Splunk Phantom

Harness the full power of your security investments with security orchestration, automation and response.

Playbook Automation

Visual Playbook Editor

The Phantom Visual Playbook Editor (VPE) allows both developers and non-developers to construct and customize complex Phantom playbooks with drag-and-drop ease. While constructing a playbook graphically, the VPE generates all supporting code behind the scenes and in real time. Advanced users can start a new playbook with the VPE interface and later transition to the integrated Python playbook editor and debugger to fine-tune it.

Playbook Canvas and Function Blocks

The VPE allows you to create a playbook using function blocks and connectors, which describe the order of operation. When creating a new block, you’re presented with all possible function block types as the next step in your playbook. You’re able to: define a security action to execute, filter data, make a decision using encoded logic, prompt a user for input or confirmation, call another playbook and more. You can also leverage our out-of-the-box library of "custom functions" (or write your own) and reuse them across multiple playbooks to help maximize playbook versatility and automate additional security processes.

Collaborate, Respond and Manage

Phantom Investigations

The Investigations screen is a hub for user collaboration and case management (also referred to as “incident management” in the industry). Analysts can collaborate to review the output of automated actions or playbooks, look at ingested data from the event, and bring data to real-time decisions.

Phantom Mission Guidance

An intelligent assistant that supports security operations analysts, Phantom Mission Guidance offers suggestions to help investigate, contain, eradicate and recover from a security event. It works by mapping security event data to your currently configured SOC tools and playbooks. Phantom Mission Guidance recommendations help educate newer analysts on steps to take and validate the choices of more experienced analysts.

Activity Feed

The Activity Feed in Splunk Phantom displays all current and historical action and playbook activity that has acted on the currently displayed event. This allows you to quickly see the success, ongoing execution and results of all automation operations for the event. The Activity Feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.


Case Management

Case Management is fully integrated into Splunk Phantom, allowing you to easily promote a verified event to a case. It also allows continued access to all tools, features and data available in one interface. Case Management supports case tasks that map to your defined Standard Operating Procedures (SOPs). Moreover, Case Management has full access to the Phantom Automation Engine, allowing you to launch actions and playbooks as part of a task.



Workbooks allow you to codify your SOPs into reusable templates. Phantom supports custom and industry-standard workbooks, like the included NIST-800-61 template for incident response. You are able to divide tasks into phases (e.g. detection, analysis, containment, eradication and recovery), assign tasks to team members, document work and more. You can also embed automation actions and playbooks directly into the workbook templates that you define.

How it Works

Key Concepts

Learn the key concepts relating to security orchestration, automation and response on the Phantom platform.

Data Sources

Use any type and source of security data to trigger Phantom into action, such as incidents, threat indicators, vulnerabilities, emails and more. Phantom gives you full access to the contents of your security data for the purposes of automated decision-making.

You can either push your data to Phantom, or pull it from a number of externally supported SIEM or analytics tools.


Playbooks are the codification of your Security Operations (SecOps) plan. In practice, they’re high-level Python scripts that Phantom interprets in order to execute your mission. Playbooks hook into the Phantom platform and all of its capabilities to execute actions, ensuring a repeatable and auditable process around your security operations.


Actions are the high-level primitives that Phantom uses within playbooks. Phantom integrates with 300+ apps and 1,900+ APIs. Examples include:

  • Detonate File
    Detonate a file in a supported sandbox
  • Geolocate IP
    Perform a geolocation lookup on a given IP address
  • Hunt File
    Look for a particular file on endpoints
  • Block URL
    Block a URL on perimeter devices
  • Quarantine Device
    Disconnect a device from the network via NAC


Assets are the security and infrastructure assets that you integrate with the Phantom platform. Examples include: firewalls, endpoint products, reputation services, sandboxes, directory services and SIEMs.


Maximize SOC efficiency and achieve enterprise-grade reliability, with the most powerful SOAR tool on the market. Phantom supercharges the scalability, performance and speed of your security automation, processing up to 50,000 security events per hour.


Contrary to popular belief, Lor em Ipsum is not simply random text. It has roots in a piece of classical. LOL
Phantom apps extend the platform by integrating third-party security products and tools. Most security technologies have RESTful APIs, command line interfaces or other management interfaces that allow Phantom apps to connect and execute actions. Apps expose the set of actions that they support back to the Phantom platform.


Ingest high-fidelity events from Security Intelligence and Event Management (SIEM) tools into the Phantom platform to trigger automated and analyst-driven workflows. Examples include: Splunk Enterprise Security, IBM QRadar and Arcsight ESM.

Threat Intelligence Services

Programmatically or manually query threat intelligence services for contextual information to aid with decision-making. Examples include: VirusTotal, Recorded Future and Palo Alto Networks AutoFocus.

Endpoint Detection and Response

Enforce your security policy decisions by integrating Phantom with your Endpoint Detection and Response (EDR) tool. Examples include: Carbon Black, Crowdstrike, McAfee and Symantec.

What can you do with Splunk Phantom?