IP Investigate and Report
This playbook executes multiple investigative actions to determine if an IP address is malicious and sends a summary of the output in an email.
How to Implement
Multiple searches can be used in conjunction with this playbook. Given an IP address, the playbook performs a series of investigative steps and then sends a notification via email.
How to Respond
Using the ingested alerts, events can be investigated to obtain additional context about the artifacts in those alerts. Note that the playbook will also attempt to find any malicious domains associated with the IP; this data can be fed to other playbooks to take action or to automate threat hunting. An additional action worth adding is a sandbox action that visits any discovered domains to gather further details.
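The flow described above (take an IP, run investigative steps, collect any associated malicious domains, summarize in an email) is modelled below as plain Python. This is an added example, not the Phantom playbook's own code: it does not use the Phantom playbook API, and the reputation, passive-DNS and malicious-domain tables are constructed sample data (RFC 5737 documentation addresses, not real indicators) so the whole thing runs offline. The verdict thresholds and the internal-range check are assumptions chosen for the example.

```python
"""Stand-alone model of an "IP investigate and report" playbook.

Added example, not the Phantom playbook itself. Each lookup runs against a
small constructed dataset instead of a real reputation or passive-DNS
service, so the orchestration logic can be exercised offline.
"""
import ipaddress
from email.message import EmailMessage

# Constructed reputation data (documentation-range IPs, not real indicators).
REPUTATION = {
    "203.0.113.10": {"score": 85, "categories": ["malware-c2"]},
    "198.51.100.7": {"score": 15, "categories": []},
}
# Constructed passive-DNS data: IP -> domains seen resolving to it.
PASSIVE_DNS = {
    "203.0.113.10": ["bad.example", "cdn.example"],
    "198.51.100.7": ["shop.example"],
}
# Constructed domain reputation: domains flagged as malicious.
MALICIOUS_DOMAINS = {"bad.example"}

# Ranges we treat as internal and never send to external lookups (assumption).
# RFC 5737 documentation ranges are deliberately NOT excluded here so the
# constructed sample IPs above exercise the external-lookup path.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

MALICIOUS_SCORE = 70  # assumed threshold for the reputation score


def is_internal(ip):
    """True if the address falls in one of the internal ranges above."""
    return any(ip in net for net in INTERNAL_NETS)


def investigate_ip(ip_str):
    """Run each investigative step and collect the findings in one dict."""
    ip = ipaddress.ip_address(ip_str)  # raises ValueError on malformed input
    findings = {"ip": str(ip), "steps": [], "malicious_domains": []}

    # Step 1: scope check. Internal addresses get no external enrichment;
    # record that fact so the report shows why the other steps were skipped.
    if is_internal(ip):
        findings["steps"].append(("scope", "internal address, external lookups skipped"))
        findings["verdict"] = "internal"
        return findings

    # Step 2: IP reputation lookup.
    rep = REPUTATION.get(str(ip))
    findings["steps"].append(("reputation", rep if rep else "no record"))

    # Step 3: domains associated with the IP, then check each one.
    domains = PASSIVE_DNS.get(str(ip), [])
    findings["steps"].append(("passive_dns", domains))
    findings["malicious_domains"] = sorted(d for d in domains if d in MALICIOUS_DOMAINS)

    # Step 4: verdict. A high score or any malicious domain is enough;
    # no data at all is reported as "unknown" rather than "benign".
    score = rep["score"] if rep else 0
    if score >= MALICIOUS_SCORE or findings["malicious_domains"]:
        findings["verdict"] = "malicious"
    elif rep is None and not domains:
        findings["verdict"] = "unknown"
    else:
        findings["verdict"] = "benign"
    return findings


def build_report(findings, sender, recipient):
    """Render the findings as the email message the playbook would send."""
    msg = EmailMessage()
    msg["Subject"] = f"[IP investigation] {findings['ip']}: {findings['verdict']}"
    msg["From"] = sender
    msg["To"] = recipient
    lines = [f"Verdict: {findings['verdict']}", ""]
    for name, result in findings["steps"]:
        lines.append(f"- {name}: {result}")
    if findings["malicious_domains"]:
        lines.append("")
        lines.append("Malicious domains associated with this IP:")
        lines.extend(f"  * {d}" for d in findings["malicious_domains"])
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    for candidate in ("203.0.113.10", "198.51.100.7", "192.0.2.1", "10.0.0.5"):
        report = build_report(investigate_ip(candidate), "soar@example.com", "soc@example.com")
        print(report)  # the real playbook would hand this to a send-email action
```

The separate "unknown" verdict matters in practice: an IP with no reputation record and no observed domains has not been cleared, and the analyst reading the email should not mistake the absence of data for a benign result.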
IP Investigate and Report Help
Deploy Phantom and work with your technical team to implement this playbook.