Malicious Insider Containment
This playbook demonstrates an automated response plan to handling malicious insiders within the environment.
How to Implement
This playbook can be triggered by any alert that contains a user account needing further investigation. A prompt in the playbook lets an analyst review the alert and the information gathered about the user before deciding how to proceed.
How To Respond
Although this playbook has actions for Active Directory, it can be easily modified to support investigating users in other systems such as AWS.
Malicious Insider Containment Help
Deploy Phantom and work with your technical team to put this playbook in place.