Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Configure the response times for service level agreements

Service level agreements (SLA) define the number of minutes that are permitted to pass before an action or approval is considered late. SLAs are used for the following purposes in Splunk Phantom:

  • To track the amount of time a container or case has remaining before it is considered due.
  • To track the amount of time an approver has to approve an action before the approval escalates. For more information about the approval and escalation process, see Approve actions before they run in Splunk Phantom in Use Splunk Phantom.

Each event or case must have a severity assigned, and each severity has a corresponding SLA. This table lists the default SLA settings in Splunk Phantom:

Severity name | SLA in minutes
High          | 60
Medium        | 720
Low           | 1440

The SLA time starts when a case or container is created. An action or approval is considered late if the SLA time is reached before the case or container is closed.
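As an added example that is not Splunk Phantom's own code or API, the Python below encodes this rule: the clock starts at creation, and a container is late once its SLA has elapsed before it was closed. It uses the default table above plus an assumed dictionary of custom severity overrides and a constructed set of sample containers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Default SLA table from the page, keyed by lower-cased severity name.
DEFAULT_SLA_MINUTES: Dict[str, int] = {"high": 60, "medium": 720, "low": 1440}


@dataclass
class Container:
    """Constructed stand-in for a Phantom event or case record (not the product's data model)."""
    name: str
    severity: str
    created: datetime
    closed: Optional[datetime] = None


def sla_minutes(severity: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Resolve the SLA for a default or custom severity; custom entries extend the default table."""
    table = {**DEFAULT_SLA_MINUTES, **(custom or {})}
    try:
        return table[severity.lower()]
    except KeyError:
        raise ValueError(f"severity {severity!r} has no SLA configured") from None


def sla_status(c: Container, now: datetime, custom: Optional[Dict[str, int]] = None) -> dict:
    """The clock starts at creation; the item is late if the SLA time is reached
    before it is closed. Open items also report minutes remaining (negative once overdue)."""
    due = c.created + timedelta(minutes=sla_minutes(c.severity, custom))
    end = c.closed or now
    remaining = None if c.closed else int((due - now).total_seconds() // 60)
    return {"name": c.name, "due": due, "late": end >= due, "remaining_minutes": remaining}


def example_report(now: Optional[datetime] = None) -> Dict[str, dict]:
    """Evaluate a small constructed set of containers as of 12:00 on an arbitrary day."""
    now = now or datetime(2020, 2, 12, 12, 0)

    def t(h: int, m: int = 0) -> datetime:
        return datetime(2020, 2, 12, h, m)

    custom = {"critical": 15}  # assumed custom severity configured under Event Settings > Response
    containers = [
        Container("open-high", "High", t(11)),              # 60 min elapsed: due now, late
        Container("closed-medium", "Medium", t(0), t(11)),  # closed an hour before its due time
        Container("open-low", "Low", t(11)),                # 1440 min SLA, 1380 min remaining
        Container("open-critical", "critical", t(11, 30)),  # custom 15 min SLA, 15 min overdue
    ]
    return {r["name"]: r for r in (sla_status(c, now, custom) for c in containers)}
```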

Set service level agreement times

You can set the SLA for any default or custom severity name in Splunk Phantom. Custom severities follow the same escalation process that the default severities follow. To set an SLA time for a severity, follow these steps:

  1. From the Main Menu, select Administration.
  2. Select Event Settings > Response.
  3. For each severity level, type the number of minutes permitted to elapse before an action or approval must be escalated.
  4. (Optional) Check Automatic self-approval if you want actions run by a user who is permitted to approve them to be approved automatically.
  5. (Optional) Add executive approvers by selecting them from the drop-down list in the Executive approvers field. When all of the SLA escalations have expired without being acted on, the executive approvers receive an SLA breach notification.
  6. Click Save Changes.
Last modified on 12 February, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
