After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Manage settings for a playbook in
The Classic Visual Playbook Editor is not available in Splunk SOAR (Cloud) FedRAMP Moderate environments. Use the modern Visual Playbook editor instead.
After you have saved a playbook, you can manage the settings for a specific playbook.
Access the playbook settings in one of these two ways:
- Within the playbook editor, select Settings.
- From other locations in
- In , from the Home menu, select Playbooks.
- Locate the playbook that you want to review settings for and select the playbook name.
- In the playbook editor, select Settings.
The following table describes the fields in the playbook settings. The fields you will see depend on the type of playbook you are configuring. If your Splunk SOAR (Cloud) instance is paired with your Splunk Enterprise Security instance, the playbook types are Input, SOAR, and Enterprise Security. Otherwise, the options are automation and input playbook. For details on different playbook types, see Create a new playbook in Splunk SOAR (Cloud).
The fields Run automatically when, Logging, Active, and Safe Mode don't persist when you export a playbook. If you want to use any of these fields in an imported playbook, you will need to set them again.
Field | Description | Available in automation/SOAR playbook? | Available in input playbook? | Available in Enterprise Security playbook? |
---|---|---|---|---|
Playbook type | Change between SOAR and Enterprise Security playbook types. The change takes effect when you save the playbook. Some functionality is lost when you change playbook types. For example, changing from an Enterprise Security block removes the finding section from the datapath picker. If needed, you can revert to an earlier version of the playbook in the playbook revision history, described later in this table. Before changing a playbook's type, set it to inactive or remove it from any Enterprise Security automation rules. |
Yes | Cannot change | Yes |
Operates on | Select one or more event labels that this playbook runs on. Most playbooks are designed to work with data in a certain category, and therefore a certain label for events. Every event in has a label associated with it, such as Events or Email. For more on labels in , see Configure labels to apply to containers in Administer . | Yes | No | Value is always es_soar_integration and cannot be changed.
|
Category | Use categories to organize your playbooks. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development. | Yes | Yes | Yes |
Run as | The automation user uses to run the playbook. | Yes | No | No |
Tags | Use tags to provide additional metadata to group playbooks together. You can create tags for playbook within the same category or across multiple categories. | Yes | Yes | Yes |
Run automatically when | Run the playbook automatically when the condition you specify occurs. This setting requires that the Active toggle, described later in this table, is set to On. Conditions you can specify include:
|
Yes | No | No |
Logging | Toggle this switch to turn on debug logging each time the playbook is run. This might be useful when create a new playbook. If the playbook has an error, you are able to see what the problem was using debug logging. Eventually, when the playbook works like you expect, turn logging off to save disk space. | Yes | Yes | Yes |
Active | Toggle this switch to make the playbook run automatically based on the condition you specify in Run automatically when, described earlier in this table. | Yes | Yes | No |
Safe Mode | Toggle this switch to put the playbook in read-only mode. Read and write permissions are defined by each connector in . For example, in an LDAP connector, get users is a read-only action, while reset password is read-write.
|
Yes | Yes | Yes |
Draft Mode | Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active. | Yes | Yes | Yes |
Description | Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook, and appears on the playbooks page. | Yes | Yes | Yes |
Notes | Notes aren't visible anywhere else in and can only be viewed by editing the playbook. | Yes | Yes | Yes |
Export Playbook | Export a playbook to download the current version of the playbook. This setting allows you to share playbooks with other users. You can import the file on the playbooks page. Available only for Classic-type playbooks, which are currently deprecated. |
No | No | No |
Parent Playbooks | Expand the Parent Playbooks section to open any parent playbooks associated with this playbook. If there are no parent playbooks associated with this playbook, this section is not displayed. |
Yes | Yes | Yes |
View Keyboard Shortcuts | Select View Keyboard Shortcuts to see more information about keyboard shortcuts or to view the documentation. | No | Yes | Yes |
Revision History | Select Revision History to view a playbook's revision history. This section does not display the first time you save a playbook; it displays only after you have saved changes to a playbook.
|
Yes | Yes | Yes |
Audit Trail | Select Audit Trail to download a comma-separated value (CSV) file that shows the full audit trail of the playbook, including dates and times. | Yes | Yes | Yes |
View Documentation | Select the View Documentation link to view documentation about playbooks. | Yes | Yes | Yes |
Export and import playbooks in | Update from source control in |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!