Playbook: Automate Malware Analysis from FireEye Email Alerts

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

Perhaps you’re getting alerts like this example:

Category: Malware.Binary.doc
Type: malware-object
File Hash : b2ca691912e267c2a014fd0241345f9b2
File Name: /3r9MOT3f7pz6HLJSX-1-shipping_5077025.doc

It’s a trigger for further investigation, and depending on the number of steps it could take 30 minutes or more to complete the work… each time you receive an alert.

This Phantom Playbook automates the analysis.  It’s triggered when an email malware alert is received from FireEye:

Automate Malware Analysis_FireEye Alert

Phantom first uses Splunk to query for all potential recipients, followed by collecting the profiles from all affected users via Active Directory.  Next, Phantom orchestrates hunt file actions in Carbon Black and iSight Partners before finishing the playbook with a file reputation check on VirusTotal and Cylance.  This information is presented back to the security team for further review and to aid in remediation.  The run time on this Phantom Playbook is under a minute.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

CP Morey
VP, Products & Marketing

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit:

One thought on “Playbook: Automate Malware Analysis from FireEye Email Alerts

Comments are closed.