Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Add an Action block to a playbook using the classic playbook editor

Perform the following steps to add an Action block to a playbook:

  1. Drag the half-circle icon attached to any existing block in the editor.
  2. Select Action from the list of block types. Actions available to you in the playbook editor are determined by the apps that are installed and configured in Splunk SOAR (On-premises).
  3. Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed. You can also filter the list of actions by action type.
  4. Select investigate, generic, correct, or contain.
  5. Click By App to view a list of configured apps, and select an available action provided by the selected app.
  6. Select an asset that you want to run the action on. An asset is a specific configuration or instance of an app. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which require you to configure one instance of a specific app for each network.
  7. Select the field where you want to perform the action. For example, an IPS event may have fields like sourceAddress and destinationAddress and the attack signature. When a container is created in Splunk SOAR (On-premises), it has an artifact with fields for the sourceAddress and destinationAddress from the event.
  8. Select one of these fields to perform the action on.
  9. Click Save.
  10. Enter a comment about this action.

Configure linked parameters

Configure linked parameters in an Action block when you have multiple assets that share parameters with the same name. For example, you might have multiple assets configured that provide an action to create a ticket with a subject parameter. In this case, the word "linked" appears above the subject field, indicating that the field is linked to another field with the same name in a different asset. If you change the value here, the value for the field changes in all assets.

If you need to have the field take separate values, create separate action blocks.

Advanced settings

Follow these steps to configure advanced settings for an Action block:

  1. Click Advanced Settings.
  2. Select General Settings, Action Settings, or Join Settings.

The settings are described below.

General Settings: Configure settings for this Action block.
  • Custom Name: The name for this action block. This name is visible in the playbook editor and also in Splunk SOAR (On-premises) wherever details about this action are visible.
  • Description: The Description field shows up as a code comment above the block definition.
  • Notes: The Notes field contents appear when you hover over the Note icon in the action block.

Action Settings: Configure the action settings that a user must perform.
  • Reviewer: Select a user or group that must approve this action before the action runs. If you select a group or role, any user in that role can approve the action.
  • Delay Timer: Set a delay in minutes before the action runs. A clock icon is visible on the action block to show that a delay is configured.

Join Settings: You can configure Join settings when you have two blocks with callbacks both calling the same downstream block. Block types with callbacks are Action and Prompt. Configure Join settings from the downstream block. Click the required checkbox if the action in the upstream block must be completed before this downstream block is run.

Last modified on 02 April, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1

