Use Data Preview to build, test, and edit Splunk SOAR (Cloud) playbooks
Use the Data preview panel on the right side of the Splunk SOAR screen to add blocks and preview their associated data. Data preview shows both sample data and real data for SOAR containers and Splunk Enterprise Security findings.
The data path picker configuration panel is still available to show possible data paths when using the configuration panel on the left side of the Visual Playbook Editor.
Create a playbook
Perform the following tasks to create a new playbook in Splunk SOAR (Cloud):
- Select the Home menu, then select Playbooks.
- Select + Playbook to create a new playbook.
- Select the type of playbook you want to create. The playbook type appears at the bottom of the configuration panel on the playbook editor canvas.
Note: Available playbook types depend on whether you have paired Splunk SOAR (Cloud) with your Splunk Enterprise Security instance.
- Enterprise Security: Available only when paired with Splunk Enterprise Security. Based on Splunk Enterprise Security data. Can be called by analysts within Splunk Enterprise Security, launched as an automation rule, or used as a sub-playbook.
- SOAR / Automation: Named SOAR when paired with Splunk Enterprise Security, and Automation when not paired. Based on Splunk SOAR data. Can be called by analysts within Splunk SOAR, invoked automatically based on active labels, or used as a sub-playbook.
- Input: Always available. Based on Splunk Enterprise Security data or Splunk SOAR data. Can only be called as a sub-playbook, and can only be run directly within the debugger.
- Specify a name for the playbook. 
- Playbooks in the same repository cannot have the same name. Playbooks in different repositories can have the same name.
- As a best practice, do not use personally identifiable information in the names of playbooks.
 
- Select Settings. In the Playbook Settings panel, select the Operates on field and specify one or more event labels that this playbook runs on. Operates on is only available for the Automation or SOAR playbook type. Optionally, specify additional settings. For additional details on playbook settings, see Manage settings for a playbook in Splunk SOAR (Cloud).
Playbook block limit recommendations
Try to limit your playbook to fewer than 50 individual blocks. Larger playbooks consume more resources and might load slowly. If needed, break large playbooks into smaller playbooks, including Input type playbooks, described in Create a new playbook in Splunk SOAR (Cloud).
Preview the data
You can configure your playbook using the data from a Splunk SOAR event or container or a Splunk Enterprise Security finding or investigation that you specify. You can see actual data from the container, event, finding, or investigation to make sure that you construct the playbook appropriately for your needs. If you don't select a data source, the Data preview panel displays only sample views.
To view the data, follow these steps:
- (Conditional) If you are working with an input playbook, select whether you are working with data originating in Splunk Enterprise Security or in Splunk SOAR. If you are working with a different playbook type, continue with the next step.
- In the search field, enter a few letters or numbers to search for the data source you will be working with. Alternatively, select a recent source from the list that appears. 
- For Automation or SOAR playbooks, search for the container ID or name.
- For Enterprise Security playbooks, search for the investigation ID or the reference ID of the finding or investigation. 
Note: For Enterprise Security playbooks, you must first run an action or playbook on the finding or investigation for it to appear in Data preview. Manually enter a finding ID, investigation ID, or display ID, then select Save and run to run the playbook and retrieve the data from Enterprise Security.
A reference ID can be formatted in the following ways:
- 28a6dc03-2f47-4848-a436-180bd2797a5a@@notable@@b3edcd9f906885cf7980992424a43f06 when viewing a finding
- 5CCA4678-4495-4FBA-AA14-0D9A1FC342F5, also known as a display ID or GUID, when viewing an investigation
You can also use the shorter investigation ID with the format ES-00009, found either in the main analyst queue or in the side panel.
 
- Select the Start block, then view the data in one of two ways. 
- Select Container data (for Splunk SOAR) or Finding data (for Splunk Enterprise Security). The actual data for your source displays in purple.
- Select Sample data to see example data that might populate each field but that is not related to your actual data. Sample data appears in teal.
 
- Optionally filter the data you see. 
- Select Filter on known data types to view only data relevant for your action or other playbook block you are running. For example, if you are using whois ip, only ip-related data displays.
- Use the search field to search for a datapath name or for actual data. For example, you can search for a field whose name contains the word status, or search for a status message of success.
 
You will use the data to configure the individual playbook blocks after you add them.
Add an Action block using Quick Actions
You can add an action block directly from the Data preview panel. In this example, there has been a malicious URL request attempt and you want to create an action in your playbook to find out its origin.
To add an action block from the Data preview panel, follow these steps:
- In the playbook you created, select the block after which you want to create an action block. In this example, it will be the Start block, but it can also be any other playbook block.
- View either the sample data or the actual container or finding data, filtering it if needed.
- Locate the data you want to work with. In this example, use ip. Some data with specific datatypes, for example ip, has a menu with three dots. Select the three dots to reveal the Run action menu, used for adding an action. The menu displays actions that are appropriate for the datatype you selected. For example, select geolocate_ip to use the IP address in the data you are previewing.
- (Conditional) If your instance has multiple installed applications with the same action name, an additional application selector appears. Select the application you want to use for the action.
- The action block appears on the playbook editor canvas, attached to the previous playbook block. Notice that the datapath associated with that datatype appears in the corresponding field in the action block's configuration panel, to the left of the canvas.
- Complete any additional fields in the configuration panel for this action. For example, you might have other required fields to add, or you can choose to add looping logic using the Loop tab.
For additional information on action blocks, see Add an action block to your Splunk SOAR (Cloud) playbook.
Add additional playbook blocks and specify configuration data
Use the data in the Data preview panel to configure each playbook block. In the geolocate_ip action scenario earlier, the action produces an output of the country where the source IP originated. Now you can use that output to configure a filter block. To add a new playbook block and configure its data, follow these steps:
- Select the block you want to configure. For example, select the geolocate_ip action configured previously. The sample view of the action should appear on the Data preview panel. Select the pin button to keep the sample view from changing when adding another block. 
- From that action block, drag and drop its half-circle icon. From the menu, select a filter block type. You will use data from the action block output to configure the new filter block.
- In the Data preview panel results, locate and select the country_name datapath, then select the copy icon next to the sample value.
- In the filter configuration panel on the left side, paste the datapath from the action block into the first condition. The datapath that you pasted should look like this: geolocate_ip_1:action_result.data.*.country_name.
- Continue to configure the condition in the filter block. For example, if you have a select group of embargoed countries, you can create a custom list of them and configure the condition to match only when the country name is not on that list.
- Select Done.
- In the Data preview panel, select Save and run. Messages inform you whether the playbook ran successfully. Switch to the Debugger tab to monitor the playbook's progress. See the Debug playbooks section in this article for more information on how to use the debugger tab.
- After the playbook run completes, return to the previously configured action block and notice that it now has an Action run view where you can see the real results of the action.
- Continue to add and configure blocks following these steps. After you create and configure the final block, connect it to the End block.
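The datapath geolocate_ip_1:action_result.data.*.country_name pasted into the filter block above has a fixed shape: the block name before the colon, then a dotted path into that block's action result, where * fans out across every element of a list. The following is an added example, not code from the Splunk SOAR documentation and not the SOAR playbook API (which only runs inside SOAR): it resolves such datapaths against a constructed geolocate_ip action result, collects several datapaths into rows the way a filter block sees them, and applies the "country name is not on the embargoed list" condition. The action result payload, the IP addresses, the country names and the custom list are all constructed for illustration.

```python
"""Added example: resolve SOAR-style datapaths and apply a not-on-list filter.

Not part of the Splunk SOAR product code. The action result layout below
(status / parameter / data / summary under action_result) follows the common
SOAR action result shape, but every value in it is constructed.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample: two runs of one geolocate_ip block, one per IP.
SAMPLE_ACTION_RESULTS: Dict[str, List[dict]] = {
    "geolocate_ip_1": [
        {"action_result": {
            "status": "success",
            "parameter": {"ip": "203.0.113.10"},
            "data": [{"country_name": "Freedonia", "city": "Example City"}],
            "summary": {"country": "Freedonia"},
        }},
        {"action_result": {
            "status": "success",
            "parameter": {"ip": "198.51.100.7"},
            "data": [{"country_name": "Sylvania", "city": "Other City"}],
            "summary": {"country": "Sylvania"},
        }},
    ]
}

# Constructed stand-in for a SOAR custom list of embargoed countries.
EMBARGOED_COUNTRIES = ["Sylvania"]


def _walk(node: Any, parts: List[str]) -> List[Any]:
    """Follow the dotted path parts into node; '*' expands across a list.

    A path that does not exist resolves to an empty list rather than raising,
    which mirrors how a filter block simply matches nothing for missing data.
    """
    if not parts:
        return [node]
    head, rest = parts[0], parts[1:]
    if head == "*":
        if not isinstance(node, list):
            return []
        out: List[Any] = []
        for item in node:
            out.extend(_walk(item, rest))
        return out
    if isinstance(node, dict) and head in node:
        return _walk(node[head], rest)
    return []


def collect(datapaths: List[str], results: Dict[str, List[dict]]) -> List[Tuple[Any, ...]]:
    """Resolve several datapaths of one block into rows, one column per datapath.

    Within a single action result, a scalar column (for example parameter.ip)
    is repeated alongside every value a wildcard column produced, so each row
    pairs an IP with the country the lookup returned for it.
    """
    blocks = {dp.partition(":")[0] for dp in datapaths}
    if len(blocks) != 1:
        raise ValueError("all datapaths must reference the same block")
    block = blocks.pop()
    if block not in results:
        raise KeyError(f"no results for block {block!r}")
    rows: List[Tuple[Any, ...]] = []
    for result in results[block]:
        columns = [_walk(result, dp.partition(":")[2].split(".")) for dp in datapaths]
        width = max(len(col) for col in columns)
        if width == 0:
            continue  # nothing matched in this result; skip it
        expanded = [col * width if len(col) == 1 else col for col in columns]
        if any(len(col) != width for col in expanded):
            raise ValueError("datapath cardinality mismatch within one action result")
        rows.extend(zip(*expanded))
    return rows


def resolve_datapath(datapath: str, results: Dict[str, List[dict]]) -> List[Any]:
    """Flatten a single datapath into the list of values it matches."""
    return [row[0] for row in collect([datapath], results)]


def not_on_list(rows: List[Tuple[Any, ...]], column: int, blocked: List[str]) -> List[Tuple[Any, ...]]:
    """Filter condition: keep rows whose value in `column` is not on the custom list."""
    return [row for row in rows if row[column] not in blocked]


if __name__ == "__main__":
    paths = [
        "geolocate_ip_1:action_result.parameter.ip",
        "geolocate_ip_1:action_result.data.*.country_name",
    ]
    for ip, country in not_on_list(collect(paths, SAMPLE_ACTION_RESULTS), 1, EMBARGOED_COUNTRIES):
        print(f"{ip} -> {country} (not embargoed, continue downstream)")
```

Collecting parameter.ip alongside data.*.country_name is what keeps the filtered output actionable: a later block needs the IP that passed the check, not just the country name, and resolving the two datapaths separately would lose that pairing once a lookup returns more than one record.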
See also
- For details on datapaths, including datapath structure, user-based datapaths, and custom datapaths:
- For details on other playbook block types:
- Add a new block to your Splunk SOAR (Cloud) playbook
- Run other playbooks inside your playbook in Splunk SOAR (Cloud)
- Add custom code to your Splunk SOAR (Cloud) playbook with the code block
- Set notable parameters in Splunk SOAR (Cloud) using the Utility block
- Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of events before further processing
- Use decisions to send events to a specific downstream action in your Splunk SOAR (Cloud) playbook
- Customize the format of your Splunk SOAR (Cloud) playbook content
- Require user input using the Prompt block in your Splunk SOAR (Cloud) playbook
- Automate responses with Splunk Enterprise Security playbook blocks
 
Copy and paste playbook blocks
Save time and effort by copying one or more playbook blocks and pasting those blocks within that playbook, in a different playbook, or in a playbook in a different instance. This is helpful if you want to copy a subset of functionality from an existing playbook into a new playbook. Copying playbook blocks copies each block's configuration along with connections between the selected blocks.
Depending on your use case, you might choose a different strategy:
- To use a complete playbook within another playbook, use a playbook block with an input playbook. For details, see Run other playbooks inside your playbook in Splunk SOAR (Cloud).
- To repeat the actions of one or more playbook blocks, use a logic loop. For details, see Repeat actions with logic loops.
To copy and paste playbook blocks, follow these steps:
- Plan which blocks you want to copy and paste.
- Use one of these methods to select one or more playbook blocks : 
- Select a single block: Select one block in your playbook.
- Select multiple blocks: Press the Shift (or Command) key on your keyboard and select blocks in your playbook, one at a time. 
Note: You cannot copy or paste the Start or End blocks of a playbook.
 
- Press Command+C on your keyboard to copy the blocks.*
- Place your cursor on the Visual Playbook Editor canvas where you want to place the copied blocks.
- Press Command+V on your keyboard to paste the blocks.* Blocks are pasted on the canvas near your current cursor position or, if your cursor is not currently on the canvas, in the top, right corner of the current playbook.
- Connect each new block to the rest of your playbook.
- Optionally update the configuration for the pasted blocks.
* If you are using a Windows or Linux machine, replace Command with Control in the keyboard shortcuts.
Delete playbook blocks
You can delete playbook blocks either one at a time or as a group. Deleting each playbook block also deletes the connections between that block and other playbook blocks.
To delete playbook blocks, follow these steps:
- Plan which blocks you want to delete.
- Select one or more playbook blocks: 
- Select a single block: Select one block in your playbook.
- Select multiple blocks: Press the Shift key on your keyboard and select blocks in your playbook, one at a time. 
Note: You cannot delete the Start or End blocks of a playbook.
 
- Press Command+Backspace on your keyboard to delete the blocks.*
* If you are using a Windows or Linux machine, replace Command with Control in the keyboard shortcuts.
Navigate through playbook blocks using the Data preview panel
Debug playbooks
Use the debugger to test playbooks or troubleshoot issues, either while you are developing the playbook or if there are issues when the playbook runs.
To run your playbook using the debugger, the playbook must meet the following conditions:
- The playbook must be saved. You cannot debug playbooks in edit mode.
- The playbook cannot be marked active.
- The playbook must have an event or Enterprise Security finding or investigation to run against.
You can access the playbook debugger in the Data Preview panel of the Visual Playbook Editor. Within the Data Preview panel, select the Debugger tab.
To run the debugger for a specific container, finding, or investigation, follow these steps:
- Locate the ID for the container, finding, or investigation. 
Find the ID in the following locations
- Container ID (Automation/SOAR, Input, and Enterprise Security playbooks): on the SOAR Sources page, in the ID column.
- Finding ID (Enterprise Security playbooks): in the Enterprise Security Analyst queue, in the details panel, next to Reference ID.
- Investigation ID (Enterprise Security playbooks): in the Enterprise Security Analyst queue.
- Copy the ID and paste it into the search field above the Debugger tab.
- Select whether you want to run the debugger as the current user or as the selected automation user.
- (Conditional) Specify the scope for debugging. Scope is not available when running the debugger on Enterprise Security data. Select one of the following options: 
- New Artifacts to include only the artifacts added to the container since the playbook last ran on it.
- All Artifacts to include every artifact in the container the playbook runs against.
 
- Select Test.
Each line in the debug content starts with a date time stamp. Log entries show which block is running, the parameters sent, inputs from earlier blocks or playbooks, and the outputs of the block. The API call to on_finish represents a call to the End block. The playbook completes by logging a SUCCESS or FAILURE status.
Select Copy to copy the output of the debugger and paste it into a ticket or separate editor.
View logs for a specific playbook block
You can focus on debugger information for a single playbook block, rather than viewing debug logs for an entire playbook.
To view logs for a specific playbook block, follow these steps:
- Open a playbook in the Visual Playbook Editor.
- If you haven't already run this playbook in this session of using Splunk SOAR, select Save and run to run the playbook and generate debugging information.
- Select a playbook block.
- In the Data preview panel, select the Block results tab, then select the Logs tab to see a subset of debugger output for that selected block.
View or edit Python code
If you are experienced with Python, you can choose to select the Python editor tab in the Data preview panel to view or edit the underlying Python code in your playbook. The code in the Python editor tab is updated whenever you select Save and run in the Data preview panel.
For details, see View or edit the Python code in Splunk SOAR (Cloud) playbooks.