After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Run a playbook in
Analysts can use the /playbook command to run a playbook from the command line in .
To run a playbook from the command line, you must supply the playbook_id or playbook_name and the scope. A playbook_name consists of a repository, followed by a slash ( / ), and the name of the playbook.
You can get a playbook_id or playbook_name by looking up the playbook from Main Menu > Playbooks, and clicking the playbook name from the list. The ID is the number in the playbook URL. See the following example:
https://phantom.example.com/playbook/1
Or you can use the REST API to query /rest/playbook. See Query for Data in REST API Reference for .
Scope is one of the following values:
new - Run the playbook for only artifacts added to the container since the last time the playbook was run.
all - Run the playbook against all artifacts in the container.
<artifact ID> - Run the playbook for either a specific artifact or a list of artifacts.
Example using the playbook ID
/playbook 1 new
Example using the playbook name
/playbook local/example_playbook all
You can also supply lists for IDs or scope to run multiple playbooks, to run a playbook for multiple specified artifacts or scopes, or multiple playbooks for multiple specified artifacts.
Example of multiple specified artifacts
/playbook 1 ["41", "43", "45"]
This example runs playbook 1, for artifact IDs 41, 43, and 45 in the container.
Example of multiple playbooks
/playbook ["1", "2", "3"] new
This example runs playbooks 1, 2, and 3 for new artifacts in the container.
Example of multiple playbooks and multiple scopes
/playbook ["1", "2"] ["new", "all"]
This example runs playbooks 1 and 2 for both the new and all scopes.
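The argument forms above can be checked before a command is sent, for example when reviewing a runbook or command history. The following Python sketch is an added example, not Splunk code: `expand_playbook_command` is a hypothetical helper, and it assumes that playbook names contain no spaces, that list items are quoted strings as in the examples, and that list arguments pair every playbook with every scope.

```python
import itertools
import json
import re

# Two arguments after /playbook: each is a bare token or a bracketed list.
_CMD = re.compile(r'^/playbook\s+(\[[^\]]*\]|\S+)\s+(\[[^\]]*\]|\S+)\s*$')
_PLAYBOOK = re.compile(r'^(\d+|[^/\s]+/[^/\s]+)$')  # numeric ID or repository/name
_SCOPE = re.compile(r'^(new|all|\d+)$')             # new, all, or an artifact ID


def _as_list(arg):
    """Return the argument as a list of strings (bare token or quoted list)."""
    if not arg.startswith('['):
        return [arg]
    try:
        items = json.loads(arg)
    except json.JSONDecodeError as exc:
        raise ValueError(f'malformed list: {arg}') from exc
    if not items or not all(isinstance(i, str) for i in items):
        raise ValueError(f'list must hold quoted strings: {arg}')
    return items


def expand_playbook_command(line):
    """Validate a /playbook command and return its (playbook, scope) pairs."""
    match = _CMD.match(line.strip())
    if not match:
        raise ValueError('expected: /playbook <id|repo/name|list> <scope|list>')
    playbooks, scopes = _as_list(match.group(1)), _as_list(match.group(2))
    for pb in playbooks:
        if not _PLAYBOOK.match(pb):
            raise ValueError(f'not a playbook ID or repository/name: {pb}')
    for scope in scopes:
        if not _SCOPE.match(scope):
            raise ValueError(f'scope must be new, all, or an artifact ID: {scope}')
    # Assumption: every listed playbook is paired with every listed scope.
    return list(itertools.product(playbooks, scopes))


if __name__ == '__main__':
    # The command lines below are the examples from this page.
    for cmd in ('/playbook 1 new',
                '/playbook local/example_playbook all',
                '/playbook 1 ["41", "43", "45"]',
                '/playbook ["1", "2"] ["new", "all"]'):
        print(cmd, '->', expand_playbook_command(cmd))
```

The pairs show which playbook and scope combinations a command covers; how the product schedules them as runs is not stated on this page.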
Playbooks interrupted by a system restart
If your system restarts while a playbook is running, the playbook run is cancelled. Any changes made by the playbook before the restart remain, and are not rolled back.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0