
Phishing Investigation - Generic

This playbook is part of the Deprecated Content (Deprecated) Pack.


Use "Phishing Investigation - Generic v2" playbook instead.

DEPRECATED. Use "Phishing Investigation - Generic v2" playbook instead. Investigates and remediates potential phishing incidents. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.

The final remediation tasks are always decided by a human analyst.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Process Email - Generic
  • Email Address Enrichment - Generic
  • Search And Delete Emails - Generic
  • Detonate File - Generic
  • Extract Indicators From File - Generic
  • Entity Enrichment - Generic
  • Block Indicators - Generic

Integrations

  • Builtin

Scripts

  • AssignAnalystToIncident
  • SendEmail
  • Set

Commands

  • send-mail
  • closeInvestigation

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Role | The default role to assign the incident to. | Administrator | Required |
| SearchAndDelete | Enable the Search and Delete capability. Can be "True" or "False". In the case of a malicious email, the Search and Delete sub-playbook will look for other instances of the email and delete them pending analyst approval. | False | Optional |
| BlockIndicators | Enable the Block Indicators capability. Can be "True" or "False". In the case of a malicious email, the Block Indicators sub-playbook will block all malicious indicators in the relevant integrations. | False | Optional |

Playbook Outputs

There are no outputs for this playbook.
