Playbook: Automatically Secure Compromised Accounts

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

Flashpoint gives their threat intelligence subscribers the ability to see compromised user names, passwords, email addresses, and other credentials.  This information can be ingested daily and distributed over email.

When an analyst receives an email from Flashpoint, the first step is to check the information against the organization’s known users to identify accounts that may have been compromised. Typically, this manual process includes opening the email, searching for the pertinent information, and then identifying, notifying, and disabling any compromised users. It’s a process that can consume a significant amount of time, and one that is well suited for automation.

With Phantom, Flashpoint intelligence can be ingested via email to trigger an Investigation Playbook automating the following steps:

  • Identify users who have been compromised
  • Obtain user attributes
  • Query for suspicious activity
  • Notify the user of the compromise
  • Force a password reset
  • Optionally disable the user account
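The decision logic behind these steps can be sketched in plain Python. This is an added example, not Phantom's playbook code or API and not Flashpoint's email format: the sample email, the directory, the `suspicious` set and the step names are all constructed assumptions.

```python
import re

# Constructed alert body; the real Flashpoint email layout is not shown on this page.
SAMPLE_EMAIL = """\
Compromised credentials observed:
alice@example.com:Winter2016!
BOB@Example.com:hunter2
mallory@other.org:letmein
carol@example.com:qwerty
alice@example.com:Winter2016!
"""

# Constructed directory standing in for the organization's user store.
DIRECTORY = {
    "alice@example.com": {"name": "Alice", "enabled": True},
    "bob@example.com": {"name": "Bob", "enabled": True},
    "carol@example.com": {"name": "Carol", "enabled": False},
}

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")

def extract_addresses(body):
    """Return unique, lower-cased addresses in first-seen order; leaked passwords are not kept."""
    seen = []
    for match in EMAIL_RE.findall(body):
        addr = match.lower()
        if addr not in seen:
            seen.append(addr)
    return seen

def plan_response(body, directory, suspicious=frozenset(), allow_disable=True):
    """Map each leaked address that belongs to a known user to ordered response steps.

    `suspicious` is the set of addresses for which an activity query (for example
    against a SIEM) returned hits; how that query is run is outside this sketch.
    """
    plan = {}
    for addr in extract_addresses(body):
        user = directory.get(addr)  # identify the user and obtain attributes
        if user is None:
            continue  # address does not belong to the organization
        if not user["enabled"]:
            plan[addr] = ["log_only"]  # account already disabled, nothing to reset
            continue
        steps = ["notify_user", "force_password_reset"]
        if allow_disable and addr in suspicious:
            steps.append("disable_account")  # the optional final step
        plan[addr] = steps
    return plan
```

Matching is case-insensitive and de-duplicated so that the same leaked address appearing twice in one email does not trigger two password resets.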

Flashpoint Phantom Playbook

Automating this process in Phantom has several benefits, including reducing the time to execution from minutes or hours down to seconds and ensuring the process is handled accurately and consistently every time.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community Playbooks can be customized at will; they are synchronized via Git and published on our public Community GitHub repository. You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

Rob Truesdell
Director, Product Management

About Phantom:

Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: