
AI-Analyzed User-Reported Phishing Email to XDR Detection
Details
Automates analysis of user-reported phishing emails by monitoring a mailbox, enriching email data, and generating an XDR detection with analyst guidance. ⚠️ This workflow uses AI; test it thoroughly before using it in production!
Description
Prerequisites
Before installing this workflow, ensure the following targets are available:
- Email Target
  - Microsoft O365 email target is supported
  - Used to monitor a dedicated mailbox for user-reported emails
- OpenAI Target
  - OpenAI or Azure OpenAI target
  - Used to generate analyst-ready detection descriptions
- Optional Notification Targets
  - Email address for SOC notifications
  - Webex space (optional)
Installation Steps
- Add an Email Target
  - Configure an O365 Email Target with access to a dedicated mailbox.
  - This mailbox will be used for phishing submissions only; do not reuse a shared mailbox that receives other traffic.
- Install the Workflow
  - During installation, select Automate it when prompted.
  - Create an email automation rule that monitors the mailbox for new messages, using the Email Target created earlier.
- Configure Automation Rule
  - The rule triggers the workflow each time a new email arrives in the monitored mailbox.
  - No additional filtering is required.
- Add an OpenAI Target
  - Configure an OpenAI or Azure OpenAI target. The workflow is currently set to use GPT-4o; make sure this model is available for the target.
  - Ensure the target is accessible to this workflow for AI-based analysis.
- Set Input Variables
  - SOC Notification Email: Email address to receive detection notifications.
  - Webex Space ID (optional): Space to receive notifications.
Usage
- End users report suspicious emails by forwarding them as an attachment to the monitored mailbox, so the original headers (sender, Received chain, Message-ID) are preserved.
- The workflow automatically analyzes the email and creates an XDR detection.
- If an email is forwarded inline rather than as an attachment, the workflow replies to the reporter with instructions to resend it as an attachment.
- SOC analysts review the generated detection and take appropriate action.
Notes
- This workflow assumes detections are created only when suspicious or malicious observables are present.
- Webex notifications are optional; email notifications are recommended for initial deployments.
- ⚠️ This workflow uses AI; test it thoroughly before using it in production!
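The Usage and Notes sections above describe two checks the workflow makes on each message in the monitored mailbox: whether the user attached the original as a message/rfc822 part (otherwise reply with instructions), and whether the attached original carries any observables worth a detection. The following is an added example of that triage logic in Python's standard `email` library; it is not the workflow's own code, and the mailbox address, sender, URL and attachment in it are constructed sample data. The gate "URLs or file attachments present" stands in for the workflow's suspicious/malicious-observable check, and the AI description step and the XDR detection call are left out because the page does not show their API.

```python
"""Triage of a user-reported phishing email (added example, not the workflow's code)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed sample values; none of these addresses or hosts are real.
REPORT_MAILBOX = "phish-reports@example.com"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def make_sample_phish() -> EmailMessage:
    """Constructed phishing message that a user would report."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.invalid>"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Your password expires today"
    msg.set_content("Reset it now: http://sso-example.invalid/reset?u=alice")
    msg.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="reset-tool.exe")
    return msg


def make_report(original: EmailMessage, as_attachment: bool) -> bytes:
    """Constructed user report: correct (message/rfc822 attachment) or inline forward."""
    report = EmailMessage()
    report["From"] = "alice@example.com"
    report["To"] = REPORT_MAILBOX
    report["Subject"] = "FW: " + original["Subject"]
    if as_attachment:
        report.set_content("Reporting this suspicious email.")
        report.add_attachment(original)  # serialized as a message/rfc822 part
    else:
        # Inline forward: the original headers are lost, only quoted text remains.
        report.set_content("FYI\n\n" + original.get_body(("plain",)).get_content())
    return report.as_bytes()


def extract_reported_message(raw: bytes) -> Optional[EmailMessage]:
    """Return the attached original message, or None if the user forwarded inline."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()  # the embedded EmailMessage
    return None


def extract_observables(inner: EmailMessage) -> dict:
    """Pull the observables an analyst (or the AI summary step) would want."""
    sender = parseaddr(inner.get("From", ""))[1].lower()
    obs = {
        "sender": sender,
        "sender_domain": sender.rsplit("@", 1)[-1] if "@" in sender else "",
        "subject": str(inner.get("Subject", "")),
        "urls": [],
        "attachments": [],
    }
    body = inner.get_body(preferencelist=("plain", "html"))
    if body is not None:
        obs["urls"] = sorted(set(URL_RE.findall(body.get_content())))
    for part in inner.iter_attachments():
        data = part.get_payload(decode=True) or b""
        obs["attachments"].append({
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return obs


def triage(raw: bytes) -> dict:
    """Decide what the workflow should do with one message from the monitored mailbox."""
    inner = extract_reported_message(raw)
    if inner is None:
        return {"action": "reply_with_instructions",
                "message": "Please forward the suspicious email as an attachment, "
                           "not inline, so its original headers are preserved."}
    obs = extract_observables(inner)
    # Mirror the workflow's rule: only raise a detection when there is something to act on.
    # (Simplified gate: any URL or file attachment counts as an observable.)
    if not obs["urls"] and not obs["attachments"]:
        return {"action": "no_detection", "observables": obs}
    return {"action": "create_detection", "observables": obs}


if __name__ == "__main__":
    phish = make_sample_phish()
    print(triage(make_report(phish, as_attachment=True)))
    print(triage(make_report(phish, as_attachment=False)))
```

Running the block prints a `create_detection` result with the sender domain, the reset URL and the SHA-256 of the attached file for the correctly attached report, and a `reply_with_instructions` result for the inline forward. Hashing the attachment bytes rather than trusting the filename is deliberate: the hash is what you pivot on in XDR, while the name is attacker-controlled.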
Required targets
This workflow requires the following targets to be available before it can be run.
Integration targets
- Cisco XDR
- Webex
Custom targets
- Microsoft O365 Email Target
- OpenAI (GPT-4o) Target
About
Author
Christopher van der Made
Version
v1.0
Authorship
Community
Related workflows
- Community: This scheduled workflow executes a search query in Cisco Secure Malware Analytics for new private samples that were submitted and convicted as malicious.
- Community: When triggered, this workflow reviews the Secure Endpoint machines for installed antivirus (AV) applications in Orbital and sends a Webex alert on any new non-approved AV app.
- Community: When triggered, this workflow reviews the Secure Endpoint machines for local admin users in Orbital and sends a Webex alert on any new non-approved admin user.
- Community: This workflow runs a (scheduled) "Cisco XDR Integration Module Healthcheck" and posts a message to Webex if the healthcheck fails.
- Cisco Managed: This workflow works with an incident automation rule or playbook to create a Webex room when incidents are created in Cisco XDR.
- Cisco Managed: This workflow works with an incident automation rule to send Webex messages when a new incident is created in Cisco XDR.