Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Manage settings for a playbook in

The Classic Visual Playbook Editor is not available in Splunk SOAR (Cloud) FedRAMP Moderate environments. Use the modern Visual Playbook editor instead.

After you have saved a playbook, you can manage the settings for a specific playbook.

Access the playbook settings in one of these two ways:

  • Within the playbook editor, select Settings.
  • From other locations in
    1. In , from the Home menu, select Playbooks.
    2. Locate the playbook that you want to review settings for and select the playbook name.
    3. In the playbook editor, select Settings.

The following table describes the fields in the playbook settings. The fields you will see depend on the type of playbook you are configuring. If your Splunk SOAR (Cloud) instance is paired with your Splunk Enterprise Security instance, the playbook types are Input, SOAR, and Enterprise Security. Otherwise, the options are automation and input playbook. For details on different playbook types, see Create a new playbook in Splunk SOAR (Cloud).

The fields Run automatically when, Logging, Active, and Safe Mode don't persist when you export a playbook. If you want to use any of these fields in an imported playbook, you will need to set them again.

Field Description Available in automation/SOAR playbook? Available in input playbook? Available in Enterprise Security playbook?
Playbook type Change between SOAR and Enterprise Security playbook types. The change takes effect when you save the playbook. Some functionality is lost when you change playbook types. For example, changing from an Enterprise Security block removes the finding section from the datapath picker. If needed, you can revert to an earlier version of the playbook in the playbook revision history, described later in this table.

Before changing a playbook's type, set it to inactive or remove it from any Enterprise Security automation rules.
Yes Cannot change Yes
Operates on Select one or more event labels that this playbook runs on. Most playbooks are designed to work with data in a certain category, and therefore a certain label for events. Every event in has a label associated with it, such as Events or Email. For more on labels in , see Configure labels to apply to containers in Administer . Yes No Value is always es_soar_integration and cannot be changed.
Category Use categories to organize your playbooks. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development. Yes Yes Yes
Run as The automation user uses to run the playbook. Yes No No
Tags Use tags to provide additional metadata to group playbooks together. You can create tags for playbook within the same category or across multiple categories. Yes Yes Yes
Run automatically when Run the playbook automatically when the condition you specify occurs. This setting requires that the Active toggle, described later in this table, is set to On. Conditions you can specify include:
  • Artifact created: A user, including the automated user, creates an artifact within a specified container.
  • Container resolved: A user moves the container into a status within the Resolved status group, such as Closed. The playbook is not automatically run if the container is resolved by an automation user, an app, or by another playbook.
Yes No No
Logging Toggle this switch to turn on debug logging each time the playbook is run. This might be useful when create a new playbook. If the playbook has an error, you are able to see what the problem was using debug logging. Eventually, when the playbook works like you expect, turn logging off to save disk space. Yes Yes Yes
Active Toggle this switch to make the playbook run automatically based on the condition you specify in Run automatically when, described earlier in this table. Yes Yes No
Safe Mode Toggle this switch to put the playbook in read-only mode. Read and write permissions are defined by each connector in . For example, in an LDAP connector, get users is a read-only action, while reset password is read-write.


Specifying the Safe Mode setting applies only to the current playbook, and not to any child playbooks called by that playbook. Specify Safe Mode for child playbooks directly.

Yes Yes Yes
Draft Mode Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active. Yes Yes Yes
Description Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook, and appears on the playbooks page. Yes Yes Yes
Notes Notes aren't visible anywhere else in and can only be viewed by editing the playbook. Yes Yes Yes
Export Playbook Export a playbook to download the current version of the playbook. This setting allows you to share playbooks with other users. You can import the file on the playbooks page.
Available only for Classic-type playbooks, which are currently deprecated.
No No No
Parent Playbooks Expand the Parent Playbooks section to open any parent playbooks associated with this playbook.
If there are no parent playbooks associated with this playbook, this section is not displayed.
Yes Yes Yes
View Keyboard Shortcuts Select View Keyboard Shortcuts to see more information about keyboard shortcuts or to view the documentation. No Yes Yes
Revision History Select Revision History to view a playbook's revision history.
This section does not display the first time you save a playbook; it displays only after you have saved changes to a playbook.
  • Select View to view a previous revision of the playbook. You can make edits, then save the edits as a new version.
  • Select Revert to use the corresponding previous version of the playbook as the most current version.
Yes Yes Yes
Audit Trail Select Audit Trail to download a comma-separated value (CSV) file that shows the full audit trail of the playbook, including dates and times. Yes Yes Yes
View Documentation Select the View Documentation link to view documentation about playbooks. Yes Yes Yes
Last modified on 06 November, 2024
Export and import playbooks in   Update from source control in

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters