
Copyright © Keepnet Labs LTD. All rights reserved.

Incident Responder


Last updated 2 months ago


This section gives a brief description of the Incident Responder and instructions on how to use the platform. Incident Responder analyses a suspicious email and, according to the results, takes action at the inbox level. The product also analyses URLs, IPs and files with the engines of the different technologies it is integrated with, which lets an institution make use of technologies it does not have itself.

Shortcuts

  • How can I start an investigation to find malicious emails for email users
  • How can I integrate analysis engines that the platform supports into my company profile
  • How to create automated playbook rules
  • How can I integrate O365, Exchange or Google Workspace to start an investigation on the email server
  • How can I customise the Phishing Reporter add-on and how can I deploy it to the email users after customisation
  • How to see reported emails and their analysis results
  • How to understand widgets on the Incident Responder

FAQ

Q: If a harmful email triggers an auto-investigation, will the same repeated email trigger auto-investigation each time?

A: No. A single auto-investigation is initiated for identical harmful reported emails, targeting the specific malicious elements (sender IP, link, attachment hash). There is no need to start an auto-investigation each time the same harmful email is reported once the first one is running. The auto-investigation remains active for a day and then expires.
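
The deduplication rule above, modelled as an added example (this is not Keepnet's code; the field names, the 24-hour window and the sample indicator values are assumptions made for illustration): identical harmful reports share one investigation keyed on sender IP, links and attachment hashes, and a report arriving after the investigation has expired starts a fresh one.

```python
"""Added example (not Keepnet's code): modelling the auto-investigation
deduplication rule described in the FAQ. One investigation is started per
distinct set of malicious elements (sender IP, links, attachment hashes)
and it expires after one day. Field names, the 24-hour window and the
sample values are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACTIVE_WINDOW = timedelta(days=1)  # "remains active for a day and then expires"

# Constructed sample indicators (placeholders, not real IoCs).
SAMPLE_LINK = "http://password-reset.example.invalid/login"
SAMPLE_HASH = "0" * 64  # placeholder SHA-256 of a constructed attachment


@dataclass(frozen=True)
class Indicators:
    """The malicious elements an auto-investigation is keyed on."""
    sender_ip: str
    links: frozenset[str]
    attachment_hashes: frozenset[str]


@dataclass
class Investigation:
    indicators: Indicators
    started_at: datetime

    def is_active(self, now: datetime) -> bool:
        return now - self.started_at < ACTIVE_WINDOW


class AutoInvestigator:
    """Starts at most one active investigation per distinct indicator set."""

    def __init__(self) -> None:
        self._by_key: dict[Indicators, Investigation] = {}

    def report(self, indicators: Indicators, now: datetime) -> tuple[bool, Investigation]:
        """Handle a harmful reported email; return (started_new, investigation)."""
        existing = self._by_key.get(indicators)
        if existing is not None and existing.is_active(now):
            return False, existing  # identical and still active: reuse it
        started = Investigation(indicators, now)  # first sighting, or expired
        self._by_key[indicators] = started
        return True, started

    def active_count(self, now: datetime) -> int:
        return sum(1 for inv in self._by_key.values() if inv.is_active(now))


def indicators_from_report(report: dict) -> Indicators:
    """Build the dedupe key from a reported-email record (constructed schema)."""
    return Indicators(
        sender_ip=report["sender_ip"],
        links=frozenset(report.get("links", [])),
        attachment_hashes=frozenset(report.get("attachment_sha256", [])),
    )


def simulate(events: list[tuple[float, str]]) -> list[bool]:
    """Feed reports given as (hours after t0, sender IP), all sharing the
    sample link and attachment hash; return whether each one started a new
    investigation."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    ai = AutoInvestigator()
    outcome = []
    for hours, sender_ip in events:
        report = {"sender_ip": sender_ip, "links": [SAMPLE_LINK],
                  "attachment_sha256": [SAMPLE_HASH]}
        started, _ = ai.report(indicators_from_report(report),
                               t0 + timedelta(hours=hours))
        outcome.append(started)
    return outcome


if __name__ == "__main__":
    # Same phish reported three times: the second report within 24h is
    # absorbed, the third arrives after expiry and starts a fresh investigation.
    print(simulate([(0, "198.51.100.23"), (6, "198.51.100.23"), (25, "198.51.100.23")]))
```

The key is a frozen dataclass so it is hashable; changing any one element (a different sender IP, an extra link) yields a different key and therefore a separate investigation, which is the behaviour the FAQ describes for non-identical reports.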

Q: Does the incident responder violate the user's privacy?

A: No, it does not. No one, including the Company Admins who manage the platform's interface, can view the contents of any email in the inbox.

Q: Is it possible to centralise the distribution of add-in?

A: Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools, such as Microsoft SCCM, IBM Bigfix.

Q: Are the emails sent by users for analysis securely stored on the server?

A: The platform generates a random key that is unique to each customer and then encrypts all reported emails on disk with the AES-256 algorithm.
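
The storage scheme the answer describes, shown as an added example (not Keepnet's code): one random 256-bit key per customer, reported emails encrypted with AES-256 before they touch disk. The page only names "AES 256"; the use of the GCM mode, the nonce layout and the in-memory key store are assumptions for illustration, and the block needs the `cryptography` package.

```python
"""Added example (not Keepnet's code): encrypting reported emails at rest
with a random key that is unique per customer, as the FAQ describes.
The page only says "AES 256"; the use of AES-256-GCM, the nonce layout and
the in-memory key store are assumptions for illustration. Requires the
`cryptography` package.
"""
from __future__ import annotations

import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_BITS = 256    # AES-256
NONCE_BYTES = 12  # standard GCM nonce length


class CustomerKeyStore:
    """One random 256-bit key per customer, created on first use.
    (A production system would hold these in an HSM or a KMS, not in memory.)"""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def key_for(self, customer_id: str) -> bytes:
        if customer_id not in self._keys:
            self._keys[customer_id] = AESGCM.generate_key(bit_length=KEY_BITS)
        return self._keys[customer_id]


def encrypt_reported_email(store: CustomerKeyStore, customer_id: str, raw_email: bytes) -> bytes:
    """Return nonce || ciphertext || tag for storage on disk. The customer id is
    bound as associated data, so a blob copied under another customer's record
    will not verify."""
    nonce = os.urandom(NONCE_BYTES)  # fresh random nonce per message
    ct = AESGCM(store.key_for(customer_id)).encrypt(nonce, raw_email, customer_id.encode())
    return nonce + ct


def decrypt_reported_email(store: CustomerKeyStore, customer_id: str, blob: bytes) -> bytes | None:
    """Return the plaintext, or None when the tag check fails (wrong customer
    key, wrong associated data, or a blob modified on disk)."""
    nonce, ct = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    try:
        return AESGCM(store.key_for(customer_id)).decrypt(nonce, ct, customer_id.encode())
    except InvalidTag:
        return None


def demo() -> dict[str, bool]:
    """Round-trip a constructed reported email and probe the failure modes."""
    # Constructed sample of a reported phishing email (not real data).
    sample = (b"From: it-support@example.invalid\r\n"
              b"Subject: Reset your password\r\n\r\n"
              b"Your password expires today, sign in at the link below.\r\n")
    store = CustomerKeyStore()
    blob = encrypt_reported_email(store, "customer-a", sample)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the tag
    return {
        "roundtrip_ok": decrypt_reported_email(store, "customer-a", blob) == sample,
        "plaintext_visible_on_disk": sample in blob,
        "other_customer_can_read": decrypt_reported_email(store, "customer-b", blob) is not None,
        "tampered_blob_accepted": decrypt_reported_email(store, "customer-a", tampered) is not None,
        "keys_differ": store.key_for("customer-a") != store.key_for("customer-b"),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

GCM gives integrity as well as confidentiality, which matters for stored evidence: a blob altered on disk, or one presented under the wrong customer, fails the tag check instead of decrypting to garbage.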

Q: Can I integrate this solution with the security products I have?

A: Yes, it is possible to integrate any solution. There are many platforms, such as DNS Firewall, Sandbox and exploitation tool platforms. See the integrations here, or view your support page.

Q: How do you report the incidents analysed, investigated and responded to?

A: Yes, you have the feature for automatic investigation, by which you can detect and remove the suspicious email or any of its variants in any of your users' inboxes, and you can automatically report it.

Q: How do you analyse the emails? Which tools are used for analysis?

A: We analyse suspicious emails by header, body and attachment using the third-party engines integrated into our interface. It is possible to add a new analysis service.

Q: If the suspicious email analysed is found to be malicious, can we delete this email from the inboxes without any intervention?

A: Yes, there is a feature for automatic investigation. With it, you can detect and remove the suspicious email and/or any of its versions in any of your users' inboxes, and report it automatically.

Q: What are the dependencies of the plugin? Java, Flash or something else?

A: There are no dependencies that need to be downloaded to users' computers in order to use the Phishing Reporter plugin.

Q: Can the plugin be disabled by individual users?

A: This depends on your company policy. If the user has the right to disable it, then it can be disabled. Many organisations handle this through GPO.

Q: When this tool is running, it will be using a certain port. What port will it be?

A: The add-in connects to the server over HTTPS (default port 443).

Q: Can emails reported on the Incident Responder be sent to Proofpoint for analysis?

A: Yes, you can use Keepnet Labs' APIs to retrieve reported emails, including links, sender IP and attachments, and then submit them to Proofpoint via their APIs for analysis.

Use cases

Introduction

Primary use cases for Incident Responder are centered around the following:

  1. I want an incident response system that can automate the technical analysis and investigation of suspicious, malicious emails in under a minute.

  2. I want to integrate Incident Responder with other Threat Intelligence / Sharing and Incident Response solutions already purchased.

  3. I want to make sure that the privacy of users is protected.

  4. I want the service to work on mobile as well as desktop devices.

  5. I want an interface/management console, which can manage each incident.

Incident Responder satisfies the criteria of each of these use cases; please see more below:

Use Case: I want to automate the technical analysis and investigation of suspicious emails in under a minute

Receiving a suspicious email is not great, but with Incident Responder you are able to take the right steps to protect your organisation from malicious attacks originating from suspected emails and the damaging data breaches that result. Use the details known from Phishing Reporter about the discovered incident to start a New Investigation. This enables investigators to determine, using filters, how far the attack launched from the suspicious email has penetrated defences and which departments or individuals have been affected.

Playbooks are an essential feature of Incident Responder, as they automate and initiate investigations without much oversight from the user. We suggest that you monitor how they are performing and tweak or edit them occasionally to get the best information and results from the investigations.

Incident analysis is then carried out on the suspicious email within the Incident Responder platform as well as by other third-party technologies, to provide the best results. Act on the results with an effective and quick response to make your organisation, colleagues and systems safer, more secure and more resilient, reducing the risk of future incidents.

Use Case: I want a system that integrates with my other Threat Intelligence / Sharing and incident response solutions

Integrations are commonplace in the information security community, and Incident Responder is no different: it is flexible enough to be used alongside other platforms. The New Integration feature walks users through the stages of integrating another cybersecurity solution. Remember to activate the new integration as the last step, to complete Threat Intelligence and Incident Response coverage.

Use Case: I want to make sure that the privacy of users is protected

Privacy concerns are of paramount importance in an incident response platform, and Incident Responder addresses them: neither users nor the Company Administrators who manage the platform have access to the contents of any emails in users' inboxes.

Use case: I want the service to work on mobile as well as desktop devices

The Incident Responder service can be used on both mobile as well as desktop devices.

Use case: I want an interface/management console, which can manage each incident

It is human nature to lose track of what is going on in a hectic information security environment. Incident Responder mitigates this risk with a comprehensive dashboard that gives an overview of how many users are on the Phishing Reporter platform, reported emails, incidents under investigation, top rules, incident analysis and ROI.

It is recommended that you use the reports generated by Incident Responder in conjunction with authorised third-party technologies to achieve the best results. Reports can be used in line with the organisation's own procedures and help avert potential cyber threats in the future. Threat Sharing / Threat Intelligence platforms are ideal places where reported incidents can be used for the wider benefit of a particular industry or sector.

Use Case: I have a single master tenant on O365 but manage multiple business units under that tenant. I would like to restrict the integration to specific groups within the Master tenant.

Yes, it is possible to integrate with your master (single) tenant via the Graph API and then restrict the API integration to a distribution group in Azure AD, i.e. you can decide which user mailboxes to integrate with (it does not have to be all of them). Please follow the steps below:

  1. Implement the Graph API settings for Incident Responder, following our standard configuration, which includes making the API work for all users: https://doc.keepnetlabs.com/Next-Generation-Product/platform/incident-responder/mail-configurations/microsoft-365

  2. Then limit the app's access from Azure AD as it relates to Exchange Online: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
