Using Custom Lists in Phantom Playbooks

Custom Lists are a powerful capability of the Phantom platform. Customers typically use Custom Lists to maintain a dynamic list of items that persists on the platform. The function also commonly serves a caching mechanism to reduce overburdening a service. Custom Lists are available on-platform to playbooks and externally to third-party systems. In this blog entry, we will explore the use of Custom Lists to enable threshold-based decision making with the Phantom platform.

To access Custom Lists in Phantom’s web-based UI, select Playbooks from the Main Menu, and then Custom Lists. In this section you can manually create and edit Custom Lists in a spreadsheet layout. Within a Phantom playbook, you can create, reference, modify, or delete any Custom List.

As an example, we will implement decision logic that uses the number of events over a certain time period.  Perhaps if you see one alert of this type in a day, then you might follow a workflow to investigate why it is happening.  If you see 500 alerts of this alert type in 5 minutes, however, then you might take an alternate workflow and escalate the incident to a human analyst with the highest priority.


CustomListsScreenshot of the Phantom platform web-based interface, showing an example Custom List.


The example Custom List tracks IP addresses with a count. There are three columns in this Custom List: IP address, observation count, and a timestamp indicating the last occurrence.  Using the count and the timestamp, you can understand the rate of the IP alerts over a period of time. You might also build in logic that uses these fields to age out old IP address alerts from the list. Finally, you can also see the magnitude of a potential outbreak, which might affect the response that is chosen.

This is just one example detailing how you can implement threshold-based alerts with the Phantom platform. If you would like to learn more or want to try the capability out for yourself, visit the Phantom Community site and reference the Phantom documentation on datastore_* API calls.

If you haven’t downloaded the free Phantom Community edition yet, you can get it now from the Phantom Community.

Paul Davis
Posted by

Paul Davis

Paul Davis is a seasoned IT Security Executive with a global reputation for building and delivering successful IT Security organizations and services. Paul is a sought-out individual with over 20 years of experience in delivering critical IT security services, security operations teams and solving business security challenges for top global companies. Companies that he has worked with include EDS, General Motors, GE, Cisco, Dow Chemical, The Washington Post, The United Nations, MCI, Prudential and Mitsui. Paul has been EDS’ Chief Information Security Officer at General Motors and Chief Security Officer at Dow Chemical and Director of Security Operations for a major financial exchange. His background includes incident response leadership, IT security operations, professional services, systems engineering, managed services and product support. Throughout his career, he has demonstrated strengths in leading change to meet business challenges, maximizing productivity / revenue, motivating teams and achieving customer satisfaction. He has a CISSP certification, and is a member of ISSA, IACs and the MIT Enterprise Forum of Cambridge.

Show All Tags
Show Less Tags