After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Add a new block to your playbook
To add a new block to a playbook:
- Drag and drop the half-circle icon attached to any existing block in the editor. Select a block type from the menu that appears. Or, click on and drag and drop a block onto the editor from the list of block types.
- Configure the block as needed. See the following table.
- Click Done when you are finished configuring the block.
- Connect your block either by dragging the half circle icon from a previous block to the half circle icon on your new block, or by dragging and dropping a new block onto an existing block. Each new block must be connected to a block before itself. For example if your playbook has a single action, it will connect to the Start block and the End block.
Playbook block type | Description |
---|---|
Action | Run an action provided by an app that is installed and configured in . For example, you can use the MaxMind app to geolocate an IP address. See Add an action block to your playbook. |
Playbook | Run an existing playbook inside your current playbook. See Run other playbooks inside your playbook in . |
Code | Process data with custom code. See Add custom code to your playbook with the code block. |
Utility | Perform an action by making a utility call. See Set notable parameters in using the Utility block. The utility block is also where the custom functions live. |
Filter | Filter the results of the previous block. For example, you can separate items that have a specific severity and perform a different set of actions on those items. See Use filters in your playbook to specify a subset of events before further processing. |
Decision | Make a decision and perform different actions depending on the results of the previous block. For example, you can deny list all destination IPs that belong to a specific country. See Use decisions to send events to a specific downstream action in your playbook. |
Format | Format the results of the previous block. For example, you can gather data, format that data in a specific way, and send an email. See Customize the format of your playbook content. |
Prompt | Require a user to take action before proceeding to the next block. See Require user input using the Prompt block in your playbook. |
Advanced settings
Follow these steps to configure advanced settings for a block.
To use Advanced settings, when configuring a block follow these steps:
- Click Advanced.
- Modify the advanced settings.
Setting | Block type | Description |
---|---|---|
Join Settings | Available for action, playbook, code, filter, decision, format, and prompt block types. | You can configure join settings when multiple incoming blocks that support the synchronous functionality are linked to any downstream block. All Action, Prompt, and Manual Task blocks run synchronously and playbooks can be toggled to run synchronously in the block configuration. See Run other playbooks inside your playbooks in for more information on the synchronous functionality.
|
Scope | Available for action, playbook, code, filter, utility, decision, format, and prompt block types. | Configure scope to determine how the artifact data passed into a block's API is collected. Collection occurs in the context of the current playbook. Setting the scope advanced setting on a playbook block doesn't change the scope of a child playbook. In child playbooks, scope only affects the collected artifact data that is passed in as inputs to the child playbook and the collection occurs before the child playbook is run.
Specifying scope with Playbook and Utility blocks:
|
Action Settings | Available for action blocks. | Configure the action settings that a user must perform. Action settings are only available from an action block.
|
Case-sensitive | Available for decision and filter blocks. | Select if you want the conditions evaluation to be case-sensitive, or case-insensitive. The default is case-sensitive. |
Delimiter | Available for prompt and format blocks. | Specify an alternate separator to use when joining parameter values that result in a list together. The default separator is ",". |
Drop None | Available for prompt and format blocks. | Select whether or not you want to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included. |
Create a new playbook in | Add an action block to your playbook |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0
Feedback submitted, thanks!