Automated spam detection in Palo Alto Cortex XSOAR

Introduction

With our Managed Detect and Respond (MDR) service at NVISO we provide a managed Security Operations Center (SOC) for a large variety of clients across different industries. In our SOC, we rely heavily on automations performed by our SOAR platform, Palo Alto Cortex XSOAR, to minimize the manual tasks that need to be done by our SOC analysts. With our "automation first" principle, we have automated most L1 analysis tasks, allowing our analysts to focus on actionable security alerts and detect attackers in our customers' environments faster.

User Reported Phishing

A common problem for all our clients is phishing emails. This is still the most common initial attack vector for successful intrusions in a corporate environment. Through awareness campaigns, users are educated about the risks of phishing emails and how to spot them. In the awareness trainings, they are encouraged to report suspicious emails for analysis.

As a part of the NVISO MDR service, we offer a managed phishing option to review all user reported phishing emails. If automated analysis and manual review by a SOC analyst have determined that it is a true positive, the phishing mail is deleted from all user mailboxes across the entire organization.

What we have seen in our SOC is that even though users have been educated on how to spot phishing emails, it is still difficult for them to make the distinction between phishing mails and spam. We estimate that over 70% of user reported phishing mails are actually spam. As each mail is still manually verified by a SOC analyst after automated analysis, this generates a high workload in our SOC.

Automated Spam Detection

To decrease the workload of our SOC analysts, we have implemented an automated spam check against a privately hosted email sandbox. This sandbox has a built-in SpamAssassin deployment which returns a spam score. SpamAssassin is the #1 open-source anti-spam platform, maintained by the Apache Software Foundation, and is widely used to filter emails and block spam.

If the spam score is above a certain threshold, we can confidently say that the mail is spam. We automatically inform the user about the difference between spam and phishing and close the incident without any manual actions required.

Postmark Spamcheck XSOAR Integration

To enable you to implement this workflow yourself without the complex task of setting up and operating a SpamAssassin infrastructure, NVISO has created a Postmark Spamcheck XSOAR integration which you can use to get the Spam score of emails.

In this integration, we make use of the free public SpamCheck API created by Postmark:

https://spamcheck.postmarkapp.com/

This API allows you to send EML files to the Postmark SpamAssassin infrastructure without any cost for you.

The integration is available on the Cortex XSOAR marketplace and in the Demisto GitHub repository:

https://github.com/demisto/content/tree/master/Packs/PostmarkSpamcheck

The integration documentation can be found in the Cortex XSOAR documentation:

https://xsoar.pan.dev/docs/reference/integrations/postmark-spamcheck

Integration Setup

Open the Cortex XSOAR Marketplace, search for Postmark Spamcheck and install the integration.

Once installed, open Settings in XSOAR, open the Integrations tab and search for Postmark Spamcheck.

Click Add instance, set the name, and leave the other settings at their default values.

Click Test to verify connectivity, then click Save & exit.

The integration is now set up and ready for use.

Integration Usage

To get the spam score of an email, you will first need to have it available as an EML file in Cortex XSOAR. To do this you can use an integration such as EWS O365 from the EWS content pack to pull emails from a mailbox in Exchange Online.

Execute the following command to list emails available in the configured mailbox:

!ews-search-mailbox query="*" selected-fields="subject"

[Screenshot: ews-search-mailbox results]

Because reported phishing emails are added to the mail as an attachment, we need to retrieve the attachment with the mail itemId:

!ews-get-attachment item-id="AAMkADcwYmI0ZjcwLTI2NzItNDNhYi05N2Y5LThlZDkxOWUyZWE0YwBGAAAAAADtD+ENzUZfQ7HIUnhsJ9tOBwCOoK5ZS6vGTLYi98YtY9nrAAAAAAEMAACOoK5ZS6vGTLYi98YtY9nrAAEYi07gAAA="

[Screenshot: ews-get-attachment result]

The entryID of the retrieved attachment is available in the Context Data:

[Screenshot: Context Data]

To only get the spam score of the reported phishing mail, execute the following command:

!postmark-spamcheck entryid=691@731f1b54-bdea-4d4a-860f-328527df0cd7 short=True

[Screenshot: postmark-spamcheck result]

To get a full report with all the SpamAssassin rules that were hit, execute the following command:

!postmark-spamcheck entryid=691@731f1b54-bdea-4d4a-860f-328527df0cd7

[Screenshot: postmark-spamcheck result]

The results of postmark-spamcheck are also available in the Context Data, which can be used in playbooks:

[Screenshot: Context Data]

Based on the score returned by the postmark-spamcheck you can determine a threshold where you can confidently say that the reported phishing email is spam and take actions in your playbook accordingly.
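The usage steps above run inside XSOAR, so they cannot be tried outside the platform. As an added example that is not the NVISO integration's code, the following Python script shows the same two pieces in isolation: submitting a raw EML to the public Postmark SpamCheck endpoint (the `/filter` path, the JSON body with `email` and `options` set to `short` or `long`, and the `success`/`score`/`rules` fields of the response are taken from Postmark's API documentation; the sample responses here are constructed, not captured from the service), and then turning the returned score into the playbook decision the paragraph above describes. The threshold of 5.0 is an assumption borrowed from SpamAssassin's default `required_score`; tune it to your own data.

```python
"""Added example: query Postmark SpamCheck for a raw message and apply a
spam threshold the way a playbook branch would. Not NVISO's integration code."""
import json
import urllib.request
from email.message import EmailMessage

# Assumption: Postmark's documented public endpoint and request shape
# (POST JSON {"email": <raw RFC 822 message>, "options": "short"|"long"}).
SPAMCHECK_URL = "https://spamcheck.postmarkapp.com/filter"

# Assumption: SpamAssassin's default required_score; tune on your own data.
DEFAULT_THRESHOLD = 5.0


def build_request(raw_email: str, short: bool = False) -> bytes:
    """Serialize the JSON body the SpamCheck endpoint expects.

    'short' returns only the score, 'long' adds the SpamAssassin rules hit."""
    body = {"email": raw_email, "options": "short" if short else "long"}
    return json.dumps(body).encode("utf-8")


def spamcheck(raw_email: str, short: bool = False, timeout: int = 30) -> dict:
    """Submit an EML to Postmark and return the parsed JSON response.

    This is the only function that touches the network."""
    req = urllib.request.Request(
        SPAMCHECK_URL,
        data=build_request(raw_email, short),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def parse_score(result: dict) -> float:
    """Extract the SpamAssassin score; the API returns it as a string."""
    if not result.get("success", False):
        raise ValueError(f"SpamCheck failed: {result.get('message', 'unknown error')}")
    return float(result["score"])


def classify(result: dict, threshold: float = DEFAULT_THRESHOLD) -> dict:
    """Playbook decision: 'spam' closes the incident and notifies the user,
    'review' hands the reported mail to an analyst."""
    score = parse_score(result)
    hit_rules = [rule["description"] for rule in result.get("rules", [])]
    return {
        "score": score,
        "verdict": "spam" if score >= threshold else "review",
        "rules": hit_rules,
    }


def sample_eml() -> str:
    """Constructed sample message, so the payload can be built offline."""
    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have won"
    msg.set_content("Claim your prize now!")
    return msg.as_string()


# Constructed responses in the documented shape (not captured from Postmark).
SAMPLE_LONG_RESPONSE = {
    "success": True,
    "score": "6.4",
    "rules": [
        {"score": "2.5", "description": "Constructed rule: body mentions a prize"},
        {"score": "3.9", "description": "Constructed rule: sender domain has no MX"},
    ],
    "report": "constructed report text",
}
SAMPLE_SHORT_RESPONSE = {"success": True, "score": "1.2"}

if __name__ == "__main__":
    # Offline demonstration on the constructed responses.
    print(classify(SAMPLE_LONG_RESPONSE))
    print(classify(SAMPLE_SHORT_RESPONSE))
    # Live query (network required):
    # print(classify(spamcheck(sample_eml())))
```

The network call is kept in its own function so the decision logic can be unit-tested against stored responses; a failed submission (`success` false) raises instead of silently scoring zero, which would otherwise route a spam mail to an analyst or, worse, a phishing mail to auto-close.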

Conclusion

In this blog post we introduced the free open-source Postmark Spamcheck integration for Palo Alto Cortex XSOAR, created by the NVISO SOAR engineering team. This integration can be used in your playbooks for automated handling and analysis of reported phishing mails to determine their spam score and reduce the analyst workload in your SOC.

About the author

Wouter is an expert in the SOAR engineering team in the NVISO SOC. As the lead engineer and development process lead he is responsible for the design, development and deployment of automated analysis workflows created by the SOAR engineering team to enable the NVISO SOC analysts to detect attackers in customers' environments faster. With his experience in cloud and DevOps, he has enabled the SOAR engineering team to automate the development lifecycle and increase operational stability of the SOAR platform.

You can reach Wouter via his LinkedIn page.

Want to learn more about SOAR? Sign up here and we will inform you about new content and invite you to our SOAR For Fun and Profit webcast.
https://forms.office.com/r/dpuep3PL5W
