Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Add tags to objects in Splunk Phantom

Add tags to objects in Splunk Phantom to help you perform the following tasks:

  • Search for objects in Splunk Phantom
  • Flag objects for other users
  • Support automation and workflow operations
  • Affect the flow of playbooks

You can also require tags before a container can be closed. See Configure how events are resolved for more information.

Required user privileges to view, add, edit, or delete tags in Splunk Phantom

To view the Tags page, a user must have a role with the View System Settings privilege. To add, edit, or delete tags on the Tags page, a user must have a role with the Edit System Settings privilege.

Editing the tags on individual containers, artifacts, or assets requires a role with the matching Edit Containers, Edit Artifacts, or Edit Assets privileges. However, a user with the combination of View System Settings and Edit System Settings privileges can use the Tags page to delete or rename tags regardless of the object they are applied to, even without the edit privileges for those objects.

View tags in your Splunk Phantom instance

To view the Tags page, a user must have a role with the View System Settings privilege.

Perform the following steps to access the Tags page and view the existing tags in your Splunk Phantom instance:

  1. From the Main Menu, select Administration.
  2. Select Administration Settings > Tags.

Add a new tag to Splunk Phantom

To add a new tag to Splunk Phantom, perform the following steps:

  1. On the Tags page, click + Tag.
  2. Enter a new tag name.
  3. Click Create.

You can also add tags to an individual object by editing or creating that object in Splunk Phantom and typing the tags into the Tags field. For example, to create a new tag for a container in Splunk Phantom, do the following:

  1. Navigate to the container.
  2. Click Event Info to expand the section.
  3. In the Tags field, enter the name of a new tag you want to associate with the container.

Edit existing Splunk Phantom tags

Renaming a tag affects all objects in Splunk Phantom currently using that tag. All containers, artifacts, or assets in Splunk Phantom with the existing tag name are updated to use the new tag name.

To edit an existing tag, perform the following steps:

  1. On the Tags page, click the edit icon for the tag. If the existing tag is already in use by another Splunk Phantom component, its usage is summarized in the Edit Tag window. Review this information and make notes of where you must update the tag in Splunk Phantom to keep your playbooks operational.
  2. Modify the name of the tag as desired.
  3. Click Save.

Delete a tag in Splunk Phantom

A tag exists in Splunk Phantom as long as at least one object still uses that tag. If you remove a tag from all objects or delete all those objects, the tag no longer shows on the Tags page. Deleting a tag affects all objects in Splunk Phantom currently using that tag. The deleted tag is removed from all containers, artifacts, or assets in Splunk Phantom currently using the tag.

To delete an existing tag, perform the following steps:

  1. On the Tags page, click the delete icon for the tag.
    If the existing tag is already in use by another Splunk Phantom component, its usage is summarized in the Delete Tag window. Review this information before you proceed.
  2. Click Delete.

Last modified on 28 January, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

