Suspected phishing email alerts arrive from a range of detection sources, such as SIEMs and logging services, and from end users who forward emails they believe to be malicious. Mindflow aggregates the suspected phishing emails and immediately warns the affected end users about the potentially malicious messages. It then assigns an incident severity and checks for reputational red flags by extracting the email's headers and content (the subject, sender address, URLs, and attachments) and cross-referencing them against external threat intelligence databases.
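The triage step described above, extracting headers and content from a forwarded message, cross-referencing them against threat intelligence, and assigning a severity, as an added example. This is not Mindflow's code or playbook logic; it parses a constructed `.eml` with Python's standard `email` library, and the `INTEL` sets, scoring weights and severity thresholds are assumptions standing in for an external reputation lookup and a vendor's scoring model.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real incident): a forwarded "invoice" lure
# with a credential-harvesting link and a small attachment. Every domain,
# address and file here is made up for the example.
SAMPLE_EML = b"""From: "Accounts Payable" <billing@examp1e-invoices.test>
Reply-To: collect@payments-now.test
To: user@example.test
Subject: URGENT: Overdue invoice #4471
Date: Mon, 01 Jan 2024 09:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice today at http://payments-now.test/login
or your account will be suspended.

--b1
Content-Type: application/octet-stream; name="invoice.iso"
Content-Disposition: attachment; filename="invoice.iso"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--b1--
"""

# Constructed stand-in for an external threat intelligence lookup. A real
# playbook would query a reputation service; here the "known bad" sets are
# hard-coded (the hash is SHA-256 of the sample attachment's bytes).
INTEL = {
    "domains": {"payments-now.test"},
    "sha256": {"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"},
}

# Container/script extensions commonly used to smuggle payloads past mail filters.
RISKY_EXTENSIONS = (".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".scr")
URGENCY_WORDS = ("urgent", "overdue", "suspended", "immediately")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _domain(addr) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    _, address = parseaddr(str(addr or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def extract_indicators(raw: bytes) -> dict:
    """Pull the header and content fields a phishing playbook cross-references."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename() or "",
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return {
        "subject": str(msg["subject"] or ""),
        "from_domain": _domain(msg["from"]),
        "reply_to_domain": _domain(msg["reply-to"]),
        "urls": sorted(set(URL_RE.findall(body))),
        "attachments": attachments,
    }


def score_phishing(ind: dict, intel: dict = INTEL) -> tuple:
    """Additive scoring (assumed weights); returns (severity, reasons)."""
    score, reasons = 0, []
    if ind["reply_to_domain"] and ind["reply_to_domain"] != ind["from_domain"]:
        score += 1
        reasons.append("reply-to domain differs from sender domain")
    if ind["from_domain"] in intel["domains"]:
        score += 3
        reasons.append("sender domain on threat intel list")
    for url in ind["urls"]:
        host = (urlparse(url).hostname or "").lower()
        if host in intel["domains"]:
            score += 3
            reasons.append(f"URL host on threat intel list: {host}")
    for att in ind["attachments"]:
        if att["sha256"] in intel["sha256"]:
            score += 4
            reasons.append(f"attachment hash known malicious: {att['filename']}")
        if att["filename"].lower().endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append(f"risky attachment type: {att['filename']}")
    if any(w in ind["subject"].lower() for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language in subject")
    if score >= 7:
        severity = "critical"
    elif score >= 4:
        severity = "high"
    elif score >= 2:
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons


if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_EML)
    print(score_phishing(indicators))
```

The attachment is hashed from its decoded bytes rather than from the base64 text, since that is the form a threat intelligence or sandbox service indexes; a Reply-To that points somewhere other than the From domain is scored on its own because it survives even when the sender domain is a clean look-alike.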
Mindflow ingests threat feed data and queries an endpoint detection tool for malicious indicators such as SHA1, MD5, and SHA256 file hashes, together with the machine and endpoint names on which they were seen. It then cross-references the retrieved files and hashes against SIEM data to determine whether any of the indicators have already been collected and resolved by SIEM actions, and notifies analysts of those that have.
For indicators the SIEM has not picked up, Mindflow uses the same endpoint tool to run queries across multiple endpoints that kill the malicious processes and remove the infected files. After the queries have run, Mindflow updates the endpoint tool's database with the new indicator information so that repeat infections are blocked.
After receiving a potential threat notification from a vulnerability management tool, Mindflow correlates the alert with data from other relevant security tools and adds notes about the newly collected data. It also queries the vulnerability management tool for the vulnerability's diagnosis, impact, and remediation guidance.
Any vulnerability context found is added to the incident data. Mindflow calculates the incident severity from the collected context and hands control to security analysts for manual investigation and remediation of the vulnerability.
Mindflow ingests data from SIEMs, mailboxes, malware analysis tools, and threat intelligence feeds, and extracts any files that need to be detonated. It uploads each file to the malware analysis tool, which detonates it and generates a report. If the file is found to be malicious, Mindflow updates the relevant watchlists and takes further steps, such as quarantining infected endpoints, opening tickets, and reconciling the finding with data from other third-party threat feeds.
Mindflow ingests a list of indicators of compromise delivered as an attached CSV or text file and extracts the indicators it contains (such as IPs, URLs, and hashes). It then hunts for the extracted indicators on whichever threat intelligence tools are deployed. Where applicable, Mindflow also checks endpoints to identify whether any of the malicious indicators has compromised an endpoint. If any threat intelligence tool flags an indicator as malicious, Mindflow updates the databases and watchlists of the other tools.
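The ingestion and endpoint check described above, as an added example rather than Mindflow's own code: it parses a constructed IOC attachment, refangs defanged entries (`hxxp`, `[.]`), classifies each indicator by type, and then matches the result against constructed endpoint telemetry of the kind an EDR query would return. The file contents, the `SAMPLE_TELEMETRY` records and their field names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed IOC attachment (not a real feed): a header row followed by
# defanged and plain indicators of mixed types, as an analyst might paste them
# from a report into a CSV. All values are made up.
SAMPLE_IOC_FILE = """indicator,type,source
198.51.100.23,ipv4,feed-a
hxxp://malicious-update[.]test/payload.bin,url,feed-a
deadbeefdeadbeefdeadbeefdeadbeef,md5,feed-b
c0ffee00c0ffee00c0ffee00c0ffee00c0ffee00c0ffee00c0ffee00c0ffee00,sha256,feed-b
evil-cdn[.]test,domain,feed-c
"""

# Constructed endpoint telemetry standing in for an EDR query result:
# one recent process hash and one recent network destination per host.
SAMPLE_TELEMETRY = [
    {"host": "WS-0042", "sha256": "c0ffee00" * 8, "dst_ip": "203.0.113.9",
     "domain": "updates.example.test"},
    {"host": "WS-0107", "sha256": "1" * 64, "dst_ip": "198.51.100.23",
     "domain": "evil-cdn.test"},
    {"host": "SRV-DB01", "sha256": "2" * 64, "dst_ip": "203.0.113.10",
     "domain": "intranet.example.test"},
]

URL_RE = re.compile(r"https?://[^\s,\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_LENGTHS = (("md5", 32), ("sha1", 40), ("sha256", 64))


def refang(text: str) -> str:
    """Undo the common defanging conventions so indicators can be matched."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def extract_iocs(text: str) -> dict:
    """Classify every indicator in free text or CSV into typed sets."""
    text = refang(text)
    iocs = {k: set() for k in ("ipv4", "url", "domain", "md5", "sha1", "sha256")}
    iocs["url"].update(u.rstrip(".)") for u in URL_RE.findall(text))
    # Remove URLs before the domain pass so path segments like "payload.bin"
    # are not mistaken for hostnames; hosts are taken from the parsed URLs.
    residue = URL_RE.sub(" ", text)
    for ip in IPV4_RE.findall(residue):
        if all(int(octet) <= 255 for octet in ip.split(".")):
            iocs["ipv4"].add(ip)
    for name, length in HASH_LENGTHS:
        # \b on both sides keeps a SHA-256 from also matching as an MD5 prefix.
        pattern = rf"\b[0-9a-fA-F]{{{length}}}\b"
        iocs[name].update(h.lower() for h in re.findall(pattern, residue))
    iocs["domain"].update(d.lower() for d in DOMAIN_RE.findall(residue))
    for url in iocs["url"]:
        host = urlparse(url).hostname
        if host and not IPV4_RE.fullmatch(host):
            iocs["domain"].add(host.lower())
    return iocs


def find_compromised(iocs: dict, telemetry: list) -> dict:
    """Map each host whose telemetry touches an IOC to the indicators it hit."""
    hits = {}
    for rec in telemetry:
        matched = set()
        if rec.get("sha256", "").lower() in iocs["sha256"]:
            matched.add(rec["sha256"])
        if rec.get("dst_ip") in iocs["ipv4"]:
            matched.add(rec["dst_ip"])
        if rec.get("domain", "").lower() in iocs["domain"]:
            matched.add(rec["domain"])
        if matched:
            hits[rec["host"]] = matched
    return hits


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_IOC_FILE)
    for kind, values in found.items():
        print(kind, sorted(values))
    print(find_compromised(found, SAMPLE_TELEMETRY))
```

The classifier deliberately ignores the `type` column and re-derives each indicator's type from its shape, because analyst-supplied CSVs are frequently mislabeled or have no header at all; the same function therefore works on a plain text dump. Hashes are lower-cased before matching so a feed that publishes upper-case hex still hits telemetry that stores lower-case.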