Phishing - Indicators Hunting

Hunt indicators related to phishing with available integrations and then handle the results. Handling the results will include setting relevant incident fields which will be displayed in the layout and optionally, opening new incidents according to the findings. Current integration in this playbook: - Microsoft 365 Defender (using "Advanced Hunting") Note that this playbook should be used as a sub-playbook inside a phishing incident and not as a main playbook.

Phishing · 5 tasks · 3 inputs · 0 outputs

Inputs

  • DBotScore — The DBotScore object containing these keys: - Indicator - Type - Score
  • EmailHuntingCreateNewIncidents — When "True", the "Phishing - Handle Microsoft 365 Defender Results" sub-playbook will create new phishing incidents for each email that contains one of the malicious indicators. Default is "False".
  • ListenerMailbox — The mailbox of the listening integration. In case it is provided, the emails found in it will be ignored.

Flowchart

yes Start Start Microsoft 365 Defender - Threat Hunting Generic - Microsoft 365 Defender - Threat Hunting Generic Microsoft 365 Defender - ... Microsoft 365 Defender - Thre... Phishing - Handle Microsoft 365 Defender Results - Phishing - Handle Microsoft 365 Defender Results Phishing - Handle Microso... Phishing - Handle Microsoft 3... Any emails found using Microsoft 365 Defender? Any emails found using Mi... Done Done