Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Add files to an event in

When you find files that are relevant to an event, you can add them to the event in a vault. You can upload any type or size of file, unless instructed otherwise by your organization's administrator. Adding a file associates it with the event. You can optionally choose to mark the file as evidence or add it to a case.

Add a file to an event

To add a file to an event, follow these steps:

  1. In the Home menu, select Sources, the one of the selections for Events.
  2. Select the event you want to work with.
  3. Select Analyst to change to the Analyst view.
  4. Select the Files tab.
  5. Select the link to choose one or more files from your file system or drag one or more files onto the marked section of the screen.
    The files display in the list on the Files tab.

Download a file from the vault

To download a file from the vault, follow these steps:

  1. In the Home menu, select Sources, the one of the selections for Events.
  2. Select the event you want to work with.
  3. Select Analyst to change to the Analyst view.
  4. Select the Files tab and locate the file you want to delete.
  5. Select the three dots This image shows the more icon with three dots. next to the file name and select 'Download.

Delete a file from the vault

To delete a file from the vault, follow these steps:

  1. In the Home menu, select Sources, the one of the selections for Events.
  2. Select the event you want to work with.
  3. Select Analyst to change to the Analyst view.
  4. Select the Files tab and locate the file you want to delete.
  5. Select the three dots This image shows the more icon with three dots. next to the file name and select Delete file.

Additional actions

When you select the three dots This image shows the more icon with three dots. next to the file name, you can also choose to add the file to a case or mark it as evidence. For additional information, see Add objects to a case in and Mark files and events as evidence in .

Last modified on 27 March, 2023
Approve actions before they run in   Mark files and events as evidence in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters