Phantom Releases Patch Update to 2.0 Platform

Feedback about the Phantom security automation and orchestration platform is incredibly important to all of us here at Phantom. As the product manager for the Phantom platform, I’m a strong believer of listening to current and future customers, as well as the ever-growing membership of the Phantom community. Our most recent patch release to the 2.0 platform is a great example of how we have incorporated the community feedback into the product.

Phantom 2.0 Patch 1 was released last Friday, December 9 and is available now on the Phantom Community’s download page. In addition to several other enhancements, there is one notable API change that will be particularly pleasing to Phantom power users. This change relates to feedback from users about the preferred behavior of the phantom.act() function call. This function call now executes even if its required parameters are missing and the playbook author should handle the failure in the action callback. In versions prior to this release, the automatically generated code for action blocks and the function itself checked to see if required parameters were passed to the action. The phantom.act() call would not be executed if any required parameters were missing.

Prior to this update, within an action block the call to phantom.act() would look like this:

if parameters:
     phantom.act("geolocate ip", parameters=parameters, 
     assets=['maxmind'], name="geolocate_ip_1", 
     phantom.error("'geolocate_ip_1' will not be executed 
     due to lack of parameters”) 

Now in the newly generated code, there is no check for parameters and the action is called directly:

phantom.act("geolocate ip", parameters=parameters, 
assets=['maxmind'], name="geolocate_ip_1”) 

This change in auto-generated code and behavior of the phantom.act() call helps users utilize joins. If there are two or more actions connected to a single block, the block will now be called when all phantom.act() calls have been called. In prior releases the playbook would have ended prematurely when all the called actions finish, while some actions were not called as expected by the user.

Two action blocks connected to a single action block

Another frequent community request has been supporting the Phantom platform on Amazon Web Services (AWS). Previously the platform was available as an Open Virtual Appliance (OVA) only. This week, we posted an Amazon Machine Image (AMI) version on our community site that contains the Phantom platform image suitable for AWS deployments. As always, please check it out and provide us with feedback through the community slack channel or through email at feedback (at) phantom (dot) us.


Robert Truesdell
Director, Product Management