User-Reported Phishing
Business email compromise scenario: an employee receives an email that looks suspicious or like phishing and reports it directly from their email client. The report is forwarded to a dedicated inbox on the email security system, and that system's logs are forwarded to Logpoint SIEM. Because the log entry originates from this dedicated reporting inbox, an alert fires, an incident is created, and this playbook starts.
User-Reported Phishing investigates reported emails through the User-Reported Phishing Investigation sub-playbook. When a user reports a suspected phishing email, the playbook creates response tasks and compiles the results into a report for your security team. The sub-playbook assesses the aggregated data: the sender's authenticity, the email domain, the header and body, and the number of recipients (which shows how widely the same message was delivered). Together these measure how likely the email is to be phishing.
1. Trigger - retrieves from the Logpoint SIEM incident the start and end time of the incident, the query that produced it, rows_count, the incident name and the incident ID.
2. Query - runs the incident's query again in Logpoint SIEM. The $(orig_query) parameter takes the incident query retrieved by the Trigger block as its value, and the query is re-run with the distinct_count command so that it returns the number of distinct values of the sender, subject, message ID, server and receiver fields in JSON format.
3. For Each - loops over the Query block's results, taking each element of the sender, subject, message ID, server and receiver fields, and feeds them into the sub-playbook.
4. Playbook - the User-Reported Phishing Investigation sub-playbook takes server, receiver, sender, subject and message ID from the For Each block, and the incident ID and initiator from the Trigger block.
5. End - maps the sub-playbook's output fields: Sender, MID (the email's message ID), reported_by and Subject. The security team reviews these values under Results in Monitoring.
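As an added example that is not Logpoint's code or API, the five blocks above are simulated end to end in Python over constructed log records: Trigger lifts the incident fields, Query re-runs the incident filter and computes distinct counts per message, For Each hands every aggregated row to a simplified sub-playbook that scores sender authenticity (SPF/DKIM results), Reply-To and link-domain consistency and recipient spread, and End maps the Sender, MID, reported_by and Subject fields. The `mailbox` field naming the reporting inbox, the `field="value"` query parsing, the header/body fields and the scoring weights are all assumptions made for the demo.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# --- Constructed sample data (not real Logpoint events or incidents) -------
# `mailbox` is an assumed field naming the reporting inbox whose traffic
# raises the alert; sender/receiver/subject/message_id/server are the fields
# the page names; spf/dkim/reply_to/body stand in for the header and body
# data the sub-playbook inspects.
SAMPLE_INCIDENT = {
    "start_time": "2024-01-01T09:00:00Z", "end_time": "2024-01-01T09:15:00Z",
    "query": 'mailbox="phishing-reports@example.com"', "rows_count": 4,
    "name": "User-Reported Phishing", "incident_id": "INC-0001",
    "initiator": "alice@example.com",
}
_PHISH = {"sender": "ceo@examp1e-corp.com", "subject": "Urgent wire transfer",
          "message_id": "<m1@examp1e-corp.com>", "spf": "fail", "dkim": "none",
          "reply_to": "ceo.private@webmail.example",
          "body": "Please pay today: http://pay-portal.example.net/invoice"}
_NEWS = {"sender": "news@vendor.example", "subject": "March newsletter",
         "message_id": "<n1@vendor.example>", "spf": "pass", "dkim": "pass",
         "reply_to": "", "body": "Unsubscribe: https://news.vendor.example/u"}

def _log(template, receiver, reported_by=""):
    return dict(template, mailbox="phishing-reports@example.com",
                server="mx1.example.com", receiver=receiver,
                reported_by=reported_by)

SAMPLE_LOGS = [
    _log(_PHISH, "alice@example.com", "alice@example.com"),
    _log(_PHISH, "bob@example.com"),
    _log(_PHISH, "carol@example.com"),
    _log(_NEWS, "dave@example.com", "dave@example.com"),
]

def trigger(incident):
    """Step 1: lift the fields the playbook uses out of the SIEM incident."""
    keys = ("start_time", "end_time", "query", "rows_count", "name",
            "incident_id", "initiator")
    return {k: incident[k] for k in keys}

def query(orig_query, logs):
    """Step 2: re-run $(orig_query) and aggregate per message.

    The real playbook pipes the original search into a distinct_count
    aggregation inside Logpoint; here a `field="value"` filter is evaluated
    over the constructed logs and the distinct counts are computed locally.
    """
    key, _, value = orig_query.partition("=")
    hits = [r for r in logs if r.get(key.strip()) == value.strip().strip('"')]
    groups = defaultdict(list)
    for r in hits:
        groups[r["message_id"]].append(r)
    rows = []
    for mid, evts in groups.items():
        row = {"message_id": mid, "events": evts}
        for f in ("sender", "subject", "server", "receiver"):
            vals = sorted({e[f] for e in evts})
            row[f], row[f + "_distinct"] = vals, len(vals)
        rows.append(row)
    return rows

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr else ""

def under_domain(host, domain):
    """True only for the domain itself or a real subdomain (no suffix match)."""
    return host == domain or host.endswith("." + domain)

def investigate(row, incident_id, initiator):
    """Step 4 (sub-playbook, simplified): score sender authenticity, domain
    consistency, body links and recipient spread. Weights are illustrative."""
    ev = row["events"][0]
    sdom = sender_domain(ev["sender"])
    findings, score = [], 0
    if ev.get("spf") != "pass":
        findings.append("SPF " + str(ev.get("spf"))); score += 2
    if ev.get("dkim") != "pass":
        findings.append("DKIM " + str(ev.get("dkim"))); score += 1
    if ev.get("reply_to") and sender_domain(ev["reply_to"]) != sdom:
        findings.append("Reply-To domain differs from sender domain"); score += 2
    for url in re.findall(r"https?://[^\s<>\"']+", ev.get("body", "")):
        host = (urlparse(url).hostname or "").lower()
        if not under_domain(host, sdom):
            findings.append("link to " + host + " outside sender domain"); score += 1
    if row["receiver_distinct"] >= 3:
        findings.append(str(row["receiver_distinct"]) + " distinct recipients"); score += 1
    reported_by = next((e["reported_by"] for e in row["events"] if e["reported_by"]), "")
    return {"incident_id": incident_id, "initiator": initiator,
            "Sender": ev["sender"], "MID": row["message_id"],
            "Subject": ev["subject"], "reported_by": reported_by,
            "likelihood": round(min(score / 7, 1.0), 2),
            "verdict": "likely phishing" if score >= 4 else "probably benign",
            "findings": findings}

def run_playbook(incident, logs):
    """Steps 1-5 end to end; returns the fields mapped at the End block."""
    ctx = trigger(incident)                                              # step 1
    results = [investigate(row, ctx["incident_id"], ctx["initiator"])   # step 3/4
               for row in query(ctx["query"], logs)]                     # step 2
    keep = ("Sender", "MID", "reported_by", "Subject", "likelihood", "verdict", "findings")
    return [{k: r[k] for k in keep} for r in results]                   # step 5

if __name__ == "__main__":
    print(json.dumps(run_playbook(SAMPLE_INCIDENT, SAMPLE_LOGS), indent=2))
```

Grouping by message ID before scoring is what makes the recipient count meaningful: the same lookalike-domain message delivered to three mailboxes is scored once with `3 distinct recipients` as a finding, instead of three times as separate incidents. The `under_domain` check deliberately requires a dot boundary so that a host such as `evilvendor.example` is not treated as belonging to `vendor.example`.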