Configure the response times for service level agreements
Service level agreements (SLA) define the number of minutes that is permitted to pass before an action or approval is considered late. SLAs are used for the following purposes in Splunk Phantom:
- To track the amount of time a container or case has remaining before it is considered due.
- To track the amount of time an approver has to approve an action before the approval escalates. For more information about the approval and escalation process, see Approve actions before they run in Splunk Phantom in Use Splunk Phantom.
Each event or case must have a severity assigned, and each severity has a corresponding SLA. This table lists the default SLA settings in Splunk Phantom:
|Severity name||SLA in minutes|
The SLA time starts when a case or container is created. An action or approval is considered late if the SLA time is reached before the case or container is closed.
Set service level agreement times
You can set the SLA for any default or custom severity name in Splunk Phantom. Custom severities follow the same escalation process that the default severities follow. To set an SLA time for a severity, follow these steps:
- From the Main Menu, select Administration.
- Select Event Settings > Response.
- In each severity level, type a number of minutes permitted to elapse before an action or approval must be escalated.
- (Optional) Check Automatic self-approval if you want actions activated by a user who can approve them to be approved automatically.
- (Optional) Add executive approvers by selecting them from the drop-down list in the Executive approvers field. When all of the SLA escalations have expired without being acted on, the executive approvers receive an SLA breach notification.
- Click Save Changes.
Track information about an event or case using HUD cards
Configure how events are resolved
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7