Secure Email and Web Manager Integration

Cisco Secure Email and Web Manager (formerly SMA Email) centralizes management and reporting functions across multiple Cisco email security appliances. Once configured, the Secure Email and Web Manager integration provides details associated with sightings of observables that can be enriched via the Email Message Tracking API (AsyncOS 12.0).

Integration with Secure Email and Web Manager allows you to understand email as a threat vector by visualizing message, sender, and target relationships in the context of a threat. You can search for multiple email addresses, subject lines, and attachments at once to understand how a threat has spread.

The following observables can be enriched by the Secure Email and Web Manager integration:

Observable Type Investigate UI Syntax

IP address

ip:“4.2.2.2”

Domain

domain:"cisco.com"

Sender email address

email:“noreply@cisco.com”

Cisco Message ID (MID)

cisco_mid:“12345”

Email message header

email_messageid:“123-abc-456@cisco.com"

SHA-256 file hash

sha256:“sha256filehash”

Email attachment file name

file_name:“invoice.pdf”

The Secure Email and Web Manager Message Tracking API will return the observed relations between the following observable types:

  • SHA-256 filehash

  • IP address

  • Domain

  • Filename

  • Email message-ID header

  • Email subject

  • Email address

  • URL

  • Cisco MID

  • Module configuration

  • User settings

The integration of Secure Email and Web Manager requires the use of Security Services Exchange. The Security Services Exchange allows a Secure Email and Web Manager to register with the Exchange and you provide explicit permission to access the registered devices. The process involves linking your Secure Email and Web Manager to Security Services Exchange via a token that is generated when you are ready to link it.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Cisco tab and navigate to the Secure Email and Web Manager integration.

  3. Click Get Started. The Secure Email and Web Manager integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Secure Email and Web Manager integration in Cisco XDR.

You can perform the following tasks after you integrate Secure Email and Web Manager with Cisco XDR:

  • Dashboard - Add Secure Email and Web Manager cards to a dashboard in Control Center to view data, such as incoming mail summary. For details, see Configure Dashboards and Cards. For a list of available Secure Email and Web Manager cards, see Integration Cards.

  • Investigations - Start a new investigation into any combination of IP addresses, domain names, email addresses, Cisco MIDs, email message header, SHA-256 hashes, and email attachment file names and the results will include any records of them found in your Secure Email and Web Manager. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Secure Email and Web Manager has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in Secure Email and Web Manager. Available actions include remedial actions on messages (Cisco Message ID and Email Message ID observables only) using the Initiate Deletion, Initiate Forward, or Initiate Forward/Delete option in the Pivot menu.