Hello Andreas,
From what I understand, you are talking here in the context of the HAT overview (under the Mail Policies tab in the GUI); it is the first check that emails coming into the ESA appliance hit.
In this HAT overview, we have various sendergroups created such as WHITELIST, SUSPECTLIST, BLACKLIST, UNKNOWNLIST, RELAYLIST etc.
Each sendergroup is assigned a range of SBR scores on the ESA appliance locally (most of the time WHITELIST and RELAYLIST are not given any score range).
Each email coming to the ESA appliance is sent by an MTA (Mail Transfer Agent) having a particular IP address assigned to it. As soon as the email arrives, the ESA checks for the probability of the score (as it is a highly dynamic entity) for the given IP address from its Sender Base Reputation services, which connect to a cloud infrastructure (referred to as Cisco TALOS) and fetch the score for the email received.
Based on the score, the email falls under one of the sendergroups created and is acted upon by the mail flow policy attached to the sendergroup.
In mail flow policies, we define the number of connections allowed to be formed, any security features to be used, etc.
After this, the email passes along further to the email pipeline in the workqueue (having all the processing engines such as Anti-spam, Antivirus, etc.).
Please find below some articles which will provide you with more information on the same:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_0101.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118381-technote-esa-00.html
Cisco TALOS site:
https://talosintelligence.com
I hope the above information helps in your understanding.
Cheers,
Pratham
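
The HAT evaluation described in the reply above, modelled as an added example (not part of the original post and not Cisco code). It assumes top-down, first-match evaluation; the score ranges, networks and connection limits are constructed values, and the reputation score is passed in as a parameter instead of being fetched from the reputation service.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SenderGroup:
    name: str
    policy: str                                  # mail flow policy attached to the group
    networks: Tuple[str, ...] = ()               # explicit IP/CIDR members
    sbrs: Optional[Tuple[float, float]] = None   # inclusive score range; None = no range


# Constructed HAT: ranges and networks are assumptions for illustration only.
HAT = [
    SenderGroup("RELAYLIST", "RELAYED", networks=("10.0.0.0/8",)),
    SenderGroup("WHITELIST", "TRUSTED", networks=("192.0.2.10/32",)),
    SenderGroup("BLACKLIST", "BLOCKED", sbrs=(-10.0, -3.0)),
    SenderGroup("SUSPECTLIST", "THROTTLED", sbrs=(-3.0, -1.0)),
    SenderGroup("UNKNOWNLIST", "ACCEPTED", sbrs=(-1.0, 10.0)),
]

# Constructed mail flow policies: connection behaviour and per-sender limits.
POLICIES = {
    "RELAYED": {"action": "relay", "max_connections": 50},
    "TRUSTED": {"action": "accept", "max_connections": 300},
    "BLOCKED": {"action": "reject", "max_connections": 0},
    "THROTTLED": {"action": "accept", "max_connections": 1},
    "ACCEPTED": {"action": "accept", "max_connections": 10},
}


def classify(ip: str, score: Optional[float]) -> Tuple[str, str]:
    """Return (sender group, mail flow policy) for a connecting MTA."""
    addr = ipaddress.ip_address(ip)
    for group in HAT:  # first matching group wins
        if any(addr in ipaddress.ip_network(net) for net in group.networks):
            return group.name, group.policy
        if group.sbrs and score is not None and group.sbrs[0] <= score <= group.sbrs[1]:
            return group.name, group.policy
    # No explicit match and no score available: fall through to the default entry.
    return "ALL", "ACCEPTED"


def connection_limit(ip: str, score: Optional[float]) -> int:
    """Connection limit from the mail flow policy attached to the matched group."""
    return POLICIES[classify(ip, score)[1]]["max_connections"]
```

Because the first match wins, a sender listed explicitly in a group placed above the score-based groups keeps that group's policy whatever its score is.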