10-13-2024 01:35 PM - edited 10-13-2024 01:38 PM
Hi all,
I'm facing an issue with my integration between Cisco ESA and XSOAR. When I search for specific emails that contain attachments or subjects in Arabic, the SOAR can fetch and display them without any problem. However, when I try to search specifically using an Arabic subject line, the SOAR fails to perform the search.
Has anyone encountered a similar issue or have any recommendations on how to resolve this? Any help would be greatly appreciated!
Thank you in advance.
10-15-2024 01:37 AM
Kindly find below the used command:
!cisco-sma-message-search end_date=now start_date="2 days" subject_filter_operator=contains subject_filter_value="_Subject_Name_"
10-15-2024 02:40 AM
I found that it can fetch the results successfully; the main problem was searching with subjects or attachments that have more than one word.
For example, if I search for subject "Forward Test", the query does not return any results.
However, if I search for just "Forward" or "Test" individually, it successfully fetches the results.
Any suggestion to solve this issue would be greatly appreciated.
10-15-2024 08:32 AM
Looking at the integration code and the API document by Cisco, it does look to follow the API guide (https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-5-1/api_guide/b_Secure_Email_API_Guide_15-5...). I included a screenshot of where the integration submits the GET request to the API endpoint.
I do want to point out that in XSOAR, parameters (end_date, start_date, subject_filter_operator, etc.) are set under the params variable, but according to the API documentation, the endpoint is expecting the "endDate=2018-11-23T00:00:00.000Z&limit=25&offset=0&orderBy=received&orderDir=desc&quarantineType=pvo&quarantines=Outbreak,Virus,File+Analysis,Unclassified,Policy&startDate" format, where each parameter is concatenated with "&". I would test this format and how XSOAR is submitting the request to make sure they are both supported.
If you have an API tool like Postman, I would test submitting requests to the endpoint by setting these variables up to verify if the endpoint accepts subjectFilterValue:
    params = assign_params(
        envelopeSenderfilterOperator=sender_filter_operator,
        envelopeSenderfilterValue=sender_filter_value,
        envelopeRecipientfilterOperator=recipient_filter_operator,
        envelopeRecipientfilterValue=recipient_filter_value,
        subjectfilterOperator=subject_filter_operator,
        subjectfilterValue=subject_filter_value,
        ciscoHost=cisco_host,
        searchOption=search_option,
        offset=offset,
        limit=limit,
        fileSha256=file_sha_256,
        attachmentNameOperator=attachment_name_operator,
        attachmentNameValue=attachment_name_value,
        **format_custom_query_args(custom_query),
    )
    return self._http_request(
        "GET",
        f"message-tracking/messages?startDate={start_date}&endDate={end_date}",
        params=params,
    )
10-15-2024 10:50 AM
@Omar_Hany Try URL-encoding your subject and then passing it as the value of the argument subject_filter_value. If you try "Forward%20Test" instead of "Forward Test" it might work.
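To compare what each form of the subject looks like on the wire, the following is an added example, not code from the integration or from any poster in this thread. It assumes the client encodes a params dict once, the way Python's standard urlencode does; the host is a placeholder, the Arabic subject is constructed, and parse_qs stands in for whatever decoding the server performs.

```python
from urllib.parse import parse_qs, quote, quote_plus, urlencode, urlsplit

# Placeholder host (assumption); the path is the one in the snippet above.
BASE = "https://sma.example.invalid/message-tracking/messages"


def build_url(subject, space_as_plus=True):
    """Encode the subject filter the way a dict-based `params` argument is
    normally encoded: every value is percent-encoded exactly once."""
    params = {
        "subjectfilterOperator": "contains",
        "subjectfilterValue": subject,
    }
    # quote_plus writes a space as "+", quote writes it as "%20".
    quoter = quote_plus if space_as_plus else quote
    return f"{BASE}?{urlencode(params, quote_via=quoter)}"


def decoded_subject(url):
    """The subject a receiver gets after decoding the query string once
    (parse_qs is a stand-in for the server, which is an assumption)."""
    return parse_qs(urlsplit(url).query)["subjectfilterValue"][0]


if __name__ == "__main__":
    samples = [
        "Forward Test",      # multi-word subject from the thread
        "اختبار البريد",      # constructed Arabic subject
        "Forward%20Test",    # value percent-encoded by hand before sending
    ]
    for subject in samples:
        for plus in (True, False):
            url = build_url(subject, plus)
            print(f"typed   : {subject!r} (space_as_plus={plus})")
            print(f"on wire : {url.split('?', 1)[1]}")
            print(f"decoded : {decoded_subject(url)!r}\n")
```

Comparing the "on wire" strings with the request captured in Postman or a proxy shows which of these forms the endpoint actually receives, including whether a hand-encoded value arrives with its percent sign encoded a second time.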