Learn the next steps in a Cortex XSOAR phishing playbook. Discover how to manage cybersecurity incidents effectively and ensure optimal protection for your organization.
Question
A Cortex XSOAR customer has a phishing use case in which a playbook has been implemented with one of the steps blocking a malicious URL found in an email reported by one of the users.
What would be the appropriate next step in the playbook?
A. Email the CISO to advise that malicious email was found.
B. Disable the user’s email account.
C. Email the user to confirm the reported email was phishing.
D. Change the user’s password.
Answer
C. Email the user to confirm the reported email was phishing.
Explanation
In a Cortex XSOAR phishing playbook, incident response should stay structured and methodical: the containment action (blocking the URL) has already been taken, so the next logical step is to close the loop with the user who reported the email. This step ensures the following:
- Verification: Confirming with the user that the email they reported was indeed phishing helps to verify the incident and gather any additional information the user might provide.
- User Awareness: Communicating with the user educates them about the outcome, reinforcing their awareness and vigilance against phishing attempts. This can improve the organization’s overall security posture.
- Further Actions: Depending on the user’s feedback, additional steps can be determined, such as scanning the user’s device for any compromise or extending the investigation if the phishing attempt appears to be part of a broader campaign.
While the other options could be considered in specific contexts, they are not immediate next steps in this scenario:
- A. Email the CISO to advise that a malicious email was found: Informing the CISO is important but typically part of a broader incident report rather than an immediate next step.
- B. Disable the user’s email account: This step is drastic and would generally be reserved for cases where there is clear evidence that the account has been compromised.
- D. Change the user’s password: Changing the password might be necessary if there’s suspicion of account compromise but is not directly related to confirming a reported phishing email.
Thus, the most appropriate next step is to email the user to confirm that the reported email was phishing. This confirmation is crucial for maintaining effective communication and ensuring proper incident handling.
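As an added example (not part of this page or of Palo Alto Networks' own content), here is the confirmation step written as an XSOAR-style Python automation. The incident field names `reporteremailaddress`, `emailsubject` and `maliciousurl`, and the availability of a `send-mail` command from a mail integration, are assumptions; the sample incident is constructed. It also shows two caveats a practitioner wants at this step: the confirmation mail goes only to the reporter field, never to the From: address of the reported email (which is attacker-controlled), and the blocked URL is defanged so the user cannot click a live copy of it. The reply classifier sketches the "Further Actions" branch that follows the user's answer.

```python
"""XSOAR-style automation for the "confirm with the reporter" step.

Added example, not from this page or from Palo Alto Networks. The incident
field names below are assumptions; map them to your own Phishing layout.
"""
import re
from typing import Optional

# Assumed incident field names (hypothetical; adjust to your incident layout).
REPORTER_FIELD = "reporteremailaddress"   # who forwarded the mail to the SOC
SUBJECT_FIELD = "emailsubject"            # subject of the reported mail
BLOCKED_URL_FIELD = "maliciousurl"        # URL the previous playbook step blocked

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample incident for stand-alone runs (not real data).
SAMPLE_INCIDENT = {
    "id": "1234",
    "name": "Phishing: Invoice overdue",
    "CustomFields": {
        REPORTER_FIELD: "jane.doe@example.com",
        SUBJECT_FIELD: "Invoice overdue",
        "emailfrom": "billing@example-invoices.test",
        BLOCKED_URL_FIELD: "https://login.example-invoices.test/auth?id=1",
    },
}


def defang_url(url: str) -> str:
    """Defang a URL (http -> hxxp, '.' in host -> '[.]') so the confirmation
    mail cannot re-deliver a clickable copy of the blocked link."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    else:
        scheme = re.sub(r"^http", "hxxp", scheme, flags=re.IGNORECASE) + "://"
    host, slash, path = rest.partition("/")
    return f"{scheme}{host.replace('.', '[.]')}{slash}{path}"


def build_confirmation_email(incident: dict) -> dict:
    """Return send-mail arguments asking the reporter to confirm the phish.

    The address comes only from the reporter field: never fall back to the
    From: header of the reported mail, which is attacker-controlled.
    """
    fields = incident.get("CustomFields") or {}
    reporter = fields.get(REPORTER_FIELD, "")
    if not EMAIL_RE.fullmatch(reporter):
        raise ValueError("no valid reporter address on incident; not emailing anyone")
    subject = fields.get(SUBJECT_FIELD) or "(no subject)"
    blocked = defang_url(fields.get(BLOCKED_URL_FIELD, ""))
    body = (
        f"Thanks for reporting the email \"{subject}\".\n"
        f"We have blocked the link it contained: {blocked}\n\n"
        "Please reply YES if you did not expect this email, or NO if it is a "
        "legitimate message you were expecting. Do not click the original link.\n"
        f"Reference: incident {incident.get('id', '?')}"
    )
    return {"to": reporter, "subject": f"[Security] Re: {subject}", "body": body}


# Words taken as confirming or denying the phish; checked as whole words.
YES_WORDS = {"yes", "confirm", "confirmed", "phishing", "suspicious"}
NO_WORDS = {"no", "legit", "legitimate", "expected", "mistake"}


def classify_reply(reply: Optional[str]) -> str:
    """Map the user's answer to the playbook branch that follows it."""
    if not reply or not reply.strip():
        return "no_reply"          # timeout: keep the block, escalate to an analyst
    words = set(re.findall(r"[a-z]+", reply.lower()))
    if words & NO_WORDS:
        return "false_positive"    # analyst reviews the block before lifting it
    if words & YES_WORDS:
        return "confirmed"         # continue: find other recipients, check device
    return "unclear"               # ask again or route to an analyst


def main() -> None:
    try:
        import demisto  # provided by the XSOAR runtime; absent elsewhere
    except ImportError:
        demisto = None
    incident = demisto.incident() if demisto else SAMPLE_INCIDENT
    args = build_confirmation_email(incident)
    if demisto:
        demisto.results(demisto.executeCommand("send-mail", args))
    else:
        print(args["body"])
        print("branch:", classify_reply("Yes, that was phishing"))


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Inside XSOAR this step is usually a data-collection (ask) task rather than a free-form mail, so the reply arrives as one of a fixed set of options and `classify_reply` reduces to a direct lookup; the keyword heuristic above is only for the stand-alone demonstration. The `ValueError` path is deliberate: if the reporter field is empty, the playbook should stop and hand the incident to an analyst rather than guess an address.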
This is a Palo Alto Networks PSE-Cortex certification exam practice question and answer (Q&A), with detailed explanation and reference, provided free to help you pass the PSE-Cortex exam and earn the Palo Alto Networks PSE-Cortex certification.