mail.knowbe4
- Former user (Deleted)
- Juan Tomás Alonso Nieto (Unlicensed)
Introduction
The tags beginning with mail.knowbe4 identify events generated by KnowBe4.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as mail.knowbe4. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype |
|---|---|---|---|
knowbe4 |
|
|
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
| mail.knowbe4.phisher.webhooks | mail.knowbe4.phisher.webhooks |
Log samples
The following are sample logs sent to each of the mail.knowbe4 data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
mail.knowbe4.phisher.webhooks
2022-02-07 08:49:58.912 localhost=127.0.0.1 mail.knowbe4.phisher.webhooks: {"bad_attachments": [], "headers": [{"sha1": "c2e543ac9a8fa62ed73afef58e8802686cb60fb0", "headers": [{"Received": "from laptop-15.graves-prince.com (78ef:3c4:5678:78ef::1234) by db-37.mydomain.org with HTTPS; Wed, 26 Jan 2022 19:03:31 +0000"}, {"Authentication-Results": "dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=lt-16.mydomain.org;"}, {"Received": "from db-37.mydomain.org (abc:d56:78ef:1a2b::3c4) by laptop-15.graves-prince.com (78ef:3c4:5678:78ef::1234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4909.12; Wed, 26 Jan 2022 19:03:30 +0000"}, {"Received": "from db-37.mydomain.org ([fe80::3d58:9dcf:f23c:e43e]) by db-37.mydomain.org ([fe80::3d58:9dcf:f23c:e43e%7]) with mapi id 15.20.4930.017; Wed, 26 Jan 2022 19:03:30 +0000"}, {"Thread-Topic": "PhishER -> Devo test 1/26/2022"}, {"Thread-Index": "AdgS52Ec89awdFGDSiGm4el6S2X/4Q=="}, {"Accept-Language": "en-US"}, {"Content-Language": "en-US"}, {"X-Ms-Has-Attach": ""}, {"X-Ms-Exchange-Organization-Scl": "-1"}, {"X-Ms-Tnef-Correlator": "<johnsonstephanie@desktop-64.gallagher-harris.com>"}, {"X-Ms-Exchange-Organization-Messagedirectionality": "Originating"}, {"X-Ms-Exchange-Organization-Authsource": "db-37.mydomain.org"}, {"X-Ms-Exchange-Organization-Authas": "Internal"}, {"X-Ms-Exchange-Organization-Authmechanism": "04"}, {"X-Ms-Exchange-Organization-Network-Message-Id": "35ab41dc-48ff-4892-81a6-08d9e0fe8b03"}, {"X-Ms-Publictraffictype": "Email"}, {"Return-Path": "rhodesandrew@db-88.harper.com"}, {"X-Ms-Exchange-Organization-Expirationstarttime": "26 Jan 2022 19:03:31.1451 (UTC)"}, {"X-Ms-Exchange-Organization-Expirationstarttimereason": "OriginalSubmit"}, {"X-Ms-Exchange-Organization-Expirationinterval": "1:00:00:00.0000000"}, {"X-Ms-Exchange-Organization-Expirationintervalreason": "OriginalSubmit"}, {"X-Ms-Office365-Filtering-Correlation-Id": "35ab41dc-48ff-4892-81a6-08d9e0fe8b03"}, {"X-Ms-Traffictypediagnostic": "SA1PR06MB8456:EE_"}, {"X-Ms-Oob-Tlc-Oobclassifiers": "OLM:4125;"}, {"X-Microsoft-Antispam": "BCL:0;"}, {"X-Forefront-Antispam-Report": "CIP:192.168.168.234;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:db-37.mydomain.org;PTR:;CAT:NONE;SFS:;DIR:INB;"}, {"X-Ms-Exchange-Crosstenant-Originalarrivaltime": "26 Jan 2022 19:03:30.7901 (UTC)"}, {"X-Ms-Exchange-Crosstenant-Fromentityheader": "Hosted"}, {"X-Ms-Exchange-Crosstenant-Id": "9c7d751b-b1a4-4c4a-9343-12b2814ae031"}, {"X-Ms-Exchange-Crosstenant-Authsource": "db-37.mydomain.org"}, {"X-Ms-Exchange-Crosstenant-Authas": "Internal"}, {"X-Ms-Exchange-Crosstenant-Network-Message-Id": "35ab41dc-48ff-4892-81a6-08d9e0fe8b03"}, {"X-Ms-Exchange-Crosstenant-Mailboxtype": "HOSTED"}, {"X-Ms-Exchange-Crosstenant-Userprincipalname": "ACm83GhCbIy7IaPgQVObZSVB2ubSwCO9CVKbFExC9XeRB47lLAH50k33vx5o3itPI+uHqyiXwZ/jWZqU90BTDgaIHf9gy49qRIaD55TVJEw="}, {"X-Ms-Exchange-Transport-Crosstenantheadersstamped": "SA1PR06MB8456"}, {"X-Ms-Exchange-Transport-Endtoendlatency": "00:00:00.8291478"}, {"X-Ms-Exchange-Processed-By-Bccfoldering": "15.20.4930.017"}, {"X-Microsoft-Antispam-Mailbox-Delivery": "ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506458)(944626604)(920097)(425001)(930097);"}, {"X-Microsoft-Antispam-Message-Info": "y5zfbYtWd85J74TmtPXNmB6L0vdw2srcYVLtzd9No9R5hswKa+MUdqf5rY2CtFupdJKL8ZT+u75T//D3ut3/iQsRoBXkxo2+z5X2SwpSuu48c4mLiv0qKj7zn7f2ZmwmI5EmUUMTkUM2j15a3teQqurXG/jOr8yAS7nGGq3QV4Deuianuc1YdyNxEh7uFfCBXhFpV/yvfwSbygyRy0Pvn5gTXystp8JrO4LfbA3q/hHRp9MHIX37FdnW9R+qGjH58YRAorX0lzmLDqB8gdTSQpTULXMKx+Tk3mNNNJLdf15He48zcvT/J2DR2x0mKk2Hf32hteestvALAyiPBU8uyS4kcHeYfH4NXvH6pUFQoTHm4yC5lxxw+49ohFiPVPo/an+b7BxVGe/OlG+uBzOXH2NvW2MlJN2sxeKfT3vVkaZbXuH7gkOMhoATQzzFtpA4t2ryR9zjXlWLyMOI5Ow3i5UdeLcZiQGpY7ctympafU9q9xtgdIrb7yUJK+TF30T5CDPYHTWoeZ9L2+t+uU0bxPaXaOTn+gvDBbrndPj/cu68NXQxJgMBS+QqdjjdYHzHAazrFjTZDDd+2NrWCxFE/lNOt50PhTZeVqa1w2YeJvmx0PDTEO/OOobk7iaEuyTSKLNbm8AYLzrioWUUVxh/CTYYnJIcWAFh+5pIOFPZTasje+YrAeWKVz4YYs+S7DWXryjw/Cdcw1jxRQPKiweK8MmRuG4+6spD3fgdkbzCTA/ROna2+FXXgdTBUHgvc25/RgDGWdEBwUKXpvYSKiT04YHlENHM1xq3vkVVZQ9Onr0="}, {"Acceptlanguage": "en-US"}, {"X-Ms-Exchange-Organization-Originalclientipaddress": "127.233.30.0"}, {"X-Ms-Exchange-Organization-Originalserveripaddress": "abc:d56:78ef:1a2b::3c4"}, {"X-Ms-Has-Attach": ""}, {"Received": "Wed, 26 Jan 2022 14:03:31 -0500"}, {"X-Priority": "3"}, {"X-Msmail-Priority": "Normal"}, {"Thread-Index": "AdgS52Ec89awdFGDSiGm4el6S2X/4Q=="}, {"Message-Id": "<johnsonstephanie@desktop-64.gallagher-harris.com>"}, {"From": "\\"Morrissey, Kevin\\" <rhodesandrew@db-88.harper.com>"}, {"To": "\\"Morrissey, Kevin\\" <rhodesandrew@db-88.harper.com>"}, {"Subject": "PhishER -> Devo test 1/26/2022"}, {"Date": "Wed, 26 Jan 2022 14:03:30 -0500"}, {"Mime-Version": "1.0"}, {"Content-Type": "Multipart/alternative; charset=us-ascii; boundary=\\"00B0FEF1_message_boundary\\""}, {"Content-Description": "Multipart message"}], "filename": "rawHeaders.txt", "sha256": "34761194d15f74df95994bc4b7c589bc5804111e39192df8e0dd666876e65a29", "byte_size": 4641, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/nd1v49q60skosp6rfi4jn9t7m99h2287kd4dhpg1/34761194d15f74df95994bc4b7c589bc5804111e39192df8e0dd666876e65a29?response-content-disposition=attachment%3B%20filename%3D%22rawHeaders.txt%22%3B%20filename%2A%3DUTF-8%27%27rawHeaders.txt&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QIOEBILRS%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T190501Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJHMEUCIQDEMdQElhAw1WmTqyBE9QA6n%2BTIoRFD6y7qXURDll3H5wIgdaOUGJ9YNDeDayFdQLjVUQryuLxTFGoIyG5lLqMg%2FQwqiAQIqv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDKXQ%2BPw36vZI0MY%2FIircA741FUTo9%2FXZo94F1qkn9VgyJUtf9qw%2FOjYBZexu2wOYx%2FhFoqs6sGupQFokzl0ZuVSJ44RV4R4bGlXiKLQEUU7eqvzxQlyCM9UdeBChQeXsLCeZeV6luH%2Fv1mw%2BfnifFZrTYYfuwZHNQdHM7qjHhSg8P98jHr4pn5IeFilmmsg52HutRRmgKBws%2Bm1miXhYxpP%2BcgI0dev%2Fygs93bOgiLfy54f9WrdmrnMqJwd%2FaTxIOQsCrPADjkUehwLtT9ub%2FEa8wIpgRXkSzHew%2Fq6Tp08GJeu%2B6l4maVfcEwbLUOZFBPMUFcSeDKO6QTStn712oVguOboBf2K3aBVu2wmE6CCkIjsvcvJtTBIJaDidtx2Vm7mli4c9PbOg8ngmcpmc3AlYPfe0vjbqvEaKEtIQhP6C1VH15g9PhhtNR9G3NOxV5q62%2Bp%2F5fbwCLV9r7gfKE2w0VEEVxXr4dXExggswIGOdqeuYIQjzauVTeN5Uteuj2IAVy1L9NPFoskMd5H9j4Z%2F9WvPLwZvtvVLDj9W76Wuk0W%2B%2FqO3Niiq0BbT6xb7dj08Gintt%2BeriEV%2BudZAR%2FrQwvxrBEmHSGmaK%2F3G3jM4YMdYcRmb%2B6SdV0OpmUn4MGITPcxdltx6WXolYMPGFxo8GOqUB%2FcF1EzhU2MwpLD4%2FiGEunQ0uA0b0rsKu3pLLeHY%2FEB75qJY9IB7BKf%2Fl44v8sqCnAeV59REZiTWdCy57gu3hNtO4OEJDxldMKouNaEpgi4Wtpez81nkt1RMHQ5LyrBE60BKb1vzsNP9Fft9UFoEqAW%2BEoAhhVlrBSaxguboloO6wtjEVL%2FZfjuDTmrRucSlVHXBIfVeTvNTeb2PiYCn4UtSLQKyx&X-Amz-SignedHeaders=host&X-Amz-Signature=2d139e707eda5bb9b75e52868749ab3a24742b5998f551cb6481540be1c45aee", "md5": "b49effba924c1541cad55b08cbfafb91"}], "addresses": {"cc": "", "reply_to": "", "reported_by": "edwardsilva@desktop-64.gallagher-harris.com", "from": "edwardsilva@desktop-64.gallagher-harris.com", "to": ["rhodesandrew@db-88.harper.com"]}, "attachments": [], "raw": [{"sha1": "f87d5b518a37b4747a5033131c305c5a55dc2a42", "filename": "", "sha256": "464116cc0c704e13951bbc0848b36f978e32b62ed2f4f50a29b8622ba256f9b9", "byte_size": 10823, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/nd1v49q60skosp6rfi4jn9t7m99h2287kd4dhpg1/464116cc0c704e13951bbc0848b36f978e32b62ed2f4f50a29b8622ba256f9b9?response-content-disposition=attachment%3B%20filename%3D%22%22%3B%20filename%2A%3DUTF-8%27%27&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QIOEBILRS%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T190501Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJHMEUCIQDEMdQElhAw1WmTqyBE9QA6n%2BTIoRFD6y7qXURDll3H5wIgdaOUGJ9YNDeDayFdQLjVUQryuLxTFGoIyG5lLqMg%2FQwqiAQIqv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDKXQ%2BPw36vZI0MY%2FIircA741FUTo9%2FXZo94F1qkn9VgyJUtf9qw%2FOjYBZexu2wOYx%2FhFoqs6sGupQFokzl0ZuVSJ44RV4R4bGlXiKLQEUU7eqvzxQlyCM9UdeBChQeXsLCeZeV6luH%2Fv1mw%2BfnifFZrTYYfuwZHNQdHM7qjHhSg8P98jHr4pn5IeFilmmsg52HutRRmgKBws%2Bm1miXhYxpP%2BcgI0dev%2Fygs93bOgiLfy54f9WrdmrnMqJwd%2FaTxIOQsCrPADjkUehwLtT9ub%2FEa8wIpgRXkSzHew%2Fq6Tp08GJeu%2B6l4maVfcEwbLUOZFBPMUFcSeDKO6QTStn712oVguOboBf2K3aBVu2wmE6CCkIjsvcvJtTBIJaDidtx2Vm7mli4c9PbOg8ngmcpmc3AlYPfe0vjbqvEaKEtIQhP6C1VH15g9PhhtNR9G3NOxV5q62%2Bp%2F5fbwCLV9r7gfKE2w0VEEVxXr4dXExggswIGOdqeuYIQjzauVTeN5Uteuj2IAVy1L9NPFoskMd5H9j4Z%2F9WvPLwZvtvVLDj9W76Wuk0W%2B%2FqO3Niiq0BbT6xb7dj08Gintt%2BeriEV%2BudZAR%2FrQwvxrBEmHSGmaK%2F3G3jM4YMdYcRmb%2B6SdV0OpmUn4MGITPcxdltx6WXolYMPGFxo8GOqUB%2FcF1EzhU2MwpLD4%2FiGEunQ0uA0b0rsKu3pLLeHY%2FEB75qJY9IB7BKf%2Fl44v8sqCnAeV59REZiTWdCy57gu3hNtO4OEJDxldMKouNaEpgi4Wtpez81nkt1RMHQ5LyrBE60BKb1vzsNP9Fft9UFoEqAW%2BEoAhhVlrBSaxguboloO6wtjEVL%2FZfjuDTmrRucSlVHXBIfVeTvNTeb2PiYCn4UtSLQKyx&X-Amz-SignedHeaders=host&X-Amz-Signature=483f94e32801edcb94ed2aa6379b31404f212cdd75ca7c74a2c0fccd92480298", "md5": "ebdce5ad399c52b8c445e5ba1f0e2178"}], "phishml": {"confidence_spam": "0.00128627486992627", "confidence_clean": "0.998733103275299", "category": "clean", "confidence_threat": "0.0000105695444290177"}, "history": [{"date": "2022-01-26T19:05:01Z", "trigger_name": null, "causer_type": "Action", "event_type": "other", "trigger_type": null, "events": {"changed_fields": {"severity": ["low", "medium"]}}, "causer_name": "Potential Clean (NO PML)"}, {"date": "2022-01-26T19:05:00Z", "trigger_name": null, "causer_type": "Action", "event_type": "other", "trigger_type": null, "events": {"changed_fields": {"severity": ["unknown_severity", "low"], "category": ["unknown", "clean"], "action_status": ["received", "resolved"]}}, "causer_name": "CLEAN (PML:CLEAN)"}, {"date": "2022-01-26T19:05:00Z", "trigger_name": null, "causer_type": "Action", "event_type": "other", "trigger_type": null, "events": {"emails": [{"action_email_id": "e3d4307f-a557-4316-8d0e-0fa909e9875b", "to": ["edwardsilva@desktop-64.gallagher-harris.com"], "email": "Initial Feedback - All", "status": null}], "tags": {"added": ["RECEIPT FEEDBACK - ALL"]}}, "causer_name": "Feedback Receipt Message"}, {"date": "2022-01-26T19:04:59Z", "trigger_name": null, "causer_type": "Rule", "event_type": "other", "trigger_type": null, "events": {"tags": {"added": ["INTERNAL_MAIL"]}, "changed_fields": {"pipeline_status": ["processing", "processed"]}}, "causer_name": "Internal Emails"}, {"date": "2022-01-26T19:03:57Z", "trigger_name": null, "causer_type": "Integrations::PhishMl::Report", "event_type": "other", "trigger_type": null, "events": {"report": {"name": "Phish ML", "results": [{"field": "clean", "value": "99.87"}, {"field": "spam", "value": "0.13"}, {"field": "threat", "value": "0.00"}]}, "tags": {"added": ["PML:CLEAN"]}}, "causer_name": "Phish ML"}, {"date": "2022-01-26T19:03:44Z", "trigger_name": null, "causer_type": null, "event_type": "created", "trigger_type": null, "events": null, "causer_name": null}], "bad_links": [], "tags": ["RECEIPT FEEDBACK - ALL", "INTERNAL_MAIL", "PML:CLEAN"], "virustotal": [], "html": [{"sha1": "04aa0e944f7d668541f4c4f1e36ad0fbce1bb1a4", "filename": "messageBody.html", "sha256": "d53ff7d1d57d76c40a4ba1c494cb764a8e27b5d15fd4779719996dc9d8ee9d3a", "byte_size": 4700, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/nd1v49q60skosp6rfi4jn9t7m99h2287kd4dhpg1/d53ff7d1d57d76c40a4ba1c494cb764a8e27b5d15fd4779719996dc9d8ee9d3a?response-content-disposition=attachment%3B%20filename%3D%22messageBody.html%22%3B%20filename%2A%3DUTF-8%27%27messageBody.html&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QIOEBILRS%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T190501Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJHMEUCIQDEMdQElhAw1WmTqyBE9QA6n%2BTIoRFD6y7qXURDll3H5wIgdaOUGJ9YNDeDayFdQLjVUQryuLxTFGoIyG5lLqMg%2FQwqiAQIqv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDKXQ%2BPw36vZI0MY%2FIircA741FUTo9%2FXZo94F1qkn9VgyJUtf9qw%2FOjYBZexu2wOYx%2FhFoqs6sGupQFokzl0ZuVSJ44RV4R4bGlXiKLQEUU7eqvzxQlyCM9UdeBChQeXsLCeZeV6luH%2Fv1mw%2BfnifFZrTYYfuwZHNQdHM7qjHhSg8P98jHr4pn5IeFilmmsg52HutRRmgKBws%2Bm1miXhYxpP%2BcgI0dev%2Fygs93bOgiLfy54f9WrdmrnMqJwd%2FaTxIOQsCrPADjkUehwLtT9ub%2FEa8wIpgRXkSzHew%2Fq6Tp08GJeu%2B6l4maVfcEwbLUOZFBPMUFcSeDKO6QTStn712oVguOboBf2K3aBVu2wmE6CCkIjsvcvJtTBIJaDidtx2Vm7mli4c9PbOg8ngmcpmc3AlYPfe0vjbqvEaKEtIQhP6C1VH15g9PhhtNR9G3NOxV5q62%2Bp%2F5fbwCLV9r7gfKE2w0VEEVxXr4dXExggswIGOdqeuYIQjzauVTeN5Uteuj2IAVy1L9NPFoskMd5H9j4Z%2F9WvPLwZvtvVLDj9W76Wuk0W%2B%2FqO3Niiq0BbT6xb7dj08Gintt%2BeriEV%2BudZAR%2FrQwvxrBEmHSGmaK%2F3G3jM4YMdYcRmb%2B6SdV0OpmUn4MGITPcxdltx6WXolYMPGFxo8GOqUB%2FcF1EzhU2MwpLD4%2FiGEunQ0uA0b0rsKu3pLLeHY%2FEB75qJY9IB7BKf%2Fl44v8sqCnAeV59REZiTWdCy57gu3hNtO4OEJDxldMKouNaEpgi4Wtpez81nkt1RMHQ5LyrBE60BKb1vzsNP9Fft9UFoEqAW%2BEoAhhVlrBSaxguboloO6wtjEVL%2FZfjuDTmrRucSlVHXBIfVeTvNTeb2PiYCn4UtSLQKyx&X-Amz-SignedHeaders=host&X-Amz-Signature=65b95ef5a38eefb34aef084dba16bd150d0187eaddbf77b88afae09701b602bd", "md5": "4feb09077ec5d3b5a74cec63bec7ecd6"}], "links": ["http://lt-16.mydomain.org", "http://db-31.mydomain.net", "https://mydomain.org/some_clientElevatorCo?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor", "https://www.mydomain.org/some_clientelevatorco/?hl=en", "https://www.mydomain.org/user/some_clientElevatorCompany", "https://www.mydomain.org/company/some_client_elevators", "http://db-31.mydomain.net/site/us/pages/Privacy.aspx"], "text": [{"sha1": "f9256b1608ac8f509309648df8b13e4d3aa04f8a", "filename": "messageBody.txt", "sha256": "b944588cc769d4f9acccb184375a109273c786ac633bf2bb9d758f18edaed48d", "byte_size": 636, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/nd1v49q60skosp6rfi4jn9t7m99h2287kd4dhpg1/b944588cc769d4f9acccb184375a109273c786ac633bf2bb9d758f18edaed48d?response-content-disposition=attachment%3B%20filename%3D%22messageBody.txt%22%3B%20filename%2A%3DUTF-8%27%27messageBody.txt&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QIOEBILRS%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T190501Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJHMEUCIQDEMdQElhAw1WmTqyBE9QA6n%2BTIoRFD6y7qXURDll3H5wIgdaOUGJ9YNDeDayFdQLjVUQryuLxTFGoIyG5lLqMg%2FQwqiAQIqv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDKXQ%2BPw36vZI0MY%2FIircA741FUTo9%2FXZo94F1qkn9VgyJUtf9qw%2FOjYBZexu2wOYx%2FhFoqs6sGupQFokzl0ZuVSJ44RV4R4bGlXiKLQEUU7eqvzxQlyCM9UdeBChQeXsLCeZeV6luH%2Fv1mw%2BfnifFZrTYYfuwZHNQdHM7qjHhSg8P98jHr4pn5IeFilmmsg52HutRRmgKBws%2Bm1miXhYxpP%2BcgI0dev%2Fygs93bOgiLfy54f9WrdmrnMqJwd%2FaTxIOQsCrPADjkUehwLtT9ub%2FEa8wIpgRXkSzHew%2Fq6Tp08GJeu%2B6l4maVfcEwbLUOZFBPMUFcSeDKO6QTStn712oVguOboBf2K3aBVu2wmE6CCkIjsvcvJtTBIJaDidtx2Vm7mli4c9PbOg8ngmcpmc3AlYPfe0vjbqvEaKEtIQhP6C1VH15g9PhhtNR9G3NOxV5q62%2Bp%2F5fbwCLV9r7gfKE2w0VEEVxXr4dXExggswIGOdqeuYIQjzauVTeN5Uteuj2IAVy1L9NPFoskMd5H9j4Z%2F9WvPLwZvtvVLDj9W76Wuk0W%2B%2FqO3Niiq0BbT6xb7dj08Gintt%2BeriEV%2BudZAR%2FrQwvxrBEmHSGmaK%2F3G3jM4YMdYcRmb%2B6SdV0OpmUn4MGITPcxdltx6WXolYMPGFxo8GOqUB%2FcF1EzhU2MwpLD4%2FiGEunQ0uA0b0rsKu3pLLeHY%2FEB75qJY9IB7BKf%2Fl44v8sqCnAeV59REZiTWdCy57gu3hNtO4OEJDxldMKouNaEpgi4Wtpez81nkt1RMHQ5LyrBE60BKb1vzsNP9Fft9UFoEqAW%2BEoAhhVlrBSaxguboloO6wtjEVL%2FZfjuDTmrRucSlVHXBIfVeTvNTeb2PiYCn4UtSLQKyx&X-Amz-SignedHeaders=host&X-Amz-Signature=e05aa94209e9cdfcd590a5dab6e84fd31233d2065573e4c931da5127d034cac8", "md5": "c793df49c9242594345987824576f4b4"}]}
2022-02-07 08:49:59.760 localhost=127.0.0.1 mail.knowbe4.phisher.webhooks: {"bad_attachments": [], "headers": [{"sha1": "526ab8746a3132a5cc5d4bc6d49f9d0e0bf4d390", "headers": [{"Received": "from laptop-75.mydomain.net (5678:1234:abc:1a2b::d56) by web-09.mydomain.org with HTTPS; Wed, 26 Jan 2022 21:06:46 +0000"}, {"Received": "from lt-18.mcdaniel.com (abc:5678:1234:3c4::3c4) by laptop-75.mydomain.net (5678:1234:abc:1a2b::d56) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.15; Wed, 26 Jan 2022 21:06:45 +0000"}, {"Received": "from laptop-12.long-hoover.com (5678:cde:d56:5678:d56::abc) by lt-77.mydomain.com (abc:5678:1234:3c4::3c4) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.15 via Frontend Transport; Wed, 26 Jan 2022 21:06:45 +0000"}, {"Authentication-Results": "spf=softfail (sender IP is 127.174.54.184) smtp.mailfrom=db-79.freeman.org; dkim=fail (signature did not verify) header.d=db-79.freeman.org;dmarc=fail action=none header.from=db-79.freeman.org;compauth=none reason=405"}, {"Received-Spf": "SoftFail (protection.outlook.com: domain of transitioning db-79.freeman.org discourages use of 127.174.54.184 as permitted sender)"}, {"Received": "from db-37.brown.com (127.174.54.184) by email-71.blair.com (127.8.243.208) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.15 via Frontend Transport; Wed, 26 Jan 2022 21:06:45 +0000"}, {"Received": "from pps.filterd (srv-32.mydomain.org [192.168.181.55]) by db-37.brown.com (192.168.194.139/192.168.194.139) with ESMTP id 20QJLxEG022260 for <theresaorr@laptop-99.blake-carter.com>; Wed, 26 Jan 2022 16:06:44 -0500"}, {"Authentication-Results-Original": "mydomain.com;\\tspf=pass smtp.mailfrom=vmiller@db-79.freeman.org;\\tdkim=pass header.d=db-79.freeman.org header.s=20210112;\\tdmarc=pass header.from=db-79.freeman.org"}, {"Received": "from desktop-11.phillips-price.info (desktop-11.phillips-price.info [192.168.137.117]) by db-37.brown.com (PPS) with ESMTPS id 3dtww1arp0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <theresaorr@laptop-99.blake-carter.com>; Wed, 26 Jan 2022 16:06:44 -0500"}, {"Received": "by desktop-11.phillips-price.info with SMTP id s61-20020a17090a69c300b001b4d0427ea2so5473194pjj.4 for <theresaorr@laptop-99.blake-carter.com>; Wed, 26 Jan 2022 13:06:44 -0800 (PST)"}, {"Dkim-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=db-79.freeman.org; s=20210112; h=return-receipt-to:from:to:subject:date:message-id:mime-version :thread-index:content-language:disposition-notification-to; bh=GbxQJY0VH2nRlEozukrtZlGN5Xf64/GrW5gvy9fP5to=; b=ZQb0gtoXXJ5ILobbuWy/ArIWKwr8FzkGoKkgRRUKLtppslSiSP1MwXIpZjdjiQPxg9 zk935yChRpg9Wv9LSxBWUQlQ4Gu2Mn5q9MDnKy9KP3Hk31e6HueUpuG8UhZWnbDK8MU7 PNPODrvcdweoTHysYjfDx4EODGm2HqwpyjhkvoBhBPkh3PU7YyOfBnSl/uE4nL+hovpY iTjRUR8fQQDdLnx07BvYtMXzefnUSR+hKhfD8NyXRL82sddDIdwT96OzTby078wBSBQn Vcl+eNSfkbDGrS5YXyxA4NlGBRI7520xuzKdNMJUaCqANfMV6Fc2oK2Ynn6KCNDCgedX Z1pg=="}, {"X-Google-Dkim-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:return-receipt-to:from:to:subject:date :message-id:mime-version:thread-index:content-language :disposition-notification-to; bh=GbxQJY0VH2nRlEozukrtZlGN5Xf64/GrW5gvy9fP5to=; b=Sa6djd4xvqWntwDRXd+NBPLBus8Tn0riWaix6wEznyijy7crwbhaRjWIwXVSdLzDh7 Bz3ksI+9hA+dr8M89B/3JusX/IUenxaevYwlEKX2iiAimpRRvI7VRnmJXsznOvOpGpdw p71L85/VRU6uhYWcpBppQRSiMszkkIv+G2QXyAgFJUBl7b3IZJZ0gF5jHrSp2eIxvhwe fl0KUgqPjgCR63b533slsdEIdwphApsCgF+PQWwc06bj+mmBiWm2/uDTL3RpQVBRHHjX RGVZjQso/mEavv2rPESUek6X3iXqIUY243e5CFDWcXiZ2vhiJdkU/ylTr1hxHUFoZJ5V hEWg=="}, {"X-Gm-Message-State": "AOAM531AMnhThCmuW9oNtgp+0rPizi01J82btfaBBvjiHZ08je0C2Rmw\\tE0HXVtpS58xOtHpX4/7xOHgKrsKB5cE="}, {"X-Google-Smtp-Source": "ABdhPJwPgNFV48lRIWkq3dKasLqgrTk8M4Lqs59wQU1dX4sc4abl5twtw2wDT2tbbowcD6UqEpm6tw=="}, {"X-Received": "by 78ef:cde:5678:abc:: with SMTP id pj4mr740732pjb.167.1643231202623; Wed, 26 Jan 2022 13:06:42 -0800 (PST)"}, {"Received": "from WhiteleafPC ([192.168.223.27]) by email-14.houston.org with ESMTPSA id d8sm3718091pjz.32.20192.168.65.157.06.41 for <theresaorr@laptop-99.blake-carter.com> (version=TLS1 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128); Wed, 26 Jan 2022 13:06:41 -0800 (PST)"}, {"Return-Receipt-To": "\\"Cathy Kelley\\" <vmiller@db-79.freeman.org>"}, {"Thread-Index": "AdgS+I34cJRhBH4hS/KuZwxdUF4cHQ=="}, {"Content-Language": "en-us"}, {"Disposition-Notification-To": "\\"Cathy Kelley\\" <vmiller@db-79.freeman.org>"}, {"X-Proofpoint-Guid": "OoOztg8fMtCmbXhkpjyJbfvTYVhzuLYZ"}, {"X-Proofpoint-Orig-Guid": "OoOztg8fMtCmbXhkpjyJbfvTYVhzuLYZ"}, {"X-Clx-Response": "1TFkXGxIRCkx6Fx8bHxEKWUQXaW9Cfm5QGl9daGsRClhYF2JlU1pGGE1ARmZ mEQp4ThdjU2NrexNYfhpfXhEKeUwXYXJJeB15fWN/R3kRCkNIFwcbHxsRCkNZFwcbGx8RCkNJFx oEGhoaEQpZTRdnZnIRCllJFxpxGhAadwYccRgZEBgadwYbGAYaEQpZXhdsbHkRCklGF0VeQ1l1Q kVZXk9OEQpDThdlRWVQXk0STGdeaUdIckJBWkBTYEhMXH5zfEJQX2ZzcBEKWFwXHwQaBBgeHwUb GgQbGxoEHQQbGRkQGx4aHxoRCl5ZF3BgG1IFEQpNXBceGxkRCkxaF3xpTV1rEQpFWRdvaxEKTF8 XegUFBQUFBQUFBW8RCk1OF2lrEQpMRhdva2tra2sRCkJPF2R+WE9mbnNJcFtPEQpDWhcYGhMEEh 8EGBscBB8YEQpCXhcbEQpCXBcbEQpeThcbEQpCSxdjU2NrexNYfhpfXhEKQkkXY1Nja3sTWH4aX 14RCkJFF2ZmBR1Je2gTGUkZEQpCThdjU2NrexNYfhpfXhEKQkwXYmVTWkYYTUBGZmYRCkJsF3pL SWh+XkBkBXxAEQpCQBdlG09DWlwSZBlAGxEKQlgXem5uHgF4QUUbE2kRClpYFxgRCnlDF2lORH9 lEmNyBQVLEQpZSxcTHBwZEQpwaBdiexJ4eH0dbXsZHhAdGhEKcGgXY3tiEh0fflsBZxMQHRoRCn BoF2Vwe0BGHlBSWx4SEB0aEQpwaBdmbGBSbmlMSFwdTBAcGhEKcGgXbEh5RR1mbXN6e04QHRoRC nBsF2B+Y15aG1tARFhMEBkaEQpwQxduBUJTbVpAfH4dbBAeEhEKbX4XGhEKWE0XSxEg"}, {"X-Clx-Shades": "MLX"}, {"X-Proofpoint-Virus-Version": "vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:192.168.2.743 definitions=2022-01-26_08,2022-01-26_01,2021-12-02_01"}, {"X-Proofpoint-Spam-Details": "rule=inbound_notspam policy=inbound score=0 phishscore=0 malwarescore=0 clxscore=18 lowpriorityscore=0 bulkscore=0 spamscore=0 mlxscore=0 priorityscore=515 suspectscore=0 mlxlogscore=314 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2201260122 domainage_hfrom=9663"}, {"Return-Path": "vmiller@db-79.freeman.org"}, {"X-Ms-Exchange-Organization-Expirationstarttime": "26 Jan 2022 21:06:45.4962 (UTC)"}, {"X-Ms-Exchange-Organization-Expirationstarttimereason": "OriginalSubmit"}, {"X-Ms-Exchange-Organization-Expirationinterval": "1:00:00:00.0000000"}, {"X-Ms-Exchange-Organization-Expirationintervalreason": "OriginalSubmit"}, {"X-Ms-Exchange-Organization-Network-Message-Id": "3e9e20e9-cf07-4e5f-5884-08d9e10fc295"}, {"X-Eopattributedmessage": "0"}, {"X-Eoptenantattributedmessage": "9c7d751b-b1a4-4c4a-9343-12b2814ae031:0"}, {"X-Ms-Exchange-Organization-Messagedirectionality": "Incoming"}, {"X-Ms-Publictraffictype": "Email"}, {"X-Ms-Exchange-Organization-Authsource": "laptop-12.long-hoover.com"}, {"X-Ms-Exchange-Organization-Authas": "Anonymous"}, {"X-Ms-Office365-Filtering-Correlation-Id": "3e9e20e9-cf07-4e5f-5884-08d9e10fc295"}, {"X-Ms-Traffictypediagnostic": "MW4PR06MB8378:EE_"}, {"X-Ms-Exchange-Organization-Scl": "-1"}, {"X-Ms-Oob-Tlc-Oobclassifiers": "OLM:5797;"}, {"X-Microsoft-Antispam": "BCL:0;"}, {"X-Forefront-Antispam-Report": "CIP:127.174.54.184;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:NSPM;H:db-37.brown.com;PTR:db-37.brown.com;CAT:NONE;SFS:;DIR:INB;"}, {"X-Ms-Exchange-Crosstenant-Originalarrivaltime": "26 Jan 2022 21:06:45.1993 (UTC)"}, {"X-Ms-Exchange-Crosstenant-Network-Message-Id": "3e9e20e9-cf07-4e5f-5884-08d9e10fc295"}, {"X-Ms-Exchange-Crosstenant-Id": "9c7d751b-b1a4-4c4a-9343-12b2814ae031"}, {"X-Ms-Exchange-Crosstenant-Authsource": "laptop-12.long-hoover.com"}, {"X-Ms-Exchange-Crosstenant-Authas": "Anonymous"}, {"X-Ms-Exchange-Crosstenant-Fromentityheader": "Internet"}, {"X-Ms-Exchange-Transport-Crosstenantheadersstamped": "MW4PR06MB8378"}, {"X-Ms-Exchange-Transport-Endtoendlatency": "00:00:00.9871016"}, {"X-Ms-Exchange-Processed-By-Bccfoldering": "15.20.4909.019"}, {"X-Microsoft-Antispam-Mailbox-Delivery": "ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506458)(944626604)(920097)(930097);"}, {"X-Microsoft-Antispam-Message-Info": "Z4VXbLmfVfdI4NeCUApggS13OzL7BnyJ6f4Oyq1xSR/yDAgkzqRCjVN9PWNbn19fCkRxhjFUiuCrnOxYtqvisz04B1Lbg+2CHl6gIXnRYi29lzIlJB8NAPiOf4EinwDxu9bKngqerTN0zgnLtX79YqMh6atGlafcDb417mTC5FG3sU7y8k/cie3eEY3kIvgAAK61uCvX6OINpjFJ5NZM1Oxgsma0501YwZacuBrZYKCESalroczi7+NhK7z/VVjRq5t7qlS5HiFzfZA6l0jCVMI9mahMdmi3nMUESWLiY/cfh4nmbNHCeQ+krzHywQqX7SXmsppICJiscOzdq7hJBtRAtHaFmAvQGmwuCkAcFXVcjL0PRX0FmFUnwgO5Eo95NRXhAoffc62PwbMy4QHQpKXt5JF6w7a+CtzQJLlxhexXkL/Rij/OKlHitpvAmbagPdLDM+m7KGcaXtY5ifOeg5uZSmJXhupWh7XTV6sPsvQneEtkBiAiFY3cJELjdHidQ4untLvhH4uCaCyQFmWq/uipgjrxBdnbbsvmmun0eJ7oiuxld313lAz/GpUySmL9SeyGWvnWLJc5Hoy20CY9WhbND6LmPdUObjqqI8YF/Vb8ew9SDQrpOgfLymVDGd2yho1p0d8PBBQk3wFiwoDvIAHFoT9k5XM110I3m9Hvhy0Y6SJzKWKBS9x9xSHm+Ndx7f0M7CpqKd7s+Z0mnMB5tSlX2a7bVNvuyeMRkkGozxddt+xHQuZYAgAMm/Pl4gvq/x2nXM3DGd/JDQUwSe0QtLd7jU5Cjp9u3CzqsmOrxduG9Go93zjMn4zEUTCcBXc/LfhhjBYseZQjLW6mWXQmuRboAiAbd56VSiiefknNHk/QTh2MpeseqDwjhxhQMgX70h1XvCHKkGunOe0xVCtHuvGBqbGnB0FC53Cux0zmWFCBOLotV+BQVb353XF0Hu1ClSoSekGD911QPg8WJyxcmaQ70o1hskYylmBVKKIE00xJu6JlHs4PpB402n+qfdJzh1cw1LaIlyAZK+GTPAY+T1SLsoORihp9aQ6hKamBbAheDvr7qe5+xuxUCCWC3j4QlSB9ObJH9GoOSNih949h2AepGV3a69MavRX6XNfeUEsUysCnT6WMfa1o150ts6qIM4QOVMCWtpbWXfubyQnAoOvSPlUMlK3b8l1xjpNbMRQnEKB4xf6teAshoU6PxXchio3h5z9T5fkhxJ2TMk+oBWfCOrMR+w8Wgki8wEgNSUBTIDWn6gX9XqRuEuqhiv7yI+fh/dVjtuEb5dnDxO4oCWQ79dLhBiJ437Du/wObwaTATTh6JSFBVR9nFZ/0/yL7Fj1T7RdzXheno1fhST9Oa7flbHASeq7Fdz/Su+kn6COaUyOiopv/pEuwme9frMmyBfmMJV30/BqhqGyS5A95u4o7jZrrSfsCxD7Teb96aYxstILX3wMs9cpVRCe6RpsU9ekTnCb6H5xnXQ+NiYr6UhI7oMjaDR7W+6eRmQDeLUAQx1zVxNK8jKKA2EaMMgSGyJmQVDAgjEkm0kaCHJfOJYobwCa+SXykyqHoGKz8MOaSl4lb0Zh5hAyyi4WWxI290wA2O3aKuZbKBUi/z8Yj0/sWiPzTi/P+WhuBxSQCaoLRvGS/V4lv+D2x6opW4UAcj2WTj+sSvcGGlyO3Te8AwKPKFnChcTfX+XTEMQjEqh/EdWjeXO4guRiVvr6Z5ISbWtFEDGSUmmrX2us4vgFTBnwVxwlbtHsUSOg7wg8uD6xY7DNnEZAKpjhYFd0auYMj8qixg+4fbqN6CadVvwGQXGuKHK6u2r4HcWVeaEKM3iZJDp1peUD4HlSUeM/4MoAMmGYf2uKiaY8QA9QH/U7SnqNAofvrJ1+GUVSQ46xBPMfIjha7AKtzdl4g4hyKQZwE6e9njAIcRJGJE2efWQvvX2Fi/iDrmpH/RHmaH41vb0ow6nMwick4YevY/e3pspBud+CZMtGSfPVub+9vA1DLe7Ag69V3WaXQBQ+TuWkN19ItrDypLrt6yZ/sLOVE0VV+3YfbyWtPJ5oAPNEL1ocy+LOGYrFSH6VQ+5nbfVt1/lHvIMrP02OcADR83CdvpzUJjJUtWkkyoVxEtJjFfnC1bsADJUKqyi3TjFTwFJhvG56vjAUhpHXfIuV0WOcSrblccQa2eHJhTp8DsIDd+a4XI+ZRl9CTCkKNHwVeBjudQhStem5aC6Z9XfLjjbUt5KZE"}, {"X-Ms-Exchange-Organization-Originalclientipaddress": "127.174.54.184"}, {"X-Ms-Exchange-Organization-Originalserveripaddress": "127.8.243.208"}, {"Received": "Wed, 26 Jan 2022 15:06:46 -0600"}, {"X-Priority": "3"}, {"X-Msmail-Priority": "Normal"}, {"Thread-Index": "AdgS+I34cJRhBH4hS/KuZwxdUF4cHQ=="}, {"Message-Id": "<!&!AAAAAAAAAAAYAAAAAAAAAOGYZgsA91lFpu9kSZdrSTrCgAAAEAAAAA05iXokKwNBrr+HgTGPTjkBAAAAAA==@db-79.freeman.org>"}, {"Disposition-Notification-To": "\\"Cathy Kelley\\" <vmiller@db-79.freeman.org>"}, {"From": "\\"Cathy Kelley\\" <vmiller@db-79.freeman.org>"}, {"To": "\\"Gary, Jessica\\" <frivera@email-89.lee.biz>"}, {"Subject": "[EXTERNAL] theresaorr@laptop-99.blake-carter.com"}, {"Date": "Wed, 26 Jan 2022 15:06:20 -0600"}, {"Mime-Version": "1.0"}, {"Content-Type": "Multipart/alternative; charset=windows-1252; boundary=\\"00B0FEEF_message_boundary\\""}, {"Content-Description": "Multipart message"}], "filename": "rawHeaders.txt", "sha256": "f9b968915a9de799e12824df3a164048ba8cee253e8cc4f58e55f7419a132eb9", "byte_size": 10786, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/dhi8s7ab7d4s9vccp40835pah1kimf68e19s7v81/f9b968915a9de799e12824df3a164048ba8cee253e8cc4f58e55f7419a132eb9?response-content-disposition=attachment%3B%20filename%3D%22rawHeaders.txt%22%3B%20filename%2A%3DUTF-8%27%27rawHeaders.txt&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QANKD357G%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T211701Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJIMEYCIQDchNOz%2Fgr238%2BehE%2F9xT5Zk%2BHscDXHG8pVvlW6ppWebgIhANKi3%2BkoC479q4jaJUzMFWI7GvXI5JBC8%2F%2F7Gw5XmhGBKogECK3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMODIzMTkzMjY1ODI0IgyQNxitbhArfS6ei4Iq3AOB3RvNZ9Bpg%2BqWFF4BZWXhdRESmogQOLkshLPmgIVikeRNFE61h4I8TDSD9%2FZMUJzVtRIz0xuB8JeGnK7EidWuReMTiCCH1%2FShGrNR2NqiyvIvNWQ2BbeSfqDyC11nvXIQDTx62SFDlo2DMl5Gy%2BtNP7yid%2FsdJ8RjcAbc7NRcu7txZUTVm7XKcKrdGkCvJ6SU%2Fuien3O7F26UsLpXU%2FtrR6S2R5g7LvD%2BwI3VwEzukeaYH%2FTV%2BjiN8YyTMWGHgnWPRGI4tiHOagz2d8gDTDAy0%2FJe5tuQmMkmF69BA6flvMNJt8NJ%2BRrQMVOVRqMH7aqG3GXYKwZ5opIpmLkGpzkduUqxa9sTg5UcvEmHjZa2RGProjrrIO5In0%2F%2BOd7Bp2O3bVJ06kXhpNdTcqWfG%2BTUWdLvqe6B50vPpycZbpBYHbymmhptvVl%2BotVQ10EuXhQRj3dnySF0PY5DIFMP54ptTl1pciT7rG5Q9uYO%2FX5CHW%2FfBxplzOu%2BEns8B2NcQ6XvyaTWsVXIHUfskUxlu13tqBgKxT5sZo%2FPZJABKqTNE7rPpUMrF6MmwWXF%2Fj9JlsPGNPXW5Jvcko9wZPp7%2FaS7NL5SQgQXKk3ir55wNitpJYlUS7IiubGsFUREADDv0caPBjqkAZ%2F8zNDA0y2hAF7bRaSfuH%2FSFB%2Bu4r7R32TVINZSlsklscrUrl8SUTm6gCSWFgO6PQjSF%2F7usb2kmp%2FKPK%2FRL1PBPDexAPA%2BDp0HlxIL5vEuB3MaEUx1ukeqdPWaUeieMsChsM7zPc4PG6GU2b3aH7gmPL9mMrL%2BghlI8XzIp8Zze29QPVcEVBkbqzEKeBeSXpBJCx0cnYXPyjLMfzkCbh0svvcl&X-Amz-SignedHeaders=host&X-Amz-Signature=efc8fe184a5f6d5e1e4c2a8f48b8c7071efb306d558ff8b88d7ce4d2ddce6deb", "md5": "44c7ad2558e3d58f1e438f3dc2194470"}], "addresses": {"cc": "", "reply_to": "", "reported_by": "theresaorr@laptop-99.blake-carter.com", "from": "vmiller@db-79.freeman.org", "to": ["frivera@email-89.lee.biz"]}, "attachments": [], "raw": [{"sha1": "cb1880b6199777ddf53cf4d81e34980c1770cd2e", "filename": "", "sha256": "9f0fc537dd24c28c30308091d0c0f3388df71e678c8e74ce1d4e360fa0725c4c", "byte_size": 21147, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/dhi8s7ab7d4s9vccp40835pah1kimf68e19s7v81/9f0fc537dd24c28c30308091d0c0f3388df71e678c8e74ce1d4e360fa0725c4c?response-content-disposition=attachment%3B%20filename%3D%22%22%3B%20filename%2A%3DUTF-8%27%27&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QANKD357G%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T211701Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJIMEYCIQDchNOz%2Fgr238%2BehE%2F9xT5Zk%2BHscDXHG8pVvlW6ppWebgIhANKi3%2BkoC479q4jaJUzMFWI7GvXI5JBC8%2F%2F7Gw5XmhGBKogECK3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMODIzMTkzMjY1ODI0IgyQNxitbhArfS6ei4Iq3AOB3RvNZ9Bpg%2BqWFF4BZWXhdRESmogQOLkshLPmgIVikeRNFE61h4I8TDSD9%2FZMUJzVtRIz0xuB8JeGnK7EidWuReMTiCCH1%2FShGrNR2NqiyvIvNWQ2BbeSfqDyC11nvXIQDTx62SFDlo2DMl5Gy%2BtNP7yid%2FsdJ8RjcAbc7NRcu7txZUTVm7XKcKrdGkCvJ6SU%2Fuien3O7F26UsLpXU%2FtrR6S2R5g7LvD%2BwI3VwEzukeaYH%2FTV%2BjiN8YyTMWGHgnWPRGI4tiHOagz2d8gDTDAy0%2FJe5tuQmMkmF69BA6flvMNJt8NJ%2BRrQMVOVRqMH7aqG3GXYKwZ5opIpmLkGpzkduUqxa9sTg5UcvEmHjZa2RGProjrrIO5In0%2F%2BOd7Bp2O3bVJ06kXhpNdTcqWfG%2BTUWdLvqe6B50vPpycZbpBYHbymmhptvVl%2BotVQ10EuXhQRj3dnySF0PY5DIFMP54ptTl1pciT7rG5Q9uYO%2FX5CHW%2FfBxplzOu%2BEns8B2NcQ6XvyaTWsVXIHUfskUxlu13tqBgKxT5sZo%2FPZJABKqTNE7rPpUMrF6MmwWXF%2Fj9JlsPGNPXW5Jvcko9wZPp7%2FaS7NL5SQgQXKk3ir55wNitpJYlUS7IiubGsFUREADDv0caPBjqkAZ%2F8zNDA0y2hAF7bRaSfuH%2FSFB%2Bu4r7R32TVINZSlsklscrUrl8SUTm6gCSWFgO6PQjSF%2F7usb2kmp%2FKPK%2FRL1PBPDexAPA%2BDp0HlxIL5vEuB3MaEUx1ukeqdPWaUeieMsChsM7zPc4PG6GU2b3aH7gmPL9mMrL%2BghlI8XzIp8Zze29QPVcEVBkbqzEKeBeSXpBJCx0cnYXPyjLMfzkCbh0svvcl&X-Amz-SignedHeaders=host&X-Amz-Signature=309b5131b1c24e189734d4788b9853782045926a49d785f61a8e23278edd1d6b", "md5": "750b4cd492a9c7315eb69e133e0e8263"}], "phishml": {"confidence_spam": "0.649605572223663", "confidence_clean": "0.000207245495403185", "category": "spam", "confidence_threat": "0.350217163562775"}, "history": [{"date": "2022-01-26T21:17:01Z", "trigger_name": null, "causer_type": "Action", "event_type": "other", "trigger_type": null, "events": {"changed_fields": {"severity": ["low", "high"], "category": ["spam", "threat"]}}, "causer_name": "Potential Threat (NO PML)"}, {"date": "2022-01-26T21:17:01Z", "trigger_name": null, "causer_type": "Action", "event_type": "other", "trigger_type": null, "events": {"changed_fields": {"severity": ["unknown_severity", "low"], "category": ["unknown", "spam"], "action_status": ["received", "resolved"]}}, "causer_name": "SPAM (PML:SPAM)"}, {"date": "2022-01-26T21:17:01Z", "trigger_name": null, "causer_type": "Action", "event_type": "other", "trigger_type": null, "events": {"emails": [{"action_email_id": "e3d4307f-a557-4316-8d0e-0fa909e9875b", "to": ["theresaorr@laptop-99.blake-carter.com"], "email": "Initial Feedback - All", "status": null}], "tags": {"added": ["RECEIPT FEEDBACK - ALL"]}}, "causer_name": "Feedback Receipt Message"}, {"date": "2022-01-26T21:17:00Z", "trigger_name": null, "causer_type": null, "event_type": "other", "trigger_type": null, "events": {"changed_fields": {"pipeline_status": ["processing", "processed"]}}, "causer_name": null}, {"date": "2022-01-26T21:17:00Z", "trigger_name": null, "causer_type": "Integrations::PhishMl::Report", "event_type": "other", "trigger_type": null, "events": {"report": {"name": "Phish ML", "results": [{"field": "clean", "value": "0.02"}, {"field": "spam", "value": "64.96"}, {"field": "threat", "value": "35.02"}]}, "tags": {"added": ["PML:SPAM"]}}, "causer_name": "Phish ML"}, {"date": "2022-01-26T21:17:00Z", "trigger_name": null, "causer_type": "Rule", "event_type": "other", "trigger_type": null, "events": {"tags": {"added": ["EXTERNAL"]}}, "causer_name": "External"}, {"date": "2022-01-26T21:16:56Z", "trigger_name": null, "causer_type": null, "event_type": "created", "trigger_type": null, "events": null, "causer_name": null}], "bad_links": [], "tags": ["RECEIPT FEEDBACK - ALL", "PML:SPAM", "EXTERNAL"], "virustotal": [], "html": [{"sha1": "c08e6b21b71e5ea3b9b2d21b600020c68772b013", "filename": "messageBody.html", "sha256": "addb3863fed1f036ad7dcfd77f7d0be33984cb9ec81f7429639a55756f585175", "byte_size": 7612, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/dhi8s7ab7d4s9vccp40835pah1kimf68e19s7v81/addb3863fed1f036ad7dcfd77f7d0be33984cb9ec81f7429639a55756f585175?response-content-disposition=attachment%3B%20filename%3D%22messageBody.html%22%3B%20filename%2A%3DUTF-8%27%27messageBody.html&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QANKD357G%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T211701Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJIMEYCIQDchNOz%2Fgr238%2BehE%2F9xT5Zk%2BHscDXHG8pVvlW6ppWebgIhANKi3%2BkoC479q4jaJUzMFWI7GvXI5JBC8%2F%2F7Gw5XmhGBKogECK3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMODIzMTkzMjY1ODI0IgyQNxitbhArfS6ei4Iq3AOB3RvNZ9Bpg%2BqWFF4BZWXhdRESmogQOLkshLPmgIVikeRNFE61h4I8TDSD9%2FZMUJzVtRIz0xuB8JeGnK7EidWuReMTiCCH1%2FShGrNR2NqiyvIvNWQ2BbeSfqDyC11nvXIQDTx62SFDlo2DMl5Gy%2BtNP7yid%2FsdJ8RjcAbc7NRcu7txZUTVm7XKcKrdGkCvJ6SU%2Fuien3O7F26UsLpXU%2FtrR6S2R5g7LvD%2BwI3VwEzukeaYH%2FTV%2BjiN8YyTMWGHgnWPRGI4tiHOagz2d8gDTDAy0%2FJe5tuQmMkmF69BA6flvMNJt8NJ%2BRrQMVOVRqMH7aqG3GXYKwZ5opIpmLkGpzkduUqxa9sTg5UcvEmHjZa2RGProjrrIO5In0%2F%2BOd7Bp2O3bVJ06kXhpNdTcqWfG%2BTUWdLvqe6B50vPpycZbpBYHbymmhptvVl%2BotVQ10EuXhQRj3dnySF0PY5DIFMP54ptTl1pciT7rG5Q9uYO%2FX5CHW%2FfBxplzOu%2BEns8B2NcQ6XvyaTWsVXIHUfskUxlu13tqBgKxT5sZo%2FPZJABKqTNE7rPpUMrF6MmwWXF%2Fj9JlsPGNPXW5Jvcko9wZPp7%2FaS7NL5SQgQXKk3ir55wNitpJYlUS7IiubGsFUREADDv0caPBjqkAZ%2F8zNDA0y2hAF7bRaSfuH%2FSFB%2Bu4r7R32TVINZSlsklscrUrl8SUTm6gCSWFgO6PQjSF%2F7usb2kmp%2FKPK%2FRL1PBPDexAPA%2BDp0HlxIL5vEuB3MaEUx1ukeqdPWaUeieMsChsM7zPc4PG6GU2b3aH7gmPL9mMrL%2BghlI8XzIp8Zze29QPVcEVBkbqzEKeBeSXpBJCx0cnYXPyjLMfzkCbh0svvcl&X-Amz-SignedHeaders=host&X-Amz-Signature=9505c4903a2c186e6633a438939ded5ac340b0a57053d8fe357185175245e818", "md5": "4d98bfe85fdd8a5799bdf9f3528ffd9f"}], "links": [], "text": [{"sha1": "a96f87f13c0042f067635cfcf100f1d5e7e452fc", "filename": "messageBody.txt", "sha256": "d2337cc04af1dcfc803c75b124eb921e5ebfaf26efbef3d7cb046479eefba818", "byte_size": 710, "s3_url": "https://phisher-parts-production-eu-west-1.s3.eu-west-1.mydomain.net/675d21fc-63d7-40f8-ae7b-3d612dc60f0f/2022-01-26/dhi8s7ab7d4s9vccp40835pah1kimf68e19s7v81/d2337cc04af1dcfc803c75b124eb921e5ebfaf26efbef3d7cb046479eefba818?response-content-disposition=attachment%3B%20filename%3D%22messageBody.txt%22%3B%20filename%2A%3DUTF-8%27%27messageBody.txt&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QANKD357G%2F20220126%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20220126T211701Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJIMEYCIQDchNOz%2Fgr238%2BehE%2F9xT5Zk%2BHscDXHG8pVvlW6ppWebgIhANKi3%2BkoC479q4jaJUzMFWI7GvXI5JBC8%2F%2F7Gw5XmhGBKogECK3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMODIzMTkzMjY1ODI0IgyQNxitbhArfS6ei4Iq3AOB3RvNZ9Bpg%2BqWFF4BZWXhdRESmogQOLkshLPmgIVikeRNFE61h4I8TDSD9%2FZMUJzVtRIz0xuB8JeGnK7EidWuReMTiCCH1%2FShGrNR2NqiyvIvNWQ2BbeSfqDyC11nvXIQDTx62SFDlo2DMl5Gy%2BtNP7yid%2FsdJ8RjcAbc7NRcu7txZUTVm7XKcKrdGkCvJ6SU%2Fuien3O7F26UsLpXU%2FtrR6S2R5g7LvD%2BwI3VwEzukeaYH%2FTV%2BjiN8YyTMWGHgnWPRGI4tiHOagz2d8gDTDAy0%2FJe5tuQmMkmF69BA6flvMNJt8NJ%2BRrQMVOVRqMH7aqG3GXYKwZ5opIpmLkGpzkduUqxa9sTg5UcvEmHjZa2RGProjrrIO5In0%2F%2BOd7Bp2O3bVJ06kXhpNdTcqWfG%2BTUWdLvqe6B50vPpycZbpBYHbymmhptvVl%2BotVQ10EuXhQRj3dnySF0PY5DIFMP54ptTl1pciT7rG5Q9uYO%2FX5CHW%2FfBxplzOu%2BEns8B2NcQ6XvyaTWsVXIHUfskUxlu13tqBgKxT5sZo%2FPZJABKqTNE7rPpUMrF6MmwWXF%2Fj9JlsPGNPXW5Jvcko9wZPp7%2FaS7NL5SQgQXKk3ir55wNitpJYlUS7IiubGsFUREADDv0caPBjqkAZ%2F8zNDA0y2hAF7bRaSfuH%2FSFB%2Bu4r7R32TVINZSlsklscrUrl8SUTm6gCSWFgO6PQjSF%2F7usb2kmp%2FKPK%2FRL1PBPDexAPA%2BDp0HlxIL5vEuB3MaEUx1ukeqdPWaUeieMsChsM7zPc4PG6GU2b3aH7gmPL9mMrL%2BghlI8XzIp8Zze29QPVcEVBkbqzEKeBeSXpBJCx0cnYXPyjLMfzkCbh0svvcl&X-Amz-SignedHeaders=host&X-Amz-Signature=3bfb02cd7dc26722ab1f013b9222ce27c83a3e1ff72175a8a4755f7c30be690f", "md5": "29a296741666143eaa280416aaffc004"}]}
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
|---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
bad_attachments |
|
| |
headers |
|
| |
addresses__cc |
|
| |
addresses__reply_to |
|
| |
addresses__reported_by |
|
| |
addresses__from |
|
| |
addresses__to |
|
| |
attachments |
|
| |
avalaible_data_raw |
|
| |
phishml__confidence_spam |
|
| |
phishml__confidence_clean |
|
| |
phishml__category |
|
| |
phishml__confidence_threat |
|
| |
history |
|
| |
bad_links |
|
| |
tags |
|
| |
virustotal |
|
| |
html |
|
| |
links |
|
| |
text |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |