Playbook Series: Hunt for Community-Sourced IOCs and Artifacts in Your Environment

Most security teams would love to be able to follow up on every Indicator of Compromise (IOC) or artifact that they receive from the security community at large. Whether the piece of intelligence comes from trusted circles or from threat intelligence providers, the reality today is that security teams have many more “tips” than they have time to adequately investigate. The teams often have to prioritize their threat hunting activities, leading to the possibility of missing the crucial tip that would have led to the prevention of a successful attack.

The scenario described above highlights the power of Phantom security automation and orchestration. The Phantom platform can receive community-based intelligence and automatically execute enrichment and threat hunting steps for every IOC and artifact within your environment. Phantom can eliminate intelligence that is not found in your environment. But more importantly, it can identify the threats that are present and begin an automated investigation and/or action playbook or escalate the intelligence up to a human analyst for further analysis and decision making.

Screenshot from the Phantom platform’s new visual playbook editor. The Threat Hunting playbook is just one of the many real-world samples available with Phantom 2.0.


As shown in the above diagram, the Phantom platform ingests threat intelligence from a community source and then triggers the Threat Hunting playbook, which automates the following steps:

  • Enrich an IOC/artifact with context from other threat intelligence sources
  • Search for the IOC/artifact in logs collected by the SIEM platform
  • Search for the IOC/artifact on managed endpoints in real time
  • Automatically dismiss intelligence items which are false positives
  • Automatically escalate intelligence items found within the local environment
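
The five playbook steps above, shown as added stand-alone Python; this is not Phantom playbook code and does not use the Phantom API. The IOCs, log lines, endpoint inventory, reputation scores and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data, not from the original page.
COMMUNITY_IOCS = [
    {"type": "ip", "value": "203.0.113.45"},
    {"type": "ip", "value": "198.51.100.7"},
    {"type": "domain", "value": "Updates.Example-Bad.test"},
    {"type": "sha256", "value": "A" * 64},
]
SIEM_LOGS = [
    "2024-05-01T10:02:11Z fw01 ALLOW src=10.0.4.17 dst=203.0.113.45 dport=443",
    "2024-05-01T10:03:09Z fw01 ALLOW src=10.0.4.9 dst=198.51.100.77 dport=80",
    "2024-05-01T10:05:40Z dns01 QUERY client=10.0.4.22 name=updates.example-bad.test.",
]
ENDPOINT_HASHES = {"ws-114": {"b" * 64}, "ws-201": {"a" * 64}}
REPUTATION = {"203.0.113.45": 90, "updates.example-bad.test": 75}  # hypothetical scores

def normalize(ioc):
    """Canonicalize so 'Updates.X.test' and 'updates.x.test.' compare equal."""
    value = ioc["value"].strip().lower().rstrip(".")
    if ioc["type"] == "ip":
        value = str(ipaddress.ip_address(value))
    return value

def search_logs(value):
    """Match whole log tokens; a substring search would hit 198.51.100.77 for .7."""
    hits = []
    for line in SIEM_LOGS:
        tokens = {t.rstrip(".") for t in re.split(r"[\s=,]+", line.lower())}
        if value in tokens:
            hits.append(line)
    return hits

def search_endpoints(value):
    """Return the hosts whose file-hash inventory contains the value."""
    return sorted(h for h, hashes in ENDPOINT_HASHES.items() if value in hashes)

def hunt(iocs):
    """Enrich, search SIEM logs and endpoints, then dismiss or escalate each IOC."""
    results = []
    for ioc in iocs:
        value = normalize(ioc)
        logs = search_logs(value)
        hosts = search_endpoints(value) if ioc["type"] == "sha256" else []
        verdict = "escalate" if logs or hosts else "dismiss"
        results.append({"ioc": value, "reputation": REPUTATION.get(value),
                        "log_hits": len(logs), "hosts": hosts, "verdict": verdict})
    return results
```

Normalizing before matching and comparing whole tokens are the two details that keep the dismiss step from discarding a real sighting or escalating a near-miss address.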

Automating this process in Phantom has several benefits, including:

  • Increased scalability—Follow up on every tip coming from your communities
  • Increased security—Never miss a real attack due to volume or workload
  • Increased efficiency—Save time by automating key context-gathering steps and provide a big-picture view to human analysts
  • Increased precision—Ensure your processes are handled accurately and consistently every time

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

Chris Simmons
Director, Product Marketing

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community playbooks can be fully customized and are synchronized via Git and published on our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: