
2018 Cisco and/or its affiliates. All rights reserved.

    How-To Configure Mailbox Auto Remediation for Office 365 on Cisco Email Security


Cisco Email Security How-to Guide: Configure Mailbox Auto Remediation for Office 365 (Cisco Public)


Contents

About This Document
Introduction to Office 365 Mailbox Auto Remediation
Verifying Feature Keys in Cloud Email Security
Building a Public and Private Certificate and Key Pair
Register Your CES Cluster as an Application in Azure
Modify the Manifest to Reference the RSA Certificate
Upload Private Key and Other Certificate Parameters to the CES Cluster
Configuring Remedial Actions on Delivered Messages
Troubleshooting Mailbox Remediation


About This Document

Microsoft Exchange has become the standard email system used by midsize to large-scale organizations globally. With the rise of cloud applications, Microsoft has introduced Office 365. Cisco Email Security has been protecting Exchange from spam, phishing attacks and viruses for over a decade and has recently enhanced malware protection with Advanced Malware Protection (AMP). While the email security portfolio encompasses other protections, this guide explains how Microsoft Office 365 customers can protect their mailboxes from malicious zero-day attacks such as ransomware. It steps the reader through the details of setting up Office 365 Mailbox Auto Remediation integrated with AMP.

    This document is for Cisco engineers and customers who will deploy Cisco Cloud Email Security using AsyncOS 10.0 or higher.

This document covers:

- Overview of Office 365 Mailbox Auto Remediation
- Creating a certificate
- Registering Cisco Cloud Email Security (CES) as an Azure app
- Troubleshooting

    Note: The graphics present the most recent version of the Azure Active Directory user interface. As that changes over time, customers will need to consult Microsoft tech articles to supplement the tasks described here.

Introduction to Office 365 Mailbox Auto Remediation

Overview of Operation

A file can turn malicious at any time, even after it has reached a user's mailbox. Cisco Advanced Malware Protection (AMP) can identify this change of verdict as new information emerges and will push retrospective alerts to an on-premises appliance or a Cisco Cloud Email Security (CES) cluster. With AsyncOS, you get more than just alerting. If your organization is using Office 365 to manage mailboxes, you can configure CES to perform auto-remediation actions on the messages in a user's mailbox when the threat verdict changes. This process is briefly illustrated in Figure 1 below.

However, other details need to be considered that address how Cisco CES gains access to a user's Office 365 mailbox to remediate the message.

    Cisco CES uses Azure Active Directory to gain access to the Office 365 mailboxes. After CES receives the retrospective update about the malicious file (Figure 1), it requests an access token from Azure. If communication is secured between CES and Azure, and CES is granted permission to access the Office 365 application, then an access token is provided (Figure 2). At that point the remediation action is allowed to proceed as indicated in step 5 of Figures 1 and 2.

This guide covers only how to integrate ESA/CES with Office 365 for auto remediation. The reader is expected to already know how to set up AMP on Email Security. For more details, see the chalk talk Cisco Email Security Malware Auto-Remediation for Office 365 or the How-to Guide Protect Against File-Based Attacks.

    Additionally, this link will direct you to the Security Chalk Talk Cisco Email Security Malware Auto-Remediation for Office 365.

Figure 1. Retrospection (Mailbox Auto Remediation in Action, ACME.com). Elements shown: SMA, ESA Cluster, Cisco Cloud Email Security (DLP, A/V, A/S, Encryption), AMP Threat Grid, Microsoft Office 365 mailboxes (@bce-acme.com). Flow labels: "Files Reputation?", "Good Reputation" (3), "A later update: Bad Reputation", "Remediate Message" (step 5).


Figure 2. Remediation. Elements shown: SMA, ESA Cluster, Cisco Cloud Email Security (DLP, A/V, A/S, Encryption), AMP Threat Grid, Microsoft Azure, Microsoft Office 365 (@bce-acme.com). Flow labels: "Authenticating Access with Azure", "Access Token" (exchanged between CES and Azure), "Requesting Access to O365 Mailbox", "Remediate Message" (step 5).

This document addresses setting up the Azure service as follows:

Step: Verify feature keys for Cisco AMP analysis and AMP reputation.
Purpose: Mailbox Auto Remediation relies on AMP's intelligence for making a remediation.

Step: Create a certificate and a key pair.
Purpose: Secures communication between Azure and CES.

Step: Register your CES cluster as an application on Azure Active Directory.
Purpose: Specifies the permissions that CES has in Office 365 mailboxes. The permissions are carried in the token (Figure 2). The manifest is downloaded.

Step: Modify the manifest to reference your RSA certificate.
Purpose: Configures Azure to recognize the public key sent from the CES cluster when it requests Office 365 permissions. Certificate-to-public-key references are put in the manifest. The modified manifest is uploaded to Azure.

Step: Upload the private key and other certificate parameters to the CES cluster.
Purpose: The private key is uploaded to CES. Configures the client ID, tenant ID, and thumbprint.

Verifying Feature Keys in Cloud Email Security

1. Log in to your Cloud Email Security account.
2. Click: System Administration > Feature Keys.
3. Verify that File Reputation and File Analysis are active.

    Figure 3. Verifying Feature Keys


Building a Public and Private Certificate and Key Pair

1. Download the certificate and key generating tool. We are using a tool called XCA (https://sourceforge.net/projects/xca/?source=typ_redirect).
   Note: If you already have an X.509 certificate and private key pair, skip to the section Register Your CES Cluster as an Application in Azure in this guide.
2. Create a certificate and private key pair.
3. As shown in Figure 4, fill out the Distinguished name fields.
4. Click the Extensions tab.
5. In the section called X509v3 Basic Constraints, specify the certificate type as Certification Authority.
6. Also on the Extensions tab (not shown), specify the time range for which the certificate is valid.

Figure 4. Filling Out the Distinguished Name Fields

7. Select Local time for the time zone that the Cisco CES cluster is hosted in.
8. Click: Apply.
9. Click the Key usage tab.
10. As shown in Figure 5, on the Key usage tab, choose the following three options: Digital Signature, Key Encipherment, E-mail Protection.
11. Click: OK. Your certificate and private key pair will be created.

Figure 5. Choosing Key Usage Options

12. Click the Certificate tab and highlight the certificate name (Figure 6).
13. Click: Export. Download the certificate to a directory that is convenient to access with Microsoft PowerShell.
    Note: Avoid long directory paths to make PowerShell use easier.
14. Click the Private Keys tab, highlight the private key name, and click: Export.
15. Download the private key to the same directory.


    Figure 6. Downloading the Certificate and Private Key

16. Using WordPad, verify that the structure of the certificate and private key pair is as shown in Figure 7.

    Figure 7. Verifying the Certificate and Private Key Pair Structure
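
The following script is an added example, not part of the Cisco guide and not CES code. It reproduces the XCA click-through above with the OpenSSL CLI (steps 2 to 11), performs the structural check of step 16 more strictly than a look in WordPad (it confirms the exported private key actually belongs to the certificate), prints the thumbprint that the CES configuration and the Azure manifest reference, and then goes one step beyond the guide: it builds and verifies the certificate-signed client assertion that a certificate-credential client presents to Azure AD to obtain the access token shown in Figure 2 (Microsoft's documented JWT format: RS256 over the header and payload, with an x5t header holding the base64url SHA-1 thumbprint). It assumes the openssl CLI is installed; the subject fields, validity period, file names and the tenant and application IDs are placeholders.

```shell
# Added example (not from the Cisco guide): the XCA steps done with the OpenSSL
# CLI, a strict check of the exported PEM pair, the certificate thumbprint CES is
# configured with, and the certificate-signed client assertion behind the Azure
# token request in Figure 2. Requires the openssl CLI; subject, validity and the
# tenant/application IDs are placeholders.
set -eu

# base64url as used in JWTs: standard base64, URL-safe alphabet, no padding
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Steps 2 to 11: self-signed RSA certificate and private key with the same
# extensions the guide selects in XCA (Basic Constraints CA, Digital Signature,
# Key Encipherment, E-mail Protection). $1 = output directory.
make_mar_certpair() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/mar.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = mar_ext
prompt = no
[ dn ]
CN = ces-mailbox-remediation.example.com
O = Example Corp
C = US
[ mar_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
EOF
    # -days is the validity window of step 6; OpenSSL writes notBefore/notAfter
    # in UTC, so the local-time choice of step 7 does not arise here.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/mar.cnf" -extensions mar_ext \
        -keyout "$dir/private.pem" -out "$dir/certificate.pem" 2>/dev/null
}

# Step 16, done strictly: both files must be PEM that OpenSSL can parse, and the
# private key must belong to the certificate (identical public key), which a
# visual check of the BEGIN/END headers cannot tell you.
check_mar_certpair() {
    dir="$1"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/certificate.pem" || return 1
    grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$dir/private.pem" || return 1
    cert_pub=$(openssl x509 -in "$dir/certificate.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/private.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The thumbprint CES is configured with: SHA-1 over the DER certificate, hex, no colons.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# What "requests an access token from Azure" looks like on the wire for a
# certificate credential (Microsoft's documented assertion format): RS256 over
# header.payload, x5t = base64url(SHA-1 of the DER certificate) so Azure can pick
# the matching public key from the manifest. $1 = dir, $2 = tenant ID, $3 = application ID.
make_client_assertion() {
    dir="$1"; tenant="$2"; client="$3"
    x5t=$(openssl x509 -in "$dir/certificate.pem" -outform DER | openssl dgst -sha1 -binary | b64url)
    now=$(date +%s); exp=$((now + 600)); jti=$(openssl rand -hex 16)
    header=$(printf '{"alg":"RS256","typ":"JWT","x5t":"%s"}' "$x5t" | b64url)
    payload=$(printf '{"aud":"https://login.microsoftonline.com/%s/oauth2/token","iss":"%s","sub":"%s","jti":"%s","nbf":%s,"exp":%s}' \
        "$tenant" "$client" "$client" "$jti" "$now" "$exp" | b64url)
    sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$dir/private.pem" -binary | b64url)
    printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# What Azure does with the assertion: verify the RS256 signature against the
# certificate's public key. Returns non-zero for a tampered or foreign token.
verify_client_assertion() {
    dir="$1"; jwt="$2"
    signed=${jwt%.*}; sig=${jwt##*.}
    case $(( ${#sig} % 4 )) in 2) sig="${sig}==" ;; 3) sig="${sig}=" ;; esac
    sigfile=$(mktemp)
    printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$sigfile"
    openssl x509 -in "$dir/certificate.pem" -noout -pubkey > "$dir/public.pem"
    if printf '%s' "$signed" | openssl dgst -sha256 -verify "$dir/public.pem" -signature "$sigfile" >/dev/null 2>&1; then
        rm -f "$sigfile"; return 0
    fi
    rm -f "$sigfile"; return 1
}

# Usage: sh mar_cert.sh <output-dir> <tenant-id> <application-id>
if [ $# -eq 3 ]; then
    make_mar_certpair "$1"
    check_mar_certpair "$1" && echo "certificate and private key verified"
    echo "thumbprint: $(cert_thumbprint "$1/certificate.pem")"
    make_client_assertion "$1" "$2" "$3"
fi
```

The assertion printed by make_client_assertion is what a client sends to https://login.microsoftonline.com/{tenant}/oauth2/token as the client_assertion parameter (with grant_type=client_credentials and client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer); no network call is made here. The token Azure returns carries the permissions granted to the registered application, which is why the private key must stay only on the CES cluster and the manifest must reference exactly this certificate's public key.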

Register Your CES Cluster as an Application in Azure

1. Access the Azure user interface: https://portal.azure.com/
2. Click: More Services > App Registrations (Figure 8).

    Figure 8. Accessing the Registration Form

3. Click: +Add (Figure 9).
4. Specify the App Name.
5. For application type: Web app/API.
6. Sign-on URL in the form: https:///ManualRegistration
   Note: This is the URL where users can sign in and use your appliance.


    Figure 9. Adding the Application

7. Click: Create.
8. Under API Access, click: Required permissions (Figure 10).
9. In the API listing, select Office 365 Exchange Online.
10. At the bottom of the page click: Select.

    Figure 10. Selecting the API

11. As shown in Figure 11, for Application Permissions select:
    - Use Exchange Web Services with full access to
    - Send Mail as any user
    - Read mail in all mailboxes
    - Read and write mail in all mailboxes

    Figure 11. Selecting Permissions

    Figure 12. Delegating Permissions

12. As shown in Figure 12, for Delegated Permissions select:
    - Send mail as a user
    - Read and write user mail
    - Read user mail
    - Access mailboxes as the signed-in user via Exchange Web Services
