Suspicious E-mail Investigation
This scenario covers a user-reported phishing attempt: quick triage, email analysis, proxy log correlation, and automated URL and attachment scanning via the built-in Phishing workflow.
Scenario
A user forwards a suspicious email to the SOC. The SIEM generates an alert of type Suspicious e-mail with the sender address, subject line, and any embedded URLs or attachments as observables.
Create the case
Open Alerts and locate the alert. Click Preview, check the Similar cases tab to confirm there is no open duplicate, then select the Suspicious e-mail template from the Import alert as dropdown and click Yes, Import.
The case is created with the title prefix defined by the template and the following tasks:
| Task | Group | Action |
|---|---|---|
| Reply and acknowledge the user | Communication | Confirm receipt of the report to the user who forwarded the email. |
| Quick analysis of reported email | Identification | Review headers, sender domain, and subject. Note any embedded URLs or attachments. |
| Analyze the suspicious email | Verification | Run analyzers on extracted observables (URLs, domains, file hashes). |
| Search proxy logs | Identification | Check whether any user clicked the embedded URL in the email. |
| Before closing the case | Enrichment | Record findings, update TTPs, tag any confirmed IOCs. |
| Communication | Communication | Notify affected users and relevant teams of the outcome. |
Add observables and run analyzers
Open the Observables tab and click Add Observable. Add the sender domain, any embedded URLs, and file hashes from attachments. Set Is IOC on confirmed malicious indicators.
Select the URL and domain observables, click Run Analyzers, and run the analyzers configured for those types. Results appear in the Observables tab once jobs complete.
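The Quick analysis and Search proxy logs tasks above come down to two mechanical steps: pulling the sender domain, embedded URLs and attachment hashes out of the forwarded message, and checking whether any proxy log entry touched those URLs or domains. The script below is an added illustration of both steps, not part of the product or this page; the sample email, the proxy log lines and their space-separated format (timestamp, user, client IP, method, URL, status) are constructed for the example, and the `extract_observables` and `find_clicks` names are my own.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample of a forwarded message (not a real email); the sender
# domain, URL and attachment are placeholders for this illustration.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-login.test>
To: alice@corp.example
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your password expires today. Reset it at http://example-login.test/reset?u=alice
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed proxy log lines: timestamp, user, client IP, method, URL, status.
PROXY_LOG = """\
2024-05-01T09:12:03Z alice 10.1.2.3 GET http://example-login.test/reset?u=alice 200
2024-05-01T09:13:10Z bob 10.1.2.4 GET https://intranet.corp.example/home 200
2024-05-01T09:15:44Z carol 10.1.2.5 GET http://example-login.test/favicon.ico 404
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_observables(raw_bytes):
    """Return sender, sender domain, URLs, domains and attachment hashes from a raw email."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec
    sender_domain = sender.rpartition("@")[2].lower()

    urls = []
    for part in msg.walk():
        # Only scan message bodies; attachments are hashed below, not searched for links.
        if part.get_content_maintype() != "text" or part.get_content_disposition() == "attachment":
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")  # drop trailing punctuation the regex may have swallowed
            if url not in urls:
                urls.append(url)

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decodes the base64 transfer encoding
        attachments.append({"filename": part.get_filename(),
                            "sha256": hashlib.sha256(data).hexdigest()})

    domains = {sender_domain}
    domains |= {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    return {"sender": sender, "sender_domain": sender_domain, "urls": urls,
            "domains": sorted(domains), "attachments": attachments}


def find_clicks(log_text, observables):
    """Return proxy log hits that match an email URL exactly or land on one of its domains."""
    url_set = set(observables["urls"])
    domain_set = set(observables["domains"])
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines instead of aborting the whole search
        ts, user, src_ip, _method, url, status = fields[:6]
        host = (urlparse(url).hostname or "").lower()
        if url in url_set:
            match = "url"       # the exact link from the email was requested
        elif host in domain_set:
            match = "domain"    # same sender/link domain, different path: worth a look
        else:
            continue
        hits.append({"time": ts, "user": user, "src_ip": src_ip, "url": url,
                     "status": status, "match": match})
    return hits


if __name__ == "__main__":
    obs = extract_observables(SAMPLE_EML)
    print("observables:", obs)
    for hit in find_clicks(PROXY_LOG, obs):
        print(f"{hit['time']} {hit['user']} ({hit['src_ip']}) requested {hit['url']} "
              f"[{hit['match']} match, HTTP {hit['status']}]")
```

The domain-level match is deliberately kept separate from the exact-URL match: a request for another path on the same host (a favicon, a redirect target) is not proof that the user followed the link, but it is the kind of hit an analyst wants listed before deciding the Impact field at closure.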
Automated phishing workflow
Cases tagged automation_phishing are picked up automatically by the Phishing n8n workflow. The workflow runs on a schedule and, for each matching case:
- Fetches all observables from the case.
- Routes URLs to a URL analyzer and file attachments to a file analyzer via Automation.
- Calculates a risk score from the combined analyzer results.
- If the risk is high: raises the case severity and blocks the malicious URL via an Automation responder, then sends an email notification to the affected user.
- If the risk is low: closes the case automatically.
To activate automation, add the tag automation_phishing to the case.
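The decision logic of the workflow (aggregate analyzer verdicts into one score, then branch on high versus low risk) is shown below as an added example; it is not the n8n workflow itself, and the page does not publish the workflow's scoring formula. The verdict weights, the threshold of 70, the analyzer result records and the case fields are all assumptions constructed for this illustration. One edge case the text does not spell out is handled explicitly: when no analyzer returned a verdict at all, the case is left open for an analyst instead of being auto-closed as low risk.

```python
# Verdict weights and the high-risk threshold are assumptions for this illustration.
LEVEL_SCORE = {"malicious": 100, "suspicious": 50, "safe": 0, "info": 0}
HIGH_RISK_THRESHOLD = 70
AUTOMATION_TAG = "automation_phishing"

# Constructed analyzer results: one record per analyzer verdict on one observable.
# A level of None stands for a job that failed or returned nothing.
RESULTS_MALICIOUS = [
    {"observable": "http://example-login.test/reset", "type": "url", "analyzer": "url_scan", "level": "malicious"},
    {"observable": "example-login.test", "type": "domain", "analyzer": "domain_rep", "level": "suspicious"},
    {"observable": "placeholder-sha256-of-attachment", "type": "hash", "analyzer": "file_scan", "level": None},
]
RESULTS_CLEAN = [
    {"observable": "https://intranet.corp.example/home", "type": "url", "analyzer": "url_scan", "level": "safe"},
    {"observable": "corp.example", "type": "domain", "analyzer": "domain_rep", "level": "info"},
]
RESULTS_NO_VERDICT = [
    {"observable": "http://example-login.test/reset", "type": "url", "analyzer": "url_scan", "level": None},
]


def risk_score(results):
    """Combine analyzer verdicts into a 0..100 score; None when no verdict exists."""
    scored = [LEVEL_SCORE[r["level"]] for r in results if r.get("level") in LEVEL_SCORE]
    if not scored:
        return None
    top = max(scored)
    # Independent suspicious verdicts on different observables reinforce each other.
    suspicious = len({r["observable"] for r in results if r.get("level") == "suspicious"})
    return min(100, top + 10 * max(0, suspicious - 1))


def decide(case, results):
    """Return the action plan the workflow would apply to one case."""
    if AUTOMATION_TAG not in case.get("tags", []):
        return {"score": None, "verdict": "skipped", "actions": ["case not tagged for automation"]}
    score = risk_score(results)
    if score is None:
        # Missing data is not evidence of a clean email: never auto-close on it.
        return {"score": None, "verdict": "manual_review",
                "actions": ["leave case open for analyst review"]}
    if score >= HIGH_RISK_THRESHOLD:
        bad_urls = sorted({r["observable"] for r in results
                           if r["type"] == "url" and r.get("level") == "malicious"})
        actions = ["raise case severity to high"]
        actions += [f"block URL via responder: {u}" for u in bad_urls]
        actions.append(f"email notification to {case['reporter']}")
        return {"score": score, "verdict": "high", "actions": actions}
    return {"score": score, "verdict": "low", "actions": ["close case automatically"]}


if __name__ == "__main__":
    # Constructed case record; the id is a placeholder, not a real case.
    case = {"id": "CASE-PLACEHOLDER", "reporter": "alice@corp.example", "tags": [AUTOMATION_TAG]}
    for name, results in [("malicious", RESULTS_MALICIOUS), ("clean", RESULTS_CLEAN),
                          ("no verdict", RESULTS_NO_VERDICT)]:
        print(name, "->", decide(case, results))
```

Only URLs with a malicious verdict are passed to the blocking responder; a case that became high risk through several suspicious verdicts still gets its severity raised and the user notified, but blocking a URL nobody rated malicious is left to the analyst.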
Close the case
After all tasks are complete, click Close case. Select True Positive if the email was confirmed malicious, or False Positive if clean. Set Impact to Yes if any user clicked the link or opened the attachment, otherwise No. Enter a Summary and click Close case.