06-12-2019 07:32 AM
I see how to integrate Cisco Threat Response with an SMA, AMP for endpoints, Threatgrid, etc. What I don't see is how to integrate with an ESA - ironport device directly. Is this possible, or do I need an SMA to take advantage of this?
06-12-2019 08:37 AM
03-24-2020 09:51 PM
03-25-2020 01:34 AM - edited 03-25-2020 01:42 AM
Hello,
ESA can be directly integrated with Cisco Threat Response; however, the prerequisite for this is that the ESA should be running at least the AsyncOS 13.0.0-314 (LD) release.
When configuring Email Security Appliance (ESA) integration with Threat Response, you must first enable the integration in ESA. You then enable Threat Response in Security Services Exchange (SSE), add the device and register it. After this is completed, you add the ESA module in Threat Response.
Note: Customers with multiple ESAs reporting to an SMA can use the SMA Module configuration for Email Security. Customers that do not have an SMA can use the ESA Module for integration.
1) In ESA, navigate to Networks > Cloud Service Settings > Edit Settings, enable Threat Response integration and confirm that ESA is ready to accept a registration token.
2) In Threat Response, click the Settings icon (gear) and then click Devices > Manage Devices to be taken to Security Services Exchange.
3) Enable Cisco Threat Response integration on the Cloud Services tab, and then click the Devices tab and click the + icon to add a new device.
4) Specify the token expiration time (the default is 1 hour), and click Continue.
5) Copy the generated token and confirm the device has been created.
6) Navigate to your ESA (Network > Cloud Service Settings) to insert the token, and then click Register.
Confirm successful registration by reviewing the status in Security Services Exchange and confirm the SMA is displayed on the Devices page in Threat Response.
In Threat Response, complete the Add New Email Security Appliance Module form:
++ Module Name - Leave the default name or enter a name that is meaningful to you.
++ Registered Device - From the drop-down list, choose the device you registered in Security Services Exchange.
++ Request Timeframe (days) - Enter the timeframe (in days) for querying the API endpoint (default is 30 days).
Click Save to complete the ESA module configuration.
I hope the above helps and answers your query.
Cheers,
Pratham