Playbook: Investigate IP Address Performing Reconnaissance Activity

Security Splunk

Whether from an intrusion detection system or through log analysis, security devices can generate alerts when reconnaissance activity is detected.

The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes are determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.

Screenshot from the Phantom platform’s visual playbook editor.

As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook automating the following steps:

Automating this process in Phantom has several benefits including:

Did you know that Phantom playbooks are Python-based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community playbooks can be customized at will and are synchronized via Git and published in our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.

----------------------------------------------------
Thanks!
Chris Simmons

Related Articles

A Deeper Dive into TruSTAR Intel Workflows
Security
4 Minute Read

A Deeper Dive into TruSTAR Intel Workflows

Learn about TruSTAR's API 2.0, featuring TruSTAR Intel Workflows. This blog post provides a look at some technical aspects of the Indicator Prioritization Intel Workflow.
Yes, Virginia, There is a -Santa Claus- Way to Detect Unemployment Fraud
Security
4 Minute Read

Yes, Virginia, There is a -Santa Claus- Way to Detect Unemployment Fraud

Fraud rates for Unemployment Insurance Benefits (UIB) and Pandemic Unemployment Assistance (PUA) are out of control. Use these detections to start detecting unemployment fraud now.
Splunk Security Content for Threat Detection & Response: November 2025 Update
Security
5 Minute Read

Splunk Security Content for Threat Detection & Response: November 2025 Update

Learn about the latest security content from Splunk.