Playbook: Anomalous Geolocation on a Mobile Device

This Playbook automates the process for alerts like anomalous geolocation; when a mobile device reports its location on successive check-ins where it appears to be traveling at a speed faster than possible.  It could indicate a cloned mobile device or even malware.

Anomalous Geo Location on a Mobile Device

Once Phantom receives the alert from Splunk, the first action is to contact the user to determine if they have any information on the violation.  Phantom sends an automated email to the user.  The email is populated with data enriched from MobileIron and the Windows Active Directory server.

Phantom allows the user 160 minutes to respond before taking further action.

This example takes an aggressive approach when the user does not respond by opening a ticket in ServiceNow, blocking the device on the Palo Alto Networks firewall while simultaneously locating and wiping the device with MobileIron.

Less aggressive approaches are also possible.  For example, Phantom could pause for further approval after opening a ticket in step 4, giving an analyst a chance to review the case before proceeding with the action to block and wipe the phone.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition.


CP Morey

Posted by



Playbook: Anomalous Geolocation on a Mobile Device

Show All Tags
Show Less Tags

Join the Discussion