Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Create cases in

Once you have at least one case workbook, you can create cases to use that workbook.

Cases only contain the items from the workbook at the time the case was created. If you create a case from a workbook, and then later add a new phase to the workbook, the new phase is not available to the existing workbook. Only new cases created after the workbook is changed will have the new phase available to use. The case was a copy at the time it was created. There is no live link to the workbook. Items deleted from the workbook aren't deleted from cases created before the workbook change.

Promote a container to a case

Create a case by promoting a container.

  1. From the Home menu, select Sources, and then select a container label.
  2. Click the suitcase (the suitcase icon) icon.
  3. In the Promote to Case window, select the new workbook you want to use on this case. If you already added a workbook to the container, you do not have the option to select a workbook. The menu is inactive with the text "Keep current workbook".
  4. Click Save.

A case looks similar to its container and has all of the same functions. The colored block with the word Case indicates that it is a case.

Select the Workbook tab to see the tasks defined in case workbook. The blue highlight indicates the current page and shows task completion progress within each phase.

Demote a case to change it back to a container

Perform the following steps to change a case back to a container:

  1. In , navigate to the case you want to demote.
  2. Click the suitcase (the suitcase icon) icon.

Delete a case in

Perform the following steps to delete a case:

  1. In the Home menu, select Cases.
  2. Select the cases you want to delete.
  3. Click Delete.
  4. Click Delete again to confirm that you want to delete the selected cases.
Last modified on 22 September, 2021
Overview of cases   Add objects to a case in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters