Splunk Search

CISCO ESA - simple search email query (sender, recipient,subject)

corti77
Contributor

Hi,

I have Splunk 8.1.4 with Splunk Add-on for CISCO ESA 1.5.0. I also have the old  app Cisco Secuirty Suite that even though it does not support Splunk 8.1.4, it shows results so I planned to get inspired by its query for Message tracking--> Transaction details.

 

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"

 

I think the ESA events are getting correctly to Splunk, I use Syslog Connector for Splunk. 

The test I performed is the following :

1. send an email from my corporate email to GMAIL with the subject TEST

2. simply reply from gmail.

With the above query I would expect to see two events but I only see the outgoing event.

I tried to filter by recipient and it thrown zero results.

 

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"

 

If I do a simpler query without the transaction command, I can see an event with the right internal recipient which corresponds to the incoming email that I could not find previously. But in that event there is no field subject.

 

index=cisco eventtype=cisco-esa  recipient="xxxx@yyy.zz"

 

Could someone help me out with some query that consolidate inbound /outbound emails with filtering capabilities?

thanks

Labels (1)
Tags (3)
0 Karma

corti77
Contributor

just to clarify a bit more, my final goal is to have a very similar dashboard like the one available for Exchange in ITSI but using only ESA events.

ITSI_track_message.png

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...