Cisco Email Security (Ironport)

Cisco Email Security defends against phishing, business email compromise, and ransomware. Cyderes uses this information to track and monitor email for malicious entry points.

Chronicle Data Types

  • CISCO_EMAIL_SECURITY

Configuration

  1. In the Cisco Ironport ESA console, navigate to System Administration -> Log Subscriptions.
  2. Select a log name to be sent to the Chronicle workspace. For example: antivirus_logs.
  3. Enter the necessary information about the CYCLOPS forwarder (virtual IP address and port).
  4. Repeat for any additional log files that will be sent to Chronicle.

IMPORTANT: By default, Cisco Ironport ESA sends logs to port 514. The Cyderes onboarding team will provide a higher port number to send ESA logs to. Please contact Cyderes for answers to any questions.

For a detailed list and explanation of the available log types, please see the following documentation.

Single Log Line (SLL)

Using SLL to consolidate each message event into a single log line currently gives the best parsing output with Cyderes' custom ESA parser. The configuration steps are found on Cisco's doc site here: SLL: configuration