PhishER is a lightweight Security Orchestration, Automation and Response (SOAR) platform to orchestrate threat response and manage a high volume of potentially malicious email messages reported by users.
Blumira’s integration with PhishER allows you to retrieve event data from PhishER directly to your Blumira sensor. Now you can start centralizing logs and leveraging Blumira’s security insight to detect and respond to threats.
Forwarding to Sensor
This document walks through forwarding syslog from PhishER to the Blumira Sensor. KnowBe4's own reference for the PhishER syslog settings is here: https://support.knowbe4.com/hc/en-us/articles/360013919314-PhishER-Settings#SYSLOG
PhishER supports third-party integration with Syslog. In order to use the integration feature, you must have PhishRIP enabled. Once you have PhishRIP enabled, navigate to PhishER > Settings > Integrations to configure integration settings for your PhishER platform. Here, you will see three sections: VirusTotal, Syslog, and the KMSAT Console. For integration with Blumira you will select Syslog.
The Syslog integration option can be used to log when actions are triggered in your PhishER platform. To add a Syslog setting, click on the New Syslog button in the top-right. This will open the Add Syslog Settings window.
- Name: A custom name for your Syslog server, such as PhishER-Blumira.
- Protocol: Select TLS from the drop-down.
- Host: Enter the host IP address of your Syslog server.
  - This is the external IP address you are using to forward syslog messages through to your sensor. We suggest placing a sensor in a secured DMZ for this log collection and limiting access to the sensor to only KnowBe4's public address space.
- Port: Enter 6514 for the port number of your Syslog server.
- Format: Select JSON as the output format.
You will also need to configure a certificate and key for your sensor, then add those details to your sensor's logger module by clicking the module's edit button and choosing Update Parameters.
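Once the TLS syslog forwarder is configured, the sensor receives each PhishER action as an RFC 5424 syslog frame whose message body is the JSON output selected above. The following is an added example (not Blumira or KnowBe4 code) showing what a receiver on port 6514 has to do with such a frame: restrict connections to the allowlisted sender network, terminate TLS with the sensor's certificate and key, split the syslog header from the JSON body, and decode it. The JSON field names in `SAMPLE_FRAME`, the `ALLOWED_SENDERS` CIDR and the certificate file paths are constructed placeholders, not PhishER's real schema or KnowBe4's real address space.

```python
"""Receive-side handling of JSON-bodied TLS syslog from PhishER (added example).

The sample frame, field names, allowlist CIDR and cert/key paths below are
constructed for illustration; substitute the values from your own deployment.
"""
import ipaddress
import json
import re
import ssl

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.S,
)

# Constructed frame: PRI 134 = facility 16 (local0), severity 6 (info).
# The JSON keys are placeholders, not PhishER's documented schema.
SAMPLE_FRAME = (
    '<134>1 2024-01-15T10:22:33Z phisher PhishER - - - '
    '{"action":"quarantine","message_id":"<abc123@example.com>","rule":"credential-phish"}'
)

# Constructed allowlist (TEST-NET-3); replace with the sender ranges you trust.
ALLOWED_SENDERS = ["203.0.113.0/24"]


def source_allowed(peer_ip: str, allowed_cidrs) -> bool:
    """Return True only if the connecting address is inside an allowlisted network."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Build the TLS context a 6514 listener would use with the sensor's cert and key.

    Not exercised in the sample run below because it needs real files on disk.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def parse_syslog_json(frame: str) -> dict:
    """Split an RFC 5424 frame and decode its JSON body.

    Returns the header fields a collector normally keeps (facility, severity,
    timestamp, host, app) plus the decoded body under 'event'. Raises ValueError
    for frames that are not RFC 5424 or whose body is not valid JSON, so a
    caller can count and drop malformed input instead of crashing the listener.
    """
    m = _RFC5424.match(frame.strip())
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    body = m.group("msg")
    # Some senders prefix the body with a UTF-8 BOM; strip it before decoding.
    if body.startswith("\ufeff"):
        body = body[1:]
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"message body is not valid JSON: {exc}") from None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "event": event,
    }


if __name__ == "__main__":
    peer = "203.0.113.7"  # constructed peer address for the sample run
    if not source_allowed(peer, ALLOWED_SENDERS):
        raise SystemExit(f"rejected connection from {peer}")
    parsed = parse_syslog_json(SAMPLE_FRAME)
    print(json.dumps(parsed, indent=2))
```

The allowlist check is the programmatic form of the DMZ advice above: even with TLS in front of the listener, only the sender ranges you expect should be able to open a connection. The parser deliberately fails closed on non-JSON bodies, which is the condition you will see if the Format field is left on a non-JSON setting on the PhishER side.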