Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Create custom severity names

Severity defines the impact or importance of an event or case. Different severity names have different assigned service level agreements in the Response page. ships with three predefined severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. Additional severity names can be defined by a administrator.

You can create up to 10 severities in .

Create a severity in

To create a severity, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Event Settings > Severity.
  3. Click Add Item.
  4. Enter the severity name and select a color from the drop-down list. The severity name must adhere to the following conditions:
    • Only ASCII characters a-z, 0-9, dash ( - ), or underscores ( _ ) are allowed.
    • The name cannot exceed 20 characters in length.
  5. Click Done.

Severity names cannot be edited. To change a severity name, delete it and recreate the severity name. To reorder severity names, drag the handle ( ☰ ) on the left side of the severity name's input box to the desired position.

To set the severity name used as the default severity, select the desired name from the drop-down list.

Delete a severity name in

To delete a severity name, click the circled x ( ⓧ ) to the right of the severity name's input box. Take note of the following behaviors before you delete a severity:

  • The severity label set as the default severity cannot be removed until a new default is selected.
  • Deleting a severity name does not change the severity of a case, event, or artifact. Changing a severity name does not update closed events, cases, or artifacts.
  • Deleted severity names appear in search results as strikethrough text.
  • Severity names are stored in 's internal database. Deleting a severity name from the active severity list does not remove that severity name from the database.
  • To maintain backwards compatibility with apps and existing playbooks, if the severity names High, Medium, or Low have been deleted, ingestion apps and the REST API can still assign the severity High, Medium, and Low to events, containers, or artifacts.
Last modified on 01 April, 2024
Create custom status labels in   Create custom fields to filter events

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters