
# Agari Phishing Defense

This Integration is part of the Agari Phishing Defense Pack.

Agari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business. This integration was integrated and tested with a standard version of Agari Phishing Defense.

## Configure Agari Phishing Defense in Cortex

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| url | URL to connect to Agari | True |
| apikey | API Key | True |
| apisecret | Secret Key | True |
| max_fetch | Maximum number of incidents to fetch every time | True |
| first_fetch | First fetch time interval | False |
| fetch_policy_actions | Policy Action | False |
| exclude_alert_type | Exclude alerts | False |
| policy_filter | Fetches policy events to limit the amount of data. Can be applied to specific fields | False |
| incidentType | Incident type | False |
| isFetch | Fetch incidents | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### apd-list-policy-events

Retrieves a list of policy events.

#### Base Command

`apd-list-policy-events`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| limit | The maximum number of items to be returned in the paged response. | Optional |
| start_date | The earliest date time (UTC) a search should target (ISO 8601 format). Formats accepted: `YYYY-MM-dd`, `YYYY-MM-ddTHH:mm:ss`, `N days`, `N hours`. Examples: `2020-05-01`, `2020-05-01T00:00:00`, `2 days`, `5 hours`. | Optional |
| end_date | The latest date time (UTC) a search should target (ISO 8601 format). Formats accepted: `YYYY-MM-dd`, `YYYY-MM-ddTHH:mm:ss`, `N days`, `N hours`. Examples: `2020-05-01`, `2020-05-01T00:00:00`, `2 days`, `5 hours`. | Optional |
| page_id | To page through a collection of policy events. | Optional |
| sort | A comma-delimited string that specifies the field ordering to be applied to the response. Example: `created_at DESC, id ASC`. | Optional |
| add_fields | A comma-delimited list of optional fields to add to the default payload. Additional fields would add data in the entry context. | Optional |
| rem_fields | A comma-delimited list of fields to remove from the default payload. Limited fields would return limited data in entry context. | Optional |
| fields | A comma-delimited list of fields to include in the payload. Limited fields would return limited data in entry context. | Optional |
| filter | Search filters that can be applied to the response. | Optional |
| exclude_alert_types | Exclude policy types such as 'MessageAlert' or 'SystemAlert'. | Optional |
| policy_name | Find by policy name. | Optional |
| policy_action | Filter by policy action: 'deliver', 'mark-spam', 'move', 'inbox', 'delete' and 'none'. | Optional |
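
The `start_date`, `end_date` and `sort` arguments above each accept several shapes. The following is an added example, not part of this README and not the integration's own code, that normalizes the documented date formats into the UTC ISO 8601 form the API expects, rejects an inverted window, and applies a `created_at DESC, id ASC` ordering locally. The function names, the `FIXED_NOW` reference time and the `SAMPLE_EVENTS` records (modelled on the context example for this command) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed reference "now" so relative values ("2 days", "5 hours") give a predictable
# result in this example; production code would use datetime.now(timezone.utc).
FIXED_NOW = datetime(2020, 12, 3, 4, 32, 23, tzinfo=timezone.utc)

_RELATIVE = re.compile(r"^\s*(\d+)\s+(days?|hours?)\s*$", re.IGNORECASE)
_ABSOLUTE_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d")


def to_api_timestamp(value, now=None):
    """Normalize a start_date/end_date argument to 'YYYY-MM-ddTHH:mm:ssZ' (UTC).

    Accepts the four documented forms: 'YYYY-MM-dd', 'YYYY-MM-ddTHH:mm:ss',
    'N days' and 'N hours'. Absolute values are taken as UTC; relative values
    count back from `now`. Anything else raises ValueError so a malformed
    playbook input fails loudly instead of silently widening the search window.
    """
    now = now or datetime.now(timezone.utc)
    match = _RELATIVE.match(value)
    if match:
        amount, unit = int(match.group(1)), match.group(2).lower()
        delta = timedelta(days=amount) if unit.startswith("day") else timedelta(hours=amount)
        return (now - delta).strftime("%Y-%m-%dT%H:%M:%SZ")
    for fmt in _ABSOLUTE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).strftime("%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
    raise ValueError(f"unsupported date argument: {value!r}")


def is_valid_date_argument(value):
    """True when `value` is one of the accepted shapes; handy for validating inputs up front."""
    try:
        to_api_timestamp(value)
        return True
    except ValueError:
        return False


def date_window(start_date=None, end_date=None, now=None):
    """Build the (start, end) pair for the request, rejecting an inverted window."""
    start = to_api_timestamp(start_date, now) if start_date else None
    end = to_api_timestamp(end_date, now) if end_date else None
    if start and end and start > end:  # same-shape ISO 8601 strings sort lexically
        raise ValueError(f"start_date {start} is after end_date {end}")
    return start, end


def parse_sort(spec):
    """Parse 'created_at DESC, id ASC' into [(field, descending), ...]; direction defaults to ASC."""
    keys = []
    for term in spec.split(","):
        tokens = term.split()
        if not tokens:
            continue
        if len(tokens) > 2 or (len(tokens) == 2 and tokens[1].upper() not in ("ASC", "DESC")):
            raise ValueError(f"bad sort term: {term.strip()!r}")
        keys.append((tokens[0], len(tokens) == 2 and tokens[1].upper() == "DESC"))
    return keys


def sort_events(events, spec):
    """Apply the multi-key ordering locally. Python's sort is stable, so applying the
    keys from last to first is equivalent to sorting on one composite key."""
    ordered = list(events)
    for field, descending in reversed(parse_sort(spec)):
        ordered.sort(key=lambda event: event[field], reverse=descending)
    return ordered


# Constructed sample, modelled on the context example shown for this command.
SAMPLE_EVENTS = [
    {"id": 549904303, "alert_definition_name": "Spoof of Partner Domains", "created_at": "2020-12-03T04:32:23Z"},
    {"id": 549904302, "alert_definition_name": "Untrusted Messages", "created_at": "2020-12-03T04:32:23Z"},
]

if __name__ == "__main__":
    print(date_window("2 days", "5 hours", now=FIXED_NOW))
    print([event["id"] for event in sort_events(SAMPLE_EVENTS, "created_at DESC, id ASC")])
```

Because both sample events share a `created_at`, the second sort key decides their order, which is exactly the tie-break the `sort` example on this page expresses.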

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| AgariPhishingDefense.Alert.alert_definition_name | String | Alert definition name. |
| AgariPhishingDefense.Alert.id | String | Unique alert id. |
| AgariPhishingDefense.Alert.summary | String | Summary of the alert. |
| AgariPhishingDefense.Alert.policy_action | String | Alert policy action. |
| AgariPhishingDefense.Alert.policy_enabled | Boolean | Indicates if policy is enabled. |
| AgariPhishingDefense.Alert.updated_at | Date | Updated time of the alert. The format is ISO8601. |
| AgariPhishingDefense.Alert.created_at | Date | Created time of the alert. The format is ISO8601. |
| AgariPhishingDefense.Alert.admin_recipients | Unknown | List of notified admin recipients. |
| AgariPhishingDefense.Alert.notified_original_recipients | Boolean | Indicates whether the original recipient was notified. |

#### Command Example

```
!apd-list-policy-events limit=2
```

#### Context Example

```json
{
    "AgariPhishingDefense": {
        "Alert": [
            {
                "alert_definition_name": "Spoof of Partner Domains",
                "created_at": "2020-12-03T04:32:23Z",
                "id": 549904303,
                "notified_original_recipients": false,
                "policy_action": "none",
                "policy_enabled": true,
                "summary": false,
                "updated_at": "2020-12-03T04:32:23Z"
            },
            {
                "alert_definition_name": "Untrusted Messages",
                "created_at": "2020-12-03T04:32:23Z",
                "id": 549904302,
                "notified_original_recipients": false,
                "policy_action": "none",
                "policy_enabled": true,
                "summary": false,
                "updated_at": "2020-12-03T04:32:23Z"
            }
        ]
    }
}
```

#### Human Readable Output

##### Policy Events

| **Event ID** | **Alert Definition Name** | **Policy Action** | **Notified Original Recipients** | **Created** | **Updated** |
| --- | --- | --- | --- | --- | --- |
| 549904303 | Spoof of Partner Domains | none | false | 2020-12-03T04:32:23Z | 2020-12-03T04:32:23Z |
| 549904302 | Untrusted Messages | none | false | 2020-12-03T04:32:23Z | 2020-12-03T04:32:23Z |

### apd-list-message-data

Retrieves a list of messages.

#### Base Command

`apd-list-message-data`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| start_date | The earliest date time (UTC) a search should target (ISO 8601 format). Formats accepted: `YYYY-MM-dd`, `YYYY-MM-ddTHH:mm:ss`, `N days`, `N hours`. Examples: `2020-05-01`, `2020-05-01T00:00:00`, `2 days`, `5 hours`. | Optional |
| end_date | The latest date time (UTC) a search should target (ISO 8601 format). Formats accepted: `YYYY-MM-dd`, `YYYY-MM-ddTHH:mm:ss`, `N days`, `N hours`. Examples: `2020-05-01`, `2020-05-01T00:00:00`, `2 days`, `5 hours`. | Optional |
| add_fields | A comma-delimited list of optional fields to add to the default payload. Additional fields would add data in the entry context. | Optional |
| rem_fields | A comma-delimited list of fields to remove from the default payload. Limited fields would return limited data in entry context. | Optional |
| fields | A comma-delimited list of fields to include in the payload. Limited fields would return limited data in entry context. | Optional |
| limit | The maximum number of items to be returned in the paged response. | Optional |
| page_id | To page through a collection of message data. | Optional |
| sort | A comma-delimited string that specifies the field ordering to be applied to the response. | Optional |
| search | Search using advanced search syntax. Format: `field operator operand {and/or field operator operand}`. Examples: `has_attachment=true and ip='10.0.0.0'`, `sbrs in [3.5, 2.6]`, `domain_reputation is not null`, `sbrs gt 3`, `sbrs>=3 and domain_tags eq internal`. | Optional |
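
The `search` argument's syntax above can be exercised locally before a query is sent. The following is an added example, not the integration's own code: it tokenizes and parses the documented grammar and evaluates the result over records shaped like this command's context output, so an analyst can check what a search string selects on exported data. The API evaluates `search` server-side; this only mirrors the documented forms. The operators beyond the `=`, `>=`, `eq`, `gt`, `in` and `is not null` shown on the page (`!=`, `<`, `<=`, `ne`, `lt`, `ge`, `le`, `is null`), the rule that list-valued fields such as `domain_tags` match when any element matches, and the `SAMPLE_MESSAGES` records (the page's two records given an `sbrs` value, plus a third constructed record) are assumptions.

```python
import operator
import re

# Tokens of the documented search syntax: [list], 'quoted', symbolic operator, number and bare word
# (field names, the keywords and/or/in/is/not/null, and unquoted operands such as true or internal).
_TOKEN = re.compile(r"""\s*(?:(?P<list>\[[^\]]*\])|(?P<str>'[^']*'|"[^"]*")|(?P<op>>=|<=|!=|=|>|<)"""
                    r"""|(?P<num>-?\d+(?:\.\d+)?)|(?P<word>[A-Za-z_][\w.-]*))""")
_WORD_OPS = {"eq": "=", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}  # ne/lt/ge/le assumed
_CMP = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def tokenize(text):
    """Split a search string into (kind, text) tokens; any unrecognized character raises ValueError."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        tokens.append((match.lastgroup, match.group(match.lastgroup)))
        pos = match.end()
    return tokens

def _literal(kind, text):
    # quoted -> str, number -> float, true/false -> bool, any other bare word -> str
    if kind == "str":
        return text[1:-1]
    if kind == "num":
        return float(text)
    return {"true": True, "false": False}.get(text.lower(), text)

def parse(tokens):
    """Build ('and'|'or', l, r) / ('cmp', field, op, operand) / ('in', field, items) / ('null'|'notnull', field) nodes.
    Conditions chain left to right as written, matching the page's {and/or ...} grammar."""
    pos = 0
    def peek(kind=None, value=None):
        if pos >= len(tokens):
            return None
        k, v = tokens[pos]
        return v if kind in (None, k) and value in (None, v.lower()) else None
    def take(kind=None, value=None):
        nonlocal pos
        if peek(kind, value) is None:
            raise ValueError(f"syntax error near {tokens[pos:pos + 2]}")
        pos += 1
        return tokens[pos - 1]
    def cond():
        field = take("word")[1]
        if peek("word", "is"):                                    # field is [not] null
            take()
            negate = peek("word", "not") is not None and take() is not None  # consume 'not' if present
            take("word", "null")
            return ("notnull" if negate else "null", field)
        if peek("word", "in"):                                    # field in [a, b]
            take()
            items = [tokenize(p)[0] for p in take("list")[1][1:-1].split(",") if p.strip()]
            return ("in", field, [_literal(*item) for item in items])
        op = take()[1] if peek("op") else _WORD_OPS.get(take("word")[1].lower())
        if op is None or not (peek("num") or peek("str") or peek("word")):
            raise ValueError(f"bad operator or missing operand in condition on {field!r}")
        return ("cmp", field, op, _literal(*take()))
    node = cond()
    while peek("word", "and") or peek("word", "or"):
        node = (take()[1].lower(), node, cond())
    if pos != len(tokens):
        raise ValueError(f"trailing tokens {tokens[pos:]}")
    return node

def _coerce(value, operand):
    """Bring a record value to the operand's type ('0.6' -> 0.6, 'false' -> False); None never matches."""
    if value is None:
        return None
    if isinstance(operand, bool):
        return str(value).lower() == "true"
    if isinstance(operand, float):
        return float(value) if re.fullmatch(r"-?\d+(\.\d+)?", str(value)) else None
    return str(value)

def evaluate(node, record):
    kind = node[0]
    if kind in ("and", "or"):
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left and right) if kind == "and" else (left or right)
    value = record.get(node[1])
    if kind in ("null", "notnull"):
        return (value is None) == (kind == "null")
    values = value if isinstance(value, list) else [value]        # list fields match on any element
    pairs = [("=", item) for item in node[2]] if kind == "in" else [(node[2], node[3])]
    return any(_coerce(v, operand) is not None and _CMP[op](_coerce(v, operand), operand)
               for v in values for op, operand in pairs)

# Constructed sample records modelled on this command's context example: the page's two records
# given an sbrs value, plus a third constructed record that carries an attachment.
SAMPLE_MESSAGES = [
    {"id": "785d91a8-34fb-11eb-bf90-f6ba445dac4f", "has_attachment": "false", "ip": "1.2.3.4",
     "domain_reputation": "9.0", "domain_tags": ["partner"], "sbrs": "3.5"},
    {"id": "7852dc68-34fb-11eb-bf90-f6ba445dac4f", "has_attachment": "false", "ip": "2.2.3.4",
     "domain_reputation": "8.6", "domain_tags": ["internal"], "sbrs": "2.1"},
    {"id": "constructed-third-record", "has_attachment": "true", "ip": "10.0.0.0",
     "domain_tags": ["internal"], "sbrs": "4.0"},
]

def search_messages(search, records=SAMPLE_MESSAGES):
    """Ids of the records satisfying the search string; a malformed query raises ValueError."""
    tree = parse(tokenize(search))
    return [record["id"] for record in records if evaluate(tree, record)]
```

Running `search_messages("sbrs>=3 and domain_tags eq internal")` selects only the constructed third record, while `search_messages("domain_reputation is not null")` returns the page's two records because the third has no `domain_reputation` field. Numeric fields arrive as strings in the context output (`"9.0"`, `"0.6"`), which is why `_coerce` converts by the operand's type rather than comparing raw strings.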

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| AgariPhishingDefense.Message.has_attachment | Boolean | Has attachment. |
| AgariPhishingDefense.Message.ip | String | IP address. |
| AgariPhishingDefense.Message.message_id | String | The Global message ID. |
| AgariPhishingDefense.Message.ptr_name | String | PTR name. |
| AgariPhishingDefense.Message.sbrs | String | SBRS. |
| AgariPhishingDefense.Message.id | String | The internal message ID. |
| AgariPhishingDefense.Message.authenticity | Number | Authenticity score. |
| AgariPhishingDefense.Message.to | String | Message recipient. |
| AgariPhishingDefense.Message.date | String | Date in ISO format. |
| AgariPhishingDefense.Message.timestamp_ms | Number | Timestamp in ms since epoch. |
| AgariPhishingDefense.Message.from | String | Sender's email. |
| AgariPhishingDefense.Message.from_domain | String | From domain. |
| AgariPhishingDefense.Message.subject | String | Message subject. |
| AgariPhishingDefense.Message.domain_reputation | Number | Reputation of sender domain. |
| AgariPhishingDefense.Message.message_trust_score | Number | Risk score. |
| AgariPhishingDefense.Message.message_details_link | String | Link to message details. |
| AgariPhishingDefense.Message.domain_tags | Unknown | List of domain tags. |
| AgariPhishingDefense.Message.mail_from | String | Mail from domain. |
| AgariPhishingDefense.Message.reply_to | String | Reply-to address. |
| AgariPhishingDefense.Message.uris | Unknown | List of URIs. |
| AgariPhishingDefense.Message.attachment_extensions | Unknown | List of message attachment extensions. |
| AgariPhishingDefense.Message.attachment_filenames | Unknown | List of message attachment filenames. |
| AgariPhishingDefense.Message.attachment_sha256 | Unknown | List of message attachment SHA256 hashes. |
| AgariPhishingDefense.Message.attachment_types | Unknown | List of message attachment types. |
| AgariPhishingDefense.Message.attack_types | Unknown | List of attack type classifications. |
| AgariPhishingDefense.Message.dkim_result | String | DKIM result. |
| AgariPhishingDefense.Message.dmarc_result | String | DMARC result. |
| AgariPhishingDefense.Message.domain_dmarc_policy | String | DMARC policy for domain. |
| AgariPhishingDefense.Message.enforcement_action | String | Enforcement action. |
| AgariPhishingDefense.Message.enforcement_folder | String | Enforcement folder. |
| AgariPhishingDefense.Message.enforcement_result | String | Enforcement result. |
| AgariPhishingDefense.Message.expanded_from | String | Expanded from. |
| AgariPhishingDefense.Message.forwarded_from | String | Forwarded from. |
| AgariPhishingDefense.Message.has_malicious_attachment | Boolean | Has malicious attachment. |
| AgariPhishingDefense.Message.message_read_status | Boolean | Message read status. |
| AgariPhishingDefense.Message.org_domain | String | Organization domain. |
| AgariPhishingDefense.Message.policy_ids | Unknown | List of triggered policy IDs. |
| AgariPhishingDefense.Message.sender_approval_state | String | Sender approval state. |
| AgariPhishingDefense.Message.sender_type | String | Sender type. |
| AgariPhishingDefense.Message.spf_result | String | SPF result. |

#### Command Example

```
!apd-list-message-data limit=2
```

#### Context Example

```json
{
    "AgariPhishingDefense": {
        "Message": [
            {
                "attack_types": [
                    "spoof (Domain spoof)"
                ],
                "authenticity": "0.085819915",
                "date": "2020-12-03T02:07:02+00:00",
                "domain_reputation": "9.0",
                "domain_tags": [
                    "partner"
                ],
                "enforcement_action": "move",
                "enforcement_result": "pending",
                "from": "Accounts@abc.com",
                "from_domain": "abc.com",
                "has_attachment": "false",
                "id": "785d91a8-34fb-11eb-bf90-f6ba445dac4f",
                "ip": "1.2.3.4",
                "message_details_link": "https://apis.com/messages/785d91a8-34fb-11eb-bf90-f6ba445dac4f",
                "message_id": "<facade2c8712345c91c755d17f1134cb@BY2PR12MB0054.abc.com>",
                "message_trust_score": "0.6",
                "policy_ids": [
                    9014,
                    9008,
                    2843446
                ],
                "subject": "Please approve and forward expense report \"December Expenses\"",
                "timestamp_ms": "1606961222000",
                "to": "acoyle@xyz.com"
            },
            {
                "attack_types": [
                    "spoof (Domain spoof)"
                ],
                "authenticity": "0.07902577",
                "date": "2020-12-03T02:07:02+00:00",
                "domain_reputation": "8.6",
                "domain_tags": [
                    "internal"
                ],
                "enforcement_action": "move",
                "enforcement_result": "pending",
                "from": "help@xyz.com",
                "from_domain": "xyz.com",
                "has_attachment": "false",
                "id": "7852dc68-34fb-11eb-bf90-f6ba445dac4f",
                "ip": "2.2.3.4",
                "message_details_link": "https://apis.com/messages/7852dc68-34fb-11eb-bf90-f6ba445dac4f",
                "message_id": "<facade2c12345f9c91c755d17f1134cb@BY2PR12MB0054.xyz.com>",
                "message_trust_score": "0.8",
                "policy_ids": [
                    9014,
                    9009,
                    2843455
                ],
                "subject": "Please approve and forward expense report \"December Expenses\"",
                "timestamp_ms": "1606961222000",
                "to": "aarmstrong@xyz.com"
            }
        ]
    }
}
```

#### Human Readable Output

##### Messages

| **ID** | **From** | **To** | **Subject** | **Message Trust Score** | **Domain Reputation** | **IP** | **Authenticity** | **Attack Types** | **Date** |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 785d91a8-34fb-11eb-bf90-f6ba445dac4f | Accounts@abc.com | acoyle@xyz.com | Please approve and forward expense report "December Expenses" | 0.6 | 9.0 | 1.2.3.4 | 0.085819915 | spoof (Domain spoof) | 2020-12-03T02:07:02+00:00 |
| 7852dc68-34fb-11eb-bf90-f6ba445dac4f | help@xyz.com | aarmstrong@xyz.com | Please approve and forward expense report "December Expenses" | 0.8 | 8.6 | 2.2.3.4 | 0.07902577 | spoof (Domain spoof) | 2020-12-03T02:07:02+00:00 |

### apd-remediate-message

Remediates a suspected message.

#### Base Command

`apd-remediate-message`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | The primary identifier (UUID) of the message to remediate. To retrieve the ID, execute the apd-list-message-data command. | Required |
| operation | The remediation operation to apply to the message: either 'delete' or 'move'. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!apd-remediate-message id="0e43a684-2e0e-11eb-815a-0a8f2da72108" operation="move"
```

#### Context Example

```json
{}
```

#### Human Readable Output

Message ID - 0e43a684-2e0e-11eb-815a-0a8f2da72108 remediated successfully with operation 'move'.