What Changed

Complete migration of the Cisco ETD CCF connector from the legacy API to the new Message Event Logs REST API. This is a breaking change: both the ingestion mechanism and the data schema are replaced.

Security Impact (Visibility & Fidelity)

Critical Data Source Enhancement: The new Message Event Logs API provides message visibility that the legacy connector could not. The legacy connector captured only convicted messages (those with a positive threat verdict), so clean mail and post-delivery remediation activity never reached the SIEM, a significant blind spot for email security monitoring.

Enhanced Coverage:

  • Complete Message Stream: The new API ingests all message events, not only convicted threats
  • Action Context: Captures quarantine actions, folder moves, and other remediation activity
  • Event Lifecycle: Tracks both create (initial detection) and update (re-remediation) events for the same message
  • Enriched Metadata: Keeps the full message object in a dynamic message column alongside the extracted fields

P0 Impact Assessment: Deployments running the previous Cisco ETD connector version face a data format incompatibility. The new connector writes to a new table, CiscoETDv2_CL, with normalized fields (EventTime, EventType, MessageId, Verdict, Sender, Recipient, Subject) extracted from the raw event by the DCR transform. Existing queries and workbooks that target the legacy schema may break and must be repointed to the new table and field names.

Ingestion Mechanism

New CCF Architecture:

  • Two-Stage Collection: A first API call returns download links; a second fetch retrieves the message data from those links
  • OAuth2 + API Key: JWT bearer-token authentication, with an x-api-key header required on requests
  • Enhanced Transform: The DCR transformKql extracts the structured fields from the nested JSON at ingestion time
  • Rate Limiting: 10 QPS, 60-minute query windows, and retry logic
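As an added illustration of the transform stage, the following is the shape of a DCR transformKql that would extract the normalized fields above from the nested message object. This is example code, not the transform shipped in CiscoETD_DCR.json; the input column name (message) and the nested property names (timestamp, eventType, messageId, verdict, sender, recipient, subject) are assumptions about the upstream payload and must be checked against the real API response.

```kusto
// Added example of a DCR ingestion-time transform; not the connector's own
// CiscoETD_DCR.json. `source` is the incoming stream. The raw event is assumed
// to arrive in a dynamic column named `message`; the nested property names
// below are assumptions and must be checked against the real API response.
source
| extend m = parse_json(message)
| extend
    EventTime = todatetime(m.timestamp),
    EventType = tostring(m.eventType),      // expected values: create | update
    MessageId = tostring(m.messageId),
    Verdict   = tostring(m.verdict),
    Sender    = tostring(m.sender),
    Recipient = tostring(m.recipient),
    Subject   = tostring(m.subject)
// Fall back to ingestion time if the event carries no usable timestamp,
// so a row is never dropped for a null TimeGenerated.
| extend TimeGenerated = coalesce(EventTime, now())
// Keep the raw object so nothing is lost. Every projected column must also
// exist in the custom table schema (CiscoETD_Table.json) or it is discarded.
| project TimeGenerated, EventTime, EventType, MessageId, Verdict,
          Sender, Recipient, Subject, message
```

The query text is stored as the transformKql string of the DCR's dataFlows entry. After deployment, a take 10 against CiscoETDv2_CL confirms the extracted columns are populated; rows with an empty EventType or MessageId point to a wrong property path in the transform rather than a collection failure.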

Workbook Updates: Visualization queries now target the CiscoETDv2_CL table with the new field mappings; verdict analysis excludes update (re-remediation) events.
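Two added example queries against the new table, run separately, show how the workbook-style verdict analysis and the create/update lifecycle data can be used. They are not the queries in CiscoETD.json, and the literal EventType values create and update are assumed.

```kusto
// Added examples against the new schema; not the workbook's own queries.
// Assumes EventType carries the literal values "create" and "update".

// 1. Verdict breakdown per hour. Update events are re-remediation of a
//    message already reported by its create event, so they are excluded
//    to avoid counting the same message twice.
CiscoETDv2_CL
| where TimeGenerated > ago(7d)
| where EventType !~ "update"
| summarize Messages = count(), DistinctSenders = dcount(Sender)
    by Verdict, bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// 2. Messages whose verdict changed after initial detection: the update
//    events the first query drops are exactly what this one needs.
CiscoETDv2_CL
| where TimeGenerated > ago(7d)
| summarize
    FirstSeen  = min(EventTime),
    LastSeen   = max(EventTime),
    Updates    = countif(EventType =~ "update"),
    Verdicts   = make_set(Verdict),
    Recipients = make_set(Recipient),
    Subject    = take_any(Subject)
    by MessageId
| where Updates > 0 and array_length(Verdicts) > 1
| order by LastSeen desc
```

The second query is the kind of question the legacy connector could not answer at all, since it never delivered the update events or the clean-verdict rows that a changed verdict is compared against.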

Per PR discussion: This API migration addresses limitations in threat visibility — the legacy API only provided convicted messages, missing clean emails and remediation context critical for comprehensive email security monitoring.

Affected Files

Solutions/Cisco ETD/Data Connectors/CiscoETD_ccp/CiscoETD_DCR.json
Solutions/Cisco ETD/Data Connectors/CiscoETD_ccp/CiscoETD_PollerConfig.json
Solutions/Cisco ETD/Data Connectors/CiscoETD_ccp/CiscoETD_Table.json
Solutions/Cisco ETD/Data Connectors/CiscoETD_ccp/CiscoETD_connectorDefinition.json
Solutions/Cisco ETD/Package/testParameters.json
Solutions/Cisco ETD/Workbooks/CiscoETD.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_CiscoETD.json, createUiDefinition.json, mainTemplate.json)