Phishing Tackle Box

We’ve just rolled out our new Phishing Tackle Box in the Extensions Library to help give folks a head start in handling phishing attacks in a more distributed, work-from-home setting. The tackle box contains a variety of InsightConnect workflows built to automate several different steps within a phishing investigation. This includes:

Phishing Alerts: Get phishing alerts sent to you directly in Slack or Microsoft Teams - your choice. These direct alerts and the details they provide make it easy to stay on top of threats without having to pull up a million different tools.

Indicator Enrichment: You want to make sure you’ve positively identified a phishing attempt before you take any action. Automate the extraction and enrichment of data from that potential attempt to aid in the identification process.

Email Remediation: Once you’ve positively identified a phishing attempt, it’s time to respond. These workflows provide various response options, including email deletion, blocking, and viewing any others who may have been targeted.

User Containment: If a threat has led to compromised user credentials, you want to disrupt the attacker and perform containment measures ASAP. These workflows facilitate that containment process to help prevent attackers from gaining further ground.

The Phishing Tackle Box is intended to address the main use cases within the phishing sphere, but if you have suggestions for new or existing workflows, let us know. Our ChatOps (e.g., Slack/Microsoft Teams stuff) workflows in particular have been a big ask lately, and we’re always open to more ideas surrounding those.

The tackle box workflows do vary in size and complexity, and we want to make sure they accomplish what you need them to in your environment. If you have any questions or need some help wrangling them, let us know here.


First of many Tackle Boxes to come! So excited for this!

Just a note that tripped me up when I was importing the “Post Phishing Alerts to Slack” workflow into my own environment:

For the Python 3 step to Combine and Remove Duplicates, you don’t actually need to use actual credentials. Additional authentication info is only needed if you need to import third-party Python libraries (not needed for this workflow)! However, the plugin does require that you use a credential, so you can create one, but just put in “[]” for the Third-Party Modules field and that should let you save it successfully.