Overview of containers
A container describes an object made of one or more artifacts that playbooks automate on. Objects are ingested from assets into containers. A container has the default label event and can be promoted to a case.
Create a container
Containers are created automatically during ingestion. You can also create a new container by following these steps:
- From the main menu, click Sources.
- Click +Event.
- Enter an event name.
- The default label for a container is
events. If you have other labels, you can select one from the drop-down list in the Label field. See Configure labels to apply to containers in Administer Splunk Phantom.
- (Optional) Click the Advanced drop-down menu to specify other information about the container.
- In the Event Type field, select if you want this event to be a container (Event) or a case.
- In the Status field, select a status. See Create custom status labels in Splunk Phantom in Administer Splunk Phantom.
- In the Owner field, select the owner or role for the event.
- In the Severity field, select the severity of the event to define its impact or importance. See Create custom severity names in Administer Splunk Phantom.
- In the Sensitivity field, select the sensitivity of the event to define who has access to the container. For example, if the machine of a high-ranking officer is compromised, you can assign a higher sensitivity to limit which analysts have access.
- In the SLA Expires field, configure the service level agreement for resolving the container. See Configure the response times for service level agreements in Administer Splunk Phantom.
- Enter a description of the container in the Description field.
- In the Tags field, select existing tags or type a new tag to create the tag. See Add tags to objects in Splunk Phantom in Administer Splunk Phantom for more information about how tags are used in Splunk Phantom.
- Toggle the Artifact Dependency switch to the on position to prevent automation tasks from running on this container. By default, this dependency is off, meaning that automation tasks can run even when no artifacts are present.
- Click Save.
Understanding container update time
After you have created a container, the Event Info tab provides information about the playbooks and actions run on it, artifacts, date and time information, authorized users, and the source ID and tags for the container. The time in the Last Updated field shows when the container was last updated. Performing the following actions updates the Last Updated time for the container:
- Creating, deleting, or editing a note.
- Creating, deleting, or editing a workbook task.
- Creating, deleting, or editing a workbook phase.
- Creating or deleting evidence.
- Creating or deleting a container attachment.
- Running an action on the container.
- Changing the status or severity.
- Changing the owner.
- Promoting a container to a case, or demoting it to an event.
- Editing the description of a container.
- Adding, deleting, or editing tags on the container.
- Adding a workbook.
Create custom lists for use in Splunk Phantom playbooks
Overview of cases
This documentation applies to the following versions of Splunk® Phantom: 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
Feedback submitted, thanks!