What is Splunk Phantom?
팬텀은 보안장비의 운영을 자동화 하는 SOAR(Security Orchestration, Automation and Response)
솔루션 입니다
Security Orchestration
보안 오케스트레이션은 복잡한 인프라 환경에서 일련의 상호 의존적인 보안 작업을 머신 기반으로 조정합니다.
Security Automation
보안 자동화는 머신이 보안 조치를 자동으로 실행합니다.
Security Response
보안 대응은 이벤트 및 인시던트, 내역 관리 등 대응과 관련된 일련의 과정을 워크 플로우 기반으로 대응합니다.
KEY Concept
많은 보안장비들이 API를 제공하며, 이 API를 이용하면 프로그램을 이용해 해당 장비를 손쉽게 관리, 조작, 제어할 수 있습니다.
하지만 API를 효과적으로 사용하기 위해서는 뛰어난 개발 역량이 필요하며, 이는 많은 기업들이 API를 활용하지 못하는 이유이기도 합니다.
스플렁크 팬텀은 각 기업에서 제공하는 API를 UI로 전환하여 누구나 쉽게 API를 사용할 수 있습니다.
< Paloalto API를 이용하기 위한 개발코드 예시 >
< Splunk Phantom UI를 이용한 방화벽 관리 앱 >
스플렁크 팬텀에 방화벽, IPS, 이메일 등 장치가 연결되면 사용자는 PlayBook 이라고 불리는 UI 기반의 맵을 제작할 수 있습니다.
팬텀은 PlayBook에 정의된 일련의 플로우를 기준으로 시스템에서 발생하는 이벤트를 순차적으로 처리, 이상징후를 탐지하고 대응을 수행합니다.
Supported Veondors
| Vendor | App | Summary |
|---|---|---|
| A10 | LADS | This app supports containment actions like 'block ip' or 'unblock ip' using the A10 Lightning Application Delivery System (LADS). |
| AbuseIPDB | AbuseIPDB | This app integrates with AbuseIPDB to perform investigative actions |
| Aella Data | Aella Data Starlight | This app integrates with an Aella Data installation to implement ingestion and investigative actions |
| Amazon | Alexa | Connects to Alexa Web Information Services for lookup url. |
| Anomali | ThreatStream | Integrates a variety of reputation and lookup actions from the Anomali ThreatStream threat intelligence platform. |
| Apache | Kafka | This app implements ingesting and sending data on the Apache Kafka messaging system |
| Arbor Networks | Arbor Networks APS | This app integrates with Arbor Networks APS to execute containment and corrective actions |
| Atlassian | HipChat | This app integrates with HipChat to support different generic and investigative actions |
| Atlassian | Jira | This app supports a variety of ticket management actions on JIRA |
| Aurea | AlertFind | Integrate with AlertFind to enable notification actions |
| AWS | AWS Athena | This app supports investigative actions on AWS Athena |
| AWS | AWS Community App | App Review - AWS App by GE |
| AWS | AWS Community App 2 | AWS Community App - BAH |
| AWS | AWS IAM | This app integrates with Amazon Web Services Identity Access Management (AWS IAM) to support various containment, corrective and investigate actions |
| AWS | AWS Lambda | This app integrates with AWS Lambda to perform lambda functions |
| AWS | AWS S3 | This app integrates with AWS S3 to perform investigative actions |
| Axonius | Axonius | This app integrates with the Axonius Cybersecurity Asset Management Platform to enrich asset data for investigations |
| Basis Technology | Cyber Triage | Initiates a remote endpoint collection to support an investigation using Cyber Triage |
| Bay Dynamics | Risk Fabric | This app supports retrieving entity risk scores from Risk Fabric |
| Best Practical | Request Tracker | This app allows ticket management on Request Tracker by implementing investigative and manipulative actions on the tickets |
| BMC Software | RemedyForce | This app allows ticket management on RemedyForce by implementing actions like create ticket and update ticket. |
| BMC Software | Remedy | This app supports ticket management functions on incidents in BMC Remedy. |
| Carbon Black | CB Defense | This app integrates with an instance of Carbon Black defense to run investigative actions |
| Carbon Black | CB Response | This app supports executing various endpoint-based investigative and containment actions on Carbon Black Response |
| Carbon Black | CB Protection | This app supports various investigative and containment actions on Carbon Black Enterprise Protection (formerly Bit9) |
| Censys | Censys | This app implements investigative actions to get information from the censys search engine |
| Certly | Certly | Implements url reputation action by querying the Certly web API |
| Check-Point-Software | Firewall | This app supports a variety of endpoint and network based containment actions on Check Point Firewall |
| Cherwell | Cherwell | This app implements various ticketing actions on Cherwell |
| Cisco | Cisco ASA | This app supports containment actions like 'block ip' in addition to investigative actions like 'get config' and 'get version' on a Cisco ASA device. |
| Cisco | Cisco Catalyst | This app supports containment actions like 'set system vlan' in addition to investigative actions like 'get config' and 'get version' on a Cisco Catalyst switch. |
| Cisco | Cisco ESA | This app supports investigation on the Cisco Email Security Appliance (ESA) device. |
| Cisco | Cisco FireAMP | This app allows users to connect to FireAMP with actions such as list endpoints, hunt url, and hunt ip. |
| Cisco | Cisco Firepower | This app interfaces with Cisco Firepower devices to add or remove IPs or networks to a Firepower Network Group Object, which is configured with an ACL |
| Cisco | Cisco FireSIGHT | This app implements investigative actions on the FireSIGHT device |
| Cisco | Cisco ISE | This app implements investigative and containment actions like 'quarantine device', 'terminate session' and 'list sessions' etc. on a Cisco ISE device. |
| Cisco | Cisco Router BGP RTBH | This app interfaces with Cisco IOS-XE devices to create a blackhole for configured IPs or networks in Cisco BGP networks. |
| Cisco | Cisco Spark | Integrate with Cisco Spark to implement investigative actions |
| Cisco | Cisco Tetration | This app supports variety of investigative actions on Cisco Tetration Analytics |
| Cisco | Cisco Umbrella | This app allows management of a domain list on the OpenDNS Umbrella Security platform by implementing actions like 'block domain', 'unblock domain' and 'list blocked domains'. |
| Cisco | Duo Security | Use Duo Auth API to authenticate actions. |
| Cisco | Meraki | This app interfaces with the Cisco Meraki cloud managed devices. The search string specified is used to match a value in the client MAC address or description field. The default dashboard URL is dashboard.meraki.com. The API Key is generated in your account profile. An account with read only privileges is acceptable. |
| Cisco | PhishTank Phish Verification System | This app implements URL investigative capabilities utilizing PhishTank |
| ClickSend | ClickSend | This app integrates with ClickSend to send SMS messages |
| CloudPassage | CloudPassage | This app supports a variety of investigative actions on CloudPassage Halo |
| Code42 | Code42 | This app integrates with Code42 to execute various containment, corrective and investigative actions |
| Cofense | Cofense Intelligence | This App integrates with PhishMe Intelligence to provide various hunting and reporting actions in addition to threat ingestion |
| Critical Stack | Critical Stack | This app integrates with the CriticalStack feed to implement investigative actions |
| CRITs | CRITs | This App supports various investigative actions on CRITs |
| Chronicle | VirusTotal Threat Intelligence | This app integrates with the VirusTotal cloud to implement investigative and reputation actions |
| Crowdstrike | Crowdstrike Streaming | This app integrates with CrowdStrike security services to implement ingestion of endpoint security data |
| Crowdstrike | Crowdstrike Falcon Host | This app allows you to manage indicators of compromise (IOC) and investigate your endpoints on the Falcon Host API |
| Cuckoo | Cuckoo | This app supports executing various investigative actions on the Cuckoo sandbox |
| Cybereason | EDR | This app integrates with Cybereason to perform investigative, contain and corrective actions |
| Cylance | Cylance Protect | This app supports various investigative, containment, and corrective actions on CylancePROTECT |
| Cymmetria | MazeRunner | MazeRunner App |
| Cyware | Cyware | Implements event reporting on the Cyware platform |
| Digital Shadows | Digital Shadows | This app integrates with Digital Shadows SearchLight to ingest and investigate credentials found in data breaches |
| DomainTools | DomainTools | Use DomainTools to query various current and historical data regarding domain names, domain registration and IPs |
| DomainTools | DomainTools Iris | Use the DomainTools Iris Investigate API to profile domain names, get risk scores, and find connected domains that share the same Whois details, web hosting profiles, SSL certificates, and more |
| DShield | DShield | Implements lookup ip action by querying the DShield web API |
| EclecticIQ | EclecticIQ | TIP integration |
| Elastic | Elasticsearch | This app integrates with an Elasticsearch installation to implement ingestion and investigative actions |
| Empire | Empire | This app supports a variety of actions to interact with the REST API of Empire - https://github.com/powershellempire/empire |
| Endace | Endace | App integrates with the Endace Packet Capture device to implement investigative actions |
| Endgame | Endgame | This app integrates with Endgame to execute investigative and corrective actions |
| eSentire | Cymon | Queries Cymon for IP, URL, domain, and blacklist information. |
| Extrahop | Extrahop | This app integrates with the ExtraHop platform to perform investigative actions based on real-time network data |
| F5 | BigIP | This app supports containment actions like 'block ip' or 'unblock ip' on an F5 BIG-IP appliance. There must be a firewall policy (Security››Network Firewall:Policies) configured on the BIG-IP and the name of the policy must be specified in the Action Parameters. The rule name can be the source IP address appended to a keyword string, e.g. 'Phantom' + ip |
| Farsight Security | DNSDB | This app supports investigative DNS lookup actions on DNSDB |
| FireEye | FireEye HX | FireEye HX Endpoint Security |
| FireEye | FireEye CM | Leverage the FireEye Web Services API to download malware objects. |
| Floodlight | Floodlight | Implements command and control for the Floodlight SDN controller |
| Forcepoint | Forcepoint Next Generation Firewall | This app integrates with Forcepoint Firewall |
| Forescout | Forescout NAC | This app implements various network access control actions for ForeScout |
| Fortinet | Fortisiem | This app implements various network access control actions for ForeScout |
| Fortinet | FortiGate | This app supports a variety of containment and investigative actions on the FortiGate Firewall. |
| Generic | BerryIO | This app supports actions for APIs on the BerryIO project for the Raspberry Pi, such as GPIO status, get and set. |
| Generic | Timer | This app will generate an empty event which can be used to kick off a playbook at scheduled intervals |
| Generic | NetBios | This app implements various investigative actions using the NetBIOS protocol |
| Generic | RSS | Ingest IOCs from an RSS Feed |
| Generic | Whois RDAP | This App implements the investigative action 'whois ip' using RDAP. |
| Generic | Whois | This App implements investigative actions that query the whois database |
| Generic | SSH | This app supports executing various endpoint-based investigative and containment actions on an SSH endpoint |
| Generic | SMTP | This app provides the ability to send email using SMTP |
| Generic | REST Data Source | This app implements custom REST handlers for external implementations to push ingest data such as events and artifacts into Phantom |
| Generic | NMAP | This app integrates with NMAP in order to provide detailed network information |
| Generic | IMAP | This app supports email ingestion and various investigative actions over IMAP |
| Generic | HTTP | This App facilitates making HTTP requests as actions |
| Generic | Generator | This app generates ingested sample data |
| Generic | DNS | This app implements investigative actions that return DNS Records for the object queried |
| Generic | git | This app integrates with git and supports common git actions |
| Gigamon | GigaVUE FM | This app leverages APIs from GigaVUE-FM 5.1 and above to perform investigative and corrective actions |
| Big Query | This app allows running investigative actions against Google BigQuery | |
| GSuite | This app allows various file manipulation actions to be performed on Google Drive | |
| GRR Rapid Response | This app implements various actions from the GRR API | |
| Safe Browsing | This app Integrate with Google Safe Browsing to execute reputation-based actions | |
| GSuite for Gmail | Integrates with G Suite for various investigative and containment actions | |
| Greynoise | Greynoise | This app implements investigate actions to fetch IP details using Greynoise API |
| HackerTarget | HackerTarget | This app supports executing investigative actions like 'traceroute', 'ping', 'whois ip', and 'whois domain' to analyze a host. |
| Hive Project | TheHive | This app integrates with an instance of TheHive to perform ticketing actions |
| HoneyDB | HoneyDB | Performs investigative actions on the HoneyDB service |
| HPE | ArcSight ESM | This app implements creating and updating cases on ArcSight |
| IBM | Watson | Leverage IBM Watson for language translation |
| IBM | XForce | This app implements various investigative actions on the IBM XForce device |
| IBM | QRadar | This app supports investigative actions like 'get events' and 'get flows' on an IBM QRadar device. It also supports ingesting Incidents and Events into Phantom containers and artifacts |
| IBM | BigFix | This app supports several investigative actions on IBM Big Fix |
| IF | Maker Channel | IFTTT Maker Channel connector |
| Imperva | SecureSphere WAF | This app implements containment actions by integrating with the SecureServer Device |
| InfluxDB | InfluxDB | This app implements various investigative actions against an InfluxDB instance |
| Infoblox | DDI | This app supports various containment and investigative actions on Infoblox Grid Manager. |
| Interset | Interset | This app allows integration with the Interset analytics platform by implementing contain and investigate actions pertaining to importance and risk details respectively |
| Intsights | Cyber Intelligence | This app integrates with Intsights Cyber Intelligence. |
| Intsights | Intsights | This app integrates with Intsights Cyber Intelligence. |
| ipstack | ipstack | Integrates with ipstack to implement investigative actions |
| iSight-Partners | ThreatScape | This app integrates with iSight Partners' ThreatScape product. It implements the ingest action to pull campaign reports and parse them into containers with all the IOCs represented as artifacts. Investigative actions like 'hunt domain', 'hunt ip' etc. are also supported. |
| isitPhishing | isitPhishing | This app implements investigative actions on the isitPhishing service. |
| Ivanti | ITSM | This app integrates with Ivanti ITSM to provide ingestion and several ticketing actions |
| Jask | Jask | This app implements ingest action for fetching alerts on JASK ASOC Platform |
| Joe Sandbox | Joe Sandbox | This app supports executing investigative actions to analyze files and URLs on Joe Sandbox |
| Juniper Networks | Juniper Networks SRX | This app implements various containment actions like 'block ip' and 'block application' in addition to investigative actions like 'list applications' on a Juniper SRX device. Uses port 830 by default if no port is set. |
| Juniper Networks | Juniper Networks Cyphort | This app supports executing investigative actions like 'detonate file' to analyze executables on the Cyphort sandbox. |
| Kenna Security | Kenna Security | This app supports executing investigative actions like 'detonate file' to analyze executables on the Cyphort sandbox. |
| KnowThyCustomer | KnowThyCustomer | This app integrates with the KnowThyCustomer service to implement investigative actions |
| Koodous | Koodous Collaborative Malware Research Platform | This app integrates with Koodous to analyze APK files |
| Lastline | Lastline Detonator | This app supports executing investigative actions to analyze executables and URLs on the online Lastline sandbox |
| LogRhythym | LogRhythym SIEM | This app supports ingestion and several investigative actions on LogRhythm SIEM |
| MACVendors.com | MAC Address Vendor API Lookup | This app interfaces with the Cisco Meraki cloud managed devices. The search string specified is used to match a value in the client MAC address or description field. The default dashboard URL is dashboard.meraki.com. The API Key is generated in your account profile. An account with read only privileges is acceptable. |
| MalShare | MalShare Public Malware Repository | This app integrates with MalShare to provide several investigative actions |
| malwaredomainlist.com | Malware Domain List | This app retrieves IOC reputation from Malware Domain List |
| MalwareBytes | MalwareBytes Cloud Endpoint Security | This app integrates with the Malwarebytes Cloud platform to perform prevention, detection, remediation, and forensics endpoint management tasks |
| Malwr | Malwr Online Analysis and Research Platform | This app implements investigative actions on the Malwr cloud based sandbox. |
| Mattermost | Mattermost Chat Service | This app integrates with Mattermost to support various investigative actions |
| MaxMind | GeoIP2 IP Location Database | This app provides ip geolocation with the included MaxMind database. |
| McAfee | TrustedSource | McAfee TrustedSource provides an online service that enables you to check website categorization and risk levels |
| McAfee | Network Security Manager (NSM) | This app supports multiple containment actions on the McAfee NSM |
| McAfee | Enteprise Security Manager (ESM) | This app ingests data from a McAfee ESM device. Each event is parsed into a container and various event characteristics like the Rule, Signature and actionName are ingested into the event artifact. |
| McAfee | ePolicy Orchestrator (ePO) | This app implements various endpoint based investigative and containment actions by integrating with McAfee ePO |
| McAfee | OpenDXL | Push Notfications over McAfee OpenDXL |
| McAfee | Advanced Threat Defense (ATD) | This app supports executing investigative actions like 'detonate file' to analyze executables on the McAfee ATD appliance |
| Microsoft | Microsoft SQL Serve | This app supports investigative actions against a Microsoft SQL Server |
| Microsoft | Windows Remote Management | This app integrates with the Windows Remote Management service to execute various actions |
| Microsoft | Microsoft Sharepoint | Provides various interactions with Microsoft SharePoint sites |
| Microsoft | Office 365 | This app ingests emails from a mailbox in addition to supporting various investigative and containment actions on an Office 365 service |
| Microsoft | Windows Server - WMI | This App uses the WMI WQL to implement investigative actions that are executed on a Windows endpoint |
| Microsoft | Windows Server - LDAP | This app implements various actions that can be carried out on an AD server |
| Microsoft | Office 365 | Connects to Office 365 using the MS Graph API |
| Microsoft | Exchange Server | This app performs email ingestion, investigative and containment actions on an on-premise Exchange installation |
| Microsoft | System Center Operations Manager | This app integrates with Microsoft System Center Operations Manager (SCOM) to execute investigative actions |
| Microsoft | System Center Configuration Manager | This app integrates with Microsoft System Center Configuration Manager (SCCM) to execute investigative and generic actions |
| MISP Project | Malware Information Sharing Platform (MISP) | Take action with Malware Information Sharing Platform |
| Mnemonic | PassiveDNS | This app integrates with the Mnemonic Passive DNS API to implement investigative actions |
| MobileIron | MobileIron | This app allows endpoint management on MobileIron by implementing actions such as 'list devices', 'lock devices' and 'unlock device'. |
| MongoDB | MongoDB | This app supports CRUD operations in a MongoDB database |
| MxToolBox | MxToolBox | This app implements investigative actions on domains and IPs. |
| Myip.ms | Myip.ms Whois IP Service | This app integrates with the Myip.ms service to implement investigative actions |
| NC4 | Soltra Edge Cyber Threat Communications Platform | This App acts as a STIX client and implements the ingest action to pull data from a Soltra Edge device to create containers and artifacts. |
| Netskope | Netskope Cloud Access Security Broker | This app integrates with the Netskope to execute various investigative and polling actions |
| Neutrino API | Netskope Cloud Access Security Broker | This app integrates with the Netskope to execute various investigative and polling actions |
| Okta | Okta Identity and Access Management | This app supports various identity management actions on Okta |
| OpenStack | OpenStack Software Platform | This app interfaces with OpenStack to take an IP, and suspend the associated instance. It is intended to be coupled in a playbook with a ticketing system to log why the instance was suspended |
| OPSWAT | Metadefender Advanced Threat Prevention | App that connects to OPSWAT Metadefender for actions like ip reputation and file reputation. |
| Oracle | MySQL Database Server | This app supports investigative actions against a MySQL database |
| OSXCollector | OSXCollector Forensics and Analysis | Runs OSXCollector on an endpoint running OS X |
| PagerDuty | PagerDuty | This app integrates with PagerDuty to implement investigative and ticketing actions |
| Palo Alto Networks | WildFire Malware Analysis | This app supports file detonation for forensic file analysis on the Palo Alto Networks WildFire sandbox |
| Palo Alto Networks | AutoFocus Threat Intelligence | This app implements hunting and reporting actions on the AutoFocus threat intelligence service. |
| Palo Alto Networks | Panorama Network Security Management | This app integrates with the Palo Alto Networks Panorama product to support several containment and investigative actions |
| Palo Alto Networks | Next-Generation Firewall | This app integrates with the Palo Alto Networks Firewall to support containment actions like 'block url', 'block application' and 'block ip' in addition to investigative actions like 'list applications'. |
| Payload Security | Falcon Sandbox | This app integrates with Falcon Sandbox Services to provide investigative actions |
| Phantom | Message Parser | Integrate with Slack to post messages and attachments to channels |
| Phantom | Phantom App for Kafka | Integrate with Slack to post messages and attachments to channels |
| Phantom | Phantom API | This App exposes various Phantom APIs as actions |
| PhishLabs | PhishLabs Casetracker Portal | This app implements investigative actions on the PhishLabs Casetracker Portal |
| PioLink | TiFRONT Cloud Security Switch | This app supports containment actions like 'block ip' and 'unblock ip' on a TiFRONT device. |
| Pipl | Pipl People Search | This app integrates with Pipl to perform an investigative action |
| PostgreSQL | PostgreSQL Database Server | This app supports investigative actions against a PostgreSQL database |
| Proofpoint | Targeted Attack Protection (TAP) | This App integrates with Proofpoint to implement ingestion and investigative actions |
| ProtectWise | Network Detection and Response (NDR) | This app integrates with the ProtectWise cloud platform to implement ingestion and investigative actions |
| Qualys | SSL Labs Assessment API | This app supports executing investigative actions to analyze a host |
| Rapid7 | InsightVM Vulnerability Management | This app integrates with Rapid7 InsightVM (formerly Nexpose) to ingest scan data |
| Recorded Future | Recorded Future Threat Intelligence | Recorded Future |
| RedLock | RedLock | This app integrates with RedLock and ingests new alerts |
| ReversingLabs | TitaniumCloud File Reputation | This app implements investigative actions on the ReversingLabs reputation service |
| ReversingLabs | A1000 Malware Analysis | This app integrates with the ReversingLabs A1000 Advanced Malware Analysis Appliance to implement investigative actions |
| ReversingLabs | TitaniumScale Malware Analysis | This app integrates with ReversingLabs TiScale Enterprise Scale File Visibility platform to automate analysis and investigative actions for file samples |
| RIPE | RIPE Abuse Intelligence | This app integrates with RIPE to support investigative actions |
| RSA | Security Analytics | This App supports ingestion and investigative actions on RSA Security Analytics |
| RSA | Archer | This app implements ticket management actions on RSA Archer GRC. |
| RSA | NetWitness Logs and Packets | This app supports investigative actions to collect log and packet captures from RSA NetWitness Logs and Packets. |
| RSA | NetWitness Endpoint | This app supports executing various endpoint-based investigative and containment actions on RSA NetWitness Endpoint |
| RiskIQ | PassiveTotal | This app implements investigative actions by integrating with the PassiveTotal cloud reputation service |
| Screenshot Machine | Screenshot Machine | This app integrates with the Screenshot Machine service |
| Security Onion | Security Onion | This app integrates with the ELSA service included in the Security Onion security distribution |
| SentinelOne | SentinelOne | This app integrates with the SentinelOne platform to perform prevention, detection, remediation, and forensic endpoint management tasks |
| ServiceNow | ServiceNow Platform | This app provides ServiceNow integration for tickets and records |
| ShadowDragon | SocialNet Social Media Forensics and Investigations | This app supports investigative actions on the SocialNet cloud investigation API |
| Shodan | Shodan Search Engine | This app implements investigative actions like query ip and query domain to get information from the shodan search engine. |
| Slack | Slack Collaboration Platform | Integrate with Slack to post messages and attachments to channels |
| Soliton Systems | Infotrace Mark II Endpoint Detection and Response | This app supports containment actions on Soliton Mark II Server |
| SonicWALL | Firewall | Manipulate SonicWALL firewall via ECLI |
| SQLite | SQLite Database Server | This app supports investigative actions against a local SQLite database |
| Sumo Logic | Sumo Logic Log Management and Analytics | This app integrates with the Sumo Logic cloud platform to implement investigative actions |
| Symantec | Symantec Messaging Gateway | This app integrates with an instance of Symantec Messaging Gateway to perform containment and corrective actions |
| Symantec | Symantec Endpoint Protection 14 | Integrate with Symantec Endpoint Protection 14 to execute investigative, containment and corrective actions |
| Symantec | Symantec Data Loss Prevention (DLP) | This app ingests data from a Symantec Data Loss Prevention installation |
| Symantec | Symantec Content Analysis Software (CAS) | This app supports file investigation on the Symantec Content Analysis System |
| Symantec | Malware Analysis Service | Integrate with Malware Analysis Service (MAS) to execute actions like detonate file and get report |
| Symantec | DeepSight | This app supports hunting and a variety of investigative actions, in addition to report ingestion, from the Symantec DeepSight Intelligence cyber security service. |
| Symantec | Symantec Advanced Threat Protection (ATP) | This app integrates with a Symantec ATP (Advanced Threat Protection) device to implement ingestion, investigative and containment actions |
| Tala | Tala | This app implements various endpoint actions using Tala |
| Tanium | Tanium Endpoint Security | This app supports investigative and containment actions on Tanium |
| Tenable | Tenable.sc (SecurityCenter) | This app integrates with Tenable's SecurityCenter to provide endpoint-based investigative actions. |
| Tenable | Nessus Vulnerability Assessment | This app integrates with Tenable's Nessus scanner to provide endpoint-based investigative actions |
| ThreatConnect | ThreatConnect Threat Intelligence Platform | This app integrates with the ThreatConnect platform to provide various hunting actions in addition to threat ingestion. |
| ThreatCrowd | ThreatCrowd Threat Intelligence | This app provides free investigative actions such as file reputation, lookup domain, lookup ip, and lookup email. |
| ThreatMiner | ThreatMiner Threat Intelligence | This app integrates with the ThreatMiner API to provide investigation activities |
| ThreatQuotient | ThreatQ Threat Intelligence Platform | Integrates a variety of ThreatQ services into Phantom. |
| Tor | Tor Network | This app implements investigative actions to query info about the Tor network |
| TruSTAR | TruSTAR Intelligence Management Platform | This App integrates with TruSTAR to provide various hunting and reporting actions |
| Tufin | SecureTrack Firewall Policy Managment | This app supports investigative actions on Tufin SecureTrack |
| Twilio | Twilio Cloud Communications Platform | This app integrates with Twilio to send messages |
| unshorten.me | unshorten.me URL Expansion Service | This app integrates with the unshorten.me service to expand shortened URLs |
| urlscan.io | urlscan.io website scanner | This app supports investigative actions on urlscan.io |
| URLVoid | URLVoid Website Reputation Service | This app supports executing investigative and reputation actions on the URLVoid service |
| Vectra | Vectra Active Enforcement | This app ingests data from the Vectra Active Enforcement device |
| Verodin | Verodin Security Instrumentation Platform | Phantom app for Verodin |
| VictorOps | VictorOps DevOps Incident Management and IT Alerting | This app implements various investigative actions using VictorOps |
| VMRay | VMRay Malware Analysis Tool | Connector for VMRay Analyzer |
| VMware | vSphere Virtualization Management Software | This app implements investigative, containment and VM management actions on VMware ESXi or vCenter server |
| VMware | NSX Network Virtualization and Security | This app implements investigative and management action on VMware NSX, Network Virtualization and Security Platform |
| WiGLE | WiGLE Wireless Network Intelligence | This app integrates with the WiGLE service to implement investigative actions |
| xMatters | xMatters IT Event Management | This app integrates with xMatters to retrieve information about events and users |
| Zendesk | Zendesk Customer Service Software | This App allows for ticket management on Zendesk |
| Zetalytics | Zetalytics Passive DNS | This App implements investigative actions that query the ZETAlytics security feed and APIs |
| Zscaler | Zscaler Security System | This app implements containment and investigative actions on Zscaler |