Playbook Series: The evolution of the Phishing playbook

As we approach the one-year anniversary of the Phantom security automation and orchestration platform, we wanted to look back at how new releases of the platform have enabled more sophisticated playbooks. The Phishing playbook is a great example of how new platform developments have lifted the barriers to security automation.

  • Decision Blocks – The ability to insert conditional blocks into the workflow has allowed playbooks to better model real-world decision making, choosing the course of action that is most appropriate for a given scenario. For example, the Phishing playbook evolved to get file reputation from a threat intelligence source and to submit the file for dynamic analysis if the file was previously unknown.
  • Human In/On/Out-of-the-Loop Workflows – Teams often want the ability to participate in automation workflows. By combining decision blocks with user interactivity, you can interact with the workflow only if criteria are met. The Phishing playbook can be easily modified to support the level of interactivity desired.
  • App Integrations – Over the past year we have greatly increased the number of app integrations, adding new tools that integrate naturally with the Phishing playbook.

A visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.

These are just a few of the changes that the Phishing playbook and the Phantom platform have experienced as they have evolved over the past year. Please join us this Friday (December 2 @ Noon ET / 9 AM PT), when we will cover the year-long evolution of the Email Phishing playbook and the Phantom platform.

You can register for the Tech Session here.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.