Data Sources

Phantom Operates on Data Sources

Use any type and source of security data to trigger Phantom into action, such as incidents, threat indicators, vulnerabilities, emails, and more. Phantom gives you full access to the contents of your security data for the purposes of automated decision making.

You can either push your data to Phantom, or pull it from a number of externally supported SIEM or analytics tools.

Phantom Operates on Data Sources

Phantom Executes Playbooks

Playbooks are the codification of your Security Operations (SecOps) plan. In practice, they’re high-level Python scripts that Phantom interprets in order to execute your mission. Playbooks hook into the Phantom Platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.


Playbooks Call Actions

Actions are the high-level primitives that Phantom uses within playbooks. Phantom integrates with over 1,000+ APIs and over 200+ Apps. Examples include:

  • Detonate File
    Detonate File

    Detonate a file in a supported sandbox

  • Geolocate IP
    Geolocate IP

    Perform a geolocation lookup on a given IP address

  • Hunt File
    Hunt File

    Look for a particular file on endpoints

  • Block URL
    Block URL

    Block a URL on perimeter devices

  • Quarantine Device
    Quarantine Device

    Disconnect a device from the network via NAC

Playbooks Call Actions
Actions are exposed by Phantom Apps
Phantom Apps

Actions are exposed by Phantom Apps

Phantom Apps extend the platform by integrating third-party security products and tools. Most security technologies have RESTful APIs, command line interfaces, or other management interfaces that allow Phantom Apps to connect and execute actions. Apps expose the set of actions that they support back to the Phantom Platform.

View all Phantom Apps


Apps Connect to Assets

Assets are the security and infrastructure assets that you integrate with the Phantom Platform. Examples include: firewalls, endpoint products, reputation services, sandboxes, directory services, and SIEMs.

Apps Connect to Assets