Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Configure the response times for service level agreements

Service level agreements (SLA) define the number of minutes that is permitted to pass before an action or approval is considered late. SLAs are used for the following purposes in :

  • To track the amount of time a container or case has remaining before it is considered due.
  • To track the amount of time an approver has to approve an action before the approval escalates. For more information about the approval and escalation process, see Approve actions before they run in in Use .

Each event or case must have a severity assigned, and each severity has a corresponding SLA. This table lists the default SLA settings in :

Severity name SLA in minutes
High 60
Medium 720
Low 1440

The SLA time starts when a case or container is created. An action or approval is considered late if the SLA time is reached before the case or container is closed.

Set service level agreement times

You can set the SLA for any default or custom severity name in . Custom severities follow the same escalation process that the default severities follow. To set an SLA time for a severity, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Event Settings > Response.
  3. In each severity level, type a number of minutes permitted to elapse before an action or approval must be escalated.
  4. (Optional) Check Automatic self-approval if you want actions activated by a user who can approve them to be approved automatically.
  5. (Optional) Add executive approvers by selecting them from the drop-down list in the Executive approvers field. When all of the SLA escalations have expired without being acted on, the executive approvers receive an SLA breach notification.
  6. Click Save Changes.
Last modified on 31 January, 2023
Track information about an event or case using HUD cards   Configure how events are resolved

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters