Splunk® Phantom (Legacy)

Develop Apps for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Splunk Phantom apps overview

Splunk Phantom apps extend the Splunk Phantom platform by adding connectivity to third-party security technologies so that actions can be run against them. Because a broad set of technologies may need to be orchestrated during a cyber response exercise, apps let users and partners add their own custom functionality.

Splunk Phantom apps are developed by engineers knowledgeable in Python and modern web technologies.

To develop a Splunk Phantom app, start with the app wizard:

  1. From the main menu, select Apps.
  2. Click App Wizard.

The Splunk Phantom portal hosts recordings of all past App Development webinars. View them for more insight and best practices.

Splunk Phantom app architecture

Splunk Phantom apps are written in Python and act as a bridge between the Splunk Phantom platform and other security devices or applications. Think of them as having two strict edges:

  • One of the edges is given an action to be carried out on behalf of the Splunk Phantom platform.
  • An app on the opposite edge converts the action into specific commands to communicate with its device or service.

The results of these actions are read by the app and passed back to the Splunk Phantom platform. This simple design makes it possible for the Splunk Phantom platform to carry out automated actions on behalf of the user.

This screen image shows three boxes. These boxes are Splunk Phantom Core Platform, App, and Device/Service. The action arrows connect Splunk Phantom Core Platform to App, and App to Device/Service. The result arrows connect Device/Service to App, and App to Splunk Phantom Core Platform.

The first edge is implemented by a rich set of Python APIs that the platform exposes to the app developer through a base class.

Apps distributed by Splunk Phantom or third parties are transmitted as .gzip archives that you can import into Splunk Phantom.

Splunk Phantom app components

A Splunk Phantom app consists of a number of components.

  • __init__.py: Required to initialize and define a Python package. You can use an empty file.
  • sampleapp.json: JSON metadata that describes the app and the functionality that the app provides.
  • sampleapp_connector.py: The app's main connector module (a Python script) that implements the actions provided by the app. This module contains a class derived from the BaseConnector class.
  • sampleapp_view.py: Optional widget view. This is a view in the sense of a standard MVC framework. Splunk Phantom is built on Django, an open source Python-based MVC framework, and the platform dynamically loads the views you specify in your JSON metadata file. Full documentation on views and templates is available on the Django documentation website.
  • sampleapp_view.html: Optional widget template. The template defines how the information within the view is rendered and displayed. The full complement of Django tags is available within a template.

This image shows the relationships among the Splunk Phantom app components and how they interact with each other. The components are described in the list immediately preceding this image.
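The two edges described under "Splunk Phantom app architecture", written out as a minimal connector module of the kind sampleapp_connector.py contains. This is an added illustration, not code from the Splunk Phantom documentation or SDK: handle_action() receives the action identifier and parameters from the platform edge, a private handler performs the device-edge work, and the outcome travels back through an ActionResult. It assumes the SDK names phantom.app, BaseConnector, ActionResult, add_action_result, get_action_identifier and set_status; when the SDK cannot be imported, the small stand-in classes under except are an offline substitute (an assumption, not the SDK), and the constructed reputation table stands in for a real service call.

```python
try:
    import phantom.app as phantom
    from phantom.base_connector import BaseConnector
    from phantom.action_result import ActionResult
except ImportError:
    # Offline stand-in for the SDK (assumption, not Splunk's code) so this module runs anywhere.
    class phantom:
        APP_SUCCESS, APP_ERROR = True, False

    class ActionResult:
        def __init__(self, param):
            self.param, self.data, self.status, self.message = param, [], None, ""
        def add_data(self, item):
            self.data.append(item)
        def set_status(self, status, message=""):
            self.status, self.message = status, message
            return status

    class BaseConnector:
        def __init__(self):
            self._identifier, self._results = None, []
        def get_action_identifier(self):
            return self._identifier
        def add_action_result(self, result):
            self._results.append(result)
            return result


class SampleConnector(BaseConnector):
    def __init__(self):
        super().__init__()
        # Device-facing edge: constructed lookup data in place of a real service call.
        self._reputation_db = {"198.51.100.7": "malicious", "203.0.113.9": "clean"}

    def _handle_ip_reputation(self, param):
        # One ActionResult per action run; its data and status flow back to the platform.
        result = self.add_action_result(ActionResult(dict(param)))
        verdict = self._reputation_db.get(param.get("ip"))
        if verdict is None:
            return result.set_status(phantom.APP_ERROR, "IP not known to the service")
        result.add_data({"ip": param["ip"], "verdict": verdict})
        return result.set_status(phantom.APP_SUCCESS)

    def handle_action(self, param):
        # Platform-facing edge: map the identifier declared in sampleapp.json to a handler.
        handler = {"ip_reputation": self._handle_ip_reputation}.get(self.get_action_identifier())
        if handler is None:
            return self.add_action_result(ActionResult(dict(param))).set_status(phantom.APP_ERROR, "Unsupported action")
        return handler(param)


def run_action(identifier, param):
    # Offline driver for the stand-in only; on a real platform the platform sets the identifier.
    conn = SampleConnector()
    conn._identifier = identifier
    return conn.handle_action(param), conn._results[0]
```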

Last modified on 10 August, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
