Phishing remains the primary vector for credential theft. Manual triage takes a SOC analyst an average of 45 minutes per email. With Cortex XSOAR, we reduce this mean time to respond (MTTR) to under 3 minutes.
Playbook Architecture
A production-grade phishing playbook must operate autonomously through ingestion, enrichment, and containment before engaging a human analyst.
- Ingestion: Configure the IMAP or EWS integration to monitor the `phishing@company.com` abuse inbox. Map email headers, body, and attachments to incident fields.
- Indicator Extraction: Run the `ExtractIndicators` script to pull URLs, IPs, domains, and file hashes from the email body and attachments.
- Enrichment: Automatically cross-reference extracted indicators against VirusTotal, CrowdStrike Falcon, and Palo Alto AutoFocus.
- Detonation: Send unverified attachments to a WildFire sandbox for dynamic analysis.
Automated Response Actions
If the enrichment phase returns a Malicious verdict (Score: 3), the playbook immediately executes containment logic:
1. !ad-disable-account username="${incident.reportedby}"
2. !panorama-block-ip ip="${incident.malicious_ips}"
3. !exchange-search-and-delete message-id="${incident.emailmessageid}"
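As an added illustration, not code from this article or from Cortex XSOAR itself, the Python below mirrors the extract-then-gate flow above: it pulls indicators from a constructed email body, drops internal address ranges so `panorama-block-ip` is never fed the company's own infrastructure, and emits the three containment commands only when the highest DBotScore is 3 (Malicious). The regexes, the `scores` dictionary shape and the incident field names are assumptions.

```python
import ipaddress
import re

# Constructed sample body, as the IMAP/EWS ingestion would hand it to the incident.
SAMPLE_BODY = """Your mailbox is full. Verify at http://login-portal.example.net/reset
Contact 203.0.113.45 or 10.0.0.5 for support. Attachment sha256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Ranges that must never reach the firewall block list (assumed internal space).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def extract_indicators(body: str) -> dict:
    """Pull URLs, routable IPs and SHA-256 hashes, mimicking ExtractIndicators."""
    ips = []
    for ip in IPV4_RE.findall(body):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # e.g. 300.1.2.3 matched the regex but is not an IP
            continue
        if any(addr in net for net in INTERNAL) or ip in ips:
            continue
        ips.append(ip)
    return {
        "urls": sorted(set(URL_RE.findall(body))),
        "ips": ips,
        "hashes": sorted({h.lower() for h in SHA256_RE.findall(body)}),
    }


def containment_commands(scores: dict, incident: dict) -> list:
    """Return the containment commands to run, gated on the top DBotScore being 3."""
    if max(scores.values(), default=0) < 3:
        return []                   # Suspicious (2) or lower stays with the analyst
    malicious_ips = [ip for ip in incident["ips"] if scores.get(ip) == 3]
    cmds = [f'!ad-disable-account username="{incident["reportedby"]}"']
    if malicious_ips:               # only block addresses enrichment actually condemned
        cmds.append(f'!panorama-block-ip ip="{",".join(malicious_ips)}"')
    cmds.append(f'!exchange-search-and-delete message-id="{incident["emailmessageid"]}"')
    return cmds
```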