CiscoESA

The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts.

Network Security · Cisco Email Security Appliance (IronPort)

Configuration parameters

  • base_url — Server URL (required)
  • credentials — Username (required)
  • max_fetch — Maximum incidents per fetch
  • first_fetch — First fetch timestamp
  • filter_by — Filter by
  • filter_operator — Filter operator
  • filter_value — Filter value
  • recipient_filter_operator — Recipient filter operator
  • recipient_filter_value — Recipient filter value
  • jwt_token_expiration_period — Time to live for JWT session token (in minutes).
  • proxy — Use system proxy settings
  • insecure — Trust any certificate (not secure)
  • incidentType — Incident type
  • isFetch — Fetch incidents

Commands (41)

  • cisco-esa-dictionary-add

    Add a new dictionary.

  • cisco-esa-dictionary-delete

    Delete a dictionary.

  • cisco-esa-dictionary-edit

    Edit a dictionary.

  • cisco-esa-dictionary-list

    Retrieve information of all dictionaries or a specific configured dictionary and their list of words.

  • cisco-esa-dictionary-words-add

    Add words to a specific dictionary.

  • cisco-esa-dictionary-words-delete

    Delete existing words from specific dictionary.

  • cisco-esa-dictionary-words-update

    Modify words in a specified content dictionary. Unlike `cisco-esa-dictionary-edit`, which overrides the entire dictionary, this command adds new terms or updates existing ones without removing existing terms.

  • cisco-esa-file-hash-create

    Create a new file hash list with specified hash entries.

  • cisco-esa-file-hash-list

    Retrieve all file hash lists or the contents of a specific list. File hash lists define allowed or blocked file signatures and can be used in Incoming Content Filter configurations to control file-based threats.

  • cisco-esa-file-hash-update

    Updates the provided file hash list. This command overrides all existing hash entries in the list.

  • cisco-esa-incoming-policy-user-add

    Add sender and recipient entries to an incoming mail policy.

  • cisco-esa-incoming-policy-user-list

    Retrieve user-defined sender/recipient entries from an incoming mail policy.

  • cisco-esa-incoming-policy-user-update

    Update sender and recipient entries in an existing incoming mail policy. This command overrides all existing sender and recipient entries with the provided values.

  • cisco-esa-list-entry-add

    Add spam quarantine blocklist/safelist entry.

  • cisco-esa-list-entry-append

    Append spam quarantine blocklist/safelist entry.

  • cisco-esa-list-entry-delete

    Delete spam quarantine blocklist/safelist entry.

  • cisco-esa-list-entry-edit

    Edit spam quarantine blocklist/safelist entry. Using this command will override the existing value.

  • cisco-esa-list-entry-get

    Get spam quarantine blocklist/safelist entry.

  • cisco-esa-message-amp-details-get

    Retrieve AMP (Advanced Malware Protection) summary for specified email messages. Provides insight into file analysis, disposition changes, malware detection, and retrospective verdicts triggered by Cisco's Threat Grid or AMP engine for attachments in the email.

  • cisco-esa-message-connection-details-get

    Retrieve metadata about the SMTP connection and transmission behavior of specified messages. Returns details such as SBRS (Sender Base Reputation Score), connection summary logs, and sender group classification to help understand how messages were handled at the connection layer.

  • cisco-esa-message-details-get

    Retrieves metadata and tracking information for email messages processed by the ESA. Includes sender/recipient details, timestamps, message status for example, delivered, dropped), message size, AMP and DLP visibility flags, and applied mail policies. Useful for auditing and threat tracking.

  • cisco-esa-message-dlp-details-get

    Get message DLP summary details.

  • cisco-esa-message-filter-create

    Create a new message filter. If the appliance accepts the filter but flags it as invalid (e.g. unknown listener/interface), the command returns success and surfaces the appliance warning in the human-readable output. For details on Cisco's filter rule language, see "Using Message Filters to Enforce Email Policies" in the Cisco Secure Email Gateway 16.0 Admin Guide: https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0/user_guide/b_ESA_Admin_Guide_16-0/b_ESA_Admin_Guide_12_1_chapter_01000.html. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.

  • cisco-esa-message-filter-delete

    Delete a message filter. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.

  • cisco-esa-message-filter-list

    Retrieve all message filters or a specific message filter by name. Message filters are evaluated early in the Work Queue, before security engines. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.

  • cisco-esa-message-filter-update

    Update an existing message filter. Only the supplied fields (`active`, `order`) are sent — at least one must be provided. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.

  • cisco-esa-message-remediation-details-get

    Retrieve historical remediation actions taken on messages, such as message deletions or recalls. Includes batch initiator details, message status, delivery timestamps, and whether the message was read, supporting audit and compliance tracking for retroactive threat actions.

  • cisco-esa-message-search

    Search tracking messages.

  • cisco-esa-message-url-details-get

    Retrieve URL summary details for specific email messages. This includes information about all URLs found within each message, such as rewritten URLs, timestamped access logs, and verdicts assigned by the email security engine.

  • cisco-esa-pvo-quarantine-list

    List all PVO quarantine rules or retrieve a specific rule by ID. PVO rules determine how messages are quarantined based on policy violations, detected viruses, or outbreak conditions.

  • cisco-esa-pvo-quarantine-message-delete

    Delete messages associated with a specific PVO quarantine rule. This command deletes all messages that match the specified rule from quarantine.

  • cisco-esa-pvo-quarantine-message-release

    Release messages associated with a specific PVO quarantine rule. This command releases all messages that match the specified rule from quarantine.

  • cisco-esa-report-get

    Get statistics reports. Note that each report type is compatible with different arguments. Refer to Addendum for Cisco Secure Email Gateway ("Secure Email Reporting" sheet in the file), to view the dedicated arguments for each report type. https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa14-0/api/AsyncOS-14-0-API-Addendum.xlsx

  • cisco-esa-spam-quarantine-message-delete

    Delete quarantine emails.

  • cisco-esa-spam-quarantine-message-get

    Get spam quarantine message details.

  • cisco-esa-spam-quarantine-message-release

    Release quarantine emails.

  • cisco-esa-spam-quarantine-message-search

    Search messages in the spam quarantine.

  • cisco-esa-url-list

    Retrieve all URL lists or a specific list by name. URL lists define allowed or blocked domains for email content scanning and can be used in URL filtering configurations within mail policies.

  • cisco-esa-url-list-create

    Create a new URL list.

  • cisco-esa-url-list-delete

    Delete one or more URL lists. You cannot delete lists that are in use.

  • cisco-esa-url-list-update

    Update URLs in an existing URL list. This command overrides all the URL entries in the list.