SlashNext Phishing Incident Response

Details
Content
Dependencies
Version History

This community edition of SlashNext Phishing Incident Response is intended for organization to try the world’s largest, real-time phishing intelligence database for accurate, definitive binary verdicts on suspicious URLs and download phishing forensics including webpage screenshots, HTML and text. This edition is for organizations that need a direct annual subscription to SlashNext Phishing Incident Response, the world’s largest, real-time phishing intelligence database for accurate, definitive binary verdicts on suspicious URLs and download phishing forensics including webpage screenshots, HTML and text. For more information go to: https://www.slashnext.com/technology-partners/cortex-xsoar/

Automate phishing incident response and threat hunting with SlashNext’s on-demand URL analysis and enrichment. SlashNext Incident Response provides a scalable, cloud-based analysis engine purpose-built for analyzing suspicious URLs for phishing and social engineering attacks. Patented SEER™ threat detection engine uses virtual browsers and machine learning to dynamically analyze webpage contents (images, text etc.) and server behavior. Mature machine learning algorithms enable definitive, binary verdicts (not threat scores) with >99.07% precision.

Benefits

Fully Automate URL Analysis: Enables full automated analysis of suspected phishing URLs by extracting and scanning URLs or hosts from suspicious emails or logs automatically
Improve Productivity: Eliminate countless hours of analysis and further research on inconclusive results with suspicious URLs for improved performance of incident response and threat hunting
Rapid Detection: High-precision phishing URL analysis and enrichment enables rapid detection of genuine threats, with near zero false positives
Remediate Sites and Takedown Threat Sources: Rich forensic data including screenshots, threat status, URLs, HTML and text downloads enable users to carefully plan a strategy to remediate sites or takedown threat sources
Comprehensive Threat Coverage: Detect all major types of phishing and social engineering threats with rich forensics data for additional analysis and reporting
Overcome Evasion Tactics: SlashNext SEER™ technology conducts run-time analysis with virtual browsers to overcome evasion techniques to detect unknown threats, including those hosted on compromised websites and legitimate hosting infrastructure

SlashNext Advantage

SlashNext leads the industry with the greatest speed at internet scale, fast and highly scalable cloud-based sync API, developed on top of big data architecture.

Highly Accurate, Zero-hour Detection: 3x greater accuracy vs. the top security vendors with 99.07% detection rate and 1 in 1M FP rate. SEER™ technology detects zero-hour threats missed by URL inspection and domain reputation technologies by following all re-directs and multi-stage attacks to the final destination for detection on compromised websites and legitimate hosting infrastructure
Smart and Predictive: Overcome evasive tactics such as URL redirection, CAPTCHA and inspection blocking based on IP, to detect phishing webpages missed by other security solutions
Fast and Highly Scalable: SlashNext Incident response operates at cloud scale, using millions of virtual browsers to analyze millions of suspicious URLs on demand, with millisecond response time
Comprehensive Coverage: Total phishing detection for corporate credential theft, social engineering, Scareware and Rogue software webpages
Robust List of API Commands: Customize playbooks and take advantage of the full capabilities of SlashNext Incident Response technology
Fast and Highly Scalable: SlashNext Incident response operates at cloud scale, using millions of virtual browsers to analyze millions of suspicious URLs on demand, with millisecond response time
Smart and Predictive: Overcome evasive tactics such as URL redirection, CAPTCHA and inspection blocking based on IP, to detect phishing webpages missed by other security solutions
Playbooks for automating abuse inbox management and online brand protection

SlashNext Platform Architecture

Architecture

Package Includes

URL Intelligence and Forensics
Incident Response and Threat Hunting
Online Brand Reputation

Playbooks

Phishing IR Playbook for Abuse Inbox Management: Fully automates the investigation and response to suspicious emails reported by internal employees and external customers to your organization’s abuse inbox. Accurate binary verdict (not a threat score) eliminates countless hours of analysis and further research on inconclusive results for improved performance of incident response
Online Brand Protection Detect and Respond Playbook: Fully automates the process of reviewing the emails sent by customers and the public to online brand abuse inboxes. It detects brand impersonators and malicious URLs using deep inspection of website content and packages everything required to request a take-down (IOCs, forensics, and screenshots) into an email sent to the abuse department to simply forward to the domain registrar

Useful Links

Benefits

Fully Automate URL Analysis: Enables full automated analysis of suspected phishing URLs by extracting and scanning URLs or hosts from suspicious emails or logs automatically
Improve Productivity: Eliminate countless hours of analysis and further research on inconclusive results with suspicious URLs for improved performance of incident response and threat hunting
Rapid Detection: High-precision phishing URL analysis and enrichment enables rapid detection of genuine threats, with near zero false positives
Remediate Sites and Takedown Threat Sources: Rich forensic data including screenshots, threat status, URLs, HTML and text downloads enable users to carefully plan a strategy to remediate sites or takedown threat sources
Comprehensive Threat Coverage: Detect all major types of phishing and social engineering threats with rich forensics data for additional analysis and reporting
Overcome Evasion Tactics: SlashNext SEER™ technology conducts run-time analysis with virtual browsers to overcome evasion techniques to detect unknown threats, including those hosted on compromised websites and legitimate hosting infrastructure

SlashNext Advantage

SlashNext leads the industry with the greatest speed at internet scale, fast and highly scalable cloud-based sync API, developed on top of big data architecture.

Highly Accurate, Zero-hour Detection: 3x greater accuracy vs. the top security vendors with 99.07% detection rate and 1 in 1M FP rate. SEER™ technology detects zero-hour threats missed by URL inspection and domain reputation technologies by following all re-directs and multi-stage attacks to the final destination for detection on compromised websites and legitimate hosting infrastructure
Smart and Predictive: Overcome evasive tactics such as URL redirection, CAPTCHA and inspection blocking based on IP, to detect phishing webpages missed by other security solutions
Fast and Highly Scalable: SlashNext Incident response operates at cloud scale, using millions of virtual browsers to analyze millions of suspicious URLs on demand, with millisecond response time
Comprehensive Coverage: Total phishing detection for corporate credential theft, social engineering, Scareware and Rogue software webpages
Robust List of API Commands: Customize playbooks and take advantage of the full capabilities of SlashNext Incident Response technology
Fast and Highly Scalable: SlashNext Incident response operates at cloud scale, using millions of virtual browsers to analyze millions of suspicious URLs on demand, with millisecond response time
Smart and Predictive: Overcome evasive tactics such as URL redirection, CAPTCHA and inspection blocking based on IP, to detect phishing webpages missed by other security solutions
Playbooks for automating abuse inbox management and online brand protection

SlashNext Platform Architecture

Architecture

Package Includes

URL Intelligence and Forensics
Incident Response and Threat Hunting
Online Brand Reputation

Playbooks

Phishing IR Playbook for Abuse Inbox Management: Fully automates the investigation and response to suspicious emails reported by internal employees and external customers to your organization’s abuse inbox. Accurate binary verdict (not a threat score) eliminates countless hours of analysis and further research on inconclusive results for improved performance of incident response
Online Brand Protection Detect and Respond Playbook: Fully automates the process of reviewing the emails sent by customers and the public to online brand abuse inboxes. It detects brand impersonators and malicious URLs using deep inspection of website content and packages everything required to request a take-down (IOCs, forensics, and screenshots) into an email sent to the abuse department to simply forward to the domain registrar

Useful Links

Automations

Name	Description
BrandImpersonationDetection	Analyzes the forensic data to detect brand impersonation attacks. This script uses the HMRC brand as an example, please modify the attributes associated with your company’s brand.

Integrations

Name	Description
SlashNext Phishing Incident Response (Partner Contribution)	SlashNext Phishing Incident Response integration allows Cortex XSOAR users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services.

Name

Description

SlashNext Phishing Incident Response (Partner Contribution)

SlashNext Phishing Incident Response integration allows Cortex XSOAR users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services.

Playbooks

Name	Description
Abuse Inbox Management Detect & Respond	When combined with ‘SlashNext Abuse Management Protection’, this playbook fully automates the identification and remediation of phishing emails found in Microsoft 365 user inboxes. Using the indicators of compromise, URL, domain, and IP, found in the original email, it searches and remediates other emails containing the same IOCs.
Online Brand Protection Detect and Respond	Analyzes the domains and URLs in suspicious emails, reported by end users, to determine if the phishing campaign is impersonating your company’s brand. Playbook can then trigger a domain take down email, with forensic evidence, to a target address.
Abuse Inbox Management Protection	Analyzes the URLs, domains, and IPs in suspicious emails, reported by end users, and returns a binary verdict (malicious or benign) and forensic information including screenshot of attack page, threat name and type, threat status, and first/last seen date

Automations

Name	Description
BrandImpersonationDetection	Analyzes the forensic data to detect brand impersonation attacks. This script uses the HMRC brand as an example, please modify the attributes associated with your company’s brand.

Integrations

Name	Description
SlashNext Phishing Incident Response (Partner Contribution)	SlashNext Phishing Incident Response integration allows Cortex XSIAM users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services.

Name

Description

SlashNext Phishing Incident Response (Partner Contribution)

SlashNext Phishing Incident Response integration allows Cortex XSIAM users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services.

Playbooks

Name	Description
Abuse Inbox Management Protection	Analyzes the URLs, domains, and IPs in suspicious emails, reported by end users, and returns a binary verdict (malicious or benign) and forensic information including screenshot of attack page, threat name and type, threat status, and first/last seen date
Online Brand Protection Detect and Respond	Analyzes the domains and URLs in suspicious emails, reported by end users, to determine if the phishing campaign is impersonating your company’s brand. Playbook can then trigger a domain take down email, with forensic evidence, to a target address.
Abuse Inbox Management Detect & Respond	When combined with ‘SlashNext Abuse Management Protection’, this playbook fully automates the identification and remediation of phishing emails found in Microsoft 365 user inboxes. Using the indicators of compromise, URL, domain, and IP, found in the original email, it searches and remediates other emails containing the same IOCs.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
JsonWhoIs	By: Cortex XSOAR
Microsoft Exchange On-Premise	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (11)

Pack Name	Pack By
Microsoft Exchange On-Premise	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
JsonWhoIs	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Microsoft Exchange Online	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

1.3.9 - R1282807 (August 18, 2024)

Integrations

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 35045

Download

1.3.8 - 1061293 (June 2, 2024)

Scripts

BrandImpersonationDetection

Updated the Docker image to: demisto/python3:3.10.14.95956.

Related pull requests:
- 34631
- 34076
- 34074
- 34075
- 34071
- 34072
- 34073

Download

1.3.7 - 1000160 (May 7, 2024)

Integrations

SlashNext Phishing Incident Response

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 33388

Download

1.3.6 - R995825 (May 5, 2024)

Integrations

SlashNext Phishing Incident Response

Documentation and metadata improvements.

Related pull requests:
- 28838

Download

1.3.5 - 5976562 (August 7, 2023)

Integrations

SlashNext Phishing Incident Response

Documentation and metadata improvements.

Related pull requests:
- 28700

Download

1.3.4 - R5866730 (July 25, 2023)

Scripts

BrandImpersonationDetection

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28182

Download

1.3.3 - R5692327 (July 5, 2023)

Integrations

SlashNext Phishing Incident Response

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27848

Download

1.3.2 - R5540680 (June 15, 2023)

Integrations

SlashNext Phishing Incident Response

Added support for the integrationReliability, feedExpirationPolicy and feedExpirationInterval integration parameters.
Updated the Docker image to: demisto/python3:3.10.5.31928.

Related pull requests:
- 20407

Download

1.3.1 - R2146019 (December 21, 2021)

Integrations

SlashNext Phishing Incident Response

Updated the Docker image to: demisto/python3:3.9.8.24399.

Download

1.3.0 - 1859014 (October 28, 2021)

Integrations

SlashNext Phishing Incident Response

Added new commands url and slashnext-url-reputation for checking the url reputation from SlashNext cloud.

Playbooks

Abuse Inbox Management Protection

Updated the URL enrichment path to mtach with host enrichment path and updated the tags accordingly.

Download

1.2.4 - 7772209 (September 25, 2021)

Scripts

BrandImpersonationDetection

Updated the Docker image to: demisto/python3:3.9.7.24076.

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	September 23, 2020
Last Release	August 18, 2024

Phishing

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.