The Files tab on the Investigate page allows the user to upload, download, and view files related to
an investigation. A user can upload the output from a detonate action to the Files tab for further
investigation, such as analyzing the file metadata, content, or hash. Files tab items and artifacts are
not the only data sources that can populate active cases, as cases can also include events, tasks,
notes, and comments. Files tab items can be added to investigations by using the add file action
block or the Add File button on the Files tab. Phantom memory requirements may increase
depending on the Files tab usage, as files are stored in the Phantom database.
The Files tab on the Investigate page in Splunk Phantom is an area where users can manage and
analyze files related to an investigation. Users can upload files, such as outputs from a 'detonate file'
action which analyzes potentially malicious files in a sandbox environment. The files tab allows users
to store and further investigate these outputs, which can include reports, logs, or any other file types
that have been generated or are relevant to the investigation. The Files tab is an integral part of the
investigation process, providing easy access to file data for analysis and correlation with other
incident data.
