SOC - Bulk Ingest Phishing Emails - Template Playbook Overview
This document provides detailed information about the SOC - Bulk Ingest Phishing Emails template playbook. Configured to run on a cron schedule, this playbook retrieves emails, processes them by adding observables, and creates or updates records.

Users need to configure the following components:
- Get Phishing Emails
- Custom Email Data Extraction
- Correlate

Note: These playbooks can and should be duplicated, and the placeholder Create TEDS Alert List component swapped out to match the technology stack in your organization. This ensures the playbook works seamlessly with your chosen vendor's tools.

Overview

Objective: Automate the bulk ingestion of phishing emails, extract relevant data, enrich observables, and update or create CIM records.

Key workflow steps:
1. Scheduled tasks retrieve reported phishing emails using the Get Phishing Emails component.
2. Fetched emails are processed into standardized Email TEDS objects.
3. Custom data fields are extracted and added using the Custom Email Data Extraction component.
4. Observables are enriched, and correlation logic identifies related records.
5. Results are used to create or update CIM records.

Accessing the Playbook

To access the playbook:
1. Navigate to Orchestration in the Swimlane platform.
2. Click on Playbooks.
3. Select SOC - Bulk Ingest Phishing Emails - Template.

Loop-Based Email Processing in the Playbook

The playbook processes emails iteratively, ensuring each email is uniquely handled. Here's how it works:
- Email retrieval: The Get Phishing Emails component fetches a list of reported phishing emails from the configured email vendor.
- Data standardization: Emails are transformed into standardized Email TEDS objects.
- Deduplication: Emails are checked for duplicates using the Duplicate Phishing Email Detected component to avoid redundant processing.
- Enrichment: The Enrich Observables component adds threat intelligence (TI) data for associated observables. The Link Knowledge Base Articles component associates relevant KBAs with the email.
- Correlation: Email data is correlated with existing records using the Correlate component.
- Case creation: Based on predefined criteria, phishing emails are escalated into cases for further investigation.

Configuring the Key Components of SOC - Bulk Ingest Phishing Emails

Get Phishing Emails

Purpose: Retrieves a list of reported phishing emails for processing.

Details: Placeholder component that can be replaced with Vendor-Specific Integration Components (VICs) to output TEDS data.

Configuration:
- Replace the Get Phishing Emails component with the VIC appropriate to your email vendor.
- Configure the email vendor settings to ensure proper retrieval of phishing emails.

Inputs:
- Email configuration settings: Parameters to connect with the email vendor (e.g., API credentials, filters).

Outputs:
- Email TEDS objects: A list of standardized TEDS objects containing phishing email data, including:
  - Email subject
  - Email sender
  - Email received timestamp

Custom Email Data Extraction

Purpose: Extracts or adds custom data fields to the Email TEDS object, handling non-standardized data fields.

Configuration:
1. Open the Custom Email Data Extraction component.
2. Define the custom fields to be added:
   - The key of Custom Email Data should match the custom field added to the CIM application.
   - The value should correspond to the user-provided data.
3. Ensure the output object includes the Custom Email Data field for downstream processing.

Note: In order to automatically map custom fields to the CIM application, make sure the field names exactly match the field key values in the application definition. Otherwise, the playbook run results in an error.

Input: Email TEDS object containing standardized email data.

Output: Custom Email Data object containing the extracted or added custom fields.

Correlate

Purpose: Correlates the ingested email data with existing CIM records for contextual analysis.

Configuration:
1. Open the Correlate component.
2. Map fields from the Email TEDS object and custom data to the correlation logic.
3. Ensure the output includes:
   - CIM Tracking IDs: An array of tracking IDs for correlation.
   - Correlation Context: Additional context generated during correlation.
4. Add correlation logic to the parallel node, followed by Append Variable and Update Variable nodes.

Inputs:
- Email TEDS object containing standardized email data.
- Custom Data object containing additional custom fields.

Outputs:
- CIM Tracking IDs: Array of tracking IDs.
- Correlation Context: Contextual data from the correlation.

Supporting Components in the Playbook

These components play a critical role in the workflow but do not require user configuration.
- Enrich Observables: Enriches observables such as URLs, IPs, or domains and creates or finds mapped threat intelligence (TI) record IDs.
- Duplicate Phishing Email Detected: Checks for duplicate emails to prevent redundant processing.
- Link Knowledge Base Articles: Associates phishing emails with relevant knowledge base articles for immediate context and resolution.

Testing and Validation

1. Simulate the ingestion process by running the playbook manually.
2. Validate that:
   - Emails are correctly retrieved and transformed into TEDS objects.
   - Custom fields are populated as expected.
   - Correlation rules are applied correctly, and relevant records are matched.
3. Review the playbook's output to ensure accurate processing of phishing emails.
4. Debug and refine configurations as needed.

Deployment

1. Activate the playbook after testing.
2. Monitor execution logs to ensure smooth operation.
3. Adjust configurations in the Get Phishing Emails, Custom Email Data Extraction, and Correlate components as requirements evolve.

This documentation outlines the configuration and usage of the SOC - Bulk Ingest Phishing Emails playbook, focusing on the key components users need to configure. For further assistance, consult the Turbine documentation or contact your system administrator.
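The loop described above (standardize, deduplicate, extract custom data, correlate, then decide between create and update) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not Swimlane's playbook code: the Email TEDS shape, the sample emails and CIM records, the fingerprint used for duplicate detection, the sender-based correlation rule and the application field keys are all constructed assumptions. What it does reproduce from the page is the exact-key-match requirement for Custom Email Data, which here fails fast with a clear error instead of surfacing as a failed playbook run.

```python
"""Illustrative model of the loop-based phishing email processing.

Added example, not Swimlane's code: the TEDS shape, sample data,
dedup fingerprint and correlation rule are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field

# Assumed CIM application definition: the custom field keys the application
# accepts. Custom Email Data keys must match these exactly (see the note above).
APP_FIELD_KEYS = {"reporter_department", "user_verdict"}

# Constructed sample of reported emails as a vendor integration might return them.
RAW_EMAILS = [
    {"subj": "Invoice overdue", "from": "billing@example.test",
     "ts": "2024-05-01T09:00:00Z", "reporter": "finance"},
    {"subj": "Invoice overdue", "from": "billing@example.test",
     "ts": "2024-05-01T09:00:00Z", "reporter": "finance"},   # second report of the same mail
    {"subj": "Password reset", "from": "it-helpdesk@example.test",
     "ts": "2024-05-01T10:30:00Z", "reporter": "hr"},
]

# Constructed existing CIM records used by the correlation step.
EXISTING_RECORDS = [
    {"tracking_id": "CIM-1001", "email_sender": "billing@example.test"},
    {"tracking_id": "CIM-1002", "email_sender": "ceo@example.test"},
]


@dataclass
class EmailTeds:
    """Minimal stand-in for a standardized Email TEDS object (assumed shape)."""
    email_subject: str
    email_sender: str
    email_received: str
    custom_email_data: dict = field(default_factory=dict)

    def fingerprint(self) -> str:
        """Stable key for duplicate detection (assumed rule: sender, subject, timestamp)."""
        raw = f"{self.email_sender}|{self.email_subject}|{self.email_received}"
        return hashlib.sha256(raw.encode()).hexdigest()


def standardize(raw: dict) -> EmailTeds:
    """Data standardization: map vendor field names onto the TEDS field names."""
    return EmailTeds(raw["subj"], raw["from"], raw["ts"])


def extract_custom_data(raw: dict, teds: EmailTeds, app_keys: set) -> dict:
    """Custom Email Data Extraction, enforcing the exact-key-match requirement."""
    custom = {"reporter_department": raw["reporter"]}
    unknown = set(custom) - app_keys
    if unknown:
        # The playbook run would error here; report the mismatch explicitly instead.
        raise KeyError(f"custom field keys not in application definition: {sorted(unknown)}")
    teds.custom_email_data.update(custom)
    return custom


def correlate(teds: EmailTeds, records: list) -> tuple:
    """Correlate on sender (assumed rule); returns (CIM Tracking IDs, Correlation Context)."""
    ids = [r["tracking_id"] for r in records if r["email_sender"] == teds.email_sender]
    context = {"matched_on": "email_sender" if ids else None, "match_count": len(ids)}
    return ids, context


def process_bulk(raw_emails: list, records: list, app_keys: set = APP_FIELD_KEYS) -> dict:
    """Run the loop over every reported email and summarize what would be created or updated."""
    seen, processed, duplicates = set(), [], 0
    for raw in raw_emails:
        teds = standardize(raw)
        fp = teds.fingerprint()
        if fp in seen:                      # Duplicate Phishing Email Detected
            duplicates += 1
            continue
        seen.add(fp)
        extract_custom_data(raw, teds, app_keys)
        ids, ctx = correlate(teds, records)
        processed.append({"teds": teds, "cim_tracking_ids": ids, "correlation_context": ctx,
                          "action": "update" if ids else "create"})
    return {"processed": processed, "duplicates_skipped": duplicates}


if __name__ == "__main__":
    summary = process_bulk(RAW_EMAILS, EXISTING_RECORDS)
    for item in summary["processed"]:
        print(item["action"], item["teds"].email_subject, item["cim_tracking_ids"])
    print("duplicates skipped:", summary["duplicates_skipped"])
```

Run as a script, the sample yields one update (the billing sender matches an existing record), one create, and one skipped duplicate. Passing an application key set that lacks `reporter_department` raises immediately, which is the condition the note above describes as a failed playbook run.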