Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The visual editor for classic playbooks is now removed. Convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:

Manage settings for a playbook in

After you have saved a playbook, you can manage the settings for a specific playbook.

Access the playbook settings in one of these two ways:

  • Within the playbook editor, select Settings.
  • From other locations in
    1. In , from the Home menu, select Playbooks.
    2. Locate the playbook that you want to review settings for and select the playbook name.
    3. In the playbook editor, select Settings.

The following table describes the fields in the playbook settings. The fields you will see depend on whether you are configuring an input or automation playbook.

The fields Run automatically when, Logging, Active, and Safe Mode don't persist when you export a playbook. If you want to use any of these fields in an imported playbook, you will need to set them again.

Field Description Available in automation playbook? Available in input playbook?
Operates on Select one or more event labels that this playbook runs on. Most playbooks are designed to work with data in a certain category, and therefore a certain label for events. Every event in has a label associated with it, such as Events or Email. For more on labels in , see Configure labels to apply to containers in Administer . Yes No
Category Use categories to organize your playbooks. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development. Yes Yes
Run as The automation user uses to run the playbook. Yes No
Tags Use tags to provide additional metadata to group playbooks together. You can create tags for playbook within the same category or across multiple categories. Yes Yes
Run automatically when Run the playbook automatically when the condition you specify occurs. This setting requires that the Active toggle, described later in this table, is set to On. Conditions you can specify include:
  • Artifact created: A user, including the automated user, creates an artifact within a specified container.
  • Container resolved: A user moves the container into a status within the Resolved status group, such as Closed. The playbook is not automatically run if the container is resolved by an automation user, an app, or by another playbook.
Yes No
Logging Toggle this switch to turn on debug logging each time the playbook is run. This might be useful when create a new playbook. If the playbook has an error, you are able to see what the problem was using debug logging. Eventually, when the playbook works like you expect, turn logging off to save disk space. Yes Yes
Active Toggle this switch to make the playbook run automatically based on the condition you specify in Run automatically when, described earlier in this table. Yes No
Safe Mode Toggle this switch to put the playbook in read-only mode. Read and write permissions are defined by each connector in . For example, in an LDAP connector, get users is a read-only action, while reset password is read-write.


Specifying the Safe Mode setting applies only to the current playbook, and not to any child playbooks called by that playbook. Specify Safe Mode for child playbooks directly.

Yes Yes
Draft Mode Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active. Yes Yes
Description Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook, and appears on the playbooks page. Yes Yes
Notes Notes aren't visible anywhere else in and can only be viewed by editing the playbook. Yes Yes
Export Playbook Export a playbook to download the current version of the playbook. This setting allows you to share playbooks with other users. You can import the file on the playbooks page. No No
Parent Playbooks Expand the Parent Playbooks section to open any parent playbooks associated with this playbook.
If there are no parent playbooks associated with this playbook, this section is not displayed.
Yes Yes
View Keyboard Shortcuts Select View Keyboard Shortcuts to see more information about keyboard shortcuts or to view the documentation. Yes Yes
Revision History Select Revision History to view a playbook's revision history.
This section does not display the first time you save a playbook; it displays only after you have saved changes to a playbook.
  • Select View to view a previous revision of the playbook. You can make edits, then save the edits as a new version.
  • Select Revert to use the corresponding previous version of the playbook as the most current version.
Yes Yes
Audit Trail Select Audit Trail to download a comma-separated value (CSV) file that shows the full audit trail of the playbook, including dates and times. Yes Yes
Docs/View Documentation

Select the View Documentation link in the playbook editor to go to the documentation page for .

Yes Yes
Tenants Select one or more tenants to run the playbook against the containers belonging to the selected tenants. Use an asterisk (*) to run the playbook on containers for all tenants.

This field is only available in Splunk SOAR on-premises deployments.

Yes Yes
Last modified on 20 February, 2025
Export and import playbooks in   Update from source control in

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters