Email Security Blog

Agari Azure Sentinel Data Connector Automates Triage for Phishing Attacks Targeting Office 365 Email

Brent Sleeper April 6, 2021 Email Security

Building on a long partnership and tradition of innovation with Microsoft, Agari is excited to announce the launch of an Azure Sentinel Data Connector that supports triage of suspected phishing attacks within Office 365 email environments. This comes at an important time.

Email threat actors typically follow the biggest and potentially most lucrative targets. So it’s no surprise that large scale phishing campaigns—including significant attacks from Russian- and Chinese-backed groups—have been ramping up against organizations that have migrated to O365 to enhance their flexibility, scalability, and productivity. The move to support an increasingly mobile and virtual workforce in light of the COVID-19 pandemic has only accelerated this trend.

When it comes to keeping email and the larger integrated productivity suite safe from cyberattacks, these same organizations are now turning to Azure Sentinel for many of the same reasons—productivity and collaboration via a single, integrated solution set. In this case, it’s an integrated view of alerts and threats to support prioritized remediation.

With the new Agari Azure Sentinel Data Connector, Agari is the only solution that enables email threat intelligence to be quickly and easily integrated into the Sentinel dashboard. This enables fast, active sharing of IOCs and threat intelligence into Sentinel, and correlation with other matching events to reduce remediation and response time through the use of predefined rules and triggers. The objective: prevent infiltration of networks by threat actors and exfiltration of proprietary information.

Increased Visibility into Email Threat Data, Easier than Ever Before

Microsoft Azure Sentinel is a scalable, cloud-native Security Information Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and User and Entity Behavior Analytics (UEBA) platform. It’s designed to protect corporate investments in Microsoft cloud infrastructure, which can dramatically reduce management and overhead costs while future-proofing business.

Generally speaking, SIEM tools unify security alerts into a common data store and user interface, providing added support for prioritizing alerts and investigative workflows. And SOAR tools add orchestration, automated playbooks, case management dashboards and more.

But with cyber-alert fatigue on the rise—and with more employee-reported phishing attacks than they can possibly handle—SOC teams can quickly become overwhelmed. Even with the market-leading SIEM, SOAR, and UEBA capabilities of Azure Sentinel, a lack of integrated, email-specific workflows can create blind spots in an organization’s security posture, limiting the ability to support prioritization, forensic analysis, impact analysis, triage, remediation and reporting.

As a result, analysts are forced to pivot across multiple consoles for data collection, false positives mitigation, and more, as well as perform repetitive manual tasks throughout the lifecycle of an incident.

Enter: Agari Integrated Threat Data

Agari’s identity-based defenses have the proven ability to continuously and rapidly detect, respond to, and remediate advanced email threats. And our cloud-first solutions are built with open APIs to deliver better security, reduce costs, and support a dynamic and agile environment.

With the ability to trigger events within O365, control users via Active Directory, and automate management of login, desktop, and security events, teams gain a granular level of control and visibility into the threats to their email ecosystem. This rich visibility from email security, which is the first line of defense, can be incorporated into Sentinel’s analytical playbooks and dashboards to orchestrate protection processes and safeguard the entire infrastructure.

The integration of Agari threat data into Azure Sentinel gives analysts the flexibility to slice and investigate data in multiple ways. Some of the functional aspects of that integration include:

  • Azure Sentinel Data Connector defines what types of data to access from Agari solutions, including Agari Phishing Defense, Agari Brand Protection, and Agari Phishing Response
  • This creates a functional data lake to correlate data points across different data sets to identify email security events of interest and patterns of suspicious activity
  • Data coming from any number of adjacent logs can be operationalized
  • The connector supports Default Dashboard to view raw logs and run queries, and enables the creation of custom logs via the Kusto query language

The Only Solution for Fast, Easy Threat Data Integration with Sentinel

Agari is the only solution to allow you to very quickly integrate email threat intelligence into Sentinel. Among the many benefits, you can:

  • Operationalize indicators of compromise (IOC) and other threat data directly from Agari
  • Enable fast, active sharing of IOCs and threat intelligence into Sentinel to find other events that match
  • Create rules and triggers to reduce remediation and response time
  • Leverage Microsoft Graph APIs to query risks detected by the Identity Protection Tool
  • Create dashboards to enable quick visual inspection and identity policy hits on top attacks, top users attacked, previously undetected phishing emails, and RUF data from the Threat Feed to monitor for domain abuse

And best of all, there’s no need to jump through hoops transforming syslog or STIX TAXXI feeds.

Taking Email Threat Data Out of the Messaging Silo

This level of integration takes email out of the messaging silo, bringing threat intelligence directly into Sentinel’s SOAR capabilities—something not possible with antiquated, legacy email security controls that require specialized knowledge and result in slow remediation and response.

With the ability to track security incidents through a single pane of glass, teams can maximize the effectiveness of Azure Sentinel and quickly remediate email threats before they lead to costly fraud or data breaches—which according to Gartner, is the single best use case for these technologies.

Along the way, SOC teams are able to respond more quickly with automated, orchestrated collaborative workflows, as well as create standard security and compliance playbooks and simplified ticket tracking via case management.

As fraud actors continue to refine their evasion and obfuscation techniques, enterprises can no longer depend on siloed and fragmented point solutions to effectively protect their employees, customers, suppliers, and partners. Azure Sentinel is at the forefront of a growing trend toward consolidation and integration in the security stack.

To learn more about integrating Agari email threat intelligence with Azure Sentinel, read our solution brief now.

Agari Blog Image

July 7, 2021 Chris Sestito

Catching Lookalike Domains with Image-Based Analysis

Reading is like riding a bicycle:  once you master it, it feels easy and automatic,…

Agari Blog Image

April 29, 2021 Brent Sleeper

Powerful New Agari Phishing Defense Integration Comes to Cortex XSOAR

As we expand our integrations with industry leaders, we’re very excited to highlight a new…

Agari Blog Image

April 28, 2021 Seth Knox

Frost Radar Names Agari as a Leader in Email Security

Three months ago, when I joined Agari as the Chief Marketing Officer, I knew that…

Agari Blog Image

April 14, 2021 Patrick Peterson

Protecting Digital Communications During the Digital Transformation: A Look Back at Trust 2021

While we’re all Zoomed, Webexed and Teamed out after thirteen months of the pandemic, cybercriminals…

Agari Blog Image

January 24, 2021 Art Chavez

Email Security: Agari Delivers a Whole New Level of Actionable Insight to Outpace Threat Actors

CISOs and their teams are about to get some serious performance enhancers in their high-stakes…

mobile image