After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Define tasks using workbooks
Workbooks are lists of standard tasks that analysts follow when they evaluate events or cases. You can create workbooks to analyze events. You can also combine multiple workbooks to create a more comprehensive workbook for cumulative events or cases, or cases that start out as one type of incident but end up to be a different type of incident.
Workbooks are available from Investigation, in both Summary View and Analyst View.
See Define a workflow in a case using workbooks in Use for information about how to use workbooks in a workflow.
Create a workbook
Perform the following tasks to create a new workbook in :
- From the Home menu, select Administration.
- Select Product Settings > Workbooks.
- Click + Workbook.
- Enter a name for your workbook.
- (Optional) Enter a long description for your workbook.
- Configure at least one phase for your workbook. A workbook can have multiple phases.
- Enter a name for the phase.
- (Optional) Configure a service level agreement (SLA) for the phase. See Configure service level agreements in a workbook.
- Click the arrow next to Task Name to expand the section.
- Enter a name for the first task in the phase. You can have multiple tasks within each phase.
- (Optional) Assign an owner or role to the task. See Notify task owners when they are assigned to a task.
- (Optional) Enter a long description or instructions for this task.
- (Optional) Configure an SLA for this task. The SLA must be shorter in length than the SLA for the phase.
- (Optional) Click Actions to select actions you want to run when this task is performed.
- (Optional) Click Playbooks to select playbooks you want to run when this task is performed.
- (Optional) Click Add Task to configure additional tasks for the phase.
- (Optional) Click Add Phase to configure additional phases for the playbook.
- Click Save.
Edit an existing workbook
Changes to a workbook only apply to future uses of the workbook. For example, if you change the SLA of a phase or add or remove a phase or task, the change is not reflected in any Splunk SOAR asset currently using the workbook.
To edit an existing workbook, do the following:
- From the Home menu, select Administration.
- Select Product Settings > Workbooks.
- Click on a workbook name to see the read-only summary of that page.
- Use the drop-down list to expand the descriptions.
- Click Edit to go to the workbook editing page.
- Make the desired changes.
- Click Save.
Reorder phases in a workbook
Suppose you need to add a phase to the middle of a series of phases in an existing workbook. New phases are added to the end by default, so you need to reorder the phases to place the new phase in its desired location.
Perform the following tasks to reorder a phase:
- From the Home menu, select Administration.
- Select Product Settings > Workbooks.
- Click on a workbook name to see the read-only summary of that page.
- Use the drop-down list to expand the descriptions.
- Click Edit.
- Click Reorder Phases.
- Enter the new phase at the bottom.
- Click the three horizontal lines next to the phase and drag it to the order you want.
- Click Done Reordering.
- Click Save.
Configure service level agreements in a workbook
Service level agreements (SLAs) represent the default amount of time until a phase or task is due. You can adjust the time values to reflect your organization's requirements. The SLAs for phases and tasks are different from the SLAs that are set globally per severity across the entire platform.
Separate from severity SLAs, the phase and task SLAs allow for greater granularity when operating at the phase or task level. See Create additional custom severity names for more information about global SLAs and response settings.
The SLA time is tracked in minutes, days, or hours. It is based on the start_time
timestamp when the phase or task is started and the end_time
timestamp when the phase or task is completed. Each phase can have a total SLA that covers all the subtasks, or each task can have an individual SLA. However, if both the phase and task SLAs are used, there is no automatic validation to confirm that the phase SLA is greater than or equal to the total of all its subtask SLAs.
The owner of the phase or task sees SLA status messages in Investigation. You can also see the status of the current phase in the Summary View or in Analyst View, which is found under the Workbook tab. You can review if the SLAs are exceeded, how many tasks are completed, and how many of those tasks were completed on time.
To edit the phase or task SLA for the workbook, do the following:
- From the Home menu, select Administration.
- Select Product Settings > Workbooks.
- Click on a workbook name to see the the read-only summary of that page.
- Use the drop-down list to expand the descriptions.
- Click Edit to go to the workbook editing page.
- Change the Phase SLA or from the Task Name drop-down list, in the Task SLA field, revise the time in which to complete the task.
- Click Save.
Notify task owners when they are assigned to a task
You can notify owners that a workbook task is assigned to them. The table summarizes the methods.
Method of notification | Description |
---|---|
When you assign a task to a role, sends an email notification to every member of the role. When a specific user assigns that task to themselves, the new owner and the previous owner both get an email notification. | |
In-product | When you assign a task to a role, every member of the role sees a bell notification in the menu bar. When a specific user assigns that task to themselves, the bell notification disappears for all other members of the role. |
Enable clickable URLs in CEF data | Create custom status labels in |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!