Skip to main content

Phishing - Indicators Hunting

This Playbook is part of the Phishing Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Hunt indicators related to phishing with available integrations and then handle the results. Handling the results will include setting relevant incident fields that will be displayed in the layout and optionally, opening new incidents according to the findings. Current integration in this playbook: Microsoft 365 Defender (using "Advanced Hunting")

Note that this playbook should be used as a sub-playbook inside a phishing incident and not as a main playbook.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Microsoft 365 Defender - Threat Hunting Generic
  • Phishing - Handle Microsoft 365 Defender Results


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
DBotScoreThe DBotScore object containing these keys:
- Indicator
- Type
- Score
EmailHuntingCreateNewIncidentsWhen "True", the "Phishing - Handle Microsoft 365 Defender Results" sub-playbook will create new phishing incidents for each email that contains one of the malicious indicators. Default is "False".FalseOptional
ListenerMailboxThe mailbox of the listening integration. In case it is provided, the emails found in it will be ignored.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Phishing - Indicators Hunting