Understanding apps and assets
Apps connect Splunk Phantom to third-party services and provide the actions that playbooks use. Assets are instances of apps configured by a Splunk Phantom admin. For more information, see About Splunk Phantom in the Use Splunk Phantom manual.
Apps and assets can be added dynamically through the user interface at any time; assets can also be added and managed through the REST API. When you add a new app, you are expected to define an asset on which the app can run its actions. Each app is written for a specific product, and each action of an app can specify a regular expression for the product versions it supports. Each asset likewise specifies the product and version it represents.
When Splunk Phantom runs an action, the platform matches the action to assets with the corresponding product and version: an action runs only on assets whose product and version match what the app and action declare. For example, an app can specify the product Virus Total, and its file reputation action can specify a version such as EQ(*), which means the action can run on all versions of Virus Total. Different apps for different products of the same type can provide the same action; for example, apps for Cisco ASA Firewall and Palo Alto Networks Firewall might both support the block IP action. When you run the action, you can choose to block an IP on specific assets or on every asset that has a matching app supporting that action. For more information, see the Develop Apps for Splunk Phantom manual.
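The following is an added example (not Splunk Phantom code, and not the platform's actual matching implementation) that models the product/version matching described above: an action is offered only on assets whose product matches the app's product and whose version satisfies the action's version specification, and the caller can either target specific assets or every eligible one. The app, asset and version values are constructed, and the treatment of the version field is an assumption: EQ(*) is taken as "any version" and any other specification is applied as a regular expression over the asset's version string, since the page does not describe the full version grammar.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class App:
    name: str
    product: str              # product the app is written for
    actions: Dict[str, str]   # action name -> supported version spec


@dataclass(frozen=True)
class Asset:
    name: str
    app: str                  # name of the app this asset is an instance of
    product: str              # product and version the asset represents
    version: str


def version_matches(spec: str, version: str) -> bool:
    """Assumption: EQ(*) accepts every version; anything else is a regex
    that must match the whole asset version string."""
    if spec.strip() == "EQ(*)":
        return True
    return re.fullmatch(spec, version) is not None


def eligible_assets(action: str, apps: Iterable[App], assets: Iterable[Asset],
                    only: Optional[Set[str]] = None) -> List[str]:
    """Names of assets on which `action` can run.

    `only` restricts the run to specific assets (the "run on specific assets"
    choice); None means every asset with a matching app that supports the action.
    """
    apps_by_name = {a.name: a for a in apps}
    chosen = []
    for asset in assets:
        app = apps_by_name.get(asset.app)
        if app is None or action not in app.actions:
            continue                       # app missing or does not offer this action
        if app.product != asset.product:
            continue                       # product mismatch: never run here
        if not version_matches(app.actions[action], asset.version):
            continue                       # version outside what the action supports
        if only is not None and asset.name not in only:
            continue                       # operator limited the run to specific assets
        chosen.append(asset.name)
    return chosen


# Constructed sample catalogue: one reputation app and two firewall apps that
# both provide "block ip". The ASA app's "block ip" is limited to 9.x versions.
APPS = [
    App("virustotal", "Virus Total", {"file reputation": "EQ(*)"}),
    App("cisco_asa", "Cisco ASA Firewall", {"block ip": r"9\..*"}),
    App("pan_firewall", "Palo Alto Networks Firewall", {"block ip": "EQ(*)"}),
]

ASSETS = [
    Asset("vt_prod", "virustotal", "Virus Total", "3"),
    Asset("asa_edge", "cisco_asa", "Cisco ASA Firewall", "9.8"),
    Asset("asa_legacy", "cisco_asa", "Cisco ASA Firewall", "8.4"),
    Asset("pan_dc", "pan_firewall", "Palo Alto Networks Firewall", "10.1"),
]


if __name__ == "__main__":
    print("block ip on all matching assets:", eligible_assets("block ip", APPS, ASSETS))
    print("block ip on pan_dc only:", eligible_assets("block ip", APPS, ASSETS, only={"pan_dc"}))
    print("file reputation:", eligible_assets("file reputation", APPS, ASSETS))
```

Running the block shows that `block ip` on all matching assets yields `asa_edge` and `pan_dc` but not `asa_legacy` (its 8.4 version falls outside the ASA action's 9.x specification), while restricting the run to `pan_dc` returns only that asset. When you wire a real action into a playbook, the asset list is the thing to review: a version-restricted action silently skips assets it does not support, which looks like a successful run with fewer results.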
Some assets can also ingest data. Data sources such as a SIEM can be configured for ingestion. For example, you can configure QRadar as an asset whose ingestion configuration imports Offenses, the term QRadar uses for incidents, into the Splunk Phantom platform. The asset ingestion configuration also defines basic properties of the resulting containers, such as the label or the polling interval; for example, a QRadar ingestion configuration can specify that all offenses imported from QRadar are labeled as incidents. The QRadar app provides the implementation that interfaces with the QRadar asset and maps information from events on the QRadar system into CEF format as it is imported into Splunk Phantom.
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7