Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user who triggered the incident while investigating the incident itself.
The final remediation tasks are always decided by a human analyst.
This playbook uses the following sub-playbooks, integrations, and scripts.
- Extract Indicators From File - Generic v2
- Domain Enrichment - Generic v2
- URL Enrichment - Generic v2
- Block Indicators - Generic v2
- Search And Delete Emails - Generic
- Calculate Severity - Generic v2
- Process Email - Generic
- File Enrichment - Generic v2
- Detonate File - Generic
- IP Enrichment - External - Generic v2
- Email Address Enrichment - Generic v2.1
| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| Role | The default role to assign the incident to. | Administrator | Required |
| SearchAndDelete | Enable the "Search and Delete" capability (can be either "True" or "False"). In case of a malicious email, the "Search and Delete" sub-playbook will look for other instances of the email and delete them pending analyst approval. | False | Optional |
| BlockIndicators | Enable the "Block Indicators" capability (can be either "True" or "False"). In case of a malicious email, the "Block Indicators" sub-playbook will block all malicious indicators in the relevant integrations. | False | Optional |
| AuthenticateEmail | Whether the authenticity of the email should be verified, using SPF, DKIM and DMARC. | False | Optional |
| OnCall | Set to true to assign the incident only to a user who is currently on shift. Requires Cortex XSOAR v5.5 or later. | false | Optional |
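The AuthenticateEmail input turns on an SPF/DKIM/DMARC check. As an added illustration of what such a check looks like (example code written for this page, not the playbook's or Cortex XSOAR's own script), the following Python snippet reads the `Authentication-Results` header that the receiving mail gateway stamps on a message and reduces the three results to a coarse verdict. The sample message, the verdict policy and the function names are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample message (not taken from the page). The visible From
# domain is example.com, but SPF and the DKIM signing domain belong to
# another domain, so DMARC alignment fails: a typical spoofing pattern.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bulkmailer.example;
 dkim=pass header.d=bulkmailer.example;
 dmarc=fail (p=REJECT sp=REJECT dis=none) header.from=example.com
From: "Payroll" <payroll@example.com>
To: user@example.com
Subject: Updated payslip
Content-Type: text/plain

Please review the attached document.
"""

# Matches "spf=pass", "dkim=fail", "dmarc=none" etc. inside the header value.
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_authentication_results(msg: Message) -> dict:
    """Collect SPF/DKIM/DMARC results from Authentication-Results headers.

    A message may carry one such header per receiving hop; the first header
    (topmost, added by the most recent hop) wins for each mechanism.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(header.split())  # unfold continuation lines
        for mechanism, value in RESULT_RE.findall(flat):
            results.setdefault(mechanism.lower(), value.lower())
    return results


def authenticity_verdict(results: dict) -> str:
    """Reduce the raw results to a coarse verdict (assumed policy, not XSOAR's).

    DMARC is authoritative when present, because it also checks that the
    passing mechanism is aligned with the visible From domain. Without a
    DMARC result, a pass on SPF or DKIM alone is accepted, which is weaker.
    """
    if not results:
        return "Undetermined"  # header stripped or never added
    dmarc = results.get("dmarc")
    if dmarc == "pass":
        return "Pass"
    if dmarc == "fail":
        return "Fail"
    passes = [results.get(m) == "pass" for m in ("spf", "dkim")]
    fails = [results.get(m) == "fail" for m in ("spf", "dkim")]
    if any(passes):
        return "Pass"
    if all(fails):
        return "Fail"
    return "Suspicious"  # softfail, temperror, none, or missing mechanisms


def check_email_authenticity(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and return the results plus a verdict."""
    msg = message_from_string(raw_message)
    results = parse_authentication_results(msg)
    return {"results": results, "verdict": authenticity_verdict(results)}


if __name__ == "__main__":
    print(check_email_authenticity(SAMPLE_EMAIL))
```

Two points to keep in mind when using a check like this inside an investigation: only trust an `Authentication-Results` header whose authserv-id (here `mx.example.net`) is your own gateway, since headers below it in the chain were added by third parties, and treat a verdict as one severity input among several, which is how this playbook positions it alongside the enrichment sub-playbooks and the analyst's final decision.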
There are no outputs for this playbook.