Cisco ESA Ironport

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data type: Cisco ESA Consolidated Event Logs
3rd party detection / Hunters detection / IOC search / Search: ✅ ✅ (two of these four capabilities are marked as supported; the flattened source table does not preserve which two)
Table name: cisco_esa_consolidated_event_logs
Log format: CEF
Collection method: S3


Overview

The Cisco Email Security Appliance (ESA) is an email security gateway product. It is designed to detect and block a wide variety of email-borne threats, such as malware, spam and phishing attempts. Because so many of today's attacks arrive through email, an email security gateway has become a necessity for most organizations.

Integrating Cisco ESA into Hunters allows collection and ingestion of key data types into the data lake. Furthermore, the raw email data is used to auto-investigate and correlate related alerts.

Supported data types

Cisco ESA Consolidated Event Logs

Table name: cisco_esa_consolidated_event_logs

The Consolidated Event Logs summarize each message event in a single log line. The logs use the Common Event Format (CEF) log message format.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Cisco ESA logs via an intermediary AWS S3 bucket.

To connect Cisco ESA logs:

  1. Follow this guide by Cisco to enable the S3 push.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in CEF format, one event per line, with a syslog-style timestamp preceding the CEF header, as in the two sample lines below:

Sun Mar 19 11:32:45 2023: CEF:0|Cisco|C600V Email Security Virtual Appliance|14.0.0-698|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=ABCD-DCBA ESAMID=123456789 ESADCID=7854321 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Sun Mar 19 11:32:44 2023 ESADLPVerdict=NOT_EVALUATED ESAGMVerdict=NEGATIVE suser=blackhole@tomki.com ESAMFVerdict=NO_MATCH act=DELIVERED ESAOFVerdict=NOT_EVALUATED duser=user@user.com
Sun Mar 19 11:32:45 2023: CEF:0|Cisco|C600V Email Security Virtual Appliance|14.0.0-698|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=FEFEFEFE-EFEFEFEF ESAMID=123124123 ESAICID=321321321 ESADCID=7778887 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Sun Mar 19 11:32:44 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=10.1.2.3 ESAFriendlyFrom="Temp Name" <temp@name.net> ESAGMVerdict=NEGATIVE startTime=Sun Mar 19 11:32:42 2023 deviceInboundInterface=ProductionMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=temp@name.net cs1Label=MailPolicy cs1=Production Users cs2Label=SenderCountry cs2=United States ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<temptemp@abcd.net>' ESAOFVerdict=NEGATIVE duser=user@user.com ESAHeloDomain=koko.shoko.com ESAHeloIP=7.6.7.6 ESAReplyTo=email@email.net cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=1 month cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'user@test.net'}, 'helo': {'result': 'None', 'sender': 'jojo@jojo.com'}} sourceHostName=domain.domain ESASenderGroup=UNKNOWNLIST sourceAddress=9.9.9.9 msg='Subject Message' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2
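As an added illustration that is not part of the Hunters page or of Cisco's documentation, the parser below reads one consolidated event line in the format shown above into a flat dict, resolves the csNLabel/cfpNLabel pairs into their named fields, and derives defender-side triage flags from the DKIM, SPF and SBRS verdicts. The sample line, the names chosen for the CEF header columns and the SBRS threshold are assumptions.

```python
import ast
import re
from typing import Dict, List
# Constructed sample line (not real traffic), abbreviated from the format shown above.
SAMPLE = ("Sun Mar 19 11:32:45 2023: CEF:0|Cisco|C600V Email Security Virtual Appliance|14.0.0-698|"
          "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=FEFEFEFE-EFEFEFEF "
          "ESAMID=123124123 ESADKIMVerdict=pass endTime=Sun Mar 19 11:32:44 2023 suser=temp@name.net "
          "cs1Label=MailPolicy cs1=Production Users cfp1Label=SBRSScore cfp1=3.5 act=DELIVERED "
          "ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'user@test.net'}} duser=user@user.com")
HEADER_FIELDS = ["cef_version", "vendor", "product", "product_version", "signature_id", "name", "severity"]
# A new extension key starts at a whitespace boundary followed by "key="; values may contain spaces.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_esa_cef(line: str) -> Dict[str, str]:
    """Parse one consolidated event line into a flat dict (escaped pipes in header fields are not handled)."""
    cef_start = line.find("CEF:")  # drop the syslog-style timestamp prefix
    if cef_start < 0:
        raise ValueError("not a CEF line")
    parts = line[cef_start + 4:].split("|", 7)  # 7 header fields, then the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip()
    # Resolve csNLabel/cfpNLabel pairs: cs1Label=MailPolicy cs1=Production Users -> MailPolicy
    for label_key in [k for k in event if k.endswith("Label")]:
        base = label_key[:-len("Label")]
        if base in event:
            event[event.pop(label_key)] = event.pop(base)
    return event

def review_flags(event: Dict[str, str]) -> List[str]:
    """Triage hints from the authentication and reputation verdicts; the SBRS threshold is an assumption."""
    flags = []
    if event.get("ESADKIMVerdict", "").lower() != "pass":
        flags.append("dkim_not_pass")
    try:  # ESASPFVerdict is written as a Python-literal dict, which literal_eval parses safely
        spf = ast.literal_eval(event.get("ESASPFVerdict", "{}"))
        if spf.get("mailfrom", {}).get("result") != "Pass":
            flags.append("spf_mailfrom_not_pass")
    except (ValueError, SyntaxError):
        flags.append("spf_unparsed")
    try:
        if float(event.get("SBRSScore", "nan")) < 0:  # negative SenderBase score: poor reputation
            flags.append("negative_sbrs")
    except ValueError:
        pass
    return flags
```

An event with no ESASPFVerdict field (as in the first sample line above) is flagged as not passing SPF, which is the conservative reading for triage.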