Review and Customize Phishing Playbooks

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

For any phishing threat or attack, a SOC team needs to go through the following processes sequentially:

  • Detection

  • Identification

  • Analysis

  • Remediation

Each of these high-level processes might contain a number of sub-processes, each requiring step-by-step actions. You can use playbooks to detect, identify, analyze, and remediate an event.

The Phishing content pack includes a number of out-of-the-box playbooks, such as Phishing - Generic v3, Process Email - Generic v2, and Calculate Severity By Email Authenticity. You can customize these out-of-the-box playbooks or create your own playbook.