Skip to main content

Detect & Manage Phishing Campaigns

This Playbook is part of the Phishing Campaign Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook is used to find, create and manage phishing campaigns. When a number of similar phishing incidents exist in the system, the playbook can be used to do the following:

  1. Find and link related incidents to the same phishing attack (a phishing campaign).
  2. Search for an existing Phishing Campaign incident, or create a new incident for the linked Phishing incidents.
  3. Link all detected phishing incidents to the Phishing Campaign incident that was found or that was created previously.
  4. Update the Phishing Campaign incident with the latest data about the campaign, and update all related phishing incidents to indicate that they are part of the campaign.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • SetPhishingCampaignDetails
  • IsIntegrationAvailable
  • IsIncidentPartOfCampaign
  • SetByIncidentId
  • FindEmailCampaign


  • linkIncidents
  • createNewIncident
  • demisto-lock-release
  • closeInvestigation
  • investigate
  • demisto-lock-get
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
AutomaticallyLinkIncidentsWhether to automatically link the incidents that make up the campaign, to the phishing campaign incident. Can be True (default) or False. It is recommended not to change the default.TrueOptional
incidentTypeFieldNameThe name of the incident field in which the incident type is stored. Default is "type". Change this argument only if you're using a custom field for specifying the incident type.typeOptional
incidentTypesA comma-separated list of incident types by which to filter. Specify "None" to search through all incident types By default, the value is "Phishing" because the Phishing incident type is used out of the box.PhishingOptional
existingIncidentsLookbackThe date from which to search for similar incidents. Date format is the same as in the incidents query page. For example: "3 days ago", "2019-01-01T00:00:00 +0200".7 days agoOptional
queryAdditional text by which to query incidents to find similar Phishing incidents. Uses the same language to query incidents in the UI.Optional
limitThe maximum number of incidents to fetch. Determines how many incidents can be checked for similarity at the time of execution.1000Optional
emailSubjectThe name of the incident field that contains the email subject. By default this is `emailsubject` (because the email subject is stored under `${incident.emailsubject}`.emailsubjectOptional
emailBodyThe name of the incident field that contains the email body.emailbodyOptional
emailBodyHTMLThe name of the incident field that contains the HTML version of the email body.emailbodyhtmlOptional
emailFromThe name of the incident field that contains the email sender.emailfromOptional
statusScopeWhether to compare the new incident to closed incidents, non closed incidents, or all incidents. Can be "All", "ClosedOnly", or "NonClosedOnly". Default is "All".AllOptional
thresholdThe threshold to consider an incident as similar. The range of values is 0-1. If needed, make small adjustments and continue to evaluate the required value. It is recommended not to change the default value of `0.8`.|0.8Optional
maxIncidentsToReturnThe maximum number of incidents to display as part of a campaign. If a campaign includes a higher number of incidents, the results will contain only these amounts of incidents.200Optional
minIncidentsForCampaignThe minimum number of incidents to consider as a campaign. For example, if you specify `10`, but only `9` similar incidents are found, the script will not find them as part of a campaign.|3Optional
minUniqueRecipientsThe minimum number of unique recipients of similar email incidents to consider as a campaign. as a campaign.2Optional
fieldsToDisplayA comma-separated list of fields to display. For example, "emailclassification,closereason". If a list of fields is provided, and a campaign is detected, these incidents fields will be displayed.
Note - removing the "emailfrom", "recipients", or "severity" fields from this list will affect dynamic sections displayed in the campaign layout and render them useless.
AutomaticallyCloseIncidentsWhether to automatically close the incidents that make up the campaign. Can be True or False.FalseOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Detect & Manage Phishing Campaigns