Create custom severity names
Severity defines the impact or importance of an event or case. Each severity name has its own service level agreement assigned on the Response page. Splunk Phantom ships with three predefined severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. Additional severity names can be defined by a Splunk Phantom administrator.
You can create up to 10 severities in Splunk Phantom.
Create a severity in Splunk Phantom
To create a severity, follow these steps:
- From the Main Menu, select Administration.
- Select Event Settings > Severity.
- Click Add Item.
- Enter the severity name and select a color from the drop-down list. The severity name must adhere to the following conditions:
  - Only ASCII characters a-z, 0-9, dash ( - ), or underscores ( _ ) are allowed.
  - The name cannot exceed 20 characters in length.
- Click Done.
Severity names cannot be edited. To change a severity name, delete it and recreate the severity name. To reorder severity names, drag the handle ( ☰ ) on the left side of the severity name's input box to the desired position.
To set the severity name used as the default severity, select the desired name from the drop-down list.
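Because severity names cannot be edited after creation, an administrator scripting a set of custom severities may want to check them against the rules above before touching the UI. The following pre-flight validator is an added example, not Splunk Phantom code; it assumes that letters are accepted in either case (the built-in names High, Medium and Low are capitalized) and that duplicate detection is an exact string match.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constraints stated in the documentation: ASCII a-z, 0-9, dash or underscore,
# at most 20 characters per name, at most 10 severities in total.
# Assumption: upper-case letters are accepted too, as in the built-in "High".
SEVERITY_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_NAME_LENGTH = 20
MAX_SEVERITIES = 10
BUILT_IN = ("High", "Medium", "Low")


def validate_severity_name(name: str, existing: Sequence[str]) -> List[str]:
    """Return the reasons a proposed name would be rejected (empty list = OK)."""
    problems: List[str] = []
    if not name:
        problems.append("name is empty")
    elif not SEVERITY_NAME_RE.match(name):
        problems.append("only ASCII a-z, 0-9, dash (-) and underscore (_) are allowed")
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"name exceeds {MAX_NAME_LENGTH} characters")
    if name in existing:  # assumption: exact-match duplicate check
        problems.append("a severity with this name already exists")
    if len(existing) >= MAX_SEVERITIES:
        problems.append(f"already {MAX_SEVERITIES} severities defined")
    return problems


def plan_new_severities(
    proposed: Sequence[str], existing: Sequence[str] = BUILT_IN
) -> Tuple[List[str], Dict[str, List[str]]]:
    """Check a batch of names in order, counting each accepted name toward the
    10-severity limit; returns (accepted names, {rejected name: reasons})."""
    accepted: List[str] = []
    rejected: Dict[str, List[str]] = {}
    current = list(existing)
    for name in proposed:
        problems = validate_severity_name(name, current)
        if problems:
            rejected[name] = problems
        else:
            accepted.append(name)
            current.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batch: one valid name, one with a space, one too long.
    ok, bad = plan_new_severities(["Critical", "needs review", "x" * 21])
    print("accepted:", ok)
    print("rejected:", bad)
```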
Delete a severity name in Splunk Phantom
To delete a severity name, click the circled x ( ⓧ ) to the right of the severity name's input box. Take note of the following Splunk Phantom behaviors before you delete a severity:
- The severity label set as the default severity cannot be removed until a new default is selected.
- Deleting a severity name does not change the severity of a case, event, or artifact. Changing a severity name does not update closed events, cases, or artifacts.
- Deleted severity names appear in search results as strikethrough text.
- Severity names are stored in Splunk Phantom's internal database. Deleting a severity name from the active severity list does not remove that severity name from the database.
- To maintain backwards compatibility with apps and existing playbooks, if the severity names High, Medium, or Low have been deleted, ingestion apps and the REST API can still assign the severity High, Medium, and Low to events, containers, or artifacts.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7