Email Security · Polling trigger · 59 actions

Suspicious Email Triage with EDR Correlation

Multi-tool email triage that cross-references threat intel with CrowdStrike endpoint detections.

Integrates with
CrowdStrike Falcon, EmailRep, Jira, URLScan.io, VirusTotal

Overview

A tier-2 triage playbook for suspicious emails that goes beyond URL and attachment scanning. It cross-references the findings with CrowdStrike Falcon endpoint detections to see if the indicators have already been seen on your network, then creates a Jira ticket with the full investigative timeline.

Who this is for: Tier-2 and tier-3 SOC analysts investigating potentially active phishing attacks

Why automate this

The real question for a suspicious email isn't 'is this URL malicious?'. It's 'have any of our endpoints already reached out to this URL?'. This playbook answers that by correlating email IOCs with CrowdStrike telemetry, turning passive email triage into active breach hunting.

How it works

  1. Retrieve the suspicious email metadata and content

  2. Check sender reputation with EmailRep

  3. Scan all URLs with URLScan.io

  4. Hash and analyze attachments with VirusTotal

  5. Query CrowdStrike Falcon for endpoint detections matching the IOCs

  6. Correlate email indicators with endpoint activity

  7. Build an investigative timeline with all findings

  8. Create a Jira ticket with the full triage report

  9. Notify the security team in Slack
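The core of steps 4 through 7 is indicator extraction, correlation against endpoint telemetry and timeline assembly. The following is an added example written for this page, not code from the playbook or from any vendor SDK: it extracts domains and attachment hashes from a constructed sample email, matches them against constructed EDR detection records (the record shape is an assumption, not the CrowdStrike Falcon API schema), discards endpoint activity that predates email delivery so it is not misattributed to the email, and emits the ordered timeline and affected-host list a Jira ticket would carry.

```python
"""Correlate email-derived IOCs with EDR detection records and build a timeline.

Added example for the playbook page above; not part of the page or of any vendor
SDK. All data is constructed, and the detection record shape is an assumption
rather than the CrowdStrike Falcon API schema.
"""
import hashlib
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample email (assumption: already fetched from the mail platform).
SAMPLE_EMAIL = {
    "message_id": "<example-1@mail.example>",
    "sender": "billing@invoice-portal.example",
    "received_at": "2024-05-01T09:12:00Z",
    "body": "Your invoice is ready: http://invoice-portal.example/view?id=77 "
            "Also see https://docs.example.org/help",
    "attachments": [
        {"name": "invoice.pdf", "data": b"%PDF-1.4 constructed sample bytes"},
    ],
}

# Constructed EDR detection records (assumption: a generic EDR export shape).
SAMPLE_DETECTIONS = [
    {"host": "WS-0142", "time": "2024-05-01T09:40:21Z", "type": "dns",
     "value": "invoice-portal.example"},
    {"host": "WS-0142", "time": "2024-05-01T09:40:25Z", "type": "sha256",
     "value": hashlib.sha256(b"%PDF-1.4 constructed sample bytes").hexdigest()},
    {"host": "WS-0200", "time": "2024-05-01T08:00:00Z", "type": "dns",
     "value": "docs.example.org"},  # before the email arrived: not attributable
    {"host": "WS-0311", "time": "2024-05-01T10:05:00Z", "type": "dns",
     "value": "unrelated.example"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def extract_iocs(email):
    """Return normalised indicators: URL hostnames, attachment SHA-256s, sender."""
    domains = set()
    for url in URL_RE.findall(email["body"]):
        host = urlparse(url).hostname
        if host:
            domains.add(host.lower())
    hashes = {hashlib.sha256(a["data"]).hexdigest() for a in email["attachments"]}
    return {"domain": domains, "sha256": hashes, "sender": {email["sender"].lower()}}


def correlate(email, detections):
    """Match EDR records to the email's IOCs, keeping only activity at or after delivery."""
    iocs = extract_iocs(email)
    delivered = parse_ts(email["received_at"])
    matches = []
    for d in detections:
        kind = "domain" if d["type"] == "dns" else d["type"]
        if d["value"].lower() in iocs.get(kind, set()) and parse_ts(d["time"]) >= delivered:
            matches.append(d)
    return matches


def build_timeline(email, matches):
    """Chronological events: delivery first, then each matching endpoint hit."""
    events = [{"time": email["received_at"], "event": "email delivered",
               "detail": email["sender"]}]
    for m in matches:
        events.append({"time": m["time"], "event": f"endpoint {m['host']} {m['type']} hit",
                       "detail": m["value"]})
    return sorted(events, key=lambda e: parse_ts(e["time"]))


def triage_report(email, detections):
    """Assemble the report body a ticket would carry: IOCs, hosts, severity, timeline."""
    matches = correlate(email, detections)
    hosts = sorted({m["host"] for m in matches})
    return {
        "message_id": email["message_id"],
        "iocs": {k: sorted(v) for k, v in extract_iocs(email).items()},
        "affected_hosts": hosts,
        "severity": "high" if hosts else "low",
        "timeline": build_timeline(email, matches),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(SAMPLE_EMAIL, SAMPLE_DETECTIONS), indent=2))
```

The delivery-time cutoff is the part worth copying: a host that resolved a domain hours before the email arrived is not evidence that the email was acted on, and without that filter a benign link shared in the same message would pull unrelated hosts into the incident. The `severity` field is deliberately simple (any post-delivery endpoint hit escalates); a real playbook would also weigh the EmailRep, URLScan.io and VirusTotal verdicts.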

Impact

  • Detects active compromise triggered by the suspicious email

  • Correlates email and endpoint signals in one flow

  • Creates a single investigative artifact in Jira

  • Massively cuts investigation time for tier-2 analysts

Bring this playbook into your SOC

See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.
