Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Track information about an event or case using HUD cards

Use the head-up display (HUD) in Investigation to quickly track relevant information about an event or case. HUD cards can display a metric from the built-in list or display a custom field. For more information about custom fields, see Create custom fields to filter Splunk Phantom assets.

Create a HUD Card

Perform the following tasks to create a HUD card:

  1. From the main menu, select Administration.
  2. Select Event Settings > HUD.
  3. Click + HUD Card.
  4. Select a HUD card type.
    • Select Preset Metrics to view predefined metrics about your asset, such as remaining tasks, number of failed actions, or tasks exceeding the SLA. Select the desired metric from the drop-down list. and then choose a background color for the HUD card.
    • Select Custom Field to view the information you defined in a custom field. See Create custom fields to filter Splunk Phantom events. The fields defined there are available in the drop-down list. Choose a background color for the HUD card.
  5. Click Done.

Manage HUD Cards

HUD cards display in Investigation in the same order they appear in the list of HUD cards in the settings page. Reorder the cards by dragging the cards by the handle ( ☰ ) into the order you want them to be displayed.

Delete a HUD card by clicking the circled x ( ⓧ ) icon to the right of the HUD card definition.

See Get a heads up with HUD cards for more information on using HUD Cards in Start with Investigation in Splunk Phantom.

Last modified on 23 April, 2020
Filter indicator records in Splunk Phantom   Configure the response times for service level agreements

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters