I have had the pleasure of playing with PhishER for the last week and here are the things I would really love to see in this tool:
- Ability to respond to users and track their responses directly from the case. I know this isn't meant to replace a ticketing system, but using Actions to do this is super clunky. I am currently still sending Phish Alerts to our ticketing system because of how clunky interacting with users is.
- To add on top of the above, I think it would be great if you could set variables in Actions so that it would fill in information from the case. Something as simple as automatically putting the user's first name in a placeholder.
- The VirusTotal integration isn't great. It should not upload the attachments to VT. That feature should only run the hash of files against VT. I accidentally uploaded an internal document to VT, and any premium user can now go and download that file, so that's great. I was pretty shocked to see that is the default and only way to analyze against VT.
- API access. I want to be able to integrate this into my other SOAR tool.
- More integrations. Right now PhishER feels like a dumbed-down version of The Hive and Cortex. Instead of uploading documents to VT, I would much rather upload them to my private sandbox (Cuckoo, FalconSandbox).
- Ability to add documentation to the case. Images, comments, files, etc. The Discussions tab is a clunky way of documenting things. Currently my workflow has me sending Phish Alerts to both PhishER and our ticketing system, using the ticketing system to inform the user when it's a harmless spam email, taking the artifacts from PhishER for legitimate phishing attempts and putting them through The Hive, and then documenting everything in The Hive. PhishER saves me time in that I don't have to analyze the email headers by hand, but outside of that...
- A road map for upcoming and planned features.
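
The hash-only VirusTotal check requested above, as an added example that is not part of the original post and is not PhishER code: it hashes each attachment of a reported email locally and prepares a VirusTotal API v3 file-report lookup, so no file content leaves the host. The function names, the sample message and the API key placeholder are assumptions made for illustration.

```python
import hashlib
import urllib.request
from email import message_from_bytes, policy
from email.message import EmailMessage

# VirusTotal API v3 file-report endpoint: returns an existing report for a hash.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{}"
SAMPLE_BODY = b"internal draft - constructed sample content"


def build_sample_eml() -> bytes:
    """Constructed sample of a reported email with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(SAMPLE_BODY, maintype="application",
                       subtype="octet-stream", filename="draft.docx")
    return msg.as_bytes()


def attachment_hashes(raw_eml: bytes) -> dict[str, str]:
    """Map each attachment filename to the SHA-256 of its decoded bytes."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hashes = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        hashes[part.get_filename() or "unnamed"] = hashlib.sha256(data).hexdigest()
    return hashes


def lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build a GET for an existing report; the request carries no file body."""
    return urllib.request.Request(VT_FILE_REPORT.format(sha256),
                                  headers={"x-apikey": api_key}, method="GET")


if __name__ == "__main__":
    for name, digest in attachment_hashes(build_sample_eml()).items():
        req = lookup_request(digest, "YOUR_API_KEY")  # placeholder key
        # Sending req with urllib.request.urlopen() needs network access.
        # HTTP 404 means VirusTotal has no report for this hash; the file
        # itself stays local either way.
        print(name, req.get_method(), req.full_url)
```

A hash with no existing report can then be routed to a private sandbox rather than uploaded.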