Question

Cisco Ironport eMail Security Appliance integration with UEBA. Why did it not work?

  • 2 April 2022
  • 3 replies
  • 384 views


Hi,

I'm struggling with the integration of the Cisco Ironport eMail Security Appliance as UEBA source.

The LogPoint documentation - Data Sources For UEBA — UEBA Guide latest documentation (logpoint.com) - indicates the ESA is supported.

The corresponding UEBA matching query is  - device_category=Email* sAMAccountName=* receiver=* datasize=* | fields,log_ts,sender,receiver,userPrincipalName,sAMAccountName,datasize,subject,status,file,file_count

The ESA never sends a combination of receiver and datasize. The ESA only logs a combination of sender and datasize. The ESA's sender & receiver logs are linked only via the MID "message_identifier".

Has anyone seen or done this integration with Cisco's ESA and UEBA? Is it running in the correct way?

 

Thanks.

BR

Johann


3 replies


Hello Johann,

As far as I know, the Cisco Ironport ESA supports sending logs in syslog format which contain all of the sender, receiver and datasize fields in the same message, to be parsed and normalized accordingly. For example:

<13>Feb 24 04:10:35 192.168.1.1 2022-02-24 04:10:35 +01:00 192.168.1.1 logpoint-intern-company-mail-sll-log: CEF:0|Cisco|C695 Email Security Appliance|14.0.1-033|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=C4F7D5D5E582-WZP23250PJJ ESAMID=28118928 ESAICID=11133452 ESADCID=13169974 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NEGATIVE ESACFVerdict=NO_MATCH endTime=Fri Feb 24 04:10:35 2021 ESADLPVerdict=NOT_EVALUATED dvc=192.168.2.2 ESAAttachmentDetails={'LA finance 6338318 Ringhoffer_W\xc3\xa4lzfr\xc3\xa4smaschine Rich. 201.00100.pdf': {'BodyScanner': {}}, 'image008_acb3d59f-1695-4daa-81e7-040ef4d5e326.png': {'BodyScanner': {}}} ESAFriendlyFrom=<harry.david@aw-finance.de> ESAGMVerdict=NOT_EVALUATED startTime=Fri Feb 24 04:10:35 2021 deviceOutboundInterface=Outbound deviceDirection=1 ESAMailFlowPolicy=RELAY suser=harry.david@aw-finance.de cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<440d4203cf794c21983b420502f0ab76@aw-finance.de>' ESAMsgSize=254680 ESAOFVerdict=NOT_EVALUATED duser=larry.david@cw-finance.com ESAHeloDomain=finance.de ESAHeloIP=192.168.40.61 cfp1Label=SBRSScore cfp1=not enabled sourceHostName=unknown ESASenderGroup=RELAYLIST sourceAddress=192.168.40.61 msg='\=?iso-8859-1?Q?AW:_dearange_LA_6338218_-housen&_Co._KG_V?\= \=?iso-8859-1?Q?krezag-_W\=E4lzfr\=E4smaschine_david_R_200_?\= \=?iso-8859-1?Q?CNC_(Bj._12.2000_-_SN_2/017/00)_+_gurung?\= \=?iso-8859-1?Q?/Serwema?\=' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=DHE-RSA-AES256-SHA256 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2

Here, sender = suser, receiver = duser and datasize = ESAMsgSize fields.

Additionally, in the older versions, Cisco Ironport ESA also used to send logs in multiple lines, all of which used to be joined by the message_identifier field. If you are receiving the logs in multiple lines, make sure you use the Email Parser and the corresponding Cisco IronPort Compiled Normalizer while configuring the Syslog Processing Policy, which combines all of these multi-line messages and uses the normalizer accordingly.

 

Regards,

 


Hi Johann.

If you still have challenges after Gaurav's post/answer then please open a Support Ticket and we can help you look into this problem.

Regards,

Brian Hansen, LogPoint


Hi Gaurav,
Hi Brian,

The missing link in my understanding was the Email Parser which must be configured in this scenario.

The CiscoIronPort ESA sender and receiver events are always logged in separate events/logs. The Email parser merges these events during the parsing process. This is the prerequisite for the compiled ESA normalizer and to get the information in the adequate form to match the eMail UEBA query.

Thanks.

Regards,

Johann
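Worked example, added to the thread as an illustration and not part of any post above nor of LogPoint's Email Parser or normalizer code. It covers the two mechanisms the replies describe: Gaurav's consolidated CEF event, where suser, duser and ESAMsgSize sit on one line and map to sender, receiver and datasize, and the older multi-line style that Johann's last reply confirms, where sender and recipient events are separate and must be folded together on the MID before the UEBA query's receiver=* and datasize=* conditions can both be satisfied. Both sample inputs are constructed; the layout of the multi-line events is an assumption modelled on ESA mail_logs, not quoted from the thread.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): one consolidated CEF event in the
# shape of the line quoted in the thread, with invented, shortened values.
CEF_SAMPLE = (
    "<13>Feb 24 04:10:35 192.168.1.1 2022-02-24 04:10:35 +01:00 192.168.1.1 "
    "esa-log: CEF:0|Cisco|C695 Email Security Appliance|14.0.1-033|"
    "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    "deviceExternalId=EXAMPLE-SERIAL ESAMID=1001 endTime=Fri Feb 24 04:10:35 2022 "
    "suser=alice@example.org act=DELIVERED ESAMsgSize=254680 "
    "duser=bob@example.com msg='Re: quarterly report'"
)

# Constructed sample of the older multi-line style: sender, size and recipient
# arrive as separate events that share nothing but the MID. The line layout is
# an assumption modelled on ESA mail_logs, not taken from the thread.
MULTILINE_SAMPLE = [
    "Fri Feb 24 04:10:35 2022 Info: MID 1002 ICID 77 From: <alice@example.org>",
    "Fri Feb 24 04:10:35 2022 Info: MID 1002 ICID 77 RID 0 To: <bob@example.com>",
    "Fri Feb 24 04:10:36 2022 Info: MID 1002 ready 4096 bytes from <alice@example.org>",
    "Fri Feb 24 04:10:36 2022 Info: MID 1003 ICID 78 From: <carol@example.org>",
    "Fri Feb 24 04:10:36 2022 Info: MID 1003 ready 512 bytes from <carol@example.org>",
]

CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=' at the start of
# the extension or after whitespace; everything up to the next key is the value
# (so values containing spaces, like endTime, survive intact).
# Simplification: CEF's backslash escaping of '=' and '|' is not unescaped.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_cef(line):
    """Split a syslog-wrapped CEF line into header fields plus extension keys."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = line[start + len("CEF:"):].split("|", 7)  # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    keys = list(EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip()
    return event


def to_ueba_record(event):
    """Map the CEF fields named in the thread onto the UEBA query's field names."""
    return {
        "message_identifier": event.get("ESAMID"),
        "sender": event.get("suser"),
        "receiver": event.get("duser"),
        "datasize": int(event["ESAMsgSize"]) if "ESAMsgSize" in event else None,
        "subject": event.get("msg", "").strip("'"),
        "status": event.get("act"),
    }


MID_RE = re.compile(r"\bMID (\d+)")
FROM_RE = re.compile(r"\bFrom: <([^>]+)>")
TO_RE = re.compile(r"\bRID \d+ To: <([^>]+)>")
SIZE_RE = re.compile(r"\bready (\d+) bytes")


def merge_by_mid(lines):
    """Fold separate sender / recipient / size events into one record per MID."""
    merged = defaultdict(lambda: {"sender": None, "receiver": None, "datasize": None})
    for line in lines:
        mid = MID_RE.search(line)
        if not mid:
            continue  # not a message event; nothing to join on
        rec = merged[mid.group(1)]
        rec["message_identifier"] = mid.group(1)
        if (m := FROM_RE.search(line)):
            rec["sender"] = m.group(1)
        elif (m := TO_RE.search(line)):
            rec["receiver"] = m.group(1)
        elif (m := SIZE_RE.search(line)):
            rec["datasize"] = int(m.group(1))
    return dict(merged)


def matches_ueba_query(rec):
    """The UEBA query needs receiver and datasize on the same normalized event."""
    return rec.get("receiver") is not None and rec.get("datasize") is not None


if __name__ == "__main__":
    print(to_ueba_record(parse_cef(CEF_SAMPLE)))
    for mid, rec in merge_by_mid(MULTILINE_SAMPLE).items():
        print(mid, rec, "matches" if matches_ueba_query(rec) else "incomplete")
```

Running it shows why the original symptom appeared: the consolidated CEF event yields receiver and datasize together and passes the check, while in the multi-line feed MID 1003 (sender and size seen, no recipient line yet) stays incomplete until the recipient event is merged in, which is exactly the join the Email Parser has to perform before the normalizer sees the record.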
