Cisco SEG Solution

Solution: CiscoSEG

CiscoSEG Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Solutions Index

Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com
Categories domains
Version 3.0.3
Author Microsoft - support@microsoft.com
First Published 2021-06-23
Solution Folder CiscoSEG
Marketplace Azure Marketplace · Popularity: 🟡 Low (32%)
Pre-requisites Common Event Format

The Cisco Secure Email Gateway (SEG) solution provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel.

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

Contents

Pre-requisites

This solution depends on 1 other solution(s):

Solution
Common Event Format

Data Connectors

This solution has 2 discovered data connector(s)⚠️ (not in Solution definition):

Connectors from dependency solutions:

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 1 table(s):

Table Used By Connectors Used By Content
CommonSecurityLog Common Event Format (CEF) (dependency), Common Event Format (CEF) via AMA (dependency), [Deprecated] Cisco Secure Email Gateway via AMA, [Deprecated] Cisco Secure Email Gateway via Legacy Agent Analytics, Hunting, Workbooks

Content Items

This solution includes 23 content item(s):

Content Type Count
Analytic Rules 11
Hunting Queries 10
Workbooks 1
Parsers 1

Analytic Rules

Name Severity Tactics Tables Used
Cisco SEG - DLP policy violation Medium Exfiltration CommonSecurityLog
Cisco SEG - Malicious attachment not blocked High InitialAccess CommonSecurityLog
Cisco SEG - Multiple large emails sent to external recipient Medium Exfiltration CommonSecurityLog
Cisco SEG - Multiple suspiciuos attachments received High InitialAccess CommonSecurityLog
Cisco SEG - Possible outbreak Medium InitialAccess CommonSecurityLog
Cisco SEG - Potential phishing link Medium InitialAccess CommonSecurityLog
Cisco SEG - Suspicious link High InitialAccess CommonSecurityLog
Cisco SEG - Suspicious sender domain Medium InitialAccess CommonSecurityLog
Cisco SEG - Unexpected attachment High InitialAccess CommonSecurityLog
Cisco SEG - Unexpected link Medium InitialAccess CommonSecurityLog
Cisco SEG - Unscannable attacment Medium InitialAccess CommonSecurityLog

Hunting Queries

Name Tactics Tables Used
Cisco SEG - DKIM failures InitialAccess CommonSecurityLog
Cisco SEG - DMARK failures InitialAccess CommonSecurityLog
Cisco SEG - Dropped incoming mails InitialAccess CommonSecurityLog
Cisco SEG - Dropped outgoing mails Exfiltration CommonSecurityLog
Cisco SEG - Failed incoming TLS connections InitialAccess CommonSecurityLog
Cisco SEG - Failed outgoing TLS connections Impact CommonSecurityLog
Cisco SEG - Insecure protocol Impact CommonSecurityLog
Cisco SEG - SPF failures InitialAccess CommonSecurityLog
Cisco SEG - Sources of spam mails InitialAccess CommonSecurityLog
Cisco SEG - Top users receiving spam mails InitialAccess CommonSecurityLog

Workbooks

Name Tables Used
CiscoSEG CommonSecurityLog

Parsers

Name Description Tables Used
CiscoSEGEvent - CommonSecurityLog (read)

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.5 02-12-2024 Added Missed Column Parser
3.0.4 14-11-2024 Removed Deprecated Data Connector
3.0.3 08-07-2024 Deprecated Data Connector
3.0.2 03-05-2024 Repackaged for parser issue fix on reinstall
3.0.1 30-04-2024 Updated the Data Connector to fix conectivity criteria query
3.0.0 28-09-2023 Addition of new CiscoSEG AMA Data Connector

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Solutions Index