We have another exciting partner and community playbook lined up for the Tech Session this week! We are featuring a new Phantom app that integrates with PhishMe’s Phishing Defense Cloud. We talk often about the depth, or completeness, of Phantom apps. The PhishMe app is no exception, providing seven actions that span ingestion as well as investigation. In addition to the range of actions, the results these actions return are rich with contextual information that is useful for pivoting as the playbook executes.
Join the session tomorrow to learn about these actions:
- on poll — Action to ingest threats
- get report — Get threat details
- hunt domain — Look for information about a domain
- hunt ip — Look for information about an IP
- hunt file — Look for information about a file
- hunt url — Look for information about a URL
- test connectivity — Validate the asset configuration for connectivity
We have built a useful triage and response playbook that leverages the PhishMe app in several ways. The playbook is triggered by the ingestion of intelligence from PhishMe. Ingestion occurs through the on poll action, which polls on a configurable time interval. The threat data is stored as artifacts in Phantom, organized by data type (IP, domain, URL, file hash), as shown below.
Each artifact carries a severity that has been set by PhishMe, and the playbook starts by pivoting on this value. If any artifact has a severity of ‘High,’ the playbook pulls the full report from the PhishMe cloud service and creates a ticket that stores the report information. The playbook then blocks every high-severity indicator (e.g. IP, domain, URL, file hash) and updates the previously created ticket. To close out that Course of Action (COA), the container severity is set to ‘High’ and the container is closed.
An alternate course of action is taken if no ‘High’ severity artifacts were ingested. This logic lives in the decision block at the beginning of the playbook. When no artifact is high severity, the playbook runs an automated investigation of the indicators through a series of reputation lookups. The reputation results are checked for the number of positives returned. If the ‘positives’ count exceeds a configured threshold, the container severity is set to ‘High,’ indicating that escalation is required; the container is left open rather than closed, since a human still needs to act on it.
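The two courses of action above, written out as a small stand-alone model so the decision logic can be read and tested outside the platform. This is an added example, not the PhishMe app or the community playbook itself: the artifact fields, the constructed report and reputation data, the `fetch_report`/`lookup_reputation` helpers and the action names recorded in the log are all assumptions made for illustration, and a real playbook would call the corresponding app actions (get report, hunt ip, and so on) instead.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Artifact and container fields are modelled after what an ingest action
# produces; the exact names are an assumption, not the app's schema.
@dataclass
class Artifact:
    threat_id: str
    data_type: str   # "ip", "domain", "url" or "file_hash"
    value: str
    severity: str    # as assigned by the intelligence source, e.g. "High"

@dataclass
class Container:
    artifacts: List[Artifact]
    severity: str = "Medium"
    status: str = "open"
    actions: List[Tuple] = field(default_factory=list)  # ordered log of actions taken

# Constructed stand-ins for the report fetch and reputation lookups.
CONSTRUCTED_REPORTS = {"T-1001": "full report text for T-1001"}
CONSTRUCTED_REPUTATION = {           # indicator value -> number of positives
    "198.51.100.7": 12,
    "example.test": 0,
    "http://example.test/login": 1,
}

def fetch_report(threat_id: str) -> str:
    return CONSTRUCTED_REPORTS.get(threat_id, "")

def lookup_reputation(value: str) -> int:
    return CONSTRUCTED_REPUTATION.get(value, 0)

def triage(container: Container,
           positives_threshold: int = 3,
           get_report: Callable[[str], str] = fetch_report,
           reputation: Callable[[str], int] = lookup_reputation) -> str:
    """Run the playbook's decision block and return which COA was taken."""
    high = [a for a in container.artifacts if a.severity.lower() == "high"]

    if high:
        # COA 1: pull the report, ticket it, block each high indicator,
        # update the ticket, then mark the container High and close it.
        threat_ids = sorted({a.threat_id for a in high})
        for tid in threat_ids:
            container.actions.append(("get report", tid, get_report(tid)))
        container.actions.append(("create ticket", tuple(threat_ids)))
        for a in high:
            container.actions.append(("block", a.data_type, a.value))
        container.actions.append(("update ticket", tuple(threat_ids)))
        container.severity = "High"
        container.status = "closed"
        return "block"

    # COA 2: automated investigation. Look up every indicator and keep the
    # worst positives count; only escalate when it strictly exceeds the threshold.
    worst = 0
    for a in container.artifacts:
        positives = reputation(a.value)
        container.actions.append(("reputation", a.data_type, a.value, positives))
        worst = max(worst, positives)
    if worst > positives_threshold:
        container.severity = "High"   # escalation required; container stays open
        return "escalate"
    return "investigated"

if __name__ == "__main__":
    c = Container([Artifact("T-1001", "ip", "198.51.100.7", "High"),
                   Artifact("T-1001", "domain", "example.test", "Low")])
    print(triage(c), c.severity, c.status)
    for entry in c.actions:
        print(" ", entry)
```

The threshold comparison is the part worth reviewing in a real deployment: a count of positives from aggregated reputation sources is a coarse signal, so the value you pick decides how often COA 2 escalates, and COA 1 blocks purely on the severity assigned upstream, so the block step deserves an approval gate if that source is ever wrong.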
Community users will have access to this playbook and will be able to modify or extend it to fit their use case or environment. Keep us up to date on any new playbooks you have in mind that can leverage the new PhishMe App! You can contact us here at Phantom using our community Slack channel.
Please join us this Friday, April 7, 2017 at 12:00 PM ET / 9:00 AM PT to learn more about this exciting new integration between the Phantom platform and the PhishMe Phishing Defense Cloud. Mike Saurbaugh, Director of Technical Alliances at PhishMe, will join Phantom for this session.
Register for the session today!