CiscoESA
The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts.
Network Security · Cisco Email Security Appliance (IronPort)
Configuration parameters
base_url— Server URL (required)credentials— Username (required)max_fetch— Maximum incidents per fetchfirst_fetch— First fetch timestampfilter_by— Filter byfilter_operator— Filter operatorfilter_value— Filter valuerecipient_filter_operator— Recipient filter operatorrecipient_filter_value— Recipient filter valuejwt_token_expiration_period— Time to live for JWT session token (in minutes).proxy— Use system proxy settingsinsecure— Trust any certificate (not secure)incidentType— Incident typeisFetch— Fetch incidents
Commands (41)
-
cisco-esa-dictionary-addAdd a new dictionary.
-
cisco-esa-dictionary-deleteDelete a dictionary.
-
cisco-esa-dictionary-editEdit a dictionary.
-
cisco-esa-dictionary-listRetrieve information of all dictionaries or a specific configured dictionary and their list of words.
-
cisco-esa-dictionary-words-addAdd words to a specific dictionary.
-
cisco-esa-dictionary-words-deleteDelete existing words from specific dictionary.
-
cisco-esa-dictionary-words-updateModify words in a specified content dictionary. Unlike `cisco-esa-dictionary-edit`, which overrides the entire dictionary, this command adds new terms or updates existing ones without removing existing terms.
-
cisco-esa-file-hash-createCreate a new file hash list with specified hash entries.
-
cisco-esa-file-hash-listRetrieve all file hash lists or the contents of a specific list. File hash lists define allowed or blocked file signatures and can be used in Incoming Content Filter configurations to control file-based threats.
-
cisco-esa-file-hash-updateUpdates the provided file hash list. This command overrides all existing hash entries in the list.
-
cisco-esa-incoming-policy-user-addAdd sender and recipient entries to an incoming mail policy.
-
cisco-esa-incoming-policy-user-listRetrieve user-defined sender/recipient entries from an incoming mail policy.
-
cisco-esa-incoming-policy-user-updateUpdate sender and recipient entries in an existing incoming mail policy. This command overrides all existing sender and recipient entries with the provided values.
-
cisco-esa-list-entry-addAdd spam quarantine blocklist/safelist entry.
-
cisco-esa-list-entry-appendAppend spam quarantine blocklist/safelist entry.
-
cisco-esa-list-entry-deleteDelete spam quarantine blocklist/safelist entry.
-
cisco-esa-list-entry-editEdit spam quarantine blocklist/safelist entry. Using this command will override the existing value.
-
cisco-esa-list-entry-getGet spam quarantine blocklist/safelist entry.
-
cisco-esa-message-amp-details-getRetrieve AMP (Advanced Malware Protection) summary for specified email messages. Provides insight into file analysis, disposition changes, malware detection, and retrospective verdicts triggered by Cisco's Threat Grid or AMP engine for attachments in the email.
-
cisco-esa-message-connection-details-getRetrieve metadata about the SMTP connection and transmission behavior of specified messages. Returns details such as SBRS (Sender Base Reputation Score), connection summary logs, and sender group classification to help understand how messages were handled at the connection layer.
-
cisco-esa-message-details-getRetrieves metadata and tracking information for email messages processed by the ESA. Includes sender/recipient details, timestamps, message status for example, delivered, dropped), message size, AMP and DLP visibility flags, and applied mail policies. Useful for auditing and threat tracking.
-
cisco-esa-message-dlp-details-getGet message DLP summary details.
-
cisco-esa-message-filter-createCreate a new message filter. If the appliance accepts the filter but flags it as invalid (e.g. unknown listener/interface), the command returns success and surfaces the appliance warning in the human-readable output. For details on Cisco's filter rule language, see "Using Message Filters to Enforce Email Policies" in the Cisco Secure Email Gateway 16.0 Admin Guide: https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0/user_guide/b_ESA_Admin_Guide_16-0/b_ESA_Admin_Guide_12_1_chapter_01000.html. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.
-
cisco-esa-message-filter-deleteDelete a message filter. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.
-
cisco-esa-message-filter-listRetrieve all message filters or a specific message filter by name. Message filters are evaluated early in the Work Queue, before security engines. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.
-
cisco-esa-message-filter-updateUpdate an existing message filter. Only the supplied fields (`active`, `order`) are sent — at least one must be provided. This command manages Message Filters only. For more granular, per-policy control over message handling, use Content Filters in the Cisco AsyncOS web UI.
-
cisco-esa-message-remediation-details-getRetrieve historical remediation actions taken on messages, such as message deletions or recalls. Includes batch initiator details, message status, delivery timestamps, and whether the message was read, supporting audit and compliance tracking for retroactive threat actions.
-
cisco-esa-message-searchSearch tracking messages.
-
cisco-esa-message-url-details-getRetrieve URL summary details for specific email messages. This includes information about all URLs found within each message, such as rewritten URLs, timestamped access logs, and verdicts assigned by the email security engine.
-
cisco-esa-pvo-quarantine-listList all PVO quarantine rules or retrieve a specific rule by ID. PVO rules determine how messages are quarantined based on policy violations, detected viruses, or outbreak conditions.
-
cisco-esa-pvo-quarantine-message-deleteDelete messages associated with a specific PVO quarantine rule. This command deletes all messages that match the specified rule from quarantine.
-
cisco-esa-pvo-quarantine-message-releaseRelease messages associated with a specific PVO quarantine rule. This command releases all messages that match the specified rule from quarantine.
-
cisco-esa-report-getGet statistics reports. Note that each report type is compatible with different arguments. Refer to Addendum for Cisco Secure Email Gateway ("Secure Email Reporting" sheet in the file), to view the dedicated arguments for each report type. https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa14-0/api/AsyncOS-14-0-API-Addendum.xlsx
-
cisco-esa-spam-quarantine-message-deleteDelete quarantine emails.
-
cisco-esa-spam-quarantine-message-getGet spam quarantine message details.
-
cisco-esa-spam-quarantine-message-releaseRelease quarantine emails.
-
cisco-esa-spam-quarantine-message-searchSearch messages in the spam quarantine.
-
cisco-esa-url-listRetrieve all URL lists or a specific list by name. URL lists define allowed or blocked domains for email content scanning and can be used in URL filtering configurations within mail policies.
-
cisco-esa-url-list-createCreate a new URL list.
-
cisco-esa-url-list-deleteDelete one or more URL lists. You cannot delete lists that are in use.
-
cisco-esa-url-list-updateUpdate URLs in an existing URL list. This command overrides all the URL entries in the list.