Cisco ESA
About
The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-borne threats, such as malware, spam and phishing attempts. Because so many of today's attacks occur through email messages, having an email security gateway has become a necessity for most organizations.
Product Details
Vendor URL: Cisco Email Secure Gateway
Product Type: Email Security Appliance
Product Tier: Tier II
Integration Method: Syslog/SLL CEF (Single Log Line CEF is preferred over standard multi-line logs for parsing)
Integration URL: Cisco Ironport ESA - Cyderes Documentation
Log Guide: User Guide for AsyncOS 11.1 for Cisco Email Security Appliances - GD (General Deployment) Single Log Line (SLL)
Parser Details
Log Format: Syslog/CEF
Expected Normalization Rate: 90-100%
Data Label: CISCO_EMAIL_SECURITY
UDM Fields (list of all UDM fields leveraged in the Parser):
Log Field(s) / Source | UDM Field |
---|---|
default: false, set to true based on conditions in parser | is_alert |
default: false, set to true based on conditions in parser | is_significant |
ESAMID, ESAICID, ESADCID, ESAAttachmentDetails, cfp1, cs1, cs2, cs3, cs4, cs5 | additional.fields |
description | product_description |
Hard-Coded | metadata.event_type |
product_event_type | metadata.product_event_type |
injection_connection_id | metadata.product_log_id |
Hard-Coded | metadata.product_name |
product_version | metadata.product_version |
Hard-Coded | metadata.vendor_name |
Hard-Coded and application_protocol | network.application_protocol |
Hard-Coded | network.direction |
from | network.email.from |
message_id, ESAMID | network.email.mail_id |
ESAReplyTo | network.email.reply_to |
Subject, subject_message | network.email.subject |
receiver, duser | network.email.to |
cipher, ESATLSOutCipher | network.tls.cipher |
protocol, ESATLSOutProtocol | network.tls.version |
ESATLSOutProtocol | network.tls.version_protocol |
message_id, ESAMID | principal.asset_id |
hostname | principal.hostname |
ip | principal.ip |
processid | principal.process.pid |
Composited | security_result |
deviceExternalId | src.asset.product_object_id |
ESASenderGroup | src.group.group_display_name |
sourceHostName | src.hostname |
source_ip, sourceAddress | src.ip |
application | target.application |
hostname | target.hostname |
target_ip | target.ip |
port | target.port |
Product Event Types
Event Type |
---|
EMAIL_TRANSACTION |
NETWORK_SMTP |
SERVICE_START |
SERVICE_STOP |
GENERIC_EVENT |
Log Sample
<14>Dec 10 05:59:47 Cyclops_ESA-SLL: CEF:0|Cisco|C600V Email Security Virtual Appliance|10.5.1-277|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESAMID=mid ESAICID=icid ESADCID=dcid startTime=Fri Dec 10 05:59:42 2021 endTime=Fri Dec 10 05:59:45 2021 deviceDirection=0 cs4Label=ExternalMsgID cs4='<cs4addr>' ESASenderGroup=UNKNOWNLIST sourceAddress=10.111.115.218 cfp1Label=SBRSScore cfp1=4.9 ESAHeloIP=10.111.115.218 ESATLSInProtocol=TLSv1.2 ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES128-GCM-SHA256 sourceHostName=host duser=email msg='Holiday meals at your club, basically ready to serve.' ESAReplyTo=email cs3Label=SDRThreatCategory cs3=N/A ESASDRDomainAge=26 years 8 months 18 days cs1Label=MailPolicy cs1=Incoming Mail Policy ESASPFVerdict=None ESADKIMVerdict=pass ESADMARCVerdict=pass ESAASVerdict=MARKETING_MAIL ESAAVVerdict=NEGATIVE ESAAMPVerdict=NOT_EVALUATED ESACFVerdict=MATCH ESAMFVerdict=NOT_EVALUATED ESADLPVerdict=NOT_EVALUATED act=DELIVERED deviceExternalId=deviceid
Sample Parsing
metadata.event_timestamp "2021-12-10T12:00:06.155564Z"
metadata.event_type "EMAIL_TRANSACTION"
metadata.vendor_name "Cisco"
metadata.product_name "C600V Email Security Virtual Appliance"
metadata.product_version "10.5.1-277"
metadata.product_event_type "ESA_CONSOLIDATED_LOG_EVENT"
metadata.description "Consolidated Log Event"
metadata.ingested_timestamp "2021-12-10T12:00:06.155564Z"
additional.cs3: _s_d_r_threat_category "N/A"
additional.ESADCID "dcid"
additional.cs1: _mail_policy "Incoming"
additional.ESAMID "mid"
additional.cfp1: _s_b_r_s_score "4.9"
additional.cs4: _external_msg_i_d "'<cs4addr>'"
additional.ESAICID "icid"
principal.hostname "Cyclops_ESA-SLL"
principal.asset_id "ESAMID:mid"
principal.asset.asset_id "ESAMID:mid"
src.hostname "host "
src.ip[0] "10.111.115.218"
src.group.group_display_name "UNKNOWNLIST"
src.asset.product_object_id "deviceid"
security_result[0].action[0] "ALLOW"
security_result[0].severity "INFORMATIONAL"
network.email.to[0] "email"
network.email.mail_id "mid"
network.email.subject[0] "Holiday meals at your club, basically ready to serve."
network.tls.cipher "ECDHE-RSA-AES128-GCM-SHA256"
network.tls.version_protocol "TLSv1.2"
Parser Alerting
loglevel | sec_result.severity | security_action | is_alert |
---|---|---|---|
(blank) | INFORMATIONAL | ALLOW | |
Info | INFORMATIONAL | ALLOW | |
Informational (6) | INFORMATIONAL | ALLOW | |
Debug (7) | INFORMATIONAL | ALLOW | |
Trace | INFORMATIONAL | ALLOW | |
Notice (5) | INFORMATIONAL | ALLOW | |
Warning (4) | MEDIUM | ALLOW | |
High | HIGH | BLOCK | |
Error (3) | HIGH | BLOCK | |
Critical (2) | CRITICAL | BLOCK | Y |
Alert (1) | CRITICAL | BLOCK | Y |
Emergency (0) | CRITICAL | BLOCK | Y |
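As an added worked example (not the Cyderes parser itself), the following Python takes the single-log-line CEF event from the Log Sample section and produces the UDM-style fields shown in Sample Parsing: it splits the syslog PRI and CEF header, parses the extension so that values containing spaces stay whole, folds the csN/cfpN label pairs into additional.fields, and derives security_result severity, action and is_alert from the syslog severity using the Parser Alerting table above. The snake_case label naming and the decision to strip surrounding single quotes from values are assumptions made for this illustration.

```python
import re

# Constructed sample: the page's Log Sample, shortened to the fields used below.
SAMPLE_LOG = (
    "<14>Dec 10 05:59:47 Cyclops_ESA-SLL: CEF:0|Cisco|C600V Email Security Virtual Appliance"
    "|10.5.1-277|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESAMID=mid ESAICID=icid "
    "sourceAddress=10.111.115.218 cs1Label=MailPolicy cs1=Incoming Mail Policy "
    "cfp1Label=SBRSScore cfp1=4.9 msg='Holiday meals at your club, basically ready to serve.' "
    "ESATLSOutCipher=ECDHE-RSA-AES128-GCM-SHA256 act=DELIVERED deviceExternalId=deviceid"
)

# Syslog PRI severity (PRI & 7) -> (security_result.severity, action, is_alert), per the Parser Alerting table.
SEVERITY_MAP = {
    7: ("INFORMATIONAL", "ALLOW", False), 6: ("INFORMATIONAL", "ALLOW", False),
    5: ("INFORMATIONAL", "ALLOW", False), 4: ("MEDIUM", "ALLOW", False),
    3: ("HIGH", "BLOCK", False), 2: ("CRITICAL", "BLOCK", True),
    1: ("CRITICAL", "BLOCK", True), 0: ("CRITICAL", "BLOCK", True),
}

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+?):? CEF:(\d+)\|(.*)$")
# An extension value runs until the next " key=" token, so spaces inside values survive.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_sll(line):
    """Parse one syslog-wrapped single-log-line CEF event into a UDM-like dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    pri, hostname, cef_rest = int(m.group(1)), m.group(3), m.group(5)
    vendor, product, version, sig_id, name, _cef_sev, ext = cef_rest.split("|", 6)
    # Assumption: surrounding single quotes (as on msg= and cs4=) are presentation, not data.
    fields = {k: v.strip("'") for k, v in EXT_RE.findall(ext)}
    # Fold csNLabel/csN and cfpNLabel/cfpN pairs into labelled additional.fields (assumed snake_case naming).
    additional = {}
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            snake = re.sub(r"(?<!^)(?=[A-Z])", "_", label).lower()
            additional[f"{key[:-5]}: _{snake}"] = fields[key[:-5]]
    additional.update({k: fields[k] for k in ("ESAMID", "ESAICID", "ESADCID") if k in fields})
    severity, action, is_alert = SEVERITY_MAP[pri & 7]
    return {
        "metadata.vendor_name": vendor, "metadata.product_name": product,
        "metadata.product_version": version, "metadata.product_event_type": sig_id,
        "metadata.description": name, "principal.hostname": hostname,
        "src.ip": fields.get("sourceAddress"), "network.email.subject": fields.get("msg"),
        "network.tls.cipher": fields.get("ESATLSOutCipher"),
        "src.asset.product_object_id": fields.get("deviceExternalId"),
        "security_result.severity": severity, "security_result.action": action,
        "is_alert": is_alert, "additional.fields": additional,
    }
```

Unlike the space-tokenised output in Sample Parsing, this example keeps `cs1=Incoming Mail Policy` intact, which is the CEF extension semantics the SLL format relies on.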
Rules
Coming Soon