🎣
Phishing
Social engineering attack delivered via email, SMS, or messaging platforms designed to harvest credentials or deliver malicious payloads.
29 runbook nodes, 8 lifecycle stages covered
Triage (5 nodes)
- Bound the Investigation Timeframe | P1 | Timeframe Bounding | 30 min
- Identify Patient Zero (First Compromised System) | P1 | Patient Zero | 60 min
- Analyze Suspicious Email for BEC Indicators | P1 | BEC Email Analysis | 45 min
- Phishing Email Triage and Indicator Extraction | P1 | Phishing Triage | 30 min
- Validate the Initial Access Vector | P2 | Access Validation | 45 min
Containment (3 nodes)

Preservation (4 nodes)

Collection (6 nodes)
- Phishing Artifact Collection: Headers, URLs, Attachments | P1 | Phishing Artifact Collection | 60 min
- EDR Telemetry Collection | P2 | EDR Collection | 120 min
- M365 Unified Audit Log Collection | P2 | M365 UAL Collection | 90 min
- Azure AD Sign-In and Audit Log Collection | P2 | Azure AD Logs | 60 min
- Identify Alternative Evidence When Primary Logs Are Missing | P2 | Missing Log Fallback | 60 min
- Coordinate Log Collection from Third-Party Vendors | P3 | Third-Party Logs | 120 min