Manage the status, severity, and resolution of events in Splunk Phantom
You can manage the status, severity, and resolution of events in Splunk Phantom in order to best organize events.
Use status to represent the state of an event
Each event or case has a status. Use the status to indicate the state of an event or case.
Statuses are grouped into three types: New, Open, and Closed. You can create up to 10 additional custom statuses in each category as required by your business processes.
The status of an event or case is set when it is created or ingested from an asset.
Perform the following steps to change the status of an event or case:
- In Investigation, click the downward arrow stack icon next to the Playbook button.
- In the expanded section at the top of the page, click Event Info.
- Select a status from the menu in the Status field.
You can also set the status of a case or event using actions inside of a playbook. See Set container parameters in Splunk Phantom using the API block in Build Playbooks with the Visual Editor.
Use severity to represent the importance of an event
Severity defines the impact or importance of an event or case. Different severities have their own service level agreements (SLAs) assigned to them.
Splunk Phantom ships with three severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. A Splunk Phantom administrator can define additional severity names.
The severity of a case or event is set when it is created or ingested. You can change the severity assigned to a case or event in Investigation by clicking on the severity label.
Each severity label has a corresponding SLA which is defined as the number of minutes that can pass before an action or approval is considered late. Each severity name can be configured with its own SLA.
This table lists the default SLA settings for High, Medium, and Low.
|High||60 minutes (1 hour)|
|Medium||720 minutes (12 hours)|
|Low||1440 (24 hours)|
Use SLAs for the following purposes in Splunk Phantom:
- Track the amount of time an event or case has remaining before it is considered due.
- Track the amount of time an approver has to approve an action before the approval is escalated to another approver.
If an approver does not approve an action before the SLA time elapses, the action is escalated to the next level of approvers.
For more information about the approval and escalation process see Approve actions before they run in Splunk Phantom.
Close or resolve events and cases
When all the tasks or actions associated with a case or event are complete, you can close or resolve the case or event by setting the status to a Closed type. You can change the status in Investigation, using the REST API, or by automation in a playbook.
Change the status of an event or case by selecting the status from the menu in Investigation > Event Info > Status. Playbooks can also set the status of a case or event.
An administrator can specify which tags are required before an event or case before you can resolve it. Selecting a status with a Closed type with a missing required tag generates an error.
Start with Investigation in Splunk Phantom
Approve actions before they run in Splunk Phantom
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7