Hi all,
I am writing phishing investigation playbook, I want to validate SPF, DKIM, and DMARC status for the sender domain on Google SecOps SOAR playbook. Is there any integration which supports this action?
Thanks!
Question
Is there any way to Validate SPF, DKIM, and DMARC status for the sender domain on SOAR
+3- Bronze 4
+14- Bronze 5
Hi
Does ‘Analyze Headers’ work for you?
Validates SPF, DMARC, ARC, and DKIM records in the email. It will also check to see if any of the relay servers are blocklisted by querying multiple RBLs and enrich them with geo-location and IP whois information. It accepts a JSON object containing a list of Email headers.
https://docs.cloud.google.com/chronicle/docs/soar/marketplace/power-ups/email-utilities#analyze-headers
Alternatively, if you just have a domain, you could look to use a service (ensuring it doesn’t break their TOS) that allows you to perform a lookup of a domain itself. For example, easydmarc.com/tools/dmarc-lookup?domain=DOMAINHERE.COM
and utilizing a playbook with a HTTP action to send a get request, changing the value after domain= to the domain you want to lookup.
Kind Regards,
Ayman
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.