SPLUNK PHANTOM
Apps & Integrations

Vendor App Summary
A10 LADS This app supports containment actions like 'block ip' or 'unblock ip' using the A10 Lightning Application Delivery System (LADS).
AbuseIPDB AbuseIPDB This app integrates with AbuseIPDB to perform investigative actions
Aella Data Aella Data Starlight This app integrates with an Aella Data installation to implement ingestion and investigative actions
Amazon Alexa Connects to Alexa Web Information Services for lookup url.
Anomali ThreatStream Integrates a variety of reputation and lookup actions from the Anomali ThreatStream threat intelligence platform.
Apache Kafka This app implements ingesting and sending data on the Apache Kafka messaging system
Arbor Networks Arbor Networks APS This app integrates with Arbor Networks APS to execute containment and corrective actions
Atlassian HipChat This app integrates with HipChat to support different generic and investigative actions
Atlassian Jira This app supports a variety of ticket management actions on JIRA
Aurea AlertFind Integrate with AlertFind to enable notification actions
AWS AWS Athena This app supports investigative actions on AWS Athena
AWS AWS Community App App Review - AWS App by GE
AWS AWS Community App 2 AWS Community App - BAH
AWS AWS IAM This app integrates with Amazon Web Services Identity Access Management (AWS IAM) to support various containment, corrective and investigative actions
AWS AWS Lambda This app integrates with AWS Lambda to perform lambda functions
AWS AWS S3 This app integrates with AWS S3 to perform investigative actions
Axonius Axonius This app integrates with the Axonius Cybersecurity Asset Management Platform to enrich asset data for investigations
     
Basis Technology Cyber Triage Initiates a remote endpoint collection to support an investigation using Cyber Triage
Bay Dynamics Risk Fabric This app supports retrieving entity risk scores from Risk Fabric
Best Practical Request Tracker This app allows ticket management on Request Tracker by implementing investigative and manipulative actions on the tickets
BMC Software RemedyForce This app allows ticket management on RemedyForce by implementing actions like create ticket and update ticket.
BMC Software Remedy This app supports ticket management functions on incidents in BMC Remedy.
     
Carbon Black CB Defense This app integrates with an instance of Carbon Black defense to run investigative actions
Carbon Black CB Response This app supports executing various endpoint-based investigative and containment actions on Carbon Black Response
Carbon Black CB Protection This app supports various investigative and containment actions on Carbon Black Enterprise Protection (formerly Bit9)
Censys Censys This app implements investigative actions to get information from the censys search engine
Certly Certly Implements url reputation action by querying the Certly web API
Check-Point-Software Firewall This app supports a variety of endpoint and network based containment actions on Check Point Firewall
Cherwell Cherwell This app implements various ticketing actions on Cherwell
Cisco Cisco ASA This app supports containment actions like 'block ip' in addition to investigative actions like 'get config' and 'get version' on a Cisco ASA device.
Cisco Cisco Catalyst This app supports containment actions like 'set system vlan' in addition to investigative actions like 'get config' and 'get version' on a Cisco Catalyst switch.
Cisco Cisco ESA This app supports investigation on the Cisco Email Security Appliance (ESA) device.
Cisco Cisco FireAMP This app allows users to connect to FireAMP with actions such as list endpoints, hunt url, and hunt ip.
Cisco Cisco Firepower This app interfaces with Cisco Firepower devices to add or remove IPs or networks to a Firepower Network Group Object, which is configured with an ACL
Cisco Cisco FireSIGHT This app implements investigative actions on the FireSIGHT device
Cisco Cisco ISE This app implements investigative and containment actions like 'quarantine device', 'terminate session' and 'list sessions' etc. on a Cisco ISE device.
Cisco Cisco Router BGP RTBH This app interfaces with Cisco IOS-XE devices to create a blackhole for configured IPs or networks in Cisco BGP networks.
Cisco Cisco Spark Integrate with Cisco Spark to implement investigative actions
Cisco Cisco Tetration This app supports a variety of investigative actions on Cisco Tetration Analytics
Cisco Cisco Umbrella This app allows management of a domain list on the OpenDNS Umbrella Security platform by implementing actions like 'block domain', 'unblock domain' and 'list blocked domains'.
Cisco Duo Security Use Duo Auth API to authenticate actions.
Cisco Meraki This app interfaces with the Cisco Meraki cloud managed devices. The search string specified is used to match a value in the client MAC address or description field. The default dashboard URL is dashboard.meraki.com. The API Key is generated in your account profile. An account with read only privileges is acceptable.
Cisco PhishTank Phish Verification System This app implements URL investigative capabilities utilizing PhishTank
ClickSend ClickSend This app integrates with ClickSend to send SMS messages
CloudPassage CloudPassage This app supports a variety of investigative actions on CloudPassage Halo
Code42 Code42 This app integrates with Code42 to execute various containment, corrective and investigative actions
Cofense Cofense Intelligence This App integrates with PhishMe Intelligence to provide various hunting and reporting actions in addition to threat ingestion
Critical Stack Critical Stack This app integrates with the CriticalStack feed to implement investigative actions
CRITs CRITs This App supports various investigative actions on CRITs
Chronicle VirusTotal Threat Intelligence This app integrates with the VirusTotal cloud to implement investigative and reputation actions
Crowdstrike Crowdstrike Streaming This app integrates with CrowdStrike security services to implement ingestion of endpoint security data
Crowdstrike Crowdstrike Falcon Host This app allows you to manage indicators of compromise (IOC) and investigate your endpoints on the Falcon Host API
Cuckoo Cuckoo This app supports executing various investigative actions on the Cuckoo sandbox
Cybereason EDR This app integrates with Cybereason to perform investigative, containment and corrective actions
Cylance Cylance Protect This app supports various investigative, containment, and corrective actions on CylancePROTECT
Cymmetria MazeRunner MazeRunner App
Cyware Cyware Implements event reporting on the Cyware platform
     
Digital Shadows Digital Shadows This app integrates with Digital Shadows SearchLight to ingest and investigate credentials found in data breaches
DomainTools DomainTools Use DomainTools to query various current and historical data regarding domain names, domain registration and IPs
DomainTools DomainTools Iris Use the DomainTools Iris Investigate API to profile domain names, get risk scores, and find connected domains that share the same Whois details, web hosting profiles, SSL certificates, and more
DShield DShield Implements lookup ip action by querying the DShield web API
     
EclecticIQ EclecticIQ TIP integration
Elastic Elasticsearch This app integrates with an Elasticsearch installation to implement ingestion and investigative actions
Empire Empire This app supports a variety of actions to interact with the REST API of Empire - https://github.com/powershellempire/empire
Endace Endace App integrates with the Endace Packet Capture device to implement investigative actions
Endgame Endgame This app integrates with Endgame to execute investigative and corrective actions
eSentire Cymon Queries Cymon for IP, URL, domain, and blacklist information.
Extrahop Extrahop This app integrates with the ExtraHop platform to perform investigative actions based on real-time network data
     
F5 BigIP This app supports containment actions like 'block ip' or 'unblock ip' on an F5 BIG-IP appliance. There must be a firewall policy (Security››Network Firewall:Policies) configured on the BIG-IP and the name of the policy must be specified in the Action Parameters. The rule name can be the source IP address appended to a keyword string, e.g. 'Phantom' + ip
Farsight Security DNSDB This app supports investigative DNS lookup actions on DNSDB
FireEye FireEye HX FireEye HX Endpoint Security
FireEye FireEye CM Leverage the FireEye Web Services API to download malware objects.
Floodlight Floodlight Implements command and control for the Floodlight SDN controller
Forcepoint Forcepoint Next Generation Firewall This app integrates with Forcepoint Firewall
Forescout Forescout NAC This app implements various network access control actions for ForeScout
Fortinet Fortisiem This app implements various network access control actions for ForeScout
Fortinet FortiGate This app supports a variety of containment and investigative actions on the FortiGate Firewall.
     
Generic BerryIO This app supports actions for APIs on the BerryIO project for the Raspberry Pi, such as GPIO status, get and set.
Generic Timer This app will generate an empty event which can be used to kick off a playbook at scheduled intervals
Generic NetBios This app implements various investigative actions using the NetBIOS protocol
Generic RSS Ingest IOCs from an RSS Feed
Generic Whois RDAP This App implements the investigative action 'whois ip' using RDAP.
Generic Whois This App implements investigative actions that query the whois database
Generic SSH This app supports executing various endpoint-based investigative and containment actions on an SSH endpoint
Generic SMTP This app provides the ability to send email using SMTP
Generic REST Data Source This app implements custom REST handlers for external implementations to push ingest data such as events and artifacts into Phantom
Generic NMAP This app integrates with NMAP in order to provide detailed network information
Generic IMAP This app supports email ingestion and various investigative actions over IMAP
Generic HTTP This App facilitates making HTTP requests as actions
Generic Generator This app generates ingested sample data
Generic DNS This app implements investigative actions that return DNS Records for the object queried
Generic git This app integrates with git and supports common git actions
Gigamon GigaVUE FM This app leverages APIs from GigaVUE-FM 5.1 and above to perform investigative and corrective actions
Google Big Query This app allows running investigative actions against Google BigQuery
Google GSuite This app allows various file manipulation actions to be performed on Google Drive
Google GRR Rapid Response This app implements various actions from the GRR API
Google Safe Browsing This app integrates with Google Safe Browsing to execute reputation-based actions
Google GSuite for Gmail Integrates with G Suite for various investigative and containment actions
Greynoise Greynoise This app implements investigative actions to fetch IP details using the Greynoise API
     
HackerTarget HackerTarget This app supports executing investigative actions like 'traceroute', 'ping', 'whois ip', and 'whois domain' to analyze a host.
Hive Project TheHive This app integrates with an instance of TheHive to perform ticketing actions
HoneyDB HoneyDB Performs investigative actions on the HoneyDB service
HPE ArcSight ESM This app implements creating and updating cases on ArcSight
     
IBM Watson Leverage IBM Watson for language translation
IBM XForce This app implements various investigative actions on the IBM XForce device
IBM QRadar This app supports investigative actions like 'get events' and 'get flows' on an IBM QRadar device. It also supports ingesting Incidents and Events into Phantom containers and artifacts
IBM BigFix This app supports several investigative actions on IBM Big Fix
IF Maker Channel IFTTT Maker Channel connector
Imperva SecureSphere WAF This app implements containment actions by integrating with the SecureServer Device
InfluxDB InfluxDB This app implements various investigative actions against an InfluxDB instance
Infoblox DDI This app supports various containment and investigative actions on Infoblox Grid Manager.
Interset Interset This app allows integration with the Interset analytics platform by implementing containment and investigative actions pertaining to importance and risk details respectively
Intsights Cyber Intelligence This app integrates with Intsights Cyber Intelligence.
Intsights Intsights This app integrates with Intsights Cyber Intelligence.
ipstack ipstack Integrates with ipstack to implement investigative actions
iSight-Partners ThreatScape This app integrates with iSight Partners' ThreatScape product. It implements the ingest action to pull campaign reports and parse them into containers with all the IOCs represented as artifacts. Investigative actions like 'hunt domain', 'hunt ip' etc. are also supported.
isitPhishing isitPhishing This app implements investigative actions on the isitPhishing service.
Ivanti ITSM This app integrates with Ivanti ITSM to provide ingestion and several ticketing actions
     
Jask Jask This app implements ingest action for fetching alerts on JASK ASOC Platform
Joe Sandbox Joe Sandbox This app supports executing investigative actions to analyze files and URLs on Joe Sandbox
Juniper Networks Juniper Networks SRX This app implements various containment actions like 'block ip' and 'block application' in addition to investigative actions like 'list applications' on a Juniper SRX device. Uses port 830 by default if no port is set.
Juniper Networks Juniper Networks Cyphort This app supports executing investigative actions like 'detonate file' to analyze executables on the Cyphort sandbox.
     
Kenna Security Kenna Security This app supports executing investigative actions like 'detonate file' to analyze executables on the Cyphort sandbox.
KnowThyCustomer KnowThyCustomer This app integrates with the KnowThyCustomer service to implement investigative actions
Koodous Koodous Collaborative Malware Research Platform This app integrates with Koodous to analyze APK files
     
Lastline Lastline Detonator This app supports executing investigative actions to analyze executables and URLs on the online Lastline sandbox
LogRhythm LogRhythm SIEM This app supports ingestion and several investigative actions on LogRhythm SIEM
     
MACVendors.com MAC Address Vendor API Lookup This app interfaces with the Cisco Meraki cloud managed devices. The search string specified is used to match a value in the client MAC address or description field. The default dashboard URL is dashboard.meraki.com. The API Key is generated in your account profile. An account with read only privileges is acceptable.
MalShare MalShare Public Malware Repository This app integrates with MalShare to provide several investigative actions
malwaredomainlist.com Malware Domain List This app retrieves IOC reputation from Malware Domain List
MalwareBytes MalwareBytes Cloud Endpoint Security This app integrates with the Malwarebytes Cloud platform to perform prevention, detection, remediation, and forensics endpoint management tasks
Malwr Malwr Online Analysis and Research Platform This app implements investigative actions on the Malwr cloud based sandbox.
Mattermost Mattermost Chat Service This app integrates with Mattermost to support various investigative actions
MaxMind GeoIP2 IP Location Database This app provides IP geolocation with the included MaxMind database.
McAfee TrustedSource McAfee TrustedSource provides an online service that enables you to check website categorization and risk levels
McAfee Network Security Manager (NSM) This app supports multiple containment actions on the McAfee NSM
McAfee Enterprise Security Manager (ESM) This app ingests data from a McAfee ESM device. Each event is parsed into a container and various event characteristics like the Rule, Signature and actionName are ingested into the event artifact.
McAfee ePolicy Orchestrator (ePO) This app implements various endpoint based investigative and containment actions by integrating with McAfee ePO
McAfee OpenDXL Push Notifications over McAfee OpenDXL
McAfee Advanced Threat Defense (ATD) This app supports executing investigative actions like 'detonate file' to analyze executables on the McAfee ATD appliance
Microsoft Microsoft SQL Server This app supports investigative actions against a Microsoft SQL Server
Microsoft Windows Remote Management This app integrates with the Windows Remote Management service to execute various actions
Microsoft Microsoft Sharepoint Provides various interactions with Microsoft SharePoint sites
Microsoft Office 365 This app ingests emails from a mailbox in addition to supporting various investigative and containment actions on an Office 365 service
Microsoft Windows Server - WMI This App uses the WMI WQL to implement investigative actions that are executed on a Windows endpoint
Microsoft Windows Server - LDAP This app implements various actions that can be carried out on an AD server
Microsoft Office 365 Connects to Office 365 using the MS Graph API
Microsoft Exchange Server This app performs email ingestion, investigative and containment actions on an on-premise Exchange installation
Microsoft System Center Operations Manager This app integrates with Microsoft System Center Operations Manager (SCOM) to execute investigative actions
Microsoft System Center Configuration Manager This app integrates with Microsoft System Center Configuration Manager (SCCM) to execute investigative and generic actions
MISP Project Malware Information Sharing Platform (MISP) Take action with Malware Information Sharing Platform
Mnemonic PassiveDNS This app integrates with the Mnemonic Passive DNS API to implement investigative actions
MobileIron MobileIron This app allows endpoint management on MobileIron by implementing actions such as 'list devices', 'lock devices' and 'unlock device'.
MongoDB MongoDB This app supports CRUD operations in a MongoDB database
MxToolBox MxToolBox This app implements investigative actions on domains and IPs.
Myip.ms Myip.ms Whois IP Service This app integrates with the Myip.ms service to implement investigative actions
     
NC4 Soltra Edge Cyber Threat Communications Platform This App acts as a STIX client and implements the ingest action to pull data from a Soltra Edge device to create containers and artifacts.
Netskope Netskope Cloud Access Security Broker This app integrates with Netskope to execute various investigative and polling actions
Neutrino API Netskope Cloud Access Security Broker This app integrates with Netskope to execute various investigative and polling actions
     
Okta Okta Identity and Access Management This app supports various identity management actions on Okta
OpenStack OpenStack Software Platform This app interfaces with OpenStack to take an IP, and suspend the associated instance. It is intended to be coupled in a playbook with a ticketing system to log why the instance was suspended
OPSWAT Metadefender Advanced Threat Prevention App that connects to OPSWAT Metadefender for actions like ip reputation and file reputation.
Oracle MySQL Database Server This app supports investigative actions against a MySQL database
OSXCollector OSXCollector Forensics and Analysis Runs OSXCollector on an endpoint running OS X
     
PagerDuty PagerDuty This app integrates with PagerDuty to implement investigative and ticketing actions
Palo Alto Networks WildFire Malware Analysis This app supports file detonation for forensic file analysis on the Palo Alto Networks WildFire sandbox
Palo Alto Networks AutoFocus Threat Intelligence This app implements hunting and reporting actions on the AutoFocus threat intelligence service.
Palo Alto Networks Panorama Network Security Management This app integrates with the Palo Alto Networks Panorama product to support several containment and investigative actions
Palo Alto Networks Next-Generation Firewall This app integrates with the Palo Alto Networks Firewall to support containment actions like 'block url', 'block application' and 'block ip' in addition to investigative actions like 'list applications'.
Payload Security Falcon Sandbox This app integrates with Falcon Sandbox Services to provide investigative actions
Phantom Message Parser Integrate with Slack to post messages and attachments to channels
Phantom Phantom App for Kafka Integrate with Slack to post messages and attachments to channels
Phantom Phantom API This App exposes various Phantom APIs as actions
PhishLabs PhishLabs Casetracker Portal This app implements investigative actions on the PhishLabs Casetracker Portal
PioLink TiFRONT Cloud Security Switch This app supports containment actions like 'block ip' and 'unblock ip' on a TiFRONT device.
Pipl Pipl People Search This app integrates with Pipl to perform an investigative action
PostgreSQL PostgreSQL Database Server This app supports investigative actions against a PostgreSQL database
Proofpoint Targeted Attack Protection (TAP) This App integrates with Proofpoint to implement ingestion and investigative actions
ProtectWise Network Detection and Response (NDR) This app integrates with the ProtectWise cloud platform to implement ingestion and investigative actions
     
Qualys SSL Labs Assessment API This app supports executing investigative actions to analyze a host
     
Rapid7 InsightVM Vulnerability Management This app integrates with Rapid7 InsightVM (formerly Nexpose) to ingest scan data
Recorded Future Recorded Future Threat Intelligence Recorded Future
RedLock RedLock This app integrates with RedLock and ingests new alerts
ReversingLabs TitaniumCloud File Reputation This app implements investigative actions on the ReversingLabs reputation service
ReversingLabs A1000 Malware Analysis This app integrates with the ReversingLabs A1000 Advanced Malware Analysis Appliance to implement investigative actions
ReversingLabs TitaniumScale Malware Analysis This app integrates with ReversingLabs TiScale Enterprise Scale File Visibility platform to automate analysis and investigative actions for file samples
RIPE RIPE Abuse Intelligence This app integrates with RIPE to support investigative actions
RSA Security Analytics This App supports ingestion and investigative actions on RSA Security Analytics
RSA Archer This app implements ticket management actions on RSA Archer GRC.
RSA NetWitness Logs and Packets This app supports investigative actions to collect log and packet captures from RSA NetWitness Logs and Packets.
RSA NetWitness Endpoint This app supports executing various endpoint-based investigative and containment actions on RSA NetWitness Endpoint
RiskIQ PassiveTotal This app implements investigative actions by integrating with the PassiveTotal cloud reputation service
     
Screenshot Machine Screenshot Machine This app integrates with the Screenshot Machine service
Security Onion Security Onion This app integrates with the ELSA service included in the Security Onion security distribution
SentinelOne SentinelOne This app integrates with the SentinelOne platform to perform prevention, detection, remediation, and forensic endpoint management tasks
ServiceNow ServiceNow Platform This app provides ServiceNow integration for tickets and records
ShadowDragon SocialNet Social Media Forensics and Investigations This app supports investigative actions on the SocialNet cloud investigation API
Shodan Shodan Search Engine This app implements investigative actions like query ip and query domain to get information from the shodan search engine.
Slack Slack Collaboration Platform Integrate with Slack to post messages and attachments to channels
Soliton Systems Infotrace Mark II Endpoint Detection and Response This app supports containment actions on Soliton Mark II Server
SonicWALL Firewall Manipulate SonicWALL firewall via ECLI
SQLite SQLite Database Server This app supports investigative actions against a local SQLite database
Sumo Logic Sumo Logic Log Management and Analytics This app integrates with the Sumo Logic cloud platform to implement investigative actions
Symantec Symantec Messaging Gateway This app integrates with an instance of Symantec Messaging Gateway to perform containment and corrective actions
Symantec Symantec Endpoint Protection 14 Integrate with Symantec Endpoint Protection 14 to execute investigative, containment and corrective actions
Symantec Symantec Data Loss Prevention (DLP) This app ingests data from a Symantec Data Loss Prevention installation
Symantec Symantec Content Analysis Software (CAS) This app supports file investigation on the Symantec Content Analysis System
Symantec Malware Analysis Service Integrate with Malware Analysis Service (MAS) to execute actions like detonate file and get report
Symantec DeepSight This app supports hunting and a variety of investigative actions, in addition to report ingestion, from the Symantec DeepSight Intelligence cyber security service.
Symantec Symantec Advanced Threat Protection (ATP) This app integrates with a Symantec ATP (Advanced Threat Protection) device to implement ingestion, investigative and containment actions
     
Tala Tala This app implements various endpoint actions using Tala
Tanium Tanium Endpoint Security This app supports investigative and containment actions on Tanium
Tenable Tenable.sc (SecurityCenter) This app integrates with Tenable's SecurityCenter to provide endpoint-based investigative actions.
Tenable Nessus Vulnerability Assessment This app integrates with Tenable's Nessus scanner to provide endpoint-based investigative actions
ThreatConnect ThreatConnect Threat Intelligence Platform This app integrates with the ThreatConnect platform to provide various hunting actions in addition to threat ingestion.
ThreatCrowd ThreatCrowd Threat Intelligence This app provides free investigative actions such as file reputation, lookup domain, lookup ip, and lookup email.
ThreatMiner ThreatMiner Threat Intelligence This app integrates with the ThreatMiner API to provide investigation activities
ThreatQuotient ThreatQ Threat Intelligence Platform Integrates a variety of ThreatQ services into Phantom.
Tor Tor Network This app implements investigative actions to query info about the Tor network
TruSTAR TruSTAR Intelligence Management Platform This App integrates with TruSTAR to provide various hunting and reporting actions
Tufin SecureTrack Firewall Policy Management This app supports investigative actions on Tufin SecureTrack
Twilio Twilio Cloud Communications Platform This app integrates with Twilio to send messages
     
unshorten.me unshorten.me URL Expansion Service This app integrates with the unshorten.me service to expand shortened URLs
urlscan.io urlscan.io website scanner This app supports investigative actions on urlscan.io
URLVoid URLVoid Website Reputation Service This app supports executing investigative and reputation actions on the URLVoid service
     
Vectra Vectra Active Enforcement This app ingests data from the Vectra Active Enforcement device
Verodin Verodin Security Instrumentation Platform Phantom app for Verodin
VictorOps VictorOps DevOps Incident Management and IT Alerting This app implements various investigative actions using VictorOps
VMRay VMRay Malware Analysis Tool Connector for VMRay Analyzer
VMware vSphere Virtualization Management Software This app implements investigative, containment and VM management actions on VMware ESXi or vCenter server
VMware NSX Network Virtualization and Security This app implements investigative and management actions on VMware NSX, Network Virtualization and Security Platform
     
WiGLE WiGLE Wireless Network Intelligence This app integrates with the WiGLE service to implement investigative actions
     
xMatters xMatters IT Event Management This app integrates with xMatters to retrieve information about events and users
Zendesk Zendesk Customer Service Software This App allows for ticket management on Zendesk
     
Zetalytics Zetalytics Passive DNS This App implements investigative actions that query the ZETAlytics security feed and APIs
Zscaler Zscaler Security System This app implements containment and investigative actions on Zscaler