# KnowBe4

## About
PhishER processes user-reported phishing and other suspicious emails by grouping and categorizing emails based on rules, tags, and actions.
## Product Details
Vendor URL: KnowBe4
Product Type: Email Security
Product Tier: Tier III
Integration Method: Webhook
Integration URL: Webhook Integration
Log Guide: n/a
## Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: KNOWBE4_PHISHER
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "KnowBe4" | metadata.vendor_name |
| "PhishER" | metadata.product_name |
| type.causer_type | metadata.description |
| type.causer_name | metadata.product_event_type |
| addresses.reported_by | principal.user.user_id |
| cc | network.email.cc |
| addresses.from | network.email.from |
| header.Message-Id | network.email.mail_id |
| addresses.reply_to | network.email.reply_to |
| subject | network.email.subject |
| addresses.to | network.email.to |
| text.filename | src.file.full_path |
| text.md5 | src.file.md5 |
| text.sha1 | src.file.sha1 |
| text.sha256 | src.file.sha256 |
| text.byte_size | src.file.size |
| text.s3_url | src.resource_ancestors |
| "STORAGE_BUCKET" | src.resource.resource_type |
| type.events.report.name | security_result.about.resource.name |
| type.events.report.results | security_result.detection_fields |
| spam-value | security_result.confidence_details |
| tag | security_result.category_details |
| phishml.category | security_result.summary |
## Product Event Types

| Product Event | Description | UDM Event |
|---|---|---|
| All | All events | EMAIL_UNCATEGORIZED |
## Log Sample

```json
{"bad_attachments":[],"headers":[{"md5":"md5hash","sha1":"sha1hash","headers":[{"X-Ms-Exchange-Transport-Endtoendlatency":"00:00:00.5791316"},{"X-Ms-Exchange-Processed-By-Bccfoldering":"00.00.0000.000"}],"filename":"rawHeaders.txt","sha256":"sha256hash1","byte_size":11950,"s3_url":"s3bucket"}],"bad_links":[],"html":[],"addresses":{"cc":"","reply_to":"","reported_by":"reported_by@company.com","from":"from_email@company.com","to":["to_email@company.com"]},"attachments":[{"md5":"md5hashattach","sha1":"sha1attach","filename":"file1.JPG","sha256":"sha256hash2","byte_size":7270,"s3_url":"s3bucket"}],"raw":[{"md5":"md5hashraw","sha1":"sha1hashraw","filename":"","sha256":"sha256hashraw","byte_size":12903,"s3_url":"s3_bucket"}],"phishml":{"confidence_spam":"0.999163031578064","confidence_clean":"0.000854740617796779","category":"spam","confidence_threat":"0.0000121997682072106"},"history":[{"trigger_name":null,"causer_type":null,"event_type":"other","trigger_type":null,"events":{"changed_fields":{"pipeline_status":["processing","processed"]}},"causer_name":null,"date":"2022-09-16T20:48:40Z"},{"trigger_name":null,"causer_type":"Integrations::PhishMl::Report","event_type":"other","trigger_type":null,"events":{"report":{"name":"Phish ML","results":[{"field":"clean","value":"0.09"},{"value":"99.92","field":"spam"},{"field":"threat","value":"0.00"}]},"tags":{"added":["PML:SPAM"]}},"causer_name":"Phish ML","date":"2022-09-16T20:48:39Z"},{"trigger_name":null,"causer_type":null,"event_type":"created","trigger_type":null,"events":null,"causer_name":null,"date":"2022-09-16T20:48:14Z"}],"tags":["PML:SPAM"],"virustotal":[],"links":[""],"text":[{"md5":"md5hashtext","sha1":"sha1hashtext","filename":"messageBody.txt","sha256":"sha256hashtext","byte_size":303,"s3_url":"s3_bucket"}]}
```
## Sample Parsing

```
metadata.description = "Integrations::PhishML::Report"
metadata.event_timestamp = "2021-12-20T23:54:46.6929430Z"
metadata.event_type = "EMAIL_UNCATEGORIZED"
metadata.vendor_name = "KnowBe4"
metadata.product_name = "PhishER"
metadata.product_event_type = "Phish ML"
metadata.ingested_timestamp = "2021-12-20T23:54:46.6929430Z"
principal.user.user_id = "reported_by@company.com"
src.file.sha256 = "sha256hashtext"
src.file.md5 = "md5hashtext"
src.file.sha1 = "sha1hashtext"
src.file.full_path = "messageBody.txt"
src.file.size = "303"
src.resource_type = "STORAGE_BUCKET"
src.resource_ancestors.name = "s3_bucket"
security_result.about.resource.name = "Phish ML"
security_result.category_details = "SPAM"
security_result.category_details = "PML:SPAM"
security_result.detection_fields.key = "Report results: clean"
security_result.detection_fields.value = "0.22"
security_result.detection_fields.key = "Report results: spam"
security_result.detection_fields.value = "99.76"
security_result.detection_fields.key = "Report results: threat"
security_result.detection_fields.value = "0.03"
security_result.summary = "spam"
security_result.confidence_details = "99.76"
network.email.from = "from_email@company.com"
network.email.to = "to_email@company.com"
network.email.mail_id = "Message-ID"
network.email.subject = "Subject"
```
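To make the field mapping in the UDM table concrete, here is an added example (not the vendor's or Chronicle's own parser code) that walks a PhishER webhook event, picks the Phish ML verdict out of the `history` array (skipping the `created` and `pipeline_status` entries, whose `events` are `null` or carry no report), and emits the UDM fields named in the table. The `normalize` helper and the trimmed `SAMPLE_EVENT` are both constructed for illustration.

```python
import json

# Constructed sample, trimmed from the page's log sample (not a live PhishER event).
SAMPLE_EVENT = json.loads("""{
 "addresses": {"cc": "", "reply_to": "", "reported_by": "reported_by@company.com",
               "from": "from_email@company.com", "to": ["to_email@company.com"]},
 "phishml": {"category": "spam"}, "tags": ["PML:SPAM"],
 "history": [
  {"causer_type": null, "causer_name": null, "event_type": "created", "events": null},
  {"causer_type": "Integrations::PhishMl::Report", "causer_name": "Phish ML",
   "event_type": "other", "events": {"tags": {"added": ["PML:SPAM"]}, "report": {
     "name": "Phish ML", "results": [{"field": "clean", "value": "0.09"},
       {"field": "spam", "value": "99.92"}, {"field": "threat", "value": "0.00"}]}}}],
 "text": [{"md5": "md5hashtext", "sha1": "sha1hashtext", "sha256": "sha256hashtext",
           "filename": "messageBody.txt", "byte_size": 303, "s3_url": "s3_bucket"}]
}""")

def normalize(event: dict) -> dict:
    """Hypothetical helper: map a PhishER event onto the UDM fields of the table above."""
    addr = event.get("addresses") or {}
    udm = {"metadata.vendor_name": "KnowBe4", "metadata.product_name": "PhishER",
           "metadata.event_type": "EMAIL_UNCATEGORIZED",
           "principal.user.user_id": addr.get("reported_by"),
           "network.email.from": addr.get("from"), "network.email.to": list(addr.get("to") or []),
           "security_result.summary": (event.get("phishml") or {}).get("category"),
           "security_result.category_details": list(event.get("tags") or []),
           # cc / reply_to are empty strings in the sample: emit them only when populated
           **{f"network.email.{k}": addr[k] for k in ("cc", "reply_to") if addr.get(k)}}
    # Only the history entry that carries a report holds the Phish ML verdict; the
    # "created" and pipeline_status entries have events == null or no report: skip them.
    for entry in event.get("history") or []:
        report = (entry.get("events") or {}).get("report")
        if not report:
            continue
        udm["metadata.description"] = entry.get("causer_type")
        udm["metadata.product_event_type"] = entry.get("causer_name")
        udm["security_result.about.resource.name"] = report.get("name")
        results = report.get("results") or []
        udm["security_result.detection_fields"] = [
            {"key": f"Report results: {r['field']}", "value": r["value"]} for r in results]
        udm["security_result.confidence_details"] = next(
            (r["value"] for r in results if r["field"] == "spam"), None)
    # File fields come from the first "text" artifact (the stored message body).
    for body in (event.get("text") or [])[:1]:
        udm.update({f"src.file.{k}": body.get(k) for k in ("md5", "sha1", "sha256")})
        udm["src.file.full_path"] = body.get("filename")
        udm["src.file.size"] = str(body.get("byte_size"))
        udm["src.resource.resource_type"] = "STORAGE_BUCKET"
        udm["src.resource_ancestors.name"] = body.get("s3_url")
    return udm
```

Running `normalize(SAMPLE_EVENT)` yields the same keys as the Sample Parsing block, which makes it a quick way to diff expected against actual parser output when a field such as `security_result.confidence_details` comes back empty.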
## Parser Alerting

This product currently does not have any parser-based alerting.
## Rules

Coming Soon