Using Phishing Triage with Orchestration Tools
You can use information created by the Phishing Triage Intel Workflow within your orchestration tools. Obtaining information such as Normalized Indicator Scores or Priority Event Scores can then be wrapped into a playbook that further automates the investigation and management of phishing emails.
The Phishing Triage feature set in TruSTAR provides access to the following tasks in Demisto:
- Get Phishing Submissions
- Get Phishing Indicators
- Set Triage Status
Getting Phishing Submissions
Purpose: Fetches emails submitted to the Phishing Triage Enclave in TruSTAR.
!trustar-get-phishing-submissions
Task Input
Parameter | Description |
priority_event_score | Priority Event Score to filter submissions on. The scores used by the sample playbook below range from -1 to 3. |
from_time | Start of time window (defaults to 24 hours ago), in YYYY-MM-DD HH:MM:SS |
to_time | End of time window (defaults to the current time), in YYYY-MM-DD HH:MM:SS |
status | A comma-separated list of triage statuses (UNRESOLVED, CONFIRMED, IGNORED); only email submissions marked with at least one of these statuses are returned. |
Task Output
Field | Description |
submissionId | The ID of the phishing email submission. |
title | The subject of the email submission. |
priorityEventScore | The score of the email submission. |
status | The current triage status of the email submission. The accepted status options are "CONFIRMED", "IGNORED", or "UNRESOLVED"; note that the sample output below shows the status in its tag form, phishing/unresolved. |
context | An array of structures containing the original and normalized indicator scores for each indicator found in the email submission. |
Sample Output
context | [{'indicatorType': 'IP', 'indicatorValue': '119.81.93.82', 'sourceKey': 'virustotal', 'normalizedIndicatorScore': 3, 'originalIndicatorScore': {'name': 'Detections', 'value': '54/65'}}, {'indicatorType': 'IP', 'indicatorValue': '124.160.116.194', 'sourceKey': 'virustotal', 'normalizedIndicatorScore': -1, 'originalIndicatorScore': {'name': 'null', 'value': 'null'}}, {'indicatorType': 'IP', 'indicatorValue': '185.7.215.175', 'sourceKey': 'virustotal', 'normalizedIndicatorScore': -1, 'originalIndicatorScore': {'name': 'null', 'value': 'null'}}] |
priorityEventScore | 3 |
status | phishing/unresolved |
submissionId | 666fae30-ff2d-4bfd-b1c9-27d7611f430a |
title | Executive Spear Phish |
Getting Phishing Indicators
Purpose: Fetches the Indicators found in phishing emails submitted to the Phishing Triage enclave.
!trustar-get-phishing-indicators
Task Input
Parameter | Description |
priority_event_score | Priority Event Score of the email submissions whose indicators should be returned. |
normalized_indicator_score | Normalized Indicator Score to filter the returned indicators on. |
from_time | Start of time window (defaults to 24 hours ago), in YYYY-MM-DD HH:MM:SS |
to_time | End of time window (defaults to the current time), in YYYY-MM-DD HH:MM:SS |
status | A comma-separated list of triage statuses (UNRESOLVED, CONFIRMED, IGNORED); only indicators from email submissions marked with at least one of these statuses are returned. |
Task Output
Field | Description |
indicatorType | The type of Indicator. Available types are IP, URL, EMAIL_ADDRESS, MD5, SHA1, SHA256. |
value | The indicator’s value. |
sourceKey | The intelligence source where the indicator originated. |
normalizedIndicatorScore | The Normalized Score of the Indicator. |
originalIndicatorScore | The Original Score provided by the external intelligence source for the indicator. |
Original Indicator Score
The Indicator’s score, as provided by the intelligence source.
Field | Type | Description |
name | String | The name of the score type, e.g. "Risk Score" or "Malicious Confidence" |
value | String | The value of the score, as directly extracted from the source, e.g. "HIGH" or "78" |
Sample Output
indicatorType | IP |
normalizedIndicatorScore | 3 |
originalIndicatorScore | {‘name’: ‘Detections’, ‘value’: ‘54/65’} |
sourceKey | virustotal |
value | 119.81.93.82 |
Setting Phishing Triage Status
Purpose: Sets the status of a phishing email submission with one or more status tags. By default, every submission is tagged with the unresolved status. The status tag options are:
- Confirmed: emails that have been confirmed as phishing emails.
- Ignored: emails that, after review, are determined not to be phishing emails.
- Unresolved: the default status for all emails.
!trustar-set-triage-status
Task Input
Parameter | Description |
submission_id | ID of the email submission (the submissionId returned by Get Phishing Submissions) |
status | Triage status to apply: CONFIRMED, IGNORED, or UNRESOLVED |
Task Output
HTTP 200; the response carries no body.
Sample Output
OK
Sample Playbook
This sample playbook, combined with TruSTAR’s ability to automatically move Indicators from confirmed phishing emails to a Phishing Indicator Enclave that is directly connected to a SIEM, provides an end-to-end workflow that reduces your organization’s risk exposure from user-reported phishing emails.
As part of the Phishing Triage feature set, the TruSTAR team built a sample playbook that performs the following tasks:
- Demisto gets the most recent "unresolved" phishing emails from TruSTAR.
- A conditional task in the playbook routes each email on its Priority Event Score:
  - Priority Event Score 2 or 3: the email is automatically set to Confirmed.
  - Priority Event Score 1: a manual task is created for later review.
  - Priority Event Score 0 or -1: the email is automatically set to Ignored.
- Once the playbook has iterated over all collected emails, every email has been labeled.
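The following is an added example, not TruSTAR's or Demisto's own code, that implements the sample playbook's routing rule as a Python automation over the Get Phishing Submissions output shape shown earlier. It assumes a run_command callable in place of demisto.executeCommand; the FakeDemisto class and all submissions other than the page's own sample are constructed stand-ins so the example runs offline, and treating a missing normalized score as -1 ("not scored") is an assumption.

```python
"""Added example (not TruSTAR's or Demisto's code): the sample playbook's
Priority Event Score rule applied to !trustar-get-phishing-submissions
output, with a constructed stand-in for demisto.executeCommand."""
from typing import Any, Callable, Dict, List, Optional

# Status tags accepted by !trustar-set-triage-status.
CONFIRMED, IGNORED, UNRESOLVED = "CONFIRMED", "IGNORED", "UNRESOLVED"

# Constructed submissions in the shape of the Sample Output above. The first
# entry reproduces the page's sample; the others are invented for illustration.
SAMPLE_SUBMISSIONS: List[Dict[str, Any]] = [
    {
        "submissionId": "666fae30-ff2d-4bfd-b1c9-27d7611f430a",
        "title": "Executive Spear Phish",
        "priorityEventScore": 3,
        "status": "phishing/unresolved",
        "context": [
            {"indicatorType": "IP", "indicatorValue": "119.81.93.82",
             "sourceKey": "virustotal", "normalizedIndicatorScore": 3,
             "originalIndicatorScore": {"name": "Detections", "value": "54/65"}},
            {"indicatorType": "IP", "indicatorValue": "124.160.116.194",
             "sourceKey": "virustotal", "normalizedIndicatorScore": -1,
             "originalIndicatorScore": {"name": "null", "value": "null"}},
        ],
    },
    {"submissionId": "example-pes1", "title": "Invoice reminder (constructed)",
     "priorityEventScore": 1, "status": "phishing/unresolved", "context": []},
    {"submissionId": "example-pes0", "title": "Newsletter (constructed)",
     "priorityEventScore": 0, "status": "phishing/unresolved", "context": []},
    {"submissionId": "example-done", "title": "Already triaged (constructed)",
     "priorityEventScore": 3, "status": "phishing/confirmed", "context": []},
]


def decide_status(priority_event_score: int) -> Optional[str]:
    """The sample playbook's conditional: 2 or 3 confirm, 0 or -1 ignore,
    1 goes to a manual task (returned as None). Any other value is rejected
    rather than silently ignored, so a schema change cannot auto-label mail."""
    if priority_event_score in (2, 3):
        return CONFIRMED
    if priority_event_score in (0, -1):
        return IGNORED
    if priority_event_score == 1:
        return None
    raise ValueError(f"unexpected priorityEventScore: {priority_event_score!r}")


def max_normalized_score(submission: Dict[str, Any]) -> int:
    """Highest normalizedIndicatorScore in a submission's context array.
    A missing score, or an empty context, counts as -1 (assumed to mean
    'not scored', matching the 'null' originalIndicatorScore entries)."""
    return max((int(i.get("normalizedIndicatorScore", -1))
                for i in submission.get("context", [])), default=-1)


def triage_unresolved(run_command: Callable[[str, Dict[str, str]], Any]
                      ) -> Dict[str, List[str]]:
    """Fetch UNRESOLVED submissions, apply decide_status, and write the
    result back with trustar-set-triage-status. run_command stands in for
    demisto.executeCommand(name, args) inside a real XSOAR automation."""
    submissions = run_command("trustar-get-phishing-submissions",
                              {"status": UNRESOLVED})
    outcome: Dict[str, List[str]] = {"confirmed": [], "ignored": [], "manual": []}
    for sub in submissions:
        sid = sub["submissionId"]
        status = decide_status(int(sub["priorityEventScore"]))
        if status is None:
            outcome["manual"].append(sid)  # stays UNRESOLVED for an analyst
            continue
        run_command("trustar-set-triage-status",
                    {"submission_id": sid, "status": status})
        outcome[status.lower()].append(sid)
    return outcome


class FakeDemisto:
    """Constructed stand-in for the two TruSTAR commands so the example runs
    offline. It matches the status filter against the tag suffix, since the
    API returns statuses in the form phishing/unresolved."""
    def __init__(self, submissions: List[Dict[str, Any]]) -> None:
        self.submissions = submissions
        self.status_calls: List[tuple] = []

    def execute(self, name: str, args: Dict[str, str]) -> Any:
        if name == "trustar-get-phishing-submissions":
            wanted = {s.strip().upper() for s in args["status"].split(",")}
            return [s for s in self.submissions
                    if s["status"].rsplit("/", 1)[-1].upper() in wanted]
        if name == "trustar-set-triage-status":
            self.status_calls.append((args["submission_id"], args["status"]))
            return "OK"
        raise KeyError(name)


if __name__ == "__main__":
    fake = FakeDemisto(SAMPLE_SUBMISSIONS)
    print(triage_unresolved(fake.execute))
    print(fake.status_calls)
```

In a real automation, replace fake.execute with demisto.executeCommand and pass from_time/to_time so repeated runs do not re-pull the same window; decide_status raising on an unexpected score is deliberate, since a score outside -1..3 should stop the run rather than quietly mark mail as ignored.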