Using PhishML
PhishML is a PhishER machine-learning module that analyzes messages forwarded to your PhishER platform. Following analysis, PhishML generates three confidence values for each message. These three values represent the percentage of certainty that a message is clean, spam, or a threat. You can view the confidence values of a message from the Action pane of the Message Details screen (click to view).
Once PhishML is enabled, you have the option to set a custom Confidence Threshold value for each category (clean, spam, and threat). PhishML's confidence values must meet or exceed the active threshold values in order for a message to be tagged as clean, spam, or a threat.
PhishML is constantly learning based on the messages that are tagged by members of the PhishER user community. This approach means that the learning model is constantly provided with new data to improve its accuracy. A higher accuracy allows more messages to be automatically prioritized or dispositioned via Rules and Actions.
During the tagging process, PhishML applies one of the following tags to qualifying messages: PML:THREAT, PML:CLEAN, or PML:SPAM. Using PhishML tags, you can create custom actions to automate the dispositioning and prioritization of messages in your PhishER Inbox.
To learn more about PhishER Settings, click the links below.
Jump to:
Setting Up PhishML
Creating Recommended PhishML Actions
PhishML Enabled
To enable PhishML on your PhishER platform, follow the steps below:
- Navigate to PhishER > Settings > KnowBe4 Labs > PhishML.
- Toggle the PhishML Enabled button.
Confidence Threshold
A Confidence Threshold is the minimum percentage of certainty PhishML must meet or exceed in order to tag a message as clean, spam, or a threat. You have the option to activate or inactivate each threshold value by clicking on the toggle buttons to the left of the Clean, Spam, and Threat labels. Please note, PhishML will only apply tags to qualifying messages if the confidence threshold is active.
By default, the threshold values are: Clean 95, Spam 95, and Threat 95. However, each confidence threshold can be set to a custom value ranging anywhere between 51-100. To set a custom threshold value, click and drag the slider to the left or right (try the interactive slider below).
Clean | |||
Spam | |||
Threat |
PhishML Tags
After analysis, PhishML will apply one of the following tags to your email(s):
PhishML Tags |
|
Tag | Description |
PML:CLEAN | The tag added to your message when PhishML evaluates a message as being clean based on the active confidence threshold. |
PML:SPAM | The tag added to your message when PhishML evaluates a message as being spam based on the active confidence threshold. |
PML:THREAT | The tag added to your message when PhishML evaluates a message as being a threat based on the active confidence threshold. |
PML:BYPASSED | The tag added to your message when PhishML times out. If you re-run rules and actions against the message, PhishML will add the appropriate tag (PML:CLEAN, PML:SPAM, or PML:THREAT). |
PhishML Tags and Actions
To learn more about some recommended settings for the PhishML thresholds, visit our PhishER FAQ article.
Listed below are the settings for three actions that we recommend using for your organization to help identify and respond to email threats faster.
This action will help your organization identify and prioritize messages that are potentially malicious and may require further analysis.
-
For Choose how this action should be triggered, we recommend you select the following settings:
- Specify Tags
- HAS ANY PML:THREAT
To add a tag:- Click on Add new tag and type in the desired name of your tag.
- Then, press the Enter or Return key on your keyboard.
- Specify Tags
-
For Choose the action to be taken on matched messages, we recommend you select the following settings:
- Set Status In Review
Set Priority Critical
Set Category Threat
-
For Choose how you would like to report this action, we recommend using one of the following options:
For this option, we recommend that you create a custom email response that will automatically send to the recipients of your choice. Visit our How to Create a Custom Email Template in PhishER article for more information.
If the Send Email option is selected, we suggest the additional settings below:
- (Optional) For Choose whether or not to halt further actions, click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:THREAT tag before other actions are triggered.
- For Choose QuickActions settings, we recommend keeping the default settings.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
For this option, we recommend that you create an additional action that sends an auto response to selected recipients when you run it manually. To do this, complete part one and two listed below.
Part 1: Select the remaining settings for your PML:THREAT (High Priority Messages) action
- For Choose how you would like to report this action, select None.
- (Optional) For Choose whether or not to halt further actions, click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:THREAT tag before other actions are triggered.
- For Choose QuickActions settings, we recommend keeping the default settings.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
Part 2: Create an Auto Response QuickAction
- For Choose how this action should be triggered, we recommend you select Manual Trigger Only. This will prevent the action from running automatically. Instead, you can run it manually by selecting it from the Run Action drop-down menu or the QuickActions bar (see step 5).
- For Choose the action to be taken on matched messages, we recommend keeping the default settings.
- For Choose how you would like to report this action, we recommend you select Send Email. Using the Email Template, create a custom email response. Visit our How to Create a Custom Email Template in PhishER article for more information.
- For Choose whether or not to halt further actions, we recommend keeping the default settings.
- For Choose QuickActions settings, we recommend you click on the checkbox to the left of Include this action in the QuickAction bar. The action will now display in the QuickActions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen. Visit here for more information about QuickActions.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
This action will help your organization identify and prioritize messages that are considered to be safe or non-threatening.
-
For Choose how this action should be triggered, we recommend you select the following settings:
- Specify Tags
- HAS ANY PML:CLEAN
To add a tag:- Click on Add new tag and type in the desired name of your tag.
- Then, press the Enter or Return key on your keyboard.
- Specify Tags
-
For Choose the action to be taken on matched messages, we recommend you select the following settings:
- Set Status Resolved
Set Priority Medium
Set Category Clean
-
For Choose how you would like to report this action, we recommend using one of the following options:
For this option, we recommend that you create a custom email response that will automatically send to the recipients of your choice. Visit our How to Create a Custom Email Template in PhishER article for more information.
If the Send Email option is selected, we suggest the additional settings below:
- (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:CLEAN tag before other actions are triggered.
- For Choose QuickActions settings, we recommend keeping the default settings.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
For this option, we recommend that you create an additional action that sends an auto response to selected recipients when you run it manually. To do this, complete part one and two listed below.
Part 1: Select the remaining settings for your PML:CLEAN (Medium Priority Messages) action
- For Choose how you would like to report this action, select None.
- (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:CLEAN tag before other actions are triggered.
- For Choose QuickActions settings, we recommend keeping the default settings.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
Part 2: Create an Auto Response QuickAction
- For Choose how this action should be triggered, we recommend you select Manual Trigger Only. This will prevent the action from running automatically. Instead, you can run it manually by selecting it from the Run Action drop-down menu or the QuickActions bar (see step 5).
- For Choose the action to be taken on matched messages, we recommend keeping the default settings.
- For Choose how you would like to report this action, we recommend you select Send Email. Using the Email Template, create a custom email response. Visit our How to Create a Custom Email Template in PhishER article for more information.
- For Choose whether or not to halt further actions, we recommend keeping the default settings.
- For Choose QuickActions settings, we recommend you click on the checkbox to the left of Include this action in the QuickAction bar. The action will now display in the QuickActions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen. Visit here for more information about QuickActions.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
This action will help your organization identify and prioritize messages that are determined to be unsolicited or unwanted but not likely to be malicious.
-
For Choose how this action should be triggered, we recommend you select the following settings:
- Specify Tags
- HAS ANY PML:SPAM
To add a tag:- Click on Add new tag and type in the desired name of your tag.
- Then, press the Enter or Return key on your keyboard.
- Specify Tags
-
For Choose the action to be taken on matched messages, we recommend you select the following settings:
- Set Status Resolved
Set Priority Low
Set Category Spam
-
For Choose how you would like to report this action, we recommend using one of the following options:
For this option, we recommend that you create a custom email response that will automatically send to the recipients of your choice. Visit our How to Create a Custom Email Template in PhishER article for more information.
If the Send Email option is selected, we suggest the additional settings below:
- (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:SPAM tag before other actions are triggered.
- For Choose QuickActions settings, we recommend keeping the default settings.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
For this option, we recommend that you create an additional action that sends an auto response to selected recipients when you run it manually. To do this, complete part one and two listed below.
Part 1: Select the remaining settings for your PML:SPAM (Low Priority Messages) action
- For Choose how you would like to report this action, select None.
- (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:SPAM tag before other actions are triggered.
- For Choose QuickActions settings, we recommend keeping the default settings.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
Part 2: Create an Auto Response QuickAction
- For Choose how this action should be triggered, we recommend you select Manual Trigger Only. This will prevent the action from running automatically. Instead, you can run it manually by selecting it from the Run Action drop-down menu or the QuickActions bar (see step 5).
- For Choose the action to be taken on matched messages, we recommend keeping the default settings.
- For Choose how you would like to report this action, we recommend you select Send Email. Using the Email Template, create a custom email response. Visit our How to Create a Custom Email Template in PhishER article for more information.
- For Choose whether or not to halt further actions, we recommend keeping the default settings.
- For Choose QuickActions settings, we recommend you click on the checkbox to the left of Include this action in the QuickAction bar. The action will now display in the QuickActions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen. Visit here for more information about QuickActions.
- For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
Related Resources:
Comments
0 comments
Article is closed for comments.