Add files to an event in Splunk SOAR (On-premises)

When you find files that are relevant to an event, you can add them to the event in a vault. You can upload any type or size of file, unless instructed otherwise by your organization's administrator. Adding a file associates it with the event. You can optionally choose to mark the file as evidence or add it to a case.

Add a file to an event

To add a file to an event, follow these steps:

  1. In the Home menu, select Sources, then one of the selections for Events.
  2. Select the event you want to work with.
  3. Select Analyst to change to the Analyst view.
  4. Select the Files tab.
  5. Select the link to choose one or more files from your file system or drag one or more files onto the marked section of the screen.
    The files display in the list on the Files tab.

Download a file from the vault

To download a file from the vault, follow these steps:

  1. In the Home menu, select Sources, then one of the selections for Events.
  2. Select the event you want to work with.
  3. Select Analyst to change to the Analyst view.
  4. Select the Files tab and locate the file you want to download.
  5. Select the three dots (the more icon) next to the file name and select Download.

Delete a file from the vault

To delete a file from the vault, follow these steps:

  1. In the Home menu, select Sources, then one of the selections for Events.
  2. Select the event you want to work with.
  3. Select Analyst to change to the Analyst view.
  4. Select the Files tab and locate the file you want to delete.
  5. Select the three dots (the more icon) next to the file name and select Delete file.