PRJ-2026-04-abnormal-security: Cisco ESA → Abnormal Security Migration

1. Project Summary

Field               Value
PRJ ID              PRJ-2026-04-abnormal-security
Owner               Evan Rosado (added to project)
Priority            P1
Category            Email Security / Platform Migration
Status              Active — newly assigned
Type                Migration: Cisco ESA (inline) → Abnormal Security (API)
Strategic Context   CHLA shifting from Cisco to Microsoft security stack

2. Purpose

Migrate email security from Cisco ESA (inline/MX gateway) to Abnormal Security (API-based behavioral AI). This is part of CHLA's broader strategic shift from the Cisco to the Microsoft security ecosystem.

2.1. Strategic Context: Cisco → Microsoft

CHLA is moving away from Cisco security products across the board:

Domain                  Retiring (Cisco)                                Replacing With
Email Security          Cisco ESA (inline gateway)                      Abnormal Security (API-based, M365 Graph)
SIEM                    QRadar (IBM, legacy)                            Microsoft Sentinel (Azure, KQL)
XDR/EDR                 Cisco XDR                                       Microsoft Defender XDR
Network Access Control  Cisco ISE (STAYING — no Microsoft equivalent)   —

ISE is the exception — Microsoft has no NAC product. This makes the MSCHAPv2 → EAP-TLS migration and Linux 802.1X work even more critical since ISE is the one Cisco product that stays.

2.2. Why Abnormal Over ESA

Factor                   Cisco ESA (Inline)                               Abnormal (API)
Deployment               MX record change, mail flows through appliance   M365 Graph API, no mail flow change, deploys in minutes
Detection                Signature + reputation (known threats)           Behavioral AI (unknown threats, BEC, account takeover)
Single Point of Failure  YES — if ESA goes down, mail stops               NO — mail delivery unaffected
Log Integration          Syslog to SIEM                                   API to Sentinel (native Azure integration)
Maintenance              Firmware, HA, certificates, MX management        SaaS — vendor managed

3. Scope

3.1. In Scope

  • Abnormal Security API integration with M365

  • ESA decommission planning (MX record cutover)

  • Log source migration (ESA syslog → Abnormal API → Sentinel)

  • Policy configuration (detection rules, auto-remediation)

  • User communication (phishing reporting workflow changes)

  • Integration with Sentinel analytics rules

3.2. Out of Scope

  • M365 tenant configuration (separate team)

  • Defender XDR deployment (separate project)

  • ISE — not affected by this migration

3.3. Dependencies

  • Microsoft Sentinel access (acquired 2026-04-01)

  • Monad ETL pipeline (for log transformation)

  • M365 Graph API permissions (tenant admin approval)

4. Metadata

Field          Value
PRJ ID         PRJ-2026-04-abnormal-security
Author         Evan Rosado
Created        2026-04-01
Last Updated   2026-04-01
Status         Active
Next Review    2026-04-15