Using Phishing Triage with Orchestration Tools

Updated 1 month ago by Elvis Hovor

Information produced by the Phishing Triage feature set, such as Normalized Indicator Scores and Priority Event Scores, can be consumed from your orchestration tools and wrapped into a playbook that further automates the investigation and handling of user-reported phishing emails.

This functionality is currently only offered within Demisto.

The Phishing Triage feature set in TruSTAR provides access to the following tasks in Demisto:

  • Get Phishing Submissions
  • Get Phishing Indicators
  • Set Triage Status

Getting Phishing Submissions

Purpose: Fetches emails submitted to the Phishing Triage Enclave in TruSTAR.

!trustar-get-phishing-submissions

Task Input

Parameter               Description
priority_event_score    Priority Event Score to filter submissions on
from_time               Start of the time window, YYYY-MM-DD HH:MM:SS (defaults to 24 hours ago)
to_time                 End of the time window, YYYY-MM-DD HH:MM:SS (defaults to the current time)
status                  List of triage statuses (UNRESOLVED, CONFIRMED, IGNORED); only submissions marked with at least one of these statuses are returned

Task Output

Field                 Description
submissionId          The ID of the phishing email submission
title                 The subject line of the submitted email
priorityEventScore    The Priority Event Score of the submission
status                The current triage status of the submission: "CONFIRMED", "IGNORED" or "UNRESOLVED"
context               An array of structures, one per indicator found in the submission, each carrying that indicator's original and normalized scores

Sample Output

submissionId          666fae30-ff2d-4bfd-b1c9-27d7611f430a
title                 Executive Spear Phish
priorityEventScore    3
status                phishing/unresolved
context               [
  {'indicatorType': 'IP', 'indicatorValue': '119.81.93.82', 'sourceKey': 'virustotal', 'normalizedIndicatorScore': 3, 'originalIndicatorScore': {'name': 'Detections', 'value': '54/65'}},
  {'indicatorType': 'IP', 'indicatorValue': '124.160.116.194', 'sourceKey': 'virustotal', 'normalizedSourceScore': -1, 'originalIndicatorScore': {'name': 'null', 'value': 'null'}},
  {'indicatorType': 'IP', 'indicatorValue': '185.7.215.175', 'sourceKey': 'virustotal', 'normalizedIndicatorScore': -1, 'originalIndicatorScore': {'name': 'null', 'value': 'null'}}
]

Two things to watch when a playbook consumes this output: the status comes back in tag form (phishing/unresolved) rather than as the bare UNRESOLVED constant used in the status filter, so match on the part after the slash; and the second context entry is keyed normalizedSourceScore rather than the documented normalizedIndicatorScore, so read the documented key and treat an entry that lacks it as unscored rather than assuming a score is present.

Getting Phishing Indicators

Purpose: Fetches the indicators found in phishing emails submitted to the Phishing Triage Enclave.

!trustar-get-phishing-indicators

Task Input

Parameter                   Description
priority_event_score        Priority Event Score of the submission the indicator was found in, to filter on
normalized_indicator_score  Normalized Indicator Score to filter on
from_time                   Start of the time window, YYYY-MM-DD HH:MM:SS (defaults to 24 hours ago)
to_time                     End of the time window, YYYY-MM-DD HH:MM:SS (defaults to the current time)
status                      List of triage statuses (UNRESOLVED, CONFIRMED, IGNORED); only indicators from submissions marked with at least one of these statuses are returned

Task Output

Field                     Description
indicatorType             The type of indicator: IP, URL, EMAIL_ADDRESS, MD5, SHA1 or SHA256
value                     The indicator's value
sourceKey                 The intelligence source the indicator's score came from
normalizedIndicatorScore  The Normalized Score of the indicator
originalIndicatorScore    The original score for the indicator as provided by the external intelligence source (structure below)

Original Indicator Score

The indicator's score exactly as the intelligence source reported it:

Field   Type    Description
name    String  The name of the score type, e.g. "Risk Score" or "Malicious Confidence"
value   String  The value of the score, as directly extracted from the source, e.g. "HIGH" or "78"

Because value is a free-form string whose meaning depends on the source (a detection ratio such as "54/65", a label such as "HIGH", a number such as "78"), it cannot be compared across sources or safely parsed as a number in a playbook. Use normalizedIndicatorScore for thresholds and conditional tasks, and keep originalIndicatorScore for analyst context.

Sample Output

indicatorType             IP
value                     119.81.93.82
sourceKey                 virustotal
normalizedIndicatorScore  3
originalIndicatorScore    {'name': 'Detections', 'value': '54/65'}

Setting Phishing Triage Status

Purpose: Sets the triage status of a phishing email submission by applying one or more status tags. Every new submission starts with the Unresolved status. The status options are:

  • Confirmed: emails that have been reviewed and confirmed as phishing.
  • Ignored: emails that after review are determined not to be phishing.
  • Unresolved: the default status for every submission.

!trustar-set-triage-status

Task Input

Parameter       Description
submission_id   The ID of the email submission (the submissionId returned by Get Phishing Submissions)
status          The status to apply to the submission (Confirmed, Ignored or Unresolved)

Task Output

An HTTP 200 response with no content.

Sample Output

OK

Sample Playbook

This sample playbook, combined with TruSTAR's ability to automatically move indicators from confirmed phishing emails into a Phishing Indicator Enclave that is connected directly to a SIEM, provides an end-to-end workflow that reduces your organization's risk exposure from user-reported phishing emails.

As part of the Phishing Triage feature set, the TruSTAR team built a sample playbook that performs the following steps:

  1. Demisto gets the most recent "unresolved" phishing emails from TruSTAR.
  2. A conditional task in the playbook routes each email by its Priority Event Score:
  • Priority Event Score of 2 or 3: automatically confirmed as phishing.
  • Priority Event Score of 1: assigned to a manual task for later analyst review.
  • Priority Event Score of 0 or -1: automatically ignored.
  3. Once the playbook has iterated over all collected emails, every one of them has been labeled.
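The routing logic of the sample playbook, written out as a Demisto-style Python automation that also shows how to consume the Get Phishing Submissions output described earlier. This is an added example, not TruSTAR's sample playbook and not TruSTAR or Demisto code. It assumes a command-runner callable that takes a command name and an argument dict (inside Demisto this would wrap demisto.executeCommand; here a FakeRunner holding constructed submissions is injected so the logic runs offline), assumes the set-triage-status task accepts the uppercase values CONFIRMED and IGNORED as its status argument, and the submission IDs other than the one copied from the sample output are made up. The one policy choice that goes beyond the page is deliberate: a submission with a missing or unparseable score is routed to manual review, never auto-ignored.

```python
# Added example (not TruSTAR or Demisto code): Demisto-style routing of TruSTAR
# phishing submissions. Command names are the ones documented on this page; the
# runner callable, the uppercase status values passed to set-triage-status, and
# every submission except the one copied from the sample output are assumptions.
from typing import Callable, Dict, Optional

GET_SUBMISSIONS_CMD = "trustar-get-phishing-submissions"
SET_STATUS_CMD = "trustar-set-triage-status"
# Assumed runner shape: run(command, args) -> list of result dicts. Inside Demisto
# this would wrap demisto.executeCommand and unpack each entry's Contents.
CommandRunner = Callable[[str, Dict[str, str]], list]


def route_by_score(score: Optional[int]) -> str:
    """Priority Event Score -> action, as the sample playbook routes it: 2 or 3 ->
    CONFIRMED, 1 -> MANUAL_REVIEW, 0 or -1 -> IGNORED. A missing or out-of-range
    score fails closed to MANUAL_REVIEW (local policy) rather than being ignored."""
    if score in (2, 3):
        return "CONFIRMED"
    if score in (0, -1):
        return "IGNORED"
    return "MANUAL_REVIEW"  # 1, None, or anything unexpected


def parse_score(raw) -> Optional[int]:
    """Accept an int or digit string; reject floats and bools so 2.5 never confirms."""
    if isinstance(raw, int) and not isinstance(raw, bool):
        return raw
    if isinstance(raw, str) and raw.strip().lstrip("-").isdigit():
        return int(raw)
    return None


def is_unresolved(status: str) -> bool:
    """True for both forms on this page: UNRESOLVED and the tag phishing/unresolved."""
    return status.strip().lower().rsplit("/", 1)[-1] == "unresolved"


def indicator_score(ctx: dict) -> int:
    """Normalized score of one context entry; the sample output keys it
    normalizedIndicatorScore (documented) or, in one entry, normalizedSourceScore.
    An entry with neither is treated as unscored (-1)."""
    for key in ("normalizedIndicatorScore", "normalizedSourceScore"):
        if ctx.get(key) is not None:
            return int(ctx[key])
    return -1


def triage(run: CommandRunner, min_indicator_score: int = 2, **filters: str) -> dict:
    """Fetch unresolved submissions (extra filters such as from_time/to_time are
    passed through), label each one, and collect the indicators of confirmed
    emails whose normalized score is at least min_indicator_score."""
    args = {"status": "UNRESOLVED", **filters}
    result = {"CONFIRMED": [], "IGNORED": [], "MANUAL_REVIEW": [], "indicators": []}
    for sub in run(GET_SUBMISSIONS_CMD, args):
        if not is_unresolved(str(sub.get("status", ""))):
            continue  # the filter should guarantee this; verify before relabeling
        action = route_by_score(parse_score(sub.get("priorityEventScore")))
        result[action].append(sub["submissionId"])
        if action != "MANUAL_REVIEW":  # manual cases are left to the analyst task
            run(SET_STATUS_CMD, {"submission_id": sub["submissionId"], "status": action})
        if action == "CONFIRMED":
            for ctx in sub.get("context", []):
                if indicator_score(ctx) >= min_indicator_score:
                    result["indicators"].append((ctx["indicatorType"], ctx["indicatorValue"]))
    return result


# Constructed data: the first submission mirrors the sample output above; the rest
# are made up (string score, missing score, already-confirmed submission).
SAMPLE_SUBMISSIONS = [
    {"submissionId": "666fae30-ff2d-4bfd-b1c9-27d7611f430a", "title": "Executive Spear Phish",
     "priorityEventScore": 3, "status": "phishing/unresolved", "context": [
         {"indicatorType": "IP", "indicatorValue": "119.81.93.82", "sourceKey": "virustotal",
          "normalizedIndicatorScore": 3, "originalIndicatorScore": {"name": "Detections", "value": "54/65"}},
         {"indicatorType": "IP", "indicatorValue": "124.160.116.194", "sourceKey": "virustotal",
          "normalizedSourceScore": -1, "originalIndicatorScore": {"name": "null", "value": "null"}}]},
    {"submissionId": "sub-review", "priorityEventScore": 1, "status": "UNRESOLVED", "context": []},
    {"submissionId": "sub-ignore", "priorityEventScore": "0", "status": "UNRESOLVED", "context": []},
    {"submissionId": "sub-noscore", "status": "UNRESOLVED", "context": []},
    {"submissionId": "sub-done", "priorityEventScore": 3, "status": "phishing/confirmed"},
]


class FakeRunner:
    """Offline stand-in for the Demisto command runner; records status changes."""
    def __init__(self, submissions=SAMPLE_SUBMISSIONS):
        self.submissions, self.status_calls = submissions, []

    def __call__(self, command: str, args: Dict[str, str]) -> list:
        if command == GET_SUBMISSIONS_CMD:  # honour the status filter like the real task
            wanted = {s.strip().upper() for s in args.get("status", "").split(",")}
            return [s for s in self.submissions if s["status"].rsplit("/", 1)[-1].upper() in wanted]
        if command == SET_STATUS_CMD:
            self.status_calls.append((args["submission_id"], args["status"]))
            return []
        raise ValueError("unknown command: " + command)
```

Running triage(FakeRunner()) confirms the sample submission (score 3), ignores the score-0 one, leaves the score-1 and unscored ones for the analyst task, and records only two set-triage-status calls. The manual-review bucket is returned rather than acted on because in Demisto that branch becomes a manual task assigned to an analyst; the indicators list is what you would hand to enrichment or blocking steps, although TruSTAR's own enclave move covers the SIEM path for confirmed emails.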

