Playbook: Using Filters, Decision-Making Logic, Custom Lists, User Prompts, and Scheduled Actions

In May of 2017, Phantom’s Co-Founder and CTO Sourabh Satish held two consecutive Tech Sessions covering capabilities of the Phantom Platform. In the sessions, Sourabh built a Phantom Playbook that you can use to respond to malware threats. The playbook integrated several capabilities that demonstrate the flexibility and power of the Phantom Platform, like how to:

  1. Filter Action results for use downstream in a playbook,
  2. Implement decision-making logic to determine if a Course of Action (CoA) should be executed,
  3. Work with Custom Lists that allow you to cache data globally (on the platform),
  4. Issue user prompts to an IR Analyst for human-in-the-loop supervision, and
  5. Create Scheduled Actions that execute at a designated time in the future.





tech-session-playbook-2017-05.pngSample Malware Response Playbook from May 2017 Tech Session Webinars





The playbook contains the following workflow:

  1. An artifact describing a suspicious file is ingested as part of an event, which triggers the playbook into action.
    • Note: The Phantom Platform normalizes ingested event data, storing recognized indicators and observables as artifacts inside the event’s container.
  2. The file reputation is retrieved. The reputation service used here is able to report the number of security vendors convicting the file as malicious.
  3. If more than 10 security vendors classify the file as malicious, playbook execution continues. Otherwise, the playbook run ends.
  4. If execution continues, the hash value associated with the file sample is retrieved and stored for later use.
  5. The playbook then branches into three parallel workflow streams, each operating independent of the others.
    • If the machine is not a test machine, the playbook changes the severity of the event, or event container, to high.
    • The platform identifies the associated endpoint host and process name using information from the original event, then issues a command to terminate that process on the endpoint.
    • Simultaneously, the playbook checks to see if an associated Command-and-Control (C&C) server IP is already being blocked by referencing a Custom List of blocked IPs that is stored on the Phantom Platform.
      • If the IPs are not already blocked, the Phantom Platform prompts an IR analyst to confirm if they want to issue a temporary block of the IPs.
      • If confirmation is received, Phantom adds the IP address to the Custom List of blocked IPs.
      • Next, it executes an Action to block the IP on configured firewalls.
      • Just after this step, the playbook schedules an Action to unblock the IP on the same firewalls 60 minutes after successfully issuing the block.
      • Upon successful removal of the block to the IP, the playbook removes the IP from the platform’s blocked IPs Custom List.
  • After each of the three execution paths ends, the playbook run ends.

Note that this is an example playbook. You can easily customize this playbook to modify the period of time an IP is blocked or add/remove additional security Actions. You might also adapt this playbook to match the Phantom Apps and Assets that your organization uses. The playbook should ultimately model your Standard Operating Procedures (SOPs) for malicious domains.

You can download this playbook from either the Phantom Community or access it via the Phantom Platform. The platform automatically synchronizes Phantom Community Playbooks to your installation, unless configured otherwise. If you don’t currently use the Phantom Platform, we invite you to download the free Community Edition today.

Chris Simmons

Chris Simmons

Posted by