Splunk Phantom

Harness the full power of your security investments with security orchestration, automation, and response.

Playbook Automation

Visual Playbook Editor

The Phantom Visual Playbook Editor (VPE) allows both developers and non-developers to construct and customize complex Phantom Playbooks with drag-and-drop ease. While constructing a playbook graphically, the VPE generates all supporting code behind the scenes and in real time. Advanced users can start a new playbook with the VPE interface and later transition to the integrated Python playbook editor and debugger to fine tune it.

Playbook Canvas and Function Blocks

The VPE allows you to create a playbook using function blocks and connectors, which describe the order of operation. When creating a new block, you’re presented with all possible function block types as the next step in your playbook. You’re able to: define a security action to execute, filter data, make a decision using encoded logic, prompt a user for input or confirmation, call another playbook and more.

Collaborate, Respond and Manage

Phantom Mission Control

Phantom Mission Control brings event data and SOC tools together into one consolidated view. A part of the Phantom Platform’s event and case management capabilities, Phantom Mission Control enables an analyst to efficiently understand, investigate, decide, and act on an event. The interface includes access to all event activity history, contextual and interactive data views, a digital vault for attachments, as well as fully-integrated automation and case management controls. Phantom Mission Control was designed to enable you to quickly pivot around event data, eliminating constant switching between different screens and tools.

Phantom Mission Guidance

Phantom Mission Guidance is an intelligent assistant that’s fully integrated into Phantom Mission Control. It supports security operations analysts by offering suggestions to help investigate, contain, eradicate, and recover from a security event. It works by mapping security event data to your currently configured SOC tools and playbooks. Phantom Mission Guidance recommendations help educate newer analysts on steps to take and validate the choices of more experienced analysts.

Activity Feed

The Activity Feed in the Phantom Mission Control interface displays all current and historical action and playbook activity that has acted on the currently displayed event. This allows you to quickly see the success, ongoing execution, and results of all automation operations for the event. The Activity Feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.


Case Management

Case Management is fully integrated into Phantom Mission Control, allowing you to easily promote a verified event to a case. It also allows continued access to all tools, features, and data available in one interface. Case Management supports case tasks that map to your defined Standard Operating Procedures (SOPs). Moreover, Case Management has full access to the Phantom Automation Engine, allowing you to launch actions and playbooks as part of a task.



Workbooks allow you to codify your SOPs into reusable templates. Phantom supports custom and industry standard workbooks, like the included NIST-800-61 template for incident response. You are able to divide tasks into phases (e.g. detection, analysis, containment, eradication, and recovery), assign tasks to team members, document work, and more. You can also embed automation actions and playbooks directly into the workbook templates that you define.


How it Works

Key Concepts

Learn the key concepts relating to security orchestration, automation, and response on the Phantom Platform.

Data Sources

Use any type and source of security data to trigger Phantom into action, such as incidents, threat indicators, vulnerabilities, emails, and more. Phantom gives you full access to the contents of your security data for the purposes of automated decision making.

You can either push your data to Phantom, or pull it from a number of externally supported SIEM or analytics tools.


Playbooks are the codification of your Security Operations (SecOps) plan. In practice, they’re high-level Python scripts that Phantom interprets in order to execute your mission. Playbooks hook into the Phantom Platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.


Actions are the high-level primitives that Phantom uses within playbooks. Phantom integrates with 225+ Apps and 1,200+ APIs. Examples include:

  • Detonate File
    Detonate a file in a supported sandbox
  • Geolocate IP
    Perform a geolocation lookup on a given IP address
  • Hunt File
    Look for a particular file on endpoints
  • Block URL
    Block a URL on perimeter devices
  • Quarantine Device
    Disconnect a device from the network via NAC


Assets are the security and infrastructure assets that you integrate with the Phantom Platform. Examples include: firewalls, endpoint products, reputation services, sandboxes, directory services, and SIEMs.



Contrary to popular belief, Lor em Ipsum is not simply random text. It has roots in a piece of classical. LOL

Phantom Apps extend the platform by integrating third-party security products and tools. Most security technologies have RESTful APIs, command line interfaces, or other management interfaces that allow Phantom Apps to connect and execute actions. Apps expose the set of actions that they support back to the Phantom Platform.


Ingest high-fidelity events from Security Intelligence and Event Management (SIEM) tools into the Phantom Platform to trigger automated and analyst-driven workflows. Examples include: Splunk Enterprise Security, IBM QRadar and Arcsight ESM.

Threat Intelligence Services

Programmatically or manually query threat intelligence services for contextual information to aid with decision making. Examples include: VirusTotal, Recorded Future , and Palo Alto Networks AutoFocus.

Endpoint Detection and Response

Enforce your security policy decisions by integrating Phantom with your Endpoint Detection and Response (EDR) tool. Examples include: Carbon Black, Crowdstrike, McAfee and Symantec.