07-23-2019 05:10 PM - edited 07-23-2019 05:11 PM
Is it possible to quarantine mails based on the threat category?
I can see in the message details an entry "Threat Category: Phishing", and in the SMA I can search for them in the Sender Domain Reputation report and also in message tracking, but how can I quarantine them?
There are several threat categories: Banking fraud, bogon, botnets, cryptojacking, phishing, etc…
Maybe via message filter? It seems there is no way via Content Filter.
07-25-2019 06:35 PM
Hi mdemerutis,
As of now you can create a message filter with a condition on "sdr-reputation" and "sdr-age". I also tried to look into some internal documents related to SDR, but there was no filter on the basis of "Threat Category" which I came across. Below are the sample message filters mentioned in the user guide which you can refer to:
Link of User Guide for reference:
There is a section which talks about Message Filters and Content Filters, and it also highlights two sample message filters.
If you want a condition specific to "Threat Category" to be added to Content Filters, you can reach out to your Cisco Account Manager or Cisco TAC to file an Enhancement Request for the required condition.
Since you also mentioned the occurrence of "Consolidated Sender Reputation" being prone to false positives, you can submit SDR disputes by opening a support request with the Cisco Technical Assistance Center (TAC).
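An illustration of the two message-filter conditions named above, added here as an example and not taken from the thread or copied from the user guide: the first quarantines on the SDR verdict, the second on sender domain age. The syntax follows the AsyncOS message filter conventions for `sdr-reputation` and `sdr-age` as I know them; the filter names are placeholders, the empty string is the (unused) domain exception list, "Policy" is the default policy quarantine, and the `#` lines are annotations to strip before pasting into the `filters` CLI. Verify the condition syntax against the user guide for your AsyncOS release.

```text
# Added example. Quarantine mail whose SDR verdict is 'awful' or 'poor'.
# Second argument: name of a domain exception list (empty = none); populating
# it with known-good partner domains is the lever against the false positives
# mentioned in this thread.
Quarantine_SDR_Awful_Poor:
if (sdr-reputation (['awful', 'poor'], ""))
{
    quarantine("Policy");
}

# Added example. Quarantine mail from sender domains registered less than
# one month ago, a common trait of phishing infrastructure.
Quarantine_SDR_Young_Domain:
if (sdr-age ("months", <, 1, ""))
{
    quarantine("Policy");
}
```

Neither condition can test "Threat Category" directly; they approximate it through the consolidated verdict and domain age, so review the Policy quarantine regularly while tuning the verdict list and exception list.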
07-23-2019 10:37 PM
Hello mdemerutis,
Since the disposition is on Sender Domain Reputation, you can quarantine these emails with Content Filters, as "Threat Category: Phishing" will always be associated with a "Consolidated Sender Reputation" which has dispositions such as Awful, Poor, Tainted, Weak, etc.
You can create a Content Filter in the GUI > Mail Policies > Incoming Content Filter > Add Filter.
1) Add condition as Domain Reputation and select the desired range under "Sender Domain Reputation Verdict".
2) Add Action as Quarantine.
Regards,
Aakash Sengar
07-24-2019 09:17 AM
Hi aasengar, thx for your reply.
I have found that quarantining mails based on the "Consolidated Sender Reputation" is prone to false positives, at least in my environment, but I have also noticed that the verdict of "Threat Category: Phishing" is very accurate; that's why I was hoping to be able to quarantine only by "Threat Category: Phishing" instead of the "Consolidated Sender Reputation".
Right now I'm using your suggestion to rewrite the subject of mails with SDR awful and poor through a content filter.
Do you know if there is a way to call the "Consolidated Sender Reputation" and "Threat Category" info through a content filter or message filter?
07-26-2019 07:57 AM
02-17-2020 07:27 AM
@mdemerutis wrote:
Thx aasengar, I will take a look into filing an Enhancement Request.
Hi, just wondering: Did you get anywhere with this? I am facing the exact same issue and I was hoping this has already been solved.
Thanks!
02-17-2020 07:57 AM
Hi,
Currently, the feature is not available for content filters, and below is the enhancement request for the same:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq98917
Cheers,
Pratham
07-24-2019 04:15 AM
The threat category you have mentioned is getting identified with Outbreak Filters, and the subject tag is getting prepended there. You can modify this according to the policy requirement. I don't think this is because of reputation, because reputation will be applied only on the SMTP connection and will not modify the email properties like adding a tag to the Subject.
02-17-2020 07:29 AM
Are you saying that Outbreak filters react to the Threat Category assigned by SDR? That would be news to me. I was under the assumption that Outbreak Filters solely work based on the Outbreak Filter rules, not on SDR.