Enrich Security Events with External Threat Intelligence

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Today’s post continues an ongoing series on Phantom playbooks; which the platform uses to automate and orchestrate your security operations plan. This example examines one of the sample playbooks included with the Phantom 2.0 platform release. 

Register for the upcoming webinar on Friday, October 21st at 12 PM EDT. Learn all about Phantom V2.0 and their extended coverage.

The Phantom platform can automatically gather threat intelligence for you and enrich inbound security events. With the added context on hand, you can reduce redundant steps in your investigations, achieve faster decision making, and improve your overall productivity.


As shown in the above diagram, the Phantom platform ingests a security event from your infrastructure and triggers the EventInvestigation playbook, automating 19 common investigation steps:

  • detonate file – Execute a file in a sandbox and retrieve the analysis results.
  • get file – Download a sample from a repository.
  • get file info – Retrieve information about a file.
  • detonate url – Load a URL in a sandbox and retrieve the analysis results.
  • domain reputation – Query a reputation service for domain reputation.
  • file reputation – Query a reputation service for file reputation.
  • ip reputation – Query a reputation service for IP reputation.
  • geolocate ip – Query a geolocation service for IP location.
  • hunt domain – Look for a domain in a threat intelligence database.
  • hunt file – Look for a file in a threat intelligence database.
  • hunt ip – Look for IP information within a threat intelligence database.
  • hunt url – Look for URL information within a threat intelligence database.
  • lookup domain – Query DNS records for a Domain or Host Name.
  • lookup ip – Query Reverse DNS records for an IP.
  • reverse domain – Find IPs that point to this domain and other domain names that share the same attributes.
  • reverse ip – Find domain names that share an IP.
  • url reputation – Query a reputation service for URL reputation.
  • whois domain – Run a whois query for the given domain.
  • whois ip – Execute a whois lookup on a given IP address.

The Phantom sample playbook, shown here supports many external sources of threat intelligence:

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Phantom
Phantom is the 1st purpose-built, community-powered security automation & orchestration platform that integrates existing products to provide a layer of “connective tissue” between them. Phantom executes digital “Playbooks” to achieve in seconds what may take hours to accomplish with the dozens of products enterprises use daily. Join the community at phantom.us/join.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?