Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CISCO ESA - simple search email query (sender, recipient,subject)

corti77
Communicator
‎07-12-2022 02:10 AM

Hi,

I have Splunk 8.1.4 with Splunk Add-on for CISCO ESA 1.5.0. I also have the old  app Cisco Secuirty Suite that even though it does not support Splunk 8.1.4, it shows results so I planned to get inspired by its query for Message tracking--> Transaction details.

 

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"

 

I think the ESA events are getting correctly to Splunk, I use Syslog Connector for Splunk. 

The test I performed is the following :

1. send an email from my corporate email to GMAIL with the subject TEST

2. simply reply from gmail.

With the above query I would expect to see two events but I only see the outgoing event.

I tried to filter by recipient and it thrown zero results.

 

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"

 

If I do a simpler query without the transaction command, I can see an event with the right internal recipient which corresponds to the incoming email that I could not find previously. But in that event there is no field subject.

 

index=cisco eventtype=cisco-esa  recipient="xxxx@yyy.zz"

 

Could someone help me out with some query that consolidate inbound /outbound emails with filtering capabilities?

thanks

Labels (1)
Labels
Tags (3)
0 Karma
Reply

corti77
Communicator
‎07-12-2022 03:09 AM

just to clarify a bit more, my final goal is to have a very similar dashboard like the one available for Exchange in ITSI but using only ESA events.

ITSI_track_message.png

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...