Playbook: Triage Reconnaissance Alerts

Security Splunk

Your existing security infrastructure probably observes lots of scanning, or reconnaissance, activity every day. While a great portion of this activity can be attributed to the noise generated on the Internet, it can also be an early warning signal to a full on attack. A classic problem for security teams is dealing with this type of high volume activity in a way that doesn’t consume the team’s time and doesn’t miss these early indicators of more nefarious activity.

This is a perfect scenario where Phantom can help. The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes is determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.

Screenshot of a Phantom investigation playbook as viewed in the Phantom visual playbook editor.

As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook automating the following steps

Automating this process in Phantom has several benefits including

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.

----------------------------------------------------
Thanks!
Chris Simmons

Related Articles

Detecting Password Spraying Attacks: Threat Research Release May 2021
Security
5 Minute Read

Detecting Password Spraying Attacks: Threat Research Release May 2021

The Splunk Threat Research team walks you through a new analytic story to help SOC analysts detect adversaries executing password spraying attacks, and highlights a few detections from the May 2021 releases.
Yes, Virginia, There is a -Santa Claus- Way to Detect Unemployment Fraud
Security
4 Minute Read

Yes, Virginia, There is a -Santa Claus- Way to Detect Unemployment Fraud

Fraud rates for Unemployment Insurance Benefits (UIB) and Pandemic Unemployment Assistance (PUA) are out of control. Use these detections to start detecting unemployment fraud now.
CI/CD Detection Engineering: Failing, Part 3
Security
4 Minute Read

CI/CD Detection Engineering: Failing, Part 3

In part 3 of our now 4-part series, we walk you through how we failed to use CircleCI to continually test detentions!