Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the classic playbook editor is removed, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify them.
For details, see:

Create custom severity names and control severity inheritance

Severity defines the impact or importance of an event or case. Each severity name can have its own service level agreement (SLA) assigned on the Response page. Splunk SOAR (On-premises) ships with three predefined severity names: High, Medium, and Low. You can create additional severity names, and you can control whether the severity of a container changes when a newly added artifact carries a higher severity.

Create a severity level in Splunk SOAR (On-premises)

Your organization might need additional levels of severity to match your business processes. Additional severity names can be defined by an administrator.

You can create up to 10 severities in Splunk SOAR (On-premises). To create a severity, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Event Settings, then Severity.
  3. Click Add Item.
  4. Enter the severity name and select a color from the drop-down list. The severity name must adhere to the following conditions:
    • Only the ASCII characters a-z, 0-9, dash ( - ), and underscore ( _ ) are allowed.
    • The name cannot exceed 20 characters in length.
  5. Click Done.

Severity names cannot be edited. To change a severity name, delete it and recreate the severity name. To reorder severity names, drag the handle ( ☰ ) on the left side of the severity name's input box to the desired position.

To set the severity name used as the default severity, select the desired name from the drop-down list.

Delete a severity name in Splunk SOAR (On-premises)

To delete a severity name, click the circled x ( ⓧ ) to the right of the severity name's input box. Take note of the following behaviors before you delete a severity:

  • The severity name set as the default severity cannot be removed until a new default is selected.
  • Deleting a severity name does not change the severity already recorded on any case, event, or artifact, and deleting and recreating a severity name does not update closed events, cases, or artifacts.
  • Deleted severity names appear in search results as strikethrough text.
  • Severity names are stored in the internal database of Splunk SOAR (On-premises). Deleting a severity name from the active severity list does not remove that severity name from the database.
  • To maintain backwards compatibility with apps and existing playbooks, ingestion apps and the REST API can still assign the severity High, Medium, or Low to events, containers, or artifacts even if those severity names have been deleted.
  • Deleting custom severity names that you have previously shared with other Splunk apps might require additional steps to keep communication between Splunk SOAR (On-premises) and the other app working.

Inherit severity level from new artifacts

You can choose whether a container inherits the severity level from a newly added artifact. Keep in mind that when inheritance is enabled, any ingestion app, playbook, or REST API client that can add artifacts to a container can raise that container's severity (and therefore its SLA), but can never lower it this way.

To choose whether container severity is updated based on newly added artifacts, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Event Settings, then Severity.
  3. Choose the setting for the Update the container severity to match the new artifact toggle:
    • Toggle on: The severity of the container is raised to match a newly added artifact whose severity is higher than the container's current severity. The container severity is not affected if the newly added artifact has a severity equal to or lower than the current container severity.
    • Toggle off: The severity of the container does not change, regardless of the severity of a newly added artifact.
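The following Python model is an added illustration, not code from Splunk SOAR, that pulls the rules on this page together: the naming constraints for custom severities, the limit of 10 active severities, and the inheritance behavior of the toggle above. It assumes that the order of the active severity list (top to bottom, as you drag it on the Severity page) ranks severities from highest to lowest, matching the default High, Medium, Low; that severity names are compared case-insensitively; and that an artifact whose severity is no longer in the active list (for example a deleted name that an app still assigns) cannot be ranked and therefore never changes the container. The function and variable names are the author's own.

```python
import re
from typing import List, Optional

# Constructed example of an active severity list, ordered highest to lowest
# (assumption: list position is the rank, as with the default High, Medium, Low).
ACTIVE_SEVERITIES = ["critical", "high", "medium", "low"]

MAX_SEVERITIES = 10                     # page: up to 10 severities
NAME_MAX_LEN = 20                       # page: no more than 20 characters
NAME_RE = re.compile(r"^[a-z0-9_-]+$")  # page: ASCII a-z, 0-9, dash, underscore


def validate_severity_name(name: str) -> Optional[str]:
    """Return None if the name meets the page's rules, otherwise the reason."""
    if not isinstance(name, str) or not name:
        return "name must be a non-empty string"
    if len(name) > NAME_MAX_LEN:
        return f"name exceeds {NAME_MAX_LEN} characters"
    if not NAME_RE.fullmatch(name):
        return "only ASCII a-z, 0-9, dash (-) and underscore (_) are allowed"
    return None


def can_add_severity(name: str, active: List[str]) -> Optional[str]:
    """Check the name and the 10-severity limit; None means it can be added."""
    reason = validate_severity_name(name)
    if reason:
        return reason
    if name.lower() in (s.lower() for s in active):
        return "a severity with that name already exists"
    if len(active) >= MAX_SEVERITIES:
        return f"at most {MAX_SEVERITIES} severities are allowed"
    return None


def severity_rank(name: str, active: List[str]) -> Optional[int]:
    """Rank in the active list (0 is highest); None if the name is not active."""
    lowered = [s.lower() for s in active]
    return lowered.index(name.lower()) if name.lower() in lowered else None


def container_severity_after_artifact(container_sev: str, artifact_sev: str,
                                      active: List[str], inherit: bool) -> str:
    """Apply the 'Update the container severity to match the new artifact' toggle.

    Toggle off: container is never changed.
    Toggle on: container is raised to the artifact's severity only when the
    artifact ranks strictly higher; equal or lower leaves it alone.
    Assumption: an unrankable (inactive/deleted) severity on either side
    leaves the container unchanged, since it cannot be compared.
    """
    if not inherit:
        return container_sev
    c_rank = severity_rank(container_sev, active)
    a_rank = severity_rank(artifact_sev, active)
    if c_rank is None or a_rank is None:
        return container_sev
    return artifact_sev if a_rank < c_rank else container_sev


def ingest_artifacts(container_sev: str, artifact_sevs: List[str],
                     active: List[str], inherit: bool) -> str:
    """Replay a sequence of added artifacts and return the final container severity."""
    for sev in artifact_sevs:
        container_sev = container_severity_after_artifact(container_sev, sev, active, inherit)
    return container_sev


if __name__ == "__main__":
    # Constructed sample: a Low container receiving Medium, Low, then High artifacts.
    print(ingest_artifacts("low", ["medium", "low", "high"], ACTIVE_SEVERITIES, True))
    print(ingest_artifacts("low", ["medium", "low", "high"], ACTIVE_SEVERITIES, False))
    print(can_add_severity("Critical", ACTIVE_SEVERITIES))
```

Running the script with the toggle on raises the container to high; with it off the container stays at low. The last line shows why a name such as "Critical" is rejected under the literal a-z rule on this page, which is why the constructed list uses lowercase names. Because a lower-severity artifact never lowers the container, an analyst who deliberately downgrades a container keeps that decision even as further low-severity artifacts arrive, while any artifact source that can write a high severity can escalate it.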
Last modified on 01 April, 2024
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1, 6.2.2, 6.3.0, 6.3.1
