After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Automate responses with Splunk Enterprise Security playbook blocks
When you pair your instance with your Splunk Enterprise Security instance, you can use data from Splunk Enterprise Security in playbook blocks to automate against your Splunk Enterprise Security incidents.
To add the Splunk Enterprise Security block to use data from Splunk Enterprise Security, follow these steps:
Before you begin: If you have not already done so, create a playbook, as described in Create a new playbook in Splunk SOAR (Cloud).
- Select the half-circle icon attached to any existing block in the editor. Select an Enterprise Security block from the menu that appears.
- In the configuration panel, select the Enterprise Security API you want to configure, or search for an API name in the search field. See the list of available options later in this article.
  As an example, select get tasks to get tasks for the incident this playbook is automating against.
- Specify the parameters used in the API by using the datapath picker. For more information on parameters, hover over the information icon listed by the parameters. An asterisk (*) next to a field indicates a required input.
  For the get tasks example, select the id* field to open the datapath picker.
- The first panel of the datapath picker has two sections:
  - Splunk Enterprise Security, for data coming from Splunk Enterprise Security
  - Splunk SOAR, for data residing in Splunk SOAR, including data about the playbook itself, like the launching user.
- (Conditional) Some inputs for the APIs require a list of paired values. For example, the create event API requires input pairs. For these APIs, select the + Item button to add a pair, then select datapaths for the name and value. For example, if you were using the create event API in a playbook as part of geolocating an IP address, you could enter dest_country_name as the name of the field that you want to update, and in the value field, select geolocate_ip_1 then country_name from the datapath picker.
- (Conditional) If the datapath you need isn't available, create a custom datapath. When you add a custom datapath, it is available only for the block you add it to. To create a custom datapath, follow these steps:
  - Hover over a datapath field title, like finding_ids, and select +.
  - Enter a name for the datapath.
  - Select either Key or List. Use Key to use one value, and use List to use a list of values. Using List adds a .* value to the datapath and it appears as <list_name []> with datapaths nested below it in the datapath picker. To add more values to your List, select the + icon under the top value of the list.
  - Select Save to save the custom datapath.
  For details on custom datapaths, and an example, see Example: Add a custom datapath to a playbook block.
- Repeat this process for each required field in the API. When you have specified all required fields for the API, select Done.
- Optionally configure Advanced settings for a Splunk Enterprise Security block. You can use Join Settings, Scope, and Action Settings in a Splunk Enterprise Security block. For more information on these settings, see Advanced settings.
- Optionally, specify if you want to repeat this block with a logic loop. For details on looping, see Repeat actions with logic loops.
- Enter a name for the playbook.
Use 250 characters or fewer for the name of a playbook.
- Select Save to save the playbook.
- Enter a comment about this playbook.
- Select Save again.
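The datapath notation used by the steps above (a Key datapath selecting one value, a List datapath carrying a .* segment that selects every element of a list, and the name/value pairs a create event block takes) can be illustrated with a small resolver. This is an added example, not Splunk SOAR's own code: the results dictionary, its field names, and the dotted or colon-separated datapath string are all constructed assumptions for this illustration.

```python
"""Resolve datapaths of the kind the datapath picker produces.

Added illustration, not Splunk SOAR's own code. The results layout and
the datapath string form are assumptions made for this example.
"""
from typing import Any

# Constructed sample of what an upstream geolocate_ip_1 action might
# have produced, plus the playbook's own data (the launching user).
SAMPLE_RESULTS = {
    "geolocate_ip_1": {
        "action_result": {
            "parameter": {"ip": "198.51.100.7"},
            "data": [
                {"country_name": "Testland", "city_name": "Sampleville"},
                {"country_name": "Exampleia", "city_name": "Mocktown"},
            ],
        }
    },
    "playbook": {"launching_user": "analyst"},
}


def resolve_datapath(results: dict, datapath: str) -> list[Any]:
    """Return every value a datapath selects.

    A Key datapath ("playbook.launching_user") yields one value. A List
    datapath ("geolocate_ip_1:action_result.data.*.country_name") yields
    one value per list element because "*" fans out over the list.
    Missing segments yield an empty list instead of raising, so a block
    whose required input resolved to nothing can be detected upstream.
    """
    nodes: list[Any] = [results]
    for segment in datapath.replace(":", ".").split("."):
        next_nodes: list[Any] = []
        for node in nodes:
            if segment == "*":
                if isinstance(node, list):
                    next_nodes.extend(node)
            elif isinstance(node, dict) and segment in node:
                next_nodes.append(node[segment])
        nodes = next_nodes
    return nodes


def build_event_pairs(results: dict, pairs: dict) -> list[dict]:
    """Turn {field_name: datapath} into the name/value pairs a create
    event block receives, one entry per resolved value."""
    out = []
    for name, path in pairs.items():
        for value in resolve_datapath(results, path):
            out.append({"name": name, "value": value})
    return out
```

With the sample above, the dest_country_name pair from the geolocation example expands to one name/value entry per geolocated result, which is the behaviour to expect whenever a List datapath feeds a paired input.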
Run a playbook that automates against Splunk Enterprise Security
You can run a playbook that automates against Splunk Enterprise Security from the following locations:
- Run a playbook from the Analyst queue on a finding or investigation in Splunk Enterprise Security. See Automate your investigation response with actions and playbooks in Splunk Enterprise Security.
- Run a playbook from a response template in Splunk Enterprise Security. See Set up actions and playbooks to run with response template tasks.
- Run a playbook from the debugger in Splunk SOAR (Cloud). See Debug playbooks in the Use Data Preview to build, test, and edit Splunk SOAR (Cloud) playbooks article.
- Attach a playbook to a detection when configuring Automation Rules. See Configure automation rules to run playbooks based on detections in Splunk Enterprise Security.
Available options in the Splunk Enterprise Security block
Use the Splunk Enterprise Security block to set parameters of the incident it's running on. For example, you can use get tasks to get all the tasks of the incident. The following table describes the options available in the Splunk Enterprise Security block.
API | Description |
---|---|
add events | Add events from any search to an investigation. |
add finding or investigation note | Add a note to the finding or investigation. |
add investigation file | Add an attachment to the KV store. |
add response plan | Apply a response template to an incident. |
add task file | Add an attachment to a task. |
add task note | Add a note to a task. The author and update time are populated automatically. |
add task to current phase | Add a task to the response plan phase you are currently working on. |
create event | Create an event to be associated with an investigation. |
delete event | Delete an event that is part of an investigation. |
delete file attachments | Delete a file attachment from Splunk SOAR and Splunk Enterprise Security. |
delete finding or investigation note | Delete a note in a finding or an investigation. |
delete task file | Delete the attachment from a task and from the collection, if applicable. |
delete task note | Delete the note and attachments from a task. |
get current phase | Get the current response plan phase of an investigation. |
get events | List all the events associated with an investigation. |
get finding metadata | Retrieve the mutable data from a finding or investigation. |
get finding or investigation | Retrieve a finding or an investigation by the GUID or display ID without running a search. |
get investigation tasks | Get tasks of an investigation in Splunk Enterprise Security. |
get notes in finding or investigation | Get notes from the finding or investigation. |
get phase id | Retrieve a phase ID by providing the finding ID or the investigation ID, phase name, and response template name. The response matches the data available for dispatch to automation. |
get response plans | Get all response plans within Splunk Enterprise Security. |
get task file | Get the base64 file contents from an attachment in a task. |
get task from current phase | Get a specific response plan task from the current response plan phase. |
get task id | Retrieve a task ID by providing the investigation ID, phase name, and response template name. The response matches the data available for dispatch to automation. |
get task notes | Get all the notes from a response plan task. |
list file attachments | List the Splunk SOAR and Splunk Enterprise Security file attachments for a specific investigation or finding. |
refresh | Fetch the investigation or finding on Splunk Enterprise Security for Splunk SOAR using a given investigation or finding ID. |
set current phase | Set the current response plan phase of an incident. |
start investigations | Create one or more investigations in Splunk Enterprise Security. |
sync file attachments | Upload the attachments from Splunk Enterprise Security to Splunk SOAR. |
update event | Update an event that is part of an investigation. |
update finding or investigation | Update a Splunk Enterprise Security finding or investigation. |
update findings or investigations note | Update a note in a finding or investigation. |
update task in current phase | Update a specific response plan task in the current response plan phase. |
update task note | Update a note in a task. |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current