Splunk® Phantom (Legacy)


Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Define a workflow in a case using workbooks in Splunk Phantom

You can define a workflow in a case by using workbooks. A workbook is a list of standard tasks, grouped into phases, that you follow when you evaluate an event or a case. You can create workbooks for the types of events you analyze. You can also add several workbooks to one case to build a more comprehensive workflow, for example for a set of related events or cases, or for a case that starts out as one type of incident but turns out to be a different type of incident.

Workbooks are available from Investigation in both Summary View and Analyst View.

Add a workbook to an event or case

Perform the following steps to add a workbook to an event or case:

  1. Navigate to an event or case in Splunk Phantom.
  2. Click the Workbook tab.
  3. Click Add Workbook.
  4. Select the desired workbook from the drop-down list.
  5. Click Save.

In Analyst View in Investigation, you can click Add to add more workbooks to the event, or click Edit to make changes to the workbook. If you edit a workbook in this manner, the changes apply only to the current event, not to all events. To make global changes, you must edit the workbook on the Workbooks page. See Define tasks using workbooks in Administer Splunk Phantom.

Use workbooks to track, edit, and complete tasks

Use workbooks in a case to track, edit, and complete tasks after you have added items to the case.

Perform the following steps to view the workbook for a case:

  1. Navigate to the case in Splunk Phantom.
  2. Click Analyst to switch to the Analyst View.
  3. Select the Workbook tab.

Add new workbooks or edit phases and tasks

You can add existing workbooks to a case, add new phases to a workbook, or manage tasks.

  1. Navigate to the case in Splunk Phantom.
  2. Click Analyst to switch to Analyst View.
  3. Select the Workbook tab.
  4. Click Add to add existing workbooks to the case.

If you have created self-contained workbooks for particular types of incidents, adding more than one workbook is useful for cases that start out like one type of incident but turn out to be a different type. Adding a complete workbook avoids the inconsistencies that can arise from adding individual phases or tasks by hand during analysis. It is still possible to add individual phases or tasks.

Click Edit to add new phases or manage tasks. You can add, remove, or rename tasks, assign an owner to a task, assign authorized users, or configure whether a note is required before the task can be marked complete. If you edit a workbook in this manner, the changes apply only to the current case, not to all events or cases. To make global changes, you must edit the workbook on the Workbooks page.

Manage task details

Click on a task in the workbook column to open the task details in the main window area. You can view the task name and description supplied when the task was created.

  1. Navigate to the case in Splunk Phantom.
  2. Click Analyst to switch to Analyst View.
  3. Select the Workbook tab.
  4. Click the name of the task.
  5. Select a progress status from the drop-down list.

All tasks start with the status Incomplete. As you work on a task, you can set it to In-Progress or Complete. If a task is configured to require a note, you must enter a note before you can mark the task Complete.

A checkmark next to the task name indicates that it is complete. You can change the status of a task to Incomplete if the task requires additional information or action.
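The following is an added example, not Splunk Phantom's own code or API, that models the two rules this page describes: a workbook added to a case is a copy, so edits made in the case never touch the global workbook on the Workbooks page, and a task that is configured to require a note cannot be marked Complete until a note has been entered. All class and function names (WorkbookTemplate, Case, add_workbook, set_status) are this example's own; the sample workbooks and task names are constructed for illustration.

```python
"""Stand-alone model of Splunk Phantom workbook semantics (added example;
not Phantom's own code). Names below are this example's own assumptions."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import List, Optional

INCOMPLETE, IN_PROGRESS, COMPLETE = "Incomplete", "In-Progress", "Complete"
STATUSES = {INCOMPLETE, IN_PROGRESS, COMPLETE}


@dataclass
class Task:
    name: str
    owner: Optional[str] = None
    note_required: bool = False      # set via Edit in the case, or on the Workbooks page
    status: str = INCOMPLETE         # every task starts Incomplete
    notes: List[str] = field(default_factory=list)

    def set_status(self, status: str, note: Optional[str] = None) -> str:
        """Change the task status, enforcing the note-before-completion rule."""
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        if note:
            self.notes.append(note)
        if status == COMPLETE and self.note_required and not self.notes:
            raise ValueError(f"task {self.name!r} requires a note before completion")
        self.status = status         # reverting to Incomplete is always allowed
        return self.status

    @property
    def done(self) -> bool:
        return self.status == COMPLETE   # the checkmark next to the task name


@dataclass
class Phase:
    name: str
    tasks: List[Task] = field(default_factory=list)


@dataclass
class WorkbookTemplate:
    """A global workbook, as managed on the Workbooks page."""
    name: str
    phases: List[Phase] = field(default_factory=list)


@dataclass
class Case:
    id: int
    workbooks: List[WorkbookTemplate] = field(default_factory=list)

    def add_workbook(self, template: WorkbookTemplate) -> WorkbookTemplate:
        """Attach a copy of the template so per-case edits stay in this case."""
        instance = deepcopy(template)
        self.workbooks.append(instance)
        return instance

    def open_tasks(self) -> List[str]:
        """Names of tasks not yet marked Complete, across all attached workbooks."""
        return [t.name for wb in self.workbooks for ph in wb.phases
                for t in ph.tasks if not t.done]


def demo() -> dict:
    # Constructed sample workbooks (not real Phantom content).
    phishing = WorkbookTemplate("Phishing triage", [
        Phase("Identify", [Task("Collect headers"),
                           Task("Extract IOCs", note_required=True)]),
        Phase("Contain", [Task("Block sender")]),
    ])
    malware = WorkbookTemplate("Malware response", [
        Phase("Contain", [Task("Isolate host", note_required=True)]),
    ])
    case = Case(id=42)
    wb = case.add_workbook(phishing)
    # Edit in the case: rename and assign the first task; the template is untouched.
    wb.phases[0].tasks[0].name = "Collect full message source"
    wb.phases[0].tasks[0].owner = "analyst1"
    # The incident turns out to involve malware too: add a second workbook.
    case.add_workbook(malware)
    # Completing a note-required task without a note is refused.
    iocs = wb.phases[0].tasks[1]
    try:
        iocs.set_status(COMPLETE)
        refused = False
    except ValueError:
        refused = True
    iocs.set_status(COMPLETE, note="3 URLs and 1 hash extracted, see attachments")
    wb.phases[0].tasks[0].set_status(COMPLETE)
    return {
        "template_task_name": phishing.phases[0].tasks[0].name,
        "case_task_name": wb.phases[0].tasks[0].name,
        "refused_without_note": refused,
        "open_tasks": case.open_tasks(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block attaches two workbooks to one case, shows that the renamed task exists only in the case copy, and leaves "Block sender" and "Isolate host" as the open tasks.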

Last modified on 15 January, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

