2722 Views, 5 Helpful, 8 Replies

Quarantine mails based on Threat Category

mdemerutis (Level 1)

Is it possible to quarantine mails based on the threat category?

 

I can see in the message details an entry "Threat Category: Phishing", and in the SMA I can search for them in the Sender Domain Reputation report and also in Message Tracking, but how can I quarantine them?

 

There are several threat categories: Banking fraud, bogon, botnets, cryptojacking, phishing, etc…

 

Maybe via a message filter? It seems there is no way via a Content Filter.

Accepted Solution

Hi mdemerutis,

 

As of now you can create a message filter with conditions on "sdr-reputation" and "sdr-age". I also tried to look into some internal documents related to SDR, but I did not come across any filter based on "Threat Category". Below are the sample message filters mentioned in the user guide which you can refer to:

 

Link of User Guide for reference:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0110010.html#id_87828

 

There is a section which talks about Message Filters and Content Filters, and it also highlights 2 sample message filters.

If you want a condition specific to "Threat Category" to be added to Content Filters, you can reach out to your Cisco Account Manager or Cisco TAC to file an Enhancement Request for the required condition.

 

Since you also mentioned the "Consolidated Sender Reputation" being prone to false positives, you can submit SDR disputes by opening a support request with the Cisco Technical Assistance Center (TAC).

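The accepted solution names the two SDR conditions that message filters do expose, sdr-reputation and sdr-age, without showing a filter. The following is an added example, not text from the thread or a verbatim copy of Cisco's guide: a pair of AsyncOS message filters that act on the Sender Domain Reputation verdict, which is the closest available substitute for filtering on Threat Category. The rule form `sdr-reputation (['awful', 'poor'], "")` and the verdict names (awful, poor, tainted, weak, unknown, neutral, good) follow the AsyncOS 12.0 message-filter documentation linked above; the filter names, the quarantine name "Policy", the inserted header name and the split between quarantining and tagging are assumptions for this example, and the argument forms should be checked against the linked guide for your AsyncOS release before loading the filter with the `filters` CLI command.

```text
Quarantine_SDR_Awful_Poor:
if (sdr-reputation (['awful', 'poor'], ""))
{
    quarantine("Policy");
}

Tag_SDR_Tainted_Weak:
if (sdr-reputation (['tainted', 'weak'], ""))
{
    insert-header("X-SDR-Verdict", "tainted-or-weak");
}
```

The empty second argument is the optional list of sender headers to evaluate; leaving it empty evaluates the envelope sender. The split mirrors the false-positive concern raised later in the thread: only the two worst verdicts go to the Policy quarantine, while the weaker verdicts are only marked with a header (assumed name X-SDR-Verdict) so that an incoming content filter or a downstream mailbox rule can decide what to do with them. Because "Threat Category" itself is not a filter condition, neither filter can distinguish a Phishing-categorised sender from any other domain with the same verdict; the verdict is what you are actually matching on. Comments are left out of the filter body because comment syntax inside message filters is not something the linked guide is being relied on for here.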

8 Replies

aasengar (Cisco Employee)

Hello mdemerutis,

 

Since the disposition is based on Sender Domain Reputation, you can quarantine these emails with Content Filters, as "Threat Category: Phishing" will always be associated with a "Consolidated Sender Reputation" which has dispositions such as Awful, Poor, Tainted, Weak, etc.

 

You can create a Content Filter in the GUI under Mail Policies > Incoming Content Filters > Add Filter.

1) Add condition as Domain Reputation and select the desired range under "Sender Domain Reputation Verdict".

2) Add Action as Quarantine.

 

Regards,

Aakash Sengar

 

Hi aasengar, thanks for your reply.

 

I have found that quarantining mails based on the "Consolidated Sender Reputation" is prone to false positives, at least in my environment, but I have also noticed that the verdict "Threat Category: Phishing" is very accurate; that's why I was hoping to be able to quarantine only by "Threat Category: Phishing" instead of by the "Consolidated Sender Reputation".

 

Right now I'm using your suggestion to rewrite the subject of mails with SDR Awful and Poor through a content filter.

 

Do you know if there is a way to call the "Consolidated Sender Reputation" and "Threat Category" info through a content filter or message filter?



Thanks aasengar, I will take a look into filing an Enhancement Request.


@mdemerutis wrote:

Thanks aasengar, I will take a look into filing an Enhancement Request.

Hi, just wondering: did you get anywhere with this? I am facing the exact same issue and I was hoping this had already been solved.

Thanks!

Hi,

 

Currently, the feature is not available for content filters, and below is the enhancement request for the same:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq98917

 

Cheers,

Pratham

Narasimhan VS (Level 1)

The threat category you have mentioned is being identified by Outbreak Filters, and the subject tag is being prepended there. You can modify this according to the policy requirement. I don't think this is because of reputation, because reputation is applied only in the SMTP connection and will not modify the email properties, such as adding a tag to the Subject.

Are you saying that Outbreak Filters react to the Threat Category assigned by SDR? That would be news to me. I was under the assumption that Outbreak Filters work solely on the Outbreak Filter rules, not on SDR.
