Review the Phishing Incident Type

Cortex XSOAR 6.x Tutorials

Product
Cortex XSOAR
Version
6.x
Creation date
2022-10-13
Last date published
2023-06-05
Category
Tutorials

Cortex XSOAR supports multiple incident types. When incidents are ingested into Cortex XSOAR, they are classified by type. The Microsoft Exchange Online content pack, which we installed with the Phishing content pack, includes a classifier which assigns phishing email messages to the phishing type. For the phishing incident type, you can customize layouts, assign a default playbook, and define rules to extract indicators from incident fields and enrich them using commands and scripts.

To edit an incident type, the incident type must be detached, or you must duplicate the incident type and edit the copy. When an incident type is detached, it no longer receives updates from the related content pack. If you want to keep receiving updates, duplicate the incident type instead of detaching it: the original incident type continues to receive updates, but the duplicate does not. For this tutorial, we will detach the incident type.

  1. Go to Settings > OBJECTS SETUP > Incidents > Types.

  2. Select the Phishing type and click Detach.

  3. Select the Phishing incident type and click Edit.

  4. From the Settings tab, review the following:

    • In the Default playbook field, confirm the Phishing - Generic v3 playbook is selected.

    • In the Layout field, keep the default Phishing Incident v3 layout. We will later customize this layout.

    • Leave the Post Processing Script field blank for now. We will create a post process rule later.

  5. In the Indicators Extraction Rules tab, review the fields that are being extracted.


    You can see there are hundreds of incident fields, but only the fields relevant to phishing are being extracted (Email Body, Email Reply To, Email Body HTML, Email Subject, etc.). These extraction rules are specific to the Phishing incident type, and we want to keep these out-of-the-box settings for now. We can change the indicator extraction rules later if we see that unnecessary indicators are being extracted, or if extraction is missing for specific fields.

  6. If you have made any changes, click Save.
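To make field-scoped extraction concrete, here is an added illustration that is not XSOAR code: a small Python model of extraction rules that only look at the phishing fields named above, so a URL sitting in an unrelated field such as an analyst note is never turned into an indicator. The field names (emailbody, emailreplyto, emailbodyhtml, emailsubject, details), the incident sample and the regexes are all constructed for this example and are simplified stand-ins for XSOAR's own field keys and indicator patterns.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Assumed field keys: which indicator types each phishing field is allowed to yield.
# Fields not listed here (e.g. "details") are ignored, mirroring the per-type rules.
PHISHING_EXTRACTION_FIELDS = {
    "emailbody": ("email", "url", "domain"),
    "emailreplyto": ("email",),
    "emailbodyhtml": ("email", "url", "domain"),
    "emailsubject": ("email", "url", "domain"),
}

# Simplified patterns; real extraction uses the platform's own indicator regexes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_indicators(incident: dict, rules=PHISHING_EXTRACTION_FIELDS) -> dict:
    """Collect indicators only from the fields the rules name, per allowed type."""
    found = {"email": set(), "url": set(), "domain": set()}
    for field, allowed in rules.items():
        value = incident.get(field)
        if not value:
            continue
        # Decode entities but keep tags: href="..." is where HTML bodies hide URLs.
        text = unescape(value)
        if "email" in allowed:
            found["email"].update(EMAIL_RE.findall(text))
        if "url" in allowed:
            urls = URL_RE.findall(text)
            found["url"].update(urls)
            if "domain" in allowed:
                found["domain"].update(urlparse(u).hostname for u in urls)
    return {k: sorted(v) for k, v in found.items()}


# Constructed incident: a lure in the email fields plus a URL in an analyst note.
SAMPLE_INCIDENT = {
    "emailsubject": "Action required: verify your account",
    "emailreplyto": "billing@mail.example.net",
    "emailbody": "Please confirm at https://login.example.net/verify?id=42 within 24 hours.",
    "emailbodyhtml": '<p>Please confirm <a href="https://login.example.net/verify?id=42">here</a></p>',
    "details": "Analyst note: compare with https://intranet.example.org/kb/phishing",
}

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_INCIDENT))
```

The intranet URL in the details field is deliberately left out of the result, which is the behaviour you want when deciding whether a field belongs in the extraction rules.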