Splunk® SOAR (Cloud)

Use Splunk SOAR (Cloud)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Create custom lists for use in playbooks

A custom list is a collection of values that you can use in a playbook, such as a list of banned countries, or blocked or allowed IP addresses. Custom lists are used to save information in a visual format that can be used to make decisions or track information about playbooks. In your Filter and Decision blocks, compare parameters against all the values in a custom list, rather than having to configure each comparison in the playbook.

Create or import a custom list in

For information on working with custom lists through the REST API, refer to the next section, Create a custom list using the REST API.

Create a custom list in

Custom lists have a size limit of 256 MB.

Perform the following steps to create a custom list in :

  1. From the Home menu, select Custom Lists.
  2. Select + List to create a new list.
  3. Enter a name for the list.
  4. Enter or paste the list values in the table using one value per cell. For example, you can create a list of banned countries, or blocked or allowed IP addresses. Right-click in a cell to add or remove rows and columns.
  5. Select Save.

Import a custom list to using a CSV file

Imported custom list files have a size limit of 1 MB.

Perform the following tasks to import a CSV file to be used as a custom list.

  1. From the Home menu, select Custom Lists.
  2. Select the Import Custom List CSV icon (The Import Custom List CSV icon) to import a custom list as a CSV or TSV file.
  3. Enter a name for the list.
  4. Drag and drop your CSV or TSV file to the window, or select the window to locate the CSV file on your file system.
  5. Select Upload.

See Example of using a custom list in a filter in Build Playbooks with the Visual Editor for an example of how to use a custom list in a playbook.

Create a custom list using the REST API

See REST Lists in the REST API Reference for for information about how to manage custom lists using the REST API.

Export a custom list for use with third-party products and services

You can use the REST API to export a custom list for use as an external deny list with third-party products and services. For example, you can publish a list of banned IP addresses that can be used in your Palo Alto Networks firewall products.

Perform the following tasks to export a custom list and use it in a third-party product.

  1. Review the formatting requirements that your third-party product or service has for custom lists. For example, Palo Alto Networks products may have specific formatting requirements for their dynamic lists. Review these requirements so that the formatting in your custom lists match these formatting requirements of your third-party product or service.
  2. Provide a URI to the custom list in using the following format:
    https://username:password@[soar server]/rest/decided_list/[list name]/formatted_content?_output_format=csv

    For example, to provide a URI to the server SOAR_server.example.com, using admin as the user and password as the password, and a custom list named blockdomains:

    https://admin:password@SOAR_server.example.com/rest/decided_list/blockdomains/formatted_content?_output_format=csv
Last modified on 29 May, 2024
Create Executive Summary reports and view all reports in   Create and investigate containers

This documentation applies to the following versions of Splunk® SOAR (Cloud): current, current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters