
Cisco Email Security How–to Guide

Configure Mailbox Auto Remediation for Office 365


Cisco Public

How-To Configure Mailbox Auto Remediation for Office 365 on Cisco Email Security
Based on AsyncOS 10.0

© 2016 Cisco and/or its affiliates. All rights reserved.

Contents

About This Document 3
Introduction to Office 365 Mailbox Auto Remediation 3
Verifying Feature Keys in Cloud Email Security 4
Building a Public and Private Certificate and Key Pair 5
Register Your CES Cluster as an Application in Azure 6
Modify the Manifest to Reference the RSA Certificate 8
Upload Private Key and Other Certificate Parameters to the CES Cluster 9
Configuring Remedial Actions on Delivered Messages 11
Troubleshooting Mailbox Remediation 12


About This Document

Microsoft Exchange has become the standard email system used by midsize to large-scale organizations globally. With the rise of cloud applications, Microsoft has introduced Office 365. Cisco Email Security has been protecting Exchange from spam, phishing attacks and viruses for over a decade and recently has enhanced malware protection with Advanced Malware Protection (AMP). While the email security portfolio encompasses other protections, this guide explains how Microsoft Office 365 customers can protect their mailboxes from malicious zero-day attacks such as ransomware. It steps the reader through the details of setting up Office 365 Mailbox Auto Remediation integrated with AMP.

This document is for Cisco engineers and customers who will deploy Cisco® Cloud Email Security using AsyncOS® 10.0 or higher.

This document covers:
• Overview of Office 365 Mailbox Auto Remediation
• Creating a certificate
• Registering Cisco Cloud Email Security (CES) as an Azure app
• Troubleshooting

Note: The graphics present the most recent version of the Azure Active Directory user interface. As that changes over time, customers will need to consult Microsoft tech articles to supplement the tasks described here.

Introduction to Office 365 Mailbox Auto Remediation

Overview of Operation

A file can turn malicious anytime, even after it has reached a user's mailbox. Cisco Advanced Malware Protection (AMP) can identify this development as new information emerges and will push retrospective alerts to an on-premises appliance or Cisco Cloud Email Security (CES) cluster. With AsyncOS® 10.0, you get more than just alerting. If your organization is using Office 365 to manage mailboxes, you can configure CES to perform auto-remediation actions on the messages in a user's mailbox when the threat verdict changes. This process is briefly illustrated in Figure 1 below.

However, other details need to be considered that address how Cisco CES gains access to a user's Office 365 mailbox to remediate the message.

Cisco CES uses Azure Active Directory to gain access to the Office 365 mailboxes. After CES receives the retrospective update about the malicious file (Figure 1), it requests an access token from Azure. If communication is secured between CES and Azure, and CES is granted permission to access the Office 365 application, then an access token is provided (Figure 2). At that point the remediation action is allowed to proceed as indicated in step 5 of Figures 1 and 2.

This guide covers only how to integrate ESA/CES with O365 for auto remediation. The reader of this guide is required to know how to set up AMP on Email Security. For more details, see the chalk-talk "Cisco Email Security Malware Auto-Remediation for Office 365" or reference the "How-to Guide – Protect Against File-Based Attacks" (https://www.youtube.com/watch?v=kYTY6OwQ6f8&list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0&index=18).

Figure 1. Retrospection: Mailbox Auto Remediation in Action
[Diagram for ACME.com: (1) Cisco Cloud Email Security (DLP, A/V, A/S, Encryption); (2) file reputation query to AMP Threat Grid; (3) good reputation; (4) a later update: bad reputation, relayed via the SMA to the ESA cluster (@bce-acme.com); (5) remediate message in Microsoft Office 365.]


Figure 2. Remediation: Authenticating Access with Azure
[Diagram labels: Microsoft Azure; AMP Threat Grid; Requesting Access to O365 Mailbox; Access Token; SMA; ESA Cluster (@bce-acme.com); Cisco Cloud Email Security (DLP, A/V, A/S, Encryption); (5) Remediate Message; Microsoft Office 365.]

This document addresses setting up the Azure service as follows:

Step: Verify feature keys for Cisco AMP analysis and AMP reputation
Purpose: Mailbox Auto Remediation relies on AMP's intelligence for making a remediation.

Step: Create a certificate and a key pair
Purpose: Secures communication between Azure and CES.

Step: Register your CES cluster as an application on Azure Active Directory
Purpose: Specifies the permissions that CES has in Office 365 mailboxes. Permissions carried in token (Figure 2). Manifest is downloaded.

Step: Modify the manifest to reference your RSA certificate
Purpose: Configures Azure to recognize the public key sent from the CES cluster when it requests Office 365 permissions. Certificate-to-public-key references are put in manifest. The modified manifest is uploaded to Azure.

Step: Upload the private key and other certificate parameters to the CES cluster
Purpose: The private key is uploaded to CES. Configures client ID, tenant ID, and thumbprint.

Verifying Feature Keys in Cloud Email Security

1. Log in to your Cloud Email Security account.
2. Click: System Administration > Feature Keys.
3. Verify that File Reputation and File Analysis are active.

Figure 3. Verifying Feature Keys


Building a Public and Private Certificate and Key Pair

1. Download the Certificate and Key generating tool. We are using a tool called XCA (https://sourceforge.net/projects/xca/?source=typ_redirect).
Note: If you already have an x509 certificate and private key pair, then skip to the section "Register Your CES Cluster as an Application in Azure" in this guide.
2. Create a certificate and private key pair.
3. As shown in Figure 4, fill out the Distinguished name fields.
4. Click the Extensions tab.
5. In the section called "X509v3 Basic Constraints," specify the certificate type as Certification Authority.
6. Also on the Extensions tab (not shown), specify the time range for which the certificate is valid.

Figure 4. Filling Out the Distinguished Name Fields

7. Select Local time for the time zone that the Cisco CES cluster is hosted in.
8. Click: Apply.
9. Click the Key usage tab.
10. As shown in Figure 5, on the Key usage tab, choose the following three options:
• Digital Signature
• Key Encipherment
• E-mail Protection
11. Click: OK. Your certificate and private key pair will be created.

Figure 5. Choosing Key Usage Options

12. Click the Certificate tab and highlight the certificate name (Figure 6).
13. Click: Export. Download the certificate to a directory that is convenient to access with Microsoft PowerShell.
Note: Avoid long directory paths to make PowerShell use easier.
14. Click the Private Keys tab, highlight the private key name, and click: Export.
15. Download the private key to the same directory.


Figure 6. Downloading the Certificate and Private Key

16. Using WordPad, verify that the structure of the certificate and private key pair is as shown in Figure 7.

Figure 7. Verifying the Certificate and Private Key Pair Structure

Register Your CES Cluster as an Application in Azure

1. Access the Azure user interface: https://portal.azure.com/
2. Click: More Services > App Registrations (Figure 8).

Figure 8. Accessing the Registration Form

3. Click: +Add (Figure 9).
4. Specify the App Name.
5. For application type: Web app/API.
6. Sign-on URL in the form: https://<company_domain.com>/ManualRegistration
Note: This is the URL where users can sign in and use your appliance.


Figure 9. Adding the Application

7. Click: Create.
8. Under API Access, click: Required permissions (Figure 10).
9. In the API listing, select Office 365 Exchange Online.
10. At the bottom of the page click: Select.

Figure 10. Selecting the API

11. As shown in Figure 11, for Application Permissions select:
• Use Exchange Web Services with full access to…
• Send Mail as any user
• Read mail in all mailboxes
• Read and write mail in all mailboxes

Figure 11. Selecting Permissions

12. As shown in Figure 12, for Delegated Permissions select:
• Send mail as a user
• Read and write user mail
• Read user mail

Figure 12. Delegating Permissions


• Access mailboxes as the signed-in user via Exchange Web Services
13. Click: Select.
14. Click: Done.
15. Download the Manifest (Figure 13).
a. In the tool bar beneath the app name, click: Manifest.
b. In the Edit Manifest menu click: Download.
c. Save the manifest to the directory containing your certificate.

Figure 13. Downloading the Manifest

Modify the Manifest to Reference the RSA Certificate

Note: Additional references to these steps are in Chapter 21 of the User Guide, "Automatically Remediating Messages in Office 365 Mailboxes" (http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa10-0/ESA_10-0_User_Guide.pdf).

1. Secure the communication between the Office 365 services and the CES cluster by updating the application manifest with the key credentials from the public key certificate. As shown in line 12 of Figure 14, the parameter "keyCredentials" must be updated to include the JSON shown below:

JSON (referenced from Chapter 21 of the User Guide):
"keyCredentials": [
  {
    "customKeyIdentifier": "$base64Thumbprint_from_step_2",
    "keyId": "$keyid_from_step2",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "$base64Value_from_step2"
  }
],

Do this by opening the manifest in WordPad and copying the JSON as described above.

Figure 14. Updating the Key Credentials

2. Derive keyCredentials from your RSA certificate by using PowerShell. When they are derived, retrieve them by using PowerShell commands.
a. Log in to PowerShell and change to the directory that contains your certificate and private key pair.
3. Derive keyCredentials by running the following commands:

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("C:\Users\kbfloyd\Cert_Demo\bce-acme.crt")
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)
$keyid = [System.Guid]::NewGuid().ToString()


Note that the parameter for $cer.Import points to the directory in our example. (See Figure 15.)

Figure 15. $cer.Import

b. Retrieve the key credentials by running the following in PowerShell (Figure 16):
– $base64Thumbprint
– $keyid
– $base64Value

Note: Copy the $base64Thumbprint value to WordPad for later reference.

Figure 16. Retrieving the Key Credentials

4. Copy the key credentials into your manifest.
Note: Remove any automatic carriage returns that may be included when pasting the $base64 value.
5. Upload the manifest to your Azure account (Figure 17). If you get an error on upload, check for carriage returns as described in the previous step.

Figure 17. Uploading the Manifest

Upload Private Key and Other Certificate Parameters to the CES Cluster

1. Retrieve the Client ID from your account. This value is stored as the Application ID in the Azure Active Directory.
Click: App Registrations > App_Name > Settings
Copy the Client ID as shown in Figure 18.
In our example Client ID = 1c5f70b9-a305-48a8-98aa-ede69edcb2e6


Figure 18. Retrieving the Client ID

2. Retrieve the Tenant ID.
Click: App Registrations > Endpoints.
Under Federation Metadata Document, any of the URLs can be copied. (See Figure 19.) The number string needs to be copied from the full URL string.
In our example:
https://login.windows.net/688a9cf0-b444-4768-890d-168fc921d268/federationmetadata/2007-06/federationmetadata.xml
Tenant ID = 688a9cf0-b444-4768-890d-168fc921d268

Figure 19. Retrieving the Tenant ID

3. Gather these three values together to be uploaded to your CES cluster:
Client ID: 1c5f70b9-a305-48a8-98aa-ede69edcb2e6
Tenant ID: 688a9cf0-b444-4768-890d-168fc921d268
Thumbprint: 1kRRZsGNn8NlGEZhX11zrHphcE7=
4. Log in to your cluster. Click: System Administration > Mailbox Settings > Edit Settings. Enter the Client ID, Tenant ID, and Thumbprint (Figure 20).
5. Upload your Certificate Private Key.
6. Click: Submit and Commit Changes.
7. You should be prompted with: Certificate Private Key Successfully Uploaded.

Figure 20. Entering the Client ID, Tenant ID, and Thumbprint
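The derivation from "Modify the Manifest to Reference the RSA Certificate" and the three values gathered in step 3 above, collected into one PowerShell function. This is an added example, not code from the Cisco guide: New-CesKeyCredential, its parameters, the GUID checks and the Tenant ID extraction are my own, and it assumes Windows PowerShell 5.1 run from the directory that holds the .crt exported from XCA.

```powershell
# Added example, not from the Cisco guide: derive the manifest keyCredentials entry
# and the three Mailbox Settings values from one exported certificate.
# Assumes Windows PowerShell 5.1 and the .crt exported from XCA (DER or PEM).
function New-CesKeyCredential {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$ClientId,              # Application ID in Azure AD
        [Parameter(Mandatory)][string]$FederationMetadataUrl  # App Registrations > Endpoints
    )
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cer.Import((Resolve-Path $CertPath).Path)

    # The same three values the guide derives, computed the same way.
    $base64Value      = [Convert]::ToBase64String($cer.GetRawCertData())  # DER bytes, base64
    $base64Thumbprint = [Convert]::ToBase64String($cer.GetCertHash())     # SHA-1 hash, base64
    $keyid            = [Guid]::NewGuid().ToString()

    # The Tenant ID is the GUID path segment of the federation metadata URL.
    $tenantId = ([Uri]$FederationMetadataUrl).Segments[1].TrimEnd('/')
    $guidRe = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
    if ($ClientId -notmatch $guidRe) { throw "Client ID '$ClientId' is not a GUID" }
    if ($tenantId -notmatch $guidRe) { throw "Tenant ID '$tenantId' is not a GUID" }

    # -Compress emits one line, so no carriage returns can land inside the
    # base64 value (the guide's note on failed manifest uploads).
    $entry = [ordered]@{
        customKeyIdentifier = $base64Thumbprint
        keyId               = $keyid
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = $base64Value
    }
    [pscustomobject]@{
        KeyCredentialJson = ConvertTo-Json -InputObject @($entry) -Compress
        ClientId          = $ClientId
        TenantId          = $tenantId
        Thumbprint        = $base64Thumbprint   # value for Mailbox Settings
        NotAfter          = $cer.NotAfter       # when the pair must be rotated
    }
}

# Usage with the guide's example file, Client ID and endpoint URL
# (run from the directory that holds the exported certificate).
$r = New-CesKeyCredential -CertPath '.\bce-acme.crt' `
    -ClientId '1c5f70b9-a305-48a8-98aa-ede69edcb2e6' `
    -FederationMetadataUrl 'https://login.windows.net/688a9cf0-b444-4768-890d-168fc921d268/federationmetadata/2007-06/federationmetadata.xml'
$r | Format-List
# $r.KeyCredentialJson is the array to paste as the "keyCredentials" value.
```

Paste KeyCredentialJson as the value of "keyCredentials" in the manifest and enter ClientId, TenantId and Thumbprint on the Mailbox Settings page; the Thumbprint property is the same base64 SHA-1 string the guide copies to WordPad in step 3b.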


8. Office 365 Mailbox Auto Remediation should be functional at this time. Verify this by:
• Clicking: Check Connection
• Enter a valid Office 365 mailbox address
• Click: Test Connection
Your results should be the same as in Figure 21.

Figure 21. Verifying Auto Remediation Functionality

Configuring Remedial Actions on Delivered Messages

1. On the ESA or CES portal, log in with the correct credentials and select Mail Policies > Incoming Mail Policies.
2. For the Email Policy required, edit the Advanced Malware Protection (AMP) section as shown in Figure 22.

Figure 22. Incoming Mail Policies

3. Click the link in the Advanced Malware Protection column of the mail policy to modify.
4. Scroll to the bottom of the configuration options and select Enable Mailbox Auto Remediation.
5. As shown in Figure 23, choose the "Action to be taken on message(s) in user's mailbox":
• Forward to
• Delete
• Forward to and Delete (Recommended)

Figure 23. Configuring Remedial Actions


Monitoring Mailbox Remediation Results

1. You can view the details of the mailbox remediation results using the Mailbox Auto Remediation report page.
a. Log in to your CES Security Management Appliance.
b. Click: Email > Reporting > Mailbox Auto Remediation as shown in Figure 24.

From here you can view details such as:
• A list of recipients for whom the mailbox remediation was successful or unsuccessful
• Remedial actions taken on messages
• The filenames associated with a SHA-256 hash

Figure 24. Viewing the Results

Troubleshooting Mailbox Remediation

Problem: While trying to check the connection between your appliance and Office 365 services on the Mailbox Settings page (System Administration > Mailbox Settings), you receive an error message: Connection Unsuccessful.

Solution: Depending on the response from the server, do one of the following:

Error message: The SMTP address has no mailbox associated with it.
Reason and solution: You have entered an email address that is not part of the Office 365 domain. Enter a valid email address and check the connection again.

Error message: Application with identifier '<client_id>' was not found in the directory <tenant_id>.
Reason and solution: You have entered an invalid Client ID. Modify the Client ID on the Mailbox Settings page and check the connection again.

Error message: No service namespace named '<tenant_id>' was found in the data store.
Reason and solution: You have entered an invalid Tenant ID. Modify the Tenant ID on the Mailbox Settings page and check the connection again.

Error message: Error validating credentials. Credential validation failed.
Reason and solution: You have entered an invalid certificate thumbprint. Modify the certificate thumbprint on the Mailbox Settings page and check the connection again.


Error message: Error validating credentials. Client assertion contains an invalid signature.
Reason and solution: You have entered an incorrect certificate thumbprint or you have uploaded an invalid or incorrect certificate private key. Verify that:
• You have entered the correct thumbprint.
• You have uploaded the correct certificate private key.
• The certificate private key is not expired.
• The time zone of your appliance matches the time zone in the certificate private key.
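A pre-flight check for the causes listed in the table above, run before clicking Check Connection. This is an added example, not part of the Cisco guide: Test-CesMailboxCredential and its parameters are my own names, and it assumes Windows PowerShell 5.1 and the same exported .crt whose private key was uploaded to the cluster.

```powershell
# Added example, not from the Cisco guide: check the values entered in
# Mailbox Settings against the exported certificate before Check Connection.
# Assumes Windows PowerShell 5.1 and the same .crt used for the manifest.
function Test-CesMailboxCredential {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$Thumbprint,   # as entered in Mailbox Settings
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cer.Import((Resolve-Path $CertPath).Path)

    # "Credential validation failed": the thumbprint is the base64 SHA-1 of this cert.
    $expected = [Convert]::ToBase64String($cer.GetCertHash())
    if ($Thumbprint.Trim() -cne $expected) {
        $problems.Add("thumbprint '$Thumbprint' does not match the certificate ($expected)")
    }

    # "Application ... was not found" / "No service namespace": both IDs are GUIDs.
    $g = [Guid]::Empty
    if (-not [Guid]::TryParse($ClientId, [ref]$g)) { $problems.Add("Client ID is not a GUID") }
    if (-not [Guid]::TryParse($TenantId, [ref]$g)) { $problems.Add("Tenant ID is not a GUID") }

    # "Client assertion contains an invalid signature": an expired certificate, or an
    # appliance clock/time zone that puts 'now' outside the validity window.
    $now = [DateTime]::UtcNow
    $nb  = $cer.NotBefore.ToUniversalTime(); $na = $cer.NotAfter.ToUniversalTime()
    if ($now -lt $nb) { $problems.Add("certificate not valid before $nb UTC; check the time zone") }
    if ($now -gt $na) { $problems.Add("certificate expired at $na UTC") }

    # The assertion is signed with the private key; step 10 of the certificate
    # section requires the Digital Signature key usage.
    $ku = $cer.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ds = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if ($ku -and -not $ku.KeyUsages.HasFlag($ds)) {
        $problems.Add("certificate lacks the Digital Signature key usage")
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage with the guide's example values (a mismatch is reported, not thrown):
Test-CesMailboxCredential -CertPath '.\bce-acme.crt' `
    -Thumbprint '1kRRZsGNn8NlGEZhX11zrHphcE7=' `
    -ClientId '1c5f70b9-a305-48a8-98aa-ede69edcb2e6' `
    -TenantId '688a9cf0-b444-4768-890d-168fc921d268'
```

The check does not confirm that the uploaded private key belongs to the certificate; that case still surfaces only as the "invalid signature" error from the connection test.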

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks,
go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco
and any other company. (1110R) C07-738370-00  12/16
