After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Take a tour of and perform product onboarding when you log in for the first time
When you log in to for the first time, there are several screens you must navigate before arriving at the home page. The screens appear in the following order:
- Read and accept the Splunk End User License Agreement.
- Review and understand how Splunk collects and uses aggregated product usage data.
- (Optional) Take a tour of and create some sample data.
- (Optional) Configure basic settings for your instance, data sources, playbooks, and apps and assets.
Read and accept the Splunk End User License Agreement
When you log in to for the first time, you must read and accept the Splunk End User License Agreement.
- Scroll to the bottom of the End User License Agreement.
- Click I Accept.
Review and understand how Splunk collects and uses aggregated product usage data
Splunk collects and sends anonymized usage data to Splunk. This behavior is enabled by default. Read the text on the Helping You Get More Value from Splunk Software page and click Got it.
See Share data from for information about how to opt out, what information is shared, and how it is used.
Take a tour of and create some sample data
Generate some sample data and get a guided tour of 's main pages.
Click Exit Tour at any time to leave the tour and go to the onboarding tutorial, where you can Configure basic settings for your instance, data sources, playbooks, and apps and assets.
Perform the following tasks to create some sample data and take the guided tour:
- Click Get Started to begin the product tour and create sample events.
- Generate some sample events. Click the number of sample events you want to generate. After the events are generated, the Sources page shows you the sample events.
- Click View Event to view the details for an event on the Investigation page.
- Click Run Playbook to run a playbook against this event. In Investigation, the Activity tab shows the automated actions taken against the event by the playbook.
- Click View Playbook to view the playbook in the Playbook Editor. Playbooks run from the Start block and perform the actions up to the End block.
- Click Configure to complete the tour and go to the onboarding tutorial, where you can Configure basic settings for your Splunk SOAR instance, data sources, playbooks, and apps and assets.
Configure basic settings for your instance, data sources, playbooks, and apps and assets
Click Skip on-boarding at any time to go directly to the home page. See Log in and navigate in Use .
Configure basic settings
Configure basic administrative and email settings for your instance.
- Configure the administrative password, company name, IT contact email address, system time zone, and the base URL for this instance. If you skip the on-boarding, you can configure these fields later. See Configure your company settings in for more information about these fields.
- Configure email server settings. requires an email server to send users email for action approvals, when SLAs are breached, and when items that they are tracking change. If you skip the on-boarding, you can configure the email server and asset later. See Add and configure apps and assets to provide actions in .
- Use smtp as the default asset name, or enter a new name.
- Enter the IP address or hostname of the email server.
- Select the SSL method that your instance should use to connect to the email server.
- Complete the email asset configuration by providing a tag, username, password, sender address, and port.
- Click Enable Unicode Support to enable to properly display Unicode characters in the emails.
Splunk SOAR (Cloud) comes preconfigured with an SMTP asset called internal_smtp
. The sender address of the internal_smtp
asset cannot be changed. If you want Splunk SOAR (Cloud) to send emails from another address and domain, configure an SMTP asset using the previous instructions.
Configure a data source
Configure a data source from which can ingest data. In this on-boarding procedure, you can add one data source. You can add additional data sources later at any time. See Add and configure apps and assets to provide actions in .
Perform the following tasks to configure a data source during the on-boarding procedure.
- Select a data source. For example, you can configure your email server as a data source.
- Select or specify an asset name. For example, "office365-phishing-inbox".
- Select or specify a container name. For example, "FW: Spam Quarantine Notification".
- (Optional) Click Additional Information to expand the section.
- Enter one or more Tags to attach to the objects from this data source. With the email server example, you might want to add tags that specify the inbox name the email came from, or the backing service, such as "office365".
- Enter a description for the asset. For example, "Data ingested from Office 365".
- Complete other fields specific to the asset type. The fields may vary depending on the data source you selected. With this example, you might want to configure the Mailbox folder to be Polled and the Maximum Emails to Poll First Time for Scheduled Polling.
- Click Save.
- In some cases, you are asked to perform additional tasks. For example, if you configure a Splunk data source, you must record the authorization token that is provided and also download a separate app from Splunkbase in order for the integration between and the Splunk platform to work.
- Click Continue.
Run a demo playbook
A list of playbooks is available based on the data source you configured. Select a playbook you want to run, then click Save and Continue.
Configure apps and assets
Configure apps and assets that will provide actions for your playbooks.
- Select the apps that will provide the actions for the selected playbook.
- If you selected the investigate playbook, select one app in each of the Information Services, File Reputation Services, Domain Reputation Services, Sandbox, and Threat Intel.
- If you selected the hunting playbook, select one app in each of the Information Services, Endpoint Services, File Reputation Services, and Sandbox.
- In the Select Apps to Configure section, select each app and provide the required information to configure an instance of the app, called an asset.
- Select Additional Information to expand the section and provide additional information.
- Select Save and Test Connectivity to verify the configuration of each asset.
Reset the admin password | security information |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!