Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

View and create notes in Splunk Phantom

You can create a note in Splunk Phantom when working with events, tasks, and cases. Use the Notes tab to view all of the notes, regardless of who created them.

Create a note

To create a note, follow these steps:

  1. Navigate to an event, task, or case in Splunk Phantom.
  2. Click the Notes tab.
  3. Enter a title and body text for your note.
  4. (Optional) Add an attachment by clicking the paper clip icon. You can upload a new attachment of up to 20 MB. To upload a larger attachment, first upload it using the Files tab. You can then add the larger file to the note as an existing file using the paper clip icon.
  5. (Optional) Click the image icon to add a new or existing image of up to 2 MB. Supported image file types include JPG, JPEG, PNG, GIF, BMP, and ICO. Images appear inline in the body of the note once the note is saved.
  6. Click Save.

To edit, delete, or mark a note as evidence, click the This image shows the more icon. icon. Once your note is marked as evidence, it appears in the Evidence tab.

Filtering notes

You can filter notes by doing the following:

  • In the Show field, select either Task Notes, General Notes, or Artifact Notes from the drop-down list. By default, all notes are displayed.
  • In the Sort field, sort by the Newest or Oldest notes.

Users who upgrade Splunk Phantom from version 4.5 or lower need to reindex containers before notes are searchable. Use the Search Settings page to reindex containers.

Using HTML and Markdown in notes

Splunk Phantom supports clickable links and inline images when notes are written in Markdown. Clickable links and inline images are not supported when notes are written in HTML.

Notes created prior to Splunk Phantom version 4.9 are rendered as HTML notes. Notes created in Splunk Phantom version 4.9 or later are saved and rendered as Markdown.

Supported Markdown

Splunk Phantom uses the Markdown flavor as GitHub. See https://guides.github.com/features/mastering-markdown for more information on the Markdown used in notes.

Because notes will be rendered in Markdown, you may need to escape markdown characters you want to use in the body of your note with the backslash character.

For example, if you want to use brackets around text without turning that text into a link, you would escape the brackets.

 \[example text\] 

This table lists characters you might need to escape.

Character Description Character Description
\ backslash ( ) parentheses
` backtick # pound sign
* asterisk + plus sign
_ underscore - minus sign (hyphen)
{ } curly braces . dot (period)
[ ] brackets ! exclamation mark
< > angle brackets pipe
Last modified on 06 May, 2021
View recommendations for mission experts, playbooks, and actions   Search within Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters