Splunk® SOAR (On-premises)

Python Playbook Tutorial for Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Develop, test, and deploy playbooks in

Playbooks can encode a very simple and repetitive set of simple actions OR can encode a very complex strategy to actively deal with a security breach or an incident. These strategies may be comprised of many actions combined to be executed either serially or in parallel.

Actions can be executed independent of each other (and hence in parallel) if they are called one after the other in a Playbook. However in order to execute them in sequence, either because there is a genuine dependency between two actions (parameters to action #2 are the output of action #1), action #1 has to specify a callback and in the callback of action #1, action #2 can be called.

In order to build these Playbooks and confidently deploy them, the platform supports the ability to debug them so that the author can see what the playbook is doing. Once the author is confident of the results and the Playbook is executing actions as expected, the Playbook can be saved. If the intention is to let the Playbook be executed in real time as new containers or artifacts are coming in, the Playbook has to be enabled.

Last modified on 22 September, 2021
Tutorial: Chain a series of actions in  

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters