Playbook: Investigate Suspicious Outbound Connections

Today’s post continues an ongoing series on Playbooks; which Phantom uses to automate and orchestrate your security operations plan.

SIEM platforms, like Splunk, collect and aggregate log data from your security infrastructure. When configured, these platforms can alert you to a suspicious outbound connection from your managed networks or endpoints.

When an analyst receives a suspicious outbound connection alert from the SIEM, there are several investigation actions commonly executed to gather context about the source and destination. The gathering of information is highly repetitive and can consume a significant amount of time. This makes the context gathering ideally suited for automation.

The Phantom platform can receive these alerts, enrich the alert with additional contextual data, like source device information and destination domain reputation, and automatically generate a service ticket for further analysis and decision making.


(Community Member Ryan Kranz demos this Playbook here)

With Phantom, the Splunk alert can be ingested and trigger an Investigation Playbook automating the following steps:

  • Query for the source device’s profile information from Windows Server
  • Query for the destination domain’s owner information from
  • Query for the destination IP’s available services from Shodan
  • Create a ticket within the ServiceNow platform for further investigation and decision making

Automating this process in Phantom has several benefits including reducing the time to execution from minutes or hours down to seconds, as well as ensuring the process is handled accurately and consistently every time.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

Chris Simmons
Director, Product Marketing

About Phantom:

Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: