Phishing Alerts Investigation

This playbook investigates and remediates potential phishing incidents produced by either an email security gateway or a SIEM product. It retrieves original email files from the email security gateway or email service provider and generates a response based on the initial severity, hunting results, and the existence of similar phishing incidents in XSOAR. No action is taken without an initial approval given by the analyst using the playbook inputs.

PhishingAlerts · 30 tasks · 16 inputs · 0 outputs

Inputs

  • Role — The default role to assign the incident to.
  • SearchAndDelete — Whether to enable the "Search and Delete" capability. For a malicious email, the Search and Delete sub-playbook looks for other instances of the email and deletes them pending analyst approval.
  • BlockIndicators — Whether to enable the "Block Indicators" capability. For a malicious email, the Block Indicators sub-playbook blocks all malicious indicators in the relevant integrations.
  • AuthenticateEmail — Whether the authenticity of the email should be verified using SPF, DKIM, and DMARC.
  • OnCall — Set to True to assign only to analysts on the current shift. Requires Cortex XSOAR v5.5 or later.
  • SearchAndDeleteIntegration — Determines which product and playbook is used to search and delete the phishing email from user inboxes. Set this to "O365" to use the O365 - Security And Compliance - Search And Delete playbook. Set this to "EWS" to use the Search And Delete Emails - EWS playbook.
  • O365DeleteType — The method to delete emails using the O365 - Security And Compliance - Search And Delete playbook. Can be "Soft" (recoverable), or "Hard" (unrecoverable). Leave empty to decide manually for each email incident. This is only applicable if the SearchAndDeleteIntegration input is set to O365.
  • O365ExchangeLocationExclusion — The exchange location. Determines from where to search and delete emails searched using O365 playbooks. Use the value 'All' to search all mailboxes, use 'SingleMailbox' to search and delete the email only from the recipient's inbox, or use 'Manual' to decide manually for every incident. Note: Searching all mailboxes may take a significant amount of time. This input is only applicable if the SearchAndDeleteIntegration input is set to O365.
  • SOCEmailAddress — The SOC email address to set if the playbook handles phishing alerts.
  • escalationRole — The role to assign the incident to if the incident severity is critical.
  • blockedAlertActionValue — A comma-separated list of optional values the email security device returns for blocked\denied\etc. emails.
  • SensitiveMailboxesList — The name of a list that contains the organization's sensitive users.
  • SearchThisWeek — Whether to search for similar emails in a week's time range or for all time.
  • CheckMicrosoftHeaders — Check Microsoft headers for BCL/PCL/SCL scores and set the "Severity" and "Email Classification" accordingly.
  • AutoBlockIndicators — Possible values: True/False. Default: True. Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.
  • UserVerification — Possible values: True/False. Whether to provide user verification for blocking IPs. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.

Commands used

closeInvestigation linkIncidents

Flowchart

Yes yes yes No Yes Start Start Detonate File - Generic - Detonate File - Generic Detonate File - Generic Detonate File - Generic Remediation Remediation Indicator Enrichment Indicator Enrichment Extract Indicators From File - Generic v2 - Extract Indicators From File - Generic v2 Extract Indicators From F... Extract Indicators From File ... Investigation Investigation Triage Triage Manually remediate the incident Manually remediate the in... Should emails be searched and deleted? Should emails be searched... Should indicators be blocked automatically? Should indicators be bloc... Stop Remediation Timer Stop Remediation Timer Block Indicators Block Indicators Search & Delete Email Search & Delete Email Check Severity Check Severity Block Indicators Manually Block Indicators Manually Entity Enrichment - Phishing v2 - Entity Enrichment - Phishing v2 Entity Enrichment - Phish... Entity Enrichment - Phishing v2 Phishing Alerts - Check Severity - Phishing Alerts - Check Severity Phishing Alerts - Check S... Phishing Alerts - Check Severity Search And Delete Emails - Generic v2 - Search And Delete Emails - Generic v2 Search And Delete Emails ... Search And Delete Emails - Ge... Process Email - Generic v2 - Process Email - Generic v2 Process Email - Generic v2 Process Email - Generic v2 Email Headers Check - Generic - Email Headers Check - Generic Email Headers Check - Gen... Email Headers Check - Generic Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Search similar email incidents - SearchIncidentsV2 Search similar email inci... SearchIncidentsV2 Found similar incidents? Found similar incidents? Possible Phishing Campaign - Link Similar Incidents - linkIncidents Possible Phishing Campaig... linkIncidents Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3