Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Find existing playbooks for your apps

Before you begin creating playbooks from scratch, consider looking for existing playbooks that are similar to your use case that you might use as-is, or as a base for a template you want to create. You can start with an existing playbook from the community or from someone else in your organization and, if needed, modify a copy of it to suit your specific needs. For example, if you want a playbook to check whether an incoming IP address is malicious, you can start with an existing playbook that has that functionality and update it for your own specifications. Or, if you want to check incoming country codes, you can modify an existing playbook that checks for IP addresses and modify it to look at country codes.

The Splunk community is a rich resource for shared playbooks. You can save time and effort by using or starting with an existing playbook.

Find associated playbooks

Playbooks are associated with various applications. You can search for existing playbooks based on the apps you have available in your system.

Find playbooks for your apps

To find playbooks associated with your apps, follow these steps:

  1. In , navigate to the Apps page.
  2. Find the app you want to work with. In the row for that app, select Associated Playbooks.
    A list of existing playbooks that work with that app display.
  3. Select the name of an existing playbook that you want to explore. The playbook opens in the Visual Playbook Editor.
  4. If you are missing configurations, a message appears. Select View to make the necessary configurations. This process is described in Missing configurations in imported playbooks in Export and import playbooks in .
  5. To save a copy of the existing playbook, select the three dots 3 dots icon near the settings and Save buttons select Save as.
  6. You can use the existing playbook without making any changes or modify it to suit your organization's needs.
    To modify an existing playbook, refer to other topics in this chapter, starting with Create a new playbook in .

Find playbooks for specific apps

You might want to use playbooks for a specific app that is not necessarily one that you have already installed.

To find playbooks associated with other apps, follow these steps:

  1. In , navigate to the Playbooks page.
  2. In the table headings, select Apps Used. Select an app name from the list. The table displays only playbooks that use that app.
  3. Select the name of an existing playbook that you want to explore. The playbook opens in the Visual Playbook Editor.

Find playbooks by type

You can filter the playbooks you want to display on the Playbooks page before you open it. Filtering playbooks can help you to find specific playbooks.

To filter playbooks displayed on the Playbooks page, follow these steps:

  1. In , select the Home menu.
  2. Before navigating directly to the Playbooks page, select one of the filters next to the Playbooks option.
    • Active playbooks: Displays only playbooks that are set to Active.
    • Custom playbooks: Displays only your playbooks that are not in the Splunk community repository.
    • Community playbooks: Displays only playbooks in the Splunk community repository.
Last modified on 17 May, 2023
Use keyboard shortcuts in the playbook editor
Add custom fields to your playbook

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters