Phishing Investigation - Generic



DEPRECATED. Use "Phishing Investigation - Generic v2" playbook instead. Investigates and remediates potential phishing incidents. The playbook engages with the user who triggered the incident while, in parallel, investigating the incident itself.

The final remediation tasks are always decided by a human analyst.


This playbook uses the following sub-playbooks, integrations, scripts, and commands.

Sub-playbooks

  • Process Email - Generic
  • Email Address Enrichment - Generic
  • Search And Delete Emails - Generic
  • Detonate File - Generic
  • Extract Indicators From File - Generic
  • Entity Enrichment - Generic
  • Block Indicators - Generic

Integrations

  • Builtin

Scripts

  • AssignAnalystToIncident
  • SendEmail
  • Set

Commands

  • send-mail
  • closeInvestigation

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Role | The default role to assign the incident to. | Administrator | Required |
| SearchAndDelete | Enable the Search and Delete capability. Can be "True" or "False". In the case of a malicious email, the Search and Delete sub-playbook looks for other instances of the email and deletes them, pending analyst approval. | False | Optional |
| BlockIndicators | Enable the Block Indicators capability. Can be "True" or "False". In the case of a malicious email, the Block Indicators sub-playbook blocks all malicious indicators in the relevant integrations. | False | Optional |
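The two optional inputs above gate the remediation sub-playbooks, and both arrive as strings rather than booleans, so a naive truthiness check would treat the default "False" as enabled. The following is an added illustration of that gating logic, written for this page and not code from the playbook or from Cortex XSOAR; it assumes inputs are passed as a plain dictionary of strings and that the email verdict has already been reduced to "malicious", "suspicious" or "benign" (both assumptions are this example's, not the playbook's).

```python
"""Model of the remediation gating described in the inputs table.

Added illustration, not the playbook's own code. Assumptions: playbook inputs
arrive as strings (as XSOAR playbook inputs do), and the verdict for the email
is one of "malicious", "suspicious" or "benign".
"""

from dataclasses import dataclass


def parse_flag(value, default=False):
    """Interpret a playbook input such as "True"/"False".

    Inputs are strings, so a bare truthiness test would treat the string
    "False" as enabled. Accept the common spellings, fall back to the default
    for an empty input, and reject anything else loudly rather than guessing.
    """
    if value is None or str(value).strip() == "":
        return default
    text = str(value).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0"):
        return False
    raise ValueError(f"unrecognised boolean input: {value!r}")


@dataclass(frozen=True)
class RemediationStep:
    sub_playbook: str
    # The page states that final remediation is always a human decision,
    # so every queued step carries an approval requirement.
    needs_analyst_approval: bool = True


def plan_remediation(verdict, inputs):
    """Return the remediation sub-playbooks this run would queue.

    Search and Delete and Block Indicators run only for a malicious email and
    only when the corresponding input is enabled; both still await approval.
    """
    steps = []
    if verdict.lower() != "malicious":
        return steps
    if parse_flag(inputs.get("SearchAndDelete"), default=False):
        steps.append(RemediationStep("Search And Delete Emails - Generic"))
    if parse_flag(inputs.get("BlockIndicators"), default=False):
        steps.append(RemediationStep("Block Indicators - Generic"))
    return steps


if __name__ == "__main__":
    # Constructed sample inputs: the defaults from the inputs table, then both
    # capabilities switched on with the mixed capitalisation an analyst might type.
    defaults = {"Role": "Administrator", "SearchAndDelete": "False", "BlockIndicators": "False"}
    print(plan_remediation("malicious", defaults))
    enabled = {**defaults, "SearchAndDelete": "True", "BlockIndicators": "true"}
    print([s.sub_playbook for s in plan_remediation("malicious", enabled)])
    # The pitfall the parser avoids: Python's own truthiness of the string "False".
    print(bool("False"), parse_flag("False"))
```

The point to carry into a real playbook is the comparison: a condition task should test the input with a string-equality operator against "True" (or pass it through an explicit boolean parser like the one above), never with a generic "is truthy" check.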

Playbook Outputs

There are no outputs for this playbook.

Playbook Image