agent hive
Join the Waitlist

SECOPS

Phishing Webhook Intake and Investigation Log

Accepts phishing reports from a mail-gateway or browser-extension webhook, enriches the IOCs, has an agent draft an investigation writeup.

CategorySecOps
Enginepaperclip
Difficultyintermediate
Triggerwebhook
Steps6
Setup~15 min

How it runs

The automated pipeline, trigger to output.

  • TriggerInbound phishing report webhookHTTP webhook
  • ActionParse and normalize IOCs from payload
  • ActionEnrich IOCs via reputation APIHTTP webhook
  • ActionAgent drafts findings and containmentOpenAI
  • ActionFile structured case in security logNotionNotion
  • OutputPost case heads-up to SOC channelSlack

What it does

Receives machine-submitted phishing reports (from a secure email gateway, browser plugin, or SIEM) via webhook and produces a documented investigation. An agent reviews the enriched IOCs, writes findings and recommended containment, and records a structured case in your Notion security log.

When to use it

Use this when reports arrive programmatically rather than from a human inbox, and you keep a searchable investigation record in Notion. Good for teams that want every report to leave an auditable case file with analyst-ready narrative, not just raw indicators.

How it works

  1. 1An inbound webhook delivers a phishing report payload (sender, URLs, headers, recipient).
  2. 2A parsing step extracts and normalizes the IOCs from the payload.
  3. 3The IOCs are enriched against a reputation API over HTTP.
  4. 4An agent reviews the enriched evidence, writes findings, a verdict, and recommended containment steps.
  5. 5A structured case page — IOC table, narrative, and containment checklist — is created in the Notion security log.
  6. 6A short heads-up with the case link is posted to the SOC Slack channel.

Set it up

What you configure once, before turning it on.

  1. 1
    Connect HTTP webhookTrigger any URL on agent actions.
  2. 2
    Connect OpenAIModels, embeddings, files.
  3. 3
    Connect NotionPages, databases, comments.
  4. 4
    Connect SlackChannels, DMs, threads, mentions.
  5. 5
    Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
  6. 6
    Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
  7. 7
    Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More SecOps workflows

Scheduled AWS Access-Key Age Sweep and Forced Rotation

Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.

Correlate Datadog WAF anomaly alert with Cloudflare evidence

When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.

Exposed-Secret Incident Triage and Remediation Agent

An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.

Non-Rotatable Leaked Secret to PagerDuty Escalation

Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.

GitHub Secret-Scan Hit to Auto-Revoke and Rotate

When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.

Post-Revocation Verification and Audit Logging

After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.

Browse all SecOps

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the WaitlistBrowse all workflows