-
Notifications
You must be signed in to change notification settings - Fork 15
/
Email_Headers_Check_-_Generic.yml
449 lines (443 loc) · 11.6 KB
/
Email_Headers_Check_-_Generic.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
id: Email Headers Check - Generic
version: 1
contentitemexportablefields:
contentitemfields:
packID: CommonPlaybooks
packName: Common Playbooks
itemVersion: 2.2.1
fromServerVersion: 6.0.0
toServerVersion: ""
definitionid: ""
vcShouldKeepItemLegacyProdMachine: false
name: Email Headers Check - Generic
description: |-
This playbook executes one sub-playbook and one automation to check the email headers:
- **Process Microsoft's Anti-Spam Headers** - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score).
- **CheckEmailAuthenticity** - This automation checks email authenticity based on its SPF, DMARC, and DKIM.
starttaskid: "0"
tasks:
"0":
id: "0"
taskid: 8a051d0a-d5f5-4124-8880-075daac9dba2
type: start
task:
id: 8a051d0a-d5f5-4124-8880-075daac9dba2
version: -1
name: ""
iscommand: false
brand: ""
nexttasks:
'#none#':
- "2"
- "5"
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 450,
"y": 50
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"1":
id: "1"
taskid: 092d94ca-e418-4245-88d5-a1f35d256a5e
type: condition
task:
id: 092d94ca-e418-4245-88d5-a1f35d256a5e
version: -1
name: Should the email be authenticated?
description: Whether the email should be authenticated using DKIM, SPF and DMARC.
This checks whether "AuthenticateEmail" output is set to "True" and whether
there are headers from an email to authenticate.
type: condition
iscommand: false
brand: ""
nexttasks:
'#default#':
- "8"
"yes":
- "3"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isEqualString
left:
value:
simple: inputs.AuthenticateEmail
iscontext: true
right:
value:
simple: "True"
ignorecase: true
- - operator: isExists
left:
value:
complex:
root: Email
accessor: HeadersMap
iscontext: true
continueonerrortype: ""
view: |-
{
"position": {
"x": 210,
"y": 410
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"2":
id: "2"
taskid: bfdfc6d8-8402-4e48-8cec-697ff2279d0c
type: title
task:
id: bfdfc6d8-8402-4e48-8cec-697ff2279d0c
version: -1
name: Email Authenticity Check
type: title
iscommand: false
brand: ""
nexttasks:
'#none#':
- "1"
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 210,
"y": 250
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"3":
id: "3"
taskid: 09550a3e-968f-410f-8da9-a42da68c2bb7
type: regular
task:
id: 09550a3e-968f-410f-8da9-a42da68c2bb7
version: -1
name: Authenticate email
description: Checks the authenticity of an email based on the email's SPF, DMARC,
and DKIM.
scriptName: CheckEmailAuthenticity
type: regular
iscommand: false
brand: ""
nexttasks:
'#none#':
- "4"
scriptarguments:
headers:
complex:
root: Email
accessor: Headers
transformers:
- operator: uniq
reputationcalc: 1
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 210,
"y": 660
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"4":
id: "4"
taskid: f79d35d3-f80d-4fe2-86d6-dc0c8fa63815
type: regular
task:
id: f79d35d3-f80d-4fe2-86d6-dc0c8fa63815
version: -1
name: Save authenticity check result to incident field
description: Save the verdict regarding the authenticity of the email in an
incident field.
script: Builtin|||setIncident
type: regular
iscommand: true
brand: Builtin
nexttasks:
'#none#':
- "8"
scriptarguments:
emailauthenticitycheck:
complex:
root: Email
accessor: AuthenticityCheck
transformers:
- operator: replace
args:
limit: {}
replaceWith:
value:
simple: Undetermined
toReplace:
value:
simple: undetermined
- operator: replace
args:
limit: {}
replaceWith:
value:
simple: Pass
toReplace:
value:
simple: pass
- operator: replace
args:
limit: {}
replaceWith:
value:
simple: Fail
toReplace:
value:
simple: fail
- operator: replace
args:
limit: {}
replaceWith:
value:
simple: Suspicious
toReplace:
value:
simple: suspicious
reputationcalc: 1
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 210,
"y": 845
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"5":
id: "5"
taskid: 58182459-633c-410d-864e-3109d4a89a04
type: title
task:
id: 58182459-633c-410d-864e-3109d4a89a04
version: -1
name: Microsoft's Headers Check
type: title
iscommand: false
brand: ""
nexttasks:
'#none#':
- "6"
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 692.5,
"y": 250
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"6":
id: "6"
taskid: 9a63beaa-ee45-413f-8709-b6ea855a0a1a
type: condition
task:
id: 9a63beaa-ee45-413f-8709-b6ea855a0a1a
version: -1
name: Check Microsoft's Headers?
description: Whether to check for Microsoft headers
type: condition
iscommand: false
brand: ""
nexttasks:
'#default#':
- "8"
"yes":
- "7"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isEqualString
left:
value:
simple: inputs.CheckMicrosoftHeaders
iscontext: true
right:
value:
simple: "True"
continueonerrortype: ""
view: |-
{
"position": {
"x": 692.5,
"y": 410
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"7":
id: "7"
taskid: 6b3d9368-e148-4eb1-828b-347102b51815
type: playbook
task:
id: 6b3d9368-e148-4eb1-828b-347102b51815
version: -1
name: Process Microsoft's Anti-Spam Headers
description: |-
This playbook stores the SCL, BCL and PCL scores (if they exist) to the associated incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score).
It also does the following:
1) Sets the email classification to "spam" if the "SCL" score is equal or higher than 5.
2) Sets the incident severity according to the playbook inputs (default is: PCL/BCL - Medium, SCL - Low). The severity of the incident is set only when one (or more) of the following occurs:
- PCL (Phishing Confidence Level) score is between and including 4-8: The message content is likely to be phishing.
- BCL (Bulk complaint level) score is between and including 4-7: The message is from a bulk sender that generates a mixed number of complaints. Between and including 8-9: The message is from a bulk sender that generates a high number of complaints.
- SCL (Spam confidence level) score is between and including 5-6: Spam filtering marked the message as Spam. 9: Spam filtering marked the message as High confidence spam)
For more information on SCL/BCL/PCL, see the following Microsoft documentation:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values?view=o365-worldwide
https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps?view=exchserver-2019
playbookName: Process Microsoft's Anti-Spam Headers
type: playbook
iscommand: false
brand: ""
nexttasks:
'#none#':
- "8"
scriptarguments:
BCL-Severity:
simple: "2"
PCL-Severity:
simple: "2"
SCL-Severity:
simple: "1"
separatecontext: true
continueonerrortype: ""
view: |-
{
"position": {
"x": 692.5,
"y": 845
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: true
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"8":
id: "8"
taskid: 12fb0802-bbe5-44be-8c53-2aa07ccf9dc6
type: title
task:
id: 12fb0802-bbe5-44be-8c53-2aa07ccf9dc6
version: -1
name: Done
type: title
iscommand: false
brand: ""
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 450,
"y": 1040
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
system: true
view: |-
{
"linkLabelsPosition": {
"1_3_yes": 0.48,
"1_8_#default#": 0.33,
"6_7_yes": 0.58,
"6_8_#default#": 0.32
},
"paper": {
"dimensions": {
"height": 1055,
"width": 862.5,
"x": 210,
"y": 50
}
}
}
inputs:
- key: AuthenticateEmail
value:
simple: "False"
required: false
description: Whether the authenticity of the email should be verified using SPF,
DKIM and DMARC.
playbookInputQuery: null
- key: CheckMicrosoftHeaders
value:
simple: "False"
required: false
description: Whether to Check Microsoft headers for BCL/PCL/SCL scores and set the
"Severity" and "Email Classification" accordingly.
playbookInputQuery: null
outputs:
- contextPath: Email.AuthenticityCheck
description: 'Possible values are: Fail / Suspicious / Undetermined / Pass'
type: Unknown
- contextPath: Email.MicrosoftHeadersSeverityCheck
description: |
Possible Values:
Medium: PCL or BCL scores are equal to or greater than 4.
High: BCL score is equal to or greater than 8.
type: unknown