View or edit playbook settings in Splunk SOAR
To view or edit playbook settings after you've saved a playbook, click Playbook Settings. You can also view playbook settings before a playbook is saved, but not all fields are available until after the playbook is saved.
The following table describes the fields in the playbook settings.
|Operates on||Related information in Splunk SOAR is organized in containers. Playbooks contain the list of artifacts the playbook work on and the results of the playbook and action runs. A playbook can't run without an associated container, which holds the inputs and outputs for a playbook run. Containers also have a label associated with them, which is used to group together different kinds of information. For example, Splunk SOAR includes one default notable label, Events. Other labels could be Intelligence for data from threat and intel feeds or Phishing for phishing emails. Playbooks are designated to run on particular labels. Select which labels this playbook works on from the Operates on field. Most playbooks are designed to work on a particular category, and therefore a particular label.|
|Tenants||Select one or more tenants to run the playbook against the containers belonging to the selected tenants. Use an asterisk (*) to run the playbook on containers for all tenants.|
|Category||Use categories to organize and save your playbooks into folders. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development.|
|Run as||The service account used by Splunk SOAR to run the playbook.|
|Logging||Toggle this switch to turn on debug logging each time the playbook is run. Logging might be useful when you create a new playbook. Later, you can turn logging off to save disk space.|
|Active||The playbook will automatically run on every new container or artifact that comes into Splunk SOAR, for the playbook labels it is set to run on.|
|Safe Mode||Toggle this switch to put the playbook in read-only mode. By turning on Safe Mode, the playbook will be unable to run read-write actions. Read and write actions are defined by each app in Splunk SOAR.|
|Draft Mode||Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active.|
|Description||Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook and appears on the playbooks page.|
|Notes||Notes can be viewed only by editing the playbook.|
|Export Playbook||You can share playbooks by exporting them. Import a shared playbook file on the playbooks page.|
|Revision History||Click View to see a previous revision of the playbook. You can make edits and save as a new version, or click Latest Version to return to the most current version.
Click Revert to use the corresponding previous version of the playbook as the most current version.
|Audit Trail||The Audit Trail button downloads a CSV file that shows the full audit trail of the playbook, including dates and times.|
Use keyboard shortcuts in the classic playbook editor
View or edit the Python code in playbooks
This documentation applies to the following versions of Splunk® SOAR (Cloud): current