#

{
"CiscoSMA": {
"URLDetail": {
"allIcid": [
1269
],
"ampTgCategories": [],
"attachments": [
"test.jpg"
],
"direction": "incoming",
"headerFrom": "t3@test.com",
"hostName": "esa1.test.eu.iphmx.com (1.1.1.1)",
"messageSize": "439.29 (KB)",
"messageStatus": "Quarantined by Content Filters",
"mid": [
21
],
"midHeader": "<CAMuXvaVQMGq8uzJQXmfyoYQB55rOCJ0nW9OKncfnuCAnEc5S4g@mail.gmail.com>",
"recipient": [
"test@test.com"
],
"sdrAge": "30 days (or greater)",
"sdrCategory": "N/A",
"sdrReputation": "Neutral",
"sdrThreatLevels": "3",
"sender": "t3@test.com",
"senderGroup": "ACCEPTLIST",
"sendingHostSummary": {},
"showURLDetails": true,
"smtpAuthId": "",
"subject": "Fwd: test12345",
"timestamp": "2022-08-24T10:05:52Z",
"urlDetails": [
{
"description": "Message 21 URL: http://9.9.9.9:8080/ , URL reputation: -6.8, Condition: URL Reputation Rule.",
"timestamp": "2022-08-24T10:05:56Z"
},
{
"description": "Message 21 URL: https://test.com/x1OrRZcf/onIpchhYNy4wy9f4/ , URL reputation: -6.6, Condition: URL Reputation Rule.",
"timestamp": "2022-08-24T10:05:56Z"
},
{
"description": "Message 21 URL: http://9.9.9.9:8080 , URL reputation: -6.8, Condition: URL Reputation Rule.",
"timestamp": "2022-08-24T10:05:56Z"
}
]
}
}
}

Human Readable Output#

Message URL Report Details#

Found URL details for message ID 21. |Mid|All Icid|Subject|Sender|Recipient|Attachments|Timestamp|Message Size|Message Status|Direction|Sender Group| |---|---|---|---|---|---|---|---|---|---|---| | 21 | 1269 | Fwd: test12345 | t3@test.com | test@test.com | test.jpg | 2022-08-24T10:05:52Z | 439.29 (KB) | Quarantined by Content Filters | incoming | ACCEPTLIST |

Message URL Report Details Summary#

DescriptionTimestamp
Message 21 URL: http://9.9.9.9:8080/ , URL reputation: -6.8, Condition: URL Reputation Rule.2022-08-24T10:05:56Z
Message 21 URL: https://test.com/test/test/ , URL reputation: -6.6, Condition: URL Reputation Rule.2022-08-24T10:05:56Z
Message 21 URL: http://9.9.9.9:8080 , URL reputation: -6.8, Condition: URL Reputation Rule.2022-08-24T10:05:56Z

cisco-sma-report-get#


Get statistics reports. Note that each report type is compatible with different arguments. Refer to the following link ("ESA Reporting" section in the file) in order to view the dedicated arguments for each report type. https://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma12-0/AsyncOS-API-Addendum-GD_General_Deployment.xlsx.

Base Command#

cisco-sma-report-get

Input#

Argument NameDescriptionRequired
report_typeReport Type. Possible values are: mail_incoming_traffic_summary, reporting_system, mail_vof_threat_summary, mail_vof_specific_threat_summary, mail_amp_threat_summary. Default is mail_incoming_traffic_summary.Optional
custom_report_typeCustom report type.
Specify this argument in order to get a report that does not exist in the report_type argument.
Optional
start_dateStart date in ISO format or <number> <time unit>,
e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.
Required
end_dateEnd date in ISO format or <number> <time unit>,
e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.
Required
device_group_nameThe device group name. Default is Hosted_Cluster.Optional
device_nameThe device name.Optional
order_bySpecify the attribute by which to order the data in the response. For example, orderBy=total_clean_recipients.Optional
order_dirThe report order direction. Specify sort direction. Possible values are: asc, desc.Optional
topSpecify the number of records with the highest values to return.Optional
filter_valueThe value to search for.Optional
filter_byThe filter field to use. Filter the data to be retrieved according to the filter property and value.Optional
filter_operatorFilter the response data based on the value specified. Possible values are: begins_with, is.Optional

Context Output#

PathTypeDescription
CiscoSMA.Report.typeStringReport type.
CiscoSMA.Report.resultSetNumberReport results summary.

Command example#

!cisco-sma-report-get start_date=2weeks end_date=now device_group_name=Hosted_Cluster report_type=mail_incoming_traffic_summary

Context Example#

{
"CiscoSMA": {
"Report": {
"resultSet": [
{
"failed_dkim": 0
},
{
"total_graymail_recipients": 6
},
{
"detected_spam": 35
},
{
"malicious_url": 2
},
{
"total_spoofed_emails": 0
},
{
"verif_decrypt_success": 0
},
{
"detected_virus": 0
},
{
"threat_content_filter": 1
},
{
"blocked_invalid_recipient": 6
},
{
"blocked_sdr": 0
},
{
"marketing_mail": 5
},
{
"ims_spam_increment_over_case": 0
},
{
"total_mailbox_auto_remediated_recipients": 0
},
{
"detected_spam_certain": 35
},
{
"detected_spam_suspect": 0
},
{
"blocked_dmarc": 0
},
{
"total_threat_recipients": 3498
},
{
"total_recipients": 4069
},
{
"verif_decrypt_fail": 0
},
{
"detected_amp": 0
},
{
"bulk_mail": 1
},
{
"social_mail": 0
},
{
"total_clean_recipients": 565
},
{
"detected_virus_per_msg": 0
},
{
"failed_spf": 0
},
{
"blocked_reputation": 3454
}
],
"type": "mail_incoming_traffic_summary",
"uuid": "54db5cef-36a4-44a7-a121-37d9fb4e3971"
}
}
}

Human Readable Output#

Report type: mail_incoming_traffic_summary#

Report UUID: 54db5cef-36a4-44a7-a121-37d9fb4e3971 |Blocked Dmarc|Blocked Invalid Recipient|Blocked Reputation|Blocked Sdr|Bulk Mail|Detected Amp|Detected Spam|Detected Spam Certain|Detected Spam Suspect|Detected Virus|Detected Virus Per Msg|Failed Dkim|Failed Spf|Ims Spam Increment Over Case|Malicious Url|Marketing Mail|Social Mail|Threat Content Filter|Total Clean Recipients|Total Graymail Recipients|Total Mailbox Auto Remediated Recipients|Total Recipients|Total Spoofed Emails|Total Threat Recipients|Verif Decrypt Fail|Verif Decrypt Success| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 0 | 6 | 3454 | 0 | 1 | 0 | 35 | 35 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 5 | 0 | 1 | 565 | 6 | 0 | 4069 | 0 | 3498 | 0 | 0 |