CISCO ESA - simple search email query (sender, recipient,subject)

corti77 — Tue, 12 Jul 2022 10:11:08 GMT

Hi,

I have Splunk 8.1.4 with Splunk Add-on for CISCO ESA 1.5.0. I also have the old app Cisco Secuirty Suite that even though it does not support Splunk 8.1.4, it shows results so I planned to get inspired by its query for Message tracking--> Transaction details.

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"

I think the ESA events are getting correctly to Splunk, I use Syslog Connector for Splunk.

The test I performed is the following :

1. send an email from my corporate email to GMAIL with the subject TEST

2. simply reply from gmail.

With the above query I would expect to see two events but I only see the outgoing event.

I tried to filter by recipient and it thrown zero results.

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"

If I do a simpler query without the transaction command, I can see an event with the right internal recipient which corresponds to the incoming email that I could not find previously. But in that event there is no field subject.

index=cisco eventtype=cisco-esa recipient="xxxx@yyy.zz"

Could someone help me out with some query that consolidate inbound /outbound emails with filtering capabilities?

thanks

Re: CISCO ESA - simple search email query (sender, recipient,subject)

corti77 — Tue, 12 Jul 2022 10:09:25 GMT

just to clarify a bit more, my final goal is to have a very similar dashboard like the one available for Exchange in ITSI but using only ESA events.

topic CISCO ESA - simple search email query (sender, recipient,subject) in Splunk Search

CISCO ESA - simple search email query (sender, recipient,subject)

Re: CISCO ESA - simple search email query (sender, recipient,subject)