In your PhishER platform, you can use PhishML to disposition messages and prioritize email threats from your users’ inboxes. PhishML is a machine-learning feature that analyzes messages in your PhishER Inbox and determines the percentage of certainty, or confidence value, that each message is clean, spam, or a threat.
PhishML allows you to set the thresholds that a message’s confidence values must meet or exceed to qualify for automatic dispositioning. Then, you can create actions that use PhishML tags to automate the dispositioning and prioritization of messages in your PhishER Inbox.
PhishML is continuously learning and improving its accuracy based the language used in the content of reported emails. After extracting text and ignoring embedded content in messages, PhishML compares the language to patterns observed from other messages analyzed in PhishER.
Enabling PhishML
To enable PhishML for your PhishER platform, follow the steps below:
- Log in to your PhishER platform.
- Navigate to Settings > PhishML.
- Turn on the Enable PhishML toggle.
Note:The first time you enable PhishML, a Terms and Conditions dialog box will appear. Prior to using PhishML, you are required to review and accept KnowBe4's Privacy Policy and Terms of Service. Once you have reviewed both items, click I Accept.
- Select the check box next to each category that you would like PhishML to provide a confidence value for when it analyzes a message.
- (Optional) To set a custom threshold value for each category, click and drag the interactive slider to the left or right. For more information, see the Setting Confidence Values and Thresholds section below.
- Click Save to update your PhishML settings.
Setting Confidence Values and Thresholds
PhishML generates three confidence values for each message that it analyzes. Confidence values represent the percentage of certainty that a message is clean, spam, or a threat. You can view the confidence values of a message from the Actions subtab of the sidebar on the Message Details page.
A confidence threshold is the minimum percentage of certainty that PhishML must meet or exceed for a message to tag it as clean, spam, or a threat. PhishML only applies tags to qualifying messages if the confidence threshold is active. From your PhishER Settings, you can enable or disable confidence thresholds. Once you enable a confidence threshold, you can click and drag the slider next to it to set a custom threshold value. Each confidence threshold can be set to any custom value between 51 and 100. By default, each confidence threshold value is set to 95.
We recommend setting a lower confidence threshold value of less than 80 if you would like to increase the number of messages that are automatically tagged by PhishML as clean, spam, or a threat. We suggest setting a lower confidence threshold for PhishML to identify messages that are either spam or a threat. This setting allows PhishER admins to quickly resolve or eliminate safe messages and prioritize messages that need further analysis or review.
We recommend setting a higher confidence threshold value of higher than 85 if you would like to decrease the number of messages that are tagged by PhishML as clean, spam, or a threat. We suggest setting a higher confidence threshold for PhishML to identify messages that are clean. This setting allows PhishER admins to prioritize messages that need further analysis or review.
PhishML Tags
Based on its analysis, PhishML applies a tag to each of your messages. From the Actions subtab of the sidebar on the Message Details page, you can view the tag that PhishML attached to a message. You can also add and remove tags. To learn about the PhishML tags, see the list below:
- PML:CLEAN: This tag is attached to your message when PhishML determines that a message is clean based on your confidence threshold.
- PML:SPAM: This tag is attached to your message when PhishML determines that a message is spam based on your confidence threshold.
- PML:THREAT: This tag is attached to your message when PhishML determines that a message is a threat based on your confidence threshold.
- PML:BYPASSED: This tag is attached to your message when PhishML times out. You can retry by re-running rules and actions against the message. Then, if PhishML is successful, the appropriate tag will be added to the message.
Creating Recommended Actions with PhishML Tags
Once you set up PhishML, we recommend that you set up three actions with PhishML tags to help your organization identify and respond to email threats quickly. To learn about the settings for each recommended action, see the subsections below.
PML:THREAT (High Priority Messages)
You can create this action to help your organization identify and prioritize messages that are potentially malicious and may require further analysis. To create this action, set steps 1, 2, and 3 to match the following settings:
- Choose how this action should be triggered: We recommend that you select the Specify Tags option. Then, select Has Any and enter “PML:THREAT” as the tag.
-
Choose the action to be taken on matched messages: We recommend that you select the Set Status, Set Priority, and Set Category options. Then, set the drop-down menus to match the settings listed below:
- Set Status: Select In Review.
- Set Priority: Select Critical.
- Set Category: Select Threat.
-
Choose how you would like to report this action: We recommend one of the following options:
- Create a custom email response that will automatically send to selected recipients. To learn more about this option, see the Creating a Custom Email for Your PhishML Action section of this article.
- Create a QuickAction that sends an automated response to selected recipients when you run the QuickAction manually. To learn more about this option, see the Creating a QuickAction for Your PhishML Action section of this article.
Once you have selected these settings, you can configure the remaining settings for the action. For more recommended settings, see the Creating a Custom Email for Your PhishML Action section and the Creating a QuickAction for Your PhishML Action section below. For general information about the remaining settings, see our How to Create and Manage PhishER Actions article.
PML:CLEAN (Medium Priority Messages)
You can create this action to help your organization identify and prioritize messages that are considered to be safe. To create this action, set steps 1, 2, and 3 to match the following settings:
- Choose how this action should be triggered: We recommend that you select the Specify Tags option. Then, select Has Any and enter “PML:CLEAN” as the tag.
-
Choose the action to be taken on matched messages: We recommend that you select the Set Status, Set Priority, and Set Category options. Then, set the drop-down menus to match the settings listed below:
- Set Status: Select Resolved.
- Set Priority: Select Medium.
- Set Category: Select Clean
-
Choose how you would like to report this action: We recommend one of the following options:
- Create a custom email response that will automatically send to selected recipients. To learn more about this option, see the Creating a Custom Email for Your PhishML Action section of this article.
- Create a QuickAction that sends an automated response to selected recipients when you run the QuickAction manually. To learn more about this option, see the Creating a QuickAction for Your PhishML Action section of this article.
Once you have selected these settings, you can configure the remaining settings for the action. For more recommended settings, see the Creating a Custom Email for Your PhishML Action section and the Creating a QuickAction for Your PhishML Action section below. For general information about the remaining settings, see our How to Create and Manage PhishER Actions article.
PML:SPAM (Low Priority Messages)
You can create this action to help your organization identify and prioritize messages that are determined to be unsolicited but not likely to be malicious. To create this action, set steps 1, 2, and 3 to match the following settings:
- Choose how this action should be triggered: We recommend that you select the Specify Tags option. Then, select Has Any and enter “PML:SPAM” as the tag.
-
Choose the action to be taken on matched messages: We recommend that you select the Set Status, Set Priority, and Set Category options. Then, set the drop-down menus to match the settings listed below:
- Set Status: Select Resolved.
- Set Priority: Select Low.
- Set Category: Select Spam.
-
Choose how you would like to report this action: We recommend one of the following options:
- Create a custom email response that will automatically send to selected recipients. To learn more about this option, see the Creating a Custom Email for Your PhishML Action section of this article.
- Create a QuickAction that sends an automated response to selected recipients when you run the QuickAction manually. To learn more about this option, see the Creating a QuickAction for Your PhishML Action section of this article.
Once you have selected these settings, you can configure the remaining settings for the action. For more recommended settings, see the Creating a Custom Email for Your PhishML Action section and the Creating a QuickAction for Your PhishML Action section below. For general information about the remaining settings, see our How to Create and Manage PhishER Actions article.
Creating a Custom Email for Your PhishML Action
To send a notification automatically when you run an action, you can create a custom email response that PhishER will automatically send to your selected recipients. To learn how to customize this email response, see our How to Create a Custom Email Template in PhishER article.
To set up an email response and configure the remaining settings for your action, set steps 3, 4, 5, and 6 to match the following settings:
- Choose how you would like to report this action: We recommend that you select Send Email.
- (Optional) Choose whether or not to halt further actions: We recommend that you select the Stop executing further actions check box. If you select this option, you can review all messages with your action’s PhishML tag before other actions are triggered.
- Choose QuickActions settings: We recommend keeping the default settings.
- Choose whether or not to permanently delete matching messages: We recommend keeping the default settings.
Creating a QuickAction for Your PhishML Action
To report your action manually, you can create a QuickAction. When you run this QuickAction, it will automatically send an email response to selected recipients.
To create a QuickAction and configure the remaining settings for your action, set steps 3, 4, 5, and 6 to match the following settings:
- Choose how you would like to report this action: We recommend that you select None.
- (Optional) Choose whether or not to halt further actions: Select the Stop executing further actions check box. If you select this option, you can review all messages with your action’s PhishML tag before other actions are triggered.
- Choose QuickActions settings: We recommend keeping the default settings.
- Choose whether or not to permanently delete matching messages: We recommend keeping the default settings.
Once you save your new action, you’ll need to create a QuickAction that will automatically send an email response when you run it. To create this QuickAction, set the new action steps to match the following settings:
- Choose how this action should be triggered: We recommend that you select Manual Trigger Only. This setting prevents the action from running automatically. You can run it manually by selecting it from the Run drop-down menu or the QuickActions bar. See step 5 below for more information.
- Choose the action to be taken on matched messages: We recommend that you keep the default settings.
- Choose how you would like to report this action: We recommend that you select Send Email. Using the Email Template, create a custom email response. To learn how to customize this email response, see our How to Create a Custom Email Template in PhishER article.
- Choose whether or not to halt further actions: We recommend that you keep the default settings.
- Choose QuickActions settings: We recommend that you select the check box to the left of Include this action in the QuickAction bar. The action will now display in the QuickActions bar of your PhishER Inbox and in the Actions subtab of the Message Details page.
- Choose whether or not to permanently delete matching messages: We recommend keeping the default settings.