Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Define tasks using workbooks

Workbooks are lists of standard tasks that analysts follow when they evaluate events or cases. You can create workbooks to analyze events. You can also combine multiple workbooks to create a more comprehensive workbook for cumulative events or cases, or for cases that start out as one type of incident but end up being a different type of incident.

Workbooks are available from Investigation, in both Summary View and Analyst View.

See Define a workflow in a case using workbooks in Use Splunk Phantom for information about how to use workbooks in a Splunk Phantom workflow.

Create a Splunk Phantom workbook

Perform the following tasks to create a new workbook in Splunk Phantom:

  1. From the main menu, select Administration.
  2. Select Product Settings > Workbooks.
  3. Click + Workbook.
  4. Enter a name for your workbook.
  5. (Optional) Enter a long description for your workbook.
  6. Configure at least one phase for your workbook. A workbook can have multiple phases.
    1. Enter a name for the phase.
    2. (Optional) Configure a service level agreement (SLA) for the phase. See Configure service level agreements in a workbook.
    3. Click the arrow next to Task Name to expand the section.
    4. Enter a name for the first task in the phase. You can have multiple tasks within each phase.
    5. (Optional) Assign an owner or role to the task. See Notify task owners when they are assigned to a task.
    6. (Optional) Enter a long description or instructions for this task.
    7. (Optional) Configure an SLA for this task. The task SLA must be shorter than the SLA for the phase.
    8. (Optional) Click Actions to select actions you want to run when this task is performed.
    9. (Optional) Click Playbooks to select playbooks you want to run when this task is performed.
    10. (Optional) Click Add Task to configure additional tasks for the phase.
  7. (Optional) Click Add Phase to configure additional phases for the workbook.
  8. Click Save.

Edit an existing Splunk Phantom workbook

Changes to a workbook only apply to future uses of the workbook. For example, if you change the SLA of a phase or add or remove a phase or task, the change is not reflected in any event or case that already uses the workbook.

To edit an existing workbook, do the following:

  1. From the main menu, select Administration.
  2. Select Product Settings > Workbooks.
  3. Click a workbook name to see the read-only summary of that workbook.
  4. Use the drop-down list to expand the descriptions.
  5. Click Edit to go to the workbook editing page.
  6. Make the desired changes.
  7. Click Save.

Reorder phases in a workbook

Suppose you need to add a phase to the middle of a series of phases in an existing workbook. New phases are added to the end by default, so you need to reorder the phases to place the new phase in its desired location.

Perform the following tasks to reorder a phase:

  1. From the main menu, select Administration.
  2. Select Product Settings > Workbooks.
  3. Click a workbook name to see the read-only summary of that workbook.
  4. Use the drop-down list to expand the descriptions.
  5. Click Edit.
  6. Click Reorder Phases.
  7. Add the new phase at the bottom of the list.
  8. Drag the phase by the three horizontal lines next to it to the position you want.
  9. Click Done Reordering.
  10. Click Save.

Configure service level agreements in a workbook

Service level agreements (SLAs) represent the default amount of time until a phase or task is due. You can adjust the time values to reflect your organization's requirements. The SLAs for phases and tasks are different from the SLAs that are set globally per severity across the entire platform.

Separate from severity SLAs, the phase and task SLAs allow for greater granularity when operating at the phase or task level. See Create additional custom severity names for more information about global SLAs and response settings.

SLA time is expressed in minutes, hours, or days. It is measured from the start_time timestamp, recorded when the phase or task is started, to the end_time timestamp, recorded when the phase or task is completed. A phase can have a single SLA that covers all of its tasks, or each task can have its own SLA. If both phase and task SLAs are used, there is no automatic validation that the phase SLA is greater than or equal to the total of the task SLAs within it.

The owner of the phase or task sees SLA status messages in Investigation. You can also see the status of the current phase in the Summary View or in Analyst View, which is found under the Workbook tab. You can review if the SLAs are exceeded, how many tasks are completed, and how many of those tasks were completed on time.
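The SLA arithmetic described above, and the phase-versus-task consistency check that Splunk Phantom does not perform for you, as an added Python example (this is not Splunk's code and does not use a Splunk Phantom API). It normalizes mixed minute, hour and day SLAs to minutes, flags tasks whose SLA is not shorter than their phase SLA and phases whose task SLAs add up to more than the phase SLA, and classifies a phase or task as on time, late, open or breached from its start_time and end_time. The workbook definition, phase and task names, timestamps and dictionary layout are all constructed for the example and are not a Splunk Phantom export format.

```python
from datetime import datetime, timedelta, timezone

# Added example, not Splunk code. Units a phase or task SLA can use, in minutes.
SLA_UNITS = {"minutes": 1, "hours": 60, "days": 24 * 60}


def sla_minutes(sla, sla_type):
    """Normalize an SLA to minutes so that mixed units compare correctly."""
    if sla_type not in SLA_UNITS:
        raise ValueError(f"unknown SLA unit: {sla_type!r}")
    if sla <= 0:
        raise ValueError("SLA must be a positive number")
    return sla * SLA_UNITS[sla_type]


def validate_workbook(workbook):
    """Return SLA problems: a task SLA not shorter than its phase SLA, or a
    phase whose task SLAs add up to more than the phase SLA (the product does
    not check the latter). Phases and tasks without an SLA are skipped."""
    problems = []
    for phase in workbook["phases"]:
        if "sla" not in phase:
            continue
        phase_sla = sla_minutes(phase["sla"], phase["sla_type"])
        total = 0
        for task in phase["tasks"]:
            if "sla" not in task:
                continue
            task_sla = sla_minutes(task["sla"], task["sla_type"])
            total += task_sla
            if task_sla >= phase_sla:
                problems.append(f"phase {phase['name']!r}: task {task['name']!r} "
                                f"SLA ({task_sla} min) is not shorter than the "
                                f"phase SLA ({phase_sla} min)")
        if total > phase_sla:
            problems.append(f"phase {phase['name']!r}: task SLAs total {total} "
                            f"min, exceeding the phase SLA of {phase_sla} min")
    return problems


def sla_status(start_time, end_time, sla, sla_type, now=None):
    """Classify one phase or task: due = start_time + SLA. A completed item is
    'on_time' or 'late' by its end_time; an open one is 'open' or 'breached'."""
    due = start_time + timedelta(minutes=sla_minutes(sla, sla_type))
    if end_time is not None:
        return "on_time" if end_time <= due else "late"
    if now is None:
        now = datetime.now(timezone.utc)
    return "open" if now <= due else "breached"


def summarize_tasks(tasks, now=None):
    """Count completed tasks and how many of them completed within their SLA."""
    completed = on_time = 0
    for t in tasks:
        status = sla_status(t["start_time"], t.get("end_time"),
                            t["sla"], t["sla_type"], now)
        if status in ("on_time", "late"):
            completed += 1
            on_time += 1 if status == "on_time" else 0
    return {"completed": completed, "on_time": on_time}


# Constructed workbook with hypothetical names; not a Splunk Phantom format.
EXAMPLE_WORKBOOK = {"name": "Phishing triage", "phases": [
    {"name": "Containment", "sla": 2, "sla_type": "hours", "tasks": [
        {"name": "Block sender", "sla": 30, "sla_type": "minutes"},
        {"name": "Quarantine mailbox copies", "sla": 1, "sla_type": "hours"},
        # Individually fine, but the three tasks total 150 min > 120 min.
        {"name": "Reset affected credentials", "sla": 1, "sla_type": "hours"},
    ]},
    {"name": "Eradication", "sla": 1, "sla_type": "days", "tasks": [
        # Longer than the phase SLA, which the page says must not happen.
        {"name": "Hunt for related messages", "sla": 2, "sla_type": "days"},
    ]},
]}

# Constructed progress records for the Containment tasks, as if read from a case.
T0 = datetime(2020, 1, 27, 9, 0, tzinfo=timezone.utc)
T_NOW = T0 + timedelta(minutes=80)
EXAMPLE_PROGRESS = [
    {"name": "Block sender", "sla": 30, "sla_type": "minutes",
     "start_time": T0, "end_time": T0 + timedelta(minutes=20)},    # on time
    {"name": "Quarantine mailbox copies", "sla": 1, "sla_type": "hours",
     "start_time": T0, "end_time": T0 + timedelta(minutes=75)},    # late
    {"name": "Reset affected credentials", "sla": 1, "sla_type": "hours",
     "start_time": T0 + timedelta(minutes=30), "end_time": None},  # still open
]

if __name__ == "__main__":
    for problem in validate_workbook(EXAMPLE_WORKBOOK):
        print("SLA problem:", problem)
    print(summarize_tasks(EXAMPLE_PROGRESS, now=T_NOW))
```

Run the script as-is to see the three problems in the constructed workbook (one task longer than its phase, two phases whose task SLAs exceed the phase SLA) and the completed/on-time counts that the Workbook tab reports for a phase. Running such a check over a workbook definition before you save it in the UI catches the sum-of-tasks case that the product itself does not validate.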

To edit the phase or task SLA for the workbook, do the following:

  1. From the main menu, select Administration.
  2. Select Product Settings > Workbooks.
  3. Click a workbook name to see the read-only summary of that workbook.
  4. Use the drop-down list to expand the descriptions.
  5. Click Edit to go to the workbook editing page.
  6. Change the Phase SLA, or expand a task from the Task Name drop-down list and revise the time allowed to complete it in the Task SLA field.
  7. Click Save.

Notify task owners when they are assigned to a task

You can notify owners that a workbook task is assigned to them. The following methods are available:

  Email
    When you assign a task to a role, Splunk Phantom sends an email notification to every member of the role. When a specific user assigns that task to themselves, the new owner and the previous owner both get an email notification.
  In-product
    When you assign a task to a role, every member of the role sees a bell notification in the Splunk Phantom menu bar. When a specific user assigns that task to themselves, the bell notification disappears for all other members of the role.
  Mobile
    You can view Splunk Phantom notifications on your mobile device using the Splunk Mobile app.

You must complete the following steps before you can view mobile Splunk Phantom notifications:

To view a notification, open the push notification, or open it from the Splunk Mobile UI as follows:

  1. In your Phantom instance in the Splunk Mobile app, navigate to the Notifications tab.
    You can filter notifications by type by tapping All Types at the top of the list.
  2. Tap a notification to view its details.
Last modified on 27 January, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

