Create cases in Splunk Phantom

Once you have at least one case workbook, you can create cases to use that workbook.

Cases only contain the items from the workbook at the time the case was created. If you create a case from a workbook, and then later add a new phase to the workbook, the new phase is not available to the existing workbook. Only new cases created after the workbook is changed will have the new phase available to use. The case was a copy at the time it was created. There is no live link to the workbook. Items deleted from the workbook aren't deleted from cases created before the workbook change.

Promote a container to a case

Create a case by promoting a container.

1. From the main menu, select Sources, and then select a container label.
2. Click the suitcase () icon.
3. In the Promote to Case window, select the new workbook you want to use on this case. If you already added a workbook to the container, you do not have the option to select a workbook. The menu is inactive with the text "Keep current workbook".
4. Click Save.

A case looks similar to its container and has all of the same functions. The colored block with the word Case indicates that it is a case.

Select the Workbook tab to see the tasks defined in case workbook. The blue highlight indicates the current page and shows task completion progress within each phase.

Demote a case to change it back to a container

Perform the following steps to change a case back to a container:

1. In Splunk Phantom, navigate to the case you want to demote.
2. Click the suitcase () icon.

Delete a case in Splunk Phantom

Perform the following steps to delete a case:

1. In the main menu, select Cases.
2. Select the cases you want to delete.
3. Click Delete.
4. Click Delete again to confirm that you want to delete the selected cases.