
Connect your Agari Phishing Defense and Brand Protection solutions to Azure Sentinel

Important

The Agari Phishing Defense and Brand Protection connector is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

The Agari Phishing Defense and Brand Protection connector allows you to easily connect your Brand Protection and Phishing Defense solutions' logs to Azure Sentinel, so that you can view the data in workbooks, query it to create custom alerts, and incorporate it to improve investigation. Agari's solutions integrate with Azure Sentinel using Azure Functions and REST API.

In addition, Brand Protection and Phishing Response customers can take advantage of Threat Intelligence sharing via the Security Graph API.

Note

Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.

Prerequisites

The following are required to connect Agari's Phishing Defense and Brand Protection solutions to Azure Sentinel:

Configure and connect Agari solutions

Agari solutions can integrate and export logs directly to Azure Sentinel using an Azure Function App.

Note

This connector uses Azure Functions to connect to Agari's solutions to pull their logs into Azure Sentinel. This may result in additional data ingestion costs. Check the Azure Functions pricing page for details.

  1. Collect your Agari API credentials:

    Ensure you have your Agari Client ID and Secret keys. Instructions can be found on the Agari developers site.

  2. (Optional) Enable the Security Graph API:

    The Agari Function App allows you to share threat intelligence with Azure Sentinel via the Security Graph API. To use this feature, you'll need to enable the Sentinel Threat Intelligence Platforms connector and also register an application in Azure Active Directory.

    This process will give you three pieces of information for use when deploying the Function App below: the Graph tenant ID, the Graph client ID, and the Graph client secret.

  3. Deploy the connector and the associated Azure Function App:

    1. In the Azure Sentinel portal, select Data connectors. Select Agari Phishing Defense and Brand Protection (Preview) and then Open connector page.

    2. Under Configuration, copy the Azure Sentinel workspace ID and primary key and paste them aside.

    3. Select Deploy to Azure. (You may have to scroll down to find the button.)

    4. The Custom deployment screen will appear.

      • Enter your Agari Client ID and Client Secret (secret keys).

      • Enter your Azure Sentinel Workspace ID and Workspace Key (primary key) that you copied and put aside.

      • Select True or False for the Agari solutions you have active subscriptions for.

      • If you have created an Azure Application to share IoCs with Azure Sentinel using the Security Graph API, select True for Enable Security Graph Sharing and enter the Graph tenant ID, the Graph client ID, and the Graph client secret.

    5. Select Review + create. When the validation completes, click Create.

  4. Assign the necessary permissions to your Function App:

    The Agari connector uses an environment variable to store log access timestamps. In order for the application to write to this variable, permissions must be assigned to the system assigned identity.

    1. In the Azure portal, navigate to Function App.

    2. In the Function App blade, select your Function App from the list, then select Identity under Settings in the Function App's navigation menu.

    3. In the System assigned tab, set the Status to On.

    4. Select Save, and an Azure role assignments button will appear. Click it.

    5. In the Azure role assignments screen, select Add role assignment. Set Scope to Subscription, select your subscription from the Subscription drop-down, and set Role to App Configuration Data Owner.

    6. Select Save.

Find your data

After a successful connection is established, the data appears in Logs under CustomLogs, in the following tables:

  • agari_apdtc_log_CL
  • agari_apdpolicy_log_CL
  • agari_bpalerts_log_CL

To query Agari solutions data, enter one of the above table names in the query window.

See the Next steps tab in the connector page for some useful sample queries.

Validate connectivity

It may take up to 20 minutes until your logs start to appear in Log Analytics.
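The following Kusto query is an added example for the "Find your data" and "Validate connectivity" sections above; it is not one of the sample queries shipped with the connector. It checks all three custom tables at once and reports how many rows each has received and how long ago the last row arrived, using only the `TimeGenerated` and `Type` columns that every Log Analytics table carries. The `lookback` window of one day is an assumed value you can change.

```kusto
// Added example (not from the Agari connector page): confirm that each of the
// three Agari custom tables is receiving rows and report the ingestion lag.
// isfuzzy=true keeps the query running even if a table has not been created yet;
// a custom table only appears once its first record has been ingested.
let lookback = 1d;   // assumed window; widen it if the connector was just deployed
union isfuzzy=true
    agari_apdtc_log_CL,
    agari_apdpolicy_log_CL,
    agari_bpalerts_log_CL
| where TimeGenerated > ago(lookback)
| summarize RowCount = count(), LastSeen = max(TimeGenerated) by Type
// datetime_diff(period, later, earlier) gives minutes since the last row arrived
| extend MinutesSinceLast = datetime_diff('minute', now(), LastSeen)
| order by LastSeen desc
```

Run it in the Logs window of the workspace the Function App was deployed against. A table that is missing from the result set after the 20-minute window above has not ingested anything yet; the usual places to look are the Function App's execution logs (to confirm the function ran and authenticated to Agari) and the workspace ID and key entered at deployment time.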

Next steps

In this document, you learned how to connect Agari Phishing Defense and Brand Protection solutions to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: