Playbook: Triage Reconnaissance Alerts

Your existing security infrastructure probably observes lots of scanning, or reconnaissance, activity every day. While a great portion of this activity can be attributed to the noise generated on the Internet, it can also be an early warning signal to a full on attack. A classic problem for security teams is dealing with this type of high volume activity in a way that doesn’t consume the team’s time and doesn’t miss these early indicators of more nefarious activity.

This is a perfect scenario where Phantom can help. The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes is determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.


recon-sample-playbookScreenshot of a Phantom investigation playbook as viewed in the Phantom visual playbook editor.


As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook automating the following steps

  • Query for the IP address and Domain reputation from configured intelligence provider(s)
  • Automatically dismiss alerts which are false positives
  • Automatically escalate alerts which indicate malicious activity




Automating this process in Phantom has several benefits including

  • Increased efficiency by automating routine investigations
  • Reduced time-to-know from minutes / hours to seconds for malicious activity
  • Ensuring your processes are handled accurately and consistently every time

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.

Chris Simmons

Posted by


Show All Tags
Show Less Tags