Playbook: Investigate IP Address Performing Reconnaissance Activity

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example covers one of the sample playbooks included with the Phantom platform.

Whether from an intrusion detection system or through log analysis, security devices can generate alerts when reconnaissance activity is detected.

The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes are determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.

[Figure: recon-sample-playbook] Screenshot from the Phantom platform’s visual playbook editor.

As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook, which automates the following steps:

  • Query for the IP address and Domain reputation from configured intelligence provider(s)
  • Automatically dismiss alerts which are false positives
  • Automatically escalate alerts which indicate malicious activity
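The decision logic behind these three steps, as an added stand-alone Python sketch; it is not Phantom's sample playbook and does not use the Phantom API. The `reputation` callable, the provider names, the detection threshold and the sample data are assumptions, and the sketch goes one step beyond the list above by leaving an alert open when a provider fails to answer instead of dismissing it.

```python
from dataclasses import dataclass, field

MALICIOUS_THRESHOLD = 3  # assumption: provider detections needed to call an indicator malicious

@dataclass
class Alert:
    source_ip: str
    source_domain: str
    status: str = "new"
    severity: str = "low"
    notes: list = field(default_factory=list)

def verdict(lookups):
    """lookups: {provider: detection count, or None when the query failed}."""
    answered = [n for n in lookups.values() if n is not None]
    if any(n >= MALICIOUS_THRESHOLD for n in answered):
        return "malicious"
    # Clean only if every configured provider answered; a failed lookup is not evidence.
    return "clean" if answered and len(answered) == len(lookups) else "unknown"

def triage(alert, reputation):
    """reputation(indicator) -> lookups dict; hypothetical stand-in for the intelligence providers."""
    verdicts = {}
    for indicator in (alert.source_ip, alert.source_domain):
        lookups = reputation(indicator)
        verdicts[indicator] = verdict(lookups)
        alert.notes.append(f"{indicator}: {verdicts[indicator]} {lookups}")  # enrichment
    if "malicious" in verdicts.values():       # one or both source attributes malicious
        alert.status, alert.severity = "escalated", "high"
    elif all(v == "clean" for v in verdicts.values()):
        alert.status = "closed"                # dismissed as a false positive
    else:
        alert.status = "open"                  # inconclusive: leave for an analyst
    return alert

# Constructed provider data (documentation address ranges and example domains).
SAMPLE_FEED = {
    "203.0.113.50": {"provider_a": 7, "provider_b": 1}, "scanner.example.net": {"provider_a": 0, "provider_b": 0},
    "198.51.100.9": {"provider_a": 0, "provider_b": 0}, "cdn.example.org": {"provider_a": 0, "provider_b": 0},
    "192.0.2.77": {"provider_a": 0, "provider_b": None}, "mail.example.com": {"provider_a": 0, "provider_b": 0},
}

def run_samples():
    """Triage three constructed alerts and return their final statuses."""
    pairs = [("203.0.113.50", "scanner.example.net"), ("198.51.100.9", "cdn.example.org"), ("192.0.2.77", "mail.example.com")]
    return [triage(Alert(ip, dom), lambda i: SAMPLE_FEED.get(i, {})).status for ip, dom in pairs]

if __name__ == "__main__":
    print(run_samples())
```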

Automating this process in Phantom has several benefits, including:

  • Increased efficiency by automating routine investigations
  • Reduced time-to-know from minutes/hours to seconds for malicious activity
  • Ensuring your processes are handled accurately and consistently every time

Did you know that Phantom playbooks are Python-based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published in our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: