Skip to main content

PhishER

This Integration is part of the PhishER Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

KnowBe4 PhishER integration allows to pull events from PhishER system and do mutations This integration was integrated and tested with version 6.0.0 of XSOAR

Configure Phisher on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Phisher.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Your server URLTrue
    API KeyTrue
    First Fetch TimeFirst fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)False
    Fetch incidentsFalse
    Fetch LimitMaximum number of alerts per fetch. Default is 50, maximum is 100.False
    Incident typeFalse
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

phisher-message-list#


Command to get messages from PhishER

Base Command#

phisher-message-list

Input#

Argument NameDescriptionRequired
limitThe maximum number of messages to fetch. Default is 50.Optional
queryThe Lucene query to search against.Optional
idID of specific message to retrieve. If ID is given query will be ignored.Optional
include_eventsWhether to include all message events in the result. Possible values are: False, True. Default is False.Optional

Context Output#

PathTypeDescription
Phisher.Message.actionStatusStringAction Status
Phisher.Message.attachmentsStringA collection of attachments associated with this message
Phisher.Message.categoryStringThe message's category
Phisher.Message.commentsStringA collection of comments associated with this message.
Phisher.Message.eventsStringA collection of events associated with this message.
Phisher.Message.fromStringSender's email
Phisher.Message.idStringUnique identifier for the message.
Phisher.Message.linksStringA collection of links that were found in the message.
Phisher.Message.phishmlReportStringThe PhishML report associated with this message
Phisher.Message.pipelineStatusStringPipeline Status
Phisher.Message.reportedByStringThe person who reported the message.
Phisher.Message.rawUrlStringURL where to download the raw message
Phisher.Message.rulesStringA collection of rules associated with this message.
Phisher.Message.severityStringThe message's severity
Phisher.Message.subjectStringSubject of the message.
Phisher.Message.tagsStringA collection of tags associated with this message.

Command Example#

!phisher-message-list id=00a43d65-5802-4df6-9c3c-f7d2024ddb0b

Context Example#

{
"Phisher": {
"Message": {
"actionStatus": "IN_REVIEW",
"attachments": [],
"category": "CLEAN",
"comments": [
{
"body": "Folarin Balogun",
"createdAt": "2021-08-17T14:43:22Z"
},
{
"body": "Emile Smith Rowe 10",
"createdAt": "2021-08-17T14:21:17Z"
},
{
"body": "Emile Smith Rowe",
"createdAt": "2021-08-17T14:20:32Z"
},
{
"body": "Chupi & Toto",
"createdAt": "2021-08-16T12:39:15Z"
}
],
"created at": "2021-07-07T15:18:58+00:00",
"from": "ekatsenelson@paloaltonetworks.com",
"id": "00a43d65-5802-4df6-9c3c-f7d2024ddb0b",
"links":[],
"phishmlReport": null,
"pipelineStatus": "PROCESSED",
"rawUrl": "https://phisher.example.com",
"reportedBy": "ekatsenelson@paloaltonetworks.com",
"rules": [],
"severity": "MEDIUM",
"subject": "Fwd: Your next career opportunity is... Right Here!",
"tags": [
{
"name": "SIA",
"type": "STANDARD"
},
{
"name": "DAVY KLAASEN",
"type": "STANDARD"
},
{
"name": "DUSAN TADIC",
"type": "STANDARD"
},
{
"name": "LENO",
"type": "STANDARD"
},
{
"name": "BALOGUN",
"type": "STANDARD"
},
{
"name": "RYAN GRAVENBERGH",
"type": "STANDARD"
}
]
}
}
}

Human Readable Output#

Messages#

IDStatusCategoryFromSeverityCreated At
00a43d65-5802-4df6-9c3c-f7d2024ddb0bIN_REVIEWCLEANekatsenelson@paloaltonetworks.comMEDIUM2021-07-07T15:18:58+00:00

phisher-create-comment#


Adds a comment to a PhishER message

Base Command#

phisher-create-comment

Input#

Argument NameDescriptionRequired
idMessage ID.Required
commentThe comment to add.Required

Context Output#

There is no context output for this command.

Command Example#

!phisher-create-comment id=00a43d65-5802-4df6-9c3c-f7d2024ddb0b comment="Test Comment"

Human Readable Output#

The comment was added successfully

phisher-update-message#


Updates a PhishER message status. User must provide at least one argument.

Base Command#

phisher-update-message

Input#

Argument NameDescriptionRequired
categoryMessage Category, can be: UNKNOWN,CLEAN,SPAM,THREAT . Possible values are: UNKNOWN, CLEAN, SPAM, THREAT.Optional
statusMessage Status, can be: RECEIVED,IN_REVIEW,RESOLVED. Possible values are: RECEIVED, IN_REVIEW, RESOLVED.Optional
severityMessage Severity, can be: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL. Possible values are: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL.Optional
idMessage ID.Required

Context Output#

There is no context output for this command.

Command Example#

!phisher-update-message id=00a43d65-5802-4df6-9c3c-f7d2024ddb0b category=THREAT severity=MEDIUM status=IN_REVIEW

Human Readable Output#

The message was updated successfully

phisher-tags-create#


Add tags to a given message

Base Command#

phisher-tags-create

Input#

Argument NameDescriptionRequired
idMessage ID.Required
tagsComma separated list of tags to add.Required

Context Output#

There is no context output for this command.

Command Example#

!phisher-tags-create id=00a43d65-5802-4df6-9c3c-f7d2024ddb0b tags="Tag1, Tag2"

Human Readable Output#

The tags were updated successfully

phisher-tags-delete#


Removes tags from a given message.

Base Command#

phisher-tags-delete

Input#

Argument NameDescriptionRequired
idMessage ID.Required
tagsComma separated list of tags to remove.Required

Context Output#

There is no context output for this command.

Command Example#

!phisher-tags-delete id=00a43d65-5802-4df6-9c3c-f7d2024ddb0b tags="Tag2"

Human Readable Output#

The tags were deleted successfully