Start with Investigation in Splunk Phantom
Use the Splunk Phantom Investigation page as the starting point to understand, investigate, and act on events. Investigation provides you access to event activity history, contextual and interactive data views, secure file attachments, and automation and case management controls.
The activity feed displays current and historical action and playbook activity that has acted on the currently displayed event. It provides a summary of the success, ongoing execution, and results of all automation operations for the event. The activity feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.
You can use Splunk Phantom to promote a verified event to a case using the integrated case management capability. Case management supports tasks that map to your defined Standard Operating Procedures (SOPs). Case management also has full access to the Phantom Automation Engine, allowing you to launch actions and playbooks as part of a task.
Set your view in Investigation
Analyst and summary views enable different personas to quickly view information and perform actions. Toggle quickly between the summary and analyst views by clicking the Summary or Analyst view buttons in an event or case.
- The Summary view presents mostly non-actionable information about a case. This information is useful for individuals such as managers or executives who want to be able to view the status of a case without having to view the actionable items.
- The Analyst view contains the same information as the summary view along with all options to perform actions on the case, such as run a playbook, add and edit a workbook, or view and add artifacts.
The collapsible heads up display (HUD) helps you track important metrics and information. Splunk Phantom administrators control HUD card settings. Users can customize the HUD for an event or case by adding or removing cards, or configuring manual cards of their own design.
The following HUD card types are available:
- Preset Metrics
- Custom Fields
Preset Metrics and Custom Fields cards are defined by a Splunk Phantom administrator and display one of the built-in metrics or the information from a custom field. You can add or remove these cards, but only an administrator can change the card options. Manual cards let you add a customized card to the HUD for an event or case.
Add a card to the HUD
Perform the following steps to add a card to the HUD:
- From the Phantom main menu, select either Cases or Sources > My Events.
- Select an event or case.
- Expand the HUD menu .
- Click the gear icon to open the Configure HUD modal.
- Click + HUD Card.
- Choose a HUD card type.
- Configure the available card options. The following table describes the manual card options:
Setting Description Type Text creates an input field where you can add a small amount of text.
Select creates a card with a dropdown list of options.
Message The name of the HUD card. Color The display color of the HUD card.
- Click Save.
To display HUD information from earlier versions of Splunk Phantom, set HUD TABLE DATA to ON.
Log in and navigate Splunk Phantom
Manage the status, severity, and resolution of events in Splunk Phantom
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9