Splunk® Phantom (Legacy)

Build Playbooks with the Visual Editor

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Add a new block to your Splunk Phantom playbook

To add a new block to a playbook, drag the half-circle icon attached to any block on the canvas. Release your mouse to create a new empty block connected to the originating block with an arrow.

When you place a new block on the editor, a set of playbook types appears for you to select:

Playbook type and description:

Action: Run an action provided by an app that is installed and configured in Splunk Phantom. For example, you can use the MaxMind connector to geolocate an IP address. See Add an Action block to a Splunk Phantom playbook.
Playbook: Run an existing playbook inside your current playbook. See Run other Splunk Phantom playbooks inside your playbook.
API: Perform an action by making an API call. See Set container parameters in Splunk Phantom using the API block.
Filter: Filter the results of the previous block. For example, you can separate items that have a specific severity and perform a different set of actions on those items. See Use filters to separate Splunk Phantom artifacts before further processing.
Decision: Make a decision and perform different actions depending on the results of the previous block. For example, you can blacklist all destination IPs that belong to a specific country. See Use decisions to send Splunk Phantom artifacts to a specific downstream action.
Format: Format the results of the previous block. For example, you can gather data, format that data in a specific way, and send an email. See Customize the format of your Splunk Phantom playbook content.
Prompt: Require a user to take action before proceeding to the next block. See Require user input to continue running the Splunk Phantom playbook.
Manual Task: Send a message to a Splunk Phantom user or group that must be acknowledged. See Require user input to continue running the Splunk Phantom playbook.
Custom Function: Add custom Python code to your playbook to expand the kinds of processing the playbook performs. See Add custom code to your Splunk Phantom playbook with the Custom Function block.
Legacy Custom Function: Legacy custom functions are the custom functions introduced in Splunk Phantom version 4.2. See Add custom code to your Splunk Phantom Playbook with the Legacy Custom Function block. Legacy custom functions are planned to be deprecated soon. For information on converting legacy custom functions to new custom functions, see Convert legacy custom functions to new custom functions.
Last modified on 20 August, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
