Splunk SOAR Playbooks: Suspicious Email Domain Enrichment

Despite the myriad pathways to initial access on our networks, phishing remains one of the most common techniques attackers use. The open nature of email and our reliance on it for communication make it difficult for defenders to classify messages, so it is no surprise that suspicious email investigation is a top use case for automation. Today, we are releasing a new community playbook for Splunk SOAR (previously Splunk Phantom) to help enrich suspicious email events. This playbook focuses specifically on domain names contained in the ingested email, and it uses Cisco Umbrella Investigate to add the risk score, risk status and domain category to the event in Splunk SOAR. When an analyst is assigned the event, this makes it faster to recognize the purpose of the email, and the domain enrichment also provides a connection point for taking further action on the output.

Whether or not you’re new to automation and orchestration, this simple, out-of-the-box playbook will help you triage suspicious emails quickly and gives you a starting point for containment.

The Playbook: Suspicious Email Domain Enrichment

The playbook starts by fetching the full text of the event and all of its artifacts, then running a regular expression over that text to extract any email addresses it contains. Two separate domain reputation queries are then run: one on the domains taken from those email addresses, and one on any domains that were already extracted as artifacts when the email was ingested. Taken together, these cover domains from both the email headers and the body. Each query goes to Cisco Umbrella Investigate, which returns the risk score, risk status and categorization of the domain. Umbrella backs this with Cisco’s threat research and its broad visibility into internet traffic, so the result often gives a clear view of a domain’s purpose and its potential for harm. The remainder of the playbook formats key fields from the reputation results and presents them to the analyst in a note.

Deploying The Playbook

Here are the steps to get this playbook and use it:

  1. If you don’t already have Splunk SOAR, you can sign up and download the free community version

  2. Configure the Cisco Umbrella Investigate app on Splunk SOAR:

    1. Navigate to Home > Apps > Unconfigured Apps, search for “Cisco Umbrella Investigate” and click Configure New Asset
    2. Give the asset a name such as “umbrella_investigate”
    3. On the “Asset Settings” page, provide the API key from the Umbrella web application
  3. Choose and configure an email ingestion app, such as IMAP, Microsoft Exchange or GSuite for GMail

  4. Configure and activate the playbook:

    1. Navigate to Home > Playbooks and search for “suspicious_email_domain_enrichment”. If it isn’t there, click Update from Source Control and select the community repository to download the latest community playbooks
    2. Click on the playbook name to open it
    3. Resolve the playbook import wizard by selecting the Cisco Umbrella Investigate asset you created above
    4. Set the label to email (or whichever label was chosen above in the email ingestion configuration)
    5. Set the playbook to Active
    6. Save the playbook

Taking It Further

This playbook starts the enrichment process for a suspicious email, but there are many possibilities for additional response. For instance, a domain whose risk score exceeds a chosen threshold could trigger a “block domain” or “delete email” action to stop the user from following a link in a phishing email. Similarly, endpoint protection tools could be queried for activity on a potentially affected endpoint, to catch users who may already have followed the link and been exposed to credential theft or client-side malware. We have another community playbook that uses the Network Resolution and Web data models in Splunk Enterprise to search for web traffic related to a phishing email, which is a natural complement to this one.
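The following is an added example, not the community playbook’s own code and not a Splunk SOAR playbook (it does not use the phantom API). It mirrors the logic described in the playbook section above in plain Python: extract email addresses from the event text with a regular expression, merge their domains with the domains assumed to have come from ingestion artifacts, normalize and deduplicate them so no domain is queried twice, and then build the analyst note and apply the risk-score threshold discussed in this section. The event text, the artifact domains, the reputation results and the 0–100 score scale are all constructed for the example; the reputation dictionary stands in for whatever the Umbrella Investigate lookup returns and does not reproduce Umbrella’s response format.

```python
import re
from collections import OrderedDict

# Constructed sample event text (headers plus body). Not a real message.
SAMPLE_EVENT_TEXT = """From: "Payroll" <hr-update@secure-login-portal.example>
To: jane.doe@corp.example
Subject: Action required: verify your account
Reply-To: noreply@Secure-Login-Portal.example.

Please sign in at https://secure-login-portal.example/verify within 24 hours,
or contact support@corp.example.
"""

# Constructed stand-in for domains the email ingestion app extracted into
# artifacts. Mixed case and a trailing dot are included on purpose to show
# why normalization is needed before deduplication.
SAMPLE_ARTIFACT_DOMAINS = ["corp.example", "cdn.tracking-example.net", "IMG.example.org."]

# Constructed stand-in for reputation lookups, keyed by normalized domain.
# The fields and the 0-100 score scale (higher = riskier) are assumptions for
# this example, not Umbrella Investigate's actual response format.
SAMPLE_REPUTATION = {
    "secure-login-portal.example": {"risk_score": 91, "status": "malicious", "categories": ["Phishing"]},
    "corp.example": {"risk_score": 3, "status": "benign", "categories": ["Business Services"]},
    "cdn.tracking-example.net": {"risk_score": 42, "status": "unknown", "categories": []},
}

# Email address pattern; group 1 captures the domain part only.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def extract_email_domains(text):
    """Return the domain of every email address found in text, in first-seen order."""
    return [m.group(1) for m in EMAIL_RE.finditer(text)]


def normalize_domain(domain):
    """Lower-case and strip whitespace and a trailing dot so equivalent names collapse."""
    return domain.strip().rstrip(".").lower()


def merge_domains(*domain_lists):
    """Merge several domain lists into one normalized, deduplicated, ordered list."""
    seen = OrderedDict()
    for domains in domain_lists:
        for domain in domains:
            seen.setdefault(normalize_domain(domain), None)
    return list(seen)


def triage(domains, reputation, block_threshold=70):
    """Build analyst note lines and flag domains at or above the block threshold.

    A domain with no reputation result is reported as unknown rather than
    silently dropped, so the analyst never mistakes "no data" for "safe".
    Returns (note_lines, high_risk_domains).
    """
    note_lines = []
    high_risk = []
    for domain in domains:
        result = reputation.get(domain)
        if result is None:
            note_lines.append(f"{domain}: no reputation result (treat as unknown, not safe)")
            continue
        score = result.get("risk_score")
        categories = ", ".join(result.get("categories") or []) or "uncategorized"
        note_lines.append(
            f"{domain}: score={score} status={result.get('status')} categories={categories}"
        )
        if score is not None and score >= block_threshold:
            high_risk.append(domain)
    return note_lines, high_risk


def run_sample():
    """Run the whole flow over the constructed sample; returns (domains, note, high_risk)."""
    domains = merge_domains(extract_email_domains(SAMPLE_EVENT_TEXT), SAMPLE_ARTIFACT_DOMAINS)
    note_lines, high_risk = triage(domains, SAMPLE_REPUTATION)
    return domains, note_lines, high_risk


if __name__ == "__main__":
    sample_domains, note, flagged = run_sample()
    print("Domains queried:", sample_domains)
    print("\n".join(note))
    print("Candidates for block/delete action:", flagged)
```

The threshold value is a tuning decision: set it from your own false-positive tolerance, and keep the “no reputation result” branch separate from the low-score branch so that gaps in intelligence coverage do not look like clean verdicts.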

This blog is part of a series called “SOAR in Seconds,” where our distinguished Splunk SOAR experts guide you through how to use out-of-the-box playbooks and other features to automate repetitive tasks.

----------------------------------------------------
Thanks!
Philip Royer
