
md5 of attachments

slicciardola (Level 1)

Hi all,

Is it possible to parse the hashes of attachments in some way, even without AMP?

Thanks!

13 Replies

marc.luescherFRE (Spotlight)

Version 13 of the ESA provides you the option to use CTR, as outlined below in the readme.

What's New in AsyncOS 13.0

The following are the key features and enhancements in AsyncOS 13.0:

  • Support for Single Sign-on using SAML
  • Enhanced Mailbox Auto Remediation on multiple deployments
  • Support for Unified Common Event Format (CEF)-based Logging (Consolidated Event Logs)
  • New web interface for Monitoring, Quarantine, and Tracking
  • Ability to provide a safe view (PDF version) of message attachments detected as malicious or suspicious
  • Support for Cisco Threat Response Integration
  • Support for collecting feature usage statistics on the new web interface to improve user experience


More detailed info:


Cisco Threat Response Integration

Try Cisco Threat Response today for free

Want to dramatically cut the time needed to detect and remediate threats? Cisco Threat Response can help with that. 

The good news? As an Email Security customer, you get free access to Threat Response.

Click US Cloud or EU Cloud to get started. We've created a three-step guide to help you get started. 

Questions? Contact threat-response-early@cisco.com.

Wait, what is Threat Response? 

It is a single application that automates integrations across Cisco Security products and accelerates key security operations functions: detection, investigation, and remediation. Learn more here.

Note: If you are using the Cisco Centralized Management appliance, you can register your appliance with the Cisco Threat Response portal. You can use the pivot menu and case book widget functionality of the Cisco Threat Response portal with your appliance.

However, if you are only using the Cisco Email Security appliance, then you can only register your appliance with the Cisco Threat Response portal. The complete functionality of the Cisco Threat Response portal will be available shortly and you will be notified about the same.


CTR allows you to paste in an IOC, hash or URL and get an analysis.

I hope that helps

-Marc

So, for all, to be clear:

With AsyncOS 13 will we be able to have the attachment with the corresponding hash? Since we have 2 ESA and one SMA it should be available for us for free.

Why do we need those hashes? Because we want to integrate into our SOC with some other systems that need hash values.

Thanks everybody for the support.

With the above ESA appliances, you will be able to set up a Cisco Security account and use that account to log in to Cisco Threat Response. Depending on the location of your data center, you have to choose the CTR console. Below is the one for the U.S.:

https://visibility.amp.cisco.com/

You then need to integrate Cisco Threat Response with the SMA; the steps can be found at the link below:

https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma12-0/user_guide/b_SMA_Admin_Guide_12_0/b_NGSMA_Admin_Guide_chapter_00.html

If you have an AMP license with the ESA, then you can enable AMP in the incoming mail policy.

Once enabled, the AMP engine inside the ESA is going to calculate the hash of the attached file and check its reputation in its database over the cloud, and will come up with one of 3 verdicts as follows:

Good or clean: attachment will be allowed

Malicious: quarantine

Unknown: it will send the complete file to sandboxing in Threat Grid (cloud based) for further analysis. Until the results come back, we have 2 options: either hold the file until the verdict comes back, or allow the file to be downloaded and quarantine it later on if a negative score or verdict comes back from the cloud. This feature is called 'MAR'.

With the above being said, from a configuration perspective you have to enable AMP in the incoming policy, and AMP will take care of the rest.

For the sandboxing, if you have an AMP license then by default 200 files are allowed to be submitted by AMP per day.

In addition to the above, the hash of the file will not be sent to an external system; however, you can send mail logs to an external syslog server using SCP push.

A hash is a fingerprint of a file that is a unique value. This hash is used to check the reputation of the file; in the case of the ESA, the AMP engine as described above will be using this hash to check the reputation of the file. See the attached snapshots for reference.

Below is the link to configure pushing logs to an external server:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200985-Configuring-SCP-push-of-mail-logs-on-ESA.html
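The reply above describes the pipeline in words: hash each attachment, look the hash up, and then deliver, quarantine, or (for an unknown file) either hold for sandboxing or deliver now and remediate later. The following is an added example, not code from the thread or from Cisco, that does the same thing offline on a constructed message: it parses a raw RFC 822 message with Python's standard email library, fingerprints every attachment (MD5, SHA-1 and SHA-256; AMP keys on SHA-256, MD5 is only kept for legacy feeds), and applies the three-way verdict logic. The reputation table is a hypothetical stand-in for the AMP cloud lookup, the sample attachments are constructed (the first is the harmless EICAR test string), and the hold_unknown flag is an assumed knob modelling the two options for unknown files that the post mentions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed attachment contents (not from the thread).  EICAR is the
# standard harmless AV test string; the other two are arbitrary bytes.
MALICIOUS_BYTES = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLEAN_BYTES = b"%PDF-1.4\n% constructed clean sample\n%%EOF\n"
UNKNOWN_BYTES = b"MZ\x90\x00constructed-never-seen-binary"

# Hypothetical stand-in for the cloud reputation lookup, keyed by SHA-256.
# Anything not present is treated as UNKNOWN, as a cloud lookup would.
REPUTATION = {
    hashlib.sha256(MALICIOUS_BYTES).hexdigest(): "MALICIOUS",
    hashlib.sha256(CLEAN_BYTES).hexdigest(): "CLEAN",
}


def build_sample_eml() -> bytes:
    """Construct a three-attachment message purely for the demo."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "soc@example.test"
    msg["Subject"] = "Constructed sample with attachments"
    msg.set_content("See attached.")
    msg.add_attachment(MALICIOUS_BYTES, maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    msg.add_attachment(CLEAN_BYTES, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(UNKNOWN_BYTES, maintype="application",
                       subtype="octet-stream", filename="tool.exe")
    return msg.as_bytes()


def fingerprint(data: bytes) -> dict:
    """Hash the decoded attachment body; SHA-256 is the lookup key."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def decide(disposition: str, hold_unknown: bool) -> str:
    """Map a reputation verdict to the action the post describes."""
    if disposition == "CLEAN":
        return "deliver"
    if disposition == "MALICIOUS":
        return "quarantine"
    # UNKNOWN: hold pending sandbox analysis, or deliver now and rely on
    # retrospective remediation (the MAR option the post mentions).
    return "hold-for-sandbox" if hold_unknown else "deliver-then-remediate"


def classify_attachments(raw: bytes, hold_unknown: bool = True) -> list:
    """Parse a raw RFC 822 message and return one record per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # transfer-decoded bytes
        if data is None:  # e.g. a nested message/rfc822 part; skip it
            continue
        hashes = fingerprint(data)
        disposition = REPUTATION.get(hashes["sha256"], "UNKNOWN")
        records.append({
            "filename": part.get_filename(),
            "size": len(data),
            **hashes,
            "disposition": disposition,
            "action": decide(disposition, hold_unknown),
        })
    return records


if __name__ == "__main__":
    for rec in classify_attachments(build_sample_eml()):
        print(f"{rec['filename']:<12} {rec['disposition']:<10} "
              f"{rec['action']:<22} sha256={rec['sha256']}")
```

Running it prints one line per attachment with the verdict and the chosen action; the records it returns (filename, size, three hashes, disposition, action) are the shape of data a SOC would want pushed out, which is exactly what the thread says the ESA does not export directly without AMP. Hashing must be done on the transfer-decoded body, not the base64 text, or the fingerprint will never match a reputation feed.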

Muhammad Awais Khan (Cisco Employee)

What do you want to achieve with that?

You can calculate the hash of any file using online tools.

Further, you can check the reputation of the file using the filename or hash on free threat intelligence sites like VirusTotal.com.

 

Hi there,

I am not from sales, so I can only tell you how we are using it, since it is free:

a) it allows us to paste file hashes and URLs for analysis using Cisco threat sources as well as some others like VirusTotal with one paste, instead of checking multiple sources

b) it allows us to see which email user got an email message with a matching URL or file hash and what the verdict was

c) we can paste a list of reported IOCs into the investigation window and see if any of them were seen in our email and Umbrella architecture.

I hope that helps

Marc


Adding to @marc.luescherFRE: Cisco Threat Response, or CTR, comes free when you buy select Cisco security products such as AMP4E, Umbrella and Cisco Email Security, and the list keeps expanding :)

Muhammad Awais Khan (Cisco Employee)

@slicciardola just curious to know whether there is something else you are looking for in your requirement to fetch the file hashes?

Hi all,

I've successfully registered with Cisco Threat Response; the question is, how can I now view the hashes of what is attached to our emails directly in the SMA?

Thanks

This is a three-step process:

a) go into your SMA under Network / Cloud Services / Enable Cloud Services and wait about 15 min

b) check that cloud services are enabled

c) go to CTR under the settings icon (gear), Devices, Manage Devices, click + to add a new device, give it a short name like SMA1 and use the default token expiration time of 1 hour, then press Continue

d) copy the generated token and enter it into the Register Token setting on the SMA, which should now be displayed

e) from now on CTR will query the SMA as well.

I hope that helps

-Marc

Done everything, device registered, I can run queries, but it always returns "timeout error".

I would suggest you re-add the integration. I just tried the ESA integration with CTR yesterday. Everything looks good and straightforward. Let me know if you want to see anything from my dashboards.

Just realized a better solution has been posted above, removing my feedback :)