Splunk® SOAR (Cloud)

Use Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Start with Investigation in Splunk SOAR (Cloud)

Use the Investigation page as the starting point to understand, investigate, and act on events. An event is a single piece of data in Splunk software with a given timestamp, host, source, and source type. Events in Splunk SOAR (Cloud) are also called containers. The Investigation page gives you access to the event's activity history, contextual and interactive data views, secure file attachments, and automation and case management controls.

The activity feed displays current and historical action and playbook activity that has acted on the currently displayed event. It provides a summary of the success, ongoing execution, and results of all automation operations for the event. The activity feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.

Use Splunk SOAR (Cloud) to promote a verified event to a case using the integrated case management capability. Case management supports tasks that map to your defined Standard Operating Procedures (SOPs). Case management also has full access to the Automation Engine, so you can launch actions and playbooks as part of a task.

Open the Investigation page

To open the Investigation page, follow these steps:

  1. From the Home menu, select Events, then My Events.
  2. Select an event. If you do not yet have any events, select +Event to create one.
    If your Splunk SOAR instance is paired with your Splunk Enterprise Security instance, you can choose the "es_soar_integration" label when you create the event to indicate that it is for use with Splunk Enterprise Security data.

Alternatively, select any event on the home page.

Splunk Enterprise Security events

If your Splunk SOAR instance is paired with your Splunk Enterprise Security instance, you can view events associated with Splunk Enterprise Security.

Choose one of these methods to view events related to Splunk Enterprise Security:

  • On the Events page, select the Splunk Enterprise Security tab. For any investigation in this tab, select View details to view and work with the investigation in Splunk Enterprise Security.
  • From the Home menu, select Events, then select the es_soar_integration label.

Note that if you delete a Splunk Enterprise Security event from this page, you permanently delete the action run history and playbook run history for its investigations and findings.

Set your view in Investigation

You can quickly view information and perform actions using the Summary and Analyst views in Splunk SOAR (Cloud). Within an event or a case, switch between views by selecting the Summary or Analyst toggle.

The following table describes uses for the two different views.

  • Summary: View the status of an event or case.
  • Analyst: View the status of an event or case and also perform actions, such as running a playbook, adding and editing a workbook, or viewing and adding artifacts.

Run a playbook manually

Splunk SOAR (Cloud) administrators set most playbooks to run automatically when certain conditions are met, such as when an event with a certain label is created. Occasionally, you might want to run a playbook manually against an event. You can do this in the Analyst view. To run a playbook against an event from the Analyst view of the Investigation page, follow these steps:

  1. From the main menu, select Events, or any of its subsections.
  2. Select an event that you want to run the playbook against.
  3. On the Investigation page, select the Analyst view.
  4. Select the Run Playbook button. A list of available playbooks appears.
  5. Locate the playbook you want to run. Recommended playbooks appear at the top of the list. Optionally sort the columns or use the search field.
  6. By default, the playbook runs only on new artifacts collected since the last run of this playbook. To change the scope, select one of the following options:
    • New Artifacts: (Default) Includes only artifacts collected since the last run of this playbook.
    • All Artifacts: Includes all artifacts.
    • Artifact: Provide the ID of the specific artifact to include in this playbook run.
  7. Select Run Playbook.

View the Activity panel to see the progress of the playbook run. You can view information and perform actions within the Activity panel, including:

  • View the data created from a playbook run. Expand sections to see the results of each action, like geolocation data.
  • View the status of the playbook run. Animated circular arrows indicate when the playbook is running.
  • To cancel a playbook run, select the x icon.
  • Select the three-dot menu for the following options:
    • View the debug log.
    • Pin information about the playbook run to the HUD.
    • Add the playbook run to a case.
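
The manual run described above can also be driven from outside the UI. The following added example (not Splunk's code, and not from this page) shows a small Python client that submits a playbook run against an event with the same three scope choices (New Artifacts, All Artifacts, or a specific artifact ID) and then polls until the run finishes. It assumes the REST endpoint `/rest/playbook_run`, the request fields `container_id`, `playbook_id`, `scope` and `run`, the response fields `playbook_run_id`, `received` and `status`, and the `ph-auth-token` header; confirm these against the REST API reference for your SOAR version. The HTTP functions are injected so the logic runs offline against a fake transport.

```python
"""Submit a playbook run against a Splunk SOAR event (container) and wait for it to finish.

Added example; assumes the /rest/playbook_run endpoint and field names noted in the
comments. Verify them against the REST API reference for your version of Splunk SOAR.
"""
import json
import time
import urllib.request
from typing import Callable, Sequence, Tuple, Union

# Scope mirrors the three choices in the Run Playbook dialog:
#   "new"  -> New Artifacts (default): artifacts collected since the last run of this playbook
#   "all"  -> All Artifacts
#   [ids]  -> Artifact: one or more specific artifact IDs
Scope = Union[str, Sequence[int]]

# Assumption: status strings a finished run reports.
TERMINAL_STATUSES = {"success", "failed"}


def build_playbook_run_request(container_id: int, playbook_id: int, scope: Scope = "new") -> dict:
    """Return the JSON body for POST /rest/playbook_run (field names are an assumption)."""
    if isinstance(scope, str):
        if scope not in ("new", "all"):
            raise ValueError("scope must be 'new', 'all', or a list of artifact IDs")
        scope_value: Union[str, list] = scope
    else:
        ids = [int(i) for i in scope]
        if not ids:
            raise ValueError("artifact scope needs at least one artifact ID")
        scope_value = ids
    return {
        "container_id": int(container_id),
        "playbook_id": int(playbook_id),
        "scope": scope_value,
        "run": True,
    }


def run_playbook(
    post: Callable[[str, dict], dict],
    get: Callable[[str], dict],
    container_id: int,
    playbook_id: int,
    scope: Scope = "new",
    poll_interval: float = 2.0,
    timeout: float = 300.0,
) -> Tuple[int, str]:
    """POST the run request, then poll GET /rest/playbook_run/<id> until a terminal status.

    `post(path, body)` and `get(path)` are supplied by the caller (see make_transport), so
    this function has no network dependency of its own. Returns (playbook_run_id, status).
    """
    body = build_playbook_run_request(container_id, playbook_id, scope)
    reply = post("/rest/playbook_run", body)
    run_id = reply.get("playbook_run_id")
    if not reply.get("received") or run_id is None:
        raise RuntimeError(f"playbook run was not accepted: {reply!r}")
    deadline = time.monotonic() + timeout
    while True:
        status = get(f"/rest/playbook_run/{run_id}").get("status", "unknown")
        if status in TERMINAL_STATUSES:
            return int(run_id), status
        if time.monotonic() > deadline:
            raise TimeoutError(f"playbook run {run_id} still '{status}' after {timeout}s")
        time.sleep(poll_interval)


def make_transport(base_url: str, token: str, http_timeout: float = 30.0):
    """Build (post, get) helpers over urllib that authenticate with a SOAR automation token.

    `ph-auth-token` is the header SOAR expects for automation-user tokens (assumption: check
    your version). Keep the token in a secret store, not in source.
    """
    base = base_url.rstrip("/")
    headers = {"ph-auth-token": token, "Content-Type": "application/json"}

    def request(method: str, path: str, body: dict = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=http_timeout) as resp:
            return json.load(resp)

    return (lambda path, body: request("POST", path, body)), (lambda path: request("GET", path))


if __name__ == "__main__":
    # Offline demonstration with a constructed fake transport (no SOAR instance needed).
    polls = {"n": 0}

    def fake_post(path, body):
        print("POST", path, json.dumps(body))
        return {"playbook_run_id": 42, "received": True}

    def fake_get(path):
        polls["n"] += 1
        return {"status": "running" if polls["n"] < 3 else "success"}

    print(run_playbook(fake_post, fake_get, container_id=7, playbook_id=3, scope=[101], poll_interval=0))
```

For a live instance, replace the fake functions with `post, get = make_transport("https://<your-soar-host>", token)`; the scope argument takes `"new"`, `"all"`, or a list of artifact IDs, exactly as the dialog offers.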

HUD cards

The collapsible heads up display (HUD) helps you track important metrics and information. Splunk SOAR (Cloud) administrators control HUD card settings. Users can customize the HUD for an event or case by adding or removing cards, or by configuring manual cards of their own design.

The following HUD card types are available:

  • Preset Metrics
  • Custom Fields
  • Manual

Preset Metrics and Custom Fields cards are defined by a Splunk SOAR (Cloud) administrator and display one of the built-in metrics or the information from a custom field. You can add or remove these cards, but only an administrator can change the card options. Manual cards let you add a customized card to the HUD for an event or case. Data-type cards carry data and are displayed in the HUD table data section.

Add a card to the HUD

Perform the following steps to add a card to the HUD:

  1. From the Home menu, select Events, then My Events.
  2. Select an event or case.
  3. Expand the HUD menu by selecting the downward-facing double chevron icon.
  4. Select the gear icon to open the Configure HUD modal.
  5. Select + HUD Card.
  6. Choose a HUD card type.
  7. Configure the available card options. The manual card options are:
    • Type: Text creates an input field where you can add a small amount of text. Select creates a card with a dropdown list of options.
    • Message: The name of the HUD card.
    • Color: The display color of the HUD card.
  8. To display available data-type cards, switch on the HUD table data toggle.
  9. Select Save.
Last modified on 06 November, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current
