From the Threat Intel subtab of your PhishER Settings, you can configure the Threat Intel feature for your PhishER console. Threat Intel is powered by a Webroot integration with PhishER Plus. Webroot’s BrightCloud Web Classification & Web Reputation Service uses machine learning-based intelligence to analyze URLs for malicious content. This integration uses the Webroot API to allow PhishER to submit URLs for analysis, pull report data, and perform advanced search queries.
After Threat Intel scans a URL, a threat analysis report will be available under the Domains & URLs subtab on the Message Details page of your PhishER console. For more information, see our PhishER Inbox Guide.
Configuring the Integration
To configure the integration, fill out the fields on the Threat Intel subtab of your PhishER Settings. For more information, see the screenshot and list below:
- Threat Intel Disabled or Threat Intel Enabled: Use this toggle to disable or enable the integration.
- (Optional) Automatic Scanning Settings: In this section, you can configure settings that allow Threat Intel to automatically scan parts of a message. To learn about these options, view the list below:
- Automatically Scan All URLs: If you select this check box, all of the URLs in your PhishER Inbox will automatically be sent to Threat Intel.
- Update Threat Intel Settings: Click this button if you would like to save changes made to the integration settings in this section.
- (Optional) Automatic Scanning Timeout: The Timeout if no response in seconds field displays the custom timeout period for your Threat Intel scan results. If Threat Intel does not return scan results in this timeout period, a TI_BYPASSED tag will be applied to the corresponding message. By default, the timeout period is 120 seconds. To learn more about the tags that can be applied to the message, read the Threat Intel Tags section of this article.
- (Optional) Ignored Domains: This section displays the domains that you would like Threat Intel to ignore when running a scan.
- Update Shared Settings: If you would like to update the custom timeout period or the ignored domains for your integrations, click this button to open the Shared Integrations Settings pop-up window. In the pop-up window, you can enter a number of seconds in the Timeout if no response in seconds field to set a custom timeout period for your Threat Intel scan results. In the Ignored Domains field, you can enter the domains that you would like Threat Intel to ignore when running a scan. Enter each domain on its own line in the text box. If you add a domain to this list, any subdomains of that domain will be excluded as well. However, if you add a subdomain to the list, its parent domain will not be excluded. Wildcards (*) and Uniform Resource Identifiers (URIs) are not supported, so enter bare domain names only.
Important: For more information about KnowBe4 domains that should not be sent as links to Threat Intel, read the Excluding KnowBe4 Domains from Scans section of this article.
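The Ignored Domains matching rule above (an ignored parent domain also excludes its subdomains, an ignored subdomain does not exclude its parent, and wildcards and URIs are rejected) is easy to get subtly wrong when you audit your own list. The following is an added example, not KnowBe4's or PhishER's own code, that models the rule as this page describes it so you can check which URLs from a message would be submitted to Threat Intel and which would instead receive the TI_IGNORED tag. The ignored-domain entries and sample URLs are constructed for the example; how PhishER matches internally is an assumption based on the text.

```python
"""Added example (not PhishER's own code): model the Ignored Domains rule.

Assumption drawn from the page: a URL is ignored when its host equals an
ignored domain or is a subdomain of one; an ignored subdomain never covers
its parent; wildcard and URI entries are invalid.
"""
from urllib.parse import urlsplit


def parse_ignored_domains(text: str) -> list[str]:
    """Parse the newline-separated Ignored Domains field.

    Entries the field does not support (wildcards, full URIs) raise instead
    of being silently mis-parsed into something that never matches.
    """
    domains = []
    for raw in text.splitlines():
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue
        if "*" in entry:
            raise ValueError(f"wildcards are not supported: {raw!r}")
        if "://" in entry or "/" in entry:
            raise ValueError(f"URIs are not supported, enter a bare domain: {raw!r}")
        domains.append(entry)
    return domains


def host_of(url: str) -> str:
    """Lowercase hostname of a URL (bare hostnames are accepted as well)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def is_ignored(url: str, ignored: list[str]) -> bool:
    """True if the URL's host equals an ignored domain or is a subdomain of it.

    A plain string suffix test is not enough: 'example.com' must not match
    'notexample.com', so the comparison is done on a label boundary.
    """
    host = host_of(url)
    return any(host == dom or host.endswith("." + dom) for dom in ignored)


def split_for_scan(urls: list[str], ignored: list[str]) -> tuple[list[str], list[str]]:
    """Partition URLs into those to submit to Threat Intel and those that
    would be tagged TI_IGNORED instead."""
    to_scan, skipped = [], []
    for url in urls:
        (skipped if is_ignored(url, ignored) else to_scan).append(url)
    return to_scan, skipped


# Constructed sample data for the example (not real KnowBe4 phish link domains).
IGNORED_FIELD = """
example-phishlinks.com
training.example.org
"""

SAMPLE_URLS = [
    "https://example-phishlinks.com/track?id=1",  # exact match: ignored
    "https://go.example-phishlinks.com/x",        # subdomain of an ignored domain: ignored
    "https://notexample-phishlinks.com/login",    # shares a suffix only: scanned
    "https://example.org/",                       # parent of an ignored subdomain: scanned
    "https://training.example.org/course",        # the ignored subdomain itself: ignored
    "http://EXAMPLE-PHISHLINKS.COM./",            # case and trailing dot normalised: ignored
]

if __name__ == "__main__":
    ignored = parse_ignored_domains(IGNORED_FIELD)
    scan, skip = split_for_scan(SAMPLE_URLS, ignored)
    print("submit to Threat Intel:", scan)
    print("TI_IGNORED:", skip)
```

Run it against your own exported Ignored Domains list and the links from a suspicious message to see whether a lookalike domain such as notexample-phishlinks.com would still be scanned; that is the case the label-boundary check protects.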
Scanning with Threat Intel
Once you integrate your Threat Intel account with your PhishER console, you can run a Threat Intel scan on domains and URLs. To run a Threat Intel scan on a specific domain or URL, click Scan on the Message Details page.
When you run a Threat Intel scan on a domain or URL, the scan may take up to 15 minutes to complete. When the scan is complete, the analysis results will be displayed on the Message Details page of your PhishER console. Click Click to View Scan Results to view the results. For more information, read the Viewing Message Details section of our PhishER Inbox Guide.
Excluding KnowBe4 Domains from Scans
KnowBe4 uses multiple domains that should not be sent as links to Threat Intel. You can enter these ignored domains in the Shared Integrations Settings section on the Threat Intel subtab of your PhishER settings. To find and exclude the domains, follow the steps below:
1. Log in to your KSAT console.
2. Navigate to the Phishing tab, then select the Domains subtab. This subtab displays a list of our root phish link domains. For more information, read our Manage Phish Link Domains article.
Note: If you don't have access to this subtab, you can contact our support team for a list of phish link domains.
3. In a separate browser or tab, log in to your PhishER console.
4. Navigate to Settings > Threat Intel.
5. In the Shared Integrations Settings section, click Update Shared Settings.
6. In the Ignored Domains field, enter the root domains from your KSAT console, one per line.
7. Click Update Shared Settings.
8. If you use more than one instance of the KSAT console, repeat steps 1-7 to exclude the root domains from all of your instances. For more information about KSAT instances, read our KnowBe4 Training Instances article.
Threat Intel Tags
Based on the scan results, Threat Intel will apply one or more tags to your messages. To learn about the Threat Intel tags, view the list below:
- TI_BYPASSED: This tag is attached to your message when a Threat Intel scan times out. This tag is often applied alongside other Threat Intel tags. You can set a custom timeout period under your Threat Intel Shared Integrations Settings.
Note: If a Threat Intel timeout occurs, PhishER will still wait for your Threat Intel results to return. However, automated actions will not run against the item while Threat Intel scans it.
- TI_ERROR: This tag is attached to your message when a Threat Intel scan results in processing errors or when Threat Intel is unable to scan a domain or URL.
- TI_HIGH_RISK: This tag is attached to your message when a Threat Intel scan determines that a threat was detected and the scanned domains or URLs are a high risk.
- TI_IGNORED: This tag is attached to your message when the message contains URLs or domains that are on your Ignored Domains list.
- TI_LOW_RISK: This tag is attached to your message when a Threat Intel scan determines that no threat was detected but the scanned domains or URLs are a low risk.
- TI_MODERATE_RISK: This tag is attached to your message when a Threat Intel scan determines that a possible threat was detected and the scanned domains or URLs are a moderate risk.
- TI_NOT_FOUND: This tag is attached to your message when a Threat Intel scan doesn’t return a match for the scanned domains or URLs.
- TI_PENDING: This tag is attached to your message when a Threat Intel scan is queued. This tag will be removed when the scan is completed.
- TI_SCANNED: This tag is attached to your message when a Threat Intel scan determines that no threat was detected from the scanned domains or URLs.
- TI_SUSPICIOUS: This tag is attached to your message when a Threat Intel scan determines that the scanned domains or URLs are suspicious.