Agari Phishing Defense
Agari Phishing Defense Pack.#
This Integration is part of theAgari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business. This integration was integrated and tested with a standard version of Agari Phishing Defense.
#
Configure Agari Phishing Defense in CortexParameter | Description | Required |
---|---|---|
url | URL to connect to Agari | True |
apikey | API Key | True |
apisecret | Secret Key | True |
max_fetch | Maximum number of incidents to fetch every time | True |
first_fetch | First fetch time interval | False |
fetch_policy_actions | Policy Action | False |
exclude_alert_type | Exclude alerts | False |
policy_filter | Fetches policy events to limit the amount of data. Can be applied to specific fields | False |
incidentType | Incident type | False |
isFetch | Fetch incidents | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
apd-list-policy-eventsRetrieves a list of policy events.
#
Base Commandapd-list-policy-events
#
InputArgument Name | Description | Required |
---|---|---|
limit | The maximum number of items to be returned in the paged response. | Optional |
start_date | The earliest date time (UTC) a search should target (ISO 8601 format). Formats accepted: YYYY-MM-dd YYYY-MM-ddTHH:mm:ss N days N hours Example: 2020-05-01 2020-05-01T00:00:00 2 days 5 hours. | Optional |
end_date | The latest date time (UTC) a search should target (ISO 8601 format). Formats accepted: YYYY-MM-dd YYYY-MM-ddTHH:mm:ss N days N hours Example: 2020-05-01 2020-05-01T00:00:00 2 days 5 hours. | Optional |
page_id | To page through a collection of policy events. | Optional |
sort | A comma-delimited string that specifies the field ordering to be applied to the response. Example: created_at DESC, id ASC. | Optional |
add_fields | A comma-delimited list of optional fields to add to the default payload. Additional fields would add data in the entry context. | Optional |
rem_fields | A comma-delimited list of fields to remove from the default payload. Limited fields would return limited data in entry context. | Optional |
fields | A comma-delimited list of fields to include in the payload. Limited fields would return limited data in entry context. | Optional |
filter | Search filters that can be applied to the response. | Optional |
exclude_alert_types | Exclude policy types such as 'MessageAlert' or 'SystemAlert'. | Optional |
policy_name | Find by policy name. | Optional |
policy_action | Filter by policy action: 'deliver', 'mark-spam', 'move', 'inbox', 'delete' and 'none'. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AgariPhishingDefense.Alert.alert_definition_name | String | Alert definition name. |
AgariPhishingDefense.Alert.id | String | Unique alert id. |
AgariPhishingDefense.Alert.summary | String | Summary of the alert. |
AgariPhishingDefense.Alert.policy_action | String | Alert policy action. |
AgariPhishingDefense.Alert.policy_enabled | Boolean | Indicates if policy is enabled. |
AgariPhishingDefense.Alert.updated_at | Date | Updated time of the alert. The format is ISO8601. |
AgariPhishingDefense.Alert.created_at | Date | Created time of the alert. The format is ISO8601. |
AgariPhishingDefense.Alert.admin_recipients | Unknown | List of notified admin recipients. |
AgariPhishingDefense.Alert.notified_original_recipients | Boolean | Indicates whether the original recipient was notified. |
#
Command Example!apd-list-policy-events limit=2
#
Context Example#
Human Readable Output#
Policy Events
Event ID Alert Definition Name Policy Action Notified Original Recipients Created Updated 549904303 Spoof of Partner Domains none false 2020-12-03T04:32:23Z 2020-12-03T04:32:23Z 549904302 Untrusted Messages none false 2020-12-03T04:32:23Z 2020-12-03T04:32:23Z
#
apd-list-message-dataRetrieves a list of messages.
#
Base Commandapd-list-message-data
#
InputArgument Name | Description | Required |
---|---|---|
start_date | The earliest date time (UTC) a search should target (ISO 8601 format). Formats accepted: YYYY-MM-dd YYYY-MM-ddTHH:mm:ss N days N hours Example: 2020-05-01 2020-05-01T00:00:00 2 days 5 hours. | Optional |
end_date | The latest date time (UTC) a search should target (ISO 8601 format). Formats accepted: YYYY-MM-dd YYYY-MM-ddTHH:mm:ss N days N hours Example: 2020-05-01 2020-05-01T00:00:00 2 days 5 hours. | Optional |
add_fields | A comma-delimited list of optional fields to add to the default payload. Additional fields would add data in the entry context. | Optional |
rem_fields | A comma-delimited list of fields to remove from the default payload. Limited fields would return limited data in entry context. | Optional |
fields | A comma-delimited list of fields to include in the payload. Limited fields would return limited data in entry context. | Optional |
limit | The maximum number of items to be returned in the paged response. | Optional |
page_id | To page through a collection of message data. | Optional |
sort | A comma-delimited string that specifies the field ordering to be applied to the response. | Optional |
search | Search using advanced search syntax. Format: field operator operand {and/or field operator operand} Example: has_attachment=true and ip='10.0.0.0' sbrs in [3.5, 2.6] domain_reputation is not null sbrs gt 3 sbrs>=3 and domain_tags eq internal | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AgariPhishingDefense.Message.has_attachment | Boolean | Has attachment. |
AgariPhishingDefense.Message.ip | String | IP address. |
AgariPhishingDefense.Message.message_id | String | The Global message ID. |
AgariPhishingDefense.Message.ptr_name | String | PTR name. |
AgariPhishingDefense.Message.sbrs | String | SBRS. |
AgariPhishingDefense.Message.id | String | The internal message ID. |
AgariPhishingDefense.Message.authenticity | Number | Authenticity score. |
AgariPhishingDefense.Message.to | String | Message recipient. |
AgariPhishingDefense.Message.date | String | Date in ISO format. |
AgariPhishingDefense.Message.timestamp_ms | Number | Timestamp in ms since epoch. |
AgariPhishingDefense.Message.from | String | Sender's email. |
AgariPhishingDefense.Message.from_domain | String | From domain. |
AgariPhishingDefense.Message.subject | String | Message subject. |
AgariPhishingDefense.Message.domain_reputation | Number | Reputation of sender domain. |
AgariPhishingDefense.Message.message_trust_score | Number | Risk score. |
AgariPhishingDefense.Message.message_details_link | String | Link to message details. |
AgariPhishingDefense.Message.domain_tags | Unknown | List of domain tags. |
AgariPhishingDefense.Message.mail_from | String | Mail from domain. |
AgariPhishingDefense.Message.reply_to | String | Reply-to address. |
AgariPhishingDefense.Message.uris | Unknown | List of URIs. |
AgariPhishingDefense.Message.attachment_extensions | Unknown | List of message attachment extensions. |
AgariPhishingDefense.Message.attachment_filenames | Unknown | List of message attachment filenames. |
AgariPhishingDefense.Message.attachment_sha256 | Unknown | List of message attachment SHA256 hashes. |
AgariPhishingDefense.Message.attachment_types | Unknown | List of message attachment types. |
AgariPhishingDefense.Message.attack_types | Unknown | List of attack type classifications. |
AgariPhishingDefense.Message.dkim_result | String | DKIM result. |
AgariPhishingDefense.Message.dmarc_result | String | DMARC result. |
AgariPhishingDefense.Message.domain_dmarc_policy | String | DMARC policy for domain. |
AgariPhishingDefense.Message.enforcement_action | String | Enforcement action. |
AgariPhishingDefense.Message.enforcement_folder | String | Enforcement folder. |
AgariPhishingDefense.Message.enforcement_result | String | Enforcement result. |
AgariPhishingDefense.Message.expanded_from | String | Expanded from. |
AgariPhishingDefense.Message.forwarded_from | String | Forwarded from. |
AgariPhishingDefense.Message.has_malicious_attachment | Boolean | Has malicious attachment. |
AgariPhishingDefense.Message.message_read_status | Boolean | Message read status. |
AgariPhishingDefense.Message.org_domain | String | Organization domain. |
AgariPhishingDefense.Message.policy_ids | Unknown | List of triggered policy IDs. |
AgariPhishingDefense.Message.sender_approval_state | String | Sender approval state. |
AgariPhishingDefense.Message.sender_type | String | Sender type. |
AgariPhishingDefense.Message.spf_result | String | SPF result. |
#
Command Example!apd-list-message-data limit=2
#
Context Example#
Human Readable Output#
Messages
ID From To Subject Message Trust Score Domain Reputation IP Authenticity Attack Types Date 785d91a8-34fb-11eb-bf90-f6ba445dac4f Accounts@abc.com acoyle@xyz.com Please approve and forward expense report "December Expenses" 0.6 9.0 1.2.3.4 0.085819915 spoof (Domain spoof) 2020-12-03T02:07:02+00:00 7852dc68-34fb-11eb-bf90-f6ba445dac4f help@xyz.com aarmstrong@xyz.com Please approve and forward expense report "December Expenses" 0.8 8.6 2.2.3.4 0.07902577 spoof (Domain spoof) 2020-12-03T02:07:02+00:00
#
apd-remediate-messageRemediate suspected message.
#
Base Commandapd-remediate-message
#
InputArgument Name | Description | Required |
---|---|---|
id | The primary identifier to remediate a message (UUID). To retrieve the ID execute the apd-list-message-data command. | Required |
operation | An operation to remediate a message. Remediation operation is either 'delete' or 'move'. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!apd-remediate-message id="0e43a684-2e0e-11eb-815a-0a8f2da72108" operation="move"
#
Context Example#
Human Readable OutputMessage ID - 0e43a684-2e0e-11eb-815a-0a8f2da72108 remediated successfully with operation 'move'.