Hi,
I have Splunk 8.1.4 with Splunk Add-on for CISCO ESA 1.5.0. I also have the old app Cisco Security Suite which, even though it does not support Splunk 8.1.4, still shows results, so I planned to get inspired by its query for Message tracking --> Transaction details.
index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"
I think the ESA events are getting correctly to Splunk, I use Syslog Connector for Splunk.
The test I performed is the following:
1. send an email from my corporate email to GMAIL with the subject TEST
2. simply reply from gmail.
With the above query I would expect to see two events but I only see the outgoing event.
I tried to filter by recipient and it returned zero results.
index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"
If I do a simpler query without the transaction command, I can see an event with the right internal recipient which corresponds to the incoming email that I could not find previously. But in that event there is no field subject.
index=cisco eventtype=cisco-esa recipient="xxxx@yyy.zz"
Could someone help me out with some query that consolidates inbound/outbound emails with filtering capabilities?
thanks
Just to clarify a bit more, my final goal is to have a dashboard very similar to the one available for Exchange in ITSI, but using only ESA events.
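As an added illustration (not code from the post, the Cisco add-on or any Splunk app), the Python below applies the same idea as the SPL above to a few constructed ESA mail_logs lines: correlate every line on its MID first, then filter the assembled message. The line format, MIDs and addresses are assumptions modelled on ESA's mail_logs. It shows why a filter that needs recipient and subject on one raw event matches nothing, since ESA writes the recipient (RID ... To:) and the Subject on separate lines of the same MID.

```python
import re
from collections import defaultdict

# Constructed sample modelled on ESA mail_logs: inbound MID 1001, outbound MID 1002.
SAMPLE_LOG = """\
Info: Start MID 1001 ICID 501
Info: MID 1001 ICID 501 From: <someone@gmail.com>
Info: MID 1001 ICID 501 RID 0 To: <xxxx@yyy.zz>
Info: MID 1001 Subject 'Re: TEST'
Info: Message finished MID 1001 done
Info: Start MID 1002 ICID 502
Info: MID 1002 ICID 502 From: <xxxx@yyy.zz>
Info: MID 1002 ICID 502 RID 0 To: <someone@gmail.com>
Info: MID 1002 Subject 'TEST'
Info: Message finished MID 1002 done
"""

MID_RE = re.compile(r"MID (\d+)")
ICID_RE = re.compile(r"ICID (\d+)")
FROM_RE = re.compile(r"From: <([^>]*)>")
TO_RE = re.compile(r"RID \d+ To: <([^>]*)>")
SUBJ_RE = re.compile(r"Subject '(.*)'$")

def correlate(log_text):
    """Build one record per MID from all lines that carry that MID (the transaction step)."""
    msgs = defaultdict(lambda: {"icid": None, "sender": None, "recipients": [], "subject": None})
    for line in log_text.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue  # ICID/DCID-only lines carry no message id; not needed for this join
        rec = msgs[m.group(1)]
        if (i := ICID_RE.search(line)): rec["icid"] = i.group(1)
        if (f := FROM_RE.search(line)): rec["sender"] = f.group(1)
        if (t := TO_RE.search(line)): rec["recipients"].append(t.group(1))
        if (s := SUBJ_RE.search(line)): rec["subject"] = s.group(1)
    return dict(msgs)

def find_messages(log_text, recipient=None, subject_contains=None):
    """Filter correlated messages (not raw lines); returns matching MIDs in log order."""
    hits = []
    for mid, rec in correlate(log_text).items():
        if (recipient and recipient not in rec["recipients"]) or \
           (subject_contains and subject_contains not in (rec["subject"] or "")):
            continue
        hits.append(mid)
    return hits

def lines_matching(log_text, recipient, subject_contains):
    """Per-line filter, i.e. searching raw events: no single ESA line holds both fields."""
    return [l for l in log_text.splitlines() if recipient in l and subject_contains in l]
```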