PhishRod

Integration version: 3.0

Configure PhishRod integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
API Root	String	https://api.bitsighttech.com	Yes	API root of the PhishRod instance.
API Key	Password	N/A	Yes	API Key of the PhishRod account.
Client ID	Password	N/A	Yes	Client ID of the PhishRod account.
Username	String	N/A	Yes	Username of the PhishRod account.
Password	Password	N/A	Yes	Password of the PhishRod account.
Verify SSL	Checkbox	Checked	Yes	If enabled, verifies that the SSL certificate for the connection to the BitSight server is valid.

Actions

Ping

Description

Test connectivity to PhishRod with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful (is_success=true): "Successfully connected to the PhishRod server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful (is_success= false): "Failed to connect to the PhishRod server! Error is {0}".format(exception.stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful (is_success=true): "Successfully connected to the PhishRod server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful (is_success= false): "Failed to connect to the PhishRod server! Error is {0}".format(exception.stacktrace)

General

Update Incident

Description

Update an incident in PhishRod.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Incident ID	String	N/A	Yes	Specify the ID of the incident that needs to be updated.
Status	DDL	Delete Possible Values: Safe Delete	No	Specify the status for the incident.

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Incident ID

String

N/A

Yes

Specify the ID of the incident that needs to be updated.

Status

DDL

Delete

Possible Values:

Safe
Delete

Specify the status for the incident.

Run on

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

{
    "statusMarked": false,
    "message": "Incident status is already marked."
}

Case Wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If statusmarked == "true" (is_success=true): "Successfully updated incident {incident id} in PhishRod. If statusmarked == "false" (is_success=false): "Incident {incident id} status was already modified previously in PhishRod." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Incident". Reason: {0}''.format(error.Stacktrace) If message != "Incident status is already marked." and ""statusMarked"": false" "Error executing action "Update Incident". Reason: {0}".format(message)"	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If statusmarked == "true" (is_success=true): "Successfully updated incident {incident id} in PhishRod.

If statusmarked == "false" (is_success=false): "Incident {incident id} status was already modified previously in PhishRod."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Incident". Reason: {0}''.format(error.Stacktrace)

If message != "Incident status is already marked." and ""statusMarked"": false" "Error executing action "Update Incident". Reason: {0}".format(message)"

General

Mark Incident

Description

Mark an incident in PhishRod.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Incident ID	String	N/A	Yes	Specify the ID of the incident that needs to be marked.
Status	DDL	Mark For Secondary Analysis Possible Values: SMark For Secondary Analysis Mark As Spam Mask As Safe	No	Specify how the incidents need to be marked.
Comment	String	N/A	Yes	Specify the comment describing the reasons for the incident to be marked.

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Incident ID

String

N/A

Yes

Specify the ID of the incident that needs to be marked.

Status

DDL

Mark For Secondary Analysis

Possible Values:

SMark For Secondary Analysis
Mark As Spam
Mask As Safe

Specify how the incidents need to be marked.

Comment

String

N/A

Yes

Specify the comment describing the reasons for the incident to be marked.

Run on

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

{
    "code": "200",
    "status": "Incident status has already been updated before."
}

Case Wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully marked the incident {incident id} in PhishRod." If the 200 status code is reported and status is "Incident status has already been updated before" (is_success = false): "Incident {incident id} was already marked previously in PhishRod. The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Mark Incident". Reason: {0}''.format(error.Stacktrace) If the 400 or 404 status code is reported: "Error executing action "Mark Incident". Reason: {0}".format(message)"	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully marked the incident {incident id} in PhishRod."

If the 200 status code is reported and status is "Incident status has already been updated before" (is_success = false): "Incident {incident id} was already marked previously in PhishRod.

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Mark Incident". Reason: {0}''.format(error.Stacktrace)

If the 400 or 404 status code is reported: "Error executing action "Mark Incident". Reason: {0}".format(message)"

General

Connectors

PhishRod - Incidents Connector

Description

Pull information about incidents from PhishRod.

Configure PhishRod - Incidents Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Product Field Name	String	Product Name	Yes	Enter the source field name in order to retrieve the Product Field name.
Event Field Name	String	Event Field	Yes	Enter the source field name in order to retrieve the Event Field name.
Environment Field Name	String	N/A	No	Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern	String	.*	No	A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field through regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds)	PythonProcessTimeout	300	Yes	Timeout limit for the python process running the current script.
API Root	String	https://{instance}.phishrod.co	Yes	API root of the PhishRod instance.
API Key	Password	N/A	Yes	API key of the PhishRod account.
Client ID	Password	N/A	Yes	Client ID of the PhishRod account.
Username	String	N/A	Yes	Username of the PhishRod account.
Password	Password	N/A	Yes	Password of the PhishRod account.
Alert Severity Score	String	Medium	Yes	Set the severity for the alert based on the incident. Possible values: Informational, Low, Medium, High, Critical.
Use dynamic list as a blacklist	Checkbox	Unchecked	Yes	If enabled, the dynamic list is used as a blacklist.
Verify SSL	Checkbox	Checked	Yes	If enabled, verifies that the SSL certificate for the connection to the Crowdstrike server is valid.
Proxy Server Address	String	N/A	No	The address of the proxy server to use.
Proxy Username	String	N/A	No	The proxy username to authenticate with.
Proxy Password	Password	N/A	No	The proxy password to authenticate with.

Connector rules

Proxy support

The connector supports proxy.