Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Create cases in Splunk Phantom

Once you have at least one case workbook, you can create cases to use that workbook.

A case contains only the items that were in the workbook at the time the case was created. The case is a copy of the workbook as it was at that time, and there is no live link to the workbook. If you create a case from a workbook and later add a new phase to the workbook, the new phase is not available to the existing case. Only cases created after the workbook is changed have the new phase available to use. Likewise, items deleted from the workbook aren't deleted from cases created before the workbook change.

Promote a container to a case

Create a case by promoting a container.

  1. From the main menu, select Sources, and then select a container label.
  2. Click the suitcase icon.
  3. In the Promote to Case window, select the new workbook you want to use on this case. If you already added a workbook to the container, you do not have the option to select a workbook. The menu is inactive with the text "Keep current workbook".
  4. Click Save.

A case looks similar to its container and has all of the same functions. The colored block with the word Case indicates that it is a case.

Select the Workbook tab to see the tasks defined in the case workbook. The blue highlight indicates the current page and shows task completion progress within each phase.

Demote a case to change it back to a container

Perform the following steps to change a case back to a container:

  1. In Splunk Phantom, navigate to the case you want to demote.
  2. Click the suitcase icon.

Delete a case in Splunk Phantom

Perform the following steps to delete a case:

  1. In the main menu, select Cases.
  2. Select the cases you want to delete.
  3. Click Delete.
  4. Click Delete again to confirm that you want to delete the selected cases.
Last modified on 25 February, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

