Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify them.
For details, see:

Automate responses with Splunk Enterprise Security playbook blocks

When you pair your instance with your Splunk Enterprise Security instance, you can use data from Splunk Enterprise Security in playbook blocks to automate against your Splunk Enterprise Security incidents.

To add a Splunk Enterprise Security block that uses data from Splunk Enterprise Security, follow these steps:

Before you begin: If you have not already done so, create a playbook, as described in Create a new playbook in Splunk SOAR (Cloud).

  1. Select the half-circle icon attached to any existing block in the editor. Select an Enterprise Security block from the menu that appears.
  2. In the configuration panel, select the Enterprise Security API you want to configure, or search for an API name in the search field. See the list of available options later in this article.
    As an example, select get tasks to get tasks for the incident this playbook is automating against.
  3. Specify the parameters used in the API by using the datapath picker. For more information on parameters, hover over the information icon listed by the parameters. An asterisk * next to a field indicates required inputs.
    For the get tasks example, select the id* field to open the datapath picker.
  4. The first panel of the datapath picker has two sections:
    • Splunk Enterprise Security, for data coming from Splunk Enterprise Security
    • Splunk SOAR, for data residing in Splunk SOAR, including data about the playbook itself, like the launching user.
    For the example, in the Splunk Enterprise Security section, select finding then, in the second panel of the datapath picker, select id to populate the datapath.
  5. (Conditional) Some inputs for the APIs require a list of paired values. For example, the create event API requires input pairs. For these APIs, select the + Item button to add a pair, then select datapaths for the name and value. For example, if you were using the create event API in a playbook as part of geolocating an IP address, you could enter dest_country_name as the name of the field that you want to update, and in the value field, select geolocate_ip_1 then country_name from the datapath picker.
  6. (Conditional) If the datapath you need isn't available, create a custom datapath. When you add a custom datapath, it is available only for the block you add it to. To create a custom datapath, follow these steps:
    1. Hover over a datapath field title, like finding_ids and select +.
    2. Enter a name for the datapath.
    3. Select either Key or List. Use Key to use one value, and use List to use a list of values. Using List adds a .* value to the datapath and it appears as <list_name [] > with datapaths nested below it in the datapath picker. To add more values to your List, select the + icon under the top value of the list.
    4. Select Save to save the custom datapath.
      For details on custom datapaths, and an example, see Example: Add a custom datapath to a playbook block.
  7. Repeat this process for each required field in the API. When you have specified all required fields for the API, select Done.
  8. Optionally configure Advanced settings for a Splunk Enterprise Security block. You can use Join Settings, Scope, and Action Settings in a Splunk Enterprise Security block. For more information on these settings, see Advanced settings.
  9. Optionally, specify if you want to repeat this block with a logic loop. For details on looping, see Repeat actions with logic loops.
  10. Enter a name for the playbook.

    Use 250 characters or fewer for the name of a playbook.

  11. Select Save to save the playbook.
  12. Enter a comment about this playbook.
  13. Select Save again.
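The following is an added illustration, not Splunk SOAR code, of the datapath behaviour described in steps 5 and 6: a Key datapath resolves to one value, a List datapath (the `.*` segment) fans out over every item, and the resolved values are assembled into name/value pairs of the kind the create event block takes. The data layout, the `resolve` and `build_pairs` helpers, and the `geolocate_ip_1` result shape are constructed assumptions for the example.

```python
"""Hypothetical datapath resolver (not Splunk SOAR's implementation)."""
from typing import Any, Dict, List, Tuple

# Constructed sample data mirroring the two datapath picker sections:
# a Splunk Enterprise Security finding, and the result of an earlier
# geolocate_ip_1 block. Values are made up for the example.
SAMPLE_DATA = {
    "finding": {"id": "FND-0001", "title": "Suspicious outbound connection"},
    "geolocate_ip_1": {
        "action_result": {
            "data": [
                {"ip": "203.0.113.10", "country_name": "Example Land"},
                {"ip": "198.51.100.7", "country_name": "Sample Republic"},
            ]
        }
    },
}


def resolve(data: Any, datapath: str) -> Any:
    """Walk a dot-separated datapath. A '*' segment (what selecting List
    adds as '.*') expands over a list and returns one value per item; a
    path without '*' (a Key datapath) returns a single value."""
    if datapath == "":
        return data
    head, _, rest = datapath.partition(".")
    if head == "*":
        if not isinstance(data, list):
            raise TypeError(f"'*' reached a non-list value: {data!r}")
        return [resolve(item, rest) for item in data]
    if not isinstance(data, dict) or head not in data:
        raise KeyError(f"datapath segment {head!r} not found")
    return resolve(data[head], rest)


def build_pairs(data: Any, pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Assemble name/value pairs for a block such as create event (step 5).
    A List datapath yields several values; they are joined with ', ' so a
    single string is sent for the field (an assumption of this example)."""
    out: Dict[str, str] = {}
    for name, path in pairs:
        value = resolve(data, path)
        if isinstance(value, list):
            value = ", ".join(str(v) for v in value)
        out[name] = str(value)
    return out
```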


Run a playbook that automates against Splunk Enterprise Security

You can run a playbook that automates against Splunk Enterprise Security from the following locations:

Available options in the Splunk Enterprise Security block

Use the Splunk Enterprise Security block to set parameters of the incident it's running on. For example, you can use get tasks to get all the tasks of the incident. The following table describes the options available in the Splunk Enterprise Security block.

API                                       Description
add events                                Add events from any search to an investigation.
add finding or investigation note         Add a note to the finding or investigation.
add investigation file                    Add an attachment to the KV store.
add response plan                         Apply a response template to an incident.
add task file                             Add an attachment to a task.
add task note                             Add a note to a task. The author and update time are populated automatically.
add task to current phase                 Add a task to the response plan phase you are currently working on.
create event                              Create an event to be associated with an investigation.
delete event                              Delete an event that is part of an investigation.
delete file attachments                   Delete a file attachment from Splunk SOAR and Splunk Enterprise Security.
delete finding or investigation note      Delete a note in a finding or an investigation.
delete task file                          Delete the attachment from a task and from the collection, if applicable.
delete task note                          Delete the note and attachments from a task.
get current phase                         Get the current response plan phase of an investigation.
get events                                List all the events associated with an investigation.
get finding metadata                      Retrieve the mutable data from a finding or investigation.
get finding or investigation              Retrieve a finding or an investigation by the GUID or display ID without running a search.
get investigation tasks                   Get the tasks of an investigation in Splunk Enterprise Security.
get notes in finding or investigation     Get notes from the finding or investigation.
get phase id                              Retrieve a phase ID by providing the finding ID or the investigation ID, phase name, and response template name. The response matches the data available for dispatch to automation.
get response plans                        Get all response plans within Splunk Enterprise Security.
get task file                             Get the base64 file contents from an attachment in a task.
get task from current phase               Get a specific response plan task from the current response plan phase.
get task id                               Retrieve a task ID by providing the investigation ID, phase name, and response template name. The response matches the data available for dispatch to automation.
get task notes                            Get all the notes from a response plan task.
list file attachments                     List the Splunk SOAR and Splunk Enterprise Security file attachments for a specific investigation or finding.
refresh                                   Fetch the investigation or finding from Splunk Enterprise Security into Splunk SOAR using a given investigation or finding ID.
set current phase                         Set the current response plan phase of an incident.
start investigations                      Create one or more investigations in Splunk Enterprise Security.
sync file attachments                     Upload the attachments from Splunk Enterprise Security to Splunk SOAR.
update event                              Update an event that is part of an investigation.
update finding or investigation           Update a Splunk Enterprise Security finding or investigation.
update findings or investigations note    Update a note in a finding or investigation.
update task in current phase              Update a specific response plan task in the current response plan phase.
update task note                          Update a note in a task.
Last modified on 06 November, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current
