Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Manage the status, severity, and resolution of events in Splunk SOAR (On-premises)

You can manage the status, severity, and resolution of events in Splunk SOAR (On-premises) in order to best organize events.

Use status to represent the state of an event

Each event or case has a status. Use the status to indicate the state of an event or case.

Statuses are grouped into three types: New, Open, and Closed. You can create up to 10 additional custom statuses in each category as required by your business processes.

The status of an event or case is set when it is created or ingested from an asset.

Perform the following steps to change the status of an event or case:

  1. In Investigation, click the downward arrow stack icon next to the Playbook button.
  2. In the expanded section at the top of the page, click Event Info.
  3. Select a status from the menu in the Status field.

You can also set the status of a case or event using actions inside of a playbook. See Set parameters with the API utility in Add functionality to your playbook in Splunk SOAR (On-premises) using the Utility block.

Use severity to represent the importance of an event

Severity defines the impact or importance of an event or case. Different severities have their own service level agreements (SLAs) assigned to them.

Splunk SOAR (On-premises) ships with three severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. A Splunk SOAR (On-premises) administrator can define additional severity names.

The severity of a case or event is set when it is created or ingested. You can change the severity assigned to a case or event in Investigation by clicking on the severity label.

Each severity label has a corresponding SLA which is defined as the number of minutes that can pass before an action or approval is considered late. Each severity name can be configured with its own SLA.

This table lists the default SLA settings for High, Medium, and Low.

Severity name    SLA
High             60 minutes (1 hour)
Medium           720 minutes (12 hours)
Low              1440 minutes (24 hours)

Use SLAs for the following purposes in Splunk SOAR (On-premises):

  • Track the amount of time an event or case has remaining before it is considered due.
  • Track the amount of time an approver has to approve an action before the approval is escalated to another approver.

If an approver does not approve an action before the SLA time elapses, the action is escalated to the next level of approvers.

For more information about the approval and escalation process, see Approve actions before they run in Splunk SOAR (On-premises).

Close or resolve events and cases

When all the tasks or actions associated with a case or event are complete, you can close or resolve the case or event by setting the status to a Closed type. You can change the status in Investigation, using the REST API, or by automation in a playbook.

Change the status of an event or case by selecting the status from the menu in Investigation > Event Info > Status. Playbooks can also set the status of a case or event.

An administrator can specify which tags are required on an event or case before you can resolve it. Selecting a status with a Closed type while a required tag is missing generates an error.
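The SLA and closure rules described above (the default SLA table, escalation when an approval SLA elapses, and the required-tag check for Closed-type statuses), modelled as an added standalone example. This is not Splunk SOAR code or its playbook API; the status names, the custom "resolved" status, the approver chain and the one-escalation-per-SLA-window rule are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Default SLA table from this page (minutes per severity name).
DEFAULT_SLA_MINUTES = {"high": 60, "medium": 720, "low": 1440}

# Status names grouped by type. "resolved" is a constructed example of a
# custom Closed-type status; adjust to match your own instance.
STATUS_TYPES = {"new": {"new"}, "open": {"open"}, "closed": {"closed", "resolved"}}


def status_type(status):
    """Return the type (new/open/closed) that a status name belongs to."""
    for kind, names in STATUS_TYPES.items():
        if status.lower() in names:
            return kind
    raise ValueError(f"unknown status: {status!r}")


def sla_minutes_remaining(created_at, severity, now, sla=DEFAULT_SLA_MINUTES):
    """Minutes left before the event is due; negative once it is overdue."""
    due = created_at + timedelta(minutes=sla[severity.lower()])
    return (due - now).total_seconds() / 60


def current_approver(requested_at, severity, now, approvers, sla=DEFAULT_SLA_MINUTES):
    """Escalate one level of the approver chain per elapsed SLA window
    (one level per window is an assumption of this model). Returns None
    once every level has timed out."""
    window = timedelta(minutes=sla[severity.lower()])
    level = int((now - requested_at) // window) if now > requested_at else 0
    return approvers[level] if level < len(approvers) else None


def can_set_status(new_status, tags, required_tags):
    """A Closed-type status needs every required tag; other types do not."""
    if status_type(new_status) != "closed":
        return True, ""
    missing = sorted(set(required_tags) - set(tags))
    if missing:
        return False, "missing required tags: " + ", ".join(missing)
    return True, ""


def example():
    """Constructed scenario: a High-severity event checked 90 minutes after creation."""
    created = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    now = created + timedelta(minutes=90)
    return (sla_minutes_remaining(created, "High", now),                    # -30.0 (overdue)
            current_approver(created, "High", now, ["tier1", "tier2", "ciso"]),  # "tier2"
            can_set_status("resolved", ["triaged"], ["triaged", "root-cause"]))
```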

Last modified on 01 December, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0