topic Re: Cisco ESA (Cisco IronPort) and XSOAR Integration in Cortex XSOAR Discussions

Cisco ESA (Cisco IronPort) and XSOAR Integration

Omar_Hany — Sun, 13 Oct 2024 20:38:41 GMT

Hi all,

I'm facing an issue with my integration between Cisco ESA and XSOAR. When I search for specific emails that contain attachments or subjects in Arabic, the SOAR can fetch and display them without any problem. However, when I try to search specifically using an Arabic subject line, the SOAR fails to perform the search.

Has anyone encountered a similar issue or have any recommendations on how to resolve this? Any help would be greatly appreciated!

Thank you in advance.

Re: Cisco ESA (Cisco IronPort) and XSOAR Integration

yuki_sato — Mon, 14 Oct 2024 15:22:25 GMT

Could you share which integration command you are using for this?

Re: Cisco ESA (Cisco IronPort) and XSOAR Integration

Omar_Hany — Tue, 15 Oct 2024 08:37:53 GMT

Kindly find below the used command:

!cisco-sma-message-search end_date=now start_date="2 days" subject_filter_operator=contains subject_filter_value="_Subject_Name_"

Re: Cisco ESA (Cisco IronPort) and XSOAR Integration

Omar_Hany — Tue, 15 Oct 2024 09:40:36 GMT

I found that it can fetch the results successfully, the main problem was searching with subjects or attachments that have more than one word.

For example, if I search for subject "Forward Test", the query does not return any results.

However, if I search for just Forward" or "Test" individually, it successfully fetches the results.

Any suggestion to solve this issue would be greatly appreciated

Re: Cisco ESA (Cisco IronPort) and XSOAR Integration

yuki_sato — Tue, 15 Oct 2024 15:32:56 GMT

Looking at the integration code and the API document by Cisco, it does look to follow the API guide (https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-5-1/api_guide/b_Secure_Email_API_Guide_15-5-1/b_ESA_API_Guide_chapter_010.html). I included a screenshot of where the integration submits GET request to the API endpoint.

I do want to point out that in XSOAR, parameters (end_date, start_date, subject_filter_operator, etc.) are set under params variable but according to the API documentation, the endpoint is expecting "endDate=2018-11-23T00:00:00.000Z&limit=25&offset=0&orderBy=
received&orderDir=desc&quarantineType=pvo&quarantines=Outbreak,Virus,File+Analysis,Unclassified,Policy&startDate" format where each parameter is concatenated with "&". I would test this format and how XSOAR is submitting the request to make sure they are both supported.

If you have an API tool like Postman, I would test submitting requests to the endpoint by setting these variables up to verify if the endpoint accepts subjectFilterValue:

params = assign_params(
envelopeSenderfilterOperator=sender_filter_operator,
envelopeSenderfilterValue=sender_filter_value,
envelopeRecipientfilterOperator=recipient_filter_operator,
envelopeRecipientfilterValue=recipient_filter_value,
subjectfilterOperator=subject_filter_operator,
subjectfilterValue=subject_filter_value,
ciscoHost=cisco_host,
searchOption=search_option,
offset=offset,
limit=limit,
fileSha256=file_sha_256,
attachmentNameOperator=attachment_name_operator,
attachmentNameValue=attachment_name_value,
**format_custom_query_args(custom_query),
)

return self._http_request("GET",f"message-tracking/messages?startDate={start_date}&endDate={end_date}",params=params,)

Re: Cisco ESA (Cisco IronPort) and XSOAR Integration

akoppad — Tue, 15 Oct 2024 17:50:12 GMT

@Omar_Hany Try url encoding your subject and then passing it as value to the argument subject_filter_value. If you try "Forward%20Test" instead of "Forward Test" it might work.