Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Require user input using the Prompt block in your playbook

Use a Prompt block in your playbook to send a message that a user or group must acknowledge before the playbook continues running, or to collect required information from them. This is also known as prompt-driven automation.

Using a prompt playbook block, you can send a message to a user or group whether they are logged into Splunk SOAR (an internal prompt) or not (an external prompt). For example, you can prompt a Security Analyst in the Security Operations Center (SOC) who is using Splunk SOAR, or use email to prompt someone in your organization's network operations team to approve a firewall block, even if they don't use Splunk SOAR.

The processes for setting up internal prompts and external prompts are different. Refer to the appropriate section of this article.

Prompt users or groups who are logged into Splunk SOAR (Internal prompts)

To configure an internal prompt, perform the following steps:

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select a Prompt block from the menu that appears.
  2. Select Splunk SOAR users to prompt registered Splunk SOAR users. To prompt other users, refer to the instructions in the next section.
  3. Select a User or Role to approve the prompt. If the task is assigned to a group of users, the first user to approve it starts the playbook run. Consider selecting one of these dynamic roles:
    • Event owner: to prompt the user or role the container is assigned to when the playbook is run.
    • Playbook run owner: to prompt the user who initiated the playbook. If a playbook run is initiated by automation, the prompt block fails and no prompt is sent.
  4. In the Message box, craft a meaningful message so the users receiving the prompt understand what actions they must take.
  5. (Optional) Select + Message Parameter to search for and add the datapath to a message parameter. You can then add the values for this parameter in your message. Optionally add more parameters by selecting the plus icon. For details on specifying datapaths, see Specify data in your playbook. For details on formatting your prompt message, see Customize the format of your playbook content.
  6. Select + Question and enter a question to ask the approver in the Question 1 box. Although questions are not required, they are useful in guiding user responses.
  7. From the Response type list, choose the type of response to the question that is required to complete the task.
  8. Select the Required checkbox if the approver must answer the question in order for the playbook to resume running. If a response is not required, the question is informational.
  9. (Optional) Repeat the previous three steps for additional questions and response types.
  10. From the Required response time field, choose the response time in minutes.
  11. Select Done.

You can also configure Advanced settings for a prompt block. Use the Delimiter box to specify an alternate separator to use when joining parameters that result in a list together. The default separator is ",". Use the Drop None checkbox to select whether or not you want to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included. For more information on other Advanced settings, see Advanced settings.

Additionally, you can select the Info tab to create a custom name for the block, add a description for the block, and add a tooltip to the block. For details, see Use custom names.

Prompt users or groups who are not logged into Splunk SOAR (External prompts)

Prompting users outside of Splunk SOAR involves risks.

To lower the risks of sending prompts to users outside of Splunk SOAR:

  • Carefully consider the distribution for your prompt link and avoid sending unauthenticated prompts to large groups, like distribution lists.
  • Avoid using unauthenticated prompts to approve sensitive actions, like quarantining hosts. Consider requiring SAML authentication instead.

To configure an external prompt for non-Splunk SOAR users, perform the following steps:

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select a Prompt block from the menu that appears.
  2. Select Other users to prompt non-Splunk SOAR users. To prompt Splunk SOAR users, refer to the instructions in the previous section.
  3. (Optional) Select Require SAML authentication to specify that any recipients must be authenticated through SAML.
    For details on configuring SAML groups, see Configure single sign-on authentication.
    1. Select one or more SAML groups that the recipients must belong to so they can answer the prompt.
  4. In the Distribution section, specify how you want to contact the recipients. You can specify up to 4 distribution methods.
    1. Select +Distribution method. Select a method from the list of available options, like SMTP, then select the specific method, like send email. Notice that the options are essentially actions that you are calling from within the prompt block.
    2. Configure the distribution method, specifying datapaths or values for all of the required fields, like, in the case of an email, the recipient and body of the email.
      Within the message body, include a link to the prompt itself, so the user can select it and navigate to the location where they will respond to the prompt. In the datapath picker, locate the prompt block you are working on, like prompt_1. Then select the link parameter, usually ending with .secure_link. For example, here is a datapath for the link when sending an SMTP email: prompt_1:action_result.parameter.secure_link. For details on specifying data in a playbook block, see Specify data in your playbook.
    3. (Optional) For the distribution method, select the Info tab. Specify a descriptive, custom name for the prompt. This is the name that the recipient will see. For details, see Use custom names. You can also add a description and a tooltip to the block.
    4. (Optional) For the distribution method, select the Loop tab. Create a loop for this distribution method, so the prompt will continue to be sent until a condition is met. For example, depending on the urgency of the prompt, you might want to send a Slack message to the recipient every 10 minutes until the recipient responds. For details on configuring loops, see Repeat actions with logic loops.
    5. (Optional) Select +Distribution method to add another distribution method. Repeat the steps in this section.
  5. In the Message box, craft a meaningful message so the users receiving the prompt understand what actions they must take.
  6. (Optional) Select + Message Parameter to search for and add the datapath to a message parameter. You can then add the values for this parameter in your message. Optionally add more parameters by selecting the plus icon. For details on specifying datapaths, see Specify data in your playbook. For details on formatting your prompt message, see Customize the format of your playbook content.
  7. Select + Question and enter a question to ask the approver in the Question 1 box. Although questions are not required, they are useful in guiding user responses.
  8. Select the Required checkbox if the approver must answer the question in order for the playbook to resume running. If a response is not required, the question is informational.
  9. From the Response type list, choose the type of response to the question that is required to complete the task.
  10. (Optional) Repeat the previous three steps for additional questions and response types.
  11. From the Required response time field, choose the response time in minutes.
  12. Select Done.

You can also configure Advanced settings for a prompt block. Use the Delimiter box to specify an alternate separator to use when joining parameters that result in a list together. The default separator is ",". Use the Drop None checkbox to select whether or not you want to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included. For more information on other Advanced settings, see Advanced settings.
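As an added illustration of the message parameter, Delimiter and Drop None behaviour described in the Advanced settings paragraphs above, and of the prompt_1:action_result.parameter.secure_link datapath from step 4, the following Python is a hypothetical model written for this page, not Splunk SOAR's own playbook code. The datapath resolution rules, the sample artifacts and the link value are assumptions constructed for the example.

```python
# Added example (not Splunk SOAR's own code): a hypothetical model of how a Prompt
# block turns message parameters into text, following the documented settings.
from typing import Any

# Constructed playbook data: two artifacts plus the result of the prompt action itself.
SAMPLE_DATA: dict[str, Any] = {
    "artifact": [
        {"cef": {"sourceAddress": "198.51.100.23", "destinationAddress": None}},
        {"cef": {"sourceAddress": "198.51.100.77", "destinationAddress": "10.0.0.5"}},
    ],
    "prompt_1": {"action_result": {"parameter": {
        "secure_link": "https://soar.example.test/prompt/abc123"}}},  # placeholder link
}


def resolve_datapath(data: dict[str, Any], datapath: str) -> list[Any]:
    """Resolve a datapath such as 'artifact:*.cef.sourceAddress' or
    'prompt_1:action_result.parameter.secure_link'. The part before ':' names the
    source object; '*' fans out over a list, so one value per artifact is returned.
    A missing key yields None, which is what Drop None later filters out."""
    source, _, path = datapath.partition(":")
    nodes: list[Any] = [data.get(source)]
    for key in path.split("."):
        nxt: list[Any] = []
        for node in nodes:
            if key == "*" and isinstance(node, list):
                nxt.extend(node)
            elif isinstance(node, dict):
                nxt.append(node.get(key))
            else:
                nxt.append(None)
        nodes = nxt
    return nodes


def join_parameter(values: list[Any], delimiter: str = ",", drop_none: bool = False) -> str:
    """Join a list-valued parameter. Default delimiter is ',' and None values are kept,
    matching the Advanced settings defaults described in the documentation."""
    if drop_none:
        values = [v for v in values if v is not None]
    return delimiter.join(str(v) for v in values)


def render_message(template: str, params: dict[str, str], data: dict[str, Any],
                   delimiter: str = ",", drop_none: bool = False) -> str:
    """Fill a message template: each placeholder maps to a datapath, which is
    resolved and joined with the block's Delimiter / Drop None settings."""
    rendered = {name: join_parameter(resolve_datapath(data, dp), delimiter, drop_none)
                for name, dp in params.items()}
    return template.format(**rendered)
```

With the defaults, a parameter over the destinationAddress field renders as "None,10.0.0.5"; with Drop None selected it renders as "10.0.0.5".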

How Splunk SOAR-licensed recipients respond to prompts

Users or groups who are licensed to use Splunk SOAR receive prompts as emails and as notifications when they are logged into Splunk SOAR. The notifications display on the bell icon near their login name.

How other recipients respond to prompts

For external prompts, Splunk SOAR generates a link where the non-Splunk SOAR user can access the prompt. Those users or groups receive the link by the distribution method you specify, for example, email. When the user accesses the link, and authenticates with SAML if you specify that requirement, they can view the message, respond to it, and answer any questions in the prompt.

The prompt is no longer visible or actionable in the following cases:

  • After the user responds to the prompt
  • If the Required response time specified in the prompt block is reached before the recipient responds to the prompt
  • If a user cancels the prompt

In each of these cases, if the recipient follows the link to the prompt, they will see a message letting them know that the prompt is not available and why.

Last modified on 06 November, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current
