After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Add a new block to your playbook
To add a new block to a playbook:
- Drag and drop the half-circle icon attached to any existing block in the editor. Select a block type from the menu that appears. Alternatively, select a block from the list of block types in the left panel and and drag it onto the editor.
- Configure the block as needed. See the following table.
- When you have finished configuring the block, select Done.
- Connect your block either by dragging the half circle icon from a previous block to the half circle icon on your new block, or by dragging and dropping a new block onto an existing block. Each new block must be connected to a block before itself. For example if your playbook has a single action, it will connect to the Start block and the End block.
Playbook block type | Description |
---|---|
Action | Run an action provided by an app that is installed and configured in . For example, you can use the MaxMind app to geolocate an IP address. See Add an action block to your playbook. |
Playbook | Run an existing playbook inside your current playbook. See Run other playbooks inside your playbook in . |
Code | Process data with custom code. See Add custom code to your playbook with the code block. |
Utility | Perform an action by making a utility call. See Set notable parameters in using the Utility block. The utility block is also where the custom functions live. |
Filter | Filter the results of the previous block. For example, you can separate items that have a specific severity and perform a different set of actions on those items. See Use filters in your playbook to specify a subset of events before further processing. |
Decision | Make a decision and perform different actions depending on the results of the previous block. For example, you can deny list all destination IPs that belong to a specific country. See Use decisions to send events to a specific downstream action in your playbook. |
Format | Format the results of the previous block. For example, you can gather data, format that data in a specific way, and send an email. See Customize the format of your playbook content. |
Prompt | Require a user to take action before proceeding to the next block. See Require user input using the Prompt block in your playbook. |
Enterprise Security API | Available only if your instance is paired with your Splunk Enterprise Security instance. Perform actions against the paired Splunk Enterprise Security system. Enterprise Security API blocks have functions similar to Action blocks. See Run a playbook in the Automate your investigation response with actions and playbooks in Splunk Enterprise Security documentation. |
Size limitations
Try to limit your playbook to fewer than 50 individual blocks. Larger playbooks use a lot of memory and might load slowly. If needed, break large playbooks into smaller playbooks, including Input type playbooks, described in Create a new playbook in .
Each playbook can run a maximum of 500 actions, including each repetition of any looped blocks. If you anticipate your playbook will have exceed that limit, update the limit. For details, see set_action_limit in the Session automation API article.
Advanced settings
Follow these steps to configure advanced settings for a block.
To use Advanced settings, when configuring a block follow these steps:
- Select Advanced.
- Modify the advanced settings.
Setting | Available for block types | Description |
---|---|---|
Join Settings | Action Playbook Code Filter Decision Format Prompt Enterprise Security |
You can configure join settings when multiple incoming blocks that support the synchronous functionality are linked to any downstream block. All Action, Prompt, and Manual Task blocks run synchronously and playbooks can be toggled to run synchronously in the block configuration. See Run other playbooks inside your playbooks in for more information on the synchronous functionality.
|
Scope | Action Playbook Code Filter Decision Format Prompt |
Configure scope to determine how the artifact data passed into a block's API is collected. Collection occurs in the context of the current playbook. Setting the scope advanced setting on a playbook block doesn't change the scope of a child playbook. In child playbooks, scope only affects the collected artifact data that is passed in as inputs to the child playbook and the collection occurs before the child playbook is run.
Specifying scope with Playbook and Utility blocks:
|
Action Settings | Action Enterprise Security |
Configure the action settings that a user must perform. Action settings are only available from an action block.
|
Case-sensitive | Decision Filter |
Select if you want the conditions evaluation to be case-sensitive, or case-insensitive. The default is case-sensitive. |
Delimiter | Prompt Format |
Specify an alternate separator to use when joining parameter values that result in a list together. The default separator is ",". |
Drop None | Prompt Format |
Select whether you want to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included. |
Specifying data in playbook blocks
For details on how to specify data in your playbook blocks, see Specify data in your playbook.
Create a new playbook in | Add an action block to your playbook |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!