Playbook


Last updated 2 years ago

Keepnet's Incident Response module meets enterprise needs by automating analysis and incident response processes. With the Playbook feature, a business can define criteria as a rule set and have an investigation start whenever those criteria are met.

To set a rule, go to Incident Investigation > Playbook > New Rule.

Defining Conditions

Then start typing your rule for Automatic Investigation. In the sample below, we define a new rule for james@keepnetlabs.com, then click the Next button to define the actions that apply to anyone who gets an email from james@keepnetlabs.com.

Defining Actions

Action 1: Marking the Email

We set the actions that run when users get an email from james@keepnetlabs.com. In the screenshot below, anyone who gets an email from james@keepnetlabs.com is notified by a mark in the email that flags it as Malicious.

Action 2: Tagging Users

You can tag the email with any statement. See the screenshot below.

Action 3: Notifying the Users

You can notify users by selecting your target user.

Action 4: Analysing the Email With a Specific Engine

You can analyse the email with a specific engine by selecting it, as in the screenshot below.

Action 5: Starting An Investigation

You can start an investigation by setting up the variables.

Screenshot captions: Adding a New Rule for Investigation; Defining the New Rule; Action 1. Marking the Email As Malicious; Tagging Users; Notifying the Users; Analysing the Email With a Specific Engine.