Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

The two primary components of content filters are:

• Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.
• Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.

The other options are not primary components of content filters on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-4.

Outbreak filters and antivirus are two features that can be applied to either incoming or outgoing mail policies on Cisco ESA. Outbreak filters allow Cisco ESA to detect and block messages that contain new or emerging email threats, such as viruses, worms, phishing, or spam, by using real-time updates from Talos intelligence. Antivirus allows Cisco ESA to scan messages for known viruses and malware using one or two antivirus engines (Sophos and McAfee).

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-16 and page 7-2.

LDAP acceptance validation is a feature that allows the Cisco Secure Email Gateway to check if the recipient address of an incoming message exists in an LDAP directory before accepting it. This feature can help prevent spammers from sending emails with invalid recipient addresses and reduce the load on the appliance2. References = User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Configuring LDAP Queries [Cisco Secure Email Gateway] - Cisco

• System: This is the default list of trusted certificate authorities that is provided by Cisco and updated automatically. It contains the certificates of well-known and widely used certificate authorities, such as VeriSign, Thawte, and GoDaddy.
• Custom: This is the list of additional certificate authorities that you can add manually or import from a file. It allows you to trust certificates that are issued by your own or third-party certificate authorities that are not included in the system list.

To combat backscatter, which is a type of spam that consists of bounce messages sent to forged sender addresses, the administrator must enable the Bounce Verification feature under Security Settings. This feature allows the appliance to verify whether a bounce message is legitimate or not by checking if the original message was sent from the appliance. If not, the bounce message is considered as backscatter and can be dropped or quarantined. References: [Cisco Secure Email Gateway Administrator Guide - Configuring Bounce Verification]

Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

The two primary components of content filters are:

• Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.
• Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.

The other options are not primary components of content filters on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-4.

According to the Cisco Secure Email Threat Defense User Guide, the No Authentication option is only available if you are using a Cisco Secure Email Gateway (SEG) as your message source. This option allows visibility only, no remediation1.

The other options are not valid because:

• A. Basic Authentication is not a visibility and remediation mode for Cisco Secure Email Threat Defense. It is a method of authenticating users with a username and password2.
• C. Microsoft 365 Authentication is a visibility and remediation mode that allows you to use Microsoft 365 credentials to access Cisco Secure Email Threat Defense. It has two sub-options: Read/Write and Read. This mode is available for both Microsoft 365 and Gateway message sources1.
• D. Cisco Security Cloud Sign On is not a visibility and remediation mode for Cisco Secure Email Threat Defense. It is a service that manages user authentication for Cisco security products, including Cisco Secure Email Threat Defense3.

The safelist/blocklist (SLBL) is a feature that allows Cisco ESA to accept or reject messages from specific email addresses or domains, based on the configuration of mail flow policies or end user preferences.

The action that provides direct access to view the SLBL on Cisco ESA is to export the SLBL to a .csv file, which can be done from the web user interface by selecting Security Services > Safelist/Blocklist and clicking Export.

The other options do not provide direct access to view the SLBL on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-13 and page 6-14.

Enabling End-User Quarantine Access and pointing to an LDAP server for authentication is the action that must be taken to meet this requirement. End-User Quarantine Access is a feature that allows users to access their personal quarantine on Cisco ESA using their email address and password, without requiring an administrator account or access to Secure Email and Web Manager.

To enable End-User Quarantine Access on Cisco ESA, the administrator can follow these steps:

• Select Security Services > IronPort Anti-Spam > End User Safelist/Blocklist Settings and click Edit Settings.
• Under End User Quarantine Access, select Enable End User Quarantine Access.
• Under Authentication Server, select LDAP Server from the drop-down menu and choose an LDAP server profile from the drop-down menu.
• Click Submit.

The altsrchost command enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way. This command allows you to specify an alternate source host for messages that match a message filter. You can use this command to route messages to different virtual gateways based on the message content or attributes.

References: Securing Email with Cisco Email Security Appliance (SESA) v3.1, Module 5: Using Message Filters to Enforce Email Policies, Lesson 1: Using Message Filters

 The reason why the CEO did not receive an important message expected from a trusted sender after adding them to a safelist is because end-user safelists apply to antispam engines only. End-user safelists are lists of sender addresses or domains that end users can create and manage through their quarantine accounts or email clients. End-user safelists allow end users to accept or exempt messages from certain senders or domains from being identified as spam by the antispam engines. However, end-user safelists do not affect other filtering engines such as antivirus, outbreak filters, or content filters. References = User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Safelists and Blocklists [Cisco Secure Email Gateway] - Cisco

Data Loss Prevention (DLP) is an outgoing mail policy feature that should be configured to catch this content before it leaves the network. DLP allows Cisco ESA to scan outgoing messages for sensitive or confidential data, such as credit card numbers, social security numbers, health records, etc., and apply appropriate actions, such as encrypt, quarantine, notify, etc., to prevent data leakage or loss.

The other options are not valid outgoing mail policy features to catch this content before it leaves the network, because they do not scan for sensitive or confidential data in messages.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 9-2 and page 9-3.

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-2240.pdf

Spam Quarantine End-User Authentication Query is a query that Cisco ESA performs against an LDAP server to validate the end-user credentials during login to the End-User Quarantine.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 10-9.

Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

The two primary components of content filters are:

• Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.
• Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.

The other options are not primary components of content filters on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-4.

Forged Email Detection is a feature that allows Cisco ESA to detect and block messages that spoof the display names of internal senders in the From header, such as executives or managers, to trick recipients into opening malicious or fraudulent emails. To configure this feature, two steps are required:

• Configure a content dictionary with friendly names of internal senders that should not appear in the From header of external messages, such as Alpha Beta or John Smith.
• Configure a filter to use the Forged Email Detection rule and dictionary, which will compare the display name in the From header of incoming messages with the entries in the content dictionary, and apply the configured action if a match is found.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 9-8.

Undesirable URL protection is a feature that allows Cisco ESA to detect and block messages that contain URLs that lead to malicious or unwanted websites, such as phishing, malware, or adult content sites. To enable this feature, outbreak filters and antispam scanning must be enabled on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-17.

Geolocation-based filtering and senderbase reputation filtering are two features of Cisco Email Security that can be added to a Sender Group to protect an organization against email threats. Geolocation-based filtering allows Cisco ESA to accept or reject connections from email servers based on their geographic location, such as country or continent. Senderbase reputation filtering allows Cisco ESA to reject or throttle connections from email servers based on their reputation score, which is calculated by Talos using sensor information from various sources.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 5-4 and page 6-2.

The graymail management solution in the appliance comprises of two components: an integrated graymail scanning engine and a cloud-based Unsubscribe Service. The integrated graymail scanning engine identifies graymail messages using various criteria and assigns them to different categories. The cloud-based Unsubscribe Service provides an easy mechanism for end users to unsubscribe from unwanted messages by checking the reputation of the unsubscribe links and performing the unsubscribe process on behalf of the end user.

References: User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment), Chapter: Managing Graymail, Section: Graymail Management Solution in Email Security Appliance

Direct access via web browser requires authentication is the restriction that is in place for end users accessing the spam quarantine on Cisco Secure Email Gateway appliances. Spam quarantine is a feature that allows Cisco ESA to store messages that are suspected to be spam and allow end users or administrators to review them and release or delete them as needed.

End users can access their personal spam quarantine on Cisco ESA either by clicking on a link in a notification email or by entering their email address and password in a web browser. In both cases, authentication is required to ensure security and privacy.

The other options are not valid restrictions that are in place for end users accessing the spam quarantine on Cisco Secure Email Gateway appliances, because they are either not mandatory or not related to authentication.

References: [User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway], page 10-2 and page 10-3.

Cisco Talos is a cloud service that provides a reputation verdict for email messages based on the sender domain and other attributes such as IP address, sender behavior, message content, and attachment analysis. Cisco Talos is integrated with Cisco Secure Email Gateway and provides real-time threat intelligence and protection against spam, phishing, malware, and other email-borne threats.

The other options are not valid because:

• A. Cisco AppDynamics is a cloud service that provides application performance monitoring and optimization for enterprise applications. It does not provide reputation verdicts for email messages.
• B. Cisco Secure Email Threat Defense is a cloud service that provides visibility and remediation capabilities for email threats detected by Cisco Secure Email Gateway. It does not provide reputation verdicts for email messages.
• C. Cisco Secure Cloud Analytics is a cloud service that provides network visibility and threat detection for cloud environments. It does not provide reputation verdicts for email messages.

spf-status is the section of the filter that must be modified to correct this behavior. spf-status is a condition that determines whether a message matches the content filter rule based on the result of SPF verification, such as pass, fail, neutral, etc.

The content filter in the exhibit has a spf-status condition set to “Pass”, which means that it will match messages that passed SPF verification and apply the action of “Quarantine”. This is the opposite of what the network engineer intended to do.

To correct this behavior, the network engineer can modify the spf-status condition to “Fail”, which means that it will match messages that failed SPF verification and apply the action of “Quarantine”.

The other options are not valid sections of the filter that must be modified to correct this behavior, because they do not affect the spf-status condition.

References: [User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway], page 8-3 and page 8-4.

To allow phishing simul-ations to bypass antispam scanning, the administrator must add two components to the allow list: domains and senders. Domains are the email domains that are used in the phishing simulations, such as example.com or test.com. Senders are the email addresses that are used to send the phishing simulations, such as phish@example.com or test@test.com. By adding these components to the allow list, the administrator can prevent them from being blocked by antispam scanning and allow them to reach the end users for testing purposes. References: [Cisco Secure Email Gateway Administrator Guide - Creating Allow Lists]

ceo@example.com is the data that must be added to the dictionary to accomplish this goal. A content dictionary is a list of values that can be used as a condition in a content filter or a message filter. Forged Email Detection is a feature that allows Cisco ESA to detect and prevent email spoofing attacks, where the sender’s address or domain is forged to appear as someone else, such as the CEO of the organization.

To create a content dictionary for use with Forged Email Detection on Cisco ESA, the administrator can follow these steps:

• Select Mail Policies > Content Dictionaries and click Add Dictionary.
• Enter a name and description for the content dictionary, such as CEO Email.
• Under Dictionary Values, click Add Value.
• Enter the email address of the CEO, such as ceo@example.com.
• Click Submit.

The altsrchost command enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way. This command allows you to specify an alternate source host for messages that match a message filter. You can use this command to route messages to different virtual gateways based on the message content or attributes.

References: Securing Email with Cisco Email Security Appliance (SESA) v3.1, Module 5: Using Message Filters to Enforce Email Policies, Lesson 1: Using Message Filters

Determining Which Interface is Used for Mail Delivery Unless you specify the output interface via the deliveryconfig command or via a message filter ( alt-src-host ), or through the use of a virtual gateway, the output interface is selected by the AsyncOS routing table. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_011001.html?bookSearch=true

Secure unsubscribe option for end users. Mimicking an unsubscribe option is a popular phishing technique. For this reason, the end users are generally wary of clicking unknown unsubscribe links. For such scenarios, the cloud-based Unsubscribe Service extracts the original unsubscribe URI, checks the reputation of the URI, and then performs the unsubscribe process on behalf of the end user. This protects end users from malicious threats masquerading as unsubscribe links. https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-2-1/User_Guide/b_ESA_Admin_Guide_14-2-1/b_ESA_Admin_Guide_12_1_chapter_01110.html#id_101033

External spam quarantine is a feature that allows Cisco SMA to store and manage spam messages quarantined by multiple Cisco ESAs in one central location, providing a unified view and administration of the spam quarantine data.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 10-3.

A filter is a method that enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way. A filter is a rule that allows Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

To deliver a flagged message to a specific virtual gateway address using a filter, the engineer can create a content filter or message filter that matches the flag condition and applies an action of “deliver via alternate host” with the virtual gateway address as the parameter.

The other options are not methods that enable an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way, because they have more limitations or requirements than using a filter.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-7.

The safelist is a list of email addresses or domains that are considered legitimate and trustworthy by Cisco ESA. When an email is received from a sender on the safelist, Cisco ESA skips antispam scanning for that message and delivers it to the recipient without any spam filtering.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-13.

The safelist/blocklist (SLBL) is a feature that allows Cisco ESA to accept or reject messages from specific email addresses or domains, based on the configuration of mail flow policies or end user preferences.

The action that provides direct access to view the SLBL on Cisco ESA is to export the SLBL to a .csv file, which can be done from the web user interface by selecting Security Services > Safelist/Blocklist and clicking Export.

The other options do not provide direct access to view the SLBL on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-13 and page 6-14.

ceo@example.com is the data that must be added to the dictionary to accomplish this goal. A content dictionary is a list of values that can be used as a condition in a content filter or a message filter. Forged Email Detection is a feature that allows Cisco ESA to detect and prevent email spoofing attacks, where the sender’s address or domain is forged to appear as someone else, such as the CEO of the organization.

To create a content dictionary for use with Forged Email Detection on Cisco ESA, the administrator can follow these steps:

• Select Mail Policies > Content Dictionaries and click Add Dictionary.
• Enter a name and description for the content dictionary, such as CEO Email.
• Under Dictionary Values, click Add Value.
• Enter the email address of the CEO, such as ceo@example.com.
• Click Submit.

The default port to deliver emails from the Cisco ESA to the Cisco SMA using the centralized Spam Quarantine is 6025. This is the default value for the Port setting in the External Spam Quarantine configuration on Cisco ESA. This port must be open on both Cisco ESA and Cisco SMA for the communication to work.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 10-4.

According to the [Cisco Secure Email Encryption Service Add-In User Guide], you can create an encryption profile that defines the encryption settings and options for your encrypted messages[2, p. 11]. You can also create an outgoing content filter that applies the encryption profile to the messages that match certain conditions, such as having [SECURE] in the subject header[2, p. 12]. This way, you can allow users to flag the messages that require encryption by adding [SECURE] to the subject line.

The other options are not valid because:

• A. Creating an encryption profile with [SECURE] in the Subject setting and enabling encryption on the mail flow policy will not work, as the Subject setting in the encryption profile is used to specify the subject line of the encrypted message envelope, not the original message[2, p. 11].
• B. Creating an outgoing content filter with no conditions and with the Encrypt and Deliver Now action configured with [SECURE] in the Subject setting will not work, as this will encrypt all outgoing messages regardless of whether they have [SECURE] in the subject line or not[2, p. 12].
• D. Creating a DLP policy manager message action with encryption enabled and applying it to active DLP policies for outgoing mail will not work, as this will encrypt messages based on DLP rules that detect sensitive data in the message content, not based on user flags in the subject line.

Spam threshold is a setting that determines the minimum score that a message must have to be classified as spam by Cisco ESA. The lower the threshold, the more aggressive the spam detection is.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-5.

STARTTLS is an SMTP extension that allows email servers to negotiate a secure connection using TLS or SSL encryption. Cisco ESA supports STARTTLS for both inbound and outbound email delivery.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 5-2.

To use DKIM for outbound email, the administrator must export the DNS TXT record from the Cisco Secure Email Gateway and provide it to the DNS registrar of the domain. This will allow the recipient servers to verify the DKIM signature of the email by querying the DNS record of the sender domain. References: [Cisco Secure Email Gateway Administrator Guide - Configuring DKIM Signing]