The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Add a new block to your playbook using the classic playbook editor
The Classic Visual Playbook Editor is not available in Splunk SOAR (Cloud) FedRAMP Moderate environments. Use the modern Visual Playbook editor instead.
To add a new block to a playbook, drag the half-circle icon attached to any block on the canvas. Release your mouse to create a new empty block connected to the originating block with an arrow.
When you place a new block on the editor, a set of playbook types appears for you to select:
| Playbook type | Description |
|---|---|
| Action | Run an action provided by an app that is installed and configured in . For example, you can use the MaxMind connector to geolocate an IP address. See Add an Action block to a playbook using the classic playbook editor. |
| Playbook | Run an existing playbook inside your current playbook. See Run other playbooks inside your playbook using the classic playbook editor. |
| API | Perform an action by making an API call. See Set container parameters in using the API block. |
| Filter | Filter the results of the previous block. For example, you can separate items that have a specific severity and perform a different set of actions on those items. See Use filters to separate artifacts before further processing with the classic playbook editor. |
| Decision | Make a decision and perform different actions depending on the results of the previous block. For example, you can blacklist all destination IPs that belong to a specific country. See Use decisions to send artifacts to a specific downstream action with the classic playbook editor. |
| Format | Format the results of the previous block. For example, you can gather data, format that data in a specific way, and send an email. Customize the format of your playbook content using the classic playbook editor. |
| Prompt | Require a user to take action before proceeding to the next block. See Require user input to continue running the playbook using the classic playbook editor. |
| Manual Task | Send a message to a user or group that must be acknowledged. See Require user input to continue running the playbook using the classic playbook editor. |
| Custom Function | Add custom Python code to your playbook to expand the kinds of processing that are performed by the playbook. Add custom code to your playbook with the Custom Function block using the classic playbook editor. |
| Legacy Custom Function | Legacy custom functions are the custom functions that were introduced for playbooks in Splunk Phantom version 4.2. Add custom code to your Playbook with the Legacy Custom Function block using the classic playbook editor. Legacy custom functions are supported for users transitioning from Splunk Phantom to . Legacy custom functions should be converted to the newer custom function type. For information on converting legacy custom functions to new custom functions, see Convert legacy custom functions to new custom functions. |
Last modified on 06 November, 2024
| Create a new playbook in using the classic playbook editor | Add an Action block to a playbook using the classic playbook editor |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Download manual
Feedback submitted, thanks!