Cisco Secure Email Support Community

Dhanesh
Cisco Employee

ESA support for STIX/TAXII API

Hi,

Does Cisco ESA solution has support for STIX/TAXII API ?

20 REPLIES

Awesome!! That worked - Thanks for your help Marc!!

Does the message tracking detail indicate if a message was blocked due to matching criteria on a content filter / HAT list with external threat feed input?

I'm asking because I would like to create a validation plan in my test environment to see how the threat feeds are affecting traffic.

Not by default. I add a log entry in the content filter so I can see that info in the log.




You need to do some manual work for this to be easy for you. But first a warning: a lot of the free STIX/TAXII feeds are not the quality they should be. I would not take any decision based only on the results of a STIX/TAXII feed, based on experience. Some of the better paid ones can be fully trusted.

 

Create three Policy Quarantines

TrapURLTAXII

TrapURLDomain

TrapURLFiles

 

then create content filters like:

TrapURLTaxii: if (url-external-threat-feeds (['HailATaxii_7days'], "", 1, 1)) { duplicate-quarantine("TrapURLTAXII"); log-entry("--TrapURLTAXII--"); }

TrapDomainTaxii: if (domain-external-threat-feeds (['HailATaxii_7days'], ['mail-from', 'from', 'reply-to'], "Domain_BypassList")) { duplicate-quarantine("TrapURLDomain"); log-entry("--TrapDomainTAXII--"); }

TrapFileTaxii: if (file-hash-etf-rule (['HailATaxii_7days'], "")) { duplicate-quarantine("TrapURLFiles"); log-entry("--TrapFileTAXII--"); }

That way you can test in production without impacting live traffic.

 

Now you can either look at your hits in the 3 quarantines or grep the --string-- in mail_logs using CLI.

 

I hope that helps

 

-Marc
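The grep step above can be turned into a small tally so you can see, per filter tag, how many messages the threat feeds flagged during a test window. This is an added example, not part of Marc's post and not Cisco code: the mail_logs lines are constructed, and the "Custom Log Entry:" wording is an assumption about how AsyncOS records the log-entry() action, so adjust the regex if your logs look different. The tags (--TrapURLTAXII--, --TrapDomainTAXII--, --TrapFileTAXII--) are the ones from the content filters above.

```python
import re
from collections import defaultdict

# Constructed sample mail_logs excerpt (not taken from a real appliance).
# Assumption: AsyncOS writes the content-filter log-entry() text as
# "MID <n> Custom Log Entry: <text>"; change LOG_ENTRY_RE if yours differ.
SAMPLE_MAIL_LOGS = """\
Wed Jun  9 09:56:18 2021 Info: MID 1001 ICID 501 From: <alice@example.com>
Wed Jun  9 09:56:19 2021 Info: MID 1001 Custom Log Entry: --TrapURLTAXII--
Wed Jun  9 09:56:19 2021 Info: MID 1001 quarantined to "TrapURLTAXII" (content filter:TrapURLTaxii)
Wed Jun  9 09:57:02 2021 Info: MID 1002 ICID 502 From: <bob@example.net>
Wed Jun  9 09:57:03 2021 Info: MID 1002 Custom Log Entry: --TrapDomainTAXII--
Wed Jun  9 09:58:40 2021 Info: MID 1003 ICID 503 From: <carol@example.org>
Wed Jun  9 09:58:41 2021 Info: MID 1003 Custom Log Entry: --TrapURLTAXII--
Wed Jun  9 09:58:41 2021 Info: MID 1003 Custom Log Entry: --TrapFileTAXII--
Wed Jun  9 09:59:00 2021 Info: MID 1004 ICID 504 From: <dave@example.com>
Wed Jun  9 09:59:01 2021 Info: Message finished MID 1004 done
"""

# One line per log-entry() action: capture the message id and the --tag--.
LOG_ENTRY_RE = re.compile(
    r"\bMID (?P<mid>\d+) Custom Log Entry: --(?P<tag>[A-Za-z0-9_]+)--"
)
MID_RE = re.compile(r"\bMID (\d+)\b")


def tally_etf_hits(log_text):
    """Return {tag: sorted list of MIDs} for every --tag-- log-entry line.

    A message that matched several filters (e.g. URL and file hash) is
    counted once under each tag, which is what you want when judging
    each feed rule separately.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_ENTRY_RE.search(line)
        if m:
            hits[m.group("tag")].add(int(m.group("mid")))
    return {tag: sorted(mids) for tag, mids in hits.items()}


def hit_rate(log_text):
    """Fraction of distinct MIDs in the excerpt that hit at least one feed rule."""
    all_mids = {int(x) for x in MID_RE.findall(log_text)}
    flagged = set()
    for mids in tally_etf_hits(log_text).values():
        flagged.update(mids)
    return len(flagged) / len(all_mids) if all_mids else 0.0


if __name__ == "__main__":
    for tag, mids in sorted(tally_etf_hits(SAMPLE_MAIL_LOGS).items()):
        print(f"{tag}: {len(mids)} message(s) -> MIDs {mids}")
    print(f"feed hit rate: {hit_rate(SAMPLE_MAIL_LOGS):.0%}")
```

Run it against a mail_logs file you have pulled off the appliance (replace SAMPLE_MAIL_LOGS with the file contents) and compare the per-tag counts with what you see in the three policy quarantines; a feed whose hits are mostly legitimate senders is the kind Marc warns about, and the duplicate-quarantine action lets you spot that before the filter ever drops anything.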

 

 

 

Hey Marc,



Would you be willing to name the good ones?



Ken




I will move deeper into using APIs/OS later. But to reply to your query: this became mainly a consumer API/OS associated page, not so much about opening up and growing OSS for the community and network API.
