Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Add an action block to your playbook

Perform the following steps to add an Action block to a playbook.

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select an Action block from the menu that appears. Actions available to you in the playbook editor are determined by the apps that are installed and configured on . See Add and configure apps and assets to provide actions in .
  2. Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed.
  3. (Optional) You can also filter the list of actions by action type. Select By App or By Action. Click By App to view a list of configured apps, and then select an available action provided by the selected app.
  4. Select a configuration that you want to run the action on. In some cases, you might have multiple configurations for a specific app. For example, your environment might have multiple networks separated by firewalls, which would require you to configure one instance of a specific app for each network.
  5. Specify the datapath to the field on which you want to perform the action with the configuration. For example, an IPS event might have fields like sourceAddress and destinationAddress and the attack signature. When a notable is created in , it has an artifact with fields for the sourceAddress and destinationAddress from the event. For details on specifying datapaths, see Specify data in your playbook.
  6. (Optional) Create a custom datapath if the datapath you need isn't available. For details on creating a custom datapath, see Custom datapaths in the Specify data in your playbook article.
  7. Click Done.
  8. Click Save.
  9. Enter a comment about this action.

You can also configure Advanced settings for an Action block. You can use Join Settings, Scope, and Action Settings in an Action block. For more information on these settings, see Advanced settings.

Last modified on 29 May, 2024
Add a new block to your playbook   Run other playbooks inside your playbook in

This documentation applies to the following versions of Splunk® SOAR (Cloud): current, current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters