SECOPS
Phishing Mailbox Triage with IOC Enrichment
Watches a shared phishing-report inbox, extracts URLs, domains, and sender details from each reported email, and enriches them with reputation data.
How it runs
The automated pipeline, trigger to output.
- Trigger: New email in phishing-report inbox (Gmail)
- Action: Extract IOCs (URLs, domains, sender, hashes)
- Action: Enrich IOCs via threat-intel reputation API (HTTP webhook)
- Action: Score signals and write verdict (OpenAI)
- Logic: Branch on verdict severity
- Output: Post triage card to SOC channel (Slack)
What it does
Turns a noisy phishing@ mailbox into clean, ranked SOC tickets. For every forwarded report it pulls out the indicators of compromise (IOCs), checks them against threat-intel sources, and tells the analyst whether the message is malicious, suspicious, or benign — with the evidence attached.
When to use it
Run this when employees forward suspected phishing to a shared inbox and your team is hand-checking each one. It removes the copy-paste of URLs into lookup tools and gives a same-minute verdict so real threats surface fast.
How it works
1. A new email lands in the monitored Gmail phishing-report inbox and fires the trigger.
2. A parsing step extracts sender address, reply-to, embedded URLs, and attachment hashes into a structured IOC list.
3. Each URL and domain is checked against a reputation lookup over an HTTP threat-intel endpoint.
4. An LLM scores the combined signals and writes a short verdict (malicious / suspicious / benign) with reasoning.
5. A logic step branches on the verdict to set channel urgency.
6. A formatted triage card (verdict, IOCs, and recommended action) is posted to the SOC Slack channel.
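The six steps above as one runnable sketch, added for this page and not the vendor's workflow code: it parses a constructed report, extracts the IOCs, enriches domains against a small in-memory reputation table standing in for the HTTP threat-intel endpoint, scores the signals with fixed rules standing in for the LLM, and maps the verdict to channel urgency. The sample domains, file names and function names are assumptions.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed stand-in for the HTTP threat-intel reputation lookup (step 3).
REPUTATION = {"login-verify.invalid": "malicious"}
URGENCY = {"malicious": "high", "suspicious": "medium", "benign": "low"}

def build_sample_report() -> bytes:
    """Constructed report: spoofed helpdesk, mismatched Reply-To, bad link, .exe."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example-corp.invalid>"
    msg["Reply-To"] = "support@login-verify.invalid"
    msg.set_content("Reset now: http://login-verify.invalid/reset?u=42\n"
                    "Help: https://intranet.example-corp.invalid/help")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

def extract_iocs(raw: bytes) -> dict:
    """Step 2: sender, reply-to, URLs, domains and attachment SHA-256 hashes."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = sorted(set(URL_RE.findall(body.get_content() if body else "")))
    return {
        "sender": msg["From"].addresses[0].addr_spec if msg["From"] else "",
        "reply_to": msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else "",
        "urls": urls,
        "domains": sorted({urlparse(u).hostname for u in urls}),
        "attachments": [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True)).hexdigest())
                        for p in msg.iter_attachments()],
    }

def triage(iocs: dict, reputation: dict = REPUTATION) -> dict:
    """Steps 3-5: enrich each domain, score the combined signals, branch on severity."""
    hits = {d: reputation[d] for d in iocs["domains"] if d in reputation}
    reasons = [f"{d} rated {v} by threat intel" for d, v in hits.items()]
    sender_dom, reply_dom = (a.rpartition("@")[2] for a in (iocs["sender"], iocs["reply_to"]))
    if reply_dom and reply_dom != sender_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from sender domain {sender_dom}")
    if any(n.lower().endswith((".exe", ".scr", ".js")) for n, _ in iocs["attachments"]):
        reasons.append("executable attachment")
    verdict = "malicious" if "malicious" in hits.values() else "suspicious" if reasons else "benign"
    return {"verdict": verdict, "urgency": URGENCY[verdict], "reasons": reasons}
```

The returned dict is what step 6 would render into the Slack triage card; swapping `REPUTATION` for a real lookup and `triage` for the LLM prompt keeps the same shape.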
Set it up
What you configure once, before turning it on.
1. Connect Gmail: read, draft, send, label.
2. Connect HTTP webhook: trigger any URL on agent actions.
3. Connect OpenAI: models, embeddings, files.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.