After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Manage settings for a playbook in
The classic playbook editor will be deprecated soon, in 2024. For information on converting your playbooks, see Convert classic playbooks to modern playbooks.
After you've saved a playbook, you can manage the settings for a specific playbook.
- In Splunk SOAR, from the Home menu, select Playbooks.
- Locate the playbook that you want to review settings for and click on the playbook name.
- In the playbook editor, click Playbook Settings.
The following table describes the fields in the playbook settings. The fields you will see depend on whether you are configuring a classic or modern playbook, and whether your modern playbook is an input or automation playbook.
The fields Logging, Active, and Safe Mode don't persist when you export a playbook. If you want to use any of these fields in an imported playbook, you will need to set them again.
Field | Description | Available in classic playbook? | Available in modern automation playbook? | Available in modern input playbook? |
---|---|---|---|---|
Operates on | Select the event label or labels that this playbook runs on in the Operates on field. Most playbooks are designed to work with data in a particular category, and therefore a particular label for events. Every event in Splunk SOAR has a label associated with it, such as Events or Email. For more on labels in Splunk SOAR, see Configure labels to apply to containers in Administer Splunk SOAR (On-premises). | Yes | Yes | No |
Category | Use categories to organize your playbooks. For example, you can create a Production category for playbooks that are ready to be marked active, and a Test category for playbooks that are under development. | Yes | Yes | Yes |
Run as | The automation user used to run the playbook. | Yes | Yes | No |
Tags | Use tags to provide additional metadata to group playbooks together. You can create tags for playbooks within the same category or across multiple categories. | Yes | Yes | Yes |
Logging | Toggle this switch to turn on debug logging each time the playbook is run. This might be useful when you create a new playbook. If the playbook has an error, you can use debug logging to see what the problem was. When the playbook works as you expect, turn logging off to save disk space. | Yes | Yes | Yes |
Active | Toggle this switch to make the playbook run automatically on every new event or artifact that comes into Splunk SOAR. | Yes | Yes | No |
Safe Mode | Toggle this switch to put the playbook in read-only mode. Read and write permissions are defined by each connector in Splunk SOAR. For example, in an LDAP connector, get users is a read-only action, while reset password is read-write. | Yes | Yes | Yes |
Draft Mode | Toggle this switch to save a draft of your playbook, even if your playbook is incomplete or has errors. Playbooks in draft mode can't be marked active. | Yes | Yes | Yes |
Description | Enter a description for the playbook. The description becomes a triple-quoted comment in the playbook, and appears on the playbooks page. | Yes | Yes | Yes |
Notes | Notes aren't visible anywhere else in Splunk SOAR and can only be viewed by editing the playbook. | Yes | Yes | Yes |
Export Playbook | Export a playbook to download the current version of the playbook. This setting allows you to share playbooks with other users. You can import the file on the playbooks page. | Yes | No | No |
Parent Playbooks | Expand the Parent Playbooks section to view or open the parent playbooks associated with this playbook. If there aren't any parent playbooks associated with this playbook, this section is not displayed. | No | Yes | Yes |
View Keyboard Shortcuts | Click View Keyboard Shortcuts to see more information about keyboard shortcuts or to view the documentation. | No | Yes | Yes |
Revision History | Click Revision History to view a playbook's revision history. | Yes | Yes | Yes |
Audit Trail | Click Audit Trail to download a comma-separated value (CSV) file that shows the full audit trail of the playbook, including dates and times. | Yes | Yes | Yes |
Docs | | Yes | Yes | Yes |
Tenants | Select one or more tenants to run the playbook against the containers belonging to the selected tenants. Use an asterisk (*) to run the playbook on containers for all tenants. This field is only available in Splunk SOAR on-premises deployments. | Yes | Yes | Yes |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2