Introduction
A star product of the 2016 RSA Conference. It can be thought of as a management platform that integrates the security tools and products an enterprise already uses. After a first look, my summary is as follows:
Main functions
Phantom platform (Programmable Security Controller)
- Integrate & manage security tools
- Acquire & process events
- Notify the responsible people (Owners) to respond (Actions)
Workflow
The below diagram describes the end-to-end flow of how Phantom views the world of security automation.
In one sentence: security products or tools are abstracted as Apps, automated Playbooks operate on those Apps, Actions are ultimately executed on Assets, and user management is introduced alongside (Playbooks EXECUTE Actions USING Apps ON Assets WHO HAVE Owners.)
Phantom terminology
The concepts below correspond to the items in the Workflow.
Playbooks (process the acquired data; automated logic handling)
Playbooks EXECUTE Actions USING Apps ON Assets WHO HAVE Owners.
Written in Python, they define a series of automation tasks. The event data is stored and handled by Phantom as JSON, and Rules operate on this JSON data.
Actions (Phantom verbs, used mainly in Playbooks)
Actions are high-level primitives used throughout the Phantom platform. These are simple, short, and obvious verbs that are used to execute ACTIONS in PLAYBOOKS. Examples include get process dump, block ip, suspend vm, and terminate process.
Apps (third-party tools abstracted as Phantom Apps)
Apps define which types of assets they can operate on and expose a list of ACTIONS that they support. Examples include get process dump, block ip, etc.
Phantom APPS extend the Phantom platform by adding connectivity to third-party security technologies in order to execute actions. They provide an abstraction layer to the hundreds of possible security products that Phantom may interface with.
PS: in theory, any security product can be integrated in Python via web technology (REST API).
Assets (the assets Phantom can operate on)
Assets are specific instances of physical or virtual devices within your organization. These may include servers, endpoints, routers, and firewalls among others. ASSETS typically also possess primary and secondary OWNERS.
Other concepts
Data source (the source data that Playbooks process)
Data Sources are services or devices that supply information that Phantom users may want to store or act on. This information is stored in Containers. An example Data Source is Splunk. You may have your anti-virus server feeding infection events into Splunk, and Phantom will pick up those events, and create one or more Incidents for the infection notifications. Each Incident will typically have one or more Artifacts, which are data about the Incident.
Incidents (generated when triggered by events)
Incidents can be generated automatically when triggered by an event, or added manually.
Artifacts (contained within an Incident; they describe that Incident)
Container (used by Assets that produce data output)
The only Assets that use Containers are those that can Ingest, such as QRadar, Splunk, IMAP, etc. If you add an Ingest Asset, you will see that one of the configuration options is to designate a container type. There are three built-in types: Intelligence, Incident, and Vulnerability. Before we can use the Asset to take an Action, we need one more thing: a container. A container in Phantom is used to group items together. These items include Artifacts, Actions, Playbook runs, results, and files. To run an Action, we need the container to track what the Action belongs to, as well as to hold the results we get back from running the Action.
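The following is a constructed Python model of the data flow described in the Workflow and terminology sections above: Data Source events are ingested into Containers holding Artifacts, a Playbook runs a rule over that JSON data, executes the block ip Action through an App on a firewall Asset, and the Asset's Owner is notified of the result. This is an added example, not code from this page or from Phantom itself; the class and function names (Asset, FirewallApp, Container, ingest, run_playbook, demo), the sample events and the "skip internal addresses" rule are assumptions chosen only to mirror the page's terminology, and Phantom's real playbook API is not used.

```python
"""Toy model of the Phantom data flow described on this page.

Constructed illustration, NOT Phantom's own playbook API: every class and
function name here is an assumption chosen to mirror the page's terminology.
"""
import json
from dataclasses import dataclass, field


# Assets: physical or virtual devices in the organization, each with an owner.
@dataclass
class Asset:
    name: str
    kind: str      # e.g. "firewall" or "endpoint"
    owner: str     # primary owner, notified when an action runs on the asset


# Apps: abstraction layer over one third-party product; they declare which
# asset types they can operate on and which actions (verbs) they expose.
class FirewallApp:
    supports = {"firewall"}
    actions = {"block ip"}

    def __init__(self):
        self.blocked = []   # (asset name, ip) pairs this app has blocked

    def run(self, action, params, asset):
        """Execute one action against one asset and return a result dict."""
        if action == "block ip":
            self.blocked.append((asset.name, params["ip"]))
            return {"status": "success", "asset": asset.name, "ip": params["ip"]}
        raise ValueError(f"unsupported action: {action}")


# Containers: group the artifacts, action results and other items of one case.
@dataclass
class Container:
    label: str     # "incident", "intelligence" or "vulnerability"
    name: str
    artifacts: list = field(default_factory=list)
    results: list = field(default_factory=list)


# Constructed sample input: anti-virus infection events as a data source
# (such as Splunk) would hand them over. Addresses are documentation ranges.
SAMPLE_EVENTS = json.dumps([
    {"host": "ws-17", "src_ip": "203.0.113.5", "hash": "constructed-hash-1"},
    {"host": "ws-22", "src_ip": "10.0.0.8", "hash": "constructed-hash-2"},
])


def ingest(events_json):
    """Turn each JSON event into an Incident container with one artifact."""
    containers = []
    for ev in json.loads(events_json):
        c = Container(label="incident", name=f"Infection on {ev['host']}")
        c.artifacts.append({
            "label": "av_event",
            "cef": {"sourceAddress": ev["src_ip"], "fileHash": ev["hash"]},
        })
        containers.append(c)
    return containers


def run_playbook(container, apps, assets, notifications):
    """Playbook logic: a rule over the container's JSON that executes
    'block ip' via any app that supports a matching asset, then notifies
    the asset owner. Returns the container with results attached."""
    for artifact in container.artifacts:
        ip = artifact["cef"].get("sourceAddress")
        if ip is None or ip.startswith("10."):   # assumed rule: skip internal addresses
            continue
        for asset in assets:
            for app in apps:
                if asset.kind in app.supports and "block ip" in app.actions:
                    result = app.run("block ip", {"ip": ip}, asset)
                    container.results.append(result)
                    notifications.append(
                        f"{asset.owner}: block ip {ip} on {asset.name} -> {result['status']}")
    return container


def demo():
    """End-to-end run over the constructed events; returns what was done."""
    fw = FirewallApp()
    assets = [Asset("edge-fw-1", "firewall", "netops@example.test"),
              Asset("ws-17", "endpoint", "desktop@example.test")]
    notifications = []
    containers = ingest(SAMPLE_EVENTS)
    for c in containers:
        run_playbook(c, [fw], assets, notifications)
    return fw.blocked, notifications, containers


if __name__ == "__main__":
    blocked, notes, _ = demo()
    print("blocked:", blocked)
    print("\n".join(notes))
```

The model keeps the three roles separate on purpose: the App knows how to talk to a product, the Asset knows who owns it, and the Playbook only reads JSON and chooses verbs, which is the division of responsibility the page's one-sentence summary describes.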
Refer to: Phantom documentation