Splunk® Phantom (Legacy)

Python Playbook API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Understanding apps and assets

Apps connect Splunk Phantom to third party services and provide actions that are used by playbooks. Assets are instances of apps configured by a Splunk Phantom admin. For more information, see About Splunk Phantom in the Use Splunk Phantom manual.

Apps and assets can be added to the system dynamically at any point through the user interface; assets can also be added and managed through the REST API. As new apps are added, you are expected to define an asset on which the app can run an action. Apps are written for a specific product, and each action of an app can indicate a regular expression for the product versions that it supports. Assets likewise specify the product and version of the configured instance.

When Splunk Phantom runs an action, the platform intelligently matches the actions and assets for the corresponding product and version. Actions are run only on assets whose product and version match the app product and version. For example, the application can specify a product like Virus Total, and the action file reputation can specify a version, such as EQ(*), which implies that the action can run on all versions of Virus Total. Different apps for different products of the same type can provide the same action. For example, apps for Cisco ASA Firewall and Palo Alto Networks Firewall might both support the block IP action. When the action is run, you have the option to run either the action to block an IP on specific assets or on all of the assets where there is a matching app that supports that action. For more information, see the Develop Apps for Splunk Phantom manual.
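
The matching described above, as an added illustration in plain Python (not Splunk Phantom's own code or the `phantom` playbook API): apps carry a product and a per-action version spec, assets carry a product and version, and the selection can be limited to named assets or span every asset with a matching app. The app names, asset names and version specs are constructed; the page states that EQ(*) accepts all versions, and any other spec is assumed here to be a regular expression.

```python
import re
from dataclasses import dataclass

@dataclass
class App:
    name: str
    product: str
    actions: dict  # action name -> version spec, e.g. {"block ip": "EQ(*)"}

@dataclass
class Asset:
    name: str
    app: str      # name of the app this asset is configured from
    product: str
    version: str

def version_matches(spec, version):
    # Assumption: "EQ(*)" means every version; any other spec is a regex here.
    if spec == "EQ(*)":
        return True
    return re.fullmatch(spec, version) is not None

def eligible_assets(action, apps, assets, only=None):
    """Names of assets on which `action` may run. only=None means every asset
    with a matching app that supports the action; a list restricts the run."""
    by_name = {a.name: a for a in apps}
    chosen = []
    for asset in assets:
        if only is not None and asset.name not in only:
            continue
        app = by_name.get(asset.app)
        if app is None or app.product != asset.product:
            continue  # product must match between app and asset
        spec = app.actions.get(action)
        if spec is None or not version_matches(spec, asset.version):
            continue  # app lacks the action, or version is outside its range
        chosen.append(asset.name)
    return chosen
# Constructed sample data; app names, asset names and version specs are made up.
APPS = [
    App("Cisco ASA", "Cisco ASA Firewall", {"block ip": r"9\..*"}),
    App("PAN Firewall", "Palo Alto Networks Firewall", {"block ip": "EQ(*)"}),
    App("VirusTotal", "Virus Total", {"file reputation": "EQ(*)"}),
]
ASSETS = [
    Asset("asa-edge", "Cisco ASA", "Cisco ASA Firewall", "9.12"),
    Asset("asa-old", "Cisco ASA", "Cisco ASA Firewall", "8.4"),
    Asset("pan-dc", "PAN Firewall", "Palo Alto Networks Firewall", "10.1"),
    Asset("vt", "VirusTotal", "Virus Total", "3"),
]
```

With this data, `eligible_assets("block ip", APPS, ASSETS)` returns only the ASA asset whose version satisfies the spec plus the Palo Alto asset, while passing `only=["pan-dc"]` restricts the run to that one asset.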

Some assets can also ingest data into Splunk Phantom. Data sources, such as a SIEM, can be configured for ingestion. For example, you can configure QRadar as an asset that also has an ingestion configuration for Offenses, the term QRadar uses for incidents, to be imported into the Splunk Phantom platform. You can also use an asset ingestion configuration to define the basic properties of the containers, such as the label or polling interval. For example, the QRadar ingestion configuration can specify that all offenses imported from QRadar be labeled as incidents. The QRadar app provides the implementation that interfaces with the QRadar asset and maps information in events on the QRadar system into CEF format as it is imported into Splunk Phantom.

Last modified on 04 September, 2020
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7