Welcome to the Agari Advanced Threat Protection Quick Start Guide for users with O365.
This guide gives an overall project overview with the steps required to deploy and start using the product. Please reach out to Support or your Customer Success Team if you have any questions.
The latest fully detailed admin guide can be found here.
1. Contact your Customer Success (CS) Team to deploy a set of hosted sensors.
2. Configure a journal rule in O365 so that copies of messages start being sent to Agari.
3. Add the IP address of any Secure Email Gateway (SEG) to the Organization page as an MTA.
4. Contact your Customer Success Team or Support to register your sensors so that enforcement can be enabled.
5. Enable EWS API enforcement by navigating to the Sensors page and approving each sensor as an Exchange Global Admin.
6. Add any publicly visible C-level and other executives to their respective Address Groups.
7. At this point mail should be flowing into the portal, allowing you to analyze traffic.
Initial Tuning Overview
- After a few days of ingesting mail, tag the domains you own as Internal and the partners you work with as Partner on the Domains page.
- A few days after tagging, approve any 3rd party senders on the Senders page.
- After tagging domains and approving 3rd party senders, wait a week while more messages are ingested.
- Send any false positives or false negatives to your CS Team so that any manual tuning that is needed can be identified.
Taking Enforcement on Messages
- Enabling enforcement is three different steps:
  1. Approve sensor API access (step 5 in the Setup Overview).
  2. Enable Enforcement on the Organization page.
  3. Enable the Action on each policy.
Configuration Overview Details
The first step is deploying the sensors and configuring a journal rule so that mail can start being ingested. The pair of sensors should be located as close to the mail store as possible so that API calls are as fast as possible.
In O365 you will configure a journal rule that sends copies of messages to Agari. The detailed steps are in the admin guide.
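The journal rule can also be created from Exchange Online PowerShell instead of the admin center. The following is an added example, not a procedure from the Agari admin guide; the admin UPN, the NDR mailbox, the journaling address and the rule scope are assumptions, so use the journaling address and scope your CS Team gives you.

```powershell
# Added example, not from the Agari admin guide: creating the O365 journal
# rule with Exchange Online PowerShell (ExchangeOnlineManagement module).
# admin@example.com, journal-ndr@example.com, journal@sensors.example.net and
# the Global scope are assumptions for illustration only.

Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Exchange Online refuses to create a journal rule until a journaling-report
# NDR recipient is set. It must be a mailbox other than the journaling address,
# or undeliverable journal reports would loop back into journaling.
Set-TransportConfig -JournalingReportNdrTo journal-ndr@example.com

# Journal a copy of every message in scope to the sensor journaling address.
New-JournalRule -Name 'Agari ATP Journal' `
    -JournalEmailAddress 'journal@sensors.example.net' `
    -Scope Global `
    -Enabled $true

# Verify the rule exists and is enabled before expecting mail in the portal.
Get-JournalRule -Identity 'Agari ATP Journal' |
    Format-List Name, JournalEmailAddress, Scope, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

If the sensors only need inbound mail, `-Scope External` limits journaling to messages that cross the organization boundary; confirm the required scope with your CS Team before choosing it, because a rule that journals too little is silent rather than noisy.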
Once the journal rule is configured, mail should start flowing. Log into the Portal, go to Manage > Organization and, in the MTA field, add the IP address of your SEG. Because the SEG is the last hop before O365, every journaled message would otherwise appear to come from the SEG's IP; listing it as an MTA tells the product to ignore that hop and look at the connecting IP before it. Entries can easily be added and removed as needed.
At this point mail is flowing, but the sensor still needs API access in order to move messages. Go to Manage > Sensors and, for each sensor, click the Register for Enforcement link. This must be done for EACH sensor, and you will need to sign in as an Exchange Global Admin. Registering a sensor does not move any messages; it only grants access and has no effect on mail flow.
In order to detect impostors of your C-level and other executives, we need to know who they are. Go to Manage > Address Groups and add any publicly visible executives and managers to the lists. The "Top Partners and Vendors" group is auto-populated and updates on its own once a week. Additional help and examples are available by clicking the ? mark near the top/middle of the Address Groups page.
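To make the MTA setting concrete, here is an added illustration of the last-hop problem it solves. This is not Agari's code and makes no claim about how the product parses headers internally; the hostnames and IP addresses in the sample Received headers are constructed.

```powershell
# Added illustration, not Agari code: why the SEG IP is entered as an MTA.
# Received: headers are ordered newest hop first. If the SEG's IP is in the
# MTA list it is skipped, and the hop that handed mail to the SEG is treated
# as the sending IP instead. Hostnames and IPs below are constructed.

function Get-SendingIp {
    param(
        [Parameter(Mandatory)] [string[]] $ReceivedHeaders,  # newest hop first
        [string[]] $MtaIps = @()                             # SEG / MTA IPs to skip
    )
    foreach ($header in $ReceivedHeaders) {
        # Pull the bracketed IPv4 literal the receiving server recorded.
        if ($header -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') {
            $ip = $Matches[1]
            if ($MtaIps -contains $ip) { continue }   # our own hop, keep walking
            return $ip
        }
    }
    return $null
}

# Constructed headers: the SEG at 203.0.113.10 handed the message to O365;
# the actual external sender connected to the SEG from 198.51.100.25.
$received = @(
    'from seg.example.com ([203.0.113.10]) by mail.protection.outlook.com',
    'from mail.vendor.example ([198.51.100.25]) by seg.example.com',
    'from [10.0.0.5] by mail.vendor.example'
)

# Without the MTA entry the SEG's own address is reported as the sender.
Get-SendingIp -ReceivedHeaders $received

# With the SEG listed as an MTA, the hop before it is reported instead.
Get-SendingIp -ReceivedHeaders $received -MtaIps @('203.0.113.10')
```

The first call returns the SEG's address and the second returns the vendor's, which is why a missing MTA entry makes every external sender look identical and undermines any reputation built on connecting IP. Only IPs under your control belong in the list; adding an upstream relay you do not operate would let anyone behind it inherit its trust.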
Initial Tuning Overview Details
After a couple of days of ingesting messages you will need to start tagging domains. Wait a couple of days after mail starts flowing into the portal, because the domain list is built only from mail you have actually received. Tag ALL of your internal domains and the bulk of the partners you work with on a daily basis. In the portal, go to Analyze > Domains and select the 7 Days option in the top right to expand the search range. Tag all of your internal domains as Internal and the partners/services you fully trust as Partner. The Internal and Partner tags let the product quickly understand which domains your organization expects legitimate business email traffic from.
* Internal should be used for any domain which your organization owns and uses for email.
* Partner should be used for any external domain from which you expect to see legitimate business email traffic.
Internal and Partner are the only two tags that increase the Reputation score. The other tags exist for organizational/grouping purposes and can be used when building policies. A domain can carry multiple tags. You do not have to tag every domain, but tagging every domain you own as Internal and the partners/services you use (e.g. atlassian) as Partner helps with message scoring.
Once your internal domains are tagged, wait a couple more days and then start approving 3rd party senders. 3rd party senders are external systems you use that intentionally send mail as your domain on your behalf, so their mail would otherwise look like spoofing. Approving them works much like a virtual SPF record.
Now that everything has been properly labeled, tagged, and approved, we will start developing trends and patterns. Allow for a week of messages before making any more major changes.
Taking Enforcement on Messages Details
Enforcement is where action is taken on messages. There are two types of enforcement: automated policies and on-demand.
Once the sensor has been granted API access and the switch has been flipped in Manage > Organization, you can take on-demand enforcement actions.
You can then start enabling automated enforcement actions per policy.
There are three available actions:
- Soft delete from the user's mailbox.
- Move to a folder of your choice in the user's mailbox.
- Move to Inbox.