Playbook: Investigating Newly Discovered Linux Servers

This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform.

Introduction

A common security operations task involves investigating newly discovered servers on an organization’s network. Whether detected by a scanning system or through a network detection system, the playbook below is triggered into action once a ticket is created to investigate the newly discovered server.

The playbook gathers basic system information from a newly-detected CentOS 7 Linux server using the SSH protocol. The investigation steps are performed automatically when a new JIRA ticket is opened with the type “New Linux Server.” The results of the SSH commands are formatted and added to the original JIRA ticket as comments. The context added by this playbook saves analysts’ time and helps them quickly decide how to respond to the detection of a new server. The first run of the playbook will create a case on the Phantom Platform. Subsequent tickets are added to the existing Phantom Case to allow batch processing.

playbook-ssh-endpoint-investigate
Phantom Community Playbook: SSH Endpoint Investigate

Phantom Apps Used

This playbook uses two Phantom Apps:

Phantom-App-JIRA@150px

Phantom-App-SSH@150px

Playbook Workflow

Depending on the configuration of the JIRA asset, the Phantom Platform uses the JIRA App for Phantom to poll for new tickets on a regular interval. When a newly created ticket is detected, the Phantom Platform triggers this playbook. The playbook uses the following workflow:

  1. First, the new JIRA ticket details are retrieved from the ticketing system, parsed, and stored as artifacts in an event container on the Phantom Platform.
  2. Next, the playbook examines the ticket to determine if the type of ticket is “New Linux Server.” If the ticket type is anything else the playbook run ends.
  3. With a positive match on the ticket type, the playbook next searches for an existing case for this investigation type. If an existing case is found, the data for this new event is added to the existing case. If an existing case is not found, the playbook promotes the event to a case.
  4. After escalating the event to a case, the playbook calls on the SSH App for Phantom. An SSH connection to the server is established and the playbook executes an action to check the Linux version of the Server. If the server type is CentOS 7, playbook execution continues. Otherwise, the playbook generates a failure comment, inserts it into the JIRA ticket, and then ends the playbook run.
  5. If the target system is CentOS 7, the playbook again uses SSH to retrieve the server’s login history, then format it and adds the login details to the JIRA ticket.
  6. Next, the playbook uses SSH once more to retrieve information about all open ports on the server, formatting the results and then adding them to the JIRA ticket.
  7. Finally, the playbook run is complete and execution ends.

Note that this is an example playbook. You can easily customize this playbook to investigate other operating systems or perform additional security actions. You might also adapt this playbook to match the Phantom Apps and Assets that your organization uses. The playbook should ultimately model your Standard Operating Procedures (SOPs) for investigating newly detected servers on your network.

You can download this playbook from either the Phantom Community or access it via the Phantom Platform. The platform automatically synchronizes Phantom Community Playbooks to your installation if configured. If you don’t currently use the Phantom Platform, we invite you to download the free Community Edition today.

View other articles in this Playbook series here.