This document describes the process to integrate Cisco SecureX with the Email Security Appliance (ESA) and how to see the ESA module in the SecureX dashboard.
Cisco recommends that you have knowledge of these topics:
Cisco Security Services Exchange
Email Security Appliance
The information in this document is based on these software and hardware versions:
Cisco Security Services Exchange
Cisco SecureX 1.54
ESA C100V on software version 13.0.0-392
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
To configure the SecureX and ESA integration, log in to your Email Security Virtual Appliance and follow these quick steps:
Step 1. Navigate to Cloud Service Settings
Once in the ESA, navigate to the context menu Network > Cloud Service Settings to see the current SecureX / Threat Response status (Disabled / Enabled), as shown in the image.
Step 2. Edit Settings
So far the SecureX / Threat Response feature in the ESA is disabled. To enable the feature, click Edit Settings, as shown in the image:
Step 3. Enable Cloud Services
Select the Enable checkbox, then choose the Cisco SecureX / Threat Response Server, as shown in the image below:
Note: The default selection for the Cisco SecureX / Threat Response Server URL is AMERICAS (api-sse.cisco.com). For EUROPE businesses, click the drop-down menu and choose EUROPE (api.eu.sse.itd.cisco.com).
Step 4. Submit and Commit changes
You must submit and commit the changes in order to save and apply them. If you now refresh the ESA interface, a Registration Token is requested in order to register the integration, as shown in the image below.
Note: You can see a Success message: Your changes have been committed.
Step 5. Generate the Registration Token in SSE
1.- Once in the SecureX portal, navigate to Integrations > Devices > Manage Devices, as shown in the next image.
2.- The Manage Devices link redirects you to the Security Services Exchange (SSE). Once there, click the Add Devices and Generate Tokens icon, as shown in the image.
3.- Click Continue in order to generate the token. Once the token is generated, click Copy to Clipboard, as shown in the image.
Tip: You can select the number of devices to add (from 1 up to 100) and also select the token expiration time (1hr, 2hrs, 4hrs, 6hrs, 8hrs, 12hrs, 01 days, 02 days, 03 days, 04 days and 05 days).
Step 6. Save Registration Token in the ESA
Once the Registration Token is generated, paste it in the Cloud Service Settings section in the ESA, as shown in the image below.
Note: You can see a Success message: A request to register your appliance with the Cisco SecureX / Threat Response portal is initiated. Navigate back to this page after some time to check the appliance status.
Step 7. Verify that the ESA device is registered
You can navigate to the SSE portal, click Refresh, and in the Search tab look for your ESA device, as shown in the image.
Add the ESA module in Cisco SecureX
In this section you can find the steps to add the ESA module in the Cisco SecureX portal. Navigate to the SecureX portal and add a new ESA module.
1.- Once you are in the SecureX portal, navigate to Integrations > Add New Module, as shown in the image.
2.- Choose the module type; in this case, the module is an Email Security Appliance module, as shown in the image below.
3.- Fill in the fields Module Name, Registered Device (select the one previously registered) and Request Timeframe (days), then click Save, as shown in the image.
4.- Once the ESA module is added in SecureX, you can add a specific Dashboard (click New Dashboard) for each Integration/Module or a General Dashboard with diverse modules, as shown in the image.
5.- When you create the Dashboard, you can give it a name, expand the module and select the ESA options you would like to see in the Dashboard. You can also add options from other added modules. Then click Save, as shown in the image below.
In order to verify the SecureX and ESA integration, you can see the selected options from the ESA module in the SecureX Dashboard. As an example, we can see the generated emails from the ESA GUI in Message Tracking, and those emails are also shown in the SecureX portal, as shown in the image below.
If you are a CES customer or if you manage your ESA devices via an SMA, you can only connect to Threat Response via your SMA. Please ensure your SMA runs AsyncOS 13.6.2 or higher. If you do not manage your ESA with an SMA and you integrate the ESA directly, ensure it is at AsyncOS version 13.0 or higher.
If you do not see your issue below, please open a support case.
ESA device is not shown in the SSE portal
If your ESA device is not shown in the SSE portal, ensure that the Cisco SecureX Threat Response service is enabled in the SSE portal: navigate to Cloud Services and enable the services, as shown in the image below:
ESA is not requesting the Registration token
Ensure that you commit the changes once the Cisco SecureX / Threat Response service has been enabled. Otherwise, the changes are not applied to the Cloud Service Settings section in the ESA, as shown in the image below.
Registration failed because of an invalid or expired token
If you see the error message "The registration failed because of an invalid or expired token. Ensure that you use a valid token when registering your appliance with the Cisco Threat Response portal" in the ESA GUI, as shown in the image below, ensure that the token is generated from the correct cloud.
Also, remember that the Registration Token has an expiration time (select an expiration time that leaves enough time to complete the integration), as shown in the image.
SecureX Dashboard is not showing information regarding the ESA module
You can select a wider time range in the available tiles, from Last Hour to Last 90 Days, as shown in the image below.
Other examples could be that we see the message "There was a problem. Try again later." or even the error message "There was a client error in the ESA module: E4017: Device is offline", as shown in the images below.
Verify that the ESA device is still shown as registered in the SSE portal. The ESA device was probably deregistered and is no longer visible under the SSE > Devices tab. Try to add a new ESA module in the SecureX portal.
SecureX ESA tile / CTR ESA module showing error "There was an unexpected Error on the ESA module"
The ESA requires the AsyncOS API to be enabled for HTTP and HTTPS on the management interface in order to communicate with the SecureX/CTR portal.
For an on-premises ESA, configure this setting from the ESA portal GUI: go to “Network > IP Interfaces > Management interface > AsyncOS API” and enable HTTP and HTTPS.
Network > IP Interfaces
ESA Management Interface
Async API > HTTP & HTTPS
For a CES (cloud-based ESA), this configuration needs to be done from the backend by an ESA TAC engineer, and it requires access to the support tunnel of the impacted CES.
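A pre-flight check for the server choice in Step 3, the token expiration, and the AsyncOS API requirement above, added here as an example and not taken from Cisco's documentation or tooling. It assumes the SSE servers answer on TCP 443 and that the AsyncOS API listens on ports 6080 (HTTP) and 6443 (HTTPS); 192.0.2.10 is a constructed management address, and the probe is a plain TCP connect run from a management host on the ESA's network.

```python
import socket
from datetime import datetime, timedelta, timezone

# Server hostnames as listed in the Step 3 note.
SSE_SERVERS = {"AMERICAS": "api-sse.cisco.com", "EUROPE": "api.eu.sse.itd.cisco.com"}
SSE_PORT = 443  # assumption: HTTPS on the standard port
ASYNCOS_API_PORTS = {"HTTP": 6080, "HTTPS": 6443}  # assumption: default API ports


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def token_expired(generated_at, lifetime, now=None):
    """True once the expiration time chosen in SSE has passed (aware datetimes)."""
    now = now or datetime.now(timezone.utc)
    return now >= generated_at + lifetime


def preflight(region, esa_mgmt_host, generated_at, lifetime, probe=tcp_open, now=None):
    """Return a list of findings; an empty list means every check passed."""
    region = region.upper()
    if region not in SSE_SERVERS:
        return [f"unknown region {region!r}; expected one of {sorted(SSE_SERVERS)}"]
    findings = []
    if not probe(SSE_SERVERS[region], SSE_PORT):
        findings.append(f"cannot reach {SSE_SERVERS[region]}:{SSE_PORT}")
    for scheme, port in ASYNCOS_API_PORTS.items():
        if not probe(esa_mgmt_host, port):
            findings.append(
                f"AsyncOS API {scheme} not answering on {esa_mgmt_host}:{port}; "
                "enable it under Network > IP Interfaces > Management interface"
            )
    if token_expired(generated_at, lifetime, now):
        findings.append("registration token expired; generate a new one in SSE")
    return findings


if __name__ == "__main__":
    # Constructed sample values: documentation address, token issued 10 minutes ago.
    issued = datetime.now(timezone.utc) - timedelta(minutes=10)
    result = preflight("EUROPE", "192.0.2.10", issued, timedelta(hours=1))
    print("\n".join(result) or "all checks passed")
```

An empty result only shows that the ports accept connections and the token is still within its lifetime; registration status is still confirmed in the SSE portal as described in Step 7.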
You can find the steps to configure the SecureX and ESA Integration in the next video.