After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Customize the format of your playbook content using the classic playbook editor
Use the Format block to craft custom strings and messages from various objects.
You might consider using a Format block to put together the body text for creating a ticket or sending an email. Imagine you have a playbook set to run on new containers and artifacts that does a basic lookup of source IP address artifacts. You want to take the results of that lookup, format the results, and send the information as an email. You craft your playbook so that the action results are available to the format block.
To configure a Format block, perform the following steps:
- Create a new block in the Classic Playbook Editor.
- Select Format from the list of block types.
- Configure the template parameter variables in the Template Parameters field. The first variable is identified as
{0}, the next as{1}, and so on. You can select any event and container properties. You can also select data from any upstream block. - In the Template field, craft a message using the variables you define.
Example of defining a template
This example defines a template in the following manner:
IP address: {0}
IP address country: {1}
IP address reputation: {2}
The message returned as a result of this template looks like the following:
IP address: 1.2.3.4 IP address country: United States IP address reputation: Malicious
If multiple events are picked up at the same time, you see the following message:
IP address: 1.2.3.4, 10.11.12.13 IP address country: United States, Turkey IP address reputation: Malicious
You can wrap %% around a formatting block to make each set of values output on its own line. For example:
%%
The IP address {0} originates from {1}.
%%
Wrapping %% around a formatting block produces results like the following:
The IP address 1.2.3.4 originates from United States. The IP address 10.11.12.13 originates from Turkey.
Example of using the Python str.format() function to create more advanced templates
More complicated formatting is supported using all the capabilities of the Python str.format() function. The following template demonstrates double curly brackets to support curly bracket escaping, automatic escaping of backslashes and quotes, and centered string alignment with a custom filler character:
JSON Formatting:
{{"notable_id":"{0}","event_count":{1}}}
Backslashes and quotes are escaped:
"ls /Applications/System \Preferences.app/"
Python formatting is supported:
|{0:-^50}|{1:-^50}|
|{2:-^50}|{3:-^{3}{2}{1}{3}{2}{1}50}|
The template produces output as in the following example:
JSON Formatting:
{"notable_id": "1004", "event_count": 10}
Backslashes and quotes are escaped:
"ls /Applications/System \Preferences.app/"
Python formatting is supported:
|-----------------------1004-----------------------|-----------------------10-----------------------|
|----------------------events----------------------|-------Zeus infection on HQ finance server------|
If a new line is needed, use \n.
| Use decisions to send artifacts to a specific downstream action with the classic playbook editor | Require user input to continue running the playbook using the classic playbook editor |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0
Download manual
Feedback submitted, thanks!