Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor


Add additional functionality to your playbook using the Utility block

This feature is currently in beta.

Use the Utility block to expand the functionality of your playbooks. You can use custom functions and APIs from the Utility block. Custom functions enable you to use your Python skills to expand the kinds of processing performed in a playbook, such as applying string transformations, parsing a raw data input, or calling a third-party Python module. Custom functions can also interact with the REST API in a customizable way. You can share custom functions across your team and across multiple playbooks to increase collaboration and efficiency.
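The following is an added example of the "parsing a raw data input" use case, not code from the Splunk SOAR documentation: a custom-function style parser that turns a key=value event line into structured fields a later block can branch on. It assumes the usual custom function convention of keyword input parameters in and a JSON-serializable dict of outputs out; the parameter names raw_event and required_keys and the sample event line are constructed for this example.

```python
import json
import re

# Constructed sample input: a raw key=value event line such as an artifact's
# message field might carry (not taken from any real system).
SAMPLE_EVENT = 'ts=2022-12-07T10:15:00Z src=10.0.0.5 dst=203.0.113.9 action=blocked proto=tcp dport=445'

# key=value pairs; values may be double-quoted to allow spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_event(raw_event=None, required_keys=None, **kwargs):
    """Custom-function style parser: keyword inputs in, JSON-serializable dict out.

    Inputs (assumed names; in SOAR these would be the function's configured input parameters):
        raw_event      - the raw key=value line to parse
        required_keys  - optional list of keys that must be present
    Outputs:
        fields         - dict of parsed key/value pairs
        missing_keys   - required keys that were absent from the input
        is_complete    - True when no required key is missing
    """
    outputs = {"fields": {}, "missing_keys": [], "is_complete": False}
    if not raw_event:
        # An empty or missing input is a normal failure mode: return the empty
        # shape instead of raising so a downstream decision block can branch on it.
        return outputs
    for key, value in _KV_RE.findall(raw_event):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        outputs["fields"][key] = value
    required = required_keys or []
    outputs["missing_keys"] = [k for k in required if k not in outputs["fields"]]
    outputs["is_complete"] = not outputs["missing_keys"]
    # The return value must be JSON-serializable for the playbook to consume it; fail fast here.
    json.dumps(outputs)
    return outputs


if __name__ == "__main__":
    print(json.dumps(parse_kv_event(SAMPLE_EVENT, ["src", "dst", "user"]), indent=2))
```

Each output key (fields, missing_keys, is_complete) corresponds to an output datapath you would declare on the custom function so later blocks can select it in the datapath picker.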

Configure a utility block

To configure a Utility block, follow these steps:

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select a Utility block from the menu that appears.
  2. Select whether to use a Custom Function or API utility.

Expand playbook functionality with the Custom Function utility

The following prerequisites are needed for using a custom function.

If you selected a Custom Function, complete the following steps:

  1. Click in the search bar to display all of your repositories.
  2. Click the repository your custom function is saved to and either search for your custom function, or select it from the list.
  3. (Optional) Once you have selected a custom function, you can configure the value of the input parameters.
    1. (Conditional) To configure the value of the input parameters, click the > icon to set the properties.
    2. (Conditional) Create a custom datapath for your input parameters if the datapath you need isn't available. When you add a custom datapath, it is only available for the block you add it to. To see an example of a custom datapath, see Example: Add a custom datapath to a playbook block. To create a custom datapath, follow these steps:
      1. Hover over a datapath field title and click +.
      2. Enter the datapath name.
      3. Select either Key or List from the drop-down menu. Use Key to use one value, and use List to use a list of values. Using List adds a .* value to the datapath and it appears as <list_name [] > with datapaths nested below it in the datapath picker. To add more values to your List, click the + icon under the top value of the list.
    3. Click Save.

Set parameters with the API utility

Use the Utility block API to set parameters of the container it's running in. For example, you can use a utility call from the Utility block to set the severity of a container.

If you selected an API, select the utility property you want to set. The following table summarizes the properties that you can set.

Property: Description
add comment: Add a comment to the container. You can either supply a variable or a static string in the input.
add to list: One of two API calls that doesn't operate directly on the container itself. The add to list property takes two parameters: the list that you want to add to, and the data you are adding. If the list doesn't exist, it is created automatically. You can point the data field to a variable by selecting from the drop-down menu or you can type in a fixed string.
add note: Add a note to the container.
add tag: Add a tag to the container.
promote to case: Promote the container to a case.
pin: Pin data to the summary tab in the container. This property takes the following parameters: Message, Data, Pin Type, Pin Color, and Name.
remove list: One of two API calls that doesn't operate directly on the container. The remove list property takes a list name as the single parameter, and deletes that list when it has run.
remove tag: Remove a tag from the container.
set label: Set the label of the container. The drop-down lists all of the labels available on your instance.
set owner: Set the owner of the container.
set sensitivity: Set the sensitivity of the container.
set severity: Set the severity of the container.
set status: Set the status of the container, such as closed.

Finish editing the playbook

When you are finished editing your playbook, do the following:

  1. Click Save to enter your desired settings and playbook name.
  2. Once you have selected a utility, configure the datapaths. Search for the datapath you want to use. Press Enter to go to the next result, or use the up and down result icons to navigate results. You can also expand or collapse the lists by using the expand or collapse list icons. To create a custom datapath, see Example: Add a custom datapath to a playbook block.
  3. Click Done.

You can configure multiple utility calls in any utility block. For example, you can set the label, severity, and status of a container using one utility block.

Last modified on 07 December, 2022

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.4.0
