Setting Up Integrations

Integrate Syslog with Your PhishER Platform

From the Syslog subtab of your PhishER Settings, you can configure the Syslog servers connected to your PhishER platform. System Logging Protocol, or Syslog, is a standard protocol that network devices and servers use to send log messages to a logging server. You can integrate Syslog servers with your PhishER platform to log when PhishER actions are triggered.

Connecting a New Syslog Server

To connect a Syslog server to your PhishER platform, follow the steps below:

  1. Log in to your PhishER platform.
  2. Navigate to Settings > Syslog.
  3. Click the New Syslog button in the top-right corner of the page.
  4. In the Add Syslog Settings pop-up window that opens, configure your Syslog server settings. To learn more about these settings, see the screenshot and list below:
    1. Name: In this field, enter a custom name for your Syslog server.
    2. Protocol: From the drop-down menu, select one of the following protocols: TCP, UDP, TLS, or TLS_INSECURE.
    3. Host: In this field, enter the host IP address of your Syslog server.
    4. Port: In this field, enter the port number of your Syslog server.
    5. Format: From the drop-down menu, select one of the following Syslog output formats: JSON, CEF, or LEEF. To learn more about these formats, see the Syslog Output Formats section of this article.
  5. Click Create.

Once your Syslog server is integrated with your PhishER platform, your organization can track and log events that occur in your platform. You can connect as many Syslog servers as you would like. If you create a PhishER action, you can select the Send to Syslog option under the Choose how you would like to report this action step.

Then, you can use the drop-down menu to select one of your Syslog servers. When your action is run, your Syslog server will log the event.

Managing Your Connections

From the Syslog subtab of your PhishER Settings, you can view all of your Syslog server connections. You can click a Syslog server’s name to open the Update Syslog Settings pop-up window. Then, you can update the information for that Syslog server.

For more information about the Syslog settings, see the screenshot and list below:

  1. New Syslog: Click this button to create a new Syslog server connection to your PhishER account.
  2. Name: This column displays the name of the Syslog server.
  3. Host: This column displays the host IP address of the Syslog server.
  4. Port: This column displays the port number of the Syslog server.
  5. Protocol: This column displays the protocol that the Syslog server uses to transport messages from the client to the server.
  6. Format: This column displays the output format for the Syslog server’s reports.
  7. Actions: This column displays the actions available to run on a Syslog entry. You can click the trash can icon to delete the entry.

Syslog Output Formats

You can select a JSON, CEF, or LEEF output format for your Syslog reports. For examples of each output format, see the subsections below.

JSON

For an example of a JSON output format, see below:

{ "receivedAt":"2019-05-20T17:39:43.351851Z", "reportedAt":"2019-05-20T17:39:39Z", "sender":"sender@yourDomain.com", "reporter":"reporter@yourDomain.com", "subject":"JSON Syslog Example", "priority":"medium", "category":"spam", "status":"received", "action":"Action 1", "tags":"TagSet", "permalink":"[[Unique URL]]" }

For more information about the attributes in this output format, see the table below:

| Attribute | Description |
|---|---|
| receivedAt | This attribute indicates the date and time of when the PhishER Inbox received the message. Date and Time Format: yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z' |
| reportedAt | This attribute indicates the date and time of when a user reported the message. Date and Time Format: yyyy-MM-dd'T'HH:mm:ss.SS'Z' |
| sender | This attribute indicates the email address associated with the original source of the message. |
| reporter | This attribute indicates the email address of the user who reported the message. |
| subject | This attribute indicates the text found in the subject line of the original message. |
| priority | This attribute indicates the message’s priority. PhishER uses the following priority levels: Low, Medium, High, Critical, and Unknown. |
| category | This attribute indicates the message’s category. PhishER uses the following categories: Clean, Spam, Threat, and Unknown. |
| status | This attribute indicates the message’s current state of PhishER analysis. PhishER uses the following statuses: Received, In Review, and Resolved. |
| action | This attribute indicates the name of the PhishER action that triggered this report. |
| tags | This attribute indicates the label attached to the message based on the message's attributes. |
| permalink | This attribute indicates the URL specific to the message in your PhishER Inbox. |

CEF

For an example of a CEF output format, see below:

start=1543962447998 rt=1543962447998 duser=destUserName@yourDomain.com suser=sourceUserName@yourDomain.com cat=unknown act=Action1 cs2Label=Status cs2=received cs3Label=Subject cs3=CEF Syslog Example cs4Label=Tags cs4=TagSet cs6Label=Permalink cs6=[[Unique URL]]

For more information about the attributes in this output format, see the table below:

| Attribute | Description |
|---|---|
| start | This attribute indicates the date and time of when the PhishER Inbox received the message. The date and time are represented in milliseconds. Date and Time Format: yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z' |
| rt | This attribute indicates the date and time of when a user reported the message. Date and Time Format: yyyy-MM-dd'T'HH:mm:ss.SS'Z' |
| duser | This attribute indicates the email address of the user who reported the message. |
| suser | This attribute indicates the email address associated with the original source of the message. |
| cat | This attribute indicates the message’s category. PhishER uses the following categories: Clean, Spam, Threat, or Unknown. |
| act | This attribute indicates the name of the PhishER action that triggered this report. |
| cs2Label=Status | This attribute indicates the message’s current state of PhishER analysis. PhishER uses the following statuses: Received, In Review, or Resolved. |
| cs3Label=Subject | This attribute indicates the text found in the subject line of the original message. |
| cs4Label=Tags | This attribute indicates the label attached to the message based on the message's attributes. |
| cs6Label=Permalink | This attribute indicates the URL specific to the message in your PhishER Inbox. |

LEEF

For an example of a LEEF output format, see below:

start=1541008403775 rt=1541009403775 duser=destUserName@yourDomain.com usrName=userName@yourDomain.com cat=Threat act=Test Action cs2Label=Status cs2=Pending cs3Label=Priority cs3=High cs4Label=Subject cs4=Testing Email cs5Label=Tags cs5=Tag1,Tag2 cs6Label=Permalink cs6=[[Unique URL]]

For more information about the attributes in this output format, see the table below:

| Attribute | Description |
|---|---|
| start | This attribute indicates the date and time of when the PhishER Inbox received the message. The date and time are represented in milliseconds. Date and Time Format: yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z' |
| rt | This attribute indicates the date and time of when a user reported the message. Date and Time Format: yyyy-MM-dd'T'HH:mm:ss.SS'Z' |
| duser | This attribute indicates the email address of the user who reported the message. |
| usrName | This attribute indicates the email address associated with the original source of the message. |
| cat | This attribute indicates the message’s category. PhishER uses the following categories: Clean, Spam, Threat, or Unknown. |
| act | This attribute indicates the name of the PhishER action that triggered this report. |
| cs2Label=Status | This attribute indicates the message’s current state of PhishER analysis. PhishER uses the following statuses: Pending, Received, In Review, or Resolved. |
| cs3Label=Priority | This attribute indicates the message’s priority. PhishER uses the following priorities: Low, Medium, High, Critical, or Unknown. |
| cs4Label=Subject | This attribute indicates the text found in the subject line of the original message. |
| cs5Label=Tags | This attribute indicates the label attached to the message based on the message's attributes. |
| cs6Label=Permalink | This attribute indicates the URL specific to the message in your PhishER Inbox. |
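
On the receiving side, the CEF and LEEF payloads shown above need a parser that copes with values containing spaces and that pairs each csN value with its csNLabel. The following is an added example, not KnowBe4 code; it assumes the syslog header has already been stripped and that the payload uses only the field names listed in the tables on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Field names from the CEF and LEEF attribute tables on this page. Only these
# start a new field, so other "word=" text inside a subject stays in the value.
_KEY = re.compile(
    r"(?:^|\s)(start|rt|duser|suser|usrName|cat|act|cs[2-6](?:Label)?)=")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Sample payloads following the page's CEF and LEEF examples.
CEF_SAMPLE = ("start=1543962447998 rt=1543962447998 "
              "duser=destUserName@yourDomain.com "
              "suser=sourceUserName@yourDomain.com cat=unknown act=Action1 "
              "cs2Label=Status cs2=received cs3Label=Subject "
              "cs3=CEF Syslog Example cs4Label=Tags cs4=TagSet "
              "cs6Label=Permalink cs6=[[Unique URL]]")
LEEF_SAMPLE = ("start=1541008403775 rt=1541009403775 "
               "duser=destUserName@yourDomain.com "
               "usrName=userName@yourDomain.com cat=Threat act=Test Action "
               "cs2Label=Status cs2=Pending cs3Label=Priority cs3=High "
               "cs4Label=Subject cs4=Testing Email cs5Label=Tags "
               "cs5=Tag1,Tag2 cs6Label=Permalink cs6=[[Unique URL]]")


def parse_extension(ext):
    """Parse a key=value payload whose values may contain spaces."""
    hits = list(_KEY.finditer(ext))
    raw = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        # First occurrence wins if a key repeats later in the line.
        raw.setdefault(m.group(1), ext[m.end():end].strip())
    event = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        if key in ("start", "rt") and value.isdigit():
            # Epoch milliseconds -> timezone-aware UTC datetime.
            value = _EPOCH + timedelta(milliseconds=int(value))
        # Rename csN to the name carried in csNLabel (e.g. cs2 -> Status).
        event[raw.get(key + "Label", key)] = value
    return event


if __name__ == "__main__":
    for sample in (CEF_SAMPLE, LEEF_SAMPLE):
        print(parse_extension(sample))
```

Because the csN slots differ between the two formats (cs3 is Subject in the CEF example and Priority in the LEEF example), downstream rules should key on the resolved label names rather than on the csN positions.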
