Splunk SOAR (f.k.a. Phantom)

change the status of incident on Splunk Phantom

eye893
New Member

Hi,

I would like to know if we change the status of incident on Splunk Phantom, can we automatically notify user?

Screen Shot 2564-06-28 at 16.57.58.png

Labels (1)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@eye893 yes but not simply, at present. 

The way to handle this at present is to persist the status of containers in a list somewhere (Splunk/Phantom/other). Then create a playbook that is run every x minutes using the timer app that will run through the list and check that each container still has the same status. If so it moves to the next, otherwise it <does something>. 

This would need custom code as it's not a simple thing to do at the moment. I believe this will be made simpler in the next large release of Phantom/Splunk SOAR. 

0 Karma
Get Updates on the Splunk Community!

Running multiple macros in the same search

Hi all!I'm trying to run multiple macros in the same search and eventually aggregate the results from each ...

Logic of Compound Subsearch with inputlookup

I'm struggling to create a search using an inputlookup and multiple NOT searches.Background: I have an ...

Tagging Heavy Forwarders

This is a tip, not a question.&nbsp;<span class="lia-unicode-emoji" ...