# Playbook of the Week: Speed Up Phishing Response with the Cortex XSOAR Deployment Wizard

By [Guy Liberman](https://www.paloaltonetworks.com/blog/author/guy-liberman/?ts=markdown "Posts by Guy Liberman"), Feb 03, 2023, 4 minutes. Category: [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)
## **Phishing Response Remains Critical**

Phishing is involved in almost 40% of security incidents, according to the [2022 Unit 42 Incident Response Threat Report](https://www.paloaltonetworks.com/unit42/2022-incident-response-report). Attacks that once relied on poorly written phishing emails to find victims have rapidly increased in sophistication and targeting, driven by the growing amount of personal information easily found on the internet. SOC analysts might encounter many types of phishing attacks daily, from opportunistic campaigns to spear phishing, some carrying attachments and others simply probing for more information. Attackers use phishing techniques to deliver malicious payloads or to harvest information for sale or future use.

Since sending a phishing email requires only the click of a button, the sheer volume of emails to analyze can be overwhelming and quickly consume SOC resources. If we know analysts are faced with these threats, we need to equip them with the proper tools. With Cortex XSOAR, phishing response can easily be automated, and it is one of the most popular automation use cases.

### **The Cortex XSOAR Phishing Pack**

The [Phishing pack](https://cortex.marketplace.pan.dev/marketplace/details/Phishing/) helps organizations reduce the time spent managing phishing alerts and provides a standardized, methodical process to handle phishing.
The main playbook helps to:

* Facilitate analyst investigation by automating phishing alert response and providing custom phishing incident fields, views, and layouts.
* Orchestrate across multiple products, including cross-referencing against external threat databases.

The pack also leverages machine learning to intelligently identify phishing campaigns targeting multiple users in the organization, linking them together and allowing full interaction and control over the campaign from within the incident layout.

### **How Does It Work?**

The phishing content pack helps automate phishing response via the following steps:

* Retrieves emails from user inboxes or ingests them using mail listeners
* Creates a phishing incident within Cortex XSOAR
* Extracts and enriches indicators from email attachments
* Analyzes files and provides reputation using available sandbox and threat intelligence integrations
* Generates a screenshot of the email and embedded links and calculates reputation for all indicators involved
* Runs checks for SSL certificates of URLs, email address breach involvement, domain-squatting, and email authenticity using SPF, DKIM, and DMARC checks
* Identifies similar phishing incidents of the same campaign, providing visibility and manual or automatic actions to respond
* Calculates severity for the incident based on the provided initial severity, indicator reputations, email authenticity check, and critical assets
* Remediates the incident by blocking malicious indicators and searching for and deleting malicious emails upon analyst approval
* Engages with the end user regarding the incident, such as notifying them of receipt of the email and providing further instructions if an email is found to be malicious

As part of this pack, you will also get out-of-the-box phishing incident views, a full layout, and automation scripts. These are all easily customizable to suit the needs of your organization.
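To make the email-authenticity and severity steps above concrete, here is an added illustrative example (not the Phishing pack's own code) that reads the SPF, DKIM and DMARC verdicts from a constructed message's `Authentication-Results` header and derives an incident severity from the same four inputs the playbook lists. The scoring rules, the sample message and the function names are assumptions chosen for the illustration.

```python
import re
from email import message_from_string

# Constructed sample message, as a mail listener might hand it to the playbook.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=payroll-update.example;
 dkim=none;
 dmarc=fail header.from=payroll-update.example
From: "Payroll" <hr@payroll-update.example>
To: alice@example.org
Subject: Action required: confirm your account

Please log in at http://payroll-update.example/login to confirm.
"""

# Matches "spf=pass", "dkim=fail", "dmarc=none" etc.; ignores smtp.mailfrom= / header.from=.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Cortex XSOAR severity scale: 0 unknown, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_LABEL = {0: "unknown", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def parse_authentication_results(raw_email: str) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...}; a method absent from the header is 'none'."""
    msg = message_from_string(raw_email)
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            results[method] = verdict.lower()
    return results


def email_is_authentic(auth: dict) -> bool:
    """Hypothetical rule: a DMARC pass is authentic; otherwise require both SPF and DKIM to pass."""
    if auth["dmarc"] == "pass":
        return True
    return auth["spf"] == "pass" and auth["dkim"] == "pass"


def calculate_severity(initial: int, reputations: list, authentic: bool, critical_asset: bool) -> int:
    """Hypothetical scoring: never lower the analyst-provided initial severity,
    raise it for suspicious/malicious indicators or a failed authenticity check,
    and escalate to critical when a critical asset is involved in a non-trivial case."""
    score = initial
    if "malicious" in reputations:
        score = max(score, 3)
    elif "suspicious" in reputations:
        score = max(score, 2)
    if not authentic:
        score = max(score, 2)
    if critical_asset and score >= 2:
        score = 4
    return min(score, 4)


if __name__ == "__main__":
    auth = parse_authentication_results(SAMPLE_EMAIL)
    sev = calculate_severity(1, ["malicious"], email_is_authentic(auth), critical_asset=True)
    print(auth, SEVERITY_LABEL[sev])
```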
### **What Is the Deployment Wizard?**

Cortex XSOAR introduced the use case deployment wizard to ease the integration process and playbook parameter configuration ([about the wizard](https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/marketplace/content-pack-installation/install-a-content-pack/use-the-use-case-deployment-wizard)). The deployment wizard was introduced earlier this year to help customers adopt automation from the XSOAR marketplace faster and more efficiently.

The wizard has three main phases:

* Configuring ingestion of the alerts (phishing emails)
* Configuring the main playbook
* Configuring any supporting integrations

## **Let's Fish for Phishing**

1. Select the Phishing pack from the Marketplace.

   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-1.png)
   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-2.png)

2. Select the Email Gateway to use and the supporting integrations.

   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-3.png)
   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-4.png)

3. Install the packs that were added to the cart.
4. Subscribe to the [pack](https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-release-notes/cortex-soar-release-information/cortex-soar-new-features) (from version 6.8).
5. Enter the phishing wizard process.

   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-5.png)
   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-6.png)

6. Configure the fetching integration and set the fetch configuration to true to enable automatic retrieval of emails.

   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-7.png)
   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-8.png)

7. Set the playbook parameters according to the organization's preferences. These can be reconfigured in later stages.

   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-9.png)

8. Configure supporting integrations; preconfigured integrations are marked in green.

   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-10.png)
   ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179237-11.png)

9. Validate that everything is configured and turn on your use case by enabling the fetching source in step 4.
10. Stop phishing!

For more information on the Cortex XSOAR Phishing pack, including a quick demo, visit the [Phishing](https://cortex.marketplace.pan.dev/marketplace/details/Phishing/) page on the Cortex Marketplace. If you need to respond to phishing alerts ingested from email gateway integrations, check out the [Phishing Alerts](https://xsoar.pan.dev/docs/reference/packs/Phishing-Alerts) content pack (the Phishing content pack is required).

To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour). We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.