MailRisk by Secure Practice (using Azure Functions) connector for Microsoft Sentinel
Data connector to push emails from MailRisk into Microsoft Sentinel Log Analytics.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | MailRiskEmails_CL |
| Data collection rules support | Not currently supported |
| Supported by | Secure Practice |
Query samples
All emails
MailRiskEmails_CL
| sort by TimeGenerated desc
Emails with SPF pass
MailRiskEmails_CL
| where spf_s == 'pass'
| sort by TimeGenerated desc
Emails with specific category
MailRiskEmails_CL
| where Category == 'scam'
| sort by TimeGenerated desc
Emails with link urls that contain the string "microsoft"
MailRiskEmails_CL
| sort by TimeGenerated desc
| mv-expand link = parse_json(links_s)
| where link.url contains "microsoft"
Prerequisites
To integrate with MailRisk by Secure Practice (using Azure Functions) make sure you have:
- Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
- API credentials: Your Secure Practice API key pair is also needed, which are created in the settings in the admin portal. If you have lost your API secret, you can generate a new key pair (WARNING: Any other integrations using the old key pair will stop working).
Vendor installation instructions
Note
This connector uses Azure Functions to connect to the Secure Practice API to push logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.
Please have these the Workspace ID and Workspace Primary Key (can be copied from the following), readily available.
Azure Resource Manager (ARM) Template
Use this method for automated deployment of the MailRisk data connector using an ARM Template.
Click the Deploy to Azure button below.
Select the preferred Subscription, Resource Group and Location.
Enter the Workspace ID, Workspace Key, Secure Practice API Key, Secure Practice API Secret
Mark the checkbox labeled I agree to the terms and conditions stated above.
Click Purchase to deploy.
Manual deployment
In the open source repository on GitHub you can find instructions for how to manually deploy the data connector.
Next steps
For more information, go to the related solution in the Azure Marketplace.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for