Playbook Series: 30 Minutes to 40 Seconds at The Blackstone Group

Today’s post continues an ongoing series on Playbooks; which Phantom uses to automate and orchestrate your security operations plan.

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will, are synchronized via Git, and published on our public community GitHub repository.   You can read more about Phantom and Playbooks here.

The spotlight Playbook for today comes from one of our customers, The Blackstone Group.  It’s a simple example with a great ROI.  With Phantom, The Blackstone Group automated a manual process that took 30 minutes or more each time, down to 40 seconds!  Here’s how they did it:

Blackstone Playbook

In this scenario, a high fidelity alert is generated with Splunk which triggers Phantom to launch a Playbook automating the following actions:

  • Connect with Carbon Black and perform a “hunt file” action which will hunt for a file on the network by querying for a hash of the file on the Carbon Black device.
  • Next, Phantom connects to VirusTotal to perform a “file reputation” lookup which in essence queries VirusTotal for any file reputation information.
  • Finally, Phantom performs a query of VirusTotal for URL reputation information.

This information is brought back into Phantom and presented to the analyst for further analysis.  This further analysis, as well as any additional actions, can also be automated within a Playbook.  For example, you could block the file hash within Active Directory.

You can see how Playbooks and Security Automation can give back time in your day.  Who couldn’t use extra time?  The Blackstone Group said it best, “Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.”

The savings are substantial for an organization that sees even an average volume of events.   You can read more about the ROI of Automation & Orchestration here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.  Interested in a Playbook we haven’t already covered?  Submit your request for future coverage.

Ken Schar
Security Engineering

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: