Overview

Agari is an email protection product, protecting against phishing, business email compromise scams and other advanced email threats.

Integrating Agari with Hunters enables collection and ingestion of its key data types into the data lake. Alerts are then created over these logs, auto-investigated and correlated with other related signals.

Supported data types

Agari's Phishing Defense API provides two data types.

  1. Messages - Information on every email message monitored by Agari, including the sending domain's reputation, attachment hashes that can be compared against vetted IOC data, and more.

  2. Policy Events - Agari's security policies trigger on messages and create policy events, for example for messages from suspicious domains or external emails sent to C-level personnel.

Sending data to Hunters

API Integration

Hunters supports API collection for Agari events. To enable it, supply the following API credentials in the Hunters platform:

  • Client ID

  • Client Secret

To obtain the keys, follow these steps:

  1. Log into your Agari product

  2. Click on your username in the upper right and select Settings

  3. Click on the Generate API Secret link to generate an API client_id and client_secret (the link will read Regenerate API Secret if you have already generated an API client ID/secret previously)

  4. Copy both the client_id and client_secret that are generated and store them somewhere safe

Expected Format

If Agari events are already being collected in your environment, they can be shipped to Hunters via shared blob storage such as AWS S3. The expected format for the events is:

Agari Phishing Defense Messages Sample

{
"authenticity": {
"additionalProp": "string"
},
"date": {
"additionalProp": "string"
},
"domain_reputation": {
"additionalProp": "string"
},
"from": {
"additionalProp": "string"
},
"from_domain": {
"additionalProp": "string"
},
"id": {
"additionalProp": "string"
},
"mail_from": {
"additionalProp": "string"
},
"message_id": {
"additionalProp": "string"
},
"message_trust_score": {
"additionalProp": "string"
},
"reply_to": {
"additionalProp": "string"
},
"sbrs": {
"additionalProp": "string"
},
"subject": {
"additionalProp": "string"
},
"timestamp_ms": {
"additionalProp": "string"
},
"to": {
"additionalProp": "string"
},
"attachment_extensions": {
"additionalProp": "string"
},
"attachment_filenames": {
"additionalProp": "string"
},
"attachment_sha256": {
"additionalProp": "string"
},
"attachment_types": {
"additionalProp": "string"
},
"attack_types": {
"additionalProp": "string"
},
"dkim_result": {
"additionalProp": "string"
},
"dmarc_result": {
"additionalProp": "string"
},
"domain_dmarc_policy": {
"additionalProp": "string"
},
"domain_tags": {
"additionalProp": "string"
},
"enforcement_action": {
"additionalProp": "string"
},
"enforcement_folder": {
"additionalProp": "string"
},
"enforcement_result": {
"additionalProp": "string"
},
"expanded_from": {
"additionalProp": "string"
},
"forwarded_from": {
"additionalProp": "string"
},
"has_attachment": {
"additionalProp": "string"
},
"has_malicious_attachment": {
"additionalProp": "string"
},
"ip": {
"additionalProp": "string"
},
"message_details_link": {
"additionalProp": "string"
},
"message_read_status": {
"additionalProp": "string"
},
"org_domain": {
"additionalProp": "string"
},
"policy_ids": {
"additionalProp": "string"
},
"ptr_name": {
"additionalProp": "string"
},
"sender_approval_state": {
"additionalProp": "string"
},
"sender_type": {
"additionalProp": "string"
},
"spf_result": {
"additionalProp": "string"
},
"authentication_results": {
"additionalProp": "string"
},
"dkim_d_tag": {
"additionalProp": "string"
},
"matched_policies": {
"additionalProp": "string"
},
"risk_reason": {
"additionalProp": "string"
},
"sending_ip_address": {
"additionalProp": "string"
},
"download_message_link": {
"additionalProp": "string"
}
}
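Before shipping already-collected events to the shared storage described above, it helps to check each record against the expected message format. The following is an added example (not Hunters' or Agari's own code) that validates a JSON line against the top-level keys of the Messages sample and compares attachment_sha256 values against a vetted IOC set; the sample record, the IOC values and the list-or-comma-separated shape assumed for attachment_sha256 are constructed assumptions, since the sample above shows only placeholders.

```python
import json

# Top-level fields of the Agari Phishing Defense Messages format shown above.
AGARI_MESSAGE_KEYS = frozenset({
    "authenticity", "date", "domain_reputation", "from", "from_domain", "id",
    "mail_from", "message_id", "message_trust_score", "reply_to", "sbrs",
    "subject", "timestamp_ms", "to", "attachment_extensions",
    "attachment_filenames", "attachment_sha256", "attachment_types",
    "attack_types", "dkim_result", "dmarc_result", "domain_dmarc_policy",
    "domain_tags", "enforcement_action", "enforcement_folder",
    "enforcement_result", "expanded_from", "forwarded_from", "has_attachment",
    "has_malicious_attachment", "ip", "message_details_link",
    "message_read_status", "org_domain", "policy_ids", "ptr_name",
    "sender_approval_state", "sender_type", "spf_result",
    "authentication_results", "dkim_d_tag", "matched_policies", "risk_reason",
    "sending_ip_address", "download_message_link",
})

def validate_message(record: dict) -> tuple[list[str], list[str]]:
    """Return (missing, unexpected) top-level keys relative to the expected format."""
    present = set(record)
    return sorted(AGARI_MESSAGE_KEYS - present), sorted(present - AGARI_MESSAGE_KEYS)

def attachment_ioc_hits(record: dict, vetted_iocs: set[str]) -> list[str]:
    """SHA-256 digests in attachment_sha256 that match the vetted IOC set.
    Assumption: the field holds a list of hex digests or a comma-separated string.
    """
    value = record.get("attachment_sha256") or []
    if isinstance(value, str):
        value = value.split(",")
    hashes = {h.strip().lower() for h in value if h.strip()}
    return sorted(hashes & {i.lower() for i in vetted_iocs})

def check_line(line: str, vetted_iocs: set[str]) -> dict:
    """Validate one JSON line (one message record) and report IOC matches."""
    record = json.loads(line)
    missing, unexpected = validate_message(record)
    return {"id": record.get("id"), "missing": missing,
            "unexpected": unexpected, "ioc_hits": attachment_ioc_hits(record, vetted_iocs)}

# Constructed sample record and IOC set (placeholder values, not real Agari output).
SAMPLE_RECORD = {k: "" for k in AGARI_MESSAGE_KEYS}
SAMPLE_RECORD.update({"id": "msg-1", "dmarc_result": "fail", "has_attachment": "true",
                      "attachment_sha256": ["AB" * 32, "cd" * 32]})
SAMPLE_IOCS = {"ab" * 32}
SAMPLE_LINE = json.dumps(SAMPLE_RECORD)
```

A record with missing keys is worth rejecting before upload, since Hunters expects the format above rather than a partial one.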

Agari Phishing Defense Policy Sample

[
{
"id": 0,
"summary": true,
"alert_definition_name": "string",
"created_at": "string",
"updated_at": "string",
"notified_original_recipients": true,
"admin_recipients": "string",
"policy_action": "string",
"policy_enabled": true
}
]