Add objects to a case in Splunk Phantom
Add objects to a case in one of the following ways:
- Promote a container to a new case. Everything in the container becomes a case object.
- Promote a container to an existing case. Choose the objects from the container to be copied to the existing case. The container itself remains a container and is not promoted to a case.
- Copy an individual object to an existing case with the Add to Case option.
Add objects from a container to an existing case
Perform the following steps to add objects from a container to an existing case:
- Navigate to a container in Splunk Phantom.
- Click the suitcase icon.
- Select the case in the Add Event to Case dialog box:
  - Select Existing Case.
  - In the Case Name field, select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add objects to.
  - Select the object type from the container that you want to add to the case. If the object is evidence, check the Mark as evidence checkbox.
- Click Save.
You can add objects from a container to a case only once. If you try to add objects from the same container to the same case, an error message appears.
See Create cases in Splunk Phantom for information about promoting an entire container to a case.
Add artifacts from a container to a case
Perform the following steps to add artifacts from a container to a case:
- Navigate to a container in Splunk Phantom.
- Click Analyst to change the container to the analyst view.
- Click the Artifacts tab.
- Click the ... icon on the artifact line, and then select Add To Case.
- Complete the Add Artifact to Case dialog box:
  - Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add artifacts to.
  - (Optional) Click Include note and add a note to accompany the artifact being added.
  - (Optional) If the artifact is evidence, check the Mark as evidence checkbox.
- Click Save.
You cannot add the same artifact to a case multiple times this way.
Add files from a container to a case
Perform the following steps to add files from a container to a case:
- Navigate to a container in Splunk Phantom.
- Click Analyst to change the container to analyst view.
- Click the Files tab.
- Click the ... icon on the artifact line, and then select Add To Case.
- Complete the Add File to Case dialog box:
  - Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add the file to.
- Click Save.
Add action results from a container to a case
Perform the following steps to add action results from a container to a case:
- Navigate to a container in Splunk Phantom.
- Click Analyst to change the container to analyst view.
- Click the Activity tab. Action run results appear near the bottom in the Activity tab.
- Click the ... icon on an action result and select Add To Case.
- Complete the Add Action Result to Case dialog box:
  - Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add the file to.
- Click Save.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7