* [Blog](https://www.paloaltonetworks.com.au/blog) * [Security Operations](https://www.paloaltonetworks.com.au/blog/security-operations/) * [Must-Read Articles](https://www.paloaltonetworks.com.au/blog/security-operations/category/must-read-articles/) * Playbook of the Week: Phi... # Playbook of the Week: Phishing for Trouble with Cortex XSOAR [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-phishing-for-trouble-with-cortex-xsoar%2F) [](https://twitter.com/share?text=Playbook+of+the+Week%3A+Phishing+for+Trouble+with+Cortex+XSOAR&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-phishing-for-trouble-with-cortex-xsoar%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-phishing-for-trouble-with-cortex-xsoar%2F&title=Playbook+of+the+Week%3A+Phishing+for+Trouble+with+Cortex+XSOAR&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/security-operations/playbook-of-the-week-phishing-for-trouble-with-cortex-xsoar/&ts=markdown) \[\](mailto:?subject=Playbook of the Week: Phishing for Trouble with Cortex XSOAR) Link copied By [Brendan Powers](https://www.paloaltonetworks.com/blog/author/brendan-powers/?ts=markdown "Posts by Brendan Powers") Jul 01, 2022 3 minutes [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown) [Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown) [SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown) [XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown) A threat actor's greatest asset is time. The countdown starts from the moment their phishing attack arrives in your organization's inbox. From then on, the likelihood of a careless employee -- your weakest link -- falling for the click-only malware bomb increases with each passing moment that threat goes undetected. In the case of a sustained phishing campaign, your analysts are getting stuck in the high volume of persistent alerts that call for coordination between multiple security products and communication with end-users. As a result, the most destructive response to a phishing campaign involves the manual triage of incoming alerts. After deciding whether the email is malicious, the analyst must perform manual response actions to raise its severity across multiple siloed tools. These actions are high-quantity, repetitive, and don't require critical thinking. Unfortunately, they also cost you time and money, but what if you could decrease investigation time by 75%? ## **Automate Your Phishing Response** To boost the speed of the game, your security team must use every tool that can automatically investigate and respond to an email-based phishing incident. In addition to [classifying malicious emails](https://www.paloaltonetworks.com/blog/security-operations/phishing-email-classifier-in-cortex-xsoar/), **Cortex XSOAR's** [Phishing Pack](https://xsoar.pan.dev/marketplace/details/Phishing) has fully automated playbooks that react rapidly to suspected phishing attacks and can seamlessly integrate across multiple endpoint systems. It can be installed from the XSOAR Marketplace in an instant to serve your organization with the following features: 1. Retrieve emails from user inboxes or ingest them using mail listeners. 2. Create a phishing incident within Cortex XSOAR associated with the email. 3. Extract and enrich all indicators from email attachments. 4. Analyze files and provide reputation using your sandbox and threat intelligence integrations. 5. Generate a screenshot of the email and embedded links and calculate reputation for all indicators involved. 6. Run checks for SSL certificates of URLs, email address breach involvement, domain-squatting, and email authenticity using SPF, DKIM, and DMARC checks. 7. Identify similar phishing incidents of the same campaign, providing visibility and manual or automatic actions to respond to such incidents. 8. Calculate severity for the incident based on the provided initial severity, indicator reputations, email authenticity check, and critical assets, if any are involved. 9. Remediate the incident by blocking malicious indicators and searching for and deleting malicious emails upon analyst approval. 10. Engage with the end-user regarding the incident, such as notifying them of receipt of the email and providing further instructions if an email is suspected to be malicious. ![This image shows a phishing incident playbook work plan within the Cortex XSOAR’s Phishing Pack](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-76.png) ***This image shows a phishing incident playbook work plan within the Cortex XSOAR's Phishing Pack*** Consider how long it takes to manually perform all of the above tasks while knowing a threat actor is attacking your organization. For example, the Palo Alto SOC calculated that an average manual investigation of phishing emails took **45 minutes** , but XSOAR Phishing Automation cut that down to **8 minutes**: a 75% decrease in SOC effort. This pack facilitates analyst investigations by automating your organization's response to manual alerts. By downloading the [XSOAR Phishing Content Pack](https://xsoar.pan.dev/marketplace/details/Phishing), you're giving back ownership to your analysts of their time. **To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour)** **We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.** ## **Please Suggest Other Ideas or Vote!** If you like these ideas or would like to suggest other ideas, please collaborate with us through the Cortex XSOAR Aha page: [https://xsoar.ideas.aha.io/ideas](https://xsoar.ideas.aha.io/ideas) [](https://xsoar.ideas.aha.io/ideas) [![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-77.png)](https://xsoar.ideas.aha.io/ideas) *** ** * ** *** ## Related Blogs ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Automated Rapid Response to 3CXDesktopApp Supply Chain Attack](https://www.paloaltonetworks.com.au/blog/security-operations/playbook-of-the-week-automated-rapid-response-to-3cxdesktopapp-supply-chain-attack/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Automated Rapid Response to Microsoft Outlook for Windows Vulnerability](https://www.paloaltonetworks.com.au/blog/security-operations/playbook-of-the-week-automated-rapid-response-to-microsoft-outlook-for-windows-vulnerability/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Automating Your Threat Intelligence with Cortex XSOAR](https://www.paloaltonetworks.com.au/blog/security-operations/playbook-of-the-week-automating-your-threat-intelligence-with-cortex-xsoar/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Automating Attack Surface Management with Cortex XSOAR](https://www.paloaltonetworks.com.au/blog/security-operations/playbook-of-the-week-automating-attack-surface-management/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Playbook of the Week: Automating Cortex XDR Investigation and Response](https://www.paloaltonetworks.com.au/blog/security-operations/playbook-of-the-week-automating-cortex-xdr-investigation-and-response/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: ServiceNow Ticket Mirroring with Cortex XSOAR](https://www.paloaltonetworks.com.au/blog/security-operations/playbook-of-the-week-servicenow-ticket-mirroring-with-cortex-xsoar/) ### Subscribe to Security Operations Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language