Playbook Series: Phishing: Automate and Orchestrate Your Investigation and Response

Security Splunk

Phishing emails are not a new type of threat to most security professionals, but dealing with the growing volume and potential impact of them require an innovative solution. Today’s entry to our Playbook Series focuses on automating your Incident Response (IR) workflow for this common threat.

The Phantom platform includes a sample playbook for phishing that can help you triage, investigate, and respond to phishing email threats. By using the Phantom platform, you can customize the playbook to automatically triage every inbound suspicious email in seconds. Moreover, by integrating the platform with your file analysis platform (i.e. sandbox) and threat intelligence services, you can analyze files and retrieve threat intelligence on the URLs, DNS domains, and IPs relating to a particular suspicious email. Finally, you can define logic sequences that, based on the investigation results, will take actions on your behalf to mitigate the threat or escalate the incident up to you for supervisory action.

A visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.

As shown in the above diagram, the Phantom platform ingests a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and triggers the Phishing playbook, automating 15 triage, investigation, and remediation steps:

The benefits of automating your phishing IR workflow are numerous:

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.

----------------------------------------------------
Thanks!
Chris Simmons

Related Articles

Staff Picks for Splunk Security Reading July 2023
Security
3 Minute Read

Staff Picks for Splunk Security Reading July 2023

Welcome to the July 2023 edition of our Splunk staff picks blog, featuring a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Making Sense of the New SEC Cybersecurity Rules and What They Could Mean for Your Company
Security
2 Minute Read

Making Sense of the New SEC Cybersecurity Rules and What They Could Mean for Your Company

The United States Securities and Exchange Commission’s (SEC) July 26 approval of new cybersecurity 'incident' disclosure rules is top of mind for every public company, and understanding what it means and how companies will be held accountable is crucial.
Security Staff Picks To Read This Month, Handpicked by Splunk Experts
Security
2 Minute Read

Security Staff Picks To Read This Month, Handpicked by Splunk Experts

Our Splunk security experts share their favorite reads of the month so you can follow the most interesting, news-worthy, and innovative stories coming from the wide world of cybersecurity.