Skip to main content

Detect & Manage Phishing Campaigns

This Playbook is part of the Phishing Campaign Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook is used to find, create and manage phishing campaigns. When a number of similar phishing incidents exist in the system, the playbook can be used to do the following:

  1. Find and link related incidents to the same phishing attack (a phishing campaign).
  2. Search for an existing Phishing Campaign incident or create a new incident for linked Phishing incidents.
  3. Link all detected phishing incidents to the Phishing Campaign incident that was found or created previously.
  4. Update the Phishing Campaign incident with the latest data about the campaign, and update all related phishing incidents to indicate that they are part of the campaign.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • IsIncidentPartOfCampaign
  • SetByIncidentId
  • FindEmailCampaign


  • investigate
  • createNewIncident
  • linkIncidents
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
AutomaticallyLinkIncidentsWhether to automatically link the incidents that make up the campaign to the phishing campaign incident. Can be True or False.TrueOptional
incidentTypeFieldNameThe name of the incident field in which the incident type is stored. Change this argument only if you are using a custom field for specifying the incident type.typeOptional
incidentTypesA comma-separated list of incident types from which to filter. Specify "None" to search all incident types.PhishingOptional
existingIncidentsLookbackThe date from which to search for similar incidents. Date format is the same as in the incidents query page. For example: "3 days ago", "2019-01-01T00:00:00 +0200".14 days agoOptional
queryAdditional text by which to query incidents.Optional
limitThe maximum number of incidents to fetch.1000Optional
emailSubjectThe name of the field that contains the email subject.emailsubjectOptional
emailBodyThe name of the field that contains the email body.emailbodyOptional
emailBodyHTMLThe name of the field that contains the HTML version of the email body.emailbodyhtmlOptional
emailFromThe name of the field that contains the email sender.emailfromOptional
statusScopeCompares the new incident to closed incidents, non closed incidents, or to all incidents. Can be All, ClosedOnly, or NonClosedOnly.AllOptional
thresholdThe threshold to consider the incident as similar. The range of values is 0-1.0.8Optional
maxIncidentsToReturnThe maximum number of incidents to display as part of a campaign. If a campaign includes a higher number of incidents, the results only contain these amounts of incidents.200Optional
minIncidentsForCampaignThe minimum number of incidents to consider as a campaign.3Optional
minUniqueRecipientsThe minimum number of unique recipients of similar email incidents to consider as a campaign.2Optional
fieldsToDisplayA comma-separated list of fields to display. For example, "emailclassification,closereason". If a list of fields is provided, and a campaign is detected, these incidents fields will be displayed.
Note: removing the "emailfrom", "recipients" or "severity" fields from this list, affects the dynamic sections displayed in the campaign layout and render it useless.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Detect & Manage Phishing Campaigns