Cisco ESA (Cisco IronPort) and XSOAR Integration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cisco ESA (Cisco IronPort) and XSOAR Integration

L1 Bithead

Hi all,

 

I'm facing an issue with my integration between Cisco ESA and XSOAR. When I search for specific emails that contain attachments or subjects in Arabic, the SOAR can fetch and display them without any problem. However, when I try to search specifically using an Arabic subject line, the SOAR fails to perform the search.

 

Has anyone encountered a similar issue or have any recommendations on how to resolve this? Any help would be greatly appreciated!

 

Thank you in advance.

5 REPLIES 5

L3 Networker

Could you share which integration command you are using for this?

Kindly find below the used command:

!cisco-sma-message-search end_date=now start_date="2 days" subject_filter_operator=contains subject_filter_value="_Subject_Name_"

I found that it can fetch the results successfully, the main problem was searching with subjects or attachments that have more than one word.

For example, if I search for subject "Forward Test", the query does not return any results.

However, if I search for just Forward" or "Test" individually, it successfully fetches the results.

 

Any suggestion to solve this issue would be greatly appreciated

L3 Networker

Looking at the integration code and the API document by Cisco, it does look to follow the API guide (https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-5-1/api_guide/b_Secure_Email_API_Guide_15-5...). I included a screenshot of where the integration submits GET request to the API endpoint.

 

 

I do want to point out that in XSOAR, parameters (end_date, start_date, subject_filter_operator, etc.) are set under params variable but according to the API documentation, the endpoint is expecting "endDate=2018-11-23T00:00:00.000Z&limit=25&offset=0&orderBy=
received&orderDir=desc&quarantineType=pvo&quarantines=Outbreak,Virus,File+Analysis,Unclassified,Policy&startDate" format where each parameter is concatenated with "&". I would test this format and how XSOAR is submitting the request to make sure they are both supported.


If you have an API tool like Postman, I would test submitting requests to the endpoint by setting these variables up to verify if the endpoint accepts subjectFilterValue:

 

params = assign_params(
envelopeSenderfilterOperator=sender_filter_operator,
envelopeSenderfilterValue=sender_filter_value,
envelopeRecipientfilterOperator=recipient_filter_operator,
envelopeRecipientfilterValue=recipient_filter_value,
subjectfilterOperator=subject_filter_operator,
subjectfilterValue=subject_filter_value,
ciscoHost=cisco_host,
searchOption=search_option,
offset=offset,
limit=limit,
fileSha256=file_sha_256,
attachmentNameOperator=attachment_name_operator,
attachmentNameValue=attachment_name_value,
**format_custom_query_args(custom_query),
)

return self._http_request("GET",f"message-tracking/messages?startDate={start_date}&endDate={end_date}",params=params,)

 

 

 

L1 Bithead

@Omar_Hany Try url encoding your subject and then passing it as value to the argument subject_filter_value. If you try "Forward%20Test" instead of "Forward Test" it might work. 

  • 512 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!