Playbook: Investigate IP Address Performing Reconnaissance Activity

Whether from an intrusion detection system or through log analysis, security devices can generate alerts when reconnaissance activity is detected.

The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes are determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.


Screenshot from the Phantom platform’s visual playbook editor.


As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook automating the following steps:


  • Query for the IP address and Domain reputation from configured intelligence provider(s)
  • Automatically dismiss alerts which are false positives
  • Automatically escalate alerts which indicate malicious activity





Automating this process in Phantom has several benefits including:

  • Increased efficiency by automating routine investigations
  • Reduced time-to-know from minutes/hours to seconds for malicious activity
  • Ensuring your processes are handled accurately and consistently every time

Did you know that Phantom playbooks are Python-based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published in our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.



Chris Simmons

Posted by


Show All Tags
Show Less Tags