Document toolboxDocument toolbox

Agari Phishing Defense collector

Service description

Agari Phishing defense is a cloud-based service that protects employees against phishing and Business Email Compromise (BEC) attacks.

The Devo Agari Phishing Defense integration collects data from the Agari API and ingests it into Devo where it is made available for analysts to query.

Data source description

The following data is ingested into Devo:

Data source

Description

API endpoint

Devo table

Data source

Description

API endpoint

Devo table

Message

Metadata about email messages processed by the Agari service.

/v1/ep/messages

mail.agari.phishing_defense.messages

Policy events

Details on policy events triggered by the Agari service.

/v1/ep/policy_events

mail.agari.phishing_defense.policy_events

Configuration

In order to configure the Devo Agari Phishing Defense integration you need to:

  1. Log in to your Agari product.

  2. Click on your username in the upper right and select Settings.

  3. Click on the Generate API Secret link to generate an API client_id and client_secret (the link will read Regenerate API Secret if you have already generated an API client ID/secret previously).

  4. Copy both the client_id and client_secret that are generated and store them somewhere safe.

Keep your client_id and client_secret secure.

API clients can use your client_id and client_secret to gain access to the APIs as your user. Keep these values somewhere safe and secure. Never share them with anyone.

For security purposes, the client_secret will not be displayed again, however, you can generate a new one whenever needed by following the steps above.

Running the collector

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

  1. In the Collector Server GUI, access the domain in which you want this instance to be created

  2. Click Add Collector and find Agari Phishing Defense - Integrations Factory.

  3. In the Version field, select the latest value.

  4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  5. In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.

  6. In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

{ "agari_phishing_defense": { "id": 111, "enabled": true, "requests_per_second": 5, "credentials": { "client_id": "<INSERT AGARI CLIENT ID>", "client_secret": "<INSERT AGARI CLIENT SECRET>" }, "services": { "policies": { "request_period_in_seconds": 60, }, "messages": { "request_period_in_seconds": 60, } } } }

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Agari phishing defense_10.png

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.2.0

Aug 29, 2023

IMPROVEMENTS

Upgraded DCSDK from 1.1.4 to 1.9.2

  • Store lookup instances into DevoSender to avoid creation of new instances for the same lookup

  • Ensure service_config is a dict into templates

  • Ensure special characters are properly sent to the platform

  • Changed log level to some messages from info to debug

  • Changed some wrong log messages

  • Upgraded some internal dependencies

  • Changed queue passed to setup instance constructor

  • Added log traces for knowing the execution environment status (debug mode)

  • Fixes in the current puller template version

  • Improved log trace details when runtime exceptions happen

  • Refactored source code structure

  • New “templates” functionality

  • Functionality for detecting some system signals for starting the controlled stopping

  • Input objects sends again the internal messages to devo.collectors.out table

  • Upgraded DevoSDK to version 3.6.4 to fix a bug related to a connection loss with Devo

  • Refactored source code structure

  • Changed way of executing the controlled stopping

  • Minimized probabilities of suffering a DevoSDK bug related to “sender” to be null

  • Ability to validate collector setup and exit without pulling any data

  • Ability to store in the persistence the messages that couldn’t be sent after the collector stopped

  • Ability to send messages from the persistence when the collector starts and before the puller begins working

  • Ensure special characters are properly sent to the platform

  • Added a lock to enhance sender object

  • Added new class attrs to the setstate and getstate queue methods

  • Fix sending attribute value to the setstate and getstate queue methods

  • Added log traces when queues are full and have to wait

  • Added log traces of queues time waiting every minute in debug mode

  • Added method to calculate queue size in bytes

  • Block incoming events in queues when there are no space left

  • Send telemetry events to Devo platform

  • Upgraded internal Python dependency Redis to v4.5.4

  • Upgraded internal Python dependency DevoSDK to v5.1.3

  • Fixed obfuscation not working when messages are sent from templates

  • New method to figure out if a puller thread is stopping

  • Upgraded internal Python dependency DevoSDK to v5.0.6

  • Improved logging on messages/bytes sent to Devo platform

  • Fixed wrong bytes size calculation for queues

  • New functionality to count bytes sent to Devo Platform (shown in console log)

  • Upgraded internal Python dependency DevoSDK to v5.0.4

  • Fixed bug in persistence management process, related to persistence reset

  • Aligned source code typing to be aligned with Python 3.9.x

  • Inject environment property from user config

  • Obfuscation service can be now configured from user config and module definiton

  • Obfuscation service can now obfuscate items inside arrays

  • Ensure special characters are properly sent to the platform

  • Changed log level to some messages from info to debug

  • Changed some wrong log messages

  • Upgraded some internal dependencies

  • Changed queue passed to setup instance constructor

  • Upgrade internal dependencies

Recommended version

v1.1.0

Jun 24, 2022

FEATURES VULNS

This release includes the following changes:

  • The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.

  • All critical and high vulnerabilities have been mitigated.

Recommended version