
Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Add objects to a case in Splunk Phantom

Add objects to a case in one of the following ways:

  • Promote a container to a new case. Everything in the container becomes a case object.
  • Promote a container to an existing case. Choose the objects from the container to be copied to the existing case. The container itself remains a container and is not promoted to a case.
  • Copy an individual object to an existing case with the Add to Case option.

Add objects from a container to an existing case

Perform the following steps to add objects from a container to an existing case:

  1. Navigate to a container in Splunk Phantom.
  2. Click the suitcase icon.
  3. Select the case in the Add Event to Case dialog box:
    1. Select Existing Case.
    2. In the Case Name field, select an existing case, or start typing to filter the case names before selecting a case.
    3. Select a phase from the case that you want to add objects to.
    4. Select the object type from the container that you want to add to the case. If the object is evidence, check the Mark as evidence checkbox.
  4. Click Save.

You can add objects from a container to a case only once. If you try to add objects from the same container to the same case, an error message appears.

See Create cases in Splunk Phantom for information about promoting an entire container to a case.

Add artifacts from a container to a case

Perform the following steps to add artifacts from a container to a case:

  1. Navigate to a container in Splunk Phantom.
  2. Click Analyst to change the container to the analyst view.
  3. Click the Artifacts tab.
  4. Click the ... icon on the artifact line, and then select Add To Case.
  5. Complete the Add Artifact to Case dialog box:
    1. Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
    2. Select a phase from the case that you want to add artifacts to.
    3. (Optional) Click Include note and add a note to accompany the artifact being added.
    4. (Optional) If the artifact is evidence, check the Mark as evidence checkbox.
  6. Click Save.

You cannot add the same artifact to a case multiple times this way.

Add files from a container to a case

Perform the following steps to add files from a container to a case:

  1. Navigate to a container in Splunk Phantom.
  2. Click Analyst to change the container to analyst view.
  3. Click the Files tab.
  4. Click the ... icon on the artifact line, and then select Add To Case.
  5. Complete the Add File to Case dialog box:
    1. Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
    2. Select a phase from the case that you want to add the file to.
  6. Click Save.

Add action results from a container to a case

Perform the following steps to add action results from a container to a case:

  1. Navigate to a container in Splunk Phantom.
  2. Click Analyst to change the container to analyst view.
  3. Click the Activity tab. Action run results appear near the bottom in the Activity tab.
  4. Click the ... icon on an action result and select Add To Case.
  5. Complete the Add Action Result to Case dialog box:
    1. Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
    2. Select a phase from the case that you want to add the file to.
  6. Click Save.

Last modified on 19 July, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

