Create a MISP event on a phishing incident with a link
Purpose of the playbook
This playbook creates a MISP event for a phishing incident. The playbook sets default tags (taxonomies) and galaxy clusters on the event and its attributes. The playbook asks the analysts for the typical elements found in phishing cases (e-mail headers, e-mail body, phishing URL) and encodes these as attributes and objects in the event. The playbook creates relationships between the objects. The attributes are tagged with the PAP taxonomy and the course-of-action matrix. The playbook queries existing MISP events and the enabled OSINT feeds for matches. If there is a phishing URL in the e-mail, URLscan is queried and the historical scan results and screenshots are collected. The URL is then submitted to Lookyloo for analysis. Where possible, the phishing URL is also reported to organisations such as Google, Microsoft and Phishtank. A final report with a list of indicators is summarised in the playbook and sent to Mattermost or Slack. The results can also be added as an alert to TheHive or as a case to DFIR-IRIS (to be discussed for implementation).
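The event-building step of that workflow, as an added illustration (not code from the playbook project): it constructs the Event JSON body that the MISP REST API accepts, with an e-mail object, a URL object, the relationship between them, and the PAP and course-of-action tags on every attribute. The sample e-mail, the tag names and the object layout are assumptions; the real playbook would typically go through PyMISP, which produces the same structure.

```python
import uuid
from urllib.parse import urlparse

# Constructed sample input (no real indicators): the elements an analyst enters.
SAMPLE_MAIL = {
    "from": "billing@invoice-portal.example",
    "to": "user@example.org",
    "subject": "Your invoice is overdue",
    "body": "Please review your invoice at http://invoice-portal.example/login",
    "url": "http://invoice-portal.example/login",
}
# Default tags; the names must exist among the taxonomies/galaxies enabled on the target MISP (assumption).
EVENT_TAGS = ["tlp:amber", "PAP:AMBER", 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"']
ATTR_TAGS = ["PAP:AMBER", 'course-of-action:passive="discover"']

def _attr(relation, atype, value):
    """One attribute in MISP REST JSON form, tagged with PAP and a course-of-action."""
    return {"uuid": str(uuid.uuid4()), "object_relation": relation, "type": atype,
            "value": value, "to_ids": atype in ("url", "domain"),
            "Tag": [{"name": t} for t in ATTR_TAGS]}

def build_phishing_event(mail):
    """Build the Event JSON for POST /events/add: an 'email' object, an optional 'url'
    object, and an ObjectReference 'email contains url' linking the two (template UUIDs omitted)."""
    email_obj = {"uuid": str(uuid.uuid4()), "name": "email", "meta-category": "network",
                 "ObjectReference": [],
                 "Attribute": [_attr("from", "email-src", mail["from"]),
                               _attr("to", "email-dst", mail["to"]),
                               _attr("subject", "email-subject", mail["subject"]),
                               _attr("email-body", "email-body", mail["body"])]}
    objects = [email_obj]
    if mail.get("url"):  # only create the URL object when the analyst supplied a link
        url_obj = {"uuid": str(uuid.uuid4()), "name": "url", "meta-category": "network",
                   "Attribute": [_attr("url", "url", mail["url"]),
                                 _attr("domain", "domain", urlparse(mail["url"]).hostname)]}
        objects.append(url_obj)
        email_obj["ObjectReference"].append({"referenced_uuid": url_obj["uuid"],
                                             "relationship_type": "contains",
                                             "comment": "phishing URL seen in the e-mail"})
    return {"Event": {"info": f"Phishing incident: {mail['subject']}",
                      "distribution": 0, "threat_level_id": 2, "analysis": 0,
                      "Tag": [{"name": t} for t in EVENT_TAGS], "Object": objects}}

def indicators(event):
    """Flat list of to_ids attribute values: the indicator list for the final report."""
    return [a["value"] for o in event["Event"]["Object"] for a in o["Attribute"] if a["to_ids"]]
```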
External resources used by this playbook
URLscan, Lookyloo, Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional), Google Safe Browsing, Microsoft Security Intelligence, Phishtank
Target audience
SOC, CSIRT
Briefly list the execution steps or workflow
No response