Add an Action block to a playbook using the classic playbook editor
Perform the following steps to add an Action block to a playbook:
- Drag the half-circle icon attached to any existing block in the editor.
- Select Action from the list of block types. Actions available to you in the playbook editor are determined by the apps that are installed and configured in .
- Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed. You can also filter the list of actions by action type.
- Select investigate, generic, correct, or contain.
- Click By App to view a list of configured apps, and select an available action provided by the selected app.
- Select an asset that you want to run the action on. An asset is a specific configuration or instance of an app. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which require you to configure one instance of a specific app for each network.
- Select the field where you want to perform the asset. For example, an IPS event may have fields like sourceAddress and destinationAddress and the attack signature. When a container is created in , it has an artifact with fields for the sourceAddress and destinationAddress from the event.
- Select one of these fields to perform the action on.
- Click Save.
- Enter a comment about this action.
Configure linked parameters in an Action block when you have multiple assets that share parameters with the same name. For example, you might have multiple assets configured that provide an action to create a ticket with a
subject parameter. In this case, the word "linked" appears above the subject field, indicating that the field is linked to another field with the same name in a different asset. If you change the value here, the value for the field changes in all assets.
If you need to have the field take separate values, create separate action blocks.
Follow these steps to configure advanced settings for an Action block:
- Click Advanced Settings.
- Select General Settings, Action Settings, or Join Settings.
|General Settings||Configure settings for this Action block.
|Action Settings||Configure the action settings that a user must perform.
|Join Settings||You can configure Join settings when you have two blocks with callbacks both calling the same downstream block. Block types with callbacks are Action and Prompt. Configure Join settings from the downstream block. Click the required checkbox if the action in the upstream block must be completed before this downstream block is run.|
Add a new block to your playbook using the classic playbook editor
Use filters to separate artifacts before further processing with the classic playbook editor
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.4.0