Use this playbook to investigate misspelled domains and collaborate with the organization's legal department on take-downs. The following steps walk you through the actions, tasks, and subflows that are available in the Typo Squatted Domain playbook.
Before you begin
Role required:
sn_si.admin
flow_designer
Make sure you have installed Security Operations Spoke (sn_sec_spoke).
Procedure
When the playbook is triggered and starts executing, in Action 1, you need to check whether the observables have been added to the Security Incident Response (SIR) record.
If the observables haven't been added to SIR, add them before proceeding. If no observables are available, Action 10 is executed and the security incident is closed.
In Action 2, if the observables have been added to the security incident, the following actions are executed.
In Action 3, you need to attach the screenshot of the Typo Squatted domain to the security incident.
Figure 1. Typo Squatted Domain playbook
In Action 4, you need to attach the Whois information to the security incident.
In Action 5, based on the investigation done so far, the playbook checks whether this is a case of Typo Squatted domain or not.
If this isn’t a case of Typo Squatted domain, a manual response task is created in Action 5 and the flow ends.
In Action 6, if this is a case of Typo Squatted domain, then Action 7 is executed.
In Action 7, you need to email the Legal and other required teams, inform them that this is a case of Typo Squatted domain, and take the necessary actions to eradicate it.
Figure 2. Case of Typo Squatted Domain
In Action 9, a response task is created for you to complete the post-incident review before closing the task.
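As an added example (not code from the ServiceNow playbook or the Security Operations Spoke), one way an analyst can score the observables gathered in Actions 1 through 4 before making the Action 5 decision: compare each observable's second-level label with a monitored brand domain using Damerau-Levenshtein distance after folding common look-alike characters. The brand domain, the observable list, the homoglyph table and the distance thresholds are all assumed values.

```python
# Added example: typosquat triage over incident observables (assumed inputs,
# not code from the ServiceNow Typo Squatted Domain playbook).
MONITORED = "example.com"            # assumed brand domain being protected
OBSERVABLES = [                      # constructed sample observables from a SIR record
    "exmaple.com", "examp1e.com", "example.co", "unrelated-site.org", "example.com",
]
# Look-alike substitutions folded before comparison (both sides are folded the same way).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def normalize(label: str) -> str:
    """Lower-case a label and fold common look-alike characters."""
    out = label.lower()
    for src, dst in HOMOGLYPHS.items():
        out = out.replace(src, dst)
    return out

def second_level_label(domain: str) -> str:
    """Crude split: label left of the last dot (no public-suffix list; fine for these samples)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def classify(observable: str, monitored: str = MONITORED) -> str:
    """Return 'exact', 'likely-typosquat' or 'unrelated' for one observable."""
    if observable.lower().strip(".") == monitored.lower():
        return "exact"
    mon = normalize(second_level_label(monitored))
    dist = damerau_levenshtein(normalize(second_level_label(observable)), mon)
    threshold = 1 if len(mon) < 8 else 2   # short brand labels need a tighter bound
    # dist == 0 here means the same brand label under a different TLD (e.g. .co for .com)
    return "likely-typosquat" if dist <= threshold else "unrelated"

def triage(observables, monitored: str = MONITORED) -> dict:
    """Score every observable; the result supports, but does not replace, the Action 5 decision."""
    return {o: classify(o, monitored) for o in observables}
```

Call `triage(OBSERVABLES)` to get a verdict per observable; the screenshot and Whois evidence from Actions 3 and 4 still decide the case.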