ESA how to add incoming content filter on Outbreak Level 2

Tralblazr
Level 1

I am attempting to create a content filter on emails that have Outbreak Level equal to 2.  I have recently been tasked with changing the typical Outbreak threshold from 3-5 to also include level 2 emails.  I ran a query on the number of these emails that come through CES monthly and there are far more (200k+) than any other level. I would like to further review these emails by creating a content filter and sending these emails to a newly created Quarantine.  I'm currently stuck on the Condition that would catch these emails and follow the Action of quarantining these emails to my new location.  What Condition would work for these Level 2 emails?  My thinking is to use the 'Other Header' condition but I'm not sure of the syntax I should be using.
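One way to do the level-2 review offline, on mail the appliance has already scanned and stamped, rather than inside a content filter (an added example, not code from this thread or from Cisco): it assumes the ESA is configured to add an outbreak status header named X-IronPort-Outbreak-Status whose value contains "level N", and the sample messages below are constructed; verify the header name and format against your own appliance's header-addition settings before relying on it.

```python
import re
from collections import Counter
from email import policy
from email.parser import Parser

# Assumed header name and value format; check what your ESA actually stamps.
OUTBREAK_HEADER = "X-IronPort-Outbreak-Status"
LEVEL_RE = re.compile(r"\blevel\s*(\d)\b", re.IGNORECASE)


def outbreak_level(raw_message):
    """Return the outbreak threat level stamped on a message, or None if absent."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    value = msg.get(OUTBREAK_HEADER)
    if not value:
        return None
    match = LEVEL_RE.search(str(value))
    return int(match.group(1)) if match else None


def triage(messages, review_level=2):
    """Count messages per outbreak level and list those at review_level.

    Returns (counts, to_review) where to_review holds (Message-ID, Subject)
    pairs for a manual quarantine-style review of the chosen level.
    """
    counts = Counter()
    to_review = []
    for raw in messages:
        level = outbreak_level(raw)
        counts[level] += 1
        if level == review_level:
            msg = Parser(policy=policy.default).parsestr(raw)
            to_review.append((str(msg["Message-ID"]), str(msg["Subject"])))
    return counts, to_review


# Constructed sample messages: two at level 2, one at level 3, one unstamped.
SAMPLE_MESSAGES = [
    "From: a@example.com\nSubject: Invoice 1\nMessage-ID: <1@example.com>\n"
    "X-IronPort-Outbreak-Status: Yes, level 2, Unknown - Unknown\n\nbody\n",
    "From: b@example.com\nSubject: Shipping notice\nMessage-ID: <2@example.com>\n"
    "X-IronPort-Outbreak-Status: Yes, level 3, Unknown - Unknown\n\nbody\n",
    "From: c@example.com\nSubject: Team lunch\nMessage-ID: <3@example.com>\n\nbody\n",
    "From: d@example.com\nSubject: Invoice 2\nMessage-ID: <4@example.com>\n"
    "X-IronPort-Outbreak-Status: Yes, level 2, Unknown - Unknown\n\nbody\n",
]

if __name__ == "__main__":
    counts, to_review = triage(SAMPLE_MESSAGES)
    print(dict(counts))
    for message_id, subject in to_review:
        print(message_id, subject)
```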

3 Replies

Libin Varghese
Cisco Employee

Outbreak filter scanning happens at the end of the work queue processing, right after content filters.

Hence, a content filter cannot be added to take action on outbreak levels.

Regards

Libin Varghese

If that is the case, how can I forward those emails that are released to go into the users' quarantine?  We would like to have these emails quarantined for a 'cleaner' Inbox experience.

Hello tralblazr,

I believe when emails are marked by rules on outbreak filters, they are sent to the outbreak quarantine (this is fixed and cannot be altered for Viral outbreaks).

But other threats (generally URLs which may trigger the outbreak filters) you find under message modification options. If you change the threat level to your desired level 2 (which means only take the message modification settings seen here) and where it says "Alternate Destination mail host (Other Threats Only):" put in 'the.euq.queue' - this will force any emails which match the threat level set here under other threats triggered on outbreak filter rules to go straight to the end user quarantines.

While this would meet the requirements in this circumstance, I would recommend using it at your own discretion; perhaps test it on yourself or some specific users to see if it really does meet your requirement before putting it into full production.

Regards,

Matthew