Playbook: Investigate and Block Newly Discovered and Publicly-Accessible Server Services on Your Local Network

Today’s post continues an ongoing series on Phantom playbooks; which the platform uses to automate and orchestrate your security operations plan.

SIEM platforms, like Splunk used in this example playbook, collect and aggregate log data from your security infrastructure. They can also alert you to a newly discovered server service that is publicly accessible on your local network.

The Phantom platform can receive and enrich the alert with additional contextual data before prompting you to make a decision or taking an automated block action.

phantom_playbook-block_new_server_connectionsWatch community member Ryan Kranz demonstrate this playbook.

As shown in the above diagram, the Phantom platform ingests the connection to a new service alert and triggers an Investigation and Action playbook automating the following steps

  • Query for the server device’s profile information from Windows Server
  • Query for the requesting IP/Domain information from
  • Query for the server’s available services from Shodan
  • Automate the reconfiguration of Cisco firewalls to block access to the new service

Automating this process in Phantom has several benefits including

  • Limiting the possibility of data exfiltration
  • Reducing the time from awareness-to-response from minutes or hours down to seconds
  • Ensuring your processes are handled accurately and consistently every time

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: