> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tracecat.com/llms.txt
> Use this file to discover all available pages before exploring further.

# PhishLabs

> Reference for the Tracecat PhishLabs integration: registered actions, required secrets, expected inputs, and example workflow usage.

## Get case data

Action ID: `tools.phishlabs.get_case_data`

Get PhishLabs case API data.

Reference: [https://caseapi.phishlabs.com/v1/data/docs/](https://caseapi.phishlabs.com/v1/data/docs/)

### Secrets

Required secrets:

* `phishlabs`: required values `PL_USERNAME`, `PL_PASSWORD`.

### Input fields

<ParamField path="case_status" type="array[string]">
  Filter cases based on the case status. Default is "Pending Input".

  Default: `[
      "Pending Input"
    ]`.
</ParamField>

<ParamField path="case_type" type="array[string]">
  Filter cases by case type.

  Default: `[]`.
</ParamField>

<ParamField path="max_records" type="integer">
  Maximum number of cases to return. Default is 100, minimum is 20, maximum is 200.

  Default: `100`.
</ParamField>

<ParamField path="verify_ssl" type="boolean">
  If False, disables SSL verification for internal networks.

  Default: `true`.
</ParamField>

## Get feed data

Action ID: `tools.phishlabs.get_feed_data`

Get PhishLabs feed API data.

Reference: [https://feed.phishlabs.com/redoc#operation/Feed\_GetBAFeed](https://feed.phishlabs.com/redoc#operation/Feed_GetBAFeed)

### Secrets

Required secrets:

* `phishlabs`: required values `PL_CUSTOMER_ID`, `PL_USERNAME`, `PL_PASSWORD`.

### Input fields

<ParamField path="from_date" type="string">
  The start date of date range (date and time). eg. 2023-01-01 10:00.

  Default: `null`.
</ParamField>

<ParamField path="grpcatid" type="integer">
  Include the integer that maps to the type of incident you want returned. Default is 0.

  Default: `0`.
</ParamField>

<ParamField path="incident_status" type="string">
  The status of the incident as it appears in the Web App. Default is "Requires Input".

  Default: `"Requires Input"`.
</ParamField>

<ParamField path="to_date" type="string">
  The end date of date range (date and time). eg. 2023-01-07 10:00.

  Default: `null`.
</ParamField>

<ParamField path="verify_ssl" type="boolean">
  If False, disables SSL verification for internal networks.

  Default: `true`.
</ParamField>

## Get threat intel data

Action ID: `tools.phishlabs.get_threat_data`

Get PhishLabs Threat Intel API data.

Reference: [https://threatintel.phishlabs.com/redoc/incidentexternalapi](https://threatintel.phishlabs.com/redoc/incidentexternalapi)

### Secrets

Required secrets:

* `phishlabs`: required values `PL_CLIENT_ID`, `PL_CLIENT_SECRET`.

### Input fields

<ParamField path="incident_severity_codes" type="array[string]">
  The severity of incidents to be returned. 'Low', 'Medium', 'High'

  Default: `[]`.
</ParamField>

<ParamField path="incident_status_codes" type="array[string]">
  The status code(s) of the incident.

  Default: `[
      "RequiresInput",
      "RequiresApproval"
    ]`.
</ParamField>

<ParamField path="incident_type_code" type="string">
  The type of Incident to be returned. 'SocialMedia' or 'DarkWeb'

  Default: `null`.
</ParamField>

<ParamField path="page_size" type="integer">
  The number of records to return per page.

  Default: `200`.
</ParamField>

<ParamField path="threat_type_codes" type="array[string]">
  The type of Threats to be returned. Threat Types ending with "SM" are Social Media, "DW" are Dark Web.

  Default: `[]`.
</ParamField>
