After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Run an action in Splunk SOAR
Analysts can use the /action command to quickly run one of the actions Splunk SOAR supports. Actions run with /action are the same actions that are found in the Run Action dialog box, but the names of the actions are formatted with underscores ( _ ) instead of spaces. For example, the action geolocate ip becomes geolocate_ip.
The Run Action dialog box guides you through selecting the information an action requires. Using the command line interface requires you to provide the same information as arguments to the /action command.
When you type /action in the comment field of the activity sidebar, a tooltip-style dialog appears to guide you through adding arguments, or you can use the --help argument to get a message with help information as shown here:
/action geolocate_ip "MaxMind" --help
PhBot returns the following help message:
usage: /action geolocate_ip [app] <required arguments> [--asset asset...] [--optional arguments]

Queries MaxMind for IP location info

required arguments:
  ip    IP to geolocate

The command-line interpreter validates the arguments you pass to the /action command. Incorrect arguments generate an error message to help you fix them, as shown in the following example:
/action whois_domain "WHOIS" splunk.com
The following error message is returned for the example:
/action whois_ip "WHOIS" a.b.not_an_ip
Use a list with the /action command
You can perform actions on lists of items by passing the list as an argument as shown in the following example:
/action geolocate_ip "MaxMind" ["1.1.1.1", "2.2.2.2"]
Lists must be presented in valid Python syntax, so individual items must be in quotation marks ( " ).
Passing the /action command multiple lists or datapaths, or a mix of lists and datapaths, results in a product. For example, [1, 2] [3, 4] results in four action runs: (1, 3), (1, 4), (2, 3), and (2, 4).
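The sketch below is an added example, not Splunk SOAR code. It models the list and product rules described above so that an analyst can see how many action runs a set of arguments produces before submitting the command. The function names and the max_runs ceiling are assumptions made for illustration, and datapaths are not modeled.

```python
import ast
import itertools
import math


def parse_argument(text):
    """Parse one argument: a Python-syntax list, or a single bare value."""
    text = text.strip()
    if not text.startswith("["):
        return [text]  # a single value behaves like a one-item list
    try:
        value = ast.literal_eval(text)  # accepts literals only, never runs code
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a valid Python list: {text}") from exc
    if not isinstance(value, list):
        raise ValueError(f"not a valid Python list: {text}")
    return value


def plan_runs(arguments, max_runs=20):
    """Return one parameter tuple per action run (the product of all lists).

    max_runs is a hypothetical safety ceiling, checked before anything is
    enumerated, so a few long lists cannot silently become hundreds of runs
    against a rate-limited or paid asset.
    """
    parsed = [parse_argument(a) for a in arguments]
    total = math.prod(len(p) for p in parsed)
    if total > max_runs:
        raise ValueError(f"{total} action runs exceeds the limit of {max_runs}")
    return list(itertools.product(*parsed))


if __name__ == "__main__":
    # Constructed sample arguments, matching the examples in the text.
    print(plan_runs(["[1, 2]", "[3, 4]"]))
    print(plan_runs(['["1.1.1.1", "2.2.2.2"]']))
    try:
        plan_runs(["[1.1.1.1, 2.2.2.2]"])  # items missing quotation marks
    except ValueError as err:
        print("rejected:", err)
```

Because the run count is the product of the list lengths, three lists of ten items each would already mean 1,000 action runs.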
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1