# KnowBe4 PhishER
The KnowBe4 PhishER connector allows for seamless integration with the PhishER platform, enabling automated phishing threat management and analysis.

KnowBe4 PhishER is a comprehensive phishing response platform that enables security teams to prioritize, analyze, and respond to threats. This connector allows Swimlane Turbine users to automate the management of phishing incidents by integrating with PhishER's capabilities. Users can add comments, tags, download email files, and update message statuses directly within Swimlane Turbine, streamlining the incident response process. The integration enhances operational efficiency, reduces response times, and improves threat categorization within the security operations workflow.

## Prerequisites

To utilize the KnowBe4 PhishER connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Authentication with the following parameters:
  - URL: the endpoint URL for the PhishER API
  - Product API Token: your unique token to authenticate with the PhishER API

## Capabilities

This connector provides the following capabilities:

- Add Comment to Multiple Messages
- Add Comment
- Add Tags
- Get All Messages
- Get Message by ID
- Download EML using rawUrl
- Update Message
- Update Multiple Messages

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token (such as a JWT).

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Comment

Appends a user-defined comment to a specific PhishER message identified by its `id`.

- Endpoint URL: `/graphql`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| comment | string | required | Parameter for Add Comment |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherCommentCreate | object | Output field phisherCommentCreate |
| data.phisherCommentCreate.errors | object | Error message, if any |
| data.phisherCommentCreate.node | object | Output field node |
| data.phisherCommentCreate.node.body | string | Request body data |
| data.phisherCommentCreate.node.createdAt | string | Output field createdAt |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json; charset=utf-8",
      "content-length": "115",
      "connection": "keep-alive",
      "date": "Mon, 20 Nov 2023 19:15:57 GMT",
      "x-frame-options": "SAMEORIGIN",
      "x-xss-protection": "1; mode=block",
      "x-content-type-options": "nosniff",
      "x-download-options": "noopen",
      "x-permitted-cross-domain-policies": "none",
      "referrer-policy": "strict-origin-when-cross-origin",
      "vary": "Accept, Origin",
      "etag": "W/\"c46a067f44b199493b5e908c1ebbded7\"",
      "cache-control": "max-age=0, private, must-revalidate",
      "content-security-policy": "",
      "x-request-id": "31142ead-f4c8-46a9-b680-c821933e6ac3"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Add Comment to Multiple Messages

Adds a specified comment to all KnowBe4 PhishER messages that match the provided query, using the `query` and `comment` inputs.

- Endpoint URL: `/graphql`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Add Comment to Multiple Messages |
| comment | string | required | Parameter for Add Comment to Multiple Messages |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherCommentsCreate | object | Output field phisherCommentsCreate |
| data.phisherCommentsCreate.errors | object | Error message, if any |
| data.phisherCommentsCreate.totalCount | number | Count value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json; charset=utf-8",
      "content-length": "115",
      "connection": "keep-alive",
      "date": "Mon, 20 Nov 2023 19:15:57 GMT",
      "x-frame-options": "SAMEORIGIN",
      "x-xss-protection": "1; mode=block",
      "x-content-type-options": "nosniff",
      "x-download-options": "noopen",
      "x-permitted-cross-domain-policies": "none",
      "referrer-policy": "strict-origin-when-cross-origin",
      "vary": "Accept, Origin",
      "etag": "W/\"c46a067f44b199493b5e908c1ebbded7\"",
      "cache-control": "max-age=0, private, must-revalidate",
      "content-security-policy": "",
      "x-request-id": "31142ead-f4c8-46a9-b680-c821933e6ac3"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Add Tags

Adds specified tags to a PhishER message by its unique ID to improve categorization and response handling.

- Endpoint URL: `/graphql`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| tags | array | required | Parameter for Add Tags |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherTagsCreate | object | Output field phisherTagsCreate |
| data.phisherTagsCreate.errors | object | Error message, if any |
| data.phisherTagsCreate.nodes | object | Output field nodes |
| data.phisherTagsCreate.nodes.name | string | Name of the resource |
| data.phisherTagsCreate.nodes.type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-length": "140",
      "content-type": "application/json",
      "date": "Thu, 2 May 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Download EML using rawUrl

Retrieves an email file from a specified URL using the KnowBe4 PhishER connector; the `rawUrl` parameter is required.

- Endpoint URL: (the `rawUrl` value itself)
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| rawUrl | string | required | Raw URL |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| file | object | Attachments |
| file.file | string | Output field file |
| file.file_name | string | Name of the resource |

Example:

```json
[
  {
    "file": {
      "file": "string",
      "file_name": "example_name"
    }
  }
]
```

### Get All Messages

Returns a paginated list of messages from KnowBe4 PhishER using a specified Lucene query.

- Endpoint URL: `/graphql`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | optional | The Lucene query to search against |
| all | boolean | optional | Flag to request all items at once |
| page | number | optional | The page number you want to fetch |
| per | number | optional | Number of items in each page (minimum 25 items/page) |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessages | object | Response message |
| data.phisherMessages.nodes | array | Output field nodes |
| nodes.actionStatus | string | Status value |
| nodes.attachments | array | Output field attachments |
| nodes.attachments.actualContentType | string | Type of the resource |
| nodes.attachments.filename | string | Name of the resource |
| nodes.attachments.md5 | string | Output field md5 |
| nodes.attachments.reportedContentType | string | Type of the resource |
| nodes.attachments.s3Key | string | Output field s3Key |
| nodes.attachments.sha1 | string | Output field sha1 |
| nodes.attachments.sha256 | string | Output field sha256 |
| nodes.attachments.size | number | Output field size |
| nodes.attachments.ssdeep | string | Output field ssdeep |
| nodes.attachments.virustotal | object | Output field virustotal |
| nodes.category | string | Output field category |
| nodes.comments | array | Output field comments |
| nodes.file_name | string | Name of the resource |
| nodes.file | string | Output field file |
| nodes.events | array | Output field events |
| nodes.events.causer | string | Output field causer |
| nodes.events.createdAt | string | Output field createdAt |
| nodes.events.eventType | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Message by ID

Retrieves a specific PhishER message by its unique identifier, facilitating targeted analysis of phishing incidents.

- Endpoint URL: `/graphql`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessage | object | Response message |
| data.phisherMessage.actionStatus | string | Status value |
| data.phisherMessage.attachments | array | Output field attachments |
| attachments.actualContentType | string | Type of the resource |
| attachments.filename | string | Name of the resource |
| attachments.md5 | string | Output field md5 |
| attachments.reportedContentType | string | Type of the resource |
| attachments.s3Key | string | Output field s3Key |
| attachments.sha1 | string | Output field sha1 |
| attachments.sha256 | string | Output field sha256 |
| attachments.size | number | Output field size |
| attachments.ssdeep | string | Output field ssdeep |
| attachments.virustotal | object | Output field virustotal |
| attachments.virustotal.permalink | object | Output field permalink |
| attachments.virustotal.positives | object | Output field positives |
| attachments.virustotal.scanned | object | Output field scanned |
| attachments.virustotal.sha256 | object | Output field sha256 |
| data.phisherMessage.category | string | Output field category |
| data.phisherMessage.comments | array | Output field comments |
| data.phisherMessage.file_name | string | Name of the resource |
| data.phisherMessage.file | string | Output field file |
| data.phisherMessage.events | array | Output field events |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Update Message

Applies payload data to update a specific PhishER message using the provided ID.

- Endpoint URL: `/graphql`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| payload | object | required | Parameter for Update Message |
| payload.category | string | optional | Parameter for Update Message |
| payload.status | string | optional | Status value |
| payload.severity | string | optional | Parameter for Update Message |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessageUpdate | object | Response message |
| data.phisherMessageUpdate.errors | object | Error message, if any |
| data.phisherMessageUpdate.node | object | Output field node |
| node.actionStatus | string | Status value |
| node.attachments | array | Output field attachments |
| node.attachments.actualContentType | string | Type of the resource |
| node.attachments.filename | string | Name of the resource |
| node.attachments.md5 | string | Output field md5 |
| node.attachments.reportedContentType | string | Type of the resource |
| node.attachments.s3Key | string | Output field s3Key |
| node.attachments.sha1 | string | Output field sha1 |
| node.attachments.sha256 | string | Output field sha256 |
| node.attachments.size | number | Output field size |
| node.attachments.ssdeep | string | Output field ssdeep |
| node.attachments.virustotal | object | Output field virustotal |
| node.category | string | Output field category |
| node.comments | array | Output field comments |
| node.comments.body | string | Request body data |
| node.comments.createdAt | string | Output field createdAt |
| node.events | array | Output field events |
| node.events.causer | object | Output field causer |
| node.events.createdAt | string | Output field createdAt |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Update Multiple Messages

Updates multiple PhishER messages at once using a Lucene query and a payload, improving message management efficiency.

- Endpoint URL: `/graphql`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Update Multiple Messages |
| payload | object | required | Parameter for Update Multiple Messages |
| payload.category | string | optional | Parameter for Update Multiple Messages |
| payload.status | string | optional | Status value |
| payload.severity | string | optional | Parameter for Update Multiple Messages |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessagesUpdate | object | Response message |
| data.phisherMessagesUpdate.errors | object | Error message, if any |
| data.phisherMessagesUpdate.updated | number | Output field updated |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json; charset=utf-8",
      "content-length": "115",
      "connection": "keep-alive",
      "date": "Mon, 20 Nov 2023 19:15:57 GMT",
      "x-frame-options": "SAMEORIGIN",
      "x-xss-protection": "1; mode=block",
      "x-content-type-options": "nosniff",
      "x-download-options": "noopen",
      "x-permitted-cross-domain-policies": "none",
      "referrer-policy": "strict-origin-when-cross-origin",
      "vary": "Accept, Origin",
      "etag": "W/\"c46a067f44b199493b5e908c1ebbded7\"",
      "cache-control": "max-age=0, private, must-revalidate",
      "content-security-policy": "",
      "x-request-id": "31142ead-f4c8-46a9-b680-c821933e6ac3"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | max-age=0, private, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 20 Nov 2023 19:15:57 GMT |
| ETag | An identifier for a specific version of a resource | W/"e3e9ebf85e5bdde42710965a891dbad1" |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63113904; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept, Origin |
| Via | HTTP response header Via | 1.1 4173c7a8e447342f9200b2668a0cba0a.cloudfront.net (CloudFront) |
| X-Amz-Cf-Id | HTTP response header X-Amz-Cf-Id | aqfr8ewuepvax5otvohzhwywmjycq 5acmqwunhtiku6gxhioaslqg== |
| X-Amz-Cf-Pop | HTTP response header X-Amz-Cf-Pop | HYD57-P3 |
| X-Cache | HTTP response header X-Cache | Miss from cloudfront |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | HTTP response header X-Permitted-Cross-Domain-Policies | none |
| X-Request-Id | A unique identifier for the request | 31142ead-f4c8-46a9-b680-c821933e6ac3 |
| X-Runtime | HTTP response header X-Runtime | 0.497786 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |

## Notes

- PhishER API documentation: https://developer.knowbe4.com/graphql/phisher/page/introduction
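The following Python sketch is an added example, not code from the connector or from KnowBe4: it shows what the Get All Messages action does under the hood, a Bearer-authenticated POST to `/graphql` carrying a Lucene query with `page` and `per` (minimum 25), followed by a walk over `data.phisherMessages.nodes` to collect attachment SHA-256 hashes of messages still awaiting analyst action. The GraphQL selection set, the `actionStatus` values and the sample response are assumptions constructed here; the field names come from the output table above.

```python
import json
import ssl
import urllib.request

# Assumed selection set: field names match the connector's output schema,
# but the exact GraphQL query text is an assumption for this example.
MESSAGES_QUERY = """
query($query: String, $all: Boolean, $page: Int, $per: Int) {
  phisherMessages(query: $query, all: $all, page: $page, per: $per) {
    nodes { id actionStatus category attachments { filename sha256 } }
  }
}"""


def build_messages_request(query, page=1, per=25, all_items=False):
    """Build the JSON body for one Get All Messages call (per must be >= 25)."""
    if per < 25:
        raise ValueError("PhishER pages hold at least 25 items; per must be >= 25")
    return {"query": MESSAGES_QUERY,
            "variables": {"query": query, "all": all_items, "page": page, "per": per}}


def post_graphql(url, token, body, verify_ssl=True, timeout=30):
    """POST body to <url>/graphql with the product API token as a Bearer token.
    verify_ssl mirrors the connector's optional flag; leave it True outside a lab."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url.rstrip("/") + "/graphql", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, json.loads(resp.read())


def attachment_hashes(response_json, statuses=("RECEIVED", "IN_REVIEW")):
    """Map message id -> sorted attachment sha256 list for messages in the given statuses."""
    nodes = response_json.get("data", {}).get("phisherMessages", {}).get("nodes", [])
    return {n["id"]: sorted(a["sha256"] for a in n.get("attachments", []) if a.get("sha256"))
            for n in nodes if n.get("actionStatus") in statuses}


# Constructed sample response (not captured from a real tenant) in the shape
# the Get All Messages output table describes.
SAMPLE_RESPONSE = {"data": {"phisherMessages": {"nodes": [
    {"id": "msg-1", "actionStatus": "RECEIVED", "category": "UNKNOWN",
     "attachments": [{"filename": "invoice.pdf", "sha256": "aa" * 32}]},
    {"id": "msg-2", "actionStatus": "RESOLVED", "category": "CLEAN", "attachments": []},
]}}}
```

The hashes returned by `attachment_hashes` are the natural pivot into a sandbox or threat-intel lookup before an Update Message call sets the category.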