Playbook: Anomalous Geolocation on a Mobile Device

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

This Playbook automates the response to alerts such as anomalous geolocation: a mobile device reports its location on successive check-ins, and the distance between those locations implies that it travelled faster than is physically possible. This can indicate a cloned mobile device or even malware.
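The check behind this kind of alert, written out as an added example (not code from the original post or from Phantom's playbooks): it computes the great-circle distance between successive check-ins of the same device and flags any pair whose implied speed exceeds a plausible maximum. The check-in records, the 1000 km/h threshold and all function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import radians, sin, cos, asin, sqrt

# Assumed threshold: an airliner cruises near 900 km/h, so a markedly higher
# implied speed between two check-ins is physically implausible.
MAX_PLAUSIBLE_KMH = 1000.0

@dataclass(frozen=True)
class CheckIn:
    device_id: str
    seen_at: datetime  # timezone-aware UTC
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))  # mean Earth radius in km

def implied_speed_kmh(prev, cur):
    """Speed needed to move from prev to cur; None if time does not advance."""
    hours = (cur.seen_at - prev.seen_at).total_seconds() / 3600.0
    if hours <= 0:  # duplicate or out-of-order timestamp: no speed is defined
        return None
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours

def anomalous_pairs(checkins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Per device, (prev, cur, speed) for consecutive check-ins whose implied
    speed exceeds max_kmh; input order does not matter."""
    by_device = {}
    for c in checkins:
        by_device.setdefault(c.device_id, []).append(c)
    flagged = []
    for history in by_device.values():
        history.sort(key=lambda c: c.seen_at)
        for prev, cur in zip(history, history[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed is not None and speed > max_kmh:
                flagged.append((prev, cur, speed))
    return flagged

# Constructed sample: dev-1 reports London, then New York 30 minutes later
# (about 5,570 km, implying ~11,000 km/h); dev-2 reports twice at one instant.
T0 = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [CheckIn("dev-1", T0, 51.5074, -0.1278),
          CheckIn("dev-1", T0 + timedelta(minutes=30), 40.7128, -74.0060),
          CheckIn("dev-2", T0, 37.7749, -122.4194), CheckIn("dev-2", T0, 37.7750, -122.4190)]
```

Only dev-1 is flagged; dev-2's two reports share a timestamp, so no speed is computed and they are left alone rather than producing a divide-by-zero or a spurious infinite speed.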

Anomalous Geo Location on a Mobile Device

Once Phantom receives the alert from Splunk, the first action is to contact the user to determine whether they have any information about the violation. Phantom sends an automated email to the user, populated with data enriched from MobileIron and the Windows Active Directory server.

Phantom allows the user 160 minutes to respond before taking further action.

If the user does not respond, this example takes an aggressive approach: it opens a ticket in ServiceNow, blocks the device on the Palo Alto Networks firewall, and simultaneously locates and wipes the device with MobileIron.

Less aggressive approaches are also possible.  For example, Phantom could pause for further approval after opening a ticket in step 4, giving an analyst a chance to review the case before proceeding with the action to block and wipe the phone.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

CP Morey
VP, Products & Marketing

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: