Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Find existing playbooks for your apps

Before you begin creating playbooks from scratch, consider looking for existing playbooks that are similar to your use case that you might use as-is, or as a base for a template you want to create. You can start with an existing playbook from the community or from someone else in your organization and, if needed, modify a copy of it to suit your specific needs. For example, if you want a playbook to check whether an incoming IP address is malicious, you can start with an existing playbook that has that functionality and update it for your own specifications. Or, if you want to check incoming country codes, you can modify an existing playbook that checks for IP addresses and modify it to look at country codes.

The Splunk community is a rich resource for shared playbooks. You can save time and effort by using or starting with an existing playbook.

Find associated playbooks

Playbooks are associated with various applications. You can search for existing playbooks based on the apps you have available in your system.

Find playbooks for your apps

To find playbooks associated with your apps, follow these steps:

  1. In , navigate to the Apps page.
  2. Find the app you want to work with. In the row for that app, select Associated Playbooks.
    A list of existing playbooks that work with that app display.
  3. Select the name of an existing playbook that you want to explore. The playbook opens in the Visual Playbook Editor.
  4. If you are missing configurations, a message appears. Select View to make the necessary configurations. This process is described in Missing configurations in imported playbooks in Export and import playbooks in .
  5. To save a copy of the existing playbook, select the three dots 3 dots icon near the settings and Save buttons select Save as.
  6. You can use the existing playbook without making any changes or modify it to suit your organization's needs.
    To modify an existing playbook, refer to other topics in this chapter, starting with Create a new playbook in .

Find playbooks for specific apps

You might want to use playbooks for a specific app that is not necessarily one that you have already installed.

To find playbooks associated with other apps, follow these steps:

  1. In , navigate to the Playbooks page.
  2. In the table headings, select Apps Used. Select an app name from the list. The table displays only playbooks that use that app.
  3. Select the name of an existing playbook that you want to explore. The playbook opens in the Visual Playbook Editor.

Find playbooks by category

Filtering playbooks on the Playbooks page can help you to find specific playbooks.

To filter playbooks displayed on the Playbooks page, follow these steps:

  1. In Home menu, select Playbooks.
  2. At the top of the Playbooks page, select one of the following tabs
    • All — Displays all playbooks.
    • Internal repositories — Displays only playbooks customized within your organization that are not in the Splunk Community repository.
    • Active — Displays only playbooks that are set to Active.
    • Classic mode — Displays only playbooks in your internal repositories that were created with the classic playbook editor. It does not include community playbooks. Use this tab to prepare for converting these playbooks to modern mode. For details, see Convert classic playbooks to modern playbooks.
    • Community repository — Displays only playbooks in the Splunk Community repository. This tab does not appear if you delete the Community repository.
Last modified on 06 November, 2024
Use keyboard shortcuts in the playbook editor   Find existing playbooks for your apps

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters