Cisco Secure Email Monitoring

Updated Feb 16, 2024

Configure Cisco Secure Email monitoring

Arctic Wolf® can monitor Cisco Secure Email® logs and alert you about suspicious or malicious activity.

Notes:

  • Logs are forwarded from Cisco Secure Email to your S3 bucket at 10-minute intervals.
  • There is no additional cost from Arctic Wolf to configure AWS monitoring for Cisco Secure Email.

Requirements

Steps

  1. Obtain your AWS account number.
  2. Provide your AWS credentials to Arctic Wolf.
  3. Configure an AWS Trail.
  4. Deploy an AWS CloudTrail stack.
  5. Subscribe to the Arctic Wolf SNS topic.
  6. Deploy an AWS S3 stack.
  7. Create an IAM policy.
  8. Create an IAM user.
  9. Create an access key.
  10. Configure log forwarding from Cisco Secure Email.

Step 1: Obtain your AWS account number

Note: If you have already configured AWS monitoring with Arctic Wolf, proceed to Deploy an AWS S3 stack.

  1. Sign in to the AWS Management console.

  2. In the menu bar, click Support > Support Center.

  3. Find your Account Number.

    AWS Management console with the account number visible

  4. Copy the Account Number value, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

Step 2: Provide your AWS credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Cloud Services list, select Cisco Secure Email (S3 Ingestion).

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Account ID — Enter the AWS account number.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

Step 3: Configure an AWS Trail

  1. Sign in to the AWS Management Console with administrator permissions.

  2. In the navigation menu, click Services > All services > CloudTrail.

  3. In the navigation menu, click Trails.

  4. Configure these settings:

    • Region — Select All.

    • S3 bucket — Enter the name of the S3 bucket that you selected for Cisco Secure Email log storage.

    • Status — Make sure that the trail shows a green status check mark, which indicates that logging is on.

    All other settings can have any value.

    Tip: You can edit an existing trail to match these settings.

Step 4: Deploy an AWS CloudTrail stack

  1. Sign in to the AWS Management Console with administrator permissions.

  2. In the navigation menu, beside your username, click Region.

  3. Select the region that contains the S3 bucket that you selected to store Cisco Secure Email logs.

  4. In the Services menu, in the Management & Governance section, click CloudFormation.

  5. On the CloudFormation page, click Create stack > With new resources (standard).

  6. On the Create Stack page, configure these settings:

    • Prepare template — Select the Template is ready option.
    • Template Source — Select the Amazon S3 URL option.
  7. In the Amazon S3 URL field, enter https://arcticwolf-public.s3.us-west-2.amazonaws.com/install/aws-templates/us001/latest/alternate_primary_template.json.

  8. Click Next.

  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.

  10. In the Parameter section, if you:

    • Do not have any existing trails that you want to use — Keep the cloudtrailTrail field empty.

    • Have an existing trail that you want to use — In the cloudtrailTrail field, enter the Amazon Resource Name (ARN) of the existing Trail that you want to use for Arctic Wolf.

      Note: You can find the trail ARN in the CloudTrail console: select the existing trail that you want to use from the Trail list, and then look at the path similar to CloudTrail > Trail > arn:aws:cloudtrail:us-east-2:12345678910:trail/nameoftrail. Copy the entire ARN, starting with arn:aws:cloudtrail.

  11. Click Next.

  12. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.

  13. Click Next.

  14. On the Review page, read the Capabilities section.

  15. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  17. Verify that the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created.
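The settings required in Configure an AWS Trail (Region set to All, the log bucket, logging on) and the trail ARN format expected by the cloudtrailTrail parameter can be checked from the CLI before you submit the stack. The script below is an added example and is not Arctic Wolf tooling; the two JSON samples are constructed in the shape returned by aws cloudtrail describe-trails and aws cloudtrail get-trail-status, and the bucket name example-ces-logs is a placeholder. Replace the samples with real command output to check your own account.

```python
"""Check that a CloudTrail trail matches the settings this page requires.

Added example (not Arctic Wolf documentation or tooling). The samples below
are constructed in the shape of `aws cloudtrail describe-trails` and
`aws cloudtrail get-trail-status` output.
"""
import json
import re

# Constructed sample: describe-trails output for two trails.
DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {
      "Name": "org-trail",
      "S3BucketName": "example-ces-logs",
      "IsMultiRegionTrail": true,
      "HomeRegion": "us-west-2",
      "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/org-trail"
    },
    {
      "Name": "legacy-trail",
      "S3BucketName": "some-other-bucket",
      "IsMultiRegionTrail": false,
      "HomeRegion": "us-east-1",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-trail"
    }
  ]
}
""")

# Constructed sample: get-trail-status output, keyed by trail name.
TRAIL_STATUS = {
    "org-trail": {"IsLogging": True},
    "legacy-trail": {"IsLogging": False},
}

# Shape of the value the cloudtrailTrail stack parameter expects.
TRAIL_ARN_RE = re.compile(r"^arn:aws:cloudtrail:[a-z0-9-]+:\d{12}:trail/[\w.-]+$")


def check_trail(trail: dict, status: dict, expected_bucket: str) -> list:
    """Return a list of problems; an empty list means the trail is usable."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("Region must be All (IsMultiRegionTrail is false)")
    if trail.get("S3BucketName") != expected_bucket:
        problems.append(
            f"S3 bucket is {trail.get('S3BucketName')!r}, expected {expected_bucket!r}")
    if not status.get("IsLogging"):
        problems.append("Status is not green (IsLogging is false)")
    if not TRAIL_ARN_RE.match(trail.get("TrailARN", "")):
        problems.append("TrailARN is not a well-formed arn:aws:cloudtrail:...:trail/ value")
    return problems


def usable_trail_arns(describe: dict, statuses: dict, expected_bucket: str) -> list:
    """ARNs that are safe to paste into the cloudtrailTrail stack parameter."""
    return [t["TrailARN"] for t in describe["trailList"]
            if not check_trail(t, statuses.get(t["Name"], {}), expected_bucket)]


if __name__ == "__main__":
    for t in DESCRIBE_TRAILS["trailList"]:
        issues = check_trail(t, TRAIL_STATUS[t["Name"]], "example-ces-logs")
        print(t["Name"], "OK" if not issues else "; ".join(issues))
    print("usable:", usable_trail_arns(DESCRIBE_TRAILS, TRAIL_STATUS, "example-ces-logs"))
```

The check treats a trail that fails any one requirement as unusable, so an existing single-region trail is reported rather than silently reused, and the ARN pattern catches the common copy-paste error of pasting only the trail name into the cloudtrailTrail field.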

Step 5: Subscribe to the Arctic Wolf SNS topic

The CloudFormation stacks create a Simple Notification Service (SNS) topic in your AWS account. Arctic Wolf uses this SNS topic to identify changes to your CloudTrail account. Make sure that the Arctic Wolf Simple Queue Service (SQS) endpoint is subscribed to your AWNSNSTopic.

Note: Only complete these steps for the primary region.

  1. In the AWS Management Console, in the navigation menu, click Services > All services > Simple Notification Service.

  2. In the navigation menu, click Topics.

  3. In the filter field, enter AWNSNSTopic to find the corresponding topic.

  4. In the Name column, click the link for the Arctic Wolf SNS topic.

  5. On the Subscriptions page, review the subscription Status. If the value is:

    • Confirmed — The SNS subscription is successfully confirmed.
    • Pending:
      1. Select the checkbox for the subscription, and then click Request confirmation.

        A message appears, indicating that the subscription confirmation was requested.

      2. Wait a few minutes, and then refresh the page.

      3. If the Status continues to display Pending, contact your CST for assistance. Include your 12-digit AWS account number.

Step 6: Deploy an AWS S3 stack

  1. Sign in to the AWS console as a user, or as an IAM role that has AdministratorAccess or an equivalent IAM policy.

  2. Select the region where your S3 bucket was created.

    Note: Arctic Wolf recommends that you use US West (Oregon) or US East (N. Virginia), known as us-west-2 and us-east-1 respectively, to make sure that all recommended AWS services are available. See Supported AWS regions for more information.

  3. On the CloudFormation Service page, click Create stack > With new resources.

  4. Configure these settings:

    • Prepare template — Select the Template is ready option.
    • Template Source — Select the Amazon S3 URL option.
  5. In a new browser tab, go to the MDR Dashboard, and then copy the Simple Storage Service (S3) Logs stack URL.

  6. Paste the URL into the Amazon S3 URL field.

  7. Click Next.

  8. In the Specify stack details section, in the Stack name field, enter a name for the S3 log forwarding stack. For example, ArcticWolf-S3LogForward.

    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf. Make sure it is unique.

  9. In the Parameters section, in the bucketName field, enter the name of the S3 bucket that will be used to save logs.

  10. If the bucket is used for:

    • Storing security logs only — Keep the prefixPath field empty.

    • Multiple purposes — In the prefixPath field, enter the prefix to monitor for new objects. For example, <myservice>/logs.

      Only applicable data is forwarded to Arctic Wolf to lower AWS costs.

      Note: When entering the prefixPath value, do not include a trailing slash, /.

  11. If the logs sent to the S3 bucket:

    • Use standard SSE-S3 encryption — Keep the kmsKey field empty.

    • Have SSE-KMS encryption that encrypts them with a KMS key — Enter the ARN of the KMS key in the kmsKey field.

      See Configure GuardDuty to Export Logs for more information.

  12. Click Next.

    You are redirected to the Configure stack options page. Do not make changes on this page.

  13. Click Next.

  14. On the Review page, read the Capabilities section.

  15. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  17. Verify that the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created.

Step 7: Create an IAM policy

  1. Sign in to the AWS IAM console.

  2. In the Access Management section, click Policies.

  3. Click Create policy.

  4. In the Select a service section, select S3.

  5. In the Access level section, click Write.

  6. Select the PutObject checkbox.

  7. In the Resources section, click Specific.

  8. Click Add Arn.

  9. Click either Visual or Text, and then enter the Amazon Resource Name (ARN) of the objects in the S3 bucket that will be used to store Cisco Secure Email logs. s3:PutObject is an object-level action, so the resource must be an object ARN such as arn:aws:s3:::<bucket-name>/* (or a narrower prefix such as arn:aws:s3:::<bucket-name>/<prefix>/*), not the bare bucket ARN arn:aws:s3:::<bucket-name>; a policy that lists only the bucket ARN does not grant PutObject.

    Tip: See Amazon S3 resources for more information.

  10. Click Add ARNs.

  11. Click Next.

  12. Enter details about the policy as needed. For example, a description or tags.

  13. Click Create Policy.
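The policy that Create an IAM policy builds through the console is short enough to write and review as JSON, and the object-ARN requirement is easy to get wrong in the Add ARN dialog. The script below is an added example, not Arctic Wolf or Cisco code: it generates the least-privilege PutObject-only policy (optionally narrowed to the same prefix you gave the S3 stack's prefixPath parameter, without a trailing slash), and a small IAM-style matcher shows why the bucket-only ARN fails. The bucket name example-ces-logs, the prefix cisco/ces and the evaluator itself are constructed for illustration; the evaluator implements only wildcard matching and Deny-over-Allow, not conditions, policy types or other parts of real IAM evaluation.

```python
"""Build and sanity-check the least-privilege policy for the Cisco Secure
Email push user.

Added example, not Arctic Wolf or Cisco code. Bucket and prefix are
constructed placeholders; the evaluator is a deliberately small subset of
IAM semantics (action/resource wildcards, explicit Deny wins).
"""
import fnmatch
import json
from typing import Optional


def build_s3_push_policy(bucket: str, prefix: Optional[str] = None) -> dict:
    """Policy granting only s3:PutObject on objects in `bucket`.

    s3:PutObject is an object-level action, so the Resource is
    arn:aws:s3:::bucket/<key pattern>, never the bare bucket ARN. A prefix
    (stored without a trailing slash, like the stack's prefixPath parameter)
    narrows the grant to that key space on a shared bucket.
    """
    key_pattern = f"{prefix.strip('/')}/*" if prefix else "*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CiscoSecureEmailLogPush",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key_pattern}",
        }],
    }


# The mistake the console's Add ARN dialog makes easy: a bucket ARN with no
# object part. Constructed for contrast only; do not use it.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-ces-logs",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: `*` and `?` only, and `*` crosses `/`."""
    # fnmatch would also interpret [...] character classes; neutralise them.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified IAM decision: explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resources are not.
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_s3_push_policy("example-ces-logs", "cisco/ces")
    print(json.dumps(policy, indent=2))
    key = "arn:aws:s3:::example-ces-logs/cisco/ces/2024-02-16.log"
    print("correct policy allows PutObject:", allows(policy, "s3:PutObject", key))
    print("bucket-only policy allows PutObject:", allows(BUCKET_ONLY_POLICY, "s3:PutObject", key))
```

Paste the printed JSON into the Text tab of the policy editor instead of clicking through the visual editor. Because the statement names only s3:PutObject, the key you create in Create an access key cannot read, list or delete anything if it leaks from the Cisco Secure Email side, which is the point of the separate IAM user that Create an IAM user recommends.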

Step 8: Create an IAM user

Note: You can use an existing IAM user and attach the policy that you created in Create an IAM policy. However, Arctic Wolf suggests creating a new IAM user to make sure that the user only has the permissions needed to configure Cisco Secure Email monitoring.

  1. Sign in to the AWS IAM console.

  2. In the Access Management section, click Users.

  3. Click Add users.

  4. Enter a name for the IAM user.

  5. Click Next.

  6. Select Attach policies directly, and then select the policy that you created in Create an IAM policy.

  7. Click Next.

  8. Click Create user.

Step 9: Create an access key

  1. In the AWS IAM console, click Users.

  2. Click Preferences.

  3. Click the Access key ID toggle to the on position.

  4. Click Confirm.

  5. On the Users page, select the user that you created in Create an IAM user.

  6. Click Security credentials.

  7. In the Access keys section, click Create access key.

  8. In the Use case section, select Other.

  9. Click Next.

  10. Enter a description for the access key.

  11. Click Create access key.

  12. Copy the access key ID and secret access key, and then save them in a safe, encrypted location. You will enter them in Cisco Secure Email later.

Note: You cannot view the secret access key again after you close this screen. Treat the key pair as a long-lived credential: rotate it on a schedule, and delete it in IAM if Cisco Secure Email stops using it.

Step 10: Configure log forwarding from Cisco Secure Email

  1. Sign in to the Cisco Secure Email Cloud Gateway.
  2. Click System Administration > Log Subscriptions.
  3. For each Cisco Secure Email client that you want Arctic Wolf to monitor, complete these steps:
    1. Do one of these actions:
      • If you have a log subscription configured — Select the name of the subscription from the list.
      • If you do not have a log subscription configured — Click Add Log Subscription.
    2. In the Log Type list, select Consolidated Event Logs.
    3. In the Log Fields section, in the Available Log Fields list, select all log fields.
    4. Click Add >.
    5. In the Retrieval Method section, select the AWS S3 Push option, and then configure these settings:
      • S3 Bucket Name — Enter the name of the S3 bucket to forward logs to.
      • S3 Access Key — Enter the access key from Create an access key.
      • S3 Secret Key — Enter the secret key from Create an access key.
    6. Click Submit.
  4. Click Commit Changes > Submit Changes.

Next steps