Submissions to Talos

Efficacy Guide using Cisco Secure Email

General Submissions and Support

Continued efficacy issues rely on valid samples and submissions to have Talos take next-level action for the rules and thresholds we have discussed.

Efficacy issues range from daily Spam vs. Ham, Web, or email reputation. Customers are welcome to submit these via Talos > Reputation Support.

Cisco Secure Email also provides email submission Cisco Secure Email Submission Add-in and a Plug-in for Outlook. Please see the following for further assistance with submissions, How to Submit Email Messages to Cisco.

All submissions are provided directly to the same corpus managed by Talos. These submissions are needed for any open support requests.

Single submission

If you have received misclassified messages for an end-user, you or the end-user can directly submit the message(s) via the submission methods listed above. Please note, that you may be asked for the CID (from Talos Email Status Portal) or the Subject, Time/Date, and further information regarding the submission(s) available for any support request you open. (Please see Support Requests.)

Enable message or content filters to BCC Talos submissions automatically

Next-level submissions via automation are sometimes required and asked for by Cisco Support. Why? If you are targeted and consistently receiving the same multiple messages and threats, it would be in your best interest to provide a clean and unaltered message to Talos for investigation. Continually submitting single messages is time-consuming and frustrating.

To provide these, the best practices for submissions are:

Message Filter

SubmitToCiscoBccFilter:
if ( only-body-contains('\\b<<replace with text>>\\b', 1) ) {
    insert-header("IronPort-Submission", "<<customer name>>, <<reason for submission>>");
    bcc("[email protected]", "$Subject", "$EnvelopeFrom");
}
What is "\\b" ?

The metacharacter "\b" is an anchor like the caret and the dollar sign. It matches at a position that is called a “word boundary.” This match is zero-length.

Four different positions qualify as word boundaries:
• Before the first character in the string, if the first character is a word character.
• After the last character in the string, if the last character is a word character.
• Between a word character and a non-word character following right after the word character.
• Between a non-word character and a word character following right after the non-word character

🚧

Attention

You will want to replace <<replace with text>> with a specific keyword, text, that the targeted mail campaign(s) that you wish to have the submissions sent to Talos for further review. You will need to insert your customer name in <<customer name>> and provide a valid <<reason for submission>> for the header.

Message Filters are regex-driven rules that the email administrator can write. Message filters are applied before per-policy scanning occurs in the email pipeline. Any message that matches the conditions specified in your regex statement will be subjected to the actions as written.

1920

Click the image to enlarge

Content Filter

A Content Filter may be an alternative to Message Filters for submitting messages to Talos. A Content Filter requires a little more setup, but the Content Filter may be applied against a specific group or policy name to provide submissions for those end-users only.

To use a Content Filter for submissions, please perform the following from the Gateway/Cloud Gateway UI:

  1. Mail Policies > Incoming Content Filters
  2. Click Add Filter...
  3. Provide the Content Filter a name, "SubmitToCiscoBccFilter"
  4. (Optional) Click Add Condition...
739

You will want to replace <<replace with text>> with a specific keyword, text, that the targeted mail campaign(s) that you wish to have the submissions sent to Talos for further review.

  1. Click OK
  2. Next, add two (2) actions. For the first click Add Action and select Add/Edit Header. Name the header and specify values for the header as follows:
739

Be sure to replace CUSTOMER NAME and REASON FOR SUBMISSION

  1. Click OK
  2. For the second action, click Add Action and select Send Copy (Bcc:). Use the email address "[email protected]" and add $EnvelopeRecipient for the return path as follows:

  1. Click OK
  2. Click Submit
  3. Next, navigate to Mail Policies > Incoming Mail Policies
  4. For the Policy Name of the policy you wish to enable the new Content Filter, click in the Content Filters column
  5. In the Enable column, click the checkbox for SubmitToCiscoBccFilter
  6. Click Submit
  7. Click Commit Changes and follow through with the rest of the commit as needed

Content filters are similar to message filters, except that they are applied later in the email pipeline — after message filtering, after a message has been “splintered” into several separate messages for each matching mail policy, and after the message has undergone anti-spam and anti-virus scanning.

1920

Click the image to enlarge

You will be able to track how many messages were detected and sent via your Message Filter or Content Filter from Filter Reports on your appliance:

  1. From Monitoring, select Filter Reports > Message Filters
  2. or Filter Reports > Content Filters

Look for the "SubmitToCiscoBccFilter" based on which you had configured, Message Filter, or Content Filter.

👍

Remember to disable Message or Content Filter

Once you have resolved the reason to enable automated submissions, please remember to disable or remove the Message or Content Filter from your configuration!

File Submissions

If this is a file, and it has passed through Cisco Secure Malware Analytics, you have the option to submit the file directly within your browser. From a submitted sample, click "Report FP/FN":

Guide Checklist

At this time, we have completed the following:

Once you have set up any Message Filters or Content Filters for submitting samples directly to Talos, proceed to the next section of this document.


What’s Next