Incident Responder

1. Introduction

This guide will provide instructions on how to use the Incident Responder platform.
Figure 1: Incident Responder Dashboard
This includes:
  • The dashboard - how to navigate the layout to perform tasks and administer your account
  • How to report and analyze phishing email attacks and take action at the inbox level to prevent future attacks
  • Help to plan the prevention of future attacks

1.1. What is Incident Responder?

The Incident Responder module consists of the following components:
  • Phishing Reporter
  • Incident Analysis
  • Investigations
  • ROI Summary
Under these headings, you will find the following sections:
  • Top Rules: the most triggered rules from the Playbook
  • Recent Investigations: which have been recently performed
  • Reported Emails: suspicious emails reported by users via Phishing Reporter, with their analysis and results.

2. Phishing Reporter

On the Incident Responder Dashboard, the first box in the top row shows the Phishing Reporter together with the number of users currently online who are using it.
Click on the top right corner of the Phishing Reporter box, and you will be taken directly to the module:
Figure 2: Phishing Reporter
On the top row, you will see displayed the following:
  • The number of users with the add-in
  • The number of users currently online
  • The number of users who are offline
  • The latest version of Phishing Reporter in use
Under this row on the right-hand side, you have the option to display different timelines.
In the main section of the Phishing Reporter, there are two tabs:
  • Users
  • Settings

2.1. Users

Under the Users tab, you will see a list of the users who are using the Phishing Reporter add-in. On the right-hand side, you will see three symbols:
  • Download: click here to export the list of users as an xlsx, csv or pdf file
  • Print: click here to print the list
  • Settings: select the data table settings here
Important note: the three symbols will remain greyed out until the Phishing Reporter add-in is installed.

2.2. Settings

Under the Settings tab, you will see the following setting options:
  • Add-in Settings
  • Email Settings
  • Other Settings
  • Diagnostic Tool
To help you further, please find a link on the right-hand side for the Installation and Configuration Guide (opens in a new window).

2.2.1 Add-in Settings

Fill in the required fields:
  • The Add-in Name is the name you would like to give to the Add-in.
  • The Brand Name is the name of the company/organization/department you would associate with the add-in.
  • Add-in Logo: you have the option to add a logo of your choice (recommended size is 60x60 pixels).
  • Dialogue Box Settings: customise the buttons and messages to be displayed
  • Warning Label: add the warning label to appear on the suspicious email
Then remember to Save Changes, and there is an option to Save and Download. You can also view the Download History.

2.2.2. Email Settings

Here you are able to send a copy of reported emails as an attachment. Remember to tick the check box for the option to send a notification email for reported emails. Fill in the required fields and again remember to Save Changes, and there is an option to Save and Download. You can also view the Download History.

2.2.3. Other Settings

Proxy Settings

If your organization uses a proxy for internal and external communications, tick the relevant Proxy Setting check box so that Phishing Reporter can reach the Incident Responder services (Investigation, Reporting etc.) through it.

Enterprise Vault

If your organization archives emails in an Enterprise Vault, tick the Enterprise Vault check box and enter the Enterprise Vault URL. Phishing Reporter will then include all emails archived in the vault when you start an investigation with Incident Responder: if you are looking for a particular email and this setting is ticked, the archived emails are scanned as well and the email is discovered if it is located there.
This feature integrates with products such as the Symantec Enterprise Vault, which many enterprises use to archive emails, so that malicious emails can be found among emails that have already been archived.
Again remember to Save Changes, and there is an option to Save and Download. You can also view the Download History.

Diagnostic Tool

This tool helps you check the status of the add-in and diagnose any problems. Optional Features include the option to check and enable all disabled add-ins automatically; tick the check box to enable this feature. Remember to Save Changes, and there is an option to Save and Download. You can also view the Download History. To learn more about the Diagnostic Tool, view here.

3. Incident Analysis

In this section, you can view and analyse the Incidents arising from the emails reported via Phishing Reporter. The analysis is executed within the Incident Responder platform and by the third-party technologies integrated with it, which gives you the best results. You can then respond quickly and effectively to the Incident Analysis results and make your organization, colleagues and systems safer and more secure, reducing the risk of future incidents.

4. Investigations

Figure 3: Investigations Dashboard
To view the Investigations section, click the Investigations heading or select Investigations in the left-hand dropdown menu on the Incident Responder dashboard.
You will then see a list of the Incidents being investigated and four buttons on the right-hand side of the section. These are for the following:
  • + to start a New Investigation
  • Download: click here to export the list of investigations as an xlsx, csv or pdf file
  • Print: click here to print the list of investigations
  • Settings: select the data table settings here
To run a New Manual Investigation, either click on the:
  • + as described above
  • or the + Start a New Investigation button
To run an Automatic Investigation, select the Playbook module.

4.1. Start a New Investigation

Figure 4: Start a New Investigation
To start a New Investigation, fill out the following requested fields:
  • Investigation Name: enter the name you would like to use for the investigation
  • Target Users: use this filter to select the departments, groups or specific users you would like to investigate. The available filters are All Users, User Groups and Specific Users (for more information about setting up Users, User Groups and Specific Users, go to the Company Guide)
  • Search Criteria: define the criteria you would like to use for the New Investigation. These criteria will then be used to search for the emails you would like to investigate
  • Email Date Range: select the date range of emails sent in a specific timeframe
  • Select Sources: select the sources to be investigated
  • Duration: select how many days your investigation will run for
  • Action: select the action to be taken after the investigated email has been found
Then click on Save to start your Investigation, or Cancel to abandon it.
Important note: once your investigation is running, you will not be able to change or edit it. You can only stop the investigation and then create a new one with any changes you would like to make.
Your Investigation will now be listed as below:
Figure 5: List of Investigations
Below the list of Investigations is a toolbar: scroll across to see the full range of filters:
  • Incident: the name of the incident under investigation
  • Source: the type of investigation
  • Status: after the investigation has run, this will be displayed as expired
  • Date Created: the date when the investigation begins
  • Expiry Date: the date when the investigation ends
  • User Status: shows the stage of the investigation
  • Progress: how far the investigation has progressed
  • Actions: under this tab, you can view the Investigation Details or select Stop to halt the Investigation.

4.2. Investigation Details and Results

Figure 6: Investigation Details and Results
After selecting Details, the following Investigation Details and Results are displayed:
  • The Status as Running or Expired
  • The Number of Users who could not be scanned
  • The Number of Total Users who were scanned
  • The Number of Emails scanned
  • The Duplicate button allows replicating the Investigation so it can be run again.
Under the Investigation Details and Results, the emails discovered will be listed. You can customise this view with the filter buttons on the right-hand side and the Download, Print and Settings options.
On the left-hand side, the mailbox folders scanned during the Investigation are displayed. For example, if an Investigation returns a result from the sent folder of the mailbox, it will be displayed under the sent folder seen here in Investigation Details and Results. If an email is found outside of the inbox folder, it will be displayed in Other.
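The investigation workflow described in sections 4.1 and 4.2 (target users, search criteria, date range, the action applied to found emails, and results grouped by mailbox folder) is modelled below as an added example. This is illustrative code written for this guide, not the Incident Responder product's own code or API: the target modes, criteria keys, folder names and the "report"/"delete" action names are assumptions, and the mailboxes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Email:
    sender: str
    subject: str
    sent: date
    folder: str          # mailbox folder holding the message, e.g. "Inbox", "Sent", "Archive"


@dataclass
class Mailbox:
    user: str
    group: str
    emails: list
    reachable: bool = True   # False models a mailbox the scan could not open


def select_targets(mailboxes, target):
    """Target Users filter: All Users, User Groups or Specific Users (modes are hypothetical)."""
    mode = target["mode"]
    if mode == "all":
        return list(mailboxes)
    if mode == "groups":
        return [m for m in mailboxes if m.group in target["values"]]
    if mode == "users":
        return [m for m in mailboxes if m.user in target["values"]]
    raise ValueError(f"unknown target mode {mode!r}")


def matches(e, criteria, start, end):
    """Search Criteria plus Email Date Range; an unset criterion matches anything."""
    if not (start <= e.sent <= end):
        return False
    sender = criteria.get("sender")
    if sender and e.sender.lower() != sender.lower():
        return False
    needle = criteria.get("subject_contains")
    if needle and needle.lower() not in e.subject.lower():
        return False
    return True


def folder_bucket(folder):
    """Results are grouped as Inbox, Sent or Other, as on the details page."""
    return folder if folder in ("Inbox", "Sent") else "Other"


def run_investigation(name, mailboxes, target, criteria, date_range, action="report"):
    """One-shot run: scans the targeted mailboxes and applies the chosen action to hits."""
    start, end = date_range
    users_scanned = users_not_scanned = emails_scanned = 0
    results = {"Inbox": [], "Sent": [], "Other": []}
    for mbox in select_targets(mailboxes, target):
        if not mbox.reachable:
            users_not_scanned += 1       # counted as "could not be scanned"
            continue
        users_scanned += 1
        hits = []
        for e in mbox.emails:
            emails_scanned += 1
            if matches(e, criteria, start, end):
                hits.append(e)
                results[folder_bucket(e.folder)].append((mbox.user, e.folder, e.subject))
        if action == "delete":           # remove the found emails from the mailbox
            hit_ids = {id(h) for h in hits}
            mbox.emails = [e for e in mbox.emails if id(e) not in hit_ids]
    return {
        "investigation": name,
        "status": "Expired",             # the run has finished, as the list view shows
        "users_scanned": users_scanned,
        "users_not_scanned": users_not_scanned,
        "emails_scanned": emails_scanned,
        "results": results,
        "action": action,
    }


# Constructed sample mailboxes; users, groups and addresses are made up.
SAMPLE_MAILBOXES = [
    Mailbox("alice", "Finance", [
        Email("billing@invoice-portal.example", "Overdue invoice", date(2024, 3, 3), "Inbox"),
        Email("alice@example.com", "FW: Overdue invoice", date(2024, 3, 3), "Sent"),
        Email("hr@example.com", "Holiday calendar", date(2024, 3, 1), "Inbox"),
    ]),
    Mailbox("bob", "Finance", [
        Email("billing@invoice-portal.example", "Overdue invoice", date(2024, 3, 4), "Archive"),
        Email("billing@invoice-portal.example", "Overdue invoice", date(2023, 12, 20), "Inbox"),
    ]),
    Mailbox("carol", "IT", [
        Email("billing@invoice-portal.example", "Overdue invoice", date(2024, 3, 4), "Inbox"),
    ], reachable=False),
]


def demo():
    """Investigate the constructed lure across all users and delete what is found."""
    return run_investigation(
        "Overdue invoice lure", SAMPLE_MAILBOXES, {"mode": "all"},
        {"subject_contains": "Overdue invoice"},
        (date(2024, 3, 1), date(2024, 3, 7)), action="delete")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2, default=str))
```

Running the demo shows the two figures the details page reports separately (two users scanned, one that could not be scanned), the hit in bob's Archive folder landing under Other, and bob's December copy excluded by the date range; because the action is "delete", the found messages are gone from the reachable mailboxes afterwards, while the unreachable one is untouched.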

5. ROI Summary

Under this tab, you can set up the ROI (Return on Investment): click on the Settings wheel and enter the Hourly Rate and Saved Time Per Task (Hours). Then click on Save to save your changes.

6. Playbook

A Playbook allows you to create rules for an Automatic Investigation. To set up a Playbook, go to the Incident Responder homepage, select Playbook in the dropdown menu and then click on + Add A Rule.

6.1. Creating a New Rule

Figure 7: Creating a New Rule

6.1.1 New Rule Info

To create a New Rule, fill in the requested information:
  • Rule Name
  • Description
  • Priority: assign the status of the new rule
  • Tags: define tags of the new rule
Choose to make the rule Active or Non-active. Then click on Next to go to Conditions.

6.1.2. Conditions

Here you set out the Conditions of the New Rule by customising its filters. Once these have been selected, click on Next to go to the final stage, Actions.

6.1.3. Actions

Select what Actions will be taken as a result of the New Rule:
  • Mark as
  • Analyse
  • Investigate
  • Notify
  • Tags
Click on +Add Action to add more actions for the New Rule.
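To show how a Playbook rule (info, conditions, actions) drives an Automatic Investigation and how the dashboard's Top Rules count is derived from rule triggers, here is an added example in Python. It is illustrative code written for this guide, not the Incident Responder product's rule engine: the condition operators, the action tuples and the reported-email record keys are assumptions, and the rules and records are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Condition:
    field: str      # key of the reported-email record to inspect
    op: str         # one of the operators in OPS (hypothetical operator names)
    value: object


@dataclass
class Rule:
    name: str
    description: str
    priority: int           # lower number = evaluated first
    tags: list
    conditions: list        # all conditions must hold (AND)
    actions: list           # (action type, parameter) pairs: Mark as, Analyse, Investigate, Notify, Tags
    active: bool = True


OPS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "in": lambda actual, expected: actual in expected,
    "gt": lambda actual, expected: actual > expected,
}


def rule_matches(rule: Rule, reported: dict) -> bool:
    """True when every condition holds; a field missing from the record never matches."""
    for c in rule.conditions:
        if c.field not in reported or not OPS[c.op](reported[c.field], c.value):
            return False
    return True


class Playbook:
    def __init__(self, rules):
        # Stable sort keeps definition order among rules of equal priority.
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.trigger_counts = Counter()   # feeds the dashboard's Top Rules

    def evaluate(self, reported: dict) -> list:
        """Active rules whose conditions match, in priority order; inactive rules are skipped."""
        triggered = []
        for rule in self.rules:
            if rule.active and rule_matches(rule, reported):
                self.trigger_counts[rule.name] += 1
                triggered.append(rule)
        return triggered

    def actions_for(self, reported: dict) -> list:
        """De-duplicated action list collected from all triggered rules."""
        actions = []
        for rule in self.evaluate(reported):
            for action in rule.actions:
                if action not in actions:
                    actions.append(action)
        return actions

    def top_rules(self, n: int = 3) -> list:
        return self.trigger_counts.most_common(n)


# Constructed rules and reported-email records; addresses are made up.
SAMPLE_RULES = [
    Rule("Authentication failure", "SPF failed on the envelope sender", 1, ["auth"],
         [Condition("spf", "equals", "fail")],
         [("Mark as", "Suspicious"), ("Analyse", "header"), ("Notify", "soc@example.com")]),
    Rule("Mass reported", "Reported by more than three users", 1, ["volume"],
         [Condition("reporter_count", "gt", 3)],
         [("Investigate", "all users"), ("Notify", "soc@example.com")]),
    Rule("Archive attachment", "Carries a zip attachment", 2, ["attachment"],
         [Condition("attachment_types", "contains", "zip")],
         [("Mark as", "Suspicious"), ("Investigate", "all users"), ("Tags", "attachment")]),
    Rule("Internal newsletter", "Non-active rule kept for reference", 3, ["internal"],
         [Condition("sender_domain", "equals", "example.com")],
         [("Mark as", "Safe")], active=False),
]

SAMPLE_EMAILS = {
    "lure": {"sender_domain": "login-portal.example", "spf": "fail",
             "attachment_types": ["zip"], "reporter_count": 5},
    "newsletter": {"sender_domain": "example.com", "spf": "pass",
                   "attachment_types": [], "reporter_count": 1},
}


if __name__ == "__main__":
    pb = Playbook(SAMPLE_RULES)
    for label, record in SAMPLE_EMAILS.items():
        print(label, [r.name for r in pb.evaluate(record)], pb.actions_for(record))
    print("Top Rules:", pb.top_rules())
```

Two points worth noting from the run: the "Notify" action is emitted once even though two rules request it, and the non-active "Internal newsletter" rule never fires, so a rule that is switched off neither acts nor appears in Top Rules.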

7. Integrations

Figure 8: New Integration
To create a New Integration, go to the Incident Responder homepage, select Integrations in the dropdown menu and then click on New Integration.
Then enter the following information:
  • Integration Name
  • Description
  • Integration type
  • API Key generated by your provider and Test Connection
  • Tags
Make the New Integration Active. Please note that uploading the originally attached files to an integrated service may disclose sensitive information to that service.
Then click on Save.

8. FAQ

Q: Does Incident Responder violate the user's privacy?
A: No, it does not. No one, including the Company Admins who manage the platform's interface, can view the contents of any email in the inbox.
Q: Is it possible to centralise the distribution of the add-in?
A: Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools such as Microsoft SCCM or IBM BigFix.
Q: Are the emails sent by users for analysis securely stored on the server?
A: The platform generates a random key that is unique to each customer and encrypts all reported emails on disk with the AES-256 algorithm. See the logging mechanism here.
Q: Can an attacker hijack the Outlook add-in?
A: The platform uses Code Signing with Microsoft Authenticode to protect its tools against tampering. For more information, please click here.
Q: Can I integrate this solution with the security products I have?
A: Yes. Integrations are possible with many platform types, such as DNS firewalls, sandboxes and exploitation tool platforms. See the integrations here. Please view your support page.
Q: How do you report the incidents analysed, investigated and responded to?
A: Yes, you have the feature for an automatic investigation, by which you can detect and remove the suspicious email or any of its variants in any of your users' inboxes, and you can automatically report it.
Q: How do you analyse the emails? Which tools are used for analysis?
A: We analyse suspicious emails by header, body and attachment using the third-party engines integrated into our interface. It is possible to add a new analysis service here.
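The header, body and attachment analysis mentioned in this answer and in section 3 can be illustrated with the Python standard library's email parser. The block below is an added example for this guide, not the product's own analysis engine or any third-party engine: it extracts the indicators an analyst or an external engine would work from (sender/reply-to/return-path consistency, SPF/DKIM verdicts from the Authentication-Results header, URLs in the body, and attachment hashes). The sample .eml and every address and URL in it are constructed for the example.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a reported message; all addresses and URLs are made up.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: <reset@login-portal.example>
To: user@example.com
Subject: Password expires today
Date: Mon, 01 Jan 2024 09:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your password expires today. Reset it at https://login-portal.example/reset
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' when there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_findings(msg) -> list:
    """Header checks: From/Reply-To/Return-Path consistency and SPF/DKIM verdicts."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth = str(msg.get("Authentication-Results", ""))
    findings = []
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("reply-to domain differs from From domain")
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append("return-path domain differs from From domain")
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("SPF or DKIM failure recorded in Authentication-Results")
    return findings


def body_urls(msg) -> list:
    """Distinct URLs found in the text parts of the body (attachments excluded)."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        for url in URL_RE.findall(part.get_content()):
            if url not in urls:
                urls.append(url)
    return urls


def attachment_hashes(msg) -> list:
    """Filename, size and SHA-256 of each attachment, ready for a reputation lookup."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({
            "filename": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return out


def analyse(raw: bytes) -> dict:
    """Header, body and attachment analysis of one reported email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "subject": str(msg.get("Subject", "")),
        "header_findings": header_findings(msg),
        "urls": body_urls(msg),
        "attachments": attachment_hashes(msg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_EML), indent=2))
```

The three header findings on the sample (a Reply-To pointing at a different domain than the displayed sender, a mismatched Return-Path, and an SPF failure) are exactly the kind of signal that, combined with the URL and the attachment hash, can be handed to the integrated engines described in section 7 without ever forwarding the message body itself.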
Q: If the suspicious email analysed is found to be malicious, can we delete this email from the inboxes without any intervention?
A: Yes, you have a feature for automatic investigation. With this, you can detect and remove the suspicious email and/or any of its versions in any of your users' inboxes, and you can automatically report it.
Q: What are the dependencies of the plugin? Java, Flash or something else?
A: Nothing except .net 2.5 or higher versions.
Q: Can the plugin be disabled by individual users?
A: This depends on your company policy. If the user has the right to disable it, then it can be disabled. Many organisations handle these processes by GPO.
Q: When this tool is running, it will be using a certain port. What port will it be?
A: The add-in connects to the server over HTTPS (default port 443).

9. Use cases


Primary use cases for Incident Responder are centered around the following:
  1. I want an incident response system that can automate the technical analysis and investigation of suspicious, malicious emails in under a minute.
  2. I want to integrate Incident Responder with other Threat Intelligence / Sharing and Incident Response solutions already purchased.
  3. I want to make sure that the privacy of users is protected.
  4. I want the service to work on mobile as well as desktop devices.
  5. I want an interface/management console, which can manage each incident.
Incident Responder satisfies the criteria of each of these use cases; please see more below:

Use Case: I want to automate the technical analysis and investigation of suspicious emails in under a minute

Receiving a suspicious email is never welcome, but with Incident Responder you are able to take the right steps to protect your organisation from malicious attacks delivered by such emails and from the damaging data breaches that can follow. Use the details Phishing Reporter has already captured about the discovered Incident to start a New Investigation. Its filters let investigators determine how far the attack launched from the suspicious email has penetrated your defences and which departments or individuals have been affected.
Playbooks are an essential feature of Incident Responder, as they automate and initiate investigations without much oversight from the user. We suggest that you monitor how they are performing and tweak or edit them occasionally to get the best information and results from the investigations.
Incident Analysis is then carried out on the suspicious email within the Incident Responder platform and by the integrated third-party technologies to provide the best results. Respond quickly and effectively to those results to make your organization, colleagues and systems safer, more secure and more resilient against future incidents.

Use Case: I want a system that integrates with my other Threat Intelligence / Sharing and incident response solutions

Integrations are commonplace in the information security community, and Incident Responder is no different: it is flexible enough to be used alongside other platforms. The New Integration feature walks users through the stages of integrating another cybersecurity solution. Remember to set the new Integration to Active as the last step to complete your Threat Intelligence and Incident Response coverage.

Use Case: I want to make sure that the privacy of users is protected

Privacy concerns are of paramount importance in an incident response platform, and Incident Responder addresses these. Both Users and Company Administrators who manage the platform do not have access to the contents of any emails in the users’ inboxes.

Use case: I want the service to work on mobile as well as desktop devices

The Incident Responder service can be used on both mobile as well as desktop devices.

Use case: I want an interface/management console, which can manage each incident

It is human nature to lose track of what is going on in a hectic information security environment. Incident Responder mitigates this risk with a comprehensive dashboard that provides an overview of how many users are on the Phishing Reporter platform, the Reported Emails, the Incidents undergoing investigation, the Top Rules, Incident Analysis and ROI.
It is recommended that you use the Reports generated by Incident Responder in conjunction with authorised third-party technologies to achieve the best results. Reports can be used in line with the organisation's own procedures and help avert potential cyber threats in the future. Threat Sharing / Threat Intelligence platforms are ideal places in which reported Incidents can be used for the wider benefit of a particular industry or sector.

Use Case: I have a single master tenant on O365 but manage multiple business units under that tenant. I would like to restrict the Incident Responder integration to specific groups within the Master tenant.

Yes, it is possible to integrate with your master (single) tenant via the Graph API and then restrict the API integration to a distribution group in Azure AD, i.e. you can decide which user mailboxes to integrate with (it does not have to be all of them). Please follow the steps below:
  1. You need to implement the Graph API settings for Incident Responder (following our standard configuration, which includes making the API work for “all’ users -
  2. Then you need to limit access to the App from Azure AD as it relates to Exchange Online (