Splunk® SOAR (Cloud)

Use Splunk SOAR (Cloud)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

View the list of configured playbooks in Splunk SOAR (Cloud)

The playbooks list contains all of your currently available playbooks and significant metadata about those playbooks. Use the playbooks list to sort, filter, and manage your playbooks.

To view the playbooks list, complete the following steps:

  1. From the Home menu, select Playbooks. All playbooks display.
  2. Select the Internal repositories tab to view playbooks that are specific to your organization.
  3. (Optional) Use the search field to find specific playbooks. Searches are case-insensitive and partial-word matches are supported. This search does not support booleans, such as AND, NOT, or OR. For additional information on finding existing playbooks, see Find existing playbooks in Build Playbooks with the Playbook Editor.

You can select the vertical ellipsis (⋮) icon to switch between displays of available columns in the playbook list. Items marked with a check mark (✓) appear in the playbook list. A horizontal scroll bar appears at the bottom of the playbook list as well.

From the playbooks list, you can complete the following tasks:

  • Reorder playbooks
  • Configure source control
  • Import playbooks
  • Manage playbooks with the Visual Playbook Editor

Reorder playbooks

You can set the playbook run order for playbooks with an Active status. Playbooks with an Inactive status do not run. By changing a playbook's status to Inactive, you cancel the running playbook. The next playbook in the list starts after the preceding playbook's on_start() function is complete.

If you want one playbook to start only if another playbook finishes running completely, use the phantom.playbook() function instead of the playbook list. See playbook in the Python Playbook API Reference for Splunk SOAR (Cloud).

Configure source control

Splunk SOAR (Cloud) stores playbooks in Git repositories, and you can update playbooks from source control by selecting the update button.

To update a playbook from source control, complete the following steps:

  1. Select a repository from the drop-down list in the Source to update from field.
  2. Select either Force Update or Preserve State:
    • Force Update treats the remote repository as authoritative. Using this overwrites any local changes to playbooks.
    • Preserve State retains the local metadata for changes to playbooks. Playbooks from the community repository always have a status of Inactive. If you have set the status of a community playbook to Active locally, updating from the community repository will set its status to Inactive unless you select Preserve State.
  3. Click Update.

You can also manage the source control settings by selecting the manage source control icon. See Configure a source code repository for your playbooks in Administer Splunk SOAR (Cloud).

Import playbooks

To import a playbook that was exported from another instance of Splunk SOAR (Cloud), complete the following steps:

  1. Select the import icon.
  2. In the Source to update field, select a repository where you want to write the imported playbook.
  3. (Optional) Click Force Update to overwrite existing versions of the same playbook.
  4. Drag and drop a compressed playbook in .tgz format, or click and navigate to the playbook.
  5. Click Upload.
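
A pre-import check for the compressed playbook described in the steps above, as an added example that is not part of the Splunk documentation: it lists the members of a .tgz archive with their SHA-256 digests and flags entries that do not belong in a playbook export, without writing anything to disk. The expected file suffixes, the function names, and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile

# Assumption: an exported playbook archive holds only the playbook's
# Python code and its JSON definition; adjust for your own exports.
EXPECTED_SUFFIXES = (".py", ".json")


def inspect_playbook_archive(data, expected_suffixes=EXPECTED_SUFFIXES):
    """Return (members, findings) for a .tgz, reading it only in memory."""
    members, findings = {}, []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for info in tar:
            name = info.name
            # Absolute paths and ".." components point outside the archive root.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"path escapes archive root: {name}")
            if info.issym() or info.islnk():
                findings.append(f"link entry: {name}")
                continue
            if not info.isfile():
                if not info.isdir():
                    findings.append(f"special entry: {name}")
                continue
            if not name.endswith(expected_suffixes):
                findings.append(f"unexpected file type: {name}")
            # Digest lets you compare the upload with the copy in source control.
            body = tar.extractfile(info).read()
            members[name] = hashlib.sha256(body).hexdigest()
    return members, findings


def build_sample(entries):
    """Constructed sample input: build a small .tgz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample([("triage.py", b"def on_start(container):\n    pass\n"),
                           ("triage.json", b"{}")])
    print(inspect_playbook_archive(sample))
```

Comparing the returned digests with the files in the repository you select in step 2 shows what Force Update would overwrite before you upload.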

Manage playbooks with the Visual Playbook Editor

You can manage your playbooks by opening the Visual Playbook Editor.

Create new playbooks

Select the add playbook icon to open the Visual Playbook Editor and create a new playbook. See Create a new playbook in Splunk SOAR (Cloud) in Build Playbooks with the Playbook Editor.

Edit, delete, export, or copy a playbook

Select the name of a playbook to open it in the Visual Playbook Editor. For more information, see Create a new playbook in Splunk SOAR (Cloud) using the visual playbook editor in Build Playbooks with the Playbook Editor.

Select the check box next to the playbook name to select one or more playbooks. After you select playbooks, you can complete the following actions:

| Action | Description |
| --- | --- |
| Edit | Set the properties of the selected playbooks, not the playbooks themselves. Set the status, logging mode, safe mode, labels, category, and tags by selecting the property value you want from the drop-down list. |
| Delete | Delete the selected playbooks. A dialog box asks you to confirm your choice. |
| Export | Download the playbook as a .tgz extension archive. You can export only one playbook at a time. |
| Copy | Save the playbook to a repository that you have configured, such as Git. You can only copy one playbook at a time. |

Last modified on 29 May, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current, current
