Splunk® Enterprise Security

Administer Splunk Enterprise Security

Configure automation rules to run playbooks based on findings in Splunk Enterprise Security

Set up automation rules to run one or more Splunk SOAR playbooks whenever one or more specified detections produce findings in Splunk Enterprise Security. For example, you might want to run a geolocation playbook on all of your findings that include IP addresses, or run a specific playbook that resets user accounts and looks for login activity in the event of a leaked credential alert.

Use automation rules only with the following components:
• playbooks of type Splunk Enterprise Security (not SOAR or Input playbooks)
• detections that produce a finding on the analyst queue

Each detection can be added only to one automation rule, regardless of whether the automation rule is On or Off. You must first disassociate or remove the detection from an automation rule before you can add the detection to another automation rule.

Automation rule status

Automation rules can be either On or Off.

  • On: The automation rule automatically runs its associated playbooks whenever the specified detection creates new findings in Splunk Enterprise Security. Automation rules only work on findings created after the automation rule is saved in the On position.
  • Off: The rule is saved and ready for you to activate at a later time. The selected playbooks will not run, even if the selected detections produce findings.

Create an automation rule

Follow these steps to create an automation rule:

  1. In Splunk Enterprise Security, select Configure, and then select Splunk SOAR.
  2. Select Automation rules, and then select + Automation rule.
  3. Enter a unique, descriptive name for the automation rule or accept the default name.
    You cannot change this name after you save the automation rule.
  4. Select + Playbook and select a playbook from the list of available Splunk Enterprise Security playbooks.
    Use the search bar to find a playbook with a specific name.
  5. Select Done.
  6. Optionally, select the plus sign (+) to add more playbooks to the automation rule. Repeat the previous steps for adding a playbook.
  7. Select + Detection and select one or more detections that will trigger the selected playbooks to run. All added detections must have status set to on.
    Use the search field to find a detection with a specific name or use filters to find detections that are associated with a specific app or based on whether the detection status is on or off.
  8. Select Add detections.
  9. Optionally select the plus sign (+) to add more detections to the automation rule. Repeat the previous step to add a new detection.
  10. Switch the toggle to the On position to set your automation rule to active.
    Switch the toggle to the Off position to save the automation rule and activate it at a later time.
  11. When you are satisfied with your automation rule, select Save.
    The automation rule displays on the Automation rules page. The name of each automation rule also displays in the Details section of the corresponding Edit event-based detection or Edit finding-based detection page.

Edit or delete an automation rule

Follow these steps to edit an automation rule:

  1. In the list of available automation rules, locate the rule that you want to edit.
    You can expand the automation rule to see the playbooks and detections it works on.
  2. Select the pencil icon for that automation rule.
  3. Edit the rule. You can perform the following actions on the automation rule:
    • Add or remove playbooks
    • Add or remove detections
    • Change whether the automation rule is on or off.
    • Delete the automation rule by selecting the Delete button.
  4. Select Save. The updated automation rule displays on, or is removed from, the Automation rules page.

Playbook run prioritization

If a finding triggers multiple playbooks within an automation rule, the playbooks run in the order in which Splunk SOAR receives them. The first playbook to reach Splunk SOAR is the first playbook to run (first in, first out, or FIFO).
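The constraints from the creation procedure above (Enterprise Security playbooks only, detections with status on, one automation rule per detection whether the rule is On or Off, and playbooks running only for findings created after the rule is saved On) together with the FIFO run order can be modelled in a few lines. The following is an added example written for this page, not Splunk's API or code; the `AutomationRuleStore`, `Playbook` and `AutomationRule` names, the integer logical clock and the detection names are all assumptions made for the illustration.

```python
from collections import deque
from dataclasses import dataclass, field

ES_PLAYBOOK = "Enterprise Security"  # the only playbook type automation rules accept

@dataclass
class Playbook:
    name: str
    kind: str  # "Enterprise Security", "SOAR" or "Input"

@dataclass
class AutomationRule:
    name: str
    playbooks: list = field(default_factory=list)
    detections: list = field(default_factory=list)  # detection names
    enabled: bool = False  # the On/Off toggle
    saved_at: int = -1  # logical clock value when last saved with the toggle On

class AutomationRuleStore:  # hypothetical model of the page's constraints, not Splunk's API
    def __init__(self, enabled_detections):
        self.enabled_detections = set(enabled_detections)  # detections whose status is on
        self.rules = {}
        self.soar_queue = deque()  # (finding_id, playbook name) in arrival order at SOAR
    def add_playbook(self, rule, playbook):
        if playbook.kind != ES_PLAYBOOK:
            raise ValueError(f"{playbook.name}: only {ES_PLAYBOOK} playbooks are allowed")
        rule.playbooks.append(playbook)
    def add_detection(self, rule, detection):
        if detection not in self.enabled_detections:
            raise ValueError(f"{detection}: detection status must be on")
        # A detection belongs to at most one rule, whether that rule is On or Off.
        for other in self.rules.values():
            if other is not rule and detection in other.detections:
                raise ValueError(f"{detection}: already used by rule {other.name!r}")
        rule.detections.append(detection)
    def save(self, rule, enabled, now):
        rule.enabled = enabled
        rule.saved_at = now if enabled else -1
        self.rules[rule.name] = rule
    def on_finding(self, finding_id, detection, created_at):
        # Queue the matching rule's playbooks for a new finding; return the names queued.
        queued = []
        for rule in self.rules.values():
            # Off rules, and findings created before the rule was saved On, are ignored.
            if rule.enabled and created_at > rule.saved_at and detection in rule.detections:
                for pb in rule.playbooks:
                    self.soar_queue.append((finding_id, pb.name))
                    queued.append(pb.name)
        return queued
    def run_next(self):
        return self.soar_queue.popleft()  # first in, first out
```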

See also

For more information on detections and findings, see the Splunk Enterprise Security documentation:

For more information on playbooks, see the following documentation:

For more information on setting the default severity in Splunk SOAR, see the following documentation:

Last modified on 31 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1

