Auto Extract Indicators from a Phishing Email
use case auto extract, use case auto-extract, auto-extract
example, auto extract example
The following scenario shows how Auto Extract
is used in the
Process Email - Generic
playbook
to automatically extract and enrich a very specific group of indicators. This
playbook parses the headers in the original email used in a phishing
attack. It is important to parse the original email used in the
phishing attack and not the email that was forwarded to ensure that
you only extract the email headers from the malicious email and
not the one your organization uses to report phishing attacks.
- Navigate to thePlaybookspage and search for theProcess Email - Genericplaybook.
- Open theAdd original email details to contexttask, clickSetand selectParseEmailFiles.Under theOutputstab you can see all of the different data that the task extracts.
- Navigate to theAdvancedtab.UnderAuto extract indicators, ensure that theInlineoption is selected. This indicates that all of the outputs will be processed before the playbook moves ahead to the next task.
- Open theDisplay email information in layouttask. This task receives the data from the saved attachment tasks and sets the various data points to context.Under theAdvancedtab, ensure thatAuto extract indicatorsis set toNonebecause the indicators have already been extracted earlier in theExtract email artifacts and attachmentstask and there is no need to do it again..
