Add tags to objects in Splunk Phantom to help you perform the following tasks:
- Search for objects in Splunk Phantom
- Flag objects for other users
- Automation and workflow operations
- Affect the flow of playbooks
You can also require tags before a container can be closed. See Configure how events are resolved for more information.
To view the Tags page, a user must have a role with the View System Settings privilege. To add, edit, or delete tags on the Tags page, a user must have a role with the Edit System Settings privilege.
Editing the tags on individual containers, artifacts, or assets requires a role with the matching Edit Containers, Edit Artifacts, or Edit Assets privileges. However, a user with the combination of View System Settings and Edit System Settings privileges can use the Tags page to delete or rename tags regardless of the object they are applied to, even without the edit privileges for those objects.
To view the Tags page, a user must have a role with the View System Settings privilege.
Perform the following steps to access the Tags page and view the existing tags in your Splunk Phantom instance:
- From the Main Menu, select Administration.
- Select Administration Settings > Tags.
Add a new tag to Splunk Phantom
To add a new tag to Splunk Phantom, perform the following steps:
- On the Tags page, click + Tag.
- Enter a new tag name.
- Click Create.
Tags can be added on individual objects by editing or creating that object in Splunk Phantom and typing them into the Tags field. For example, to create a new tag for a container in Splunk Phantom, do the following:
- Navigate to the container.
- Click Event Info to expand the section.
- In the Tags field, enter the name of a new tag you want to associate with the container.
Renaming a tag affects all objects in Splunk Phantom currently using that tag. All containers, artifacts, or assets in Splunk Phantom with the existing tag name are updated to use the new tag name.
To edit an existing tag, perform the following steps:
- On the Tags page, click the edit icon for the tag. If the existing tag is already in use by another Splunk Phantom component, its usage is summarized in the Edit Tag window. Review this information and make notes of where you must update the tag in Splunk Phantom to keep your playbooks operational.
- Modify the name of the tag as desired.
- Click Save.
Delete a tag in Splunk Phantom
A tag exists in Splunk Phantom as long as at least one object still uses that tag. If you remove a tag from all objects or delete all those objects, the tag no longer shows on the Tags page. Deleting a tag affects all objects in Splunk Phantom currently using that tag. The deleted tag is removed from all containers, artifacts, or assets in Splunk Phantom currently using the tag.
To delete an existing tag, perform the following steps:
- On the Tags page, click the delete icon for the tag.
If the existing tag is already in use by another Splunk Phantom component, its usage is summarized in the Delete Tag window. Review this information before you proceed.
- Click Delete.
Set the global action concurrency limit
Create custom CEF fields in Splunk Phantom
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7