Add objects to a case in Splunk SOAR (On-premises)
Add objects to a case in one of the following ways:
- Promote a container to a new case. Everything in the container becomes a case object.
- Promote a container to an existing case. Choose the objects from the container to be copied to the existing case. The container itself remains a container and is not promoted to a case.
- Copy an individual object to an existing case with the Add to Case option.
Add objects from a container to an existing case
Perform the following steps to add objects from a container to an existing case:
- Navigate to a container in Splunk SOAR (On-premises).
- Click the suitcase icon.
- Select the case in the Add Event to Case dialog box:
  - Select Existing Case.
  - In the Case Name field, select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add objects to.
  - Select the object type from the container that you want to add to the case. If the object is evidence, check the Mark as evidence checkbox.
- Click Save.
You can add objects from a container to a case only once.
See Create cases in Splunk SOAR (On-premises) for information about promoting an entire container to a case.
Add artifacts from a container to a case
Perform the following steps to add artifacts from a container to a case:
- Navigate to a container in Splunk SOAR (On-premises).
- Click Analyst to change the container to the analyst view.
- Click the Artifacts tab.
- Click the ... icon on the artifact line, and then select Add To Case.
- Complete the Add Artifact to Case dialog box:
  - Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add artifacts to.
  - (Optional) Click Include note and add a note to accompany the artifact being added.
  - (Optional) If the artifact is evidence, check the Mark as evidence checkbox.
- Click Save.
Add files from a container to a case
Perform the following steps to add files from a container to a case:
- Navigate to a container in Splunk SOAR (On-premises).
- Click Analyst to change the container to the analyst view.
- Click the Files tab.
- Click the ... icon on the file line, and then select Add To Case.
- Complete the Add File to Case dialog box:
  - Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add the file to.
- Click Save.
Add action results from a container to a case
Perform the following steps to add action results from a container to a case:
- Navigate to a container in Splunk SOAR (On-premises).
- Click Analyst to change the container to the analyst view.
- Click the Activity tab. Action run results appear near the bottom in the Activity tab.
- Click the ... icon on an action result and select Add To Case.
- Complete the Add Action Result to Case dialog box:
  - Click the Case Name field and select an existing case, or start typing to filter the case names before selecting a case.
  - Select a phase from the case that you want to add the action result to.
- Click Save.