Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Add a new block to your playbook

To add a new block to a playbook:

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select a block type from the menu that appears. Alternatively, select a block from the list of block types in the left panel and and drag it onto the editor.
  2. Configure the block as needed. See the following table.
  3. When you have finished configuring the block, select Done.
  4. Connect your block either by dragging the half circle icon from a previous block to the half circle icon on your new block, or by dragging and dropping a new block onto an existing block. Each new block must be connected to a block before itself. For example if your playbook has a single action, it will connect to the Start block and the End block.
Playbook block type Description
Action Run an action provided by an app that is installed and configured in . For example, you can use the MaxMind app to geolocate an IP address. See Add an action block to your playbook.
Playbook Run an existing playbook inside your current playbook. See Run other playbooks inside your playbook in .
Code Process data with custom code. See Add custom code to your playbook with the code block.
Utility Perform an action by making a utility call. See Set notable parameters in using the Utility block. The utility block is also where the custom functions live.
Filter Filter the results of the previous block. For example, you can separate items that have a specific severity and perform a different set of actions on those items. See Use filters in your playbook to specify a subset of events before further processing.
Decision Make a decision and perform different actions depending on the results of the previous block. For example, you can deny list all destination IPs that belong to a specific country. See Use decisions to send events to a specific downstream action in your playbook.
Format Format the results of the previous block. For example, you can gather data, format that data in a specific way, and send an email. See Customize the format of your playbook content.
Prompt Require a user to take action before proceeding to the next block. See Require user input using the Prompt block in your playbook.
Enterprise Security API Available only if your instance is paired with your Splunk Enterprise Security instance.
Perform actions against the paired Splunk Enterprise Security system. Enterprise Security API blocks have functions similar to Action blocks. See Run a playbook in the Automate your investigation response with actions and playbooks in Splunk Enterprise Security documentation.

Size limitations

Try to limit your playbook to fewer than 50 individual blocks. Larger playbooks use a lot of memory and might load slowly. If needed, break large playbooks into smaller playbooks, including Input type playbooks, described in Create a new playbook in .

Each playbook can run a maximum of 500 actions, including each repetition of any looped blocks. If you anticipate your playbook will have exceed that limit, update the limit. For details, see set_action_limit in the Session automation API article.

Advanced settings

Follow these steps to configure advanced settings for a block.

To use Advanced settings, when configuring a block follow these steps:

  1. Select Advanced.
  2. Modify the advanced settings.
Setting Available for block types Description
Join Settings Action
Playbook
Code
Filter
Decision
Format
Prompt
Enterprise Security
You can configure join settings when multiple incoming blocks that support the synchronous functionality are linked to any downstream block. All Action, Prompt, and Manual Task blocks run synchronously and playbooks can be toggled to run synchronously in the block configuration. See Run other playbooks inside your playbooks in for more information on the synchronous functionality.


Configure join settings from the downstream block. These settings determine whether you wait to execute the next block until the required upstream blocks finish running. Select the required checkbox if the action in the upstream block must be completed before this downstream block is run. The required checkbox is enabled by default.

Scope Action
Playbook
Code
Filter
Decision
Format
Prompt
Configure scope to determine how the artifact data passed into a block's API is collected. Collection occurs in the context of the current playbook. Setting the scope advanced setting on a playbook block doesn't change the scope of a child playbook. In child playbooks, scope only affects the collected artifact data that is passed in as inputs to the child playbook and the collection occurs before the child playbook is run.
  • Default: The artifact data for the block uses the same scope as the playbook.
  • New Artifacts: The artifact data for the block is collected for new events.
  • All Artifacts: The artifact data for the block is collected for all events.

Specifying scope with Playbook and Utility blocks:

  • Playbook blocks: Scope is only relevant for Input playbooks, sometimes known as data playbooks. Scope is not relevant — and you cannot specify scope — for Automation playbooks.
  • Utility blocks: Scope is only relevant for utility blocks that have a datapath input. Scope is not relevant — and you cannot specify scope — when the utility block has a text input.
Action Settings Action
Enterprise Security
Configure the action settings that a user must perform. Action settings are only available from an action block.
  • Reviewer: Select a user or group that must approve this action before the action runs. If you select a group or role, any user in that role can approve the action.
  • Delay Timer: Set a delay in minutes before the action runs. A clock icon is visible on the action block to show that a delay is configured.
Case-sensitive Decision
Filter
Select if you want the conditions evaluation to be case-sensitive, or case-insensitive. The default is case-sensitive.
Delimiter Prompt
Format
Specify an alternate separator to use when joining parameter values that result in a list together. The default separator is ",".
Drop None Prompt
Format
Select whether you want to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included.

Specifying data in playbook blocks

For details on how to specify data in your playbook blocks, see Specify data in your playbook.

Last modified on 18 September, 2024
Create a new playbook in   Add an action block to your playbook

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters