In Splunk SOAR, an event is a security occurrence that may require a response. It is ingested from a third-party source and can be labeled to group related events together. The default label for containers is "Events," which signifies potential threats [1][3]. A case, on the other hand, is a container that holds several containers, consolidating multiple events into one logical management unit. Cases can include artifacts and external evidence such as screen captures, analyst notes, and event data from third-party products [2]. They are used to manage and analyze investigation data tied to specific security events and incidents, providing a structured approach to incident response [3][4].

References:
1. Manage the status, severity, and resolution of events in Splunk SOAR (Cloud) - Splunk Documentation
2. Managing cases in SOAR - Splunk Lantern
3. What is Splunk Phantom (Renamed to Splunk SOAR)? - BlueVoyant
4. Overview of cases - Splunk Documentation