Automate remediation for the Cortex Advanced Email Security module

Abstract

Automated response actions through the Cortex Advanced Email Security module improve efficiency and reduce noise.

The lightweight, real-time response engine inside the Advanced Email Security module executes automatic policy-driven actions to quickly respond to email threats before they manifest. Build your policy from the rules you configure by customizing the out-of-the-box templates.

Define the rules for your email security policy in Email Remediation Response Rules, located in ModulesEmail SecurityRemediationRules.

Review all the remediation actions initiated by your policy in the Email Remediation Action Center, located in ModulesEmail SecurityRemediationAction Center.

The automated email response engine provides the following advantages:

  • Accelerated response: Execution of time-sensitive email response actions directly within the application interface, significantly reducing response latency.

  • Unified audit and visibility: A single source of truth for all response activities. Every email action, whether through the engine or through playbooks, is seamlessly logged and fully auditable.

  • Optimized analyst workflow: SOC analyst efficiency through intuitive controls and a zero-switch environment, ensuring investigations move quickly and without interruption.

The email response engine supports the following actions:

  • Soft delete email

  • Undelete Email

  • Report as phishing

  • Send warning email

  • Move Email to Folder

  • Mark as Safe

  • Mark as Malicious

Note

For extra automated actions, use the playbooks, scripts, and commands in the Cortex XSIAM automation engine. For more information, see Automation in Cortex XSIAM.