Splunk® Enterprise Security

Administer Splunk Enterprise Security

Create playbooks in Splunk SOAR

Create a playbook in Splunk SOAR to automate security workflows so analysts can spend more time performing analysis and investigation. The playbook editor provides a visual platform for creating playbooks without having to write code.

To define a workflow that you want to automate, link together a series of actions that are provided by apps. An app is third-party software integrated with Splunk SOAR. For example, you can integrate MaxMind as an app, which provides a "geolocate ip" action, or integrate Okta as an app to provide actions such as "set password" or "enable user". The actions available for use in your playbooks are determined by the apps integrated with Splunk SOAR.

After you create and save a playbook in Splunk SOAR, you can run playbooks when performing these tasks in Splunk SOAR:

  • Triaging or investigating cases as an analyst
  • Creating or adding a case to Investigation
  • Configuring playbooks to run automatically directly from the playbook editor

See also

Refer to the following documentation for details on creating and running playbooks.

Creating playbooks

To create playbooks in Splunk SOAR:

To use data from Splunk Enterprise Security, create a Splunk Enterprise Security type playbook and Splunk Enterprise Security playbook blocks:

To optionally create playbooks using APIs:

Running playbooks

Analysts can run playbooks from within the Splunk Enterprise Security Analyst Queue:

Last modified on 22 November, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
