Add an action block to your playbook
Perform the following steps to add an Action block to a playbook.
- Drag and drop the half-circle icon attached to any existing block in the editor. Select an Action block from the menu that appears. The actions available to you in the playbook editor are determined by the apps that are installed and configured on Splunk SOAR (Cloud). See Add and configure apps and assets to provide actions in Splunk SOAR (Cloud).
- Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed.
- (Optional) You can also filter the list of actions by action type. Select By App or By Action. Click By App to view a list of configured apps, and then select an available action provided by the selected app.
- Select a configuration that you want to run the action on. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which would require you to configure one instance of a specific app for each network.
- Specify the datapath to the field on which you want to perform the action with the configuration. For example, an IPS event may have fields like sourceAddress and destinationAddress and the attack signature. When a notable is created, it has an artifact with fields for the sourceAddress and destinationAddress from the event. For details on specifying datapaths, see Specify data in your playbook.
- (Optional) Create a custom datapath if the datapath you need isn't available. For details on creating a custom datapath, see Custom datapaths in the Specify data in your playbook article.
- Click Done.
- Click Save.
- Enter a comment about this action.
You can also configure Advanced settings for an Action block. You can use Join Settings, Scope, and Action Settings in an Action block. For more information on these settings, see Advanced settings.
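The datapath step above decides which artifact field each action run receives. The following is an added illustration, not code from the product or from this documentation: a simplified stand-in for datapath resolution over constructed artifacts. The `artifact:*.cef.<field>` datapath form, the `ip` parameter name, and the `context` key are assumptions made for the example.

```python
# Simplified stand-in for datapath resolution; not Splunk SOAR's implementation.

# Constructed sample: artifacts as they might look for IPS events.
ARTIFACTS = [
    {"id": 101, "name": "IPS event",
     "cef": {"sourceAddress": "198.51.100.7", "destinationAddress": "10.0.0.5"}},
    {"id": 102, "name": "IPS event",
     "cef": {"destinationAddress": "10.0.0.9"}},  # sourceAddress is missing
    {"id": 103, "name": "IPS event",
     "cef": {"sourceAddress": "203.0.113.20", "destinationAddress": "10.0.0.5"}},
]


def resolve(artifacts, datapath):
    """Return one value per artifact for a datapath such as
    'artifact:*.cef.sourceAddress'. A missing field yields None."""
    scope, _, path = datapath.partition(":")
    if scope != "artifact" or not path.startswith("*."):
        raise ValueError(f"unsupported datapath: {datapath!r}")
    keys = path[2:].split(".")
    values = []
    for artifact in artifacts:
        node = artifact
        for key in keys:
            # Walk one level down; stop as soon as a level is absent.
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break
        values.append(node)
    return values


def build_parameters(artifacts, field_datapath, param_name="ip"):
    """Build one action parameter set per artifact that has the field.
    Artifacts without the field are skipped so the action never runs on None."""
    values = resolve(artifacts, field_datapath)
    ids = resolve(artifacts, "artifact:*.id")
    return [
        {param_name: value, "context": {"artifact_id": artifact_id}}
        for value, artifact_id in zip(values, ids)
        if value is not None
    ]


if __name__ == "__main__":
    for params in build_parameters(ARTIFACTS, "artifact:*.cef.sourceAddress"):
        print(params)
```

Choosing destinationAddress instead of sourceAddress in the same step would run the action against the internal hosts rather than the external sources, which is why the datapath selection deserves a check before saving.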
This documentation applies to the following versions of Splunk® SOAR (Cloud): current