1. The Phishing provider ingested an alert into Siemplify regarding a suspicious phishing email. The email was marked as suspicious by the Phishing provider for the following reasons:
  • The email was sent by an external sender (notification@admin-server145.ml)
  • The email was received by the monitored mailbox of the CFO (finance@mycompany.com)
  • The email contain file attachment with file hash in sha256 (46930ec6d7ddf5fc7dc7e08fe5ec4bf6)
  • Siemplify Playbook sends external alert entities (sender address, file hash) to ThreatFuse for evaluation. The action returned the following results:
  • notification@admin-server145.ml – marked as malicious
  • 46930ec6d7ddf5fc7dc7e08fe5ec4bf6 – marked as malicious

  1. ThreatFuse identified that those malicious entities are associated with a malware campaign “Email Campaign – Dangerous Word Document Malware Associated with Trickbot C&C”.

  1. The Playbook creates a “Campaign” entity, marks it as malicious, and adds to the Case.

  1. Siemplify automation finds 6 similar cases and tags them with the name of the malware campaign. The case is escalated and the case stage is changed to “Investigation”. A Tier 2 Analyst can proceed with an investigation
  2. Investigation starts with querying ThreatFuse for URLs and hashes related to malicious entities. Related entities were successfully retrieved.
  3. Automation queries SIEM in order to find hosts that have interacted with malicious HASHes and URLs.
    The query returned the following result:
    Following hosts interacted with malicious entities: DESKTOP-8P0TH6Q,LP-Yair,HW-HOST-027.

  1. Siemplify automation creates entities for affected internal hosts and adds them to the case.
    An analyst can now proceed with the response process

Need more help with this?
Click here to open a Support ticket

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.