Agari

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Summary of the integration (the columns of the original table are: Supported data types, 3rd party detection, Hunters detection, IOC search, Search, Table name, Log format, Collection method):

  • Agari Messages: ✅ ✅; table name agari_phishing_defense_messages; log format NDJSON; collection method API

  • Agari Policy Events: ✅ ✅; table name agari_phishing_defense_policy_events; log format NDJSON; collection method API


Overview

Agari is an email protection product that protects against phishing, business email compromise (BEC) scams and other advanced email threats.

Integrating Agari into Hunters collects and ingests the key Agari data types into the data lake. Hunters then creates alerts over these logs, auto-investigates them and correlates them with related signals from other data sources.

Supported data types

Messages

Table name: agari_phishing_defense_messages

Information on every email message monitored by Agari, including the sender domain's reputation, the SPF, DKIM and DMARC authentication results, the enforcement action taken, and attachment SHA-256 hashes that can be compared against vetted IOC data, among other fields.

Policy Events

Table name: agari_phishing_defense_policy_events

Security policies configured in Agari trigger on matching messages and create policy events, for example for messages from suspicious domains or for external emails sent to C-level personnel.

Send data to Hunters

Hunters supports API collection for Agari events. To enable it, supply the following API credentials in the Hunters platform:

  • Client ID

  • Client Secret

To connect Agari logs:

  1. Log in to your Agari instance.

  2. Click on your username in the upper right and select Settings.

  3. Click on the Generate API Secret link to generate an API client_id and client_secret (the link reads Regenerate API Secret if a client ID/secret has already been generated; treat regeneration as a credential rotation and assume any other integration that uses the current secret will need the new one).

  4. Copy both the client_id and client_secret that are generated and store them somewhere safe, such as a secrets manager, rather than in a ticket or chat message: the client_secret grants API access to your organization's mail telemetry.

  5. Complete the process on the Hunters platform, following this guide.

Expected format

If Agari events are already being collected in your environment, you can ship them to Hunters via shared storage such as an AWS S3 bucket instead of the API. The files must be NDJSON (one JSON object per line, no surrounding array). The expected fields per data type are shown below.

Agari Phishing Defense Messages sample (field skeleton: each field is shown as a placeholder object rather than a real value)

{
"authenticity": {
"additionalProp": "string"
},
"date": {
"additionalProp": "string"
},
"domain_reputation": {
"additionalProp": "string"
},
"from": {
"additionalProp": "string"
},
"from_domain": {
"additionalProp": "string"
},
"id": {
"additionalProp": "string"
},
"mail_from": {
"additionalProp": "string"
},
"message_id": {
"additionalProp": "string"
},
"message_trust_score": {
"additionalProp": "string"
},
"reply_to": {
"additionalProp": "string"
},
"sbrs": {
"additionalProp": "string"
},
"subject": {
"additionalProp": "string"
},
"timestamp_ms": {
"additionalProp": "string"
},
"to": {
"additionalProp": "string"
},
"attachment_extensions": {
"additionalProp": "string"
},
"attachment_filenames": {
"additionalProp": "string"
},
"attachment_sha256": {
"additionalProp": "string"
},
"attachment_types": {
"additionalProp": "string"
},
"attack_types": {
"additionalProp": "string"
},
"dkim_result": {
"additionalProp": "string"
},
"dmarc_result": {
"additionalProp": "string"
},
"domain_dmarc_policy": {
"additionalProp": "string"
},
"domain_tags": {
"additionalProp": "string"
},
"enforcement_action": {
"additionalProp": "string"
},
"enforcement_folder": {
"additionalProp": "string"
},
"enforcement_result": {
"additionalProp": "string"
},
"expanded_from": {
"additionalProp": "string"
},
"forwarded_from": {
"additionalProp": "string"
},
"has_attachment": {
"additionalProp": "string"
},
"has_malicious_attachment": {
"additionalProp": "string"
},
"ip": {
"additionalProp": "string"
},
"message_details_link": {
"additionalProp": "string"
},
"message_read_status": {
"additionalProp": "string"
},
"org_domain": {
"additionalProp": "string"
},
"policy_ids": {
"additionalProp": "string"
},
"ptr_name": {
"additionalProp": "string"
},
"sender_approval_state": {
"additionalProp": "string"
},
"sender_type": {
"additionalProp": "string"
},
"spf_result": {
"additionalProp": "string"
},
"authentication_results": {
"additionalProp": "string"
},
"dkim_d_tag": {
"additionalProp": "string"
},
"matched_policies": {
"additionalProp": "string"
},
"risk_reason": {
"additionalProp": "string"
},
"sending_ip_address": {
"additionalProp": "string"
},
"download_message_link": {
"additionalProp": "string"
}
}

Agari Phishing Defense Policy Events sample

[
{
"id": 0,
"summary": true,
"alert_definition_name": "string",
"created_at": "string",
"updated_at": "string",
"notified_original_recipients": true,
"admin_recipients": "string",
"policy_action": "string",
"policy_enabled": true
}
]
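The following is an added example, not code from Hunters or Agari. It shows, for both samples above, the shape an NDJSON file shipped to Hunters must take (one object per line, which means a Policy Events array like the one above has to be split), a required-field check on Messages records, and a small triage that uses the Messages fields the page lists: attachment SHA-256 hashes matched against a vetted IOC set, plus DMARC results and domain reputation. The field names follow the samples on this page; the sample records, the IOC list, the set of required fields and the triage rules are constructed for illustration and are not part of the Hunters or Agari products.

```python
"""Validate Agari records for NDJSON shipping and triage message records.

Added example; not Hunters' or Agari's code. Field names follow the
expected-format samples on the page. Sample records, the IOC set, the
required-field list and the triage rules are constructed assumptions.
"""
import json
from typing import Iterable, Iterator

# Fields a Messages record must carry to be useful downstream. Which fields
# to require is an assumption; the names come from the Messages sample.
REQUIRED_MESSAGE_FIELDS = ("id", "message_id", "from", "from_domain", "to",
                           "timestamp_ms", "spf_result", "dkim_result",
                           "dmarc_result")

# Constructed sample: two Agari Phishing Defense Messages records.
SAMPLE_MESSAGES = [
    {"id": "1", "message_id": "<a1@mail.example.net>", "from": "ceo@examp1e.com",
     "from_domain": "examp1e.com", "to": "cfo@example.com",
     "timestamp_ms": 1700000000000, "spf_result": "fail", "dkim_result": "none",
     "dmarc_result": "fail", "domain_reputation": "suspicious",
     "has_attachment": True,
     "attachment_sha256": ["b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"],
     "attack_types": ["display_name_imposter"]},
    {"id": "2", "message_id": "<b2@mail.partner.example>",
     "from": "billing@partner.example", "from_domain": "partner.example",
     "to": "ap@example.com", "timestamp_ms": 1700000001000,
     "spf_result": "pass", "dkim_result": "pass", "dmarc_result": "pass",
     "domain_reputation": "trusted", "has_attachment": False,
     "attachment_sha256": [], "attack_types": []},
]

# Constructed sample: a Policy Events response. The page's sample is a JSON
# array, so it must be split into one object per line before shipping.
SAMPLE_POLICY_EVENTS = [
    {"id": 0, "summary": True, "alert_definition_name": "External to C-Level",
     "created_at": "2023-11-14T22:13:20Z", "updated_at": "2023-11-14T22:13:20Z",
     "notified_original_recipients": True, "admin_recipients": "secops@example.com",
     "policy_action": "alert", "policy_enabled": True},
]

# Constructed vetted-IOC set: SHA-256 hashes of known-bad attachments.
IOC_SHA256 = {"b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"}


def to_ndjson(records: Iterable[dict]) -> str:
    """Serialise records as NDJSON: one compact JSON object per line, no array."""
    return "\n".join(json.dumps(r, separators=(",", ":"), sort_keys=True)
                     for r in records) + "\n"


def parse_ndjson(text: str) -> Iterator[dict]:
    """Parse NDJSON, skipping blank lines; a line that is not an object is an error."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if not isinstance(obj, dict):
            raise ValueError(f"line {n}: expected a JSON object, got {type(obj).__name__}")
        yield obj


def missing_message_fields(record: dict) -> list:
    """Return the required Messages fields absent from a record (empty list = OK)."""
    return [f for f in REQUIRED_MESSAGE_FIELDS if f not in record]


def triage_message(record: dict, ioc_hashes: set) -> list:
    """Return the reasons a message deserves analyst attention (empty = none).

    Three cheap checks the Messages data type makes possible: attachment
    hashes against vetted IOCs, a DMARC failure from a domain Agari already
    rates as suspicious, and any attack types Agari itself assigned.
    """
    reasons = []
    hits = set(record.get("attachment_sha256") or []) & ioc_hashes
    if hits:
        reasons.append("ioc_attachment:" + ",".join(sorted(hits)))
    if record.get("dmarc_result") == "fail" and record.get("domain_reputation") == "suspicious":
        reasons.append("dmarc_fail_suspicious_domain")
    if record.get("attack_types"):
        reasons.append("agari_attack_types:" + ",".join(record["attack_types"]))
    return reasons


def triage_ndjson(text: str, ioc_hashes: set = IOC_SHA256) -> dict:
    """Map message id -> reasons for every flagged message in an NDJSON feed.

    Records missing required fields are rejected rather than silently skipped,
    so a broken export is noticed before it reaches the data lake.
    """
    flagged = {}
    for rec in parse_ndjson(text):
        missing = missing_message_fields(rec)
        if missing:
            raise ValueError(f"record {rec.get('id')} missing {missing}")
        reasons = triage_message(rec, ioc_hashes)
        if reasons:
            flagged[rec["id"]] = reasons
    return flagged


if __name__ == "__main__":
    feed = to_ndjson(SAMPLE_MESSAGES)
    print(triage_ndjson(feed))
    print(to_ndjson(SAMPLE_POLICY_EVENTS), end="")
```

Run stand-alone, the script flags message 1 (IOC hash hit, DMARC failure from a suspicious domain, and an Agari-assigned attack type) and leaves message 2 alone; the policy events array is emitted as a single NDJSON line. Feeding a JSON array file straight to parse_ndjson raises, which is the failure you want to see before a malformed upload lands in S3.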