change the status of incident on Splunk Phantom
eye893
New Member
06-27-2021
08:59 PM
Hi,
I would like to know: if we change the status of an incident on Splunk Phantom, can we automatically notify the user?
phanTom

SplunkTrust
06-28-2021
08:52 AM
@eye893 yes but not simply, at present.
The way to handle this at present is to persist the status of containers in a list somewhere (Splunk/Phantom/other). Then create a playbook that is run every x minutes using the timer app that will run through the list and check that each container still has the same status. If so it moves to the next, otherwise it <does something>.
This would need custom code as it's not a simple thing to do at the moment. I believe this will be made simpler in the next large release of Phantom/Splunk SOAR.
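
The comparison step of the polling approach described in the reply above, as an added example that is not part of the original post and is not Splunk's code. The names `diff_statuses`, `fetch_status` and `format_notification` are hypothetical, the container ids and statuses are constructed sample data, and how the snapshot is persisted and how the notification is sent are left to the playbook.

```python
from typing import Callable, Dict, List, Optional, Tuple

Snapshot = Dict[int, str]      # container id -> last status seen
Change = Tuple[int, str, str]  # (container id, old status, new status)


def _norm(status: str) -> str:
    # Compare case-insensitively so "Open" and "open" are not a change.
    return status.strip().lower()


def diff_statuses(snapshot: Snapshot, watched_ids: List[int],
                  fetch_status: Callable[[int], Optional[str]],
                  ) -> Tuple[List[Change], Snapshot]:
    """Return the status changes since the last run and the snapshot to persist.

    fetch_status is a hypothetical callable supplied by the playbook; it
    returns the container's current status, or None if it cannot be read.
    """
    changes: List[Change] = []
    updated: Snapshot = {cid: _norm(s) for cid, s in snapshot.items()}
    for cid in watched_ids:
        current = fetch_status(cid)
        if current is None:
            # Unreadable this run: keep the old value so a change that
            # happened meanwhile is still reported on a later run.
            continue
        current = _norm(current)
        previous = updated.get(cid)
        if previous is None:
            updated[cid] = current  # first sighting: baseline only
        elif previous != current:
            changes.append((cid, previous, current))
            updated[cid] = current
    return changes, updated


def format_notification(change: Change) -> str:
    cid, old, new = change
    return f"Container {cid} status changed: {old} -> {new}"


# Constructed sample data: the persisted list and what a poll returns now.
PERSISTED = {101: "new", 102: "open", 103: "open"}
POLLED = {101: "open", 102: "Open", 103: None, 104: "new"}


def run_once() -> Tuple[List[str], Snapshot]:
    changes, updated = diff_statuses(PERSISTED, [101, 102, 103, 104], POLLED.get)
    return [format_notification(c) for c in changes], updated
```

Persist the returned snapshot only after the notifications have been sent, so a failed send is retried on the next timer run.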
