Malicious Insider Containment


This playbook demonstrates an automated response plan to handling malicious insiders within the environment.


Use Case

Insider Threat, Security Monitoring, SOC Automation


Account Compromise, Account Sharing, Cloud Security, IAM Analytics, Insider Threat, SaaS

Security Impact

An insider threat can range from current employees to contractors, and even former employees whose account access has not been disabled. By detecting suspicious behavior and allowing an analyst to review the alert and the user's information, a decision can be made on how to handle the alert raised.

Alert Volume

Very Low


Stage 5

Data Sources

Audit Trail

How to Implement

This playbook can be triggered by any alert that contains a user account that needs to be investigated further. A prompt in the playbook allows an analyst to review the alert and information about the user before deciding how to proceed.

How To Respond

Although this playbook's actions target Active Directory, it can easily be modified to investigate users in other systems, such as AWS.


Malicious Insider Containment Help

Deploy Phantom and work with your technical team to deploy this playbook.

Screenshot of Demo Data