Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Create custom status labels in Splunk Phantom

You can create additional status labels for the events and cases in Splunk Phantom as needed for your business processes.

Statuses are grouped into three categories: New, Open, and Resolved. You can create up to 10 total status labels in Splunk Phantom.

Status label rules

Status labels must adhere to the following rules:

  • At least one status label must exist for each of the status categories.
  • The labels New, Open, and Closed are available upon upgrade. These three labels can be deleted, removing them from the active list. These labels cannot be renamed because they are required for backwards compatibility with apps and playbooks.

To maintain backwards compatibility with apps and existing playbooks, if the status labels New, Open, or Closed have been deleted, ingestion apps and the REST API can still assign the statuses New, Open, and Closed to containers.

Create a status label in Splunk Phantom

To create a status label, follow these steps:

  1. From the main menu, select Administration.
  2. Select Event Settings > Status.
  3. Click Add Item in the status category where you want to create the new status label.
  4. Type the new status name. The status label name must adhere to the following conditions:
    • Only ASCII characters a-z, 0-9, dash ( - ), or underscores ( _ ) are allowed.
    • The name cannot exceed 20 characters in length.
  5. Click Add Item.
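Before walking through the Administration UI, it helps to check a planned set of labels against every rule this page states: at least one label per category, no more than 10 labels in total, names limited to ASCII a-z, 0-9, dash and underscore, and a 20-character maximum. The following validator is an added example, not code from Splunk Phantom or its documentation; the function names, the `labels_by_category` input shape, and the literal reading of "a-z" as lowercase only are assumptions. It also reports which of the legacy labels New, Open and Closed a plan drops, since ingestion apps and the REST API can still assign those to containers.

```python
import re

# Constraints as stated in the Splunk Phantom documentation.
# Assumption: "a-z" is taken literally, so uppercase letters are rejected.
NAME_PATTERN = re.compile(r"^[a-z0-9_-]+$")
MAX_NAME_LENGTH = 20
MAX_TOTAL_LABELS = 10
STATUS_CATEGORIES = ("new", "open", "resolved")
# Labels present after upgrade; apps and the REST API can still assign them
# even if an administrator deletes them from the active list.
LEGACY_LABELS = {"new", "open", "closed"}


def validate_label_name(name):
    """Return the list of rule violations for one proposed status label name."""
    problems = []
    if not NAME_PATTERN.match(name):
        problems.append(
            f"{name!r}: only ASCII a-z, 0-9, dash (-) and underscore (_) are allowed"
        )
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"{name!r}: exceeds {MAX_NAME_LENGTH} characters")
    return problems


def validate_label_set(labels_by_category):
    """Check a whole planned label set.

    labels_by_category maps a category ('new', 'open', 'resolved') to the
    list of label names planned for it. Returns a list of violations; an
    empty list means the plan satisfies every documented rule.
    """
    problems = []
    # Every category needs at least one label.
    for category in STATUS_CATEGORIES:
        if not labels_by_category.get(category):
            problems.append(f"category {category!r} has no status label")
    # Only the three documented categories exist.
    for category in labels_by_category:
        if category not in STATUS_CATEGORIES:
            problems.append(f"unknown status category {category!r}")
    all_labels = [
        label for labels in labels_by_category.values() for label in labels
    ]
    if len(all_labels) > MAX_TOTAL_LABELS:
        problems.append(
            f"{len(all_labels)} labels planned; the limit is {MAX_TOTAL_LABELS}"
        )
    seen = set()
    for label in all_labels:
        if label in seen:
            problems.append(f"{label!r}: duplicate label name")
        seen.add(label)
        problems.extend(validate_label_name(label))
    return problems


def deleted_legacy_labels(labels_by_category):
    """Legacy labels absent from the plan.

    Containers created by ingestion apps or the REST API may still carry
    these statuses, so they should be expected in searches and playbooks.
    """
    planned = {
        label for labels in labels_by_category.values() for label in labels
    }
    return sorted(LEGACY_LABELS - planned)


if __name__ == "__main__":
    # Constructed sample plan: keeps the legacy labels and adds three more.
    plan = {
        "new": ["new", "triage"],
        "open": ["open", "in_progress"],
        "resolved": ["closed", "false-positive"],
    }
    for problem in validate_label_set(plan):
        print("violation:", problem)
    print("legacy labels dropped:", deleted_legacy_labels(plan))
```

Run the validator over the plan you intend to enter, then create the labels in the order the plan lists them; a non-empty result from `validate_label_set` means the UI would reject at least one entry or the category rules would be violated once a legacy label is deleted.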

To reorder status labels, drag the handle ( ☰ ) on the left side of the status label's input box to the desired position.

To delete a status label, click the circled x ( ⓧ ) to the right of the status label's input box.

To set the status label used as the default label for that status type, select the desired label from the drop-down list in the Default status field.

Last modified on 01 September, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

