View or edit playbook settings
To view or edit playbook settings after you've saved a playbook, click Playbook Settings. You can also view playbook settings before a playbook is saved, but not all fields are available until after the playbook is saved.
The following table describes the fields in the playbook settings.
Field | Description |
---|---|
Operates on | Related information in Splunk Phantom is organized in containers. Playbooks contain the list of artifacts the playbook works on and the results of the playbook and action runs. A playbook can't run without an associated container, which holds the inputs and outputs for a playbook run. Containers also have a label associated with them, which is used to group together different kinds of information. For example, Splunk Phantom includes one default notable label, Events. Other labels could be Intelligence for data from threat and intel feeds or Phishing for phishing emails. Playbooks are designated to run on particular labels. Select which labels this playbook works on from the Operates on field. Most playbooks are designed to work on a particular category, and therefore a particular label. |
Tenants | Select one or more tenants to run the playbook against the containers belonging to the selected tenants. Use an asterisk (*) to run the playbook on containers for all tenants. See Configure multiple tenants on your Splunk Phantom instance in Administer Splunk Phantom for more information about configuring multiple tenants. |
Category | Use categories to organize and save your playbooks into folders. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development. |
Run as | The service account used by Splunk Phantom to run the playbook. |
Logging | Toggle this switch to turn on debug logging each time the playbook is run. Logging might be useful when you create a new playbook. Later, you can turn logging off to save disk space. |
Active | The playbook will automatically run on every new container or artifact that comes into Splunk Phantom, for the playbook labels and tenants it is set to run on. |
Safe Mode | Toggle this switch to put the playbook in read-only mode. When Safe Mode is on, the playbook can't run read-write actions. Read and write actions are defined by each app in Splunk Phantom. For example, in an LDAP app, get users is a read-only action, while reset password is a read-write action. |
Draft Mode | Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active. |
Description | Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook and appears on the playbooks page. |
Notes | Notes can be viewed only by editing the playbook. |
Export Playbook | You can share playbooks by exporting them. Import a shared playbook file on the playbooks page. |
Revision History | Click View to see a previous revision of the playbook. You can make edits and save as a new version, or click Latest Version to return to the most current version. Click Revert to use the corresponding previous version of the playbook as the most current version. |
Audit Trail | The Audit Trail button downloads a CSV file that shows the full audit trail of the playbook, including dates and times. |
Docs | Click the Docs link to go to the documentation page for Splunk Phantom. |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8