Phantom Operates on Data Sources
Use any type and source of security data to trigger Phantom into action, such as incidents, threat indicators, vulnerabilities, emails, and more. Phantom gives you full access to the contents of your security data for the purposes of automated decision making.
You can either push your data to Phantom, or pull it from a number of externally supported SIEM or analytics tools.
Phantom Executes Playbooks
Playbooks are the codification of your Security Operations (SecOps) plan. In practice, they’re high-level Python scripts that Phantom interprets in order to execute your mission. Playbooks hook into the Phantom Platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.
Playbooks Call Actions
Actions are the high-level primitives that Phantom uses within playbooks. Phantom integrates with more than 1,000 APIs and more than 200 Apps. Examples include:
Detonate a file in a supported sandbox
Perform a geolocation lookup on a given IP address
Look for a particular file on endpoints
Block a URL on perimeter devices
Disconnect a device from the network via NAC
Actions Are Exposed by Phantom Apps
Phantom Apps extend the platform by integrating third-party security products and tools. Most security technologies have RESTful APIs, command line interfaces, or other management interfaces that allow Phantom Apps to connect and execute actions. Apps expose the set of actions that they support back to the Phantom Platform.
Apps Connect to Assets
Assets are the security and infrastructure assets that you integrate with the Phantom Platform. Examples include: firewalls, endpoint products, reputation services, sandboxes, directory services, and SIEMs.