playbook-Phishing_-_Indicators_Hunting.yml
id: Phishing - Indicators Hunting
version: -1
name: Phishing - Indicators Hunting
description: |
  Hunt indicators related to phishing with available integrations and then handle the results. Handling the results will include setting relevant incident fields which will be displayed in the layout and optionally, opening new incidents according to the findings.
  Current integration in this playbook:
  - Microsoft 365 Defender (using "Advanced Hunting")
  Note that this playbook should be used as a sub-playbook inside a phishing incident and not as a main playbook.
starttaskid: "0"
tasks:
  "0":
    id: "0"
    taskid: ae9d5f25-f689-44b5-8644-1d1ff8da2c53
    type: start
    task:
      id: ae9d5f25-f689-44b5-8644-1d1ff8da2c53
      version: -1
      name: ""
      iscommand: false
      brand: ""
      description: ''
    nexttasks:
      '#none#':
      - "1"
    separatecontext: false
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 1710,
          "y": 1990
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  "1":
    id: "1"
    taskid: 2f9c6950-28fb-4994-8d79-5dfe301cd2e2
    type: playbook
    task:
      id: 2f9c6950-28fb-4994-8d79-5dfe301cd2e2
      version: -1
      name: Microsoft 365 Defender - Threat Hunting Generic
      description: |
        This playbook retrieves email data based on the `URLDomain`, `SHA256`, `IPAddress`, and `MessageID` inputs. The output is a unified object with all of the retrieved emails based on the following sub-playbooks outputs:
        - **Microsoft 365 Defender - Get Email URL clicks**:
        Retrieves data based on URL click events.
        - **Microsoft 365 Defender - Emails Indicators Hunt**:
        Retrieves data based on several different email events.
        Read the playbook's descriptions in order to get the full details.
      playbookName: Microsoft 365 Defender - Threat Hunting Generic
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "3"
    scriptarguments:
      IPAddress:
        complex:
          root: inputs.DBotScore
          filters:
          - - operator: isEqualString
              left:
                value:
                  simple: inputs.DBotScore.Type
                iscontext: true
              right:
                value:
                  simple: ip
              ignorecase: true
          - - operator: isEqualString
              left:
                value:
                  simple: inputs.DBotScore.Score
                iscontext: true
              right:
                value:
                  simple: "3"
          accessor: Indicator
          transformers:
          - operator: uniq
      ListenerMailbox:
        complex:
          root: inputs.ListenerMailbox
      SHA256:
        complex:
          root: inputs.DBotScore.Indicator
          filters:
          - - operator: isEqualString
              left:
                value:
                  simple: inputs.DBotScore.Type
                iscontext: true
              right:
                value:
                  simple: file
              ignorecase: true
            - operator: isEqualString
              left:
                value:
                  simple: inputs.DBotScore.Type
                iscontext: true
              right:
                value:
                  simple: hash
              ignorecase: true
          - - operator: greaterThanOrEqual
              left:
                value:
                  simple: inputs.DBotScore.Score
                iscontext: true
              right:
                value:
                  simple: "3"
          - - operator: stringHasLength
              left:
                value:
                  simple: inputs.DBotScore.Indicator
                iscontext: true
              right:
                value:
                  simple: "64"
          transformers:
          - operator: uniq
      URLDomain:
        complex:
          root: inputs.DBotScore
          filters:
          - - operator: isEqualString
              left:
                value:
                  simple: inputs.DBotScore.Type
                iscontext: true
              right:
                value:
                  simple: URL
              ignorecase: true
            - operator: isEqualString
              left:
                value:
                  simple: inputs.DBotScore.Type
                iscontext: true
              right:
                value:
                  simple: domain
              ignorecase: true
          - - operator: greaterThanOrEqual
              left:
                value:
                  simple: inputs.DBotScore.Score
                iscontext: true
              right:
                value:
                  simple: "3"
          accessor: Indicator
          transformers:
          - operator: uniq
      ResultsLimit:
        simple: "50"
      SearchTimeframe:
        simple: "7"
      Timeout:
        simple: "180"
    separatecontext: true
    continueonerrortype: ""
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 1710,
          "y": 2150
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: true
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  "2":
    id: "2"
    taskid: 45f91f5a-63cd-4eb1-89c5-9c4d45a9201e
    type: playbook
    task:
      id: 45f91f5a-63cd-4eb1-89c5-9c4d45a9201e
      version: -1
      name: Phishing - Handle Microsoft 365 Defender Results
      description: |-
        This playbook is used to handle the results from the "Microsoft 365 Defender - Threat Hunting Generic" playbook inside a phishing incident. It will perform the following actions:
        1) Set the relevant incident fields based on the results, such as "Clicked URLs", "Malicious URL Viewed", and "Malicious URL Clicked".
        2) In case the relevant playbook inputs were configured, it will create new incidents for each email returned in the results. First, it will try to retrieve the original emails' files and then it will create an incident for each retrieved email.
        3) Link the newly created incidents to the main originating incident.
        Note that this playbook should only be used inside a phishing incident and not as a main playbook.
      playbookName: Phishing - Handle Microsoft 365 Defender Results
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "4"
    scriptarguments:
      CreateNewIncidents:
        complex:
          root: inputs.EmailHuntingCreateNewIncidents
      EmailBrand:
        simple: MicrosoftGraphMail
      RetrievedEmails:
        complex:
          root: Microsoft365Defender
          accessor: RetrievedEmails
    separatecontext: true
    continueonerrortype: ""
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 1710,
          "y": 2560
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  "3":
    id: "3"
    taskid: e480e0e4-cf08-4ac6-8897-48cf53991382
    type: condition
    task:
      id: e480e0e4-cf08-4ac6-8897-48cf53991382
      version: -1
      name: Any emails found using Microsoft 365 Defender?
      description: Did the previous task return any emails in its output?
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "4"
      "yes":
      - "2"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isNotEmpty
          left:
            value:
              complex:
                root: Microsoft365Defender
                accessor: RetrievedEmails
            iscontext: true
          right:
            value: {}
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 1710,
          "y": 2345
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  "4":
    id: "4"
    taskid: 4a0761e3-523a-46c5-89d0-2e4daa11ebfc
    type: title
    task:
      id: 4a0761e3-523a-46c5-89d0-2e4daa11ebfc
      version: -1
      name: Done
      type: title
      iscommand: false
      brand: ""
      description: ''
    separatecontext: false
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 1710,
          "y": 2740
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
view: |-
  {
    "linkLabelsPosition": {
      "3_2_yes": 0.48
    },
    "paper": {
      "dimensions": {
        "height": 815,
        "width": 380,
        "x": 1710,
        "y": 1990
      }
    }
  }
inputs:
- key: DBotScore
  value:
    complex:
      root: DBotScore
  required: false
  description: |-
    The DBotScore object containing these keys:
    - Indicator
    - Type
    - Score
  playbookInputQuery:
- key: EmailHuntingCreateNewIncidents
  value:
    simple: "False"
  required: false
  description: When "True", the "Phishing - Handle Microsoft 365 Defender Results" sub-playbook will create new phishing incidents for each email that contains one of the malicious indicators. Default is "False".
  playbookInputQuery:
- key: ListenerMailbox
  value: {}
  required: false
  description: The mailbox of the listening integration. In case it is provided, the emails found in it will be ignored.
  playbookInputQuery:
outputs: []
quiet: true
tests:
- No tests (auto formatted)
fromversion: 6.8.0
contentitemexportablefields:
  contentitemfields: {}
system: true
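The `filters` and `transformers` under the `IPAddress`, `SHA256` and `URLDomain` script arguments of task "1" are what decide which enriched indicators ever reach the Microsoft 365 Defender hunt: only DBotScore entries of the right type, at the "bad" score, with SHA256-length hashes and duplicates removed. The Python below re-implements that selection outside XSOAR so the gating can be reasoned about and unit-tested. It is an added example, not code from the playbook or the content pack; the `SAMPLE_DBOTSCORE` list is constructed, the function names are the author's own, and treating the playbook's `isEqualString` on `Score` as a text comparison of `"3"` is an assumption about how XSOAR coerces the value.

```python
"""Stand-alone mirror of the DBotScore gating performed by the
scriptarguments of "Phishing - Indicators Hunting" (added example,
not XSOAR or content-pack code)."""

# Constructed sample of what inputs.DBotScore could hold after enrichment.
# DBotScore semantics: 0 unknown, 1 good, 2 suspicious, 3 bad.
SAMPLE_DBOTSCORE = [
    {"Indicator": "198.51.100.7", "Type": "ip", "Score": 3},
    {"Indicator": "198.51.100.7", "Type": "IP", "Score": 3},   # duplicate, removed by uniq
    {"Indicator": "203.0.113.9", "Type": "ip", "Score": 2},    # suspicious only, not hunted
    {"Indicator": "a" * 64, "Type": "file", "Score": 3},       # SHA256-length hash, kept
    {"Indicator": "b" * 40, "Type": "hash", "Score": 3},       # SHA1 length, dropped by stringHasLength
    {"Indicator": "c" * 64, "Type": "hash", "Score": 1},       # benign, dropped
    {"Indicator": "evil.example", "Type": "domain", "Score": 3},
    {"Indicator": "http://evil.example/login", "Type": "URL", "Score": 3},
    {"Indicator": "good.example", "Type": "Domain", "Score": 0},
]


def _uniq(values):
    """XSOAR's `uniq` transformer: drop duplicates, keep first-seen order."""
    seen = set()
    out = []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def _select(dbot, clauses):
    """XSOAR filter semantics: `clauses` is a list of groups (the `- - operator`
    nesting in the YAML). Every group must match (AND across groups) and any
    predicate inside a group may match (OR within a group). Returns the
    Indicator values of the matching entries."""
    return [
        entry["Indicator"]
        for entry in dbot
        if all(any(pred(entry) for pred in group) for group in clauses)
    ]


def ip_addresses(dbot):
    """IPAddress argument: Type equals "ip" (ignorecase) AND Score equals "3".
    The playbook uses isEqualString for the score here, so it is compared
    as text (assumption about XSOAR's coercion)."""
    return _uniq(_select(dbot, [
        [lambda e: e["Type"].lower() == "ip"],
        [lambda e: str(e["Score"]) == "3"],
    ]))


def sha256_hashes(dbot):
    """SHA256 argument: Type is "file" OR "hash", AND Score >= 3, AND the
    indicator is exactly 64 characters (stringHasLength 64), so MD5 and SHA1
    values never reach the SHA256 hunt."""
    return _uniq(_select(dbot, [
        [lambda e: e["Type"].lower() == "file", lambda e: e["Type"].lower() == "hash"],
        [lambda e: e["Score"] >= 3],
        [lambda e: len(e["Indicator"]) == 64],
    ]))


def url_domains(dbot):
    """URLDomain argument: Type is "url" OR "domain", AND Score >= 3."""
    return _uniq(_select(dbot, [
        [lambda e: e["Type"].lower() == "url", lambda e: e["Type"].lower() == "domain"],
        [lambda e: e["Score"] >= 3],
    ]))


def build_hunting_inputs(dbot, listener_mailbox=None):
    """Assemble the argument set task "1" hands to the
    "Microsoft 365 Defender - Threat Hunting Generic" sub-playbook, including
    the fixed ResultsLimit / SearchTimeframe / Timeout values from the YAML."""
    return {
        "IPAddress": ip_addresses(dbot),
        "SHA256": sha256_hashes(dbot),
        "URLDomain": url_domains(dbot),
        "ListenerMailbox": listener_mailbox,
        "ResultsLimit": "50",
        "SearchTimeframe": "7",
        "Timeout": "180",
    }


if __name__ == "__main__":
    import json
    # Hypothetical mailbox value for the ListenerMailbox input.
    print(json.dumps(build_hunting_inputs(SAMPLE_DBOTSCORE, "soc-inbox@example.com"), indent=2))
```

Running the module prints the hunt arguments derived from the sample context: one IP, one SHA256, and the domain plus URL, with the score-2 IP, the 40-character hash and the benign entries filtered out. The same structure makes it easy to see why the `stringHasLength` group matters: without it, a malicious SHA1 would be passed to a hunt that expects SHA256 values and simply return nothing.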