PhishLabs IOC EIR
This integration is part of the PhishLabs Pack. This integration was integrated and tested with V1.0 of the PhishLabs IOC EIR API.
Use Cases
- Fetch live EIR incidents from PhishLabs
- Retrieve EIR incidents from PhishLabs by filters
Detailed Description
Phishlabs Email Incident Response (EIR) is a solution that protects against threats that make it past your email security stack and into your employee inboxes. With Email Incident Response, enterprises can detect, prevent, and respond to these threats.
- Suspicious Email Analysis
- Email Threat Intelligence
Configure PhishLabs IOC EIR on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for PhishLabs IOC EIR.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://example.net)
- User
- Source Reliability. Reliability of the source providing the intelligence data. (The default value is B - Usually reliable)
- Fetch incidents
- First fetch timestamp (e.g., 12 hours, 7 days)
- Fetch limit
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the new instance.
Fetch Incidents
Fetching incidents is controlled by the following configuration:
- Fetch limit - the maximum number of incidents retrieved per fetch
- First fetch timestamp - the point in time from which incidents are first collected (e.g., 1 day ago, 1 hour ago)
- Incident type
```json
[
  {
    "name": "PhishLabs IOC - EIR: INC0528925",
    "occurred": "2019-10-15T16:31:09Z",
    "rawJSON": {
      "id": "INC0528925",
      "service": "EIR",
      "title": "Deploymentliste release 10.0 in PROD am 15.10.2019",
      "description": "",
      "status": "Closed",
      "details": {
        "caseType": "Response",
        "classification": "No Threat Detected",
        "subClassification": "No Threat Detected",
        "severity": null,
        "emailReportedBy": "johnnydepp@gmail.com",
        "submissionMethod": "Attachment",
        "sender": "johnnydepp@gmail.com",
        "emailBody": "Test",
        "urls": [
          {
            "url": "google.com",
            "malicious": false,
            "maliciousDomain": false
          }
        ],
        "attachments": [],
        "furtherReviewReason": null,
        "offlineUponReview": false
      },
      "created": "2019-10-15T16:31:08Z",
      "modified": "2019-10-15T16:31:09Z",
      "closed": "2019-10-15T16:31:09Z",
      "duration": 0
    }
  }
]
```
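As an added example (not the integration's own code), this is the fetch logic the parameters above describe: a fetch limit, a created_after watermark that starts at the first-fetch timestamp, and deduplication of incidents that share one timestamp so the inclusive filter neither drops nor repeats them. The raw incidents are constructed, and the last_run layout and the choice of created as the occurred time are assumptions.

```python
# Added example (not the integration's own code): turn raw PhishLabs IOC EIR incidents,
# laid out like the rawJSON above, into Cortex XSOAR fetch objects while honouring the
# fetch limit and carrying a created_after watermark between runs. Sample data is constructed.
import json

RAW_INCIDENTS = [  # constructed API response; note two incidents sharing one timestamp
    {"id": "INC0000001", "service": "EIR", "title": "Invoice attached", "status": "Closed",
     "created": "2019-10-15T16:31:08Z", "details": {"classification": "Malicious", "urls": []}},
    {"id": "INC0000002", "service": "EIR", "title": "Deploymentliste release", "status": "Open",
     "created": "2019-10-15T16:35:00Z", "details": {"classification": "No Threat Detected", "urls": []}},
    {"id": "INC0000003", "service": "EIR", "title": "Password reset", "status": "Open",
     "created": "2019-10-15T16:35:00Z", "details": {"classification": "Malicious", "urls": []}},
]

def fetch_incidents(raw, last_run, limit):
    """Return (xsoar_incidents, new_last_run).

    last_run = {"created_after": RFC3339, "seen_ids": [...]} (assumed layout). Because
    created_after is inclusive ("on or after"), IDs already fetched at exactly the watermark
    are remembered, so incidents sharing a timestamp are neither duplicated nor dropped.
    """
    after = last_run.get("created_after", "")
    seen = set(last_run.get("seen_ids", []))
    # RFC3339 'Z' timestamps of identical layout compare correctly as strings.
    candidates = [i for i in raw if i["created"] >= after and i["id"] not in seen]
    candidates.sort(key=lambda i: (i["created"], i["id"]))  # oldest first, stable on ID
    candidates = candidates[:limit]  # the "Fetch limit" parameter
    incidents = [{"name": f"PhishLabs IOC - EIR: {i['id']}",
                  "occurred": i["created"],  # assumption: created is the occurrence time
                  "rawJSON": json.dumps(i)} for i in candidates]
    if not candidates:
        return incidents, last_run
    newest = candidates[-1]["created"]
    at_watermark = {i["id"] for i in candidates if i["created"] == newest}
    if newest == after:  # still on the same timestamp: keep the earlier IDs too
        at_watermark |= seen
    return incidents, {"created_after": newest, "seen_ids": sorted(at_watermark)}
```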
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- phishlabs-ioc-eir-get-incidents
- phishlabs-ioc-eir-get-incident-by-id
1. phishlabs-ioc-eir-get-incidents
Gets EIR incidents from the PhishLabs IOC EIR service (default limit: 25 incidents).
Base Command
phishlabs-ioc-eir-get-incidents
Input
Argument Name | Description | Required |
---|---|---|
status | Filter incidents by status (open or closed). | Optional |
created_after | Return incidents created on or after the given timestamp. The timestamp is in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional |
created_before | Return incidents created on or before the given timestamp. The timestamp is in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional |
closed_after | Return incidents closed on or after the given timestamp. The timestamp is in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional |
closed_before | Return incidents closed on or before the given timestamp. The timestamp is in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional |
sort | Return Incidents sorted by the given column. | Optional |
direction | Return Incidents sorted by the given order. This will be applied to the given sort parameter. | Optional |
limit | Maximum number of incidents to return (0-50, default 25) | Optional |
offset | Offset from the last incident | Optional |
period | Period to query (e.g., 1 day, 2 hours) | Optional |
Context Output
Path | Type | Description |
---|---|---|
PhishLabsIOC.EIR.CaseType | String | Incident reason type |
PhishLabsIOC.EIR.Classification | String | Incident classification |
PhishLabsIOC.EIR.SubClassification | String | Detailed classification |
PhishLabsIOC.EIR.Severity | String | Incident severity |
PhishLabsIOC.EIR.SubmissionMethod | String | Email submission method |
PhishLabsIOC.EIR.FurtherReviewReason | String | Incident further review reason |
PhishLabsIOC.EIR.ID | String | ID of the incident |
PhishLabsIOC.EIR.Title | String | Title of the reported incident |
PhishLabsIOC.EIR.Description | String | Description of the reported incident |
PhishLabsIOC.EIR.Status | Boolean | Status of the reported incident |
PhishLabsIOC.EIR.Created | Date | Date the incident was created |
PhishLabsIOC.EIR.Modified | Date | Date the incident was last modified |
PhishLabsIOC.EIR.Closed | Date | Date the incident was closed |
PhishLabsIOC.EIR.Duration | Number | Duration until the incident was closed, in seconds |
PhishLabsIOC.EIR.EmailReportedBy | String | User who reported the incident |
PhishLabsIOC.EIR.Email.EmailBody | String | Email body |
PhishLabsIOC.EIR.Email.Sender | String | Email sender |
PhishLabsIOC.EIR.Email.URL.URL | String | URL found in the body |
PhishLabsIOC.EIR.Email.URL.Malicious | Boolean | Is the URL malicious? |
PhishLabsIOC.EIR.Email.URL.MaliciousDomain | Boolean | Is the URL's domain malicious? |
PhishLabsIOC.EIR.Email.Attachment.FileName | String | Name of the attached file |
PhishLabsIOC.EIR.Email.Attachment.MimeType | String | Attachment MIME type |
PhishLabsIOC.EIR.Email.Attachment.MD5 | String | Attachment MD5 hash |
PhishLabsIOC.EIR.Email.Attachment.SHA256 | String | Attachment SHA256 hash |
PhishLabsIOC.EIR.Email.Attachment.Malicious | Boolean | Is the file malicious? |
Email.To | String | The recipient of the email. |
Email.From | String | The sender of the email. |
Email.Body/HTML | String | The plain-text version of the email. |
File.Name | String | The full file name (including file extension). |
File.SHA256 | Unknown | The SHA256 hash of the file. |
File.MD5 | String | The MD5 hash of the file. |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
URL.Data | String | The URL |
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
URL.Malicious.Description | String | A description of the malicious URL. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | String | The actual score. |
Command Example
!phishlabs-ioc-eir-get-incidents limit=3
Context Example
```json
{
  "DBotScore": [
    {
      "Indicator": "https://google.com",
      "Score": 1,
      "Type": "URL",
      "Vendor": "PhishLabs IOC - EIR"
    }
  ],
  "Email": [
    {
      "Body/HTML": "Example body",
      "From": "LinkedIn Sales Navigator not@domain.com",
      "To": "Michael Mammele not@domain.com"
    },
    {
      "Body/HTML": "Example body",
      "From": "Tony Prince not@domain.com",
      "To": "Tony Prince not@domain.com"
    },
    {
      "Body/HTML": "Example body",
      "From": "FileDoc2 not@domain.com",
      "To": "John LaCour not@domain.com"
    }
  ],
  "File": [],
  "PhishLabsIOC": {
    "EIR": [
      {
        "CaseType": "Link",
        "Classification": "No Threat Detected",
        "Closed": "2019-11-05T23:23:06Z",
        "Created": "2019-11-05T22:05:52Z",
        "Description": "",
        "Duration": 4635,
        "Email": {
          "Attachment": [],
          "EmailBody": "Example body",
          "Sender": "LinkedIn Sales Navigator not@domain.com",
          "URL": [
            {
              "Malicious": false,
              "MaliciousDomain": false,
              "URL": "https://google.com"
            }
          ]
        },
        "EmailReportedBy": "Michael Mammele not@domain.com",
        "FurtherReviewReason": null,
        "ID": "INC0682881",
        "Modified": "2019-11-05T23:23:06Z",
        "Severity": null,
        "Status": "Closed",
        "SubClassification": "No Threat Detected",
        "SubmissionMethod": "Attachment",
        "Title": "See who else can influence your deals"
      }
    ]
  }
}
```
Human Readable Output
PhishLabs IOC - EIR - incidents
ID | Title | Status | Created | Classification | SubClassification | EmailReportedBy |
---|---|---|---|---|---|---|
INC0682881 | See who else can influence your deals | Closed | 2019-11-05T22:05:52Z | No Threat Detected | No Threat Detected | Michael Mammele not@domain.com |
INC0682040 | FW: Tuesday, November 5, 2019 | Closed | 2019-11-05T20:30:48Z | Malicious | Link - Phishing | Tony Prince not@domain.com |
INC0681982 | Tuesday, November 5, 2019 | Closed | 2019-11-05T20:25:22Z | Malicious | Link - Phishing | John LaCour not@domain.com |
2. phishlabs-ioc-eir-get-incident-by-id
Returns a single Incident based on the given ID.
Base Command
phishlabs-ioc-eir-get-incident-by-id
Input
Argument Name | Description | Required |
---|---|---|
incident_id | ID of the incident (as returned by the phishlabs-ioc-eir-get-incidents command) | Required |
Context Output
Path | Type | Description |
---|---|---|
PhishLabsIOC.EIR.CaseType | String | Incident reason type |
PhishLabsIOC.EIR.Classification | String | Incident classification |
PhishLabsIOC.EIR.SubClassification | String | Detailed classification |
PhishLabsIOC.EIR.Severity | String | Incident severity |
PhishLabsIOC.EIR.SubmissionMethod | String | Email submission method |
PhishLabsIOC.EIR.FurtherReviewReason | String | Incident further review reason |
PhishLabsIOC.EIR.ID | String | ID of the incident |
PhishLabsIOC.EIR.Title | String | Title of the reported incident |
PhishLabsIOC.EIR.Description | String | Description of the reported incident |
PhishLabsIOC.EIR.Status | Boolean | Status of the reported incident |
PhishLabsIOC.EIR.Created | Date | Date the incident was created |
PhishLabsIOC.EIR.Modified | Date | Date the incident was last modified |
PhishLabsIOC.EIR.Closed | Date | Date the incident was closed |
PhishLabsIOC.EIR.Duration | Number | Duration until the incident was closed, in seconds |
PhishLabsIOC.EIR.EmailReportedBy | String | User who reported the incident |
PhishLabsIOC.EIR.Email.EmailBody | String | Email body |
PhishLabsIOC.EIR.Email.Sender | String | Email sender |
PhishLabsIOC.EIR.Email.URL.URL | String | URL found in the body |
PhishLabsIOC.EIR.Email.URL.Malicious | Boolean | Is the URL malicious? |
PhishLabsIOC.EIR.Email.URL.MaliciousDomain | Boolean | Is the URL's domain malicious? |
PhishLabsIOC.EIR.Email.Attachment.FileName | String | Name of the attached file |
PhishLabsIOC.EIR.Email.Attachment.MimeType | String | Attachment MIME type |
PhishLabsIOC.EIR.Email.Attachment.MD5 | String | Attachment MD5 hash |
PhishLabsIOC.EIR.Email.Attachment.SHA256 | String | Attachment SHA256 hash |
PhishLabsIOC.EIR.Email.Attachment.Malicious | Boolean | Is the file malicious? |
Email.To | String | The recipient of the email. |
Email.From | String | The sender of the email. |
Email.Body/HTML | String | The plain-text version of the email. |
File.Name | String | The full file name (including file extension). |
File.SHA256 | Unknown | The SHA256 hash of the file. |
File.MD5 | String | The MD5 hash of the file. |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
URL.Data | String | The URL |
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
URL.Malicious.Description | String | A description of the malicious URL. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | String | The actual score. |
Command Example
!phishlabs-ioc-eir-get-incident-by-id incident_id=INC0671150
Context Example
```json
{
  "DBotScore": [
    {
      "Indicator": "https://google.com",
      "Score": 1,
      "Type": "URL",
      "Vendor": "PhishLabs IOC - EIR"
    }
  ],
  "Email": [
    {
      "Body/HTML": "Example body",
      "From": "LinkedIn Sales Navigator not@domain.com",
      "To": "Michael Mammele not@domain.com"
    }
  ],
  "File": [],
  "PhishLabsIOC": {
    "EIR": [
      {
        "CaseType": "Link",
        "Classification": "No Threat Detected",
        "Closed": "2019-11-05T23:23:06Z",
        "Created": "2019-11-05T22:05:52Z",
        "Description": "",
        "Duration": 4635,
        "Email": {
          "Attachment": [],
          "EmailBody": "Example body",
          "Sender": "LinkedIn Sales Navigator not@domain.com",
          "URL": [
            {
              "Malicious": false,
              "MaliciousDomain": false,
              "URL": "https://google.com"
            }
          ]
        },
        "EmailReportedBy": "Michael Mammele not@domain.com",
        "FurtherReviewReason": null,
        "ID": "INC0682881",
        "Modified": "2019-11-05T23:23:06Z",
        "Severity": null,
        "Status": "Closed",
        "SubClassification": "No Threat Detected",
        "SubmissionMethod": "Attachment",
        "Title": "See who else can influence your deals"
      }
    ]
  }
}
```
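As an added example (not the integration's own code), the mapping that both commands' Context Output tables describe: one raw EIR incident, shaped like the rawJSON in the Fetch Incidents section, is turned into the PhishLabsIOC.EIR, Email, URL, File and DBotScore context shown in the examples above. The incident is constructed; the raw attachment key names and the DBotScore mapping (malicious -> 3 Bad, otherwise 1 Good) are assumptions, since the page does not document them.

```python
# Added example (not the integration's own code): map one raw EIR incident, laid out like the rawJSON
# above, onto the documented context paths. Assumed: raw attachment key names; DBotScore 3 = Bad, 1 = Good.
VENDOR = "PhishLabs IOC - EIR"
RAW = {  # constructed sample incident
    "id": "INC0000009", "title": "Urgent: verify your account", "description": "", "status": "Closed",
    "created": "2019-11-05T22:05:52Z", "modified": "2019-11-05T23:23:06Z",
    "closed": "2019-11-05T23:23:06Z", "duration": 4635,
    "details": {
        "caseType": "Link", "classification": "Malicious", "subClassification": "Link - Phishing",
        "severity": None, "emailReportedBy": "reporter@example.com", "submissionMethod": "Attachment",
        "sender": "sender@example.com", "emailBody": "Example body", "furtherReviewReason": None,
        "urls": [{"url": "https://example.com/login", "malicious": True, "maliciousDomain": False},
                 {"url": "https://example.org", "malicious": False, "maliciousDomain": False}],
        "attachments": [{"fileName": "invoice.pdf", "mimeType": "application/pdf", "malicious": True,
                         "md5": "d41d8cd98f00b204e9800998ecf8427e",
                         "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],
    },
}
EIR_KEYS = {"ID": "id", "Title": "title", "Description": "description", "Status": "status",
            "Created": "created", "Modified": "modified", "Closed": "closed", "Duration": "duration"}
DETAIL_KEYS = {"CaseType": "caseType", "Classification": "classification", "Severity": "severity",
               "SubClassification": "subClassification", "SubmissionMethod": "submissionMethod",
               "FurtherReviewReason": "furtherReviewReason", "EmailReportedBy": "emailReportedBy"}

def add_indicator(ctx, list_key, entry, itype, value, malicious, what):
    """Append the standard-context entry and its DBotScore (3 = Bad, 1 = Good; assumed mapping)."""
    if malicious:  # the Malicious sub-object appears only on indicators the vendor flagged
        entry["Malicious"] = {"Vendor": VENDOR, "Description": f"{what} flagged malicious by EIR"}
    ctx[list_key].append(entry)
    ctx["DBotScore"].append({"Indicator": value, "Type": itype, "Vendor": VENDOR, "Score": 3 if malicious else 1})

def to_context(raw):
    """Build PhishLabsIOC.EIR, Email, URL, File and DBotScore from one raw incident."""
    d = raw["details"]
    eir = {k: raw[v] for k, v in EIR_KEYS.items()}
    eir.update({k: d[v] for k, v in DETAIL_KEYS.items()})
    eir["Email"] = {
        "EmailBody": d["emailBody"], "Sender": d["sender"],
        "URL": [{"URL": u["url"], "Malicious": u["malicious"], "MaliciousDomain": u["maliciousDomain"]}
                for u in d["urls"]],
        "Attachment": [{"FileName": a["fileName"], "MimeType": a["mimeType"], "MD5": a["md5"],
                        "SHA256": a["sha256"], "Malicious": a["malicious"]} for a in d["attachments"]]}
    ctx = {"PhishLabsIOC.EIR": eir, "URL": [], "File": [], "DBotScore": [],
           "Email": [{"To": d["emailReportedBy"], "From": d["sender"], "Body/HTML": d["emailBody"]}]}
    for u in d["urls"]:
        add_indicator(ctx, "URL", {"Data": u["url"]}, "URL", u["url"], u["malicious"], "URL")
    for a in d["attachments"]:
        add_indicator(ctx, "File", {"Name": a["fileName"], "MD5": a["md5"], "SHA256": a["sha256"]},
                      "file", a["sha256"], a["malicious"], "Attachment")
    return ctx
```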