Playbook Series: Trigger a Playbook from an IOC

Today’s post continues an ongoing series on Playbooks; which Phantom uses to automate and orchestrate your security operations plan.

A simple script and Playbook can automatically post an IOC (e.g. IP address, file hash, etc.) to Phantom to kick off a Playbook.  Perhaps you want a Playbook to run an investigation when a specific file hash is detected.  Mark that Playbook active and let it do the investigation every time a new hash needs to be investigated.

Note: You can download the script and Playbook to use in your Phantom deployment.

Here are the steps to set up and use it:

  1. Create a new REST asset (Administration / Assets) on your Phantom instance (Product Vendor: Generic, Product Name: ‘REST Data Source’):
    • In the asset settings, chose ‘any’ as the IP of the host from where you want to post the hash since you want any user to be posting it.
    • Give the label (in Ingest Settings) section as ‘filehash’.
    • You can choose any label but remember to update the script to whatever label you give to the container.
  2. When you are done creating & saving the REST asset, you will get the Auth token on the ingest settings tab. Update the script to use this auth token.
  3. Also update the address of Phantom instance.
  4. To use the script, all you need to do is: python2.7 <hash>.
  5. Now on Phantom you should be able to see the filehash container.
  6. You can create your Playbook that does all the actions on cef.fileHash and mark it as active.
    • Once marked active it will automatically run every time a new hash is posted.
  7. The Playbook is simply doing a VirusTotal lookup and sending an email with the results.
    • Update the Playbook for whatever email address you want this result to go to.

Here is the email from this Playbook:

Screen Shot 2016-04-25 at 5.18.20 PM

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

Sourabh Satish
CTO & Co-Founder

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: