Welcome to the Agari Phishing Defense Quick Start Guide for users with On-Prem Exchange Servers.
This guide provides a project overview and the steps required to deploy and start using the product. Please reach out to Support or your Customer Success Team if you have any questions.
Setup Overview
- Deploy a pair of sensors near the mail store, either from our OVA image or our Linux script.
- Configure a journal rule so that copies of messages start being sent to Agari.
- Add any SEG IP addresses to the Organization page as MTAs.
- Enable EWS API enforcement by navigating to the Sensors page and approving each sensor as an Exchange admin user with global impersonation rights.
- Add any publicly visible C-level and other executives to their respective Address Groups.
- At this point mail should be flowing into the portal, allowing you to analyze traffic.
Initial Tuning Overview
- After a few days of ingesting mail, tag the domains you own as Internal and the partners you work with as Partner on the Domains page.
- A few days after tagging, approve any 3rd party senders on the Senders page.
- After tagging domains and approving 3rd party senders, wait a week while we ingest more messages.
- Send any false positives or false negatives to your Customer Support Team to help identify any manual tuning that needs to be done.
Taking Enforcement on Messages
- Enabling enforcement takes three steps:
  - Approve sensor API access (step 5 in Setup Overview).
  - Enable enforcement on the Organization page.
  - Enable the action per policy.
Configuration Overview Details
The first step is deploying the sensors and configuring a journal rule so that mail can start being ingested. The pair of sensors should be located as close to the mail store as possible to minimize API call latency.
In Exchange you will configure a journal rule to start sending copies of messages to Agari. The steps differ per Exchange version and license, but directions for all supported configurations are found in the admin guide.
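As an added illustration (not from the Agari guide or product), the following Exchange Management Shell session shows the two journaling paths the sentence above alludes to. The journaling address `agari-journal@journal.example` and the database name `MailboxDB01` are placeholders; the real address comes from your sensor deployment and the admin guide.

```powershell
# Added example, not part of the original guide. Run from the Exchange Management Shell.
# All addresses and names below are placeholders.

# 1. Create a mail contact for the external journaling address so the rule can target it.
$journalAddress = 'agari-journal@journal.example'   # placeholder: use the address from your sensor deployment
New-MailContact -Name 'Agari Journal' -ExternalEmailAddress $journalAddress

# 2a. Premium journaling (requires an Enterprise CAL): a journal rule that covers all mail.
#     -Scope Global journals internal and external messages; the Agari sensors expect the full stream.
New-JournalRule -Name 'Agari Phishing Defense' `
                -JournalEmailAddress $journalAddress `
                -Scope Global `
                -Enabled $true

# 2b. Standard journaling (no Enterprise CAL): journal every message on a mailbox database instead.
#     Repeat for each database that hosts user mailboxes.
Set-MailboxDatabase -Identity 'MailboxDB01' -JournalRecipient $journalAddress

# 3. Verify what is journaling and where, before expecting mail to appear in the portal.
Get-JournalRule | Format-Table Name, Scope, JournalEmailAddress, Enabled
Get-MailboxDatabase | Format-Table Name, JournalRecipient
```

Use only one of 2a or 2b for a given set of mailboxes; journaling the same message twice doubles the volume sent to the sensors without adding signal.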
Once the journal rule is configured, mail should start flowing. Log into the portal, go to Manage > Organization, and in the MTA field add the IP address of your SEG. This tells the product to ignore the last-hop IP of your SEG. This setting can easily be added and removed as needed.
At this point mail is flowing, but the sensor still needs API access in order to move messages. Go to Manage > Sensors and, for each sensor, click the Register for Enforcement link. This must be done for EACH sensor. You will need to use an Exchange admin account with impersonation rights. Registering only grants access: it does not start moving any messages and has no effect on mail flow.
In order to detect impersonation of C-level and other executives, we need to know who they are. Go to Manage > Address Groups and add any public-facing managers to the lists. The Top Partners and Vendors group is auto-populated and updates on its own once a week. Additional help and examples can be seen by clicking the "?" near the top middle of the Address Groups page.
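The sensor registration step above requires an Exchange account that holds the ApplicationImpersonation role. As an added example (not from the Agari guide), this is how that right is granted to a dedicated service account and then verified; the account name `svc-agari-ews@corp.example` and the assignment name are placeholders.

```powershell
# Added example, not part of the original guide. Run from the Exchange Management Shell.
# Use a dedicated service account for the sensors rather than a shared admin login, so the
# impersonation right can be audited and revoked on its own.
$sensorAccount = 'svc-agari-ews@corp.example'   # placeholder service account

# Grant organization-wide (global) impersonation, which is what the sensor registration needs.
New-ManagementRoleAssignment -Name 'Agari Sensor Impersonation' `
                             -Role 'ApplicationImpersonation' `
                             -User $sensorAccount

# Verify the assignment exists and is enabled before registering the sensors in the portal.
Get-ManagementRoleAssignment -RoleAssignee $sensorAccount |
    Where-Object { $_.Role -eq 'ApplicationImpersonation' } |
    Format-Table Name, Role, RoleAssigneeName, Enabled

# To revoke later (for example when decommissioning the sensors):
# Remove-ManagementRoleAssignment -Identity 'Agari Sensor Impersonation' -Confirm:$false
```

Because ApplicationImpersonation lets the holder act as any mailbox in scope, keep the service account's credential in the same place you keep other high-privilege secrets and review `Get-ManagementRoleAssignment -Role ApplicationImpersonation` periodically so that only the sensor account holds it.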
Initial Tuning Overview
After a couple of days of ingesting messages you will need to start tagging domains. Wait a couple of days after mail starts flowing into the portal, because the domain list is built only from mail you have received. You will want to tag ALL internal domains and the bulk of the partners you work with on a daily basis. In the portal, go to Analyze > Domains and select the "7 Days" option in the top right to expand the search range. Tag all your internal domains as "Internal" and partners/services that you fully trust as "Partner". Internal and Partner tags help us quickly understand from which domains your organization expects to see legitimate business email traffic.
- Internal should be used for any domain which your organization owns and uses for email.
- Partner should be used for any external domain from which you expect to see legitimate business email traffic.
These two tags are the only tags that increase the reputation score. The other tags are for organizational/grouping purposes that you can leverage when making policies. You can also tag the same domain with multiple tags. You do not have to assign a tag to every domain, but tagging all the domains you own as "Internal" and the partners/services you use (e.g. Atlassian) as "Partner" will help with scoring messages.
Once you have tagged your internal domains, wait a couple more days and then start approving 3rd party senders. 3rd party senders are systems you use that intentionally send mail as your domain. Approving them is almost like maintaining a virtual SPF record.
Now that everything has been properly labeled, tagged, and approved, the product will start developing trends and patterns. Allow a week of messages before making any further major changes.
Taking Enforcement on Messages
Enforcement is where we take action on messages. There are two types of enforcement: automated policies and on-demand.
After the sensor has been granted API access and enforcement has been switched on in Manage > Organization, you will be able to take on-demand enforcement actions.
You can then start enabling automated enforcement actions per policy.
You have three available actions:
- Soft delete from the user's mailbox.
- Move to a folder of your choice in the user's mailbox.
- Move to Inbox.