
Automating Email Triage in Splunk SOAR

Overview

In today's cybersecurity landscape, phishing remains one of the most prevalent and damaging attack vectors. Automated responses to phishing threats can help streamline the detection, analysis, and mitigation of these threats. One powerful tool for this purpose is the RL - Email Triage Playbook, designed for Splunk SOAR (Security Orchestration, Automation, and Response). This playbook automates the process of retrieving and analyzing potential phishing emails reported by end users and submitting them for malware analysis via ReversingLabs Spectra Analyze.

In this blog post, we'll walk you through setting up and using this playbook to bolster your organization’s phishing defenses.

Playbook Overview

The ReversingLabs - Reported Email Triage is a Splunk SOAR playbook built to streamline the investigation and response process for suspicious emails reported by end users. It automates the following actions:

  • Retrieving reported phishing emails from a dedicated Exchange Online mailbox.
  • Submitting email attachments (i.e., the original reported email) to a ReversingLabs Spectra Analyze appliance for malware detonation and analysis.
  • Returning detailed threat insights based on the analysis results.

By leveraging Microsoft Graph API and ReversingLabs Spectra Analyze, this playbook reduces the manual effort required by your SOC team and speeds up the threat detection process.

Setting Up The Playbook

Step 1: Import the Playbook

First, import the RL - Email Triage Playbook into your Splunk SOAR instance. This can be done via the playbook management interface. Once imported, ensure all actions are mapped to the appropriate Splunk SOAR apps (e.g., Microsoft 365 Defender, Microsoft Graph for Office 365, and ReversingLabs Spectra Analyze).

Step 2: Configure the Dedicated Mailbox

Make sure your Exchange Online mailbox (e.g., secops@company.com) is configured to receive phishing reports. Users report suspicious messages with the built-in reporting button, which sends a copy of the message to this mailbox, where the playbook retrieves it for analysis.

Step 3: Set Up API Access in Microsoft Entra ID

Navigate to Entra ID → App Registrations and create a new registration for the playbook. Add the required permissions to this app registration and grant admin consent:

Permission                          Description
Mail.Read                           Allows the playbook to read emails from a user's mailbox.
Mail.ReadBasic                      Grants basic read access to the mailbox.
Mail.ReadWrite (Optional)           Only if you need the playbook to modify or delete messages in the mailbox.
SecurityAlert.Read.All              Allows reading security alerts for all users.
SecurityAlert.ReadWrite.All         Allows reading and updating security alerts.
SecurityIncident.Read.All           Allows reading security incidents for all users.
SecurityIncident.ReadWrite.All      Allows reading and updating security incidents.

Next, create a client secret. Save the client ID and secret value for the next step.

Step 4: Configure Microsoft Apps in Splunk SOAR

In Splunk SOAR, install the Microsoft Graph for Office 365 app and the Microsoft 365 Defender app and create a new asset for each. Use the application client ID and secret value generated from your Entra ID app registration created in Step 3.

Step 5: Set Up ReversingLabs Spectra Analyze Integration

Go to the Connectors section in Splunk SOAR and add the ReversingLabs A1000v2 app. Create a new asset with a valid Spectra Analyze host URL and API token to allow the playbook to submit attachments for detonation and analysis.

Step 6: Review and Test the Playbook

Once the connectors are configured, run a test case with a reported phishing email. The playbook will:

  • Retrieve the reported email from the dedicated mailbox.
  • Extract the original phishing email attached to the message.
  • Submit the email attachment to ReversingLabs Spectra Analyze for detonation.
  • Return analysis results, indicating if the email contains malicious content.

How the Playbook Works

Once the playbook is up and running, the workflow automates the email triage process in the following steps:

  • Start: The playbook is triggered when a phishing email is reported by a user.
  • Retrieve Email: The playbook queries the dedicated mailbox to find the reported email and extracts the attached phishing message.
  • Submit to ReversingLabs: The attached email (or any attachments within the reported email) is submitted to a ReversingLabs Spectra Analyze appliance for analysis.
  • Receive Analysis Results: The results of the malware analysis are returned to Splunk SOAR, indicating whether the email contains any malicious content.
  • End: The playbook concludes and provides the threat details to the SOC team for further investigation if necessary.
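The two lists above (the Step 6 test run and the workflow) both hinge on one parsing step: the reported message is a cover email that carries the original suspicious email as a message/rfc822 attachment, and the playbook has to pull that inner message out before anything can be submitted for analysis. The following Python program is an added example, not code from the playbook or from ReversingLabs: it builds a constructed report mail, extracts the attached original, hashes the .eml and each attachment inside it, and returns the record a submission step could consume. The record's field names, the sample addresses, and the idea of hashing before detonation are assumptions of this example, not part of the playbook.

```python
"""Extract the original message from a user-reported phishing email and build
the record a triage step would pass on to analysis (added example, stdlib only)."""
import email
import hashlib
import json
from email import policy
from email.message import EmailMessage

# Constructed bytes standing in for a suspicious attachment; not real malware.
SAMPLE_PAYLOAD = b"%PDF-1.4 constructed sample attachment\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_report() -> bytes:
    """Constructed sample of what the reporting button delivers to the
    dedicated mailbox: a cover message carrying the original suspicious
    email as a message/rfc822 attachment."""
    original = EmailMessage(policy=policy.default)
    original["From"] = "billing@example.invalid"
    original["To"] = "user@company.com"
    original["Subject"] = "Invoice overdue"
    original.set_content("Please open the attached invoice.")
    original.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                            subtype="pdf", filename="invoice.pdf")

    report = EmailMessage(policy=policy.default)
    report["From"] = "user@company.com"
    report["To"] = "secops@company.com"
    report["Subject"] = "Reported: Invoice overdue"
    report.set_content("User reported this message as phishing.")
    report.add_attachment(original)  # serialised as a message/rfc822 part
    return report.as_bytes()


def extract_original(report_bytes: bytes):
    """Return the attached original email as an EmailMessage, or None when the
    report carries no message/rfc822 part, so a malformed or empty report is
    never mistaken for a clean one."""
    msg = email.message_from_bytes(report_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def triage(report_bytes: bytes) -> dict:
    """Build the submission record: sender and subject of the original message,
    the SHA-256 of the original .eml, and one entry per attachment inside it.
    Hashing first lets an analyst look up earlier verdicts before requesting a
    new detonation (assumed workflow, not the playbook's own logic)."""
    original = extract_original(report_bytes)
    if original is None:
        return {"status": "no_original_attached", "attachments": []}
    record = {
        "status": "ready_for_analysis",
        "original_from": str(original["From"]),
        "original_subject": str(original["Subject"]),
        "eml_sha256": sha256_hex(original.as_bytes()),
        "attachments": [],
    }
    for part in original.iter_attachments():
        data = part.get_content()
        if isinstance(data, EmailMessage):   # nested forwarded message
            data = data.as_bytes()
        elif isinstance(data, str):          # text/* attachments decode to str
            data = data.encode("utf-8")
        record["attachments"].append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return record


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_report()), indent=2))
```

Running the file prints the record for the constructed sample; in a real deployment the bytes passed to triage() would come from the Graph mailbox retrieval action, and the record's hashes and attachments would feed the Spectra Analyze submission action.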

Example

This example shows how ReversingLabs can help to automatically triage user-reported emails with Splunk SOAR. Below is a screenshot of a sample alert generated by Microsoft Defender for Office 365 when a user reports an email for review:

[Screenshot: Microsoft Defender for Office 365 alert for a user-reported email]

By running the playbook, the original email is retrieved and uploaded to the Spectra Analyze appliance, where it is run through static analysis via Spectra Core:

[Screenshot: the original email uploaded to Spectra Analyze and processed by Spectra Core static analysis]

After a few seconds, Spectra Analyze determines that the email contains a malicious attachment that matches the threat Win32.Trokan.Swrot:

[Screenshot: Spectra Analyze verdict showing the malicious attachment matching Win32.Trokan.Swrot]

The playbook also retrieves a summary of this report and adds a formatted view of it to the analyst view:

[Screenshot: formatted report summary in the Splunk SOAR analyst view]

Here is a simple video demonstration:

[Video demonstration]

Conclusion

The ReversingLabs - Reported Email Triage playbook is a powerful tool for automating the triage of phishing emails. By integrating Microsoft Graph, Exchange Online, and ReversingLabs Spectra Analyze, the playbook streamlines the process of identifying, analyzing, and mitigating phishing threats, reducing the time security analysts spend on manual investigation.

By setting up this playbook in your Splunk SOAR instance, you can ensure that user-reported phishing emails are processed quickly and efficiently, helping your organization stay ahead of email threats.