How to Automatically quarantine phishing emails identified by the email security gateway
SOAR rule for Phishing Emails:

Creating a Security Orchestration, Automation, and Response (SOAR) rule involves defining specific conditions, actions, and workflows to automate responses to security incidents. Here is an example of how to create a basic SOAR rule for Phishing Emails:

SOAR Rule Creation Workflow

1. Define the Trigger Condition:

Trigger: New email detected by the email security gateway.
Conditions: Email subject contains specific keywords associated with phishing (e.g., "password reset," "urgent action required").
Severity: Medium to high.

2. Specify the Actions to Be Taken:

Action 1: Quarantine the email.
Action 2: Add the sender's IP address to the firewall blocklist.
Action 3: Create a ticket in the incident management system.
Action 4: Notify the security team via email, Slack, or another communication channel.

3. Implement the Workflow:

Step 1: Check whether the email subject contains phishing keywords.
Step 2: If it does, quarantine the email and add the sender's IP address to the blocklist.
Step 3: Create an incident ticket with the details of the phishing attempt.
Step 4: Notify the security team.
Step 5: Log the incident in the security incident log.

4. Set Conditions for Automation:

Time: Apply the rule in real time, as soon as the phishing email is detected.
Exclusions: Exclude trusted sources or specific email addresses/domains from this rule if necessary.

5. Test and Refine:

Test the rule in a controlled environment to ensure it behaves as expected.
Refine the rule based on test results and feedback from security analysts.

6. Document the Rule:

Document the rule, including its trigger conditions, actions, and workflow.

Specify the purpose, expected behavior, and any exceptions.

Keep the documentation up-to-date if there are changes to the rule.

7. Monitor and Review:

Monitor the SOAR system to ensure the rule is functioning correctly.

Regularly review the effectiveness of the rule and adjust as needed based on the evolving threat landscape.
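As an added illustration (not code from the original post or from any SOAR vendor's playbook), the trigger and workflow from steps 1 to 4 above in Python: the keyword list, severity threshold, trusted-domain exclusions, sample gateway events and in-memory stand-ins for the downstream systems are all constructed assumptions.

```python
# Constructed rule parameters for this example (assumptions, not from any vendor playbook)
PHISHING_KEYWORDS = ("password reset", "urgent action required")
TRUSTED_DOMAINS = {"example.com"}  # step 4 exclusions: never auto-quarantine these senders
MIN_SEVERITY = 2  # gateway severity 1=low, 2=medium, 3=high; the rule fires on medium and high

def new_state():
    """In-memory stand-ins for the quarantine, firewall, ticketing, chat and log systems."""
    return {"quarantined": [], "blocklist": set(), "tickets": [], "notifications": [], "incident_log": []}

def matches_trigger(event):
    """Step 1: subject keyword match, severity threshold, and sender-domain exclusion."""
    sender_domain = event["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain in TRUSTED_DOMAINS or event["severity"] < MIN_SEVERITY:
        return False
    return any(keyword in event["subject"].lower() for keyword in PHISHING_KEYWORDS)

def run_playbook(event, state):
    """Steps 2-5: quarantine, block sender IP, open ticket, notify, log. Returns actions taken."""
    if not matches_trigger(event):
        return []
    actions = ["quarantine"]
    state["quarantined"].append(event["id"])
    # Idempotent block; the IP may be a shared relay, so keep the step 4 exclusions current.
    if event["sender_ip"] not in state["blocklist"]:
        state["blocklist"].add(event["sender_ip"])
        actions.append("block_ip")
    ticket_id = f"INC-{len(state['tickets']) + 1}"
    state["tickets"].append({"id": ticket_id, "email_id": event["id"], "sender": event["sender"],
                             "sender_ip": event["sender_ip"], "subject": event["subject"]})
    state["notifications"].append(f"{ticket_id}: quarantined phishing email from {event['sender']}")
    actions += ["ticket", "notify"]
    state["incident_log"].append({"email_id": event["id"], "ticket": ticket_id, "actions": list(actions)})
    return actions

# Constructed sample gateway events (RFC 5737 documentation addresses, .invalid sender domains)
SAMPLE_EVENTS = [
    {"id": "m1", "sender": "helpdesk@lure.invalid", "sender_ip": "203.0.113.10",
     "subject": "URGENT ACTION REQUIRED: password reset", "severity": 3},
    {"id": "m2", "sender": "it@example.com", "sender_ip": "198.51.100.5",
     "subject": "Password reset instructions", "severity": 3},
    {"id": "m3", "sender": "billing@lure.invalid", "sender_ip": "203.0.113.10",
     "subject": "Password reset for your account", "severity": 2},
]

def run_samples():
    """Run every sample through one shared state; return (actions per email id, state)."""
    state = new_state()
    return {e["id"]: run_playbook(e, state) for e in SAMPLE_EVENTS}, state
```

Running the three samples shows the trusted-domain exclusion suppressing the second email and the blocklist action not repeating for an IP that is already blocked.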

Similarly, we can create many more SOAR rules of this kind, such as "Automatically respond to suspicious login attempts detected in the system logs".

Remember, SOAR rules can be highly customized based on specific security requirements and the tools/systems in use within an organization. Additionally, collaboration with security analysts and IT teams is essential to creating effective and efficient automation rules that enhance the overall security posture of the organization.
