Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Add an action block to your playbook

Perform the following steps to add an Action block to a playbook.

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select an Action block from the menu that appears. Actions available to you in the playbook editor are determined by the apps that are installed and configured on your Splunk SOAR (On-premises) instance. See Add and configure apps and assets to provide actions in Splunk SOAR (On-premises).
  2. Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed.
  3. (Optional) You can also filter the list of actions by action type. Select By App or By Action. Click By App to view a list of configured apps, and then select an available action provided by the selected app.
  4. Select a configuration that you want to run the action on. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which would require you to configure one instance of a specific app for each network.
  5. Select the field on which you want to perform the action with the configuration. For example, an IPS event may have fields like sourceAddress and destinationAddress and the attack signature. When a notable is created in Splunk SOAR (On-premises), it has an artifact with fields for the sourceAddress and destinationAddress from the event. Search for one of these fields to perform the action on. Press Enter to go to the next result, or use the up and down result icons to navigate results. You can also expand or collapse the lists by using the expand or collapse list icons.
  6. (Optional) Create a custom datapath if the datapath you need isn't available. When you add a custom datapath, it is only available for the block you add it to. To create a custom datapath, follow these steps:
    1. Hover over a datapath field title and click +.
    2. Enter the datapath name.
    3. Select either Key or List from the drop-down menu. Use Key to use one value, and use List to use a list of values. Using List adds a .* value to the datapath and it appears as <list_name [] > with datapaths nested below it in the datapath picker. To add more values to your List, click the + icon under the top value of the list.
    4. Click Save.
  7. Click Done.
  8. Click Save.
  9. Enter a comment about this action.

You can also configure Advanced settings for an Action block. You can use Join Settings, Scope, and Action Settings in an Action block. For more information on these settings, see Advanced settings.

Example: Add a custom datapath to a playbook block

You might want to create a custom datapath if the datapath you need isn't available. This can happen when running actions with dynamic results. For example, if you execute a "run query" action on the Splunk app in Splunk SOAR (On-premises), the action result output includes a dynamic list of fields that are defined as part of the query that was run. These fields don't appear in the datapath selector; however, they can be added by creating a custom datapath. In this instance, if the name of the action result output wasn't available, you can create the custom datapath action_result.data.*.hostname. To create this custom datapath, follow these steps:

  1. Add an action block to your playbook by dragging and dropping the half-circle icon attached to any existing block in the editor. Select an Action block from the menu that appears.
  2. Search for and select the action run query on the Splunk app in the By Action tab in the block.
  3. In the Configure tab for the block, enter the SPL query host="web_application" to run a run query action on the Splunk app in Splunk SOAR (On-premises).
  4. Click on the block you want to add the custom datapath to and select the datapath run_query_1. Once you select this, you see that the hostname isn't available even though it was visible when running your query in Splunk.
  5. Add the custom datapath hostname under data [] . Custom datapaths only appear in the block they were added in:
    1. Hover over the data field title and click +.
    2. Enter the datapath name hostname as a Key.
    3. Click Save.

The custom datapath appears in the list under data [] as hostname.
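To show what a datapath such as action_result.data.*.hostname actually selects, here is an added Python example (not Splunk SOAR's own code) that resolves datapaths against a constructed "run query" action result, using the conventions described above: a .* segment fans out over every element of a list, and any other segment is a key. The result structure and field values are assumptions modelled on the page's description.

```python
# Added illustration: resolve SOAR-style datapaths such as
# "action_result.data.*.hostname" against a constructed action result.
# This is not Splunk SOAR's own code; the result layout is an assumption
# modelled on the page's description (a "data" list of per-row dicts).
from typing import Any, List

# Constructed sample: what a "run query" action result might hold for the
# SPL query host="web_application". Field names and values are assumed.
SAMPLE_ACTION_RESULT = {
    "action_result": {
        "status": "success",
        "parameter": {"query": 'host="web_application"'},
        "data": [
            {"hostname": "web01", "status": 200, "uri": "/login"},
            {"hostname": "web02", "status": 500, "uri": "/api"},
            {"status": 404, "uri": "/missing"},  # row with no hostname field
        ],
    }
}


def resolve_datapath(obj: Any, datapath: str) -> List[Any]:
    """Return every value the datapath selects from obj.

    Segments are separated by '.'; a '*' segment expands to each element of
    a list (the '.*' SOAR adds when you choose List for a datapath). Keys
    missing from a row are skipped rather than raising, so a partial row
    does not break the lookup for the other rows.
    """
    values = [obj]
    for segment in datapath.split("."):
        next_values = []
        for value in values:
            if segment == "*":
                if isinstance(value, list):
                    next_values.extend(value)
            elif isinstance(value, dict) and segment in value:
                next_values.append(value[segment])
        values = next_values
    return values


if __name__ == "__main__":
    for path in ("action_result.data.*.hostname",
                 "action_result.data.*.status",
                 "action_result.parameter.query"):
        print(path, "->", resolve_datapath(SAMPLE_ACTION_RESULT, path))
```

Note that the third sample row has no hostname, so the datapath yields two values from three rows; a playbook branching on that datapath should expect fewer values than rows.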

Last modified on 22 September, 2021

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1
