Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor

As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Add additional functionality to your playbook in using the Utility block

This feature is currently in beta.

Use the Utility block to expand the functionality of your playbooks in . You can use custom functions and APIs from the Utility block. Custom functions enable you to use your Python skills to expand the kinds of processing performed in a playbook, such as applying string transformations, parsing a raw data input, or calling a third party Python module. Custom functions can also interact with the REST API in a customizable way. You can share custom functions across your team and across multiple playbooks to increase collaboration and efficiency.

Configure a utility block

To configure a Utility block, follow these steps:

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select a Utility block from the menu that appears.
  2. Select whether to use a Custom Function or API utility.

Expand playbook functionality with the Custom Function utility

The following prerequisites are needed for using a custom function.

If you selected a Custom Function, complete the following steps:

  1. Click in the search bar to display all of your repositories.
  2. Click the repository your custom function is saved to and either search for your custom function, or select it from the list.
  3. Configure the parameter datapaths and, optionally, create a custom datapath. For details on creating datapaths, see Specify data in your playbook.
  4. Click Done.

Set parameters with the API utility

Use the Utility block API to set parameters of the container it's running in. For example, you can use a utility call from the Utility block to set the severity of a container.

If you selected an API, select the utility property you want to set. The following table summarizes the properties that you can set.

Property Description
add comment Add a comment to the container. You can either supply a variable or a static string in the input.
add to list One of two API calls that doesn't operate directly on the container itself. The add list property takes two parameters: the list that you want to add to, and the data you are adding. If the list doesn't exist, it is created by . You can point the data field to a variable by selecting from the drop-down menu or you can type in a fixed string.
add note Add a note to the container.
add tag Add a tag to the container.
promote to case Promote the container to a case.
pin Pin data to the summary tab in the container. This property takes the following parameters:
  • Message
  • Data
  • Pin Type
  • Pin Color
  • Name
remove list One of two API calls that doesn't operate directly on the container. The remove list property takes a list name as the single parameter, and deletes that list when it has run.
remove tag Remove a tag from the container.
set label Set the label of the container. The drop-down lists all of the labels available on your instance.
set owner Set the owner of the container.
set sensitivity Set the sensitivity of the container.
set severity Set the severity of the container.
set status Set the status of the container, such as closed.

Finish editing the playbook

When you are finished editing your playbook, do the following:

  1. Click Save to enter your desired settings and playbook name.
  2. After you have selected a utility, configure the datapaths and, optionally, create a custom datapath. For details on creating datapaths, see Specify data in your playbook.
  3. Click Done.

You can configure multiple utility calls in any utility block. For example, you can set the label, severity, and status of a container using one utility block.

Last modified on 07 March, 2023
Add custom code to your playbook with the code block   Use filters in your playbook to specify a subset of artifacts before further processing

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters