Phishing Triage and Response - Google Threat Intelligence

This playbook extracts email addresses from phishing alerts, enriches their associated domains using the GTI domain enrichment command, and evaluates the GTI Threat Score, severity, and verdict. Based on these enrichment results, the playbook automatically blocks the malicious or high-risk email addresses to prevent further compromise.

GoogleThreatIntelligence · 18 tasks · 1 input · 0 outputs

Inputs

  • email_addresses — Provide a comma-separated list of email addresses.

Commands used

domain findIndicators

Flowchart

yes yes yes yes yes Start Start Is Google Threat Intelligence integration enabled? Is Google Threat Intellig... Clear previous inputs - DeleteContext Clear previous inputs DeleteContext Check whether emails are available in playbook input Check whether emails are ... Fetch Indicators from Incident - findIndicators Fetch Indicators from Inc... findIndicators Check for indicators Check for indicators Check that domains are present or not Check that domains are pr... Domain Enrichment using GTI command - domain Domain Enrichment using G... domain Done Done Extract the domains from input - SetAndHandleEmpty Extract the domains from ... SetAndHandleEmpty Get the domains from Fetch indicators command - SetAndHandleEmpty Get the domains from Fetc... SetAndHandleEmpty For Domains, are any GTI parameters meets high-risk criteria For Domains, are any GTI ... Block Email - Generic v2 - Block Email - Generic v2 Block Email - Generic v2 Block Email - Generic v2 Extract Emails from input - SetAndHandleEmpty Extract Emails from input SetAndHandleEmpty Extract Emails from indicators - SetAndHandleEmpty Extract Emails from indic... SetAndHandleEmpty Email Collection by Enriched Domain - Google Threat Intelligence - Email Collection by Enriched Domain - Google Threat Intelligence Email Collection by Enric... Email Collection by Enriched ... Analyst Verification Prompt to Block Email Analyst Verification Prom... Check whether the user has selected any emails for blocking? Check whether the user ha...