A Cortex XSOAR customer has a phishing use case in which a playbook has been implemented with one of the steps blocking a malicious URL found in an email reported by one of the users.
What would be the appropriate next step in the playbook?
After blocking a malicious URL found in an email, the next critical step would be to inform the CISO (Chief Information Security Officer) about the incident. This ensures that the organization's leadership is aware of the potential threat and can take necessary actions such as further investigation, response coordination, and communication with other stakeholders. Disabling the user's email account, confirming with the user, or changing the password are actions that depend on further assessment and instructions from the security team. Immediate notification to the CISO keeps the incident response process aligned with the organization's security policies and procedures.
The most appropriate next step is to email the user to confirm that the reported email was phishing. This confirmation is crucial for maintaining effective communication and ensuring proper incident handling.
I think D is correct.
C is correct; the remediation options are search & delete email and block indicators.
Per the Cortex Help Center Documentation
I think C is not correct; it should be D.