Secure Email Threat Defense Integration
Email Threat Defense is a cloud-native solution leveraging superior threat intelligence from Cisco Talos. It has an API-enabled architecture for faster response times, complete email visibility, including internal emails, a conversation view for better contextual information, and tools for auto or manual remediation of threats lurking in Microsoft 365 mailboxes.
Secure Email Threat Defense integrates with Cisco XDR and Cisco XDR ribbon. XDR allows you to view and act on Secure Email Threat Defense information alongside data from your other Cisco security products. XDR ribbon allows you to navigate between Cisco security products, access casebook, search observables, and view incidents.
The telemetry sources for Secure Email Threat Defense integrated with Cisco XDR are shown below:
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Email Threat Defense integration.
- Click Enable. The Secure Email Threat Defense UI is displayed in a new tab.
- In Secure Email Threat Defense, authorize Cisco XDR to integrate your Secure Email Threat Defense organization with your Cisco XDR account. For details on how to authorize Cisco XDR in Secure Email Threat Defense, see Authorize Cisco XDR for Secure Email Threat Defense in the Secure Email Threat Defense User Guide.
The Secure Email Threat Defense integration is listed in the My Integrations area on the Cisco XDR Integrations page.
You can perform the following tasks after you integrate Secure Email Threat Defense with Cisco XDR:
- Incidents - Malicious messages from the Secure Email Threat Defense integration are correlated to EDR and network alerts by the recipient of the email message in Secure Cloud Analytics. Cisco XDR analyzes messages and correlates events based on the extracted username of the recipient, allowing suspicious or malicious user activity to be correlated across domains. This excludes common system users, such as administration, system, and root. You can set Secure Cloud Analytics to auto-promote the Email Threat Defense alerts to Cisco XDR as incidents; however, by default, this is disabled to reduce noise. The correlated events are displayed as incidents in Cisco XDR with Secure Cloud Analytics as the source.
- Investigate - Start a new investigation by searching on known Secure Email Threat Defense observables for enrichment. For details, see Investigate.
- Dashboard Tiles - Add Secure Email Threat Defense tiles to a dashboard in Control Center to view data, such as total email traffic by direction. For details, see Configure Dashboards and Tiles. For a list of available Secure Email Threat Defense tiles, see Integration Tiles.
- Pivot Menu - Use the Pivot menu to quarantine messages, initiate a search, and move messages to the inbox in Secure Email Threat Defense with the following observables: email address, email message ID, email subject, file name, sender IP, SHA-256, and URL.