Learn the key concepts relating to security orchestration, automation and response on the Phantom platform.
Use any type and source of security data to trigger Phantom into action, such as incidents, threat indicators, vulnerabilities, emails and more. Phantom gives you full access to the contents of your security data for the purposes of automated decision-making.
You can either push your data to Phantom, or pull it from a number of externally supported SIEM or analytics tools.
Playbooks are the codification of your Security Operations (SecOps) plan. In practice, they’re high-level Python scripts that Phantom interprets in order to execute your mission. Playbooks hook into the Phantom platform and all of its capabilities to execute actions, ensuring a repeatable and auditable process around your security operations.
Actions are the high-level primitives that Phantom uses within playbooks. Phantom integrates with 300+ apps and 1,900+ APIs. Examples include:
- Detonate File: detonate a file in a supported sandbox
- Geolocate IP: perform a geolocation lookup on a given IP address
- Hunt File: look for a particular file on endpoints
- Block URL: block a URL on perimeter devices
- Quarantine Device: disconnect a device from the network via NAC
Assets are the security and infrastructure assets that you integrate with the Phantom platform. Examples include: firewalls, endpoint products, reputation services, sandboxes, directory services and SIEMs.
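To make the relationship between security data, playbooks, actions and assets concrete, here is an added example that models those four concepts in a few dozen lines of plain Python. It is a constructed illustration, not Phantom's own playbook API: the `Platform`, `Asset` and `Container` classes, the stub `geolocate_ip` and `block_url` handlers, the risk table and the sample alert are all assumptions made for this example. The playbook reads each artifact, runs a reputation lookup through one asset, and only then decides whether to issue a block through another, while the platform records every action for later audit.

```python
from dataclasses import dataclass
from typing import Any, Callable

# --- Assets: stand-ins for integrated products (constructed stubs, not real connectors) ---

# Constructed reputation table backing the "geolocate ip" action.
GEO_TABLE = {
    "203.0.113.10": {"country": "XX", "risk": "high"},
    "198.51.100.5": {"country": "YY", "risk": "low"},
}

def geolocate_ip(ip: str) -> dict:
    """Geolocate IP: return country and a risk rating for the address (constructed data)."""
    return GEO_TABLE.get(ip, {"country": "unknown", "risk": "unknown"})

BLOCKLIST: set = set()

def block_url(url: str) -> dict:
    """Block URL: add the URL to a constructed perimeter blocklist."""
    BLOCKLIST.add(url)
    return {"status": "blocked", "url": url}

@dataclass
class Asset:
    """An integrated product together with the actions it supports."""
    name: str
    actions: dict[str, Callable[..., dict]]

@dataclass
class Container:
    """Security data that triggers a playbook: an event plus its artifacts (indicators)."""
    name: str
    artifacts: list[dict[str, Any]]

class Platform:
    """Minimal orchestration engine: dispatches actions to assets and keeps an audit trail."""
    def __init__(self, assets: list[Asset]) -> None:
        self.assets = {a.name: a for a in assets}
        self.audit: list[dict[str, Any]] = []

    def act(self, action: str, parameters: dict[str, Any], asset: str) -> dict:
        handler = self.assets[asset].actions[action]
        result = handler(**parameters)
        # Every action is logged so the response is repeatable and auditable.
        self.audit.append({"action": action, "asset": asset,
                           "parameters": parameters, "result": result})
        return result

def on_start(platform: Platform, container: Container) -> list[str]:
    """The playbook: the codified response plan, run against each artifact."""
    blocked: list[str] = []
    for artifact in container.artifacts:
        cef = artifact["cef"]
        if "sourceAddress" not in cef:
            continue  # artifact carries no IP indicator; nothing to look up
        geo = platform.act("geolocate ip", {"ip": cef["sourceAddress"]}, asset="geoip")
        # Decision point: only block when the reputation lookup rates the source high risk.
        if geo["risk"] == "high" and "requestURL" in cef:
            platform.act("block url", {"url": cef["requestURL"]}, asset="perimeter_firewall")
            blocked.append(cef["requestURL"])
    return blocked

def run_example() -> tuple[list[str], list[dict[str, Any]]]:
    """Build a constructed proxy alert, run the playbook, return (blocked URLs, audit trail)."""
    BLOCKLIST.clear()
    platform = Platform([
        Asset("geoip", {"geolocate ip": geolocate_ip}),
        Asset("perimeter_firewall", {"block url": block_url}),
    ])
    container = Container("proxy alert", artifacts=[
        {"cef": {"sourceAddress": "203.0.113.10", "requestURL": "http://bad.example/payload"}},
        {"cef": {"sourceAddress": "198.51.100.5", "requestURL": "http://ok.example/index"}},
        {"cef": {"fileHash": "0000000000000000000000000000000000000000"}},  # no IP: skipped
    ])
    return on_start(platform, container), platform.audit

if __name__ == "__main__":
    blocked, audit = run_example()
    print("blocked:", blocked)
    for entry in audit:
        print(entry["action"], "via", entry["asset"], "->", entry["result"])
```

The point of the split is the same one the page makes: the playbook holds the decision logic, the platform owns dispatch and the audit record, and the assets are swappable. Replacing the stub handlers with real connectors changes nothing in `on_start`, and the audit list is what lets an analyst reconstruct exactly which lookups and blocks an automated run performed.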
Maximize SOC efficiency and achieve enterprise-grade reliability with the most powerful SOAR tool on the market. Phantom supercharges the scalability, performance and speed of your security automation, processing up to 50,000 security events per hour.