Agari Developer Documentation


Analyzing Failure Samples in SIEM or SOAR

Collecting and analyzing data is all the rage right now, but data is only useful if you know what to do with it. Collecting BP Failure Samples is a basic capability of the Agari API, however this guide will help your organization go further and assist you in analyzing failure samples in a SIEM or SOAR tool. Your organization very likely has as one of your goals reviewing threats from malicious domains, as well as the goal of ensuring that SPF or DKIM pass on messages being sent in your company's name. BP provides your organization with a list of failure samples collected via RUF, containing a wealth of information that can further expand your threat analysis. The first step in this process is your SIEM tool ingesting all of the failure sample data from BP, as shown in the example below.

cURL request

curl --request GET \
  --url 'https://api.agari.com/v1/cp/failure_samples?start_date=2020-12-01&end_date=2020-12-14&add_fields=sbrs%2Cadditional_headers%2Curis' \
  --header 'Accept: application/json'

Python

import requests

url = "https://api.agari.com/v1/cp/failure_samples"

# Date window for the samples plus the extra fields used later in this guide
querystring = {"start_date":"2020-12-01","end_date":"2020-12-14","add_fields":"sbrs,additional_headers,uris"}

headers = {"Accept": "application/json"}

response = requests.request("GET", url, headers=headers, params=querystring)
response.raise_for_status()  # fail loudly on a non-2xx reply instead of ingesting an error body

print(response.text)

The call is simple but adds a few key fields to our standard Failure Sample endpoint. Adding the fields additional_headers, uris, and sbrs allows future pivoting on this failure sample data. We will be using these fields a little further on.

Once the data has been ingested into your organization’s SIEM/SOAR product, you can build a reporting dashboard that provides the information key to your future investigations. Using one of the default fields to our advantage, you can search on origin:!legitimate to show only the samples that BP did not classify as legitimate.

Having the Brand Protection data in your SIEM allows you to add other sources of information to your dashboard for cross analysis. For example, you can add URIs from emails that Brand Protect has deemed not legitimate to an Azure Sentinel Watchlist, then use that watchlist across Azure Sentinel to enrich the threat landscape data in your investigations or to build better-tuned alerts on malicious URIs shared within your company email.

Simply adding the SBRS scores extends your investigative processes further, providing an additional layer of information to sift false positives out of the data. Filtering failure sample data on SBRS scores is not a function in Agari’s Brand Protect UI, but by pulling the data into a SIEM you can add the SBRS field to your search queries to pinpoint the most malicious messages quickly.

In either Azure Sentinel or the SIEM/SOAR product of your choosing, you can add alerts on failure samples that, for example, have an SBRS below -5.0, and these alerts will auto-generate an incident for your SOC team. The SOC team can then determine the validity of the threat from the failure sample data, including the headers, URIs and DMARC information, and decide whether a take-down service is needed to stop the further spread of malicious emails under your company name.
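The triage logic described above, as an added example that is not part of Agari's documentation or client code: it applies the origin:!legitimate filter, raises an alert for samples with an SBRS below -5.0, and collects the URIs of non-legitimate samples for a watchlist export. The input is a constructed response; the field names follow this page (origin, sbrs, uris, additional_headers), but the exact JSON layout and the "suspicious" origin value are assumptions.

```python
import json

# Constructed stand-in for an ingested failure_samples response. Field names
# follow this guide; the JSON layout and origin values are assumptions.
SAMPLE_RESPONSE = json.dumps({
    "failure_samples": [
        {"id": 1, "origin": "legitimate", "sbrs": 3.2,
         "uris": ["https://mail.example-brand.invalid/unsubscribe"],
         "additional_headers": {"From": "news@example-brand.invalid"}},
        {"id": 2, "origin": "suspicious", "sbrs": -6.4,
         "uris": ["http://login-example-brand.invalid/reset", "http://cdn.invalid/x"],
         "additional_headers": {"From": "security@example-brand.invalid"}},
        {"id": 3, "origin": "suspicious", "sbrs": -2.1,
         "uris": ["http://promo.invalid/offer"],
         "additional_headers": {"From": "promo@example-brand.invalid"}},
        {"id": 4, "origin": "suspicious", "sbrs": None,  # no SBRS score available
         "uris": [], "additional_headers": {}},
    ]
})

def load_samples(raw_json):
    return json.loads(raw_json)["failure_samples"]

def not_legitimate(samples):
    """Equivalent of the origin:!legitimate search used on the dashboard."""
    return [s for s in samples if s.get("origin") != "legitimate"]

def sbrs_alerts(samples, threshold=-5.0):
    """Samples that should open an incident: not legitimate AND SBRS below threshold.
    A missing SBRS is skipped rather than silently treated as 0."""
    return [s for s in not_legitimate(samples)
            if s.get("sbrs") is not None and s["sbrs"] < threshold]

def watchlist_uris(samples):
    """Unique URIs from non-legitimate samples, ready for a Sentinel Watchlist."""
    return sorted({u for s in not_legitimate(samples) for u in s.get("uris", [])})

def build_report(raw_json):
    samples = load_samples(raw_json)
    return {
        "alert_ids": [s["id"] for s in sbrs_alerts(samples)],
        "watchlist": watchlist_uris(samples),
    }

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_RESPONSE), indent=2))
```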
