Phishing Investigation - Generic v2

Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.

The final remediation tasks are always decided by a human analyst.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Extract Indicators From File - Generic v2
  • Domain Enrichment - Generic v2
  • URL Enrichment - Generic v2
  • Block Indicators - Generic v2
  • Search And Delete Emails - Generic
  • Calculate Severity - Generic v2
  • Process Email - Generic
  • File Enrichment - Generic v2
  • Detonate File - Generic
  • IP Enrichment - External - Generic v2
  • Email Address Enrichment - Generic v2.1


  • Builtin


  • DBotPredictPhishingWords
  • AssignAnalystToIncident
  • CheckEmailAuthenticity
  • Set


  • setIncident
  • send-mail
  • closeInvestigation

Playbook Inputs

NameDescriptionDefault ValueSourceRequired
RoleThe default role to assign the incident to.AdministratorRequired
SearchAndDeleteEnable the "Search and Delete" capability (can be either "True" or "False").
In case of a malicious email, the "Search and Delete" sub-playbook will look for other instances of the email and delete them pending analyst approval.FalseOptional
BlockIndicatorsEnable the "Block Indicators" capability (can be either "True" or "False").
In case of a malicious email, the "Block Indicators" sub-playbook will block all malicious indicators in the relevant integrations.FalseOptional
AuthenticateEmailWhether the authenticity of the email should be verified, using SPF, DKIM and DMARC.FalseOptional
OnCallSet to true to assign only user that is currently on shift. Requires Cortex XSOAR v5.5 or later.falseOptional

Playbook Outputs

There are no outputs for this playbook.

Playbook Image