Playbook Series: Enrich Security Events with External Threat Intelligence

Today’s post continues an ongoing series on Phantom playbooks; which the platform uses to automate and orchestrate your security operations plan. This example examines one of the sample playbooks included with the Phantom 2.0 platform release. 

The Phantom platform can automatically gather threat intelligence for you and enrich inbound security events. With the added context on hand you can reduce redundant steps in your investigations, achieve faster decision making, and improve your overall productivity.

VPE - Inestigate Playbook .pngScreenshot from the Phantom platform’s new visual playbook editor.

As shown in the above diagram, the Phantom platform ingests a security event from your infrastructure and triggers the Event Investigation playbook, automating 19 common investigation steps:

  • detonate file – Execute a file in a sandbox and retrieve the analysis results.
  • get file – Download a sample from a repository.
  • get file info – Retrieve information about a file.
  • detonate url – Load a URL in a sandbox and retrieve the analysis results.
  • domain reputation – Query a reputation service for domain reputation.
  • file reputation – Query a reputation service for file reputation.
  • ip reputation – Query a reputation service for IP reputation.
  • geolocate ip – Query a geolocation service for IP location.
  • hunt domain – Look for a domain in a threat intelligence database.
  • hunt file – Look for a file in a threat intelligence database.
  • hunt ip – Look for IP information within a threat intelligence database.
  • hunt url – Look for URL information within a threat intelligence database.
  • lookup domain – Query DNS records for a Domain or Host Name.
  • lookup ip – Query Reverse DNS records for an IP.
  • reverse domain – Find IPs that point to this domain and other domain names that share the same attributes.
  • reverse ip – Find domain names that share an IP.
  • url reputation – Query a reputation service for URL reputation.
  • whois domain – Run a whois query for the given domain.
  • whois ip – Execute a whois lookup on a given IP address.

The Phantom sample playbook shown here supports many external sources of threat intelligence:

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

One thought on “Playbook Series: Enrich Security Events with External Threat Intelligence

Comments are closed.