cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
514
Views
10
Helpful
7
Replies
Beginner

Cisco ESA External Threat Feeds

Dear all. yesterday I configured External Threat Feed in cisco esa. In order test it I send malicious url from my personal email to corporate email. that email directly send to Outbreak quarantine and approximately 1 hour later that email released from quarantine and forwarded to corporate email along with SUSPICIOUS warning message. Now I have a question. How can I test whether external threat feed works or not? Shouldn't it catch malicious urls sent inside email?

7 REPLIES 7
Cisco Employee

Re: Cisco ESA External Threat Feeds

Hey Ccns90,

External threat feeds requires the correct URLs to query as the source.
To verify if the source is returning results for the ETF to work you can verify inside the "threatfeeds" log files.

When an email is sent in and depending on where you deployed your ETF (HAT level, filter/content filters etc) the logs (mail_logs) will return if it was matched under a threat feed.

Sample:
Thu Jun 7 20:48:10 2018 Info: MID 91 Threat feeds source 'S1' detected malicious URL:
'http://digimobil.mobi/' in attachment(s): malurl.txt. Action: Attachment stripped

Thanks,
Mathew
Cisco Employee

Re: Cisco ESA External Threat Feeds

Hi Ccns90,

I hope the below article and video will be able to help you with the testing part on the External Threat Feeds:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0101001.html

https://www.youtube.com/watch?v=rmnQt6pBrZo <--- (link found on the internet)

Regards,
Pratham

Beginner

Re: Cisco ESA External Threat Feeds

Hi. I did exact same think shown youtube video you sent. It connected to puplic servers successfuly. And i created content filter appropriately. But was not be able to proof that this etf really works. Bad urls got blocked by url filters none of the url got blocked by etf

Cisco Employee

Re: Cisco ESA External Threat Feeds

Hi Ccns90,

We would need to check the config and logs to see what exactly happened or why the ETF feature did not work. I would suggest opening a case with Cisco TAC, we would be happy to check the config and share reason as to why ETF did not work. 

Rgds,

Gagan

Collaborator

Re: Cisco ESA External Threat Feeds

Url filters are part of content filters. Just reorder your content filters so that the ETF filter happens first...
Cisco Employee

Re: Cisco ESA External Threat Feeds

@Ccns90  This is my first recommendation as well.

Content filters works off an ordering - ensure you set the URL filtering below ETF and re-do your test to verify results.

If the URL filtering is already taking action then it leaves nothing for the ETF feature.

 

In the event the ordering is done and it's still not matching, then we'll need to look a bit more deeper into it.

 

Thanks @Ken Stieers  for bringing up this point.

 

Regards,

Mathew

Highlighted
Beginner

Re: Cisco ESA External Threat Feeds

Thanks for all of your reply. I reordered content filter(first ETF and then URL filter). I sent malicious url inside email then only url filter catches it not ETF.