Secure Email and Web Manager Integration
Cisco Secure Email and Web Manager (formerly SMA Email) centralizes management and reporting functions across multiple Cisco email security appliances. Once configured, the Secure Email and Web Manager integration provides details associated with sightings of observables that can be enriched via the Email Message Tracking API (AsyncOS 12.0).
Integration with Secure Email and Web Manager allows you to understand email as a threat vector by visualizing message, sender, and target relationships in the context of a threat. You can search for multiple email addresses, subject lines, and attachments at once to understand how a threat has spread.
The following observables can be enriched by the Secure Email and Web Manager integration:
Observable Type | Investigate UI Syntax |
---|---|
IP address | ip:"4.2.2.2" |
Domain | domain:"cisco.com" |
Sender email address | email:"noreply@cisco.com" |
Cisco Message ID (MID) | cisco_mid:"12345" |
Email message header | email_messageid:"123-abc-456@cisco.com" |
SHA-256 file hash | sha256:"sha256filehash" |
Email attachment file name | file_name:"invoice.pdf" |
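The following is an added example, not part of the Cisco documentation: a small triage helper that turns raw indicators from a phishing report into the Investigate UI syntax listed in the table, and sets aside anything that matches no enrichable type. The classification heuristics (regexes, the file-extension list, angle brackets marking a Message-ID header, refanging of `[.]`) and the names `to_observable` and `build_query` are assumptions; the output uses straight double quotes, as in the domain row.

```python
import ipaddress
import re

# Prefixes come from the table above; the matching rules below are assumptions.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
EMAIL_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")
MSGID_RE = re.compile(r"^<([^<>\s]+@[^<>\s]+)>$")  # Message-ID as written in raw headers
FILE_RE = re.compile(r'^[^\\/:"]+\.(pdf|docx?|xlsx?|zip|iso|html?|js|exe|lnk)$', re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
MID_RE = re.compile(r"^\d+$")

def to_observable(raw):
    """Return 'prefix:"value"' for one indicator, or None if it fits no supported type."""
    v = raw.strip().replace("[.]", ".").replace("[@]", "@")  # undo common defanging
    if not v or '"' in v:  # an embedded quote would break the query syntax
        return None
    try:
        return f'ip:"{ipaddress.ip_address(v)}"'
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return f'sha256:"{v.lower()}"'
    m = MSGID_RE.match(v)
    if m:
        return f'email_messageid:"{m.group(1)}"'
    if EMAIL_RE.match(v):
        return f'email:"{v}"'
    if FILE_RE.match(v):  # checked before domains so invoice.pdf is not read as a host
        return f'file_name:"{v}"'
    if DOMAIN_RE.match(v):
        return f'domain:"{v.lower()}"'
    if MID_RE.match(v):
        return f'cisco_mid:"{v}"'
    return None

def build_query(indicators):
    """Return (query_lines, rejected), de-duplicated and in input order."""
    lines, rejected = [], []
    for raw in indicators:
        obs = to_observable(raw)
        if obs is None:
            rejected.append(raw)
        elif obs not in lines:
            lines.append(obs)
    return lines, rejected

# Constructed sample input, as it might be pasted from a phishing report.
SAMPLE = ["4.2.2.2", "cisco[.]com", "noreply@cisco.com", "<123-abc-456@cisco.com>",
          "invoice.pdf", "AB" * 32, "12345", "4.2.2.2", "http://example.com/x", 'bad"value']
```

The URL in the sample is rejected because URLs are not among the enrichable observable types in the table. Review the rejected list by hand rather than discarding it.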
The Secure Email and Web Manager Message Tracking API will return the observed relations between the following observable types:
- SHA-256 filehash
- IP address
- Domain
- Filename
- Email message-ID header
- Email subject
- Email address
- URL
- Cisco MID

- Module configuration
- User settings
The integration of Secure Email and Web Manager requires the use of Security Services Exchange. Security Services Exchange allows a Secure Email and Web Manager to register with the Exchange, and you provide explicit permission to access the registered devices. The process involves linking your Secure Email and Web Manager to Security Services Exchange with a token that is generated when you are ready to link it.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Email and Web Manager integration.
- Click Get Started. The Secure Email and Web Manager integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Secure Email and Web Manager integration in Cisco XDR.
You can perform the following tasks after you integrate Secure Email and Web Manager with Cisco XDR:
- Dashboard Tiles - Add Secure Email and Web Manager tiles to a dashboard in Control Center to view data, such as incoming mail summary. For details, see Configure Dashboards and Tiles. For a list of available Secure Email and Web Manager tiles, see Integration Tiles.
- Investigate - Start a new investigation by searching on suspicious indicators of compromise to extract observables for enrichment. For details, see Investigate.
- Pivot Menu - Use the Pivot menu to perform remedial actions on messages (Cisco Message ID and Email Message ID observables only) with the Initiate Deletion, Initiate Forward, or Initiate Forward/Delete option. For details, see the Email Remediation section in the Pivot menu Help topic.