Splunk® Phantom (Legacy)

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Manage the status, severity, and resolution of events in Splunk Phantom

You can manage the status, severity, and resolution of events in Splunk Phantom to keep events organized and to track how much time remains on each one.

Use status to represent the state of an event

Each event or case has a status. Use the status to indicate the state of an event or case.

Statuses are grouped into three types: New, Open, and Closed. You can create up to 10 additional custom statuses in each category as required by your business processes.

The status of an event or case is set when it is created or ingested from an asset.

Perform the following steps to change the status of an event or case:

  1. In Investigation, click the downward arrow stack icon next to the Playbook button.
  2. In the expanded section at the top of the page, click Event Info.
  3. Select a status from the menu in the Status field.

You can also set the status of a case or event using actions inside of a playbook. See Set container parameters in Splunk Phantom using the API block in Build Playbooks with the Visual Editor.

Use severity to represent the importance of an event

Severity defines the impact or importance of an event or case. Different severities have their own service level agreements (SLAs) assigned to them.

Splunk Phantom ships with three severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. A Splunk Phantom administrator can define additional severity names.

The severity of a case or event is set when it is created or ingested. You can change the severity assigned to a case or event in Investigation by clicking on the severity label.

Each severity label has a corresponding SLA which is defined as the number of minutes that can pass before an action or approval is considered late. Each severity name can be configured with its own SLA.

This table lists the default SLA settings for High, Medium, and Low.

Severity name   SLA
High            60 minutes (1 hour)
Medium          720 minutes (12 hours)
Low             1440 minutes (24 hours)

Use SLAs for the following purposes in Splunk Phantom:

  • Track the amount of time an event or case has remaining before it is considered due.
  • Track the amount of time an approver has to approve an action before the approval is escalated to another approver.

If an approver does not approve an action before the SLA time elapses, the action is escalated to the next level of approvers.

For more information about the approval and escalation process, see Approve actions before they run in Splunk Phantom.

Close or resolve events and cases

When all the tasks or actions associated with a case or event are complete, you can close or resolve the case or event by setting the status to a Closed type. You can change the status in Investigation, using the REST API, or by automation in a playbook.

Change the status of an event or case by selecting the status from the menu in Investigation > Event Info > Status. Playbooks can also set the status of a case or event.

An administrator can specify which tags must be present on an event or case before you can resolve it. Selecting a status of the Closed type while a required tag is missing generates an error.
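The following Python example, added here and not part of the Splunk Phantom product or its documentation, models the rules described above: the default severity-to-SLA table, the remaining time before an event is considered late, and the refusal to set a Closed-type status while required tags are missing. The Container class, the required-tag set, and the helper names are constructed for illustration and are not Phantom's own data model or API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Default SLAs from the table above, in minutes. An administrator-defined
# severity name would be added here with its own SLA.
SEVERITY_SLA_MINUTES = {"high": 60, "medium": 720, "low": 1440}

# Built-in statuses mapped to their type (New, Open, Closed). Custom statuses
# would map to one of the same three types.
STATUS_TYPE = {"new": "New", "open": "Open", "closed": "Closed"}

# Constructed example of tags an administrator requires before resolution.
REQUIRED_TAGS_TO_CLOSE = {"triaged", "owner-assigned"}


@dataclass
class Container:
    """Hypothetical stand-in for an event/case record; not Phantom's own model."""
    id: int
    created: datetime
    severity: str = "medium"
    status: str = "new"
    tags: set = field(default_factory=set)


def new_container(cid, created_iso, severity="medium"):
    """Create a container from an ISO 8601 timestamp, as an ingested event would be."""
    return Container(cid, datetime.fromisoformat(created_iso), severity.lower())


def minutes_remaining(container, now_iso):
    """Whole minutes left before the container's SLA elapses (negative once late)."""
    due = container.created + timedelta(minutes=SEVERITY_SLA_MINUTES[container.severity])
    return int((due - datetime.fromisoformat(now_iso)).total_seconds() // 60)


def is_late(container, now_iso):
    """True once the SLA for the container's severity has been exceeded."""
    return minutes_remaining(container, now_iso) < 0


def set_status(container, status):
    """Change status; a Closed-type status is refused while required tags are missing.

    Returns (True, "") on success or (False, reason) on failure, mirroring the
    error Investigation raises when a required tag is absent."""
    status = status.lower()
    if status not in STATUS_TYPE:
        return False, f"unknown status: {status}"
    if STATUS_TYPE[status] == "Closed":
        missing = sorted(REQUIRED_TAGS_TO_CLOSE - container.tags)
        if missing:
            return False, f"missing required tags: {', '.join(missing)}"
    container.status = status
    return True, ""
```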

Last modified on 01 December, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
