Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Create custom lists for use in playbooks

A custom list is a collection of values that you can use in a playbook, such as a list of banned countries, or blocked or allowed IP addresses. Custom lists are used to save information in a visual format that can be used to make decisions or track information about playbooks. In your Filter and Decision blocks, compare parameters against all the values in a custom list, rather than having to configure each comparison in the playbook.

Create or import a custom list in

Perform the following steps to create a custom list:

  1. From the Home menu, select Playbooks.
  2. Click the Custom Lists tab.
  3. Click + List to create a new list.
  4. Enter a name for the list.
  5. Enter the list values in the table using one value per line. For example, you can create a list of banned countries, or blocked or allowed IP addresses.
  6. Click Save Changes.

Perform the following steps to import a custom list:

  1. Click on the import button.
  2. Enter a name for the list.
  3. Select a custom list file. You can upload either .csv or .tsv files. Custom lists have a 2GB limit.
  4. Click Upload.

See Example of using a custom list in a filter in Build Playbooks with the Visual Editor for an example of how to use a custom list in a playbook.

Create a custom list using the REST API

See REST Lists in the REST API Reference for for information about how to manage custom lists using the REST API.

Export a custom list for use with third party products and services

You can use the REST API to export a custom list for use as an external blacklist with third party products and services. For example, you can publish a list of banned IP addresses that can be used in your Palo Alto Networks firewall products.

Perform the following tasks to export a custom list and use it in a third party product.

  1. Review the formatting requirements that your third party product or service has for custom lists. For example, Palo Alto Networks products may have specific formatting requirements for their dynamic lists. Review these requirements so that the formatting in your custom lists match these formatting requirements of your third party product or service.
  2. Provide a URI to the custom list in using the following format:
    https://username:password@[soar server]/rest/decided_list/[list name]/formatted_content?_output_format=csv

    For example, to provide a URI to the server SOAR_server.example.com, using admin as the user and password as the password, and a custom list named blockdomains:

    https://admin:password@SOAR_server.example.com/rest/decided_list/blockdomains/formatted_content?_output_format=csv
Last modified on 22 September, 2021
Create Executive Summary reports and view all reports in   Overview of containers

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters