Splunk SOAR (f.k.a. Phantom)

change the status of incident on Splunk Phantom

eye893
New Member

Hi,

I would like to know if we change the status of incident on Splunk Phantom, can we automatically notify user?

Screen Shot 2564-06-28 at 16.57.58.png

Labels (1)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@eye893 yes but not simply, at present. 

The way to handle this at present is to persist the status of containers in a list somewhere (Splunk/Phantom/other). Then create a playbook that is run every x minutes using the timer app that will run through the list and check that each container still has the same status. If so it moves to the next, otherwise it <does something>. 

This would need custom code as it's not a simple thing to do at the moment. I believe this will be made simpler in the next large release of Phantom/Splunk SOAR. 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...