
Doc type

Demonstration Guide

Cisco Email Security Application Office 365


Threat Analyzer v2


Created in Partnership with Technical Marketing Engineers, Cisco Email Security.
Last Updated: 15-MARCH-2019

About This Demonstration


This guide for the preconfigured demonstration includes:

About This Demonstration

Limitations

Requirements

About This Solution

Topology

Get Started

Scenario 1. Microsoft Azure Application Creation

Scenario 2. Launching the Cisco Threat Analyzer for O365

Scenario 3. Generating the Threat Analyzer Report

Scenario 4. Understanding the Threat Analyzer Report

Appendix A. Troubleshooting

Appendix B. Frequently Asked Questions (FAQ)

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 21


Limitations

Cisco Email Security’s Threat Analyzer Tool for O365 has the following limitations:

• The All Mailboxes option scans 50 mailboxes by default. You can modify the number of mailboxes to be scanned.

• Scanning is limited to 2.5K mails per mailbox.

• All scanning option is limited to 999 mailboxes.

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

• Required: Laptop

• Optional: Cisco AnyConnect®

Laptop with Cisco AnyConnect®

About This Solution


As more customers make the transition from traditional on-premise Microsoft Exchange to cloud-based Microsoft Office 365 as part of
their mail strategy, the need for a more stringent email security solution becomes more prevalent.

This demonstration showcases the value of the no-cost, no-impact Cisco Email Security Application Office 365
Threat Analyzer. This tool, coupled with Cisco Email Security, scans identified Microsoft Office 365 mailboxes via an Application
Programming Interface (API) and provides a report containing valuable insight into threats in the customer's Microsoft Office 365
email environment, such as Spam, Virus, Graymail, and Malware.

NOTE: Use of this tool is not meant to provide remediation of any messages or threats identified via the report.

Cisco Email Security delivers industry-leading inbound and outbound email cleansing and control, offering high availability email
protection against the constant, dynamic, rapidly changing threats affecting email today in a variety of form factors to fit customer
needs.

For additional information about Cisco Cloud Email Security, visit http://www.cisco.com/go/emailsecurity. Here you will find detailed
information on Cisco Email Security features and benefits, available form factors, Cisco differentiators, and more.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology

Figure 2. Physical Topology

Table 2. Equipment Details

• Email Security Appliance: Cisco Email Security Appliance running Threat Analyzer Tool for O365. Host Name (FQDN): esa.dcloud.cisco.com, IP Address: 198.18.133.146, Username: admin, Password: C1sco12345

• Workstation 1: Windows 7 workstation used for accessing TA. Host Name (FQDN): wkst1.dcloud.cisco.com, IP Address: 198.18.133.36, Username: administrator, Password: C1sco12345


Get Started

BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

FOR SCHEDULED CISCO EMAIL SECURITY’S THREAT ANALYZER TOOL FOR O365

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on your
laptop [Show Me How]

Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud Remote Desktop
client works best for accessing an active session with minimal interaction. However, many users experience connection and performance
issues with this method.

IMPORTANT! The Threat Analyzer Tool is pre-configured. There is no need to administer or alter any of the configured values for the
associated scanning engines within the vESA. Any direct administration of the vESA may result in unexpected reporting and/or errors.

If there are configuration changes needed, any Partner may request to have an On-Prem instance launched for their usage. Please
consult the On-Prem Cisco Threat Analyzer for O365 page for more information.

NOTE: All actions for Scenario 1 must be performed by the customer within their environment.

Before any scanning can commence, the customer must register the Cisco Threat Analyzer for O365 in their Microsoft Azure
environment and grant the necessary permissions. Once this is completed, they must provide their Client ID/Application ID and Tenant
IDs. Without this information, the API within the Cisco dCloud environment cannot be registered.


Scenario 1. Microsoft Azure Application Creation

VALUE PROPOSITION: Microsoft Azure is a platform as a service (PaaS) solution for building and hosting solutions using Microsoft's
products in Microsoft's data centers. It is a comprehensive suite of cloud products that allows users to easily create enterprise-class
applications without having to build out their own infrastructure.

For security, the tie in to Threat Analyzer is read-only. This helps you protect business and personal information by enabling you to
manage user identities and credentials plus control access.

Prior to running the Threat Analyzer tool, you will need to create the API connection from Microsoft Azure to the Threat Analyzer. This
information will be provided from the customer side. Scenario 1 can be copied and provided to the customer so that they have the
instruction set to open the API and provide the needed Client ID (Application ID) and Tenant ID.

Prerequisites

• Office 365 account subscription. Make sure that your Microsoft Office 365 account subscription includes access to Exchange, such
as an Enterprise E3 or Enterprise E5 account.

• Microsoft Azure administrator account and access to http://portal.azure.com

• Both the Microsoft Office 365 and Microsoft Azure AD accounts are tied properly to an active user@domain.com email address,
and you are able to send and receive emails via that domain and account.

Registering the Application

1. Log into your Microsoft Azure Portal (https://portal.azure.com)

2. Click Azure Active Directory.

3. Click App registrations.

4. Click New application registration and then fill in the following required fields:

• Name: Threat Analyzer (or the name of your choice)

• Application Type: Web app / API

• Sign-on URL: https://www.cisco.com/sign-on

5. Click Create.

6. Click Settings.

a. Click Required permissions.

b. Click + Add.

c. Click Select an API and then choose Microsoft Graph in the API list.

d. At the bottom, click Select.


e. Select the following permissions under Application Permissions:

• Read all groups

• Read directory data

• Read mail in all mailboxes

f. Scroll down and, similarly, select the permissions below under Delegated Permissions:

• Read user mail

• Read all groups

• Read directory data

g. At the bottom, click Select.

h. Click Done.

i. Finally, click Grant permissions to ensure that your new permissions are applied to the application.

NOTE: Grant Permissions

If Grant Permissions is NOT applied after completing the above steps, the application will fail to connect to the Threat Analyzer tool, and you
will receive an API error.


Edit the Manifest

NOTE: If you are copying from your laptop and pasting into WKST1, use a text editor, like Notepad, to save the data until it is needed. If you
opened and configured the Azure portal inside WKST1, use <Ctrl>+<Alt>+<Shift> to copy and paste the data and/or IDs. For Apple Mac users,
the key combination to copy from the local machine to the workstation in dCloud is <CTRL>+<OPTION>+<SHIFT>. This brings up the remote
desktop clipboard and allows the data to be exchanged.

1. From your main Registered app pane, click Manifest.

2. Copy the following as-is and use it to replace the keyCredentials line:


"keyCredentials": [{
"customKeyIdentifier": "B2ybFYpimVk+etGYPZX9QvIAgw8=",
"keyId": "169acc09-1d17-4235-8eb1-22a387b494c4",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value":
"MIIDiTCCAnGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAkNBMQ4wDAYDVQQ
KEwVDaXNjbzEMMAoGA1UECxMDRVNBMQwwCgYDVQQDEwNFU0ExIDAeBgkqhkiG9w0BCQEWEWVzYS10bWVAY2lzY28uY29tMB4XDTE3MDcxODA
wMDAwMFoXDTI3MDcxNzIzNTk1OVowdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQHEwJDQTEOMAwGA1UEChMFQ2lzY28xDDA
KBgNVBAsTA0VTQTEMMAoGA1UEAxMDRVNBMSAwHgYJKoZIhvcNAQkBFhFlc2EtdG1lQGNpc2NvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggE
PADCCAQoCggEBAKEpwf9e/Fyh2tc4r+9+J59SXOKwWx9ODu7K5P7I2KTa2QwPyahp+ehvOGvbknAnwhnJ+d1mwy5NsoQ9MQtcAmrZQXaeqJG
mf2Nke/AwQXkth8uDrIWo9D5FCuU35W0+C4Hv2Gn1BBt38mvItReaye5Iqe8Nr2shI8k8kCYa3Gk5jWnp02LllcRETo9/CwWAfhaE6T9XlAR
XevB6M9Y6Ua0zu2sM4MIdeR74+1D3ZIK57yElGubuymZ7AsrYWVrQ1iM5rJpemS/kNsSrULsZl4PX63/eRw9lvY1HK9+yOYdI6J4aSaQl8jR
h1hEHdzZowPq82dCsNptGEaCUsGZuYdcCAwEAAaMkMCIwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA0GCSqGSIb3DQEBBQU
AA4IBAQAK6H5v3mq+ng1gqnQ3pX+K6PjMTYrDTKrkM+6slaV1jv9TRHfM5xrQjInkO+evQrCnnn/Pg6AhkfYbivFsMZiN0yTUind9lNgIOx/
ZJqcsnZrr3M8Y8xLa7zrM6sxV5fNzpun2Ly0fKHN90eNpTyixp31rgINLCmsm9w9UqV5+VVkubt0c9fS2BQOSsJzR613kfvCPjI4h7ppYypc
ERnNgXxlJrJGcu4F6Hzsf2QJVhlYgKN8+VoBhtlmlX7EqaoTloH53f7/b4lB2pG9DT7raE9IkGJ3Hw2AtoQQwLIjYivYKwd6JO3+pO3w2KzD
pJ7GQPNW6UzN4waITfDMevcRz"
}],

NOTE: The value string that begins with MIIDiTCC and ends with DMevcRz must be on a single line. Notepad text editor is recommended to
edit the string.

3. In the Edit Manifest pane toolbar, click Save.
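A way to check that the pasted keyCredentials entry, the PEM file and the Thumbprint used later in Scenario 2 all describe the same certificate, as an added example (not code from Cisco or from this guide). It assumes that the Thumbprint and customKeyIdentifier are the base64-encoded SHA-1 hash of the DER certificate and that the PEM file contains a CERTIFICATE block; the function names and the sample data are constructed for the example.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM text")
    # PEM wraps the base64 body across lines; remove all whitespace first.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def thumbprint_b64(der):
    """Assumed convention: base64 of the SHA-1 hash of the DER certificate."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def check_manifest(manifest_text, pem_text, thumbprint):
    """Return a list of problems; an empty list means everything agrees."""
    der = der_from_pem(pem_text)
    expected = thumbprint_b64(der)
    problems = []
    if thumbprint.strip() != expected:
        problems.append("Thumbprint entered in the tool does not match the PEM")
    # strict=False accepts raw line breaks inside strings so they can be reported.
    creds = json.loads(manifest_text, strict=False).get("keyCredentials", [])
    if not creds:
        problems.append("manifest has no keyCredentials entry")
    for i, entry in enumerate(creds):
        where = f"keyCredentials[{i}]"
        value = entry.get("value", "")
        if any(ch.isspace() for ch in value):
            problems.append(f"{where}.value is not on a single line")
        try:
            cert = base64.b64decode("".join(value.split()), validate=True)
        except ValueError:
            problems.append(f"{where}.value is not valid base64")
            continue
        if cert != der:
            problems.append(f"{where}.value is not the certificate in the PEM")
        if entry.get("customKeyIdentifier") != expected:
            problems.append(f"{where}.customKeyIdentifier does not match the PEM")
        if (entry.get("type"), entry.get("usage")) != ("AsymmetricX509Cert", "Verify"):
            problems.append(f"{where} type/usage differ from the guide's values")
    return problems


# Constructed sample data: these bytes stand in for a certificate; they are
# not a real X.509 certificate and not the demo certificate from the guide.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_THUMBPRINT = thumbprint_b64(SAMPLE_DER)


def wrap(text, width):
    """Split text into lines of at most `width` characters."""
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + wrap(SAMPLE_B64, 64)
              + "\n-----END CERTIFICATE-----\n")


def sample_manifest(value):
    """Build manifest JSON; line breaks in value stay raw, as in a bad paste."""
    entry = {"customKeyIdentifier": SAMPLE_THUMBPRINT,
             "keyId": "00000000-0000-0000-0000-000000000000",  # placeholder
             "type": "AsymmetricX509Cert", "usage": "Verify", "value": value}
    return json.dumps({"keyCredentials": [entry]}).replace("\\n", "\n")


if __name__ == "__main__":
    print(check_manifest(sample_manifest(SAMPLE_B64), SAMPLE_PEM, SAMPLE_THUMBPRINT))
    print(check_manifest(sample_manifest(wrap(SAMPLE_B64, 100)), SAMPLE_PEM,
                         SAMPLE_THUMBPRINT))
```
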


Getting your Client ID and Tenant ID

1. Your Client ID in the Azure portal is named Application ID. This can be found from the main pane of the application you have
created:

2. Your Tenant ID can be found in the first level App Registrations > Endpoints pane:

• Your Tenant ID is inside each of these strings; copy any one of the strings listed on the right:

Example:
...windows.net/688a9cde-c495-44d8-afb2-ae1234567890/federationmetadata/2007-06/federationmetadata.xml

Here, for this example, the Tenant ID is 688a9cde-c495-44d8-afb2-ae1234567890.


NOTE: This will be in hexadecimal format, with the following notation: 8:4:4:4:12

For example, 1234abcd-12ab-34cd-12ab-123456789abc

For this document’s examples as shown, the final IDs are:

• Client ID = Application ID: 9cb701e7-7ad4-4855-acef-48fa01d8713e

• Tenant ID: 688a9cde-c495-44d8-afb2-ae1234567890

Azure Application Creation Complete

At this time, you have the following info created:

• Client ID (or Application ID)

• Tenant ID

You are ready to start the Threat Analyzer tool!
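Before the two IDs are handed over, they can be checked against the 8-4-4-4-12 format and against the endpoint string they were copied from. The following is an added example, not part of the Cisco guide; the function names are made up for it, and the sample values in the usage section are the example IDs shown above.

```python
import re

# 8-4-4-4-12 hexadecimal notation, as described in the NOTE above.
GUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")


def tenant_id_from_endpoint(url):
    """Return the first path segment that is an 8-4-4-4-12 GUID, or None."""
    for segment in url.strip().split("/"):
        if GUID_RE.fullmatch(segment):
            return segment.lower()
    return None


def check_ids(client_id, tenant_id, endpoint_url):
    """Return a list of problems with the IDs; an empty list means they look right."""
    problems = []
    for label, value in (("Client ID", client_id), ("Tenant ID", tenant_id)):
        if value != value.strip():
            problems.append(f"{label} has leading or trailing whitespace")
        if not GUID_RE.fullmatch(value.strip()):
            problems.append(f"{label} is not in 8-4-4-4-12 hexadecimal format")
    client, tenant = client_id.strip().lower(), tenant_id.strip().lower()
    from_url = tenant_id_from_endpoint(endpoint_url)
    if from_url is None:
        problems.append("no Tenant ID found in the endpoint string")
    elif from_url == client and from_url != tenant:
        # The endpoint carries the tenant, so the two values were swapped.
        problems.append("Client ID and Tenant ID are transposed")
    elif from_url != tenant:
        problems.append("Tenant ID does not match the endpoint string")
    if client == tenant:
        problems.append("Client ID and Tenant ID are identical")
    return problems


# Example values from this guide (the endpoint string is elided as in the guide).
ENDPOINT = ("...windows.net/688a9cde-c495-44d8-afb2-ae1234567890"
            "/federationmetadata/2007-06/federationmetadata.xml")
CLIENT_ID = "9cb701e7-7ad4-4855-acef-48fa01d8713e"
TENANT_ID = "688a9cde-c495-44d8-afb2-ae1234567890"

if __name__ == "__main__":
    print(check_ids(CLIENT_ID, TENANT_ID, ENDPOINT))   # correct order
    print(check_ids(TENANT_ID, CLIENT_ID, ENDPOINT))   # swapped by mistake
```
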


Scenario 2. Launching the Cisco Threat Analyzer for O365

VALUE PROPOSITION: The Cisco Threat Analyzer for O365 Tool can be run directly from the Cisco dCloud environment using the
Remote Desktop or by using Cisco AnyConnect to establish a (VPN) Virtual Private Network to a Cisco VPN server [Show me How].

The instructions below assume you are utilizing the dCloud workstation and Remote Desktop option. Please refer to the details listed
under the Info or Session Details section of the Cisco dCloud session for access via VPN.

Start the Cisco Threat Analyzer for O365

1. Connect to the Workstation 1 in dCloud using the steps in the Get Started section.

2. On the desktop, open the Cisco Threat Analyzer shortcut.

3. Google Chrome launches and the ReadMe document will load as the landing page.

4. To launch the tool, click the Cisco Threat Analyzer bookmark.

5. Log in with the access credentials as provided:

• username: admin

• password: C1sco12345

6. Enter the following information:

• Customer Name: Your Company Name (for example Outdoor Sports, Inc.)

• Client ID: (from Scenario 1)

• Tenant ID: (from Scenario 1)

• Thumbprint: B2ybFYpimVk+etGYPZX9QvIAgw8= (See Note here)


NOTE: If you are copying from your laptop and pasting into WKST1, use a text editor, like Notepad, to save the ID until it is needed. If you
opened and configured the Azure portal inside WKST1, use <Ctrl>+<Alt>+<Shift> to copy and paste the IDs. For Apple Mac users, the key
combination to copy from the local machine to the workstation in dCloud is <CTRL>+<OPTION>+<SHIFT>. This brings up the remote
desktop clipboard and allows the data to be exchanged.

NOTE: Alternatively, the thumbprint may be copied directly from a file located on the desktop called “Client and Tenant IDs.rtf”

7. Click Browse for the Certificate Private Key.

• In the File Upload window, select demo.pem from the C:\Users\Administrator\Downloads\Supporting Info folder

NOTE: The self-signed certificate and private key are pre-defined to streamline the scan task. If the customer has concerns about using
them, the On-Prem steps can be used to generate the needed certificate(s), keyCredentials, and Thumbprint. Please consult
Certificate: Unix/Linux (utilizing openssh) and Certificate: Windows (utilizing Windows PowerShell). A Partner may also request to
have an On-Prem instance launched for their usage. Please consult the On-Prem Cisco Threat Analyzer for O365 page for more
information.

8. Click Validate. A brief confirmation message displays while the API is checked.

9. Once validation is completed, you can select one of the following to start the scan:

• LDAP Groups

• Following Mailboxes

• Following Mailboxes are not

• All Mailboxes

(*) Please be sure that you have had the pre-scan conversation with your customer to identify which mailboxes they wish to have
included, or not included, in the scan. Keep in mind that the scan will take a look at emails and attachments. The scan provided by the
Cisco Threat Analyzer for O365 tool is not intended to be an all-inclusive scan, but only a brief overview of threats and mail messages
from the inbox of their mailboxes identified.

10. Click Start Scan.


NOTE: It may take a few moments to fetch the mailboxes over the API once the Start Scan button has been clicked. Once the mailboxes have
been fetched, the Dashboard will be displayed, with the scan running and in progress.

[Example: Cisco Threat Analyzer Dashboard]

Please be sure to monitor the dashboard for updates and activity. At the top of the dashboard you will find the mailbox scan progress
percentage, number of mailboxes scanned, and also the number of mailboxes skipped. If there is a # next to the mailboxes skipped,
you may click that # to be provided reasons for the mailbox(es) to not have been scanned.

If you wish to stop the scan for any reason, click Stop Scan and wait for the dashboard to update and refresh.


Scenario 3. Generating the Threat Analyzer Report

VALUE PROPOSITION: Gain visibility into threats that may have gone undetected in your Office 365 inboxes. Identify security
vulnerabilities present in Office 365 mailboxes. And determine whether malicious URLs, malware and spam are present in your Office
365 email.

1. Once the scan is complete, click Export to generate the customer-facing PDF.

2. A PDF named emailScanReport.pdf will be generated and saved to C:\Users\Administrator\Downloads.

3. Using the Box – Cisco Log in bookmark, log into Box and upload your report to your Box account.

[Example: Cisco Threat Analyzer for Office 365 Report]

4. The results of the report are tabulated from the vESA itself. While the dCloud session is still scheduled and available, you may
log in to the vESA in order to view the results and associated scanning reports by clicking on the Cisco vESA bookmark from the
Google Chrome browser. Once your dCloud session is completed or expired, the vESA and associated Threat Analyzer report will
no longer be available. All data is scrubbed and removed from the dCloud session once the session is completed or expired.


Scenario 4. Understanding the Threat Analyzer Report

VALUE PROPOSITION: Results in the report are formatted in an easy-to-understand graphical display format.

The results of the report are tabulated from the vESA itself. While the dCloud session is still scheduled and available, you may log in to
the vESA in order to view the results and associated scanning reports by clicking on the Cisco vESA bookmark from the Google
Chrome browser, or access the vESA from your local workstation/laptop via AnyConnect. (See Topology and Get Started in this
document for details.)

(*) If you are not familiar with the vESA user interface, you may be interested to review the Cisco Email Security Instant Demo, also
available from dCloud!

Page 1 (of 3)

Page 1 is a cover page for the customer facing report.

This contains the statistics for the scan results, including the
number of mailboxes scanned, number of mailboxes skipped,
and the elapsed time (how long the scan took to complete).


Page 2 (of 3)

Page 2 contains the percentage of Spam, Graymail, and Threat Messages.

Spam Messages pertains to the “Spam Detected” from the vESA Overview > Incoming Mail Summary. To see a breakdown of
these messages, visit Monitor > Incoming Mail and review the Incoming Mail Details section.

Graymail Messages pertains to the Marketing, Social Networking, and Bulk Messages from the vESA Overview >
Incoming Mail Summary. To see a breakdown of these messages, visit Monitor > Incoming Mail and review the
Incoming Mail Details section.

Threat Messages are represented from Outbreak Filters scanning. In order to understand the breakdown for these
percentages visit Monitor > Outbreak Filters and review the Threats by Type, Threat Summary, and Threat Details.


Page 3 (of 3)

Page 3 continues the breakout of Outbreak Filters, showcasing the Threat Campaigns provided from Monitor > Outbreak
Filters and review of the Threat Summary.

Malicious Attachment Types are provided from Monitor > Advanced Malware Protection from the Incoming Malware
Threat Files table.

Finally, Threat Attachments are provided as well from Monitor > Advanced Malware Protection and the Incoming Malware
Threat Files table. (You may see the full SHA of these files by viewing the vESA and the Advanced Malware Protection
reporting page with the associated table.)


vESA Reports

From the vESA UI itself, you can generally browse through the available reports from
Monitor > <name>.

Not all reports will align properly. This is due to the fact that when the API is opened from
Microsoft Azure/Microsoft O365 to the Cisco Threat Analyzer Tool, all mail is bundled into the
one incoming connection and listener on the vESA. This is why from Monitor > Incoming
Mail the Incoming Mail Details table only contains one row of “No Domain Information” and
the associated percentages of the mail traffic.

Remember, the Cisco Threat Analyzer Tool is only meant to showcase what Cisco Email Security
can detect from messages in the inbox of existing O365 mailboxes.

Please utilize the results of the services made available on the tool to move onto a proper
proof-of-value (PoV) with Cisco Email Security. The customer will then be able to see results
from the connection level, security scanning, and delivery of their mail traffic – and will be
able to view and interact directly with the full-on reporting capabilities that Cisco Email
Security and Cisco Security Management provides from their own Cisco Email Security
(CES) environment.

[Example: vESA UI]


Appendix A. Troubleshooting

TIP! For any issues within dCloud instance, please open a support case from your dCloud session.

The following troubleshooting notes are provided from the Cisco Threat Analyzer for Microsoft Office 365 page:
https://docs.ces.cisco.com/docs/troubleshooting

NOTE: Not all scenarios will be applicable for Threat Analyzer Tool instances scheduled and run from dCloud.

API error upon log-in to the Threat Analyzer Tool

1. Review the interface configuration of the vESA to ensure that AsyncOS API (Monitoring) is enabled for AsyncOS API HTTP
(6080). You do NOT need to enable AsyncOS API HTTPS (6443).

2. Review your network and/or firewall to ensure that port 6080 is allowed for the IP address you have configured. If you are using
network address translation (NAT), ensure that you have the interface properly mapped.

When logging in to the Threat Analyzer Tool UI...

• the "Logging In..." pop-up spins

• the page will not load

1. Review to make sure that you started the scan from the CLI by running startofflinescan

2. Review to make sure that you started the scan with the proper interface's IP address

3. Review the Running the Threat Analyzer Tool directions

API error during credentials validation

1. Review the Client ID (Application ID) and Tenant ID. Ensure that you have copied them over correctly from Microsoft Azure during the
application creation steps.

2. Ensure you are using the correct Thumbprint and the same .pem certificate that was used during the application creation steps.

3. Review the offlinescan_logs to see if there are any specific errors.

4. As a last resort, delete your application in Microsoft Azure and perform the application creation steps again.


offlinescan_logs show...

• "Error while requesting token AADSTS90002: Tenant 'a2745a99-9999-999a-b999-cf78f467999a' not found. This may happen
if there are no active subscriptions for the tenant. Check with your subscription administrator."

Check to make sure you have not transposed your Application ID and Tenant ID.

offlinescan_logs show...

• "Error in requesting token: AADSTS70002: Error validating credentials. AADSTS50012: Client assertion is not within its valid
time range."

Adjust the time manually on the CLI of the vESA using the command settime:
analyzer.lab> settime

WARNING: Changes to system time will take place immediately and do not require the user to run the commit
command.

Current time Thu Jan 17 15:27:06 2019 GMT.


Please enter the time in MM/DD/YYYY HH:MM:SS format.
[]> 01/18/2019 15:27:36

Time set to Fri Jan 18 15:27:36 2019 GMT.

Typically, setting the time forward by one (1) day will correct the error. If you had configured an NTP server, it is possible that the port
for NTP (123) is not open on the network/firewall for your vESA.

offlinescan_logs show...

• "Failed to connect to <name> mailbox with error Group not Exists"

Review the LDAP group name entered on the Email Scan Setup page. You may need to validate that the AD group exists. Log in to
the Exchange Admin Center to review the Display Name(s).

offlinescan_logs show...

• "Tue Jan 15 19:25:58 2019 Info: Unable to read attachments(s) from the recipient's (sam@myexamplebank.com) mailbox"

• "Tue Jan 15 19:29:26 2019 Info: Skipping one message from the recipient's (sam@myexamplebank.com) mailbox since error
((552, 'size limit exceeded', u'tess@trainingcenterexample.com')) has occured"

These are OK to ignore. The attachment was either corrupt, too large to scan, or in a format that is not supported for scanning. 'size limit
exceeded' means that the message was larger than the maximum mail size supported by the vESA itself, 25 MB.


offlinescan_logs show...

• "Failed to connect to %20joe@example.com mailbox with error User Not Exist"

If you have entered comma-separated values for the mailboxes to be scanned, you have copied over improper spacing. "%20" is
the URL-encoded form of a space character. Reformat your comma-separated list so that it does not include spaces.

Example: bob@example.com,joe@example.com
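The offlinescan_logs messages above can be sorted into causes in one pass. This is an added example, not a Cisco tool; the category names and function names are made up for it, the patterns and actions are taken from the messages and fixes listed in this appendix, and the sample lines are constructed from those messages.

```python
import re
from collections import Counter

# (category, pattern, action): first matching rule wins.
RULES = [
    ("ids_transposed", re.compile(r"AADSTS90002: Tenant '[^']*' not found"),
     "Check that the Application ID and Tenant ID have not been transposed."),
    ("clock_skew", re.compile(r"AADSTS50012: Client assertion is not within"),
     "Correct the vESA time with settime; check that NTP port 123 is open."),
    ("ldap_group", re.compile(r"with error Group not Exists"),
     "Review the LDAP group name entered on the Email Scan Setup page."),
    ("mailbox_spacing",
     re.compile(r"Failed to connect to \S*%20\S* mailbox with error User Not Exist"),
     "Remove spaces from the comma-separated mailbox list."),
    ("ignorable", re.compile(r"Unable to read attachments|size limit exceeded"),
     "OK to ignore."),
]


def classify(line):
    """Return (category, action) for one log line."""
    for category, pattern, action in RULES:
        if pattern.search(line):
            return category, action
    return "unclassified", "No matching entry in the troubleshooting notes."


def triage(lines):
    """Count categories and collect the distinct actions that need follow-up."""
    counts, actions = Counter(), []
    for line in lines:
        category, action = classify(line)
        counts[category] += 1
        if category not in ("ignorable", "unclassified") and action not in actions:
            actions.append(action)
    return counts, actions


def clean_mailbox_list(raw):
    """Rebuild a comma-separated mailbox list without spaces or empty items."""
    return ",".join(item.strip() for item in raw.split(",") if item.strip())


# Constructed sample built from the messages quoted in this appendix;
# "Sales" and the last line are placeholders invented for the example.
SAMPLE_LOG = [
    "Error while requesting token AADSTS90002: Tenant "
    "'a2745a99-9999-999a-b999-cf78f467999a' not found.",
    "Error in requesting token: AADSTS70002: Error validating credentials. "
    "AADSTS50012: Client assertion is not within its valid time range.",
    "Failed to connect to Sales mailbox with error Group not Exists",
    "Tue Jan 15 19:25:58 2019 Info: Unable to read attachments(s) from the "
    "recipient's (sam@myexamplebank.com) mailbox",
    "Tue Jan 15 19:29:26 2019 Info: Skipping one message from the recipient's "
    "(sam@myexamplebank.com) mailbox since error ((552, 'size limit exceeded', "
    "u'tess@trainingcenterexample.com')) has occured",
    "Failed to connect to %20joe@example.com mailbox with error User Not Exist",
    "Tue Jan 15 19:30:00 2019 Info: constructed line with no known error",
]

if __name__ == "__main__":
    counts, actions = triage(SAMPLE_LOG)
    print(dict(counts))
    for action in actions:
        print("-", action)
```
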

No results showing on the dashboard

• The scan is running and showing progress; however, results are not being posted to the dashboard for Spam, Graymail, etc.:

First, patience! The Threat Analyzer relies on the vESA to consume the reporting and message data in order to build the dashboard
results and final report. Allow at least one (1) hour to elapse.

If this continues to show 0% results, this is usually due to a firewall and API port (6080). Review the network and firewall configuration
for your vESA. Assure the port is open. The firewall may need a reset, as traffic through the port is not allowing the reporting data to
properly.

IMPORTANT! For any issues within dCloud instance, please open a support case from your dCloud session.


Appendix B. Frequently Asked Questions (FAQ)


FAQ are not maintained within this document. Please consult the Cisco Threat Analyzer for Microsoft Office 365 site for up-to-date
FAQ for the Threat Analyzer Tool:

https://docs.ces.cisco.com/docs/frequently-asked-questions-faq-threat-analyzer-tool

What’s Next?

• To begin a customer evaluation of Cisco Email Security visit https://order.ces.cisco.com/eval/

• To learn more about Cisco Email Security visit http://www.cisco.com/go/emailsecurity
