Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

View or edit playbook settings in Splunk SOAR

To view or edit playbook settings after you've saved a playbook, click Playbook Settings. You can also view playbook settings before a playbook is saved, but not all fields are available until after the playbook is saved.

The following table describes the fields in the playbook settings.

Field Description
Operates on Related information in Splunk SOAR is organized in containers. Playbooks contain the list of artifacts the playbook work on and the results of the playbook and action runs. A playbook can't run without an associated container, which holds the inputs and outputs for a playbook run. Containers also have a label associated with them, which is used to group together different kinds of information. For example, Splunk SOAR includes one default notable label, Events. Other labels could be Intelligence for data from threat and intel feeds or Phishing for phishing emails. Playbooks are designated to run on particular labels. Select which labels this playbook works on from the Operates on field. Most playbooks are designed to work on a particular category, and therefore a particular label.
Tenants Select one or more tenants to run the playbook against the containers belonging to the selected tenants. Use an asterisk (*) to run the playbook on containers for all tenants.
Category Use categories to organize and save your playbooks into folders. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development.
Run as The service account used by Splunk SOAR to run the playbook.
Logging Toggle this switch to turn on debug logging each time the playbook is run. Logging might be useful when you create a new playbook. Later, you can turn logging off to save disk space.
Active The playbook will automatically run on every new container or artifact that comes into Splunk SOAR, for the playbook labels it is set to run on.
Safe Mode Toggle this switch to put the playbook in read-only mode. By turning on Safe Mode, the playbook will be unable to run read-write actions. Read and write actions are defined by each app in Splunk SOAR.
Draft Mode Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active.
Description Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook and appears on the playbooks page.
Notes Notes can be viewed only by editing the playbook.
Export Playbook You can share playbooks by exporting them. Import a shared playbook file on the playbooks page.
Revision History Click View to see a previous revision of the playbook. You can make edits and save as a new version, or click Latest Version to return to the most current version.

Click Revert to use the corresponding previous version of the playbook as the most current version.

Audit Trail The Audit Trail button downloads a CSV file that shows the full audit trail of the playbook, including dates and times.
Last modified on 18 September, 2024
Use keyboard shortcuts in the classic playbook editor   View or edit the Python code in playbooks

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters