Splunk® Phantom (Legacy)

Administer Splunk Phantom

Acrobat logo Download manual as PDF


Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.
Acrobat logo Download topic as PDF

Customize email templates in Splunk Phantom

Customize email templates in Splunk Phantom by inserting real-time information into the emails using special variables. For example, to use the name of the incident in the email, use the {name} variable where you want the incident name to appear. Variables can be used in both the subject and body of the email.

  1. From the main menu, select Administration.
  2. Select Administration Settings > Email Settings.
  3. Select a template from the drop-down list. Templates provided by default are New Incident Assigned and Approvals.
  4. Modify the email template for your use. You can use the variables listed in the following table.

The term container refers to the type of object generating the email. Incidents are the only container used for generating emails. See Add and configure apps and assets to provide actions in Splunk Phantom for more information about containers.

Variable Description
{name} The name of the container or incident.
{label} The label of the container, such as "incident" or "vulnerability," which is configured on the asset.
{container_url} The URL to view the container.
{first_name} The first name of the user being notified.
{from_first_name} The first name of the user who was the previous owner.
{from_email} The email address of the previous owner. This is not a template, but can be configured in settings.
{due_time} The due time of the container in the respective time zone.
{severity} The severity of the container, such as high, medium, or low.
{your_expired_containers} The details of the expired containers assigned to the user.
{your_expiring_containers} The details of the containers assigned to the user that are about to expire.
{your_closed_containers} The details of the containers assigned to the user that have been closed.
{all_expired_containers} The details of all containers that have expired.
{all_expiring_containers} The details of all containers that are about to expire.
{all_closed_containers} The details of all containers that have been closed.
{task_count} The amount of tasks assigned to you.
{task_list} The list of tasks associated with the case.
{phase} The case management phase associated with the task.
{ownership_type} Denotes the owner type as either user or role.
{invitee_first_name} The first name of the person receiving the email.
{inviter_first_name} The first name of the person sending the email.
{user_message} A custom message that can be written and added as part of the notification.
{from_first_name} The name of the person the incident was reassigned to.
{action_name} The name of the action that will be run on the asset.
{action_executor} The rule name or name of the user running or executing the action.
{asset_name} The name of the asset.
{user_owner_type} This denotes whether the owner is the primary or secondary approver.
{approval_due_time} The time in which the action to be run on an asset must be approved by.
{approval_url} Use this URL to navigate to a place where you can approve, deny, delegate or change the action parameters.
{approval_message} A custom message that can be added to a manual action sent with the approval request.
{task_name} The name of an assigned task.
Last modified on 02 March, 2020
PREVIOUS
Configure a source control repository for your Splunk Phantom playbooks
  NEXT
Configure search in Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters