
KnowBe4

About

PhishER processes user-reported phishing and other suspicious emails, grouping and categorizing them according to rules, tags, and actions.

Product Details

Vendor URL: KnowBe4

Product Type: Email Security

Product Tier: Tier III

Integration Method: Webhook

Integration URL: Webhook Integration

Log Guide: n/a

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: KNOWBE4_PHISHER

UDM Fields (all UDM fields populated by the parser, listed against the source log field each is taken from):

Log File Field | UDM Field
"KnowBe4" metadata.vendor_name
"PhishER" metadata.product_name
type.causer_type metadata.description
type.causer_name metadata.product_event_type
addresses.reported_by principal.user.user_id
cc network.email.cc
addresses.from network.email.from
header.Message-Id network.email.mail_id
addresses.reply_to network.email.reply_to
subject network.email.subject
email network.email.to
text.filename src.file.full_path
text.md5 src.file.md5
text.sha1 src.file.sha1
text.sha256 src.file.sha256
text.byte_size src.file.size
text.s3_url src.resource_ancestors
"STORAGE_BUCKET" src.resource.resource_type
type.events.report.name security_result.about.resource.name
type.events.report.results security_result.detection_fields
spam-value security_result.confidence_details
tag security_result.category_details
phishml.category security_result.summary

Product Event Types

Product Event | Description | UDM Event
All | All events | EMAIL_UNCATEGORIZED

Log Sample

{"bad_attachments":[],"headers":[{"md5":"md5hash","sha1":"sha1hash","headers":[{"X-Ms-Exchange-Transport-Endtoendlatency":"00:00:00.5791316"},{"X-Ms-Exchange-Processed-By-Bccfoldering":"00.00.0000.000"}],"filename":"rawHeaders.txt","sha256":"sha256hash1","byte_size":11950,"s3_url":"s3bucket"}],"bad_links":[],"html":[],"addresses":{"cc":"","reply_to":"","reported_by":"reported_by@company.com","from":"from_email@company.com","to":["to_email@company.com"]},"attachments":[{"md5":"md5hashattach","sha1":"sha1attach","filename":"file1.JPG","sha256":"sha256hash2","byte_size":7270,"s3_url":"s3bucket"}],"raw":[{"md5":"md5hashraw","sha1":"sha1hashraw","filename":"","sha256":"sha256hashraw","byte_size":12903,"s3_url":"s3_bucket"}],"phishml":{"confidence_spam":"0.999163031578064","confidence_clean":"0.000854740617796779","category":"spam","confidence_threat":"0.0000121997682072106"},"history":[{"trigger_name":null,"causer_type":null,"event_type":"other","trigger_type":null,"events":{"changed_fields":{"pipeline_status":["processing","processed"]}},"causer_name":null,"date":"2022-09-16T20:48:40Z"},{"trigger_name":null,"causer_type":"Integrations::PhishMl::Report","event_type":"other","trigger_type":null,"events":{"report":{"name":"Phish ML","results":[{"field":"clean","value":"0.09"},{"value":"99.92","field":"spam"},{"field":"threat","value":"0.00"}]},"tags":{"added":["PML:SPAM"]}},"causer_name":"Phish ML","date":"2022-09-16T20:48:39Z"},{"trigger_name":null,"causer_type":null,"event_type":"created","trigger_type":null,"events":null,"causer_name":null,"date":"2022-09-16T20:48:14Z"}],"tags":["PML:SPAM"],"virustotal":[],"links":[""],"text":[{"md5":"md5hashtext","sha1":"sha1hashtext","filename":"messageBody.txt","sha256":"sha256hashtext","byte_size":303,"s3_url":"s3_bucket"}]}

Sample Parsing

metadata.description = "Integrations::PhishML::Report"
metadata.event_timestamp = "2021-12-20T23:54:46.6929430Z"
metadata.event_type = "EMAIL_UNCATEGORIZED"
metadata.vendor_name = "KnowBe4"
metadata.product_name = "PhishER"
metadata.product_event_type = "Phish ML"
metadata.ingested_timestamp = "2021-12-20T23:54:46.6929430Z"
principal.user.user_id = "reported_by@company.com"
src.file.sha256 = "sha256hashtext"
src.file.md5 = "md5hashtext"
src.file.sha1 = "sha1hashtext"
src.file.full_path = "messageBody.txt"
src.file.size = "303"
src.resource_type = "STORAGE_BUCKET"
src.resource_ancestors.name = "s3_bucket"
security_result.about.resource.name = "Phish ML"
security_result.category_details = "SPAM"
security_result.category_details = "PML:SPAM"
security_result.detection_fields.key = "Report results: clean"
security_result.detection_fields.value = "0.22"
security_result.detection_fields.key = "Report results: spam"
security_result.detection_fields.value = "99.76"
security_result.detection_fields.key = "Report results: threat"
security_result.detection_fields.value = "0.03"
security_result.summary = "spam"
security_result.confidence_details = "99.76"
network.email.from = "from_email@company.com"
network.email.to = "to_email@company.com"
network.email.mail_id = "Message-ID"
network.email.subject = "Subject"

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon