URL Filtering: Log all URL seen by the ESA

REJR77
Level 1

Hello,

Our customer would like to know if there is a way to log all URLs seen by the ESA during email inspection?

I mean even if the ESA thinks the URL is not malicious we would like to get a trace of all URLs so that we can investigate in case a user receives something bad.

The idea would be that by searching the URL in the logs we can see which users received it.

I was thinking of a URL reputation content filter with a condition:

if URL Reputation is -10;10 or noscore then add a log entry.

But does this dramatically use more resources on the appliance? And is it a best practice?

Thanks for any advice

Accepted Solutions

marc.luescherFRE
Spotlight

That is a good way to do it.

If I remember well, only the first 25 URLs are being logged to avoid major performance issues with that feature.

We log 2.900.000 emails for all URLs a day and our ESA keeps up.

So you should be fine,

Marc

NB: A pretty good technote: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html

Hey Marc,

How exactly are you logging all URLs? I'm using a content filter; all the things I'm trying don't seem to work. ($URL, $MatchedContent)

Ken

Hello Ken,

Do you have a condition for each type of URL? (Neutral, Malicious, Clean, None)

If I remember my tests, you have to make a Content Filter for each "Reputation".

Then in the mail logs you should see something like:

Wed Nov 5 21:11:11 2014 Info: MID 182 URL http:// www .yahoo.com has reputation 8.39 matched url-reputation-rule

Hope it helps
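
A sketch of the lookup the original question describes (find a URL in the mail logs, then list who received it), added here as an example and not part of any post in this thread. The URL line format is the one quoted above; the `To:` recipient line format, the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. URL lines follow the format quoted in the thread;
# the "To:" recipient line format is an assumption about the mail log.
SAMPLE_LOG = """\
Wed Nov 5 21:11:10 2014 Info: MID 182 ICID 41 RID 0 To: <alice@example.com>
Wed Nov 5 21:11:10 2014 Info: MID 182 ICID 41 RID 1 To: <bob@example.com>
Wed Nov 5 21:11:11 2014 Info: MID 182 URL http:// www .yahoo.com has reputation 8.39 matched url-reputation-rule
Wed Nov 5 21:12:02 2014 Info: MID 183 ICID 42 RID 0 To: <carol@example.com>
Wed Nov 5 21:12:03 2014 Info: MID 183 URL http://files.example.net/a.zip has reputation -2.10 matched url-reputation-rule
Wed Nov 5 21:13:40 2014 Info: MID 184 ICID 43 RID 0 To: <alice@example.com>
Wed Nov 5 21:13:41 2014 Info: MID 184 URL http://FILES.example.net/a.zip has reputation -2.10 matched url-reputation-rule
"""

RCPT_RE = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]+)>")
URL_RE = re.compile(r"MID (\d+) URL (.+?) has reputation (\S+) matched (\S+)")

def normalize(url):
    """Drop embedded whitespace and lowercase scheme and host; keep the path's case."""
    url = "".join(url.split())
    scheme, sep, rest = url.partition("://")
    if not sep:  # no scheme present: treat the whole string as host/path
        scheme, rest = "", url
    host, slash, path = rest.partition("/")
    return scheme.lower() + sep + host.lower() + slash + path

def index_log(lines):
    """Return (recipients keyed by MID, list of (MID, url, reputation) hits)."""
    rcpts, hits = defaultdict(set), []
    for line in lines:
        if m := RCPT_RE.search(line):
            rcpts[m.group(1)].add(m.group(2).lower())
        elif m := URL_RE.search(line):
            hits.append((m.group(1), normalize(m.group(2)), m.group(3)))
    return rcpts, hits

def recipients_of(url, lines):
    """Map each MID that carried `url` to the sorted recipients of that MID."""
    rcpts, hits = index_log(lines)
    wanted = normalize(url)
    return {mid: sorted(rcpts.get(mid, ())) for mid, u, _ in hits if u == wanted}

if __name__ == "__main__":
    found = recipients_of("http://files.example.net/a.zip", SAMPLE_LOG.splitlines())
    for mid, users in found.items():
        print(f"MID {mid}: {', '.join(users)}")
```

If only the first URLs of each message are logged, as the accepted answer recalls, an empty result does not show that nobody received the URL.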