Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Use playbooks to automate analyst workflows in Splunk SOAR (On-premises)

Create a playbook in Splunk SOAR (On-premises) to automate security workflows so that analysts can spend more time performing analysis and investigation. The playbook editor provides a visual platform for creating playbooks without having to write code.

To define a workflow that you want to automate, link together a series of actions that are provided by apps. An app is third-party software integrated with Splunk SOAR (On-premises). For example, you can integrate MaxMind as an app, which provides a geolocate ip action, or integrate Okta as an app to provide actions such as set password or enable user. The actions available for use in your playbooks are determined by the apps integrated with Splunk SOAR (On-premises).

After you create and save a playbook in Splunk SOAR (On-premises), you can run playbooks when performing these tasks in Splunk SOAR (On-premises):

  • Triaging or investigating cases as an analyst
  • Creating or adding a case to Investigation
  • Configuring playbooks to run automatically directly from the playbook editor

You can see statistics for runs of your playbooks in the Visual Playbook Editor. See View Playbook Run Statistics for information on the kind of statistics and how to access them.

The playbook editor requires a minimum screen width of 1200px.

Python 3.9 impacts on apps:

You must upgrade all custom apps to be compatible with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.

Existing Python 3.6 playbooks continue to work in the new Python 3.9 environment.

If you use the terms "async" or "await" as names of variables, functions, or other pieces of code in your playbooks, a SyntaxError results. Rename anything named "async" or "await" in your playbooks.
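To find the names that need renaming before a playbook runs under Python 3.9, you can scan the playbook source at the token level. The following is an added example, not part of the Splunk documentation or product: it uses a heuristic to separate identifier uses of "async" and "await" from genuine keyword uses, and the sample playbook text and the `run_lookup` function in it are constructed for illustration.

```python
import io
import keyword
import tokenize

SKIP = {tokenize.COMMENT, tokenize.NL, tokenize.INDENT, tokenize.DEDENT}
OPERAND_START = {"NAME", "NUMBER", "STRING", "FSTRING_START"}

# Constructed sample: Python 3.6-era playbook code; run_lookup is hypothetical.
SAMPLE = '''\
def on_start(container):
    async = True
    run_lookup(container, await=async)
    # async and await in a comment are fine
    note = "await results"
    return note

def await(result):
    return result.async
'''

def find_reserved_names(source):
    """Return (line, word) for each async/await used as an identifier."""
    toks = [t for t in tokenize.generate_tokens(io.StringIO(source).readline)
            if t.type not in SKIP]
    hits = []
    for i, tok in enumerate(toks):
        kind = tokenize.tok_name[tok.type]
        if tok.string not in ("async", "await") or kind not in ("NAME", "ASYNC", "AWAIT"):
            continue  # string literals and other tokens are not identifiers
        prev, nxt = (toks[i - 1].string if i else ""), toks[i + 1]
        if tok.string == "async":
            as_keyword = nxt.string in ("def", "for", "with")
        else:  # a real await expression is followed by the start of an operand
            operand = tokenize.tok_name[nxt.type] in OPERAND_START
            as_keyword = ((operand and not keyword.iskeyword(nxt.string))
                          or nxt.string in ("(", "[", "{", "-", "+", "~"))
        if prev in ("def", "class", ".") or not as_keyword:
            hits.append((tok.start[0], tok.string))
    return hits

def compiles(source):
    try:
        compile(source, "<playbook>", "exec")
        return True
    except SyntaxError:
        return False

if __name__ == "__main__":
    print(find_reserved_names(SAMPLE), "compiles:", compiles(SAMPLE))
```

Tokenizing instead of parsing lets the scan report every offending line in one pass, whereas the interpreter stops at the first SyntaxError.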

If your system restarts while a playbook is running, the playbook run is cancelled. Any changes made by the playbook before the restart remain, and are not rolled back.

Last modified on 09 April, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0

