Splunk® SOAR (Cloud)

Use Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Create and investigate containers

A container describes an object made of one or more artifacts that playbooks automate on. Objects are ingested from assets into containers. A container has the default label event and can be promoted to a case.

Create a container

Containers are created automatically during ingestion. You can also create a new container by following these steps:

  1. From the Home menu, click Sources.
  2. Click +Event.
  3. Enter an event name.
  4. The default label for a container is "events." If you have other labels, you can select one from the drop-down list in the Label field. See Configure labels to apply to containers in Administer .
  5. (Optional) Click the Advanced drop-down menu to specify other information about the container.
    1. In the Event Type field, select if you want this event to be a container (Event) or a case.
    2. In the Status field, select a status. See Create custom status labels in in Administer .
    3. In the Owner field, select the owner or role for the event.
    4. In the Severity field, select the severity of the event to define its impact or importance. See Create custom severity names in Administer .
    5. In the Sensitivity field, select the sensitivity of the event to define who has access to the container. For example, if the machine of a high-ranking officer is compromised, you can assign a higher sensitivity to limit which analysts have access.
    6. In the SLA Expires field, configure the service level agreement for resolving the container. See Configure the response times for service level agreements in Administer .
    7. Enter a description of the container in the Description field.
    8. In the Tags field, select existing tags or type a new tag to create the tag. See Add tags to objects in in Administer for more information about how tags are used in .
    9. Toggle the Artifact Dependency switch to the off position to prevent automation tasks from running on this container. By default, this toggle is is in the off position, meaning that automation tasks can only run when artifacts are present.
  6. Click Save.

Event information for containers

After you create a container, the Event Info tab provides information about the playbooks and actions run on it and about its artifacts. It also includes date and time information, authorized users, the source ID, and tags for the container. The time in the Last Updated field shows when the container was last updated. The Last Updated time for the container updates after completing any of the following actions:

  • Creating, deleting, or editing a note.
  • Creating, deleting, or editing a workbook task.
  • Creating, deleting, or editing a workbook phase.
  • Creating or deleting evidence.
  • Creating or deleting a container attachment.
  • Running an action on the container.
  • Changing the status or severity.
  • Changing the owner.
  • Promoting a container to a case, or demoting it to an event.
  • Editing the description of a container.
  • Adding, deleting, or editing tags on the container.
  • Adding a workbook.
Last modified on 18 September, 2024
Create custom lists for use in playbooks   Overview of cases

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters