Submissions to Talos
Efficacy Guide using Cisco Secure Email
General Submissions and Support
Continued efficacy issues rely on valid samples and submissions to have Talos take next-level action for the rules and thresholds we have discussed.
Efficacy issues range from daily Spam vs. Ham, Web, or email reputation. Customers are welcome to submit these via Talos > Reputation Support.
Cisco Secure Email also provides email submission Cisco Secure Email Submission Add-in and a Plug-in for Outlook. Please see the following for further assistance with submissions, How to Submit Email Messages to Cisco.
All submissions are provided directly to the same corpus managed by Talos. These submissions are needed for any open support requests.
Single submission
If you have received misclassified messages for an end-user, you or the end-user can directly submit the message(s) via the submission methods listed above. Please note, that you may be asked for the CID (from Talos Email Status Portal) or the Subject, Time/Date, and further information regarding the submission(s) available for any support request you open. (Please see Support Requests.)
Enable message or content filters to BCC Talos submissions automatically
Next-level submissions via automation are sometimes required and asked for by Cisco Support. Why? If you are targeted and consistently receiving the same multiple messages and threats, it would be in your best interest to provide a clean and unaltered message to Talos for investigation. Continually submitting single messages is time-consuming and frustrating.
To provide these, the best practices for submissions are:
Message Filter
SubmitToCiscoBccFilter:
if ( only-body-contains('\\b<<replace with text>>\\b', 1) ) {
insert-header("IronPort-Submission", "<<customer name>>, <<reason for submission>>");
bcc("[email protected]", "$Subject", "$EnvelopeFrom");
}
What is "\\b" ?
The metacharacter "\b" is an anchor like the caret and the dollar sign. It matches at a position that is called a “word boundary.” This match is zero-length.
Four different positions qualify as word boundaries:
• Before the first character in the string, if the first character is a word character.
• After the last character in the string, if the last character is a word character.
• Between a word character and a non-word character following right after the word character.
• Between a non-word character and a word character following right after the non-word character
Attention
You will want to replace <<replace with text>> with a specific keyword, text, that the targeted mail campaign(s) that you wish to have the submissions sent to Talos for further review. You will need to insert your customer name in <<customer name>> and provide a valid <<reason for submission>> for the header.
Message Filters are regex-driven rules that the email administrator can write. Message filters are applied before per-policy scanning occurs in the email pipeline. Any message that matches the conditions specified in your regex statement will be subjected to the actions as written.
Content Filter
A Content Filter may be an alternative to Message Filters for submitting messages to Talos. A Content Filter requires a little more setup, but the Content Filter may be applied against a specific group or policy name to provide submissions for those end-users only.
To use a Content Filter for submissions, please perform the following from the Gateway/Cloud Gateway UI:
- Mail Policies > Incoming Content Filters
- Click Add Filter...
- Provide the Content Filter a name, "SubmitToCiscoBccFilter"
- (Optional) Click Add Condition...
- Click OK
- Next, add two (2) actions. For the first click Add Action and select Add/Edit Header. Name the header and specify values for the header as follows:
- Click OK
- For the second action, click Add Action and select Send Copy (Bcc:). Use the email address "[email protected]" and add $EnvelopeRecipient for the return path as follows:
- Click OK
- Click Submit
- Next, navigate to Mail Policies > Incoming Mail Policies
- For the Policy Name of the policy you wish to enable the new Content Filter, click in the Content Filters column
- In the Enable column, click the checkbox for SubmitToCiscoBccFilter
- Click Submit
- Click Commit Changes and follow through with the rest of the commit as needed
Content filters are similar to message filters, except that they are applied later in the email pipeline — after message filtering, after a message has been “splintered” into several separate messages for each matching mail policy, and after the message has undergone anti-spam and anti-virus scanning.
You will be able to track how many messages were detected and sent via your Message Filter or Content Filter from Filter Reports on your appliance:
- From Monitoring, select Filter Reports > Message Filters
- or Filter Reports > Content Filters
Look for the "SubmitToCiscoBccFilter" based on which you had configured, Message Filter, or Content Filter.
Remember to disable Message or Content Filter
Once you have resolved the reason to enable automated submissions, please remember to disable or remove the Message or Content Filter from your configuration!
File Submissions
If this is a file, and it has passed through Cisco Secure Malware Analytics, you have the option to submit the file directly within your browser. From a submitted sample, click "Report FP/FN":
Guide Checklist
At this time, we have completed the following:
- Introduction
- Validate Detection Services
- Review of Bypass, Accept or Allow Lists
- Aggressive Profile for Anti-Spam
- Review and Validate MX Records
- Submissions to Talos
- Support Requests
- Security Review (Optional)
Once you have set up any Message Filters or Content Filters for submitting samples directly to Talos, proceed to the next section of this document.
Updated about 1 year ago