After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Add files to an event in
When you find files that are relevant to an event, you can add them to the event in a vault. You can upload any type or size of file, unless instructed otherwise by your organization's administrator. Adding a file associates it with the event. You can optionally choose to mark the file as evidence or add it to a case.
Add a file to an event
To add a file to an event, follow these steps:
- In the Home menu, select Sources, the one of the selections for Events.
- Select the event you want to work with.
- Select Analyst to change to the Analyst view.
- Select the Files tab.
- Select the link to choose one or more files from your file system or drag one or more files onto the marked section of the screen.
The files display in the list on the Files tab.
Download a file from the vault
To download a file from the vault, follow these steps:
- In the Home menu, select Sources, the one of the selections for Events.
- Select the event you want to work with.
- Select Analyst to change to the Analyst view.
- Select the Files tab and locate the file you want to delete.
- Select the three dots next to the file name and select 'Download.
Delete a file from the vault
To delete a file from the vault, follow these steps:
- In the Home menu, select Sources, the one of the selections for Events.
- Select the event you want to work with.
- Select Analyst to change to the Analyst view.
- Select the Files tab and locate the file you want to delete.
- Select the three dots next to the file name and select Delete file.
Additional actions
When you select the three dots next to the file name, you can also choose to add the file to a case or mark it as evidence. For additional information, see Add objects to a case in and Mark files and events as evidence in .
Approve actions before they run in | Mark files and events as evidence in |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0
Feedback submitted, thanks!