Security Incident Phishing flow template

The Security Incident - Phishing - Template allows you to perform a series of tasks designed to handle spear phishing emails on your network.

Before you begin

Role required: sn_si.write

About this task

This flow is triggered when the Category in a security incident is set to Spear Phishing.

Procedure

1. Open the security incident for this potential spear phishing attack, or create a new security incident.
2. In Category, select Spear Phishing.
3. Save the record.
4. Scroll down and open the Response Tasks related list.
   The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the flow to end.

Table 1. Response tasks in Spear Phishing Template

| Response task | Action | Results |
| --- | --- | --- |
| Is this a Phishing attack? | Determine if this is a phishing attack. In the task, select Yes or No in Outcome. | If you select Yes, the following tasks are executed in parallel: Scan Endpoint - Malware Found?; Update Email Protection Software; Remove Unread Phishing Email in Queue - For All Users. If you select No, the flow ends. |
| Scan Endpoint - Malware Found? | After running a scan, determine whether malware was found. In the task, select Yes or No in Outcome. | If you select Yes, the Remove Malware - Success? task is executed. If you select No, the Set State to Review task is executed. |
| Remove Malware - Success? | Determine whether the malware was successfully removed. In the task, select Yes or No in Outcome. | If you select Yes, the Set State to Review task is executed. If you select No, the Wipe and reimage task is executed. |
| Wipe and reimage | If you did not successfully remove the malware found, this task instructs you to perform a wipe and reimage on the computers infected with the malware. | After the task is complete, the Set State to Review task is executed. |
| Update Email Protection Software | If it was determined that this is a phishing attack, you are prompted to update your email protection software accordingly. | When the task is complete, the Set State to Review task is executed. |
| Remove Unread Phishing Email in Queue - For All Users | Perform the steps necessary to remove the phishing email still in the queue for all of your users. | When the task is complete, the Set State to Review task is executed. |
| Set State to Review | No action required. The State of the security incident is changed automatically to Review. | The Schedule Security Awareness Training task is executed. |
| Schedule Security Awareness Training | Schedule training to heighten security awareness by your employees. Update the State field in the task as appropriate. | When the task is complete, the flow ends. |

Related Tasks

- Security Incident Confidential Data Exposure flow template
- Security Incident Denial of Service flow template
- Security Incident Lost Equipment flow template
- Security Incident Malicious Software flow template
- Security Incident Policy Violation flow template
- Security Incident Reconnaissance flow template
- Security Incident Rogue Server or Service flow template
- Security Incident Spam flow template
- Security Incident Unauthorized Access flow template
- Security Incident Web/BBS Defacement flow template
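The response-task flow in Table 1, modelled as a graph so that every Outcome combination can be walked and the resulting task sets compared. This is an added example, not ServiceNow code: the task names are the page's, while the data structures, the function names and the choice to count a task once when several branches lead to it are assumptions.

```python
# Added example: Table 1 as a graph. Task names are the page's; everything else is assumed.
from itertools import product

START = "Is this a Phishing attack?"
SCAN = "Scan Endpoint - Malware Found?"
REMOVE = "Remove Malware - Success?"
WIPE = "Wipe and reimage"
UPDATE = "Update Email Protection Software"
PURGE = "Remove Unread Phishing Email in Queue - For All Users"
REVIEW = "Set State to Review"
TRAIN = "Schedule Security Awareness Training"

# Decision tasks: Outcome -> tasks executed next (empty list: the flow ends).
DECISIONS = {
    START: {"Yes": [SCAN, UPDATE, PURGE], "No": []},
    SCAN: {"Yes": [REMOVE], "No": [REVIEW]},
    REMOVE: {"Yes": [REVIEW], "No": [WIPE]},
}
# Tasks without an Outcome: what is executed once the task is complete.
ON_COMPLETE = {WIPE: [REVIEW], UPDATE: [REVIEW], PURGE: [REVIEW],
               REVIEW: [TRAIN], TRAIN: []}

def tasks_for(outcomes):
    """Set of tasks the flow reaches for {decision task: "Yes" | "No"}."""
    reached, pending = set(), [START]
    while pending:
        task = pending.pop()
        if task in reached:  # assumption: converging branches count a task once
            continue
        reached.add(task)
        if task in DECISIONS:
            pending.extend(DECISIONS[task][outcomes[task]])
        else:
            pending.extend(ON_COMPLETE[task])
    return frozenset(reached)

def distinct_paths():
    """Map each distinct task set to one Outcome combination that produces it."""
    paths = {}
    for combo in product(("Yes", "No"), repeat=len(DECISIONS)):
        outcomes = dict(zip(DECISIONS, combo))
        paths.setdefault(tasks_for(outcomes), outcomes)
    return paths

if __name__ == "__main__":
    for tasks, outcomes in distinct_paths().items():
        print(len(tasks), "tasks for", outcomes)
```

The eight Outcome combinations collapse to four distinct task sets, and Wipe and reimage appears in only one of them.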