Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

View the list of configured playbooks in

The Playbooks table contains all currently available playbooks and significant metadata about those playbooks. Use the playbooks list to sort, filter, and manage your playbooks.

To view the Playbooks table, select the main menu in , then select Playbooks.

From the Playbooks table page, you can perform any of the following tasks:

  • Use the search field to find specific playbooks. Searches are case-insensitive and partial-word matches are supported. This search does not support booleans, such as AND, NOT, or OR.
  • Search for playbooks that use a certain installed app. Select the Apps Used column heading, then either select from the list of installed apps shown or use the search box to enter the name of an installed app. The table displays only playbooks that match the specified apps.
  • Select column headers to sort the playbooks. The first click sorts in ascending order. The second will sort in descending order. For example, select the Updated column header. The icon changes to indicate whether the column is sorted in descending or ascending order. so that the playbooks with the most recent changes are listed at the top.
  • By default, 10 playbooks are displayed at a time. Select the Show 10 dropdown and select the number of playbooks you want displayed at a time.
  • Select the Reorder Active Playbooks icon (Reorder Active Playbooks icon) to change the order in which active playbooks are listed.
    If your Splunk SOAR and Splunk Enterprise Security instances are paired, reordering playbooks here does not affect the order of active playbooks run through automation rules.
    See Reorder active playbooks in .
  • Select the Update from source control icon (Update from source control icon) to update playbooks based on the source you select and your source control settings.
  • Select the Manage source control icon (Manage source control icon) to manage your source control settings. See Configure a source control repository for your playbooks.
  • Select the Import Playbook icon (Import Playbook icon) to add a playbook to . See Import a playbook to .
  • Select the + Playbook button to create a new playbook. The Playbook Editor will open in a new tab or window.

The columns in the Playbook table are described in the following table. By default, all available columns are visible. Scroll to the right as needed to view all available columns. Select the vertical ellipsis icon to select which columns to display.

Column Description
Name The name and description of the playbook.
Success The number of times the playbook has run successfully.
Failed The number of times the playbook did not finish running.
Label The event label that the playbooks runs on. This value is configured as the Operates on field in the playbook settings. See Review playbook settings for a playbook in .

If your Splunk SOAR (Cloud) instance is paired with your Splunk Enterprise Security instance: the label is always es_soar_integration.

Apps used Which apps are included in the playbook.
Assets used Which assets are included in the playbook.
Repo The repository or folder where the playbook is saved.
Category The playbook category. This value is configured in the Category field in the playbook settings. See Review playbook settings for a playbook in .
Status Indicates whether or not the playbook is active:
  • Inactive means the playbook is not active.
  • Active means the playbook is active.

Only active playbooks can be run.

If your Splunk SOAR (Cloud) instance is paired with your Splunk Enterprise Security instance: You cannot mark Enterprise Security-type playbooks as Active.

Mode

Either Classic or Modern. A Classic playbook uses the older version of the two playbook editors available in , and a Modern playbook uses a newer version of the playbook editor in .

Classic playbooks are deprecated as of release 6.2.1. For details on converting your playbooks, see Convert classic playbooks to modern playbooks.

Type The kind of playbook, specified when it was created.
Standalone Splunk SOAR includes 2 playbook types:
  • Automation playbooks can be called by analysts within Splunk SOAR, invoked automatically based on active labels, or used as sub-playbooks.
  • Input playbooks are used only as sub-playbooks and are not automatically invoked as independent playbooks. Input playbooks cannot be run manually, so they are not visible if you use the Run Playbook button. They can be run independently only in the playbook debugger.


Splunk SOAR paired with Splunk Enterprise Security includes 3 playbook types:

  • SOAR playbooks are based on data in Splunk SOAR and can be called by analysts within Splunk SOAR, invoked automatically based on active labels, or used as sub-playbooks.
  • Enterprise Security playbooks are based on data in Splunk Enterprise Security and can be called by analysts within Enterprise Security, launched as an automation rule, or used as sub-playbooks.
  • Input playbooks are based on data in either Splunk SOAR or Splunk Enterprise Security and can only be called as sub-playbooks. They cannot be run directly.
Python Version The Python version used in the playbook.
Created The date and time when the playbook was saved for the first time.
Updated The date and time when the playbook was most recently saved.
Updated By The name of the user who last updated the playbook.
Version The playbook version number.
Tags The tags associated with the playbook.
Sub-Playbooks Called The sub-playbooks that are called by this playbook.
Last modified on 18 September, 2024
Create custom lists for use in playbook comparisons   Export and import playbooks in

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters