Cortex by Palo Alto Networks | Cortex XSOAR for Managed Security Service Providers | White Paper

2. Looking at the email "ingredients"—subject, email address, attachments, etc.—the playbook assigns incident severity by cross-referencing these details against external threat databases.
3. Next, the playbook extracts IOCs from the email and checks for any reputational red flags in the SOC's existing threat intelligence tools.
4. Once this enrichment is done, the playbook checks whether any malicious indicators were found.

Response

Depending on whether malicious indicators were detected in the suspected phishing email (see figure 6), one of two branches will execute.

If malicious indicators were detected:

1. The playbook emails the affected user further instructions.
2. It then scans all organizational mailboxes/endpoints to identify and delete other instances of the suspected email to avoid further damage.
3. Finally, the playbook adds the malicious IOCs to blacklists/watchlists on the SOC's other tools.

If malicious indicators were not detected, some precautions are still taken before confirming that the email is harmless:

1. The playbook checks for any attachments in the email and, if found, detonates them in a sandbox for further analysis.
2. If that analysis doesn't throw up any alarms, the playbook can give way to analysts for qualitative and manual investigation. Once the analysts are satisfied the email is benign, the playbook sends an email to the affected user apprising them of the false alarm.
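The enrichment-then-branch flow described above, as an added Python example that is not the white paper's own playbook or any XSOAR code: it extracts IOCs from a parsed email, scores them against a constructed threat-intel table, and returns which branch runs and the response actions queued. The KNOWN_BAD table, action names and mail addresses are assumed stand-ins.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed reputation data standing in for the SOC's threat-intel tools (assumption).
KNOWN_BAD = {"evil-login.example": 9, "44d88612fea8a8f36de82e1278abb02f": 10}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")

def extract_iocs(msg):
    """Step 3: pull the sender domain, linked domains and MD5-shaped hashes out of the email."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    iocs = set(URL_RE.findall(text)) | {h.lower() for h in MD5_RE.findall(text)}
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" in addr:
        iocs.add(addr.rsplit("@", 1)[1].lower())
    return iocs

def enrich(iocs, ti=KNOWN_BAD):
    """Steps 2-4: cross-reference IOCs against threat intel; severity is the worst hit."""
    hits = {i: ti[i] for i in iocs if i in ti}
    return hits, max(hits.values(), default=0)

def run_playbook(raw_email, ti=KNOWN_BAD):
    """Return the branch taken and the ordered response actions the playbook would queue."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits, severity = enrich(extract_iocs(msg), ti)
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    if hits:  # malicious branch: notify the user, purge other copies, feed IOCs to other tools
        actions = ["notify_user_instructions", "purge_other_mailboxes",
                   "blocklist:" + ",".join(sorted(hits))]
        return {"branch": "malicious", "severity": severity, "actions": actions}
    # benign branch: detonate any attachments, hand over to analysts, then close as a false alarm
    actions = ["sandbox:" + a for a in attachments] + ["analyst_review", "notify_user_false_alarm"]
    return {"branch": "benign", "severity": severity, "actions": actions}

def build_sample(sender, body, attachment=None):
    """Constructed test message with hypothetical addresses (not real phishing data)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@corp.example", "Account notice"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf",
                           filename=attachment)
    return msg.as_string()
```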