LADS
This app supports containment actions like 'block ip' or 'unblock ip' using the A10 Lightning Application Delivery System (LADS).
AbuseIPDB
This app integrates with AbuseIPDB to perform investigative actions
Aella Data Starlight
This app integrates with an Aella Data installation to implement ingestion and investigative actions
Alexa
Connects to Alexa Web Information Services to implement the 'lookup url' action.
ThreatStream
Integrates a variety of reputation and lookup actions from the Anomali ThreatStream threat intelligence platform.
Kafka
This app implements ingesting and sending data on the Apache Kafka messaging system
Arbor Networks APS
This app integrates with Arbor Networks APS to execute containment and corrective actions
HipChat
This app integrates with HipChat to support different generic and investigative actions
Jira
This app supports a variety of ticket management actions on JIRA
AlertFind
Integrate with AlertFind to enable notification actions
AWS Athena
This app supports investigative actions on AWS Athena
AWS Community App
App Review - AWS App by GE
AWS Community App 2
AWS Community App - BAH
AWS IAM
This app integrates with Amazon Web Services Identity and Access Management (AWS IAM) to support various containment, corrective and investigative actions
AWS Lambda
This app integrates with AWS Lambda to invoke Lambda functions
AWS S3
This app integrates with AWS S3 to perform investigative actions
Axonius
This app integrates with the Axonius Cybersecurity Asset Management Platform to enrich asset data for investigations
Cyber Triage
Initiates a remote endpoint collection to support an investigation using Cyber Triage
Risk Fabric
This app supports retrieving entity risk scores from Risk Fabric
Request Tracker
This app allows ticket management on Request Tracker by implementing investigative and manipulative actions on the tickets
RemedyForce
This app allows ticket management on RemedyForce by implementing actions like create ticket and update ticket.
Remedy
This app supports ticket management functions on incidents in BMC Remedy.
CB Defense
This app integrates with an instance of Carbon Black Defense to run investigative actions
CB Response
This app supports executing various endpoint-based investigative and containment actions on Carbon Black Response
CB Protection
This app supports various investigative and containment actions on Carbon Black Enterprise Protection (formerly Bit9)
Censys
This app implements investigative actions to get information from the Censys search engine
Certly
Implements the 'url reputation' action by querying the Certly web API
Firewall
This app supports a variety of endpoint and network based containment actions on Check Point Firewall
Cherwell
This app implements various ticketing actions on Cherwell
Cisco ASA
This app supports containment actions like 'block ip' in addition to investigative actions like 'get config' and 'get version' on a Cisco ASA device.
Cisco Catalyst
This app supports containment actions like 'set system vlan' in addition to investigative actions like 'get config' and 'get version' on a Cisco Catalyst switch.
Cisco ESA
This app supports investigation on the Cisco Email Security Appliance (ESA) device.
Cisco FireAMP
This app allows users to connect to FireAMP with actions such as list endpoints, hunt url, and hunt ip.
Cisco Firepower
This app interfaces with Cisco Firepower devices to add or remove IPs or networks to a Firepower Network Group Object, which is configured with an ACL
Cisco FireSIGHT
This app implements investigative actions on the FireSIGHT device
Cisco ISE
This app implements investigative and containment actions such as 'quarantine device', 'terminate session' and 'list sessions' on a Cisco ISE device.
Cisco Router BGP RTBH
This app interfaces with Cisco IOS-XE devices to create a blackhole for configured IPs or networks in Cisco BGP networks.
Cisco Spark
Integrate with Cisco Spark to implement investigative actions
Cisco Tetration
This app supports a variety of investigative actions on Cisco Tetration Analytics
Cisco Umbrella
This app allows management of a domain list on the OpenDNS Umbrella Security platform by implementing actions like 'block domain', 'unblock domain' and 'list blocked domains'.
Duo Security
Use Duo Auth API to authenticate actions.
Meraki
This app interfaces with the Cisco Meraki cloud managed devices. The search string specified is used to match a value in the client MAC address or description field. The default dashboard URL is dashboard.meraki.com. The API Key is generated in your account profile. An account with read only privileges is acceptable.
PhishTank Phish Verification System
This app implements URL investigative capabilities utilizing PhishTank
ClickSend
This app integrates with ClickSend to send SMS messages
CloudPassage
This app supports a variety of investigative actions on CloudPassage Halo
Code42
This app integrates with Code42 to execute various containment, corrective and investigative actions
Cofense Intelligence
This app integrates with PhishMe Intelligence to provide various hunting and reporting actions in addition to threat ingestion
Critical Stack
This app integrates with the CriticalStack feed to implement investigative actions
CRITs
This app supports various investigative actions on CRITs
VirusTotal Threat Intelligence
This app integrates with the VirusTotal cloud to implement investigative and reputation actions
Crowdstrike Streaming
This app integrates with CrowdStrike security services to implement ingestion of endpoint security data
Crowdstrike Falcon Host
This app allows you to manage indicators of compromise (IOCs) and investigate your endpoints via the Falcon Host API
Cuckoo
This app supports executing various investigative actions on the Cuckoo sandbox
EDR
This app integrates with Cybereason to perform investigative, containment and corrective actions
Cylance Protect
This app supports various investigative, containment, and corrective actions on CylancePROTECT
MazeRunner
MazeRunner App
Cyware
Implements event reporting on the Cyware platform
Digital Shadows
This app integrates with Digital Shadows SearchLight to ingest and investigate credentials found in data breaches
DomainTools
Use DomainTools to query various current and historical data regarding domain names, domain registration and IPs
DomainTools Iris
Use the DomainTools Iris Investigate API to profile domain names, get risk scores, and find connected domains that share the same Whois details, web hosting profiles, SSL certificates, and more
DShield
Implements lookup ip action by querying the DShield web API
EclecticIQ
Threat Intelligence Platform (TIP) integration
Elasticsearch
This app integrates with an Elasticsearch installation to implement ingestion and investigative actions
Empire
This app supports a variety of actions to interact with the REST API of Empire - https://github.com/powershellempire/empire
Endace
This app integrates with the Endace Packet Capture device to implement investigative actions
Endgame
This app integrates with Endgame to execute investigative and corrective actions
Cymon
Queries Cymon for IP, URL, domain, and blacklist information.
Extrahop
This app integrates with the ExtraHop platform to perform investigative actions based on real-time network data
BigIP
This app supports containment actions like 'block ip' or 'unblock ip' on an F5 BIG-IP appliance. There must be a firewall policy (Security ›› Network Firewall : Policies) configured on the BIG-IP, and the name of the policy must be specified in the Action Parameters. The rule name can be the source IP address appended to a keyword string, e.g. 'Phantom' + ip.
DNSDB
This app supports investigative DNS lookup actions on DNSDB
FireEye HX
FireEye HX Endpoint Security
FireEye CM
Leverage the FireEye Web Services API to download malware objects.
Floodlight
Implements command and control for the Floodlight SDN controller
Forcepoint Next Generation Firewall
This app integrates with Forcepoint Firewall
Forescout NAC
This app implements various network access control actions for ForeScout
FortiSIEM
This app integrates with FortiSIEM, a security, performance, compliance, information and event management platform, to support detection and remediation of security events
FortiGate
This app supports a variety of containment and investigative actions on the FortiGate Firewall.
BerryIO
This app supports actions for APIs on the BerryIO project for the Raspberry Pi, such as GPIO status, get and set.
Timer
This app will generate an empty event which can be used to kick off a playbook at scheduled intervals
NetBios
This app implements various investigative actions using the NetBIOS protocol
RSS
Ingest IOCs from an RSS Feed
Whois RDAP
This app implements the investigative action 'whois ip' using RDAP.
Whois
This app implements investigative actions that query the whois database
SSH
This app supports executing various endpoint-based investigative and containment actions on an SSH endpoint
SMTP
This app provides the ability to send email using SMTP
REST Data Source
This app implements custom REST handlers for external implementations to push ingest data such as events and artifacts into Phantom
NMAP
This app integrates with NMAP in order to provide detailed network information
IMAP
This app supports email ingestion and various investigative actions over IMAP
HTTP
This app facilitates making HTTP requests as actions
Generator
This app generates sample data for ingestion
DNS
This app implements investigative actions that return DNS Records for the object queried
git
This app integrates with git and supports common git actions
GigaVUE FM
This app leverages APIs from GigaVUE-FM 5.1 and above to perform investigative and corrective actions
Big Query
This app allows running investigative actions against Google BigQuery
GSuite
This app allows various file manipulation actions to be performed on Google Drive
GRR Rapid Response
This app implements various actions from the GRR API
Safe Browsing
This app integrates with Google Safe Browsing to execute reputation-based actions
GSuite for Gmail
Integrates with G Suite for various investigative and containment actions
GreyNoise
This app implements investigative actions to fetch IP details using the GreyNoise API
HackerTarget
This app supports executing investigative actions like 'traceroute', 'ping', 'whois ip', and 'whois domain' to analyze a host.
TheHive
This app integrates with an instance of TheHive to perform ticketing actions
HoneyDB
Performs investigative actions on the HoneyDB service
ArcSight ESM
This app implements creating and updating cases on ArcSight
Watson
Leverage IBM Watson for language translation
XForce
This app implements various investigative actions on the IBM X-Force device
QRadar
This app supports investigative actions like 'get events' and 'get flows' on an IBM QRadar device. It also supports ingesting Incidents and Events into Phantom containers and artifacts
BigFix
This app supports several investigative actions on IBM BigFix
Maker Channel
IFTTT Maker Channel connector
SecureSphere WAF
This app implements containment actions by integrating with the SecureSphere device
InfluxDB
This app implements various investigative actions against an InfluxDB instance
DDI
This app supports various containment and investigative actions on Infoblox Grid Manager.
Interset
This app allows integration with the Interset analytics platform by implementing containment and investigative actions pertaining to importance and risk details respectively
Cyber Intelligence
This app integrates with Intsights Cyber Intelligence.
Intsights
This app integrates with Intsights Cyber Intelligence.
ipstack
Integrates with ipstack to implement investigative actions
ThreatScape
This app integrates with iSight Partners' ThreatScape product. It implements the ingest action to pull campaign reports and parse them into containers with all the IOCs represented as artifacts. Investigative actions like 'hunt domain', 'hunt ip' etc. are also supported.
isitPhishing
This app implements investigative actions on the isitPhishing service.
ITSM
This app integrates with Ivanti ITSM to provide ingestion and several ticketing actions
Jask
This app implements the ingest action to fetch alerts from the JASK ASOC platform
Joe Sandbox
This app supports executing investigative actions to analyze files and URLs on Joe Sandbox
Juniper Networks SRX
This app implements various containment actions like 'block ip' and 'block application' in addition to investigative actions like 'list applications' on a Juniper SRX device. Uses port 830 by default if no port is set.
Juniper Networks Cyphort
This app supports executing investigative actions like 'detonate file' to analyze executables on the Cyphort sandbox.
Kenna Security
This app integrates with Kenna Security to implement various investigative actions
KnowThyCustomer
This app integrates with the KnowThyCustomer service to implement investigative actions
Koodous Collaborative Malware Research Platform
This app integrates with Koodous to analyze APK files
Lastline Detonator
This app supports executing investigative actions to analyze executables and URLs on the online Lastline sandbox
LogRhythm SIEM
This app supports ingestion and several investigative actions on LogRhythm SIEM
MAC Address Vendor API Lookup
MalShare Public Malware Repository
This app integrates with MalShare to provide several investigative actions
Malware Domain List
This app retrieves IOC reputation from Malware Domain List
MalwareBytes Cloud Endpoint Security
This app integrates with the Malwarebytes Cloud platform to perform prevention, detection, remediation, and forensics endpoint management tasks
Malwr Online Analysis and Research Platform
This app implements investigative actions on the Malwr cloud based sandbox.
Mattermost Chat Service
This app integrates with Mattermost to support various investigative actions
GeoIP2 IP Location Database
This app provides ip geolocation with the included MaxMind database.
TrustedSource
McAfee TrustedSource provides an online service that enables you to check website categorization and risk levels
Network Security Manager (NSM)
This app supports multiple containment actions on the McAfee NSM
Enterprise Security Manager (ESM)
This app ingests data from a McAfee ESM device. Each event is parsed into a container and various event characteristics like the Rule, Signature and actionName are ingested into the event artifact.
ePolicy Orchestrator (ePO)
This app implements various endpoint based investigative and containment actions by integrating with McAfee ePO
OpenDXL
Push Notifications over McAfee OpenDXL
Advanced Threat Defense (ATD)
This app supports executing investigative actions like 'detonate file' to analyze executables on the McAfee ATD appliance
Microsoft SQL Server
This app supports investigative actions against a Microsoft SQL Server
Windows Remote Management
This app integrates with the Windows Remote Management service to execute various actions
Microsoft Sharepoint
Provides various interactions with Microsoft SharePoint sites
Office 365
This app ingests emails from a mailbox in addition to supporting various investigative and containment actions on an Office 365 service
Windows Server - WMI
This app uses WMI Query Language (WQL) to implement investigative actions that are executed on a Windows endpoint
Windows Server - Agent
Windows Server - LDAP
This app implements various actions that can be carried out on an AD server
Office 365
Connects to Office 365 using the MS Graph API
Exchange Server
This app performs email ingestion, investigative and containment actions on an on-premise Exchange installation
System Center Operations Manager
This app integrates with Microsoft System Center Operations Manager (SCOM) to execute investigative actions
System Center Configuration Manager
This app integrates with Microsoft System Center Configuration Manager (SCCM) to execute investigative and generic actions
Malware Information Sharing Platform (MISP)
Take action with Malware Information Sharing Platform
PassiveDNS
This app integrates with the Mnemonic Passive DNS API to implement investigative actions
MobileIron
This app allows endpoint management on MobileIron by implementing actions such as 'list devices', 'lock devices' and 'unlock device'.
MongoDB
This app supports CRUD operations in a MongoDB database
MxToolBox
This app implements investigative actions on domains and IPs.
Myip.ms Whois IP Service
This app integrates with the Myip.ms service to implement investigative actions
Soltra Edge Cyber Threat Communications Platform
This app acts as a STIX client and implements the ingest action to pull data from a Soltra Edge device to create containers and artifacts.
Netskope Cloud Access Security Broker
This app integrates with Netskope to execute various investigative and polling actions
Neutrino API Developer Power Tools
Detect potentially malicious or dangerous IP addresses by integrating with Neutrino API
Okta Identity and Access Management
This app supports various identity management actions on Okta
OpenStack Software Platform
This app interfaces with OpenStack to take an IP, and suspend the associated instance. It is intended to be coupled in a playbook with a ticketing system to log why the instance was suspended
Metadefender Advanced Threat Prevention
This app connects to OPSWAT Metadefender for actions like 'ip reputation' and 'file reputation'.
MySQL Database Server
This app supports investigative actions against a MySQL database
OSXCollector Forensics and Analysis
Runs OSXCollector on an endpoint running OS X
PagerDuty
This app integrates with PagerDuty to implement investigative and ticketing actions
WildFire Malware Analysis
This app supports file detonation for forensic file analysis on the Palo Alto Networks WildFire sandbox
AutoFocus Threat Intelligence
This app implements hunting and reporting actions on the AutoFocus threat intelligence service.
Panorama Network Security Management
This app integrates with the Palo Alto Networks Panorama product to support several containment and investigative actions.
Next-Generation Firewall
This app integrates with the Palo Alto Networks Firewall to support containment actions like 'block url', 'block application' and 'block ip' in addition to investigative actions like 'list applications'.
Falcon Sandbox
This app integrates with Falcon Sandbox Services to provide investigative actions
Message Parser
Phantom App for Kafka
Phantom API
This app exposes various Phantom APIs as actions
PhishLabs Casetracker Portal
This app implements investigative actions on the PhishLabs Casetracker Portal
TiFRONT Cloud Security Switch
This app supports containment actions like 'block ip' and 'unblock ip' on a TiFRONT device.
Pipl People Search
This app integrates with Pipl to perform an investigative action
PostgreSQL Database Server
This app supports investigative actions against a PostgreSQL database
Targeted Attack Protection (TAP)
This app integrates with Proofpoint to implement ingestion and investigative actions
Network Detection and Response (NDR)
This app integrates with the ProtectWise cloud platform to implement ingestion and investigative actions
SSL Labs Assessment API
This app supports executing investigative actions to analyze a host
InsightVM Vulnerability Management
This app integrates with Rapid7 InsightVM (formerly Nexpose) to ingest scan data
Recorded Future Threat Intelligence
Recorded Future
Ansible Tower
This app launches a job template on Ansible Tower 3.0. The job template can be specified by its name or numeric ID. Ansible extra vars can be passed to the playbook. After a successful launch, the app waits for the job to complete and returns the job status, polling up to the specified number of dead interval iterations. With Ansible Tower 3.0, if extra variables need to be passed, the job template must have 'Prompt on launch' checked.
RedLock
This app integrates with RedLock and ingests new alerts
TitaniumCloud File Reputation
This app implements investigative actions on the ReversingLabs reputation service
A1000 Malware Analysis
This app integrates with the ReversingLabs A1000 Advanced Malware Analysis Appliance to implement investigative actions
TitaniumScale Malware Analysis
This app integrates with ReversingLabs TiScale Enterprise Scale File Visibility platform to automate analysis and investigative actions for file samples
RIPE Abuse Intelligence
This app integrates with RIPE to support investigative actions
Security Analytics
This app supports ingestion and investigative actions on RSA Security Analytics
Archer
This app implements ticket management actions on RSA Archer GRC.
NetWitness Logs and Packets
This app supports investigative actions to collect log and packet captures from RSA NetWitness Logs and Packets.
NetWitness Endpoint
This app supports executing various endpoint-based investigative and containment actions on RSA NetWitness Endpoint
PassiveTotal
This app implements investigative actions by integrating with the PassiveTotal cloud reputation service
Screenshot Machine
This app integrates with the Screenshot Machine service
Security Onion
This app integrates with the ELSA service included in the Security Onion security distribution
SentinelOne
This app integrates with the SentinelOne platform to perform prevention, detection, remediation, and forensic endpoint management tasks
ServiceNow Platform
This app provides ServiceNow integration for tickets and records
SocialNet Social Media Forensics and Investigations
This app supports investigative actions on the SocialNet cloud investigation API
Shodan Search Engine
This app implements investigative actions like 'query ip' and 'query domain' to get information from the Shodan search engine.
Slack Collaboration Platform
Integrate with Slack to post messages and attachments to channels
Infotrace Mark II Endpoint Detection and Response
This app supports containment actions on Soliton Mark II Server
Firewall
Manipulate SonicWALL firewall via ECLI
SQLite Database Server
This app supports investigative actions against a local SQLite database
Sumo Logic Log Management and Analytics
This app integrates with the Sumo Logic cloud platform to implement investigative actions
Symantec Messaging Gateway
This app integrates with an instance of Symantec Messaging Gateway to perform containment and corrective actions
Symantec Endpoint Protection 14
Integrate with Symantec Endpoint Protection 14 to execute investigative, containment and corrective actions
Symantec Data Loss Prevention (DLP)
This app ingests data from a Symantec Data Loss Prevention installation
Symantec Content Analysis Software (CAS)
This app supports file investigation on the Symantec Content Analysis System
Malware Analysis Service
Integrate with Malware Analysis Service (MAS) to execute actions like detonate file and get report
DeepSight
This app supports hunting and a variety of investigative actions, in addition to report ingestion, from the Symantec DeepSight Intelligence cyber security service.
Symantec Advanced Threat Protection (ATP)
This app integrates with a Symantec ATP (Advanced Threat Protection) device to implement ingestion, investigative and containment actions
Tala
This app implements various endpoint actions using Tala
Tanium Endpoint Security
This app supports investigative and containment actions on Tanium
Tenable.sc (SecurityCenter)
This app integrates with Tenable's SecurityCenter to provide endpoint-based investigative actions.
Nessus Vulnerability Assessment
This app integrates with Tenable's Nessus scanner to provide endpoint-based investigative actions
ThreatConnect Threat Intelligence Platform
This app integrates with the ThreatConnect platform to provide various hunting actions in addition to threat ingestion.
ThreatCrowd Threat Intelligence
This app provides free investigative actions such as file reputation, lookup domain, lookup ip, and lookup email.
ThreatMiner Threat Intelligence
This app integrates with the ThreatMiner API to provide investigative actions
ThreatQ Threat Intelligence Platform
Integrates a variety of ThreatQ services into Phantom.
Tor Network
This app implements investigative actions to query information about the Tor network
TruSTAR Intelligence Management Platform
This app integrates with TruSTAR to provide various hunting and reporting actions
SecureTrack Firewall Policy Management
This app supports investigative actions on Tufin SecureTrack
Twilio Cloud Communications Platform
This app integrates with Twilio to send messages
unshorten.me URL Expansion Service
This app integrates with the unshorten.me service to expand shortened URLs
urlscan.io website scanner
This app supports investigative actions on urlscan.io
URLVoid Website Reputation Service
This app supports executing investigative and reputation actions on the URLVoid service
Vectra Active Enforcement
This app ingests data from the Vectra Active Enforcement device
Verodin Security Instrumentation Platform
Phantom app for Verodin
VictorOps DevOps Incident Management and IT Alerting
This app implements various investigative actions using VictorOps
VMRay Malware Analysis Tool
Connector for VMRay Analyzer
vSphere Virtualization Management Software
This app implements investigative, containment and VM management actions on VMware ESXi or vCenter server
NSX Network Virtualization and Security
This app implements investigative and management actions on VMware NSX, Network Virtualization and Security Platform
Volatility Open Source Memory Forensics
This app implements a variety of investigative actions on the Volatility forensics analysis platform.
WiGLE Wireless Network Intelligence
This app integrates with the WiGLE service to implement investigative actions
xMatters IT Event Management
This app integrates with xMatters to retrieve information about events and users
Zendesk Customer Service Software
This app allows for ticket management on Zendesk
Zetalytics Passive DNS
This app implements investigative actions that query the Zetalytics security feed and APIs
Zscaler Security System
This app implements containment and investigative actions on Zscaler