Configure labels to apply to containers
Labels are a property applied to containers. A label applied to a container enables Splunk Phantom to run playbooks and other automation against containers.
Splunk Phantom ships with one label defined: events. More labels can be added to suit your workflow or organizational needs. Labels can have additional custom fields, be used as the basis of a HUD Card, or have tags required before the label's container can be set to a closed or resolved status.
Create a label
Perform the following steps to create a label:
- From the main menu, select Administration.
- Click Event Settings > Label Settings.
- Click + Label.
- Type a name for the label.
- Click Create.
When creating labels, verify that the label permissions allow your users or profiles access to the new label if needed:
- See Add a role to .
- See the step regarding Label Permissions to configure label permissions for this role.
Delete or modify a label
Delete a label by clicking the ⓧ icon to the right of the label's name.
Perform the following tasks to modify a label:
- From the main menu, select Administration.
- Click Event Settings > Label Settings.
- Click the label's name in the list.
- Click either Custom Fields, HUD, or Resolution. Each of these items behaves identically to the top-level settings of the same name.
- For Custom Fields settings, see Create custom fields for containers.
- For HUD settings, see Track information about an event or case using HUD cards.
- For Resolution settings, see Configure how events are resolved.
Configure how events are resolved | Use authorized users to grant authorized access |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
Feedback submitted, thanks!