Playbook Series: Evil Insiders

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about Phantom and Playbooks here.

The spotlight Playbook for today helps identify a possible inside job.  Not the ‘prison tatt’ variety, but the case when a breach committed by or with the assistance of a person working on the premises where it occurred.

Evil Insider Playbook

(Note: Products in diagram are for illustrative purposes. Phantom supports these & others.)


This scenario is fairly simple, but useful.  For every failed login attempt:

  • Identify the user and target system.
  • It the user has not successfully logged in to the system in the last 3 months, send a “suspicious login” email and open a ticket.

The savings are substantial for an organization that sees even an average volume of events.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition.

CP Morey

Posted by



Playbook Series: Evil Insiders

Show All Tags
Show Less Tags

Join the Discussion