Agari Message Remediation - Agari Phishing Defense

Investigates Agari policy events by obtaining the original message and attachments from the existing email integrations and remediates in Agari.

Agari Phishing Defense · 36 tasks · 10 inputs · 0 outputs

Inputs

  • APD Global Message ID — Global Message Id obtained from the incident.
  • AuthenticateEmail — Whether the authenticity of the email should be verified, using Authenticity Score.
  • OnCall — Set to true to assign only user that is currently on shift. Requires Cortex XSOAR v5.5 or later.
  • Role — The default role to assign the incident to.
  • ResolveIP — Resolve IP addresses to hostnames (DNS).
  • AutoRemeditaion — Whether Automatic remediate message or not.
  • RemediateAction — Default action for remediation of message.
  • UserEnrichmentEnable — Flag for enabling User Enrichment.
  • User Id — Id of User.
  • APD Internal Message ID — Internal Message Id obtained from the incident.

Commands used

closeInvestigation setIncident

Flowchart

yes yes yes Malicious No YES yes yes yes Suspicious Trusted Untrusted Start Start Is APD Global Message ID not empty? Is APD Global Message ID ... Done Done Process Email - Generic - Process Email - Generic Process Email - Generic Process Email - Generic Extract Indicators From File - Generic v2 - Extract Indicators From File - Generic v2 Extract Indicators From F... Extract Indicators From File ... Detonate File - Generic - Detonate File - Generic Detonate File - Generic Detonate File - Generic Indicator Enrichment Indicator Enrichment Investigation Investigation Should the email be authenticated? Should the email be authe... Email Authenticity Check Email Authenticity Check Calculate Severity - Generic v2 - Calculate Severity - Generic v2 Calculate Severity - Gene... Calculate Severity - Generic v2 Authenticate email - CheckEmailAuthenticity Authenticate email CheckEmailAuthenticity Save authenticity check result to incident field - setIncident Save authenticity check r... setIncident Assign to analyst - AssignAnalystToIncident Assign to analyst AssignAnalystToIncident Is the email malicious? Is the email malicious? Undetermined Undetermined Email is Malicious Email is Malicious Manually review the incident Manually review the incident Is the email malicious? Is the email malicious? Remeditation Remeditation User Enrichment User Enrichment Store the email address of the reporting user - Set Store the email address o... Set Email Address Enrichment - Generic v2.1 - Email Address Enrichment - Generic v2.1 Email Address Enrichment ... Email Address Enrichment - Ge... Save reporter email address in field - setIncident Save reporter email addre... setIncident Remediate Message - Agari Phishing Defense - Remediate Message - Agari Phishing Defense Remediate Message - Agari... Remediate Message - Agari Phi... Is User Enrichment enable? Is User Enrichment enable? Retrieve Email Data - Agari Phishing Defense - Retrieve Email Data - Agari Phishing Defense Retrieve Email Data - Aga... Retrieve Email Data - Agari P... Is APD Internal Message ID not empty? Is APD Internal Message I... Is APD Message Trust Score not empty? Is APD Message Trust Scor... Is APD Message Trust Score Untrusted, Suspicious or Trusted? Is APD Message Trust Scor... Set Email Authenticity variable to Fail - Set Set Email Authenticity va... Set Set Email Authenticity variable to Suspicious - Set Set Email Authenticity va... Set Set Email Authenticity variable to Pass - Set Set Email Authenticity va... Set Set Email Authenticity variable to value generated by Authenticate Email - Set Set Email Authenticity va... Set Entity Enrichment - Phishing v2 - Entity Enrichment - Phishing v2 Entity Enrichment - Phish... Entity Enrichment - Phishing v2 Close Investigation - closeInvestigation Close Investigation closeInvestigation