Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The visual editor for classic playbooks is now removed. Convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:

View or edit playbook settings in Splunk SOAR

To view or edit playbook settings after you've saved a playbook, click Playbook Settings. You can also view playbook settings before a playbook is saved, but not all fields are available until after the playbook is saved.

The following table describes the fields in the playbook settings.

Field Description
Python version The Python version for your playbook. If you are using an older version of Python, you can select to update to a newer version.

After you change the Python version, you cannot return to a deprecated or unsupported Python version. Make a copy of your playbook before updating its Python version, so you can refer to the original code, if needed.

After you change the Python version, validate your code and make any updates needed for the updated Python version.

Playbook type Whether the playbook is SOAR, Enterprise Security, or Input. You can choose to change the playbook type here. Changing the playbook type might require some playbook updates.
Operates on Related information in Splunk SOAR is organized in containers. Playbooks contain the list of artifacts the playbook work on and the results of the playbook and action runs. A playbook can't run without an associated container, which holds the inputs and outputs for a playbook run. Containers also have a label associated with them, which is used to group together different kinds of information. For example, Splunk SOAR includes one default notable label, Events. Other labels could be Intelligence for data from threat and intel feeds or Phishing for phishing emails. Playbooks are designated to run on particular labels. Select which labels this playbook works on from the Operates on field. Most playbooks are designed to work on a particular category, and therefore a particular label.
Category Use categories to organize and save your playbooks into folders. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development.
Run as The service account used by Splunk SOAR to run the playbook.
Tags Select one or more tags to add to the playbook. Adding tags is useful for associating playbooks with other objects in Splunk SOAR to associate them with each other.
Run automatically when Available only for SOAR/Automation playbooks.
Select whether you want to run the playbook when an artifact is created (like when a suspicious file is downloaded) or when a container is resolved (like sending a notification to a supervisor that a case has closed).
Logging Toggle this switch to turn on debug logging each time the playbook is run. Logging might be useful when you create a new playbook. Later, you can turn logging off to save disk space.
Active The playbook will automatically run on every new container or artifact that comes into Splunk SOAR, for the playbook labels it is set to run on.
Safe Mode Toggle this switch to put the playbook in read-only mode. By turning on Safe Mode, the playbook will be unable to run read-write actions. Read and write actions are defined by each app in Splunk SOAR.
Draft Mode Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active.
Description Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook and appears on the playbooks page.
Notes Notes can be viewed only by editing the playbook.
View Keyboard Shortcuts Select to view the keyboard shortcuts available while using the visual playbook editor. For details, see Use keyboard shortcuts in the playbook editor.
Revision History In the Playbook History window, select View to see a previous revision of the playbook. You can make edits and save as a new version, or click Latest Version to return to the most current version.

Select Revert to use the corresponding previous version of the playbook as the most current version.

Audit Trail Select the Audit Trail button to download a CSV file that shows the full audit trail of the playbook, including dates and times.
Last modified on 28 May, 2025
Find existing playbooks for your apps   View or edit the Python code in playbooks

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters