Playbook Series: Phishing: Automate and Orchestrate Your Investigation and Response

Phishing emails are not a new type of threat to most security professionals, but dealing with the growing volume and potential impact of them require an innovative solution. Today’s entry to our Playbook Series focuses on automating your Incident Response (IR) workflow for this common threat.

The Phantom platform includes a sample playbook for phishing that can help you triage, investigate, and respond to phishing email threats. By using the Phantom platform, you can customize the playbook to automatically triage every inbound suspicious email in seconds. Moreover, by integrating the platform with your file analysis platform (i.e. sandbox) and threat intelligence services, you can analyze files and retrieve threat intelligence on the URLs, DNS domains, and IPs relating to a particular suspicious email. Finally, you can define logic sequences that, based on the investigation results, will take actions on your behalf to mitigate the threat or escalate the incident up to you for supervisory action.


phishing_playbook.pngA visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.


As shown in the above diagram, the Phantom platform ingests a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and triggers the Phishing playbook, automating 15 triage, investigation, and remediation steps:

  • file reputation – Query a threat intelligence service for a file’s reputation.
  • detonate file – Analyze the file in a sandbox and retrieve the analysis results.
  • hunt file – Look for instances of the file on managed endpoints.
  • get system attributes – Gets the attributes of a computer/system.
  • url reputation – Query a threat intelligence service for a URL’s reputation.
  • detonate url – Load a URL in a sandbox and retrieve the analysis results.
  • get screenshot – Get a screenshot of a rendered URL.
  • domain reputation – Query a threat intelligence service for a domain’s reputation.
  • ip reputation – Query a threat intelligence service for an IP’s reputation.
  • geolocate ip – Queries a geolocation service for an IP’s location information.
  • hunt url – Look for information about a URL that could reveal attribution information.
  • lookup ip – Query Reverse DNS records for an IP.
  • whois domain – Run a whois query on the given domain.
  • whois ip – Execute whois lookup on the given IP address.
  • delete email – Deletes an email from the email server.

The benefits of automating your phishing IR workflow are numerous:

  • Free up analysts to research the latest phishing tactics.
  • Increase the efficiency and productivity of your SecOps team.
  • Create a precise and repeatable process that allows you to accurately measure success.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition.

Chris Simmons

Posted by


Show All Tags
Show Less Tags