Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Use Data Preview to build, test, and edit playbooks

Use the Data preview panel on the right side of the Splunk SOAR screen to add blocks and preview their associated data. Data preview shows both sample data and real data for SOAR containers and Splunk Enterprise Security findings.

The data path picker configuration panel is still available to show possible data paths when using the configuration panel on the left side of the Visual Playbook Editor.

Real data views are currently available only for action, playbook, and Enterprise Security block types. Sample data views are available for all block types.

Create a playbook

Perform the following tasks to create a new playbook in :

  1. Select the Home menu, then select Playbooks.
  2. Select + Playbook to create a new playbook.
  3. Select the type of playbook you want to create. The playbook type appears at the bottom of the configuration panel on the playbook editor canvas.

    Available playbook types depend on whether you have paired Splunk SOAR (Cloud) with your Splunk Enterprise Security instance.

    Playbook type       | Availability                                                                        | Based on                                              | Usage
    --------------------|-------------------------------------------------------------------------------------|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------
    Enterprise Security | Only when paired with Splunk Enterprise Security.                                   | Splunk Enterprise Security data                       | Can be called by analysts within Splunk Enterprise Security, launched as an automation rule, or used as sub-playbooks.
    SOAR / Automation   | Named SOAR when paired with Splunk Enterprise Security. Named Automation when not paired. | Splunk SOAR data                                 | Can be called by analysts within Splunk SOAR, invoked automatically based on active labels, or used as sub-playbooks.
    Input               | Always available.                                                                   | Splunk Enterprise Security data or Splunk SOAR data   | Can only be called as sub-playbooks. Can only be run directly within the debugger.
  4. Specify a name for the playbook.
    • Playbooks in the same repository cannot have the same name. Playbooks in different repositories can have the same name.
    • As a best practice, do not use personally identifiable information in the names of playbooks.
  5. Select Settings. In the Playbook Settings panel, select the Operates on field and specify one or more event labels that this playbook runs on. Operates on is only available for the Automation or SOAR playbook type. Optionally, specify additional settings. For additional details on playbook settings, see Manage settings for a playbook in .

Playbook block limit recommendations

Try to limit your playbook to fewer than 50 individual blocks. Larger playbooks use more resources and might load slowly. If needed, break large playbooks into smaller playbooks, including Input type playbooks, described in Create a new playbook in .

Preview the data

You can configure your playbook using the data from a Splunk SOAR event or container or a Splunk Enterprise Security finding or investigation that you specify. You can see actual data from the container, event, finding, or investigation to make sure that you construct the playbook appropriately for your needs. If you don't select a data source, the Data preview panel displays only sample views.

To view the data, follow these steps:

  1. (Conditional) If you are working with an input playbook, select whether you are working with data originating in Splunk Enterprise Security or in Splunk SOAR. If you are working with a different playbook type, continue with the next step.
  2. In the search field, enter a few letters or numbers to search for the data source you will be working with. Alternatively, select a recent source from the list that appears.
    • For Automation or SOAR playbooks, search for the container ID or name.
    • For Enterprise Security playbooks, search for the investigation ID or the reference ID of the finding or investigation.

      For Enterprise Security playbooks, you must first run an action or playbook on the finding or investigation for it to appear in Data Preview. Manually enter a finding ID, investigation ID, or display ID, then select Save and run to run the playbook and retrieve the data from Enterprise Security.

      A reference ID can be formatted in the following ways:

      • 28a6dc03-2f47-4848-a436-180bd2797a5a@@notable@@b3edcd9f906885cf7980992424a43f06 when viewing a Finding
      • 5CCA4678-4495-4FBA-AA14-0D9A1FC342F5, also known as a display ID or GUID, when viewing an investigation

      You can also use the shorter investigation ID with the format ES-00009, found either in the main analyst queue or in the side panel.

  3. Select the Start block, then view the data in one of two ways.
    • Select Container data (for Splunk SOAR) or Finding data (for Splunk Enterprise Security). The actual data for your source displays in purple.
    • Select Sample data to see example data that might populate each field but that is not related to your actual data. Sample data appears in teal.
  4. Optionally filter the data you see.
    • Select Filter on known data types to view only data relevant for your action or other playbook block you are running. For example, if you are using whois ip, only ip-related data displays.
    • Use the search field to search for a datapath name or actual data. For example, you can search for a field containing the word status or search for a status message of success.

You will use the data to configure the individual playbook blocks after you add them.

Add an Action block using Quick Actions

You can add an action block directly from the Data preview panel. In this example, there has been a malicious URL request attempt and you want to create an action in your playbook to find out its origin.

To add an action block from the Data preview panel, follow these steps:

  1. In the playbook you created, select the block after which you want to create an action block. In this example, it will be the Start block, but it can also be any other playbook block.
  2. View either the sample or action data, filtering it if needed.
  3. Locate the data you want to work with. In this example, use ip. Some data with specific datatypes, for example, ip, has a menu with three dots. Select the three dots to reveal the Run action menu, used for adding an action. The menu displays actions that are appropriate for the datatype you selected. For example, select geolocate_ip to use the IP address in the data you are previewing.
  4. (Conditional) If your instance has multiple installed applications with the same action name, an additional application selector appears. Select the application you want to use for the action.
  5. The action block appears on the playbook editor canvas, attached to the previous playbook block. Notice that the datapath associated with that datatype appears in the corresponding field in the action block's configuration panel, to the left of the canvas.
  6. Complete any additional fields in the configuration panel for this action. For example, you might have other required fields to add, or you can choose to add looping logic using the Loop tab.

For additional information on action blocks, see Add an action block to your playbook.

Add additional playbook blocks and specify configuration data

Use the data in the Data preview panel to configure each playbook block. In the geolocate_ip action scenario earlier, the action produces an output of the country where the source IP originated. Now you can use that output to configure a filter block. To add a new playbook block and configure its data, follow these steps:

  1. Select the block you want to configure. For example, select the geolocate_ip action configured previously. The sample view of the action should appear on the Data preview panel. Select the pin button in the Data preview panel to keep showing the data for the pinned block while you navigate to other playbook blocks, so that the sample view does not change when you add another block.
  2. From that action block, drag and drop its half-circle icon. From the menu, select a filter block type. You will use data from the action block output to configure the new filter block.
  3. In the Data preview panel results, locate and select the country_name datapath, then select the copy icon next to the sample value.
  4. In the filter configuration panel on the left side, paste the datapath from the action block into the first condition. The datapath that you pasted should look like this: geolocate_ip_1:action_result.data.*.country_name.
  5. Continue to configure the condition in the filter block. For example, if you have a select group of embargoed countries, you can create a custom list and specify a condition that matches when the country name is not on that list.
  6. Select Done.
  7. In the Data preview panel, select Save and run. Messages inform you whether the playbook ran successfully. Switch to the Debugger tab to monitor the playbook's progress. See the Debug playbooks section in this article for more information on how to use the debugger tab.
  8. After the playbook run completes, return to the previously configured action block and notice that it now has an Action run view where you can see the real results of the action.
  9. Continue to add and configure blocks following these steps. After you create and configure the final block, connect it to the End block.

To view sample results or real results for playbook blocks, you must set the playbook block to synchronous mode in its configuration panel on the left.
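The following Python is an added illustration, not Splunk SOAR's own code or the code the Python editor generates: it re-implements, on a constructed sample of geolocate_ip_1 action results, how a datapath such as geolocate_ip_1:action_result.data.*.country_name addresses values, and how the filter condition "country name not in an embargoed-countries custom list" evaluates. The result layout and the country and list names are assumptions made for the example.

```python
# Constructed sample of what the Data preview panel might show for the
# geolocate_ip_1 block (not real SOAR output): one action_result per IP
# looked up, each with a "data" list holding the geolocation record.
ACTION_RESULTS = {
    "geolocate_ip_1": [
        {"parameter": {"ip": "203.0.113.10"}, "status": "success",
         "data": [{"country_name": "Canada", "city": "Toronto"}]},
        {"parameter": {"ip": "198.51.100.7"}, "status": "success",
         "data": [{"country_name": "Freedonia", "city": ""}]},
        {"parameter": {"ip": "192.0.2.9"}, "status": "failed", "data": []},
    ]
}

# Constructed custom list standing in for an "embargoed countries" list
# (fictional country names; assumption for the example).
EMBARGOED_COUNTRIES = ["Freedonia", "Ruritania"]


def resolve_datapath(datapath, results):
    """Walk a datapath of the form '<block>:action_result.<path>' over the
    named block's results and return every value it addresses, in result
    order. A '*' segment fans out over list elements; any other segment
    indexes a dict key. Missing keys simply contribute no value."""
    block, sep, path = datapath.partition(":")
    segments = path.split(".")
    if not sep or segments[0] != "action_result":
        raise ValueError("expected '<block>:action_result.<path>'")
    values = list(results.get(block, []))  # start from each action_result
    for segment in segments[1:]:
        next_values = []
        for value in values:
            if segment == "*":
                if isinstance(value, list):
                    next_values.extend(value)
            elif isinstance(value, dict) and segment in value:
                next_values.append(value[segment])
        values = next_values
    return values


def filter_not_in_list(datapath, results, custom_list):
    """Evaluate the filter-block condition '<datapath> not in <custom list>'
    and return the values that pass, i.e. what the filter lets through."""
    return [v for v in resolve_datapath(datapath, results)
            if v not in custom_list]


if __name__ == "__main__":
    path = "geolocate_ip_1:action_result.data.*.country_name"
    print("resolved:", resolve_datapath(path, ACTION_RESULTS))
    print("allowed:", filter_not_in_list(path, ACTION_RESULTS, EMBARGOED_COUNTRIES))
```

Note that the failed third result contributes no country (its data list is empty) but still appears when you resolve a per-result path such as action_result.status, which is why it is useful to check the status datapath as well.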

Navigate through playbook blocks using the Data preview panel

Use the icons in the Data preview panel to navigate through blocks in your playbook.

Icon                     | Use
-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Previous and next arrows | In addition to selecting individual playbook blocks, you can use the forward and back arrows in the Data preview panel to highlight the next and previous blocks in the current playbook, relative to the selected playbook block. When a playbook block is selected, its associated data displays in the Data preview panel.
Pin                      | To continue to see the data for a specific block while you select other blocks in the playbook, select the pin icon while that block is selected. The data for that block is pinned in the Data preview panel, even when you select other blocks on the canvas. Select the pin icon again to clear the pin.

Debug playbooks

Use the debugger to test playbooks or troubleshoot issues, either while you are developing the playbook or if there are issues when the playbook runs.

To run your playbook using the debugger, the playbook must meet the following conditions:

  • The playbook must be saved. You cannot debug playbooks in edit mode.
  • The playbook cannot be marked active.
  • The playbook must have an event or Enterprise Security finding or investigation to run against.

You can access the playbook debugger in the Data Preview panel of the Visual Playbook Editor. Within the Data Preview panel, select the Debugger tab.

If your Splunk SOAR instance is paired with your Splunk Enterprise Security instance, you can debug based on findings and investigations.

You must be logged in to Splunk SOAR using a Splunk Enterprise Security account to run the debugger on findings or investigations.

To run the debugger for a specific container, finding, or investigation, follow these steps:

  1. Locate the ID for the container, finding, or investigation. Find the ID in the following locations:
    ID type       | Playbook type                                  | Location
    --------------|------------------------------------------------|-------------------------------------------------------------------------------------
    Container     | Automation/SOAR, Input, Enterprise Security    | In the SOAR Sources page, in the ID column
    Finding       | Enterprise Security                            | In the Enterprise Security Analyst queue, in the details panel, next to Reference ID.
    Investigation | Enterprise Security                            | In the Enterprise Security Analyst queue
  2. Copy the ID and paste it into the search field above the Debugger tab.
  3. Select whether you want to run the debugger as the current user or as the selected automation user.
  4. (Conditional) Specify the scope for debugging. Scope is not available when running the debugger on Enterprise Security data. Select one of the following options:
    • New Artifacts to include only the artifacts that were defined since the playbook last ran.
    • All Artifacts to include all artifacts in the playbook.
  5. Select Test.

Each line in the debug content starts with a date time stamp. Log entries show which block is running, the parameters sent, inputs from earlier blocks or playbooks, and the outputs of the block. The API call to on_finish represents a call to the End block. The playbook completes by logging a SUCCESS or FAILURE status.

Select Copy to copy the output of the debugger and paste it into a ticket or separate editor.

View or edit Python code

If you are experienced with Python, you can choose to select the Python editor tab in the Data preview panel to view or edit the underlying Python code in your playbook. The code in the Python editor tab is updated whenever you select Save and run in the Data preview panel.

For details, see View or edit the Python code in playbooks.

Last modified on 06 November, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current
