View recommendations for mission experts, playbooks, and actions
Use the Guidance tab to view recommended users, playbooks, and actions that can be used to resolve an event. The recommendations are provided by Splunk Phantom based on a variety of factors, including the following:
- Previous playbooks or actions run on a container, event, or case with the same label.
- The users working on that label.
- The frequency with which those previous entities were used. For example, a user that has frequently changed the state of all containers with the matching label would be considered an expert.
- How recently an entity has interacted with the event, case, or container. For example, a user is considered less of an expert as time goes on, assuming there is no activity from the user.
Perform the following tasks to view guidance information:
- Navigate to a container or case in Splunk Phantom.
- Click Analyst to switch to Analyst view.
- Click the Guidance tab.
The Mission Experts are the users who have taken action on containers, events, or cases with the same label. You can also view recommended Playbooks and Actions in their respective sections.
Mark files and events as evidence in Splunk Phantom
View and create notes in Splunk Phantom
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7