Showing results for 
Search instead for 
Did you mean: 

ESA and Cisco Threat Response integration

I see how to integrate Cisco Threat Response with an SMA, AMP for endpoints, Threatgrid, etc. What I don't see is how to integrate with an ESA - ironport device directly. Is this possible, or do I need an SMA to take advantage of this? 


Re: ESA and Cisco Threat Response integration

At the moment yes, you need an SMA to get the ability to search for the various mail artifacts.

If you have AMP4E and ESA tied there, file directions will show up with the ESA as the client...
Hall of Fame Guru

Re: ESA and Cisco Threat Response integration

FYI: AsyncOS adds direct integration between ESA and CTR - no SMA needed.
Cisco Employee

Re: ESA and Cisco Threat Response integration


ESA can be directly integrated with the Cisco Threat Response, however, the prerequisite for the same is ESA should be running minimum AsyncOS 13.0.0-314 (LD) release.

When configuring Email Security Appliance (ESA) integration with Threat Response, you must first enable the integration in ESA. You then enable Threat Response in Security Services Exchange (SSE), add the device and register it. After this is completed, you add the ESA module in Threat Response.

Note: Customers with multiple ESAs reporting to an SMA can use the SMA Module configuration for Email Security. Customers that do not have an SMA, can use the ESA Module for integration.

1) In ESA, navigate to Networks > Cloud Service Settings > Edit Settings, enable Threat Response integration and confirm tha ESA is ready to accept a registration token.
2) In Threat Response, click the Settings icon (gear) and then click Devices > Manage Devices to be taken to Security Services Exchange
3) Enable Cisco Threat Response integration on the Cloud Services tab, and then click the Devices tab and click the + icon to add a new device.
4) Specify the token expiration time (the default is 1 hour), and click Continue.
5) Copy the generated token and confirm the device has been created.
6) Navigate to your ESA (Network > Cloud Service Settings) to insert the token, and then click Register.

Confirm successful registration by reviewing the status in Security Services Exchange and confirm the SMA is displayed on the Devices page in Threat Response.


In Threat Response, complete the Add New Email Security Appliance Module form:

++ Module Name - Leave the default name or enter a name that is meaningful to you.
++ Registered Device - From the drop-down list, choose the device you registered in Security Services Exchange.
++ Request Timeframe (days) - Enter the timeframe (in days) for querying the API endpoint (default is 30 days).


Click Save to complete the ESA module configuration.

I hope the above helps and answers your query.