Secure Email Appliance Integration
The Cisco Secure Email Appliance (formerly Email Security Appliance) provides advanced threat protection capabilities to detect, block, and remediate threats faster, prevent data loss, and secure important information in transit with end-to-end encryption. Once configured, the Secure Email Appliance module provides details associated with sightings of observables that can be enriched via the Email Message Tracking API. You can:
- View the email reporting and message tracking data from multiple appliances in your organization.
- Identify, investigate, and remediate threats observed in the email reports and message tracking.
- Resolve identified threats rapidly and get recommended actions to take against them.
- Document the threats to preserve the investigation, and share the information with other devices.
The Secure Email Appliance Message Tracking API returns the observed relations between the following observable types:
- SHA-256 file hash
- IP address
- Domain
- Filename
- Email message-ID header
- Email subject
- Email address
- URL
- Cisco MID (Cisco Message ID)
Module configuration
Integrating a Secure Email Appliance requires Security Services Exchange. The appliance registers with Security Services Exchange, and you explicitly grant Cisco XDR permission to access the registered device. The process links your Secure Email Appliance to Security Services Exchange using a token that is generated when you are ready to link it.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Email Appliance integration.
- Click Get Started. The Secure Email Appliance integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Secure Email Appliance integration in Cisco XDR.
You can perform the following tasks after you integrate Secure Email Appliance with Cisco XDR:
- Dashboard Tiles - Add Secure Email Appliance tiles to a dashboard in Control Center to view data, such as incoming threat messages summary from Secure Email Appliance. For details, see Configure Dashboards and Tiles. For a list of available Secure Email Appliance tiles, see Integration Tiles.
- Investigate - Start a new investigation by searching on suspicious indicators of compromise to extract observables for enrichment. For details, see Investigate.
- Pivot Menu - Use the Pivot menu to perform remedial actions on messages (Cisco Message ID and Email Message ID observables only) using the Initiate Deletion, Initiate Forward, or Initiate Forward/Delete option in the Pivot menu. For details, see the Email Remediation section in the Pivot menu Help topic.
- Feeds - Configure the feeds URL to allow your email gateway to fetch feeds from Cisco XDR. For details, see Feeds.
- Playbooks - Automation system workflows included in the Containment phase of the Cisco Managed Incident Playbook can be used to create and add intelligence feeds. See Response for more information.
- Atomic Actions - The atomic actions for Secure Email Appliance can be used as building blocks in custom workflows. For details, see Atomic Actions.
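The following Python is an added example, not Cisco XDR, AsyncOS, or Message Tracking API code. It ties together two points above: the observable types the module returns, and the restriction that only Cisco Message ID and Email Message ID observables can be passed to the remediation options in the Pivot menu. The record field names (mid, senderIp, messageID, and so on) and the sample values are constructed for this example and do not reproduce the real API schema; the observable type keys (sha256, ip, domain, file_name, email_messageid, email_subject, email, url, cisco_mid) are CTIM-style names assumed here. Each observable is validated for its type before it is kept, so a malformed hash or a bare subject string is never handed to a remediation workflow as if it were a message identifier.

```python
"""Extract typed observables from a constructed message-tracking record and
select the ones eligible for the email-remediation pivot.

Added example; not Cisco XDR or Secure Email Appliance code. Field names,
type keys and sample data below are assumptions for illustration only.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample record (imitates a tracking result; not the real schema).
SAMPLE_RECORD = {
    "mid": 1234567,                                   # appliance-assigned Cisco MID
    "senderIp": "203.0.113.45",
    "sender": "billing@example-invoices.test",
    "recipients": ["alice@example.com", "bob@example.com"],
    "subject": "Invoice 88231 overdue",
    "messageID": "<20240105.8823@mail.example-invoices.test>",  # RFC 5322 header
    "urls": ["https://example-invoices.test/pay/88231"],
    "attachments": [
        {"fileName": "invoice_88231.pdf",
         "sha256": "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"},
        {"fileName": "notes.txt", "sha256": "not-a-hash"},  # invalid hash, must be dropped
    ],
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
# Message-ID header: <id-left@id-right>, a single @, no whitespace or nested brackets
MSGID_RE = re.compile(r"^<[^\s<>@]+@[^\s<>@]+>$")
EMAIL_RE = re.compile(r"^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$")
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

# Only these two observable types are accepted by the Pivot menu remediation options.
REMEDIABLE_TYPES = frozenset({"cisco_mid", "email_messageid"})


def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# One validator per observable type the module returns (assumed CTIM-style keys).
VALIDATORS = {
    "sha256": lambda v: bool(SHA256_RE.match(v)),
    "ip": _valid_ip,
    "domain": lambda v: bool(DOMAIN_RE.match(v)),
    "file_name": lambda v: bool(v) and "/" not in v and "\\" not in v,
    "email_messageid": lambda v: bool(MSGID_RE.match(v)),
    "email_subject": lambda v: bool(v.strip()),
    "email": lambda v: bool(EMAIL_RE.match(v)),
    "url": lambda v: v.lower().startswith(("http://", "https://")),
    "cisco_mid": lambda v: v.isdigit(),
}


def extract_observables(record):
    """Return [{"type", "value"}] in discovery order; invalid and duplicate entries are dropped."""
    candidates = [
        ("cisco_mid", str(record["mid"])),
        ("ip", record["senderIp"]),
        ("email", record["sender"]),
        ("email_subject", record["subject"]),
        ("email_messageid", record["messageID"]),
    ]
    candidates += [("email", r) for r in record.get("recipients", [])]
    for url in record.get("urls", []):
        candidates.append(("url", url))
        host = urlparse(url).hostname
        if host:
            candidates.append(("domain", host))           # domain derived from the URL
    candidates.append(("domain", record["sender"].rsplit("@", 1)[-1]))  # sender domain
    for att in record.get("attachments", []):
        candidates.append(("file_name", att["fileName"]))
        candidates.append(("sha256", att["sha256"]))

    seen, observables = set(), []
    for otype, value in candidates:
        value = str(value).strip()
        if VALIDATORS[otype](value) and (otype, value) not in seen:
            seen.add((otype, value))
            observables.append({"type": otype, "value": value})
    return observables


def remediation_targets(observables):
    """Keep only the observables the Pivot menu remediation options accept."""
    return [o for o in observables if o["type"] in REMEDIABLE_TYPES]


if __name__ == "__main__":
    obs = extract_observables(SAMPLE_RECORD)
    for o in obs:
        print(f"{o['type']:16} {o['value']}")
    print("remediable:", remediation_targets(obs))
```

Note that the sender domain duplicates the URL host in the sample and is kept once, and the attachment with the malformed hash contributes only its filename. Anything that should drive a deletion or forward action comes out of remediation_targets, so a subject, address, or URL can never be passed to those actions by mistake.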