Set up a Phishing Incident in Cortex XSOAR

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

Phishing is the fraudulent attempt to obtain sensitive information, such as usernames, passwords and credit card details, by disguising an entity as trustworthy in an electronic communication. It is usually carried out by email spoofing or instant messaging, and often directs users to enter personal information at a fake website that mimics the look and feel of a legitimate site.

Malware can also play a role in phishing attempts. For example, users can be duped into downloading and running a file on their machine, which in turn infects that machine and possibly other machines on the network.

This tutorial takes you through the process of setting up a phishing incident in Cortex XSOAR. Use this template as a base resource to design and implement your own automated response to a phishing incident.

For this tutorial, you will need a dedicated phishing inbox fetched over EWS (Exchange Web Services), a VirusTotal API key, Active Directory, and Palo Alto Networks WildFire. You can also configure alternative integrations, following the basic principles of this tutorial. For example, instead of EWS, you could use Gmail. If you have another sandbox integration available, you can substitute it for Palo Alto Networks WildFire. For threat intelligence, you might use Recorded Future v2 instead of VirusTotal.

Note

Cortex XSOAR v6.9 and later includes the Cortex XSOAR Deployment Wizard for Phishing. After installing the Phishing content pack, the Deployment Wizard provides assistance with configuring integrations and playbook parameters. This tutorial provides step-by-step guidance for planning and implementing your response to phishing incidents, and can be used either as a supplement to the Deployment Wizard or on its own. If you use this tutorial with the Deployment Wizard, certain steps, such as navigating to specific pages to modify settings, are automated.

Note

You can also manage phishing alert incidents generated from email security gateways using the PhishingAlerts content pack.

To get up and running with a phishing incident in Cortex XSOAR, follow these stages.

Stage 1. Planning

Before installing Cortex XSOAR, plan how you are going to ingest incidents into Cortex XSOAR, what analysts need to investigate, how you will handle the response, which integrations you need, and so on.

Stage 2. Install and Configure Content Packs

To begin, install the relevant content packs from the Cortex XSOAR Marketplace and add the required instances. In this example, we add the Phishing content pack, the Microsoft Exchange Online content pack (which includes the EWS O365 integration used to ingest incidents), the VirusTotal content pack (whose VirusTotal integration enriches indicators), and the packs for the other integrations chosen during planning, such as Active Directory and WildFire. In addition, we install the Phishing Campaign and Phishing URL content packs.

Stage 3. Customize the Phishing Layout

Review the phishing incident layout, create new custom fields, and edit the phishing incident layout to show them.

Stage 4. Classify and Map Fields

Classification gives you control over the type and structure of incoming incidents: the classifier decides which incident type each fetched email becomes. Mapping assigns fields from the raw event to incident fields so that they appear in the incident layout.

Stage 5. Add Pre-Process Rules

Add pre-process rules to perform certain actions on incidents as they are ingested into Cortex XSOAR. For example, drop duplicate incidents, or link a new incident to an existing one instead of creating it.

Stage 6. Review and Customize Phishing Playbooks

Playbooks are triggered either when an incident is created or when you run them manually as part of an investigation. In this example, we use the Phishing - Generic v3 playbook.

Stage 7. Create Post-Process Rules

Once the investigation is complete and you are ready to close the incident, you can run various post-processing actions on it.

Stage 8. Summary

Once everything is set up, analysts can start investigating incidents.
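The decisions made in Stage 4 (classify and map) and Stage 5 (pre-process rules) are easier to reason about when written out as code. The following is an added example, not code from this page or from Palo Alto Networks, and it does not call the Cortex XSOAR API: in the product these decisions are configured in the Classification & Mapping and Pre-Process Rules pages (optionally with a pre-processing script). The example models, in plain Python, a classifier that selects the incident type from the mailbox an email was fetched from, a mapper that copies raw keys into incident fields, and a pre-process rule that drops an identically reported message, links a re-reported campaign to the existing open incident, and creates an incident otherwise. The raw-event keys, the incident field machine names, the phishing inbox address and the five sample emails are assumptions constructed for the example.

```python
"""Classification, mapping and pre-processing decisions for reported emails.

Added example: not the page's or Palo Alto Networks' code, and no calls to the
XSOAR API. Raw keys, field names and sample events are assumptions.
"""
import hashlib
import re

PHISHING_INBOX = "phishing@example.com"  # assumed dedicated reporting mailbox

# Constructed raw events, loosely shaped like an email-fetching integration's
# output. "messageId" is assumed to identify the reported (original) message.
RAW_EVENTS = [
    {"to": "phishing@example.com", "from": "alice@example.com",
     "subject": "Your account will be suspended",
     "body": "Verify now: http://login-example.invalid/verify",
     "messageId": "<m1@mailer.invalid>", "attachments": []},
    {"to": "phishing@example.com", "from": "bob@example.com",       # same message, reported again
     "subject": "FW: Your account will be suspended",
     "body": "Verify now: http://login-example.invalid/verify",
     "messageId": "<m1@mailer.invalid>", "attachments": []},
    {"to": "phishing@example.com", "from": "carol@example.com",     # same campaign, new message
     "subject": "RE: your account will be suspended",
     "body": "Reminder. Verify now: http://login-example.invalid/verify",
     "messageId": "<m3@mailer.invalid>", "attachments": []},
    {"to": "phishing@example.com", "from": "dave@example.com",      # unrelated phish
     "subject": "Invoice attached", "body": "See attached.",
     "messageId": "<m4@mailer.invalid>", "attachments": ["invoice.zip"]},
    {"to": "helpdesk@example.com", "from": "erin@example.com",      # not from the phishing inbox
     "subject": "Password reset", "body": "Please reset my password.",
     "messageId": "<m5@mailer.invalid>", "attachments": []},
]

SUBJECT_PREFIX = re.compile(r"^(?:\s*(?:re|fw|fwd)\s*:)+\s*", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify(raw):
    """Classifier: the mailbox an email was fetched from selects the incident type."""
    return "Phishing" if raw.get("to", "").lower() == PHISHING_INBOX else "Unclassified"


def map_fields(raw):
    """Mapper: raw keys -> incident field machine names (names are assumed)."""
    return {
        "emailfrom": raw.get("from", "").lower(),
        "emailto": raw.get("to", "").lower(),
        "emailsubject": raw.get("subject", ""),
        "emailbody": raw.get("body", ""),
        "emailmessageid": raw.get("messageId", ""),
        "attachmentname": ", ".join(raw.get("attachments", [])),
    }


def normalize_subject(subject):
    """Strip RE:/FW:/FWD: prefixes so replies and forwards compare equal."""
    return SUBJECT_PREFIX.sub("", subject).strip().lower()


def campaign_key(fields):
    """Same normalized subject and same first URL => treated as one campaign."""
    m = URL_RE.search(fields["emailbody"])
    url = m.group(0).lower() if m else ""
    return hashlib.sha256(f"{normalize_subject(fields['emailsubject'])}|{url}".encode()).hexdigest()


def pre_process(fields, existing):
    """Pre-process rule: returns ('drop'|'link'|'create', matched incident id or None).

    Same reported message-id -> drop; same campaign -> link to the existing open
    incident; otherwise create. Closed incidents never match, so a campaign that
    resurfaces after closure gets a fresh incident.
    """
    for inc in existing:
        if inc["status"] != "open":
            continue
        old = inc["fields"]
        if fields["emailmessageid"] and old["emailmessageid"] == fields["emailmessageid"]:
            return "drop", inc["id"]
        if campaign_key(old) == campaign_key(fields):
            return "link", inc["id"]
    return "create", None


def ingest(raw_events):
    """Run classify -> map -> pre-process over events; return decisions and the incident store."""
    store, decisions = [], []
    for raw in raw_events:
        inc_type = classify(raw)
        fields = map_fields(raw)
        # The rule is conditioned on incident type, as a pre-process rule would be.
        action, target = pre_process(fields, store) if inc_type == "Phishing" else ("create", None)
        if action == "create":
            store.append({"id": f"INC-{len(store) + 1}", "type": inc_type,
                          "status": "open", "fields": fields})
        elif action == "link":
            linked = next(inc for inc in store if inc["id"] == target)
            linked.setdefault("linked", []).append(fields["emailfrom"])
        decisions.append((inc_type, action, target))
    return decisions, store


if __name__ == "__main__":
    for decision in ingest(RAW_EVENTS)[0]:
        print(decision)
```

Running the block shows the second report of the same message dropped, Carol's re-report of the same campaign linked to INC-1 rather than opening a new incident, and the helpdesk email classified as Unclassified and left untouched by the phishing rule. Keying the campaign on the normalized subject plus the first URL is a deliberate, conservative choice: it merges obvious re-reports without collapsing distinct lures that happen to share a subject line.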