By Splunk June 08, 2016
Perhaps you've seen alerts like this example:
Device: 11.253.123.55
Category: Malware.Binary.doc
Type: malware-object
Sender: dougb@pdjskscomp.com
File Hash : b2ca691912e267c2a014fd0241345f9b2
File Name: /3r9MOT3f7pz6HLJSX-1-shipping_5077025.doc
It’s a trigger for further investigation, and depending on the number of steps your process has, it could take 30 minutes or more to complete the work--each time you receive an alert.
The Phantom Playbook below automates the analysis. It’s triggered when an email malware alert is received from FireEye:
Phantom first uses Splunk to query for all potential recipients, followed by collecting the profiles from all affected users via Active Directory. Next, Phantom orchestrates hunt file actions in Carbon Black and iSight Partners before finishing the playbook with a file reputation check on VirusTotal and Cylance. This information is presented back to the security team for further review and to aid in remediation. The run time on this Phantom Playbook is under a minute.
If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about Phantom and Playbooks here.
Interested in seeing how Phantom Playbooks can help your organization? Get the free Phantom Community Edition.
----------------------------------------------------
Thanks!
CP Morey