Agari Azure Sentinel Data Connector Automates Triage for Phishing Attacks Targeting Office 365 Email

Agari | April 6, 2021 | Email Security

Building on a long partnership and tradition of innovation with Microsoft, Agari is excited to announce the launch of an Azure Sentinel Data Connector that supports triage of suspected phishing attacks within Office 365 email environments. This comes at an important time.

Email threat actors typically follow the biggest and potentially most lucrative targets. So it’s no surprise that large-scale phishing campaigns—including significant attacks from Russian- and Chinese-backed groups—have been ramping up against organizations that have migrated to O365 to enhance their flexibility, scalability, and productivity. The move to support an increasingly mobile and virtual workforce in light of the COVID-19 pandemic has only accelerated this trend.

When it comes to keeping email and the larger integrated productivity suite safe from cyberattacks, these same organizations are now turning to Azure Sentinel for many of the same reasons—productivity and collaboration via a single, integrated solution set. In this case, it’s an integrated view of alerts and threats to support prioritized remediation.

With the new Agari Azure Sentinel Data Connector, Agari is the only solution that enables email threat intelligence to be quickly and easily integrated into the Sentinel dashboard. This enables fast, active sharing of IOCs and threat intelligence into Sentinel, and correlation with other matching events to reduce remediation and response time through the use of predefined rules and triggers. The objective: prevent infiltration of networks by threat actors and exfiltration of proprietary information.

Increased Visibility into Email Threat Data, Easier than Ever Before

Microsoft Azure Sentinel is a scalable, cloud-native Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and User and Entity Behavior Analytics (UEBA) platform. It’s designed to protect corporate investments in Microsoft cloud infrastructure, which can dramatically reduce management and overhead costs while future-proofing the business.

Generally speaking, SIEM tools unify security alerts into a common data store and user interface, providing added support for prioritizing alerts and investigative workflows. And SOAR tools add orchestration, automated playbooks, case management dashboards and more.

But with cyber-alert fatigue on the rise—and with more employee-reported phishing attacks than they can possibly handle—SOC teams can quickly become overwhelmed. Even with the market-leading SIEM, SOAR, and UEBA capabilities of Azure Sentinel, a lack of integrated, email-specific workflows can create blind spots in an organization’s security posture, limiting the ability to support prioritization, forensic analysis, impact analysis, triage, remediation and reporting.

As a result, analysts are forced to pivot across multiple consoles for data collection, false positives mitigation, and more, as well as perform repetitive manual tasks throughout the lifecycle of an incident.

Enter: Agari Integrated Threat Data

Agari’s identity-based defenses have the proven ability to continuously and rapidly detect, respond to, and remediate advanced email threats. And our cloud-first solutions are built with open APIs to deliver better security, reduce costs, and support a dynamic and agile environment.

With the ability to trigger events within O365, control users via Active Directory, and automate management of login, desktop, and security events, teams gain a granular level of control and visibility into the threats to their email ecosystem. This rich visibility from email security, which is the first line of defense, can be incorporated into Sentinel’s analytical playbooks and dashboards to orchestrate protection processes and safeguard the entire infrastructure.

The integration of Agari threat data into Azure Sentinel gives analysts the flexibility to slice and investigate data in multiple ways. Some of the functional aspects of that integration include:

  • Azure Sentinel Data Connector defines what types of data to access from Agari solutions, including Agari Phishing Defense, Agari Brand Protection, and Agari Phishing Response
  • This creates a functional data lake to correlate data points across different data sets to identify email security events of interest and patterns of suspicious activity
  • Data coming from any number of adjacent logs can be operationalized
  • The connector supports a default dashboard to view raw logs and run queries, and enables the creation of custom logs via the Kusto Query Language (KQL)

The Only Solution for Fast, Easy Threat Data Integration with Sentinel

Agari is the only solution to allow you to very quickly integrate email threat intelligence into Sentinel. Among the many benefits, you can:

  • Operationalize indicators of compromise (IOCs) and other threat data directly from Agari
  • Enable fast, active sharing of IOCs and threat intelligence into Sentinel to find other events that match
  • Create rules and triggers to reduce remediation and response time
  • Leverage Microsoft Graph APIs to query risks detected by the Identity Protection Tool
  • Create dashboards to enable quick visual inspection and identify policy hits on top attacks, top users attacked, previously undetected phishing emails, and RUF (DMARC failure report) data from the Threat Feed to monitor for domain abuse

And best of all, there’s no need to jump through hoops transforming syslog or STIX/TAXII feeds.
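The correlation described in the two lists above (Agari IOCs matched against other Office 365 events in Sentinel's data lake via KQL, then pivoted to Identity Protection risk) as an added KQL analytics-rule query; it is not from the Agari connector or this post. The Agari table `Agari_Alert_CL` and its columns are hypothetical placeholders for whatever the connector actually ingests; `EmailEvents` and `SigninLogs` are standard Sentinel tables.

```kusto
// Added example; Agari_Alert_CL and its columns (TimeGenerated, SenderDomain_s,
// AlertType_s) are assumed placeholders, not the connector's real schema.
let lookback = 7d;
// 1. Indicators from Agari alerts: sender domains flagged as phishing
let agari_domains = Agari_Alert_CL
    | where TimeGenerated > ago(lookback)
    | where AlertType_s in ("phishing", "display_name_impersonation")
    | summarize FirstSeen = min(TimeGenerated) by SenderDomain_s;
// 2. Messages from those domains that Office 365 actually delivered to a mailbox
let delivered = EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered"
    | join kind=inner agari_domains on $left.SenderFromDomain == $right.SenderDomain_s
    | project EmailTime = Timestamp, SenderFromDomain, RecipientEmailAddress,
              Subject, NetworkMessageId;
// 3. Recipients who then had a risky sign-in within 24h
//    (Identity Protection risk levels are surfaced in SigninLogs)
delivered
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ("medium", "high")
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, RiskLevelDuringSignIn
  ) on $left.RecipientEmailAddress == $right.UserPrincipalName
| where SigninTime between (EmailTime .. (EmailTime + 24h))
| summarize RiskySignins = count(), SourceIPs = make_set(IPAddress)
    by RecipientEmailAddress, SenderFromDomain, Subject, NetworkMessageId
| order by RiskySignins desc
```

Each result row is a delivered phishing message whose recipient showed risky sign-in activity afterwards, which is the prioritized triage list an analytics rule can turn into an incident.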

Taking Email Threat Data Out of the Messaging Silo

This level of integration takes email out of the messaging silo, bringing threat intelligence directly into Sentinel’s SOAR capabilities—something not possible with antiquated, legacy email security controls that require specialized knowledge and result in slow remediation and response.

With the ability to track security incidents through a single pane of glass, teams can maximize the effectiveness of Azure Sentinel and quickly remediate email threats before they lead to costly fraud or data breaches—which, according to Gartner, is the single best use case for these technologies.

Along the way, SOC teams are able to respond more quickly with automated, orchestrated collaborative workflows, as well as create standard security and compliance playbooks and simplified ticket tracking via case management.

As fraud actors continue to refine their evasion and obfuscation techniques, enterprises can no longer depend on siloed and fragmented point solutions to effectively protect their employees, customers, suppliers, and partners. Azure Sentinel is at the forefront of a growing trend toward consolidation and integration in the security stack.

To learn more about integrating Agari email threat intelligence with Azure Sentinel, read our solution brief now.