SOAR Use Case: Alert Triage – Phishing Triage

Phishing is one of the most common attack techniques used by cyber criminals. It’s an easy way to either distribute malicious payloads or convince unsuspecting employees to link to external sites capable of distributing malware, and phishing attacks require minimal effort and skill to execute. A trained security analyst can easily identify most phishing attacks, but investigating each potential incidence is a time-consuming and largely manual process dependent, making it difficult to keep up with the high volume of potential phishing attacks.

Devo SOAR playbooks can automatically analyze emails to identify potential phishing attacks and triage alerts to rapidly detect true threats. Typically manual actions like extracting and submitting URLs and message headers to threat intelligence platforms and attachments to a sandbox technology for inspection can be fully automated. Each email can then be rapidly assigned an accurate risk score so that analysts can stay focused on investigating and remediating true positives.