Phishing - Search Related Incidents (Defender 365)

This playbook should only be used as a sub-playbook inside the "Phishing - Handle Microsoft 365 Defender Results" playbook. It searches through existing Cortex XSOAR incidents based on retrieved email message IDs and returns data only for emails that are not found in existing incidents.

Phishing · 8 tasks · 1 input · 4 outputs

Inputs

  • RetrievedEmails — Emails retrieved by the "Microsoft 365 Defender - Threat Hunting Generic" playbook.

Outputs

  • EmailFilesRetrieval.Subject — The subject of the emails to be retrieved.
  • EmailFilesRetrieval.InternetMessageId — The Message-ID of the emails to be retrieved.
  • EmailFilesRetrieval.RecipientEmailAddress — The recipient email address of the emails to be retrieved.
  • EmailFilesRetrieval — An object containing the subject, internet message ID, and recipient email address of the emails to be retrieved.

Flowchart

Start Start Get related incidents using prepared query - GetIncidentsByQuery Get related incidents usi... GetIncidentsByQuery Read the results (file) - ReadFile Read the results (file) ReadFile Load results data as json - LoadJSON Load results data as json LoadJSON Incidents search - prepare query - SetAndHandleEmpty Incidents search - prepar... SetAndHandleEmpty Done Done Extract emails without an incident (EmailFilesRetrieval) - SetAndHandleEmpty Extract emails without an... SetAndHandleEmpty Remove duplicate emails from results (based on Message-ID) - SetAndHandleEmpty Remove duplicate emails f... SetAndHandleEmpty