Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Add an action block to your playbook

Perform the following steps to add an Action block to a playbook.

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select an Action block from the menu that appears. Actions available to you in the playbook editor are determined by the apps that are installed and configured on . See Add and configure apps and assets to provide actions in .
  2. Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed.
  3. (Optional) You can also filter the list of actions by action type. Select By App or By Action. Click By App to view a list of configured apps, and then select an available action provided by the selected app.
  4. Select a configuration that you want to run the action on. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which would require you to configure one instance of a specific app for each network.
  5. Specify the datapath to the field on which you want to perform the action with the configuration. For example, an IPS event may have fields like sourceAddress and destinationAddress and the attack signature. When a notable is created in , it has an artifact with fields for the sourceAddress and destinationAddress from the event. For details on specifying datapaths, see Specify data in your playbook.
  6. (Optional) Create a custom datapath if the datapath you need isn't available. For details on creating a custom datapath, see Custom datapaths in the Specify data in your playbook article.
  7. Click Done.
  8. Click Save.
  9. Enter a comment about this action.

You can also configure Advanced settings for an Action block. You can use Join Settings, Scope, and Action Settings in an Action block. For more information on these settings, see Advanced settings.

Last modified on 07 March, 2023
PREVIOUS
Add a new block to your playbook
  NEXT
Run other playbooks inside your playbook in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters