3919 Views | 10 Helpful | 7 Replies

Cisco ESA External Threat Feeds

ccna_security (Level 3)

Dear all. Yesterday I configured External Threat Feeds on Cisco ESA. In order to test it, I sent a malicious URL from my personal email to a corporate email. That email was sent directly to the Outbreak quarantine, and approximately 1 hour later the email was released from quarantine and forwarded to the corporate email along with a SUSPICIOUS warning message. Now I have a question. How can I test whether the external threat feed works or not? Shouldn't it catch malicious URLs sent inside an email?

7 Replies

Mathew Huynh (Cisco Employee)
Hey Ccns90,

External threat feeds require the correct URLs to query as the source.
To verify whether the source is returning results for ETF to work, you can check the "threatfeeds" log files.

When an email is sent in, depending on where you deployed your ETF (HAT level, message filters/content filters, etc.), the logs (mail_logs) will show whether it was matched under a threat feed.

Sample:
Thu Jun 7 20:48:10 2018 Info: MID 91 Threat feeds source 'S1' detected malicious URL: 'http://digimobil.mobi/' in attachment(s): malurl.txt. Action: Attachment stripped

Thanks,
Mathew
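The reply above says the proof of an ETF hit is a mail_logs line of the form shown in the sample. The script below is an added example, not part of the thread or of Cisco's tooling: it parses that ETF line format, tags which feature (ETF or URL Filtering) acted on each MID, and reports whether any message was matched by a threat feed at all. The ETF pattern follows the sample line quoted above; the pattern for URL Filtering hits ("has reputation") is an assumption, since the thread never shows such a line, and every log line except the quoted one is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Pattern for the ETF hit line quoted in the reply above (Cisco ESA mail_logs).
# Only the URL IOC form shown in the thread is handled.
ETF_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: "
    r"MID (?P<mid>\d+) Threat feeds source '(?P<source>[^']+)' detected malicious "
    r"URL: '(?P<url>[^']+)'"
    r"(?: in attachment\(s\): (?P<attachments>.+?))?"
    r"\. Action: (?P<action>.+?)\s*$"
)

# ASSUMPTION: a URL Filtering hit is recognised by the phrase "has reputation".
# The thread does not show that line, so this wording is an approximation.
URLF_RE = re.compile(
    r"MID (?P<mid>\d+) URL (?P<url>\S+) has reputation (?P<score>-?\d+(?:\.\d+)?)"
)


def parse_etf_line(line):
    """Return the fields of an ETF detection line, or None if it is not one."""
    m = ETF_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["attachments"] = (
        [a.strip() for a in d["attachments"].split(",")] if d["attachments"] else []
    )
    return d


def classify(lines):
    """Map each MID to the verdicts logged for it, in log order.

    Each verdict is (feature, source, url, action) with feature
    'etf' or 'url_filter'; lines from other features are ignored.
    """
    hits = defaultdict(list)
    for line in lines:
        etf = parse_etf_line(line)
        if etf:
            hits[etf["mid"]].append(("etf", etf["source"], etf["url"], etf["action"]))
            continue
        u = URLF_RE.search(line)
        if u:
            hits[u["mid"]].append(
                ("url_filter", None, u["url"], "reputation " + u["score"])
            )
    return dict(hits)


def first_feature_per_mid(lines):
    """Which feature acted first on each message: the check to run after reordering filters."""
    return {mid: verdicts[0][0] for mid, verdicts in classify(lines).items()}


def etf_verified(lines):
    """True when at least one message was matched by a threat feed source."""
    return any(v[0] == "etf" for vs in classify(lines).values() for v in vs)


# Constructed sample: line 0 is the line quoted in the reply; the rest are made up
# to show a message the URL filter handled and lines from neither feature.
SAMPLE_LOG = [
    "Thu Jun 7 20:48:10 2018 Info: MID 91 Threat feeds source 'S1' detected malicious "
    "URL: 'http://digimobil.mobi/' in attachment(s): malurl.txt. Action: Attachment stripped",
    "Thu Jun 7 20:49:02 2018 Info: MID 92 URL http://bad.example/ has reputation -8.2 "
    "matched URL Reputation condition",
    "Thu Jun 7 20:49:03 2018 Info: MID 92 Custom Log Entry: quarantined by URL filter",
    "Thu Jun 7 20:50:00 2018 Info: MID 93 queued for delivery",
]

if __name__ == "__main__":
    for mid, verdicts in classify(SAMPLE_LOG).items():
        print(mid, verdicts)
    print("ETF ever matched:", etf_verified(SAMPLE_LOG))
    print("first feature per MID:", first_feature_per_mid(SAMPLE_LOG))
```

Run it against a real mail_logs export after each test message: if etf_verified() stays False while first_feature_per_mid() shows only url_filter, the threat feed was never the one to act on the message, which is the ordering situation discussed later in this thread.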

ppreenja (Cisco Employee)
Hi Ccns90,

I hope the article and video below will help you with the testing part of External Threat Feeds:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0101001.html

https://www.youtube.com/watch?v=rmnQt6pBrZo <--- (link found on the internet)

Regards,
Pratham

Hi. I did exactly the same thing shown in the YouTube video you sent. It connected to the public servers successfully, and I created the content filter appropriately. But I was not able to prove that this ETF really works. Bad URLs got blocked by URL filters; none of the URLs got blocked by ETF.

Hi Ccns90,

We would need to check the config and logs to see what exactly happened, or why the ETF feature did not work. I would suggest opening a case with Cisco TAC; we would be happy to check the config and share the reason why ETF did not work.

Rgds,

Gagan

URL filters are part of content filters. Just reorder your content filters so that the ETF filter happens first...

@ccna_security  This is my first recommendation as well.

Content filters work off an ordering - ensure you set the URL filtering below ETF and redo your test to verify the results.

If the URL filtering is already taking action, then it leaves nothing for the ETF feature.

In the event the ordering is done and it's still not matching, then we'll need to look a bit deeper into it.

Thanks @Ken Stieers for bringing up this point.


Regards,

Mathew

Thanks for all of your replies. I reordered the content filters (first ETF, then URL filter). I sent a malicious URL inside an email; then only the URL filter catches it, not ETF.