Splunk® Phantom (Legacy)

Use Splunk Phantom

View recommendations for mission experts, playbooks, and actions

Use the Guidance tab to view recommended users, playbooks, and actions that can be used to resolve an event. The recommendations are provided by Splunk Phantom based on a variety of factors, including the following:

  • Previous playbooks or actions run on a container, event, or case with the same label.
  • The users working on that label.
  • The frequency with which those previous entities were used. For example, a user that has frequently changed the state of all containers with the matching label would be considered an expert.
  • How recently an entity has interacted with the event, case, or container. For example, a user is considered less of an expert as time goes on, assuming there is no activity from the user.

Perform the following tasks to view guidance information:

  1. Navigate to a container or case in Splunk Phantom.
  2. Click Analyst to switch to Analyst view.
  3. Click the Guidance tab.

The Mission Experts are the users who have taken action on containers, events, or cases with the same label. You can also view recommended Playbooks and Actions in their respective sections.

Last modified on 19 October, 2020
Mark files and events as evidence in Splunk Phantom   View and create notes in Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters