Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Create custom severity names

Severity defines the impact or importance of an event or case. Different severity names have different assigned service level agreements in the Response page. Splunk Phantom ships with three predefined severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. Additional severity names can be defined by a Splunk Phantom administrator.

You can create up to 10 severities in Splunk Phantom.

Create a severity in Splunk Phantom

To create a severity, follow these steps:

  1. From the Main Menu, select Administration.
  2. Select Event Settings > Severity.
  3. Click Add Item.
  4. Enter the severity name and select a color from the drop-down list. The severity name must adhere to the following conditions:
    • Only ASCII characters a-z, 0-9, dash ( - ), or underscores ( _ ) are allowed.
    • The name cannot exceed 20 characters in length.
  5. Click Done.

Severity names cannot be edited. To change a severity name, delete it and recreate the severity name. To reorder severity names, drag the handle ( ☰ ) on the left side of the severity name's input box to the desired position.

To set the severity name used as the default severity, select the desired name from the drop-down list.

Delete a severity name in Splunk Phantom

To delete a severity name, click the circled x ( ⓧ ) to the right of the severity name's input box. Take note of the following Splunk Phantom behaviors before you delete a severity:

  • The severity label set as the default severity cannot be removed until a new default is selected.
  • Deleting a severity name does not change the severity of a case, event, or artifact. Changing a severity name does not update closed events, cases, or artifacts.
  • Deleted severity names appear in search results as strikethrough text.
  • Severity names are stored in Splunk Phantom's internal database. Deleting a severity name from the active severity list does not remove that severity name from the database.
  • To maintain backwards compatibility with apps and existing playbooks, if the severity names High, Medium, or Low have been deleted, ingestion apps and the REST API can still assign the severity High, Medium, and Low to events, containers, or artifacts.
Last modified on 01 September, 2020
Create custom status labels in Splunk Phantom   Create custom fields to filter Splunk Phantom events

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters