Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

View the list of configured playbooks in Splunk Phantom

The playbooks list contains all your currently available Splunk Phantom playbooks and significant metadata about those playbooks. Use the playbooks list to sort, filter, and manage your playbooks.

To open the playbooks list, perform the following steps:

  1. From the main menu, select Playbooks.
  2. Click the Playbooks tab if it's not already open.
  3. (Optional) Use the search field to find specific playbooks. Searches are case-insensitive and partial-word matches are supported. This search does not support booleans, such as AND, NOT, or OR.

Use the buttons to reorder the playbooks on this page, configure source control, import playbooks, or create new playbooks:


Button Description
The icon to reorder playbooks. Set the order to run playbooks with a status of Active.
  • Playbooks with a status of Inactive are not run. When you change a playbook's status to Inactive, you are prompted to cancel the running playbook.
  • The next playbook in the list starts once the preceding playbook's on_start() function has completed.
  • If you want one playbook to depend on another playbook finishing completely before starting, use the phantom.playbook() function instead of the playbook list. See playbook in the Python Playbook API Reference for Splunk Phantom.
The icon to update the playbook from source control. Splunk Phantom stores playbooks in Git repositories. See Configure a source code repository for your playbooks in Administer Splunk Phantom. Click this button to open the Update from Source Control dialog.
  1. Select a repository from the drop-down list in the Source to update from field.
  2. Select either Force Update or Preserve State
    • Force Update treats the remote repository as authoritative. Using this overwrites any local changes to playbooks.
    • Preserve State retains the local metadata for changes to playbooks. Playbooks from the community repository always have a status of Inactive. If you have set the status of a community playbook to Active locally, updating from the community repository will set its status to Inactive unless you select Preserve State.
  3. Click Update.
The icon to manage source control. Manage source control settings. See Configure a source code repository for your Splunk Phantom playbooks in Administer Splunk Phantom.
The icon to import a playbook. Import a playbook that was exported from another instance of Splunk Phantom.
  1. Click this button to import a playbook.
  2. In the Source to update field, select a repository where you want to write the imported playbook.
  3. (Optional) Click Force Update to overwrite existing versions of the same playbook.
  4. Drag and drop a compressed playbook in .tgz format, or click and navigate to the playbook.
  5. Click Upload.
The icon to add a playbook. Open the Visual Playbook Editor (VPE) to create a new playbook. SeeCreate a new playbook in Splunk Phantom using the visual playbook editor in Build Playbooks with the Visual Editor.

Click the vertical ellipsis (⋮) icon to toggle the display of the available columns in the playbook list. Items marked with a check mark (✓) are displayed in the playbook list. When the space required to display the columns exceeds the width of the current window, a scroll bar appears at the bottom of the playbook list.

Edit, delete, export, or copy a playbook

Click the name of a playbook to open it in the Visual Playbook Editor. For more information, see Create a new playbook in Splunk Phantom using the visual playbook editor in Build Playbooks with the Visual Editor.

Check the checkbox next to the playbook name to select one or more playbooks. After playbooks are selected, you can perform the following actions:

Button Action
Edit Set the properties of the selected playbooks, not the playbooks themselves. Set the status, logging mode, safe mode, which labels the playbook operates on, the category, and tags by selecting the property value you want from the drop-down list.
Delete Delete the selected playbooks. A dialog box asks you to confirm your choice.
Export Download the playbook as a .tgz extension archive. You can export only one playbook at a time.
Copy Save the playbook to a repository that you have configured, such as Git. You can only copy one playbook at a time.
Last modified on 02 December, 2020
Search within Splunk Phantom   Create Executive Summary reports and view all reports in Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters