The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the steps needed to configure Cisco Security Awareness (CSA) integration with the Cisco Secure Email Gateway.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on AsyncOS for SEG 14.0 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Refer to:
1. https://secat.cisco.com/ for AMERICAS region
2. https://secat-eu.cisco.com/ for EUROPE region
Navigate to Environment > Users > Add New User
and fill in the Email, First Name, Last Name and Language fields and then click Save Changes
as shown in the image.
Note: A password needs to be set only for a CSA admin user who is authorised to create and launch simulations.
The role of the user can be selected once the user is created. You can select the role from the dropdown as indicated in this image:
Select the checkboxUser is Phishing Recipient > Save Changes
as shown in the image.
Verify that the user is added successfully and is listed when searched based on the email address in the Filter as shown in the image.
Navigate to Environments > Settings > Report API
tab and checkEnable Report API > Save Changes
.
Note: Make a note of the Bearer Token. You need this to integrate the SEG with CSA.
a. Navigate to Phishing Simulator > Simulations > Create New Simulation
and select a Template
from the available list as shown in the image.
b. Fill in this information:
c. Click on Import from Filters
and add the phishing email recipients to the Recipient List
as shown in the image .
You can filter users either by Language or Managers. Click on Add
as shown in the image.
Here is an example of the user that was created in Step 2. that is now added to the recipient list as shown in the image.
d. Set theDelivery Start
date and Save
changes to schedule the campaign as shown in the image.
Once the start date is chosen, the option to select the end date
for the campaign is enabled as shown in the image.
e. Click on Launch
to launch the campaign as shown in the image.
A two-factor authentication code can be requested after the launch button is clicked. Enter the code and click on Launch
as shown in the image.
Navigate to Phishing Simulator > Dashboards
. The current active simulation list provides the active simulations. You can also click on Export as PDF
and get the same report as shown in the image.
Example of a phishing simulation email in the recipient inbox.
When the recipient clicks the URL, this feedback page is shown to the user and this user appears as part of the Repeat Clickers list (who freely clicked on the phish URL) in CSA.
The Repeat Clickers list is shown underAnalytics > Standard Reports > Phishing Simulations > Repeat Clickers
as shown in the image.
Note: Under the section Create and Send Phishing Simulations
from CSA Cloud Service Step 3. when you enable Report API
, you have noted down the bearer token. Keep this handy.
On Secure Email Gateway GUI, navigate to Security Services > Cisco Security Awareness > Enable
.
Enter the Region and the CSA Token (Bearer Token obtained from CSA Cloud Service as shown in the previously mentioned Note) and submit and commit the changes.
CLI Configuration
Type csaconfig
to configure CSA via the CLI.
ESA (SERVICE)> csaconfig
Choose the operation you want to perform:
- EDIT - To edit CSA settings
- DISABLE - To disable CSA service
- UPDATE_LIST - To update the Repeat Clickers list
- SHOW_LIST - To view details of the Repeat Clickers list
[]> edit
Currently used CSA Server is: https://secat.cisco.com
Available list of Servers:
1. AMERICAS
2. EUROPE
Select the CSA region to connect
[1]>
Do you want to set the token? [Y]>
Please enter the CSA token for the region selected :
The CSA token should not:
- Be blank
- Have spaces between characters
- Exceed 256 characters.
Please enter the CSA token for the region selected :
Please specify the Poll Interval
[1d]>
Note: The CYBERSEC_AWARENESS_ALLOWED
Mailflow policy is created by default with all the scanning engines set to Off as shown here.
To allow simulated phishing campaign emails from CSA Cloud Service to bypass all scanning engines on Secure Email Gateway:
a. Create a New Sender Group and assign the CYBERSEC_AWARENESS_ALLOWED
Mail flow policy. Navigate to Mail Policies > HAT Overview > Add Sender Group
and select the policy CYBERSEC_AWARENESS_ALLOWED
and set the order to 1 and then Submit and Add Senders
.
b. Add a sender IP/domain
or Geo Location
from where the phishing campaign emails are initiated.
Navigate to Mail Polices > HAT Overview > Add Sender Group > Submit and Add Senders > Add the sender IP > Submit
and Commit
changes as shown in the image.
CLI Configuration:
1. Navigate to listenerconfig > Edit > Inbound (PublicInterface) > HOSTACCESS > NEW > New Sender Group
.
2. Create a new sender group with CYBERSEC_AWARENESS_ALLOWED
mail policy and, add a sender IP/domain from where the phishing campaign emails are initiated.
3. Set the order of the new Sender Group to 1 and use the Move
option under listenerconfig > EDIT > Inbound (PublicInterface) > HOSTACCESS > MOVE
.
4. Commit.
Note: The sender IP is the IP address of the CSA and is based on the region you selected. Refer to the table for the correct IP address to be used. Allow these IP addresses/hostnames in the firewall with port number 443 for SEG 14.0.0-xxx to connect to the CSA cloud service.
Once the phishing emails have been sent and the repeat clickers list populated in the SEG, an aggressive incoming mail policy can be created to take action on mail to those specific users.
Create a new aggressive Incoming Custom Mail Policy and enable Include Repeat Clickers List
check box in the recipient section.
From GUI, navigate to Mail Policies > Incoming Mail Policies > Add Policy > Add User > Include Repeat Clickers List > Submit
and Commit
the changes.
1. Navigate to csaconfig > SHOW_LIST
to see the details of the repeat clickers list.
ESA (SERVICE)> csaconfig
Choose the operation you want to perform:
- EDIT - To edit CSA settings
- DISABLE - To disable CSA service
- UPDATE_LIST - To update the Repeat Clickers list
- SHOW_LIST - To view details of the Repeat Clickers list
[]> show_list
List Name : Repeat Clickers
Report ID : 2020
Last Updated : 2021-02-22 22:19:08
List Status : Active
Repeat Clickers : 4
2. Navigate to csaconfig > UPDATE_LIST
if you would like to force update the repeat clickers list.
ESA (SERVICE)> csaconfig
Choose the operation you want to perform:
- EDIT - To edit CSA settings
- DISABLE - To disable CSA service
- UPDATE_LIST - To update the Repeat Clickers list
- SHOW_LIST - To view details of the Repeat Clickers list
[]> update_list
Machine: ESA An update for the Repeat Clickers list was initiated successfully.
3. Navigate to /data/pub/csa/
to see if the repeat clickers list has been downloaded or if there is an error. Here is the working setup:
Tue Jan 5 13:20:31 2021 Info: CSA: Connecting to the Cisco Security Awareness cloud service [https://secat.cisco.com/portal/api/license/info]
Tue Jan 5 13:20:31 2021 Info: CSA: Polling the Cisco Security Awareness cloud service to download the latest Repeat Clickers list.
Tue Jan 5 13:20:31 2021 Info: CSA: Trying to get the license expiry date: loop count 0
Tue Jan 5 13:20:31 2021 Info: CSA: Connecting to the Cisco Security Awareness cloud service [https://secat.cisco.com/portal/api/data/report/2020]
Tue Jan 5 13:20:31 2021 Info: CSA: Trying to download Repeat clickers list: loop count 0
Tue Jan 5 13:20:31 2021 Info: CSA: The update of the Repeat Clickers list was completed at [Tue Jan 5 13:20:29 2021]. Version: 1
Wed Jan 6 13:20:32 2021 Info: CSA: Polling the Cisco Security Awareness cloud service to download the latest Repeat Clickers list.
Here is an output when you have entered the incorrect token:
Fri Feb 19 12:28:39 2021 Info: CSA: Connecting to the Cisco Security Awareness cloud service [https://secat.cisco.com/portal/api/license/info]
Fri Feb 19 12:28:39 2021 Info: CSA: Trying to get the license expiry date: loop count 0
Fri Feb 19 12:28:39 2021 Info: CSA: Polling the Cisco Security Awareness cloud service to download the latest Repeat Clickers list.
Fri Feb 19 12:28:43 2021 Info: CSA: Connecting to the Cisco Security Awareness cloud service [https://secat.cisco.com/portal/api/data/report/2020]
Fri Feb 19 12:28:43 2021 Info: CSA: Trying to download Repeat clickers list: loop count 0
Fri Feb 19 12:28:44 2021 Warning: CSA: The download of the Repeat Clickers list from the Cisco Security Awareness cloud service failed because of an invalid token.
4. Navigate to
/data/log/heimdall/csa
to get detailed logs.
Working output:
2021-01-05 13:20:22,292 INFO csa Connecting to the Cisco Security Awareness cloud service [https://secat.cisco.com/portal/api/license/info]
Tue Jan 5 13:20:22 2021: DEBUG: csa: THR : ExpiryPoller Trying to get the license expiry date : loop count 0
2021-01-05 13:20:22,293 INFO csa Trying to get the license expiry date: loop count 0
2021-01-05 13:20:22,293 INFO csa Polling the Cisco Security Awareness cloud service to download the latest Repeat Clickers list.
2021-01-05 13:20:22,300 INFO requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): secat.cisco.com
2021-01-05 13:20:27,343 INFO csa Connecting to the Cisco Security Awareness cloud service [https://secat.cisco.com/portal/api/data/report/2020]
Tue Jan 5 13:20:27 2021: DEBUG: csa: THR : CSAPoller Trying to download Repeat clickers list: loop count 0
2021-01-05 13:20:27,343 INFO csa Trying to download Repeat clickers list: loop count 0
2021-01-05 13:20:27,344 INFO requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): secat.cisco.com
Tue Jan 5 13:20:29 2021: INFO: csa: THR : CSAPoller Downloaded Repeat Clicker List.
Tue Jan 5 13:20:29 2021: INFO: csa: THR : CSAPoller Updated the repeat clickers list at [Tue Jan 5 13:20:29 2021] with version [1]
2021-01-05 13:20:29,934 INFO csa The update of the Repeat Clickers list was completed at [Tue Jan 5 13:20:29 2021]. Version: 1
Tue Jan 5 13:20:32 2021: DEBUG: csa: THR : CSAPoller Queue is empty: No need of any config update
Tue Jan 5 13:20:32 2021: DEBUG: csa: THR : CSAPoller Waiting for timeout of [86400.0]s or notify signal
5. Navigate to data/csa/reports
to get the report id in encrypted format which contains the users.
6. The count of repeat clickers list can also be seen from the GUI. Navigate to Security Services > Cisco Security Awareness
as shown in the image.
Cisco Security Awareness page highlighting the number of repeat clickers" />
Revision | Publish Date | Comments |
---|---|---|
1.0 |
05-Apr-2023 |
Initial Release |