You can familiarize yourself with the phishing layout before you make any changes. The phishing content pack includes fields specific to phishing investigations, including attachment type, size, email body, email headers, reporter email address, etc., which are included in the phishing incident layout. You can create new sections, add buttons, add custom fields, etc. To view the layout, select
→ → → → . You can see the following tabs:
Incident Summary
In the Incident Summary tab, there are seven out-of-the-box tabs. We will concentrate on the following tabs, as these are customizable:
Case info
The Case info tab contains a summary of the relevant information an analyst may require about the phishing incident (such as type, severity, playbook, etc.), timeline information (when the incident occurred, was created, was updated, etc.), Work Plan information (tasks that require manual intervention, such as manual tasks or tasks with an error status), team members, a link to a Phishing Campaign incident (if relevant), etc.
Investigation
The Investigation tab provides more in-depth information, including email headers and analysis, machine learning checks, macro code (if present in an attachment), the email text, HTML image, attachments, indicators, and information such as the email sender, subject, and ID.
If the phishing incident is part of a phishing campaign, the incident is linked to the Phishing Campaign incident type (you can also see a link in the Linked Incidents section in the Case info tab).
New/Edit Form
Contains information relevant to creating or editing a phishing incident.
In addition to ingesting phishing incidents from an email inbox, you can also manually create a phishing incident in Cortex XSOAR. The new incident layout for phishing incidents enables you to populate a phishing incident by uploading the email as an EML or MSG file.
Close Form
Contains information relevant to closing a phishing incident.
Incident Quick View
Contains summary information relating to the phishing incident.