Enterprise Settings
SIEM Feed requires an additional license. Please contact support@inky.com to get more information.
SIEM Feed Settings
INKY can be configured to send events to a SIEM (security information and event management) system of your choice. Events include analysis results, user reports, and link clicks (link-click events apply only if you use INKY's link rewriting).
INKY does not have direct integrations with any particular SIEM provider; however, if the SIEM can accept raw JSON via an HTTPS POST, INKY can send events to it.
INKY sends events from the following INKY-controlled IP addresses. If your SIEM endpoint requires an IP address allow list, add these addresses to it.
3.231.237.226/32
100.24.129.5/32
3.132.108.44/32
3.132.222.232/32
100.21.157.149/32
34.210.15.192/32
Webhook URL (Required): Specify an HTTPS webhook URL that can receive a POST request with JSON data and is reachable from INKY's server IP addresses.
Disable SSL certificate validation (checked or unchecked): check this only if your webhook URL uses a self-signed certificate. With validation disabled, INKY accepts any certificate the endpoint presents, so a certificate from a trusted CA is preferable where you can obtain one.
Enter any HTTP headers to send with the POST request (e.g., to provide an authentication token). The typical HTTP headers are listed below; however, your SIEM provider may require different ones.
| Header name | Header value |
|---|---|
| Content-Type | application/json |
| Authorization | … |
Validate Webhook Configuration
Test connectivity between INKY's servers and the webhook configuration on this page by selecting “Validate Now”.
The configuration tested can be either your saved configuration or a newly entered configuration that has not yet been saved.
Success
When validating the configuration, you’ll receive a Success or Failure result along with additional logging. This logging can be provided to INKY support, or it may give you the information needed to adjust the configuration before validating again.
Failure Types:
401 Client Error: Unauthorized for url: This failure means that the Authorization header set in the HTTP headers section is incorrect or that the token does not have access to the resource. Ensure that the authorization type provided is correct and that the token is currently enabled in your SIEM provider.
Max Retries: Exceeding the maximum number of retries typically points to a firewall between INKY's sending servers and the SIEM. Ensure that the IP addresses listed above are allowed to POST to your configured endpoint.
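The receiving side of this configuration, as an added example in Python that is not INKY's code: it shows the checks a webhook endpoint would apply to an incoming POST (source address against the allow list above, Authorization header, Content-Type, and the `identifier`/`event_type` envelope fields from the JSON examples), and which of the failure types above each rejection corresponds to. It assumes your application is handed the connecting client's IP address (directly or from a reverse proxy) and uses a placeholder bearer token in place of whatever value you configure in the Authorization header.

```python
"""Receiver-side validation for an INKY SIEM webhook (added example, not INKY's code)."""
import hmac
import ipaddress
import json
from typing import Dict, Tuple

# Source ranges published on the settings page for INKY's sending servers.
INKY_SOURCE_RANGES = [ipaddress.ip_network(c) for c in (
    "3.231.237.226/32",
    "100.24.129.5/32",
    "3.132.108.44/32",
    "3.132.222.232/32",
    "100.21.157.149/32",
    "34.210.15.192/32",
)]

# Placeholder: the real value is whatever you entered as the Authorization header value.
EXPECTED_AUTHORIZATION = "Bearer REPLACE-WITH-YOUR-TOKEN"


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def is_inky_source(client_ip: str) -> bool:
    """True if the connection comes from one of INKY's listed addresses."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in INKY_SOURCE_RANGES)


def authorization_ok(headers: Dict[str, str], expected: str = EXPECTED_AUTHORIZATION) -> bool:
    """Constant-time comparison of the presented Authorization header with the configured value."""
    presented = _header(headers, "Authorization")
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_post(client_ip: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Return (HTTP status, reason) for an incoming webhook POST.

    403: source outside the allow list (what a firewall drop looks like from INKY's
         side is the "Max Retries" failure; an explicit 403 is at least visible in logs).
    401: bad token, the "401 Client Error: Unauthorized" failure shown by Validate Now.
    415/400: wrong content type or a body that is not an INKY event envelope.
    """
    if not is_inky_source(client_ip):
        return 403, "source address not in INKY allow list"
    if not authorization_ok(headers):
        return 401, "Unauthorized"
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, "expected application/json"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(event, dict) or event.get("identifier") != "inky-event" or "event_type" not in event:
        return 400, "not an INKY event envelope"
    return 200, "accepted " + event["event_type"]


if __name__ == "__main__":
    # Constructed request: a minimal user_report envelope from an allow-listed address.
    sample_headers = {"Content-Type": "application/json", "Authorization": EXPECTED_AUTHORIZATION}
    sample_body = b'{"teamid": "phishpool", "event_type": "user_report", "identifier": "inky-event", "data": {}}'
    print(handle_post("34.210.15.192", sample_headers, sample_body))
    print(handle_post("34.210.15.192", {**sample_headers, "Authorization": "Bearer wrong"}, sample_body))
```

The source-address check is a second layer on top of the network allow list rather than a replacement for it; if your endpoint sits behind a proxy, take the client address from the proxy's trusted forwarding header, not from the raw socket.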
Customize Your SIEM Provider and JSON Examples
Select which types of events should be included in your SIEM feed. For some event types, you can fine-tune exactly which messages should trigger events.
Analysis Result
{
"teamid": "phishpool",
"event_type": "analysis_result",
"identifier": "inky-event",
"data": {
"meta_data": {
"mail_from": "user@example.com",
"internal": false,
"helo_string": "mail-lj1-f196.google.com",
"sender_IP": "207.46.163.111",
"internaldate_utc_seconds": 1554813126,
"rcpt_to_addresses": [
"testing@phishpool.com"
],
"subject": "12121212",
"message_id": "<CAH_u+Z9YDiYonQUerqGQj=U8m-30Rw3UpdWU-hHySVUs1a2ohw@mail.gmail.com>",
"from_email": "janekane38312@gmail.com"
},
"inky_analysis": {
"suspicious_details": {
"SCL": 6,
"reason_htmls": [
"This is most likely a phishing email trying to trick you into doing something dangerous like installing software or revealing your personal information (e.g., passwords, phone numbers, or credit cards).",
"This is most likely spam or unwanted junk email. Be careful with any attachments or links."
],
"reason_ids": [
20,
15
],
"reason_short_codes": [
"phishing_content",
"spam_content"
],
"PCL": 8,
"threat_level": 2,
"short_reasons": [
"phishing_content",
"spam_content"
],
"reason_titles": [
"Phishing Content",
"Spam Content"
]
},
"threat_indicators": []
}
}
}
Link Click
{
"teamid": "phishpool",
"event_type": "link_click",
"identifier": "inky-event",
"data": {
"link_data": {
"continue_allowed": true,
"client_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36",
"tracking_id": 1203604,
"original_url": "http:\/\/sjkswimming.com?6h=TBBCSTUQQDDYQPBKBSSRmzQYCQi",
"alert_reason_html": "<div class=\"inky-alert inky-alert-danger\">You clicked a link in an email processed by INKY.<br><br>The link will take you to: <b>http:\/\/sjkswimming.com\/...<\/b><br><br><b>INKY classified the message containing this link as dangerous. <a href=\"https:\/\/localhost:1234\/details?id=cGhpc2hwb29sL3Rlc3RpbmdAcGhpc2hwb29sLmNvbS80NGJkODM2OGM5Yjc4YWY0Y2ViNjRlMjllMTI4N2QwNi8xNTU2NjU3MDAyLjcx\" target=\"blank\">Details<\/a><\/b><\/div>",
"timestamp": 1556657011,
"alert_level": 2,
"rewritten_url": "https:\/\/localhost:1234\/link?domain=sjkswimming.com&t=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eJxVj1tLwzAAhf9Lnosb6ZRZEF1XKOqaml6UwKC0aTTJkrY06Tod_nczHwRfD-fynTOYRgUCwK0dgv1ivzDyYGahteg-rmiv72_4XRGG27woMY4igl_C5zDPM_2FyRYL4AHLai1aVzFwYfjQ9-oi8pHVtlLsyFw79MCvg8Z8oJDPDbw1Oz9T1M-GRrebf7pGxyZfL1H8dEijBKZxck0kXZE3siTwVSCZqUQqlRSPKwTxjMT6hIoSIln6SbT53El6cgCis2zsajf-XivDPDAZNlZM10JVdduOzBgHZJmx7ujDH_rlskunJQi6SanvH_t0YSI.MEUCIFfBYKJA6WWnE2X-Hq8eb-2cQs8HKw-P8YfqlGEADXCrAiEAlW7mNY4RYlX8mffnHALzt6anD_-jmVW5f97RTmRimIc",
"client_ip": "127.0.0.1",
"confirmation_needed": true
},
"meta_data": {
"threat_level": 2,
"message_id": "<27013E93.1377A451@jackphelan.com>",
"rcpt_to_addresses": [
"testing@phishpool.com"
]
}
}
}
User Report
{
"teamid": "phishpool",
"event_type": "user_report",
"identifier": "inky-event",
"data": {
"inky_analysis": {
"reason_titles": [
"Brand Impersonation",
"Reported Phish",
"Phishing Content",
"Spammy Top-Level Domain"
],
"threat_level": 2
},
"user_data": {
"comment": "This is definitely not real!",
"opened_attachment": false,
"clicked_link": false,
"contact_email": "testing@phishpool.com",
"client_ip": "127.0.0.1",
"client_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36",
"label": "phish"
},
"meta_data": {
"message_id": "CA+8hhoBEwMTgEvtPrgiXpM3nWi0ffvzJ+OJKJ8G2JOar9Y-_CA@mail.gmail.com",
"from_email": "yukpergidugemsampaiod-taksangguppulangaja-95405@janganbilangpercaya.com"
}
}
}
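A parser for the three event types shown above, as an added example in Python that is not INKY's code. The point it makes is that `threat_level`, `message_id` and the reason list sit at a different path in each event type (`data.inky_analysis.suspicious_details` for analysis results, `data.meta_data` for link clicks, `data.inky_analysis` for user reports), so a SIEM parser needs per-type handling to produce one flat record. The sample events are constructed, trimmed copies of the three JSON examples on this page, and the `needs_attention` triage rule is an illustration of the kind of per-type fine-tuning the section describes, not INKY's own logic.

```python
"""Flatten INKY SIEM events into one record schema (added example, not INKY's code)."""
from typing import Any, Dict, List


def _get(d: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return default if any key along the path is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def normalize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten an INKY event envelope into a record with common fields plus type-specific extras."""
    etype = event.get("event_type")
    data = event.get("data", {})
    record: Dict[str, Any] = {
        "teamid": event.get("teamid"),
        "event_type": etype,
        "message_id": _get(data, "meta_data", "message_id"),
        "from_email": _get(data, "meta_data", "from_email"),
        "recipients": _get(data, "meta_data", "rcpt_to_addresses", default=[]),
        "threat_level": None,
        "reasons": [],
    }
    if etype == "analysis_result":
        details = _get(data, "inky_analysis", "suspicious_details", default={})
        record["threat_level"] = details.get("threat_level")
        record["reasons"] = details.get("reason_short_codes", [])
        record["scl"] = details.get("SCL")
        record["pcl"] = details.get("PCL")
        record["sender_ip"] = _get(data, "meta_data", "sender_IP")
    elif etype == "link_click":
        record["threat_level"] = _get(data, "meta_data", "threat_level")
        record["original_url"] = _get(data, "link_data", "original_url")
        record["client_ip"] = _get(data, "link_data", "client_ip")
        record["continue_allowed"] = _get(data, "link_data", "continue_allowed")
    elif etype == "user_report":
        record["threat_level"] = _get(data, "inky_analysis", "threat_level")
        record["reasons"] = _get(data, "inky_analysis", "reason_titles", default=[])
        record["label"] = _get(data, "user_data", "label")
        record["clicked_link"] = _get(data, "user_data", "clicked_link")
        record["opened_attachment"] = _get(data, "user_data", "opened_attachment")
    else:
        raise ValueError(f"unknown event_type: {etype!r}")
    return record


def needs_attention(record: Dict[str, Any], min_threat_level: int = 2) -> bool:
    """Illustrative triage rule (hypothetical, not INKY's): escalate only events at or above
    the threshold, and among those, the ones where a person interacted with the message."""
    level = record.get("threat_level")
    if level is None or level < min_threat_level:
        return False
    if record["event_type"] == "link_click":
        return True  # someone followed a link in a message INKY rated at/above the threshold
    if record["event_type"] == "user_report":
        return bool(record.get("clicked_link") or record.get("opened_attachment"))
    return "phishing_content" in record.get("reasons", [])


# Constructed, trimmed copies of the page's three JSON examples.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"teamid": "phishpool", "event_type": "analysis_result", "identifier": "inky-event",
     "data": {"meta_data": {"message_id": "<constructed-1@example.com>", "from_email": "janekane38312@gmail.com",
                            "sender_IP": "207.46.163.111", "rcpt_to_addresses": ["testing@phishpool.com"]},
              "inky_analysis": {"suspicious_details": {"SCL": 6, "PCL": 8, "threat_level": 2,
                                                       "reason_short_codes": ["phishing_content", "spam_content"]},
                                "threat_indicators": []}}},
    {"teamid": "phishpool", "event_type": "link_click", "identifier": "inky-event",
     "data": {"link_data": {"original_url": "http://sjkswimming.com?6h=TBBCSTUQQDDYQPBKBSSRmzQYCQi",
                            "client_ip": "127.0.0.1", "continue_allowed": True, "timestamp": 1556657011},
              "meta_data": {"threat_level": 2, "message_id": "<27013E93.1377A451@jackphelan.com>",
                            "rcpt_to_addresses": ["testing@phishpool.com"]}}},
    {"teamid": "phishpool", "event_type": "user_report", "identifier": "inky-event",
     "data": {"inky_analysis": {"reason_titles": ["Brand Impersonation", "Reported Phish"], "threat_level": 2},
              "user_data": {"label": "phish", "clicked_link": False, "opened_attachment": False,
                            "comment": "This is definitely not real!"},
              "meta_data": {"message_id": "<constructed-3@example.com>"}}},
]


def triage_feed(events: List[Dict[str, Any]], min_threat_level: int = 2) -> List[Dict[str, Any]]:
    """Normalize a batch of events and keep only those the triage rule escalates."""
    return [r for r in (normalize_event(e) for e in events) if needs_attention(r, min_threat_level)]


if __name__ == "__main__":
    for r in triage_feed(SAMPLE_EVENTS):
        print(r["event_type"], r["threat_level"], r["message_id"])
```

Any event that does not carry the `inky-event` identifier or a known `event_type` is rejected with a `ValueError` rather than silently mapped, so a future event type shows up as a parser error in the SIEM instead of as a record with empty fields.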