Intezer's AutonomousDR plan is designed to integrate with your endpoint security and phishing alert tools, giving you an alert pipeline for automating triage and investigation. To learn more about the EDR integration, see Intezer EDR Connect.
This article explains how to integrate Intezer with Cortex XSOAR to build a phishing investigation pipeline for triaging emails with suspicious URLs and attachments.
If you already have a source for phishing alerts connected to XSOAR (such as an abuse mailbox), jump to step 2.
Step 1: Setting up an abuse mailbox (with Gmail)
Step 2: Installing Intezer module
Step 3: Setting up the playbook
Step 4: Understanding Intezer's phishing investigation pipeline sub-playbook
Step 5: Generating a test incident
To get Intezer's phishing sub-playbook in yml format and assistance in setting it up, please contact support@intezer.com.
Step 1: Setting up an abuse mailbox (with Gmail) in Cortex XSOAR
In this step, we will set up an XSOAR integration with an abuse mailbox. This mailbox serves as a destination where all suspicious emails are sent. The XSOAR integration listens to this mailbox and fetches every new email, which will then be treated as an incident by XSOAR.
1. Browse to the XSOAR Marketplace, search for “Gmail Single User” under Integrations and install the integration. The installed integration can be found in the “Settings” menu in Cortex XSOAR under Integrations, as shown here:
From the "Settings" menu in Cortex XSOAR, after the Gmail Single User integration is installed:
2. From the Gmail Single User integration in Cortex XSOAR, click “add instance” to set up the connection with your mailbox.
2.1 Now, from Instance Settings, fill in the name and the email address of the mailbox, as shown here:
2.2 You are also asked to fill in an auth code.
To get your auth code: run the !gmail-auth-link command in the command line at the bottom of your screen to start the auth flow. The command output will guide you to click on a link to a Google sign-in page so that you can sign in to your abuse mailbox account.
You will then be provided with an auth code. Paste the code into the dedicated input box.
2.3 Test abuse mailbox connection by running !gmail-auth-test in the command line.
Step 2: Installing the Intezer integration
To enable Intezer’s phishing playbook, we will first install Intezer's XSOAR integration module.
1. Browse to the Marketplace, search for “Intezer” under “Integrations” and install the integration. The installed integration can then be found in “Settings”, under “Integrations”, as shown below:
2. Click “add instance” to set up the connection with Intezer.
3. Fill in a name for your instance and your Intezer API key.
Step 3: Setting up the playbook
Import the playbook:
1. To get Intezer's phishing sub-playbook in yml format and assistance in setting it up, please contact support@intezer.com.
2. From the XSOAR Playbooks page, browse to the “New Playbook” area and click on the button with a cloud icon to import the yml file.
3. Now that the playbook file is uploaded to the system, create a new “master” playbook that will call the imported playbook.
4. Create a new task that will contain the imported playbook.
5. Edit the playbook, browse to the uploaded sub-playbook and perform the following:
5.1 Make sure the Context is Shared Globally, which means that all of the email data will also transfer into the sub-playbook.
5.2 Browse to the Loop tab and set it to “For Each Input”, which means that the playbook will run for each File/URL uploaded (if there is more than one).
Step 4: Understanding Intezer's phishing pipeline sub-playbook
The playbook analyzes attachments and URLs in the email incident so that Intezer can investigate and triage incoming phishing emails for you.
It is divided into two separate streams that work simultaneously: File analysis and URL analysis. Below is a visual of the flow, then a list of the six automated tasks:
1) Is Intezer Module Enabled - The playbook starts with a conditional task that checks if the Intezer module is enabled:
- YES = Move to File & URL analyze streams.
- ELSE = Go to the end of the playbook (calculate severity task)
After the first task, the playbook splits into analyzing the files and/or URLs discovered:
File analyze stream for triage:
2) Is there a file to analyze - checks if the “File” field is defined (exists):
- YES = Move to “Get File Analysis”
- ELSE = Go to the end of the playbook (calculate severity task)
3) Get file analysis & check if the analysis exists - Gets the file's “SHA256” and tries to pull an existing analysis for the attachment from Intezer, then checks whether the task returned “true” in the “ExistsInIntezer” field:
- YES = Go to get the analysis result. That means an analysis already exists, and uploading the attachment is not necessary.
- ELSE = Go to “Intezer - Analyze Attachment”
- ERROR PATH = This path is unique to this stage. It is used when the Get File Analysis task returns an “analysis expired” error, which means the file hash exists in Intezer but its analysis has expired. In this case, the file needs to be uploaded again.
4) Intezer - Analyze attachment - Gets the file “entryID” (uploads the entire file to Intezer), analyzes it, and returns an Analysis ID.
5) Generic polling & get analysis result - Gets the Analysis ID and returns the final verdict for the attachment. More on generic polling here.
6) Calculate severity - Calculates and assigns the incident severity as the highest severity level returned by the preceding analyses. More on calculating severity here.
URL analyze stream for triage:
2) Is there a URL to analyze - Check if the “URL” field is defined (exists).
- YES = Move to “Intezer - Analyze URL”
- ELSE = Go to the end of the playbook (calculate severity task)
3) Intezer - Analyze URL - Gets the URL and sends it to Intezer for analysis.
4) Generic polling & get analysis result - Gets the Analysis ID and returns the final verdict for the URL. More on generic polling here.
5) Calculate severity - Calculates and assigns the incident severity as the highest severity level returned by the preceding analyses. More on calculating severity here.
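To make the branching of the two streams concrete, here is an added Python model of the Step 4 decision flow (example code, not the article's or Intezer's playbook). The Intezer API is replaced by constructed lookup tables, and the verdict-to-severity mapping, field names such as EntryID, and the "expired" marker are assumptions, so only the routing (cached result, upload, expired error path) and the "highest severity wins" merge are modelled.

```python
# Added example: model of the file/URL triage streams. Intezer is replaced by
# constructed tables; verdict names and the severity mapping are assumptions.
SEVERITY = {"no_threats": 0, "suspicious": 2, "malicious": 3}
# Constructed stand-in for analyses already in Intezer, keyed by SHA256: (verdict, expired)
EXISTING = {"a" * 64: ("malicious", False), "b" * 64: ("no_threats", True)}
# Constructed stand-in for verdicts reached after upload + generic polling.
UPLOAD_VERDICT = {"entry-1": "no_threats", "entry-2": "suspicious", "entry-3": "suspicious"}
URL_VERDICT = {"https://login.example.test/": "malicious"}

class AnalysisExpired(Exception):
    """Models the 'analysis expired' error that routes to the error path."""

def get_file_analysis(sha256):
    """Task 3: returns (ExistsInIntezer, verdict); raises if the hash is known but expired."""
    if sha256 not in EXISTING:
        return False, None
    verdict, expired = EXISTING[sha256]
    if expired:
        raise AnalysisExpired(sha256)
    return True, verdict

def analyze_attachment(entry_id):
    """Tasks 4-5: upload the file by entryID, then polling yields the final verdict."""
    return UPLOAD_VERDICT[entry_id]

def triage_file(attachment):
    """File stream: reuse a cached result, upload if unknown, re-upload on expiry."""
    try:
        exists, verdict = get_file_analysis(attachment["SHA256"])
    except AnalysisExpired:
        return analyze_attachment(attachment["EntryID"]), "expired-reuploaded"
    if exists:
        return verdict, "cached"
    return analyze_attachment(attachment["EntryID"]), "uploaded"

def triage_url(url):
    """URL stream: always submitted for analysis, then polled."""
    return URL_VERDICT.get(url, "no_threats"), "analyzed"

def run_playbook(incident, module_enabled=True):
    """Sub-playbook run 'For Each Input'; returns (severity, per-indicator log)."""
    log = []
    if not module_enabled:
        return 0, log  # module disabled: straight to Calculate Severity, no verdicts
    for f in incident.get("File", []):
        verdict, path = triage_file(f)
        log.append((f["SHA256"][:8], verdict, path))
    for u in incident.get("URL", []):
        verdict, path = triage_url(u)
        log.append((u, verdict, path))
    severity = max((SEVERITY[v] for _, v, _ in log), default=0)
    return severity, log
```

The incident dict mirrors the context the master playbook shares globally with the sub-playbook; the per-indicator log shows which of the three file paths each attachment took.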
Step 5: Generating a test incident and viewing analysis results
Let's generate a test incident to ensure that our phishing pipeline is in place and learn how to analyze the incident.
1. Send an email to the dedicated phishing mailbox containing attachments and URLs to analyze.
2. Go to the “Incidents” view and open the relevant incident. Note - it might take a minute to go through the playbook, so the severity will first be set to unknown until the analysis is finished. Be patient :)
3. Triage: the main field we are interested in is the “Malicious or Suspicious Indicators.”
3.1 When the verdict returned from Intezer is Malicious - the field will show the entire verdict and a link to the analysis itself when you click on “Intezer”, as shown here:
Here's an example of Intezer's analysis result for a suspicious URL in Cortex XSOAR:
Clicking the "analysis_url" link in the Analysis Report will bring you to Intezer's full analysis of the suspicious URL, including screenshots of the website. In this example, Intezer shows more details about the malicious URL, and we can also see it is a fake Microsoft website for stealing credentials:
3.2 When the file is Clean - the field will be empty. To see all verdicts, you can navigate to the “indicators” page at Threat Intel -> XSOAR Indicators and type the following query: (reputation:*) AND investigationIDs:"<Incident ID>"
Learn more about how Intezer analyzes URLs and attachments: