Add an action block to your playbook
Perform the following steps to add an Action block to a playbook.
- Drag and drop the half-circle icon attached to any existing block in the editor. Select an Action block from the menu that appears. Actions available to you in the playbook editor are determined by the apps that are installed and configured on . See Add and configure apps and assets to provide actions in .
- Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed.
- (Optional) You can also filter the list of actions by action type. Select By App or By Action. Click By App to view a list of configured apps, and then select an available action provided by the selected app.
- Select a configuration that you want to run the action on. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which would require you to configure one instance of a specific app for each network.
- Select the field on which you want to perform the action with the configuration. For example, an IPS event may have fields like sourceAddress and destinationAddress and the attack signature. When a notable is created in , it has an artifact with fields for the sourceAddress and destinationAddress from the event. Search for one of these fields to perform the action on. Click Enter to go to the next result or use the icons to navigate results. You can also expand or collapse the lists by using the icons.
- (Optional) Create a custom datapath if the datapath you need isn't available. When you add a custom datapath, it is only available for the block you add it to. To create a custom datapath, follow these steps:
- Hover over a datapath field title and click +.
- Enter the datapath name.
- Select either Key or List from the drop-down menu. Use Key to use one value, and use List to use a list of values. Using List adds a .* value to the datapath and it appears as <list_name  > with datapaths nested below it in the datapath picker. To add more values to your List, click the + icon under the top value of the list.
- Click Save.
- Click Done.
- Click Save.
- Enter a comment about this action.
You can also configure Advanced settings for an Action block. You can use Join Settings, Scope, and Action Settings in an Action block. For more information on these settings, see Advanced settings.
Example: Add a custom datapath to a playbook block
You might want to create a custom datapath if the datapath you need isn't available. This can happen when running actions with dynamic results. For example, if you execute a "run query" action on the Splunk app in , the action result output includes a dynamic list of fields that are defined as part of the query that was run. These fields don't appear in the data path selector, however they can be added by creating a custom datapath. In this instance, if the name of the action result output wasn't available, you can create the custom datapath
action_result.data.*.hostname. To create this custom datapath, follow these steps:
- Add an action block to your playbook by dragging and dropping the half-circle icon attached to any existing block in the editor. Select an Action block from the menu that appears.
- Search for and select the action run query on the Splunk app in the By Action tab in the block.
- In the Configure tab for the block, enter the SPL query
host="web_application"to run a run query action on the Splunk app in .
- Click on the block you want to add the custom datapath to and select the datapath
run_query_1.Once you select this, you see that the hostname isn't available even though it was visible when running your query in Splunk.
- Add the custom datapath
data . Custom datapaths only appear in the block they were added in:
- Hover over the data field title and click +.
- Enter the datapath name
hostnameas a Key.
- Click Save.
The custom datapath appears in the list under
data  as
Add a new block to your playbook
Run other playbooks inside your playbook in
This documentation applies to the following versions of Splunk® SOAR (Cloud): current