02-22-2021 10:03 AM
Hello,
Our customer would like to know if there is a way to log all URLs seen by the ESA during email inspection?
I mean even if the ESA thinks the URL is not malicious we would like to get a trace of all URLs so that we can investigate in case a user receives something bad.
The idea would be that by searching the URL in the logs we can see which users received it.
I was thinking of a URL reputation content filter with a condition:
if URL Reputation is -10;10 or noscore then add a log entry.
But does this dramatically use more resources on the appliance? And is it a best practice?
Thanks for any advice
02-22-2021 10:40 AM
That is a good way to do it.
If I remember well, only the first 25 URLs are being logged to avoid major performance issues with that feature.
We log 2.900.000 emails for all URLs a day and our ESA keeps up.
So you should be fine,
Marc
NB A pretty good technote : https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html
03-31-2021 07:49 AM
Hey Marc,
How exactly are you logging all urls? I'm using a content filter, all the things I'm trying don't seem to work. ($URL, $MatchedContent)
Ken
03-31-2021 08:39 AM
Hello Ken,
Do you have a condition for each type of URL? (Neutral, Malicious, Clean, None)
If I remember my tests, you have to make a Content Filter for each "Reputation".
Then in the mail logs you should see something like:
Wed Nov 5 21:11:11 2014 Info: MID 182 URL http:// www .yahoo.com has reputation 8.39 matched url-reputation-rule
Hope it helps
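An added example, not posted by anyone in this thread and not Cisco code: once the content filters write URL entries like the one quoted above, the "which users received this URL" lookup can be done offline by joining URL lines to recipient lines on the MID. The sample log is constructed, and the `RID ... To:` recipient line format is an assumption about the same mail log.

```python
import re
from collections import defaultdict

# Constructed sample. URL lines follow the format quoted in the thread;
# the "To:" recipient line format is an assumption.
SAMPLE_LOG = """\
Wed Nov 5 21:11:10 2014 Info: MID 182 ICID 901 From: <sender@example.net>
Wed Nov 5 21:11:10 2014 Info: MID 182 ICID 901 RID 0 To: <alice@example.com>
Wed Nov 5 21:11:10 2014 Info: MID 182 ICID 901 RID 1 To: <bob@example.com>
Wed Nov 5 21:11:11 2014 Info: MID 182 URL http://www.example.org/login has reputation 8.39 matched url-reputation-rule
Wed Nov 5 21:12:02 2014 Info: MID 183 ICID 902 RID 0 To: <carol@example.com>
Wed Nov 5 21:12:03 2014 Info: MID 183 URL http://files.example.org/a.zip has reputation -2.10 matched url-reputation-rule
Wed Nov 5 21:13:40 2014 Info: MID 184 ICID 903 RID 0 To: <Carol@example.com>
Wed Nov 5 21:13:41 2014 Info: MID 184 URL http://www.example.org/login has reputation 8.39 matched url-reputation-rule
"""

URL_RE = re.compile(r"MID (\d+) URL (.+?) has reputation (\S+) matched")
RCPT_RE = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]+)>")


def recipients_by_url(log_text):
    """Map each logged URL to the MIDs that carried it and their recipients."""
    rcpts = defaultdict(set)   # MID -> recipient addresses
    mids = defaultdict(set)    # URL -> MIDs
    for line in log_text.splitlines():
        hit = RCPT_RE.search(line)
        if hit:
            rcpts[hit.group(1)].add(hit.group(2).lower())
            continue
        hit = URL_RE.search(line)
        if hit:
            # Drop any whitespace inside the URL so copies pasted from
            # web pages (which may break links apart) still match.
            mids["".join(hit.group(2).split())].add(hit.group(1))
    # Join after the full pass so line order within a message does not matter.
    index = {}
    for url, url_mids in mids.items():
        seen = set()
        for mid in url_mids:
            seen |= rcpts.get(mid, set())
        index[url] = {"mids": sorted(url_mids, key=int),
                      "recipients": sorted(seen)}
    return index


if __name__ == "__main__":
    for url, info in recipients_by_url(SAMPLE_LOG).items():
        print(url, info["mids"], info["recipients"])
```

Since only the first URLs of a message are logged (see Marc's reply above), an empty result for a URL is not proof that nobody received it.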