Auto Extract Indicators from a Phishing Email

The following scenario shows how Auto Extract is used in the Process Email - Generic playbook to automatically extract and enrich a very specific group of indicators.
  1. Navigate to the Playbooks page and search for the Process Email - Generic playbook.
     This playbook parses the headers in the original email used in a phishing attack. It is important to parse the original email used in the phishing attack and not the email that was forwarded, to make sure that you are only extracting and enriching the email headers from the malicious email and not from the one your organization uses to report phishing attacks.
  2. Open the Add original email attachments to context task.
     Under the Outputs tab you can see all of the different data that the task extracts.
  3. Navigate to the Advanced tab.
     Under Auto extract indicators, ensure that the Inline option is selected. This indicates that all of the outputs will be processed before the playbook moves ahead to the next task.
  4. Open the Set incident with the Email object data task. This task receives the data from the Add original email attachments to context task and sets the various data points to context.
     Under the Advanced tab, ensure that Auto extract indicators is set to None, because the indicators have already been enriched and there is no need to do it again.
In the above example, had we set the reputation.calc.algorithm.tasks server configuration to 1, we would not have had to go into the Advanced tab of the Set incident with the Email object data task and manually tell the task not to extract the indicators. It would use the system default.
