Submissions to Talos

Efficacy Guide using Cisco Secure Email

General Submissions and Support

Ongoing efficacy issues depend on valid samples and submissions so that Talos can take next-level action on the rules and thresholds discussed so far.

Efficacy issues range from day-to-day Spam vs. Ham classification to Web or email reputation. Customers are welcome to submit these via Talos > Reputation Support.

Cisco Secure Email also provides the Cisco Secure Email Submission Add-in and Plug-in for Outlook for email submissions. For further assistance with submissions, see How to Submit Email Messages to Cisco.

All submissions are provided directly to the same corpus managed by Talos. These submissions are needed for any open support cases.

Single submission

If you have received misclassified messages for an end-user, you or the end-user can directly submit the message(s) via the submission methods listed above. Please note, you may be asked for the CID (from Talos Email Status Portal) or the Subject, Time/Date, and further information regarding the submission(s) available for any support request that you open. (Please see Support Cases.)

Enable message or content filters to BCC Talos submissions automatically

Next-level submissions via automation are sometimes required and asked for by Cisco Support. Why? If you are targeted and consistently receiving the same multiple messages and threats, it would be in your best interest to provide a clean and unaltered message to Talos for investigation. Continually submitting single messages is time-consuming and frustrating.

In order to provide these, best practices for submissions are:

Message Filter

SubmitToCiscoBccFilter:
if ( only-body-contains('\\b<<replace with text>>\\b', 1) ) {
    insert-header("IronPort-Submission", "<<customer name>>, <<reason for submission>>");
    bcc("[email protected]", "$Subject", "$EnvelopeFrom");
}

What is "\\b"?

The metacharacter "\b" is an anchor like the caret and the dollar sign. It matches at a position that is called a “word boundary”. This match is zero-length.

There are four different positions that qualify as word boundaries:
• Before the first character in the string, if the first character is a word character.
• After the last character in the string, if the last character is a word character.
• Between a word character and a non-word character following right after the word character.
• Between a non-word character and a word character following right after the non-word character.

Attention

Replace <<replace with text>> with the specific keyword or text that identifies the targeted mail campaign(s) you want submitted to Talos for further review. Insert your customer name in <<customer name>> and provide a valid <<reason for submission>> for the header.

Message Filters are regex-driven rules that the email administrator can write. Message filters are applied before per-policy scanning occurs in the email pipeline. Any message that matches the conditions specified in your regex statement will be subjected to the actions as written.
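As an added illustration (not part of this guide and not AsyncOS code), the following Python models what the SubmitToCiscoBccFilter above does: a word-boundary search of the body for the chosen keyword, and, on a match, the IronPort-Submission header plus the BCC parameters. The sample messages, customer name and reason are constructed for the example.

```python
import re

# Constructed sample bodies: one from a hypothetical targeted campaign,
# one where the keyword only appears inside a longer word, one with the
# keyword at the very end of the string, and one unrelated message.
SAMPLES = [
    "Your invoice #4471 is overdue, open the attached file now",
    "The invoices were reconciled by finance yesterday",
    "Re: invoice",
    "Lunch on Friday?",
]


def boundary_positions(text: str) -> list:
    """Indices where the zero-length \\b anchor matches in text, which
    illustrates the four word-boundary positions listed in the guide."""
    return [m.start() for m in re.finditer(r"\b", text)]


def matches_body(body: str, keyword: str) -> bool:
    """Model of only-body-contains('\\b<keyword>\\b', 1): a case-insensitive
    search for the keyword bounded on both sides by word boundaries.
    re.escape keeps any regex metacharacters in the keyword literal."""
    pattern = r"\b" + re.escape(keyword) + r"\b"
    return re.search(pattern, body, re.IGNORECASE) is not None


def submission_action(body: str, keyword: str, customer: str, reason: str,
                      subject: str, envelope_from: str):
    """Return the header the filter would insert and the BCC it would send,
    or None when the body does not match (the message passes untouched)."""
    if not matches_body(body, keyword):
        return None
    return {
        "IronPort-Submission": f"{customer}, {reason}",   # insert-header()
        "bcc_subject": subject,                           # bcc() $Subject
        "bcc_return_path": envelope_from,                 # bcc() $EnvelopeFrom
    }


if __name__ == "__main__":
    for body in SAMPLES:
        print(matches_body(body, "invoice"), "|", body)
```

Note that "invoices" does not match "\binvoice\b" because the "s" that follows the keyword is itself a word character, so there is no boundary there; pick the keyword accordingly.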


Content Filter

A Content Filter may be used as an alternative to Message Filters for submitting messages to Talos. A Content Filter requires a little more setup, but the Content Filter may be applied against a specific group or policy name in order to provide submissions for those end-users only.

In order to use a Content Filter for submissions please perform the following from the Gateway/Cloud Gateway UI:

  1. Mail Policies > Incoming Content Filters
  2. Click Add Filter...
  3. Provide the Content Filter a name, "SubmitToCiscoBccFilter"
  4. (Optional) Click Add Condition... and replace <<replace with text>> with the specific keyword or text that identifies the targeted mail campaign(s) you want submitted to Talos for further review.
  5. Click OK
  6. Next, add two (2) actions. For the first, click Add Action and select Add/Edit Header. Name the header and specify values for the header as follows, being sure to replace <<customer name>> and <<reason for submission>> (shown as CUSTOMER NAME and REASON FOR SUBMISSION).
  7. Click OK
  8. For the second action, click Add Action and select Send Copy (Bcc:). Use the email address "[email protected]" and add $EnvelopeRecipient for the return path as follows:
  9. Click OK
  10. Click Submit
  11. Next, navigate to Mail Policies > Incoming Mail Policies
  12. For the Policy Name of the policy on which you wish to enable the new Content Filter, click in the Content Filters column
  13. In the Enable column, click the checkbox for SubmitToCiscoBccFilter
  14. Click Submit
  15. Click Commit Changes and follow through the rest of the commit as needed

Content filters are similar to message filters, except that they are applied later in the email pipeline — after message filtering, after a message has been “splintered” into a number of separate messages for each matching mail policy, and after the message has undergone anti-spam and anti-virus scanning.


You will be able to track how many messages were detected and sent via your Message Filter or Content Filter from Filter Reports on your appliance:

  1. From Monitoring, select Filter Reports > Message Filters (if you configured a Message Filter)
  2. or Filter Reports > Content Filters (if you configured a Content Filter)

Look for the "SubmitToCiscoBccFilter" based on which you had configured, Message Filter, or Content Filter.

Remember to disable Message or Content Filter

Once the issue that led you to enable automated submissions has been resolved, please remember to disable or remove the Message or Content Filter from your configuration!

Guide Checklist

At this time, we have completed the following:

Once you have set up any Message Filters or Content Filters for submitting samples directly to Talos, proceed on to the next section of this document.
