I am having a tough time understanding how anyone is getting Cisco Ironport ESA data to map to the CIM for use in things like Enterprise Security. Where I work, I would say that email is the *most* likely vector of malware and/or phishing schemes that attempt to get credentials. Of course I want my ESA data to get matched to the threat intelligence feeds and notable events, but I haven't been able to get an answer from either official Splunk support, or even from vendors that want to sell me their threat intelligence platforms and/or other security tools.
In order to map email to the CIM, you at least have to have the points of data to match on. Src, dest, src_user, recipient, subject, file_name, url, filtering signatures and the all important action/filter_action. This data gives you the IOC matching points. The problem is that the Cisco ESA logs are sent to Splunk in a way that does not allow for easy recognition of all those points in a single "event".
Here is an example of a Cisco ESA "mail event", this was pulled from the Cisco ESA console's "message tracking" feature. This is the only place that I know how to get this complete of a picture. Otherwise by looking at the raw logs, each email flow process has events that are completely out of order, there is no expectation of being able to put them together with a single "mail ID".
13 Aug 2016 07:28:48 (GMT -04:00) Protocol SMTP interface CS DMZ (IP X.X.X.X) on incoming connection (ICID 122155365) from sender IP X.X.X.X. Reverse DNS host mail-relay-02.XXXXXX.com verified yes.
13 Aug 2016 07:28:48 (GMT -04:00) (ICID 122155365) ACCEPT sender group ACCEPTLIST match sbrs[1.0:10.0] SBRS 3.5
13 Aug 2016 07:28:48 (GMT -04:00) Incoming connection (ICID 122155365) successfully accepted TLS protocol (UNKNOWN:302) cipher DHE-RSA-AES256-SHA.
13 Aug 2016 07:28:49 (GMT -04:00) Start message 56789163 on incoming connection (ICID 122155365).
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 enqueued on incoming connection (ICID 122155365) from notifications@XXXXX.com.
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 on incoming connection (ICID 122155365) added recipient (Jeff.Kalifeh@XXXXXXX.com).
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 contains message ID header '<57af0470aa492_b1a211d933021393@XXXX.mail>'.
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 original subject on injection: Daily Recap for Friday, August 12
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 (19159 bytes) from notifications@XXXX.com ready.
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 matched per-recipient policy Test for inbound mail policies.
13 Aug 2016 07:28:49 (GMT -04:00) SMTP delivery connection (DCID 35832763) opened from Cisco IronPort interface X.X.X.X to IP address X.X.X.X on port 25.
13 Aug 2016 07:28:49 (GMT -04:00) Delivery connection (DCID 35832763) successfully accepted TLS protocol TLSv1 cipher ECDHE-RSA-AES256-SHA .
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 scanned by Anti-Spam engine: CASE. Final verdict: Negative
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 scanned by Anti-Virus engine. Final verdict: Negative
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 scanned by Advanced Malware Protection engine. Final verdict: CLEAN
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 scanned by Outbreak Filters. Verdict: Negative
13 Aug 2016 07:28:49 (GMT -04:00) Message 56789163 queued for delivery.
13 Aug 2016 07:28:49 (GMT -04:00) (DCID 35832763) Delivery started for message 56789163 to Jeff.Kalifeh@XXXXXXX.com.
13 Aug 2016 07:28:50 (GMT -04:00) (DCID 35832763) Delivery details: Message 56789163 sent to Jeff.Kalifeh@XXXXXX.com
13 Aug 2016 07:28:50 (GMT -04:00) Message 56789163 to Jeff.Kalifeh@mXXXXX.com received remote SMTP response '2.6.0 <57af0470aa492_b1a211d933021393@jobs-13.mail> [InternalId=72988006] Queued mail for delivery'.
( I X'ed out the domains and IPs.) So the typical method is to look for the MIDs, ICIDs, DCIDs, and attempt to weave them together to recreate this view. This could include some transactions, eval stuff, eventstats stuff, etc. But even then, the CIsco ESA mail flow process constantly rewrites the MIDs as certain things happen, such as matching a DLP rule, matching some content filtering rule, etc. Also keep in mind that the DCIDs and ICIDs can be different values for each MID depending on how many recipients the message went to or was sent to.
So determining if that "known bad" email spammer was successful in delivering a malware campaign to your organization becomes impossible. You need to know all the values of the "event", you need to see if it was blocked/allowed, you need to see the src/dest/everything to make that call. I am hoping that someone has figured this out, I mean Splunk ES basically requires having this figured out in order to provide visibility into Cisco ESA email events.
↧