
Cisco Email Security Appliance for IBM QRadar

Version Number: 1.0.3

Date: Mar 05, 2020

Copyright © 2020 Cisco

Contents
1 Introduction
1.1. Overview
1.2. About this Document
1.3. About the application
1.4. Custom Field Properties of DSM
2 General
1.1. Installation
2.1 Configuring Log Source
1. Cisco ESA Gateway Log Source
2. Cisco ESA Log Source
2.2 Generation of Authentication Token
2.3 Configuring the Cisco ESA App
2.4 Configuring the Cisco Email Security Virtual Appliance
2.4.1 Reroute ESA traffic to a specific port
3 Cisco Email Security App
3.1 General
3.1.1 Time Range Selector
3.2 Monitoring Tab
3.2.1 Overview
3.2.2 Mail Flow Summary
3.2.3 Mail Flow Details
3.2.4 Outbreak Filtering
3.2.5 Connections by Country
3.3 Tracking Tab
3.3.1 Overview
3.3.2 Messages
3.3.3 Rejected Connections
4 Troubleshooting
5 Legal Notice
5.1 Confidentiality Notice

1 Introduction
1.1. Overview
The Cisco Email Security Application for IBM QRadar brings data from Cisco Email
Security products into QRadar. IBM Security QRadar and Cisco together help
customers meet compliance and security goals and reduce the likelihood and
severity of security breaches. The Cisco Email Security platform lets users
automate email security and contain threats faster, directly from QRadar.

1.2. About this Document


This document explains how to deploy and use the Cisco Email Security
Application for IBM QRadar.

1.3. About the application


QRadar provides a robust solution for Security Information and Event
Management (SIEM), anomaly detection, incident forensics, and vulnerability
management.

Integrating the Cisco Email Security solutions with QRadar provides insight,
visibility, and actionable intelligence gleaned from defence-in-depth and
comprehensive security services for all web and email traffic across the
enterprise, to combat complex security threats. QRadar gains a rich source of
contextual data, enabling it to identify and alert on anomalous behaviour and
threats and helping you reach your compliance and security goals.

When you set up the Cisco Email Security Application for QRadar, it integrates
the data from the Cisco Email Security platform and lets you view that data
graphically in the QRadar console.

Prerequisites

• IBM QRadar version 7.3.1 patched to 20190228154648 or later
• Administration privileges
• Email Security Virtual Appliance version 13.5.1-277 or later

1.4. Custom Field Properties of DSM
Fig: Custom field property of the Cisco ESA DSM (screenshot)

2 General
1.1. Installation
1. Log in to QRadar and go to the Admin tab.
2. Select Extensions Management.
3. Install the application as a QRadar extension (see the IBM QRadar
documentation on installing extensions for details).
4. After the installation, deploy changes in QRadar.

2.1 Configuring Log Source
1. From the Admin tab on the QRadar navigation bar, scroll down to Log
Sources.
2. Click Add to create a new log source.
3. Enter the required parameters for the log source.
4. Configure the two log sources described below.
5. After configuration, save and deploy changes.
1. Cisco ESA Gateway Log Source

The ESA Gateway log source is used mainly to flatten multiline syslog messages into
single-line events. For more secure communication and QCA compatibility, use TLS Syslog.

1.1. Configuring the Gateway Log Source Using TLS Syslog

Create a log source named "Cisco ESA Gateway", with "Universal DSM" as the log source
type and "TLS Syslog" as the protocol. Configure the other parameters as shown in the
screenshot.

Fig: Cisco ESA Gateway Log Source with TLS Syslog
NOTE: 1) Ensure Coalescing is turned OFF. With coalescing on, QRadar bundles repeated
events from the same source into one record, so per-message data the app charts would be
lost.

2) Ensure the latest TLS Syslog protocol RPM is installed.

2. Cisco ESA Log Source

NOTE: Ensure Coalescing is turned OFF.

Fig2: Cisco ESA Log Source

2.2 Generation of Authentication Token

1. Log in to QRadar and go to the Admin tab.

2. Select Authorized Services.

3. Click Add Authorized Service.

4. Enter the details and generate the authentication token.

5. After generating the token, deploy changes.

Note: As a best practice, generate a new service token every 90 days. Treat the token as a
secret: it grants whoever holds it the permissions of the user role and security profile
selected for the authorized service.

2.3 Configuring the Cisco ESA App

1. From the Admin tab on the QRadar navigation bar, scroll down and open Cisco ESA
App Settings.

2. Enter the authentication token generated in the previous step and the other details,
then click Submit.

NOTE: If no authentication token is present, the app will not load. You can confirm that a
token works before entering it by sending a request to the QRadar REST API with the token
in the SEC header (for example, GET /api/system/about).

2.4 Configuring the Cisco Email Security Virtual Appliance

Step 1: Go to System Administration > Log Subscriptions.

Step 2: Enter a log name and select Syslog Push as the retrieval method.

Step 3: Enter the IP address of QRadar and select the TCP protocol.

Note: Syslog Push sends the logs to port 514, and the Email Security Appliance does not
yet offer an option to change that port. The TLS Syslog listener in QRadar uses port 6514,
so the mail log traffic from the ESA must be rerouted to port 6514 according to the
user's selection.

2.4.1 Reroute ESA traffic to a specific port

Based on the selected protocol (TLS Syslog), users can specify the port to which ESA
traffic should be routed. TLS Syslog uses port 6514.

Users can reroute ESA traffic in two ways:

• Change the rules in the firewall between the ESA and QRadar to redirect the traffic
to QRadar on port 6514.
• Modify the iptables rules within QRadar to redirect the traffic to port 6514.

A port redirect only changes the destination port; it does not add encryption to the
connection. After applying it, confirm with the tcpdump check in the Troubleshooting
section that events are arriving.

Configuring iptables for TLS Syslog

Steps
1> Using SSH, log in to QRadar as the root user.
2> Type the following command to edit the iptables NAT file:
vi /opt/qradar/conf/iptables-nat.post

The iptables NAT configuration file is displayed.

3> Add the following line to instruct QRadar to redirect syslog events arriving on TCP
port 514 to the TLS Syslog port 6514:

-A PREROUTING -p tcp --dport 514 -j REDIRECT --to-port <new-port> -s <IP address>

Where:
IP address is the IP address of your ESA server.
New port is the port number configured in the TLS Syslog protocol of the gateway log
source (6514 by default).

You must include a redirect for each ESA IP address that sends events to your QRadar
Console or Event Collector.

Example:
-A PREROUTING -p tcp --dport 514 -j REDIRECT --to-port 6514 -s 192.168.0.21

4> Save your iptables NAT configuration.

You are now ready to configure iptables on your QRadar Console or Event Collector to
accept events from your ESA servers.

5> Type the following command to edit the iptables file:

vi /opt/qradar/conf/iptables.post

The iptables configuration file is displayed.

6> Add the following line to instruct QRadar to allow communication from your ESA
servers (the redirect in step 3 has already rewritten the destination port, so the filter
rule matches TCP port 6514):

-I QChain 1 -m tcp -p tcp --src <IP_address> --dport <New port> -j ACCEPT

Where:

IP address is the IP address of your ESA server.
New port is the port number configured in the TLS Syslog protocol.

You must include an ACCEPT rule for each ESA IP address that sends events to your QRadar
Console or Event Collector.
Example:

-I QChain 1 -m tcp -p tcp --src 192.168.0.21 --dport 6514 -j ACCEPT

7> Type the following command to apply the updated iptables rules in QRadar:

/opt/qradar/bin/iptables_update.pl
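The seven steps above carried out for several ESA addresses at once, as an added shell example that is not part of this guide or of the Cisco app. It assumes the two .post files and the update script named in the steps and is run as root on the Console or Event Collector; the function names, the "apply" argument and the NAT_FILE/FILTER_FILE/TLS_PORT overrides are this example's own.

```shell
#!/bin/sh
# Added example, not from the Cisco/IBM guide: generate the per-ESA lines from
# steps 3 and 6 for any number of ESA addresses, append them without duplicates,
# and (only when run as "apply") call iptables_update.pl and show the live rules.
# Function names and the NAT_FILE/FILTER_FILE overrides are this example's own.

NAT_FILE="${NAT_FILE:-/opt/qradar/conf/iptables-nat.post}"
FILTER_FILE="${FILTER_FILE:-/opt/qradar/conf/iptables.post}"
UPDATE_SCRIPT="${UPDATE_SCRIPT:-/opt/qradar/bin/iptables_update.pl}"
ESA_SRC_PORT="${ESA_SRC_PORT:-514}"   # port the ESA Syslog Push sends to
TLS_PORT="${TLS_PORT:-6514}"          # QRadar TLS Syslog listener port

# Accept only a dotted-quad IPv4 address with octets 0-255; a typo here would
# otherwise become a broken rule or one that redirects the wrong source.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Rule text exactly as steps 3 and 6 expect it in the .post files.
esa_nat_rule() {
  printf '%s\n' "-A PREROUTING -p tcp --dport $ESA_SRC_PORT -j REDIRECT --to-port $TLS_PORT -s $1"
}
esa_filter_rule() {
  printf '%s\n' "-I QChain 1 -m tcp -p tcp --src $1 --dport $TLS_PORT -j ACCEPT"
}

# Append a line unless an identical one is already present, so re-running the
# script after adding a new ESA never duplicates rules. Returns 1 when skipped.
append_once() {
  if [ -f "$2" ] && grep -qxF -- "$1" "$2"; then
    return 1
  fi
  printf '%s\n' "$1" >> "$2"
}

# Validate every address first so one bad argument leaves both files untouched;
# prints the number of lines added (two per new ESA, zero on a re-run).
install_esa_rules() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid ESA address: $ip" >&2; return 1; }
  done
  added=0
  for ip in "$@"; do
    append_once "$(esa_nat_rule "$ip")" "$NAT_FILE" && added=$((added + 1))
    append_once "$(esa_filter_rule "$ip")" "$FILTER_FILE" && added=$((added + 1))
  done
  echo "$added"
}

# Usage as root on the Console/Event Collector:
#   sh esa_rules.sh apply 192.168.0.21 192.168.0.22
if [ "${1:-}" = "apply" ]; then
  shift
  install_esa_rules "$@" >/dev/null || exit 1
  "$UPDATE_SCRIPT"
  # iptables -S prints the REDIRECT target as --to-ports; expect one line per ESA in each.
  iptables -t nat -S PREROUTING | grep -- "--to-ports $TLS_PORT"
  iptables -S QChain | grep -- "--dport $TLS_PORT"
fi
```

With NAT_FILE and FILTER_FILE pointed at scratch files the script can be dry-run on any host; without the apply argument it only edits the .post files, and the validation pass keeps an address typo from turning into a rule that redirects or admits the wrong source.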

3 Cisco Email Security App


3.1 General
Information displayed in the Cisco Email Security App for syslog.

To navigate to the Cisco Email Security Application in IBM QRadar:

1. From the QRadar home page, click the Cisco ESA tab.

3.1.1 Time Range Selector

The time range selector lets the user display information for a chosen timeframe. By
default, the application shows data for the last 7 days.

The user can select one of the predefined date ranges, or click Custom and select a
custom date range.

3.2 Monitoring Tab
The Monitoring tab contains the following sub tabs:
• Mail Flow Reports
1. Mail Flow Summary
2. Mail Flow Details
3. Connections by Country
• Email Threat Reports
1. Macro Detection
2. Outbreak Filtering
3. URL Filtering
4. Virus Filtering

3.2.1 Overview
The Monitoring tab contains the following dropdowns:

• Dropdown for selecting sub tabs
• Incoming and Outgoing
• Hosts
• Domain and IP address (inside the Mail Flow Details tab)

3.2.2 Mail Flow Summary
The Mail Flow Summary tab contains two menus:

1. Incoming
2. Outgoing

3.2.3 Mail Flow Details
The Mail Flow Details tab contains two tabs:

1. IP Address
2. Domain

Both of these tabs contain two menus:

1. Incoming
• The Incoming menu contains three charts:
1. Top Senders by Total Threat Messages
2. Top Senders by Clean Messages
3. Top Senders by Graymail Messages

2. Outgoing
• The Outgoing menu contains two charts:
1. Top Senders by Total Threat Messages
2. Top Senders by Clean Messages

Mail Flow Details also provides a search option based on IP address and domain.

3.2.4 Outbreak Filtering
The Outbreak Filtering tab contains two charts:

1. Threat Summary
2. Hit Messages from Incoming Messages

3.2.5 Connections by Country
The Connections by Country tab contains one chart, Top Incoming Mail Connections by
Country.

3.3 Tracking Tab

The Tracking tab lets the user search information using the filters in basic search and
advanced search.

3.3.1 Overview
The Tracking tab contains two tabs:

1. Messages
2. Rejected Connections

3.3.2 Messages
The Messages tab lets the user search on the hosts present, using operators such as
begins with, is, contains, and is empty.

The Messages tab contains basic and advanced search filters.

When a search completes, the results offer options to view more details and to modify
the filters.

3.3.3 Rejected Connections
The Rejected Connections tab contains a filter option based on sender IP.

4 Troubleshooting

1. App not loading with data.

Check that the authorization token is present in the ESA App settings page.

2. Not all data available in the charts?

Check that you have disabled coalescing for the log sources.

3. If the ESA dashboard is not loading with data, or the Log Activity search does not
show ESA events, run tcpdump on QRadar to verify that ESA logs are reaching it.
SSH to the QRadar console and run:

tcpdump -nnAs0 -i any host <<ESA IP>> and port <<port>>

Capture on the port the ESA sends to (514 by default): tcpdump sees an incoming packet
before the iptables PREROUTING redirect rewrites its destination port to 6514, so a
capture filtered on port 6514 shows nothing even when the redirect is working. Wait a
few minutes; if the ESA is pushing the log subscription, you should see its log lines in
the capture.

4. Uploading the following logs with the case helps our engineers assist you further:
• qradar.error
• startup.log
• app.log
To get qradar.error, SSH to the QRadar console; the file is located at
/var/log/qradar.error.
To get startup.log and app.log, you need the ESA app's container:
Log in to the QRadar console (putty/terminal).

Get the ESA app ID by running: /opt/qradar/support/recon ps

startup.log and app.log are available in this location:

/store/docker/volumes/qapp-<<App ID>>/log

Replace App ID with the ESA app ID from the recon ps output.

For example: /store/docker/volumes/qapp-110/log

5 Legal Notice
5.1 Confidentiality Notice
This document transmission (and/or the documents accompanying it) is for the
sole use of the intended recipient(s) and may contain information protected by the
attorney-client privilege, the attorney-work-product doctrine or other applicable
privileges or confidentiality laws or regulations. If you are not an intended
recipient, you may not review, use, copy, disclose or distribute this message or any
of the information contained in this message to anyone. If you are not the intended
recipient, contact the sender by reply e-mail and destroy all copies of this message
and attachments.
