Details
Content
Dependencies
Version History

Integration with Hoxhunt to manage Hoxhunt incidents

Hoxhunt Integration for Cortex XSOAR

The Hoxhunt Integration automates the ingestion and processing of phishing threats identified in Hoxhunt, enabling streamlined threat response workflows by bringing Hoxhunt-reported incidents into Cortex XSOAR for analysis, enrichment, and remediation.

Use Cases

Synchronize incident status between Hoxhunt and Cortex XSOAR for consistent lifecycle management.
Automatically ingest phishing incidents reported in Hoxhunt into Cortex XSOAR for analysis and response.
Add analytical notes to Hoxhunt incidents directly from Cortex XSOAR workflows.
Remove threats from Hoxhunt incidents.
Send SOC feedback to Hoxhunt when closing an incident in Cortex XSOAR.
Update incident sensitivity based on internal policies.

What does this pack do

Fetch Hoxhunt Incidents: Pulls phishing incidents from Hoxhunt into Cortex XSOAR for centralized management and response.
Synchronize Incident Data: Ensures up-to-date incident data in both Hoxhunt and Cortex XSOAR, maintaining lifecycle alignment between platforms.
Incident Enrichment: Adds detailed threat information to incidents, including screenshots, to support rapid analyst review of phishing evidence.
Add and Update Incident Notes: Allows analysts to add contextual notes and updates to Hoxhunt incidents from Cortex XSOAR, aiding collaborative investigation.
Remove Threats from Incidents: Enables the removal of threats linked to an incident, streamlining cleanup of false positives or low-priority threats.
Send SOC Feedback: Allows SOC teams to provide structured feedback to Hoxhunt, including custom messages, as part of incident resolution.
Set Incident Sensitivity and Classification: Sets incident sensitivity and classification directly from Cortex XSOAR, aligning with organizational policies.
Update Incident State: Manages incident state transitions, such as between "Open" and "Resolved," ensuring real-time status updates.

Prerequisites

Hoxhunt external API key: Ensure access to Hoxhunt with necessary permissions.
Acquirable from Hoxhunt admin panel https://admin.hoxhunt.com/account-settings/access-tokens

Main playbook: Hoxhunt - Enrich Incident

Run for incidents fetched from Hoxhunt into XSOAR

Enrich Incident's main function is to provide a visual reference for the first threat in the Hoxhunt incident, adding additional context to the incident within XSOAR. The screenshot can be used for further review or as part of an investigation report.

Summary of playbook features

Automated Screenshot: Takes a screenshot of the first threat URL.
Simple Workflow: Completes automatically with minimal manual intervention, enriching the incident with visual content.

Pack Contributors:

Harri Ruuttila
Sam U Chan

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Hoxhunt Integration for Cortex XSOAR

Use Cases

Synchronize incident status between Hoxhunt and Cortex XSOAR for consistent lifecycle management.
Automatically ingest phishing incidents reported in Hoxhunt into Cortex XSOAR for analysis and response.
Add analytical notes to Hoxhunt incidents directly from Cortex XSOAR workflows.
Remove threats from Hoxhunt incidents.
Send SOC feedback to Hoxhunt when closing an incident in Cortex XSOAR.
Update incident sensitivity based on internal policies.

What does this pack do

Fetch Hoxhunt Incidents: Pulls phishing incidents from Hoxhunt into Cortex XSOAR for centralized management and response.
Synchronize Incident Data: Ensures up-to-date incident data in both Hoxhunt and Cortex XSOAR, maintaining lifecycle alignment between platforms.
Incident Enrichment: Adds detailed threat information to incidents, including screenshots, to support rapid analyst review of phishing evidence.
Add and Update Incident Notes: Allows analysts to add contextual notes and updates to Hoxhunt incidents from Cortex XSOAR, aiding collaborative investigation.
Remove Threats from Incidents: Enables the removal of threats linked to an incident, streamlining cleanup of false positives or low-priority threats.
Send SOC Feedback: Allows SOC teams to provide structured feedback to Hoxhunt, including custom messages, as part of incident resolution.
Set Incident Sensitivity and Classification: Sets incident sensitivity and classification directly from Cortex XSOAR, aligning with organizational policies.
Update Incident State: Manages incident state transitions, such as between "Open" and "Resolved," ensuring real-time status updates.

Prerequisites

Hoxhunt external API key: Ensure access to Hoxhunt with necessary permissions.
Acquirable from Hoxhunt admin panel https://admin.hoxhunt.com/account-settings/access-tokens

Main playbook: Hoxhunt - Enrich Incident

Run for incidents fetched from Hoxhunt into XSOAR

Summary of playbook features

Automated Screenshot: Takes a screenshot of the first threat URL.
Simple Workflow: Completes automatically with minimal manual intervention, enriching the incident with visual content.

Pack Contributors:

Harri Ruuttila
Sam U Chan

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Hoxhunt-classifier	Classifies Hoxhunt incidents
Hoxhunt-mapper-outgoing
Hoxhunt-mapper-incoming

Incident Fields

Name	Description
Hox Notes	Notes written for the incident
Hox Send Feedback	Set to true if feedback should be sent to users when incident is resolved.
Hox Threat Indicators	Combined threat indicators from all of incident's threats
Hox FT Links	Links for the first threat in the incident
Hox FT Email To	Who the first threat in incident was sent to?
Hox User Actions	All user actions taken in incident's threats combined
Hox FT ID	First threat ID of the incident.
Hox Global Report Count	How many times the threat has been reported accross organisations
Hox FT Subject	Subject of the first threat in the incident
Hox FT Attachments	Attachments for the first threat in the incident
Hox VIP Report Count	How many reports came from VIP users?
Hox FT Email From	Sender of the first threat in incident
Hox URL	Raw URL for incident in Hoxhunt Response platform
Hox Has Sensitive Information	Has the incident been marked to contain sensitive information?
Hox ID	Unique incident identifier
Hox Phish Report Count	How many reports were marked as phishing?
Hox Report Count	How many threat reports does the incident contain?
Hox Incident Rule Actions	What incident rule actions have been taken for the incident?
Hox FT Body Link	URL to fetch the first threat body
Hox Reported At Limit	Date in the past for specifying which users to send feedback to based on when an incident-related threat was last reported. For example, if set to 7 days, only users who have reported emails related to the threat in the last 7 days are provided with feedback
Hox FT Message Id	Message Id of the first threat in the incident
Hox External Classification	Classification given for the incident by external SOC
Hox Inbox Report Count	How many people reported the threat from their inbox?
Hox Message To Users	An optional message to send to employees when closing an incident
Hox Likely Target Entity	Who does the incident target (organisation, individual or inconclusive).
Hox State	State of the incident (open, resolved)
Hox Last Reported At	What was the latest report date for the incident
Hox FT Maliciousness Probability	Maliciousness probability for first threat in incident given by Hoxhunt ML model
Hox Internal Classification	Classification given for the incident by Hoxhunt
Hox FT Internal Classification	Classification given for the first threat in incident by Hoxhunt
Hox First Reported At	What was the first report date for the incident

Incident Types

Name	Description
Hoxhunt Campaign
Hoxhunt User Acted
Hoxhunt BEC

Integrations

Name	Description
Hoxhunt (Deprecated) (Partner Contribution)	Deprecated. Use Hoxhunt V2 instead.
Hoxhunt v2 (Partner Contribution)	Use the Hoxhunt integration to send feedback to reporters of incidents, set incident sensitivity, and apply SOC classification to incidents.

Layouts

Name	Description
Hoxhunt Layout

Playbooks

Name	Description
Hoxhunt - Enrich Incident	Enriches the incidents pulled from Hoxhunt with additional information.

Classifiers

Name	Description
Hoxhunt-classifier	Classifies Hoxhunt incidents
Hoxhunt-mapper-outgoing
Hoxhunt-mapper-incoming

Incident Fields

Name	Description
Hox ID	Unique incident identifier
Hox Has Sensitive Information	Has the incident been marked to contain sensitive information?
Hox Internal Classification	Classification given for the incident by Hoxhunt
Hox FT Links	Links for the first threat in the incident
Hox FT Message Id	Message Id of the first threat in the incident
Hox FT Attachments	Attachments for the first threat in the incident
Hox Reported At Limit	Date in the past for specifying which users to send feedback to based on when an incident-related threat was last reported. For example, if set to 7 days, only users who have reported emails related to the threat in the last 7 days are provided with feedback
Hox Message To Users	An optional message to send to employees when closing an incident
Hox FT Maliciousness Probability	Maliciousness probability for first threat in incident given by Hoxhunt ML model
Hox Report Count	How many threat reports does the incident contain?
Hox Threat Indicators	Combined threat indicators from all of incident's threats
Hox Last Reported At	What was the latest report date for the incident
Hox VIP Report Count	How many reports came from VIP users?
Hox Phish Report Count	How many reports were marked as phishing?
Hox External Classification	Classification given for the incident by external SOC
Hox FT ID	First threat ID of the incident.
Hox User Actions	All user actions taken in incident's threats combined
Hox Global Report Count	How many times the threat has been reported accross organisations
Hox Inbox Report Count	How many people reported the threat from their inbox?
Hox FT Email To	Who the first threat in incident was sent to?
Hox Notes	Notes written for the incident
Hox URL	Raw URL for incident in Hoxhunt Response platform
Hox Likely Target Entity	Who does the incident target (organisation, individual or inconclusive).
Hox FT Body Link	URL to fetch the first threat body
Hox FT Email From	Sender of the first threat in incident
Hox State	State of the incident (open, resolved)
Hox FT Internal Classification	Classification given for the first threat in incident by Hoxhunt
Hox FT Subject	Subject of the first threat in the incident
Hox Send Feedback	Set to true if feedback should be sent to users when incident is resolved.
Hox Incident Rule Actions	What incident rule actions have been taken for the incident?
Hox First Reported At	What was the first report date for the incident

Incident Types

Name	Description
Hoxhunt Campaign
Hoxhunt User Acted
Hoxhunt BEC

Integrations

Name	Description
Hoxhunt v2 (Partner Contribution)	Use the Hoxhunt integration to send feedback to reporters of incidents, set incident sensitivity, and apply SOC classification to incidents.
Hoxhunt (Deprecated) (Partner Contribution)	Deprecated. Use Hoxhunt V2 instead.

Layouts

Name	Description
Hoxhunt Layout

Playbooks

Name	Description
Hoxhunt - Enrich Incident	Enriches the incidents pulled from Hoxhunt with additional information.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
PAN-OS by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

2.0.0 - 1834150 (December 18, 2024)

Classifiers

New: Hoxhunt-classifier

New: Classifies Hoxhunt incidents

Incident Fields

New: Hox FT Email To
New: Display incident's first threat's email address
New: Hox User Actions
New: Display user actions taken in any threat of the Hoxhunt incident
New: Hox FT ID
New: Display incident's first threat's email address
New: Hox ID
New: Display incident's Hoxhunt id
New: Hox Has Sensitive Information
New: Display if incident has sensitive information
New: Hox FT Body Link
New: Display incident's first threat's body resource url
New: Hox Global Report Count
New: Display global Hoxhunt report count%
New: Hox Message To Users
New: Display an optional message to send to employees when closing an incident
New: Hox Internal Classification
New: Display classification given for the incident by Hoxhunt
New: Hox FT Maliciousness Probability
New: Display malicious probability for incident's first threat
New: Hox Incident Rule Actions
New: Display what incident rule actions have been taken for the incident
New: Hox Likely Target Entity
New: Display who does the incident target (organisation, individual or inconclusive).
New: Hox FT Message Id
New: Display message id of the first threat in the incident
New: Hox Reported At Limit
New: Display date in the past for specifying which users to send feedback to based on when an incident-related threat was last reported. For example, if set to 7 days, only users who have reported emails related to the threat in the last 7 days are provided with feedback
New: Hox Report Count
New: Display How many threat reports does the incident contain?
New: Hox External Classification
New: Display classification given for the incident by external SOC"
New: Hox FT Links
New: Display links for the first threat in the incident
New: Hox Notes
New: Display notes written for the incident"
New: Hox FT Internal Classification
New: Display classification given for the first threat in incident by Hoxhunt
New: Hox First Reported At
New: Display what was the first report date for the incident
New: Hox Phish Report Count
New: Display how many reports were marked as phishing?
New: Hox State
New: Display state of the incident (open, resolved)
New: Hox FT Email From
New: Display sender of the first threat in incident
New: Hox Threat Indicators
New: Display if feedback should be sent to users when incident is resolved.
New: Display combined threat indicators from all of incident's threats
New: Hox FT Attachments
New: Display attachments for the first threat in the incident
New: Hox VIP Report Count
New: Display how many reports came from VIP users?
New: Hox URL
New: Raw URL for incident in Hoxhunt Response platform
New: Hox FT Subject
New: Display subject of the first threat in the incident
New: Hox Last Reported At
New: Display what was the latest report date for the incident
New: Hox Inbox Report Count
New: Display how many people reported the threat from their inbox
New: Hox Send Feedback
New: Display if feedback should be sent to users when incident is resolved.

Incident Types

New: Hoxhunt Campaign
New: Campaign incident type from Hoxhunt
New: Hoxhunt BEC
New: BEC incident type from Hoxhunt
New: Hoxhunt User Acted
New: User Acted incident type from Hoxhunt

Integrations

Hoxhunt (Deprecated)

Deprecated. Use Hoxhunt v2 instead.

New: Hoxhunt v2

New: Use the Hoxhunt integration to send feedback to reporters of incidents, set incident sensitivity, and apply SOC classification to incidents.

Layouts

New: Hoxhunt Layout
New: Updated layout

Mappers

New: Hoxhunt-mapper-incoming

New: Introduced incident mirroring capabilities between Cortex XSOAR and Hoxhunt. This allows for bi-directional synchronization of incident states and updates.

New: Hoxhunt-mapper-outgoing

New: Introduced incident mirroring capabilities between Cortex XSOAR and Hoxhunt. This allows for bi-directional synchronization of incident states and updates.

Playbooks

New: Hoxhunt - Enrich Incident

New: Enriches the incidents pulled from Hoxhunt with additional information.

Related pull requests:
- 37717
- 37019

Download

1.0.1 - 1809308 (December 15, 2024)

Integrations

Hoxhunt

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37567
- 37564
- 37565

Download

1.0.0 - 1741355 (August 27, 2024)

Integration with Hoxhunt to manage Hoxhunt incidents

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	August 27, 2024
Last Release	December 18, 2024

Incident Response

Phishing

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.