Quarantine mails based on Threat Category

Is it possible to quarantine mails based on the threat category?

I can see in the message details an entry "Threat Category: Phishing", and in the SMA I can search for them in the Sender Domain Reputation report and also in message tracking, but how can I quarantine them?

There are several threat categories: Banking fraud, bogon, botnets, cryptojacking, phishing, etc.

Maybe via message filter? It seems there is no way via Content Filter.

Cisco Employee

Hello mdemerutis,

Since the disposition is based on Sender Domain Reputation, you can quarantine these emails with Content Filters, as "Threat Category: Phishing" will always be associated with a "Consolidated Sender Reputation" which has dispositions such as Awful, Poor, Tainted, Weak, etc.

You can create a Content Filter on GUI > Mail Policies > Incoming Content Filter > Add Filter.

1) Add a condition "Domain Reputation" and select the desired range under "Sender Domain Reputation Verdict".

2) Add the action "Quarantine".

Regards,

Aakash Sengar


Hi aasengar, thanks for your reply.

I have found that quarantining mails based on the "Consolidated Sender Reputation" is prone to false positives, at least in my environment, but I have also noticed that the verdict "Threat Category: Phishing" is very accurate; that's why I was hoping to be able to quarantine only by "Threat Category: Phishing" instead of by the "Consolidated Sender Reputation".

Right now I'm using your suggestion to rewrite the subject of mails with SDR Awful and Poor through a content filter.

Do you know if there is a way to call the "Consolidated Sender Reputation" and "Threat Category" info from a content filter or message filter?

Accepted Solution

Hi mdemerutis,

As of now you can create a message filter with a condition on "sdr-reputation" and "sdr-age". I also tried to look into some internal documents related to SDR, but I did not come across any filter based on "Threat Category". Below are the sample message filters mentioned in the user guide which you can refer to:

Link to the User Guide for reference:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0110010.html#id_87828

There is a section which talks about Message Filters and Content Filters, and it also highlights 2 sample message filters.

If you want a condition specific to "Threat Category" added to Content Filters, you can reach out to your Cisco Account Manager or Cisco TAC to file an Enhancement Request for the required condition.

Since you also mentioned the "Consolidated Sender Reputation" being prone to false positives, you can submit SDR disputes by opening a support request with the Cisco Technical Assistance Center (TAC).

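As an added illustration of the two message filter conditions named in this reply ("sdr-reputation" and "sdr-age"), and of the verdict-based quarantine that Aakash's content filter steps above achieve through the GUI, here are two filters written in AsyncOS message filter syntax. They are my own example, not the sample filters from the Cisco guide and not the original poster's content filter. The filter names, the "Policy" quarantine name, the exception-list name and the inserted header are assumptions, and the exact argument forms of sdr-reputation and sdr-age (the verdict list, the second string argument, which as I read the guide names a domain exception list, and the age comparison) should be confirmed against the linked guide for your AsyncOS version. Lines beginning with # are explanatory; drop them if the filters CLI on your version does not accept comments.

```text
# Added example for this thread (not the guide's sample filters).
# Rule and action names follow the ESA 12.0 user guide linked above;
# filter names, "Policy", "sdr_exception_list" and the header are assumptions.

# 1) Quarantine only on the worst two SDR verdicts (the ones the OP already
#    tags) rather than on every non-good verdict, to limit false positives.
#    Second argument: name of a domain exception address list ("" = none).
quarantine_sdr_awful_poor:
if (sdr-reputation (['awful', 'poor'], "sdr_exception_list"))
{
    log-entry("SDR verdict awful/poor: quarantined");
    quarantine("Policy");
}

# 2) Recently registered sender domains are a separate signal (sdr-age).
#    Tag them with a header for tracking instead of quarantining outright.
tag_sdr_young_domain:
if (sdr-age (< 5d, ""))
{
    insert-header("X-SDR-Age", "under-5d");
}
```

Enter each filter through the CLI filters command (new) and commit. Restricting the first filter to Awful and Poor and listing known-good sender domains in the exception list is the lever this thread points at for keeping false positives down while no Threat Category condition exists; the sdr-age filter only tags, so its hits can be watched in message tracking before it is tightened to a quarantine.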
Thanks aasengar, I will take a look into filing an Enhancement Request.
@mdemerutis wrote:

Thanks aasengar, I will take a look into filing an Enhancement Request.

Hi, just wondering: Did you get anywhere with this? I am facing the exact same issue and I was hoping this has already been solved. 

Thanks!


Hi,

Currently, the feature is not available for content filters, and below is the enhancement request for the same:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq98917

Cheers,

Pratham


The threat category you have mentioned is identified by Outbreak Filters, and the subject tag is prepended there. You can modify this according to the policy requirement. I don't think this is because of reputation, because reputation is applied only at the SMTP connection and will not modify the email properties, like adding a tag to the Subject.


Are you saying that Outbreak Filters react to the Threat Category assigned by SDR? That would be news to me. I was under the assumption that Outbreak Filters work solely based on the Outbreak Filter rules, not on SDR.