IP Investigate and Report


This playbook executes multiple investigative actions to determine if an IP address is malicious and sends a summary of the output in an email.

Content Mapping

This content has been mapped to the local saved searches:

  • Errors in the last hour [Remove]
  • Generate MITRE Enterprise List [Remove]

Use Case

Security Monitoring, SOC Automation


Cloud Security, Command and Control, Data Exfiltration, Endpoint Compromise, SaaS

Security Impact

Using this playbook to investigate an IP address security teams can quickly assess whether or not an IP is malicious as well as additional information if there are any domains pointing at it.

Alert Volume

Very Low


Stage 5

Data Sources

Network Communication

   How to Implement

There are multiple searches that can be used in conjunction with this playbook. Using an IP address the playbook performs a number of investigative steps before sending a notification via email.

   How To Respond

Using the ingested alerts, events can be investigated to get additional contextual information about the artifacts in the alerts. Notice that the playbook will also attempt to find any malicious domains associated with an IP. This data can be used with other playbooks to take action or automate threat hunting. Additional actions to consider adding would be a sandbox action to visit any domains discovered to get further details.


IP Investigate and Report Help

Simply deploy Phantom and work with your technical team to deploy this.

Screenshot of Demo Data