Skip to main content


Campaign 1.1.0 356353

This pack can help you find related phishing, spam or other types of email incidents and characterize campaigns.

When a suspicious email is detected, for example: phishing or spam, this pack can help you save investigation time by enabling you to efficiently and easily query past email incidents to find relevant incidents and identify an email campaign.

What does this pack do?

The pack includes the FindEmailCampaign script which enables you to:

  • Filter past email incidents according to multiple search criteria provided by the user as the script inputs. For example: incident types, email body and/or subject, email sender, similarity threshold between emails, and more.
  • Define criteria for a collection of related email incidents to be considered a campaign: minimum number of incidents and minimum number of unique recipients.

The script output indicates whether a campaign was identified. When a campaign is identified, more information about the campaign is provided: number of incidents involved in the campaign, indicators involved in the campaign and more.

How does this pack work?

  • An active instance of the integration you plan to use for fetching and ingesting suspicious email incidents, for example, Palo Alto Networks Cortex XDR, is required.
  • The Phishing content pack is required because the FindEmailCampaign script uses the FindDuplicateEmailIncidents script from that pack.


Cortex XSOAR


CertificationRead more
Supported ByCortex XSOAR
CreatedMarch 4, 2021
Last ReleaseMay 12, 2021

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.