Splunk® Phantom (Legacy)

Build Playbooks with the Visual Editor

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

View or edit playbook settings in Splunk Phantom

To view or edit playbook settings after you've saved a playbook, click Playbook Settings. You can also view playbook settings before a playbook is saved, but not all fields are available until after the playbook is saved.

The following table describes the fields in the playbook settings.

Field: Description

Operates on: Related information in Splunk Phantom is organized in containers. Containers hold the list of artifacts the playbook works on and the results of the playbook and action runs. A playbook can't run without an associated container, which holds the inputs and outputs for a playbook run. Containers also have a label associated with them, which is used to group together different kinds of information. For example, Splunk Phantom includes one default notable label, Events. Other labels could be Intelligence for data from threat and intel feeds, or Phishing for phishing emails. Playbooks are designated to run on particular labels. Select which labels this playbook works on from the Operates on field. Most playbooks are designed to work on a particular category, and therefore on a particular label.

Tenants: Select one or more tenants to run the playbook against the containers belonging to the selected tenants. Use an asterisk (*) to run the playbook on containers for all tenants. See Configure multiple tenants on your Splunk Phantom instance in Administer Splunk Phantom for more information about configuring multiple tenants.

Category: Use categories to organize your playbooks. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development.

Run as: The service account used by Splunk Phantom to run the playbook.

Logging: Toggle this switch to turn on debug logging each time the playbook is run. Logging might be useful when you create a new playbook. Later, you can turn logging off to save disk space.

Tags: Add user-defined tags to your playbook so that you can sort the playbook listings page and rapidly identify playbooks.

Active: The playbook automatically runs on every new container or artifact that comes into Splunk Phantom, for the labels and tenants the playbook is set to run on.

Safe Mode: Toggle this switch to put the playbook in read-only mode. With Safe Mode turned on, the playbook is unable to run read/write actions. Whether an action is read-only or read/write is defined by each app in Splunk Phantom. For example, in an LDAP app, get users is a read-only action, while reset password is read/write.

Draft Mode: Toggle this switch to save a draft of your playbook, even if the playbook is incomplete or has errors. Playbooks in draft mode can't be marked active.

Description: Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook code and appears on the playbooks page.

Notes: Notes can be viewed only by editing the playbook.

Export Playbook: You can share playbooks by exporting them. Import a shared playbook file on the playbooks page.

Revision History: Click View to see a previous revision of the playbook. You can make edits and save them as a new version, or click Latest Version to return to the most current version.
    Click Revert to use the corresponding previous version of the playbook as the most current version.

Audit Trail: The Audit Trail button downloads a CSV file that shows the full audit trail of the playbook, including dates and times.

Docs: Click the Docs link to go to the documentation page for Splunk Phantom.
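The Safe Mode setting above only permits actions that the app itself marks read-only, so before switching it on it is worth checking which of an app's actions would be blocked. The following audit helper is an added example, not code from Splunk or from this documentation; it assumes the app's JSON manifest carries an "actions" list with a per-action "read_only" boolean, and it treats an action that lacks the flag as read/write, the conservative choice. The sample manifest is constructed to mirror the LDAP example in the table.

```python
"""Audit which actions of a Splunk Phantom app a playbook may run in Safe Mode.

Assumption (not stated on the page): the app manifest is the app's JSON
file and each entry of its "actions" list carries a "read_only" boolean.
An action without that key is treated as read/write to be conservative.
"""
import json

# Constructed sample manifest modelled on the LDAP example in the text.
SAMPLE_APP_JSON = json.dumps({
    "name": "Example LDAP",
    "actions": [
        {"action": "get users", "read_only": True},
        {"action": "reset password", "read_only": False},
        {"action": "list groups"},  # flag missing: treated as read/write
    ],
})


def classify_actions(app_json: str) -> dict:
    """Return {"read_only": [...], "read_write": [...]} for an app manifest."""
    manifest = json.loads(app_json)
    actions = manifest.get("actions")
    if not isinstance(actions, list):
        raise ValueError("manifest has no 'actions' list")
    result = {"read_only": [], "read_write": []}
    for entry in actions:
        name = entry.get("action")
        if not name:
            raise ValueError("action entry without an 'action' name")
        # Only an explicit true counts as read-only; missing or false is read/write.
        key = "read_only" if entry.get("read_only") is True else "read_write"
        result[key].append(name)
    return result


def allowed_actions(app_json: str, safe_mode: bool) -> list:
    """Actions the playbook can run against this app under the given Safe Mode setting."""
    classes = classify_actions(app_json)
    if safe_mode:
        return classes["read_only"]
    return classes["read_only"] + classes["read_write"]


if __name__ == "__main__":
    print("Safe Mode on :", allowed_actions(SAMPLE_APP_JSON, safe_mode=True))
    print("Safe Mode off:", allowed_actions(SAMPLE_APP_JSON, safe_mode=False))
```

Running it against a real app's manifest tells you, before enabling Safe Mode, exactly which blocks in the playbook would be refused at run time.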
Last modified on 20 August, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

