The visual editor for classic playbooks is now removed. Convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
For details, see:
Manage settings for a playbook in
After you have saved a playbook, you can manage the settings for a specific playbook.
Access the playbook settings in one of these two ways:
- Within the playbook editor, select Settings.
- From other locations in
- In , from the Home menu, select Playbooks.
- Locate the playbook that you want to review settings for and select the playbook name.
- In the playbook editor, select Settings.
The following table describes the fields in the playbook settings. The fields you will see depend on whether you are configuring an input or automation playbook.
The fields Run automatically when, Logging, Active, and Safe Mode don't persist when you export a playbook. If you want to use any of these fields in an imported playbook, you will need to set them again.
| Field | Description | Available in automation playbook? | Available in input playbook? |
|---|---|---|---|
| Operates on | Select one or more event labels that this playbook runs on. Most playbooks are designed to work with data in a certain category, and therefore a certain label for events. Every event in has a label associated with it, such as Events or Email. For more on labels in , see Configure labels to apply to containers in Administer . | Yes | No |
| Category | Use categories to organize your playbooks. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development. | Yes | Yes |
| Run as | The automation user uses to run the playbook. | Yes | No |
| Tags | Use tags to provide additional metadata to group playbooks together. You can create tags for playbook within the same category or across multiple categories. | Yes | Yes |
| Run automatically when | Run the playbook automatically when the condition you specify occurs. This setting requires that the Active toggle, described later in this table, is set to On. Conditions you can specify include:
|
Yes | No |
| Logging | Toggle this switch to turn on debug logging each time the playbook is run. This might be useful when create a new playbook. If the playbook has an error, you are able to see what the problem was using debug logging. Eventually, when the playbook works like you expect, turn logging off to save disk space. | Yes | Yes |
| Active | Toggle this switch to make the playbook run automatically based on the condition you specify in Run automatically when, described earlier in this table. | Yes | No |
| Safe Mode | Toggle this switch to put the playbook in read-only mode. Read and write permissions are defined by each connector in . For example, in an LDAP connector, get users is a read-only action, while reset password is read-write.
|
Yes | Yes |
| Draft Mode | Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active. | Yes | Yes |
| Description | Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook, and appears on the playbooks page. | Yes | Yes |
| Notes | Notes aren't visible anywhere else in and can only be viewed by editing the playbook. | Yes | Yes |
| Export Playbook | Export a playbook to download the current version of the playbook. This setting allows you to share playbooks with other users. You can import the file on the playbooks page. | No | No |
| Parent Playbooks | Expand the Parent Playbooks section to open any parent playbooks associated with this playbook. If there are no parent playbooks associated with this playbook, this section is not displayed. |
Yes | Yes |
| View Keyboard Shortcuts | Select View Keyboard Shortcuts to see more information about keyboard shortcuts or to view the documentation. | Yes | Yes |
| Revision History | Select Revision History to view a playbook's revision history. This section does not display the first time you save a playbook; it displays only after you have saved changes to a playbook.
|
Yes | Yes |
| Audit Trail | Select Audit Trail to download a comma-separated value (CSV) file that shows the full audit trail of the playbook, including dates and times. | Yes | Yes |
| Docs/View Documentation |
Select the View Documentation link in the playbook editor to go to the documentation page for . |
Yes | Yes |
| Tenants | Select one or more tenants to run the playbook against the containers belonging to the selected tenants. Use an asterisk (*) to run the playbook on containers for all tenants. This field is only available in Splunk SOAR on-premises deployments. |
Yes | Yes |
Last modified on 20 February, 2025
| Export and import playbooks in | Update from source control in |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Download manual
Feedback submitted, thanks!