Splunk Phantom apps overview
Splunk Phantom apps provide a mechanism to extend the Splunk Phantom platform by adding connectivity to third-party security technologies so that actions can be run against them. Given the broad set of technologies that can be orchestrated during a cyber response exercise, apps give users and partners a supported way to add their own custom functionality.
Splunk Phantom apps are developed by engineers knowledgeable in Python and modern web technologies.
To develop a Splunk Phantom app, start with the app wizard:
- From the main menu, select Apps.
- Click App Wizard.
The Splunk Phantom portal hosts recordings of all past App Development webinars. View them to gain more insight into the process and its best practices.
Splunk Phantom app architecture
Splunk Phantom apps are written in Python to create a bridge between the Splunk Phantom platform and other security devices or applications. Think of them as having two strict edges:
- One of the edges is given an action to be carried out on behalf of the Splunk Phantom platform.
- An app on the opposite edge converts the action into specific commands to communicate with its device or service.
The results of these actions are read by the app and passed back to the Splunk Phantom platform. This simple design lets the Splunk Phantom platform carry out automated actions on behalf of the user.
The first edge is implemented by a rich set of Python APIs that the platform exposes to the app developer through a base class.
Apps distributed by Splunk Phantom or third parties are transmitted as .gzip archives that you can import into Splunk Phantom.
Splunk Phantom app components
A Splunk Phantom app consists of a number of components.
| Component | Description |
| --- | --- |
| | Required to initialize and define a Python package. You can use an empty file. |
| | JSON metadata that describes the app and the functionality that the app provides. |
| | The App Main Connector Module (Python script) that implements the actions provided by the app. This module is a class derived from the BaseConnector class. |
| | Optional widget view. This is a view in the sense of a standard MVC framework. Splunk Phantom is built on Django, an open-source Python-based MVC framework. The Splunk Phantom platform dynamically loads the views that you specify in your JSON metadata file. Full documentation on views and templates is available on the Django documentation website. |
| | Optional widget template. The template defines how the information within the view is rendered and displayed. The full complement of Django tags is available within a template. |
This image shows how the various components interact with each other.
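The following is an added example, not code from Splunk or from the Phantom SDK, that models the two edges described above together with the relationship between the JSON metadata and the connector module. Because the real `BaseConnector` and `ActionResult` classes ship only with the Phantom platform, the example substitutes minimal stand-ins for them (an assumption about their shape, not the platform's API), and the reputation service, the `FakeReputationClient` class, the `APP_JSON` document and the IP addresses are all constructed for the example. The connector validates the action parameters it receives before passing them to the device, and a helper checks that every action the metadata advertises actually has a handler in the connector.

```python
"""Added example: a model of a Phantom-style connector with its two edges."""
import ipaddress
import json

APP_SUCCESS = True   # stand-ins for the platform's status constants (assumption)
APP_ERROR = False


class ActionResult:
    """Stand-in for the platform's per-action result object (assumption)."""

    def __init__(self, param):
        self.param = param
        self.status = APP_ERROR
        self.message = ""
        self.data = []

    def set_status(self, status, message=""):
        self.status, self.message = status, message
        return status

    def add_data(self, item):
        self.data.append(item)

    def as_dict(self):
        return {"param": self.param, "status": self.status,
                "message": self.message, "data": list(self.data)}


class BaseConnector:
    """Stand-in for the platform base class (assumption about its shape).

    Edge one: the platform hands the app an action identifier plus parameters
    and collects the ActionResult objects the app produces.
    """

    def __init__(self):
        self._action_id = None
        self._results = []

    def get_action_identifier(self):
        return self._action_id

    def add_action_result(self, result):
        self._results.append(result)
        return result

    def run_action(self, action_id, param):
        self._action_id, self._results = action_id, []
        self.handle_action(param)
        return [r.as_dict() for r in self._results]


class FakeReputationClient:
    """Constructed stand-in for the third-party device on edge two."""

    KNOWN = {"198.51.100.7": "malicious"}  # RFC 5737 documentation address

    def ping(self):
        return True

    def lookup(self, ip):
        return self.KNOWN.get(ip, "unknown")


# Constructed subset of an app's JSON metadata: the actions it advertises.
APP_JSON = json.loads("""
{
  "name": "example reputation app",
  "actions": [
    {"action": "test connectivity", "identifier": "test_connectivity", "parameters": {}},
    {"action": "lookup ip", "identifier": "lookup_ip",
     "parameters": {"ip": {"required": true, "data_type": "string"}}}
  ]
}
""")


class ExampleConnector(BaseConnector):
    """Edge two: converts each action into calls against the device client."""

    def __init__(self, client=None):
        super().__init__()
        self._client = client or FakeReputationClient()

    def handle_action(self, param):
        action_id = self.get_action_identifier()
        result = self.add_action_result(ActionResult(dict(param)))
        # Dispatch only on identifiers this connector knows; anything else fails closed.
        handler = getattr(self, f"_handle_{action_id}", None)
        if handler is None:
            return result.set_status(APP_ERROR, f"Unsupported action: {action_id}")
        return handler(param, result)

    def _handle_test_connectivity(self, param, result):
        if not self._client.ping():
            return result.set_status(APP_ERROR, "Device unreachable")
        return result.set_status(APP_SUCCESS, "Connectivity test passed")

    def _handle_lookup_ip(self, param, result):
        # Parameters arrive from playbooks and users: validate before use.
        try:
            ip = str(ipaddress.ip_address(param.get("ip", "")))
        except ValueError:
            return result.set_status(APP_ERROR, "Parameter 'ip' is not a valid IP address")
        verdict = self._client.lookup(ip)
        result.add_data({"ip": ip, "verdict": verdict})
        return result.set_status(APP_SUCCESS, f"{ip} is {verdict}")


def unhandled_actions(app_json, connector_cls):
    """Return action identifiers declared in the metadata with no connector handler."""
    declared = {a["identifier"] for a in app_json["actions"]}
    handled = {n[len("_handle_"):] for n in dir(connector_cls) if n.startswith("_handle_")}
    return sorted(declared - handled)


if __name__ == "__main__":
    app = ExampleConnector()
    print("missing handlers:", unhandled_actions(APP_JSON, ExampleConnector))
    print(app.run_action("lookup_ip", {"ip": "198.51.100.7"}))
    print(app.run_action("lookup_ip", {"ip": "not-an-ip"}))
```

The `unhandled_actions` check is the kind of consistency test worth running before packaging an app: an action advertised in the JSON metadata but missing from the connector surfaces only at playbook run time otherwise. The explicit `_handle_` prefix also keeps a caller from reaching arbitrary connector methods through the action identifier.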
Connector module development
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9