Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Automate responses with Splunk Enterprise Security playbook blocks

When you pair your instance with your Splunk Enterprise Security instance, you can use data from Splunk Enterprise Security in playbook blocks to automate against your Splunk Enterprise Security incidents.

To add a Splunk Enterprise Security block that uses data from Splunk Enterprise Security, follow these steps:

Before you begin: If you have not already done so, create a playbook, as described in Create a new playbook in Splunk SOAR (Cloud).

  1. Select the half-circle icon attached to any existing block in the editor. Select an Enterprise Security block from the menu that appears.
  2. In the configuration panel, select the Enterprise Security API you want to configure, or search for an API name in the search field. See the list of available options later in this article.
    As an example, select get tasks to get tasks for the incident this playbook is automating against.
  3. Specify the parameters used in the API by using the datapath picker. For more information on parameters, hover over the information icon listed by the parameters. An asterisk * next to a field indicates required inputs.
    For the get tasks example, select the id* field to open the datapath picker.
  4. The first panel of the datapath picker has two sections:
    • Splunk Enterprise Security, for data coming from Splunk Enterprise Security
    • Splunk SOAR, for data residing in Splunk SOAR, including data about the playbook itself, like the launching user.
    For the example, in the Splunk Enterprise Security section, select finding then, in the second panel of the datapath picker, select id to populate the datapath.
  5. (Conditional) Some inputs for the APIs require a list of paired values. For example, the create event API requires input pairs. For these APIs, select the + Item button to add a pair, then select datapaths for the name and value. For example, if you were using the create event API in a playbook as part of geolocating an IP address, you could enter dest_country_name as the name of the field that you want to update, and in the value field, select geolocate_ip_1 then country_name from the datapath picker.
  6. (Conditional) If the datapath you need isn't available, create a custom datapath. When you add a custom datapath, it is available only for the block you add it to. To create a custom datapath, follow these steps:
    1. Hover over a datapath field title, like finding_ids and select +.
    2. Enter a name for the datapath.
    3. Select either Key or List. Use Key to use one value, and use List to use a list of values. Using List adds a .* value to the datapath and it appears as <list_name [] > with datapaths nested below it in the datapath picker. To add more values to your List, select the + icon under the top value of the list.
    4. Select Save to save the custom datapath.
      For details on custom datapaths, and an example, see Example: Add a custom datapath to a playbook block.
  7. Repeat this process for each required field in the API. When you have specified all required fields for the API, select Done.
  8. Optionally configure Advanced settings for a Splunk Enterprise Security block. You can use Join Settings, Scope, and Action Settings in a Splunk Enterprise Security block. For more information on these settings, see Advanced settings.
  9. Optionally, specify if you want to repeat this block with a logic loop. For details on looping, see Repeat actions with logic loops.
  10. Enter a name for the playbook.

    Use 250 characters or fewer for the name of a playbook.

  11. Select Save to save the playbook.
  12. Enter a comment about this playbook.
  13. Select Save again.
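The Key and List datapath behaviour from step 6, and the name/value pairs from step 5, shown in a small resolver. This is an added example, not Splunk SOAR's own code: the dotted path syntax, the `*` list segment and the sample finding are assumptions made for illustration.

```python
"""Resolve datapaths against a constructed Splunk Enterprise Security context.

Added example, not Splunk's code. A Key datapath ('finding.id') yields one
value; a List datapath carries a '*' segment ('finding.tasks.*.name') and
yields every matching value. Path syntax and sample data are assumptions.
"""
from typing import Any

# Constructed sample shaped like what the datapath picker exposes (assumed).
SAMPLE_CONTEXT = {
    "finding": {
        "id": "finding-0001",
        "tasks": [
            {"name": "Triage", "status": "done"},
            {"name": "Contain", "status": "open"},
        ],
    },
    "geolocate_ip_1": {"country_name": "Example Land"},
}


def resolve(datapath: str, context: dict) -> Any:
    """Walk a dotted datapath; a missing segment raises KeyError so a
    misconfigured required (*) field fails loudly instead of silently."""
    return _walk(datapath.split("."), context)


def _walk(segments: list, node: Any) -> Any:
    if not segments:
        return node
    head, rest = segments[0], segments[1:]
    if head == "*":  # List datapath: expand every element of the list
        if not isinstance(node, list):
            raise TypeError(f"'*' applied to a non-list value: {node!r}")
        results = []
        for item in node:
            value = _walk(rest, item)
            # A nested '*' already returns a list; flatten it into one list.
            results.extend(value) if "*" in rest else results.append(value)
        return results
    if not isinstance(node, dict) or head not in node:
        raise KeyError(f"datapath segment {head!r} not found")
    return _walk(rest, node[head])


def build_pairs(pairs: list, context: dict) -> dict:
    """Build the name/value pairs a 'create event' input needs, for example
    dest_country_name taken from geolocate_ip_1 -> country_name (step 5)."""
    return {name: resolve(path, context) for name, path in pairs}
```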


See also

Run a playbook that automates against Splunk Enterprise Security

You can run a playbook that automates against Splunk Enterprise Security from the following locations:

Available options in the Splunk Enterprise Security block

Use the Splunk Enterprise Security block to set parameters of the incident it's running on. For example, you can use get tasks to get all the tasks of the incident. The following table describes the options available in the Splunk Enterprise Security block.

API | Description
add finding or investigation note | Add a note to the finding or investigation.
add investigation file | Add an attachment to the KV store.
add response plan | Apply a response template to an incident.
add task | Add a task to the response plan phase you are currently working on.
add task file | Add an attachment to a task.
add task note | Add a note to a task. Author and update time are populated automatically.
create event | Create an event to be part of an incident.
delete event | Delete an event that is part of an incident.
delete finding or investigation note | Delete a note in an incident.
delete investigation file | Delete an investigation file from the KV store.
delete task file | Delete the attachment from a task and from the collection, if applicable.
delete task note | Delete the note and attachments from a task.
get file | Download an attachment stored in the KV store.
get files in investigation | Return all files from an investigation.
get finding metadata | Return metadata associated with your Splunk Enterprise Security finding.
get finding or investigation | Retrieve a finding or investigation by the finding or investigation ID without running a search. The response matches the data available for dispatch to automation.
get notes in finding or investigation | Get notes from the finding or investigation.
get phase | Get the current response plan phase of an investigation.
get phase id | Retrieve a phase ID by providing the investigation ID, phase name, and response template name. The response matches the data available for dispatch to automation.
get response templates | Get all response templates within Splunk Enterprise Security.
get task | Get a specific response plan task from the current response plan phase.
get task file | Get the base64 file contents from an attachment in a task.
get task id | Retrieve a task ID by providing the investigation ID, phase name, and response template name. The response matches the data available for dispatch to automation.
get task notes | Get all the notes from a response plan task.
get tasks | Get all tasks of an investigation.
refresh | Refresh a finding or investigation, given its ID.
set phase | Set the current response plan phase of an incident.
update findings or investigations note | Update a note in a finding or investigation.
update finding or investigation | Update a Splunk Enterprise Security finding or investigation.
update task | Update a specific response plan task in the current response plan phase.
update task note | Update a note in a task.
Last modified on 18 September, 2024
This documentation applies to the following versions of Splunk® SOAR (Cloud): current