# KnowBe4 PhishER

The KnowBe4 PhishER connector allows for seamless integration with the PhishER platform, enabling automated phishing threat management and analysis.

KnowBe4 PhishER is a comprehensive phishing response platform that enables security teams to prioritize, analyze, and respond to threats. This connector allows Swimlane Turbine users to automate the management of phishing incidents by integrating with PhishER's capabilities. Users can add comments, tags, download email files, and update message statuses directly within Swimlane Turbine, streamlining the incident response process. The integration enhances operational efficiency, reduces response times, and improves threat categorization within the security operations workflow.

## Prerequisites

To utilize the KnowBe4 PhishER connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Authentication with the following parameters:
  - URL: the endpoint URL for the PhishER API product
  - API Token: your unique token to authenticate with the PhishER API

## Capabilities

This connector provides the following capabilities:

- Add Comment to Multiple Messages
- Add Comment
- Add Tags
- Get All Messages
- Get Message by ID
- Download EML Using RawURL
- Update Message
- Update Multiple Messages

## Notes

- https://developer.knowbe4.com/graphql/phisher/page/introduction

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT, etc.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token | | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Comment

Appends a user-defined comment to a specific PhishER message identified by its `id`.

- Endpoint URL: `/graphql`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| comment | string | required | Parameter for Add Comment |

Input example:

```json
{"id": "4fa977fb-eea6-4b5d-bdd4-ad8176765342", "comment": "test comment"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherCommentCreate | object | Response data |
| data.phisherCommentCreate.errors | object | Response data |
| data.phisherCommentCreate.node | object | Response data |
| data.phisherCommentCreate.node.body | string | Response data |
| data.phisherCommentCreate.node.createdAt | string | Response data |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Content-Length": "115", "Connection": "keep-alive", "Date": "Mon, 20 Nov 2023 19:15:57 GMT", "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "X-Download-Options": "noopen", "X-Permitted-Cross-Domain-Policies": "none", "Referrer-Policy": "strict-origin-when-cross-origin", "Vary": "Accept, Origin", "ETag": "W/\"c46a067f44b199493b5e908c1ebbded7\"", "Cache-Control": "max-age=0
```

### Add Comment to Multiple Messages

Adds a specified comment to all KnowBe4 PhishER messages that match the provided query, using the `query` and `comment` inputs.

- Endpoint URL: `/graphql`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Add Comment to Multiple Messages |
| comment | string | required | Parameter for Add Comment to Multiple Messages |

Input example:

```json
{"query": "query", "comment": "test comment"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherCommentsCreate | object | Response data |
| data.phisherCommentsCreate.errors | object | Response data |
| data.phisherCommentsCreate.totalCount | number | Response data |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Content-Length": "115", "Connection": "keep-alive", "Date": "Mon, 20 Nov 2023 19:15:57 GMT", "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "X-Download-Options": "noopen", "X-Permitted-Cross-Domain-Policies": "none", "Referrer-Policy": "strict-origin-when-cross-origin", "Vary": "Accept, Origin", "ETag": "W/\"c46a067f44b199493b5e908c1ebbded7\"", "Cache-Control": "max-age=0
```

### Add Tags

Adds specified tags to a PhishER message by its unique `id` to improve categorization and response handling.

- Endpoint URL: `/graphql`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| tags | array | required | Parameter for Add Tags |

Input example:

```json
{"id": "12345678-1234-1234-1234-123456789abc", "tags": ["string"]}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherTagsCreate | object | Response data |
| data.phisherTagsCreate.errors | object | Response data |
| data.phisherTagsCreate.nodes | object | Response data |
| data.phisherTagsCreate.nodes.name | string | Response data |
| data.phisherTagsCreate.nodes.type | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 2 May 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"phisherTagsCreate": {}}}}
```

### Download EML Using RawURL

Retrieves an email file from a specified URL using the KnowBe4 PhishER connector; the `rawUrl` parameter is required.

- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| rawUrl | string | required | Raw URL |

Input example:

```json
{"rawUrl": "string"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| file | object | Attachments file |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"file": {"file": "string", "file_name": "example_name"}}
```

### Get All Messages

Returns a paginated list of messages from KnowBe4 PhishER using a specified Lucene query.

- Endpoint URL: `/graphql`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | optional | The Lucene query to search against |
| all | boolean | optional | Flag to request all items at once |
| page | number | optional | The page number you want to fetch |
| per | number | optional | Number of items in each page; minimum 25 items/page |

Input example:

```json
{"query": "", "all": true, "page": 1, "per": 25}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessages | object | Response data |
| data.phisherMessages.nodes | array | Response data |
| data.phisherMessages.nodes.actionStatus | string | Response data |
| data.phisherMessages.nodes.attachments | array | Response data |
| data.phisherMessages.nodes.attachments.actualContentType | string | Response data |
| data.phisherMessages.nodes.attachments.filename | string | Response data |
| data.phisherMessages.nodes.attachments.md5 | string | Response data |
| data.phisherMessages.nodes.attachments.reportedContentType | string | Response data |
| data.phisherMessages.nodes.attachments.s3Key | string | Response data |
| data.phisherMessages.nodes.attachments.sha1 | string | Response data |
| data.phisherMessages.nodes.attachments.sha256 | string | Response data |
| data.phisherMessages.nodes.attachments.size | number | Response data |
| data.phisherMessages.nodes.attachments.ssdeep | string | Response data |
| data.phisherMessages.nodes.attachments.virustotal | object | Response data |
| data.phisherMessages.nodes.category | string | Response data |
| data.phisherMessages.nodes.comments | array | Response data |
| data.phisherMessages.nodes.comments.file_name | string | Response data |
| data.phisherMessages.nodes.comments.file | string | Response data |
| data.phisherMessages.nodes.events | array | Response data |
| data.phisherMessages.nodes.events.causer | string | Response data |
| data.phisherMessages.nodes.events.createdAt | string | Response data |
| data.phisherMessages.nodes.events.eventType | string | Response data |

Output example:

```json
{"data": {"phisherMessages": {"nodes": [], "pagination": {}}}}
```

### Get Message by ID

Retrieves a specific PhishER message by its unique identifier, facilitating targeted analysis of phishing incidents.

- Endpoint URL: `/graphql`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

Input example:

```json
{"id": "4fa977fb-eea6-4b5d-bdd4-ad8176765342"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessage | object | Response data |
| data.phisherMessage.actionStatus | string | Response data |
| data.phisherMessage.attachments | array | Response data |
| data.phisherMessage.attachments.actualContentType | string | Response data |
| data.phisherMessage.attachments.filename | string | Response data |
| data.phisherMessage.attachments.md5 | string | Response data |
| data.phisherMessage.attachments.reportedContentType | string | Response data |
| data.phisherMessage.attachments.s3Key | string | Response data |
| data.phisherMessage.attachments.sha1 | string | Response data |
| data.phisherMessage.attachments.sha256 | string | Response data |
| data.phisherMessage.attachments.size | number | Response data |
| data.phisherMessage.attachments.ssdeep | string | Response data |
| data.phisherMessage.attachments.virustotal | object | Response data |
| data.phisherMessage.attachments.virustotal.permalink | object | Response data |
| data.phisherMessage.attachments.virustotal.positives | object | Response data |
| data.phisherMessage.attachments.virustotal.scanned | object | Response data |
| data.phisherMessage.attachments.virustotal.sha256 | object | Response data |
| data.phisherMessage.category | string | Response data |
| data.phisherMessage.comments | array | Response data |
| data.phisherMessage.comments.file_name | string | Response data |
| data.phisherMessage.comments.file | string | Response data |
| data.phisherMessage.events | array | Response data |

Output example:

```json
{"data": {"phisherMessage": {"actionStatus": "active", "attachments": [], "category": "string", "comments": [], "events": [], "from": "string", "headers": [], "id": "12345678-1234-1234-1234-123456789abc", "links": [], "phishmlReport": {}, "pipelineStatus": "active", "rawUrl": "string", "reportedBy": "string", "rules": [], "severity": "string"}}}
```

### Update Message

Applies payload data to update a specific PhishER message using the provided `id`.

- Endpoint URL: `/graphql`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| payload | object | required | Parameter for Update Message |
| payload.category | string | optional | Parameter for Update Message |
| payload.status | string | optional | Status value |
| payload.severity | string | optional | Parameter for Update Message |

Input example:

```json
{"id": "4fa977fb-eea6-4b5d-bdd4-ad8176765342", "payload": {"category": "unknown", "status": "received", "severity": "unknown_severity"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessageUpdate | object | Response data |
| data.phisherMessageUpdate.errors | object | Response data |
| data.phisherMessageUpdate.node | object | Response data |
| data.phisherMessageUpdate.node.actionStatus | string | Response data |
| data.phisherMessageUpdate.node.attachments | array | Response data |
| data.phisherMessageUpdate.node.attachments.actualContentType | string | Response data |
| data.phisherMessageUpdate.node.attachments.filename | string | Response data |
| data.phisherMessageUpdate.node.attachments.md5 | string | Response data |
| data.phisherMessageUpdate.node.attachments.reportedContentType | string | Response data |
| data.phisherMessageUpdate.node.attachments.s3Key | string | Response data |
| data.phisherMessageUpdate.node.attachments.sha1 | string | Response data |
| data.phisherMessageUpdate.node.attachments.sha256 | string | Response data |
| data.phisherMessageUpdate.node.attachments.size | number | Response data |
| data.phisherMessageUpdate.node.attachments.ssdeep | string | Response data |
| data.phisherMessageUpdate.node.attachments.virustotal | object | Response data |
| data.phisherMessageUpdate.node.category | string | Response data |
| data.phisherMessageUpdate.node.comments | array | Response data |
| data.phisherMessageUpdate.node.comments.body | string | Response data |
| data.phisherMessageUpdate.node.comments.createdAt | string | Response data |
| data.phisherMessageUpdate.node.events | array | Response data |
| data.phisherMessageUpdate.node.events.causer | object | Response data |
| data.phisherMessageUpdate.node.events.createdAt | string | Response data |

Output example:

```json
{"data": {"phisherMessageUpdate": {"errors": {}, "node": {}}}}
```

### Update Multiple Messages

Updates multiple PhishER messages at once using a Lucene query and a payload, improving message management efficiency.

- Endpoint URL: `/graphql`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Update Multiple Messages |
| payload | object | required | Parameter for Update Multiple Messages |
| payload.category | string | optional | Parameter for Update Multiple Messages |
| payload.status | string | optional | Status value |
| payload.severity | string | optional | Parameter for Update Multiple Messages |

Input example:

```json
{"query": "", "payload": {"category": "unknown", "status": "resolved", "severity": "high"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.phisherMessagesUpdate | object | Response data |
| data.phisherMessagesUpdate.errors | object | Response data |
| data.phisherMessagesUpdate.updated | number | Response data |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Content-Length": "115", "Connection": "keep-alive", "Date": "Mon, 20 Nov 2023 19:15:57 GMT", "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "X-Download-Options": "noopen", "X-Permitted-Cross-Domain-Policies": "none", "Referrer-Policy": "strict-origin-when-cross-origin", "Vary": "Accept, Origin", "ETag": "W/\"c46a067f44b199493b5e908c1ebbded7\"", "Cache-Control": "max-age=0
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | max-age=0, private, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 20 Nov 2023 18:57:08 GMT |
| ETag | An identifier for a specific version of a resource | W/"c46a067f44b199493b5e908c1ebbded7" |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63113904; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding, Accept, Origin |
| Via | HTTP response header Via | 1.1 4173c7a8e447342f9200b2668a0cba0a.cloudfront.net (CloudFront) |
| X-Amz-Cf-Id | HTTP response header X-Amz-Cf-Id | aqfr8ewuepvax5otvohzhwywmjycq 5acmqwunhtiku6gxhioaslqg== |
| X-Amz-Cf-Pop | HTTP response header X-Amz-Cf-Pop | HYD57-P3 |
| X-Cache | HTTP response header X-Cache | Miss from cloudfront |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | HTTP response header X-Permitted-Cross-Domain-Policies | none |
| X-Request-Id | A unique identifier for the request | 31142ead-f4c8-46a9-b680-c821933e6ac3 |
| X-Runtime | HTTP response header X-Runtime | 0.281383 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
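The actions above all reduce to one HTTP pattern: a POST to `/graphql` carrying `Authorization: Bearer <token>`, a query or mutation, and a variables object built from the documented inputs. The following is an added example of that pattern in Python, not Swimlane's or KnowBe4's code. It drives the Get All Messages and Update Message actions through a pluggable transport so it runs offline against constructed responses. The operation names (`phisherMessages`, `phisherMessageUpdate`) and argument names (`query`, `all`, `page`, `per`, `id`, `payload`) come from the connector's documented inputs and outputs; the GraphQL selection sets, the `PhisherMessageUpdateInput` type name and the `errors`-as-scalar selection are assumptions that may need adjusting to the live schema. Paging stops when a page comes back short, so the loop does not rely on the `pagination` object's field names, which the page documents only as an empty object; the `per` value is clamped to the documented minimum of 25.

```python
"""Minimal PhishER GraphQL client: POST <url>/graphql with a Bearer token.
Added example, not the connector's code; selection sets and the
PhisherMessageUpdateInput type name are assumptions."""
import json
from typing import Any, Callable, Dict, Iterator, List, Tuple

# A transport performs the HTTP POST and returns the decoded JSON body.
# Plug in requests/urllib for real use; StaticTransport below stands in offline.
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]

MIN_PER_PAGE = 25  # the connector documents 25 as the minimum items per page
PAYLOAD_KEYS = ("category", "status", "severity")  # documented payload fields

MESSAGES_QUERY = """
query Messages($query: String, $all: Boolean, $page: Int, $per: Int) {
  phisherMessages(query: $query, all: $all, page: $page, per: $per) {
    nodes { id actionStatus category severity attachments { filename sha256 } }
  }
}"""

UPDATE_MUTATION = """
mutation Update($id: ID!, $payload: PhisherMessageUpdateInput!) {
  phisherMessageUpdate(id: $id, payload: $payload) {
    errors
    node { id actionStatus category severity }
  }
}"""


def graphql_request(base_url: str, token: str, query: str,
                    variables: Dict[str, Any]) -> Tuple[str, Dict[str, str], bytes]:
    """Assemble URL, headers and JSON body for one GraphQL call."""
    url = base_url.rstrip("/") + "/graphql"
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json",
               "Accept": "application/json"}
    body = json.dumps({"query": query, "variables": variables}).encode("utf-8")
    return url, headers, body


def unwrap(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Return the 'data' object, failing loudly on top-level GraphQL errors."""
    if resp.get("errors"):
        raise RuntimeError("GraphQL errors: " + json.dumps(resp["errors"]))
    data = resp.get("data")
    if not isinstance(data, dict):
        raise RuntimeError("malformed response: missing 'data' object")
    return data


def iter_messages(transport: Transport, base_url: str, token: str,
                  query: str = "", per: int = MIN_PER_PAGE) -> Iterator[Dict[str, Any]]:
    """Walk every page of phisherMessages for a Lucene query; stop on a short page."""
    per = max(int(per), MIN_PER_PAGE)  # clamp to the documented minimum page size
    page = 1
    while True:
        variables = {"query": query, "all": False, "page": page, "per": per}
        data = unwrap(transport(*graphql_request(base_url, token, MESSAGES_QUERY, variables)))
        nodes = (data.get("phisherMessages") or {}).get("nodes") or []
        for node in nodes:
            yield node
        if len(nodes) < per:
            return
        page += 1


def update_message(transport: Transport, base_url: str, token: str,
                   message_id: str, **payload: str) -> Dict[str, Any]:
    """Send phisherMessageUpdate with only the documented payload keys."""
    unknown = sorted(set(payload) - set(PAYLOAD_KEYS))
    if unknown:
        raise ValueError("unsupported payload keys: " + ", ".join(unknown))
    if not payload:
        raise ValueError("payload must set at least one of " + ", ".join(PAYLOAD_KEYS))
    variables = {"id": message_id, "payload": payload}
    data = unwrap(transport(*graphql_request(base_url, token, UPDATE_MUTATION, variables)))
    result = data.get("phisherMessageUpdate") or {}
    if result.get("errors"):  # mutation-level errors object, as the connector documents it
        raise RuntimeError("phisherMessageUpdate errors: " + json.dumps(result["errors"]))
    return result.get("node") or {}


class StaticTransport:
    """Constructed offline stand-in for HTTP: replays canned responses, records requests."""

    def __init__(self, responses: List[Dict[str, Any]]):
        self.responses = list(responses)
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        self.calls.append({"url": url, "headers": headers, "payload": json.loads(body)})
        if not self.responses:
            raise RuntimeError("no canned response left for " + url)
        return self.responses.pop(0)


def sample_message_pages() -> List[Dict[str, Any]]:
    """Constructed sample: a full page of 25 nodes, then a short page of 3."""
    def node(i: int) -> Dict[str, Any]:
        return {"id": "msg-%03d" % i, "actionStatus": "active", "category": "unknown",
                "severity": "unknown_severity", "attachments": []}
    return [{"data": {"phisherMessages": {"nodes": [node(i) for i in range(25)]}}},
            {"data": {"phisherMessages": {"nodes": [node(i) for i in range(25, 28)]}}}]


if __name__ == "__main__":
    t = StaticTransport(sample_message_pages())
    ids = [m["id"] for m in iter_messages(t, "https://phisher.example.invalid", "TOKEN", "category:unknown")]
    print(len(ids), "messages fetched over", len(t.calls), "requests")
```

`StaticTransport` records every request it sees, which is also how to check in a test that the token never leaks into the URL or body and that `Verify SSL` style settings are applied at the transport layer rather than inside the query builder. Swapping the transport for a real one is a one-line change, which keeps the query-building logic testable without network access.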
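The message objects returned by Get Message by ID and Get All Messages carry, per attachment, the `filename`, `size`, `md5`, `sha1` and `sha256` that PhishER computed, and Download EML Using RawURL hands back the reported message itself. A useful integrity step before acting on an automated verdict is to recompute those digests from the downloaded `.eml` and compare them with what the node reports, so a workflow never tags or resolves a message on the strength of hashes it has not seen. The following is an added example of that check in Python, not the connector's code; the `.eml` and the message node it builds are constructed samples.

```python
"""Cross-check a downloaded .eml against the attachment hashes a PhishER
message node reports. Added example; the sample message and node are constructed."""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Any, Dict, List

HASHES = ("md5", "sha1", "sha256")  # hash fields the message node documents


def attachment_digests(raw_eml: bytes) -> Dict[str, Dict[str, Any]]:
    """Map each attachment filename to its size and hex digests, computed locally."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    out: Dict[str, Dict[str, Any]] = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entry: Dict[str, Any] = {"size": len(data)}
        for name in HASHES:
            entry[name] = hashlib.new(name, data).hexdigest()
        out[part.get_filename() or "<unnamed>"] = entry
    return out


def verify_attachments(raw_eml: bytes, node: Dict[str, Any]) -> List[str]:
    """Return discrepancies between the .eml and node['attachments']; empty means consistent."""
    local = attachment_digests(raw_eml)
    problems: List[str] = []
    seen = set()
    for att in node.get("attachments") or []:
        fn = att.get("filename")
        seen.add(fn)
        if fn not in local:
            problems.append("reported attachment missing from .eml: %s" % fn)
            continue
        for field in HASHES + ("size",):
            reported = att.get(field)
            if reported is None:  # the node may omit a field; only compare what it reports
                continue
            actual = local[fn][field]
            if str(reported).lower() != str(actual).lower():
                problems.append("%s %s mismatch: node=%s eml=%s" % (fn, field, reported, actual))
    for fn in local:
        if fn not in seen:
            problems.append("attachment in .eml not listed on node: %s" % fn)
    return problems


def build_sample_eml(attachment_bytes: bytes, filename: str) -> bytes:
    """Constructed sample message with one attachment, serialized as .eml bytes."""
    m = EmailMessage()
    m["From"] = "reporter@example.invalid"
    m["To"] = "phisher@example.invalid"
    m["Subject"] = "Reported: invoice"
    m.set_content("Please see attached.")
    m.add_attachment(attachment_bytes, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def sample_node(attachment_bytes: bytes, filename: str) -> Dict[str, Any]:
    """Constructed message node whose attachment entry matches the sample .eml."""
    entry: Dict[str, Any] = {"filename": filename, "size": len(attachment_bytes)}
    for name in HASHES:
        entry[name] = hashlib.new(name, attachment_bytes).hexdigest()
    return {"id": "12345678-1234-1234-1234-123456789abc", "attachments": [entry]}


if __name__ == "__main__":
    blob = b"%PDF-1.4 constructed sample attachment\n" * 3
    raw = build_sample_eml(blob, "invoice.pdf")
    print("discrepancies:", verify_attachments(raw, sample_node(blob, "invoice.pdf")))
```

The comparison is case-insensitive because hex digests may be reported in either case, and it only compares fields the node actually carries, so a node without `ssdeep` or `size` still verifies on the hashes it does report. An empty list is the signal a workflow should require before applying an Update Message payload derived from attachment analysis.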