Mailbox Auto Remediation on Microsoft Exchange Online, Microsoft Exchange on-premise, hybrid, and multi-tenant deployments
A file can turn malicious anytime, even after it has reached the user’s mailbox. AMP can identify this as new information emerges and push retrospective alerts to your appliance. You can configure your appliance to perform auto-remedial actions on the messages in the user mailbox when the threat verdict changes.
The appliance can perform auto-remedial actions on the messages in the following mailbox deployments:
- Microsoft Exchange Online – mailbox hosted on Microsoft Office 365
- Microsoft Exchange on-premise – a local Microsoft Exchange server
- Hybrid/Multiple tenant configuration – a combination of mailboxes configured across Microsoft Exchange Online and Microsoft Exchange on-premise deployments
For more information, see the “Automatically Remediating Messages in Mailboxes” chapter in the user guide.
The Cisco Email Security appliance now supports SAML 2.0 SSO to allow users to log in to the web interface (both legacy and new web interface) of the appliance using the same credentials used to access other SAML 2.0 SSO enabled services within the organization.
For more information, see the “Single Sign-On (SSO) Using SAML 2.0” section in the user guide.
The Cisco Email Security appliance now supports a new type of log subscription, ‘Consolidated Event Logs’, which summarizes each message event in a single log line. Using this log subscription, you can reduce the volume of log data sent to a Security Information and Event Management (SIEM) vendor or application for analysis.
The Consolidated Event Logs are in the Common Event Format (CEF) log message format that is widely used by most SIEM vendors.
For more information, see the “Logging” chapter in the user guide.
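The following is an added example, not code from the user guide or from Cisco: it parses CEF records of the shape the Consolidated Event Logs use (header fields separated by `|`, then `key=value` extensions) and applies a simple SIEM-style triage rule. The sample lines are constructed, and the `ESAAMPVerdict` key, the `ESA` product string, and the signature ID are assumed placeholder values; check the appliance's CEF field reference for the real names.

```python
import re

# CEF layout: "CEF:Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension". Header fields escape '|' and '\' with a backslash; extension values escape '=' and '\'.
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def _split_header(line):
    """Return the 7 unescaped header fields and the raw extension string."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        if line[i] == "\\" and i + 1 < len(line):      # escaped '|' or '\'
            cur.append(line[i + 1]); i += 2; continue
        if line[i] == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(line[i])
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: " + line[:40])
    return fields, line[i:]

def _parse_extension(ext):
    """Parse 'k=v k2=v v' pairs; a value runs until the next ' key=' token."""
    keys = list(re.finditer(r"(?:^|\s)([^\s=\\]+)=", ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]
    return {m.group(1): re.sub(r"\\(.)", r"\1", ext[m.end():end]) for m, end in zip(keys, ends)}

def parse_cef(line):
    # One CEF record -> dict of header fields plus an 'ext' dict of extension pairs.
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[4:])
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["ext"] = _parse_extension(ext)
    return rec

def flag_events(lines, min_severity=7, verdict_key="ESAAMPVerdict"):
    """Return (recipient, sender, verdict) for records a SIEM rule should alert on: numeric header
    severity >= min_severity, or a MALICIOUS verdict. verdict_key is an assumed field name."""
    hits = []
    for rec in (parse_cef(l) for l in lines if l.strip()):
        sev = int(rec["severity"]) if rec["severity"].isdigit() else 0   # textual severities count as 0
        verdict = rec["ext"].get(verdict_key, "")
        if sev >= min_severity or verdict.upper() == "MALICIOUS":
            hits.append((rec["ext"].get("duser"), rec["ext"].get("suser"), verdict))
    return hits

# Constructed sample records (not captured from a real appliance); the second exercises both escape forms.
SAMPLE = [
    "CEF:0|Cisco|ESA|13.0.0|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|3|suser=alice@example.com duser=bob@example.com ESAAMPVerdict=CLEAN msg=Quarterly report",
    "CEF:0|Cisco|ESA\\|Cloud|13.0.0|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|9|suser=mallory@example.net duser=bob@example.com src=203.0.113.7 ESAAMPVerdict=MALICIOUS msg=Invoice \\= urgent",
]
```

Feed the appliance's consolidated log lines to `flag_events` in place of `SAMPLE`; the header `severity` is the first thing to key a SIEM correlation rule on, because it is present in every record regardless of which extension fields the event carries.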
You can configure your email gateway to provide a safe view (safe-printed PDF version) of a message attachment detected as malicious or suspicious.
The safe view of the message attachment is delivered to the end-user and the original attachment is stripped from the message.
You can use the 'Safe Print' content filter action to safe print all message attachments that match a configured content filter condition.
The ability to safe print message attachments in the email gateway helps an organization to:
- Prevent message attachments with malicious or suspicious content from entering an organization network.
- View malicious or suspicious message attachments without being affected by malware.
- Deliver the original message attachment based on the end-user request.
For more information, see the “Configuring Email Gateway to Safe Print Message Attachments” chapter in the user guide.
You can integrate your appliance with the Cisco Threat Response portal, and perform the following actions in the Cisco Threat Response portal:
- View the message tracking data from multiple appliances in your organization.
- Identify, investigate, and remediate threats observed in the message tracking.
- Resolve the identified threats rapidly and provide recommended actions to take against the identified threats.
- Document the threats in the portal to save the investigation and share the information with other devices on the portal.
For more information, see the “Integrating with Cisco Threat Response Portal” chapter in the user guide.
The Cisco Email Security appliance now includes the casebook and pivot menu widgets.
If you are using the Microsoft Internet Explorer browser to access your appliance, you will not be able to use the casebook widget.
You can perform the following actions in your appliance using the casebook and pivot menu widgets:
- Add an observable to a casebook to investigate for any threat analysis.
- Pivot an observable to a new case, an existing case, or other devices registered in the Cisco Threat Response portal (for example, AMP for Endpoints, Cisco Umbrella, Cisco Talos Intelligence, and so on) to investigate for threat analysis.
For more information, see the “Integrating with Cisco Threat Response Portal” chapter in the user guide.
The Cisco Email Security appliance now collects feature/interface usage statistics on the new web interface of the appliance that helps Cisco improve overall user experience. All data collected is anonymized. If you want to opt out of this feature, navigate to the System Administration > General Settings > Usage Analytics page of the web interface to disable it.
For more information, see the “Collecting Usage Statistics of the Appliance on the New Web Interface” section in the user guide.
The Cisco Email Security appliance will be FIPS certified and integrates the following FIPS 140-2 approved cryptographic module: Cisco Common Crypto Module (FIPS 140-2 Cert. #2984).
See the “FIPS Management” chapter in the user guide.
You can now search for messages based on the "Reply-To" header of the message.
For more information, see the “Tracking Messages” chapter of the user guide.
You can use the trailblazerconfig command to route your incoming and outgoing connections through HTTPS ports on the new web interface.
By default, the trailblazerconfig CLI command is enabled on your appliance. You can see the inline help by typing the command: help trailblazerconfig.
For more information, see the “trailblazerconfig” section of the CLI Reference Guide.
The Metrics Bar widget enables you to view the real-time data of the file analysis done by the Cisco Threat Grid appliance on the Advanced Malware Protection report page.
For more information, see the “Advanced Malware Protection Page” section of the user guide.
You can add the IP address that you use to access the appliance over SSH to a persistent whitelist or blacklist. If the appliance or the ipblockd service is restarted, the IP addresses in the persistent blacklist or whitelist are retained.
You can use the sshconfig > access control subcommand in the CLI to add the IP address to the persistent whitelist or blacklist.
For more information, see the sshconfig section of the CLI Reference Guide for AsyncOS 13.0 for Email Security Appliances.
You can now create an exception list consisting of only full email addresses to bypass the Forged Email Detection content filter in Mail Policies > Address Lists.
You can use this exception list in the Forged Email Detection rule if you want the appliance to exempt those email addresses from the configured content filter.
The appliance now has a new web interface to search and view:
* Email Reports. You can now view email reports from the Reports drop-down based on the following categories:
– Email Threat Reports
– File and Malware Reports
– Connection and Flow Reports
– User Reports
– Filter Reports
For more information, see the “Email Security Monitor Pages on the New Web Interface” chapter in the user guide.
* Spam Quarantine
– You can now view and search for spam and suspected spam messages on the Quarantine > Spam Quarantine > Search page in the web interface.
– You can view, add, and search for domains added in the safelist and blocklist on the Quarantine > Spam Quarantine > Safelist or Blocklist page in the web interface.
For more information, see the “Spam Quarantine” chapter in the user guide.
* Policy, Virus and Outbreak Quarantines. You can view and search for policy, virus, and outbreak quarantines on the Quarantine > Other Quarantine > Search page in the web interface.
For more information, see the “Centralized Policy, Virus, and Outbreak Quarantines” chapter in the user guide.
* Message Tracking. You can search for messages or a group of messages depending on your search criteria on the Tracking > Search page in the web interface.
For more information, see the “Tracking Messages” chapter in the user guide.
- Make sure that you have enabled AsyncOS API on the appliance.
- Make sure that AsyncOS HTTPS API port is not enabled on multiple interfaces.
- By default, trailblazerconfig is enabled on the appliance.
- Make sure that the configured HTTPS port is opened on the firewall. The default HTTPS port is 4431.
- Also, ensure that your DNS server can resolve the hostname that you specified for accessing the appliance.
For more information, see the “Accessing the New Web Interface” section, page 15 of the Release Notes.
The Advanced Malware Protection Report page has the following enhancements:
- A new section, Incoming Malware Files by Category, to view the percentage of blacklisted file SHAs received from the AMP for Endpoints console that are categorized as Custom Detection.
The threat name of a blacklisted file SHA obtained from AMP for Endpoints console is displayed as Simple Custom Detection in the Incoming Malware Threat Files section of the report.
- A new section, Incoming Malware Files by Category, to view the percentage of blacklisted file SHAs based on the threshold settings that are categorized as Custom Threshold.
- You can click on the link in the More Details section of the report to view the file trajectory details of a blacklisted file SHA in the AMP for Endpoints console.
- A new verdict, Low Risk, is introduced when no dynamic content is found in a file after file analysis. You can view the verdict details in the Incoming Files Handled by AMP section of the report.
For more information, see the “Email Security Monitor pages on the New Web Interface” chapter in the user guide.
A new 'Aggressive' scanning profile is added to the Anti-Spam global settings. You can use this profile to assign a higher priority to incoming or outgoing messages detected as spam, accepting a higher chance of false positives.
If the Aggressive scanning profile option is enabled, the mail policy adjustments to Anti-Spam thresholds have a larger impact than when the Normal scanning profile is used. Therefore, you must review the existing Anti-Spam mail policy threshold settings for the best balance of spam catch rate versus false positive potential.
You can enable this option in any one of the following ways:
- Security Services > IronPort Anti-Spam > Edit Global Settings in the web interface. See the “Managing Spam and Graymail” chapter in the user guide.
- antispamconfig command in the CLI. See the CLI Reference Guide for AsyncOS 13.0 for Email Security Appliances.
How-Tos is a contextual widget that provides in-app assistance to users in the form of walkthroughs to accomplish complex tasks on your appliance.
The following are the walkthroughs that are added in this release:
- Single Sign-On Using SAML 2.0
- Remediate Malicious Messages in the Mailboxes Using Mailbox Auto Remediation
- Provide a Safe View of Malicious or Suspicious Message Attachments
- Configure Unified Common Event Format (CEF) Logging
The list of walkthroughs is updated from the cloud. Make sure that you clear your browser cache to view an updated version of the How-Tos widget and pop-up window.
For more information, see the “Accessing the Appliance” chapter in the user guide or online help and the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances.
To view the complete list of walkthroughs supported in each release, see Walkthroughs Supported in AsyncOS for Cisco Email Security Appliances.
AsyncOS 13.0 Release Notes (https://cs.co/13_0_release_notes)
- Release notes
- User Guide
- CLI Reference Guide
- Cisco Content Security Virtual Appliance Installation Guide
- Open source used in AsyncOS 13.0 for Cisco Email Security Appliances
- AsyncOS 13.0 API Getting Started Guide for Email Security Appliances
- AsyncOS 13.0 API – Addendum to the Getting Started Guide for Cisco Email Security Appliances
- Cisco Hybrid Email Security Overview Guide
- Cisco Cloud Email Security User Guide
- Release Notes for Hybrid Email Security