How-To Configure Mailbox Auto Remediation For Office 365 On Cisco Security
© 2016 Cisco and/or its affiliates. All rights reserved.

Cisco Email Security How-to Guide
Configure Mailbox Auto Remediation for Office 365
Cisco Public
About This Document

Microsoft Exchange has become the standard email system used by midsize to large-scale organizations globally. With the rise of cloud applications, Microsoft has introduced Office 365. Cisco Email Security has been protecting Exchange from spam, phishing attacks and viruses for over a decade and recently has enhanced malware protection with Advanced Malware Protection (AMP). While the email security portfolio encompasses other protections, this guide explains how Microsoft Office 365 customers can protect their mailboxes from malicious zero-day attacks such as ransomware. It steps the reader through the details of setting up Office 365 Mailbox Auto Remediation integrated with AMP.

This document is for Cisco engineers and customers who will deploy Cisco® Cloud Email Security using AsyncOS® 10.0 or higher.

This document covers:
• Overview of Office 365 Mailbox Auto Remediation
• Creating a certificate
• Registering Cisco Cloud Email Security (CES) as an Azure app
• Troubleshooting

Note: The graphics present the most recent version of the Azure Active Directory user interface. As that changes over time, customers will need to consult Microsoft tech articles to supplement the tasks described here.

Mailbox Auto Remediation in Action

A file can turn malicious anytime, even after it has reached a user's mailbox. Cisco Advanced Malware Protection (AMP) can identify this development as new information emerges and will push retrospective alerts to an on-premises appliance or Cisco Cloud Email Security (CES) cluster. With AsyncOS® 10.0, you get more than just alerting. If your organization is using Office 365 to manage mailboxes, you can configure CES to perform auto-remediation actions on the messages in a user's mailbox when the threat verdict changes. This process is briefly

However, other details need to be considered that address how Cisco CES gains access to a user's Office 365 mailbox to remediate the message. Cisco CES uses Azure Active Directory to gain access to the Office 365 mailboxes. After CES receives the retrospective update about the malicious file (Figure 1), it requests an access token from Azure. If communication is secured between CES and Azure, and CES is granted permission to access the Office 365 application, then an access token is provided (Figure 2). At that point the remediation action is allowed to proceed as indicated in step 5 of Figures 1 and 2.

This guide covers only how to integrate ESA/CES with O365 for auto remediation. The reader of this guide is required to know how to set up AMP on Email Security. For more details, see the chalk-talk "Cisco Email Security Malware Auto-Remediation for Office 365" or reference the "How-to Guide – Protect Against File-Based Attacks" (https://www.youtube.com/watch?v=kYTY6OwQ6f8&list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0&index=18).

Figure 1. Retrospection (diagram labels: ACME.com; AMP Threat Grid; SMA; ESA Cluster; Cisco Cloud Email Security with DLP, A/V, A/S, Encryption; Microsoft Office 365; mailbox @bce-acme.com; step 1 initial scan; step 3 Good Reputation; step 4 A later update: Bad Reputation; step 5 Remediate)
Figure 2. Remediation (diagram labels: Authenticating Access with Azure; Requesting Access to O365 Mailbox; Access Token; Microsoft Azure; AMP Threat Grid; SMA; ESA Cluster; Cisco Cloud Email Security with DLP, A/V, A/S, Encryption; mailbox @bce-acme.com; Microsoft Office 365; step 5 Remediate Message)

This document addresses setting up the Azure service as follows:

Step: Verify feature keys for Cisco AMP analysis and AMP reputation
Purpose: Mailbox Auto Remediation relies on AMP's intelligence for making a remediation.

Step: Modify the manifest to reference your RSA certificate
Purpose: Configures Azure to recognize the public key sent from the CES cluster when it requests Office 365 permissions. Certificate-to-public-key references are put in the manifest. The modified manifest is uploaded to Azure.

Step: Upload the private key and other certificate parameters to the CES cluster
Purpose: The private key is uploaded to CES. Configures client ID, tenant ID, and thumbprint.

Verifying Feature Keys in Cloud Email Security

1. Log in to your Cloud Email Security account.
2. Click: System Administration > Feature Keys.
3. Verify that File Reputation and File Analysis are active.

Figure 3. Verifying Feature Keys
Building a Public and Private Certificate and Key Pair

1. Download the Certificate and Key generating tool. We are using a tool called XCA (https://sourceforge.net/projects/xca/?source=typ_redirect).
Note: If you already have an x509 certificate and private key pair, then skip to the section "Register Your CES Cluster as an Application in Azure" in this guide.
2. Create a certificate and private key pair.
3. As shown in Figure 4, fill out the Distinguished name fields.
4. Click the Extensions tab.
5. In the section called "X509v3 Basic Constraints," specify the certificate type as Certification Authority.
6. Also on the Extensions tab (not shown), specify the time range for which the certificate is valid.

Figure 4. Filling Out the Distinguished Name Fields

7. Select Local time for the time zone that the Cisco CES cluster is hosted in.
8. Click: Apply.
9. Click the Key usage tab.
10. As shown in Figure 5, on the Key usage tab, choose the following three options:
• Digital Signature
• Key Encipherment
• E-mail Protection
11. Click: OK. Your certificate and private key pair will be created.

Figure 5. Choosing Key Usage Options

12. Click the Certificate tab and highlight the certificate name (Figure 6).
13. Click: Export. Download the certificate to a directory that is convenient to access with Microsoft PowerShell.
Note: Avoid long directory paths to make PowerShell use easier.
14. Click the Private Keys tab, highlight the private key name, and click: Export.
15. Download the private key to the same directory.

Figure 6. Downloading the Certificate and Private Key

16. Using WordPad, verify that the structure of the certificate and private key pair is as shown in Figure 7.

Figure 7. Verifying the Certificate and Private Key Pair Structure

Register Your CES Cluster as an Application in Azure

1. Access the Azure user interface: https://portal.azure.com/
2. Click: More Services > App Registrations (Figure 8).

Figure 8. Accessing the Registration Form
Note: This is the URL where users can sign in and use your appliance.
7. Click: Create.
8. Under API Access, click: Required permissions (Figure 10).
9. In the API listing, select Office 365 Exchange Online.
10. At the bottom of the page click: Select.

Figure 10. Selecting the API

• Access mailboxes as the signed-in user via Exchange Web Services
13. Click: Select.
14. Click: Done.

Figure 12. Delegating Permissions

15. Download the Manifest (Figure 13).
   a. In the tool bar beneath the app name, click: Manifest.
   b. In the Edit Manifest menu click: Download.
   c. Save the manifest to the directory containing your certificate.

Figure 13. Downloading the Manifest

      "usage": "Verify",
      "value": "$base64Value_from_step2"
    }
  ],

Do this by opening the manifest in WordPad and copying the JSON as described above.

Figure 14. Updating the Key Credentials
Note that the parameter for $cer.Import points to the directory in our example. (See Figure 15.)

Figure 15. $cer.Import
– $base64Thumbprint
– $keyid
– $base64Value

5. Upload the manifest to your Azure account (Figure 17). If you get an error on upload, check for carriage returns as described in the previous step.

Figure 17. Uploading the Manifest
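The following PowerShell is an added example, not the guide's own script, showing how the three values that the manifest placeholders refer to ($base64Thumbprint, $keyid, $base64Value) are derived from the exported public certificate with the same .NET X509Certificate2 object that the guide's $cer.Import call creates, and how they fit into a complete keyCredentials entry. The certificate path C:\certs\ces-o365.cer is an assumption; the surrounding field names (customKeyIdentifier, keyId, type) are the standard Azure AD application manifest fields. The sanity checks at the end catch the two upload problems the guide mentions, a wrong thumbprint and stray line breaks in the value.

```powershell
# Added example (not from the Cisco guide): compute the three keyCredentials
# values from the exported public certificate and print the JSON fragment to
# paste into the manifest. Written for Windows PowerShell 5.1 / .NET 4.6+.
$certPath = "C:\certs\ces-o365.cer"   # assumed path to the certificate exported from XCA

# Equivalent to the guide's $cer.Import($certPath); accepts DER or Base64 (PEM) .cer files
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# "value": the complete public certificate, base64-encoded
$base64Value = [System.Convert]::ToBase64String($cer.GetRawCertData())

# "customKeyIdentifier": base64 of the SHA-1 certificate hash. This is also the
# Thumbprint string that CES asks for (28 characters, ending in "=").
$base64Thumbprint = [System.Convert]::ToBase64String($cer.GetCertHash())

# "keyId": a fresh GUID that names this credential inside the app registration
$keyid = [System.Guid]::NewGuid().ToString()

$keyCredential = [ordered]@{
    customKeyIdentifier = $base64Thumbprint
    keyId               = $keyid
    type                = "AsymmetricX509Cert"
    usage               = "Verify"
    value               = $base64Value
}

# Checks worth doing before touching the manifest
if ($base64Thumbprint.Length -ne 28) { throw "Thumbprint is not a base64 SHA-1 hash" }
if ($base64Value -match '[\r\n]')    { throw "value must be a single line (no carriage returns)" }
if ($cer.NotAfter -lt (Get-Date))    { throw "Certificate expired on $($cer.NotAfter)" }

"Thumbprint to enter in CES: $base64Thumbprint"
"keyCredentials entry to paste into the manifest:"
$keyCredential | ConvertTo-Json
```

Paste the printed object inside the manifest's "keyCredentials": [ ... ] array (the guide's Figure 14 shows the tail of that entry). The Thumbprint line is the value to enter in CES alongside the Client ID and Tenant ID; if it differs from the customKeyIdentifier that was uploaded to Azure, Azure cannot match the CES request to this certificate.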
Figure 18. Retrieving the Client ID

Click: App Registrations > Endpoints. Under Federation Metadata Document, any of the URLs can be copied. (See Figure 19.) The number string needs to be copied from the full URL string.
In our example:
https://login.windows.net/688a9cf0-b444-4768-890d-168fc921d268/federationmetadata/2007-06/federationmetadata.xml
Tenant ID = 688a9cf0-b444-4768-890d-168fc921d268

Figure 19. Retrieving the Tenant ID

3. Gather these three values together to be uploaded to your CES cluster:
Client ID: 1c5f70b9-a305-48a8-98aa-ede69edcb2e6
Tenant ID: 688a9cf0-b444-4768-890d-168fc921d268
Thumbprint: 1kRRZsGNn8NlGEZhX11zrHphcE7=

Enter the Client ID, Tenant ID, and Thumbprint (Figure 20).
7. You should be prompted with: Certificate Private Key Successfully Uploaded.

Figure 20. Entering the Client ID, Tenant ID, and Thumbprint
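An added example, not part of the guide or of CES, that performs the token request described under "Mailbox Auto Remediation in Action" from an administrator's workstation: the client proves possession of the private key by signing a short JWT, and Azure matches the JWT's x5t header against the customKeyIdentifier in the manifest before issuing an access token (the OAuth 2.0 client-credentials flow with a JWT bearer assertion). Assumptions: the certificate and private key are in C:\certs\ces-o365.pfx; the Client ID and Tenant ID are the guide's example values; the token endpoint and resource URI are the Azure AD v1 endpoint values for Exchange Online. It checks only that Azure accepts the certificate credential; whether a token can actually reach mailboxes depends on the API permission granted to the app, which is what the Check Connection test in CES exercises.

```powershell
# Added example (not from the Cisco guide): obtain an Azure AD access token for
# Office 365 with a certificate-signed client assertion (OAuth 2.0 client
# credentials, JWT bearer). Written for Windows PowerShell 5.1 / .NET 4.6+.
$pfxPath  = "C:\certs\ces-o365.pfx"                    # assumed: certificate + private key
$pfxPass  = Read-Host -AsSecureString "PFX password"
$clientId = "1c5f70b9-a305-48a8-98aa-ede69edcb2e6"     # Client ID from the guide's example
$tenantId = "688a9cf0-b444-4768-890d-168fc921d268"     # Tenant ID from the guide's example
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/token"   # Azure AD v1 token endpoint
$resource = "https://outlook.office365.com"            # Exchange Online (EWS) resource

function ConvertTo-Base64Url([byte[]]$bytes) {
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPass

# JWT header. x5t is the base64url SHA-1 certificate hash; Azure uses it to find the
# keyCredentials entry whose customKeyIdentifier matches, so a thumbprint that was
# never uploaded in the manifest fails at this point.
$header = [ordered]@{ alg = "RS256"; typ = "JWT"; x5t = (ConvertTo-Base64Url ($cert.GetCertHash())) }

$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claims = [ordered]@{
    aud = $tokenUrl                       # audience is the token endpoint itself
    iss = $clientId
    sub = $clientId
    jti = [Guid]::NewGuid().ToString()    # unique per assertion; Azure rejects replays
    nbf = $now
    exp = $now + 600                      # short-lived assertion: ten minutes
}

$encHeader = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($header | ConvertTo-Json -Compress)))
$encClaims = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($claims | ConvertTo-Json -Compress)))
$signingInput = [Text.Encoding]::ASCII.GetBytes("$encHeader.$encClaims")

# Sign with the private key belonging to the public certificate in the manifest
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$signature = $rsa.SignData($signingInput, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = "$encHeader.$encClaims.$(ConvertTo-Base64Url $signature)"

$body = @{
    grant_type            = "client_credentials"
    client_id             = $clientId
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
    resource              = $resource
}

try {
    $resp = Invoke-RestMethod -Method Post -Uri $tokenUrl -Body $body
    "Azure accepted the certificate credential; token expires in $($resp.expires_in) seconds."
} catch {
    # Azure returns a JSON body (error, error_description) saying why the assertion
    # was rejected, e.g. an unknown thumbprint, a bad signature or an expired certificate.
    "Token request failed: $($_.Exception.Message)"
    if ($_.ErrorDetails) { $_.ErrorDetails.Message }
}
```

A rejected assertion is the same failure CES sees when the thumbprint entered in step 3 does not match the manifest, or when the uploaded private key does not belong to the certificate in the manifest; the error_description in the response names which of the two it is.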
8. Office 365 Mailbox Auto Remediation should be functional at this time. Verify this by:
• Clicking: Check Connection
• Entering a valid Office 365 mailbox address
• Clicking: Test Connection
Your results should be the same as in Figure 21.

Figure 21. Verifying Auto Remediation Functionality

Configuring Remedial Actions on Delivered Messages

1. On the ESA or CES portal, log in with the correct credentials and select Mail Policies > Incoming Mail Policies.
2. For the Email Policy required, edit the Advanced Malware Protection (AMP) section as shown in Figure 22.

Figure 22. Incoming Mail Policies

3. Click the link in the Advanced Malware Protection column of the mail policy to modify.
4. Scroll to the bottom of the configuration options and select Enable Mailbox Auto Remediation.
5. As shown in Figure 23, choose the "Action to be taken on message(s) in user's mailbox":
• Forward to
• Delete
• Forward to and Delete (Recommended)

Figure 23. Configuring Remedial Actions
Verify that the results (Figure 24) show:
• A list of recipients for whom the mailbox remediation was successful or unsuccessful
• Remedial actions taken on messages
• The filenames associated with a SHA-256 hash

Figure 24. Viewing the Results

Error Message: The SMTP address has no mailbox associated with it.
Reason and Solution: You have entered an email address that is not part of the Office 365 domain. Enter a valid email address and check the connection again.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks,
go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco
and any other company. (1110R) C07-738370-00 12/16