Playbook: Investigate Suspicious Outbound Connections

SIEM platforms, like Splunk, collect and aggregate log data from your security infrastructure. When configured, these platforms can alert you to a suspicious outbound connection from your managed networks or endpoints.

When an analyst receives a suspicious outbound connection alert from the SIEM, there are several investigation actions commonly executed to gather context about the source and destination. The gathering of information is highly repetitive and can consume a significant amount of time. This makes the context gathering ideally suited for automation.

The Phantom platform can receive these alerts, enrich the alert with additional contextual data, like source device information and destination domain reputation, and automatically generate a service ticket for further analysis and decision making.



With Phantom, the Splunk alert can be ingested and trigger an Investigation Playbook automating the following steps:

  • Query for the source device’s profile information from Windows Server
  • Query for the destination domain’s owner information from
  • Query for the destination IP’s available services from Shodan
  • Create a ticket within the ServiceNow platform for further investigation and decision making

Automating this process in Phantom has several benefits including reducing the time to execution from minutes or hours down to seconds, as well as ensuring the process is handled accurately and consistently every time.
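
The four steps above, as an added sketch in plain Python rather than the Phantom playbook API; it is not code from this post or from Phantom. The alert field names, the stand-in lookup functions and the ticket fields are assumptions with constructed data, and the third lookup fails on purpose to show that a ticket is still created.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed alert; field names are assumptions, not a Splunk or Phantom schema.
SAMPLE_ALERT = {"src_host": "WS-0142", "dest_domain": "example.net", "dest_ip": "203.0.113.10"}

def investigate(alert, lookups, create_ticket):
    """Run every enrichment in parallel, then open one ticket with all results.

    lookups maps a label to (alert_field, callable). A failed lookup is recorded
    in the ticket instead of aborting the run, so the analyst still gets a ticket.
    """
    def run(item):
        label, (field, fn) = item
        try:
            return label, {"status": "success", "data": fn(alert[field])}
        except Exception as exc:
            return label, {"status": "failed", "error": str(exc)}

    with ThreadPoolExecutor(max_workers=len(lookups)) as pool:
        results = dict(pool.map(run, lookups.items()))

    summary = f"Outbound connection {alert['src_host']} -> {alert['dest_domain']} ({alert['dest_ip']})"
    lines = [summary]
    for label, res in results.items():
        lines.append(f"[{label}] {res['status']}: {res.get('data', res.get('error'))}")
    ticket_id = create_ticket({"short_description": summary, "description": "\n".join(lines)})
    return ticket_id, results

# Hypothetical stand-ins for the real integrations, returning constructed data.
def device_profile(host):   # source device query (Windows Server in the post)
    return {"hostname": host, "os": "Windows 10", "owner": "constructed.user"}

def domain_owner(domain):   # destination domain owner lookup
    return {"domain": domain, "registrant": "Constructed Registrant"}

def ip_services(ip):        # destination IP services (Shodan in the post); simulated outage
    raise TimeoutError("service lookup timed out")

def demo():
    tickets = []
    def create_ticket(fields):  # ticketing step (ServiceNow in the post)
        tickets.append(fields)
        return f"TICKET-{len(tickets)}"
    lookups = {"device_profile": ("src_host", device_profile),
               "domain_owner": ("dest_domain", domain_owner),
               "ip_services": ("dest_ip", ip_services)}
    ticket_id, results = investigate(SAMPLE_ALERT, lookups, create_ticket)
    return ticket_id, results, tickets[0]
```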

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition.

Posted by Chris Simmons

Chris Simmons is a Senior Product Marketing Manager with Splunk. Chris currently focuses on the Splunk Phantom platform and the Security Orchestration, Automation and Response segment of the security market. Previously, he led Product Marketing at Phantom and has held various product roles at IBM, Cisco, Sourcefire, and Fortinet.

