Determine your playbook flow using the classic playbook editor
The order in which you arrange the blocks and lines in your playbook determine the playbook flow.
Process playbook blocks serially
Serial processing means playbook blocks are performed in the order they are arranged, as shown in the following screenshot:
In this example, the blocks perform as described:
- A
geolocate ipis performed on a source IP address. - When the
geolocate ipaction is finished, alookup ipperforms.
Use serial processing when the operations must happen in a specific order, such as when a downstream block depends on the results from an upstream block.
Processing playbook blocks in parallel
You can also wire blocks to process in parallel, as shown in the following example:
In this case, the geolocate ip and lookup ip actions perform simultaneously, and either action can finish first. You can wire blocks in this manner when you have no dependencies on the completion of either block, or if there are no dependencies between the blocks themselves.
Arranging blocks in a playbook
You can drag blocks around the canvas. Lines connected to boxes automatically arrange themselves when you move blocks around.
Hover over any playbook block and click the trash can icon to delete the block. The corresponding connecting arrow is also deleted.
| Add custom code to your Playbook with the legacy custom function block using the classic playbook editor | Save a playbook so that can access it using the classic playbook editor |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1
Download manual
Feedback submitted, thanks!