Cisco ESA

About

The Cisco Email Security Appliance (ESA) is an email security gateway. It is designed to detect and block email-borne threats such as malware, spam and phishing. Because email remains one of the most common delivery channels for attacks, an email security gateway is a baseline control for most organizations.

Product Details

Vendor URL: Cisco Email Secure Gateway

Product Type: Email Security Appliance

Product Tier: Tier II

Integration Method: Syslog, Single Log Line (SLL) CEF. The consolidated Single Log Line CEF format is preferred over the standard multi-line logs because every event arrives as one self-contained line, which parses far more reliably.

Integration URL: Cisco Ironport ESA - Cyderes Documentation

Log Guide: User Guide for AsyncOS 11.1 for Cisco Email Security Appliances - GD (General Deployment) Single Log Line (SLL)

Parser Details

Log Format: Syslog/CEF

Expected Normalization Rate: 90-100%

Data Label: CISCO_EMAIL_SECURITY

UDM Fields (list of all UDM fields leveraged in the Parser):

Event (source field, or how the value is derived)                         UDM Event Classification
------------------------------------------------------------------------  ----------------------------
default: false, set to true based on conditions in parser                 is_alert
default: false, set to true based on conditions in parser                 is_significant
ESAMID, ESAICID, ESADCID, ESAAttachmentDetails, cfp1, cs1, cs2, cs3, cs4, cs5   additional.fields
description                                                               metadata.description
Hard-Coded                                                                metadata.event_type
product_event_type                                                        metadata.product_event_type
injection_connection_id                                                   metadata.product_log_id
Hard-Coded                                                                metadata.product_name
product_version                                                           metadata.product_version
Hard-Coded                                                                metadata.vendor_name
Hard-Coded and application_protocol                                       network.application_protocol
Hard-Coded                                                                network.direction
from                                                                      network.email.from
message_id, ESAMID                                                        network.email.mail_id
ESAReplyTo                                                                network.email.reply_to
Subject, subject_message                                                  network.email.subject
receiver, duser                                                           network.email.to
cipher, ESATLSOutCipher                                                   network.tls.cipher
protocol, ESATLSOutProtocol                                               network.tls.version
ESATLSOutProtocol                                                         network.tls.version_protocol
message_id, ESAMID                                                        principal.asset_id
hostname                                                                  principal.hostname
ip                                                                        principal.ip
processid                                                                 principal.process.pid
Composited (severity, action and is_alert; see Parser Alerting)           security_result
deviceExternalId                                                          src.asset.product_object_id
ESASenderGroup                                                            src.group.group_display_name
sourceHostName                                                            src.hostname
source_ip, sourceAddress                                                  src.ip
application                                                               target.application
hostname                                                                  target.hostname
target_ip                                                                 target.ip
port                                                                      target.port

Product Event Types

Event Type
EMAIL_TRANSACTION
NETWORK_SMTP
SERVICE_START
SERVICE_STOP
GENERIC_EVENT

Log Sample

<14>Dec 10 05:59:47 Cyclops_ESA-SLL: CEF:0|Cisco|C600V Email Security Virtual Appliance|10.5.1-277|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESAMID=mid ESAICID=icid ESADCID=dcid startTime=Fri Dec 10 05:59:42 2021 endTime=Fri Dec 10 05:59:45 2021 deviceDirection=0 cs4Label=ExternalMsgID cs4='<cs4addr>' ESASenderGroup=UNKNOWNLIST sourceAddress=10.111.115.218 cfp1Label=SBRSScore cfp1=4.9 ESAHeloIP=10.111.115.218 ESATLSInProtocol=TLSv1.2 ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES128-GCM-SHA256 sourceHostName=host duser=email msg='Holiday meals at your club, basically ready to serve.' ESAReplyTo=email cs3Label=SDRThreatCategory cs3=N/A ESASDRDomainAge=26 years 8 months 18 days cs1Label=MailPolicy cs1=Incoming Mail Policy ESASPFVerdict=None ESADKIMVerdict=pass ESADMARCVerdict=pass ESAASVerdict=MARKETING_MAIL ESAAVVerdict=NEGATIVE ESAAMPVerdict=NOT_EVALUATED ESACFVerdict=MATCH ESAMFVerdict=NOT_EVALUATED ESADLPVerdict=NOT_EVALUATED act=DELIVERED deviceExternalId=deviceid

Sample Parsing

metadata.event_timestamp "2021-12-10T12:00:06.155564Z"
metadata.event_type "EMAIL_TRANSACTION"
metadata.vendor_name "Cisco"
metadata.product_name "C600V Email Security Virtual Appliance"
metadata.product_version "10.5.1-277"
metadata.product_event_type "ESA_CONSOLIDATED_LOG_EVENT"
metadata.description "Consolidated Log Event"
metadata.ingested_timestamp "2021-12-10T12:00:06.155564Z"
additional.cs3: _s_d_r_threat_category "N/A"
additional.ESADCID "dcid"
additional.cs1: _mail_policy "Incoming"
additional.ESAMID "mid"
additional.cfp1: _s_b_r_s_score "4.9"
additional.cs4: _external_msg_i_d "'<cs4addr>'"
additional.ESAICID "icid"
principal.hostname "Cyclops_ESA-SLL"
principal.asset_id "ESAMID:mid"
principal.asset.asset_id "ESAMID:mid"
src.hostname "host "
src.ip[0] "10.111.115.218"
src.group.group_display_name "UNKNOWNLIST"
src.asset.product_object_id "deviceid"
security_result[0].action[0] "ALLOW"
security_result[0].severity "INFORMATIONAL"
network.email.to[0] "email"
network.email.mail_id "mid"
network.email.subject[0] "Holiday meals at your club, basically ready to serve."
network.tls.cipher "ECDHE-RSA-AES128-GCM-SHA256"
network.tls.version_protocol "TLSv1.2"

Parser Alerting

loglevel            sec_result.severity   security_action   is_alert
------------------  --------------------  ----------------  --------
(blank)             INFORMATIONAL         ALLOW
Info                INFORMATIONAL         ALLOW
Informational (6)   INFORMATIONAL         ALLOW
Debug (7)           INFORMATIONAL         ALLOW
Trace               INFORMATIONAL         ALLOW
Notice (5)          INFORMATIONAL         ALLOW
Warning (4)         MEDIUM                ALLOW
High                HIGH                  BLOCK
Error (3)           HIGH                  BLOCK
Critical (2)        CRITICAL              BLOCK             Y
Alert (1)           CRITICAL              BLOCK             Y
Emergency (0)       CRITICAL              BLOCK             Y

An empty is_alert cell means the event is not flagged as an alert (is_alert stays at its default of false).
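The following is an added example, not the Cyderes or Chronicle parser, that ties the Log Sample / Sample Parsing section together with the Parser Alerting table above: it parses one Single Log Line CEF event (syslog PRI and header, CEF header, and the space-separated extension), pairs the csNLabel/cfpNLabel keys with their values, maps the result onto the UDM fields listed on this page using flattened dotted keys as a stand-in for the UDM proto, and fills security_result from the syslog severity in the PRI using the table above. Assumptions not taken from the page: the sample line is a constructed copy of the page's placeholder sample; the hard-coded metadata.event_type is chosen as EMAIL_TRANSACTION for ESA_CONSOLIDATED_LOG_EVENT and GENERIC_EVENT otherwise; the surrounding quotes on msg are stripped because Sample Parsing shows the subject without them; the name-only rows of the alerting table (Info, Trace, High) are folded into the numeric rows with the same outcome.

```python
"""Added example (not Cyderes or Chronicle parser code): parse one Cisco ESA Single Log
Line (SLL) CEF event and fill security_result from the page's loglevel table."""
import re

# Constructed sample: same shape and placeholder values as the page's Log Sample.
SAMPLE = (
    "<14>Dec 10 05:59:47 Cyclops_ESA-SLL: CEF:0|Cisco|C600V Email Security Virtual Appliance|10.5.1-277|"
    "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESAMID=mid ESAICID=icid ESADCID=dcid "
    "startTime=Fri Dec 10 05:59:42 2021 endTime=Fri Dec 10 05:59:45 2021 deviceDirection=0 "
    "cs4Label=ExternalMsgID cs4='<cs4addr>' ESASenderGroup=UNKNOWNLIST sourceAddress=10.111.115.218 "
    "cfp1Label=SBRSScore cfp1=4.9 ESAHeloIP=10.111.115.218 ESATLSInProtocol=TLSv1.2 "
    "ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutProtocol=TLSv1.2 "
    "ESATLSOutCipher=ECDHE-RSA-AES128-GCM-SHA256 sourceHostName=host duser=email "
    "msg='Holiday meals at your club, basically ready to serve.' ESAReplyTo=email "
    "cs3Label=SDRThreatCategory cs3=N/A ESASDRDomainAge=26 years 8 months 18 days "
    "cs1Label=MailPolicy cs1=Incoming Mail Policy ESASPFVerdict=None ESADKIMVerdict=pass "
    "ESADMARCVerdict=pass ESAASVerdict=MARKETING_MAIL ESAAVVerdict=NEGATIVE ESAAMPVerdict=NOT_EVALUATED "
    "ESACFVerdict=MATCH ESAMFVerdict=NOT_EVALUATED ESADLPVerdict=NOT_EVALUATED act=DELIVERED "
    "deviceExternalId=deviceid"
)

# Parser Alerting table from the page, keyed by syslog severity number (PRI & 7) as
# (severity, action, is_alert). Name-only rows are folded in; a blank is_alert cell is False.
ALERT_TABLE = {
    7: ("INFORMATIONAL", "ALLOW", False),  # Debug, Trace
    6: ("INFORMATIONAL", "ALLOW", False),  # Informational, Info, (blank)
    5: ("INFORMATIONAL", "ALLOW", False),  # Notice
    4: ("MEDIUM", "ALLOW", False),         # Warning
    3: ("HIGH", "BLOCK", False),           # Error, High
    2: ("CRITICAL", "BLOCK", True),        # Critical
    1: ("CRITICAL", "BLOCK", True),        # Alert
    0: ("CRITICAL", "BLOCK", True),        # Emergency
}
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+): (?P<cef>CEF:.*)$")
# A key is only recognised at the start or after whitespace, so 'Dec 10' inside a date
# value or a '\=' inside an escaped value never starts a new field.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")

def _unescape(value):
    # CEF escapes '\', '=' and '|' with a backslash; '\n' and '\r' stand for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Split 'k=v k2=v v v' into a dict; each value runs up to the next 'key=' token."""
    keys = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields

def parse_cef(cef):
    # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension; a '\|' is a literal pipe.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    hdr = [p.replace(r"\|", "|") for p in parts[:7]]
    return {"vendor": hdr[1], "product": hdr[2], "version": hdr[3], "signature_id": hdr[4],
            "name": hdr[5], "cef_severity": hdr[6], "ext": parse_extension(parts[7])}

def resolve_labels(ext):
    """Pair cs1Label/cs1, cfp1Label/cfp1, ... so additional fields carry their real names."""
    return {v: ext[k[:-5]] for k, v in ext.items() if k.endswith("Label") and k[:-5] in ext}

def to_udm(line):
    """Map one SLL line onto the UDM fields listed on this page (flattened dotted keys)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog SLL line")
    cef, = [parse_cef(m.group("cef"))]
    e = cef["ext"]
    severity, action, is_alert = ALERT_TABLE[int(m.group("pri")) & 7]
    subject = e.get("msg", "")
    if len(subject) >= 2 and subject[0] == subject[-1] == "'":
        subject = subject[1:-1]  # Sample Parsing shows the subject without its quotes
    return {
        # Assumption: event_type is hard-coded per the page; EMAIL_TRANSACTION matches Sample Parsing.
        "metadata.event_type": "EMAIL_TRANSACTION"
        if cef["signature_id"] == "ESA_CONSOLIDATED_LOG_EVENT" else "GENERIC_EVENT",
        "metadata.vendor_name": cef["vendor"],
        "metadata.product_name": cef["product"],
        "metadata.product_version": cef["version"],
        "metadata.product_event_type": cef["signature_id"],
        "metadata.description": cef["name"],
        "principal.hostname": m.group("host"),
        "src.ip": e.get("sourceAddress"),
        "src.hostname": e.get("sourceHostName"),
        "src.group.group_display_name": e.get("ESASenderGroup"),
        "src.asset.product_object_id": e.get("deviceExternalId"),
        "network.email.mail_id": e.get("ESAMID"),
        "network.email.to": e.get("duser"),
        "network.email.reply_to": e.get("ESAReplyTo"),
        "network.email.subject": subject,
        "network.tls.cipher": e.get("ESATLSOutCipher"),            # Out* pair, per the UDM table
        "network.tls.version_protocol": e.get("ESATLSOutProtocol"),
        "security_result.severity": severity,
        "security_result.action": action,
        "is_alert": is_alert,
        "additional.fields": {**{k: e[k] for k in ("ESAMID", "ESAICID", "ESADCID") if k in e},
                              **resolve_labels(e)},
    }

if __name__ == "__main__":
    print(to_udm(SAMPLE))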

Rules

Coming Soon